Automating Case Creation in Torq

Learn how to automatically create cases in Torq using workflow steps.

Updated over 4 months ago

Torq's HyperSOC is driven by automatic case creation within the workflows you build. The options outlined below enable automatic case creation whenever events of interest are detected, following any necessary initial processing. This streamlines incident response, ensuring that cases are created and tracked without manual effort.

To automate case creation, include one of these steps in your workflow. Each provides distinct benefits, allowing you to choose the most suitable option.

  1. Create a Case

  2. Create a Case from JSON

  3. Create a Case from Template

The case will be available on the Cases page by navigating to Investigate > Cases.

Create a Case

When a workflow detects an event that requires investigation, you can use the Create a Case step. Use the step parameters to set the case attributes.

Consider the following when setting case attributes automatically:

  • Resolution SLA: You have the option to set it to 0 to indicate no target duration.

  • Description: Use markdown syntax to apply formatting to the case description. To include a markdown-supported table in the case description, use the Create ASCII table step with the optional parameter Markdown set to true.

  • Tags: Specify all relevant tags for the case.

Create a Case from JSON

Use the Create a case from JSON step to generate a case by passing attributes in JSON format. This step allows you to define additional case attributes beyond the standard Create a case step, such as custom fields, custom SLA timers, quick actions, and a runbook, all within the JSON object.

JSON Input Example

{
  "title": "Compromised user device",
  "description": "The user device is compromised by **unauthorized access** or _malware_.",
  "state": {
    "value": "New" // The state name is case-sensitive.
  },
  "severity": {
    "value": "high"
  },
  "assignee": "john@torq.io",
  "reporter": {
    "user": {
      // The email of the user who will be listed as the case reporter.
      // If omitted, the case will be marked as reported by a workflow.
      "email": "jane@torq.io"
    }
  },
  "sla": "86400", // The Resolution SLA in seconds.
  "category": "malware",
  "tags": [
    "malware",
    "unauthorized access"
  ],
  // An example for each type of custom field is available below.
  "custom_fields": [
    {
      "key": "short_string",
      "value": "foo",
      "type": "string",
      "schema": {
        "short_text": {
          "min_length": 1,
          "max_length": 255,
          "regex": "^foo$"
        }
      }
    },
    {
      "key": "number",
      "value": "33",
      "type": "number"
    },
    {
      "key": "bool",
      "value": "true",
      "type": "boolean"
    },
    {
      "key": "timestamp",
      "value": "1999-01-01T10:00:10+02:00",
      "type": "timestamp"
    },
    {
      "key": "single_select",
      "value": "foo",
      "type": "single_select",
      "schema": {
        "single_select": {
          "allowed_values": [
            "foo",
            "bar"
          ]
        }
      }
    }
  ],
  // State ID 0 indicates the timer is paused, while State ID 1 indicates it's running.
  // Reminder: A lead timer must be running.
  "custom_sla_timers": [
    {
      "name": "time_to_acknowledge",
      "state": {
        "id": 0
      },
      "is_lead": false
    },
    {
      "name": "time_to_contain",
      "state": {
        "id": 1
      },
      // Set the timer's target duration in seconds. If not specified, the timer will
      // default to zero, meaning it has no target and is used solely for tracking duration.
      "target": "21600",
      "is_lead": true
    }
  ],
  // IDs can be provided from the context or explicitly.
  "quick_actions": [
    {
      "title": "Block user",
      "workflow_id": "8805ebc1-12fd-****-be4b-b0494f9845ec"
    }
  ],
  "runbook": "{{ $.create_a_runbook.runbook.id }}"
}
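A pre-flight check for a case object before it reaches the Create a case from JSON step, useful when the values are built from event data the workflow does not control. This is an added example, not Torq code: `validate_case`, `is_seconds` and `BAD_CASE` are hypothetical names, and the rules are only the ones stated in the annotations above (seconds-valued SLA and timer targets, custom field schemas, timer state IDs, a running lead timer).

```python
import re

def is_seconds(value):
    """True for a non-negative whole number of seconds, given as str or int."""
    return not isinstance(value, bool) and re.fullmatch(r"[0-9]+", str(value)) is not None

def validate_case(case):
    """Return a list of problems in a case payload; an empty list means it passed."""
    problems = []
    if "sla" in case and not is_seconds(case["sla"]):
        problems.append("sla: not a number of seconds")
    for field in case.get("custom_fields", []):
        key, value = field.get("key"), str(field.get("value", ""))
        schema = field.get("schema", {})
        text = schema.get("short_text", {})
        if len(value) < text.get("min_length", 0) or len(value) > text.get("max_length", len(value)):
            problems.append(f"{key}: length outside min_length/max_length")
        # Assumption: Python's re is close enough to the platform's regex dialect.
        if "regex" in text and not re.search(text["regex"], value):
            problems.append(f"{key}: value does not match regex")
        select = schema.get("single_select")
        if select is not None and value not in select.get("allowed_values", []):
            problems.append(f"{key}: value not in allowed_values")
    for timer in case.get("custom_sla_timers", []):
        name, state_id = timer.get("name"), timer.get("state", {}).get("id")
        if state_id not in (0, 1):
            problems.append(f"{name}: state id must be 0 (paused) or 1 (running)")
        if "target" in timer and not is_seconds(timer["target"]):
            problems.append(f"{name}: target is not a number of seconds")
        if timer.get("is_lead") and state_id != 1:
            problems.append(f"{name}: lead timer must be running")
    return problems

# Constructed sample: shaped like the page's example, with three deliberate faults.
BAD_CASE = {
    "title": "Compromised user device",
    "sla": "1 day",
    "custom_fields": [
        {"key": "single_select", "value": "baz", "type": "single_select",
         "schema": {"single_select": {"allowed_values": ["foo", "bar"]}}},
        {"key": "short_string", "value": "foo", "type": "string",
         "schema": {"short_text": {"min_length": 1, "max_length": 255, "regex": "^foo$"}}},
    ],
    "custom_sla_timers": [
        {"name": "time_to_acknowledge", "state": {"id": 0}, "is_lead": True},
        {"name": "time_to_contain", "state": {"id": 1}, "target": "21600", "is_lead": False},
    ],
}

if __name__ == "__main__":
    print("\n".join(validate_case(BAD_CASE)))
```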

Create a Case from Template

Save reusable templates to simplify case creation. These templates store key case attributes, allowing easy application of pre-configured settings to new cases.

  1. Create a Template:

    • Set up a case with the required attributes.

    • Use the Set case management template from case step and name the template.

  2. Stored Attributes: Case templates save the case category, custom fields, Resolution SLA, custom SLA timers, quick actions, severity, tags, and runbook.
    More information about the core case attributes is available here.

  3. Apply the Template:

    • Use Create a Case from Template to apply the saved settings.

    • Fill in custom fields, and the rest will be auto-applied.
