
Getting Started

How to get started, and what you will need
Scanner indexes logs that are stored in S3, allowing you to detect and investigate security threats quickly.
You will need an AWS account to get started.
If you do not have logs in an S3 bucket already, we recommend trying Scanner with Option 1: Quickstart with CloudTrail logs.
Here are the two options you can choose from if you want to try Scanner.

Option 1: Quickstart with CloudTrail logs

With this option, you can analyze your AWS CloudTrail audit logs in Scanner and detect threats immediately. This option is fully automated and requires no manual work - only 5 minutes to get started.
We will give you a CloudFormation, Terraform, or Pulumi template to do the following:
  • Create a new Trail in CloudTrail.
  • Create a new S3 bucket to store the logs from this Trail.
    • Create a new configuration to send s3:ObjectCreated events from this bucket to your Scanner instance.
  • Create a new S3 bucket to store Scanner index files.
  • Create a new IAM role with these permissions:
    • Read access to the CloudTrail logs bucket.
    • Read/write access to the Scanner index files bucket.
This tends to be the best option for most teams who want to get started with Scanner fast.
You can always add more S3 buckets and logs for Scanner to index later.

Option 2: Bring your own logs

Store your own logs in one or more S3 buckets and give Scanner access to index them.
If your logs are already in an S3 bucket, this option only takes 5 minutes to get started. If your logs aren't in a bucket already, moving them to S3 may take a decent amount of infrastructure work depending on your circumstances, typically hours or days.
These logs must be in JSON, Parquet, CSV, or Plaintext format.
Here are some log sources with strong support in Scanner:
  • AWS CloudTrail
  • Cloudflare HTTP Request
  • Cloudflare VPC Flow
  • GitHub Audit
  • Okta
  • Windows Security Event
We will give you a CloudFormation, Terraform, or Pulumi template to do the following:
  • Select one or more S3 buckets containing logs that you want Scanner to index.
    • Create new configurations to send s3:ObjectCreated events from these buckets to your Scanner instance.
  • Create a new S3 bucket to store Scanner index files.
  • Create a new IAM role with these permissions:
    • Read access to the S3 bucket(s) containing your logs.
    • Read/write access to the Scanner index files bucket.
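Both options above end with an IAM role that Scanner assumes: read-only on the bucket holding your logs, read/write on the index files bucket. The CloudFormation fragment below is an added illustration of that least-privilege split, not the template Scanner provides; the parameter names, the `ScannerAccountId` placeholder, the `sts:ExternalId` condition and the exact S3 actions are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example least-privilege role for a Scanner instance (illustration, not the vendor template)
Parameters:
  LogsBucketName:
    Type: String          # existing bucket holding CloudTrail (or your own) logs
  IndexBucketName:
    Type: String          # bucket created to hold Scanner index files
  ScannerAccountId:
    Type: String          # placeholder: the AWS account your Scanner instance runs in
  ExternalId:
    Type: String          # assumed shared value; blocks confused-deputy role assumption
    NoEcho: true
Resources:
  ScannerIndexRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: ScannerS3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Logs bucket: read and list only, no Put/Delete, so the indexer cannot alter evidence
              - Sid: ReadLogs
                Effect: Allow
                Action: [s3:GetObject, s3:ListBucket, s3:GetBucketLocation]
                Resource:
                  - !Sub "arn:aws:s3:::${LogsBucketName}"
                  - !Sub "arn:aws:s3:::${LogsBucketName}/*"
              # Index bucket: read/write, scoped to this one bucket and its objects
              - Sid: ReadWriteIndex
                Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject, s3:ListBucket]
                Resource:
                  - !Sub "arn:aws:s3:::${IndexBucketName}"
                  - !Sub "arn:aws:s3:::${IndexBucketName}/*"
```

When reviewing the real template, check the same two things this fragment makes explicit: no write actions on the logs bucket, and a trust policy that names a specific principal rather than a wildcard.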
As you try out Scanner, here are some of the people in your organization that you might want to loop in.

CISO / Security Engineering Manager

Ensures that Scanner is meeting the business use cases of the security team at the desired cost.

Security Engineer

Decides between Scanner POC options:
  • Option 1: Quickstart with CloudTrail logs
  • Option 2: Bring your own logs
Uses Scanner to create detection rules and execute queries. Evaluates the product.
Works with your organization's infra/devops engineering team to give Scanner read-access to your logs in S3.

Security Operations Analyst

Uses Scanner to create detection rules and execute queries. Evaluates the product.
Works with your company's infra/devops engineering team to give Scanner read-access to your logs in S3.

Infrastructure / Devops Engineer

Helps execute Scanner's CloudFormation, Terraform, or Pulumi template to give your Scanner instance read-access to logs in S3.
If the security team chooses to bring their own logs, this person helps ship the desired logs to S3 if they are not there already.

Reach out to us to get started

If you would like to try out Scanner, visit https://scanner.dev to get a demo. You can also reach out to the founders directly at [email protected].