Receive and analyze emails with rules in Sublime Security

This workflow is designed to automate the reception and analysis of user-reported suspicious emails, particularly phishing emails with .eml attachments. It captures new emails through an IMAP email trigger and transfers the attachments to a secure analysis platform for rule detection. The system automatically categorizes the analysis results and generates detailed reports, which are pushed in real-time to a designated Slack channel. Additionally, if an email is missing an attachment, the system will issue a reminder to ensure that the security team can quickly respond to potential threats.

Workflow Diagram

[Image: workflow diagram for "Receive and analyze emails with rules in Sublime Security"]

Workflow Name

Receive_and_analyze_emails_with_rules_in_Sublime_Security

Key Features and Highlights

This workflow automatically receives emails containing .eml attachments via an IMAP email trigger, focusing on centralized management and analysis of user-reported phishing emails. It securely transfers email attachments to the Sublime Security platform for multi-rule detection, automatically differentiates between matched and unmatched rule results, and formats detailed analysis reports which are then pushed to designated Slack channels. This ensures that the security team is promptly informed of potential threats. If an email lacks attachments, the system automatically sends a notification to alert relevant personnel.

Core Problems Addressed

  • Automates the capture of suspicious emails reported by users, eliminating delays and omissions caused by manual handling.
  • Utilizes security rules for precise email content analysis to quickly identify phishing and other security threats.
  • Delivers analysis results to the team in real time, enhancing response speed and collaboration efficiency.
  • Ensures the security and compliance of the email processing workflow, reducing the risk of false positives.

Use Cases

  • Automated phishing email handling in enterprise Security Operations Centers (SecOps).
  • Rapid identification and response to user-reported malicious emails by IT security teams.
  • Organizations requiring real-time communication of email security analysis results to team collaboration channels.

Main Workflow Steps

  1. Email Reception: Monitor a dedicated mailbox via IMAP trigger to capture new emails.
  2. Attachment Verification: Check whether the email contains attachments and confirm that the attachment type is .eml.
  3. Data Conversion: Convert the binary data of the email attachment into Base64 encoded format.
  4. Security Analysis: Invoke the Sublime Security API to perform rule-based detection on the email content.
  5. Result Classification: Use a code node to categorize analysis results into matched and unmatched rule groups.
  6. Message Formatting: Generate a report text including the count of matched rules and detailed rule names.
  7. Slack Notification: Send the formatted security analysis report to the specified Slack channel; if no attachment is found, send a missing attachment notification.
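The attachment check of step 2 and the classify-and-format logic of steps 5 to 7, written as an added JavaScript example in the style of an n8n Code node; this is not the template's own code. The response shape (a `rule_results` array whose entries carry `matched` and `rule.name`), the `fileName` attachment field and the sample response are assumptions constructed for the example.

```javascript
// Added example, not code from the n8n template or from Sublime Security.
// Assumed response shape: { rule_results: [{ matched: bool, rule: { name, severity } }] }.

// Step 2: accept only attachments whose file name ends in .eml (case-insensitive).
function isEmlAttachment(attachment) {
  const name = (attachment && attachment.fileName) || '';
  return /\.eml$/i.test(name);
}

// Step 5: split rule results into matched and unmatched groups; tolerate a missing array.
function classifyRuleResults(response) {
  const results = (response && Array.isArray(response.rule_results)) ? response.rule_results : [];
  const matched = [];
  const unmatched = [];
  for (const r of results) {
    const name = (r.rule && r.rule.name) || 'unnamed rule';
    (r.matched ? matched : unmatched).push(name);
  }
  return { matched, unmatched };
}

// Step 6: build the Slack report text with the matched count and rule names.
function formatReport(subject, groups) {
  const total = groups.matched.length + groups.unmatched.length;
  const lines = [`Sublime analysis for: ${subject}`, `Matched rules: ${groups.matched.length} / ${total}`];
  if (groups.matched.length === 0) {
    lines.push('No detection rules matched.');
  } else {
    for (const name of groups.matched) lines.push(`- ${name}`);
  }
  return lines.join('\n');
}

// Step 7 fallback: notice sent when the reported email carried no .eml attachment.
function missingAttachmentNotice(subject, from) {
  return `Reported email "${subject}" from ${from} has no .eml attachment; ask the reporter to forward the original as an attachment.`;
}

// Constructed sample response, standing in for the Sublime Security API call.
const sampleResponse = {
  rule_results: [
    { matched: true,  rule: { name: 'Credential phishing: suspicious link', severity: 'high' } },
    { matched: false, rule: { name: 'Attachment: macro-enabled document', severity: 'medium' } },
    { matched: true,  rule: { name: 'Brand impersonation: display name', severity: 'medium' } },
  ],
};

console.log(formatReport('Invoice overdue', classifyRuleResults(sampleResponse)));
```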

Involved Systems or Services

  • Outlook Mailbox (IMAP): Email retrieval.
  • Sublime Security: Email security detection and rule matching service.
  • Slack: Security incident reporting and team communication.
  • n8n: Automation workflow orchestration and execution platform.

Target Users and Value Proposition

  • Enterprise security teams and SecOps professionals aiming to improve phishing email response efficiency.
  • IT operations and security analysts seeking to reduce manual analysis workload and achieve security automation.
  • Any organization that requires integration of email security analysis with instant team notifications to enhance email threat management and team collaboration effectiveness.