Viewing retrospective scan results

In the Kaspersky CyberTrace web user interface you can select the Retroscan tab.

Retrospective scanning allows you to rescan incoming events with objects that were not considered malicious. The reason for these checking results could be that at the time of receiving such objects, Kaspersky CyberTrace did not contain information about related threats. However, because threat data feeds are continuously updated, it can be useful to save events that do not contain detected indicators and then rescan these events manually or according to a schedule.

The Retroscan tab allows you to launch the retrospective scan manually and view the results that are received after the scan process is finished.

On this tab, you can perform the following actions:

• Launch a retrospective scan manually
• Configure displaying of scan results
• View detailed information about a single retrospective scan result that contains detected indicators

Also, this tab displays the following:

• Date and time of the next retrospective scan task
• Number of events that are saved for the retrospective scan
• Size of events that are saved for the retrospective scan

  The size of events is displayed with a delay of up to one hour. The actual current size of saved events may exceed the displayed value.

• Table with retrospective scan results for the specified period

  The table contains the following columns of data:

  • Status of the retrospective scan task:
    • Detected

      The result contains detected indicators.

    • Not detected

      The result does not contain detected indicators.

    • Canceled

      The retrospective scan process was canceled.

  • Date and time when each retrospective scan task has finished
  • Number of scanned indicators
  • Number of detected indicators

  If necessary, you can configure displaying only those results that contain detected indicators.

  

  Retroscan results

Launching a retrospective scan

To launch a retrospective scan:

Click the Start retroscan button.

If needed, you can cancel the scan process.

Launching the retrospective scan can be unavailable for several reasons:

• Kaspersky CyberTrace is performing another retrospective scan task at the moment.
• Retrospective scan is disabled.
• Kaspersky CyberTrace contains less than 1 MB of saved events for the retrospective scan.

Configuring display of retrospective scan results that contain detection events

To display only the results that contain detection events:

Select Show only retroscan results with detection above the Retroscan results table.

Specifying the results period

You can specify the time period for displaying results by selecting one of the Retroscan results period options above the Retroscan results table. You can select one of the following periods:

• Day
• Week
• Month
• 3 months
• All time
• Custom range

  

  Specifying the time period for retroscan results

Viewing results of a single retrospective scan

To view detailed information about a single retrospective scan task:

1. In the Retroscan results table, locate the result (containing detected indicators) that you want to view in detail.
2. Click the link in the Detected indicators column.

On the page that opens, you can find detailed information about the first 50 detection events. To see all events, download the full report in CSV format (see below).

On the page, the following information is displayed:

• Date and time of the retrospective scan
• Number of scanned events
• Number of scanned indicators
• Number of detected indicators
• Number of detection events by category
• Information about each detection event:
  • Detected indicator

    You can view detailed information about each indicator by clicking the indicator that you want.

  • Category of the detected object
  • Saved original event that contains detected indicator
  • Tenant name that is associated with the original event
  • Event source that sends the original event
  • Context information about the detection event

Downloading a report with the results of the retrospective scan

To download a report:

Click the Download report link near the Detected indicators section.

The generated CSV file contains the following data:

• Date and time when the detection event received
• Tenant name that is associated with the original event
• Name of the event source
• Category of the detected object
• Detected indicator that caused the event
• Context information about the detection event
• Detection event

Page top