Detection Rules

Scanner provides built-in threat detection rules - or you can write your own. These rules run continuously and send you notifications when the rule criteria are met.

What is a detection rule?

A detection rule is a query that runs continuously on new logs as they arrive in Scanner. When Scanner indexes a new log file in S3, it runs each detection rule query on the data in the file. Behind the scenes, Scanner builds up a cache of query results for reach detection rule, and the cached results are split into 1 minute time bins.

What is a detection event?

Whenever a detection rule query yields any hits, a detection event is created. This event is added to the _detections index in Scanner, so you can search through all detection events, compute statistical aggregations on them, and more.
You can also configure a detection rule to send the detection event to an Event Sink, allowiong you to send notifications to other tools like Slack or Tines.

Viewing detection rules

Visit the Detections tab in Scanner to view all of your detection rules.
Viewing detection rules
The Search Detections button allows you to view all detection events that have been added to the _detections index.
You can filter detection rules by name, edit any rule, or create a new rule.

Creating or editing a detection rule

You can click to Create New Rule, or you can edit any of the existing rules.
You must specify a Name for the detection rule, and optionally specify a Description.
The Detection Rule is a query that runs on all new log files indexed by Scanner. If this query has any results, then the detection rule is triggered, and a detection event is created.
Editing a detection rule
When a detection rule is triggered, it will always add a detection event to the _detections index, which is a special index you can query.

Searching through detection events

In the main Detections tab, you can click Search Detections to open up the special _detections index and begin querying all past detection events.
You can also query the _detections index directly from the Search tab by adding @index=_detections to your query.
Querying the _detections index
The _detections index is a special index where all detection events are written. You can query them the same way you query other log events, which allows you to perform powerful investigations.

Configuring a detection rule to push to an event sink

Optionally, you can configure the detection rule to send any detection events to an Event Sink. For example, in this screenshot, we configure the detection rule to send events to a Slack event sink we created earlier.
Configure detection rule to send events to Slack

Creating an event sink

You can click Create New Sink to create a new event sink directly from a detection rule. Different sinks require different configuration values.
Here is what the Event Sink configuration form looks like for Slack. Once you fill out the Slack Channel Name, and the Name and Description of the event sink, you'll be guided to authorize the Scanner app in your Slack workspace.
Creating a new Slack event sink

Viewing all event sinks

You can view all of your team's event sinks by navigating to the Settings tab and selecting Event Sinks. In this view, you can create a new event sink, or edit your existing event sinks.
Event sinks settings

Types of event sinks

Scanner supports various types of event sinks:
  • Slack
  • Tines (beta)
  • Torq (beta)
  • Jira (beta)
  • Custom webhooks (beta)