1 of 100

v1.692.0

Welcome

Falcon Onum helps security and IT leaders focus on the most important data. Gain control of your data by cutting through the noise for deep insights in real-time.

Quick links

Getting Started with Falcon Onum Understanding The Essentials Pipelines

Getting Started

About Falcon Onum

Observability & Orquestration in real time. Any format. Any source.

Overview

The exponential growth of data ingestion volumes can lead to reduced performance, slow response times, and increased costs. With this comes the need to implement optimization strategies & volume reduction control. We help you cut the noise of large data streams and reduce infrastructure by up to 80%.

Gain deep insights from any type of data, using any format, from any source.

All of this...

@ the Edge

By collecting and observing that data at the edge, as close as possible to where it’s being generated, gain real-time observations and take decisive action to prevent network downtime, payment system failures, malware infections, and more.

Unlike most tools that provide data observation and orchestration, Onum is not a data analytics space, which is already served well by security information and event management (SIEM) vendors and other analytics tools. Instead, Onum sits as close as possible to where the data is generated, and well in front of your analytics platforms, to collect and observe data across every aspect of your hybrid network.

Start with the basics

Architecture

Designed for the Edge, created in the Cloud

Easy, flexible deployment in any environment while keeping them as close as possible to where the data is produced delivers unparalleled speed and efficiency, enabling you to cut the infrastructure you have dedicated to orchestration by up to 80%.

The Onum infrastructure consists of:

Distributor: this is the service that hosts the Listener before forwarding it to Workers.
Worker: this is the service that runs the Pipelines, receiving data from its Distributor and contained within a Cluster.

Deployment

Falcon Onum installation process

Overview

Once you’ve obtained an Onum account, just a few steps are needed to complete the installation, depending on the type of deployment you require. Onum supports flexible deployment options, including both on-premises and cloud environments.

In case you have any question regarding the deployment and installation process, please .

Getting Started with Falcon Onum

Welcome to Falcon Onum! This guide will help you start working with Onum, a powerful tool designed to enhance your data analysis and processing capabilities.

Accessing Onum

Once you get your Onum credentials, you only have to go to console.onum.com and enter them to access your Tenant.

A Tenant is a domain that contains a set of data in your organization. You can use one or various Tenants and grant access to as many as required. Learn more about working with Tenants in this article.

Logging in

Once in , there are several ways to log in:

Log in with email address and password. Your password must be a minimum of 10 characters and include a combination of uppercase letters, lowercase letters, numbers, and symbols.
Two-factor authentication
Single Sign-On (SSO) with SAML
Single Sign-On (SSO) with OpenID

Learn more about the different authentication types in .

An inactive session will be automatically logged out after one hour.

Navigating the Interface

When you access the Onum app, you'll see , where you can see an overview of the activity in your Tenant.

You can access the rest of the areas in Onum using the left panel.

Create Your First Listener

Onum receives any data through Listeners.

These are logical entities created within a Distributor, acting as the gateway to the Onum system. Configuring a Listener involves defining an IP address, a listening port, and a transport layer protocol, along with additional settings depending on the type of Listener specialized in the data it will receive.

Access the Listeners area to start working with them. Learn how to create your first Listener .

Create Your First Data Sink

Onum outputs data via Data sinks. Use them to define where and how to forward the results of your streamlined data.

Access the Data sinks area to start working with them. Learn how to create your first Data sink .

Build Your First Pipeline

Use Pipelines to start transforming your data and build a data flow. Pipelines are made of the following components:

Learn more about Pipelines .

Use cases

Do you want to check the essential steps in Onum through specific Pipelines? Explore the most common use cases in .

Understanding The Essentials

Get to grips with the important concepts & best practices of the Falcon Onum application.

These articles contain information on functionalities across the entire platform.

Cards and Table Views

Viewing and modifying elements in the table.

Overview

In the Listeners, Pipelines, and Data sinks areas, you can view all the resources in your Tenant as cards or in a table.

In both views, you can:

Click the magnifying glass icon to look for specific elements in the list. You can search by name, status, or tag.
Display all the elements individually in a list or grouped by types. These grouping options vary depending on the area you are.

Table View

In the Table view, you can click the cog icon to begin customizing the table settings. You can reorder the columns in the table, hide or display the required ones or pin them.

Changes will be automatically applied. Click the Reset button to recover the original configuration.

Click a row to open the details window, or double-click it to access the element and edit it.
Use the buttons at the top right part of the table to expand or collapse each row in the table. This will change the level of detail of each element.
Click the ellipsis button on each row to edit the element, copy its ID, or remove it.

Cards View

In this view, each element is displayed as a card that shows details about it.

Click a card to open the details window, or double-click it to access the element and edit it.
Click the ellipsis button on each card to edit the element, copy its ID, or remove it.
Click the Add tag button and add the required tags to an element. For each tag you enter in the box, hit the Enter key. Click Save to add the tags.

Graph Calculations

Overview

This article outlines the more complex calculations that go on behind the graphs you see.

In the , , and views, you will see detailed metrics on your events and bytes in/out, represented in a graph at the top of these areas.

The line graph represents the events in/out, and the bar graph represents bytes in/on. Hover over a point on the chart to show a tooltip containing the events and bytes in for the selected time, as well as a percentage of how much increase/decrease has occurred since the previous lapse of time since the one currently selected.

The Time Range Selector

Overview

Throughout the entire Onum platform, you can set a period to either narrow down or extend the data shown. You can either select a predefined period or apply a custom time range.

The related graph and resources will be automatically updated to display data from the chosen period. To remove a selected period, simply click the bin icon that appears next to the period to go back to the default time range (1 hour ago).

The intervals will be calculated according to the Timezone of your browser. Keep an eye out for future implementations, where you can manually select a timezone.

Predefined and Custom time ranges

As well as predefined time intervals, you can also define a custom time range. To do it, simply select the required starting and ending dates in the calendar.

Comparisons

The interesting thing about Onum is that you can directly see how much volume you have saved compared to past ingestions, telling you what is going well and what requires further streamlining.

The comparison is direct/equivalent, meaning all data shown is analyzed compared to the previously selected equivalent time range.

For example, if the time range is 1 hour, the calculation of differences will be carried out using the previous one hour before the current selection =

Range selected: 10:00-11:00
Comparison: 09:00-10:00

Again, let´s say you now wish to view data over the last 7 days. The percentages will be calculated by measuring the volume retrospectively two weeks ago with the previous week.

Key Terminology

Get to grips with these key concepts to better understand how Onum works and use it to its full potential.

Action

A unit of work performing a given operation on an event.

THE WORKSPACE

Collect data from AWS products

Collect data from Google Cloud products

Collect data from Agari DMARC Protection

Where the vendor is Agari, it's product is DMARC Protection. For DMARC Protection API, right now we have the following product types/endpoints:

Collect data from Akamai products

Collect data from Guardicore

Where the vendor is Akamai, it's product is Guardicore. Right now we have the following product types/endpoints:

Inside each of those endpoints we have the YAML file to configure.

Collect data from Cisco Umbrella products

Where the vendor is Cisco, it's product is Umbrella. For Umbrella, right now we have the following product types/endpoints:

Inside each of those endpoints we have the YAML file to configure.

Collect data from CrowdStrike Falcon NG-SIEM

Where the vendor is CrowdStrike, it's product is Falcon API. For Falcon API, right now we have the following product types/endpoints:

Inside each of those endpoints we have the YAML file to configure.

Collect data from Netskope

Where the vendor is Netskope, we have the following product types/endpoints:

Alerts
Events

Inside each of those endpoints we have the YAML file to configure.

Collect data from Palo Alto products

Collect data from Cortex XDR

Integrate with API Logs from the Cortex Platform using the HTTP Pull Listener using the data Integration API.

Collect data from SentinelOne

Where the vendor is SentinelOne, it's product is web API. For Web API, right now we have the following product types/endpoints:

Collect data from Trend Vision One

Where the vendor is Trend Micro, it's product is Vision one. For Vision one, right now we have the following product types/endpoints:

Inside each of those endpoints we have the YAML file to configure.

Collect data from Microsoft products

Collect data from Check Point NGFW

Check Point's Next-Generation Firewall to Onum Syslog Listener

See the changelog of the Syslog Listener .

Overview

The following article outlines a basic data flow from your Check Point's Next-Generation Firewall (NGFW) to the Onum Syslog

Collect data from Fortinet NGFW

See the changelog of the Syslog Listener .

Overview

The following article outlines a basic data flow from your Fortinet Next-Generation Firewall (NGFW) to the Onum Syslog Listener.

Collect data from Palo Alto NGFW

Palo Alto NGFW to Onum Syslog Listener

See the changelog of the Syslog Listener .

Overview

The following article outlines a basic data flow from your Palo Alto Next-Generation Firewall (NGFW) to the Onum Syslog Listener.

Generate scheduled events

Most recent version: v0.0.1

See the changelog of the Tick Listener type .

Note that this Listener is only available in certain Tenants. Get in touch with us if you don't see it and want to access it.

Overview

The Tick listener allows you to emit events on a defined schedule.

Onum Setup

Double-click the Tick Listener.

Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

Click Create listener when you're done.

Update Listeners

Note that this feature is only available for certain Tenants. if you need to use it and don't see it in your Tenant.

Next to the Listeners tab in the left menu, you'll see a number that indicates the Listeners that have pending updates. In this area, Listeners that have pending updates will show an Update tag.

Cloud Listeners

Are you interested in deploying your Onum installation in our Cloud? , and we will configure a dedicated Cloud Tenant for you and your organization.

Overview

If your Onum installation is deployed in our Cloud, the configuration settings of a Listener would be slightly different from Listeners defined in an On-Premise deployment:

AI Assistant

Just ask, and the assistant helps you building your Pipelines

Onum offers you two different types of AI-powered assistants to help you build powerful Pipelines:

Pipeline Assistant - Build your Pipeline structure using this assistant.
Action Assistant - Once you've defined your Pipeline structure, you can configure each Action settings using this assistant.

AI Pipeline Assistant

Note that this feature is only available for certain Tenants. Contact us if you need to use it and don't see it in your Tenant.

Overview

The Pipeline Assistant is an AI-powered chat feature designed to help users design and build their Pipelines. Any configuration requested through the chat will be automatically applied. Simply enter the results you expect from your Pipeline and the AI will generate a Pipeline structure according to your needs.

To start using it, create a new Pipeline, drag a Listener, and just click this icon at the bottom left corner:

Note that this AI Assistant only creates Pipeline structures. The individual Actions in the generated Pipeline won't be configured. You can use our to help you configure your Actions.

Examples

Here are some example use cases where we ask for help from the Pipeline Assistant. Check the prompts we use and the resulting configuration in each example picture.

Filter most common priorities

Send a report of aggregated data to Jira

Listeners

The default tab that opens when in the Pipeline area is the Listeners tab, which shows all Listeners in your Tenant, as well as their labels.

Use the search bar to find a specific Listener or Label.

Edit a Listener

You can edit a label from the list by clicking the ellipses next to its name and selecting Edit.

This will open the Listener Configuration and Labels for you to modify.

Create Listener

If the Listener you wish to use in the Pipeline does not already exist, you can create it directly from this view using the Create Listener button in the bottom right of the tab. This will open the Listener Configuration window.

Add a Listener to your Pipeline

Go to to learn step by step.

Advanced

Double-click the Azure Event Hubs Listener.

Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

Establish the Event Hub Connection

Enter the Event Hub Namespace* to connect to (e.g. mynamespace.servicebus.windows.net). You can find this in the top left-hand corner of you Azure area.
In your Azure console, click your Event Hubs namespace to view the Hubs it contains in the middle pane and enter it in the Event Hub Name

In the Authentication section, choose between Connection String and Entra ID as the Authentication Type.

Connection String
- Connection String* The URL for your Event Hub. To get it:

You can now select the secret you just created in the corresponding fields.

Checkpointing & Processor

When multiple consumer instances read from the same Event Hub and consumer group, a cooperative processor coordinates partition ownership and progress using a checkpoint store (Azure Blob Storage).

Ensures at-least-once processing without duplicates when instances restart: committed checkpoints allow new owners to resume from the last processed offset instead of re-reading the whole partition.
Evenly distributes partitions across active instances (load balancing): with the balanced strategy, ownership is redistributed as instances join/leave;

Enter the Storage Container Name* In the left-hand menu, scroll down to Resource groups, where you will see a list of all the storage containers within your Event Hub. In Onum, enter the name of the blob container to persist checkpoints and ownership.

The Storage Connection String parameter is a secret, therefore you must add this string in the area, or select it from the list if you have already done so.

for where to find it in the Azure portal.

Then, configure the Processor Options.

Load Balancing Strategy
Choose how to distribute the work evenly across the server to avoid overload.
- Balanced - distributes load evenly across all servers.

Decide whether to Use batch settings.

When false, the handler processes events one-by-one using internal defaults (maxBatchSize=1, maxWaitTimeMs=500). When true, batch processing settings apply.

Max Batch Size* Enter the maximum bytes for the batch.

The Start Position defines where to begin reading the event stream.

Latest (End of Stream)
- Onum begins reading from the next event that is enqueued after Onum starts. It skips all existing events currently in the partition.

Add the Backoff Settings regarding how long to wait before retrying a request after failure.

Error Backoff (ms) Enter the amount of milliseconds to wait after an error before retrying.
Idle Backoff (ms) Enter the amount of milliseconds to wait before trying again to send a request.

Choose the Decompression method used to restore a compressed message to its original form before being processed (none, gzip or zlib)

Choose the Split Strategy method of dividing the data or requests from the following delimiter options:

None to ignore
Newline
JSON array

Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.

Learn more about labels in .

Audits

Overview

Fetches audits for user, domain, or organization. start_date defaults to 14 days ago and max is 13 months.

Configuration

Parameters

parameters.domain will store the value of the API URL, excluding the endpoint paths like /v1/cp/oauth/token or /v1/cp/alert_events

Secrets

secrets.client_id will reference to Agari's Client ID
secrets.client_secret will reference to Agari's Client Secret.

Open the Secret fields and click New secret to create a new one:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in .

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

Configure as YAML

Toggle this ON to enable a free text field where you can paste your YAML.

Here we provide three different YAMLs that list audits by Domain, Organization and User.

Manually configure

If you would rather configure each field, follow the steps below.

Here you have the examples based on the List audits by Domain YAML. Simply replace the word domain with organization or user.

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - initial offset should be 5m
Format - RFC3339

Authentication Phase

Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.

Type* - token
Request Method* - POST (we would need to generate the JWT using the secrets client_id and client_secret)

Enumeration Phase

Toggle ON

Pagination Type* - offset/Limit
Limit* - 200
Request

Collection Phase

Variables
- Source - input
- Name - domainId

This HTTP Pull Listener now uses the data export API to extract alert events.

Click Create labels to move on to the next step and define the required if needed.

Pull data from HTTP endpoints

See the changelog of this Listener type here.

Note that this Listener is only available in certain Tenants. Get in touch with us if you don't see it and want to access it.

Overview

Onum supports integration with HTTP Pull. Select HTTP Pull from the list of Listener types and click Configuration to start.

HTTP Pull configuration

Double-click the HTTP Pull Listener.

Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

Desconstructing a YAML

Here we will learn what each parameter of the YAML means, and how they correspond to the settings in the HTTP Pull Listener.

The YAML is used for pulling alerts via an API and typically uses

A Temporal Window to enable the use of a time-based query window for filtering results.
Authentication using a token to authenticate the connection.
The first phase (Enumeration) enables an initial listing phase to get identifiers (e.g., alert IDs), paginating through the results.
The second phase (Collection) then fetches full alert details using the alert IDs from the enumeration phase.

Only the Collection phase is mandatory, the rest of the fields are optional.

Let´s take a closer look at each phase below.

Temporal window

A temporal window is a defined time range used to filter or limit data retrieval in queries or API requests. It specifies the start and end time for the data you want to collect or analyze. This YAML uses a temporal window of 5 minutes, in RFC3339 format, with an offset of 0, in UTC timezone.

Parameter

Description

Temporal Window example

In Onum, toggle ON the Temporal Window selector and enter the information in the corresponding fields

Duration* - 5m
Offset*

Authentication phase

If your connection requires authentication, enter the credentials here.

Parameter

Description

Authentication credentials

The options provided will vary depending on the type chosen to authenticate your API. This is the type you have selected in the API end, so it can recognize the request.

Choose between the options below.

Basic

Username* - the user sending the request.
Password* - the password eg: ${secrets.password}

API Key

Enter the following:

API Key - API keys are usually stored in developer portals, cloud dashboards, or authentication settings. Set the a secret, eg: ${secrets.api_key}
Auth injection:

Token

Token Retrieve Based Authentication

Request -
- Method* - Choose between GET

HMAC

Signs the queries using a secret key that is used by the server to authenticate and validate integrity.

Token Retrieve Based Authentication

Request

Generate ID - Toggle ON to generate.

Retry

Toggle ON to allow for retries and to configure the specifics.

Parameter

Description

Throttling

Use throttling to intentionally limit the rate at which the HTTP requests are sent to the API or service.

Throttling Type*

The client itself controls and limits the rate at which it sends requests.

Parameter

Description

The server controls the rate at which it sends data.

Parameter

Description

Enumeration phase

The enumeration phase is an optional step in data collection or API integration workflows, where the system first retrieves a list of available items (IDs, resource names, keys, etc.) before fetching detailed data about each one.

Identify the available endpoints, methods, parameters, and resources exposed by the API. This performs initial data discovery to feed the collection phase and makes the results available to the Collection Phase via variable interpolation (inputs.*).

Can use:

${parameters.xxx}
${secrets.xxx}
${temporalWindow.xxx} (if configured)

Parameter

Description

Output

Parameter

Description

Enumeration example

Pagination type - offset/LimitUses classic pagination with offset and limit to page through results, fetching data in batches (pages) — limit determines page size, offset determines where to start.

Collection phase

The collection phase in an HTTP Puller is the part of the process where the system actively pulls or retrieves data from an external API using HTTP requests.

The collection phase is mandatory. This is where the final data retrieval happens (either directly or using IDs/resources generated by an enumeration phase).

The collection phase involves gathering actual data from an API after the enumeration phase has mapped out endpoints, parameters, and authentication methods. It supports dynamic variable resolution via the variable resolver and can use data exported from the Enumeration Phase, such as:

${parameters.xxx}
${secrets.xxx}
${temporalWindow.xxx}

Inputs

In collection phases, you can define variables to be used elsewhere in the configuration (for example, in URLs, query parameters, or request bodies). Each variable definition has the following fields:

Parameter

Description

Retry

Toggle ON to allow for retries and to configure the specifics.

Parameter

Description

Throttling

Use throttling to intentionally limit the rate at which the HTTP requests are sent to the API or service.

Throttling Type*

The client itself controls and limits the rate at which it sends requests.

Parameter

Description

The server controls the rate at which it sends data.

Parameter

Description

Parameter

Description

Output

Parameter

Description

Collection example

Let´s say you have the following SIEM Integration events from Sophos.

Pagination type - cursor. If you select the cursor type, you retrieve the data in chunks (pages) using a cursor token, which points to the position in the dataset where the next page of results should start.

Ports

The HTTP Pull Listener has two output ports:

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

The error message is provided in a free-text format and may change over time. Please consider this if performing any post-processing based on the message content.

Examples

1. Basic GET Puller

Here's a simple example of using the HTTP Puller collector with parameters for a basic GET request. No authentication, no pagination, just pulling JSON data from an API endpoint. Keep Config as YAML, Temporal window, Authentication and Enumeration phase as OFF.

Collection phase
- Pagination type - none Indicates that you only need one request to retrieve all data at once.
- Request

2. Make an HTTP request using offset and limit pagination

Instead of displaying the results in a scrollable list, we will use offset/limit pagination to fetch data in pages.

Pagination type - offset/Limit We control how many records are returned at a time (limit) and choose where to start each request (offset or skip parameter)
Zero Index - false

3. Enumeration + Collection with `responseBodyLink`

This example defines a data extraction workflow that

Enumerates through a paginated API endpoint using responseBodyLink.
Filters and transforms specific data from the paginated results.
Collects further data based on the enumerated output using individual requests.

It also uses a temporal window to scope or schedule the data extraction process.

Enumeration

The enumeration defines how to gather data in a paginated manner from the Cyber Threat Intelligence API using the responseBodyLink pagination strategy.

Pagination Type - The type is Next Link At Response Body
Selector - The next page link is found using the JSON path ".info.nextPage" This suggests that the response will contain a field info.nextPage with the URL of the next page of results.

For example, the response might look like:

Response type - JSON
Method - GET. The HTTP method is GET to fetch the data.
URL - The initial URL for the request is "https://api.cyberintel.dev/iocs", where the IOCs are listed.

Output

Select - The .data array from the response is selected for further processing. This array contains the actual IOC data.
Filter - The filter expression '.threatType == "Ransomware"' selects only those IOCs where the threatType is "Ransomware". This is how we focus on ransomware-related indicators.

Result: After processing the pages, we will have a list of ransomware IOC IDs.

Collection

Once the enumeration process gathers a list of IOC IDs related to ransomware, the collection section is responsible for retrieving more detailed information for each of those IOCs.

variables - This section defines variables used in the collection step.

Name - id: The variable id represents each individual IOC ID from the enumeration output.
Source - The source: input means that the IDs come from the output of the previous enumeration step.
Expression - expression: "." simply takes each item from the input (the IOC IDs).

HTTP Request for Detailed IOC Information

Pagination type: The type is "none", indicating no additional processing is needed before making the request.
Response type - JSON.
Method: The HTTP method is GET, to fetch detailed information about each IOC.

Output Selection and Mapping

Select: This selects the .data field from the response, which contains the detailed information for the IOC.
Filter: No additional filtering is applied.
Map: The map expression "{iocName: .name}" creates a new object with the iocName key, mapping it to the .name

Result: Each IOC name (or other information, if mapped) will be saved to a file.

4. Enumeration (collection output) + Collection (POST with `bodyRaw`)

Temporal window defines a 5-minute slice of time, offset 10 minutes ago.

Enumeration step:

Makes a paginated GET to /posts.
Extracts IDs from posts within the time window.
Produces a collection of IDs.

Collection step:

Uses those IDs in a POST request.
Filters, maps, and outputs enriched objects (id, title, status).
Saves results to a file.

Duration - 5m window size is 5 minutes.
Offset - 10m shifts the window back 10 minutes from “now”. So if current UTC is 12:00, the range would be 11:45 – 11:50.
Time zone - UTC