This onboarding guide takes you through how to set up Sublime Security with Workbench. The integration lets Expel apply its detection strategy to Message Groups and Messages from Sublime Security, and pulls Sublime alerts into Workbench for investigation and remediation.

Prerequisites

  • You must have Organization Admin access in Workbench to set up this integration.
  • You must have Admin privileges in Sublime to create a user account and API key.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Add a Sublime User with the Analyst Role for Console Access
  2. Generate API Credentials
  3. Add a Tag to a Rule in Sublime
  4. Add Sublime Security as a Security Device in Workbench
  5. Enable Auto-Remediation of Delivered Messages

Step 1: Add a Sublime User with the Analyst Role for Console Access

Of the default roles available in Sublime, Analyst is the minimum role that lets Expel fully triage and research alerts and manage API keys. Learn more about why Expel asks for console access.

  1. Log into the Sublime dashboard.
  2. Using the side menu, navigate to Admin > Account.
  3. In the Users section, select Invite Users.
  4. On the Invite users page, configure the settings as follows:
    • Email addresses - enter "soc+<Your_Organization_Name>@expel.io".
      • For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
    • Role - select Analyst from the dropdown menu.
  5. Select Create Invitation.
    This triggers an email invitation allowing the Expel SOC to create an account and complete console access configuration in Workbench on your behalf.

Step 2: Generate API Credentials

To integrate the technology with Workbench, you need to create secure credentials for the API.

  1. In Sublime, use the side menu to navigate to Automate > API.
  2. Your Base URL is displayed near the top of the page. Copy and save it to a safe place for use in a later step. Base URLs depend on deployment type and region, so yours may differ from the one shown in another tenant's console.
  3. Next, select New Key.
  4. Give your new key a name, for example "Expel-Key".
  5. Select Save.
  6. The next screen shows the newly generated API key. Copy and save this value in a safe place for use in a later step. You may also reference this value on the API page later if needed.
  7. Close the Create API Key modal. Your new key appears in the API Keys list.

Step 3: Add a Tag to a Rule in Sublime

This step is optional and allows you to apply a tag to any rules for which you don't want results pulled into Workbench. For example, you could apply a tag to a rule for a process that isn't related to malicious emails or phishing.

  1. In Sublime, use the side menu to navigate to Detection Posture > Detection Rules.
  2. Select List view.
  3. Select the rule you wish to create a tag for.
  4. On the Detection Rule Details screen, select Edit Metadata.
  5. Leave the Actions dropdown with no action selected.
  6. In the Tags dropdown, enter "ExpelIgnore" and select Create "ExpelIgnore".
  7. Select Save Rule.

Step 4: Add Sublime Security as a Security Device in Workbench

Now that you have the necessary credentials, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the Workbench side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Sublime” and then select the Sublime Security integration.
  5. A configuration pane displays. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Sublime Security”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Sublime security API base URL - enter the Base URL you acquired in Step 2.
    • Sublime security API key - enter the API Key generated in Step 2.
  6. Select Save.
  7. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check, and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Step 5: Enable Auto-Remediation of Delivered Messages

Delivered messages from Sublime Security can be remediated by an automated workflow that fires on alerts for newly delivered messages and removes those emails from user inboxes, provided the customer is onboarded with one of the supported email integrations (for example, Microsoft 365 or GSuite).

In order to enable automatic removal of emails, you must complete two steps.

Note that enabling Step 1 on its own simply gives the Expel SOC the ability to auto-remove emails on demand, at human discretion.

Enabling Step 2 allows an automated workflow to remove every email marked as a delivered threat by Sublime Security whether or not this email has already been triaged/investigated by the Expel SOC, without human input.

Removal of the email will not impact correlated detections; the Expel SOC will still respond to any additional detections and events linked to the original email. Visibility into removed emails is provided via Workbench, and removed emails can be restored to an inbox at customer request by either the customer or Expel.

Step 1: Enable the “Remove Malicious Email” Auto-Remediation

Follow the setup instructions for your email vendor(s) in the Expel Auto-Remediations Setup Guides to prepare to enable the Auto-Remediation for “Remove Malicious Email”.

Step 2: Enable the Customer Configuration for Auto-Removal of Delivered Messages

Sublime Security uses one Expel customer configuration option, org.preference.email.auto_remediate_delivered, that can be enabled via self-service in Workbench, or by a Customer Success Manager.

In order to use this configuration option, you must have already onboarded a supported email client with Expel (e.g. Microsoft 365 or GSuite).

When checked, this configuration option enables the auto-removal of all Delivered Message events from Sublime Security, regardless of whether the message has been triaged by Expel's SOC. The delivered email will be removed for every impacted user that can be found in the onboarded email client.

If the Delivered Message event is later correlated to other activity, such as a suspicious identity, download, or execution event, that activity will still surface as a separate alert that the Expel SOC triages, unaffected by this auto-remediation.

To set up this configuration option:

  1. Log in to Workbench.
  2. Using the side menu, navigate to Organization Settings, select My Organizations, and select the name of your organization under the Name column.
  3. Navigate to the Configuration tab, and find or filter by org.preference.email.auto_remediate_delivered.
  4. Check the box to enable this configuration option.
  5. Select Save.