You can now transform your logs as they flow into your Scanner indexes.
Within your S3 Import Rules, you can add transformation steps to do things like:
Normalized schemas make cross-source queries and correlations much easier.
This is our first step of many to make it easy to transform and enrich your logs.
Transformers - more than meets the eye.
When you're looking at a log event, it can be super helpful to look at other logs that happened in a given context around the same time.
We've made the "Go to Context" experience better, making it easier to search for the facets into which you want to drill down. This is particularly helpful when your log events have a large number of fields.
Example use cases:
Context is worth 80 IQ points. - Alan Kay
When Scanner detection alerts are triggered, you can send events to different destinations - called event sinks.
For example, you might send alerts to Slack, or to a webhook to integrate with your favorite SOAR tool.
We want it to be easier to test your event sink integrations. There is now a button you can use to send test events to your event sinks.
You'll see information about success or failure, which can help you debug things and make sure your integrations are flowing smoothly.
Go forth and integrate!
By popular demand, we've introduced Themes to Scanner, starting with Light Mode.
We spend so much time in our coding caves that it's probably too bright for our eyeballs, but we know you will enjoy it!
What do you think - should we build more themes?
Now you can assign RBAC roles immediately on user invites.
This makes it faster to set up permissions when you're onboarding a new team member.
RBAC - all the things.
We love it when our amazing users share deeply thoughtful design ideas to make Scanner better. This one comes from you - very grateful!
You can now customize the format of the alerts you send to Slack and other event sinks. Logs can contain a lot of fields, so it's nice to be able to select specific fields and values to show in your alerts.
You can also add custom action buttons to your Slack alerts, e.g. links to runbooks, wikis, custom webhooks to run, and so forth.
After you've specified your formatting, you can preview what the alert message will look like in Slack or what a webhook will receive.
You can customize alert formatting in the Scanner UI as well as in your detection rule YAML files.
Cleaner alerts, nice!
When you're digging through heaps of data, it's useful to be able to view just the fields of your logs that you care about.
We've made it easier to customize the columns you see in your search results table.
When you're viewing the details of an individual log event, you can now right-click on column names and add those columns to the search results table.
You can also add and remove columns more easily directly from the table header of your search results.
We want to help folks solve complex problems - and make Scanner a little better at this every day. Tell us what else you want us to improve!
We've released a new tagging feature to make it easier to organize your detection rules. There are built-in tags for MITRE tactics and techniques, and you can also create your own.
As users continue to build larger collections of detection rules, reaching into the hundreds, we want to make it easy to organize them.
Give it a shot and let us know what you think.
We wanted writing queries to be easy - even for users who are new to Scanner's query language - so that they can be productive immediately.
We've released a visual query builder that allows you to edit queries with a point-and-click interface.
The builder gives you typeahead suggestions to show you the useful options you have for search, like common column names you could use, frequent values that those columns have, aggregation functions you can use, and more.
Whether you use the query builder or the query language, you have access to all of the same power.