Step 3: Validate & Test
Once you have set up a new source, you can expect to see data flowing into Scanner within a few minutes. Follow the steps below to confirm that ingestion is working and to start exploring your data.
Verify Data Ingestion
Check ingestion status:
Navigate to the Search tab
Query the _ingestion_records index for file-by-file ingestion logs
Confirm events from your source appear in search results
Expected ingestion timing:
Scanner processes files within 2-5 minutes after they appear in S3
Some services (like CloudTrail) have additional 5-10 minute delays before writing to S3
Run Your First Query
Try these searches to confirm data is flowing. Substitute values that actually occur in your logs (the IP addresses below are placeholders); an empty result for a literal that is not in your data does not mean ingestion has failed.
Simple text search:
"192.168.1.1"
Field-specific search:
ecs.source.ip: "192.0.2.1"
Aggregation:
| count by eventName
See Data Exploration for a more in depth tutorial or Query Syntax for complete search capabilities.
Set Up a Basic Detection Rule
Navigate to the Detections tab
Click Create Detection Rule
Define criteria to match log events
Configure alert thresholds and notification destinations
Test the rule against historical data
Save and enable
Detection rules can be created in the UI or defined as code in GitHub (YAML with unit tests).
See Detection Rules for detailed configuration.
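The following is an added, self-contained illustration, not Scanner's own code and not its YAML rule format: it shows, in plain Python, the logic that the "Run Your First Query" aggregation and the detection-rule steps above describe (match criteria on log events, group by an actor field, alert when a count crosses a threshold inside a time window, and replay historical records through the rule as a unit test). The sample records are constructed here and shaped like CloudTrail ConsoleLogin events; the rule structure, thresholds and helper names are assumptions for the example only.

```python
"""Added example (not Scanner's code): detection-rule logic over constructed CloudTrail-style events."""
import json
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime


def _ev(time, name, ip, user, result=None):
    """Build a constructed CloudTrail-like record carrying only the fields this example uses."""
    e = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user}}
    if result is not None:
        e["responseElements"] = {"ConsoleLogin": result}
    return e


# Constructed sample: one JSON record per line, plus one malformed line to show it is skipped.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    _ev("2024-05-01T10:00:05Z", "ConsoleLogin", "203.0.113.5", "alice", "Failure"),
    _ev("2024-05-01T10:01:10Z", "ConsoleLogin", "203.0.113.5", "alice", "Failure"),
    _ev("2024-05-01T10:02:30Z", "DescribeInstances", "198.51.100.9", "bob"),
    _ev("2024-05-01T10:03:15Z", "ConsoleLogin", "203.0.113.5", "alice", "Failure"),
    _ev("2024-05-01T10:03:50Z", "ConsoleLogin", "198.51.100.9", "bob", "Failure"),
    _ev("2024-05-01T10:04:20Z", "ConsoleLogin", "203.0.113.5", "alice", "Success"),
    _ev("2024-05-01T10:12:00Z", "ConsoleLogin", "198.51.100.9", "bob", "Failure"),
]] + ["{not valid json"]


def parse_events(lines):
    """Parse newline-delimited JSON records, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def get_path(event, path):
    """Resolve a dotted field path such as 'userIdentity.type'; None when any segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def count_by(events, path):
    """Counterpart of a '| count by <field>' aggregation: number of events per distinct value."""
    return Counter(str(get_path(e, path)) for e in events if get_path(e, path) is not None)


@dataclass(frozen=True)
class DetectionRule:
    name: str
    criteria: dict        # field path -> required value; every pair must match
    group_by: str         # field path identifying the actor (here the source IP)
    threshold: int        # alert once this many matches ...
    window_seconds: int   # ... fall inside one sliding window


def matches(rule, event):
    return all(get_path(event, path) == value for path, value in rule.criteria.items())


def evaluate(rule, events):
    """Return {group_value: peak_count} for every group whose peak count inside the window
    reached the threshold. Events are sorted by eventTime first, so order of arrival does not matter."""
    hits = sorted((e for e in events if matches(rule, e)), key=lambda e: e["eventTime"])
    windows, peak = {}, {}
    for e in hits:
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = str(get_path(e, rule.group_by))
        q = windows.setdefault(key, deque())
        q.append(t)
        while (t - q[0]).total_seconds() > rule.window_seconds:   # drop timestamps that aged out
            q.popleft()
        peak[key] = max(peak.get(key, 0), len(q))
    return {k: n for k, n in peak.items() if n >= rule.threshold}


def rule_unit_test(rule, lines, expected_groups):
    """Replay historical or synthetic log lines through the rule and compare the alerting groups."""
    return set(evaluate(rule, parse_events(lines))) == set(expected_groups)


# Hypothetical rule: three failed console logins from one IP within five minutes.
FAILED_LOGIN_RULE = DetectionRule(
    name="Repeated console login failures",
    criteria={"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Failure"},
    group_by="sourceIPAddress",
    threshold=3,
    window_seconds=300,
)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print(count_by(evs, "eventName"))
    print(evaluate(FAILED_LOGIN_RULE, evs))
    print(rule_unit_test(FAILED_LOGIN_RULE, SAMPLE_LOG_LINES, ["203.0.113.5"]))
```

In the constructed data, 203.0.113.5 produces three failures between 10:00:05 and 10:03:15 and alerts; 198.51.100.9 has two failures more than five minutes apart, so its window never holds more than one and it stays quiet. The last function is the replay-against-history check that step five of the procedure describes: keep a small set of records that should and should not fire and run the rule over them before enabling it.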
Next Steps
✅ Connect additional data sources → Data Sources
✅ Set up authentication & SSO → Authentication
✅ Explore advanced query techniques → Search & Analysis
✅ Configure output integrations → Integrations