
Event-Driven Scanning

Event-driven scanning enables real-time detection of sensitive data as files are uploaded or modified in your cloud storage. Instead of waiting for scheduled scans, the platform processes files within seconds of a storage event.

How It Works

Cloud Storage Event (file created/modified)
  → Event Notification (S3 Events / Pub/Sub / Event Grid)
  → Slim.io Event Receiver
  → Single-file scan triggered
  → Findings persisted
  → Governance policies evaluated
  → Actions executed (alert, tokenize, quarantine)

Event-driven scanning is an optional feature that requires configuration in both your cloud provider and Slim.io. It is customer-controlled — Slim.io does not enable event subscriptions without explicit setup.

AWS S3 Events

Setup

  1. In the AWS Console, navigate to your S3 bucket’s Properties > Event notifications.
  2. Create a new event notification:
    • Event types: s3:ObjectCreated:* (and optionally s3:ObjectRestore:*)
    • Destination: SNS Topic or SQS Queue
  3. Configure the SNS/SQS resource to forward events to Slim.io’s webhook endpoint.
  4. In Slim.io, enable event-driven scanning on the AWS connector and enter the SNS/SQS ARN.

Event Format

Slim.io processes S3 event notifications in the standard S3 event format:

    {
      "Records": [
        {
          "eventName": "ObjectCreated:Put",
          "s3": {
            "bucket": { "name": "my-bucket" },
            "object": { "key": "uploads/data.csv", "size": 1048576 }
          }
        }
      ]
    }

Google Cloud Storage Pub/Sub

Setup

  1. Create a Pub/Sub topic in your GCP project.
  2. Configure a notification on your GCS bucket:
    gcloud storage buckets notifications create gs://your-bucket-name \
      --topic=projects/YOUR_PROJECT/topics/slim-io-events \
      --payload-format=json \
      --event-types=OBJECT_FINALIZE

  3. Create a Pub/Sub push subscription pointing to Slim.io’s webhook endpoint.
  4. In Slim.io, enable event-driven scanning on the GCP connector and enter the subscription details.

Filtering

You can filter events by object prefix to avoid scanning irrelevant files:

    gcloud storage buckets notifications create gs://your-bucket-name \
      --topic=projects/YOUR_PROJECT/topics/slim-io-events \
      --payload-format=json \
      --event-types=OBJECT_FINALIZE \
      --object-prefix="uploads/"

Azure Event Grid

Setup

  1. In the Azure Portal, navigate to your Storage Account.
  2. Go to Events > Event Subscriptions.
  3. Create a new subscription:
    • Event types: Blob Created
    • Endpoint type: Webhook
    • Endpoint URL: Slim.io’s Azure webhook endpoint
  4. In Slim.io, enable event-driven scanning on the Azure connector.

Subject Filtering

Filter events by blob path prefix:

    {
      "filter": {
        "subjectBeginsWith": "/blobServices/default/containers/uploads/"
      }
    }

Processing Guarantees

| Property | Behavior |
| --- | --- |
| At-least-once | Events may be delivered more than once; Slim.io deduplicates by file path and modification timestamp |
| Ordering | Events may arrive out of order; Slim.io uses the latest modification timestamp to resolve conflicts |
| Retry | Failed event processing is retried with exponential backoff before being routed to the dead letter queue |
| Dead Letter | Events that exhaust retries are sent to the dead letter queue, visible in the Scan Monitor error log. Dead letter events can be manually retried from the dashboard. |

Rate Limiting

Event-driven scans count against your monthly scan quota. To prevent runaway costs on high-volume buckets:

  • Configure a rate limit on event-driven scans (e.g., max 100 events per minute)
  • Set file size thresholds to exclude very large files from event-driven processing
  • Use prefix filters in the cloud provider configuration to limit which paths trigger events
  • Monitor event volume in the Scan Monitor dashboard

Event-driven scanning complements but does not replace scheduled scans. Scheduled scans catch files that were uploaded before event-driven scanning was enabled, while events catch new uploads in real time.
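
The deduplication and ordering rules under Processing Guarantees, together with the prefix and size filters under Rate Limiting, can be sketched as a receiver-side gate. This is an added example, not Slim.io's code: `EventGate`, `make_record` and `demo` are hypothetical names, and it assumes the standard S3 `eventTime` record field stands in for the modification timestamp.

```python
from datetime import datetime
from urllib.parse import unquote_plus

class EventGate:
    """Decides whether one S3 event record should trigger a single-file scan."""
    def __init__(self, prefix="", max_bytes=None):
        self.prefix = prefix        # assumed receiver-side prefix filter
        self.max_bytes = max_bytes  # assumed file size threshold
        self.latest = {}            # (bucket, key) -> newest timestamp seen

    def decide(self, record):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            return "ignored"
        obj = record["s3"]["object"]
        bucket = record["s3"]["bucket"]["name"]
        # S3 URL-encodes object keys in notifications ("q1 report" -> "q1+report").
        key = unquote_plus(obj["key"])
        if not key.startswith(self.prefix):
            return "filtered"
        if self.max_bytes is not None and obj.get("size", 0) > self.max_bytes:
            return "too_large"
        # Assumption: eventTime stands in for the modification timestamp.
        ts = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
        seen = self.latest.get((bucket, key))
        if seen is not None and ts == seen:
            return "duplicate"      # at-least-once redelivery
        if seen is not None and ts < seen:
            return "stale"          # out of order: a newer version was already seen
        self.latest[(bucket, key)] = ts
        return "scan"

def make_record(key, event_time, size=1024, name="ObjectCreated:Put"):
    # Constructed record in the S3 event format shown on this page, plus eventTime.
    return {"eventName": name, "eventTime": event_time, "s3": {
        "bucket": {"name": "my-bucket"}, "object": {"key": key, "size": size}}}

def demo():
    gate = EventGate(prefix="uploads/", max_bytes=10 * 1024 * 1024)
    events = [  # constructed sample events, in arrival order
        make_record("uploads/data.csv", "2024-05-01T10:00:05.000Z"),
        make_record("uploads/data.csv", "2024-05-01T10:00:05.000Z"),  # redelivered
        make_record("uploads/data.csv", "2024-05-01T10:00:01.000Z"),  # late arrival
        make_record("uploads/q1+report.csv", "2024-05-01T10:00:07.000Z"),
        make_record("logs/app.log", "2024-05-01T10:00:08.000Z"),
        make_record("uploads/big.bin", "2024-05-01T10:00:09.000Z", size=50 * 1024 * 1024),
    ]
    return [gate.decide(e) for e in events]

if __name__ == "__main__":
    print(demo())
```

The in-memory map grows without bound; a long-running receiver would keep this state in a shared store with expiry.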

Combining with Governance

Event-driven scanning is most powerful when combined with governance policies. For example:

  1. A CSV file is uploaded to an S3 bucket
  2. The event triggers an immediate scan
  3. Slim.io detects credit card numbers with high confidence
  4. A governance policy automatically tokenizes the credit card fields
  5. An alert is sent to the security team’s Slack channel

This enables near-real-time data protection without manual intervention.
