Detection rules › By event

Sublime-Message-headers Event ID 7000013

36 detection rules reference this event. View event page.

Sublime MQL (36)

BEC with unusual reply-to or return-path mismatch severity high
Brand impersonation: Google Drive fake file share severity medium
Brand impersonation: Greenvelope severity medium
Brand impersonation: Ledger severity low
Brand impersonation: LinkedIn severity medium
Brand impersonation: Microsoft fake sign-in alert severity medium
Brand impersonation: Microsoft with embedded logo and credential theft language severity high
Business Email Compromise (BEC) attempt from unsolicited sender severity medium
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old severity medium
Credential phishing: Engaging language and other indicators (untrusted sender) severity medium
Cyrillic vowel substitution in subject or display name from unknown sender severity medium
Fake request for tax preparation severity high
Fake shipping notification with link to free file hosting severity low
Fake thread with suspicious indicators severity medium
Google Notification alert link from non-Google sender severity medium
Inbound message from popular service via newly observed distribution list severity medium
Invoicera infrastructure abuse severity medium
Link: File sharing impersonation with suspicious language and sending patterns severity medium
Link: Free file hosting with undisclosed recipients severity medium
Link: Squarespace infrastructure abuse severity medium
Message traversed multiple onmicrosoft.com tenants severity medium
Microsoft infrastructure abuse with suspicious patterns severity high
Open redirect: bestdeals.today severity medium
Open redirect: isadatalab.com severity medium
Open redirect: queue.swytchbike.com severity medium
Open redirect: Ticketmaster severity low
Russia return-path TLD (untrusted sender) severity low
Salesforce infrastructure abuse severity medium
Sendgrid onmicrosoft.com domain phishing severity medium
Sendgrid voicemail phish severity high
Service abuse: AWS SNS callback scam impersonation severity medium
Service abuse: GitHub notification with excessive mentions and suspicious links severity high
Service abuse: Task management message sent via SendGrid severity medium
Suspicious mailer received from Gmail servers severity low
Tax Form: W-8BEN solicitation severity medium
VIP Impersonation via Google Group relay with suspicious indicators severity high

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-headers Event ID 7000013

Sublime MQL (36)

Keyboard shortcuts

Search operators