Run retro scans on the historical data captured by existing custom detection models to identify past events that match your defined detection criteria.

Important
  • Retro scans analyze historical data up to 7 days in the past.
  • The number of concurrent retro scan jobs is limited per company. If your company has reached the limit, you must wait for an ongoing job to complete before starting a new one.
  • A retro scan might generate multiple Workbench alerts if matched events are found across different time intervals.

Procedure

  1. Go to Agentic SIEM & XDR > Detection Model Management > Custom Models.
  2. Locate the custom model you want to scan historical data for and click the retro scan icon.
  3. Select the time range from the drop-down menu.
  4. Click Run retro scan.
    Once the retro scan is complete, any matched events generate Workbench alerts according to the configurations of your selected models.