Detection rules › By event

Sublime-Message-headers Event ID 7000010

50 detection rules reference this event. View event page.

Sublime MQL (50)

Attachment: EML with Sharepoint link likely unrelated to sender severity medium
Attachment: Fake secure message and suspicious indicators severity medium
Brand impersonation: Adobe with suspicious language and link severity high
Brand impersonation: AliExpress severity medium
Brand impersonation: Aquent severity medium
Brand impersonation: Box file sharing service severity medium
Brand impersonation: DocuSign severity high
Brand impersonation: Mailgun severity medium
Brand impersonation: Microsoft with embedded logo and credential theft language severity high
Brand impersonation: Microsoft with low reputation links severity medium
Brand impersonation: Morgan Stanley severity medium
Brand impersonation: Okta severity medium
Brand impersonation: Wix severity medium
Callback phishing in body or attachment (untrusted sender) severity medium
ClickFunnels link infrastructure abuse severity high
Compensation review with QR code in attached EML severity high
Credential phishing: 'Secure message' and engaging language severity medium
Credential phishing: Email delivery failure impersonation severity high
Credential phishing: Fake storage alerts (unsolicited) severity medium
EML attachment with credential theft language (unknown sender) severity high
Fake email quarantine notification severity high
Fake message thread with a suspicious link and engaging language from an unknown sender severity medium
Fake thread with suspicious indicators severity medium
Fake voicemail notification (untrusted sender) severity medium
Impersonation: Internal corporate services severity high
Link: Credential phishing traversing Russian infrastructure severity high
Link: Referrer anonymization service from untrusted sender severity medium
Link: Squarespace infrastructure abuse severity medium
Open redirect: bubblelife.com severity medium
Open redirect: convertcart.com severity medium
Open redirect: magic4media.com severity medium
Open redirect: pmifunds.com severity medium
Open redirect: predictiveresponse.net severity medium
Open redirect: qrxtech.com severity medium
Open redirect: secondstreetapp.com severity medium
Open redirect: Signature Travel Network severity medium
Open redirect: smartadserver.com severity medium
Open redirect: tuttocauzioni.it severity medium
Open redirect: weblinkconnect.com severity medium
Service Abuse: ExactTarget with suspicious sender indicators severity high
Service abuse: Free provider with SendGrid routing severity medium
Service abuse: Monday.com infrastructure with phishing intent severity high
Service abuse: Sendgrid credential theft with personalized request targeting single recipient severity medium
Service abuse: SendGrid impersonation via Sendgrid from new sender severity high
Spam/fraud: Predatory journal/research paper request severity medium
Spam: BlackBaud infrastructure abuse severity medium
Spam: Personalized subject and greetings via Salesforce Marketing Cloud severity low
Spam: Sendersrv.com with financial communications and unsubscribe language severity medium
Spoofable internal domain with suspicious signals severity medium
Vendor compromise: GovDelivery message with suspicious link severity high

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-headers Event ID 7000010

Sublime MQL (50)

Keyboard shortcuts

Search operators