Retro Scan

Use Retro Scan to search historical events and their activity chain based on specified criteria.

This criteria requires an object type and an item. The following table shows the required format for each object type:

Table 1. Valid Item Formats for Retro Scan

Type

Item

DNS record

Type a domain name accessed by an endpoint.

Examples:

  • cncserver.com

  • malicioussite.com

IP address

Type an IP address accessed by an endpoint.

Examples:

  • 192.168.0.1

File name

Type the full file name or the file extension.

Examples:

  • wmiprvse

  • suhost

File path

Type the folder name or full path. If the folder name or full path cannot be determined, use an asterisk (*) as the keyword suffix to perform a partial match. A suffix refers to the last segment of an expression.

For example, to search for c:\windows\system32\wbem\wmiprvse.exe, use any of the following keywords:

  • windows

  • win*

  • system32

  • system*

  • wbem

  • wmiprvse

  • wmi*

SHA-1 hash values

Type the SHA-1 hash value of a file.

Example:

a2da9cda33ce378a21f54e9f03f6c0c9efba61fa

MD5 hash values

Type the MD5 hash value of a file.

Example:

395dc2c9ff1dce7d150ad047e78c93e1

User account

Type the name of the Active Directory account or local user.

Examples:

  • Active Directory user (<domain>\<user name>): jp\jane_doe

  • Local user (<user name>): jane_doe
Note:

  • A Retro Scan investigation can include up to 128 search criteria.

  • Free-form search supports partial matching of terms, provided that the term does not include spaces.

  • Search conditions are NOT case-sensitive.