When you create and enable a new rule, the rule begins searching for detections based on the events received by your Google Security Operations account in real time. A retrohunt lets you use the selected rule to search for detections throughout existing data in Google Security Operations. Retrohunts are scheduled when there are available resources to run. Expect variance in retrohunt run times.

To start a retrohunt, complete the following steps:
1. Navigate to the Rules Dashboard.
2. Click the Rules option icon for a rule and select Yara-L Retrohunt.
[Figure: YARA-L Retrohunt option]
3. In the YARA-L Retrohunt dialog window, select the start time and end time for your search. The default is one week. The window provides the available date and time range. Click RUN when ready.
[Figure: Yara-L Retrohunt dialog window]
You can view the progress of the retrohunt run from the rule detections view for the rule. If you cancel a retrohunt in progress, you can still view any detections it was able to make while running.
If you have completed multiple retrohunts, you can view the results of past retrohunt runs by clicking the date range link as shown in the following figure. The results of each run are displayed in the Timeline and Detections graph in Rule Detections view.
[Figure: Yara-L retrohunt runs]
If you use a reference list in a rule, run a retrohunt, and then remove items from that list, you need to revise that rule to a new version to see the new results. Google Security Operations doesn't delete detections that were already made from reference list entries, so refreshing the rule won't update the results.
Last updated 2025-04-02 UTC.