Sublime now integrates with Panther, allowing security teams to correlate Sublime email telemetry within Panther’s cloud-native SIEM for centralized threat detection.
The name of the game in threat detection is speed and precision. Achieving precise detection at scale is predicated on having the right telemetry, and the means to uniformly codify detection that spans signals. The Sublime + Panther integration allows you to accomplish just that: high-fidelity email data that intersects other telemetry within your SIEM.
Specifically, the integration allows security teams to centrally access context-rich Sublime logs that detail email and audit data.
We'll highlight two important use cases below. Visit the documentation to get started in a few quick steps!
Detecting email-based attacks with Sublime & Panther
How it works
Users can easily set up the integration by exporting Sublime logs to an S3 bucket and then instructing Panther to read from the source.
Panther supports ingesting Sublime's audit logs, messages with rule matches, and all messages in the Message Data Model (MDM) format, an object that structures raw EML data so that it is consistent, easily referenced, and predictable.
The same insights that are natively surfaced within Sublime are accessible in Panther, allowing for the rapid triage of email alert data, in addition to broader correlation and enrichment opportunities. A key feature of Sublime's export data is that it bundles multiple rule matches into a single payload. In other words, a single flagged email event may contain multiple matching Sublime rules.
Both Sublime and Panther are built on detection-as-code principles. It becomes trivial to extend detection logic within Panther to tailor Sublime's detection data to meet your needs.
Bundled Alerts
Panther makes it easy to create alerts based on behaviorally flagged emails. Sublime sends event data that represents individual emails with multiple rule matches, so the alerts Panther raises on that data are already high-efficacy.
Sublime users can think of this detection as an extension of the action-oriented data in Priority View, but normalized to fit with other security tooling data. Below is Priority View in Sublime, detailing email campaigns that represent the highest severity as a result of multilayered detection—multiple behavioral rules paired with machine learning (ML) models.
Both Sublime and Panther have the ability to easily extend and tailor detections. It requires minimal setup to build upon the out-of-the-box coverage by writing detections that:
- Alert when multiple matching rules are present on a single email
- Alert when severity levels of matching rules are of a certain threshold
- Dynamically change severity levels based on a combination of factors
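As an added illustration of the three detection ideas above (and not code from Sublime or Panther), here is a Panther-style Python detection that evaluates one exported email event carrying several bundled rule matches. Panther calls rule(), severity() and title() with an event object whose get() behaves like a dict's, so the example works on the plain dict constructed at the bottom. The field names matched_rules, name and severity, and the sample event itself, are assumptions made for this example rather than Sublime's documented schema.

```python
# Added example: a Panther-style detection over one Sublime email event that
# bundles several rule matches. Field names and the sample event are assumed
# for illustration; substitute the fields from the Sublime schema you ingest.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {rank: name.upper() for name, rank in SEVERITY_RANK.items()}

MIN_MATCHES = 2          # alert when at least this many rules fired on one email
MIN_SEVERITY = "medium"  # ...or when any single match is at least this severe
ESCALATE_AT = 3          # raise the alert one level when this many rules stack


def _matches(event):
    """Return the list of rule-match dicts bundled into this email event."""
    matches = event.get("matched_rules")  # assumed field name
    return matches if isinstance(matches, list) else []


def _rank(match):
    """Map a match's severity string to a comparable integer (unknown -> 0)."""
    return SEVERITY_RANK.get(str(match.get("severity", "")).lower(), 0)


def highest_severity_rank(event):
    """Highest severity among the bundled matches; 0 when none matched."""
    return max((_rank(m) for m in _matches(event)), default=0)


def rule(event):
    """Panther entry point: True means 'raise an alert' for this event."""
    if len(_matches(event)) >= MIN_MATCHES:
        return True
    return highest_severity_rank(event) >= SEVERITY_RANK[MIN_SEVERITY]


def severity(event):
    """Dynamic severity: start from the strongest match, escalate when rules stack."""
    rank = highest_severity_rank(event)
    if len(_matches(event)) >= ESCALATE_AT:
        rank = min(rank + 1, SEVERITY_RANK["critical"])
    return RANK_NAME.get(rank, "INFO")


def title(event):
    """Alert title listing every Sublime rule that fired on the email."""
    matches = _matches(event)
    names = ", ".join(str(m.get("name", "unknown")) for m in matches)
    return f"Sublime: {len(matches)} rule(s) matched on one email [{names}]"


# Constructed sample event (not real Sublime output): three stacked matches.
SAMPLE_EVENT = {
    "matched_rules": [
        {"name": "Credential phishing: lookalike domain", "severity": "high"},
        {"name": "Link: newly registered domain", "severity": "medium"},
        {"name": "Sender: free email provider", "severity": "low"},
    ],
}

if __name__ == "__main__":
    print(rule(SAMPLE_EVENT), severity(SAMPLE_EVENT))
    print(title(SAMPLE_EVENT))
```

With three stacked matches the sample fires on the match-count condition and the alert is escalated from HIGH to CRITICAL; a lone low-severity match would not alert at all, which is the behaviour one usually wants when tuning out noise from a single weak signal.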
Configuration Changes
It is critical for defenders to institute proactive monitoring to ensure security tooling is working as expected. Panther also ingests Sublime audit logs to monitor for accidental internal misconfigurations or scenarios where an attacker gains unauthorized access and disables monitoring.
Security teams need alerts that indicate reduced visibility and misconfiguration. Sublime offers robust audit data, and the following events can be used when authoring detections:
- Detecting when mailboxes are deactivated
- Detecting when a message source is deactivated or deleted
- Detecting when Sublime rules are deactivated or deleted
The managed Panther detection rules make it easy to generate alerts when the aforementioned events occur. As a result, teams can quickly respond to deviations that result in degraded visibility, whether it be from an unintentional configuration change or an attacker who is covering their tracks.
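The following is an added example (not one of Panther's managed rules and not Sublime's code) of a Panther-style Python detection over Sublime audit events that implements the three visibility-reducing cases listed above. The audit event type strings, the actor field and the sample events are assumptions chosen for this example; map them to the event names in the Sublime audit schema you actually ingest.

```python
# Added example: a Panther-style detection that alerts on Sublime audit events
# which reduce email visibility (mailbox, message source or rule deactivated
# or deleted). Event type names and field names are assumed for illustration.

# Assumed audit event types mapped to a human-readable description.
VISIBILITY_REDUCING_EVENTS = {
    "mailbox.deactivated": "a monitored mailbox was deactivated",
    "message_source.deactivated": "a message source was deactivated",
    "message_source.deleted": "a message source was deleted",
    "rule.deactivated": "a detection rule was deactivated",
    "rule.deleted": "a detection rule was deleted",
}


def _event_type(event):
    """Audit event type string (assumed field name 'type')."""
    return str(event.get("type", ""))


def _actor(event):
    """Identity that performed the change (assumed nested field actor.email)."""
    actor = event.get("actor")
    if isinstance(actor, dict):
        return str(actor.get("email", "unknown"))
    return "unknown"


def rule(event):
    """Panther entry point: alert on any event that degrades visibility."""
    return _event_type(event) in VISIBILITY_REDUCING_EVENTS


def severity(event):
    """Deletions are harder to reverse and more typical of track-covering,
    so they rank above deactivations."""
    return "HIGH" if _event_type(event).endswith(".deleted") else "MEDIUM"


def title(event):
    """Alert title naming what changed and who changed it."""
    description = VISIBILITY_REDUCING_EVENTS.get(_event_type(event), "a change")
    return f"Sublime visibility reduced: {description} by {_actor(event)}"


def dedup(event):
    """Group a burst of changes by the same actor into one alert."""
    return f"{_actor(event)}:{_event_type(event)}"


# Constructed sample audit events (not real Sublime output).
SAMPLE_EVENTS = [
    {"type": "rule.deleted", "actor": {"email": "admin@example.test"}},
    {"type": "mailbox.deactivated", "actor": {"email": "admin@example.test"}},
    {"type": "rule.created", "actor": {"email": "analyst@example.test"}},
]


def evaluate(events):
    """Run the detection over a list of events; returns (title, severity) per alert."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, alert_severity in evaluate(SAMPLE_EVENTS):
        print(alert_severity, alert_title)
```

Only the two visibility-reducing events in the sample produce alerts; the rule creation is ignored. The dedup key groups repeated changes by one actor, so a single compromised or misused admin account disabling many rules at once yields one alert with a clear title rather than dozens.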
Start using Sublime + Panther
Security teams require visibility into security tooling across dynamic, complex environments, and email remains a notoriously porous attack vector.
The integration allows teams to continuously monitor and respond to email-based threats across environments and correlate with other critical tooling data.
Beyond bundled alerts and configuration changes, teams can customize detections unique to their organization with the level of granularity accessible in the Sublime platform. Some organizations will extend this telemetry into automation workflows to further reduce time spent on email-related incident response.
Follow step-by-step instructions in Panther’s documentation.
Deploy a free instance of Sublime today with no MX changes required.