Skip to main content
Detection encompasses the process of searching over your SIEM periodically in order to find malicious or suspicious activity within your environment. As north.sh focuses on empowering security teams, the detection experience brings some additional benefits to ensure threats are detected, and responded to, as fast as possible.

Writing Detection Rules

detection rules can be written in any query language available but not.SH prefers Sigma for its flexibility and expression. to write a detection rule head to the detection page and click create detection up the top right. from there you can add all the meta data about your detection as well as the detection itself.

Correlating Events

Scheduling Detections on SIEMs

Different Detection Rules can be deployed out to different SIEM instances, according with where your data lives. Certain detection languages will only be able to be run on certain SIEM products, for example Splunk Query Language can only run on Splunk servers.

Selecting Logsources

When you attach a SIEM to noth.sh via a siem-agent, logsources are analysed to determine what log types are present on the instance.

Building Filters

filters or exclusions are additions to your detection that filter out unwanted noise. they usually append any results that are found and filter out exceptions that are unique to your environment.

Validation

when ensuring your detection rules are valid it’s important to check each. Field individually exists within the same as well as, and likely has the correct types. north.sh labels these rules validation rules and help dramatically with the reliability of detections.