Sublime Security

Scanner supports Sublime Security logs. This guide covers integration for two log sources:

  • Audit Logs, which contain information about actions taken in Sublime Security by users or by the system itself.

  • Message Event Logs, which contain information about email security events, analyses, and triggered detection rules.

In order for Scanner to see them, you need to configure Sublime Security to export these logs to an S3 bucket that Scanner is linked to.

Step 1: Set up Sublime Security to export logs to S3

You can follow the Sublime Security documentation to export these logs to an S3 bucket you own. See: Export Audit Logs and Message Events.

If you haven't done so already, link the S3 bucket containing your Sublime Security logs to Scanner using the Linking AWS Accounts guide.

Step 3: Set up two S3 Import Rules in Scanner, one per log source

Sublime Security exports files to S3 using this directory structure:

<configured_key_prefix>/<log_source_type>/<YYYY>/<MM>/<DD>/<HHMMSSZ>-<ID>.json

  • For Audit Logs, the log_source_type is sublime_platform_audit_log

  • For Message Event Logs, the log_source_type is sublime_platform_message_events.

For each log source type you want Scanner to read, you need to create a separate S3 Import Rule in Scanner. Using the Duplicate button helps streamline this.

Here is how to create an S3 Import Rule for the Audit Logs data source type, i.e. the files in the folder named sublime_platform_audit_log.

  1. Within Scanner, navigate to Settings > S3 Import Rules.

  2. Click Create Rule.

  3. For Rule name, type a name like my_team_name_sublime_audit_logs.

  4. For Destination Index, choose the index where you want these logs to be searchable in Scanner.

  5. For Status, set to Active if you want to start indexing the data immediately.

  6. For Source Type, we recommend sublime:audit, but you are free to choose any name. However, out-of-the-box detection rules will expect sublime:audit.

    1. For Message Event Logs, set the Source Type to sublime:message_events.

  7. For AWS Account, choose the account that contains the S3 bucket containing Sublime Security logs.

  8. For S3 Bucket, choose the S3 bucket containing Sublime Security logs.

  9. For S3 Key Prefix, type the prefix (i.e. directory path) where the Sublime Security is writing your specific log source type.

    1. Example: <configured_key_prefix>/sublime_platform_audit_log/

  10. For File type, choose JsonLines with Gzip compression.

  11. For Timestamp extractors, under Column name, type created_at. This is the field in each log event that contains the timestamp information.

  12. Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.

  13. When you're ready, click Create.

Once you have created the S3 Import Rule for the Audit Logs, you can duplicate the rule and use find-replace to create an S3 Import Rule for Message Event Logs, making these specific changes:

  • Change Rule name to something like my_team_name_sublime_message_event_logs.

  • Change Source Type to sublime:message_events

  • Change the S3 Key Prefix to <configured_key_prefix>/sublime_platform_message_events/

Last updated