Scanner Collect now supports three new log sources that you can connect with just a few clicks.
Pull 1Password audit logs to monitor vault access and sharing activity. Ingest Azure Active Directory sign-ins and audit logs for identity monitoring. Connect Google Workspace admin and drive activity for comprehensive SaaS visibility.
Each source automatically handles API authentication, pagination, and delivers clean JSON files to your S3 data lake - no custom scripts or polling infrastructure required.
More sources, same simplicity.
You can now write custom Vector Remap Language (VRL) programs to transform and parse your log data exactly how you need it.
While Scanner provides built-in VRL transformations for common log sources, sometimes you need to handle messy application logs, parse custom formats, or normalize everything to your preferred schema. Custom VRL gives you that power with regex parsing, conditional logic, field manipulation, and filtering.
Transform logs at ingestion time, normalize diverse formats to Elastic Common Schema, or filter out noisy debug messages. Perfect for those bespoke application logs that don't fit the standard molds.
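As an added illustration (this is example code, not a Scanner built-in transformation or anything from Scanner's documentation), here is one custom VRL program that does all four things named above on a constructed application log line: regex parsing, filtering, field manipulation, and conditional logic, ending in Elastic Common Schema field names. It assumes the raw line arrives in `.message` (check which field your source actually populates), that `abort` drops the event as it does in Vector's remap transform, and that the line looks like the constructed sample in the first comment.

```vrl
# Added example, not Scanner's own code.
# Assumption: the raw application log line is in .message (adjust to your source).
# Constructed sample line this program expects:
#   2024-05-01T12:00:00Z WARN auth login user=alice src_ip=10.0.0.5 outcome=failure reason=bad_password

raw = string(.message) ?? ""

# 1. Regex parsing with named captures. The two-value assignment form is fallible:
#    a non-matching line yields an error instead of aborting the whole program.
parsed, err = parse_regex(raw, r'^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+(?P<action>\S+)\s*(?P<kv>.*)$')

if err != null {
  # Keep lines we could not parse, but mark them so they are easy to find and fix.
  .parse_error = err
  .tags = ["vrl_parse_failed"]
} else {
  level = string(parsed.level) ?? ""

  # 2. Filtering at ingestion time: drop DEBUG/TRACE noise before it is indexed.
  #    Assumption: abort drops the event here, as in Vector's remap transform.
  if level == "DEBUG" || level == "TRACE" {
    abort
  }

  # 3. Parse the trailing key=value pairs; fall back to an empty object on failure.
  kv = parse_key_value(string(parsed.kv) ?? "", key_value_delimiter: "=", field_delimiter: " ") ?? {}

  # 4. Field manipulation: normalize to Elastic Common Schema names.
  #    "%+" is the ISO 8601 / RFC 3339 format; unparseable timestamps fall back to ingest time.
  ."@timestamp" = parse_timestamp(string(parsed.ts) ?? "", "%+") ?? now()
  .log.level = downcase(level)
  .event.provider = parsed.component
  .event.action = parsed.action
  if kv.outcome != null { .event.outcome = kv.outcome }
  if kv.reason != null { .event.reason = kv.reason }
  if kv.user != null { .user.name = kv.user }
  if kv.src_ip != null { .source.ip = kv.src_ip }

  # Conditional logic: tag failed logins, the case detections usually care about.
  if .event.action == "login" && .event.outcome == "failure" {
    .event.category = ["authentication"]
    .event.type = ["start"]
  }

  # The raw line is now fully represented by structured fields.
  del(.message)
}
```

Two design choices are worth keeping when you adapt this. The regex uses the fallible two-value assignment rather than `parse_regex!`, so a line that does not match is kept and tagged instead of vanishing from the data lake; silently dropping unparsed lines is the worse failure mode in a detection pipeline. And the DEBUG/TRACE filter runs before any field work, so the cost of parsing is never paid for events you were going to discard anyway.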
Scanner Collect helps you build a comprehensive log data lake in Amazon S3 with minimal setup and zero custom pipeline code.
In a single afternoon, you can integrate dozens of log sources - from Okta and Google Workspace to Slack and Wiz - all delivered as gzipped JSON files in your S3 buckets. Scanner then indexes these logs for full-text search and continuous detections.
Why build custom polling scripts and manage API tokens when you could be focusing on detection and response? Scanner Collect handles API pagination, authentication, webhooks, rate limits, and all the other infrastructure headaches.
The modern security perimeter is SaaS and cloud - your log collection should be too.
Stop copy-pasting logs into ChatGPT. Scanner now includes an AI assistant to explain log events and detection alerts in plain English.
Click a button to get clear explanations of what happened, why an alert triggered, and suggestions for next steps in your investigation. Perfect for anyone who needs to quickly understand complex log data.
Powered by Claude Sonnet via Amazon Bedrock - your data stays in your AWS environment and is not used to train any models.
AI-powered investigations, security-first approach.
Admins can now set fine-grained query restrictions on a per-role basis to control which data users can search.
Restriction filters work as allowlists: a user can only query data that matches their role's filters, and anything outside the filter is unreachable no matter how the query is written. Need to keep sensitive HR logs or customer PII away from certain roles? Scope each role's filter to the data it is allowed to see; because the filter is an allowlist, everything it does not match is out of reach for that role.
Perfect for organizations that need to share some log data broadly while keeping sensitive information locked down.
You can now easily toggle individual detection rules between active and paused states directly from the Scanner UI.
Whether you're using our out-of-the-box detection rules or your own custom ones, sometimes you need to quickly pause a noisy rule during an incident or temporarily disable rules during maintenance windows.
No more editing YAML files or redeploying - just click to pause, click to resume.
For organizations with strict data residency requirements, we've launched Self-Hosted Scanner.
Your log data never leaves your AWS account. Scanner's compute infrastructure runs in a dedicated AWS account that we manage, but all your logs and index files stay put in your S3 buckets.
The architecture uses familiar AWS services - ECS for core services like indexers and detection workers, Lambda for query processing, and your choice of messaging and database services. Everything is optimized for performance with VPC endpoints and regional alignment to minimize costs.
Perfect for enterprises that need the power of Scanner while maintaining complete control over their data sovereignty.
Your cloud, your data, your peace of mind.
We want to give admins peace of mind when they invite large groups of people in their organization to use Scanner.
Admins can now control the total query capacity their organization is allowed to use each month.
At the same time, they can give permission to specific roles to exceed the limit.
Throttle wisely, splurge selectively.
With great power comes great responsibility.
You can now configure detection alerts to be sent to PagerDuty.
Suitable for detection alerts with high severity levels, such as High or Critical.
Only wake up the on-call team member if you must!
You can now transform your logs as they flow into your Scanner indexes.
Within your S3 Import Rules, you can add transformation steps to do things like:
Normalized schemas make cross-source queries and correlations much easier.
This is our first step of many to make it easy to transform and enrich your logs.
Transformers - more than meets the eye.
When you're looking at a log event, it can be super helpful to look at other logs that happened in a given context around the same time.
We've made the "Go to Context" experience better, making it easier to search for the facets into which you want to drill down. This is particularly helpful when your log events have a large number of fields.
Example use cases:
"Context is worth 80 IQ points." - Alan Kay
When Scanner detection alerts are triggered, you can send events to different destinations - called event sinks.
For example, you might send alerts to Slack, or to a webhook to integrate with your favorite SOAR tool.
We want it to be easier to test your event sink integrations. There is now a button you can use to send test events to your event sinks.
You'll see information about success or failure, which can help you debug things and make sure your integrations are flowing smoothly.
Go forth and integrate!
By popular demand, we've introduced Themes to Scanner, starting with Light Mode.
We spend so much time in our coding caves that it's probably too bright for our eyeballs, but we know you will enjoy it!
What do you think - should we build more themes?
Now you can assign RBAC roles immediately on user invites.
This makes it faster to set up permissions when you're onboarding a new team member.
RBAC - all the things.
We love it when our amazing users share deeply thoughtful design ideas to make Scanner better. This one comes from you - very grateful!
You can now customize the format of the alerts you send to Slack and other event sinks. Logs can contain a lot of fields, so it's nice to be able to select specific fields and values to show in your alerts.
You can also add custom action buttons to your Slack alerts, e.g., links to runbooks, wikis, custom webhooks to run, and so forth.
After you've specified your formatting, you can preview what the alert message will look like in Slack or what a webhook will receive.
You can customize alert formatting in the Scanner UI as well as in your detection rule YAML files.
Cleaner alerts, nice!
When you're digging through heaps of data, it's useful to be able to view just the fields of your logs that you care about.
We've made it easier to customize the columns you see in your search results table.
When you're viewing the details of an individual log event, you can now right-click on column names and add those columns to the search results table.
You can also add and remove columns more easily directly from the table header of your search results.
We want to help folks solve complex problems - and make Scanner a little better at this every day. Tell us what else you want us to improve!
We've released a new tagging feature to make it easier to organize your detection rules. There are built-in tags for MITRE tactics and techniques, and you can also create your own.
As users continue to build larger collections of detection rules, reaching into the hundreds, we want to make it easy to organize them.
Give it a shot and let us know what you think.
Even for users who are new to Scanner's query language, we wanted it to be easy to write queries - and be productive immediately.
We've released a visual query builder that allows you to edit queries with a point-and-click interface.
The builder gives you typeahead suggestions to show you the useful options you have for search, like common column names you could use, frequent values that those columns have, aggregation functions you can use, and more.
Whether you use the query builder or the query language, you have access to all of the same power.