Automatically managing observables in Torq streamlines the case investigation process and enhances your organization’s ability to respond to and mitigate potential threats efficiently.
Observables, such as IP addresses, URLs, file hashes, and resource UIDs, are critical indicators in cybersecurity investigations. Learn the basics here.
Adding Observables to Cases Automatically
Adding an Observable: Use the Add observable to a case step to introduce a new observable and associate it with a specific case. For instance, if you get an alert about suspicious activity, you can pull out details like the IP address from this alert and add it as an observable.
What You Need:
Provide the case ID to associate the observable with.
Enter details such as the observable type (IP address, URL, file hash, etc.), value, and reputation score. Specify a sub type by adding the Observable sub type optional parameter.
Optionally, provide a description.
Optionally, use the Mark as Key Observable step to highlight the significance of an observable. Key observables are displayed in the case overview to ensure they receive immediate attention.
Additional steps are available to query, disassociate, and update observables as needed.
Enriching an Observable
Once an observable is associated with a case, enriching it provides a deeper insight:
Trigger a workflow when an observable is added with the Observable Added trigger.
Specify conditions for enrichment based on the observable's type.
Use threat intelligence services to enrich the observable.
Update the observable with the latest security data by using the Update observable reputation score step.
Threat Hunting with Observables
Enhance your proactive defense measures through threat hunting:
Correlate observables with potential security threats.
Implement enrichment and contextual analysis to uncover hidden threats.
Query associated cases using the observable's ID to see all related case activities and further analyze potential security breaches.
Retrieving Cases Associated with an Observable
Use the Query cases step within your workflow.
Add the Observable IDs optional parameter to list all cases associated with the observable, enabling a comprehensive review of related incidents.
Use the Query Observables step to query workspace observables. Optional parameters are available for applying filters.