- 15 Nov 2023
- 3 Minutes to read
Observables
Observables are OCSF-compliant objects that represent the indicators related to each case, such as IP addresses, URLs, file hashes, resource UIDs, and more. Use the observables to monitor, detect, and respond to security threats.
Observables in Torq can be associated with one or more cases. Additionally, they remain in the database, even if they are disassociated from all cases.
Important
When the reputation of an observable is updated in the context of a specific case, it's updated across all cases the observable is associated with.
Add an observable to a case
Use the Add observable to a case step to introduce a new observable and associate it with a specific case.
For example, you can create a workflow triggered when an identity and access management service, such as Okta, detects suspicious user activity. Extract relevant information, such as the IP address, from the trigger event and use the Add observable to a case step to add it as an observable to the case. You can extract more information, such as the username, from the trigger event and add it as additional observables to the same case.
Key observables
Mark an observable as a key observable to highlight its relevance to the case. Key observables are listed in the case overview to ensure they are brought to the attention of anyone reviewing the case.
| Parameter | Description |
|---|---|
| Case ID | The ID of the case to associate the observable with. |
| Observable description | A brief description of the observable. |
| Observable type | The type of data the observable contains: IP address, URL, file hash, and more. Some observable types have subtypes available. Use Other to specify a different type of data. The observable types correspond to the OCSF schema observable value type identifier. Contact Torq support if you require additional types. |
| Observable value | The observable data according to its type: 192.168.1.3, https://www.google.com/, and so on. |
| Observable reputation score | The observable reputation. Any update to the observable reputation score is reflected across all cases associated with the observable. |
| Mark as key observable | Observables may be marked as key observables for the case to indicate their importance to the investigation. |
The observable type, value, description, and reputation score are saved even when the observable is no longer associated with any case. This means that if the observable is witnessed in the context of a different case, the existing description and reputation will be available for reference.
You can also add an observable to a case manually.
1. Go to Cases.
2. Select the case you want to add the observable to.
3. Expand the case timeline.
4. Go to the Observables tab.
5. Select Add Observable.
6. Provide the observable information: type, value, reputation, and description.
7. Click the star icon in the observable entry to mark it as a key observable for the case.
Enrich the observable
Once an observable is added to a case, you may want to enrich it to obtain an up-to-date reputation score.
You can use the Added an Observable trigger to execute a workflow that enriches the observable according to its type.
Add a trigger condition on the observable type and enrich the observable with the threat intelligence services of your choice. Use the Update observable reputation score step to write the enrichment findings back to the observable.
Observable witnessed in other cases: threat hunting
Threat hunting is a proactive approach to cybersecurity that enables organizations to detect advanced threats that traditional security tools may miss. It allows security analysts to explore and investigate the organization's networks and systems for signs of malicious activity and to identify threats early in the attack lifecycle, limiting the damage that can be caused.
Use Torq workflows and cases to implement correlation, enrichment, and contextualization logic, leveraging the relationships between observables, cases, and alerts to discover relationships between seemingly unrelated events. You can read more about automated threat hunting in our blog.
Use the Query cases step to retrieve the list of cases an observable is associated with, so that you have the full picture.
Add the Observable IDs optional parameter and specify the ID of the observable you want to investigate. You can also view the list of other cases that have the observable associated with them from the case itself:
1. Go to Cases.
2. Select the case that has the observable you want to investigate.
3. Expand the case timeline.
4. Go to the Observables tab.
5. Select the relevant observable.
If the observable is associated with other cases, they will be listed in the Cases with this observable section in the Observable details form.
Note
Cases are listed based on a match of an observable type-value combination. This means that the cases listed have the same type of observable with the same value.
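The behaviour described on this page, as a small Python model added here (not Torq's code or API): one record per observable type-value pair, a reputation score that is shared by every associated case, a record that persists after it is disassociated from all cases, and the Cases with this observable lookup. The OCSF type_id values, the Okta-style event fields, and the case IDs are assumptions.

```python
from dataclasses import dataclass, field

# OCSF observable type_id values (assumed from the OCSF schema; the page only says
# Torq's types map to these identifiers). 99 is "Other".
OCSF_TYPE = {"ip_address": 2, "user_name": 4, "url": 6, "file_hash": 8, "other": 99}

@dataclass
class Observable:
    type_id: int
    value: str
    description: str = ""
    reputation: int = None                      # one score shared by all associated cases
    cases: set = field(default_factory=set)     # IDs of associated cases (may be empty)
    key_in: set = field(default_factory=set)    # case IDs where it is a key observable

class ObservableStore:
    """Toy model: one record per (type, value), linked to any number of cases."""
    def __init__(self):
        self._by_key = {}

    def add_to_case(self, case_id, type_name, value, description="", key=False):
        k = (OCSF_TYPE[type_name], value)       # cases match on type + value
        obs = self._by_key.setdefault(k, Observable(k[0], value, description))
        obs.cases.add(case_id)                  # an existing description is kept as-is
        if key:
            obs.key_in.add(case_id)
        return obs
    def update_reputation(self, case_id, type_name, value, score):
        obs = self._by_key[(OCSF_TYPE[type_name], value)]
        if case_id not in obs.cases:
            raise ValueError("update must happen in the context of an associated case")
        obs.reputation = score                  # reflected in every case in obs.cases
        return obs
    def remove_from_case(self, case_id, type_name, value):
        obs = self._by_key[(OCSF_TYPE[type_name], value)]
        obs.cases.discard(case_id)              # the record itself stays in the store
        obs.key_in.discard(case_id)
        return obs
    def cases_with(self, type_name, value):     # the "Cases with this observable" lookup
        obs = self._by_key.get((OCSF_TYPE[type_name], value))
        return set(obs.cases) if obs else set()

def run_scenario():
    # The page's Okta example, driven by a constructed (not real) trigger event.
    event = {"actor": {"alternateId": "j.doe@example.com"}, "client": {"ipAddress": "203.0.113.7"}}
    store = ObservableStore()
    ip, user = event["client"]["ipAddress"], event["actor"]["alternateId"]
    store.add_to_case("case-1", "ip_address", ip, "source IP of suspicious Okta activity", key=True)
    store.add_to_case("case-1", "user_name", user)
    store.update_reputation("case-1", "ip_address", ip, 85)   # enrichment result from threat intel
    store.add_to_case("case-2", "ip_address", ip)             # same IP witnessed in a later case
    store.remove_from_case("case-1", "user_name", user)       # observable persists with no cases
    return store
```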