

Anyone who has played around with ontology/field mapping?


Hello
@Mohammad_Sulaim



We are using a customized ontology and not the out-of-the-box one, yes.



I am using the out-of-the-box one now and have the feeling that it's not a good idea. Did you guys create the custom ontology via scripts or the UI? What would be your recommendations, or things I should do and not do?



thanks in advance



We are configuring the ontology using the UI.

We are using a lot of customized ontology because we are pushing cases and alerts through the API and not using connectors.

My advice would be:

1. If the out-of-the-box one is sufficient, stick with it and do not go right away into a customized ontology.

2. Try to find field mappings that can be the most "global" across different types of alerts for the same product, and configure this global configuration at the product root level in the ontology so that it will be automatically inherited.

3. If, like us, you are pushing cases/alerts through the API, first try to define a standard convention for each data field and the data it should contain, so that the global mapping will apply with no need to always review the ontology, and so that you do not hit the limit of parameters you can map to one Chronicle SOAR field.




thanks
@Louis_Mesmin



Happy if this helps



thank you
@Louis_Mesmin
for your input!





In the OOTB mapping we are usually aiming to provide a "starting point" of mapping for users to work with, like a reference point.


We are also aiming to define the common schema events might have, so we usually map on the "product" or "vendor" level. (The ontology has a hierarchy of vendor - product - event levels, where vendor is the top level; a field defined on the vendor level will be "passed" down to the product and event levels.)



@Louis_Mesmin
is it possible for you to elaborate on why you opted for the API approach instead of using connectors?
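The two posts above describe the same mechanism from both sides: a vendor - product - event hierarchy in which a field mapping set at a higher level is inherited by the levels below unless they override it, and a per-field limit on how many source parameters may feed one SOAR field. The following is an added example, not code from the thread or from Chronicle SOAR: a small Python model of that inheritance and a check against the parameter limit. The class and function names, the field names, the JSON paths and the sample alert are all constructed for illustration, and the limit constant is a placeholder because the thread gives no number.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Placeholder: the thread mentions a limit on how many source parameters can be
# mapped to one SOAR field but gives no number; substitute your tenant's value.
MAX_SOURCES_PER_FIELD = 3


@dataclass
class OntologyLevel:
    """One node of the vendor > product > event hierarchy (hypothetical model)."""
    name: str
    # SOAR field name -> ordered list of source JSON paths that may populate it
    mappings: dict[str, list[str]] = field(default_factory=dict)


def resolve_mapping(*levels: OntologyLevel) -> dict[str, list[str]]:
    """Merge mappings top-down. A field defined on a higher level is inherited by
    lower levels; a lower level that defines the same field overrides it."""
    resolved: dict[str, list[str]] = {}
    for level in levels:
        for soar_field, sources in level.mappings.items():
            resolved[soar_field] = list(sources)
    return resolved


def over_limit(resolved: dict[str, list[str]],
               limit: int = MAX_SOURCES_PER_FIELD) -> dict[str, int]:
    """Fields whose source count exceeds the per-field parameter limit."""
    return {f: len(s) for f, s in resolved.items() if len(s) > limit}


def get_by_path(obj: dict, path: str):
    """Walk a dotted path such as 'endpoint.ip' through nested dicts."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_mapping(resolved: dict[str, list[str]], raw_alert: dict) -> dict:
    """Fill each SOAR field from the first source path present in the raw alert."""
    out = {}
    for soar_field, sources in resolved.items():
        for src in sources:
            value = get_by_path(raw_alert, src)
            if value is not None:
                out[soar_field] = value
                break
    return out


# Constructed hierarchy: field names and paths are illustrative, not a real product's.
VENDOR = OntologyLevel("ExampleVendor", {
    "StartTime": ["event.time", "timestamp"],
    "SourceAddress": ["src.ip"],
})
PRODUCT = OntologyLevel("ExampleEDR", {
    "SourceAddress": ["endpoint.ip", "src.ip"],   # overrides the vendor-level mapping
})
EVENT = OntologyLevel("process_start", {
    "ProcessName": ["process.name"],              # only this event type carries it
})

# Constructed raw alert as it might arrive through the API.
RAW_ALERT = {
    "timestamp": "2024-01-01T00:00:00Z",
    "endpoint": {"ip": "10.0.0.5"},
    "process": {"name": "cmd.exe"},
}


def demo() -> dict:
    """Resolve the hierarchy, refuse to proceed if a field exceeds the limit,
    then map the sample alert."""
    resolved = resolve_mapping(VENDOR, PRODUCT, EVENT)
    assert not over_limit(resolved), over_limit(resolved)
    return apply_mapping(resolved, RAW_ALERT)


if __name__ == "__main__":
    print(demo())
```

Running the file shows StartTime inherited from the vendor level (falling back to the second source path because the first is absent), SourceAddress taken from the product-level override, and ProcessName from the event level. The advice in the thread to keep mappings "global" at the product root corresponds to putting as much as possible into the higher levels and letting resolve_mapping do the inheritance; over_limit is the check to run before you hit the per-field parameter cap.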



Dear
@Dmitry_Sarakeev
yes of course, maybe in another thread?

