# Firewall Threat Reduction

Read about how one Pipeline, in this case built around Firewall Threat Reduction, can serve multiple use cases and data solutions at once.

<figure><picture><source srcset="/files/kG2oFT0159rldHl7dz3u" media="(prefers-color-scheme: dark)"><img src="/files/65jFTlvzkrBlFq14IuQN" alt=""></picture><figcaption></figcaption></figure>

## Data reduction

For the first use case, we will reduce the firewall.paloalto.threat data and send on the results.

### Parser

We have an automated parser that uses machine learning to inspect the firewall logs and split them into fields automatically. Although the parser handles this for you, you can modify it to extract specific fields, split fields, change field types, and so on.

### Message Builder

Use the message builder to remove redundant information and take only certain logs from the parser.

### Syslog

Send the data over to a Syslog data hub, significantly reducing data usage.

## <mark style="color:blue;">Enrichment</mark>

A second use case is to enrich your data with IP addresses coming from an external database.

### Lookup

The Lookup action pulls enrichments uploaded to Onum that contain IP addresses potentially exposed to threats.

This creates a new field, enriching the data with the exposure database.

<figure><picture><source srcset="/files/k3ycMf68ZFhbyVsiSIt3" media="(prefers-color-scheme: dark)"><img src="/files/QmzQOm7qoOfX7VnDNJew" alt=""></picture><figcaption></figcaption></figure>

### Conditional

From here, you can narrow the data down using the ***is not null*** condition to discard events whose lookup field is null and send data on only when there is a match.

<figure><picture><source srcset="/files/2BQgTPG7W2dHbkfEO9iv" media="(prefers-color-scheme: dark)"><img src="/files/A8ETcL9OrxgymDfTKU6J" alt=""></picture><figcaption></figcaption></figure>

### Real-time alerts

The Twilio sink can be used to send an SMS via Twilio when the lookup returns an exposure level for the given IP.

At this point, we have reduced the data that is sent on for storage and archiving, and enriched it in real time, using a conditional to keep only the matches.
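The two use cases above, worked through end to end as an added example (not Onum's own code, and not the vendor's log schema): a parser that splits syslog-wrapped THREAT lines into named fields and types the threat ID, a Message Builder step that keeps only the fields downstream needs, the Syslog output, a Lookup against a constructed exposure table, the ***is not null*** conditional, and the text the Twilio sink would send. The column order of the CSV payload, the sample log lines and the exposure table are all constructed for this example.

```python
import csv
import io
import re
from typing import Optional

# Constructed sample: syslog header followed by a simplified, comma-separated
# THREAT-style payload. The column order below is an assumption made for this
# example, not the vendor's documented schema.
SAMPLE_LOGS = [
    "<14>Jan 10 12:00:01 fw01 1,2024/01/10 12:00:01,001901000001,THREAT,vulnerability,203.0.113.10,10.0.0.5,allow-web,web-browsing,untrust,trust,alert,Generic Exploit Attempt(12345),medium",
    "<14>Jan 10 12:00:02 fw01 1,2024/01/10 12:00:02,001901000001,THREAT,url,10.0.0.7,198.51.100.20,allow-web,web-browsing,trust,untrust,alert,benign-site,informational",
    "<14>Jan 10 12:00:03 fw01 1,2024/01/10 12:00:03,001901000001,THREAT,vulnerability,198.51.100.77,10.0.0.9,allow-web,ssl,untrust,trust,drop,Scanner Probe(67890),high",
    "<14>Jan 10 12:00:04 fw01 1,2024/01/10 12:00:04,001901000001,THREAT,file,10.0.0.12,198.51.100.30,allow-web,ftp,trust,untrust,alert,Policy Violation,medium",
]

COLUMNS = ["future_use", "receive_time", "serial", "type", "threat_type",
           "src_ip", "dst_ip", "rule", "app", "src_zone", "dst_zone",
           "action", "threat_name", "severity"]

# Constructed "exposure database" that the Lookup action would consult:
# IP -> exposure level. Values are made up for this example.
EXPOSURE_DB = {
    "203.0.113.10": "high",
    "198.51.100.77": "critical",
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse(line: str) -> Optional[dict]:
    """Parser stage: split one syslog line into named fields (None if it doesn't match)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    row = next(csv.reader(io.StringIO(m.group("msg"))))
    if len(row) != len(COLUMNS):
        return None
    fields = dict(zip(COLUMNS, row))
    fields["host"] = m.group("host")
    # Pull the numeric threat ID out of "Name(12345)" into its own typed field.
    tid = re.search(r"\((\d+)\)$", fields["threat_name"])
    fields["threat_id"] = int(tid.group(1)) if tid else None
    return fields


KEEP = ("receive_time", "host", "src_ip", "dst_ip", "action",
        "threat_name", "threat_id", "severity")


def build_message(fields: dict) -> dict:
    """Message Builder stage: keep only the fields downstream consumers need."""
    return {k: fields[k] for k in KEEP}


def reduce_logs(lines):
    """Data reduction use case: parse, drop unparseable and low-value events, trim fields."""
    out = []
    for line in lines:
        f = parse(line)
        if f is None or f["severity"] == "informational":
            continue
        out.append(build_message(f))
    return out


def to_syslog(msg: dict) -> str:
    """Syslog stage: render a reduced message as a key=value line for the Syslog sink."""
    def fmt(v):
        s = str(v)
        return f'"{s}"' if " " in s else s
    return " ".join(f"{k}={fmt(v)}" for k, v in msg.items())


def enrich(msg: dict) -> dict:
    """Lookup stage: add the exposure level for the source IP (None when not in the table)."""
    return {**msg, "exposure": EXPOSURE_DB.get(msg["src_ip"])}


def enrich_and_filter(lines):
    """Enrichment use case: Lookup, then the 'is not null' Conditional on the new field."""
    return [e for e in (enrich(m) for m in reduce_logs(lines)) if e["exposure"] is not None]


def sms_text(event: dict) -> str:
    """Text the Twilio sink would send for an event that matched the exposure table."""
    return (f"[{event['exposure'].upper()}] {event['src_ip']} -> {event['dst_ip']}: "
            f"{event['threat_name']} ({event['action']})")


if __name__ == "__main__":
    for m in reduce_logs(SAMPLE_LOGS):
        print(to_syslog(m))
    for ev in enrich_and_filter(SAMPLE_LOGS):
        print("SMS:", sms_text(ev))
```

On the constructed input, four raw lines become three reduced messages (the informational URL event is dropped), and only the two whose source IP is in the exposure table pass the conditional and reach the SMS step; the fourth event, a policy violation from an internal address, is stored but never alerts on.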

## <mark style="color:green;">Real-time analysis</mark>

You can use Onum to analyze your data in real time on the platform by grouping and aggregating it.

### Group by

Group by IP over five-minute windows and count how many events contain the message ID field.

<figure><img src="/files/8oCG5aGG02OEcgPAvVw7" alt=""><figcaption></figcaption></figure>

### Splunk

This aggregated data can then be sent on to Splunk for further analysis.
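The Group by step above, as an added example that is not Onum's own code: events are bucketed into five-minute tumbling windows per source IP, the events that carry a message ID are counted alongside the window total, and the aggregates are serialised as newline-delimited Splunk HEC event JSON. The event records, the `msg_id` field name and the `index`/`sourcetype` values are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed events, as the pipeline would see them after parsing. "msg_id" is
# the message ID field we count; None means the event lacks it.
EVENTS = [
    {"ts": "2024-01-10T12:00:05Z", "src_ip": "203.0.113.10", "msg_id": "T-1001"},
    {"ts": "2024-01-10T12:01:10Z", "src_ip": "203.0.113.10", "msg_id": "T-1002"},
    {"ts": "2024-01-10T12:03:59Z", "src_ip": "203.0.113.10", "msg_id": None},
    {"ts": "2024-01-10T12:04:30Z", "src_ip": "198.51.100.77", "msg_id": "T-2001"},
    {"ts": "2024-01-10T12:05:00Z", "src_ip": "203.0.113.10", "msg_id": "T-1003"},
    {"ts": "2024-01-10T12:09:59Z", "src_ip": "198.51.100.77", "msg_id": "T-2002"},
]

WINDOW = 300  # five minutes, in seconds
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def window_start(ts: str) -> int:
    """Floor an ISO-8601 UTC timestamp to the start of its five-minute window (epoch seconds)."""
    epoch = int(datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % WINDOW


def group_by_ip(events):
    """Group by (window, src_ip); count all events and those carrying a message ID."""
    totals = defaultdict(int)
    with_id = defaultdict(int)
    for ev in events:
        key = (window_start(ev["ts"]), ev["src_ip"])
        totals[key] += 1
        if ev.get("msg_id"):
            with_id[key] += 1
    return [
        {
            "window_start": datetime.fromtimestamp(w, timezone.utc).strftime(TS_FMT),
            "src_ip": ip,
            "events": totals[(w, ip)],
            "with_msg_id": with_id[(w, ip)],
        }
        for (w, ip) in sorted(totals)
    ]


def to_splunk_hec(rows, index="firewall", sourcetype="pan:threat:agg") -> str:
    """Serialise aggregates as newline-delimited HEC event JSON (index/sourcetype are placeholders)."""
    return "\n".join(
        json.dumps({
            "time": window_start(r["window_start"]),  # event time = start of the window
            "index": index,
            "sourcetype": sourcetype,
            "event": r,
        })
        for r in rows
    )


if __name__ == "__main__":
    print(to_splunk_hec(group_by_ip(EVENTS)))
```

With the constructed events, 203.0.113.10 produces three events in the 12:00 window but only two with a message ID, which is the distinction the count is meant to surface; the 12:05:00 event falls in the next window because the boundaries are tumbling, not sliding.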

## Results

Data reduction filters out the noise, leaving only the relevant data to send on and massively reducing your log volume.

Enrichment adds a further level of processing: it consults a database, filters out null values, and alerts by SMS when an exposure is detected, signalling the need for further inspection.

Real-time analysis groups the data and sends it over to Splunk for quick processing there.

