Playground Guide

Overview
Scanner provides a playground environment that allows you to explore and experiment with its log search capabilities without needing to connect your own data. This environment contains a demo data set, giving you a realistic context to understand how Scanner can be used for log analysis and security investigations.

To sign up for a playground environment, visit scanner.dev/demo.

This guide will walk you through using Scanner to perform a threat investigation, showcasing key features and helping you get familiar with the tool in an interactive way.

Types of threats we'll investigate

In this guide, we'll walk through a scenario where we analyze AWS cloud audit logs to look for threat activity. Here are some of the tactics the bad actors use that we will be able to detect in the logs:

  • Privilege escalation

  • Exfiltration

  • Lateral movement

  • Command and control

Things we'll do

We'll use the Scanner Search and Detections features to do this investigation. Here are the specific actions we'll take:

  • Run a saved query to look for failed AWS operations.

  • View column statistics to uncover suspicious failed AWS operations.

  • View the details of a log event to understand the specifics of what a bad actor was trying to do.

  • Run free-text search to find logs that match a pattern.

  • Summarize data using simple count aggregations.

  • Summarize data using more advanced aggregations.

  • Pivot from summary data to detailed logs.

  • Create a detection rule that triggers via a simple filter.

  • Create a detection rule that triggers when a numeric threshold is met.

  • View details of a detection event to view the threat activity that triggered the rule.

  • Summarize detection events that have been triggered.

  • Add out-of-the-box detection rules from a public GitHub repository.

  • Use the scanner-cli tool to validate and test detection rules.

  • Learn how to use Scanner to augment Splunk and Grafana.
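As an added illustration (not code from the Scanner project, and not Scanner's query or detection-rule syntax), the Python below runs the same investigation steps over a handful of constructed CloudTrail-shaped events: filter to failed operations, take column statistics, count by principal, pivot from a summary row back to raw events, and apply both a simple-filter rule and a numeric-threshold rule. The field names (eventName, errorCode, userIdentity.arn, sourceIPAddress) follow CloudTrail's record format; the sample events, the PRIVESC_APIS set and the threshold of three failures are assumptions made for this example.

```python
"""
Added example, not Scanner's own code or query syntax: the search and
detection steps listed above, expressed as plain Python over constructed
CloudTrail-shaped events so the logic can be run offline.

Assumptions: field names follow the CloudTrail record format; the events,
the PRIVESC_APIS set and the threshold value are made up for illustration.
"""
from collections import Counter


def ev(name, user, ip, error=None):
    """Build one constructed CloudTrail-shaped event (sample data, not real logs)."""
    e = {
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
        "sourceIPAddress": ip,
    }
    if error:
        e["errorCode"] = error
    return e


# Constructed sample: one principal probing IAM write APIs and being denied.
SAMPLE_EVENTS = [
    ev("GetCallerIdentity", "alice", "10.0.0.5"),
    ev("AttachUserPolicy", "mallory", "198.51.100.7", "AccessDenied"),
    ev("CreateAccessKey", "mallory", "198.51.100.7", "AccessDenied"),
    ev("PutUserPolicy", "mallory", "198.51.100.7", "AccessDenied"),
    ev("ListBuckets", "mallory", "198.51.100.7"),
    ev("GetObject", "bob", "10.0.0.9", "AccessDenied"),
]


def field(event, path):
    """Resolve a dotted path such as 'userIdentity.arn'; missing keys yield None."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def failed_operations(events):
    """Saved-query step: keep only events that carry an errorCode."""
    return [e for e in events if e.get("errorCode")]


def column_stats(events, path):
    """Column-statistics step: value counts for one field, most common first."""
    return Counter(field(e, path) for e in events).most_common()


def count_by(events, *paths):
    """Simple count aggregation: group events by one or more fields."""
    return Counter(tuple(field(e, p) for p in paths) for e in events)


def pivot(events, match):
    """Pivot step: from a summary row (field -> value) back to the raw events."""
    return [e for e in events if all(field(e, k) == v for k, v in match.items())]


# Hypothetical set of IAM APIs whose success would grant new privileges.
PRIVESC_APIS = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}


def filter_rule(events):
    """Detection rule 1 (simple filter): a denied call to a privilege-granting IAM API."""
    return [e for e in failed_operations(events) if e["eventName"] in PRIVESC_APIS]


def threshold_rule(events, min_failures=3):
    """Detection rule 2 (numeric threshold): principals with at least N failed calls."""
    counts = count_by(failed_operations(events), "userIdentity.arn")
    return {arn: n for (arn,), n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    failed = failed_operations(SAMPLE_EVENTS)
    print("failed ops:", len(failed))
    print("errorCode stats:", column_stats(failed, "errorCode"))
    print("failures by principal:", count_by(failed, "userIdentity.arn"))
    print("filter rule hits:", [e["eventName"] for e in filter_rule(SAMPLE_EVENTS)])
    hits = threshold_rule(SAMPLE_EVENTS)
    print("threshold rule hits:", hits)
    for arn in hits:
        print("pivot:", [e["eventName"] for e in pivot(SAMPLE_EVENTS, {"userIdentity.arn": arn})])
```

In the playground the same steps are performed through Scanner's search and detection-rule UI rather than in code; the point here is the shape of the logic: a failed-operation filter narrows the data, an aggregation surfaces the principal with an anomalous failure count, and the pivot recovers the exact API calls that principal attempted, which is what tells you whether the denied calls were privilege-escalation attempts or harmless misconfiguration.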