Step 2: Connect Your First Data Source using Scanner Collect

Scanner Collect provides pre-built integrations for popular sources such as GitHub, CrowdStrike, Okta, and more.

  1. Navigate to the Collect tab

  2. Click 'Add new Source'

  3. Select a data source from available integrations

  4. Configure source settings (API credentials, transformations, etc.)

  5. Select the destination S3 bucket in your account for raw logs

  6. Enable indexing so Scanner processes logs for search and detection

See Scanner Collect for detailed integration guides.

Option B: Direct S3 Import (For Existing Logs)

Configure Scanner to index logs already stored in your S3 buckets.

  1. Navigate to the Collect tab

  2. Navigate to the S3 -> Scanner Import Rules tab

  3. Click Create New Rule

  4. Configure:

    1. Destination Index: Choose main or create a new index (e.g., cloudtrail)

    2. Import Source: Select your linked AWS account and S3 bucket

    3. S3 Key Prefix: (Optional) Specify folder path if logs are in a subfolder

    4. File Format: JSON, JSON Lines, CSV, or Parquet

    5. Compression: None, GZIP, etc.

    6. Timestamp Field: Field name containing event timestamp (e.g., eventTime for CloudTrail)

  5. Click Preview Rule to verify Scanner can parse your files

  6. Save the rule

Scanner will automatically begin indexing new files as they arrive.
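A local stand-in for step 5, added here as an example and not part of Scanner's documentation or tooling: before saving a rule, check that objects under the key prefix match the Compression, File Format and Timestamp Field you configured. The sample object is constructed inline (a CloudTrail-like GZIP JSON document with a `Records` array) so the check runs offline; the `preview_rule` helper and its report keys are this example's own names.

```python
"""Offline pre-check for an S3 import rule: compression, file format, timestamp field."""
import gzip
import json
from datetime import datetime


def decompress(blob: bytes) -> bytes:
    """Undo GZIP when the object starts with the gzip magic bytes (0x1f 0x8b); else pass through."""
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def load_events(text: str, file_format: str) -> list:
    """Split a file into individual events for the 'JSON' and 'JSON Lines' formats.

    CloudTrail delivers one JSON document wrapping a 'Records' array, so unwrap that case;
    a bare array or a single object is handled too.
    """
    if file_format == "JSON Lines":
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if file_format == "JSON":
        doc = json.loads(text)
        if isinstance(doc, dict) and isinstance(doc.get("Records"), list):
            return doc["Records"]
        return doc if isinstance(doc, list) else [doc]
    raise ValueError(f"format not covered by this check: {file_format}")


def preview_rule(blob: bytes, file_format: str, timestamp_field: str) -> dict:
    """Report how many events parse and how many carry an ISO 8601 value in timestamp_field.

    'ok' is True only when every event has a usable timestamp, since events without one
    cannot be placed on the index timeline.
    """
    events = load_events(decompress(blob).decode("utf-8"), file_format)
    with_ts = 0
    for event in events:
        value = event.get(timestamp_field)  # None when the field is missing
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            with_ts += 1
        except ValueError:
            pass  # missing or non-ISO value: counted as an event without a timestamp
    return {"events": len(events), "with_timestamp": with_ts,
            "ok": len(events) > 0 and with_ts == len(events)}


# Constructed CloudTrail-like sample (not a real log): the second record lacks eventTime,
# so the preview flags the prefix as not yet safe to save with eventTime as Timestamp Field.
SAMPLE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventName": "ConsoleLogin"},
    {"eventName": "AssumeRole"},
]}).encode("utf-8"))

if __name__ == "__main__":
    print(preview_rule(SAMPLE, "JSON", "eventTime"))
```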
