Viewing retrospective scan results

In the Kaspersky CyberTrace web user interface, you can select the Retroscan page. To access this page, you need to switch to the System management mode. This mode is accessible only to users with the Administrator role.

Before using retrospective scan, you must enable and configure it. Later, you can also change the retrospective scan settings.

Retrospective scan allows you to rescan incoming events with objects (IP address, domain, URL, or hash) that were not considered malicious. The reason for checking these results could be that at the time of receiving such objects, Kaspersky CyberTrace did not contain information about related threats. However, because threat data feeds are regularly updated, it can be useful to save events that do not contain detected indicators, and then use updated indicators lists to rescan these events manually or according to a schedule.

Retroscan detections are included in the statistics and displayed on the Detections page, as well as on the graph, like all common detections. The results of retrospective scan are sent to the SIEM system. As well as for usual detections, the filters for sending retroscan detections to SIEM are also applied.

When a retrospective scan is in progress, all non-context values obtained from the events by applying the regular expressions specified in the retrospective scan settings on the Regular expressions tab are matched with the new indicators of the feeds enabled on the Feeds tab.

You can edit or add new regular expressions by selecting the Settings → Event sources page. If saved, the regular expressions will be available in the retrospective scan settings section on the Regular expressions tab.

In case of detection, the events that appeared in Kaspersky CyberTrace after adding an indicator to a feed will be displayed on the Detections page and will not be subject to retrospective scan.

If an indicator was added to a feed after its IP/Hash/URL had been obtained by means of a regular expression used in a retrospective scan, and if there were no detections related to this indicator, then the next retrospective scan run will display information about this indicator in the Detected indicators column, while the Date and time column will display the date and time of the indicator detection by the retrospective scan.

Each event related to this indicator will have its own record in the retrospective scan report.

The Retroscan page allows you to launch the retrospective scan manually and view the results when the scan process is finished.

On this page, you can perform the following actions:

• Launch a retrospective scan manually
• Configure the display of scan results
• View detailed information about a single retrospective scan result that contains detected indicators

This page also displays the following:

• Date and time of the next retrospective scan task
• Number of events that are saved for the retrospective scan
• Size of events that are saved for the retrospective scan

  The size of events is displayed with a delay of up to one hour. The actual current size of saved events may exceed the displayed value.

• Table with retrospective scan results for the specified period

  The table contains the following columns:

  • Status of the retrospective scan task:
    • Detected

      The result contains detected indicators.

    • Not detected

      The result does not contain detected indicators.

    • Canceled

      The retrospective scan process was canceled.

    • Failed

      The retrospective scan process failed.

  • Date and time when each retrospective scan task finished
  • Number of scanned indicators
  • Number of detected indicators

  

  Retroscan results

Launching a retrospective scan

To launch a retrospective scan,

Click the Start now button.

If needed, you can cancel the scan process.

Launching the retrospective scan can be unavailable for several reasons:

• Kaspersky CyberTrace is performing another retrospective scan task at the moment.
• Retrospective scan is disabled.

Configuring display of retrospective scan results that contain detection alerts

To display only the results that contain detection alerts,

Select Show only retroscan results with detection above the Results table.

Specifying the results period

You can specify the time period for displaying results by selecting one of the options above the Results table. You can select one of the following periods:

• All time
• Day
• Week
• Month
• 3 months
• Custom range

  

  Specifying the time period for retroscan results

Viewing results of a single retrospective scan

To view detailed information about a single retrospective scan task:

1. In the Results table, locate the result (containing detected indicators) that you want to view in detail.
2. Click the View details link.

On the page that opens, you can find detailed information about the first 50 detection events. To see all events, download the full report in CSV format (see below).

On the page, the following information is displayed:

• Date and time of the retrospective scan

  Date and time shown on the scan results page may differ from the date and time indicated in a report in CSV format. This occurs due to UTC settings: UTC+0 is always used in a report in CSV format, while the time on the scan results page depends on the custom settings.

• Number of processed events
• Number of detected indicators
• Number of processed indicators
• Number of detection alerts by category
• Information about each detection event in the Detected indicators section

  You can view detailed information about each indicator by expanding the bar with the indicator that you want. This information is contained in the following fields:

  • Category of the detected object
  • Timestamp—Date and time of indicator detection
  • Tenant—Tenant name that is associated with the original event
  • Source—Event source that sends the original event
  • ioc—Field by which an indicator is detected
  • IP—Field obtained by a regular expression

Downloading a report with the results of the retrospective scan

To download a report,

Click the Download full report button.

The generated CSV file contains the following data:

• Date and time when the detection alert received

  Date and time shown on the scan results page may differ from the date and time indicated in a report in CSV format. This occurs due to UTC settings: UTC+0 is always used in a report in CSV format, while the time on the scan results page depends on the custom settings.

• Tenant name that is associated with the original event
• Name of the event source
• Category of the detected object
• Detected indicator that caused the event
• Context information about the detection alert
• Detection alert

Page top