Skip to Content
IncidentsTriage

Triage

The Incident triage page is the main workspace for reviewing a single incident. From this page, administrators can inspect message information and move through the available triage sections during an investigation.

Incident triage page

It brings together the incident summary, email details, supporting analysis, attachments, and remediation actions in one place. Use the sections on the page to review the available evidence and decide what follow-up is needed.

Overview Section

The Overview section explains the verdict SucuriLabs assigned to the incident and shows the main reasons behind that classification.

Triage overview section

Classification reasoning

SucuriLabs lists the verdict it assigned to the message, such as benign, malicious, spam, or unknown. Under the verdict, the Overview section shows the detection signals that influenced the classification.

These signals can include checks such as sender authentication results, suspicious message content, link analysis, attachment analysis, or other security indicators found during inspection.

Using the overview

Use this section as the first summary of why the incident was classified a certain way. The overview helps analysts decide whether the verdict looks correct or whether they should continue reviewing the email details, identity analysis, attachments, and remediation history.

Remediation

The Remediation panel is where administrators record the final review decision for an incident and choose what action should be taken on the message.

Remediation panel

How remediation works

Remediation starts with SucuriLabs’s analysis and ends with an administrator’s review decision. The panel shows the current status, the AI verdict, the last action applied, and any review notes that were saved.

To update the remediation, select the edit icon in the Review field. This opens the remediation form.

Remediation review form

Review decision

Choose the verdict that best matches the incident after investigation:

Review optionWhen to use it
SpamThe message is unwanted or unsolicited, but not necessarily malicious
BenignThe message is legitimate and should not be treated as a threat
MaliciousThe message is harmful or part of a phishing or attack attempt

The review decision is the analyst’s final classification for the incident. It can confirm or override the AI verdict shown in the panel.

Remediation action

After selecting the review decision, choose the action SucuriLabs should apply to the message:

ActionWhat it does
Move to spamMoves the message to the recipient’s spam folder
QuarantineIsolates the message so users cannot interact with it
RestoreRestores the email to the user’s inbox
BannerAdds a warning banner to help users identify the message as risky
TrashMoves the message out of the inbox and into trash

Some actions may be unavailable depending on the message state, integration, or organization settings.

Comment and sharing

Add a comment to explain the reason for the review decision or remediation action. Comments help other administrators understand what happened during the investigation.

Enable Share with SucuriLabs when the incident should be shared to help improve detection rules and analysis. Leave it disabled when the message should remain private to the organization.

Select Submit to save the review and apply the remediation. Select Cancel to close the form without saving changes.

Triage activity

After remediation is submitted, the activity history records what changed, who made the update, and when it happened.

Remediation review history

Email

The Email section shows the original message details for the incident. Analysts use this section to confirm who sent the message, who received it, and when it arrived.

Triage email section

Metadata

The top of the section shows the key message fields:

FieldDescription
SubjectThe subject line of the message
SenderThe sender name and email address
RecipientsThe users who received the message
ReceivedThe date and time the message was received

This information helps analysts verify whether the message came from an expected sender and whether the recipients match the suspected campaign or incident scope.

Message content access

If message content access is restricted by the organization’s privacy policy, the message body is locked behind an access request. Enter the reason for viewing the content, then select Request Access.

When access is approved, the message content can be viewed for deeper investigation. Access requests are recorded so administrators can audit who viewed sensitive message content and why.

Attachments

The Attachments section lists the files found in the incident message. Analysts use this section to review attachment details and identify files that may need additional investigation.

Triage attachments section

Attachment metadata

Each attachment is shown in a table with file metadata:

ColumnDescription
File NameThe name of the attachment included in the message
Sha256The SHA-256 hash used to uniquely identify the file
Mime/TypeThe detected content type for the attachment
File SizeThe size of the file
First Obs.The first time SucuriLabs observed the file

Reviewing attachments

Review the file name, type, size, and first observed time to decide whether the attachment looks expected or suspicious. Unexpected file types, unusual file names, or repeated hashes across incidents can indicate a broader phishing or malware campaign.

If downloads are allowed by policy, use the download action to retrieve the file for further analysis in a safe environment.

Identity Analysis

The Identity Analysis section shows who SucuriLabs detected in the message and how the sender identity was assessed. Analysts use this section to check whether the message appears to come from a legitimate sender or may be impersonating a trusted person or organization.

Triage identity analysis section

Detected entities

Detected entities are people or accounts identified in the message. They can include recipients, targets, account contacts, or other identities related to the incident.

Reviewing these entities helps analysts understand who the message references, who may be targeted, and whether the sender is trying to impersonate someone familiar to the organization.

Sender assessment

The sender assessment shows the identity SucuriLabs associated with the sender. Use this information to compare the displayed sender name with the actual email address and domain.

Differences between the sender name, email address, and expected organization can indicate spoofing, impersonation, or a suspicious sender relationship.

Sender metadata

The metadata area provides technical details about the sender:

FieldDescription
DomainThe sender’s email domain
IPThe IP address or network associated with the message source
GeolocationThe detected location for the sending infrastructure
ASNThe autonomous system associated with the sender IP
AuthenticationThe SPF, DKIM, and DMARC authentication results

Authentication results help determine whether the sender was authorized to send mail for the domain. Passing SPF, DKIM, or DMARC can support legitimacy, while failed checks may indicate spoofing or misconfigured sending infrastructure.

Use this section together with the email content and attachments to decide whether the sender identity supports or contradicts the incident verdict.

Last updated on