Automating Observables: Enhance Threat Detection with Torq

Learn how to automatically manage observables with Torq workflows.

Updated this week

Automatically managing observables in Torq streamlines the case investigation process and enhances your organization’s ability to respond to and mitigate potential threats efficiently.

Observables, such as IP addresses, URLs, file hashes, and resource UIDs, are critical indicators in cybersecurity investigations. Learn the basics here.

Add Observables Automatically

  1. Add an Observable: Use one of the following steps:

    • Add observable to a case: Introduces a new observable and associates it with a specific case.

    • Create an observable: Adds a new observable to the workspace without associating it with a case.

  2. Enter the Observable Details:

    • Enter the observable type (IP address, URL, file hash, etc.), value, and reputation score.

      • Specify a sub type by adding the Observable sub type optional parameter.

    • Optionally, provide a description.

    • Optionally, use the Enrichment parameter to attach enrichment data to the observable. This data is stored with the observable and is accessible whenever the observable is retrieved, including across all associated cases.

  3. Mark as Key: Optionally, use the Mark as Key Observable step to highlight an observable's significance. Key observables are displayed in the case Overview tab to ensure they receive immediate attention.

Additional steps are available to query, disassociate, and update observables.

Use the Add observable to a case step

Enrich Observables

When adding an observable to the workspace or associating it with a case, you may want to include enrichment data to provide additional context. This data helps streamline investigations and can be added or updated at any point.

Enrichment data is stored with the observable, making it readily available to anyone reviewing it—whether as part of a case or independently.

Manage Enrichment Data

  1. During Creation: Use the optional Enrichment parameter in the Create an observable or Add observable to a case steps to include enrichment data at the time of creation or association.

  2. After Creation: Use the Update observable enrichment step to add or modify enrichment data anytime.

  3. Accessing Enrichment Data: Once added, enrichment data is accessible whenever the observable is retrieved, whether via workflow steps, case trigger scenarios, or the API.

Example: Automatically Enrich an Observable When Associated with a Case

  1. Trigger the Workflow: Use the Observable added trigger to start a workflow when an observable is associated with a case.

  2. Set Trigger Conditions: Add a trigger condition to execute the workflow based on the observable type (e.g., IP address, domain, hash).

  3. Enrich the Observable: Use a threat intelligence service to retrieve additional information about the observable.

  4. Update the Observable:

    • Use the Update observable reputation score step to update the observable’s reputation with the latest data.

    • Use the Update observable enrichment step to add or modify enrichment data stored with the observable.
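The example workflow above, modelled as plain Python so the logic can be run and checked offline. This is an added illustration, not Torq's API or the article's own code: it assumes a local dict as the workspace, hash sub types derived from hex length, and a 0-100 reputation scale.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

_HASH_SUBTYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> sub type (assumption)
_DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify_observable(value: str) -> tuple[str, str | None]:
    """(type, sub_type) of a raw indicator: the check behind a trigger condition on observable type."""
    value = value.strip()
    try:
        return "ip", f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        pass
    if len(value) in _HASH_SUBTYPES and re.fullmatch(r"[0-9a-f]+", value, re.I):
        return "hash", _HASH_SUBTYPES[len(value)]
    if re.match(r"https?://\S+$", value, re.I):
        return "url", None
    return ("domain", None) if _DOMAIN_RE.match(value) else ("unknown", None)

@dataclass
class Observable:
    id: str
    value: str
    type: str
    sub_type: str | None = None
    reputation: int | None = None
    enrichment: dict = field(default_factory=dict)
    case_ids: set = field(default_factory=set)

    def update(self, reputation: int | None = None, enrichment: dict | None = None) -> Observable:
        """Step 4 of the example: refresh the score and merge enrichment keys (add or modify, never drop)."""
        if reputation is not None:
            self.reputation = max(0, min(100, reputation))  # clamp to a 0-100 scale (assumption)
        if enrichment:
            self.enrichment.update(enrichment)
        return self

def add_to_case(store: dict[str, Observable], value: str, case_id: str, **updates) -> Observable:
    """Add observable to a case: reuse the workspace observable if its value already exists."""
    if value not in store:
        store[value] = Observable(f"obs-{len(store) + 1}", value, *classify_observable(value))
    obs = store[value]
    obs.case_ids.add(case_id)
    return obs.update(**updates)

def query_cases(store: dict[str, Observable], observable_ids: list[str]) -> set[str]:
    """Case IDs linked to any of the given observables (what the Query cases step lists)."""
    return {c for o in store.values() if o.id in observable_ids for c in o.case_ids}
```

Because enrichment is stored on the observable rather than on the case, a second case that links the same value sees the data the first case's workflow attached.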

Leverage Observables for Threat Hunting

Enhance your proactive defense measures through threat hunting:

  • Correlate observables with potential security threats.

  • Implement enrichment and contextual analysis to uncover hidden threats.

  • Query associated cases using the observable's ID to see all related case activities and further analyze potential security breaches.

Retrieve Cases Associated with an Observable

  1. Use the Query cases step within your workflow.

  2. Add the Observable IDs optional parameter to list all cases associated with the observable, enabling a comprehensive review of related incidents.

Use the Query Observables step to query workspace observables. Optional parameters are available for applying filters.
