Triage rules are used for auto-triaging user-reported phish, and soon for auto-triaging flagged messages as well. They greatly reduce the time spent reviewing known-safe and clearly malicious reported phish, and they're a powerful tool for intelligently handling messages that require further analysis.
Here are two main ways organizations are using Triage Rules today:
- Auto-trash entire campaigns based on a single user report
- Trigger an email alert whenever a VIP user reports a message
When writing triage rules you may reference `user_reports.count` to take action based on the number of users who have reported the same Message Group.
Soon, you’ll be able to:
- Run Triage Rules on flagged messages and trigger Actions based on conditions like time of day, which detection rules flagged, and more
- Auto-dismiss user reports of known-safe messages and send an email to the reporting user
- Trigger webhooks with Triage Rules, e.g. to send user reports to your SOAR
- Ingest and share Triage Rules via Feeds
Be sure to integrate your abuse mailbox or other phishing reporting mechanisms with Sublime.
Then create your first triage rule by visiting Rules > Triage Rules and clicking New rule.
Updated 7 months ago