Auto Triage is not enabled by default and requires separate enablement. To get access, contact Torq Support.
Rules let you override Auto Triage decisions after an alert has been triaged. Use rules to apply organization-specific logic, such as reducing severity for expected testing activity or increasing severity for alerts involving critical assets or high-value users.
When a rule matches, it enforces the final severity or verdict, overriding the triage outcome. This ensures alert handling aligns with your organization’s priorities and remains consistent across alert sources.
Rules and Guidance require the user to have the following Auto Triage permissions: Create and update triage context rules, View triage context rules, and Delete triage context rules. These scopes are not included in the default roles and must be assigned explicitly.
How to use
Access rules: Click the Settings icon in the top-right corner of the Auto Triage page and open the Rules tab.
Create a new rule:
Click Create.
Enter a unique Name and optional Description.
Define when the rule applies: Use the Apply field to specify the sources to which the rule will apply.
Always: The rule applies to all ingested alerts.
By source: The rule applies only to selected alert sources.
Define the rule conditions:
For the IF condition:
Select an observable type, for example, hostname, IP, port, domain, or registry key.
Enter the corresponding observable value.
Observable values support several comparison parameters, including Equals, Is in, and Contains. Select Matches RegEx to evaluate the value as a regular expression. Torq uses Go-style regular expressions (RE2), so lookaround and backreferences are not available; anchor the pattern with ^ and $ when the whole value must match, as in the examples below.
When using the Is in or Is not in comparison parameters, you can enter multiple values. Click Enter after each value to add it as a separate list item.
(Optional) Define additional conditions:
Click Add condition.
Use AND when all conditions must match for the rule to apply.
Use OR when any of the conditions can match for the rule to apply.
Define the rule outcome: In the THEN section, select one or both of the following options:
Set the severity to assign the final severity.
Set the verdict to assign the final verdict.
(Optional) Test the rule: Click the Preview tab. Results load automatically for the last 30 days. To test a different time range, select it from the dropdown. See Test a rule against triaged alerts below for more details.
Save the rule: Click Save. The rule is created, enabled, and placed at the top of the rules list.
(Optional) Reorder rules: Drag the rule using the drag handle next to the rule number.
Rules are evaluated in order. The first matching rule is applied.
Test a rule against triaged alerts
Before saving or enabling a rule, you can validate it against a window of recently triaged alerts to understand its impact. This helps you catch rules that are too broad or too narrow before they affect live traffic.
The Preview tab is available only after a rule condition has been edited. If the tab appears greyed out, modify the rule conditions to enable it.
The preview runs against the last 30 days by default and evaluates up to the 10,000 most recent alerts that match the rule conditions. Preview runs are also rate-limited per user and per workspace to protect performance.
The top of the preview shows the total number of alerts evaluated and how many matched the rule. Each change type shows a total count and a breakdown of original value → projected value, with the number of affected alerts per change.
Verdict changes — how many alert verdicts the rule would change.
Severity changes — how many alert severities the rule would change.
Each matched alert is listed with its alert name, Alert ID, source, current verdict, and current severity. Click any row to open the full alert detail.
If no alerts match the rule conditions, the preview displays “No alerts matched this rule.” If the rule was expected to match, broaden the conditions or widen the time range and run the preview again.
Triaged alerts are not modified. Results show simulated impact only.
Additional actions
Enable or disable a rule: Use the toggle in the Status column. A disabled rule keeps its position in the list but is skipped during evaluation.
Manage rule options: In the rule configuration panel, click the more options menu in the top-right corner to copy a direct link, duplicate the rule, or delete it.
Review rules impact on alerts
After configuring rules, teams can verify their impact on alert handling after triage.
When reviewing an alert in the main Alerts page, scroll to the bottom of the alert details panel to view the Rules and Guidance section to see which rules were applied.
To open a rule's configuration page directly from an alert, hover over the rule entry in the Rules and Guidance section and click Go to Rule.
Track rule updates
In the Rules tab, you can see who created each entry and who last updated it, along with the corresponding timestamps. This provides quick visibility into ownership and recent changes directly from the Rules tab.
Rule creation and deletion can also be verified in Torq’s audit log.
Examples
Escalate Company Email Activity to Critical
This rule escalates any alert containing a company email address to Critical by matching the email observable against a corporate-domain regular expression.
Configure the IF condition to detect company email addresses using a regular expression:

Field             Comparison parameter   Value
observable type   Equals                 Email
observable value  Matches RegEx          (?i)^[A-Z0-9._%+-]+@torq\.io$

In the THEN section, set the severity to Critical.
This configuration restricts the rule to email observables and escalates alerts involving company-owned email addresses regardless of letter case. The ^ and $ anchors ensure that only addresses ending exactly in @torq.io match, not look-alike domains with extra characters after it.
Critical Severity for CEO Activity
This rule escalates alerts to Critical when activity involves a designated VIP user, such as the CEO.
Configure the IF condition to detect activity involving VIP users:

Field             Comparison parameter   Value
observable type   Equals                 Hostname
observable value  Is in                  ceo-laptop, ceo-macbook, ceo-workstation

In the THEN section, set the severity to Critical.
Enter each hostname as a separate list item (press Enter after each value). The rule matches when the alert’s hostname observable equals any one of the listed values.
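The evaluation model described under How to use (source scope, AND/OR conditions, the comparison parameters, first-match ordering and the THEN override) and the Preview tab’s evaluated/matched counts, as an added Go example that is not Torq’s code: it re-implements that behaviour over constructed alerts so the two rules above can be exercised offline. The Alert and Observable shapes, the sample alerts, the third “Expected scanner” rule and the source name “edr” are assumptions for illustration; the regex operator uses Go’s regexp package because Torq documents RE2. Requires Go 1.21 or later for the slices package.

```go
package main

import (
	"fmt"
	"regexp"
	"slices" // Go 1.21+
	"strings"
)

// Minimal alert shape for this example (assumed, not Torq's schema); Observables are typed indicators.
type (
	Observable struct{ Type, Value string }
	Alert      struct {
		ID, Source, Severity, Verdict string
		Observables                   []Observable
	}
	Condition struct { // one IF row; Op is "Equals", "Is in", "Contains" or "Matches RegEx"
		Type, Op string
		Values   []string // one value, or several for "Is in"
	}
	Rule struct { // nil Sources = Always; Logic is "AND" or "OR"; empty THEN field = unchanged
		Name, Logic, Severity, Verdict string
		Sources                        []string
		Conds                          []Condition
	}
)

func (c Condition) matchValue(v string) bool {
	switch c.Op {
	case "Equals":
		return v == c.Values[0]
	case "Is in":
		return slices.Contains(c.Values, v)
	case "Contains":
		return strings.Contains(v, c.Values[0])
	case "Matches RegEx":
		// Go's regexp is RE2. MatchString is unanchored, so patterns need ^ and $ for a whole-value match.
		re, err := regexp.Compile(c.Values[0])
		return err == nil && re.MatchString(v)
	}
	return false
}

// appliesTo checks the source scope, then the AND/OR-joined conditions; a condition holds when any observable of its type satisfies it.
func (r Rule) appliesTo(a Alert) bool {
	if r.Sources != nil && !slices.Contains(r.Sources, a.Source) {
		return false
	}
	for _, c := range r.Conds {
		hit := slices.ContainsFunc(a.Observables, func(o Observable) bool {
			return o.Type == c.Type && c.matchValue(o.Value)
		})
		if hit == (r.Logic == "OR") {
			return hit // OR: the first hit decides; AND: the first miss decides
		}
	}
	return r.Logic != "OR" && len(r.Conds) > 0
}

// Apply walks the ordered list top to bottom; the first matching rule enforces its outcome and later rules are never consulted.
func Apply(rules []Rule, a Alert) (Alert, string) {
	for _, r := range rules {
		if !r.appliesTo(a) {
			continue
		}
		if r.Severity != "" {
			a.Severity = r.Severity
		}
		if r.Verdict != "" {
			a.Verdict = r.Verdict
		}
		return a, r.Name
	}
	return a, ""
}

// Preview simulates one rule over already-triaged alerts without modifying them: evaluated/matched counts plus an "original -> projected" severity breakdown.
func Preview(r Rule, alerts []Alert) (evaluated, matched int, sevChanges map[string]int) {
	sevChanges = map[string]int{}
	for _, a := range alerts {
		evaluated++
		if out, name := Apply([]Rule{r}, a); name != "" {
			matched++
			if out.Severity != a.Severity {
				sevChanges[a.Severity+" -> "+out.Severity]++
			}
		}
	}
	return
}

// The two rules from the Examples section, plus a constructed source-scoped rule that downgrades an expected scanner ("edr" is a hypothetical source name).
var ExampleRules = []Rule{
	{Name: "Critical Severity for CEO Activity", Logic: "AND", Severity: "Critical",
		Conds: []Condition{{"hostname", "Is in", []string{"ceo-laptop", "ceo-macbook", "ceo-workstation"}}}},
	{Name: "Escalate Company Email Activity to Critical", Logic: "AND", Severity: "Critical",
		Conds: []Condition{{"email", "Matches RegEx", []string{`(?i)^[A-Z0-9._%+-]+@torq\.io$`}}}},
	{Name: "Expected scanner", Sources: []string{"edr"}, Logic: "AND", Severity: "Low", Verdict: "Benign",
		Conds: []Condition{{"ip", "Equals", []string{"10.0.0.5"}}}},
}

// Constructed sample alerts, not real Torq data.
var SampleAlerts = []Alert{
	{"A1", "edr", "Medium", "Suspicious", []Observable{{"hostname", "ceo-macbook"}, {"email", "Alice@TORQ.io"}}},
	{"A2", "edr", "High", "Malicious", []Observable{{"ip", "10.0.0.5"}}},
	{"A3", "mail-gateway", "High", "Malicious", []Observable{{"ip", "10.0.0.5"}}},
	{"A4", "mail-gateway", "Low", "Suspicious", []Observable{{"email", "carol@torq.io.attacker.example"}}},
}

func main() {
	for _, a := range SampleAlerts {
		out, rule := Apply(ExampleRules, a)
		fmt.Printf("%s: %s/%s -> %s/%s via %q\n", a.ID, a.Severity, a.Verdict, out.Severity, out.Verdict, rule)
	}
	ev, m, ch := Preview(ExampleRules[1], SampleAlerts)
	fmt.Printf("preview of %q: evaluated=%d matched=%d %v\n", ExampleRules[1].Name, ev, m, ch)
}
```

Run it with go run. A1 satisfies both the CEO rule and the company-email rule, but only the rule higher in the list is applied, which is the ordering behaviour the FAQ describes; A3 carries the scanner IP but comes from a source outside the third rule’s scope, so it is left untouched; A4’s look-alike domain is rejected because the pattern is anchored with $. The preview of the email rule reports 4 evaluated, 1 matched, and a single Medium to Critical change without modifying any alert.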
FAQ
What happens if multiple rules match the same alert?
Rules are evaluated from top to bottom. When multiple rules match, the rule higher in the list takes precedence. You can control this behavior by reordering rules using the drag handle.
Can rules be used to both lower and raise the severity?
Yes. Rules can enforce any supported severity or verdict, including lowering severity for expected or benign activity, or escalating alerts involving critical users or assets.
What happens when a rule is deleted?
Alerts that were previously affected by the rule will continue to display it in the Rules and Guidance section, with an indication that the rule has been deleted.
Do rules apply to existing alerts?
No. Rules apply only to alerts ingested after the rule is created or updated. Existing alerts are not re-evaluated.
What is the difference between evaluated alerts and matched alerts?
Evaluated is the total number of alerts the rule checked. Matched is the number of alerts where the rule conditions were met, and the rule would apply. In the Preview tab, both counts are shown. The Matched alerts counter in the rules table tracks only matched alerts from live production traffic over the last 30 days.