Templates

Torq templates can be easily imported into your workspace for inspiration or immediate deployment, simplifying and enhancing your security automation processes.

377 articles
Accelerate Security Automation with Torq Templates
Discover Torq templates—ready-to-use workflows designed to streamline and enhance your cybersecurity automation efforts.

Workflow Template: QuickAction - Create a PDF Report for a Torq Case
Creates a PDF Summary Report of a Torq Case as a response to a QuickAction button.

Workflow Template: Rerun Failed Workflow Executions On Demand
Searches the Activity Log for the failed workflow executions and their triggering events and reruns all the failed workflow executions.

Workflow Template: Poll for new Veeam Backup & Replication Events and Open a Case
Creates a case in Torq for malware events detected by Veeam Backup & Replication.

Workflow Template: Poll for new Veeam ONE Alarm and Open a Torq Case
Creates a case in Torq when security-related alarms in Veeam ONE are triggered in a Warning or Error state.

Workflow Template: Attach a password protected archive to a Torq Case
Attach a suspicious or malicious file to a case within a password-protected archive for secure handling and analysis.

Workflow Template: Where used? Resource usage report
Provides 'Where Used' functionality in Torq, enabling users to query integrations, runners, or secrets.

Workflow Template: Extract Multiple Observables with AI Task
Use AI Task operator to extract multiple types of observables from a raw text.

Workflow Template: QuickAction - Scan Device on MS Defender for Endpoint
Start a full malware scan on a remote device when a quick action button is pressed.

Workflow Template: QuickAction - Isolate or Release a Device on MS Defender Endpoint
Isolate or release a remote device from isolation when a quick action button is pressed.

Workflow Template: What do we have? Environment Audit Report
Gathers an account's resources list, including triggers, workflows, integration API keys, and secrets, to generate HTML and PDF reports.

Workflow Template: VirusTotal IOC Lookup with Summary of Results from AI Task
Used as a nested workflow, receive an IP address, domain or file hash and query VirusTotal and analyze details with AI Task for a summary.

Workflow Template: Get Triggered Alarms from Veeam ONE
This workflow lists multiple security-related Veeam ONE alarms in Warning or Error status.

Workflow Template: Silverfort Risk and Incidents to Torq Observables and Cases
This workflow will receive a webhook from Silverfort and create or update Torq cases based on Silverfort Incident and risk changes.

Workflow Template: Change Sweet Security incident statuses via Slack Integration
Notify SOC and users of Sweet Security alerts, enriching incidents with responses.

Workflow Template: Start Configuration Backup in Veeam Backup & Replication
Initiates a configuration backup of system settings, job configurations, and other essential data in Veeam Backup & Replication.

Workflow Template: Crowdstrike Falcon Sandbox - File Analysis with Cache
Submit a file to Falcon Sandbox for malware analysis.

Workflow Template: Torq Automation Expert - Fix This Workflow
This workflow is used as part of the Torq Automation Expert Course that checks your skills at addressing and fixing errors in a workflow.

Workflow Template: Torq Automation Analyst - XML to JSON
This workflow is used as part of the Torq Automation Analyst Course to learn how to transform, select and filter data in Torq workflows.

Workflow Template: Torq Automation Analyst - Generate Token and HTTP GET Data
This workflow is used as part of the Torq Automation Analyst Course to learn about using basic HTTP steps in a workflow.

Workflow Template: Torq Automation Expert - Pagination
This workflow is used as part of the Torq Automation Expert Course to test your skills at using pagination to gather data in a workflow.

Workflow Template: Torq Automation Analyst - Fix this Workflow
This workflow is used as part of the Torq Automation Analyst Course to learn about troubleshooting and fixing errors in a workflow.

Workflow Template: Create Torq Cases from Proofpoint Clicks Permitted
On a schedule check for clicks permitted in Proofpoint and enrich the URLs in VirusTotal and open a Torq Case for each finding.

Workflow Template: Synchronize Torq Case Runbooks from a GitHub Repository
Create or update Torq runbooks based on a GitHub repository when a commit has been made in the repository holding the runbooks.

QuickAction - Scan Device on SentinelOne - Workflow Template
Quickly start a Full Disk Scan of a Device with SentinelOne Agent using a single QuickAction button.

Workflow Template: Synchronize Torq Case Comment to Jira
Synchronize Torq Case Comment to Jira driven by a "Comment added" Trigger.

Workflow Template: Synchronize Torq Case Attachment to Jira
Synchronize Torq Case attachment to Jira driven by an "Attachment added" Trigger.

Workflow Template: Synchronize Torq Case Assignee to Jira
Synchronize Torq Case Assignee to Jira driven by an "Assigned to teammate" Trigger.

Workflow Template: Synchronize Torq Case Comment to Microsoft Sentinel Incidents
Synchronize Torq Case Comment to a Sentinel Incident driven by a "Comment added" Trigger.

Workflow Template: Synchronize Torq Case State Change to Jira
Synchronize Torq Case Change of State to a Jira ticket driven by a "State changed" Trigger.

Workflow Template: Synchronize Torq Case Severity to Jira
Synchronize Torq Case Severity to Jira driven by a "Severity changed" Trigger.

Workflow Template: Synchronize Torq Case Severity to ServiceNow Urgency and Impact
Synchronize Torq Case Severity to ServiceNow driven by a "Severity changed" Trigger.

Workflow Template: Synchronize Torq Case Assignee to ServiceNow
Synchronize Torq Case Assignee to ServiceNow driven by an "Assigned to teammate" Trigger.

Workflow Template: Synchronize Torq Case State Change to Microsoft Sentinel Incident
Synchronize Torq Case Change of State to a Sentinel Incident driven by a "State changed" Trigger.

Workflow Template: Synchronize Torq Case Attachment to ServiceNow
Synchronize Torq Case attachment to ServiceNow driven by an "Attachment added" Trigger.

Workflow Template: Synchronize Torq Case State Change to ServiceNow
Synchronize Torq Case Change of State to ServiceNow driven by a "State changed" Trigger.

Workflow Template: Synchronize Torq Case Assignee to Microsoft Sentinel Incidents
Synchronize Torq Case Assignee to a Sentinel Incident driven by an "Assigned to teammate" Trigger.

Workflow Template: Synchronize Torq Case Severity to Microsoft Sentinel Incidents
Synchronize Torq Case Severity to a Sentinel Incident driven by a "Severity changed" Trigger.

Workflow Template: Synchronize Torq Case Comment to ServiceNow Note
Synchronize Torq Case Comment to ServiceNow Note driven by a "Comment added" Trigger.

Workflow Template: Synchronize Torq Case Tags to Microsoft Sentinel Incidents
Synchronize Torq Case Tags to a Sentinel Incident driven by a "Tags Updated" Trigger.

Workflow Template: Reduce large Slack message to multiple 3000 character messages
This workflow takes in a large message and breaks it into multiple "chunks" compatible with the 3000 character limit in the Slack API.

Workflow Template: Send a Teams message when a workspace table variable is deleted
Send a Microsoft Teams message to subscribers when a workspace table variable is deleted.

Workflow Template: Send a Slack message when a workspace table variable is deleted
Send a Slack message to subscribers when a workspace table variable is deleted.

Workflow Template: Simple SumoLogic Query with Optional Return Field Filters
Filter your search for specific messages or records in Sumo Logic and return only the relevant fields.

Workflow Template: Notify on Runner's Health Status Change via Teams
Get a Teams notification every time a Step Runner's health status changes.

Workflow Template: Notify on Runner's Health Status Change via Slack
Get a Slack notification every time a Step Runner's health status changes.

Workflow Template: QuickAction - Upload a File from a URL to a Case
Uploads a password protected archive from a URL as a response to a QuickAction button.

Workflow Template: Collect Azure VM and Network Details
Nested workflow used to collect Azure VM and Network info needed in support of remediation workflows.

Workflow Template: Alert on Google Login Activity Outside of Allowed Regions
Retrieve Google Login Activity for logins and compare against specific allowed regions. If a violation occurs notify a Slack channel.

Workflow Template: IP Address Enrichment with Cache (Silent Push)
Receives an IP Address from a parent workflow and query Silent Push for enrichment.

Workflow Template: VirusTotal IOC Lookup with Summary of Results from OpenAI
Used as a nested workflow, receive an IP address, domain or file hash and query VirusTotal and send the details to OpenAI for a summary.

Workflow Template: Query Okta System Logs by Actor Activity
Query the Okta System Logs by specific Actor and provide results and an optional summary of EventType and outcome result for the logs.

Workflow Template: Domain Enrichment with Cache (Shodan)
Receives a Domain from a parent workflow and query Shodan for enrichment.

Workflow Template: Enrich New Cybereason MalOps File Hash Detail
For each new MalOp that is detected, attempt to enrich the file hash intelligence from VirusTotal and Recorded Future in the MalOp Comments

Workflow Template: Interactive Email Conversation using Google Workspace
Example of using Google Workspace email as part of an interactive email conversation. This could also be added as a nested workflow.

Workflow Template: Collect Torq Global Variables with Pagination
Workflow that uses pagination to gather all Torq global variables and provide them into a single array.

Workflow Template: Verify Permissions to Execute Workflows (Google Cloud Identity)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name also check group membership.

Workflow Template: Process New NIST NVD Vulnerabilities
Pull latest CVEs from the NIST NVD Database and update a Slack channel. Additional steps can be added to search for CVEs in other platforms

Workflow Template: Slack Slash Command - Hello World
Example of an interactive experience with Slack Slash Commands and replying back to the channel with information from the event.

Workflow Template: Add Malicious IPs to Network Block Zone from Okta System Logs
On a schedule pull Okta system logs for specific event types, extract any IPv4 address and if found malicious update the block zone in Okta.

Workflow Template: Collect Torq Audit or Activity Logs
Nested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.

Workflow Template: Handle Nessus Scan Results
Daily notification of specific pre-defined Nessus scans. Send results to Slack channel as defined.

Workflow Template: Gather CircleCI Environment Variables from Bitbucket Repos
Query Bitbucket for workspace repositories and gather CircleCI Environment Variables that are configured in the project.

Workflow Template: Verify Permissions to Execute Specific Workflows (Okta)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership in Okta.

Workflow Template: Send an email via SMTP with VirusTotal Stats
Send a simple email via SMTP including VirusTotal engine stats in an HTML table format for a particular HASH lookup.

Workflow Template: Assign New Alerts from Hunters.ai
Retrieve alerts from Hunters XDR, suggest to assign using Slack.

Workflow Template: Jira Issue Reminder and Escalation via Slack or Teams
Send reminder and escalation messages via Slack or Microsoft Teams on a Jira issue status on a specific polling interval.

Workflow Template: Append data to an Array (Torq)
Append JSON data to an array using the Append to Array step. Example JSON data is provided to append to a new array.

Workflow Template: Open a PagerDuty Incident on Host Detection (CrowdStrike)
Receive an event from CrowdStrike, if event is critical or high, open an incident with PagerDuty and enrich the IOC details with VirusTotal

Workflow Template: Upload a File in Teams to a SharePoint Folder
Create either a CSV, JSON or PDF file in Microsoft Teams and post an adaptive card with a link to the file in the Teams Channel

Workflow Template: Compliance - Generate report on non-compliant devices (Intune)
Pull non-compliant devices list from Microsoft Intune and go over them. Retrieve an associated user from each device, and create a list.

Workflow Template: Merge JSON data using JQ based on a common Key/Value
Simple example using JQ to merge two JSON files, using the key Email_Address as the match between the two datasets.

Workflow Template: Check Point R81 Management Workflow
An example workflow that outlines the needed steps to make changes to the Check Point Management Server and install policy against a gateway

Workflow Template: Slack Mention to Analyze Suspicious URLs and IPs with VirusTotal
Receive a suspicious list of URLs and/or IPs from Slack, scan using VirusTotal, and report back to the Slack thread the results.

Workflow Template: Create a Torq Case from a QRadar Offense
Used as a nested workflow to open a Torq case from details in a QRadar Offense and optionally include QRadar events into the case details.

Workflow Template: Retrieve Daily Unencrypted Bucket Summary (AWS Macie)
On a daily schedule retrieve data from Amazon Macie on specific criteria and deliver to a Slack user or Channel.

Workflow Template: Remove Public Links from Google Drive Detected by BigID
On an alert from BigID where files with sensitive information are found publicly shared, loop over each finding and remove the public share.

Workflow Template: Jira Issue Creation, Update, and Assignment
Example workflow using the most common steps in the lifecycle of a Jira issue including issue assignment and example JQL query.

Workflow Template: Scan URLs with VirusTotal and Provide Summary Verdict
Receive an array of URLs to scan with VirusTotal and provide a summary per URL of any malicious or suspicious count more than 1.

Workflow Template: Domain Enrichment with Cache (Recorded Future)
Receive a domain from a parent workflow and query Recorded Future for its reputation.

Workflow Template: Clear Okta sessions for specific users via Slack
Receive a Slack command to clear all sessions for one or more users.

Workflow Template: Enable GCP Bucket Versioning on a Wiz Alert
Receive an issue from Wiz on a GCP storage bucket with versioning disabled, look up the channel, ask the channel to enable versioning.

Workflow Template: Google Workspace Calendar Offboarding
Receive message from Slack with an email address, find meetings where user is the originator/creator of the meetings and delete if approved.

Workflow Template: Analyze Files and URLs (Recorded Future Sandbox)
Analyze Files and URLs in Recorded Future Sandbox using nested functions with cache.

Workflow Template: AlienVault URL Enrichment with Cache
Nested workflow that will take a URL as input and query AlienVault's General and URL List for details and return analysis information.

Workflow Template: Daily Report to Slack on Inactive Okta Users
Poll the list of Okta users and list all users that have not logged in for the past 30 days and report the list to a Slack channel

Workflow Template: Search for CVE in Wiz and Snyk via Slack Mention
When triggered via Slack, search in Wiz and Snyk for a specific CVE. Send findings to the Slack channel via a snippet.

Workflow Template: Gather CircleCI Global Environment Variables with Creation Date
Gather Global Environment Variables from CircleCI and provide results organized by context and including creation date and context id.

Workflow Template: Upload New Threat Intelligence IOCs to Cybereason
Receives arrays of Domain, Hash and IP Address IOCs and uploads them to Cybereason.

Workflow Template: Analyze File with ANY.RUN and Provide a Verdict
Submit a file URL to ANY.RUN and wait for the analysis to complete. The workflow will send its verdict in the output.

Workflow Template: Add/Remove Entra ID User from Global Address List (ex-Azure AD)
Receives user name / email from a Slack command and adds/removes the specified user from the Global Address List in Entra ID

Workflow Template: Compliance - Find unmanaged devices in Intune and Carbon Black
Compare lists of managed devices in Microsoft Intune and Carbon Black. List gaps (i.e., devices present only in one of the solutions)

Workflow Template: Send Slack Block Message and Perform Operations in Parallel
Example workflow to send a Slack Block kit message and run another operation in parallel and wait for a user's response back to the message.

Workflow Template: Send Torq Audit or Activity Logs to Azure Blob Storage
On a schedule configured in Workflow Context, Torq workflow Audit Logs will be collected in a Nested Workflow and sent to an Azure Blob

Workflow Template: IP Penalty Box with Timeout via Slack (Cloudflare)
Adds specific IPv4 or IPv6 address to a penalty box in Cloudflare by creating and removing IP Access Rules driven by Slack.

Workflow Template: Create IOCs on Malicious Files from a CrowdStrike Incident
For each new EDR incident, validate the files involved with threat intelligence, and add to the global block list if found to be malicious

Workflow Template: Find all Okta Active Users with Pagination
Pagination example with Okta to find all active users and place the results into a single array of users.

Workflow Template: Retrieve Daily Scan Summary and Notify on Findings (Aqua)
Pull Scan Summary information on findings in Aqua and deliver a short report to a Slack channel on the Findings on Warnings and Failures.

Workflow Template: Check for New Carbon Black Alerts and Notify
This workflow periodically checks for new Carbon Black alerts and notifies end user of the alert and asks for verification of the activity

Workflow Template: Basic Global Variable Use in a Workflow
Basic Create/Read/Update/Append/Delete steps for use with Global Variables. This can provide ephemeral data storage between workflows.

Workflow Template: Create Attachment in Jira with JSON Data
Example of how to add an attachment with JSON data to a Jira issue.

Workflow Template: Retrieve New Exploited Vulnerabilities from CISA update via Teams
On a daily schedule poll the latest CISA vulnerabilities and update a Teams channel on any new CVEs and include references from NIST

Workflow Template: Ask a Question over Slack or Microsoft Teams
This workflow can be used where both Slack and Microsoft Teams are used by different parts of their organizations to ask a question.

Workflow Template: Count Number of Executions for Action (Torq)
Workflow to be used as a nested workflow that will keep track of the number of executions of a given action and maximum executions per day.

Workflow Template: JSON Filtering with JQ
Simple filtering of VirusTotal IP Lookup JSON data. Use these examples to learn how easy it is to filter or create a new JSON output.

Workflow Template: Collect Azure Network Security Group Details
Nested workflow that will collect and format Azure NSG info to identify rule priority needed to block a given port and protocol

Workflow Template: Interactive Email Conversation (Microsoft 365)
Example of using Microsoft 365 email as part of an interactive email conversation. This could also be added as a nested workflow.

Workflow Template: Approve Group Membership for New User (JumpCloud)
Ask via Slack for approval from a specific department approver list when a new user is added and add user to the department's JumpCloud group

Workflow Template: Create Jira and Asana Tickets from Astrix Alert
Based on a high risk finding from Astrix, initiate cases with Asana and Jira.

Workflow Template: Microsoft 365 Adaptive Card Email Conversation
Example workflow to send an adaptive card questionnaire via Microsoft 365. Responses are delivered via a webhook back to a Torq workflow.

Workflow Template: Generate Table in ADF Format for Jira Comments
Template to be used as a nested workflow to generate a simple table from an array for Jira in ADF format.

Workflow Template: Workflow Notification Tracking in Google Sheets
Workflow that will receive notifications of failed workflows and save the details in a Google Sheet. Entries older than 7 days are removed.

Workflow Template: Webex Hello World Chat Bot
Easy starter template to create an interactive messaging experience for Webex users.

Workflow Template: Search for CVE Findings in Orca Triggered by Slack
Receive a mention via Slack for "orca-cve", kick off a search in Orca for the specific CVE and update the thread in Slack with the results.

Workflow Template: Create IOCs on Malicious Files from a CrowdStrike Alert
For each new EDR alert, validate the files involved with threat intelligence, add to global block list if found to be malicious

Workflow Template: Approve Group Membership for New User Creation (Okta)
Ask via Slack for approval from specific department approvers when a new user is added to Okta.

Workflow Template: Get AWS Access Key Information for User (AWS)
Workflow that provides a summary of the Access Keys for a user including number of keys, status, last used and if the key is still in use.

Workflow Template: Retrieve New Exploited Vulnerabilities from CISA
On a daily schedule poll the latest CISA vulnerabilities and update a Slack channel on any new CVEs and include references from NIST

Workflow Template: Send Torq Audit and Activity Logs to Snowflake
Pull audit and activity logs from the Torq API and store them in Snowflake on a schedule of every 10 minutes.

Workflow Template: Reset Direct Manager reference for an Entra ID user (ex-Azure AD)
Trigger on Teams command, find user in Entra ID, and reset the reference to the direct manager in the directory.

Workflow Template: Trigger specific scan, update results to Slack (Tenable)
Triggers a specific pre-defined Tenable Cloud scan, waits for completion, updates on every vulnerable host with severity findings above 0.

Workflow Template: Retrieve and Normalize data on a Domain
Workflow to look up threat intelligence data from a number of sources and aggregate domain and threat data, normalize a score for a domain

Workflow Template: Send Torq Audit and Activity Logs to S3 Bucket on a Schedule
Based on a configured time, workflow will upload Torq Audit and/or Activity logs to AWS S3 Buckets.

Workflow Template: Rename new iOS device to User / Serial Number (Jamf)
For each new iOS device enrolled in Jamf, if the User Name was not set, change it to unique serial number. Otherwise rename to the User Name

Workflow Template: Cache VirusTotal Threat Intelligence Findings on an IOC
Receive an IOC from a parent workflow, check the global variable for previous results, if not, query VirusTotal and save results

Workflow Template: Microsoft Teams - Hello World
Simple example of Microsoft Teams messages using Adaptive Cards, collecting interactive responses and providing them back to the user.

Workflow Template: Check Point SmartTasks Notification to Slack
Notification to Slack on status of a policy install or session details of additions, modification, or deletions when a session is published.

Workflow Template: Nested Check-Out of AWS Credentials via Britive (Britive)
Example nested workflow using Britive to Check-Out AWS credentials to be used in a workflow. Check-In the creds using the trans-id provided

Workflow Template: ITSM - Notify Slack user on closed/resolve incidents (ServiceNow)
Receive a Slack message on resolved or closed tickets within ServiceNow. Enrich the message with details from the ticket and closing users.

Workflow Template: Verify User's Group Membership in Okta via Slack Command
Receive a Slack command with the user's email and optional group and provide the group membership including a match if a group is provided.

Workflow Template: Ask Users to Confirm Failed JumpCloud Login Attempts
Daily pull of failed logins from JumpCloud, reach out to users with failed logins over Slack and confirm they were the ones trying to log in.

Workflow Template: Send Message over Slack or Microsoft Teams
This workflow can be used where both Slack and Microsoft Teams are used by different parts of their organizations to send a message.

Workflow Template: Upload Latest Recorded Future IOCs to Cybereason
Pull latest Hashes, IPs and Domains above a specific risk score from Recorded Future and add to the Cybereason reputation list.

Workflow Template: Suspend Okta Users that are Inactive for More than 30 Days
On a scheduled interval check for users that have not logged in for more than 30 days. Ask a Slack channel for approval to suspend the users

Workflow Template: Teams Mention to Analyze Suspicious URLs and IPs with VirusTotal
Receive a suspicious list of URLs and/or IPs from Microsoft Teams, scan using VirusTotal, and send results back to the Teams conversation.

Workflow Template: Enrich Hashes, CVEs and IP Addresses with Recorded Future
Receive a message with one or more CVEs, SHA256 hashes or suspicious IP addresses from Slack and enrich the data with Recorded Future.

Workflow Template: Collect all Public IP Addresses for an AWS Account
Collect all public IP addresses for a given AWS account and provide a simple summary list of IPs and a JSON list by region and service.

Workflow Template: Slack Mentions - Hello World
Slack Bot workflow to reply to either mentions or direct conversations with the bot

Workflow Template: Nested Slack Block Generator from an Array
Workflow meant to be used as a nested workflow to build a Slack block from an array. This block can be used in the Slack Block Form step.

Workflow Template: Group IoCs From Text Input
This function takes a text and returns groups of hashes, URLs, domains and IP addresses

Workflow Template: Process New Cloud Vulnerability DB Issues (Open CVDB)
Pull latest vulnerabilities from the Open Cloud Vulnerability Database and send an alert to a Slack Channel

Workflow Template: Open or Update a Jira Issue on an Uptycs Alert
Open a parent or child issue in Jira when a medium/high severity event is found. Ask a Slack channel if additional information is required.

Workflow Template: Just-In-Time Access to Group Membership in Active Directory
Trigger on a Slack command where a user asks for temporary access to a group in Active Directory with approval from a Slack channel.

Workflow Template: Okta event on MFA addition with user Verification (Okta)
Receive event from Okta when a user adds an MFA method, look up source IP with VirusTotal or ask user if this was intended, if not open issue.

Workflow Template: Upload HIPAA Training Evidence in Drata
Identify users that are HIPAA training non-compliant within Drata and upload evidence file provided to workflow.

Workflow Template: Identify and Label Confluence Content with PII from BigID
On a trigger from BigID, label all content in Confluence with a specific tag and notify a Slack channel and open a Jira issue with findings.

Workflow Template: Gather CircleCI Environment Variables from GitHub Org Repos
Query GitHub for Organization Repositories and gather CircleCI Environment Variables that are configured in the project.

Workflow Template: Verify Permissions to Execute Workflows - EntraID (ex-Azure AD)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership.

Workflow Template: Upload Hard Drive Encryption Evidence in Drata
Identify devices that are HD encryption non-compliant within Drata and upload evidence file provided to workflow.

Workflow Template: Send a Microsoft Teams Notification upon Mention in a Torq Case
When a user is mentioned in a Torq Case comment, send the user a notification in Microsoft Teams with the text and a hyperlink to the case.

Workflow Template: Label Google Drive Files Containing PII Identified by BigID
On trigger from BigID from findings of files in Google Drive that contain PII, assign a Google Drive label and field to the file.

Workflow Template: Reset Entra ID (ex-Azure AD) MFA Methods and Password on a User
This workflow can be used as a nested workflow to reset a user's password, remove all MFA methods for the user and clear any user sessions.

Workflow Template: Add MFA on IdP Evidence in Drata
Identify users that are MFA non-compliant within Drata and upload evidence file provided to workflow.

Workflow Template: Fetch New QRadar Offenses with Pagination
A nested workflow to pull all new open QRadar offenses and use pagination to return all results.

Workflow Template: SSL Certificate Expiration Check
From a list of domains or subdomains, check expiration dates from their certificates

Workflow Template: Find all Okta Active Devices with Pagination
Workflow that can be used as a nested workflow to gather all active Okta devices into a single array using pagination.

Workflow Template: Extract Multiple Observables
Extracts different types of observables such as file hashes, IP addresses, IP range, email addresses, filenames, hostnames, URLs, and CVEs.

Workflow Template: Upload Screensaver Lock Evidence in Drata
Identify devices that are screen lock non-compliant within Drata and upload evidence file provided to workflow.

Workflow Template: Identify PII Information Shared in a Slack Workspace via BigID
On a trigger from BigID for PII information found in a Slack Workspace, send detailed findings to a specific Slack channel or admin.

Workflow Template: Simple Loops with Torq
Example of using a loop over JSON data and loop over a range in a workflow. Results are collected with the "Collect" operator

Workflow Template: Add Anti-Virus Evidence in DrataIdentify devices that are anti-virus non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Upload Auto-Updates Evidence in DrataIdentify devices that are anti-update non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Add Password Manager Evidence in DrataIdentify devices that are password manager non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Send Torq Audit or Activity logs to Sumo Logic on a ScheduleWorkflow that can be used to send either Torq audit or activity logs to Sumo Logic on a scheduled interval.
Workflow Template: Handle Wiz Alert for AWS Admin Principals Inactive Over 90 DaysOn alert from Wiz on an AWS admin principal that is inactive over 90 days, ask a Slack channel for approval to deactivate the IAM account.
Workflow Template: Export a Torq Case in Word Document FormatExport a Torq Case including the general details, timeline, observables, attachments and custom fields into a Microsoft Word file.
Workflow Template: Collect Asynchronous Responses from Slack Block MessagesWorkflow that can be used to record asynchronous responses to Slack Block Kit messages that contain buttons for a user response.
Workflow Template: Convert Newline Delimited JSON to Standard JSONConverts Newline Delimited JSON formatted data into standard JSON format.
Workflow Template: Upload Background Check Evidence in DrataRemediate failed resources that require background check evidence by attaching necessary provided URL on workflow initiation.
Workflow Template: Assign or Remove Licenses on Users for Microsoft via Graph APIUsed as a nested workflow to assign or remove licenses to Microsoft 365 users. The workflow takes the SKU on input for assignment.
Workflow Template: Upload Security Training Evidence in DrataIdentify users that are security training non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Get Failing Resources for a Test in DrataProvide insight into failed resources based on information collected from the Drata platform.
Workflow Template: Check if IPv4 Address is Part of an AWS IP Network BlockOn a mention from Slack, extract an IP address and try to match it to a network block in use at AWS. Provide the result back to the thread.
Workflow Template: Offboard SaaS User from Grip on Trigger from HibobOn trigger from Hibob, offboard the user from Grip and report the status back to a default Slack channel or the user's manager via Slack.
Workflow Template: Attach a Screenshot to a ServiceNow Incident or Jira IssueWorkflow that can be used as a nested workflow to attach a screenshot of a URL to either a Jira Issue or ServiceNow Incident
Workflow Template: Search for Unused or Inactive Roles in AWS IAMQueries AWS for the IAM Roles and groups the roles by Last Used and Never Used after a defined number of days.
Workflow Template: Verify User's Group Membership in Ping via Slack CommandReceive a Slack command with an optional group and provide the group membership including a match if a group is provided.
Workflow Template: Collect Information on Case Closing ActionShows a form whenever a Case is changed to CLOSED status.
Workflow Template: URLScan URL Enrichment with CacheReceive a URL to analyze with URLScan and provide a summary of the URL with malicious, phishing, score and screenshot details if available.
Workflow Template: Subscribe Gmail address to watch a PUB SUB pre-defined topicMaintains a valid subscription to a topic by checking its expiration date daily and renewing it when necessary.
Workflow Template: Send Torq Audit and Activity Logs to Singularity XDRBased on a configured time, workflow audit and activity logs will be sent to SingularityXDR
Workflow Template: Google File Label LifecycleThis workflow showcases the published steps to support the Google file label lifecycle process.
Workflow Template: Issue a Push Challenge with Okta and Wait for a ResponseReceive an Okta user and factor ID from a parent workflow and send a push challenge to the user and wait for and return the response.
Workflow Template: AlienVault File Hash Enrichment with CacheNested workflow that will take a File Hash as input and query AlienVault's General and Analysis sections for details and return the results.
Workflow Template: Google Chat Hello WorldThis workflow demonstrates the use of the Google Chat Steps and the ability to interact with end users and create Google Chat Spaces.
Workflow Template: Pangea - Domain Enrichment with CacheReceives a Domain from a parent workflow and queries Pangea for its reputation.
Workflow Template: Decode QR Codes in Torq Case AttachmentsDecode QR codes that are found in Torq Case Attachments by using a quick action or Run a Workflow on a Torq Case.
Workflow Template: Notify on Open and In-Progress Torq Cases Approaching the SLAScheduled workflow that will send a notification to Slack or Microsoft Teams on Torq cases that are approaching or past the defined SLA.
Workflow Template: Recorded Future Sandbox - File Analysis with CacheSubmits a File to Recorded Future Sandbox for full analysis.
Workflow Template: Generate Graph of Simple JSON Data using PythonFunctional workflow that will take JSON data and generate a base64 encoded PNG graph of the data that was passed to the workflow.
Workflow Template: Notify a Slack Channel on Case CreationWorkflow that will notify a specific Slack channel for every new Torq case that is created.
Workflow Template: Query Logs on Singularity XDR with PaginationThis workflow serves as a function that executes a query in Singularity XDR.
Workflow Template: Send Torq Audit or Activity Logs on a Schedule to SplunkWorkflow that can be used to send Torq audit and/or activity logs to Splunk on a schedule every 10 minutes.
Workflow Template: Simple Splunk Query with Optional Return Field FiltersA simple Splunk query that can use optional field filters to filter the dataset returned. Can be used as a nested workflow to simplify use.
Workflow Template: Find AWS Instance Information by Private IP Address in WizOn mention from Microsoft Teams, look for instances with the private IP Address and gather information on the instance and send to Teams.
Workflow Template: Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed RegionsRetrieve Entra ID Audit logs for Sign-Ins and compare against specific allowed regions. If a violation occurs notify a Slack channel.
Workflow Template: Run Antivirus Scan on a device on Microsoft Defender for EndpointRun a Quick or Full Antivirus Scan on a device by its machineId or device name.
Workflow Template: Retrieve and Normalize data on a File HashWorkflow to lookup threat intelligence data from a number of sources and aggregate threat data, normalize a score for the provided file hash
Workflow Template: Generate a Report for Torq Cases in Microsoft Docx FormatA nested workflow that generates a report on Torq cases, analyst activity, and case MTTR reporting with output as a Microsoft Word document.
Workflow Template: Create Microsoft Graph Subscriptions and RenewalsCreate one or more Microsoft Graph subscriptions to a Microsoft 365 trigger. The subscriptions are extended and renewed daily.
Workflow Template: Find all Hosts Impacted by an Open CVE in CrowdStrikeFind all hosts in CrowdStrike that are impacted by a specific CVE and output the list of hostnames and remediation information provided.
Workflow Template: Send a Microsoft Teams Notification to Assignee in a Torq CaseSend a notification to the new assignee on a Torq Case via Microsoft Teams with a summary of the case and a direct hyperlink to the case.
Workflow Template: Search for Vulnerabilities by Hostname in TenablePull information from a hostname in Tenable and output the information back to the parent workflow or an optional Slack user or channel.
Workflow Template: Send Torq Audit and Activity Logs to ElasticsearchPull the logs from Torq on a schedule and send to Elasticsearch in a batch transaction.
Workflow Template: Create Microsoft Graph Subscription and Renew DailyCreate a Microsoft Graph subscription to a Torq Microsoft 365 trigger. The subscription is renewed daily and extends the expiration date.
Workflow Template: Suspend Contractor Accounts in Okta with inactivity for 7 daysCheck daily for active accounts where the profile userType is "Contractor". Suspend the account if no login occurred in the past 7 days.
Workflow Template: VirusTotal Domain Enrichment with CacheNested workflow that will take a Domain as input and query VirusTotal for the domain and return analysis information to the parent workflow.
Workflow Template: Isolate or Unisolate device on Microsoft Defender for EndpointNested workflow to Isolate or Unisolate a device by its machineId or device name.
Workflow Template: URL Enrichment with Cache (Recorded Future)Receive a URL from a parent workflow and query Recorded Future for its reputation.
Workflow Template: Fetch File Information by Hash from Microsoft DefenderCollects threat information about a file by fileId (SHA1 Hash) in a time frame.
Workflow Template: VirusTotal URL Enrichment with CacheNested workflow that will take a URL as input and query VirusTotal for details and return analysis information on the URL.
Workflow Template: Torq Case Example Descriptions for Different Case TypesA workflow with many mock examples of Torq Case descriptions for Torq integration partners and formatting examples to use with Torq Cases.
Workflow Template: Recorded Future - IoC EnrichmentExtracts multiple observables from raw text and performs enrichment for each observable on RecordedFuture.
Workflow Template: AlienVault Combined Observable EnrichmentExtracts multiple observables from raw text, performs enrichment for each observable in AlienVault, and returns analysis information.
Workflow Template: Collect Information on Case Closure by Permitted AnalystsCollects information when a Torq Case is changed to a CLOSED status and verifies that the analyst is permitted to close cases.
Workflow Template: Gather QRadar Events for a Given OffenseFor a given QRadar Offense pull all events for a specific time window and provide the list of events back to a parent workflow.
Workflow Template: AlienVault Domain Enrichment with CacheNested workflow that will take a Domain as input and query AlienVault's General, Malware and GEO sections and return analysis information.
Workflow Template: Notify a Teams Channel on Case CreationWorkflow that will notify a specific Microsoft Teams channel for every new Torq case that is created.
Workflow Template: Send Slack Notification upon Mention in a Torq CaseWhen a user is mentioned in a Torq Case comment, send the user a notification in Slack with the text and a hyperlink to the case.
Workflow Template: Prepare Case Properties by Case TypeWhen a new Torq case is created, based on the case type, create custom fields and quick action on the newly created case.
Workflow Template: Generate a Screenshot of a URL and Describe the Image via OpenAIGenerate a screenshot of a specific URL and ask OpenAI to review the image and provide input if it could be part of a phishing attempt.
Workflow Template: Retrieve and Normalize data on an IP AddressWorkflow to lookup threat intelligence data from a number of sources and aggregate geo data, threat data and normalize a score for the IP
Workflow Template: VirusTotal File Hash Enrichment with CacheNested workflow that will take a File Hash as input and query VirusTotal for analysis and if the hash is found, return the results.
Workflow Template: Handle Panther Okta Alerts on User Action DetectionOn a new Panther alert from Okta, ask the user if the action was intended and if so mark the alert resolved. If not, open a Torq case.
Workflow Template: Email Enrichment with Cache (Pangea)Receives an Email from a parent workflow and queries Pangea for its reputation.
Workflow Template: VirusTotal IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 address as input and query VirusTotal and return the analysis information to the parent workflow.
Workflow Template: AlienVault IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 as input and query AlienVault's General, Malware and Reputation sections and return analysis information.
Workflow Template: Enrich SentinelOne Threat Finding and Run Singularity XDR SearchFor each new threat detected by SentinelOne, query Threat Intelligence data from VirusTotal and RecordedFuture and add notes to the threat
Workflow Template: File Hash Enrichment with Cache (Pangea)Receives a File Hash from a parent workflow and queries Pangea for its reputation.
Workflow Template: Submit a File for Analysis to VirusTotal with CacheSubmit a file to VirusTotal for analysis and provide a simple cache for the analysis results. Use URLs or Torq file links to the file.
Workflow Template: Search Observables by Grouped UDM Fields in ChronicleReceives Observables as hash, IP address, domain, username or email and performs a query to Chronicle SIEM using Grouped UDM fields.
Workflow Template: Return Specific Default or Overriding Workspace VariableThis workflow returns a variable from one of two workspace variables, giving priority to the Overriding Workspace Variable if the variable is found there and otherwise using the Default.
Workflow Template: Request File Download From CrowdStrike Using Real Time ResponseNested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor
Workflow Template: On Case Closure Set a Custom Field and Tag with Resolution ReasonWhen a Torq Case is closed or resolved, add a specific custom field and tag to the case that will contain the resolution reason of the case.
Workflow Template: Send a Slack Notification to Assignee in a Torq CaseSend a notification to a new assignee on a Torq Case via Slack with a summary of the case and a direct hyperlink to the case.
Workflow Template: Validate Gem Alert Events in SlackCommunicate with a user through Slack to validate a security alert.
Workflow Template: Run LiveResponses on Microsoft Defender for EndpointExecutes Live Responses on an Endpoint and collects the results of each command.
Workflow Template: Torq Interact Multi-User Communication ExampleThis demo illustrates how to utilize Torq Interact to handle communications with one or more users.
Workflow Template: Scan URLs with URLScan and Provide a SummaryReceive an array of URLs to scan with URLScan and provide a summary per URL with malicious, phishing, score, and screenshot URL if available
Workflow Template: VirusTotal Combined Observable EnrichmentExtracts multiple observables from raw text, performs enrichment for each observable in VirusTotal, and returns analysis information.
Workflow Template: AbuseIPDB IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 address as input and query AbuseIPDB for details about the address including the Abuse Confidence Score.
Workflow Template: Send a Question to Slack Users and Collect ResponsesSend a question to a number of Slack users and collect the responses in a global variable with a wait of up to 31 days to collect results.
Workflow Template: File Hash Enrichment with Cache (Recorded Future)Receive a file hash from a parent workflow and query Recorded Future for its reputation.
Workflow Template: Send a Microsoft Outlook Email to Assignee in a Torq CaseWorkflow that will notify the user by sending an email via Microsoft Outlook for every new Torq case that is assigned to the user.
Workflow Template: IP Address Enrichment with Cache (Pangea)Receives an IP Address from a parent workflow and queries Pangea for its reputation.
Workflow Template: Domain Enrichment with Cache (Silent Push)Receives a Domain from a parent workflow and queries Silent Push for enrichment.
Workflow Template: Generate a Screenshot and Attach to a Torq Case on URL AdditionWhen a new URL is added as an observable, attempt to generate a screenshot and if successful add it as an attachment to a Torq case.
Workflow Template: Download a File from a SentinelOne Threat IDFetch a file from a SentinelOne Threat ID and encrypt it with the provided password with a link to download.
Workflow Template: URL Analysis with Cache (Recorded Future Sandbox)Submits a URL to Recorded Future Sandbox for full analysis.
Workflow Template: URL Enrichment with Cache (Pangea)Receives a URL from a parent workflow and queries Pangea for its reputation.
Workflow Template: IP Address Enrichment with Cache (Recorded Future)Receive an IP address from a parent workflow and query Recorded Future for its reputation.
Workflow Template: IP Address Enrichment with Cache (Shodan)Receives an IP Address from a parent workflow and queries Shodan for enrichment.
Workflow Template: Search in Torq Audit Logs Based on QuerySearch for audit events based on action, email, actor type, actor_name or resource name.
Workflow Template: Generate a Dynamic PowerPoint Document based on Slide DataWorkflow that can be used as a guide on how to generate a dynamic PowerPoint document with the Python python-pptx library.
Workflow Template: Submit a File for Analysis to VMRay with CacheSubmit a file to VMRay for analysis and provide a simple cache for the analysis results. Use public URLs or Torq file links to the file.
Workflow Template: Gather Torq Audit or Activity LogsNested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Workflow Template: Fetch Cyberint Alerts on a ScheduleFetch alerts from Cyberint on a schedule. An optional loop is available in the workflow to do additional actions as needed.
Workflow Template: Table Workspace Variable Example WorkflowThis workflow is an example of how to use a table as a workspace variable to perform common CRUD tasks.
Workflow Template: Open Jira Issues and Enrich Event on Sysdig Kubernetes DetectionsDetect, enrich, alert and auto-assign incidents using Kubernetes namespaces using Sysdig Runtime Threat Intelligence and Detection.
Workflow Template: List All Groups with Pagination on Entra ID (ex-Azure AD)This function will collect all groups on Entra ID (ex AzureAD) using pagination.
Workflow Template: List All Users with Pagination on Entra ID (ex-Azure AD)This function will collect all users on Entra ID (ex AzureAD) using pagination.
Workflow Template: Fetch Incidents from Cortex XDR on a ScheduleOn a schedule, fetch new incidents from Cortex XDR using pagination.
Workflow Template: Create Tables on Snowflake for Torq Audit and Activity LogsCreate tables in snowflake database to store Torq audit and activity logs.
Workflow Template: Step Failure with Runner Configured Notification to SlackSend a notification to a Slack channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Workflow Template: Step Failure with Runner Configured Notification to TeamsSend a notification to a Teams channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Workflow Template: Step Failure with Runner Configured Notification to EmailSend an email notification via Gmail/Outlook when a step failure occurs where a runner is configured. A link to the execution is provided.
Workflow Template: Notify by Email when a Workflow Failure is TriggeredSend an email notification via Gmail/Outlook when a workflow failure is detected. A link to the workflow execution is provided.
Workflow Template: Notify Reviewer via Slack when Workflow is Submitted for ReviewWhen a workflow submission is requested send a message to each reviewer in Slack and include a link to the submission.
Workflow Template: Notify a Slack Channel when a Workflow Failure is TriggeredSend a notification to a Slack channel when a workflow failure is detected. A link to the execution log is provided in the message.
Workflow Template: Notify a Microsoft Team when a Workflow Failure is TriggeredSend a notification to a Microsoft Team when a workflow failure is detected. A link to the execution log is provided in the message.
Workflow Template: Notify Reviewer via Teams when Workflow is Submitted for ReviewWhen a workflow submission is requested send a message to each reviewer in Teams and include a link to the submission.
Workflow Template: Notify a Slack Channel for a New Share RequestWhen a new resource is shared with the workspace send a message with the details to a Slack channel with a link to the request.
Workflow Template: Notify a Microsoft Teams Channel for a New Share RequestWhen a new resource is shared with the workspace send a message with the details to a Teams channel with a link to the request.
Workflow Template: Watch Microsoft Security Response Center RSS FeedAn example workflow to check an RSS feed daily for changes using the Microsoft Security Response Center RSS feed as a sample.
Workflow Template: File Conversion using a Torq Interact WorkflowThis workflow is an example of how to use Torq Interact with the file upload and download parameters.
Workflow Template: Add a Weekday or Weekend Tag on Creation of a Torq CaseThis workflow will add a tag for either Weekday or Weekend to a new Torq case based on the local creation time of the case.
Workflow Template: Wiz GraphQL Query for AWS Instances with Open SSH AccessSimple example using the GraphQL functionality with Wiz to run a query. Use the API Console in Wiz to find GraphQL statements to use.
Workflow Template: Hello World (Discord)This is a simple example of using Discord to create an interactive workflow using an Ask Question step.

Workflow Template: Enable AWS S3 Bucket Versioning on Orca AlertReceive an Orca alert on an AWS S3 bucket with versioning disabled, lookup owner tag, ask owner or channel to enable versioning.
Workflow Template: Offboarding Remediation with Adaptive ShieldTriggered from a Slack mention to leverage Adaptive Shield's insight into SaaS applications to remediate offboarded user's access
Workflow Template: Just-in-time access to Group Membership in PingOneTrigger on a Slack command where a user asks for temporary access to resources based on group membership via PingOne with approval.
Workflow Template: Remediate Wiz Alert on Azure VM with Open SSH Access (Teams)Whenever an alert is raised on an Azure VM having an open access (from the internet) to SSH on port 22, orchestrate remediation.
Workflow Template: Compliance - Provide temporary Device Admin to Mac users (JAMF)Receive a request over Slack for temporary assignment of admin permissions. Get approval from Security channel, update policy on Jamf.
Workflow Template: Enable AWS S3 Bucket Encryption on Alert from WizReceive a Wiz issue on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Workflow Template: Enable AWS S3 Bucket Versioning on Alert from WizReceive an alert from Wiz on an AWS S3 bucket with versioning disabled, lookup owner tag, ask owner or channel to enable versioning.
Workflow Template: Handle Suspicious AWS Console Logins (AWS SNS)Check source IP of the login session, verify with user if suspicious or malicious. If acknowledged - log a ticket. Otherwise - remediate.
Workflow Template: Disable and Contain a Specific User in Entra ID (ex-Azure AD)Workflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.
Workflow Template: Update Jira Status/User on Device with CVE Tag (Armis)Query Armis for devices with a specific tag where a vulnerability was found in a previous workflow and update Jira and user on the status.
Workflow Template: Disable a Specific User in Google Cloud IdentityWorkflow and nested workflow that can be used to disable a specific user in Google Cloud Identity when an account is compromised.
Workflow Template: Handle AWS Security Group with Open SSH Access on Orca AlertWhenever an Orca alert is raised on an AWS security group with an open access (from the internet) to SSH, orchestrate remediation.
Workflow Template: Enable AWS S3 Bucket Encryption on Alert (PrismaCloud)Receive PrismaCloud alert on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Workflow Template: Analyze Files in Netskope Sandbox with CacheSubmit a file using a Webform to Netskope Sandbox for malware analysis.
Workflow Template: Handle AWS S3 Bucket Allows HTTP Requests on Wiz AlertReceive an issue from Wiz on an AWS S3 bucket not being compliant, apply a default AWS S3 bucket policy to remediate.
Workflow Template: Add Phishing Domain to CloudFlare ZeroTrust (IntSights)Poll alerts in IntSights for High level Phishing issues. Ask a Slack channel if the domain should be added to the CloudFlare Zero Trust List
Workflow Template: Remediate AWS VPC Created without Flow Logs with OrcaReceive an alert on an AWS VPC created without Flow Logs. Reach out to the owner, suggest remediation and define Flow Logs in AWS.
Workflow Template: Remediate AWS EC2 Instance with Open SSH Access from Wiz AlertWhenever an alert is raised on an AWS EC2 Instance having an open access (from the internet) for SSH, orchestrate remediation.
Workflow Template: Block Domain Finding on PerceptionPoint (IntSights)Poll alerts in IntSights for High level Phishing issues. Ask a Slack channel if the domain should be blocked in PerceptionPoint's blocklist
Workflow Template: Open a TheHive case triggered by SentinelOne findingsRetrieve latest threats from SentinelOne and enrich using third party vendors, open a case at TheHIVE with observables, tasks and TTPs.
Workflow Template: Request Justification of Integration from Astrix FindingAdd business context to new Astrix high-risk integrations by asking the owner to elaborate on the purpose of the integration by email.
Workflow Template: Detected RDP session from Server to External IP (Armis)Receive an event from Armis on a Network Policy Violation, lookup source/destination/user information and open Jira ticket and alert user.
Workflow Template: Add/Del (IPs/Ranges/Subnets) from Okta BlockedIpZone (Okta)Receive Slack command to add/del IP/range/subnet from the Okta BlockedIPZone, verify IPs and get approval from admin to update.
Workflow Template: Hunt for specific CVE and Attempt Remediation (Armis)Query Armis for specific CVE to look for threat, query information from Armis and Jamf, place device into Jamf patch group and notify user.
Workflow Template: Just-in-time access to Group Membership in AzureAD by TEAMSTriggers on a Teams command where a user asks for temporary access to applications based on group membership via Azure AD with approval.
Workflow Template: Just in Time AWS Access with Slack Approval Flow (Britive)Request temporary access to AWS via Britive using Slack. Approval via a Slack channel and up to 8 hours of access with reminders every hour
Workflow Template: Advanced Upload of the Latest Recorded Future IOCs to CybereasonPull latest Hashes, IPs and Domains above a specific risk score from Recorded Future and add to the Cybereason reputation list.
Workflow Template: Request User Account Unlock in JumpCloudRequest an unlock of the users account in JumpCloud by sending a Slack Slash command and verifying the user and lock status.
Workflow Template: Jira Enrichment for Hashes Found in Issue DescriptionEnrich hashes found in Jira issue description when a new comment is added to the issue with a specific keyword. Triggered by Jira automation
Workflow Template: Add and Remove URLs from the Global Blacklist (Zscaler)Triggers from Slack message for check url or remove url for the Global Blacklist for Zscaler. On a check url, the URL category is provided.
Workflow Template: Isolate an AWS EC2 Instance by using tagsWhen applying a specific Key:Value tag on an EC2 instance, apply an isolation security group and remove IAM Instance Role and apply new role
Workflow Template: Enable Encryption on AWS S3 Bucket on Alert from OrcaReceive an Orca alert on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Workflow Template: Request Just-in-Time Access to SSO Applications in JumpCloudTrigger on a Slack command where a user asks for temporary access to applications based on group membership via JumpCloud with approval.
Workflow Template: Handle Orca Alert for IAM Role with Admin PermissionsReceive an Orca alert on excessive policies / permissions attached to an IAM Role. Update owner or channel via Slack.
Workflow Template: Request AWS Credentials Based on Jira Assignment (Britive)Receive a mention via Slack for Jira-Access with a Jira issue key. Provide access to the AWS account ID listed in the Jira issue via Slack.
Workflow Template: Notify Project Owners of 5 or more Critical Issues in SnykPoll the projects for an organization in Snyk and create Jira issues when a project is found to have 5 or more critical issues.
Workflow Template: Handle IAC Configuration Issues in Snyk and Notify OwnerGet latest configuration issues from projects in an organization, open a Jira issue if one does not exist and notify the project owner.
Workflow Template: Enable AWS S3 Bucket Versioning on Lacework AlertOn an alert received from Lacework for S3 bucket versioning, pull the event, ask Slack user or channel to enable versioning.
Workflow Template: Handle High Level CNC Threat Detected on Network (Armis)Receive alert from Armis on a CNC DNS query, pull details about the device, open Jira issue, and alert the channel or user via Slack/Email
Workflow Template: Remediate Wiz Alert on Azure VM with Open SSH Access (Slack)Whenever an alert is raised on an Azure VM having an open access (from the internet) to SSH on port 22, orchestrate remediation.
Workflow Template: Remediate Alerts from Rules to External Address Adaptive ShieldRemediate Adaptive Shield alerts generated from Outlook inboxes with email rules that forward email to external addresses using Slack
Workflow Template: Okta Exposed Passwords in Failed Login AttemptsUncover possible exfiltrated credentials in Okta when a user accidentally inputs a password in the email field and is stored as clear text.
Workflow Template: Disable and Contain a Specific Compromised User in OktaWorkflow and nested workflow that can be used to disable a specific user in Okta when an account is found to be compromised.
Workflow Template: Handle AWS S3 Bucket Should Enforce HTTPS Alert from OrcaReceive an Orca alert on an AWS S3 Bucket not being compliant, apply a default S3 bucket policy to remediate.
Workflow Template: Create Exclusions on Multiple SentinelOne SitesCreates Exclusions for a list of path, browser or filetype Items. Exclusions can be created in one site or in multiple sites.
Workflow Template: Notify on Google Drive Files Containing PII Identified by BigIDOn a trigger from BigID on findings of files in Google Drive that contain PII, notify the file owner via Slack and open Jira issues.
Workflow Template: Delete an IAM User AccountThis workflow automates the procedure to delete or detach items from a user before deleting an IAM User Account.
Workflow Template: Detect impossible travels in Okta loginsAnalyzes users' successful logins from different locations within a short timeframe to detect possible Impossible Travel scenarios.
Workflow Template: Microsoft Teams Driven User Account Management Action MenuDisplays a menu for User Management related activities such as Reset Password, Enable/Disable a User or Get User Information.
Workflow Template: Whitelist SHA1 Hashes on Multiple SentinelOne SitesWhitelist a list of Hashes in one or multiple sites, if no Site list is provided, Hashes are added to all active sites.
Workflow Template: Handle Wiz Alert for Public Azure Container with Sensitive DataOn trigger from Wiz alert for an Azure Container containing sensitive data, ask a Slack channel or container owner to limit public access
Workflow Template: Blacklist SHA1 Hashes on Multiple SentinelOne SitesBlacklists a list of Hashes in one site or multiple sites, if no Site list is provided, Hashes are added to all active sites.
Workflow Template: Just-in-time access to Group Membership in AzureADTrigger on a Slack command where a user asks for temporary access to applications based on group membership via Azure AD with approval.
Workflow Template: Handle Wiz Alert for Public AWS S3 Bucket with Sensitive DataOn trigger from Wiz finding for an AWS S3 bucket containing sensitive data, ask a Slack channel or bucket owner to limit public access.
Workflow Template: Just-in-Time (JIT) access to Okta SSO Applications by SlackSlack mention of "JIT-Access" allowing users to ask for temporary access to applications via Okta SSO, with an approval flow via Slack
Workflow Template: Handle Gem Alert for NSG With Ingress From Any (0.0.0.0/0)Workflow triggers when a rule with open access to the internet is created for a security group.
Workflow Template: Enrich SentinelOne Incident with Threat Intelligence from IntezerTrigger from a Singularity Webhook on a new threat and provide threat enrichment from Intezer with optional Live Agent Endpoint Scan
Workflow Template: Threat Hunt for a Specified SHA1 Signature in SingularityXDRReceive a file signature from Slack and hunt for the signature in Singularity XDR, notify owners of the endpoint, kick off scan of devices.
Workflow Template: Analyze URLs and Files in Triage SandboxThis workflow submits URLs to Hatching Triage Sandbox for analysis.
Workflow Template: Create Att&ck Layer from TTP ListReceives a list of TTPs and returns an Att&ck layer in JSON and SVG formats.
Download a File from a SentinelOne Endpoint - Workflow TemplateDownloads a file from a Sentinel One agent given an AgentID, a file path and a password. File does not need to be part of an Incident.
Workflow Template: Analyze URLs and Files in Recorded Future SandboxThis workflow submits URLs to Recorded Future Sandbox for analysis.
Workflow Template: Just-in-time (JIT) access to Okta Groups via SlackSlack mention of JIT-Group allowing users to ask for temporary access to Okta groups with approval flow via a Slack channel
Workflow Template: Handle Gem Alert for EC2 Instance "Write" Actions on IAM EntitiesCreates a snapshot of each EC2 volume when an EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.
Workflow Template: Handle Gem Alert for Root UsageReceives an alert for a recent usage of Root credentials and validates it with the user through Slack
Workflow Template: Just-in-time access to Group Membership in Entra ID by TEAMSTriggers on a Teams command where a user asks for temporary access to applications based on group membership via Entra ID with approval.
Workflow Template: Just-in-time access to Group Membership in Entra ID (ex-Azure AD)Trigger on a Slack command where a user asks for temporary access to applications based on group membership via Entra ID with approval.
Workflow Template: Notify when a Thinkst Canary Token is triggeredTriggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.
Workflow Template: Create Cases from CrowdStrike Detections found in SplunkQuery Splunk for new CrowdStrike detections and create Torq cases for events that are detected, including host and user details.
Workflow Template: Create Cases from SentinelOne Events found in Azure SentinelSearch on a schedule for SentinelOne detections in Azure Sentinel and open a Torq case for each alert and threat.
Workflow Template: Create Torq Cases from SentinelOne Threats Reported in ChronicleOn a schedule, query Google Chronicle for new SentinelOne threats and open a Torq case with the relevant agent and threat details
Workflow Template: Query for user MFA fraud reports on Entra IDOn schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request on the Microsoft Authenticator App.
Workflow Template: Initial Microsoft Defender for Endpoint Case CreationFetch alert details by supplying an alert ID and create a case using a Field Mapper
Workflow Template: Poll for New Microsoft Defender for Endpoint Events for CasesAutomatically pull new Microsoft Defender for Endpoint alerts on a schedule, then create cases with a field mapper.
Workflow Template: Use AI to Create Torq Case from Anvilogic AlertsUse Anvilogic Copilot to analyze Anvilogic alerts and create cases in Torq.
Workflow Template: AI Event Triage with Anvilogic CopilotUse Anvilogic Copilot to analyze a Threat Identifier’s Event of Interest (EOI).
Workflow Template: Initial Intezer Case CreationTakes a RAW JSON Alert as an input to create an Intezer case using a Field Mapper
Workflow Template: Create Intezer Case from Trigger AlertReceives alerts from Intezer Trigger and creates a case via a field mapper. It adds Quick Actions notes and an Initial Runbook.
Workflow Template: Poll Microsoft Outlook on a Schedule for New Messages for CasesAutomatically pull new messages from Outlook on a schedule, extract their components, enrich observables and create cases with a field mapper.
Workflow Template: Poll for new SentinelOne Threats and Open a Torq CaseAutomatically pull new SentinelOne alerts on a schedule, then create cases with a field mapper.
Workflow Template: Poll for new CrowdStrike Alerts and Open a Torq CaseAutomatically pull new CrowdStrike alerts on a schedule, then deduplicate alerts and create cases with a field mapper.
Workflow Template: Initial CrowdStrike Case CreationReceives an alert event from CrowdStrike and creates a case with Torq using the field mapping nested workflow.
Workflow Template: Initial SentinelOne Case CreationReceives an alert event from SentinelOne and creates a case with Torq using the field mapping nested workflow.
Workflow Template: Create Case from Microsoft Sentinel IncidentReceives alerts from Microsoft Sentinel Trigger and creates a case via a field mapper.
Workflow Template: QuickAction - Fetch a File from Device on MS Defender EndpointFetches a file from a device on MS Defender Endpoint when a quick action button is pressed.
Workflow Template: Create a PDF Report for a Torq CaseCreates a PDF Summary Report for a Torq Case.
Workflow Template: QuickAction - Run a command on a device with MS Defender EndpointExecute commands on a remote endpoint using LiveResponse.
Workflow Template: Analyze Attachment Files in Sandbox (QuickAction)Send multiple Password-Protected Attachments to multiple Sandbox Engines to be analyzed.
QuickAction - Connect or Disconnect a SentinelOne Agent - Workflow TemplateQuickly connect or disconnect SentinelOne agents using a single QuickAction command.

Workflow Template: Monitor and Handle Gmail Mailbox for Phishing (Gmail)Monitor a Gmail inbox and scan each message for URLs and attachments to scan with VirusTotal. Label each message with the result.
Workflow Template: Remove Outlook Forwarding or Redirect Rules on Mention in TeamsOn mention from Microsoft Teams, check the email mailbox for domains that are not permitted for forwarding or redirection of emails.
Workflow Template: Monitor and Handle Mailbox Folder for Phishing via IMAPMonitor and handle emails in an Inbox folder and scan the URLs and attachments via VirusTotal. Report back via Slack and send email result.
Workflow Template: Request Elevation of Local Admin Privileges in JumpCloudRequest an elevation of admin permissions to a system by sending a Slack Slash command and verifying the system and duration of access.
Workflow Template: Monitor an Outlook Mailbox for Phishing with Recorded FutureScan messages arriving to a specific folder in Outlook with Recorded Future for malicious URLs and files. Update category on email results.
Workflow Template: CVE Search in Wiz, Snyk and Armis with Jira Issue TrackingOn mention from Slack, search for CVE in Wiz, Snyk, and Armis. Report on findings in Slack and open and update Jira parent and child issues
Workflow Template: Monitor an Outlook Mailbox for Phishing via Graph SubscriptionAnalyze a message arriving to a mailbox in Outlook with VirusTotal for malicious and suspicious URLs and files. Update label on message.
Workflow Template: AWS Bedrock Usage ExamplesThis workflow demonstrates usage examples of a number of models available through Amazon Bedrock.
Workflow Template: Monitor and Handle a Gmail Mailbox for Phishing Using OAuth2Scan messages in a Gmail mailbox with a specific label with VirusTotal for malicious URLs and files. Update label and send email on results
Workflow Template: Monitor an Outlook Mailbox for Phishing with VirusTotalScan messages arriving to a specific folder in Outlook with VirusTotal for malicious URLs and files. Update the label on email results.