Getting Started

Last updated 8 months ago

1. Create a new GitHub repository for detection rules

We recommend creating a new GitHub repository in your organization for Scanner detection rules.

Add detection rule YAML files to your new repository. See Writing Detection Rules for information on how to write detection rules.

2. Connect to the Scanner GitHub App

Go to Settings > Integrations on your Scanner instance to connect your GitHub account.

Choose which account to connect to and which repositories the Scanner GitHub App can access. The App will only have read access to code and metadata in the selected repositories.

You will need to be logged into GitHub and have appropriate permissions on the selected repositories in order to complete this process.

If you want to connect multiple accounts, click on Connect again to select another account.

You will be able to configure repositories after connecting to the GitHub App, if you want to give the Scanner App access to more repositories or revoke access to repositories later.

3. Add a sync source

After connecting your GitHub account, go to Detection Rule: GitHub Settings.

On this page, you will see all connected GitHub accounts and sync sources.

To add a new sync source, click Add Repository. Select the repository and branch that you would like to sync from.

A sync will automatically kick off after you add a sync source. Syncs happen every 15 minutes (if there have been new commits since the last attempted sync), or they can be kicked off manually on the Detections page.

4. Check the status of your sync

Click on the connected repository to check the sync status. On this page, you will see information on the last sync status and the detection rules that were included.

You can also change the branch or update permissions on this page.

If there are no errors or failing tests, the detection rules will be synced and you will see them on the Detections page with a GitHub tag.

If there are any errors or failing tests, the sync does not proceed. You will be able to see which files had errors or failing tests. After fixing the files and checking in the changes, you can wait for the next scheduled sync to kick off or kick off a sync from the Detections page.

You will be prompted to assign event sinks to each key in this sync source. You can select one or more event sinks to assign to each key (or leave it blank). These keys are defined in the detection rules themselves; see Writing Detection Rules for more information.
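Because a single file with errors blocks the whole sync, it pays to validate the rules repository locally (or in CI) before checking changes in. The Ruby script below is an added example, not Scanner's own CLI or validator: it parses every YAML file under a directory with Ruby's standard-library YAML parser, reports syntax errors and files that are not a top-level mapping, and collects the sink-key values so you can see which keys will need event sinks when the sync source is added. The field names `name` and `event_sink_keys` are assumptions chosen for illustration (the real rule schema is documented under Writing Detection Rules), and the sample rule files are constructed inline.

```ruby
#!/usr/bin/env ruby
# Added example (not Scanner's own tooling): validate a detection-rules
# repository before committing so a broken YAML file does not block the
# next GitHub sync. Only YAML syntax and basic document shape are checked.
# The field names `name` and `event_sink_keys` are ASSUMPTIONS for
# illustration, not Scanner's documented rule schema.
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Parse every .yml/.yaml file under `dir`.
# Returns { ok: [relative paths], errors: { relative path => message },
#           keys: sorted unique sink keys seen across valid rules }
def validate_rules(dir)
  result = { ok: [], errors: {}, keys: [] }
  Dir.glob(File.join(dir, '**', '*.{yml,yaml}')).sort.each do |path|
    rel = path.sub(%r{\A#{Regexp.escape(dir)}/?}, '')
    begin
      doc = YAML.safe_load(File.read(path))
    rescue Psych::SyntaxError => e
      result[:errors][rel] = "YAML syntax error: #{e.message}"
      next
    end
    unless doc.is_a?(Hash)
      result[:errors][rel] = 'top-level document must be a mapping'
      next
    end
    unless doc['name'].is_a?(String) && !doc['name'].empty?
      result[:errors][rel] = "missing non-empty 'name' (assumed field)"
      next
    end
    # Assumed field: the keys that the sync source maps to event sinks.
    Array(doc['event_sink_keys']).each { |k| result[:keys] << k.to_s }
    result[:ok] << rel
  end
  result[:keys] = result[:keys].uniq.sort
  result
end

# Constructed sample repository: two well-formed rules and one file with an
# unterminated quoted scalar, which the parser rejects.
SAMPLE_FILES = {
  'rules/aws/root_login.yml' => <<~YAML,
    name: AWS console login by root user
    description: Constructed sample rule
    event_sink_keys: [high_severity]
  YAML
  'rules/github/new_deploy_key.yaml' => <<~YAML,
    name: New deploy key added
    event_sink_keys: [medium_severity, audit]
  YAML
  'rules/broken.yml' => "name: Broken rule\nquery: \"unterminated\n",
}.freeze

def build_sample_repo(root)
  SAMPLE_FILES.each do |rel, body|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
  end
  root
end

# Validate the constructed repository in a temporary directory.
def run_sample
  Dir.mktmpdir('rules') { |root| validate_rules(build_sample_repo(root)) }
end

def print_report(result)
  result[:ok].each { |f| puts "OK     #{f}" }
  result[:errors].each { |f, msg| puts "ERROR  #{f}: #{msg}" }
  puts "sink keys needing event sinks: #{result[:keys].join(', ')}"
  puts "#{result[:ok].size} valid, #{result[:errors].size} with errors"
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby validate_rules.rb path/to/rules-repo
  # Without an argument the constructed sample repository is checked instead.
  dir = ARGV[0]
  report = dir ? validate_rules(dir) : run_sample
  print_report(report)
  exit 1 if dir && !report[:errors].empty?
end
```

Run it against the checkout of the rules repository in a pre-commit hook or a CI job; a non-zero exit stops the commit or the pipeline before the broken file reaches the branch that Scanner syncs from. This only catches syntax and shape problems: the failing-tests condition described above is still reported by the sync itself.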
