创建和启用新规则后,规则会开始根据您的 Google Security Operations 账号接收的事件实时搜索检测。借助 Retrohunt 功能,您可以使用所选规则在 Google SecOps 中的现有数据中搜索检测。当有可用资源可供运行时,系统会安排回溯性搜索。回溯性搜索的运行时间可能会有所不同。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-21。"],[[["\u003cp\u003eRetrohunts allow you to apply a selected rule to search for detections within existing historical data in Google Security Operations.\u003c/p\u003e\n"],["\u003cp\u003eRetrohunts are scheduled based on resource availability, which results in variable run times.\u003c/p\u003e\n"],["\u003cp\u003eAlerting for detections found via retrohunt is disabled if the rule's alerting status is disabled; you need to create a new version of the rule with alerting enabled and rerun the retrohunt to enable it.\u003c/p\u003e\n"],["\u003cp\u003eYou can initiate a retrohunt from the Rules Dashboard by selecting "Yara-L Retrohunt" for a specific rule, and then specifying the desired start and end time for the search.\u003c/p\u003e\n"],["\u003cp\u003ePast retrohunt results can be viewed in the Rule Detections view via a date range link, which displays the information in the Timeline and Detections graph.\u003c/p\u003e\n"]]],[],null,["# Running a rule against historical data\n======================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nWhen you create and enable a new rule, the rule begins searching for detections\nbased on the events received by your Google Security Operations account in real\ntime. A retrohunt lets you use the selected rule to\nsearch for detections throughout existing data in\nGoogle SecOps. Retrohunts are scheduled when there are\navailable resources to run. Expect variance in retrohunt run times.\n| **Note:** When you create detections using retrohunt on a rule with alerting status disabled, alerting on these detections is disabled as well. To enable alerting, create a new version of the rule with alerting status enabled and re-run the retrohunt.\n\nTo start a retrohunt, complete the following steps:\n\n1. Navigate to the Rules Dashboard.\n\n2. Click the Rules option icon for a rule and select **Yara-L Retrohunt**.\n\n\n **YARA-L Retrohunt option**\n3. In the YARA-L Retrohunt dialog window, select the start time and end time for your search. The default is one week. The window provides the available date and time range. Click **RUN** when ready.\n\n **Yara-L Retrohunt dialog window**\n4. You can view the progress of the retrohunt run from the rule detections view for the rule. If you cancel a retrohunt in progress, you can still view any detections it was able to make while running.\n\n5. If you have completed multiple retrohunts, you can view the results of past retrohunt runs by clicking the date range link as shown in the following figure. The results of each run are displayed in the Timeline and Detections graph in Rule Detections view.\n\n **Yara-L retrohunt runs**\n6. If you use a reference list in a rule, run a retrohunt,\n and then remove items from that list, then you need to revise\n that rule to a new version to see the new results. Google SecOps doesn't delete detections from\n reference lists, so refreshing the rule won't update the results.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
YARA-L Retrohunt 选项
