Step 3: Validate & Test

Once you have set up a new source, you can expect to see data flowing into Scanner within a few minutes. Follow the steps below to confirm that ingestion is working and to start exploring your data.

Verify Data Ingestion

Check ingestion status:

  1. Navigate to the Search tab

  2. Query the _ingestion_records index for file-by-file ingestion logs

  3. Confirm events from your source appear in search results

Expected ingestion timing:

  • Scanner processes files within 2-5 minutes after they appear in S3

  • Some services (like CloudTrail) have additional 5-10 minute delays before writing to S3

Run Your First Query

Try these searches to confirm data is flowing:

Simple text search:

"192.168.1.1"

Field-specific search:

ecs.source.ip: "192.0.2.1"

Aggregation:

| count by eventName

See Data Exploration for a more in depth tutorial or Query Syntax for complete search capabilities.

Set Up a Basic Detection Rule

  1. Navigate to the Detections tab

  2. Click Create Detection Rule

  3. Define criteria to match log events

  4. Configure alert thresholds and notification destinations

  5. Test the rule against historical data

  6. Save and enable

Detection rules can be created in the UI or defined as code in GitHub (YAML with unit tests).

See Detection Rules for detailed configuration.
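The query shapes above (free-text, field match, count-by aggregation) and the detection-rule steps (criteria, threshold, test against historical data) can be sanity-checked offline before a rule is enabled. The following is an added example, not Scanner's own code, query engine or rule format: it runs the same logic in plain Python over a handful of constructed CloudTrail-style events (field names follow CloudTrail's JSON layout; the addresses are RFC 5737 documentation ranges). The rule it implements, failed console logins per source IP over a threshold, is an illustrative choice, not a rule the page prescribes.

```python
"""Offline stand-in for the query and detection steps above (added example)."""
import json
from collections import Counter

# Constructed sample events in CloudTrail's JSON field layout (not captured logs).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy"}},
]


def get_field(event, path):
    """Resolve a dotted field path such as 'userIdentity.userName'; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def text_search(events, needle):
    """Free-text search: the literal appears anywhere in the serialized event."""
    return [e for e in events if needle in json.dumps(e)]


def field_search(events, path, value):
    """Field-specific search: exact match on one (possibly nested) field."""
    return [e for e in events if get_field(e, path) == value]


def count_by(events, path):
    """Aggregation: number of events per distinct value of a field."""
    values = (get_field(e, path) for e in events)
    return Counter(v for v in values if v is not None)


def detect_failed_logins(events, threshold):
    """Detection rule: a source IP with at least `threshold` failed console logins.

    Criteria: eventName == ConsoleLogin and errorMessage == 'Failed authentication'.
    Threshold: applied to the count per sourceIPAddress.
    Returns {ip: failed_count} for every IP that would raise an alert.
    """
    failed = [e for e in field_search(events, "eventName", "ConsoleLogin")
              if get_field(e, "errorMessage") == "Failed authentication"]
    per_ip = count_by(failed, "sourceIPAddress")
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    # "Test the rule against historical data": run it over the sample set first.
    print(len(text_search(SAMPLE_EVENTS, "192.0.2.1")), "events mention 192.0.2.1")
    print(dict(count_by(SAMPLE_EVENTS, "eventName")))
    print("alerts at threshold 3:", detect_failed_logins(SAMPLE_EVENTS, threshold=3))
```

Two points this makes visible: a free-text search matches the literal wherever it occurs (searching for "192.168.1.1" would also hit "192.168.1.10" or an IP buried in a user-agent string), so field-specific searches are the safer basis for rule criteria; and the threshold is what separates one user mistyping a password from a spray across several accounts from a single IP, which is why step 5 (testing against historical data) matters before enabling the rule.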

Next Steps

✅ Connect additional data sources → Data Sources
✅ Set up authentication & SSO → Authentication
✅ Explore advanced query techniques → Search & Analysis
✅ Configure output integrations → Integrations
