Observables are the indicators (IP addresses, URLs, file hashes, and similar values) tracked in security case management. They play a vital role in monitoring, detecting, investigating, and responding to security threats efficiently.
In Torq, observables can be associated with multiple cases and are retained in the database even if they’re not currently associated with any case. Any updates to an observable are automatically reflected across all associated cases. Enrichment results can be saved in the observable’s context, making the information easily accessible when viewing the observable.
Observables can be managed in individual cases or in the centralized Observables page.
Observables in Cases
Observables can be added, edited, and managed directly in cases.
Adding Observables to Cases
Go to the Cases page and open the case where you want to add an observable.
Expand the case to access the Observables tab.
Click Add Observable.
Enter the observable details:
Type: Choose from IP address, URL, file hash, etc.
Select a subtype if applicable.
Value: Provide the exact indicator.
Reputation: Assign a descriptive score that reflects the indicator’s trust level or threat severity.
(Optional) Add a description to give context.
(Optional) Mark it as a Key Observable if it's critical to the case. Key observables are highlighted in the case Overview tab for immediate visibility.
(Optional) Use the Enrichment field to provide additional information, such as data from third-party systems.
Input should be in JSON format.
Enrichment data is saved with the observable and is available across all cases associated with the observable.
Once saved, the observable entry displays whether enrichment data is available.
Click Add to save the observable.
OCSF Compliance
Observables in Torq are OCSF-compliant objects that follow the OCSF schema for observable value types. If you need additional types that are not listed, please contact Torq support.
Viewing Related Cases
Select an Observable: From the Observables tab in a case, click on the observable of interest.
Review Associated Cases: If the observable is associated with other cases, they appear in the table under Cases with this Observable in the Observable details form, helping you track the observable's impact across multiple incidents.
Cases are matched based on the observable's type and value.
Manage Observables in the Observables Page
The centralized Observables page gives you complete visibility into every observable in your workspace, including those not currently associated with a case, so you can track and trace threats across cases.
Navigate to Observables: In the left-hand menu, go to Investigate > Observables.
In the centralized observable table, you can:
Search for observables by value.
Filter by type, subtype, reputation, first seen, and last seen.
Sort by ID, type, subtype, reputation, first seen, last seen, and the number of associated cases.
Click on an observable to open it and view the observable details, including all the cases it is associated with.
Add new observables
Observables can be added automatically through Workflows, manually in a case, or in the Observables page. To add a new observable in the Observables page:
Add a new Observable: Click Add Observable.
Fill in the details:
Select the relevant Type and Subtype.
Enter the observable Value.
Select the relevant Reputation.
Give the observable a useful description.
Optionally add Enrichment in JSON format.
Finalize: Click Add.
Edit observables
In the observables table, click on the observable you want to edit. Changes can be made to the observable reputation, description, and enrichment. Click Save.
Editing an observable affects every case in which it appears. Be sure to review the impact before confirming your action.
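The behaviour described in the sections above (one record per type and value, enrichment stored as a JSON object on that record, related cases matched on type and value, an observable retained after its last case is removed, and an edit reaching every linked case) is easier to reason about as code. The Python model below is an added example for this page, not Torq's implementation or API. The type names, the reputation labels, the value normalisation and the OCSF type_id numbers are assumptions, and the sample hash, IP address and case IDs are constructed.

```python
# Added example, not Torq's code: one record per (type, value), linked to many
# cases. Type names, reputation labels and the normalisation are assumptions.
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# OCSF observable.type_id for a few types, as the author recalls the enum;
# verify against the published OCSF schema before relying on the numbers.
OCSF_TYPE_ID = {"Hostname": 1, "IP Address": 2, "URL String": 6, "Hash": 8}
REPUTATIONS = {"unknown", "benign", "suspicious", "malicious"}  # assumed labels
_HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")

def normalize(obs_type: str, value: str) -> str:
    """Canonicalise the value so one indicator never becomes two records."""
    v = value.strip()
    if obs_type == "Hash":
        if not _HEX_DIGEST.fullmatch(v):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        return v.lower()
    if obs_type == "IP Address":
        return str(ipaddress.ip_address(v))  # ValueError on e.g. 999.1.1.1
    if obs_type == "Hostname":
        return v.lower().rstrip(".")
    return v

def parse_enrichment(text: str) -> dict:
    """The Enrichment field must hold a JSON object, not a string, list or number."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("enrichment must be a JSON object")
    return data

@dataclass
class Observable:
    type: str
    value: str
    reputation: str
    first_seen: datetime
    last_seen: datetime
    enrichment: dict = field(default_factory=dict)  # shared by every linked case
    cases: set[str] = field(default_factory=set)    # "Cases with this Observable"
    key_in: set[str] = field(default_factory=set)   # cases where it is a Key Observable

    @property
    def type_id(self) -> int:
        return OCSF_TYPE_ID[self.type]

class ObservableStore:
    def __init__(self) -> None:
        self._by_key: dict[tuple[str, str], Observable] = {}

    def add(self, case_id: str, obs_type: str, value: str, *, reputation: str = "unknown",
            key: bool = False, enrichment_json: str | None = None,
            seen: datetime | None = None) -> Observable:
        """Link an observable to a case, creating the shared record on first sight."""
        if obs_type not in OCSF_TYPE_ID or reputation not in REPUTATIONS:
            raise ValueError(f"unsupported type/reputation: {obs_type}/{reputation}")
        value, seen = normalize(obs_type, value), seen or datetime.now(timezone.utc)
        obs = self._by_key.get((obs_type, value))
        if obs is None:
            obs = Observable(obs_type, value, reputation, seen, seen)
            self._by_key[(obs_type, value)] = obs
        else:  # already known: widen the sighting window, keep the stored reputation
            obs.first_seen, obs.last_seen = min(obs.first_seen, seen), max(obs.last_seen, seen)
        if enrichment_json is not None:
            obs.enrichment.update(parse_enrichment(enrichment_json))
        obs.cases.add(case_id)
        if key:
            obs.key_in.add(case_id)
        return obs

    def update(self, obs_type: str, value: str, *, reputation: str | None = None,
               enrichment_json: str | None = None) -> Observable:
        """Edit the one shared record; every linked case sees the change."""
        obs = self._by_key[(obs_type, normalize(obs_type, value))]
        if reputation is not None:
            if reputation not in REPUTATIONS:
                raise ValueError(f"unknown reputation: {reputation}")
            obs.reputation = reputation
        if enrichment_json is not None:
            obs.enrichment.update(parse_enrichment(enrichment_json))
        return obs

    def detach(self, case_id: str, obs_type: str, value: str) -> Observable:
        """Unlink from a case; the record is retained even with zero cases."""
        obs = self._by_key[(obs_type, normalize(obs_type, value))]
        obs.cases.discard(case_id)
        obs.key_in.discard(case_id)
        return obs

    def related_cases(self, obs_type: str, value: str, *, exclude: str | None = None) -> list[str]:
        """Cases matched on type and value, hiding the case currently being viewed."""
        obs = self._by_key.get((obs_type, normalize(obs_type, value)))
        return sorted(obs.cases - {exclude}) if obs else []
```

Two points the model makes concrete: normalisation (trimming whitespace, lower-casing hex digests, parsing IP addresses) is what prevents the same indicator entered by two analysts from becoming two unrelated records, and `detach` leaves the record and its reputation in the store, so an observable that resurfaces in a later case carries whatever reputation it was last given and should be reviewed before it is trusted.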
Permissions
To access the Observables page, users need the cm.observable.read or cm.observable.write permission. Depending on which permission they hold, users can:
| Permission | Description | Actions |
| cm.observable.read | List and view observables | View and read the observables' content |
| cm.observable.write | Create and update observables | Create and edit observables |