Step 2: Connect Your First Data Source using Scanner Collect

Pre-built integrations for popular sources such as GitHub, CrowdStrike, Okta, and more.

  1. Navigate to the Collect tab

  2. For your first source, follow the prompt on the landing page. If you already have sources, open the 'Overview' or 'Collect Rules' tab and click the '+' in the upper right-hand corner to create a new rule

  3. Select a data source from available integrations

  4. Configure source settings (API credentials, transformations, etc.)

  5. Select the destination S3 bucket in your account for raw logs

  6. Once the Collect Rule is created, continue to create an Index Rule so that Scanner indexes the logs for search and detection

See Scanner Collect for detailed integration guides.

Option B: Direct S3 Indexing (For Logs already in S3)

Configure Scanner to index logs already stored in your S3 buckets.

  1. Navigate to the Collect tab

  2. Under "AWS S3 -> Scanner", open the Index Rules tab

  3. For your first source, follow the prompt on the landing page. If you already have sources, click the '+' icon in the upper right-hand corner to create a new Index Rule

  4. Configure:

    1. Destination Index: Choose main or create a new index (e.g., cloudtrail)

    2. Import Source: Select your linked AWS account and S3 bucket

    3. S3 Key Prefix: (optional) the folder path, if the logs live in a subfolder of the bucket

    4. File Format: JSON, JSON Lines, CSV, or Parquet

    5. Compression: None, GZIP, etc.

    6. Timestamp Field: Field name containing event timestamp (e.g., eventTime for CloudTrail)

  5. Click Preview Rule to verify Scanner can parse your files

  6. Save the rule

Scanner will automatically begin indexing new files as they arrive.
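Before saving an Index Rule it helps to confirm that a sample object from the bucket actually matches the settings chosen in step 4 (file format, compression, timestamp field). The script below is an added example, not Scanner's own code or part of its Preview Rule feature: it is a hypothetical local pre-check that sniffs gzip compression, parses JSON (CloudTrail's `Records` array) or JSON Lines, and counts records whose configured timestamp field is present and parseable. The sample object and helper names are constructed for this example.

```python
import gzip
import json
from datetime import datetime

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any gzip stream


def decompress(raw: bytes) -> bytes:
    """Mirror the rule's Compression setting by sniffing the gzip magic bytes."""
    return gzip.decompress(raw) if raw[:2] == GZIP_MAGIC else raw


def parse_records(text: str, file_format: str) -> list:
    """'json': one document, unwrapping CloudTrail's 'Records' array;
    'jsonl': one JSON object per line (blank lines ignored)."""
    if file_format == "json":
        doc = json.loads(text)
        return doc["Records"] if isinstance(doc, dict) and "Records" in doc else [doc]
    if file_format == "jsonl":
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    raise ValueError(f"unsupported file format: {file_format}")


def check_object(raw: bytes, file_format: str, timestamp_field: str) -> dict:
    """Count records whose Timestamp Field value parses as an ISO-8601 time."""
    records = parse_records(decompress(raw).decode("utf-8"), file_format)
    ok = missing = unparseable = 0
    for rec in records:
        value = rec.get(timestamp_field)
        if value is None:
            missing += 1          # field absent: Scanner could not order this event
            continue
        try:
            # 'Z' suffix is accepted only on Python 3.11+, so normalise it first
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            ok += 1
        except ValueError:
            unparseable += 1      # present but not a timestamp: wrong field or format
    return {"records": len(records), "ok": ok,
            "missing": missing, "unparseable": unparseable}


# Constructed sample: a gzip-compressed CloudTrail-style file with two events,
# the second of which has the timestamp field mis-cased ('eventtime').
SAMPLE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "ConsoleLogin"},
    {"eventtime": "2024-05-01T12:05:00Z", "eventName": "GetObject"},
]}).encode("utf-8"))

if __name__ == "__main__":
    print(check_object(SAMPLE, "json", "eventTime"))
```

A non-zero `missing` or `unparseable` count means the Timestamp Field or File Format setting does not match the data and the Preview Rule step is likely to fail.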
