Auto Triage is not enabled by default and must be enabled separately. To get access, contact Torq Support.
The Auto Triage dashboard presents metrics and visualizations aggregated across all alerts processed by Auto Triage. It is designed to help teams understand how alerts are evaluated over time, assess triage effectiveness, and validate that Auto Triage behavior aligns with organizational expectations.
For an overview of Auto Triage concepts and related documentation, see Auto Triage overview.
What the Auto Triage dashboard shows
The dashboard displays aggregated data for alerts processed by Auto Triage and can be filtered by time range, verdict, severity, MITRE ATT&CK techniques, and source.
It focuses on trends and outcomes rather than individual alerts, allowing teams to monitor alert volume, triage speed, and verdict distribution at a glance. By combining key metrics with time-based and flow visualizations, the dashboard helps teams evaluate how Auto Triage decisions and configuration changes affect alert handling over time.
Key metrics
The top section of the dashboard displays key metrics that indicate triage effectiveness and system responsiveness.
Noise reduction
Indicates how many alerts Auto Triage identifies as non-malicious, helping reduce the volume of alerts requiring further handling.
Mean Time to Acknowledge (MTTA)
Indicates how quickly Auto Triage begins analyzing alerts after ingestion, providing insight into system responsiveness.
Mean Time to Triage (MTTT)
Indicates how long it takes Auto Triage to reach a verdict, helping teams understand triage speed and consistency.
Auto Triage verdict accuracy
Indicates how often Auto Triage verdicts remain unchanged after analyst review. Analyst changes and confirmations help improve future triage behavior.
Each metric includes a visible calculation formula in the dashboard, allowing teams to understand how values are derived and interpret results with confidence.
Alerts volume over time
The Alerts volume over time view shows how alert volume and triage outcomes change across the selected time range. Displayed as a time-based graph, it highlights trends and shifts in alert behavior rather than individual alerts.
Teams can filter the view by severity, source, or verdict to focus on specific segments of alert activity. This makes it easier to identify spikes in volume, shifts in verdict distribution, or other changes in alert behavior over time.
This view helps teams understand the impact of Auto Triage over time and detect anomalies that may point to noisy or newly introduced detections, emerging threats, or planned activity.
Alert flow and lifecycle
The Alert lifecycle flow provides an aggregated visualization of how alerts move through the Torq platform, from Auto Triage noise reduction and escalation decisions to case handling and resolution. It shows how alerts are distributed across verdicts, severities, and downstream handling, helping teams understand how alerts progress from triage to closure.
This view highlights who ultimately resolves and closes alerts—whether through human analyst action, Socrates-guided investigation, or automated workflows—providing visibility into how work is distributed across people and automation. This helps teams understand how Torq optimizes security operations by reducing noise, escalating important alerts, and freeing analysts to focus on more advanced investigations.
Distribution panel
When you select a node in the alert flow, a Distribution panel opens, providing deeper insight into the alerts associated with that stage of the flow. This panel breaks down alert data by additional dimensions, such as MITRE ATT&CK tactic, alert source, and severity, enabling teams to analyze patterns and characteristics within a specific segment of the flow.
By applying these contextual filters, teams can better understand why alerts are routed or resolved in a certain way and identify contributing factors such as noisy detections, emerging threat activity, or changes in alert sources.
Layout and interaction
The view supports multiple layout options, allowing teams to switch between horizontal and vertical perspectives to better analyze alert distribution. It also supports zooming to explore dense areas of the flow when working with large alert volumes.
Overall, this view helps teams validate that alerts are flowing through the platform as intended, from noise reduction to resolution, while maintaining a focus on aggregated outcomes rather than individual alert records.



