Overview Of The DNIF Data Model

The DNIF Data Model (DDM) is a symbiotic model that provides coherence between the data and its extracted value. DDM was implemented to solve the problem of devices from different vendors producing a variety of logs in different formats, with different parameters that may or may not be useful for threat detection.

DDM focuses on extracting data. It contains a collection of data models and documents that help normalise data in a vendor-neutral way across the various integrated devices.

What is DDM

Think of DDM as a database schema that you can refer to when dealing with disparate datasets from various device types.

There are two types of models:

  1. Device Based Model: This model provides a comprehensive list of fields that are available only when the specific device type named by the model is used.
  2. SubSystem Based Model: This model provides three levels of abstraction for the data normalised from any type of device.

Data Models in DNIF

Why use DDM

DDM helps you normalise your data to match a common standard by using the same field names for equivalent events from different sources and vendors.

This approach allows you to define relationships between event data while leaving the raw data intact in the ‘Datastore’.

After the data has been normalised from multiple sources, you can develop reports, modules, workbooks and correlation rules to gain insight into the collected data. You can display the normalised data in a dashboard view to gain an overall view of the events.

Multiple dashboards can be created for different requirements, such as dashboards for PCI, DSS or any other compliance standard.
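
The normalisation idea described above, as an added example that is not DNIF code: two constructed firewall log formats are mapped to one set of field names, the raw line is kept next to the parsed fields, and a single rule then works across both vendors. The vendor names, log formats and field names (src_ip, dst_ip, dst_port, action) are assumptions for illustration; the actual DDM field names are listed in the model pages.

```python
import re
from collections import Counter

# Constructed sample events from two hypothetical firewall vendors.
RAW_EVENTS = [
    ("vendor_a", "src=10.0.0.5 dst=203.0.113.9 act=deny dport=22"),
    ("vendor_a", "src=10.0.0.7 dst=203.0.113.9 act=allow dport=443"),
    ("vendor_b", "2024-01-01T10:00:00Z,BLOCK,10.0.0.5,198.51.100.4,3389"),
    ("vendor_b", "2024-01-01T10:00:02Z,PERMIT,10.0.0.8,198.51.100.4,443"),
]

# Hypothetical common vocabulary: vendor verbs collapse to one value set.
ACTION_MAP = {"deny": "BLOCKED", "block": "BLOCKED",
              "allow": "ALLOWED", "permit": "ALLOWED"}

def parse_vendor_a(raw):
    """key=value format, e.g. 'src=... dst=... act=... dport=...'."""
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    return {"src_ip": kv["src"], "dst_ip": kv["dst"],
            "dst_port": int(kv["dport"]), "action": kv["act"]}

def parse_vendor_b(raw):
    """CSV format: timestamp,action,source,destination,port."""
    _ts, action, src, dst, port = raw.split(",")
    return {"src_ip": src, "dst_ip": dst,
            "dst_port": int(port), "action": action}

PARSERS = {"vendor_a": parse_vendor_a, "vendor_b": parse_vendor_b}

def normalise(vendor, raw):
    """Return an event with common field names; the raw line is never dropped."""
    parser = PARSERS.get(vendor)
    if parser is None:
        return {"vendor": vendor, "raw": raw, "parse_error": "unknown vendor"}
    try:
        event = parser(raw)
    except (KeyError, ValueError) as exc:
        # Malformed input stays searchable through its raw text.
        return {"vendor": vendor, "raw": raw, "parse_error": type(exc).__name__}
    event["action"] = ACTION_MAP.get(event["action"].lower(), "UNKNOWN")
    event.update(vendor=vendor, raw=raw)
    return event

def blocked_by_source(events):
    """One vendor-neutral rule: blocked connections counted per source IP."""
    return Counter(e["src_ip"] for e in events if e.get("action") == "BLOCKED")

if __name__ == "__main__":
    events = [normalise(v, r) for v, r in RAW_EVENTS]
    print(blocked_by_source(events))
```

Events that fail to parse carry a parse_error field instead of the common fields, so rules skip them without losing the original line.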


This manual assumes you are familiar with the full data cycle in the DNIF platform. If you are not, you can get familiar with it at: Getting Data in DNIF

How to use the DDM

Depending on the data ingested from different sources, a few models are specific to a particular device, as listed on our device models page or under the SubSystem Based Model. You can query the dataset based on the values present in the respective tables to derive insights, as mentioned in the description.

These models help analysts select the proper fields when writing rules or use cases. Some of these use cases can be found in our guides section.