Can I mark Events as "suspicious" or "reviewed" for SOC triage?

Yes, contact us to enable the SOC (Security Operations Center) quick-label feature.

Triaging with Quick Labels

Quick Labels are shown as one-click menu items in the dropdown for each Event when you press the labels icon. They're intended to be a fast triaging tool to characterize Events that warrant attention.

Quick Label Sources

The labels shown on the dropdown list come from two sources, in order of precedence:

  1. Domain-level Quick Labels
    The comma-separated list of labels specified at becomes the standard list shown to all people viewing Events from an account from that domain.
  2. User-level Most Recently Used Labels
    As users apply labels to Events, the most recently used labels are appended to the dropdown list (following those from domain-level specification).


Domain Quick Labels

If you're a domain administrator, enter a comma-separated list of labels that you'd like all people to use when triaging Events from accounts using your domain at:


Most Recently Used Labels

Click Edit... if you need to add or remove a label that isn't yet shown in your most recently used list. After you press Save, the newly added/removed label will appear in your most recently used list and will be saved locally in your browser.



The NOT logical operator may also be helpful so that you can use a query like this to review and share those Events that are suspicious and not yet reviewed:

suspicious not reviewed

or, equivalently:

suspicious -reviewed

That way, SOC personnel can bookmark the URLs they want to see most often, like:;q=suspicious+-reviewed

