Firewall Threat Reduction
Read about how you can use one Pipeline (in this case, Firewall Threat Reduction) to carry out multiple use cases and data solutions.


Data reduction
For the first use case, we will reduce the firewall.paloalto.threat data and send on the results.
Parser
We have an automated parser that uses machine learning to look at the firewall logs and automatically split them into strings. Although the parser provides automated parsing, you can modify it to extract certain fields, split fields, change types, etc.
Message Builder
Use the message builder to remove redundant information and take only certain logs from the parser.
Syslog
Send the data on to a Syslog data hub, significantly reducing data usage.
Enrichment
A second use case would be to enrich your data with IPs coming from an external database.
Lookup
The Lookup action pulls enrichments uploaded to Onum containing IP addresses potentially exposed to threats.
This creates a new field, enriching the data with the exposure database.


Conditional
From here, you can narrow down the data using the "is not null" condition to discard null fields and only send on data when there is a match.


Real-time alerts
The Twilio sink can be used to send an SMS to Twilio if there is an exposure level on the given IP.
At this point we have reduced data to send on for storage and archiving and enriched in real-time using a conditional for matches.
Real-time analysis
You can use Onum to analyze your data in real-time on the platform by grouping and aggregating it.
Group by
Group by IP every five minutes and count how many times each group contains the message ID field.

Splunk
This aggregated data can then be sent on to Splunk for further analysis.
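The whole pipeline described above (reduce, look up, filter on a match, alert, group by IP in five-minute windows), run end to end over constructed sample data. This is an added example and not Onum's own code: the machine-learning parser is replaced by a plain comma split over a simplified, constructed log layout (not the real PAN-OS threat format), the exposure database is an inline dictionary, the Twilio step only builds the SMS text, and the Splunk step only returns the aggregates. The field names, sample lines and exposure levels are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified layout: receive_time, type, subtype,
# src, dst, action, message_id. Not the real PAN-OS threat log format.
SAMPLE_LOGS = """\
2024-05-01 10:00:05,THREAT,vulnerability,10.0.0.5,203.0.113.7,alert,msg-1001
2024-05-01 10:01:10,THREAT,vulnerability,10.0.0.5,203.0.113.7,alert,msg-1002
2024-05-01 10:02:30,THREAT,spyware,10.0.0.9,198.51.100.4,drop,msg-1003
2024-05-01 10:03:00,TRAFFIC,end,10.0.0.5,192.0.2.10,allow,msg-1004
2024-05-01 10:06:15,THREAT,vulnerability,10.0.0.5,203.0.113.7,alert,msg-1005
2024-05-01 10:07:40,THREAT,spyware,10.0.0.9,192.0.2.10,drop,msg-1006
"""

# Constructed exposure table, standing in for the enrichment uploaded to Onum.
EXPOSURE_DB = {"203.0.113.7": "high", "198.51.100.4": "medium"}

FIELDS = ["receive_time", "type", "subtype", "src", "dst", "action", "message_id"]
KEEP = ["receive_time", "src", "dst", "message_id"]  # fields the downstream steps need


def parse(raw):
    # Parser step (stand-in for the ML parser): split each line into named strings.
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(raw)) if row]


def reduce_events(events):
    # Message Builder step: keep only THREAT logs and drop redundant fields.
    return [{k: e[k] for k in KEEP} for e in events if e["type"] == "THREAT"]


def enrich(events):
    # Lookup step: add an "exposure" field from the database (None when no match).
    return [dict(e, exposure=EXPOSURE_DB.get(e["dst"])) for e in events]


def conditional(events):
    # "is not null" step: only pass events where the lookup matched.
    return [e for e in events if e["exposure"] is not None]


def build_alerts(events):
    # Twilio step: one SMS text per exposed IP (the send itself is omitted here).
    seen = {}
    for e in events:
        seen.setdefault(e["dst"], e["exposure"])
    return [f"Exposure {level} detected for {ip}" for ip, level in seen.items()]


def group_by_window(events, minutes=5):
    # Group by step: per destination IP and five-minute window, count the
    # events that carry a message_id field.
    counts = defaultdict(int)
    for e in events:
        ts = datetime.strptime(e["receive_time"], "%Y-%m-%d %H:%M:%S")
        window = ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second)
        if e.get("message_id"):
            counts[(e["dst"], window.isoformat())] += 1
    return dict(counts)  # what would be forwarded to Splunk


def run_pipeline(raw=SAMPLE_LOGS):
    parsed = parse(raw)
    reduced = reduce_events(parsed)
    matched = conditional(enrich(reduced))
    return {
        "input": len(parsed),
        "reduced": reduced,
        "matched": matched,
        "alerts": build_alerts(matched),
        "aggregates": group_by_window(matched),
    }


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['input']} lines in, {len(result['reduced'])} after reduction, "
          f"{len(result['matched'])} with an exposure match")
    for sms in result["alerts"]:
        print("SMS:", sms)
    for (ip, window), n in result["aggregates"].items():
        print(f"{ip} @ {window}: {n} events")
```

On the sample data the TRAFFIC line is dropped by the reduction step, the THREAT event to 192.0.2.10 is dropped by the null check because it has no exposure entry, and the remaining four events produce two alerts and three per-IP, per-window counts.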
Results
Data reduction filters out the noise, leaving only the relevant data to send on and massively reducing your logs.
Enrichment uses a database with an added level of complexity: null values are filtered out, and if exposure is detected an SMS is sent to signal the need for further inspection.
Real-time analysis groups the data and sends it over to Splunk for quick processing there.