Retrospective scan
You can use retrospective scan to refine the correlation rule resources or analyze historical data.
You can also choose to create alerts based on a retrospective scan.
To use retrospective scan:
- In the main menu, go to Monitoring & reporting → Threat hunting.
- Click the button in the top right corner of the events table, and then select Retroscan. The Retroscan panel opens.
- In the Correlator drop-down list, select the Correlator to feed selected events to.
- In the Correlation rules drop-down list, select the Correlation rules that must be used when processing events.
- To execute responses during event processing, turn on the Execute responses toggle switch.
- To generate alerts during event processing, turn on the Create alerts toggle switch.
- Click the Create task button.
The retrospective scan task is created in the KUMA Task Manager section.