Detection Rules
Scanner provides built-in threat detection rules - or you can write your own. These rules run continuously and send you notifications when the rule criteria are met.
Last updated
Was this helpful?
Scanner provides built-in threat detection rules - or you can write your own. These rules run continuously and send you notifications when the rule criteria are met.
Last updated
Was this helpful?
A detection rule is a query that runs continuously on new logs as they arrive in Scanner. When Scanner indexes a new log file in S3, it runs each detection rule query on the data in the file. Behind the scenes, Scanner builds up a cache of query results for reach detection rule, and the cached results are split into 1 minute time bins.
Whenever a detection rule query yields any hits, a detection event is created. This event is added to the _detections index in Scanner, so you can search through all detection events, compute statistical aggregations on them, and more.
You can also configure a detection rule to send the detection event to an Event Sink, allowing you to send notifications to other tools like Slack or Tines.
Visit the Detections tab in Scanner to view all of your detection rules.
The Search Detections button allows you to view all detection events that have been added to the _detections index.
You can filter the list of detection rules by status, severity, and tags or search for detection rules by name, tags, or severity. You can also create new detection rules or edit existing rules from this page.
Select New > Create New Rule to create a new rule, or select an existing rule to edit it.
You must specify a Name for the detection rule, and optionally specify a Description.
The Detection Query is the query that runs on all new log files indexed by Scanner. If this query has any results, then the detection rule is triggered, and a detection event is created.
When a detection rule is triggered, it will always add a detection event to the _detections index, which is a special index you can query.
In the main Detections tab, you can click Search Detections to open up the special _detections index and begin querying all past detection events.
You can also query the _detections index directly from the Search tab by adding @index=_detections to your query.
The _detections index is a special index where all detection events are written. You can query them the same way you query other log events, which allows you to perform powerful investigations.
Optionally, you can add tags to a detection rule. Tags can be used to classify and search for detection rules. Tags are included in detection events and can be searched in the _detectionsindex.
Scanner has default MITRE tags that you can use or you can create your own. See MITRE Tags for the full list of default tags.
Optionally, you can configure the detection rule to send any triggered detection events to an . For example, in this screenshot, we configure the detection rule to send events to a Slack event sink.
To set up an event sink, see .
_detections index
