Adapter Safeguards
Safeguards play a vital role in protecting the system against possible risks and disruptions.
DNIF has "Adapter Safeguards" that protect the Adapter from certain possible failures and dangers. They are listed below.
EPS Governor
The EPS Governor monitors the EPS as it approaches its maximum limit and takes decisions on it to prevent abnormal functioning of processes that could affect the overall operation of the Adapter.
How does it safeguard the Adapter?
- The EPS Governor monitors the incoming EPS once per minute, and this monitoring is performed on each of the log collectors.
- The EPS Governor uses an eps_threshold, which measures the capacity of the EPS coming from all the log collectors according to the Adapter hardware statistics.
- A threshold is the limit, or maximum capacity, that a system is able to sustain. The eps_threshold is the maximum incoming EPS that an Adapter has the capacity to hold.
- Ideally, this eps_threshold is calculated internally and set according to the capacity of the Adapter hardware.
- Once the eps_threshold is reached, the EPS Governor checks the event monitoring status, which tracks the iterations of events. A default value 'n' acts as the threshold for this, called events_threshold.
- The events_threshold for iterations is also set internally by the EPS Governor, and it means that the events will be monitored for the next 'n' iterations.
- If the events threshold is reached in each of the next 'n' iterations, the EPS Governor takes the decision to drop the events meeting the thresholds at the Adapter level.
- Ingestion is not affected until then, but after the threshold is crossed, the EPS Governor starts dropping events to prevent any failure of operations.
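The following is an added example, not DNIF's own code, that models the EPS Governor decision sequence described above (per-minute check across collectors, eps_threshold, then 'n' monitored iterations, then drop). The class and method names, the constructed collector readings, and the rule that dropping stops once EPS falls back below the threshold are assumptions.

```python
# Added example (not DNIF's code): a model of the EPS Governor decision logic.
# eps_threshold, events_threshold and the 'n' monitored iterations are the
# page's terms; the class and method names, and the rule that dropping stops
# once EPS falls back below the threshold, are assumptions.
class EpsGovernor:
    """Per-minute EPS check across the log collectors: a breach starts event
    monitoring; 'n' further breaches in a row switch the governor to drop."""

    def __init__(self, eps_threshold: int, events_threshold: int) -> None:
        self.eps_threshold = eps_threshold        # set from Adapter hardware capacity
        self.events_threshold = events_threshold  # the 'n' iterations to watch
        self.breaches = 0                         # consecutive over-threshold minutes
        self.dropping = False

    def observe_minute(self, collector_eps: dict) -> str:
        """Feed one minute of per-collector EPS; return the action taken:
        'ingest' (normal), 'monitor' (threshold hit, watching the next n
        iterations) or 'drop' (n further breaches seen, events are dropped)."""
        total = sum(collector_eps.values())
        if total >= self.eps_threshold:
            self.breaches += 1
        else:
            self.breaches = 0
            self.dropping = False            # assumption: recover when EPS drops
        if self.breaches > self.events_threshold:
            self.dropping = True
        if self.dropping:
            return "drop"
        return "monitor" if self.breaches else "ingest"


def simulate(minutes, eps_threshold=1000, events_threshold=2):
    """Run constructed per-minute collector readings through one governor."""
    gov = EpsGovernor(eps_threshold, events_threshold)
    return [gov.observe_minute(m) for m in minutes]


# Constructed sample: two collectors, six minutes of readings, n = 2.
SAMPLE_MINUTES = [
    {"fw-syslog": 500, "wineventlog": 400},   # 900  -> ingest
    {"fw-syslog": 700, "wineventlog": 500},   # 1200 -> monitor (breach 1)
    {"fw-syslog": 600, "wineventlog": 500},   # 1100 -> monitor (breach 2 = n)
    {"fw-syslog": 800, "wineventlog": 500},   # 1300 -> drop (breach 3 > n)
    {"fw-syslog": 400, "wineventlog": 400},   # 800  -> ingest (reset)
    {"fw-syslog": 700, "wineventlog": 500},   # 1200 -> monitor (breach 1)
]
```

Running `simulate(SAMPLE_MINUTES)` returns `['ingest', 'monitor', 'monitor', 'drop', 'ingest', 'monitor']`, showing that ingestion continues through the first 'n' breaches and events are dropped only once the threshold holds for the following iteration.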
EVTMEM Cache Limits
EVTMEM stores the data in the form of a queue and transfers it onward for processing of those events. In case of any irregularities it takes decisions to prevent abnormal functioning in the Adapter.
How does it safeguard the Adapter?
- There is a mechanism that holds the data in the form of queues for further processing, and this queue is called EVTMEM.
- Data can pile up if there are issues transferring it for further processing, or when a high volume of data is collected.
- To prevent this pileup and the resulting abnormalities in the functioning of the Adapter, a limit called max_length is defined on the queue; it sets the number of events the queue has the capacity to store.
- The calculation is performed internally and is based on the mount point configuration. The max_length is measured from the mount point used in the deployment of the DNIF tenant (previously known as cluster), which is usually seen as /dnif.
- The queue limit is defined as 30% of the total disk present for that mount point, and this value is used to set the max_length of the particular queue.
- If the queue reaches or exceeds the threshold set for max_length, EVTMEM starts dropping events to prevent any critical condition on the Adapter.
- Events are dropped to prevent the queue from growing in EVTMEM, which would otherwise hamper operations on the Adapter.
DataNode Transfer Cache Limits
On the Adapter, the incoming data is parsed and enriched, and the resulting data chunks are held in a transfer cache until they are written to the DataNode.
How does it safeguard the Adapter?
- Data is cached and saved on the Adapter before being indexed on the DataNode.
- A threshold level is set internally by the system to define the maximum number of records to be stored in a folder.
- If incoming data increases and the process slows down, the data piles up on the Adapter disk.
- To prevent this piling up of data on the Adapter, it stops ingesting logs as soon as the threshold is met.
- An alert message, DataNode transfer cache full, stopping ingestion, is displayed under Notable Events, indicating that the threshold limit has been crossed and ingestion has stopped.
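The following added example, not DNIF's own code, models the two capacity safeguards described in the EVTMEM and DataNode transfer cache sections above: a queue whose max_length is derived from 30% of the mount point's disk and that drops on overflow, beside a transfer cache that stops ingestion and raises the Notable Event text when its record threshold is met. The class names, the average-event-size conversion and the resume rule after a flush are assumptions.

```python
# Added example (not DNIF's code): a model of the EVTMEM queue limit and the
# DataNode transfer cache limit described above. max_length, the 30%-of-mount-
# point rule and the Notable Event text come from the page; the class names,
# the average-event-size conversion and the resume rule are assumptions.
from collections import deque

def evtmem_max_length(mount_total_bytes: int, avg_event_bytes: int) -> int:
    """max_length in events: 30% of the mount point's total disk (the page's
    rule), divided by an assumed average event size to get an event count."""
    return (mount_total_bytes * 30 // 100) // avg_event_bytes


class EvtmemQueue:
    """Queue between collection and further processing; drops when full."""

    def __init__(self, max_length: int) -> None:
        self.max_length = max_length
        self.items = deque()
        self.dropped = 0

    def push(self, event: dict) -> bool:
        if len(self.items) >= self.max_length:
            self.dropped += 1          # safeguard: drop instead of piling up
            return False
        self.items.append(event)
        return True


class DatanodeTransferCache:
    """Parsed chunks held on the Adapter until written to the DataNode; at the
    record threshold ingestion stops and a Notable Event is raised."""

    def __init__(self, record_threshold: int) -> None:
        self.record_threshold = record_threshold
        self.records = 0
        self.ingesting = True
        self.notable_events = []

    def hold(self, chunk_records: int) -> bool:
        if not self.ingesting:          # ingestion stopped: chunk is refused
            return False
        self.records += chunk_records
        if self.records >= self.record_threshold:
            self.ingesting = False
            self.notable_events.append(
                "DataNode transfer cache full, stopping ingestion")
        return True

    def written_to_datanode(self, count: int) -> None:
        self.records = max(0, self.records - count)                 # chunks indexed
        self.ingesting = self.records < self.record_threshold       # resume: assumption
```

With a 100 GiB mount point and an assumed 1 KiB average event, `evtmem_max_length` gives a queue of 31,457,280 events; the two classes show the different reactions at the limit, dropping versus stopping ingestion with a Notable Event.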
