Use Case
Reduce the Cost of SIEM and Log Search Tools
Scale and Cost
Why security logs are moving to Amazon S3

Amazon S3 is rapidly becoming one of the most popular storage destinations for security data, including data like cloud audit logs, network traffic logs, and identity provider logs. The reason is simple: the volume of data from security log sources has grown rapidly in recent years, making it prohibitively expensive to ingest into traditional SIEMs. The cost can easily range from $500,000 to $1 million per year just to ingest a single log source. For many organizations, these traditional tools are no longer viable options for these sources, so they move the sources to scalable storage, like S3. This can reduce costs by 90% compared to traditional SIEMs.

Security data sets in S3 can grow to sizes of one petabyte or more, and they frequently contain at least 12 months of retained data—necessary for threat hunting, compliance, and sometimes incident response purposes. For threat hunting and incident response, security analysts need to query this historical data to track down threats or perform forensic analysis in the event of a breach. However, the primary tool available for searching security data in S3—Amazon Athena—faces significant limitations at this scale.

Problem
Traditionally, it is painfully slow to search data in S3

When searching through petabytes of data, Amazon Athena can take tens of hours to complete a single query. This becomes a major obstacle for productive investigations. Effective threat hunting often requires exploring dozens or even hundreds of leads, but Athena's slowness can restrict analysts to only a handful of queries per day. This bottleneck can mean the difference between catching a threat in time or missing it entirely.

To speed up Athena, many teams embark on intensive data engineering projects to optimize their raw security logs. They create custom partitions to better organize the data to match their query use cases and convert the data to efficient formats like Parquet. But these efforts require significant engineering time and ongoing maintenance—resources that many security teams simply don't have.
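As an added illustration of the data engineering this paragraph refers to (example SQL written for this page, not Scanner's or AWS's own code), here is what the Athena route looks like for a CloudTrail bucket: partition projection over the raw JSON, a one-month conversion to Parquet, and an IoC sweep against the result. `BUCKET`, `ACCOUNT_ID`, the region list and the IP address are placeholders or constructed values.

```sql
-- 1. Raw CloudTrail JSON in S3, exposed through Athena with partition projection so a
--    query scans only the region/day prefixes it names. BUCKET, ACCOUNT_ID and the region list are assumed.
CREATE EXTERNAL TABLE cloudtrail_raw (
  eventtime        STRING,
  eventsource      STRING,
  eventname        STRING,
  awsregion        STRING,
  sourceipaddress  STRING,
  errorcode        STRING,
  useridentity     STRUCT<type:STRING, principalid:STRING, arn:STRING, accountid:STRING>
)
PARTITIONED BY (region STRING, dt STRING)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://BUCKET/AWSLogs/ACCOUNT_ID/CloudTrail/'
TBLPROPERTIES (
  'projection.enabled'          = 'true',
  'projection.region.type'      = 'enum',
  'projection.region.values'    = 'us-east-1,us-west-2',
  'projection.dt.type'          = 'date',
  'projection.dt.format'        = 'yyyy/MM/dd',
  'projection.dt.range'         = '2023/01/01,NOW',
  'projection.dt.interval'      = '1',
  'projection.dt.interval.unit' = 'DAYS',
  'storage.location.template'   = 's3://BUCKET/AWSLogs/ACCOUNT_ID/CloudTrail/${region}/${dt}'
);

-- 2. Convert one month to compressed, columnar Parquet partitioned by day.
--    A CTAS statement writes at most 100 partitions, so this has to be re-run per month.
CREATE TABLE cloudtrail_parquet
WITH (
  format              = 'PARQUET',
  parquet_compression = 'SNAPPY',
  external_location   = 's3://BUCKET/cloudtrail-parquet/',
  partitioned_by      = ARRAY['dt']   -- partition column must be last in the SELECT list
) AS
SELECT eventtime, eventsource, eventname, awsregion, sourceipaddress,
       errorcode, useridentity.arn AS principal_arn, dt
FROM   cloudtrail_raw
WHERE  dt BETWEEN '2024/01/01' AND '2024/01/31';

-- 3. IoC sweep: every API call from a suspect address, pruned to the days under investigation.
--    203.0.113.45 is a constructed value from the TEST-NET-3 documentation range.
SELECT eventtime, eventname, principal_arn, awsregion, errorcode
FROM   cloudtrail_parquet
WHERE  dt BETWEEN '2024/01/10' AND '2024/01/20'
  AND  sourceipaddress = '203.0.113.45'
ORDER BY eventtime;
```

Each of the three steps is a separate Athena statement, and steps 1 and 2 are the ongoing maintenance the paragraph describes: the DDL must be kept in sync with the log schema and the conversion re-run as new data arrives.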

Solution
Scanner gives you fast search and threat detections for data in S3. Reduce SIEM costs, investigate at the speed of thought.

Enter Scanner. Scanner is designed to eliminate these obstacles. You can point Scanner at the S3 buckets containing your raw security data, and it will take care of the rest. It automatically organizes the raw data, building text and numerical indexes to make searching fast and efficient. There's no need for complex data engineering or ongoing maintenance—Scanner does the heavy lifting for you.

The result? Scanner can find indicators of compromise (IOCs), such as IP addresses, in a petabyte of logs in just tens of seconds. In comparison, Athena routinely takes tens of hours to perform the same search. This massive speedup transforms the way security teams conduct investigations. Instead of being limited to just a couple of queries per day, your team can run hundreds—giving them the power to fully explore every lead and get to the bottom of any threat.

Furthermore, you can turn queries into detection rules that run continuously on all new data, making sure you don't miss threats. Scanner sends alerts from detection rules to your team's communication tools, like Slack, or via webhooks to SOAR tools, like Tines or Torq. This allows you to respond rapidly to threats detected in your security data in S3.

Empower your security team with Scanner

Scanner is more than just a tool; it's a force multiplier for your security team. With Scanner, threat hunting and incident response are faster, easier, and far more effective. Instead of drowning in data, your analysts can focus on what matters most: finding threats and protecting your organization.
