Basic
231 articles
Collect Azure VM and Network Details - Workflow Template: Nested workflow used to collect the Azure VM and network information needed in support of remediation workflows.
Alert on Google Login Activity Outside of Allowed Regions - Workflow Template: Retrieve Google login activity and compare it against a list of allowed regions. If a violation occurs, notify a Slack channel.
Silent Push - IP Address Enrichment with Cache - Workflow Template: Receives an IP address from a parent workflow and queries Silent Push for enrichment.
VirusTotal IOC Lookup with Summary of Results from OpenAI - Workflow Template: Used as a nested workflow; receives an IP address, domain or file hash, queries VirusTotal and sends the details to OpenAI for a summary.
Query Okta System Logs by Actor Activity - Workflow Template: Query the Okta System Logs by a specific actor and provide the results and an optional summary of EventType and outcome result for the logs.
Shodan - Domain Enrichment with Cache - Workflow Template: Receives a domain from a parent workflow and queries Shodan for enrichment.
Enrich New Cybereason MalOps File Hash Detail - Workflow Template: For each new MalOp that is detected, attempt to enrich the file hash intelligence from VirusTotal and Recorded Future in the MalOp comments.
Interactive Email Conversation using Google Workspace - Workflow Template: Example of using Google Workspace email as part of an interactive email conversation. This could also be added as a nested workflow.
Collect Torq Global Variables with Pagination - Workflow Template: Workflow that uses pagination to gather all Torq global variables and provide them in a single array.
Verify Permissions to Execute Workflows - Google Cloud Identity - Workflow Template: Workflow that can be used to verify that users have permission to run a specific workflow by ID or name, and also check group membership.
Process New NIST NVD Vulnerabilities (NVD) - Workflow Template: Pull the latest CVEs from the NIST NVD database and update a Slack channel. Additional steps can be added to search for the CVEs in other platforms.
Slack Slash Command - Hello World - Workflow Template: Example of an interactive experience with Slack slash commands, replying back to the channel with information from the event.
Add Malicious IPs to Network Block Zone from Okta System Logs - Workflow Template: On a schedule, pull Okta system logs for specific event types, extract any IPv4 addresses and, if found malicious, update the block zone in Okta.
Collect Torq Audit or Activity Logs - Workflow Template: Nested workflow that collects Torq workflow activity logs or user audit logs and returns the logs to the parent workflow.
Handle Nessus Scan Results (Nessus) - Workflow Template: Daily notification of specific pre-defined Nessus scans. Send results to the Slack channel as defined.
Gather CircleCI Environment Variables from Bitbucket Repos - Workflow Template: Query Bitbucket for workspace repositories and gather the CircleCI environment variables that are configured in each project.
Verify Permissions to Execute Specific Workflows - Okta - Workflow Template: Workflow that can be used to verify that users have permission to run a specific workflow by ID or name, and also check group membership in Okta.
Send an email via SMTP with VirusTotal Stats - Workflow Template: Send a simple email via SMTP including VirusTotal engine stats in an HTML table format for a particular hash lookup.
Assign New Alerts from Hunters.ai - Workflow Template: Retrieve alerts from Hunters XDR and suggest assignment using Slack.
Jira Issue Reminder and Escalation via Slack or Teams - Workflow Template: Send reminder and escalation messages via Slack or Microsoft Teams on a Jira issue status at a specific polling interval.
Append data to an Array (Torq) - Workflow Template: Append JSON data to an array using the Append to Array step. Example JSON data is provided to append to a new array.
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template: Receive an event from CrowdStrike; if the event is critical or high, open an incident in PagerDuty and enrich the IOC details with VirusTotal.
Upload a File in Teams to a SharePoint Folder - Workflow Template: Create either a CSV, JSON or PDF file in Microsoft Teams and post an adaptive card with a link to the file in the Teams channel.
Compliance - Generate report on non-compliant devices (Intune) - Workflow Template: Pull the non-compliant devices list from Microsoft Intune and iterate over it. Retrieve the associated user for each device and create a list.
Merge JSON data using JQ based on a common Key/Value - Workflow Template: Simple example using JQ to merge two JSON files, using the key Email_Address as the match between the two datasets.
Check Point R81 Management Workflow - Workflow Template: An example workflow that outlines the steps needed to make changes on the Check Point Management Server and install policy against a gateway.
Slack Mention to Analyze Suspicious URLs and IPs with VirusTotal - Workflow Template: Receive a list of suspicious URLs and/or IPs from Slack, scan them using VirusTotal, and report the results back to the Slack thread.
Create a Torq Case from a QRadar Offense - Workflow Template: Used as a nested workflow to open a Torq case from the details in a QRadar offense and optionally include QRadar events in the case details.
Retrieve Daily Unencrypted Bucket Summary (AWS Macie) - Workflow Template: On a daily schedule, retrieve data from Amazon Macie on specific criteria and deliver it to a Slack user or channel.
Remove Public Links from Google Drive Detected by BigID - Workflow Template: On an alert from BigID where files with sensitive information are found publicly shared, loop over each finding and remove the public share.
Jira Issue Creation, Update, and Assignment - Workflow Template: Example workflow using the most common steps in the lifecycle of a Jira issue, including issue assignment and an example JQL query.
Scan URLs with VirusTotal and Provide Summary Verdict - Workflow Template: Receive an array of URLs to scan with VirusTotal and provide a summary per URL of any malicious or suspicious count greater than 1.
Recorded Future - Domain Enrichment with Cache - Workflow Template: Receive a domain from a parent workflow and query Recorded Future for its reputation.
Clear Okta sessions for specific users via Slack - Workflow Template: Receive a Slack command to clear all sessions for one or more users.
Enable GCP Bucket Versioning on a Wiz Alert - Workflow Template: Receive an issue from Wiz on a GCP storage bucket with versioning disabled, look up the channel, and ask the channel to enable versioning.
Google Workspace Calendar Offboarding (Google Workspace) - Workflow Template: Receive a message from Slack with an email address, find meetings where the user is the originator/creator of the meeting, and delete them if approved.
Recorded Future Sandbox - Analyze Files and URLs - Workflow Template: Analyze files and URLs in the Recorded Future Sandbox using nested functions with cache.
AlienVault URL Enrichment with Cache - Workflow Template: Nested workflow that takes a URL as input, queries AlienVault's General and URL List sections for details, and returns the analysis information.
Daily Report to Slack on Inactive Okta Users - Workflow Template: Poll the list of Okta users, list all users that have not logged in for the past 30 days, and report the list to a Slack channel.
Search for CVE in Wiz and Snyk via Slack Mention - Workflow Template: When triggered via Slack, search Wiz and Snyk for a specific CVE. Send the findings to the Slack channel as a snippet.
Gather CircleCI Global Environment Variables with Creation Date - Workflow Template: Gather global environment variables from CircleCI and provide results organized by context, including creation date and context ID.
Upload New Threat Intelligence IOCs to Cybereason - Workflow Template: Receives arrays of domain, hash and IP address IOCs and uploads them to Cybereason.
Analyze File with ANY.RUN and Provide a Verdict - Workflow Template: Submit a file URL to ANY.RUN and wait for the analysis to complete. The workflow returns its verdict in the output.
Add/Remove Entra ID User from Global Address List (ex-Azure AD) - Workflow Template: Receives a user name / email from a Slack command and adds/removes the specified user from the Global Address List in Entra ID.
Compliance - Find unmanaged devices in Intune and Carbon Black - Workflow Template: Compare the lists of managed devices in Microsoft Intune and Carbon Black. List the gaps (i.e., devices present in only one of the solutions).
Send Slack Block Message and Perform Operations in Parallel - Workflow Template: Example workflow to send a Slack Block Kit message, run another operation in parallel, and wait for a user's response to the message.
Send Torq Audit or Activity Logs to Azure Blob Storage - Workflow Template: On a schedule configured in the Workflow Context, Torq workflow audit logs are collected in a nested workflow and sent to an Azure Blob.
IP Penalty Box with Timeout via Slack (Cloudflare) - Workflow Template: Adds a specific IPv4 or IPv6 address to a penalty box in Cloudflare by creating and removing IP Access Rules, driven by Slack.
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template: For each new EDR incident, validate the files involved with threat intelligence and add them to the global block list if found to be malicious.
Find all Okta Active Users with Pagination - Workflow Template: Pagination example with Okta to find all active users and place the results into a single array of users.
Retrieve Daily Scan Summary and Notify on Findings (Aqua) - Workflow Template: Pull scan summary information on findings in Aqua and deliver a short report to a Slack channel on the warning and failure findings.
Check for New Carbon Black Alerts and Notify - Workflow Template: This workflow periodically checks for new Carbon Black alerts, notifies the end user of the alert, and asks for verification of the activity.
Basic Global Variable Use in a Workflow - Workflow Template: Basic Create/Read/Update/Append/Delete steps for use with global variables. This can provide ephemeral data storage between workflows.
Create Attachment in Jira with JSON Data (Jira) - Workflow Template: Example of how to add an attachment with JSON data to a Jira issue.
Retrieve New Exploited Vulnerabilities from CISA update via Teams - Workflow Template: On a daily schedule, poll the latest CISA vulnerabilities and update a Teams channel on any new CVEs, including references from NIST.
Ask a Question over Slack or Microsoft Teams - Workflow Template: This workflow can be used to ask a question where both Slack and Microsoft Teams are in use by different parts of the organization.
Count Number of Executions for Action (Torq) - Workflow Template: Workflow to be used as a nested workflow that keeps track of the number of executions of a given action and the maximum executions per day.
JSON Filtering with JQ - Workflow Template: Simple filtering of VirusTotal IP lookup JSON data. Use these examples to learn how easy it is to filter or create a new JSON output.
Collect Azure Network Security Group Details - Workflow Template: Nested workflow that collects and formats Azure NSG information to identify the rule priority needed to block a given port and protocol.
Interactive Email Conversation (Microsoft 365) - Workflow Template: Example of using Microsoft 365 email as part of an interactive email conversation. This could also be added as a nested workflow.
Approve Group Membership for New User (JumpCloud) - Workflow Template: When a new user is added, ask via Slack for approval from a specific department approver list and add the user to the department's JumpCloud group.
Create Jira and Asana Tickets from Astrix Alert - Workflow Template: Based on a high-risk finding from Astrix, initiate cases in Asana and Jira.
Microsoft 365 Adaptive Card Email Conversation - Workflow Template: Example workflow to send an adaptive card questionnaire via Microsoft 365. Responses are delivered via a webhook back to a Torq workflow.
Generate Table in ADF Format for Jira Comments - Workflow Template: Template to be used as a nested workflow to generate a simple table from an array for Jira in ADF format.
Workflow Notification Tracking in Google Sheets - Workflow Template: Workflow that receives notifications of failed workflows and saves the details in a Google Sheet. Entries older than 7 days are removed.
Webex Hello World Chat Bot - Workflow Template: Easy starter template to create an interactive messaging experience for Webex users.
Search for CVE Findings in Orca Triggered by Slack - Workflow Template: Receive a mention via Slack for "orca-cve", kick off a search in Orca for the specific CVE, and update the Slack thread with the results.
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template: For each new EDR detection, validate the files involved with threat intelligence and add them to the global block list if found to be malicious.
Approve Group Membership for New User Creation (Okta) - Workflow Template: Ask via Slack for approval from specific department approvers when a new user is added to Okta.
Get AWS Access Key Information for User (AWS) - Workflow Template: Workflow that provides a summary of the access keys for a user, including the number of keys, status, last used date, and whether the key is still in use.
Retrieve New Exploited Vulnerabilities from CISA - Workflow Template: On a daily schedule, poll the latest CISA vulnerabilities and update a Slack channel on any new CVEs, including references from NIST.
Send Torq Audit and Activity Logs to Snowflake - Workflow Template: Pull audit and activity logs from the Torq API and store them in Snowflake on a schedule of every 10 minutes.
Reset Direct Manager reference for an Entra ID user (ex-Azure AD) - Workflow Template: Trigger on a Teams command, find the user in Entra ID, and reset the reference to the direct manager in the directory.
Trigger specific scan, update results to Slack (Tenable) - Workflow Template: Triggers a specific pre-defined Tenable Cloud scan, waits for completion, and reports on every vulnerable host with severity findings above 0.
Retrieve and Normalize data on a Domain - Workflow Template: Workflow to look up threat intelligence data from a number of sources, aggregate the domain and threat data, and normalize a score for the domain.
Send Torq Audit and Activity Logs to S3 Bucket on a Schedule - Workflow Template: Based on a configured time, the workflow uploads Torq audit and/or activity logs to AWS S3 buckets.
Rename new iOS device to User / Serial Number (Jamf) - Workflow Template: For each new iOS device enrolled in Jamf, if the user name was not set, change the device name to the unique serial number. Otherwise, rename it to the user name.
Cache VirusTotal Threat Intelligence Findings on an IOC - Workflow Template: Receive an IOC from a parent workflow and check the global variable for previous results; if none are found, query VirusTotal and save the results.
Microsoft Teams - Hello World - Workflow Template: Simple example of Microsoft Teams messages using Adaptive Cards, collecting interactive responses and providing them back to the user.
Check Point SmartTasks Notification to Slack - Workflow Template: Notification to Slack on the status of a policy install, or session details of additions, modifications, or deletions when a session is published.
Nested Check-Out of AWS Credentials via Britive (Britive) - Workflow Template: Example nested workflow using Britive to check out AWS credentials to be used in a workflow. Check the credentials in using the trans-id provided.
ITSM - Notify Slack user on closed/resolve incidents (ServiceNow) - Workflow Template: Receive a Slack message on resolved or closed tickets within ServiceNow. Enrich the message with details from the ticket and the closing users.
Verify User's Group Membership in Okta via Slack Command - Workflow Template: Receive a Slack command with the user's email and an optional group, and provide the group membership, including a match if a group is provided.
Ask Users to Confirm Failed JumpCloud Login Attempts - Workflow Template: Daily pull of failed logins from JumpCloud; reach out to users with failed logins over Slack and confirm they were the ones trying to log in.
Send Message over Slack or Microsoft Teams - Workflow Template: This workflow can be used to send a message where both Slack and Microsoft Teams are in use by different parts of the organization.
Upload Latest Recorded Future IOCs to Cybereason - Workflow Template: Pull the latest hashes, IPs and domains above a specific risk score from Recorded Future and add them to the Cybereason reputation list.
Suspend Okta Users that are Inactive for More than 30 Days - Workflow Template: On a scheduled interval, check for users that have not logged in for more than 30 days. Ask a Slack channel for approval to suspend the users.
Teams Mention to Analyze Suspicious URLs and IPs with VirusTotal - Workflow Template: Receive a list of suspicious URLs and/or IPs from Microsoft Teams, scan them using VirusTotal, and send the results back to the Teams conversation.
Enrich Hashes, CVEs and IP Addresses with Recorded Future - Workflow Template: Receive a message with one or more CVEs, SHA256 hashes or suspicious IP addresses from Slack and enrich the data with Recorded Future.
Collect all Public IP Addresses for an AWS Account - Workflow Template: Collect all public IP addresses for a given AWS account and provide a simple summary list of IPs and a JSON list by region and service.
Slack Mentions - Hello World - Workflow Template: Slack bot workflow to reply to either mentions or direct conversations with the bot.
Nested Slack Block Generator from an Array - Workflow Template: Workflow meant to be used as a nested workflow to build a Slack block from an array. This block can be used in the Slack Block Form step.
Group IoCs From Text Input - Workflow Template: This function takes a text and returns groups of hashes, URLs, domains and IP addresses.
Process New Cloud Vulnerability DB Issues (Open CVDB) - Workflow Template: Pull the latest vulnerabilities from the Open Cloud Vulnerability Database and send an alert to a Slack channel.
Open or Update a Jira Issue on an Uptycs Alert - Workflow Template: Open a parent or child issue in Jira when a medium/high severity event is found. Ask a Slack channel if additional information is required.
Just-In-Time Access to Group Membership in Active Directory - Workflow Template: Trigger on a Slack command where a user asks for temporary access to a group in Active Directory, with approval from a Slack channel.
Okta event on MFA addition with user Verification (Okta) - Workflow Template: Receive an event from Okta when a user adds an MFA method; look up the source IP with VirusTotal or ask the user if this was intended, and if not, open an issue.
Upload HIPAA Training Evidence in Drata - Workflow Template: Identify users that are HIPAA training non-compliant within Drata and upload the evidence file provided to the workflow.
Identify and Label Confluence Content with PII from BigID - Workflow Template: On a trigger from BigID, label all content in Confluence with a specific tag, notify a Slack channel, and open a Jira issue with the findings.
Gather CircleCI Environment Variables from GitHub Org Repos - Workflow Template: Query GitHub for organization repositories and gather the CircleCI environment variables that are configured in each project.
Verify Permissions to Execute Workflows - EntraID (ex-Azure AD) - Workflow Template: Workflow that can be used to verify that users have permission to run a specific workflow by ID or name, and also check group membership.
Upload Hard Drive Encryption Evidence in Drata - Workflow Template: Identify devices that are hard drive encryption non-compliant within Drata and upload the evidence file provided to the workflow.
Send a Microsoft Teams Notification upon Mention in a Torq Case - Workflow Template: When a user is mentioned in a Torq Case comment, send the user a notification in Microsoft Teams with the text and a hyperlink to the case.
Label Google Drive Files Containing PII Identified by BigID - Workflow Template: On a trigger from BigID with findings of files in Google Drive that contain PII, assign a Google Drive label and field to the file.
Reset Entra ID (ex-Azure AD) MFA Methods and Password on a User - Workflow Template: This workflow can be used as a nested workflow to reset a user's password, remove all MFA methods for the user, and clear any user sessions.
Add MFA on IdP Evidence in Drata - Workflow Template: Identify users that are MFA non-compliant within Drata and upload the evidence file provided to the workflow.
Fetch New QRadar Offenses with Pagination - Workflow Template: A nested workflow to pull all new open QRadar offenses, using pagination to return all results.
SSL Certificate Expiration Check - Workflow Template: From a list of domains or subdomains, check the expiration dates of their certificates.
Find all Okta Active Devices with Pagination - Workflow Template: Workflow that can be used as a nested workflow to gather all active Okta devices into a single array using pagination.
Extract Multiple Observables - Workflow Template: Extracts different types of observables such as file hashes, IP addresses, email addresses, filenames, hostnames, URLs, and CVEs.
Upload Screensaver Lock Evidence in Drata - Workflow Template: Identify devices that are screen lock non-compliant within Drata and upload the evidence file provided to the workflow.
Identify PII Information Shared in a Slack Workspace via BigID - Workflow Template: On a trigger from BigID for PII information found in a Slack workspace, send the detailed findings to a specific Slack channel or admin.
Simple Loops with Torq - Workflow Template: Example of looping over JSON data and over a range in a workflow. Results are collected with the "Collect" operator.
Add Anti-Virus Evidence in Drata - Workflow Template: Identify devices that are anti-virus non-compliant within Drata and upload the evidence file provided to the workflow.
Upload Auto-Updates Evidence in Drata - Workflow Template: Identify devices that are auto-update non-compliant within Drata and upload the evidence file provided to the workflow.
Add Password Manager Evidence in Drata - Workflow Template: Identify devices that are password manager non-compliant within Drata and upload the evidence file provided to the workflow.
Send Torq Audit or Activity logs to Sumo Logic on a Schedule - Workflow Template: Workflow that can be used to send either Torq audit or activity logs to Sumo Logic on a scheduled interval.
Handle Wiz Alert for AWS Admin Principals Inactive Over 90 Days - Workflow Template: On an alert from Wiz on an AWS admin principal that has been inactive for over 90 days, ask a Slack channel for approval to deactivate the IAM account.
Export a Torq Case in Word Document Format - Workflow Template: Export a Torq Case, including the general details, timeline, observables, attachments and custom fields, into a Microsoft Word file.
Collect Asynchronous Responses from Slack Block Messages - Workflow Template: Workflow that can be used to record asynchronous responses to Slack Block Kit messages that contain buttons for a user response.
Convert Newline Delimited JSON to Standard JSON - Workflow Template: Converts newline-delimited JSON formatted data into standard JSON format.
Upload Background Check Evidence in Drata - Workflow Template: Remediate failed resources that require background check evidence by attaching the URL provided on workflow initiation.
Assign or Remove Licenses on Users for Microsoft via Graph API - Workflow Template: Used as a nested workflow to assign or remove licenses for Microsoft 365 users. The workflow takes the SKU as input for assignment.
Upload Security Training Evidence in Drata - Workflow Template: Identify users that are security training non-compliant within Drata and upload the evidence file provided to the workflow.
Get Failing Resources for a Test in Drata - Workflow Template: Provide insight into failed resources based on information collected from the Drata platform.
Check if IPv4 Address is Part of an AWS IP Network Block - Workflow Template: On a mention from Slack, extract an IP address and try to match it to a network block in use at AWS. Provide the result back to the thread.
Offboard SaaS User from Grip on Trigger from Hibob - Workflow Template: On a trigger from Hibob, offboard the user from Grip and report the status back to a default Slack channel or to the user's manager via Slack.
Attach a Screenshot to a ServiceNow Incident or Jira Issue - Workflow Template: Workflow that can be used as a nested workflow to attach a screenshot of a URL to either a Jira issue or a ServiceNow incident.
Search for Unused or Inactive Roles in AWS IAM - Workflow Template: Queries AWS for IAM roles and groups them by Last Used and Never Used after a defined number of days.
Verify User's Group Membership in Ping via Slack Command - Workflow Template: Receive a Slack command with an optional group and provide the group membership, including a match if a group is provided.
Collect Information on Case Closing Action - Workflow Template: Shows a form whenever a case is changed to CLOSED status.
URLScan URL Enrichment with Cache - Workflow Template: Receive a URL to analyze with URLScan and provide a summary of the URL with malicious, phishing, score and screenshot details if available.
Subscribe Gmail address to watch a PUB SUB pre-defined topic - Workflow Template: Maintains a valid subscription to a topic by checking its expiration date daily and renewing it when necessary.
Send Torq Audit and Activity Logs to Singularity XDR - Workflow Template: Based on a configured time, workflow audit and activity logs are sent to Singularity XDR.
Google File Label Lifecycle - Workflow Template: This workflow showcases the published steps to support the Google file label lifecycle process.
Issue a Push Challenge with Okta and Wait for a Response - Workflow Template: Receive an Okta user and factor ID from a parent workflow, send a push challenge to the user, wait for the response, and return it.
AlienVault File Hash Enrichment with Cache - Workflow Template: Nested workflow that takes a file hash as input, queries AlienVault's General and Analysis sections for details, and returns the results.
Google Chat Hello World - Workflow Template: This workflow demonstrates the use of the Google Chat steps and the ability to interact with end users and create Google Chat Spaces.
Pangea - Domain Enrichment with Cache - Workflow Template: Receives a domain from a parent workflow and queries Pangea for its reputation.
Decode QR Codes in Torq Case Attachments - Workflow Template: Decode QR codes that are found in Torq Case attachments by using a quick action or Run a Workflow on a Torq Case.
Notify on Open and In-Progress Torq Cases Approaching the SLA - Workflow Template: Scheduled workflow that sends a notification to Slack or Microsoft Teams on Torq cases that are approaching or past the defined SLA.
Recorded Future Sandbox - File Analysis with Cache - Workflow Template: Submits a file to the Recorded Future Sandbox for full analysis.
Generate Graph of Simple JSON Data using Python - Workflow Template: Functional workflow that takes JSON data and generates a base64-encoded PNG graph of the data that was passed to the workflow.
Notify a Slack Channel on Case Creation - Workflow Template: Workflow that notifies a specific Slack channel for every new Torq case that is created.
Query Logs on Singularity XDR with Pagination - Workflow Template: This workflow serves as a function that executes a query in Singularity XDR.
Send Torq Audit or Activity Logs on a Schedule to Splunk - Workflow Template: Workflow that can be used to send Torq audit and/or activity logs to Splunk on a schedule of every 10 minutes.
Simple Splunk Query with Optional Return Field Filters - Workflow Template: A simple Splunk query that can use optional field filters to narrow the dataset returned. Can be used as a nested workflow to simplify use.
Find AWS Instance Information by Private IP Address in Wiz - Workflow Template: On a mention from Microsoft Teams, look for instances with the private IP address, gather information on the instance, and send it to Teams.
Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed Regions - Workflow Template: Retrieve Entra ID audit logs for sign-ins and compare them against a list of allowed regions. If a violation occurs, notify a Slack channel.
Run Antivirus Scan on a device on Microsoft Defender for Endpoint - Workflow Template: Run a quick or full antivirus scan on a device by its machineId or device name.
Retrieve and Normalize data on a File Hash - Workflow Template: Workflow to look up threat intelligence data from a number of sources, aggregate the threat data, and normalize a score for the provided file hash.
Generate a Report for Torq Cases in Microsoft Docx Format - Workflow Template: A nested workflow that generates a report on Torq cases, analyst activity, and case MTTR, with output as a Microsoft Word document.
Create Microsoft Graph Subscriptions and Renewals - Workflow Template: Create one or more Microsoft Graph subscriptions to a Microsoft 365 trigger. The subscriptions are extended and renewed daily.
Find all Hosts Impacted by an Open CVE in CrowdStrike - Workflow Template: Find all hosts in CrowdStrike that are impacted by a specific CVE and output the list of hostnames and the remediation information provided.
Send a Microsoft Teams Notification to Assignee in a Torq Case - Workflow Template: Send a notification to the new assignee of a Torq Case via Microsoft Teams with a summary of the case and a direct hyperlink to the case.
Search for Vulnerabilities by Hostname in Tenable - Workflow Template: Pull information for a hostname from Tenable and return the information to the parent workflow or an optional Slack user or channel.
Send Torq Audit and Activity Logs to Elasticsearch - Workflow Template: Pull the logs from Torq on a schedule and send them to Elasticsearch in a batch transaction.
Create Microsoft Graph Subscription and Renew Daily - Workflow Template: Create a Microsoft Graph subscription to a Torq Microsoft 365 trigger. The subscription is renewed daily, extending the expiration date.
Suspend Contractor Accounts in Okta with inactivity for 7 days - Workflow Template: Check daily for active accounts where the profile userType is "Contractor". Suspend the account if no login occurred in the past 7 days.
VirusTotal Domain Enrichment with Cache - Workflow Template: Nested workflow that takes a domain as input, queries VirusTotal for the domain, and returns the analysis information to the parent workflow.
Isolate or Unisolate device on Microsoft Defender for Endpoint - Workflow Template: Nested workflow to isolate or unisolate a device by its machineId or device name.
Recorded Future - URL Enrichment with Cache - Workflow Template: Receive a URL from a parent workflow and query Recorded Future for its reputation.
Fetch File Information by Hash from Microsoft Defender - Workflow Template: Collects threat information about a file by fileId (SHA1 hash) within a time frame.
VirusTotal URL Enrichment with Cache - Workflow Template: Nested workflow that takes a URL as input, queries VirusTotal for details, and returns the analysis information on the URL.
Torq Case Example Descriptions for Different Case Types - Workflow Template: A workflow with many mock examples of Torq Case descriptions for Torq integration partners, and formatting examples to use with Torq Cases.
Recorded Future - IoC Enrichment - Workflow Template: Extracts multiple observables from raw text and performs enrichment for each observable in Recorded Future.
AlienVault Combined Observable Enrichment - Workflow Template: Extracts multiple observables from raw text, performs enrichment for each observable in AlienVault, and returns the analysis information.
Collect Information on Case Closure by Permitted Analysts - Workflow Template: Collect information when a Torq Case is changed to CLOSED status and verify that the analyst is permitted to close cases.
Gather QRadar Events for a Given Offense - Workflow Template: For a given QRadar offense, pull all events for a specific time window and provide the list of events back to the parent workflow.
AlienVault Domain Enrichment with Cache - Workflow Template: Nested workflow that takes a domain as input, queries AlienVault's General, Malware and GEO sections, and returns the analysis information.
Notify a Teams Channel on Case Creation - Workflow Template: Workflow that notifies a specific Microsoft Teams channel for every new Torq case that is created.
Send Slack Notification upon Mention in a Torq Case - Workflow Template: When a user is mentioned in a Torq Case comment, send the user a notification in Slack with the text and a hyperlink to the case.
Prepare Case Properties by Case Type - Workflow Template: When a new Torq case is created, create custom fields and a quick action on the newly created case based on the case type.
Generate a Screenshot of a URL and Describe the Image via OpenAI - Workflow Template: Generate a screenshot of a specific URL and ask OpenAI to review the image and advise whether it could be part of a phishing attempt.
Retrieve and Normalize data on an IP Address - Workflow Template: Workflow to look up threat intelligence data from a number of sources, aggregate the geo data and threat data, and normalize a score for the IP.
VirusTotal File Hash Enrichment with Cache - Workflow Template: Nested workflow that takes a file hash as input, queries VirusTotal for analysis, and returns the results if the hash is found.
Handle Panther Okta Alerts on User Action Detection - Workflow Template: On a new Panther alert from Okta, ask the user if the action was intended; if so, mark the alert resolved. If not, open a Torq case.
Pangea - Email Enrichment with Cache - Workflow Template: Receives an email address from a parent workflow and queries Pangea for its reputation.
VirusTotal IPv4 Address Enrichment with Cache - Workflow Template: Workflow that takes an IPv4 address as input, queries VirusTotal, and returns the analysis information to the parent workflow.
AlienVault IPv4 Address Enrichment with Cache - Workflow Template: Workflow that takes an IPv4 address as input, queries AlienVault's General, Malware and Reputation sections, and returns the analysis information.
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow TemplateFor each new threat detected by SentinelOne, query Threat Intelligence data from VirusTotal and RecordedFuture and add notes to the threat
Pangea - File Hash Enrichment with Cache - Workflow TemplateReceives a File Hash from a parent workflow and query Pangea for its reputation.
Submit a File for Analysis to VirusTotal with Cache - Workflow TemplateSubmit a file to VirusTotal for analysis and provide a simple cache for the analysis results. Use URLs or Torq file links to the file.
Search Observables by Grouped UDM Fields in Chronicle - Workflow TemplateReceives Observables as hash, IP address, domain, username or email and performs a query to Chronicle SIEM using Grouped UDM fields.
Return Specific Default or Overriding Workspace Variable - Workflow TemplateThis workflow will return a variable from two workspace variables with priority if found in the Overriding Workspace Variable then Default.
Request File Download From CrowdStrike Using Real Time Response - Workflow TemplateNested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor
On Case Closure Set a Custom Field and Tag with Resolution Reason - Workflow TemplateWhen a Torq Case is closed or resolved, add a specific custom field and tag to the case the will contain the resolution reason of the case.
Send a Slack Notification to Assignee in a Torq Case - Workflow TemplateSend a notification to a new assignee on a Torq Case via Slack with a summary of the case and a direct hyperlink to the case.
Validate Gem Alert Events in Slack - Workflow TemplateCommunicate with a user through Slack to validate a security alert.
Run LiveResponses on Microsoft Defender for Endpoint - Workflow TemplateExecute Live Responses on an Endpoint and collects the results of each command.
Torq Interact Multi-User Communication Example - Workflow TemplateThis demo illustrates how to utilize Torq Interact to handle communications with one or more users.
Scan URLs with URLScan and Provide a Summary - Workflow TemplateReceive an array of URLs to scan with URLScan and provide a summary per URL with malicious, phishing, score, and screenshot URL if available
VirusTotal Combined Observable Enrichment - Workflow TemplateExtract multiple observables from raw text and performs enrichment for each observable in VirusTotal and returns analysis information.
AbuseIPDB IPv4 Address Enrichment with Cache - Workflow TemplateWorkflow that will take an IPv4 address as input and query AbuseIPDB for details about the address including the Abuse Confidence Score.
Send a Question to Slack Users and Collect Responses - Workflow TemplateSend a question to a number of Slack users and collect the responses in a global variable with a wait of up to 31 days to collect results.
Recorded Future - File Hash Enrichment with Cache - Workflow TemplateReceive a file hash from a parent workflow and query Recorded Future for its reputation.
Send a Microsoft Outlook Email to Assignee in a Torq Case - Workflow TemplateWorkflow that will notify the user by sending an email via Microsoft Outlook for every new Torq case that is assigned to the user.
Pangea - IP Address Enrichment with Cache - Workflow TemplateReceives an IP Address from a parent workflow and query Pangea for its reputation.
Silent Push - Domain Enrichment with Cache - Workflow TemplateReceives an Domain from a parent workflow and query Silent Push for enrichment.
Generate a Screenshot and Attach to a Torq Case on URL Addition - Workflow TemplateWhen a new URL is added as an observable, attempt to generate a screenshot and if successful add it as an attachment to a Torq case.
Download a File from a SentinelOne Threat ID - Workflow TemplateFetch a file from a SentinelOne Threat ID and encrypt it with the provided password with a link to download.
Recorded Future Sandbox - URL Analysis with Cache - Workflow TemplateSubmits an URL to Recorded Future Sandbox for full analysis.
Pangea - URL Enrichment with Cache - Workflow TemplateReceives an URL from a parent workflow and query Pangea for its reputation.
Recorded Future - IP Address Enrichment with Cache - Workflow TemplateReceive an IP address from a parent workflow and query Recorded Future for its reputation.
Shodan - IP Address Enrichment with Cache - Workflow TemplateReceives an IP Address from a parent workflow and query Shodan for enrichment.
Search In Torq Audit Logs Based on Query - Workflow TemplateSearch for audit event based on action, email, actor type, actor_name or resource name.
Generate a Dynamic PowerPoint Document based on Slide Data - Workflow TemplateWorkflow that can be used as a guide on how to generate a dynamic PowerPoint document with the Python python-pptx library.
Submit a File for Analysis to VMRay with Cache - Workflow TemplateSubmit a file to VMRay for analysis and provide a simple cache for the analysis results. Use public URLs or Torq file links to the file.
Gather Torq Audit or Activity Logs - Workflow TemplateNested workflow that collects Torq workflow Activity logs or user Audit logs and returns the logs to the parent workflow.
Fetch Cyberint Alerts on a Schedule - Workflow TemplateFetch alerts from Cyberint on a schedule. An optional loop is available in the workflow to do additional actions as needed.
Table Workspace Variable Example Workflow - Workflow TemplateThis Workflows is an example on how to use a table as a workspace variable to perform common CRUD tasks.
Open Jira Issues and Enrich Event on Sysdig Kubernetes Detections - Workflow TemplateDetect, enrich, alert and auto-assign incidents using Kubernetes namespaces using Sysdig Runtime Threat Intelligence and Detection.
List All Groups with Pagination on Entra ID (ex-Azure AD) - Workflow TemplateThis function will collect all groups on Entra ID (ex AzureAD) using pagination.
List All Users with Pagination on Entra ID (ex-Azure AD) - Workflow TemplateThis function will collect all users on Entra ID (ex AzureAD) using pagination.
Fetch Incidents from Cortex XDR on a Schedule - Workflow TemplateOn a schedule, fetch new incidents from Cortex XDR using pagination.
Create Tables on Snowflake for Torq Audit and Activity Logs - Workflow TemplateCreate tables in snowflake database to store Torq audit and activity logs.
Step Failure with Runner Configured Notification to Slack - Workflow TemplateSend a notification to a Slack channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Step Failure with Runner Configured Notification to Teams - Workflow TemplateSend a notification to a Teams channel when a step failure occurs where a runner is configured. A link to the execution id is also provided
Step Failure with Runner Configured Notification to Email - Workflow TemplateSend an email notification via Gmail/Outlook when a step failure occurs where a runner is configured. A link to the execution is provided.
Notify by Email when a Workflow Failure is Triggered - Workflow TemplateSend an email notification via Gmail/Outlook when a workflow failure is detected. A link to the workflow execution is provided.
Notify Reviewer via Slack when Workflow is Submitted for Review - Workflow TemplateWhen a workflow submission is requested send a message to each reviewer in Slack and include a link to the submission.
Notify a Slack Channel when a Workflow Failure is Triggered - Workflow TemplateSend a notification to a Slack channel when a workflow failure is detected. A link to the execution log is provided in the message.
Notify a Microsoft Team when a Workflow Failure is Triggered - Workflow TemplateSend a notification to a Microsoft Team when a workflow failure is detected. A link to the execution log is provided in the message.
Notify Reviewer via Teams when Workflow is Submitted for Review - Workflow TemplateWhen a workflow submission is requested send a message to each reviewer in Teams and include a link to the submission.
Notify a Slack Channel for a New Share Request - Workflow TemplateWhen a new resource is shared with the workspace send a message with the details to a Slack channel with a link to the request.
Notify a Microsoft Teams Channel for a New Share Request - Workflow TemplateWhen a new resource is shared with the workspace send a message with the details to a Teams channel with a link to the request.
Watch Microsoft Security Response Center RSS Feed - Workflow TemplateAn example workflow to check an RSS feed daily for changes using the Microsoft Security Response Center RSS feed as a sample.
File Conversion using a Torq Interact Workflow - Workflow TemplateThis workflow is an example of how to use Torq Interact with the file upload and download parameters.
Add a Weekday or Weekend Tag on Creation of a Torq Case - Workflow TemplateThis workflow will add a tag for either Weekday or Weekend to a new Torq case based on the local creation time of the case.
Wiz GraphQL Query for AWS Instances with Open SSH Access - Workflow TemplateSimple example using the GraphQL functionality with Wiz to run a query. Use the API Console in Wiz to find GraphQL statements to use.
Discord - Hello World - Workflow TemplateThis is a simple example of using Discord to create an interactive workflow using an Ask Question step.