
Automating Observables: Enhance Threat Detection with Torq

Learn how to manage observables automatically with Torq workflows.


Observables management in Torq streamlines the case investigation process and enhances your organization's ability to respond to and mitigate potential threats efficiently.

Observables, such as IP addresses, URLs, file hashes, and resource UIDs, are critical indicators in cybersecurity investigations.

Observables can be managed automatically, in cases, or in the centralized Observables page.

Add Observables Automatically

  1. Adding an Observable: Use one of the following steps:

    • Add observable to a case: Introduces a new observable and associates it with a specific case.

    • Create an observable: Adds a new observable to the workspace without associating it with a case.

  2. Enter the Observable Details:

    • Enter the observable type (IP address, URL, file hash, etc.), value, and reputation score.

      • Specify a subtype by adding the Observable sub type optional parameter.

    • Optionally, provide a description.

    • Optionally, use the Enrichment parameter to attach enrichment data to the observable. This data is stored with the observable and is accessible whenever the observable is retrieved, including across all associated cases.

  3. Mark as Key: Optionally, use the Mark as Key Observable step to highlight an observable's significance. Key observables are displayed in the case Overview tab to ensure they receive immediate attention.

Additional steps are available to query, disassociate, and update observables.

(Screenshot: the Add observable to a case step)

Enrich Observables

When adding an observable to the workspace or associating it with a case, you may want to include enrichment data to provide additional context. This data helps streamline investigations and can be added or updated at any point.

Enrichment data is stored with the observable, making it readily available to anyone reviewing it—whether as part of a case or independently.

Manage Enrichment Data

  1. During Creation: Use the optional Enrichment parameter in the Create an observable or Add observable to a case steps to include enrichment data at the time of creation or association.

  2. After Creation: Use the Update observable enrichment step to add or modify enrichment data anytime.

  3. Accessing Enrichment Data: Once added, enrichment data is accessible whenever the observable is retrieved, whether via workflow steps, case trigger scenarios, or the API.

Example: Automatically Enrich an Observable When Associated with a Case

  1. Trigger the Workflow: Use the Observable added trigger to start a workflow when an observable is associated with a case.

  2. Set Trigger Conditions: Add a trigger condition to execute the workflow based on the observable type (e.g., IP address, domain, hash).

  3. Enrich the Observable: Use a threat intelligence service to retrieve additional information about the observable.

  4. Update the Observable:

    • Use the Update observable reputation score step to update the observable's reputation with the latest data.

    • Use the Update observable enrichment step to add or modify enrichment data stored with the observable.
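The enrich-on-association flow above, as an added Python sketch (not Torq's own code or API): the trigger condition is modelled by classifying the observable's type, the threat-intelligence lookup is a constructed in-memory table, and the observable fields, the 0..100 reputation convention and the key-observable threshold are assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intelligence service (not a real feed).
TI_FEED = {
    "198.51.100.23": {"verdict": "malicious", "score": 90, "tags": ["c2"]},
    "example.org": {"verdict": "benign", "score": 5, "tags": []},
}

@dataclass
class Observable:
    value: str
    type: str = ""            # ip | domain | url | hash | unknown (assumed set)
    reputation: int = 0       # 0 (clean) .. 100 (malicious), convention assumed here
    enrichment: dict = field(default_factory=dict)
    key: bool = False

_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

def classify(value: str) -> str:
    """Infer the observable type; this is what the trigger condition in step 2 tests."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if _HASH_RE.match(value):
        return "hash"
    if _DOMAIN_RE.match(value):
        return "domain"
    return "unknown"

def on_observable_added(obs: Observable, allowed=("ip", "domain", "hash")) -> Observable:
    """Workflow body: check the type condition, enrich, then update reputation and enrichment."""
    obs.type = classify(obs.value)
    if obs.type not in allowed:           # trigger condition not met: leave the observable untouched
        return obs
    hit = TI_FEED.get(obs.value.lower())
    if hit is None:                       # record that enrichment ran but found nothing
        obs.enrichment.update({"ti_status": "no_data"})
        return obs
    # Step 4: raise (never lower) the reputation score and merge enrichment data
    # into the existing dict so earlier analyst-added keys are preserved.
    obs.reputation = max(obs.reputation, hit["score"])
    obs.enrichment.update({"ti_verdict": hit["verdict"], "ti_tags": hit["tags"]})
    obs.key = obs.reputation >= 80        # flag as key observable above an assumed threshold
    return obs
```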

Leverage Observables for Threat Hunting

Enhance your proactive defense measures through threat hunting:

  • Correlate observables with potential security threats.

  • Implement enrichment and contextual analysis to uncover hidden threats.

  • Query associated cases using the observable's ID to see all related case activities and further analyze potential security breaches.

Retrieve Cases Associated with an Observable

  1. Use the Query cases step within your workflow.

  2. Add the Observable IDs optional parameter to list all cases associated with the observable, enabling a comprehensive review of related incidents.

Use the Query Observables step to query workspace observables. Optional parameters are available for applying filters.

(Screenshot: querying cases by observable IDs)

Delete Observables Automatically

For ongoing maintenance, you can automate the cleanup of outdated or redundant observables. When triggered, the workflow identifies the target observable by its ID and runs a deletion step. The observable is then soft-deleted, which automatically generates an event that updates all related cases. Timeline entries and audit logs are recorded for full traceability, keeping the observables database clean and accurate without manual intervention.

  1. Add the Delete Observable Step: In your workflow, insert the Delete Observable step from the available steps list.

  2. Provide Required Parameters: Enter the Observable ID and an optional access token.

  3. Execute the Workflow:

    • When the workflow runs, the observable is soft-deleted.

    • It is automatically detached from any related cases.

    • The action is recorded in the case timeline and audit logs for traceability.

  4. Listen for Deletion Events (Optional): Use the Observable Deleted trigger in another workflow to perform follow-up actions, such as:

    • Sending a report

    • Cleaning up related data

    • Notifying the SOC team

Observables can also be deleted manually in the Observables page.
