Detections
Detections are automated monitors that scan your data for specific events or conditions, generating alerts when criteria are met. They run on scheduled intervals, continuously watching for security threats, operational anomalies, or business-critical events.
How to Access
Navigate to Insights → Detections in the platform.
Detections are currently provided and configured by our Solutions Team. We are actively developing a simplified interface to enable non-technical users to create detections without Python knowledge. Contact your account representative to request new detections.
Detection Cards
Each detection is displayed as a card showing:
| Field | Description |
|---|---|
| Title | Detection name (editable) |
| Description | What the detection monitors (editable) |
| Status | Enabled/Disabled toggle |
| Schedule | How often the detection runs (cron) |
| Last Run | When the detection last executed |
| Alerts | Count of alerts generated |
| Training Mode | Whether in learning mode |
| Error Status | Any execution errors |
Detection Features
Enable/Disable Toggle
Control whether a detection is actively running:
- Enabled — Detection runs on schedule
- Disabled — Detection paused, no alerts generated
Configuration
Click the Configure button to adjust detection parameters:
- Query parameters
- Threshold values
- Alert severity
- Triage settings
Run Now
Manually trigger a detection run outside the normal schedule using the Run button. Useful for:
- Testing after configuration changes
- Immediate scanning after an incident
- Validating detection logic
Training Mode
When enabled, detections learn normal patterns before generating alerts:
- Reduces false positives during initial deployment
- Builds baseline understanding of your environment
- Alerts suppressed until training complete
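To make the behaviour described under Enable/Disable, Configuration (threshold values) and Training Mode concrete, here is an added Python example. It is illustrative code written for this page, not the platform's own detection code or API: the `Detection` and `Alert` classes, the `failed_logins` sample-event builder and the `run_scenario` walk-through are all hypothetical names constructed here. It assumes a detection evaluates one query (failed logins per source IP) on every scheduled run, learns a per-source baseline while in training mode, suppresses alerts until training is complete, records a query failure as the card's error status, and keeps runs that alerted out of the baseline so a spike cannot poison it.

```python
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class Alert:
    detection: str
    key: str
    value: int
    severity: str
    reason: str


@dataclass
class Detection:
    """Hypothetical model of one detection card: schedule, threshold, training state."""
    title: str
    schedule: str                 # cron expression; metadata only, scheduling is out of scope here
    threshold: int                # static floor: counts below this never alert
    severity: str = "medium"
    training_runs: int = 3        # scheduled runs spent learning before any alert is raised
    sigma: float = 3.0            # alert when a value exceeds baseline mean + sigma * stdev
    techniques: tuple = ()        # ATT&CK technique ids mapped to this detection
    enabled: bool = True
    runs_seen: int = 0
    last_error: Optional[str] = None
    baseline: Dict[str, List[int]] = field(default_factory=dict)

    @property
    def training_mode(self) -> bool:
        return self.runs_seen < self.training_runs

    def run(self, events) -> List[Alert]:
        """One scheduled execution: the query counts failed logins per source IP."""
        if not self.enabled:
            return []                       # disabled: paused, no alerts, no baseline update
        try:
            counts = Counter(e["src_ip"] for e in events if e.get("event") == "login_failed")
        except (KeyError, TypeError, AttributeError) as exc:
            self.last_error = f"query failed: {exc!r}"   # shown as the card's Error Status
            return []
        self.last_error = None
        alerts: List[Alert] = []
        for key, value in counts.items():
            history = self.baseline.setdefault(key, [])
            # training mode suppresses alerts; after training, evaluate against the baseline
            alert = None if self.training_mode else self._evaluate(key, value, history)
            if alert is None:
                history.append(value)       # only non-alerting runs feed the baseline
            else:
                alerts.append(alert)
        self.runs_seen += 1
        return alerts

    def _evaluate(self, key: str, value: int, history: List[int]) -> Optional[Alert]:
        if value < self.threshold:
            return None
        if len(history) >= 2:
            # floor the stdev at 1 so a perfectly flat baseline still leaves some slack
            mu, sd = mean(history), max(pstdev(history), 1.0)
            limit = mu + self.sigma * sd
            if value <= limit:
                return None
            reason = f"{value} failed logins exceeds baseline {mu:.1f} + {self.sigma}*{sd:.1f}"
        else:
            reason = f"{value} failed logins with no baseline yet (threshold {self.threshold})"
        return Alert(self.title, key, value, self.severity, reason)


def failed_logins(src_ip: str, n: int) -> List[dict]:
    """Constructed sample events standing in for the platform's query results."""
    return [{"event": "login_failed", "src_ip": src_ip} for _ in range(n)]


def run_scenario() -> List[List[Alert]]:
    """Four scheduled runs: three in training mode, then one live run containing a spike."""
    det = Detection("Brute-force logins", schedule="*/15 * * * *", threshold=5,
                    severity="high", training_runs=3, techniques=("T1110",))
    runs = [
        failed_logins("10.0.0.5", 4) + failed_logins("10.0.0.9", 1),
        failed_logins("10.0.0.5", 5) + failed_logins("10.0.0.9", 1),
        failed_logins("10.0.0.5", 6) + failed_logins("10.0.0.9", 1),
        # live run: 10.0.0.5 spikes, 10.0.0.7 is a new source above the floor, 10.0.0.9 stays quiet
        failed_logins("10.0.0.5", 40) + failed_logins("10.0.0.7", 7)
        + failed_logins("10.0.0.9", 2) + [{"event": "login_ok", "src_ip": "10.0.0.5"}],
    ]
    return [det.run(batch) for batch in runs]


if __name__ == "__main__":
    for i, alerts in enumerate(run_scenario(), 1):
        print(f"run {i}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  [{a.severity}] {a.key}: {a.reason}")
```

The first three runs produce no alerts even though the counts are at or above the static threshold, because training mode is still building the baseline; the fourth run raises two alerts, one for the source whose count far exceeds its learned baseline and one for a new source that has no history and so falls back to the static threshold. The source that stays under the threshold never alerts, which is the behaviour tuning the threshold value controls.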
AI-Assisted Triage
Configure detections to automatically analyze generated alerts:
| Setting | Description |
|---|---|
| Triage Enabled | Toggle automatic AI analysis |
| Triage Prompt | Custom instructions for AI analysis |
| LLM Selection | Choose which AI model analyzes alerts |
Custom triage prompts help the AI understand your specific context, improving analysis quality and reducing noise.
MITRE ATT&CK Integration
Detections can be mapped to the MITRE ATT&CK framework:
- Assign relevant tactics and techniques
- Build visibility into your detection coverage
- Identify gaps in your security monitoring
Adding Detections
To add a new detection:
- Click Add Detection
- Select from available detection bricks
- Configure the detection parameters
- Set the schedule and severity
- Enable the detection
Detection bricks are created by the Solutions Team. Contact support if you need a custom detection for your specific use case.
Best Practices
- Start with training mode — Let detections learn your environment
- Tune thresholds gradually — Adjust based on alert volume
- Enable AI triage — Reduce manual analysis burden
- Map to MITRE — Understand your detection coverage
- Monitor for errors — Check detection health regularly
- Review disabled detections — Re-enable or remove unused rules