Event Sinks

Event sinks are alert destinations.


Last updated 4 days ago


Types of event sinks

Scanner supports various types of event sinks:

  • Slack - send event alerts to a Slack channel.

  • Webhook - send event alerts to a URL webhook.

  • PagerDuty - send event alerts to a PagerDuty service.

Creating an event sink

You can click Create New Sink to create a new event sink directly from a detection rule or by going to Settings > Event Sinks. Different sinks require different configuration values.

Slack

Here is what the Event Sink configuration form looks like for Slack. Once you fill out the Slack Channel Name, and the Name and Description of the event sink, you'll be guided to authorize the Scanner app in your Slack workspace.

[Figure: Creating a Slack event sink]

Webhook

To create a webhook event sink, select Webhook and provide the URL for the webhook (from Tines, Torq, or other applications).

When configuring webhooks on Tines, Torq, or other applications, make sure they accept POST requests and JSON content.

[Figure: Creating a webhook event sink]

PagerDuty

First, you will need to create an Events API V2 integration for your PagerDuty service. See the PagerDuty documentation for more information.

On Scanner, select the PagerDuty event sink and provide the Events API V2 integration key for your service.

[Figure: Creating a PagerDuty event sink]

To customize alerts sent to PagerDuty, see Customizing PagerDuty Alerts.

Note: PagerDuty alerts from Scanner will need to be resolved manually.

Sending alerts

Alerts are sent to event sinks from detection rules. To configure a detection rule to send an alert to an event sink, see Configuring a detection rule to push to an event sink.

Viewing all event sinks

You can view all of your team's event sinks by navigating to the Settings tab and selecting Event Sinks. In this view, you can create a new event sink, or edit your existing event sinks.

[Figure: Event sink settings]