Triage Rules


Triage Rules are used for auto-triaging flagged messages and user reported messages to improve analyst efficiency and take high confidence remediation actions.

Here are a few ways organizations are using Triage Rules today:

  • Auto-quarantine and auto-review flagged messages when they landed in spam
  • Auto-quarantine campaigns when multiple Detection Rules flag
  • Auto-quarantine entire campaigns based on a single (or multiple) user reports
  • Trigger an email alert whenever a VIP user reports a message
  • Apply a warning banner to any flagged message when the recipient is a VIP

What are Triage Rules?

Triage Rules leverage MQL logic, functions, and syntax, just like a Detection Rule. However, Triage Rules require a trigger to start processing a message: either when a user reports a message or when any Detection Rule flags a message.

When writing Triage Rules, you may reference triage. MDM properties that are specific to this Rule type:

  • triage - Message (group) information available during the evaluation of Triage Rules:
    • .user_reports - Aggregate information about user reports for the message group
      • .count - *number* - A count of the number of times this message group has been reported by distinct users
    • .flagged_rules - List of all Detection Rules that matched any message in the group
      • .attack_types - *array of strings* - Attack types associated with the Rule
      • .detection_methods - *array of strings* - Detection methods associated with the Rule
      • .name - *string* - Name of the Rule
      • .severity - *string* - Severity level of the Rule
      • .tactics_and_techniques - *array of strings* - Tactics and techniques associated with the Rule
      • .tags - *array of strings* - Tags associated with the Rule, including user provided tags

Note: These properties don’t auto-complete in the MQL Editor today, but are still reference-able.

Example Triage Rules

User reported message with more than 1 report

Trigger: user report

Action: warning banner

and triage.user_reports.count > 1 

Flagged messages with more than 3 matching Detection Rules

Trigger: flagged message

Action: auto-quarantine

and length(triage.flagged_rules) > 3

Flagged messages that landed in spam

Trigger: flagged message

Action: auto-quarantine

and external.spam

Get started

To use the user report trigger, read our docs on User-reported phishing.

To create a Triage Rule, visit Rules > Triage and click New Rule. When you finish writing your Rule, click Create Rule. In the metadata modal, be sure to set the Type to “Triage” and the Triggers to “user report” and/or “flagged message”.