Create a Signal Block
Signals help us look across multiple attack vectors. Signals are triggered via Workbooks, as per the logic set in the workbook's query. When a query is executed via a workbook and the results contain threat-related data, such as types of attacks, a signal is triggered, alerting us with relevant intel.
For example, if there is a “Brute Force” attack on the login screen of a client’s website, we can pull out relevant information regarding this attack, such as “Source IP Address”, “Event Name”, “Type of Attack”, “Source Country” and other relevant details as needed.
How to add a signal block?
- Hover on the Workbooks icon on the left navigation bar; it will display the folder-wise view of existing workbooks in the tenant (previously known as cluster).

- Click the plus icon on the Workbook page and then add a DQL / Search / Code / AI Block before you add a Signal Block.

It is mandatory to add a DQL / Search / Code / AI Block before you add a Signal Block.
- Once the query results of the DQL / Search / Code / AI Block are displayed, you can add a signal block based on this particular query result.

- Click the plus icon on the Workbook page and select Signal Block from the list; the Signal Block section will be added to the Workbook page.

In the Signal Block section, enter the following fields:
| Field | Description |
|---|---|
| Name | Enter a name for the signal you are about to create. Signal names are parameterized: users can enter multiple field values with _ (underscore), and the result is displayed as the detection name when the signal is raised. **Note:** Parameterized signal names eliminate the need to create multiple workbooks for each detection type. Every parameterized field should be prepended and appended with an underscore: **Signalname_$Fieldname1_ _$Fieldname2_ _$Fieldname3_**. **Example:** signal_$Evtlen_ _$Pstatus_. Sample output of the above example will be displayed as signal_1423_NEF. |
| Tactic | The system will recommend options for tactics based on the query results and attack type. |
| Technique | The system will recommend options as per the tactic selected. |
| Confidence | The confidence score is automatically calculated, with a default value of 5. It ranges from 1 to 5. |
| Score | Enter a score level for the attack in the range of 1-10, where 10 is the most critical attack and 1 is a low-risk attack. |
| Target | Target is the system / IP / file that was targeted by the attack. The common types of targets are: Host, User, Resource, Port. |
| Suspect | Suspect is the system / IP / URL etc. from where the attack was initiated. The common types of suspects are: Host, User, Object, Process, Hash, URLAction. |
It is mandatory for a signal to have a target or a suspect. You can add multiple target fields and suspect fields.
- Enter / select the details and click Run to raise the signal. The following message will be displayed:
Signal raised successfully
How to view the raised signal?
- Execute the following query to check if the signal has been raised:
_fetch * from event where $Stream=SIGNALS limit 10
Signal Block Functions
| Icons | Functionality |
|---|---|
| (icon) | Used to execute the query |
| (icon) | Click this to revoke the executed query. |
| (icon) | Used to filter the query result based on your requirement. |
| (icon) | Delete a block |

For more details on Workbooks, refer to Create a Workbook.
Parameterised Signals
Enter a name for the signal you are about to create. Signal names are parameterized: users can enter multiple field values with _ (underscore), and the result is displayed as the detection name when the signal is raised.
- Parameterized signal names eliminate the need to create multiple workbooks for each detection type.
- Every parameterized field should be prepended and appended with an underscore: Signalname_$Fieldname1_ _$Fieldname2_ _$Fieldname3_
- Example: signal_$Evtlen_ _$Pstatus_
- Sample output of the above example will be displayed as signal_1423_NEF
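
The following is an added sketch, not DNIF's own code, that models the expansion shown above so you can preview which detection names a template will produce from a set of query-result rows. The function names, the token regex, the whitespace handling and all sample rows other than the 1423 / NEF pair are assumptions made to reproduce the page's example.

```python
import re

# Assumed token shape, taken from the page's pattern: _$Fieldname_
TOKEN = re.compile(r"_\$([A-Za-z0-9]+)_")


def expand_signal_name(template, row):
    """Expand a parameterized signal name against one query-result row."""
    # The page's sample output has no spaces, so drop the gaps between tokens.
    compact = re.sub(r"\s+", "", template)
    missing = [f for f in TOKEN.findall(compact) if f not in row]
    if missing:
        # Fail loudly instead of emitting a half-expanded detection name.
        raise KeyError("fields not in query result: " + ", ".join(missing))
    # Each _$Field_ token becomes an underscore followed by the field value.
    return TOKEN.sub(lambda m: "_" + str(row[m.group(1)]), compact)


def detection_names(template, rows):
    """Count rows per expanded name: one template, many detection names."""
    counts = {}
    for row in rows:
        name = expand_signal_name(template, row)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample rows; only 1423 and NEF come from the page's example.
SAMPLE_ROWS = [
    {"Evtlen": 1423, "Pstatus": "NEF"},
    {"Evtlen": 1423, "Pstatus": "NEF"},
    {"Evtlen": 980, "Pstatus": "OK"},
]

if __name__ == "__main__":
    template = "signal_$Evtlen_ _$Pstatus_"
    for name, count in detection_names(template, SAMPLE_ROWS).items():
        print(name, count)
```

Because field values become part of the detection name, a high-cardinality field in the template produces a correspondingly large number of distinct names, which is worth checking before scheduling the workbook.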




