Observables: Enhance Threat Detection with Torq

Learn about observables in Torq and how to use them efficiently.

Updated this week

Observables are the indicators in security case management, including IP addresses, URLs, file hashes, and more. They play a vital role in monitoring, detecting, and responding to security threats efficiently.

In Torq, observables can be associated with multiple cases and are retained in the database even if they’re not currently associated with any case. Any updates to an observable are automatically reflected across all associated cases.

Enrichment results can be saved in the observable’s context, making the information easily accessible when viewing the observable.

Adding Observables to Cases

  1. Go to the Cases page and open the case where you want to add an observable.

  2. Expand the case to access the Observables tab.

  3. Click Add Observable.

  4. Enter the observable details:

    • Type: Choose from IP address, URL, file hash, etc.

      • Select a sub-type if applicable.

    • Value: Provide the exact indicator.

    • Reputation: Assign a descriptive score that reflects the indicator’s trust level or threat severity.

  5. (Optional) Add a description to give context.

  6. (Optional) Mark it as a Key Observable if it's critical to the case. Key observables are highlighted in the case Overview tab for immediate visibility.

  7. (Optional) Use the Enrichment field to provide additional information—such as data from third-party systems.

    • Input should be in JSON format.

    • Enrichment data is saved with the observable and is available across all cases associated with the observable.

    • Once saved, the observable entry displays whether enrichment data is available.

  8. Click Add to save the observable.

OCSF Compliance

Observables in Torq are OCSF-compliant objects that follow the OCSF schema for observable value types. If you need additional types that are not listed, please contact Torq support.

Viewing Related Cases

  1. Select an Observable: From the Observables tab in a case, click on the observable of interest.

  2. Review Associated Cases: If the observable is associated with other cases, they appear under Cases with this Observable in the Observable details form, helping you track the observable's impact across multiple incidents.

Cases are matched based on the observable's type and value.
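
Because cases are matched on type and value, the same indicator entered in two forms (defanged in one case, upper-case hash in another) may not link up if values are compared exactly, which is an assumption here. The Python helper below is an added example, not Torq code or a Torq API: it puts an indicator into one canonical form before you enter it in Value, and checks that Enrichment input parses as JSON. The sub-type labels, the sample indicators, and the requirement that enrichment be a JSON object are assumptions of this example.

```python
import ipaddress
import json
import re

# Hex length -> algorithm label. Labels are illustrative, not Torq's sub-type list.
HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) to recover the real indicator."""
    value = value.strip()
    value = re.sub(r"\[\.\]|\(\.\)", ".", value)
    value = value.replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def prepare_observable(raw: str) -> dict:
    """Return type, sub_type and value in one canonical form per indicator."""
    value = refang(raw)
    try:
        ip = ipaddress.ip_address(value)  # str(ip) gives the compressed, lower-case form
        return {"type": "IP address", "sub_type": f"IPv{ip.version}", "value": str(ip)}
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_ALGOS:
        return {"type": "file hash", "sub_type": HASH_ALGOS[len(value)],
                "value": value.lower()}
    if re.match(r"https?://", value, flags=re.IGNORECASE):
        # Lower-case scheme and host only; paths and queries are case-sensitive.
        # Assumes the URL carries no userinfo (user:pass@) before the host.
        scheme, rest = value.split("://", 1)
        host, sep, path = rest.partition("/")
        return {"type": "URL", "sub_type": None,
                "value": f"{scheme.lower()}://{host.lower()}{sep}{path}"}
    raise ValueError(f"unrecognized indicator: {raw!r}")


def check_enrichment(text: str) -> str:
    """Validate Enrichment input and return it re-serialized with sorted keys."""
    data = json.loads(text)  # raises json.JSONDecodeError (a ValueError) if malformed
    if not isinstance(data, dict):  # assumption: enrichment is a JSON object
        raise ValueError("enrichment must be a JSON object")
    return json.dumps(data, sort_keys=True)
```

Run `prepare_observable` on the raw indicator from an alert or report and enter the returned value in the Value field; paste the output of `check_enrichment` into Enrichment.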