Retrospective scan

You can use retrospective scan to refine the correlation rule resources or analyze historical data.

You can also choose to create alerts based on a retrospective scan.

To use retrospective scan:

1. In the main menu, go to Monitoring & reporting → Threat hunting.
2. Click the button in the top right corner of the events table, and then select Retroscan.

   The Retroscan panel opens.

3. In the Correlator drop-down list, select the Correlator to feed selected events to.
4. In the Correlation rules drop-down list, select the Correlation rules that must be used when processing events.
5. To execute responses during event processing, turn on the Execute responses toggle switch.
6. To generate alerts during event processing, turn on the Create alerts toggle switch.
7. Click the Create task button.

   The retrospective scan task is created in the KUMA Task Manager section.

Page top