Overview

Scanner provides a playground environment that allows you to explore and experiment with its log search capabilities without needing to connect your own data. This environment contains a demo data set, giving you a realistic context to understand how Scanner can be used for log analysis and security investigations.

To sign up for a playground environment, visit .

This guide will walk you through using Scanner to perform a threat investigation, showcasing key features and helping you get familiar with the tool in an interactive way.

Types of threats we'll investigate

In this guide, we'll walk through a scenario where we analyze AWS cloud audit logs to look for threat activity. Here are some of the tactics that the bad actors are using that we will be able to detect in the logs:

• Privilege escalation

• Exfiltration

• Lateral movement

• Command and control

Things we'll do

We'll use the Scanner Search and Detections features to do this investigation. Here are the specific actions we'll take:

• to look for failed AWS operations.

• to uncover suspicious failed AWS operations.

• to understand the specifics of what a bad actor was trying to do.

• to find logs that match a pattern.

• Summarize data using .

• Summarize data using .

• from summary data to detailed logs.

• Create a detection rule that .

• Create a detection rule that .

• to view the threat activity that triggered the rule.

• that have been triggered.

• from a public GitHub repository.

• to validate and test detection rules.

• Learn how to use Scanner to augment Splunk and Grafana.