Triage Rules

Overview

Triage rules are used for auto-triaging user-reported phish, and soon for auto-triaging flagged messages as well. They greatly reduce the time spent reviewing known-safe and clearly malicious reported phish, and they're a powerful tool for intelligently handling messages that require further analysis.

Here are two main ways organizations are using Triage Rules today:

  • Auto-trash entire campaigns based on a single user report
  • Trigger an email alert whenever a VIP user reports a message

When writing triage rules, you may reference user_reports.count to take action based on the number of users who have reported the same Message Group.

Soon, you’ll be able to:

  • Run Triage Rules on flagged messages and trigger Actions based on conditions like time of day, which detection rules flagged, and more
  • Auto-dismiss user reports of known-safe messages and send an email to the reporting user
  • Trigger webhooks with Triage Rules, e.g. to send user reports to your SOAR
  • Ingest and share Triage Rules via Feeds

Get started

Be sure to integrate your abuse mailbox or other phishing reporting mechanisms with Sublime.

Then create your first triage rule by visiting Rules > Triage Rules and clicking New rule.