RetroHunt Events

The RetroHunt Events page displays threats that occurred in the past, before the InQuest signatures had been updated with the content needed to detect them. A RetroHunt file alert results in a rescore of all sessions containing the alert-generating file. Sessions are rescored in reverse chronological order up to the configured RetroHunt look back window (default 2 weeks) or 2 hours of analysis time, whichever limit is hit first. The RetroHunt look back window can be configured on the Devices page under the InQuest RetroHunt Historic TDE integration configuration settings.
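The following Python sketch models the rescore limits described above so you can see which sessions are left unrescored when one limit is reached before the other. It is an added example, not InQuest code: the function and variable names, the per-session analysis cost, the rule that a rescore is not started once the time budget is used up, and the sample sessions are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(weeks=2)         # default look back window stated on this page
ANALYSIS_BUDGET = timedelta(hours=2)  # analysis time limit stated on this page


def plan_rescore(sessions, now, lookback=LOOKBACK, budget=ANALYSIS_BUDGET):
    """Model which sessions a RetroHunt file alert rescores.

    sessions: iterable of (session_id, session_time, analysis_cost) tuples.
    Returns (rescored_ids, skipped); skipped maps id -> the limit that stopped it.
    """
    rescored, skipped = [], {}
    spent = timedelta(0)
    stop_reason = None
    # Reverse chronological order: newest session first.
    for sid, when, cost in sorted(sessions, key=lambda s: s[1], reverse=True):
        if stop_reason is None:
            if now - when > lookback:
                stop_reason = "look back window"
            elif spent >= budget:
                # Assumption: no new rescore starts once the budget is used up.
                stop_reason = "analysis time"
        if stop_reason:
            # Whichever limit was hit first ends the run for all older sessions.
            skipped[sid] = stop_reason
            continue
        rescored.append(sid)
        spent += cost
    return rescored, skipped


# Constructed sample data: five sessions that contained the alerting file.
NOW = datetime(2024, 1, 15, 12, 0)
AGES = {"s1": timedelta(hours=1), "s2": timedelta(days=1),
        "s3": timedelta(days=3), "s4": timedelta(days=10),
        "s5": timedelta(days=20)}


def sample_sessions(cost_minutes):
    """Build the sample sessions with a uniform assumed analysis cost."""
    cost = timedelta(minutes=cost_minutes)
    return [(sid, NOW - age, cost) for sid, age in AGES.items()]


if __name__ == "__main__":
    for minutes in (5, 50):
        done, missed = plan_rescore(sample_sessions(minutes), NOW)
        print(f"{minutes} min/session: rescored={done} not_rescored={missed}")
```

In the 50-minute case the analysis time limit ends the run while session s4 is still inside the two-week window, which is the situation where a manual RetroHunt scan with an explicit look back selection is worth considering.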

To navigate to the RetroHunt Events page, click Analysis > RetroHunt Events. The right pane on the user interface displays RetroHunt events with their basic details in a tabular form. Basic details of these events include:

  • Rescan Time – Refers to the time the files were rescanned by the InQuest RetroHunt Threat Discovery Engine.
  • Session Time – Refers to the time the files were initially scanned by InQuest.
  • Source IP – Source IP address from where the threat originated.
  • Destination IP – Destination IP address.
  • Hash – MD5 hash for the file.
  • Filename – File that triggered the RetroHunt event.
  • Alert Name – Identifier for the signature that fired on the file.
  • Actions – A link to click and view the detailed analysis report of the RetroHunt event.

To view further details of an event, click View corresponding to that event in the table. You can also change the workflow status of events, provided you have been granted permission to do so. If not, this option is disabled.

Manual RetroHunt scans can be run from the Policy, Knowledge Base, and Knowledge Base Details pages.

To run a RetroHunt scan from the Policy page:

  1. Navigate to the Policy page.
  2. Click View on a policy from the list.
  3. A manual scan can be run from either the InQuest Labs tab or User-Defined tab by clicking RetroHunt on a signature from the results list.
  4. Select from the drop-down menu to decide how far back the RetroHunt scan will run.

To run a manual scan from the Knowledge Base page:

  1. Navigate to the Knowledge Base page.
  2. Click RetroHunt on a signature from the results list.
  3. Select from the drop-down menu to decide how far back the RetroHunt scan will run.

RetroHunt scans can also be run from the Knowledge Base Details page by clicking RetroHunt under the Rescan RetroHunt Events section on the right side of the page.

Clicking Scan Result while on this page will bring you to the RetroHunt Events tab of the Analysis page that displays RetroHunt events with hits for this signature.
