Sublime Security updates
sublime.security

Platform v1.78.6 (Datetime Filtering for Audit Log API)

 

New

  

Sublime now supports datetime filtering on the GET /v0/audit-log/events endpoint.

You can use created_at[gte] and created_at[lt] (ISO 8601 format) to pull audit logs for a specific time window such as the last 24 hours or a defined date range.

This update simplifies SIEM integrations and compliance reporting by eliminating the need for client-side filtering, deduplication, or estimating daily event volume.
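As an added illustration (not code from Sublime or its documentation), the sketch below builds the query URLs a SIEM collector could use to pull audit events in contiguous half-open windows, so that an event on a window boundary lands in exactly one pull. The base URL, function names, and second-resolution UTC timestamps are assumptions; authentication and response handling are omitted because the note does not describe them.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Hypothetical base URL: replace with your own deployment's API host.
BASE_URL = "https://sublime.example.invalid"
ENDPOINT = "/v0/audit-log/events"  # path as given in the release note


def to_utc_iso(ts: datetime) -> str:
    """Render an aware datetime as ISO 8601 in UTC; refuse naive values."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        # A naive timestamp would silently shift the window by the local offset.
        raise ValueError("naive datetime: attach a timezone before querying")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def windows(start: datetime, end: datetime, step: timedelta):
    """Yield contiguous half-open [gte, lt) windows covering [start, end)."""
    if step <= timedelta(0):
        raise ValueError("step must be positive")
    if end <= start:
        raise ValueError("end must be later than start")
    cursor = start
    while cursor < end:
        upper = min(cursor + step, end)  # the final window may be shorter
        yield cursor, upper
        cursor = upper  # next window starts exactly where this one stopped


def audit_log_urls(start: datetime, end: datetime, step: timedelta) -> list:
    """Build one GET URL per window using created_at[gte] and created_at[lt]."""
    urls = []
    for lower, upper in windows(start, end, step):
        query = urlencode({
            "created_at[gte]": to_utc_iso(lower),  # inclusive lower bound
            "created_at[lt]": to_utc_iso(upper),   # exclusive upper bound
        })
        urls.append(f"{BASE_URL}{ENDPOINT}?{query}")
    return urls


if __name__ == "__main__":
    # Constructed sample range: 25 hours pulled in 6-hour windows.
    begin = datetime(2026, 3, 1, 0, 0, tzinfo=timezone.utc)
    for url in audit_log_urls(begin, begin + timedelta(hours=25), timedelta(hours=6)):
        print(url)
```

Because each window's `created_at[lt]` equals the next window's `created_at[gte]`, a scheduled collector can persist the last upper bound and resume from it without overlap or gaps.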

Learn more in our Documentation.

Platform v1.77.9 (Trusted Sender IPs)

 

New

  

Sublime now supports Trusted Sender IPs, allowing organizations to reduce false positives caused by complex mail routing or on-prem relay configurations.

Admins can now configure a list of sender IP addresses they trust as legitimate. When messages from these IPs fail authentication checks (SPF, DKIM, or DMARC) solely due to an untrusted sending IP, Sublime will treat the message as authenticated.

This improves detection accuracy for internal and hybrid mail flows without requiring changes to public DNS or MX records.

Platform v1.77.8 (Enhanced Reporting and Analytics - Public Beta)

 

New

  

Sublime reporting has been redesigned and enhanced with drilldowns, exports, and new data to transform how you understand and communicate your email security posture.

Attack Insights and User Reports Overview are your new hub for attack analysis highlights, attack trends, remediation activity, top targets & reporters, and even top attackers in your environment.

What’s new:

  • Complete threat landscape: Gives you the full picture of email activity impacting your organization in one view, breaking down not just malicious attacks, but also spam, graymail, and email bombs.

  • Visual storytelling: Shows the complete remediation journey at a glance with a Sankey diagram, while time-series charts reveal attack patterns and trends that were previously buried in data tables.
  • Actionable Automation insights: Quantifies the value of your security automation, showing exactly how many threats were neutralized without human intervention.

  • Exports: Export via CSV for raw data or PDF for sharable visualizations.

Log in and head to Attack Insights or User Reports Overview to see Sublime’s enhanced reporting and analytics in action now!

Platform v1.77.6 (Rich Templates for User Report Auto-Replies)

 

New

  

User report auto-replies now permit rich formatting and from/reply-to customization. This update includes:

  • Rich email templates: format content with a rich text editor, embed your company logo, and use dynamic variables like subject, reporter_full_name, and report_date
  • Separate From/Reply-to addresses: send automated replies from a dedicated address (instead of your general abuse mailbox)

These updates are available on the Close the loop with reporter and Acknowledge user report Automation pages. Logo upload and From and Reply-to address configuration can be found under Admin > Account.

Platform v1.77 (Export messages and message groups to CSV or ZIP)

 

New

  

You can now export any list of messages or message groups to enable further analysis outside of Sublime, power custom reports, and more.

On any page with a list of messages you can now export messages as a CSV or zip file of EMLs. Head to Manage > Exports for a list of all exports in your account.

Platform v1.76 (Faster complex Hunts)

 

New

  

Complex, enrichment-heavy Hunts now finish significantly faster, so you can get answers sooner during investigations and incident response. We’ve re-architected Hunts to parallel-process enrichment workloads, making Hunts that used to be slow or hit limits significantly faster (performance gains will vary based on data size and query complexity).

With this version, you can:

  • Run enrichment-heavy hunts more efficiently (for example: attachment analysis with file.explode, or hunts that rely on WHOIS or ML functions).
  • See faster turnaround during incident response and investigations.
  • Run backtests and ADÉ jobs faster, so you can iterate on detections and validate changes sooner.

The update is now available, with no additional setup required.

Platform v1.75 (ASA for suspicious flagged messages)

 

New

  

ASA (Autonomous Security Analyst) can now automatically run on flagged messages whenever Attack Score is ambiguous to reduce analysts’ triage and investigation workload.

Activating the newest Automation, Send suspicious messages to ASA, sends flagged messages with a suspicious or unknown Attack Score verdict directly to ASA for in-depth analysis.

Learn more about ASA for flagged messages in our docs!

Platform v1.74.1 (Granular Webhook Scopes)

 

New

  

Sublime has added two new webhook configuration scopes, providing greater flexibility and control over automated workflows. Webhooks can now be configured to trigger:

  • On the first message flagged in a message group
  • On all messages processed within a flagged message group

These new options are in addition to the existing behavior of firing for flagged messages in a message group, enabling more precise event handling and integration customization.

Learn more about webhook configuration in our documentation.

Platform v1.74 (Delete Calendar Events - GA)

 

New

  

Sublime’s ability to automatically remediate unwanted calendar events is now generally available.

When Sublime Quarantines, Moves to Spam, or Trashes a message with a calendar invite, that event is automatically deleted from the mailbox user’s calendar. If the message is later restored, the event is re-added to the calendar as a placeholder for the original invite.

To enable this, extend your Sublime app permissions to include Calendar access. Not sure if you’ve already granted the right permissions? Head to Message Sources in the Sublime Platform and click on a message source to see permissions granted.

Reach out to us on Slack or via email with any questions or feedback. We’d love to hear from you!

Platform v1.73.71 (GitHub Apps Authentication for Private Feeds)

 

New

  

We have added the ability to authenticate Private Feeds using GitHub Apps along with the existing ability to use SSH and HTTPS.

Learn more about authentication for Private Feeds in our documentation.