
Setting Up a Custom Triage

LAST UPDATED: MAR 21, 2025

The investigation dashboard organizes custom triages within the Events, Incidents, Pending Tasks, Artifacts, and Playbook Errors sections. A custom triage organizes and groups prioritized events, incidents, pending tasks, artifacts, and playbook errors based on user-relevant characteristics. Once saved, users can quickly revisit these views.

Figure: A custom triage for events.

Figure: A custom triage for incidents.

Role Token Requirement for Custom Triages

The Enable Triage role token is required for a user to create and view custom triages.


Procedures

Creating a Simple Custom Triage

  1. Drag the table's column headers into the Saved Searches field to define groupings.

  2. Observe the number of groupings reflected in a hierarchical structure, aligned with the order in which the attributes are positioned within the Saved Searches field.

  3. Click on the button next to the Incidents accordion.

  4. Create the custom triage.

    1. Input a unique custom triage name.

    2. (Optional) Make this triage accessible for viewing by other users, groups, or roles.

    3. Click on the Create button.

  5. Click the newly created custom triage to view it.


RESULT

Users can now return to this custom triage from any other view.


Creating a Custom Triage with Predefined Sort Orders and Filters

Users can further customize their triages by sorting data in ascending or descending order by table headers and applying filters.

Sorting Using Table Headers

Clicking an incident attribute in the table headers sorts the data by that header and makes it the primary sorting reference. The arrow icon beside a header indicates whether the current sort order is ascending or descending. For example, clicking the Incident No. attribute until the descending icon appears sorts the table data by Incident No. in descending order.


To sort the table by a different column, click the Incident No. header until no arrow appears, then click another attribute.

If users drag a header into the Saved Searches field while sorting is applied, a Column Sorting section will appear in the Edit Triage popup, reflecting the applied sorting in either ascending or descending order.


Ordering Headers in the Saved Searches Field

The order of headers in the Saved Searches field determines how incidents are grouped and sorted in the table.

  • The leftmost header serves as the primary grouping.

  • Each subsequent header to the right creates nested subgroups.

  • The rightmost header defines the most specific sorting level within the final subgroup.


For example, if Incident Type is placed first, Status second, and Incident No. third, incidents will be grouped by Incident Type (e.g., all "Data Breach" incidents together), then further organized by Status within each type (e.g., "Open" vs. "Closed" Data Breach incidents), and finally sorted by Incident No. within each status group.

Figure: Rearranging the sorting structure by dragging the Status field to the first position.

Users can modify the sorting structure by dragging headers into different positions within the Saved Searches field, ensuring the data is displayed in a way that best supports their triaging needs.

If a table header can contain repeatable values—such as Incident Type or Status (i.e., there can be many phishing-type and “Open” incidents)—users can change the sorting direction of incidents within each group (accordion) by clicking its attribute in the Saved Searches field.

Figure: Arranging incidents in the largest accordion by Status in descending order, and then, within each Status, sorting the incidents by Incident Type in descending order.

Applying a Filter

Users can click the filter button on any table header to apply filters and display data matching specific incident attributes. Multiple filters can be applied across one or more table headers.

Figure: A filter on the Incident No. table header that displays only incidents where the incident number begins with 2025.

Figure: A filter on the Status table header that displays only incidents with the Open status.

Use Case: Creating a Triage Sorted by Incident No. and Filtered for Data Breach Incidents

Users can save a custom triage with a predefined table header sorting order and filters in the following steps:

  1. Click an incident attribute in the table header to modify its sorting order (e.g., Incident No.).


    In this example, the Incident No. column is currently sorted in descending order, with numbers decreasing sequentially.

  2. Drag the Incident No. column header, sorted in descending order, into the Saved Searches field.

  3. Filter a column by a specified value.

    1. Click the filter button on the desired column header to apply a filter to it.

    2. Select a value to filter by.

    3. Click the Filter button.

  4. Drag the filtered column header (e.g., Incident Type) into the Saved Searches field.

  5. Click on the button next to the Incidents accordion to create a custom triage based on the current view.

  6. Create the custom triage.

    1. Input a unique custom triage name.

    2. (Optional) Make this triage accessible for viewing by other users, groups, or roles.

    3. Review the triage conditions.

    4. Click on the Create button.

  7. Click the newly created custom triage to view it.


RESULT

The table data is organized by grouping Incident No. first in descending order, then by Incident Type in descending order, with a filter applied to show only Data Breach incidents.
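
The following Python sketch models the filtering, grouping, and sorting rules described in "Ordering Headers in the Saved Searches Field" and in this use case. It is an added example, not code from the product; the sample incidents, the build_triage function, and its parameters are constructed for illustration, and incident numbers are assumed to compare as equal-length strings.

```python
from itertools import groupby

# Constructed sample incidents; keys mirror the table headers named on this page.
INCIDENTS = [
    {"Incident No.": "20250003", "Incident Type": "Phishing", "Status": "Open"},
    {"Incident No.": "20250001", "Incident Type": "Data Breach", "Status": "Open"},
    {"Incident No.": "20240009", "Incident Type": "Data Breach", "Status": "Closed"},
    {"Incident No.": "20250004", "Incident Type": "Data Breach", "Status": "Open"},
    {"Incident No.": "20250002", "Incident Type": "Phishing", "Status": "Closed"},
]


def build_triage(rows, headers, filters=None):
    """Model a saved triage view (hypothetical helper, not a product API).

    headers: ordered (header, descending) pairs, leftmost header first.
    filters: optional {header: predicate}; a row must satisfy every predicate.
    Returns nested dicts keyed by group value. The rightmost header produces
    a sorted list of rows instead of another level of groups.
    """
    filters = filters or {}
    rows = [r for r in rows if all(pred(r[h]) for h, pred in filters.items())]

    def nest(subset, levels):
        header, descending = levels[0]
        ordered = sorted(subset, key=lambda r: r[header], reverse=descending)
        if len(levels) == 1:
            return ordered  # most specific level: plain sorted rows
        # dicts keep insertion order, so groups appear in sorted order
        return {key: nest(list(group), levels[1:])
                for key, group in groupby(ordered, key=lambda r: r[header])}

    return nest(rows, headers)


if __name__ == "__main__":
    # Incident Type first, Status second, Incident No. third (all ascending).
    print(build_triage(INCIDENTS, [("Incident Type", False), ("Status", False),
                                   ("Incident No.", False)]))
    # This use case: Incident No. descending, then Incident Type descending,
    # filtered to Data Breach incidents only.
    print(build_triage(INCIDENTS, [("Incident No.", True), ("Incident Type", True)],
                       filters={"Incident Type": lambda v: v == "Data Breach"}))
```

Because Incident No. is unique per incident, placing it leftmost yields one group per incident, while placing a repeatable header such as Incident Type or Status first produces the larger accordions.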


Editing and Deleting Custom Triages

To edit or delete a triage, click on the ellipsis icon.

  • Clicking on the Edit Triage option will reopen the Edit Triage popover.

  • Clicking on the Remove Triage option will open a popover, prompting the user to confirm and delete the selected custom triage.

READER NOTE

  • Only the owner can delete their custom triage—no one else has permission.

  • If a user did not create the custom triage, only the View Triage option will be available.

  • If the triage owner edits or deletes their custom triage, users with viewing access will receive a notification indicating the update. Clicking the Update button will either synchronize the viewer’s triage to the latest version (if edited) or remove it (if deleted).

Reordering Custom Triages

Hover over a custom triage item, then drag the grab handle icon to adjust its order.
