We’re excited to announce a major expansion of Scanner’s detection rule capabilities with ready-to-use rules across 12 critical log sources. This release brings our total to 214 detection rules, covering 11 MITRE ATT&CK tactics and 45 techniques, providing extensive security monitoring across your technology stack.

Detection Coverage Across Your Cloud Infrastructure

Our new detection rules span four key areas:

Cloud Platforms

Monitor your cloud infrastructure with specialized rules for AWS CloudTrail, Google Cloud Platform, and Microsoft Azure. These rules help you detect suspicious activities, unauthorized access, and potential security violations across your cloud environments.

AWS CloudTrail – Detection rules for AWS audit logs and CloudTrail events

• Repository: scanner-inc/detection-rules-aws-cloudtrail

Google Cloud (GCP) – Detection rules for GCP audit and security logs

• Repository: scanner-inc/detection-rules-gcp

Microsoft Azure – Detection rules for Azure activity and security logs

• Repository: scanner-inc/detection-rules-azure

Identity and Access Management

Strengthen your identity security with dedicated rules for Okta, Auth0, and Cisco Duo. Track authentication patterns, administrative changes, and potential account compromises across your identity providers.

Okta – Detection rules for Okta authentication and administration events

• Repository: scanner-inc/detection-rules-okta

Auth0 – Detection rules for Auth0 authentication logs

• Repository: scanner-inc/detection-rules-auth0

Cisco Duo – Detection rules for Duo Security authentication events

• Repository: scanner-inc/detection-rules-cisco-duo

Collaboration and Productivity

Protect your workforce tools with rules for GitHub, Microsoft 365, Slack, and Google Workspace. Monitor sensitive actions, data access, and potential insider threats across your collaboration platforms.

GitHub – Detection rules for GitHub organization and repository events

• Repository: scanner-inc/detection-rules-github

Microsoft 365 – Detection rules for Microsoft 365 audit logs

• Repository: scanner-inc/detection-rules-microsoft-365

Slack – Detection rules for Slack workspace events

• Repository: scanner-inc/detection-rules-slack

Google Workspace (formerly GSuite) – Detection rules for Google Workspace admin and security logs

• Repository: scanner-inc/detection-rules-gsuite

Data and Infrastructure

Secure your critical data and systems with specialized rules for Snowflake and Windows process creation events. Track database access, system changes, and potentially malicious processes.

Snowflake – Detection rules for Snowflake database access and usage

• Repository: scanner-inc/detection-rules-snowflake

Windows Process Creation Events – Detection rules for Windows process creation events

• Repository: scanner-inc/detection-rules-windows-process-creation

Flexible and Customizable

Every environment is unique, which is why we’ve designed these rules to be adaptable:

• Fork any repository to create your customized version while maintaining upstream updates
• Enable or disable individual rules through Scanner’s interface
• Adjust detection parameters like thresholds, time windows, and severity levels
• Contribute improvements back to the community through pull requests

Getting Started

All detection rules are available in their respective repositories under the Scanner organization. Simply connect your log sources to Scanner and enable the relevant rules to begin strengthening your security posture.

Start exploring our detection rules today to enhance your security monitoring capabilities. For detailed documentation and implementation guides, visit our documentation on Scanner’s Out-of-the-Box Detection Rules

Join the Webinar on January 30th

Come join us for our webinar on January 30th where we’ll talk about setting up detections-as-code with CI/CD in Scanner. We’ll demonstrate how to automate your detection engineering workflow and maintain detection rules at scale.

‍