Running a rule against historical data

When you create and enable a new rule, the rule begins searching for detections based on the events received by your Google Security Operations account in real time. A retrohunt enables you to use the selected rule to search for detections throughout existing data in Google Security Operations. Retrohunts are scheduled when there are available resources to run. Expect variance in retrohunt run times.

To start a retrohunt, complete the following steps:

  1. Navigate to the Rules Dashboard.

  2. Click the Rules option icon for a rule and select Yara-L Retrohunt.

    Retrohunt YARA-L Retrohunt option

  3. In the YARA-L Retrohunt pop-up window, select the start time and end time for your search. The default is one week. The window provides the available date and time range. Click RUN when ready.

    Retrohunt Pop-Up Window

    Yara-L Retrohunt pop-up window

  4. You can view the progress of the retrohunt run from the rule detections view for the rule. If you cancel a retrohunt in progress, you can still view any detections it was able to make while running.

  5. If you have completed multiple retrohunts, you can view the results of past retrohunt runs by clicking the date range link as shown in the following figure. The results of each run are displayed in the Timeline and Detections graph in Rule Detections view.

    Retrohunt Running

    Yara-L retrohunt runs

  6. If you use a reference list in a rule, run a retrohunt, and then remove items from that list, then you need to revise that rule to a new version to see the new results. Google Security Operations doesn't delete detections from reference lists, so refreshing the rule won't update the results.