
For example, for Mandiant, a connector can be built easily, or the same can be configured as a feed.

What is the best design choice in this case, and why?

I assume YARA-L rules may not work on alerts consumed with a SOAR connector. Are there any other factors that should be considered while making this decision?

Thanks

Typically, logs and raw data go to the SIEM, and dedicated, specific alerts go to the SOAR.

I saw a similar example recently: a user pushed confirmed alerts into the SIEM and then built a YARA-L detection looking for the alert and raised it into the SOAR. Whilst this worked, it added complexity to mapping fields and alert types. Instead, I suggest considering the SOAR connector, and then pushing more 'day to day' logs into the SIEM.

This might not always be the case... but it is today.
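To make the field-mapping cost described in the reply concrete, here is an added example (not from the original thread or from any vendor) of the "alert ingested as a log, then re-raised by a rule" pattern in YARA-L 2.0. The product name, event type and the choice of `rule_name` versus `summary` are assumptions about how a particular parser normalises the vendor alert into UDM, which is exactly the mapping that has to be maintained per alert type.

```yaral
rule third_party_alert_reraised_from_siem {
  meta:
    author = "added example"
    description = "Surfaces a vendor alert that was ingested into the SIEM as a log event so it can be handed to the SOAR"
    severity = "HIGH"

  events:
    // Assumption: the feed's parser sets these UDM fields for the vendor alert.
    // The exact product name and event type depend on the parser in use.
    $alert.metadata.product_name = "Mandiant"
    $alert.metadata.event_type = "GENERIC_EVENT"

    // Only re-raise alerts the vendor already rated HIGH.
    $alert.security_result.severity = "HIGH"

    // Mapping complexity: one parser may place the alert type in rule_name,
    // another in summary, so the rule has to accept either and must be
    // revisited whenever the vendor adds an alert type or the parser changes.
    (
      $alert.security_result.rule_name = /.+/ or
      $alert.security_result.summary = /.+/
    )

    // Group by affected host so repeated vendor alerts for one asset
    // become a single detection rather than one per event.
    $alert.principal.hostname = $host

  match:
    $host over 5m

  condition:
    $alert
}
```

Every alert type the vendor emits needs a corresponding UDM mapping before this rule sees it, which is the overhead the SOAR connector route avoids.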
