- while installing splunk integration it's asking for to select ontology mapping , which option should we select and why ?
Solved
Splunk Integration with Chronicle SOAR
+14- Silver 2
Best answer by KyHud
Hey,
Ontology and mapping in Chronicle SOAR helps the product understand what fields are important to the product, and visual family. It is essentially a mapping exercise of splunk field "SrcIp"-> Chronicle Field "Source Address". As this process can be time consuming there are connectors which bring with them a base set of ontology and mapping to give you a head start in defining relevant fields.
Our rule of thumb, as we have had the system for many years, is to not accept any integration defined ontology incase it disrupts our already defined ontology which we have done over the years,however, if this is a new SOAR instance with little to no mapping, adding in the predefined mapping from the marketplace can help initially with this process.
Cheers
K
+5- Bronze 2
- Answer
Hey,
Ontology and mapping in Chronicle SOAR helps the product understand what fields are important to the product, and visual family. It is essentially a mapping exercise of splunk field "SrcIp"-> Chronicle Field "Source Address". As this process can be time consuming there are connectors which bring with them a base set of ontology and mapping to give you a head start in defining relevant fields.
Our rule of thumb, as we have had the system for many years, is to not accept any integration defined ontology incase it disrupts our already defined ontology which we have done over the years,however, if this is a new SOAR instance with little to no mapping, adding in the predefined mapping from the marketplace can help initially with this process.
Cheers
K
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.