Observables are the indicators tracked in security case management, such as IP addresses, URLs, and file hashes. They play a vital role in monitoring, detecting, and responding to security threats efficiently.
In Torq, observables can be associated with multiple cases and are retained in the database even when not currently associated with any case. Updates to an observable automatically apply across all associated cases.
Adding Observables to Cases
Navigate to the Cases page and open the case to which you want to add an observable.
Access the Observables tab by expanding the case.
Add an observable:
Click Add Observable.
Enter details such as the type (IP address, URL, file hash, etc.), value, and reputation score.
Optionally, provide a description and mark it as a key observable if it's particularly relevant to the case. Key observables are listed in the case overview to draw immediate attention.
Click Add to finalize.
OCSF Compliancy
Observables in Torq are OCSF-compliant objects: their types follow the OCSF schema's observable value types. If you need a type that isn't listed, contact Torq support.
Viewing Related Cases
Select an Observable: From the Observables tab in a case's timeline, click on an observable of interest.
Review Associated Cases: If the observable is associated with other cases, they will appear under Cases with this Observable in the Observable details form, helping you track its impact across multiple incidents.
Cases are matched on both the observable's type and its value.
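The behaviour described on this page (one shared observable record per type and value, retained when no case references it, updates visible in every associated case, key observables surfaced per case, related cases found by matching type and value) modeled as an added Python example. This is not Torq's code; the OCSF type_id mapping, the value-normalization rules and the sample values are assumptions.

```python
from dataclasses import dataclass

# OCSF observable type_id values for the types this page names. Assumption:
# taken from the OCSF schema's observable object; check the schema version in use.
OCSF_TYPE_ID = {"hostname": 1, "ip_address": 2, "mac_address": 3, "user_name": 4,
                "email_address": 5, "url": 6, "file_name": 7, "hash": 8}

def normalize(obs_type: str, value: str) -> str:
    """Canonical form so 'ABC' and 'abc' match as the same hash/host/e-mail (assumed rules)."""
    v = value.strip()
    if obs_type in ("hash", "hostname", "email_address", "mac_address"):
        v = v.lower()
    if obs_type == "hostname":
        v = v.rstrip(".")            # drop the trailing dot DNS tools emit
    return v

@dataclass
class Observable:
    obs_type: str
    value: str
    reputation: int = 0
    description: str = ""

def observable_key(obs_type: str, value: str) -> tuple:
    """Identity of an observable: OCSF type_id plus normalized value."""
    return (OCSF_TYPE_ID[obs_type], normalize(obs_type, value))

class ObservableStore:
    """One shared record per (type, value); links record which cases use it."""
    def __init__(self):
        self.observables = {}    # key -> Observable, retained even with no cases
        self.links = {}          # key -> {case_id: is_key_observable}

    def add_to_case(self, case_id, obs_type, value, reputation=0, description="", key=False):
        k = observable_key(obs_type, value)
        obs = self.observables.setdefault(k, Observable(obs_type, value, reputation, description))
        self.links.setdefault(k, {})[case_id] = key
        return obs                                   # the shared record, not a copy

    def update_reputation(self, obs_type, value, reputation):
        # One update, seen by every case linked to this observable
        self.observables[observable_key(obs_type, value)].reputation = reputation

    def remove_from_case(self, case_id, obs_type, value):
        # Only the link goes away; the observable record itself is kept
        self.links.get(observable_key(obs_type, value), {}).pop(case_id, None)

    def cases_with_observable(self, obs_type, value, exclude=None):
        """What the 'Cases with this Observable' panel would list for a given case."""
        return sorted(c for c in self.links.get(observable_key(obs_type, value), {}) if c != exclude)

    def key_observables(self, case_id):
        """Observables flagged as key for this case, as shown in the case overview."""
        return [self.observables[k] for k, cases in self.links.items() if cases.get(case_id)]
```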