
Guidance: Add Context to Triage

Use Guidance to add context before triage, so Auto Triage can interpret alerts accurately and reduce noise.

Guidance enables you to provide context for Auto Triage before alerts are evaluated. Use Guidance to explain how your environment works, how your SOC prefers to handle alerts, and what should be considered normal or risky. This helps Auto Triage determine the alert’s severity and verdict based on your organization’s context and priorities.

Auto Triage is not enabled by default and requires separate enablement. To get access, contact Torq Support.

When To Use

Use Guidance when:

  • Alert handling depends on context, not fixed rules.

  • You'd like to explain expected day-to-day behavior in your environment.

  • You want to reduce noise without forcing a final verdict.

Guidance provides context before alerts are triaged. Rules are applied after triage to enforce a final verdict.

If you need to enforce a specific severity or verdict, use Rules instead.

Rules and Guidance require the user to have the following Auto Triage scopes: Create and update triage context rules, View triage context rules, and Delete triage context rules. These scopes are not included in the default roles and must be assigned explicitly.

How to use

  1. Access the Guidance tab: To manage Guidance, click the Settings icon in the top-right corner of the Auto Triage page, then select the Guidance tab.

  2. Add guidance:

    1. Click Add.

    2. Enter a Name and optional Description.

    3. Select where the guidance applies:

      • Always: The rule applies to all ingested alerts.

      • By source: The rule applies only to selected alert sources.

    4. Enter guidance text in the Guidance field.

    5. Click Add to enable the guidance.

Each guidance entry is limited to 2,000 characters.

Additional actions

  • Check guidance status: To quickly confirm whether a guidance entry is active, check the Status toggle button on the right side of the guidance list to see if it is enabled or disabled.

  • Manage guidance options: Click the more options button to copy a direct link, duplicate, or delete the rule.

Review guidance impact on alerts

After configuring guidance, teams can verify its impact on alert handling during Auto Triage.

When reviewing an alert on the main Alerts page, scroll to the bottom of the alert details panel to view the Rules and Guidance section and see which guidance was applied.

To open a guidance configuration page directly from an alert, hover over the guidance entry in the Rules and Guidance section and click Go to Guidance.

Track guidance updates

The Guidance tab shows who created each entry and who last updated it, along with the corresponding timestamps, giving quick visibility into ownership and recent changes.

Guidance creation and deletion can also be validated in Torq’s audit log.

Examples

Providing Context for Approved Internal Software

Internally developed or business-critical applications may generate behavior that resembles malicious activity. By using guidance to describe known execution patterns, network behavior, or maintenance windows associated with approved internal software, Auto Triage can better interpret intent and reduce noise, without compromising visibility or forcing a premature decision.

Expected Security Testing

Security teams often run breach-and-attack simulation tools that intentionally mimic real attacker behavior. By adding guidance that identifies known simulation vendors and their unique system fingerprints, Auto Triage can confidently classify this activity as authorized testing rather than a real threat. This reduces unnecessary escalations while ensuring true attacks remain visible and prioritized.

FAQ

Does guidance enforce a severity or verdict?

No. Guidance provides context before triage to help interpret alerts, but it does not enforce a final severity or verdict. If you need to explicitly set or override an alert's outcome, use Rules instead.

When should I use guidance instead of rules?

Use guidance when alert handling depends on context or expected behavior, such as internal tools, maintenance windows, or security testing. Use rules only when you want to force a specific severity or verdict regardless of context.

How can I tell if guidance is being applied to an alert?

When viewing an alert, scroll to the bottom of the alert details pane and review the Rules and Guidance section. This shows which guidance entries were evaluated during Auto Triage and helps validate their impact.
