Templates

Torq templates can be easily imported into your workspace for inspiration or immediate deployment, simplifying and enhancing your security automation processes.

314 articles
Accelerate Security Automation with Torq Templates: Discover Torq templates—ready-to-use workflows designed to streamline and enhance your cybersecurity automation efforts.

Collect Azure VM and Network Details - Workflow Template: Nested workflow used to collect Azure VM and Network info needed in support of remediation workflows.
Alert on Google Login Activity Outside of Allowed Regions - Workflow Template: Retrieve Google Login Activity for logins and compare against specific allowed regions. If a violation occurs, notify a Slack channel.
Silent Push - IP Address Enrichment with Cache - Workflow Template: Receives an IP Address from a parent workflow and queries Silent Push for enrichment.
VirusTotal IOC Lookup with Summary of Results from OpenAI - Workflow Template: Used as a nested workflow, receive an IP address, domain or file hash, query VirusTotal, and send the details to OpenAI for a summary.
Query Okta System Logs by Actor Activity - Workflow Template: Query the Okta System Logs by specific Actor and provide results and an optional summary of EventType and outcome result for the logs.
Shodan - Domain Enrichment with Cache - Workflow Template: Receives a Domain from a parent workflow and queries Shodan for enrichment.
Enrich New Cybereason MalOps File Hash Detail - Workflow Template: For each new MalOp that is detected, attempt to enrich the file hash intelligence from VirusTotal and Recorded Future in the MalOp Comments
Interactive Email Conversation using Google Workspace - Workflow Template: Example of using Google Workspace email as part of an interactive email conversation. This could also be added as a nested workflow.
Collect Torq Global Variables with Pagination - Workflow Template: Workflow that uses pagination to gather all Torq global variables and provide them in a single array.
Verify Permissions to Execute Workflows - Google Cloud Identity - Workflow Template: Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership.
Process New NIST NVD Vulnerabilities (NVD) - Workflow Template: Pull latest CVEs from the NIST NVD Database and update a Slack channel. Additional steps can be added to search for CVEs in other platforms
Slack Slash Command - Hello World - Workflow Template: Example of an interactive experience with Slack Slash Commands and replying back to the channel with information from the event.
Add Malicious IPs to Network Block Zone from Okta System Logs - Workflow Template: On a schedule, pull Okta system logs for specific event types, extract any IPv4 address and, if found malicious, update the block zone in Okta.
Collect Torq Audit or Activity Logs - Workflow Template: Nested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Handle Nessus Scan Results (Nessus) - Workflow Template: Daily notification of specific pre-defined Nessus scans. Send results to Slack channel as defined.
Gather CircleCI Environment Variables from Bitbucket Repos - Workflow Template: Query Bitbucket for workspace repositories and gather CircleCI Environment Variables that are configured in the project.
Verify Permissions to Execute Specific Workflows - Okta - Workflow Template: Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership in Okta.
Send an email via SMTP with VirusTotal Stats - Workflow Template: Send a simple email via SMTP including VirusTotal engine stats in an HTML table format for a particular HASH lookup.
Assign New Alerts from Hunters.ai - Workflow Template: Retrieve alerts from Hunters XDR, suggest to assign using Slack.
Jira Issue Reminder and Escalation via Slack or Teams - Workflow Template: Send reminder and escalation messages via Slack or Microsoft Teams on a Jira issue status on a specific polling interval.
Append data to an Array (Torq) - Workflow Template: Append JSON data to an array using the Append to Array step. Example JSON data is provided to append to a new array.
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template: Receive an event from CrowdStrike, if event is critical or high, open an incident with PagerDuty and enrich the IOC details with VirusTotal
Upload a File in Teams to a SharePoint Folder - Workflow Template: Create either a CSV, JSON or PDF file in Microsoft Teams and post an adaptive card with a link to the file in the Teams Channel
Compliance - Generate report on non-compliant devices (Intune) - Workflow Template: Pull non-compliant devices list from Microsoft Intune and go over them. Retrieve an associated user from each device, and create a list.
Merge JSON data using JQ based on a common Key/Value - Workflow Template: Simple example using JQ to merge two JSON files using the key Email_Address as the match between the two datasets.
Check Point R81 Management Workflow - Workflow Template: An example workflow that outlines the needed steps to make changes to the Check Point Management Server and install policy against a gateway
Slack Mention to Analyze Suspicious URLs and IPs with VirusTotal - Workflow Template: Receive a suspicious list of URLs and/or IPs from Slack, scan using VirusTotal, and report back to the Slack thread the results.
Create a Torq Case from a QRadar Offense - Workflow Template: Used as a nested workflow to open a Torq case from details in a QRadar Offense and optionally include QRadar events into the case details.
Retrieve Daily Unencrypted Bucket Summary (AWS Macie) - Workflow Template: On a daily schedule retrieve data from Amazon Macie on specific criteria and deliver to a Slack user or Channel.
Remove Public Links from Google Drive Detected by BigID - Workflow Template: On an alert from BigID where files with sensitive information are found publicly shared, loop over each finding and remove the public share.
Jira Issue Creation, Update, and Assignment - Workflow Template: Example workflow using the most common steps in the lifecycle of a Jira issue including issue assignment and example JQL query.
Scan URLs with VirusTotal and Provide Summary Verdict - Workflow Template: Receive an array of URLs to scan with VirusTotal and provide a summary per URL of any malicious or suspicious count more than 1.
Recorded Future - Domain Enrichment with Cache - Workflow Template: Receive a domain from a parent workflow and query Recorded Future for its reputation.
Clear Okta sessions for specific users via Slack - Workflow Template: Receive a Slack command to clear all sessions for one or more users.
Enable GCP Bucket Versioning on a Wiz Alert - Workflow Template: Receive an issue from Wiz on a GCP storage bucket with versioning disabled, look up the channel, ask the channel to enable versioning.
Google Workspace Calendar Offboarding (Google Workspace) - Workflow Template: Receive message from Slack with an email address, find meetings where user is the originator/creator of the meetings and delete if approved.
Recorded Future Sandbox - Analyze Files and URLs - Workflow Template: Analyze Files and URLs in Recorded Future Sandbox using nested functions with cache.
AlienVault URL Enrichment with Cache - Workflow Template: Nested workflow that will take a URL as input and query AlienVault's General and URL List for details and return analysis information.
Daily Report to Slack on Inactive Okta Users - Workflow Template: Poll the list of Okta users and list all users that have not logged in for the past 30 days and report the list to a Slack channel
Search for CVE in Wiz and Snyk via Slack Mention - Workflow Template: When triggered via Slack, search in Wiz and Snyk for a specific CVE. Send findings to the Slack channel via a snippet.
Gather CircleCI Global Environment Variables with Creation Date - Workflow Template: Gather Global Environment Variables from CircleCI and provide results organized by context, including creation date and context id.
Upload New Threat Intelligence IOCs to Cybereason - Workflow Template: Receives arrays of Domain, Hash and IP Address IOCs and uploads them to Cybereason.
Analyze File with ANY.RUN and Provide a Verdict - Workflow Template: Submit a file URL to ANY.RUN and wait for the analysis to complete. The workflow will send its verdict in the output.
Add/Remove Entra ID User from Global Address List (ex-Azure AD) - Workflow Template: Receives user name / email from a Slack command and adds/removes the specified user from the Global Address List in Entra ID
Compliance - Find unmanaged devices in Intune and Carbon Black - Workflow Template: Compare lists of managed devices in Microsoft Intune and Carbon Black. List gaps (i.e., devices present only in one of the solutions)
Send Slack Block Message and Perform Operations in Parallel - Workflow Template: Example workflow to send a Slack Block Kit message and run another operation in parallel and wait for a user's response back to the message.
Send Torq Audit or Activity Logs to Azure Blob Storage - Workflow Template: On a schedule configured in Workflow Context, Torq workflow Audit Logs will be collected in a Nested Workflow and sent to an Azure Blob
IP Penalty Box with Timeout via Slack (Cloudflare) - Workflow Template: Adds specific IPv4 or IPv6 address to a penalty box in Cloudflare by creating and removing IP Access Rules driven by Slack.
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template: For each new EDR incident, validate the files involved with threat intelligence, and add to the global block list if found to be malicious
Find all Okta Active Users with Pagination - Workflow Template: Pagination example with Okta to find all active users and place the results into a single array of users.
Retrieve Daily Scan Summary and Notify on Findings (Aqua) - Workflow Template: Pull Scan Summary information on findings in Aqua and deliver a short report to a Slack channel on the Findings on Warnings and Failures.
Check for New Carbon Black Alerts and Notify - Workflow Template: This workflow periodically checks for new Carbon Black alerts and notifies end user of the alert and asks for verification of the activity
Basic Global Variable Use in a Workflow - Workflow Template: Basic Create/Read/Update/Append/Delete steps for use with Global Variables. This can provide ephemeral data storage between workflows.
Create Attachment in Jira with JSON Data (Jira) - Workflow Template: Example of how to add an attachment with JSON data to a Jira issue.
Retrieve New Exploited Vulnerabilities from CISA update via Teams - Workflow Template: On a daily schedule poll the latest CISA vulnerabilities and update a Teams channel on any new CVEs and include references from NIST
Ask a Question over Slack or Microsoft Teams - Workflow Template: This workflow can be used where both Slack and Microsoft Teams are used by different parts of their organizations to ask a question.
Count Number of Executions for Action (Torq) - Workflow Template: Workflow to be used as a nested workflow that will keep track of the number of executions of a given action and maximum executions per day.
JSON Filtering with JQ - Workflow Template: Simple filtering of VirusTotal IP Lookup JSON data. Use these examples to learn how easy it is to filter or create a new JSON output.
Collect Azure Network Security Group Details - Workflow Template: Nested workflow that will collect and format Azure NSG info to identify rule priority needed to block a given port and protocol
Interactive Email Conversation (Microsoft 365) - Workflow Template: Example of using Microsoft 365 email as part of an interactive email conversation. This could also be added as a nested workflow.
Approve Group Membership for New User (JumpCloud) - Workflow Template: Ask via Slack for approval from a specific department approver list when a new user is added and add user to the department's JumpCloud group
Create Jira and Asana Tickets from Astrix Alert - Workflow Template: Based on a high risk finding from Astrix, initiate cases with Asana and Jira.
Microsoft 365 Adaptive Card Email Conversation - Workflow Template: Example workflow to send an adaptive card questionnaire via Microsoft 365. Responses are delivered via a webhook back to a Torq workflow.
Generate Table in ADF Format for Jira Comments - Workflow Template: Template to be used as a nested workflow to generate a simple table from an array for Jira in ADF format.
Workflow Notification Tracking in Google Sheets - Workflow Template: Workflow that will receive notifications of failed workflows and save the details in a Google Sheet. Entries older than 7 days are removed.
Webex Hello World Chat Bot - Workflow Template: Easy starter template to create an interactive messaging experience for Webex users.
Search for CVE Findings in Orca Triggered by Slack - Workflow Template: Receive a mention via Slack for "orca-cve", kick off a search in Orca for the specific CVE and update the thread in Slack with the results.
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template: For each new EDR detection, validate the files involved with threat intelligence, add to global block list if found to be malicious
Approve Group Membership for New User Creation (Okta) - Workflow Template: Ask via Slack for approval from specific department approvers when a new user is added to Okta.
Get AWS Access Key Information for User (AWS) - Workflow Template: Workflow that provides a summary of the Access Keys for a user including number of keys, status, last used and if the key is still in use.
Retrieve New Exploited Vulnerabilities from CISA - Workflow Template: On a daily schedule poll the latest CISA vulnerabilities and update a Slack channel on any new CVEs and include references from NIST
Send Torq Audit and Activity Logs to Snowflake - Workflow Template: Pull audit and activity logs from the Torq API and store them in Snowflake on a schedule of every 10 minutes.
Reset Direct Manager reference for an Entra ID user (ex-Azure AD) - Workflow Template: Trigger on Teams command, find user in Entra ID, and reset the reference to the direct manager in the directory.
Trigger specific scan, update results to Slack (Tenable) - Workflow Template: Triggers a specific pre-defined Tenable Cloud scan, waits for completion, updates on every vulnerable host with severity findings above 0.
Retrieve and Normalize data on a Domain - Workflow Template: Workflow to look up threat intelligence data from a number of sources and aggregate domain and threat data, normalize a score for a domain
Send Torq Audit and Activity Logs to S3 Bucket on a Schedule - Workflow Template: Based on a configured time, workflow will upload Torq Audit and/or Activity logs to AWS S3 Buckets.
Rename new iOS device to User / Serial Number (Jamf) - Workflow Template: For each new iOS device enrolled in Jamf, if the User Name was not set, change it to unique serial number. Otherwise rename to the User Name
Cache VirusTotal Threat Intelligence Findings on an IOC - Workflow Template: Receive an IOC from a parent workflow, check the global variable for previous results, if not, query VirusTotal and save results
Microsoft Teams - Hello World - Workflow Template: Simple example of Microsoft Teams messages using Adaptive Cards, collecting interactive responses and providing them back to the user.
Check Point SmartTasks Notification to Slack - Workflow Template: Notification to Slack on status of a policy install or session details of additions, modifications, or deletions when a session is published.
Nested Check-Out of AWS Credentials via Britive (Britive) - Workflow Template: Example nested workflow using Britive to Check-Out AWS credentials to be used in a workflow. Check-In the creds using the trans-id provided
ITSM - Notify Slack user on closed/resolve incidents (ServiceNow) - Workflow Template: Receive a Slack message on resolved or closed tickets within ServiceNow. Enrich the message with details from the ticket and closing users.
Verify User's Group Membership in Okta via Slack Command - Workflow Template: Receive a Slack command with the user's email and optional group and provide the group membership including a match if a group is provided.
Ask Users to Confirm Failed JumpCloud Login Attempts - Workflow Template: Daily pull of failed logins from JumpCloud, reach out to users with failed logins over Slack and confirm they were the ones trying to log in.
Send Message over Slack or Microsoft Teams - Workflow Template: This workflow can be used where both Slack and Microsoft Teams are used by different parts of their organizations to send a message.
Upload Latest Recorded Future IOCs to Cybereason - Workflow Template: Pull latest Hashes, IPs and Domains above a specific risk score from Recorded Future and add to the Cybereason reputation list.
Suspend Okta Users that are Inactive for More than 30 Days - Workflow Template: On a scheduled interval check for users that have not logged in for more than 30 days. Ask a Slack channel for approval to suspend the users
Teams Mention to Analyze Suspicious URLs and IPs with VirusTotal - Workflow Template: Receive a suspicious list of URLs and/or IPs from Microsoft Teams, scan using VirusTotal, and send results back to the Teams conversation.
Enrich Hashes, CVEs and IP Addresses with Recorded Future - Workflow Template: Receive a message with one or more CVEs, SHA256 hashes or suspicious IP addresses from Slack and enrich the data with Recorded Future.
Collect all Public IP Addresses for an AWS Account - Workflow Template: Collect all public IP addresses for a given AWS account and provide a simple summary list of IPs and a JSON list by region and service.
Slack Mentions - Hello World - Workflow Template: Slack Bot workflow to reply to either mentions or direct conversations with the bot
Nested Slack Block Generator from an Array - Workflow Template: Workflow meant to be used as a nested workflow to build a Slack block from an array. This block can be used in the Slack Block Form step.
Group IoCs From Text Input - Workflow Template: This function takes a text and returns groups of hashes, URLs, domains and IP addresses
Process New Cloud Vulnerability DB Issues (Open CVDB) - Workflow Template: Pull latest vulnerabilities from the Open Cloud Vulnerability Database and send an alert to a Slack Channel
Open or Update a Jira Issue on an Uptycs Alert - Workflow Template: Open a parent or child issue in Jira when a medium/high severity event is found. Ask a Slack channel if additional information is required.
Just-In-Time Access to Group Membership in Active Directory - Workflow Template: Trigger on a Slack command where a user asks for temporary access to a group in Active Directory with approval from a Slack channel.
Okta event on MFA addition with user Verification (Okta) - Workflow Template: Receive event from Okta when a user adds an MFA method, look up source IP with VirusTotal or ask user if this was intended, if not open issue.
Upload HIPAA Training Evidence in Drata - Workflow Template: Identify users that are HIPAA training non-compliant within Drata and upload evidence file provided to workflow.
Identify and Label Confluence Content with PII from BigID - Workflow Template: On a trigger from BigID, label all content in Confluence with a specific tag and notify a Slack channel and open a Jira issue with findings.
Gather CircleCI Environment Variables from GitHub Org Repos - Workflow Template: Query GitHub for Organization Repositories and gather CircleCI Environment Variables that are configured in the project.
Verify Permissions to Execute Workflows - EntraID (ex-Azure AD) - Workflow Template: Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership.
Upload Hard Drive Encryption Evidence in Drata - Workflow Template: Identify devices that are HD encryption non-compliant within Drata and upload evidence file provided to workflow.
Send a Microsoft Teams Notification upon Mention in a Torq Case - Workflow Template: When a user is mentioned in a Torq Case comment, send the user a notification in Microsoft Teams with the text and a hyperlink to the case.
Label Google Drive Files Containing PII Identified by BigID - Workflow Template: On trigger from BigID from findings of files in Google Drive that contain PII, assign a Google Drive label and field to the file.
Reset Entra ID (ex-Azure AD) MFA Methods and Password on a User - Workflow Template: This workflow can be used as a nested workflow to reset a user's password, remove all MFA methods for the user and clear any user sessions.
Add MFA on IdP Evidence in Drata - Workflow Template: Identify users that are MFA non-compliant within Drata and upload evidence file provided to workflow.
Fetch New QRadar Offenses with Pagination - Workflow Template: A nested workflow to pull all new open QRadar offenses and use pagination to return all results.
SSL Certificate Expiration Check - Workflow Template: From a list of domains or subdomains, check expiration dates from their certificates
Find all Okta Active Devices with Pagination - Workflow Template: Workflow that can be used as a nested workflow to gather all active Okta devices into a single array using pagination.
Extract Multiple Observables - Workflow Template: Extracts different types of observables such as File Hashes, IP Addresses, Email Addresses, Filenames, Hostnames, URLs, and CVEs.
Upload Screensaver Lock Evidence in Drata - Workflow Template: Identify devices that are screen lock non-compliant within Drata and upload evidence file provided to workflow.
Identify PII Information Shared in a Slack Workspace via BigID - Workflow Template: On a trigger from BigID for PII information found in a Slack Workspace, send detailed findings to a specific Slack channel or admin.
Simple Loops with Torq - Workflow Template: Example of using a loop over JSON data and loop over a range in a workflow. Results are collected with the "Collect" operator
Add Anti-Virus Evidence in Drata - Workflow Template: Identify devices that are anti-virus non-compliant within Drata and upload evidence file provided to workflow.
Upload Auto-Updates Evidence in Drata - Workflow Template: Identify devices that are anti-update non-compliant within Drata and upload evidence file provided to workflow.
Add Password Manager Evidence in Drata - Workflow Template: Identify devices that are password manager non-compliant within Drata and upload evidence file provided to workflow.
Send Torq Audit or Activity logs to Sumo Logic on a Schedule - Workflow Template: Workflow that can be used to send either Torq audit or activity logs to Sumo Logic on a scheduled interval.
Handle Wiz Alert for AWS Admin Principals Inactive Over 90 Days - Workflow Template: On alert from Wiz on an AWS admin principal that is inactive over 90 days, ask a Slack channel for approval to deactivate the IAM account.
Export a Torq Case in Word Document Format - Workflow Template: Export a Torq Case including the general details, timeline, observables, attachments and custom fields into a Microsoft Word file.
Collect Asynchronous Responses from Slack Block Messages - Workflow Template: Workflow that can be used to record asynchronous responses to Slack Block Kit messages that contain buttons for a user response.
Convert Newline Delimited JSON to Standard JSON - Workflow Template: Converts Newline Delimited JSON formatted data into standard JSON format.
Upload Background Check Evidence in Drata - Workflow Template: Remediate failed resources that require background check evidence by attaching necessary provided URL on workflow initiation.
Assign or Remove Licenses on Users for Microsoft via Graph API - Workflow Template: Used as a nested workflow to assign or remove licenses to Microsoft 365 users. The workflow takes the SKU on input for assignment.
Upload Security Training Evidence in Drata - Workflow Template: Identify users that are security training non-compliant within Drata and upload evidence file provided to workflow.
Get Failing Resources for a Test in Drata - Workflow Template: Provide insight into failed resources based on information collected from the Drata platform.
Check if IPv4 Address is Part of an AWS IP Network Block - Workflow Template: On a mention from Slack, extract an IP address and try to match it to a network block in use at AWS. Provide the result back to the thread.
Offboard SaaS User from Grip on Trigger from Hibob - Workflow Template: On trigger from Hibob, offboard the user from Grip and report the status back to a default Slack channel or the user's Manager via Slack.
Attach a Screenshot to a ServiceNow Incident or Jira Issue - Workflow Template: Workflow that can be used as a nested workflow to attach a screenshot of a URL to either a Jira Issue or ServiceNow Incident
Search for Unused or Inactive Roles in AWS IAM - Workflow Template: Queries AWS for the IAM Roles and groups roles by Last Used and Never Used after a defined amount of days.
Verify User's Group Membership in Ping via Slack Command - Workflow Template: Receive a Slack command with an optional group and provide the group membership including a match if a group is provided.
Collect Information on Case Closing Action - Workflow Template: Shows a form whenever a Case is changed to CLOSED status.
URLScan URL Enrichment with Cache - Workflow Template: Receive a URL to analyze with URLScan and provide a summary of the URL with malicious, phishing, score and screenshot details if available.
Subscribe Gmail address to watch a PUB SUB pre-defined topic - Workflow Template: Maintains a valid subscription to a topic by checking its expiration date daily and renewing it when necessary.
Send Torq Audit and Activity Logs to Singularity XDR - Workflow Template: Based on a configured time, workflow audit and activity logs will be sent to SingularityXDR
Google File Label Lifecycle - Workflow Template: This workflow showcases the published steps to support the Google file label lifecycle process.
Issue a Push Challenge with Okta and Wait for a Response - Workflow Template: Receive an Okta user and factor ID from a parent workflow and send a push challenge to the user and wait for and return the response.
AlienVault File Hash Enrichment with Cache - Workflow Template: Nested workflow that will take a File Hash as input and query AlienVault's General and Analysis sections for details and return the results.
Google Chat Hello World - Workflow Template: This workflow demonstrates the use of the Google Chat Steps and the ability to interact with end users and create Google Chat Spaces.
Pangea - Domain Enrichment with Cache - Workflow Template: Receives a Domain from a parent workflow and queries Pangea for its reputation.
Decode QR Codes in Torq Case Attachments - Workflow Template: Decode QR codes that are found in Torq Case Attachments by using a quick action or Run a Workflow on a Torq Case.
Notify on Open and In-Progress Torq Cases Approaching the SLA - Workflow Template: Scheduled workflow that will send a notification to Slack or Microsoft Teams on Torq cases that are approaching or past the defined SLA.
Recorded Future Sandbox - File Analysis with Cache - Workflow Template: Submits a File to Recorded Future Sandbox for full analysis.
Generate Graph of Simple JSON Data using Python - Workflow TemplateFunctional workflow that will data JSON data and generate a base64 encoded PNG graph of the data that was passed to the workflow.
Notify a Slack Channel on Case Creation - Workflow TemplateWorkflow that will notify a specific Slack channel for every new Torq case that is created.
Query Logs on Singularity XDR with Pagination - Workflow TemplateThis workflow serves as a function that executes a query in Singularity XDR.
Send Torq Audit or Activity Logs on a Schedule to Splunk - Workflow TemplateWorkflow that can be used to send Torq audit and/or activity logs to Splunk on a schedule every 10 minutes.
Simple Splunk Query with Optional Return Field Filters - Workflow TemplateA simple Splunk query that can use optional field filters to filter the dataset returned. Can be used as a nested workflow to simplify use.
Find AWS Instance Information by Private IP Address in Wiz - Workflow TemplateOn mention from Microsoft Teams, look for instances with the private IP Address and gather information on the instance and send to Teams.
Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed Regions - Workflow TemplateRetrieve Entra ID Audit logs for Sign-Ins and compare against specific allowed regions. If a violation occurs notify a Slack channel.
Run Antivirus Scan on a device on Microsoft Defender for Endpoint - Workflow TemplateRun a Quick or Full Antivirus Scan on a device by its machineId or device name.
Retrieve and Normalize data on a File Hash - Workflow TemplateWorkflow to lookup threat intelligence data from a number of sources and aggregate threat data, normalize a score for the provided file hash
Generate a Report for Torq Cases in Microsoft Docx Format - Workflow TemplateA nested workflow that generates a report on Torq cases, analyst activity, and case MTTR reporting with output as a Microsoft Word document.
Create Microsoft Graph Subscriptions and Renewals - Workflow TemplateCreate one or more Microsoft Graph subscriptions to a Microsoft 365 trigger. The subscriptions are extended and renewed daily.
Find all Hosts Impacted by an Open CVE in CrowdStrike - Workflow TemplateFind all hosts in CrowdStrike that are impacted by a specific CVE and output the list of hostnames and remediation information provided.
Send a Microsoft Teams Notification to Assignee in a Torq Case - Workflow TemplateSend a notification to the new assignee on a Torq Case via Microsoft Teams with a summary of the case and a direct hyperlink to the case.
Search for Vulnerabilities by Hostname in Tenable - Workflow TemplatePull information from a hostname in Tenable and output the information back to the parent workflow or an optional Slack user or channel.
Send Torq Audit and Activity Logs to Elasticsearch - Workflow TemplatePull the logs from Torq on a schedule and send to Elasticsearch in a batch transaction.
Create Microsoft Graph Subscription and Renew Daily - Workflow TemplateCreate a Microsoft Graph subscription to a Torq Microsoft 365 trigger. The subscription is renewed daily and extends the expiration date.
Suspend Contractor Accounts in Okta with inactivity for 7 days - Workflow TemplateCheck daily for active accounts where the profile userType is "Contractor". Suspend the account if no login occurred in the past 7 days.
VirusTotal Domain Enrichment with Cache - Workflow TemplateNested workflow that will take a Domain as input and query VirusTotal for the domain and return analysis information to the parent workflow.
Isolate or Unisolate device on Microsoft Defender for Endpoint - Workflow TemplateNested workflow to Isolate or Unisolate a device by its machineId or device name.
Recorded Future - URL Enrichment with Cache - Workflow TemplateReceive an URL from a parent workflow and query Recorded Future for its reputation.
Fetch File Information by Hash from Microsoft Defender - Workflow TemplateCollects threat information about a file by fileId (SHA1 Hash) in a time frame.
VirusTotal URL Enrichment with Cache - Workflow TemplateNested workflow that will take a URL as input and query VirusTotal for details and return analysis information on the URL.
Torq Case Example Descriptions for Different Case Types - Workflow TemplateA workflow with many mock examples of Torq Case descriptions for Torq integration partners and formatting examples to use with Torq Cases.
Recorded Future - IoC Enrichment - Workflow TemplateExtracts multiple observables from raw text and performs enrichment for each observable on RecordedFuture.
AlienVault Combined Observable Enrichment - Workflow TemplateExtract multiple observables from raw text and performs enrichment for each observable in AlienVault returns analysis information.
Collect Information on Case Closure by Permitted Analysts - Workflow TemplateCollect information when a Torq Case is changed to a CLOSED status and verifies that the analyst is permitted to close cases.
Gather QRadar Events for a Given Offense - Workflow TemplateFor a given QRadar Offense pull all events for a specific time window and provide the list of events back to a parent workflow.
AlienVault Domain Enrichment with Cache - Workflow TemplateNested workflow that will take a Domain as input and query AlienVault's General, Malware and GEO sections and return analysis information.
Notify a Teams Channel on Case Creation - Workflow TemplateWorkflow that will notify a specific Microsoft Teams channel for every new Torq case that is created.
Send Slack Notification upon Mention in a Torq Case - Workflow TemplateWhen a user is mentioned in a Torq Case comment, send the user a notification in Slack with the text and a hyperlink to the case.
Prepare Case Properties by Case Type - Workflow TemplateWhen a new Torq case is created, based on the case type, create custom fields and quick action on the newly created case.
Generate a Screenshot of a URL and Describe the Image via OpenAI - Workflow TemplateGenerate a screenshot of a specific URL and ask OpenAI to review the image and provide input if it could be part of a phishing attempt.
Retrieve and Normalize data on an IP Address - Workflow TemplateWorkflow to lookup threat intelligence data from a number of sources and aggregate geo data, threat data and normalize a score for the IP
VirusTotal File Hash Enrichment with Cache - Workflow TemplateNested workflow that will take a File Hash as input and query VirusTotal for analysis and if the hash is found, return the results.
Handle Panther Okta Alerts on User Action Detection - Workflow TemplateOn a new Panther alert from Okta, ask the user if the action was intended and if so mark the alert resolved. If not, open a Torq case.
Pangea - Email Enrichment with Cache - Workflow TemplateReceives an Email from a parent workflow and queries Pangea for its reputation.
VirusTotal IPv4 Address Enrichment with Cache - Workflow TemplateWorkflow that will take an IPv4 address as input and query VirusTotal and return the analysis information to the parent workflow.
AlienVault IPv4 Address Enrichment with Cache - Workflow TemplateWorkflow that will take an IPv4 as input and query AlienVault's General, Malware and Reputation sections and return analysis information.
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow TemplateFor each new threat detected by SentinelOne, query Threat Intelligence data from VirusTotal and RecordedFuture and add notes to the threat
Pangea - File Hash Enrichment with Cache - Workflow TemplateReceives a File Hash from a parent workflow and queries Pangea for its reputation.
Submit a File for Analysis to VirusTotal with Cache - Workflow TemplateSubmit a file to VirusTotal for analysis and provide a simple cache for the analysis results. Use URLs or Torq file links to the file.
Search Observables by Grouped UDM Fields in Chronicle - Workflow TemplateReceives Observables as hash, IP address, domain, username or email and performs a query to Chronicle SIEM using Grouped UDM fields.
Return Specific Default or Overriding Workspace Variable - Workflow TemplateThis workflow will return a variable from two workspace variables with priority if found in the Overriding Workspace Variable then Default.
Request File Download From CrowdStrike Using Real Time Response - Workflow TemplateNested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor
On Case Closure Set a Custom Field and Tag with Resolution Reason - Workflow TemplateWhen a Torq Case is closed or resolved, add a specific custom field and tag to the case that will contain the resolution reason of the case.
Send a Slack Notification to Assignee in a Torq Case - Workflow TemplateSend a notification to a new assignee on a Torq Case via Slack with a summary of the case and a direct hyperlink to the case.
Validate Gem Alert Events in Slack - Workflow TemplateCommunicate with a user through Slack to validate a security alert.
Run LiveResponses on Microsoft Defender for Endpoint - Workflow TemplateExecute Live Responses on an Endpoint and collect the results of each command.
Torq Interact Multi-User Communication Example - Workflow TemplateThis demo illustrates how to utilize Torq Interact to handle communications with one or more users.
Scan URLs with URLScan and Provide a Summary - Workflow TemplateReceive an array of URLs to scan with URLScan and provide a summary per URL with malicious, phishing, score, and screenshot URL if available
VirusTotal Combined Observable Enrichment - Workflow TemplateExtracts multiple observables from raw text, performs enrichment for each observable in VirusTotal and returns analysis information.
AbuseIPDB IPv4 Address Enrichment with Cache - Workflow TemplateWorkflow that will take an IPv4 address as input and query AbuseIPDB for details about the address including the Abuse Confidence Score.
Send a Question to Slack Users and Collect Responses - Workflow TemplateSend a question to a number of Slack users and collect the responses in a global variable with a wait of up to 31 days to collect results.
Recorded Future - File Hash Enrichment with Cache - Workflow TemplateReceive a file hash from a parent workflow and query Recorded Future for its reputation.
Send a Microsoft Outlook Email to Assignee in a Torq Case - Workflow TemplateWorkflow that will notify the user by sending an email via Microsoft Outlook for every new Torq case that is assigned to the user.
Pangea - IP Address Enrichment with Cache - Workflow TemplateReceives an IP Address from a parent workflow and queries Pangea for its reputation.
Silent Push - Domain Enrichment with Cache - Workflow TemplateReceives a Domain from a parent workflow and queries Silent Push for enrichment.
Generate a Screenshot and Attach to a Torq Case on URL Addition - Workflow TemplateWhen a new URL is added as an observable, attempt to generate a screenshot and if successful add it as an attachment to a Torq case.
Download a File from a SentinelOne Threat ID - Workflow TemplateFetch a file from a SentinelOne Threat ID and encrypt it with the provided password with a link to download.
Recorded Future Sandbox - URL Analysis with Cache - Workflow TemplateSubmits a URL to Recorded Future Sandbox for full analysis.
Pangea - URL Enrichment with Cache - Workflow TemplateReceives a URL from a parent workflow and queries Pangea for its reputation.
Recorded Future - IP Address Enrichment with Cache - Workflow TemplateReceive an IP address from a parent workflow and query Recorded Future for its reputation.
Shodan - IP Address Enrichment with Cache - Workflow TemplateReceives an IP Address from a parent workflow and queries Shodan for enrichment.
Search In Torq Audit Logs Based on Query - Workflow TemplateSearch for audit event based on action, email, actor type, actor_name or resource name.
Generate a Dynamic PowerPoint Document based on Slide Data - Workflow TemplateWorkflow that can be used as a guide on how to generate a dynamic PowerPoint document with the Python python-pptx library.
Submit a File for Analysis to VMRay with Cache - Workflow TemplateSubmit a file to VMRay for analysis and provide a simple cache for the analysis results. Use public URLs or Torq file links to the file.
Gather Torq Audit or Activity Logs - Workflow TemplateNested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Fetch Cyberint Alerts on a Schedule - Workflow TemplateFetch alerts from Cyberint on a schedule. An optional loop is available in the workflow to do additional actions as needed.
Table Workspace Variable Example Workflow - Workflow TemplateThis workflow is an example of how to use a table as a workspace variable to perform common CRUD tasks.
Open Jira Issues and Enrich Event on Sysdig Kubernetes Detections - Workflow TemplateDetect, enrich, alert and auto-assign incidents using Kubernetes namespaces using Sysdig Runtime Threat Intelligence and Detection.
List All Groups with Pagination on Entra ID (ex-Azure AD) - Workflow TemplateThis function will collect all groups on Entra ID (ex AzureAD) using pagination.
List All Users with Pagination on Entra ID (ex-Azure AD) - Workflow TemplateThis function will collect all users on Entra ID (ex AzureAD) using pagination.
Fetch Incidents from Cortex XDR on a Schedule - Workflow TemplateOn a schedule, fetch new incidents from Cortex XDR using pagination.
Create Tables on Snowflake for Torq Audit and Activity Logs - Workflow TemplateCreate tables in snowflake database to store Torq audit and activity logs.
Step Failure with Runner Configured Notification to Slack - Workflow TemplateSend a notification to a Slack channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Step Failure with Runner Configured Notification to Teams - Workflow TemplateSend a notification to a Teams channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Step Failure with Runner Configured Notification to Email - Workflow TemplateSend an email notification via Gmail/Outlook when a step failure occurs where a runner is configured. A link to the execution is provided.
Notify by Email when a Workflow Failure is Triggered - Workflow TemplateSend an email notification via Gmail/Outlook when a workflow failure is detected. A link to the workflow execution is provided.
Notify Reviewer via Slack when Workflow is Submitted for Review - Workflow TemplateWhen a workflow submission is requested send a message to each reviewer in Slack and include a link to the submission.
Notify a Slack Channel when a Workflow Failure is Triggered - Workflow TemplateSend a notification to a Slack channel when a workflow failure is detected. A link to the execution log is provided in the message.
Notify a Microsoft Team when a Workflow Failure is Triggered - Workflow TemplateSend a notification to a Microsoft Team when a workflow failure is detected. A link to the execution log is provided in the message.
Notify Reviewer via Teams when Workflow is Submitted for Review - Workflow TemplateWhen a workflow submission is requested send a message to each reviewer in Teams and include a link to the submission.
Notify a Slack Channel for a New Share Request - Workflow TemplateWhen a new resource is shared with the workspace send a message with the details to a Slack channel with a link to the request.
Notify a Microsoft Teams Channel for a New Share Request - Workflow TemplateWhen a new resource is shared with the workspace send a message with the details to a Teams channel with a link to the request.
Watch Microsoft Security Response Center RSS Feed - Workflow TemplateAn example workflow to check an RSS feed daily for changes using the Microsoft Security Response Center RSS feed as a sample.
File Conversion using a Torq Interact Workflow - Workflow TemplateThis workflow is an example of how to use Torq Interact with the file upload and download parameters.
Add a Weekday or Weekend Tag on Creation of a Torq Case - Workflow TemplateThis workflow will add a tag for either Weekday or Weekend to a new Torq case based on the local creation time of the case.
Wiz GraphQL Query for AWS Instances with Open SSH Access - Workflow TemplateSimple example using the GraphQL functionality with Wiz to run a query. Use the API Console in Wiz to find GraphQL statements to use.
Discord - Hello World - Workflow TemplateThis is a simple example of using Discord to create an interactive workflow using an Ask Question step.

Enable AWS S3 Bucket Versioning on Orca Alert - Workflow TemplateReceive an Orca alert on an AWS S3 bucket with versioning disabled, lookup owner tag, ask owner or channel to enable versioning.
Offboarding Remediation with Adaptive Shield - Workflow TemplateTriggered from a Slack mention to leverage Adaptive Shield's insight into SaaS applications to remediate offboarded user's access
Just-in-time access to Group Membership in PingOne - Workflow TemplateTrigger on a Slack command where a user asks for temporary access to resources based on group membership via PingOne with approval.
Remediate Wiz Alert on Azure VM with Open SSH Access - Teams - Workflow TemplateWhenever an alert is raised on an Azure VM having an open access (from the internet) to SSH on port 22, orchestrate remediation.
Compliance - Provide temporary Device Admin to Mac users (JAMF) - Workflow TemplateReceive a request over Slack for temporary assignment of admin permissions. Get approval from Security channel, update policy on Jamf.
Enable AWS S3 Bucket Encryption on Alert from Wiz - Workflow TemplateReceive a Wiz issue on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Enable AWS S3 Bucket Versioning on Alert from Wiz - Workflow TemplateReceive an alert from Wiz on an AWS S3 bucket with versioning disabled, lookup owner tag, ask owner or channel to enable versioning.
Handle Suspicious AWS Console Logins (AWS SNS) - Workflow TemplateCheck source IP of the login session, verify with user if suspicious or malicious. If acknowledged - log a ticket. Otherwise - remediate.
Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow TemplateWorkflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.
Update Jira Status/User on Device with CVE Tag (Armis) - Workflow TemplateQuery Armis for devices with a specific tag where a vulnerability was found in a previous workflow and update Jira and user on the status.
Disable a Specific User in Google Cloud Identity - Workflow TemplateWorkflow and nested workflow that can be used to disable a specific user in Google Cloud Identity when an account is compromised.
Handle AWS Security Group with Open SSH Access on Orca Alert - Workflow TemplateWhenever an Orca alert is raised on an AWS security group with an open access (from the internet) to SSH, orchestrate remediation.
Enable AWS S3 Bucket Encryption on Alert (PrismaCloud) - Workflow TemplateReceive PrismaCloud alert on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Analyze Files in Netskope Sandbox with Cache - Workflow TemplateSubmit a file using a Webform to Netskope Sandbox for malware analysis.
Handle AWS S3 Bucket Allows HTTP Requests on Wiz Alert - Workflow TemplateReceive an issue from Wiz on an AWS S3 bucket not being compliant, apply a default AWS S3 bucket policy to remediate.
Add Phishing Domain to CloudFlare ZeroTrust (IntSights) - Workflow TemplatePoll alerts in IntSights for High level Phishing issues. Ask a Slack channel if the domain should be added to the CloudFlare Zero Trust List
Remediate AWS VPC Created without Flow Logs with Orca - Workflow TemplateReceive an alert on an AWS VPC created without Flow Logs. Reach out to the owner, suggest remediation and define Flow Logs in AWS.
Remediate AWS EC2 Instance with Open SSH Access from Wiz Alert - Workflow TemplateWhenever an alert is raised on an AWS EC2 Instance having an open access (from the internet) for SSH, orchestrate remediation.
Block Domain Finding on PerceptionPoint (IntSights) - Workflow TemplatePoll alerts in IntSights for High level Phishing issues. Ask a Slack channel if the domain should be blocked in PerceptionPoint's blocklist
Open a TheHive case triggered by SentinelOne findings - Workflow TemplateRetrieve latest threats from SentinelOne and enrich using third party vendors, open a case at TheHIVE with observables, tasks and TTPs.
Request Justification of Integration from Astrix Finding - Workflow TemplateAdd business context to new Astrix high-risk integrations by asking the owner to elaborate on the purpose of the integration by email.
Detected RDP session from Server to External IP (Armis) - Workflow TemplateReceive an event from Armis on a Network Policy Violation, lookup source/destination/user information and open Jira ticket and alert user.
Add/Del (IPs/Ranges/Subnets) from Okta BlockedIpZone (Okta) - Workflow TemplateReceive Slack command to add/del ip/range/subnet from the Okta BlockedIPZone, verify IPs and get approval from admin to update.
Hunt for specific CVE and Attempt Remediation (Armis) - Workflow TemplateQuery Armis for specific CVE to look for threat, query information from Armis and Jamf, place device into Jamf patch group and notify user.
Just-in-time access to Group Membership in AzureAD by TEAMS - Workflow TemplateTriggers on a Teams command where a user asks for temporary access to applications based on group membership via Azure AD with approval.
Just in Time AWS Access with Slack Approval Flow (Britive) - Workflow TemplateRequest temporary access to AWS via Britive using Slack. Approval via a Slack channel and up to 8 hours of access with reminders every hour
Advanced Upload of the Latest Recorded Future IOCs to Cybereason - Workflow TemplatePull latest Hashes, IPs and Domains above a specific risk score from Recorded Future and add to the Cybereason reputation list.
Request User Account Unlock in JumpCloud - Workflow TemplateRequest an unlock of the user's account in JumpCloud by sending a Slack Slash command and verifying the user and lock status.
Jira Enrichment for Hashes Found in Issue Description - Workflow TemplateEnrich hashes found in Jira issue description when a new comment is added to the issue with a specific keyword. Triggered by Jira automation
Add and Remove URLs from the Global Blacklist (Zscaler) - Workflow TemplateTriggers from Slack message for check url or remove url for the Global Blacklist for Zscaler. On a check url, the URL category is provided.
Isolate an AWS EC2 Instance by using tags (AWS) - Workflow TemplateWhen applying a specific Key:Value tag on an EC2 instance, apply an isolation security group and remove IAM Instance Role and apply new role
Enable Encryption on AWS S3 Bucket on Alert from Orca - Workflow TemplateReceive an Orca alert on an AWS S3 bucket with encryption disabled, lookup owner tag, ask owner or channel to enable AES256 encryption.
Request Just-in-Time Access to SSO Applications in JumpCloud - Workflow TemplateTrigger on a Slack command where a user asks for temporary access to applications based on group membership via JumpCloud with approval.
Handle Orca Alert for IAM Role with Admin Permissions - Workflow TemplateReceive an Orca alert on excessive policies / permissions attached to an IAM Role. Update owner or channel via Slack.
Request AWS Credentials Based on Jira Assignment (Britive) - Workflow TemplateReceive a mention via Slack for Jira-Access with a Jira issue key. Provide access to the AWS account ID listed in the Jira issue via Slack.
Notify Project Owners of 5 or more Critical Issues in Snyk - Workflow TemplatePoll the projects for an organization in Snyk and create Jira issues when a project is found to have 5 or more critical issues.
Handle IAC Configuration Issues in Snyk and Notify Owner - Workflow TemplateGet latest configuration issues from projects in an organization, open a Jira issue if one does not exist and notify the project owner.
Enable AWS S3 Bucket Versioning on Lacework Alert - Workflow TemplateOn an alert received from Lacework for S3 bucket versioning, pull the event, ask Slack user or channel to enable versioning.
Handle High Level CNC Threat Detected on Network (Armis) - Workflow TemplateReceive alert from Armis on a CNC DNS query, pull details about the device, open Jira issue, and alert the channel or user via Slack/Email
Remediate Wiz Alert on Azure VM with Open SSH Access - Slack - Workflow TemplateWhenever an alert is raised on an Azure VM having an open access (from the internet) to SSH on port 22, orchestrate remediation.
Remediate Alerts from Rules to External Address Adaptive Shield - Workflow TemplateRemediate Adaptive Shield alerts generated from Outlook inboxes with email rules that forward email to external addresses using Slack
Okta Exposed Passwords in Failed Login Attempts - Workflow TemplateUncover possible exfiltrated credentials in Okta when a user accidentally inputs a password in the email field and is stored as clear text.
Disable and Contain a Specific Compromised User in Okta - Workflow TemplateWorkflow and nested workflow that can be used to disable a specific user in Okta when an account is found to be compromised.
Handle AWS S3 Bucket Should Enforce HTTPS Alert from Orca - Workflow TemplateReceive an Orca alert on an AWS S3 Bucket not being compliant, apply a default S3 bucket policy to remediate.
Create Exclusions on Multiple SentinelOne Sites - Workflow TemplateCreates Exclusions for a list of path, browser or filetype Items. Exclusions can be created in one site or in multiple sites.
Notify on Google Drive Files Containing PII Identified by BigID - Workflow TemplateOn a trigger from BigID on findings of files in Google Drive that contain PII, notify the file owner via Slack and open Jira issues.
Delete an IAM User Account - Workflow TemplateThis workflow automates the procedure to delete or detach items from a user before deleting an IAM User Account.
Detect impossible travels in Okta logins. - Workflow TemplateAnalyzes users' successful logins from different locations within a short timeframe to detect possible Impossible Travel scenarios.
Microsoft Teams Driven User Account Management Action Menu - Workflow TemplateDisplays a menu for User Management related activities such as Reset Password, Enable/Disable a User or Get User Information.
Whitelist SHA1 Hashes on Multiple SentinelOne Sites - Workflow TemplateWhitelist a list of Hashes in one or multiple sites, if no Site list is provided, Hashes are added to all active sites.
Handle Wiz Alert for Public Azure Container with Sensitive Data - Workflow TemplateOn trigger from Wiz alert for an Azure Container containing sensitive data, ask a Slack channel or container owner to limit public access
Blacklist SHA1 Hashes on Multiple SentinelOne Sites - Workflow TemplateBlacklists a list of Hashes in one site or multiple sites, if no Site list is provided, Hashes are added to all active sites.
Just-in-time access to Group Membership in AzureAD - Workflow TemplateTrigger on a Slack command where a user asks for temporary access to applications based on group membership via Azure AD with approval.
Handle Wiz Alert for Public AWS S3 Bucket with Sensitive Data - Workflow TemplateOn trigger from Wiz finding for an AWS S3 bucket containing sensitive data, ask a Slack channel or bucket owner to limit public access.
Just-in-Time (JIT) access to Okta SSO Applications by Slack - Workflow TemplateSlack mention of "JIT-Access" allowing users to ask for a temporary access to applications via Okta SSO, with an approval flow via Slack
Handle Gem Alert for NSG With Ingress From Any (0.0.0.0/0) - Workflow TemplateWorkflow triggers when a rule with open access to the internet is created for a security group.
Enrich SentinelOne Incident with Threat Intelligence from Intezer - Workflow TemplateTrigger from a Singularity Webhook on a new threat and provide threat enrichment from Intezer with optional Live Agent Endpoint Scan
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow TemplateReceive a file signature from Slack and hunt for the signature in Singularity XDR, notify owners of the endpoint, kick off scan of devices.
Analyze URLs and Files in Triage Sandbox - Workflow TemplateThis workflow submits URLs to Hatching Triage Sandbox for analysis.
Create Att&ck Layer from TTP List - Workflow TemplateReceives a list of TTPs and returns an Att&ck layer in JSON and SVG formats.
Download a File from a SentinelOne Endpoint - Workflow TemplateDownloads a file from a Sentinel One agent given an AgentID a file path and a password. File does not need to be part of an Incident.
Analyze URLs and Files in Recorded Future Sandbox - Workflow TemplateThis workflow submits URLs to Recorded Future Sandbox for analysis.
Just-in-time (JIT) access to Okta Groups via Slack - Workflow TemplateSlack mention of JIT-Group allowing users to ask for a temporary access to Okta groups with approval flow via a Slack channel
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow TemplateCreates a snapshot of each EC2 volume when an EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.
Handle Gem Alert for Root Usage - Workflow TemplateReceives an alert for a recent usage of Root credentials and validates it with the user through Slack
Just-in-time access to Group Membership in Entra ID by TEAMS - Workflow TemplateTriggers on a Teams command where a user asks for temporary access to applications based on group membership via Entra ID with approval.
Just-in-time access to Group Membership in Entra ID (ex-Azure AD) - Workflow TemplateTrigger on a Slack command where a user asks for temporary access to applications based on group membership via Entra ID with approval.
Notify when a Thinkst Canary Token is triggered. - Workflow TemplateTriggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.
Create Cases from Crowdstrike Detections found in Splunk - Workflow TemplateQuery Splunk for new Crowdstrike detections and create Torq cases for events that are detected including host and user details.
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow TemplateSearch on a schedule for SentinelOne detections in Azure Sentinel and open a Torq case for each alert and threat.
Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow TemplateOn a schedule query Google Chronicle for new SentinelOne threats and open a Torq case with the relevant agent and threat details
Query for user MFA fraud reports on Entra ID - Workflow TemplateOn schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request on the Microsoft Authenticator App.

Monitor and Handle Gmail Mailbox for Phishing (Gmail) - Workflow TemplateMonitor a Gmail inbox and scan each message for URLs and attachments to scan with VirusTotal. Label each message with the result.
Remove Outlook Forwarding or Redirect Rules on Mention in Teams - Workflow TemplateOn mention from Microsoft Teams, check the email mailbox for domains that are not permitted for forwarding or redirection of emails.
Monitor and Handle Mailbox Folder for Phishing via IMAP - Workflow TemplateMonitor and handle emails in an Inbox folder and scan the URLs and attachments via VirusTotal. Report back via Slack and send email result.
Request Elevation of Local Admin Privileges in JumpCloud - Workflow TemplateRequest an elevation of admin permissions to a system by sending a Slack Slash command and verifying the system and duration of access.
Monitor an Outlook Mailbox for Phishing with Recorded Future - Workflow TemplateScan messages arriving to a specific folder in Outlook with Recorded Future for malicious URLs and files. Update category on email results.
CVE Search in Wiz, Snyk and Armis with Jira Issue Tracking - Workflow TemplateOn mention from Slack, search for CVE in Wiz, Snyk, and Armis. Report on findings in Slack and open and update Jira parent and child issues
Monitor an Outlook Mailbox for Phishing via Graph Subscription - Workflow TemplateAnalyze a message arriving to a mailbox in Outlook with VirusTotal for malicious and suspicious URLs and files. Update label on message.
AWS Bedrock Usage Examples - Workflow TemplateThis workflow demonstrates usage examples of a number of models available through Amazon Bedrock.
Monitor and Handle a Gmail Mailbox for Phishing Using OAuth2 - Workflow TemplateScan messages in a Gmail mailbox with a specific label with VirusTotal for malicious URLs and files. Update label and send email on results
Monitor an Outlook Mailbox for Phishing with VirusTotal - Workflow TemplateScan messages arriving to a specific folder in Outlook with VirusTotal for malicious URLs and files. Update the label on email results.