After signing in, you’ll need to start ingesting alerts into north.sh. This is done either by setting up a Source (e.g. a webhook, email, or online form) or by connecting a SIEM.

Setting up a Source

On the homepage, under the “Create your first Source” section, click on the “Create Source” button. You’ll be asked to fill out a name for the source.
For now, north.sh only supports Webhooks as a source. We’re working on adding more sources in the future.
The “Source” is the point of entry for alerts into north.sh. In a typical Security Operations setup, you point your SIEM or another alerting engine (e.g. ElastAlert, or a custom script) at the Source’s webhook URL.

Creating your first Alert

Once you’ve set up a source, you can create test alerts with the curl command provided on the Source page. After running the command, you should see the alert appear on the “Alerts” page.
For now, north.sh only supports JSON payloads. We’re working on adding more formats in the future.
[Screenshot: Create Source]
✨ Congrats! You’ve successfully set up a source and created your first alert, ready for triage.
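The curl command on the Source page is the quickest test, but in practice alerts usually come from a script or alerting engine. The following is an added example, not north.sh’s own code, of sending a JSON alert to a webhook Source from a custom Python script. It assumes a webhook URL supplied in a placeholder environment variable (NORTH_SH_WEBHOOK) and a payload shape of our own choosing (title, severity, source, timestamp, fields); the page only says the Source accepts JSON, so adapt the field names to whatever your Source’s curl example uses.

```python
"""Send an alert to a north.sh webhook Source from a custom script.

Added example, not north.sh's own code. The webhook URL (NORTH_SH_WEBHOOK)
and the payload field names are assumptions; the page only states that
the Source accepts JSON.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

SEVERITIES = ("low", "medium", "high", "critical")  # our own scale, an assumption


def build_alert(title, severity, source, fields, when=None):
    """Build a JSON-serialisable alert dict.

    Severity is normalised to lower case and validated, so a later filter
    on 'severity' in the alert UI sees one consistent vocabulary instead of
    'High', 'HIGH' and 'high' as three different values.
    """
    sev = severity.strip().lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}; expected one of {SEVERITIES}")
    when = when or datetime.now(timezone.utc)
    return {
        "title": title,
        "severity": sev,
        "source": source,
        "timestamp": when.isoformat(),
        "fields": dict(fields),
    }


def send_alert(webhook_url, alert, timeout=10):
    """POST the alert as JSON and return the HTTP status code.

    urlopen raises on network errors and on non-2xx responses, so a cron job
    or alerting hook fails loudly instead of silently dropping alerts.
    """
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(alert).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample event, standing in for a rule hit in ElastAlert or a similar engine.
    alert = build_alert(
        title="Multiple failed SSH logins from one IP",
        severity="High",
        source="elastalert",
        fields={"src_ip": "203.0.113.7", "user": "root", "count": 42},
    )
    url = os.environ.get("NORTH_SH_WEBHOOK")  # placeholder, not a north.sh setting
    if url:
        print("webhook returned HTTP", send_alert(url, alert))
    else:
        print(json.dumps(alert, indent=2))
```

Run it with NORTH_SH_WEBHOOK set to your Source’s webhook URL; without it, the script only prints the payload it would send. Treat the webhook URL itself as a credential, since anyone who has it can inject alerts into your triage queue.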

Connecting a SIEM

north.sh supports connecting to multiple SIEMs, with initial support including Elastic 8 (On-Premises) & Splunk Enterprise (On-Premises).
[Screenshot: SIEM Connect]
To connect your SIEM, you deploy a north.sh siem-agent that talks to your SIEM and sends alerts on to north.sh. north.sh makes this easy with a one-liner command, explored below. Start by heading back to the Dashboard (by clicking the north.sh logo) and clicking the “Connect SIEM” button. You’ll be asked to fill out the details of the SIEM you’re connecting to.

Connecting Splunk Enterprise

Give your SIEM a name and description. In the “Base URL” field, supply the management (REST API) URL of your Splunk instance, not the Splunk Web URL. This is typically https://splunk-ip:8089 (Splunk Web defaults to port 8000 and will not work here).
Enter the URL as seen from the siem-agent, because it is the agent, not north.sh, that connects to Splunk. If you’re planning to deploy the siem-agent on the same instance as Splunk, use https://localhost:8089. splunkd serves the management port over HTTPS by default (with a self-signed certificate unless you’ve replaced it), so use https even for localhost. You can confirm the URL from the agent host with curl -k -u admin https://localhost:8089/services/server/info, which should prompt for the password and return server details.
To finish connecting Splunk Enterprise to north.sh, supply a username and password alongside the connection details of your Splunk instance. After you’ve filled in all the required details, click “Continue”.
For now, north.sh only supports the admin user, but in future will support more granular user permissions. Until then, bear in mind that the agent holds Splunk administrator credentials, so restrict who can log in to the agent host and read its configuration.
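The two common mistakes at this step are entering a Splunk Web URL instead of the management URL, and using http for a port that speaks HTTPS. The following is an added pre-flight check, not north.sh or Splunk code, that rejects those before you paste the URL into the form and then calls the same REST endpoint the agent will need. It assumes Splunk’s defaults (management port 8089 over HTTPS, Splunk Web on 8000) and the standard /services/server/info endpoint; the function names are ours.

```python
"""Pre-flight check for the Splunk Base URL before entering it in north.sh.

Added example, not north.sh or Splunk code. Assumes Splunk defaults:
management (REST) port 8089 over HTTPS, Splunk Web on port 8000.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

SPLUNK_MGMT_PORT = 8089
SPLUNK_WEB_PORT = 8000  # Splunk Web (the UI); a common wrong answer for this field


def normalise_base_url(url):
    """Return a clean https://host:port base URL, or raise ValueError saying
    what is wrong with the one given (wrong scheme, UI port, missing port,
    stray path)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("splunkd serves the management port over HTTPS by default; use https://")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.port == SPLUNK_WEB_PORT:
        raise ValueError(f"port {SPLUNK_WEB_PORT} is Splunk Web (the UI); use the management port {SPLUNK_MGMT_PORT}")
    if parts.port is None:
        raise ValueError(f"no port given; the management port is usually {SPLUNK_MGMT_PORT}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("give only scheme, host and port, without a path or query")
    host = parts.hostname
    if ":" in host:  # bare IPv6 literal needs its brackets back
        host = f"[{host}]"
    return urlunsplit(("https", f"{host}:{parts.port}", "", "", ""))


def server_info(base_url, username, password, verify_tls=True, timeout=10):
    """Call /services/server/info with basic auth, as the agent will have to,
    and return (http_status, splunk_version) from the JSON reply.

    verify_tls=False is only for Splunk's default self-signed certificate;
    keep it True once you have installed a certificate the agent host trusts.
    """
    req = urllib.request.Request(f"{base_url}/services/server/info?output_mode=json")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        data = json.load(resp)
        status = resp.status
    return status, data["entry"][0]["content"]["version"]


if __name__ == "__main__":
    import sys
    # usage: check_splunk.py [base_url] [username] [password]
    base = normalise_base_url(sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8089")
    print("base URL ok:", base)
    if len(sys.argv) > 3:
        print("splunkd reachable, version:", server_info(base, sys.argv[2], sys.argv[3], verify_tls=False))
```

Run it on the host where the agent will live, since that is the vantage point the Base URL has to be correct from; a URL that works from your laptop but not from the agent host is exactly the mistake the page warns about.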
After you’ve filled in all the required details, you’ll be shown a command that downloads and installs the siem-agent. Run it on your Splunk instance, or on another Linux host that can reach the Base URL you entered.
# Locate a suitable directory to install the siem-agent
mkdir -p /opt/north_sh && cd /opt/north_sh

# Download and install the siem-agent
curl http://get.north.sh/01jk4aqnndzxy1gbvrrbb2khw6/secret_key_dont_share | sh

# Start the siem-agent
./siem-agent -c config.yaml
For now, north.sh only supports linux/amd64 and linux/arm64, non-containerized deployments of siem-agents. We’ll work to support containerized siem-agent deployments in the future.
After you’ve run the command, you should see the siem-agent start up and connect to north.sh. You can check the status of the siem-agent by running ./siem-agent status. Note that the install URL embeds an enrolment secret for this SIEM connection; treat it like a credential and don’t paste it into tickets or shared scripts. Since the one-liner pipes the download straight into sh, you may prefer to save the script to a file and read it before running it.

Connecting Elastic 8

Elastic 8 support is currently in development. We’re working hard to bring this to you as soon as possible.

Creating a Detection

Detections are where the power of north.sh comes to life. Once you have a SIEM connected, you can start creating new detections, creating filters in the alert UI, and hunting for threats across different SIEMs.
[Screenshot: Create Detection]
To create a detection, head over to the “Detections” page in the top navigation bar. Click on the “Create Detection” button, and you’ll be asked to fill out the details of the detection.
When you added a SIEM, north.sh started analysing the log streams within it, so you can build detections against the log streams actually available in your SIEM.
Once you’ve filled out the details of the detection, it runs automatically against every connected SIEM listed. If the connection to a SIEM is severed, or a log source is not performing as expected, north.sh retries the detection later, so that detection coverage continues once the SIEM is reachable again.