Observables
  • 15 Nov 2023

Observables are OCSF-compliant objects that represent the indicators related to each case, such as IP addresses, URLs, file hashes, resource UIDs, and more. Use the observables to monitor, detect, and respond to security threats.

Observables in Torq can be associated with one or more cases. Additionally, they remain in the database, even if they are disassociated from all cases.

Important

When the reputation of an observable is updated in the context of a specific case, it's updated across all cases the observable is associated with.

Add an observable to a case

Use the Add observable to a case step to introduce a new observable and associate it with a specific case.
For example, you can create a workflow triggered when an identity and access management service, such as Okta, detects suspicious user activity. Extract relevant information, such as the IP address, from the trigger event and use the Add observable to a case step to add it as an observable to the case. You can extract more information, such as the username, from the trigger event and add it as additional observables to the same case.

Key observables

Mark an observable as a key observable to highlight its relevance to the case. Key observables are listed in the case overview to ensure they are brought to the attention of anyone reviewing the case.

Parameters of the Add observable to a case step:

Case ID: The ID of the case to associate the observable with.

Observable description: A brief description of the observable.

Observable type: The type of data the observable contains: IP address, URL, file hash, and more. Some observable types have subtypes available. Use Other to specify a different type of data. The observable types correspond to the OCSF schema observable value type identifier. Contact Torq support if you require additional types.

Observable value: The observable data according to its type, for example 192.168.1.3 or https://www.google.com/.

Observable reputation score: The observable reputation. Any update to the observable reputation score is reflected across all cases associated with the observable.

Mark as key observable: Observables may be marked as key observables for the case to indicate their importance to the investigation.

The observable type, value, description, and reputation score are saved even when it's no longer associated with any case. This means that if the observable is witnessed in the context of a different case, the existing description and reputation will be available for reference.

(Image: Use the Add observable to a case step)

You can also add an observable to a case manually.

  1. Go to Cases.

  2. Select the case you want to add the observable to.

  3. Expand the case timeline.

  4. Go to the Observables tab.

  5. Select Add Observable.

  6. Provide the observable information: type, value, reputation, and description.

  7. Click the star icon in the observable entry to mark it as a key observable for the case.

(Image: Add an observable to a case manually)

Enrich the observable

Once an observable is added to a case, you may want to enrich it to have an updated reputation score.
You can use the Added an Observable trigger to execute a workflow that will enrich the observable according to its type.
Add a trigger condition to get the observable type and enrich it with the threat intel services of your choice. Use the Update observable reputation score step to update the observable with the enrichment findings.

(Image: Enrich the added observable and update its reputation)

Observable witnessed in other cases: threat hunting

Threat hunting is a proactive approach to cybersecurity that enables organizations to detect advanced threats that traditional security tools may not. It allows security analysts to explore and investigate the organization's networks and systems for signs of malicious activity and identify threats early in the attack lifecycle, limiting the damage that can be caused.

Use Torq workflows and cases to implement correlation, enrichment, and contextualization logic, leveraging the relationships between observables, cases, and alerts to discover relationships between seemingly unrelated events. You can read more about automated threat hunting in our blog.

Use the Query cases step to retrieve a list of the cases an observable is associated with to ensure you have the whole perspective.
Add the Observable IDs optional parameter and specify the ID of the observable you want to investigate.

(Image: Query cases by observable IDs)

You can also view the list of the other cases that have the observable associated with them from the case itself:

  1. Go to Cases.

  2. Select the case that has the observable you want to investigate.

  3. Expand the case timeline.

  4. Go to the Observables tab.

  5. Select the relevant observable.

  6. If the observable is associated with other cases, they will be listed in the Cases with this observable section in the Observable details form.

Note

Cases are listed based on a match of an observable type-value combination. This means that the cases listed have the same type of observable with the same value.
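As an added example (not Torq's code or API), the following Python model captures the observable semantics this page describes: an observable is identified by its type-value pair, its description and reputation are shared by every case it is linked to (the Important note above), the record survives disassociation from all cases, and the related-cases lookup matches on the exact type-value combination. The class names, the integer reputation score, and the sample case IDs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed model of the semantics this page describes; not Torq's own code.

@dataclass
class Observable:
    type_: str            # observable type label, e.g. "IP Address" (constructed)
    value: str
    description: str = ""
    reputation: "int | None" = None   # assumption: the score is an integer

class ObservableStore:
    def __init__(self):
        self._records = {}                   # (type, value) -> Observable
        self._case_links = defaultdict(set)  # case_id -> {(type, value)}
        self._key_links = defaultdict(set)   # case_id -> keys starred as key observables

    def add_to_case(self, case_id, type_, value, description="", reputation=None, key=False):
        k = (type_, value)
        obs = self._records.get(k)
        if obs is None:
            obs = self._records[k] = Observable(type_, value, description, reputation)
        else:  # witnessed before: keep its stored description/reputation unless new data is given
            obs.description = description or obs.description
            obs.reputation = reputation if reputation is not None else obs.reputation
        self._case_links[case_id].add(k)
        if key:
            self._key_links[case_id].add(k)
        return obs

    def update_reputation(self, case_id, type_, value, score):
        # Updated in the context of one case, but the record is shared by every linked case.
        k = (type_, value)
        if k not in self._case_links[case_id]:
            raise KeyError(f"{k} is not associated with {case_id}")
        self._records[k].reputation = score

    def remove_from_case(self, case_id, type_, value):
        # Disassociation only; the observable record stays in the store.
        self._case_links[case_id].discard((type_, value))
        self._key_links[case_id].discard((type_, value))
    def get(self, type_, value):
        return self._records.get((type_, value))

    def cases_with(self, type_, value):
        # The "Cases with this observable" view: exact type-value match only.
        return sorted(c for c, keys in self._case_links.items() if (type_, value) in keys)

    def key_observables(self, case_id):
        return [self._records[k] for k in sorted(self._key_links[case_id])]
```

The update_reputation method plays the role of the Update observable reputation score step in the enrichment workflow described above.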

(Image: Use the related cases information to automate threat hunting)
