search

Step 3: Validate & Test

Once you have set up a new source you can expect to see data flowing into Scanner within a few minutes. Follow the steps below to get started exploring your data.

hashtag
Verify Data Ingestion

Check ingestion status:

  1. Navigate to the Search tab

  2. Query the _ingestion_records index for file-by-file ingestion logs

  3. Confirm events from your source appear in search results

Expected ingestion timing:

  • Scanner processes files within 2-5 minutes after they appear in S3

  • Some services (like CloudTrail) have additional 5-10 minute delays before writing to S3

hashtag
Run Your First Query

Try these searches to confirm data is flowing:

Simple text search:

"192.168.1.1"

Field-specific search:

ecs.source.ip: "192.0.2.1"

Aggregation:

| count by eventName

See Data Explorationarrow-up-right for a more in depth tutorial or Query Syntaxarrow-up-right for complete search capabilities.

hashtag
Set Up a Basic Detection Rule

  1. Navigate to the Detections tab

  2. Click Create Detection Rule

  3. Define criteria to match log events

  4. Configure alert thresholds and notification destinations

  5. Test the rule against historical data

  6. Save and enable

Detection rules can be created in the UI or defined as code in GitHub (YAML with unit tests).

See Detection Rulesenvelope for detailed configuration.

hashtag
Next Steps

✅ Connect additional data sources → Data Sourcesarrow-up-right ✅ Set up authentication & SSO → Authenticationarrow-up-right ✅ Explore advanced query techniques → Search & Analysis ✅ Configure output integrations → Integrations

PreviousStep 2: Connect Your First Data Source using Scanner CollectNextScanner Collect: Data Ingestion

Last updated

Was this helpful?