Getting Started

How to get started, and what you will need

Scanner indexes logs that are stored in S3, allowing you to detect and investigate security threats quickly and debug your application logs.

You will need an AWS account to get started.

Store your own logs in one or more S3 buckets and give Scanner access to index them. These logs must be in JSON, Parquet, CSV, or Plaintext format.

Here are some examples of log sources that are common for Scanner users:

  • AWS CloudTrail

  • AWS CloudWatch

  • AWS VPC Flow

  • Cloudflare HTTP

  • Cloudflare DNS

  • GitHub Audit

  • Okta

  • Windows Security Event

Concierge onboarding

We provide a concierge onboarding service for new users. We will meet with you to create the necessary resources in your AWS account, make sure everything is running smoothly, and give you a tour of the product.

This meeting usually takes 30 minutes, with an optional additional 30 minutes for questions and product feedback.

Recommended participants from your org

As you try out Scanner, here are some of the people in your organization that you might want to loop in.

CISO / VP Engineering / Engineering Manager

Ensures that Scanner is meeting the business use cases of the security team at the desired cost.

Security Engineer

Decides between Scanner POC options:

  • Option 1: Quickstart with CloudTrail logs

  • Option 2: Bring your own logs

Uses Scanner to create detection rules and execute queries. Evaluates the product.

Works with your organization's infra/DevOps engineering team to give Scanner read access to your logs in S3.

Infrastructure / DevOps Engineer

Helps execute Scanner's CloudFormation, Terraform, or Pulumi template to give your Scanner instance read access to logs in S3.

If the team chooses to bring their own logs, this person helps ship the desired logs to S3 if they are not there already.
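Both the setup step above (store logs in S3 and give Scanner access to index them) and the infra/DevOps task (run the provided CloudFormation, Terraform, or Pulumi template to grant read access) come down to one cross-account, read-only grant on a log bucket. The Terraform below is an added example of what a least-privilege version of that grant looks like; it is not Scanner's own template, and the account ID, external ID, bucket name and role name are placeholders you would replace with the values from your actual onboarding.

```hcl
# Added example: a minimal cross-account, read-only grant for a log bucket.
# This is NOT Scanner's own CloudFormation/Terraform template; the account ID,
# external ID, bucket name and role name below are placeholders.

variable "log_bucket_name" {
  description = "S3 bucket that holds your logs (placeholder value)"
  type        = string
  default     = "example-org-security-logs"
}

variable "reader_account_id" {
  description = "AWS account ID of the external reader (placeholder; use the value the vendor gives you)"
  type        = string
  default     = "111111111111"
}

variable "external_id" {
  description = "Shared secret that prevents the confused-deputy problem (placeholder)"
  type        = string
  default     = "REPLACE-WITH-EXTERNAL-ID"
}

# Trust policy: only the named external account may assume this role, and only
# when it presents the agreed external ID.
data "aws_iam_policy_document" "reader_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.reader_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Permissions policy: list the bucket and read objects, nothing else.
# No s3:PutObject, s3:DeleteObject or bucket-configuration actions, so the
# reader cannot alter or remove the evidence it is indexing.
data "aws_iam_policy_document" "reader_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}"]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}/*"]
  }
}

resource "aws_iam_role" "log_reader" {
  name               = "example-log-reader"
  assume_role_policy = data.aws_iam_policy_document.reader_trust.json
}

resource "aws_iam_role_policy" "log_reader" {
  name   = "s3-read-only"
  role   = aws_iam_role.log_reader.id
  policy = data.aws_iam_policy_document.reader_permissions.json
}

# The ARN you hand to the external reader so it can assume the role.
output "log_reader_role_arn" {
  value = aws_iam_role.log_reader.arn
}
```

Two checks worth doing before you run the vendor's template: confirm the role it creates is similarly scoped (list and get on the log bucket only, with an external ID on the trust policy), and, if the bucket uses SSE-KMS, remember that the reader also needs `kms:Decrypt` on that key, which is a separate grant on the key policy rather than on the bucket.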

Reach out to us to get started

If you would like to try out Scanner, visit https://scanner.dev to get a demo and meet with an engineer.

Last updated 1 year ago