Retroscan

You can use the Retroscan feature to "replay" events in KUMA by feeding a sample of events into a correlator so that they can be processed by specific correlation rules. You can also choose to have alerts created while events are retroscanned. Retroscan can be useful when refining the correlation rule resources or analyzing historical data.

Retroscanned events are not enriched with data from CyberTrace or the Kaspersky Threat Intelligence Portal.

Active lists are updated during retroscanning.

A retroscan cannot be performed on selections of events obtained using SQL queries that group data and contain arithmetic expressions.

To use Retroscan:

1. In the Events section of KUMA, create the required event selection:
   • Select the storage.
   • Configure search expression using the constructor or search query.
   • Select the required period.
2. Open the drop-down list and choose Retroscan.

   The Retroscan window opens.

3. In the Correlator drop-down list, select the Correlator to feed selected events to.
4. In the Correlation rules drop-down list, select the Correlation rules that must be used when processing events.
5. If you want responses to be executed when processing events, turn on the Execute responses toggle switch.
6. If you want alerts to be generated during event processing, turn on the Create alerts toggle switch.
7. Click the Create task button.

The retroscan task is created in the Task manager section.

To view results of replay:

In the Task manager section of the KUMA web interface, click the task you created and select Go to Events from the drop-down list.

This opens a new browser tab containing a table of events that were processed during the retroscan and the aggregation and correlation events that were created during event processing.

Depending on your browser settings, you may be prompted for confirmation before your browser can open the new tab containing the retroscan results. For more details, please refer to the documentation for your specific browser.

Page top