Skip to main content
All CollectionsInvestigate Cases
Observables: Enhance Threat Detection with Torq
Observables: Enhance Threat Detection with Torq

Learn about observables in Torq and how to use them efficiently.

Updated over a week ago

Observables are the indicators in security case management, including IP addresses, URLs, file hashes, and more. They play a vital role in monitoring, detecting, and responding to security threats efficiently.

In Torq, observables can be associated with multiple cases and are retained in the database even when not currently associated with any case. Updates to an observable automatically apply across all associated cases.

Adding Observables to Cases

  1. Navigate to the Cases page and open the case to which you want to add an observable.

  2. Access the Observables tab by expanding the case.

  3. Add an observable:

    • Click Add Observable.

    • Enter details such as the type (IP address, URL, file hash, etc.), value, and reputation score.

    • Optionally, provide a description and mark it as a key observable if it's particularly relevant to the case. Key observables are listed in the case overview to draw immediate attention.

    • Click Add to finalize.

OCSF Compliancy

Observables in Torq are OCSF-compliant objects that follow the OCSF schema for observable value types. If you need additional types not listed, please contact Torq support.

Add an observable to a case manually

Viewing Related Cases

  1. Select an Observable: From the Observables tab in a case's timeline, click on an observable of interest.

  2. Review Associated Cases: If the observable is associated with other cases, they will appear under Cases with this Observable in the Observable details form, helping you track its impact across multiple incidents.

Cases are matched based on the observable's type and value.

Use the related cases information to automate threat hunting
Did this answer your question?