Triage Rules

Overview

Triage rules are used for auto-triaging user reported phish, and soon for auto-triaging flagged messages as well. They greatly reduce the time spent reviewing known-safe and clearly malicious reported phish, and they're a powerful tool for intelligently handling messages that require further analysis.

Here are two main ways organizations are using Triage Rules today:

  • Auto-trash entire campaigns based on a single user report
  • Trigger an email alert whenever a VIP user reports a message

Soon, you’ll be able to:

  • Run Triage Rules on flagged messages and trigger Actions based on conditions like time of day, which detection rules flagged, and more
  • Auto-dismiss user reports of known-safe messages and send an email to the reporting user
  • Trigger webhooks with Triage Rules, e.g. to send user reports to your SOAR
  • Ingest and share Triage Rules via Feeds
  • Reference the number of reporting users in MQL and auto-remediate based on this information, e.g. always auto-trash a campaign if more than one user reports it

Get started

Be sure to integrate your abuse mailbox or other phishing reporting mechanisms with Sublime.

Then create your first triage rule by visiting Rules > Triage Rules and clicking New rule.