Triage Rules

Overview

Triage Rules auto-triage flagged messages and user-reported messages to improve analyst efficiency and take high-confidence remediation actions.

Here are a few ways organizations are using Triage Rules today:

  • Auto-quarantine and auto-review flagged messages when they land in spam
  • Auto-quarantine campaigns when multiple Detection Rules flag
  • Auto-quarantine entire campaigns based on a single (or multiple) user reports
  • Trigger an email alert whenever a VIP user reports a message
  • Apply a warning banner to any flagged message when the recipient is a VIP

What are Triage Rules?

Triage Rules leverage MQL logic, functions, and syntax, just like a Detection Rule. However, Triage Rules require a trigger to start processing a message: either when a user reports a message or when any Detection Rule flags a message.

When writing Triage Rules, you may reference the beta.attack_score() function and the triage MDM properties, which are specific to this Rule type:

  • beta - Beta feature
    • .attack_score - Attack Score information about a given message
      • .verdict - *string* - A description (malicious, suspicious, or unknown) of the likelihood that a given message is an attack
      • .score - *float* - A number from 0-100 calculated by the ML algorithm, with higher scores indicating a higher correlation with messages involved in attacks
  • triage - Message (group) information available during the evaluation of Triage Rules:
    • .user_reports - Aggregate information about user reports for the message group
      • .count - *number* - A count of the number of times this message group has been reported by distinct users
    • .flagged_rules - List of all Detection Rules that matched any message in the group
      • .attack_types - *array of strings* - Attack types associated with the Rule
      • .detection_methods - *array of strings* - Detection methods associated with the Rule
      • .name - *string* - Name of the Rule
      • .severity - *string* - Severity level of the Rule
      • .tactics_and_techniques - *array of strings* - Tactics and techniques associated with the Rule
      • .tags - *array of strings* - Tags associated with the Rule, including user provided tags
      • .feed - Information about the feed containing this rule, or null if the rule didn't come from a feed
        • .name - *string* - Name of the feed
        • .is_core - *boolean* - Whether the feed is the Sublime Rules Feed

Example Triage Rules

Default in platform: Flagged or user reported messages with a malicious Attack Score verdict

  • Trigger: flagged message, user report
  • Recommended Action: auto-quarantine, auto-review
type.inbound
and beta.attack_score().verdict == "malicious"

Flagged or user reported messages with a suspicious Attack Score verdict

  • Trigger: flagged message, user report
  • Recommended Action: warning banner
type.inbound
and beta.attack_score().verdict == "suspicious"

User reported message with more than 1 report

  • Trigger: user report
  • Recommended Action: warning banner
type.inbound
and triage.user_reports.count > 1

Flagged messages with more than 3 matching Detection Rules

  • Trigger: flagged message
  • Recommended Action: auto-quarantine
type.inbound
and length(triage.flagged_rules) > 3

Flagged messages that landed in spam

  • Trigger: flagged message
  • Recommended Action: auto-quarantine
type.inbound
and external.spam

Flagged or user reported messages with Detection Rules that have specific tags

  • Trigger: flagged message, user report
  • Recommended Action: auto-quarantine
type.inbound
and any(triage.flagged_rules, any(.tags, . == "tag name here"))
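MQL only runs inside the platform, so the following is an added Python model (not Sublime's code) of the evaluation context described under "What are Triage Rules?" and of the example rules above. Each example rule is transcribed into a predicate over a constructed message-group record whose fields mirror the documented triage.* and beta.attack_score() properties, and evaluate() applies only the rules whose triggers include the event that started processing. The trigger gating, the precedence used when several rules recommend different actions, the tag value "credential-phishing" standing in for "tag name here", the sample rule names, and the sample groups are all assumptions made for this illustration.

```python
"""Python model of Triage Rule evaluation, added here as an illustration.

Not Sublime's code and MQL is not executed: the page's example Triage Rules
are transcribed into Python predicates over a constructed message-group record
whose fields mirror the documented triage.* and beta.attack_score() properties.
Trigger gating and the action ranking are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Feed:
    name: str
    is_core: bool


@dataclass
class FlaggedRule:
    """One entry of triage.flagged_rules."""
    name: str
    severity: str
    attack_types: list = field(default_factory=list)
    detection_methods: list = field(default_factory=list)
    tactics_and_techniques: list = field(default_factory=list)
    tags: list = field(default_factory=list)
    feed: Optional[Feed] = None


@dataclass
class MessageGroup:
    """The evaluation context a Triage Rule sees (constructed, not a real MDM)."""
    inbound: bool              # type.inbound
    in_spam: bool              # external.spam
    attack_verdict: str        # beta.attack_score().verdict
    attack_score: float        # beta.attack_score().score
    user_report_count: int     # triage.user_reports.count
    flagged_rules: list        # triage.flagged_rules


@dataclass
class TriageRule:
    name: str
    triggers: frozenset        # subset of {"flagged message", "user report"}
    actions: tuple             # recommended actions from the page
    predicate: Callable[[MessageGroup], bool]


def any_(items, pred):
    """MQL-style any(list, expr): true if pred holds for at least one element."""
    return any(pred(x) for x in items)


BOTH = frozenset({"flagged message", "user report"})
TAG = "credential-phishing"  # assumed tag value standing in for "tag name here"

# The page's example rules, one predicate each.
RULES = [
    TriageRule("malicious verdict", BOTH, ("auto-quarantine", "auto-review"),
               lambda g: g.inbound and g.attack_verdict == "malicious"),
    TriageRule("suspicious verdict", BOTH, ("warning banner",),
               lambda g: g.inbound and g.attack_verdict == "suspicious"),
    TriageRule("multiple user reports", frozenset({"user report"}), ("warning banner",),
               lambda g: g.inbound and g.user_report_count > 1),
    TriageRule("more than 3 rules", frozenset({"flagged message"}), ("auto-quarantine",),
               lambda g: g.inbound and len(g.flagged_rules) > 3),
    TriageRule("landed in spam", frozenset({"flagged message"}), ("auto-quarantine",),
               lambda g: g.inbound and g.in_spam),
    TriageRule("tagged rule", BOTH, ("auto-quarantine",),
               lambda g: g.inbound and any_(g.flagged_rules,
                                            lambda r: any_(r.tags, lambda t: t == TAG))),
]

# Assumed precedence when several matched rules recommend different actions.
ACTION_RANK = {"auto-quarantine": 3, "auto-review": 2, "warning banner": 1}


def evaluate(group, trigger, rules=RULES):
    """Run every rule whose triggers include `trigger`; return (matched names, strongest action)."""
    matched = [r for r in rules if trigger in r.triggers and r.predicate(group)]
    actions = {a for r in matched for a in r.actions}
    strongest = max(actions, key=ACTION_RANK.__getitem__, default=None)
    return [r.name for r in matched], strongest


# Constructed samples (not real detections).
CORE = Feed(name="Sublime Rules Feed", is_core=True)

# Flagged by one rule, landed in spam, suspicious verdict, never reported.
SPAM_GROUP = MessageGroup(
    inbound=True, in_spam=True, attack_verdict="suspicious", attack_score=61.5,
    user_report_count=0,
    flagged_rules=[FlaggedRule("Constructed rule A", "medium", tags=["lookalike"], feed=CORE)],
)

# Reported by two users, no Detection Rule fired, unknown verdict.
REPORTED_GROUP = MessageGroup(
    inbound=True, in_spam=False, attack_verdict="unknown", attack_score=12.0,
    user_report_count=2, flagged_rules=[],
)

if __name__ == "__main__":
    for label, group, trigger in [("spam, flagged", SPAM_GROUP, "flagged message"),
                                  ("spam, user report", SPAM_GROUP, "user report"),
                                  ("reported twice", REPORTED_GROUP, "user report")]:
        print(label, "->", evaluate(group, trigger))
```

The same message group yields different outcomes depending on the trigger: the spam sample is auto-quarantined when evaluated on the "flagged message" trigger but only gets a warning banner on the "user report" trigger, because the "landed in spam" rule is not configured to run on user reports. That is the behaviour to keep in mind when choosing Triggers in the metadata modal: a Triage Rule never fires on an event it is not configured for, regardless of what its MQL would match.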

Get started

To use the user report trigger, read our docs on User-reported phishing.

To create a Triage Rule, visit Rules > Triage and click New Rule. When you finish writing your Rule, click Create Rule. In the metadata modal, be sure to set the Type to “Triage” and the Triggers to “user report” and/or “flagged message”.