Server.Enrichment.Sublime.EmailAnalysis :: Velociraptor

Server.Enrichment.Sublime.EmailAnalysis

Submit an email to Sublime for analysis.

By default, this artifact returns matches for active detection rules.

This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.

Ex.

SELECT * from Artifact.Server.Enrichment.Sublime(Message=$YourBase64EncodedMessage)


name: Server.Enrichment.Sublime.EmailAnalysis
author: Wes Lambert -- @therealwlambert, @weslambert@infosec.exchange
description: |
  Submit an email to Sublime for analysis.
  
  https://sublime.security/
  
  By default, this artifact returns matches for active detection rules.

  This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.

  Ex.

    `SELECT * from Artifact.Server.Enrichment.Sublime(Message=$YourBase64EncodedMessage)`

type: SERVER

parameters:
    - name: Message
      type: string
      description: The message to submit to Sublime.
      default:

    - name: SublimeKey
      type: string
      description: API key for Sublime. Leave blank here if using server metadata store.
      default:
      
sources:
  - query: |
        LET Creds = if(
           condition=SublimeKey,
           then=SublimeKey,
           else=server_metadata().SublimeKey)

        LET URL <= 'https://api.platform.sublimesecurity.com/v0/messages/analyze'
        
        LET Response = SELECT parse_json(data=Content) AS Content
            FROM http_client(
                    url=URL,
                    headers=dict(`Authorization`=format(format="Bearer %v", args=[Creds]), `Content-Type`="application/json"),
                    data=serialize(item=dict(`raw_message`=Message, `run_active_detection_rules`=true)),
                    method='POST')

        LET ResultsQuery = SELECT * FROM foreach(
            row=Response, 
            query={
                SELECT 
                    rule.name AS Name, 
                    rule.source AS Source, 
                    rule.id AS ID, success AS Success, 
                    error AS Error, 
                    execution_time AS ExecutionTime
                FROM Content.rule_results WHERE matched = true
            }
        )
        
        SELECT * FROM foreach(
            row=if(condition=Response.Content.rule_results, 
                   then=ResultsQuery, 
                   else=Response.Content))