Retrospective scan settings
Kaspersky CyberTrace allows you to save events potentially containing undetected indicators, perform a retrospective scan of these events according to the indicators from the updated feeds, and then view retrospective scan results. This section explains how to configure Kaspersky CyberTrace for using the retrospective scan on the Settings → Retroscan page. To access this page, you need to switch to the System management mode. This mode is accessible only to users with the Administrator role.
The Retroscan page allows you to do the following:
- Enable or disable the retrospective scan.
- View the current size of saved events.
- Remove saved events.
Saved events cannot be removed when the retrospective scan is in progress. If you want to disable the retrospective scan and remove the saved events, you must wait until the current retroscan task is finished.
Retroscan page
- On the General settings tab, manage the following settings:
- Set the frequency of the scheduled retrospective scan task or disable the scan on schedule. If Every month is selected, retrospective scan starts every 30 days.
- Enable or disable the size limit for events that must be saved for the retrospective scan.
- Set the maximum size of events (in gigabytes) that must be saved for the retrospective scan.
- Set how long (in days) the events used for the retrospective scan must be stored.
- Set how long (in days) the results of the retrospective scan must be stored.
General settings tab
- On the Feeds tab, enable or disable feeds that must be used in the retrospective scan.
Feeds tab
- On the Regular expressions tab, define the following settings:
- Enable or disable saving events related to a specific tenant for use in the retrospective scan.
If you exclude a tenant from the retrospective scan, the regular expressions contained in this tenant become unavailable for selection.
- Select regular expressions contained in a tenant for use in the retrospective scan.
You must select at least one regular expression.
Regular expressions tab
- Enable or disable saving events related to a specific tenant for use in the retrospective scan.
Recommendations on retrospective scan settings
Retrospective scan is a resource-consuming functionality that may take a long time when checking huge amounts of data. For more efficient use of retrospective scan without looking up indicators for all incoming events, we recommend to single out the events that will be retrospectively scanned to the separate event source.
To add an event source for retrospective scan:
- Add an event source.
When defining the event source settings, pay attention on the following:
- Add a regular expression to single out an event (for example, for Syslog message format it could be
^\<d+\>.*$). - Set the rule name typical for this source and indicator type (for example,
RE_IP_NEW_SIEM).For regular expressions for various event sources, see the "Regular expressions for popular event sources" section.
- Add a regular expression to single out an event (for example, for Syslog message format it could be
- Go to Settings → Retroscan, and then select the Regular expressions tab.
- Enable only those sources and their regular expressions that are necessary for retrospective scan.
- Save changes.
Service alerts related to retrospective scan
Kaspersky CyberTrace generates the following service alerts to inform you about the retrospective scan process:
KL_ALERT_RetroScanCompletedKL_ALERT_RetroScanErrorKL_ALERT_RetroScanStorageExceeded
For details about the above alerts, see the "Service alerts sent by Kaspersky CyberTrace" section.
Page top