SIEM correlations produce alerts that you have to respond to. Over time you start seeing trends of the things that happen most frequently. Those become then the opportunities for orchestration.
Best practice
Another day in the SOC office. IT Security that was supposed to be challenging and interesting become repetitive and … boring. Same Alerts every day to analyse. Analyze the attachement, check IP reputation, check file hash, has anyone seen it? You know what I mean? Hope NO, because if YES, than we have little time before complete frustration.
Every time Soar travels through the data it collects crucial keys needed in orchestration and automation process. Integrated SIEM is a source of alerts from which SOAR generate its knowledge. EnergySoar is no different. From ingested alerts we collect our Observables. What are they ?