Basic
277 articles
Workflow Template: QuickAction - Create a PDF Report for a Torq Case
Creates a PDF Summary Report of a Torq Case as a response to a QuickAction button.
Workflow Template: Rerun Failed Workflow Executions On Demand
Search the Activity Log for failed workflow executions and their triggering events, and rerun all the failed workflow executions.
Workflow Template: Poll for new Veeam Backup & Replication Events and Open a Case
Creates a case in Torq for malware events detected by Veeam Backup & Replication.
Workflow Template: Poll for new Veeam ONE Alarm and Open a Torq Case
Creates a case in Torq when security-related alarms in Veeam ONE are triggered in a Warning or Error state.
Workflow Template: Attach a password protected archive to a Torq Case
Attach a suspicious or malicious file to a case within a password-protected archive for secure handling and analysis.
Workflow Template: Where used? Resource usage report
Provides 'Where Used' functionality in Torq, enabling users to query integrations, runners, or secrets.
Workflow Template: Extract Multiple Observables with AI Task
Use the AI Task operator to extract multiple types of observables from raw text.
Workflow Template: QuickAction - Scan Device on MS Defender for Endpoint
Start a full malware scan on a remote device when a quick action button is pressed.
Workflow Template: QuickAction - Isolate or Release a Device on MS Defender Endpoint
Isolate or release a remote device from isolation when a quick action button is pressed.
Workflow Template: What do we have? Environment Audit Report
Gathers an account's resources list, including triggers, workflows, integration API keys, and secrets, to generate HTML and PDF reports.
Workflow Template: VirusTotal IOC Lookup with Summary of Results from AI Task
Used as a nested workflow, receive an IP address, domain or file hash and query VirusTotal and analyze details with AI Task for a summary.
Workflow Template: Get Triggered Alarms from Veeam ONE
This workflow lists multiple security-related Veeam ONE alarms in Warning or Error status.
Workflow Template: Silverfort Risk and Incidents to Torq Observables and Cases
This workflow will receive a webhook from Silverfort and create or update Torq cases based on Silverfort Incident and risk changes.
Workflow Template: Change Sweet Security incident statuses via Slack Integration
Notify SOC and users of Sweet Security alerts, enriching incidents with responses.
Workflow Template: Start Configuration Backup in Veeam Backup & Replication
Initiates a configuration backup of system settings, job configurations, and other essential data in Veeam Backup & Replication.
Workflow Template: Crowdstrike Falcon Sandbox - File Analysis with Cache
Submit a file to Falcon Sandbox for malware analysis.
Workflow Template: Torq Automation Expert - Fix This Workflow
This workflow is used as part of the Torq Automation Expert Course that checks your skills at addressing and fixing errors in a workflow.
Workflow Template: Torq Automation Analyst - XML to JSON
This workflow is used as part of the Torq Automation Analyst Course to learn how to transform, select and filter data in Torq workflows.
Workflow Template: Torq Automation Analyst - Generate Token and HTTP GET Data
This workflow is used as part of the Torq Automation Analyst Course to learn about using basic HTTP steps in a workflow.
Workflow Template: Torq Automation Expert - Pagination
This workflow is used as part of the Torq Automation Expert Course to test your skills at using pagination to gather data in a workflow.
Workflow Template: Torq Automation Analyst - Fix this Workflow
This workflow is used as part of the Torq Automation Analyst Course to learn about troubleshooting and fixing errors in a workflow.
Workflow Template: Create Torq Cases from Proofpoint Clicks Permitted
On a schedule, check for clicks permitted in Proofpoint, enrich the URLs in VirusTotal and open a Torq Case for each finding.
Workflow Template: Synchronize Torq Case Runbooks from a GitHub Repository
Create or update Torq runbooks based on a GitHub repository when a commit has been made in the repository holding the runbooks.
QuickAction - Scan Device on SentinelOne - Workflow Template
Quickly start a Full Disk Scan of a Device with SentinelOne Agent using a single QuickAction button.
Workflow Template: Synchronize Torq Case Comment to Jira
Synchronize Torq Case Comment to Jira driven by a "Comment added" Trigger.
Workflow Template: Synchronize Torq Case Attachment to Jira
Synchronize Torq Case attachment to Jira driven by an "Attachment added" Trigger.
Workflow Template: Synchronize Torq Case Assignee to Jira
Synchronize Torq Case Assignee to Jira driven by an "Assigned to teammate" Trigger.
Workflow Template: Synchronize Torq Case Comment to Microsoft Sentinel Incidents
Synchronize Torq Case Comment to a Sentinel Incident driven by a "Comment added" Trigger.
Workflow Template: Synchronize Torq Case State Change to Jira
Synchronize Torq Case Change of State to a Jira ticket driven by a "State changed" Trigger.
Workflow Template: Synchronize Torq Case Severity to Jira
Synchronize Torq Case Severity to Jira driven by a "Severity changed" Trigger.
Workflow Template: Synchronize Torq Case Severity to ServiceNow Urgency and Impact
Synchronize Torq Case Severity to ServiceNow driven by a "Severity changed" Trigger.
Workflow Template: Synchronize Torq Case Assignee to ServiceNow
Synchronize Torq Case Assignee to ServiceNow driven by an "Assigned to teammate" Trigger.
Workflow Template: Synchronize Torq Case State Change to Microsoft Sentinel Incident
Synchronize Torq Case Change of State to a Sentinel Incident driven by a "State changed" Trigger.
Workflow Template: Synchronize Torq Case Attachment to ServiceNow
Synchronize Torq Case attachment to ServiceNow driven by an "Attachment added" Trigger.
Workflow Template: Synchronize Torq Case State Change to ServiceNow
Synchronize Torq Case Change of State to ServiceNow driven by a "State changed" Trigger.
Workflow Template: Synchronize Torq Case Assignee to Microsoft Sentinel Incidents
Synchronize Torq Case Assignee to a Sentinel Incident driven by an "Assigned to teammate" Trigger.
Workflow Template: Synchronize Torq Case Severity to Microsoft Sentinel Incidents
Synchronize Torq Case Severity to a Sentinel Incident driven by a "Severity changed" Trigger.
Workflow Template: Synchronize Torq Case Comment to ServiceNow Note
Synchronize Torq Case Comment to ServiceNow Note driven by a "Comment added" Trigger.
Workflow Template: Synchronize Torq Case Tags to Microsoft Sentinel Incidents
Synchronize Torq Case Tags to a Sentinel Incident driven by a "Tags Updated" Trigger.
Workflow Template: Reduce large Slack message to multiple 3000 character messages
This workflow takes in a large message and breaks it into multiple "chunks" compatible with the 3000 character limit in the Slack API.
Workflow Template: Send a Teams message when a workspace table variable is deleted
Send a Microsoft Teams message to subscribers when a workspace table variable is deleted.
Workflow Template: Send a Slack message when a workspace table variable is deleted
Send a Slack message to subscribers when a workspace table variable is deleted.
Workflow Template: Simple SumoLogic Query with Optional Return Field Filters
Filter your search for specific messages or records in Sumo Logic and return only the relevant fields.
Workflow Template: Notify on Runner's Health Status Change via Teams
Get a Teams notification every time a Step Runner's health status changes.
Workflow Template: Notify on Runner's Health Status Change via Slack
Get a Slack notification every time a Step Runner's health status changes.
Workflow Template: QuickAction - Upload a File from a URL to a Case
Uploads a password protected archive from a URL as a response to a QuickAction button.
Workflow Template: Collect Azure VM and Network Details
Nested workflow used to collect Azure VM and Network info needed in support of remediation workflows.
Workflow Template: Alert on Google Login Activity Outside of Allowed Regions
Retrieve Google Login Activity for logins and compare against specific allowed regions. If a violation occurs, notify a Slack channel.
Workflow Template: IP Address Enrichment with Cache (Silent Push)
Receives an IP Address from a parent workflow and queries Silent Push for enrichment.
Workflow Template: VirusTotal IOC Lookup with Summary of Results from OpenAI
Used as a nested workflow, receive an IP address, domain or file hash and query VirusTotal and send the details to OpenAI for a summary.
Workflow Template: Query Okta System Logs by Actor Activity
Query the Okta System Logs by specific Actor and provide results and an optional summary of EventType and outcome result for the logs.
Workflow Template: Domain Enrichment with Cache (Shodan)
Receives a Domain from a parent workflow and queries Shodan for enrichment.
Workflow Template: Enrich New Cybereason MalOps File Hash Detail
For each new MalOp that is detected, attempt to enrich the file hash intelligence from VirusTotal and Recorded Future in the MalOp Comments.
Workflow Template: Interactive Email Conversation using Google Workspace
Example of using Google Workspace email as part of an interactive email conversation. This could also be added as a nested workflow.
Workflow Template: Collect Torq Global Variables with Pagination
Workflow that uses pagination to gather all Torq global variables and provide them in a single array.
Workflow Template: Verify Permissions to Execute Workflows (Google Cloud Identity)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership.
Workflow Template: Process New NIST NVD Vulnerabilities
Pull latest CVEs from the NIST NVD Database and update a Slack channel. Additional steps can be added to search for CVEs in other platforms.
Workflow Template: Slack Slash Command - Hello World
Example of an interactive experience with Slack Slash Commands and replying back to the channel with information from the event.
Workflow Template: Add Malicious IPs to Network Block Zone from Okta System Logs
On a schedule, pull Okta system logs for specific event types, extract any IPv4 address and, if found malicious, update the block zone in Okta.
Workflow Template: Collect Torq Audit or Activity Logs
Nested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Workflow Template: Handle Nessus Scan Results
Daily notification of specific pre-defined Nessus scans. Send results to Slack channel as defined.
Workflow Template: Gather CircleCI Environment Variables from Bitbucket Repos
Query Bitbucket for workspace repositories and gather CircleCI Environment Variables that are configured in the project.
Workflow Template: Verify Permissions to Execute Specific Workflows (Okta)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership in Okta.
Workflow Template: Send an email via SMTP with VirusTotal Stats
Send a simple email via SMTP including VirusTotal engine stats in an HTML table format for a particular HASH lookup.
Workflow Template: Assign New Alerts from Hunters.ai
Retrieve alerts from Hunters XDR, suggest to assign using Slack.
Workflow Template: Jira Issue Reminder and Escalation via Slack or Teams
Send reminder and escalation messages via Slack or Microsoft Teams on a Jira issue status on a specific polling interval.
Workflow Template: Append data to an Array (Torq)
Append JSON data to an array using the Append to Array step. Example JSON data is provided to append to a new array.
Workflow Template: Open a PagerDuty Incident on Host Detection (CrowdStrike)
Receive an event from CrowdStrike; if the event is critical or high, open an incident with PagerDuty and enrich the IOC details with VirusTotal.
Workflow Template: Upload a File in Teams to a SharePoint Folder
Create either a CSV, JSON or PDF file in Microsoft Teams and post an adaptive card with a link to the file in the Teams Channel.
Workflow Template: Compliance - Generate report on non-compliant devices (Intune)
Pull non-compliant devices list from Microsoft Intune and go over them. Retrieve an associated user from each device, and create a list.
Workflow Template: Merge JSON data using JQ based on a common Key/Value
Simple example using JQ to merge two JSON files, using the key Email_Address as the match between the two datasets.
Workflow Template: Check Point R81 Management Workflow
An example workflow that outlines the needed steps to make changes to the Check Point Management Server and install policy against a gateway.
Workflow Template: Slack Mention to Analyze Suspicious URLs and IPs with VirusTotal
Receive a suspicious list of URLs and/or IPs from Slack, scan using VirusTotal, and report the results back to the Slack thread.
Workflow Template: Create a Torq Case from a QRadar Offense
Used as a nested workflow to open a Torq case from details in a QRadar Offense and optionally include QRadar events in the case details.
Workflow Template: Retrieve Daily Unencrypted Bucket Summary (AWS Macie)
On a daily schedule, retrieve data from Amazon Macie on specific criteria and deliver to a Slack user or Channel.
Workflow Template: Remove Public Links from Google Drive Detected by BigID
On an alert from BigID where files with sensitive information are found publicly shared, loop over each finding and remove the public share.
Workflow Template: Jira Issue Creation, Update, and Assignment
Example workflow using the most common steps in the lifecycle of a Jira issue including issue assignment and example JQL query.
Workflow Template: Scan URLs with VirusTotal and Provide Summary Verdict
Receive an array of URLs to scan with VirusTotal and provide a summary per URL of any malicious or suspicious count more than 1.
Workflow Template: Domain Enrichment with Cache (Recorded Future)
Receive a domain from a parent workflow and query Recorded Future for its reputation.
Workflow Template: Clear Okta sessions for specific users via Slack
Receive a Slack command to clear all sessions for one or more users.
Workflow Template: Enable GCP Bucket Versioning on a Wiz Alert
Receive an issue from Wiz on a GCP storage bucket with versioning disabled, look up the channel, ask the channel to enable versioning.
Workflow Template: Google Workspace Calendar Offboarding
Receive message from Slack with an email address, find meetings where user is the originator/creator of the meetings and delete if approved.
Workflow Template: Analyze Files and URLs (Recorded Future Sandbox)
Analyze Files and URLs in Recorded Future Sandbox using nested functions with cache.
Workflow Template: AlienVault URL Enrichment with Cache
Nested workflow that will take a URL as input and query AlienVault's General and URL List for details and return analysis information.
Workflow Template: Daily Report to Slack on Inactive Okta Users
Poll the list of Okta users and list all users that have not logged in for the past 30 days and report the list to a Slack channel.
Workflow Template: Search for CVE in Wiz and Snyk via Slack Mention
When triggered via Slack, search in Wiz and Snyk for a specific CVE. Send findings to the Slack channel via a snippet.
Workflow Template: Gather CircleCI Global Environment Variables with Creation Date
Gather Global Environment Variables from CircleCI and provide results organized by context, including creation date and context id.
Workflow Template: Upload New Threat Intelligence IOCs to Cybereason
Receives arrays of Domain, Hash and IP Address IOCs and uploads them to Cybereason.
Workflow Template: Analyze File with ANY.RUN and Provide a Verdict
Submit a file URL to ANY.RUN and wait for the analysis to complete. The workflow will send its verdict in the output.
Workflow Template: Add/Remove Entra ID User from Global Address List (ex-Azure AD)
Receives user name / email from a Slack command and adds/removes the specified user from the Global Address List in Entra ID.
Workflow Template: Compliance - Find unmanaged devices in Intune and Carbon Black
Compare lists of managed devices in Microsoft Intune and Carbon Black. List gaps (i.e., devices present only in one of the solutions).
Workflow Template: Send Slack Block Message and Perform Operations in Parallel
Example workflow to send a Slack Block kit message and run another operation in parallel and wait for a user's response back to the message.
Workflow Template: Send Torq Audit or Activity Logs to Azure Blob Storage
On a schedule configured in Workflow Context, Torq workflow Audit Logs will be collected in a Nested Workflow and sent to an Azure Blob
Workflow Template: IP Penalty Box with Timeout via Slack (Cloudflare)
Adds specific IPv4 or IPv6 address to a penalty box in Cloudflare by creating and removing IP Access Rules driven by Slack.
Workflow Template: Create IOCs on Malicious Files from a CrowdStrike Incident
For each new EDR incident, validate the files involved with threat intelligence, and add to the global block list if found to be malicious.
Workflow Template: Find all Okta Active Users with Pagination
Pagination example with Okta to find all active users and place the results into a single array of users.
Workflow Template: Retrieve Daily Scan Summary and Notify on Findings (Aqua)
Pull Scan Summary information on findings in Aqua and deliver a short report to a Slack channel on the Findings on Warnings and Failures.
Workflow Template: Check for New Carbon Black Alerts and Notify
This workflow periodically checks for new Carbon Black alerts, notifies the end user of the alert and asks for verification of the activity.
Workflow Template: Basic Global Variable Use in a Workflow
Basic Create/Read/Update/Append/Delete steps for use with Global Variables. This can provide ephemeral data storage between workflows.
Workflow Template: Create Attachment in Jira with JSON Data
Example of how to add an attachment with JSON data to a Jira issue.
Workflow Template: Retrieve New Exploited Vulnerabilities from CISA update via Teams
On a daily schedule, poll the latest CISA vulnerabilities and update a Teams channel on any new CVEs and include references from NIST.
Workflow Template: Ask a Question over Slack or Microsoft Teams
This workflow can be used where both Slack and Microsoft Teams are used by different parts of an organization to ask a question.
Workflow Template: Count Number of Executions for Action (Torq)
Workflow to be used as a nested workflow that will keep track of the number of executions of a given action and maximum executions per day.
Workflow Template: JSON Filtering with JQ
Simple filtering of VirusTotal IP Lookup JSON data. Use these examples to learn how easy it is to filter or create a new JSON output.
Workflow Template: Collect Azure Network Security Group Details
Nested workflow that will collect and format Azure NSG info to identify rule priority needed to block a given port and protocol.
Workflow Template: Interactive Email Conversation (Microsoft 365)
Example of using Microsoft 365 email as part of an interactive email conversation. This could also be added as a nested workflow.
Workflow Template: Approve Group Membership for New User (JumpCloud)
Ask via Slack for approval from a specific department approver list when a new user is added and add the user to the department's JumpCloud group.
Workflow Template: Create Jira and Asana Tickets from Astrix Alert
Based on a high risk finding from Astrix, initiate cases with Asana and Jira.
Workflow Template: Microsoft 365 Adaptive Card Email Conversation
Example workflow to send an adaptive card questionnaire via Microsoft 365. Responses are delivered via a webhook back to a Torq workflow.
Workflow Template: Generate Table in ADF Format for Jira Comments
Template to be used as a nested workflow to generate a simple table from an array for Jira in ADF format.
Workflow Template: Workflow Notification Tracking in Google Sheets
Workflow that will receive notifications of failed workflows and save the details in a Google Sheet. Entries older than 7 days are removed.
Workflow Template: Webex Hello World Chat Bot
Easy starter template to create an interactive messaging experience for Webex users.
Workflow Template: Search for CVE Findings in Orca Triggered by Slack
Receive a mention via Slack for "orca-cve", kick off a search in Orca for the specific CVE and update the thread in Slack with the results.
Workflow Template: Create IOCs on Malicious Files from a CrowdStrike Alert
For each new EDR alert, validate the files involved with threat intelligence, and add to the global block list if found to be malicious.
Workflow Template: Approve Group Membership for New User Creation (Okta)
Ask via Slack for approval from specific department approvers when a new user is added to Okta.
Workflow Template: Get AWS Access Key Information for User (AWS)
Workflow that provides a summary of the Access Keys for a user including number of keys, status, last used and if the key is still in use.
Workflow Template: Retrieve New Exploited Vulnerabilities from CISA
On a daily schedule, poll the latest CISA vulnerabilities and update a Slack channel on any new CVEs and include references from NIST.
Workflow Template: Send Torq Audit and Activity Logs to Snowflake
Pull audit and activity logs from the Torq API and store them in Snowflake on a schedule of every 10 minutes.
Workflow Template: Reset Direct Manager reference for an Entra ID user (ex-Azure AD)
Trigger on Teams command, find user in Entra ID, and reset the reference to the direct manager in the directory.
Workflow Template: Trigger specific scan, update results to Slack (Tenable)
Triggers a specific pre-defined Tenable Cloud scan, waits for completion, updates on every vulnerable host with severity findings above 0.
Workflow Template: Retrieve and Normalize data on a Domain
Workflow to look up threat intelligence data from a number of sources, aggregate domain and threat data, and normalize a score for a domain.
Workflow Template: Send Torq Audit and Activity Logs to S3 Bucket on a Schedule
Based on a configured time, the workflow will upload Torq Audit and/or Activity logs to AWS S3 Buckets.
Workflow Template: Rename new iOS device to User / Serial Number (Jamf)
For each new iOS device enrolled in Jamf, if the User Name was not set, change it to the unique serial number. Otherwise rename to the User Name.
Workflow Template: Cache VirusTotal Threat Intelligence Findings on an IOC
Receive an IOC from a parent workflow, check the global variable for previous results; if there are none, query VirusTotal and save results.
Workflow Template: Microsoft Teams - Hello World
Simple example of Microsoft Teams messages using Adaptive Cards, collecting interactive responses and providing them back to the user.
Workflow Template: Check Point SmartTasks Notification to Slack
Notification to Slack on status of a policy install or session details of additions, modifications, or deletions when a session is published.
Workflow Template: Nested Check-Out of AWS Credentials via Britive (Britive)
Example nested workflow using Britive to Check-Out AWS credentials to be used in a workflow. Check-In the creds using the trans-id provided
Workflow Template: ITSM - Notify Slack user on closed/resolve incidents (ServiceNow)
Receive a Slack message on resolved or closed tickets within ServiceNow. Enrich the message with details from the ticket and closing users.
Workflow Template: Verify User's Group Membership in Okta via Slack Command
Receive a Slack command with the user's email and optional group and provide the group membership including a match if a group is provided.
Workflow Template: Ask Users to Confirm Failed JumpCloud Login Attempts
Daily pull of failed logins from JumpCloud, reach out to users with failed logins over Slack and confirm they were the ones trying to log in.
Workflow Template: Send Message over Slack or Microsoft Teams
This workflow can be used where both Slack and Microsoft Teams are used by different parts of an organization to send a message.
Workflow Template: Upload Latest Recorded Future IOCs to Cybereason
Pull latest Hashes, IPs and Domains above a specific risk score from Recorded Future and add to the Cybereason reputation list.
Workflow Template: Suspend Okta Users that are Inactive for More than 30 Days
On a scheduled interval, check for users that have not logged in for more than 30 days. Ask a Slack channel for approval to suspend the users.
Workflow Template: Teams Mention to Analyze Suspicious URLs and IPs with VirusTotal
Receive a suspicious list of URLs and/or IPs from Microsoft Teams, scan using VirusTotal, and send results back to the Teams conversation.
Workflow Template: Enrich Hashes, CVEs and IP Addresses with Recorded Future
Receive a message with one or more CVEs, SHA256 hashes or suspicious IP addresses from Slack and enrich the data with Recorded Future.
Workflow Template: Collect all Public IP Addresses for an AWS Account
Collect all public IP addresses for a given AWS account and provide a simple summary list of IPs and a JSON list by region and service.
Workflow Template: Slack Mentions - Hello World
Slack Bot workflow to reply to either mentions or direct conversations with the bot.
Workflow Template: Nested Slack Block Generator from an Array
Workflow meant to be used as a nested workflow to build a Slack block from an array. This block can be used in the Slack Block Form step.
Workflow Template: Group IoCs From Text Input
This function takes a text and returns groups of hashes, URLs, domains and IP addresses.
Workflow Template: Process New Cloud Vulnerability DB Issues (Open CVDB)
Pull latest vulnerabilities from the Open Cloud Vulnerability Database and send an alert to a Slack Channel.
Workflow Template: Open or Update a Jira Issue on an Uptycs Alert
Open a parent or child issue in Jira when a medium/high severity event is found. Ask a Slack channel if additional information is required.
Workflow Template: Just-In-Time Access to Group Membership in Active Directory
Trigger on a Slack command where a user asks for temporary access to a group in Active Directory with approval from a Slack channel.
Workflow Template: Okta event on MFA addition with user Verification (Okta)
Receive an event from Okta when a user adds an MFA method, look up the source IP with VirusTotal or ask the user if this was intended; if not, open an issue.
Workflow Template: Upload HIPAA Training Evidence in Drata
Identify users that are HIPAA training non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Identify and Label Confluence Content with PII from BigID
On a trigger from BigID, label all content in Confluence with a specific tag and notify a Slack channel and open a Jira issue with findings.
Workflow Template: Gather CircleCI Environment Variables from GitHub Org Repos
Query GitHub for Organization Repositories and gather CircleCI Environment Variables that are configured in the project.
Workflow Template: Verify Permissions to Execute Workflows - EntraID (ex-Azure AD)
Workflow that can be used to verify users have permissions to run a specific workflow by Id or name and also check group membership.
Workflow Template: Upload Hard Drive Encryption Evidence in Drata
Identify devices that are HD encryption non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Send a Microsoft Teams Notification upon Mention in a Torq Case
When a user is mentioned in a Torq Case comment, send the user a notification in Microsoft Teams with the text and a hyperlink to the case.
Workflow Template: Label Google Drive Files Containing PII Identified by BigID
On a trigger from BigID for findings of files in Google Drive that contain PII, assign a Google Drive label and field to the file.
Workflow Template: Reset Entra ID (ex-Azure AD) MFA Methods and Password on a User
This workflow can be used as a nested workflow to reset a user's password, remove all MFA methods for the user and clear any user sessions.
Workflow Template: Add MFA on IdP Evidence in Drata
Identify users that are MFA non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Fetch New QRadar Offenses with Pagination
A nested workflow to pull all new open QRadar offenses and use pagination to return all results.
Workflow Template: SSL Certificate Expiration Check
From a list of domains or subdomains, check expiration dates from their certificates.
Workflow Template: Find all Okta Active Devices with Pagination
Workflow that can be used as a nested workflow to gather all active Okta devices into a single array using pagination.
Workflow Template: Extract Multiple Observables
Extracts different types of observables such as file hashes, IP addresses, IP range, email addresses, filenames, hostnames, URLs, and CVEs.
Workflow Template: Upload Screensaver Lock Evidence in Drata
Identify devices that are screen lock non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Identify PII Information Shared in a Slack Workspace via BigID
On a trigger from BigID for PII information found in a Slack Workspace, send detailed findings to a specific Slack channel or admin.
Workflow Template: Simple Loops with TorqExample of using a loop over JSON data and loop over a range in a workflow. Results are collected with the "Collect" operator
Workflow Template: Add Anti-Virus Evidence in DrataIdentify devices that are anti-virus non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Upload Auto-Updates Evidence in DrataIdentify devices that are anti-update non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Add Password Manager Evidence in DrataIdentify devices that are password manager non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Send Torq Audit or Activity logs to Sumo Logic on a ScheduleWorkflow that can be used to send either Torq audit or activity logs to Sumo Logic on a scheduled interval.
Workflow Template: Handle Wiz Alert for AWS Admin Principals Inactive Over 90 DaysOn alert from Wiz on an AWS admin principal that is inactive over 90 days, ask a Slack channel for approval to deactivate the IAM account.
Workflow Template: Export a Torq Case in Word Document FormatExport a Torq Case including the general details, timeline, observables, attachments and custom fields into a Microsoft Word file.
Workflow Template: Collect Asynchronous Responses from Slack Block MessagesWorkflow that can be used to record asynchronous responses to Slack Block Kit messages that contain buttons for a user response.
Workflow Template: Convert Newline Delimited JSON to Standard JSONConverts Newline Delimited JSON formatted data into standard JSON format.
Workflow Template: Upload Background Check Evidence in DrataRemediate failed resources that require background check evidence by attaching necessary provided URL on workflow initiation.
Workflow Template: Assign or Remove Licenses on Users for Microsoft via Graph APIUsed as a nested workflow to assign or remove licenses to Microsoft 365 users. The workflow takes the SKU on input for assignment.
Workflow Template: Upload Security Training Evidence in DrataIdentify users that are security training non-compliant within Drata and upload evidence file provided to workflow.
Workflow Template: Get Failing Resources for a Test in DrataProvide insight into failed resources based on information collected from the Drata platform.
Workflow Template: Check if IPv4 Address is Part of an AWS IP Network BlockOn a mention from Slack, extract an ip address and try to match it to a network block in use at AWS. Provide the result back to the thread.
Workflow Template: Offboard SaaS User from Grip on Trigger from HibobOn trigger from Hibob, offboard the user from Grip and report the status back to a default Slack channel or the users Manager via Slack.
Workflow Template: Attach a Screenshot to a ServiceNow Incident or Jira IssueWorkflow that can be used as a nested workflow to attach a screenshot of a URL to either a Jira Issue or ServiceNow Incident
Workflow Template: Search for Unused or Inactive Roles in AWS IAMQueries AWS for IAM roles and groups the roles by Last Used and Never Used after a defined number of days.
Workflow Template: Verify User's Group Membership in Ping via Slack CommandReceive a Slack command with an optional group and provide the group membership including a match if a group is provided.
Workflow Template: Collect Information on Case Closing ActionShows a form whenever a Case is changed to CLOSED status.
Workflow Template: URLScan URL Enrichment with CacheReceive a URL to analyze with URLScan and provide a summary of the URL with malicious, phishing, score and screenshot details if available.
Workflow Template: Subscribe Gmail address to watch a PUB SUB pre-defined topicMaintains a valid subscription to a topic by checking its expiration date daily and renewing it when necessary.
Workflow Template: Send Torq Audit and Activity Logs to Singularity XDRBased on a configured time, workflow audit and activity logs will be sent to Singularity XDR.
Workflow Template: Google File Label LifecycleThis workflow showcases the published steps to support the Google file label lifecycle process.
Workflow Template: Issue a Push Challenge with Okta and Wait for a ResponseReceive an Okta user and factor ID from a parent workflow and send a push challenge to the user and wait for and return the response.
Workflow Template: AlienVault File Hash Enrichment with CacheNested workflow that will take a File Hash as input and query AlienVault's General and Analysis sections for details and return the results.
Workflow Template: Google Chat Hello WorldThis workflow demonstrates the use of the Google Chat Steps and the ability to interact with end users and create Google Chat Spaces.
Workflow Template: Pangea - Domain Enrichment with CacheReceives a Domain from a parent workflow and queries Pangea for its reputation.
Workflow Template: Decode QR Codes in Torq Case AttachmentsDecode QR codes that are found in Torq Case Attachments by using a quick action or Run a Workflow on a Torq Case.
Workflow Template: Notify on Open and In-Progress Torq Cases Approaching the SLAScheduled workflow that will send a notification to Slack or Microsoft Teams on Torq cases that are approaching or past the defined SLA.
Workflow Template: Recorded Future Sandbox - File Analysis with CacheSubmits a File to Recorded Future Sandbox for full analysis.
Workflow Template: Generate Graph of Simple JSON Data using PythonFunctional workflow that will take JSON data and generate a base64 encoded PNG graph of the data that was passed to the workflow.
Workflow Template: Notify a Slack Channel on Case CreationWorkflow that will notify a specific Slack channel for every new Torq case that is created.
Workflow Template: Query Logs on Singularity XDR with PaginationThis workflow serves as a function that executes a query in Singularity XDR.
Workflow Template: Send Torq Audit or Activity Logs on a Schedule to SplunkWorkflow that can be used to send Torq audit and/or activity logs to Splunk on a schedule every 10 minutes.
Workflow Template: Simple Splunk Query with Optional Return Field FiltersA simple Splunk query that can use optional field filters to filter the dataset returned. Can be used as a nested workflow to simplify use.
Workflow Template: Find AWS Instance Information by Private IP Address in WizOn mention from Microsoft Teams, look for instances with the private IP Address and gather information on the instance and send to Teams.
Workflow Template: Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed RegionsRetrieve Entra ID Audit logs for Sign-Ins and compare against specific allowed regions. If a violation occurs notify a Slack channel.
Workflow Template: Run Antivirus Scan on a device on Microsoft Defender for EndpointRun a Quick or Full Antivirus Scan on a device by its machineId or device name.
Workflow Template: Retrieve and Normalize data on a File HashWorkflow to look up threat intelligence data from a number of sources, aggregate threat data, and normalize a score for the provided file hash.
Workflow Template: Generate a Report for Torq Cases in Microsoft Docx FormatA nested workflow that generates a report on Torq cases, analyst activity, and case MTTR reporting with output as a Microsoft Word document.
Workflow Template: Create Microsoft Graph Subscriptions and RenewalsCreate one or more Microsoft Graph subscriptions to a Microsoft 365 trigger. The subscriptions are extended and renewed daily.
Workflow Template: Find all Hosts Impacted by an Open CVE in CrowdStrikeFind all hosts in CrowdStrike that are impacted by a specific CVE and output the list of hostnames and remediation information provided.
Workflow Template: Send a Microsoft Teams Notification to Assignee in a Torq CaseSend a notification to the new assignee on a Torq Case via Microsoft Teams with a summary of the case and a direct hyperlink to the case.
Workflow Template: Search for Vulnerabilities by Hostname in TenablePull information from a hostname in Tenable and output the information back to the parent workflow or an optional Slack user or channel.
Workflow Template: Send Torq Audit and Activity Logs to ElasticsearchPull the logs from Torq on a schedule and send to Elasticsearch in a batch transaction.
Workflow Template: Create Microsoft Graph Subscription and Renew DailyCreate a Microsoft Graph subscription to a Torq Microsoft 365 trigger. The subscription is renewed daily and extends the expiration date.
Workflow Template: Suspend Contractor Accounts in Okta with inactivity for 7 daysCheck daily for active accounts where the profile userType is "Contractor". Suspend the account if no login occurred in the past 7 days.
Workflow Template: VirusTotal Domain Enrichment with CacheNested workflow that will take a Domain as input and query VirusTotal for the domain and return analysis information to the parent workflow.
Workflow Template: Isolate or Unisolate device on Microsoft Defender for EndpointNested workflow to Isolate or Unisolate a device by its machineId or device name.
Workflow Template: URL Enrichment with Cache (Recorded Future)Receive a URL from a parent workflow and query Recorded Future for its reputation.
Workflow Template: Fetch File Information by Hash from Microsoft DefenderCollects threat information about a file by fileId (SHA1 Hash) in a time frame.
Workflow Template: VirusTotal URL Enrichment with CacheNested workflow that will take a URL as input and query VirusTotal for details and return analysis information on the URL.
Workflow Template: Torq Case Example Descriptions for Different Case TypesA workflow with many mock examples of Torq Case descriptions for Torq integration partners and formatting examples to use with Torq Cases.
Workflow Template: Recorded Future - IoC EnrichmentExtracts multiple observables from raw text and performs enrichment for each observable on Recorded Future.
Workflow Template: AlienVault Combined Observable EnrichmentExtracts multiple observables from raw text, performs enrichment for each observable in AlienVault, and returns analysis information.
Workflow Template: Collect Information on Case Closure by Permitted AnalystsCollects information when a Torq Case is changed to a CLOSED status and verifies that the analyst is permitted to close cases.
Workflow Template: Gather QRadar Events for a Given OffenseFor a given QRadar Offense pull all events for a specific time window and provide the list of events back to a parent workflow.
Workflow Template: AlienVault Domain Enrichment with CacheNested workflow that will take a Domain as input and query AlienVault's General, Malware and GEO sections and return analysis information.
Workflow Template: Notify a Teams Channel on Case CreationWorkflow that will notify a specific Microsoft Teams channel for every new Torq case that is created.
Workflow Template: Send Slack Notification upon Mention in a Torq CaseWhen a user is mentioned in a Torq Case comment, send the user a notification in Slack with the text and a hyperlink to the case.
Workflow Template: Prepare Case Properties by Case TypeWhen a new Torq case is created, based on the case type, create custom fields and quick action on the newly created case.
Workflow Template: Generate a Screenshot of a URL and Describe the Image via OpenAIGenerate a screenshot of a specific URL and ask OpenAI to review the image and provide input if it could be part of a phishing attempt.
Workflow Template: Retrieve and Normalize data on an IP AddressWorkflow to look up threat intelligence data from a number of sources, aggregate geo data and threat data, and normalize a score for the IP.
Workflow Template: VirusTotal File Hash Enrichment with CacheNested workflow that will take a File Hash as input and query VirusTotal for analysis and if the hash is found, return the results.
Workflow Template: Handle Panther Okta Alerts on User Action DetectionOn a new Panther alert from Okta, ask the user if the action was intended and if so mark the alert resolved. If not, open a Torq case.
Workflow Template: Email Enrichment with Cache (Pangea)Receives an Email from a parent workflow and queries Pangea for its reputation.
Workflow Template: VirusTotal IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 address as input and query VirusTotal and return the analysis information to the parent workflow.
Workflow Template: AlienVault IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 as input and query AlienVault's General, Malware and Reputation sections and return analysis information.
Workflow Template: Enrich SentinelOne Threat Finding and Run Singularity XDR SearchFor each new threat detected by SentinelOne, query Threat Intelligence data from VirusTotal and Recorded Future and add notes to the threat.
Workflow Template: File Hash Enrichment with Cache (Pangea)Receives a File Hash from a parent workflow and queries Pangea for its reputation.
Workflow Template: Submit a File for Analysis to VirusTotal with CacheSubmit a file to VirusTotal for analysis and provide a simple cache for the analysis results. Use URLs or Torq file links to the file.
Workflow Template: Search Observables by Grouped UDM Fields in ChronicleReceives Observables as hash, IP address, domain, username or email and performs a query to Chronicle SIEM using Grouped UDM fields.
Workflow Template: Return Specific Default or Overriding Workspace VariableThis workflow will return a variable from two workspace variables, giving priority to the Overriding Workspace Variable if found there, then the Default.
Workflow Template: Request File Download From CrowdStrike Using Real Time ResponseNested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor.
Workflow Template: On Case Closure Set a Custom Field and Tag with Resolution ReasonWhen a Torq Case is closed or resolved, add a specific custom field and tag to the case that will contain the resolution reason of the case.
Workflow Template: Send a Slack Notification to Assignee in a Torq CaseSend a notification to a new assignee on a Torq Case via Slack with a summary of the case and a direct hyperlink to the case.
Workflow Template: Validate Gem Alert Events in SlackCommunicate with a user through Slack to validate a security alert.
Workflow Template: Run LiveResponses on Microsoft Defender for EndpointExecutes Live Responses on an Endpoint and collects the results of each command.
Workflow Template: Torq Interact Multi-User Communication ExampleThis demo illustrates how to utilize Torq Interact to handle communications with one or more users.
Workflow Template: Scan URLs with URLScan and Provide a SummaryReceive an array of URLs to scan with URLScan and provide a summary per URL with malicious, phishing, score, and screenshot URL if available.
Workflow Template: VirusTotal Combined Observable EnrichmentExtracts multiple observables from raw text, performs enrichment for each observable in VirusTotal, and returns analysis information.
Workflow Template: AbuseIPDB IPv4 Address Enrichment with CacheWorkflow that will take an IPv4 address as input and query AbuseIPDB for details about the address including the Abuse Confidence Score.
Workflow Template: Send a Question to Slack Users and Collect ResponsesSend a question to a number of Slack users and collect the responses in a global variable with a wait of up to 31 days to collect results.
Workflow Template: File Hash Enrichment with Cache (Recorded Future)Receive a file hash from a parent workflow and query Recorded Future for its reputation.
Workflow Template: Send a Microsoft Outlook Email to Assignee in a Torq CaseWorkflow that will notify the user by sending an email via Microsoft Outlook for every new Torq case that is assigned to the user.
Workflow Template: IP Address Enrichment with Cache (Pangea)Receives an IP Address from a parent workflow and queries Pangea for its reputation.
Workflow Template: Domain Enrichment with Cache (Silent Push)Receives a Domain from a parent workflow and queries Silent Push for enrichment.
Workflow Template: Generate a Screenshot and Attach to a Torq Case on URL AdditionWhen a new URL is added as an observable, attempt to generate a screenshot and if successful add it as an attachment to a Torq case.
Workflow Template: Download a File from a SentinelOne Threat IDFetch a file from a SentinelOne Threat ID and encrypt it with the provided password with a link to download.
Workflow Template: URL Analysis with Cache (Recorded Future Sandbox)Submits a URL to Recorded Future Sandbox for full analysis.
Workflow Template: URL Enrichment with Cache (Pangea)Receives a URL from a parent workflow and queries Pangea for its reputation.
Workflow Template: IP Address Enrichment with Cache (Recorded Future)Receive an IP address from a parent workflow and query Recorded Future for its reputation.
Workflow Template: IP Address Enrichment with Cache (Shodan)Receives an IP Address from a parent workflow and queries Shodan for enrichment.
Workflow Template: Search in Torq Audit Logs Based on QuerySearch for audit events based on action, email, actor type, actor_name or resource name.
Workflow Template: Generate a Dynamic PowerPoint Document based on Slide DataWorkflow that can be used as a guide on how to generate a dynamic PowerPoint document with the Python python-pptx library.
Workflow Template: Submit a File for Analysis to VMRay with CacheSubmit a file to VMRay for analysis and provide a simple cache for the analysis results. Use public URLs or Torq file links to the file.
Workflow Template: Gather Torq Audit or Activity LogsNested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Workflow Template: Fetch Cyberint Alerts on a ScheduleFetch alerts from Cyberint on a schedule. An optional loop is available in the workflow to do additional actions as needed.
Workflow Template: Table Workspace Variable Example WorkflowThis workflow is an example of how to use a table as a workspace variable to perform common CRUD tasks.
Workflow Template: Open Jira Issues and Enrich Event on Sysdig Kubernetes DetectionsDetect, enrich, alert and auto-assign incidents using Kubernetes namespaces using Sysdig Runtime Threat Intelligence and Detection.
Workflow Template: List All Groups with Pagination on Entra ID (ex-Azure AD)This function will collect all groups on Entra ID (ex-Azure AD) using pagination.
Workflow Template: List All Users with Pagination on Entra ID (ex-Azure AD)This function will collect all users on Entra ID (ex-Azure AD) using pagination.
Workflow Template: Fetch Incidents from Cortex XDR on a ScheduleOn a schedule, fetch new incidents from Cortex XDR using pagination.
Workflow Template: Create Tables on Snowflake for Torq Audit and Activity LogsCreate tables in a Snowflake database to store Torq audit and activity logs.
Workflow Template: Step Failure with Runner Configured Notification to SlackSend a notification to a Slack channel when a step failure occurs where a runner is configured. A link to the execution ID is also provided.
Workflow Template: Step Failure with Runner Configured Notification to TeamsSend a notification to a Teams channel when a step failure occurs where a runner is configured. A link to the execution ID is also provided.
Workflow Template: Step Failure with Runner Configured Notification to EmailSend an email notification via Gmail/Outlook when a step failure occurs where a runner is configured. A link to the execution is provided.
Workflow Template: Notify by Email when a Workflow Failure is TriggeredSend an email notification via Gmail/Outlook when a workflow failure is detected. A link to the workflow execution is provided.
Workflow Template: Notify Reviewer via Slack when Workflow is Submitted for ReviewWhen a workflow submission is requested send a message to each reviewer in Slack and include a link to the submission.
Workflow Template: Notify a Slack Channel when a Workflow Failure is TriggeredSend a notification to a Slack channel when a workflow failure is detected. A link to the execution log is provided in the message.
Workflow Template: Notify a Microsoft Team when a Workflow Failure is TriggeredSend a notification to a Microsoft Team when a workflow failure is detected. A link to the execution log is provided in the message.
Workflow Template: Notify Reviewer via Teams when Workflow is Submitted for ReviewWhen a workflow submission is requested send a message to each reviewer in Teams and include a link to the submission.
Workflow Template: Notify a Slack Channel for a New Share RequestWhen a new resource is shared with the workspace send a message with the details to a Slack channel with a link to the request.
Workflow Template: Notify a Microsoft Teams Channel for a New Share RequestWhen a new resource is shared with the workspace send a message with the details to a Teams channel with a link to the request.
Workflow Template: Watch Microsoft Security Response Center RSS FeedAn example workflow to check an RSS feed daily for changes using the Microsoft Security Response Center RSS feed as a sample.
Workflow Template: File Conversion using a Torq Interact WorkflowThis workflow is an example of how to use Torq Interact with the file upload and download parameters.
Workflow Template: Add a Weekday or Weekend Tag on Creation of a Torq CaseThis workflow will add a tag for either Weekday or Weekend to a new Torq case based on the local creation time of the case.
Workflow Template: Wiz GraphQL Query for AWS Instances with Open SSH AccessSimple example using the GraphQL functionality with Wiz to run a query. Use the API Console in Wiz to find GraphQL statements to use.
Workflow Template: Hello World (Discord)This is a simple example of using Discord to create an interactive workflow using an Ask Question step.
