Configuration determines what happens after Auto Triage assigns a verdict, allowing teams to automate escalation, investigation, or follow-up actions without manual intervention.
Actions can automatically open a case (if licensed), trigger workflows, or do nothing. Mapping verdicts to actions helps teams respond more quickly to high-risk alerts, automate routine tasks, and reduce manual effort.
By default, no post-triage actions are taken until verdict-to-action mappings are explicitly configured. This approach allows teams to first observe alerts, review verdicts, and become familiar with the triage process before automatically opening cases. It helps organizations validate alert quality, configure Guidance and Rules to reflect organizational context, and build confidence in the system's decisions before introducing analyst workload.
Each source starts with default settings aligned with standard SOC operational practices:
True Positive – Malicious: Trigger workflow
True Positive – Benign: Trigger workflow
False Positive: Do nothing
These defaults allow teams to refine their triage strategy before escalating alerts into case management.
Torq recommends enabling Open case for malicious verdicts once triage behavior is validated and aligned with your investigation process.
Auto Triage verdicts
Auto Triage assigns one of three verdicts based on detection analysis:
False Positive
No malicious pattern or intent detected. The alert represents noise. Use Guidance and Rules to add organizational context and prevent these alerts from being surfaced to the SOC. Where possible, tune detection logic at the source to reduce alert volume.
True Positive – Benign
A malicious pattern was detected, but no malicious intent was identified. The activity matches known techniques but does not indicate an active threat.
True Positive – Malicious
Both a malicious pattern and malicious intent were detected. The alert represents a confirmed threat requiring investigation.
All three verdicts can trigger further investigation through workflows or cases. Configuration determines how each verdict is handled after triage completes.
When to use
Use Configuration to map triage verdicts to actions, ensuring that alerts either flow into case management for investigation or are handled automatically via workflows aligned with organizational procedures.
Configuration is valid when:
Alerts should automatically continue to investigation, automation, or no action after triage.
Teams want predictable and transparent outcomes for each verdict.
Default behavior provides predictable outcomes for each verdict, while allowing teams to refine actions over time as processes mature.
Configuration is set at the workspace level. Verdict-based actions are configured per source, and changes affect only future alerts.
How to use
Access the Configuration tab: In the Auto Triage page, click the Settings icon in the top-right corner, then open the Configuration tab.
Add or select a source:
If no sources are configured, click Add source to create one.
Select the alert source from the list.
The integration setup opens in a new tab, allowing you to create a new integration instance. See CrowdStrike Data Connector: Enabling Seamless Event Ingestion for instructions on creating and configuring a CrowdStrike streaming instance.
Once the source is added, it appears in the Configuration tab.
When adding a new source, review the default verdict actions and adjust them as needed to match your investigation and automation strategy.
Set verdict-based actions:
Click the source in the table to open the Verdict-based actions configuration pane.
For each verdict, select one of the following actions:
Open case: Automatically create a Torq case when an alert reaches the selected verdict. The case appears on the workspace’s Cases page, allowing analysts to pick it up and continue the investigation.
Trigger workflow: Generate an Alert triaged system event after triage completes. This event can be used by automation in the workspace to perform follow-up actions.
Do nothing: Take no action after triage. The alert remains visible on the Auto Triage Alerts and Auto Triage Dashboard pages, but does not flow into other reporting views.
Finalize the configuration:
Click Save. Changes take effect immediately for all future alerts from this source.
Selecting Trigger workflow causes an Alert triaged system event to be generated after triage completes. Any automation that has this trigger will run according to its own conditions and logic. Filtering and branching logic are defined inside the workflow based on alert attributes.
Verdict action: Open case
When the verdict mapping for True Positive – Malicious is set to Open case, Torq automatically creates a case that centralizes the full context of the triaged alert.
What Torq includes in the case
Each automatically created case contains:
The original alert and the triaged alert as case events
A tag indicating the case was created by Auto Triage
A tag reflecting the alert verdict (for example, True Positive – Malicious)
The case severity, set to match the alert severity
Linked observables extracted from the alert
IP addresses
URLs
File hashes
Hostnames
Email addresses
MAC addresses
Additional indicators stored in the Custom Fields tab
These values are automatically populated in the case’s Custom Fields tab and include:
Auto triage verdict
Process name
Process command line
Parent process command line
Grandparent process command line
Username
File path
Source (for example, CrowdStrike)
For supported sources (for example, CrowdStrike), Torq generates a structured case description that includes:
Detection name and summary
Verdict and reasoning
Alert attributes in a structured table
Suggested actions (if available)
Analysts can review and continue the investigation from the Cases page, where all relevant context is already organized.
If Cases are not included in your license
If Case Management is not licensed, Open case is not available as a configurable action. Only Trigger workflow can be selected.
In this scenario:
No case is created.
The verdict is still available to downstream workflows.
The alert continues through the configured automation path.
This ensures consistent behavior without requiring additional configuration.
Automatically close cases on False Positive
If a case was automatically created from a True Positive verdict and the alert is later reclassified as a False Positive, Torq automatically closes the linked case.
When this occurs, Torq:
Sets the case resolution reason to False Positive
Adds a structured system comment, including:
The user who changed the verdict
The timestamp of the change
The analyst’s comment (if provided)
Updates the case status in the alert table
Records the action in the audit log
This ensures lifecycle consistency between alerts and cases while preserving full auditability.
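The following is an added illustration, not Torq's own code, of the two behaviors described on this page: the per-source verdict-to-action dispatch from the "Set verdict-based actions" steps (including the license gate on Open case) and the automatic closure on reclassification, with the permission condition from the FAQ below. Function names, the event shape and the user/case structures are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default per-source mapping as stated on the page (verdict names use the page's en dash).
DEFAULT_ACTIONS = {
    "True Positive – Malicious": "Trigger workflow",
    "True Positive – Benign": "Trigger workflow",
    "False Positive": "Do nothing",
}

@dataclass
class Case:
    alert_id: str
    severity: str
    tags: list
    status: str = "open"
    resolution: Optional[str] = None
    comments: list = field(default_factory=list)

def dispatch(alert, actions, cases_licensed):
    """Apply the configured action for the alert's verdict; returns (outcome, payload)."""
    action = actions.get(alert["verdict"], "Do nothing")
    if action == "Open case" and not cases_licensed:
        action = "Trigger workflow"  # Open case is not selectable without Case Management
    if action == "Open case":
        case = Case(alert["id"], alert["severity"], tags=["Auto Triage", alert["verdict"]])
        return "case", case  # severity and verdict tag copied from the alert
    if action == "Trigger workflow":
        # Assumed shape of the "Alert triaged" system event; filtering happens in the workflow
        return "event", {"type": "Alert triaged", "alert_id": alert["id"], "verdict": alert["verdict"]}
    return "none", None

def reclassify(case, new_verdict, user, audit):
    """Auto-close the linked case when the verdict changes to False Positive.
    Closure runs as the user who changed the verdict, so it requires the
    cm.case.write permission and access to the case; otherwise the case stays open."""
    if new_verdict != "False Positive" or case.status != "open":
        return False
    if "cm.case.write" not in user["permissions"] or case.alert_id not in user["case_access"]:
        return False  # insufficient rights: case remains open (see FAQ)
    case.status = "closed"
    case.resolution = "False Positive"
    case.comments.append({"system": True, "user": user["name"], "timestamp": user["now"],
                          "comment": user.get("comment")})
    audit.append(("auto-close", case.alert_id, user["name"]))
    return True
```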
FAQs
How does Configuration work with Guidance and Rules?
Configuration determines what action is taken after triage completes, based on the final verdict. Guidance provides organizational and operational context that informs how alerts are evaluated during triage, including expected behavior, risk tolerance, and internal business norms. Rules are applied after triage to enforce specific verdicts or severity changes. After a verdict is assigned, the configured verdict action determines what happens next.
Why wasn’t the case closed after I changed the verdict to False Positive?
Automatic case closure occurs on behalf of the user who changes the verdict. If that user does not have permission to manage cases (cm.case.write) or does not have access to the case, the case will remain open.
Why does Auto Triage use only three verdicts?
Each verdict provides a clear path forward: escalate immediately to investigation, route for further review, or close as noise. Additional verdict categories would not change these response paths or improve decision-making. All three verdicts can trigger workflows or cases based on organizational priorities, allowing teams to define the right action for each outcome.