The Alerts page is a single, centralized view of all alerts ingested into Torq and processed by Auto Triage. Review key triage outcomes, including AI-assigned verdicts and severity, source, and created cases.

In the Alerts page, all the alerts ingested into your workspace are shown in list view. Narrow the alert list with sorting and filtering to quickly surface the most relevant or high-impact alerts. Click on an individual alert to view more details.

Sort alerts by time acknowledged, verdict, alert name, source or severity.

Show the filter categories using the + icon at the top of the display and add the filters you want to use. Filter by:

Search alerts using intuitive free-text. Searchable fields include:

Select the relevant field chips to refine the search and show only results that match specific fields. Expand the results to see a preview of each match.

Search results retain any applied filters and sorting, and you can further narrow the results with additional filters.

Select multiple alerts to perform a bulk verdict confirmation or verdict change. Enter feedback in the dialogue box. You can optionally create a rule when changing a verdict by clicking Save as rule. This automatically saves the verdict changes and opens the Rules page in a new tab.

Verdict confirmation or change will appear in the history of each selected alert.

Click on an individual alert to open the alert view for deeper insight. View Auto Triage analysis and results, validate decisions, and take further actions.

The alert view shows details from the original acknowledged alert and the Auto Triage enrichment and triage context. View details such as the alert type, when the alert was detected by the source, the severity assigned by the source system, and any mitigation actions that took place before ingestion.

To open the original alert in the source platform, hover over the source name in the alert and click the Open icon.

In the alert view, analysts can review the AI-assigned verdict and severity. Confirm or change the results by selecting the relevant option. When confirming or making changes, provide a reason to ensure transparency and auditability.

Analyst feedback on verdict outcomes helps refine Auto Triage decision-making and improve accuracy over time.

If a case is created from an alert—automatically or manually—and an analyst reclassifies the alert as False Positive, the system automatically closes the case with the resolution reason False Positive. The case record notes that the case was automatically closed due to a user-initiated verdict change.

In the alert view Overview tab, you can review the Auto Triage analysis and enriched insights. Scroll to view the:

When closed or resolved cases exist in your workspace, Auto Triage searches for matches to the current alert's observables, including IP addresses, URLs, file hashes, hostnames, and email addresses. Matching is evaluated across multiple dimensions: the observables themselves, the activity type, and contextual factors. The more observables a historical case shares with the current alert, and the more aligned the activity types and context are, the higher its weighted relevance in the enrichment. Only the most relevant cases are referenced; cases with no observable overlap are automatically excluded, and only matches from the past 30 days are included by default.
​
In the alert's verdict justification, you will see which historical cases were referenced, which observables were used for matching, and how those cases were resolved. Click any referenced case link to open it directly.

The more consistently your team documents resolution reasons and associates observables when closing cases in Torq, the stronger this enrichment becomes.

Auto Triage provides recommended actions to help analysts understand potential next steps and respond efficiently.

The History tab shows a complete activity history, showing how the alert has evolved, providing a clear record of all events and decisions. The following events generate entries in the history:

This explains how Auto Triage processes, enriches, and determines verdicts for all incoming alerts. This transparency helps analysts understand how conclusions are reached.

In the top-right of the alert view, open the three-dot menu for more options. Copy a link to the alert for easy sharing, and view the source alert or triaged alert in JSON format for deeper analysis and troubleshooting.