# Using Scanner (Complete Feature Reference)

- [Scanner Collect: Data Ingestion](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion.md): Learn what Scanner Collect is, why it helps you build a scalable S3-based log data lake, and how it simplifies ingestion, indexing, and detection across your SaaS and cloud logs.
- [Sources](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources.md)
- [1Password](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/1password.md)
- [Atlassian](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/atlassian.md)
- [Auth0](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/auth0.md)
- [Azure Activity](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/azure-activity.md)
- [AWS Aurora](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-aurora.md)
- [AWS CloudTrail](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-cloudtrail.md)
- [AWS CloudWatch](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-cloudwatch.md)
- [AWS ECS](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-ecs.md)
- [AWS EKS](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-eks.md)
- [AWS GuardDuty](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-guardduty.md)
- [AWS Lambda](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-lambda.md)
- [AWS Route53 Resolver](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-route53-resolver.md)
- [AWS VPC Flow](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-vpc-flow.md)
- [AWS VPC Transit Gateway Flow](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-vpc-transit-gateway-flow.md)
- [AWS WAF](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/aws-waf.md)
- [Cloudflare](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/cloudflare.md)
- [Crowdstrike](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/crowdstrike.md)
- [Custom Logs - AWS S3](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-aws-s3.md)
- [Custom Logs - HTTP](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-logs-http.md)
- [Custom via Fluentd](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/custom-via-fluentd.md)
- [Fastly](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/fastly.md)
- [Github](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/github.md)
- [Google Cloud Platform (GCP) Audit](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-cloud-platform-gcp-audit.md)
- [Google Workspace](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace.md)
- [Google Workspace Activity](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace/google-workspace-activity.md)
- [Google Workspace Alerts](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/google-workspace/google-workspace-alerts.md)
- [Jamf](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/jamf.md)
- [Lacework](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/lacework.md)
- [Okta](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/okta.md)
- [Osquery](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/osquery.md)
- [OSSEC](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/ossec.md)
- [SentinelOne](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sentinelone.md)
- [Slack](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/slack.md)
- [Snowflake](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/snowflake.md)
- [Sophos](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sophos.md)
- [Syslog](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/syslog.md)
- [Sublime Security](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/sublime-security.md)
- [Suricata](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/suricata.md)
- [Teleport](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/teleport.md)
- [Windows Defender](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/windows-defender.md)
- [Windows Sysmon](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/windows-sysmon.md)
- [Wiz](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/wiz.md)
- [Zeek](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/zeek.md)
- [Index Organization](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/index-organization.md)
- [Regular Expressions in Index Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/regular-expressions-in-index-rules.md)
- [Data Transformation & Enrichment](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment.md)
- [Data Transformations](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/data-transformations.md)
- [Custom VRL](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/custom-vrl.md)
- [Lookup Table Enrichment](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment.md)
- [Custom Lookup Tables](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment/custom-lookup-tables.md)
- [Threat Intelligence](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment/threat-intelligence.md)
- [Querying & Analysis](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis.md)
- [Query Syntax](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/query-syntax.md): Here is how you search through your log events
- [Understanding Tokens and Query Performance](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/tokens-and-query-performance.md)
- [Data Exploration](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/data-exploration.md)
- [Aggregation Functions](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions.md)
- [avg()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/avg.md)
- [count()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/count.md)
- [countdistinct()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/countdistinct.md)
- [eval()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/eval.md)
- [groupbycount()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/groupbycount.md)
- [head()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/head.md)
- [max()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/max.md)
- [min()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/min.md)
- [percentile()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/percentile.md)
- [rename()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/rename.md)
- [stats()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/stats.md)
- [sum()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/sum.md)
- [table()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/table.md)
- [tail()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/tail.md)
- [var()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/var.md)
- [where()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/where.md)
- [Built-in Indexes](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/built-in-indexes.md)
- [\_audit](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/built-in-indexes/_audit.md)
- [\_usage](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/built-in-indexes/_usage.md)
- [Detections & Alerting](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting.md)
- [Detection Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules.md): Scanner provides built-in threat detection rules - or you can write your own. These rules run continuously and send you notifications when the rule criteria are met.
- [Out-of-the-Box Detection Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/out-of-the-box-detection-rules.md)
- [Detection Rules as Code](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code.md): Collaborate on, review, and continuously test detection rules.
- [Getting Started](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/getting-started.md)
- [Writing Detection Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/writing-detection-rules.md)
- [CLI](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/cli.md)
- [Managing Synced Detection Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-rules-as-code/managing-synced-detection-rules.md)
- [Detection Alert Formatting](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-alert-formatting.md): Custom formatting for detection alerts
- [Customizing PagerDuty Alerts](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/detection-alert-formatting/customizing-pagerduty-alerts.md)
- [MITRE Tags](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/detection-rules/mitre-tags.md): Below are the default MITRE tags in Scanner. These are populated in the list of tags on the detection rule create and edit pages.
- [Event Sinks](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/detections-and-alerting/event-sinks.md): Event sinks are alert destinations.
- [Administration](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration.md)
- [Authentication & SSO](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso.md): Use Single Sign On to connect your enterprise's identity provider to Scanner.
- [SCIM](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso/scim.md): Use SCIM to automate user provisioning, deprovisioning, and role synchronization from your enterprise's identity provider to Scanner.
- [Role-Based Access Control (RBAC)](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration/role-based-access-control-rbac.md)
- [MCP & AI SecOps](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops.md): Connect AI SecOps agents to your security data via Model Context Protocol.
- [Getting Started](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/getting-started.md)
- [Scanner MCP Tools Reference](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/mcp-tools-reference.md)
- [Using MCP for Security Operations](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations.md)
- [Interactive Investigations](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/interactive-investigations.md)
- [Detection Engineering](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/detection-engineering.md)
- [Autonomous Workflows](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/autonomous-workflows.md)
- [Deploying Agents](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents.md): Deploy autonomous SOC agents to your infrastructure using pre-built, production-ready examples from the scanner-inc/agents repository.
- [Deploy via n8n](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/n8n.md): Deploy Scanner SOC agents as n8n workflows. Import, configure credentials, activate.
- [Deploy via AWS](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/deploying-agents/aws.md): Deploy Scanner SOC agents to AWS using the Claude Agent SDK and Terraform.
- [Other AI Features](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/other-ai-features.md)
- [Developer Tools](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools.md)
- [API](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api.md): Scanner lets you turn your logs in S3 into an API, giving you the ability to execute ad hoc queries, create detection rules, and more.
- [Ad hoc queries](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/ad-hoc-queries.md): You can execute ad hoc queries with the Scanner API, which allows you to run an arbitrary query over a specified time range.
- [Detection Rules](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/detection-rules.md): A detection rule is a query that runs continuously on new logs as they arrive in Scanner. You can create, read, update, and delete detection rules with the Scanner API.
- [Event Sinks](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/event-sinks.md): Event sinks are event alert destinations. You can create, read, update, and delete event sinks with the Scanner API.
- [GitHub Sync](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/github-sync.md)
- [Validating YAML files](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/validating-yaml-files.md)
- [Beta Features](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features.md)
- [Jupyter Notebooks](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks.md): Powerful threat hunting and investigation with Jupyter notebooks.
- [Getting Started with Jupyter Notebooks](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks/getting-started-with-jupyter-notebooks.md)
- [Scanner Notebooks on Github](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/jupyter-notebooks/scanner-notebooks-on-github.md)
- [Scalar Functions and Operators](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators.md)
- [coalesce()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/coalesce.md)
- [if()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/if.md)
- [arr.join()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/arr.join.md)
- [math.abs()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/math.abs.md)
- [math.round()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/math.round.md)
- [num.parse()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/num.parse.md)
- [num.to\_str()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/num.to_str.md)
- [regex.extract()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.extract.md)
- [regex.is\_match()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.is_match.md)
- [regex.replace()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.replace.md)
- [regex.replace\_all()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/regex.replace_all.md)
- [str.uriencode()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/beta-features/scalar-functions-and-operators/str.uriencode.md)
- [Unstable APIs](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/unstable.md)
- [Lookup Tables](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/unstable/lookup-tables.md): Manage lookup table files via the Scanner API. These endpoints are unstable and may change without notice.


