Retroscan

In normal mode, the correlator handles only events coming from collectors in real time. Retroscan lets you apply correlation rules to historical events if you want to debug correlation rules or analyze historical data.

To test a rule, you do not need to replay the incident in real time, instead you can run the rule in Retroscan mode to process historical events which include the incident of interest.

You can use a search query to define a list of historical events to retrospectively scan, you can also specify a search period and the storage that you want to search for events. You can configure a task to have alerts generated and response rules applied during the retroscan of events.

Retroscanned events are not enriched with data from CyberTrace or the Kaspersky Threat Intelligence Portal.

Active lists are updated during retroscanning.

A retroscan cannot be performed on selections of events obtained using SQL queries that group data and contain arithmetic expressions.

To use Retroscan:

  1. In the Events section of the KUMA web interface, create the required event selection:
    • Select the storage.
    • Configure search expression using the constructor or search query.
    • Select the required period.
  2. Open the MoreButton drop-down list and choose Retroscan.

    The Retroscan window opens.

  3. In the Correlator drop-down list, select the Correlator to feed selected events to.
  4. In the Correlation rules drop-down list, select the Correlation rules that must be used when processing events.
  5. If you want responses to be executed when processing events, turn on the Execute responses toggle switch.
  6. If you want alerts to be generated during event processing, turn on the Create alerts toggle switch.
  7. Click the Create task button.

The retroscan task is created in the Task manager section.

To view scan results, in the Task manager section of the KUMA web interface, click the task you created and select Go to Events from the drop-down list.

This opens a new browser tab containing a table of events that were processed during the retroscan and the aggregation and correlation events that were created during event processing. Correlation events generated by the retroscan have an additional ReplayID field that stores the unique ID of the retrospective scan run. An analyst can restart the retroscan from the context menu of the task. New correlation events will have a different ReplayID.

Depending on your browser settings, you may be prompted for confirmation before your browser can open the new tab containing the retroscan results. For more details, please refer to the documentation for your specific browser.

Page top