Alert Streaming: Route Alerts to Auto Triage

Stream security alerts from supported sources into Auto Triage to enable AI-driven triage and configuration-based post-verdict handling.

Auto Triage is not enabled by default and requires separate enablement. To get access, contact Torq Support.

Alerts can be streamed into Torq and evaluated by Auto Triage. This article describes, in general, how alert streaming and evaluation in Auto Triage work. Examples reference CrowdStrike alerts, but the same evaluation, filtering, and governance model applies to all alert sources integrated with Auto Triage.

Before streaming alerts to Auto Triage, configure the relevant alert source integration. If you are using CrowdStrike, see: CrowdStrike Data Connector: Enabling Seamless Event Ingestion

How alerts enter Auto Triage

Alerts are streamed into Torq from a supported alert source using its corresponding integration. Each integration instance represents a distinct alert source within a workspace.

When streaming to Auto Triage is enabled for a source:

  • Alerts are delivered as discrete events

  • Each alert is associated with its originating integration

  • Streaming applies only to new alerts

Before evaluation, streamed alerts are normalized into an internal event structure, and relevant observables are extracted.

Filtering alerts before triage

Not all incoming alerts are evaluated by Auto Triage. Before triage, alerts are filtered based on source-specific configuration.

For CrowdStrike, this filtering is based on alert type and severity level and is configured per integration and workspace.

Only alerts that match the configured criteria are routed to Auto Triage for evaluation. Alerts that do not meet these criteria are not triaged. This filtering allows organizations to control which alerts are eligible for automated evaluation before they enter the AI SOC pipeline.
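The normalize-then-filter stage described above, as an added illustration that is not Torq's code and does not use Torq's internal event schema or CrowdStrike's field names: the raw alert shape, the integration identifiers (cs-prod, cs-lab), the per-integration filter configuration, and the helper names are all constructed assumptions. The point it makes concrete is that observables are extracted once during normalization, and that an integration with no configured filter never reaches triage at all.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample alerts. The shape loosely mimics an EDR detection but is
# NOT the CrowdStrike schema; every field name here is an assumption.
SAMPLE_ALERTS = [
    {"id": "det-1", "type": "malware", "severity": 4, "host": "ws-42",
     "source_id": "cs-prod",
     "details": {"sha256": "a" * 64, "remote_ip": "203.0.113.9"}},
    {"id": "det-2", "type": "policy", "severity": 2, "host": "ws-7",
     "source_id": "cs-prod", "details": {"domain": "example.net"}},
    {"id": "det-3", "type": "malware", "severity": 5, "host": "srv-1",
     "source_id": "cs-lab", "details": {"sha256": "b" * 64}},
]

# Per-integration filter: eligible alert types and minimum severity (assumed
# structure). "cs-lab" has no entry, so none of its alerts are ever triaged.
FILTER_CONFIG = {
    "cs-prod": {"types": {"malware", "credential_theft"}, "min_severity": 3},
}


@dataclass
class Event:
    """Hypothetical internal event produced by normalization."""
    alert_id: str
    integration: str
    alert_type: str
    severity: int
    observables: dict = field(default_factory=dict)


SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def extract_observables(details: dict) -> dict:
    """Classify string values by shape (hash, IP, domain) rather than by field
    name, so a renamed source field still yields an observable."""
    found = {"sha256": [], "ip": [], "domain": []}
    for value in details.values():
        if not isinstance(value, str):
            continue
        if SHA256_RE.match(value):
            found["sha256"].append(value.lower())
            continue
        try:
            ipaddress.ip_address(value)
            found["ip"].append(value)
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(value):
            found["domain"].append(value.lower())
    return {k: v for k, v in found.items() if v}


def normalize(raw: dict) -> Event:
    """Map a raw source alert onto the internal event and attach observables."""
    return Event(
        alert_id=raw["id"],
        integration=raw["source_id"],
        alert_type=raw["type"],
        severity=int(raw["severity"]),
        observables=extract_observables(raw.get("details", {})),
    )


def is_eligible(event: Event, config: dict = FILTER_CONFIG) -> bool:
    """Route to triage only when the integration has a filter config AND the
    alert matches its type/severity criteria."""
    rules = config.get(event.integration)
    if rules is None:
        return False
    return event.alert_type in rules["types"] and event.severity >= rules["min_severity"]


def route(raw_alerts, config: dict = FILTER_CONFIG):
    """Split a batch into alerts sent to triage and alerts left untriaged."""
    triaged, skipped = [], []
    for raw in raw_alerts:
        ev = normalize(raw)
        (triaged if is_eligible(ev, config) else skipped).append(ev)
    return triaged, skipped


if __name__ == "__main__":
    t, s = route(SAMPLE_ALERTS)
    print("triaged:", [e.alert_id for e in t])   # det-1 only
    print("skipped:", [e.alert_id for e in s])   # det-2 (wrong type / too low), det-3 (no config)
```

Note that det-3 is dropped despite having the highest severity in the batch: filtering is keyed on the integration first and on type/severity second, which is the behaviour the section above describes.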

How Auto Triage evaluates alerts

Auto Triage evaluates each eligible alert independently and produces a final verdict and severity.

Evaluation incorporates:

  • Alert metadata and extracted observables

  • Guidance, which provides environment-specific context

  • Rules that enforce deterministic outcomes when required

Auto Triage operates autonomously within these explicit guardrails. It evaluates risk but does not take action or modify source data.

For additional details, see:

  • Guidance to understand how contextual information influences risk interpretation

  • Rules to learn how deterministic logic can enforce verdict or severity outcomes

  • Verdict and severity logic for a complete description of evaluation outcomes

Permissions and access control

Auto Triage alerts are governed by granular triage permissions. These permissions ensure clear separation of duties while maintaining alignment with Case Management access controls.

Permissions determine who can:

  • View triaged alerts

    Users can list and view alerts and their triage outcomes, but cannot modify them.

  • Update verdicts or submit feedback

    Only users with permission to update alert verdicts can confirm or reject Auto Triage decisions or provide feedback.

  • Create or view cases from alerts

    Case visibility and creation inherit permissions from the Case Management module and depend on the user’s case access level.

  • Manage triage logic (Guidance and Rules)

    Viewing, creating, editing, and deleting triage rules and context are permissioned separately.

  • View triage metrics

    Access to dashboards and aggregate triage metrics is controlled independently.

Users without the required permissions can still observe triage outcomes, but cannot change how alerts are evaluated or handled.

For a full breakdown of triage-related permissions and scopes, see Torq Roles and Scopes: Manage Access and Permissions.

Outputs produced by Auto Triage

After the evaluation completes, Auto Triage produces the following outputs for each evaluated alert:

  • A final verdict

  • A final severity

  • A configuration-based post-verdict action, as defined for the alert source (such as opening a case, triggering a workflow, or taking no action)

  • (Optional) Source-system closure for false positives, if enabled in the alert source configuration

These outputs represent the conclusion of the Auto Triage evaluation process.

Based on the configured verdict-to-action mappings for the alert source, Auto Triage initiates downstream handling. For example, a malicious verdict may open a case, while other verdicts may trigger workflows or result in no action, depending on configuration and licensing.

Details on how verdicts map to downstream behavior are covered in the Configuration article.
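The evaluation and post-verdict stages described in "How Auto Triage evaluates alerts" and "Outputs produced by Auto Triage", as one added example. This is not Torq's code: the AI evaluation is replaced by a transparent heuristic stand-in, and the guidance values, the rule list, the verdict and severity labels, and the verdict-to-action configuration are all constructed assumptions. What it demonstrates is the ordering the page specifies: deterministic rules override the model's verdict, the evaluation itself only returns a verdict and severity, and any downstream action comes solely from the alert source's configured mapping.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed, already-normalized alerts (not Torq's internal schema).
ALERTS = [
    {"id": "det-1", "integration": "cs-prod", "type": "malware", "severity": 4,
     "host": "ws-42", "observables": {"sha256": ["a" * 64]}},
    {"id": "det-4", "integration": "cs-prod", "type": "credential_theft", "severity": 2,
     "host": "dc-01", "observables": {}},
    {"id": "det-5", "integration": "cs-prod", "type": "malware", "severity": 5,
     "host": "redteam-box", "observables": {"sha256": ["c" * 64]}},
]

# Guidance: environment-specific context an analyst supplies (constructed values).
GUIDANCE = {
    "tier0_hosts": {"dc-01"},
    "authorized_test_hosts": {"redteam-box"},
    "known_bad_sha256": {"a" * 64},
}

SEVERITY_NAMES = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}


@dataclass
class Verdict:
    verdict: str    # malicious | suspicious | false_positive | benign (assumed labels)
    severity: str   # low | medium | high | critical
    reason: str


def model_verdict(alert: dict, guidance: dict) -> Verdict:
    """Stand-in for the AI evaluation: a readable heuristic over observables and guidance."""
    hashes = set(alert["observables"].get("sha256", []))
    if hashes & guidance["known_bad_sha256"]:
        return Verdict("malicious", SEVERITY_NAMES[max(alert["severity"], 4)], "known-bad hash")
    if alert["severity"] >= 4:
        return Verdict("suspicious", SEVERITY_NAMES[alert["severity"]], "high source severity, no corroboration")
    return Verdict("benign", SEVERITY_NAMES[alert["severity"]], "no indicators")


# Deterministic rules (constructed): first match wins and overrides the model entirely.
RULES: list[tuple[str, Callable[[dict, dict], bool], Verdict]] = [
    ("authorized test host",
     lambda a, g: a["host"] in g["authorized_test_hosts"],
     Verdict("false_positive", "low", "rule: authorized test host")),
    ("credential theft on tier-0",
     lambda a, g: a["type"] == "credential_theft" and a["host"] in g["tier0_hosts"],
     Verdict("malicious", "critical", "rule: credential theft on tier-0 host")),
]


def evaluate(alert: dict, guidance: dict = GUIDANCE, rules=RULES) -> Verdict:
    """Produce the final verdict and severity. Returns only; never acts on the source."""
    for _name, matches, outcome in rules:
        if matches(alert, guidance):
            return outcome
    return model_verdict(alert, guidance)


# Verdict-to-action mapping per alert source (constructed config shape).
SOURCE_CONFIG = {
    "cs-prod": {
        "actions": {"malicious": "open_case", "suspicious": "run_workflow:enrich",
                    "false_positive": "none", "benign": "none"},
        "close_false_positives_in_source": True,
    }
}


def post_verdict_actions(alert: dict, verdict: Verdict, config: dict = SOURCE_CONFIG) -> list[str]:
    """Translate a verdict into downstream handling strictly from configuration."""
    src = config.get(alert["integration"])
    if src is None:  # no Auto Triage source configured for this integration: nothing happens
        return []
    actions = [src["actions"].get(verdict.verdict, "none")]
    if verdict.verdict == "false_positive" and src["close_false_positives_in_source"]:
        actions.append("close_in_source")  # optional source-system closure
    return [a for a in actions if a != "none"]


def triage(alerts=ALERTS) -> dict:
    """Run evaluation then post-verdict handling for each alert independently."""
    results = {}
    for alert in alerts:
        verdict = evaluate(alert)
        results[alert["id"]] = (verdict, post_verdict_actions(alert, verdict))
    return results


if __name__ == "__main__":
    for alert_id, (verdict, actions) in triage().items():
        print(alert_id, verdict, actions)
```

Two of the three sample alerts show the override at work: det-4 has source severity 2 but becomes malicious/critical because a rule matches, and det-5 has source severity 5 but is closed as a false positive because its host is an authorized test box. det-1 is the only alert whose outcome comes from the heuristic evaluation itself.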

After triage: visibility and downstream handling

After Auto Triage completes evaluation, alerts remain available for review and may trigger downstream actions based on configuration.

  • Review individual alerts, verdicts, and analysis on the Alerts page.

  • Monitor aggregate triage outcomes and trends in the Auto Triage Dashboard.

  • Trigger workflows or open cases based on verdict-to-action mappings defined in Configuration.

Governance and guardrails

Auto Triage operates within explicit configuration and granular triage permissions that control who can view alerts, update verdicts, manage triage logic, and create cases.

  • Alerts are evaluated only when an alert source is configured in Auto Triage for a given integration.

  • Changes to the configuration apply only to alerts evaluated after the change.

These guardrails provide configuration-based control while preserving analyst oversight.