This Torq workflow template lets security teams investigate potential threats by searching Chronicle SIEM for a set of observables (hashes, IP addresses, domains, usernames, or emails). It constructs a UDM (Unified Data Model) query that combines every provided observable with the AND operator, so each observable type is optional and only the supplied ones narrow the search. Results are returned both as JSON and as a tabulated CSV extract, giving security operations clear, actionable data.
Optional Triggers
"It can be used as a nested workflow as it outputs all items found by Chronicle."
Workflow Breakdown
Receives hash, IP, email, username and domain observables. All fields are optional.
Builds a UDM query by joining all supplied items with the AND operator.
Vendors
Utils, Google Chronicle
Workflow Output
Output provides the time range, all items returned by Chronicle in JSON format, and a CSV-formatted extraction of the main values for tabulation.
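The two mechanical steps above (joining optional observables into one AND query, then extracting the main values of the JSON results into CSV) are illustrated below in an added example that is not part of the Torq template or Chronicle's own code. The UDM field names chosen for each observable type, the CSV columns, and the sample events are all assumptions constructed for the example; check them against your own UDM schema before reuse. The query builder also escapes quotes inside an observable value so that an input such as a username cannot alter the query structure.

```python
import csv
import io
from typing import Dict, List, Optional

# ASSUMED mapping from observable type to the UDM field to search.
# The template page does not state which fields it uses.
UDM_FIELDS: Dict[str, str] = {
    "hash": "target.file.sha256",
    "ip": "principal.ip",
    "domain": "network.dns.questions.name",
    "username": "principal.user.userid",
    "email": "principal.user.email_addresses",
}

# ASSUMED columns for the tabulated CSV extract.
CSV_COLUMNS: List[str] = [
    "metadata.event_timestamp",
    "metadata.event_type",
    "principal.ip",
    "principal.user.userid",
    "target.file.sha256",
]


def build_udm_query(observables: Dict[str, Optional[str]]) -> str:
    """Join every provided observable into one UDM query with AND.

    Missing or empty observables are skipped (all fields are optional).
    Backslashes and double quotes in a value are escaped so that an
    observable cannot terminate its quoted literal and inject clauses.
    """
    clauses = []
    for kind, field in UDM_FIELDS.items():
        value = observables.get(kind)
        if not value:
            continue
        safe = value.replace("\\", "\\\\").replace('"', '\\"')
        clauses.append(f'{field} = "{safe}"')
    if not clauses:
        raise ValueError("at least one observable is required")
    return " AND ".join(clauses)


def get_path(event: dict, path: str) -> str:
    """Read a dotted UDM path from a nested event; lists are joined with ';'."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    if isinstance(cur, list):
        return ";".join(str(x) for x in cur)
    return str(cur)


def events_to_csv(events: List[dict]) -> str:
    """Flatten the JSON events returned by the search into a CSV string."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(CSV_COLUMNS)
    for event in events:
        writer.writerow([get_path(event, col) for col in CSV_COLUMNS])
    return buf.getvalue()


# Constructed sample events in UDM-like shape (not real Chronicle output).
SAMPLE_EVENTS: List[dict] = [
    {
        "metadata": {"event_timestamp": "2024-01-01T10:00:00Z",
                     "event_type": "NETWORK_CONNECTION"},
        "principal": {"ip": ["10.0.0.5"], "user": {"userid": "alice"}},
        "target": {"ip": ["203.0.113.9"]},
    },
    {
        "metadata": {"event_timestamp": "2024-01-01T10:02:00Z",
                     "event_type": "FILE_CREATION"},
        "principal": {"ip": ["10.0.0.5"], "user": {"userid": "alice"}},
        "target": {"file": {"sha256": "0" * 64}},
    },
]


if __name__ == "__main__":
    print(build_udm_query({"ip": "203.0.113.9", "username": "alice", "hash": ""}))
    print(events_to_csv(SAMPLE_EVENTS))
```

In a nested-workflow setting the CSV string is what you would hand to the Slack step; the JSON list stays available to any downstream step that needs the full event detail.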
Tips
Show the CSV output in a Slack snippet using the filetype CSV.