# Using Scanner (Complete Feature Reference)

- [Scanner Collect: Data Ingestion](/scanner/using-scanner-complete-feature-reference/data-ingestion.md): Learn what Scanner Collect is, why it helps you build a scalable S3-based log data lake, and how it simplifies ingestion, indexing, and detection across your SaaS and cloud logs.
- [Sources](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources.md)
- [1Password](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/1password.md)
- [Auth0](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/auth0.md)
- [Azure Activity](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/azure-activity.md)
- [AWS Aurora](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-aurora.md)
- [AWS CloudTrail](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-cloudtrail.md)
- [AWS CloudWatch](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-cloudwatch.md)
- [AWS ECS](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-ecs.md)
- [AWS EKS](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-eks.md)
- [AWS GuardDuty](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-guardduty.md)
- [AWS Lambda](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-lambda.md)
- [AWS Route53 Resolver](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-route53-resolver.md)
- [AWS VPC Flow](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-vpc-flow.md)
- [AWS VPC Transit Gateway Flow](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-vpc-transit-gateway-flow.md)
- [AWS WAF](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-waf.md)
- [Cloudflare](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/cloudflare.md)
- [Crowdstrike](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/crowdstrike.md)
- [Custom Logs - AWS S3](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-aws-s3.md)
- [Custom Logs - HTTP](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-http.md)
- [Custom via Fluentd](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-via-fluentd.md)
- [Fastly](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/fastly.md)
- [GitHub](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/github.md)
- [Google Cloud Platform (GCP) Audit](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-cloud-platform-gcp-audit.md)
- [Google Workspace](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace.md)
- [Google Workspace Activity](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace/google-workspace-activity.md)
- [Google Workspace Alerts](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace/google-workspace-alerts.md)
- [Jamf](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/jamf.md)
- [Lacework](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/lacework.md)
- [Okta](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/okta.md)
- [Osquery](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/osquery.md)
- [OSSEC](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/ossec.md)
- [SentinelOne](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sentinelone.md)
- [Slack](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/slack.md)
- [Snowflake](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/snowflake.md)
- [Sophos](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sophos.md)
- [Syslog](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/syslog.md)
- [Sublime Security](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sublime-security.md)
- [Suricata](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/suricata.md)
- [Teleport](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/teleport.md)
- [Windows Defender](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/windows-defender.md)
- [Windows Sysmon](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/windows-sysmon.md)
- [Wiz](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/wiz.md)
- [Zeek](/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/zeek.md)
- [Index Organization](/scanner/using-scanner-complete-feature-reference/data-ingestion/index-organization.md)
- [Regular Expressions in Index Rules](/scanner/using-scanner-complete-feature-reference/data-ingestion/regular-expressions-in-index-rules.md)
- [Data Transformation & Enrichment](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment.md)
- [Data Transformations](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/data-transformations.md)
- [Custom VRL](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/custom-vrl.md)
- [Lookup Table Enrichment](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment.md)
- [Custom Lookup Tables](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment/custom-lookup-tables.md)
- [Threat Intelligence](/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment/threat-intelligence.md)
- [Querying & Analysis](/scanner/using-scanner-complete-feature-reference/querying-and-analysis.md)
- [Query Syntax](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/query-syntax.md): Here is how you search through your log events
- [Understanding Tokens and Query Performance](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/tokens-and-query-performance.md)
- [Data Exploration](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/data-exploration.md)
- [Aggregation Functions](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions.md)
- [avg()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/avg.md)
- [count()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/count.md)
- [countdistinct()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/countdistinct.md)
- [eval()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/eval.md)
- [groupbycount()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/groupbycount.md)
- [head()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/head.md)
- [max()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/max.md)
- [min()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/min.md)
- [percentile()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/percentile.md)
- [rename()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/rename.md)
- [stats()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/stats.md)
- [sum()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/sum.md)
- [table()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/table.md)
- [tail()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/tail.md)
- [var()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/var.md)
- [where()](/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/where.md)
- [Built-in Indexes](/scanner/using-scanner-complete-feature-reference/built-in-indexes.md)
- [\_audit](/scanner/using-scanner-complete-feature-reference/built-in-indexes/_audit.md)
- [\_usage](/scanner/using-scanner-complete-feature-reference/built-in-indexes/_usage.md)
- [Detections & Alerting](/scanner/using-scanner-complete-feature-reference/detections-and-alerting.md)
- [Detection Rules](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules.md): Scanner provides built-in threat detection rules - or you can write your own. These rules run continuously and send you notifications when the rule criteria are met.
- [Out-of-the-Box Detection Rules](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/out-of-the-box-detection-rules.md)
- [Detection Rules as Code](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code.md): Collaborate on, review, and continuously test detection rules.
- [Getting Started](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/getting-started.md)
- [Writing Detection Rules](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/writing-detection-rules.md)
- [CLI](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/cli.md)
- [Managing Synced Detection Rules](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/managing-synced-detection-rules.md)
- [Detection Alert Formatting](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-alert-formatting.md): Custom formatting for detection alerts
- [Customizing PagerDuty Alerts](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-alert-formatting/customizing-pagerduty-alerts.md)
- [MITRE Tags](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/mitre-tags.md): Below are the default MITRE tags in Scanner. These are populated in the list of tags on the detection rule create and edit pages.
- [Event Sinks](/scanner/using-scanner-complete-feature-reference/detections-and-alerting/event-sinks.md): Event sinks are alert destinations.
- [Administration](/scanner/using-scanner-complete-feature-reference/administration.md)
- [Authentication & SSO](/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso.md): Use Single Sign On to connect your enterprise's identity provider to Scanner.
- [Okta](/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso/okta.md)
- [Okta Workforce](/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso/okta/okta-workforce.md)
- [SAML](/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso/okta/saml.md)
- [Role-Based Access Control (RBAC)](/scanner/using-scanner-complete-feature-reference/administration/role-based-access-control-rbac.md)
- [MCP & AI SecOps](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops.md): Connect AI SecOps agents to your security data via Model Context Protocol.
- [Getting Started](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/getting-started.md)
- [Scanner MCP Tools Reference](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/mcp-tools-reference.md)
- [Using MCP for Security Operations](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations.md)
- [Interactive Investigations](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/interactive-investigations.md)
- [Detection Engineering](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/detection-engineering.md)
- [Autonomous Workflows](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/autonomous-workflows.md)
- [Other AI Features](/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/other-ai-features.md)
- [Developer Tools](/scanner/using-scanner-complete-feature-reference/developer-tools.md)
- [API](/scanner/using-scanner-complete-feature-reference/developer-tools/api.md): Scanner lets you turn your logs in S3 into an API, giving you the ability to execute ad hoc queries, create detection rules, and more.
- [Ad hoc queries](/scanner/using-scanner-complete-feature-reference/developer-tools/api/ad-hoc-queries.md): You can execute ad hoc queries with the Scanner API, which allows you to run an arbitrary query over a specified time range.
- [Detection Rules](/scanner/using-scanner-complete-feature-reference/developer-tools/api/detection-rules.md): A detection rule is a query that runs continuously on new logs as they arrive in Scanner. You can create, read, update, and delete detection rules with the Scanner API.
- [Event Sinks](/scanner/using-scanner-complete-feature-reference/developer-tools/api/event-sinks.md): Event sinks are event alert destinations. You can create, read, update, and delete event sinks with the Scanner API.
- [GitHub Sync](/scanner/using-scanner-complete-feature-reference/developer-tools/api/github-sync.md)
- [Validating YAML files](/scanner/using-scanner-complete-feature-reference/developer-tools/api/validating-yaml-files.md)
- [Beta Features](/scanner/using-scanner-complete-feature-reference/beta-features.md)
- [Jupyter Notebooks](/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks.md): Powerful threat hunting and investigation with Jupyter notebooks.
- [Getting Started with Jupyter Notebooks](/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks/getting-started-with-jupyter-notebooks.md)
- [Scanner Notebooks on GitHub](/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks/scanner-notebooks-on-github.md)
- [Scalar Functions and Operators](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators.md)
- [coalesce()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/coalesce.md)
- [if()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/if.md)
- [arr.join()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/arr.join.md)
- [math.abs()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/math.abs.md)
- [math.round()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/math.round.md)
- [num.parse()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/num.parse.md)
- [num.to\_str()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/num.to_str.md)
- [regex.extract()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.extract.md)
- [regex.is\_match()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.is_match.md)
- [regex.replace()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.replace.md)
- [regex.replace\_all()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.replace_all.md)
- [str.uriencode()](/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/str.uriencode.md)
