Observables, including IP addresses, URLs, file hashes, and more, are indicators in security case management. They play a vital role in monitoring, detecting, investigating, and responding to security threats efficiently.
In Torq, observables can be associated with multiple cases and are retained in the database even if they’re not currently associated with any case. Any updates to an observable are automatically reflected across all associated cases. Enrichment results can be saved in the observable’s context, making the information easily accessible when viewing the observable.
Observables can be managed in individual cases or in the centralized Observables page.
Observables in Cases
Observables can be added, edited, and managed directly in cases.
Adding Observables to Cases
Go to the Cases page and open the case where you want to add an observable.
Expand the case to access the Observables tab.
Click Add Observable.
Enter the observable details:
Type: Choose from IP address, URL, file hash, etc.
Select a subtype if applicable.
Value: Provide the exact indicator.
Reputation: Assign a descriptive score that reflects the indicator’s trust level or threat severity.
(Optional) Add a description to give context.
(Optional) Mark it as a Key Observable if it's critical to the case. Key observables are highlighted in the case Overview tab for immediate visibility.
(Optional) Use the Enrichment field to provide additional information, such as data from third-party systems.
Input should be in JSON format.
Enrichment data is saved with the observable and is available across all cases associated with the observable.
Once saved, the observable entry displays whether enrichment data is available.
Click Add to save the observable.
OCSF Compliance
Observables in Torq are OCSF-compliant objects that follow the OCSF schema for observable value types. If you need additional types that are not listed, please contact Torq support.
Viewing Related Cases
Select an Observable: From the Observables tab in a case, click on the observable of interest.
Review Associated Cases: If the observable is associated with other cases, they will appear in the table under Cases with this Observable in the Observable details form, helping you track the observable impact across multiple incidents.
Cases are matched based on the observable's type and value.
Manage Observables in the Observables Page
The centralized Observables page gives you complete visibility into every observable in your workspace, including those not currently associated with any case, so indicators can be tracked and traced across investigations from one place.
Navigate to Observables: In the left-hand menu, go to Investigate > Observables.
In the centralized observable table, you can:
Search for observables by value.
Filter by type, subtype, reputation, first seen, and last seen.
Sort by ID, value, type, subtype, reputation, first and last seen, and the number of cases associated.
Click on an observable to open it and view the observable details, including all the cases it is associated with.
Add new observables
Observables can be added automatically through Workflows, manually in a case, or in the Observables page. To add a new observable in the Observables page:
Add a new Observable: Click Add Observable.
Fill in the details:
Select the relevant Type and Subtype.
Enter the observable Value.
Select the relevant Reputation.
Give the observable a useful description.
Optionally add Enrichment in JSON format.
Finalize: Click Add.
Edit observables
In the observables table, click on the observable you want to edit. Changes can be made to the observable reputation, description, and enrichment. Click Save.
Editing an observable affects every case in which it appears. Be sure to review the impact before confirming your action.
Delete Observables
Delete unnecessary, redundant, or incorrect observables from your workspace to keep the data clean and investigations accurate. When an observable is deleted, it is detached from all related cases, and those cases are updated automatically so the change remains traceable, whether the deletion is triggered by a workflow or performed manually.
If the same observable is added again in the future, all existing information, such as case relations, enrichment details, descriptions, and reputation, will be automatically restored.
Observables can be deleted manually in the Observables page, and automatically in a workflow.
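The behaviour described above (one record per type and value shared by every case that references it, edits visible from all of them, deletion detaching the record from its cases, and a later re-add restoring reputation, description, enrichment and case relations) is easier to reason about as code. The following is an added illustration written for this page, not Torq's implementation: the class and method names, the in-memory store, the reputation scale, and the whitespace/case normalization of values are all assumptions of the model; only the OCSF type_id values are taken from the OCSF observable schema.

```python
"""Model of the shared-observable semantics described on this page.
Added illustration, not Torq code; every name here is hypothetical."""
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Subset of the OCSF observable type_id enumeration (from the OCSF schema).
OCSF_TYPE_ID = {
    "Hostname": 1, "IP Address": 2, "MAC Address": 3, "User Name": 4,
    "Email Address": 5, "URL String": 6, "File Name": 7, "File Hash": 8,
}
REPUTATIONS = ("Unknown", "Benign", "Suspicious", "Malicious")  # assumed scale


@dataclass
class Observable:
    type: str
    value: str
    reputation: str = "Unknown"
    description: str = ""
    enrichment: dict = field(default_factory=dict)  # saved once, seen from every case
    cases: set = field(default_factory=set)         # case IDs linked to this record
    key_in: set = field(default_factory=set)        # cases where it is a Key Observable

    def type_id(self) -> int:
        return OCSF_TYPE_ID[self.type]


def parse_enrichment(raw) -> dict:
    """The Enrichment field must be a JSON object; reject anything else early."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    if not isinstance(data, dict):
        raise ValueError("enrichment must be a JSON object")
    return data


def normalize(type_: str, value: str) -> tuple:
    """Matching key. The page says cases are matched on type and value; the
    strip/lowercase/validation rules are this model's assumption."""
    if type_ not in OCSF_TYPE_ID:
        raise ValueError(f"unsupported observable type {type_!r}")
    value = value.strip()
    if type_ == "IP Address":
        value = str(ipaddress.ip_address(value))  # raises ValueError on junk
    elif type_ == "File Hash":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value):
            raise ValueError("file hash must be MD5, SHA-1 or SHA-256 hex")
    return (type_, value)


class ObservableStore:
    def __init__(self):
        self.live = {}     # key -> Observable (what the Observables page lists)
        self.retired = {}  # deleted records, kept so a re-add restores them

    def add(self, case_id, type_, value, reputation=None, description="",
            enrichment=None, key=False) -> Observable:
        """Add to a case; reuses an existing or previously deleted record."""
        k = normalize(type_, value)
        obs = self.live.get(k)
        if obs is None:
            obs = self.retired.pop(k, None) or Observable(*k)
            self.live[k] = obs
        if reputation is not None:
            if reputation not in REPUTATIONS:
                raise ValueError(f"unknown reputation {reputation!r}")
            obs.reputation = reputation
        if description:
            obs.description = description
        if enrichment is not None:
            obs.enrichment.update(parse_enrichment(enrichment))
        obs.cases.add(case_id)
        if key:
            obs.key_in.add(case_id)
        return obs

    def update(self, type_, value, **fields) -> Observable:
        """Edit reputation/description/enrichment; every linked case sees it."""
        obs = self.live[normalize(type_, value)]
        for name, val in fields.items():
            if name not in ("reputation", "description", "enrichment"):
                raise ValueError(f"{name} is not editable")
            setattr(obs, name, parse_enrichment(val) if name == "enrichment" else val)
        return obs

    def related_cases(self, case_id, type_, value) -> set:
        """'Cases with this Observable' as seen from inside case_id."""
        return self.live[normalize(type_, value)].cases - {case_id}

    def case_observables(self, case_id) -> list:
        """The Observables tab of one case."""
        return sorted((o for o in self.live.values() if case_id in o.cases),
                      key=lambda o: (o.type, o.value))

    def delete(self, type_, value) -> set:
        """Detach from every case; returns the case IDs that were updated."""
        k = normalize(type_, value)
        obs = self.live.pop(k)
        self.retired[k] = obs
        return set(obs.cases)
```

The practical points the model makes visible: a second case adding the same IP does not create a second record, so the reputation set from one case is the reputation every other case sees; enrichment is validated as a JSON object before it is stored; and delete returns the set of affected cases, which is the list a workflow should report when it removes an observable.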
Manual Deletion
When an incorrect observable is created, such as one mistakenly added from a case, you can delete it. This method is best for quick, ad-hoc corrections.
Open the Observables Table: Go to the list of observables in your workspace.
Select the Observable: Click on the observable you want to delete.
Delete the Observable: In the top-right corner, click the Delete icon. Then, confirm the deletion when prompted.
The observable is removed from your workspace.
It is also detached from all linked cases.
Permissions
To access the Observables page, users need the cm.observable.read, cm.observable.write or cm.observable.delete permission. Based on the permissions they have, users can:
| Action | Description | Roles |
| --- | --- | --- |
| List and view observables | View and read the observables' content | Owner, Cases Analyst, Cases Contributor, Contributor |
| Create and update observables | Create and edit observables | Owner, Cases Analyst, Cases Contributor, Contributor, Creator |
| Delete observables | Remove observables | Owner |