Overview

Scanner provides a playground environment that allows you to explore and experiment with its log search capabilities without needing to connect your own data. This environment contains a demo data set, giving you a realistic context to understand how Scanner can be used for log analysis and security investigations.

To sign up for a playground environment, visit scanner.dev/demo.

This guide will walk you through using Scanner to perform a threat investigation, showcasing key features and helping you get familiar with the tool in an interactive way.

Types of threats we'll investigate

In this guide, we'll walk through a scenario where we analyze AWS cloud audit logs to look for threat activity. Here are some of the tactics the bad actors are using that we will be able to detect in the logs:

• Privilege escalation

• Exfiltration

• Lateral movement

• Command and control

Things we'll do

We'll use the Scanner Search and Detections features to do this investigation. Here are the specific actions we'll take:

• Run a saved query to look for failed AWS operations.

• View column statistics to uncover suspicious failed AWS operations.

• View the details of a log event to understand the specifics of what a bad actor was trying to do.

• Run free-text search to find logs that match a pattern.

• Summarize data using simple count aggregations.

• Summarize data using more advanced aggregations.

• Pivot from summary data to detailed logs.

• Create a detection rule that triggers via a simple filter.

• Create a detection rule that triggers when a numeric threshold is met.

• View details of a detection event to view the threat activity that triggered the rule.

• Summarize detection events that have been triggered.

• Add out-of-the-box detection rules from a public GitHub repository.

• Use the scanner-cli tool to validate and test detection rules.

• Learn how to use Scanner to augment Splunk and Grafana.