Merge pull request #11955 from Security-Onion-Solutions/fix/sublime_analyzer_documentation

Sublime Analyzer Documentation

salt/sensoroni/files/analyzers/README.md

@@ -6,19 +6,20 @@ Security Onion provides a means for performing data analysis on varying inputs.
 
 The built-in analyzers support the following observable types:
 
-| Name                    | Domain | Hash  | IP    | Mail  | Other | URI   |  URL  | User Agent |
+| Name                    | Domain |  EML  | Hash  | IP    | Mail  | Other | URI   |  URL  | User Agent |
-| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|
+| ------------------------|--------|-------|-------|-------|-------|-------|-------|-------|-------|
-| Alienvault OTX          |✓ |✓|✓|✗|✗|✗|✓|✗|
+| Alienvault OTX          |✓ |✗|✓|✓|✗|✗|✗|✓|✗|
-| EmailRep                |✗ |✗|✗|✓|✗|✗|✗|✗|
+| EmailRep                |✗ |✗|✗|✗|✓|✗|✗|✗|✗|
-| Greynoise               |✗ |✗|✓|✗|✗|✗|✗|✗|
+| Greynoise               |✗ |✗|✗|✓|✗|✗|✗|✗|✗|
-| LocalFile               |✓ |✓|✓|✗|✓|✗|✓|✗|
+| LocalFile               |✓ |✗|✓|✓|✗|✓|✗|✓|✗|
-| Malware Hash Registry   |✗ |✓|✗|✗|✗|✗|✓|✗|
+| Malware Hash Registry   |✗ |✗|✓|✗|✗|✗|✗|✓|✗|
-| Pulsedive               |✓ |✓|✓|✗|✗|✓|✓|✓|
+| Pulsedive               |✓ |✗|✓|✓|✗|✗|✓|✓|✓|
-| Spamhaus                |✗ |✗|✓|✗|✗|✗|✗|✗|
+| Spamhaus                |✗ |✗|✗|✓|✗|✗|✗|✗|✗|
-| Urlhaus                 |✗ |✗|✗|✗|✗|✗|✓|✗|
+| Sublime Platform        |✗ |✓|✗|✗|✗|✗|✗|✗|✗|
-| Urlscan                 |✗ |✗|✗|✗|✗|✗|✓|✗|
+| Urlhaus                 |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
-| Virustotal              |✓ |✓|✓|✗|✗|✗|✓|✗|
+| Urlscan                 |✗ |✗|✗|✗|✗|✗|✗|✓|✗|
-| WhoisLookup             |✓ |✗|✗|✗|✗|✓|✗|✗|
+| Virustotal              |✓ |✗|✓|✓|✗|✗|✗|✓|✗|
+| WhoisLookup             |✓ |✗|✗|✗|✗|✗|✓|✗|✗|
 
 ## Authentication
 
@@ -29,10 +30,11 @@ Many analyzers require authentication, via an API key or similar. The table belo
 [AlienVault OTX](https://otx.alienvault.com/api)            |✓|
 [EmailRep](https://emailrep.io/key)                  |✓|
 [GreyNoise](https://www.greynoise.io/plans/community)                 |✓|
-LocalFile                 |✗|
+[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile)                 |✗|
 [Malware Hash Registry](https://hash.cymru.com/docs_whois)    |✗|
 [Pulsedive](https://pulsedive.com/api/)                 |✓|
 [Spamhaus](https://www.spamhaus.org/dbl/)                  |✗|
+[Sublime Platform](https://sublime.security)              |✓| 
 [Urlhaus](https://urlhaus.abuse.ch/)                   |✗|
 [Urlscan](https://urlscan.io/docs/api/)                   |✓|
 [VirusTotal](https://developers.virustotal.com/reference/overview)                |✓|

salt/sensoroni/files/analyzers/sublime/README.md

@@ -0,0 +1,24 @@
+# Sublime
+
+## Description
+Submit a base64-encoded EML file to Sublime Platform for analysis.
+
+## Configuration Requirements
+In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `sublime_platform`.
+
+![image](https://github.com/Security-Onion-Solutions/securityonion/assets/16829864/a914f59d-c09f-40b6-ae8b-d644df236b81)
+
+
+The following configuration options are available for:
+
+``api_key`` - API key used for communication with the Sublime Platform API (Required)
+
+``base_url`` -  URL used for communication with Sublime Platform. If no value is supplied, the default of `https://api.platform.sublimesecurity.com` will be used.
+
+The following options relate to [Live Flow](https://docs.sublimesecurity.com/reference/analyzerawmessageliveflow-1) analysis only:
+
+``live_flow`` - Determines if live flow analysis should be used. Defaults to `False`.
+
+``mailbox_email_address`` - The mailbox address to use for during live flow analysis. (Required for live flow analysis)
+
+``message_source_id`` - The ID of the message source to use during live flow analysis. (Required for live flow analysis)