# Step 3: Validate & Test

### Verify Data Ingestion

**Check ingestion status:**

1. Navigate to the **Search** tab
2. Query the **\_usage index** for file-by-file ingestion logs (covering both collection and indexing)
3. Confirm events from your source appear in search results

**Expected ingestion timing:**

* Scanner processes files within 2-5 minutes after they appear in S3
* Some services (like CloudTrail) have additional 5-10 minute delays before writing to S3

### Run Your First Query

Try these searches to confirm data is flowing:

**Simple text search:**

`"192.168.1.1"`

**Field-specific search:**

`ecs.source.ip: "192.0.2.1"`

**Aggregation:**

`| count by eventName`

See [Data Exploration](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/data-exploration) for a more in-depth tutorial, or [Query Syntax](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/query-syntax) for complete search capabilities.

### Set Up a Basic Detection Rule

1. Navigate to the **Detections** tab
2. Click **Create Detection Rule**
3. Define criteria to match log events
4. Configure alert thresholds and notification destinations
5. **Test** the rule against historical data
6. **Save** and enable

Detection rules can be created in the UI or defined as code in GitHub (YAML with unit tests).

See [Detection Rules](https://app.gitbook.com/u/LxZ4VuqzmPUsoJqJcfGTezNehNE2) for detailed configuration.

### Next Steps

✅ Connect additional data sources → [Data Sources](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources)\
✅ Set up authentication & SSO → [Authentication](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso)\
✅ Explore advanced query techniques → Search & Analysis\
✅ Configure output integrations → Integrations
