Retro Scan

Use Retro Scan to search historical events and their activity chain based on specified criteria.

Each criterion requires an object type and an item. The following table shows the required item format for each object type:

Table 1. Valid Item Formats for Retro Scan

Object type: DNS record
  Item format: Type a domain name accessed by an endpoint.

Object type: IP address
  Item format: Type an IP address accessed by an endpoint.

Object type: File name
  Item format: Type the full file name or the file extension.
  Examples:
  • wmiprvse
  • suhost

Object type: File path
  Item format: Type the folder name or full path. If the folder name or full path cannot be determined, use an asterisk (*) as the keyword suffix to perform a partial match. A suffix refers to the last segment of an expression.
  For example, to search for c:\windows\system32\wbem\wmiprvse.exe, use any of the following keywords:
  • windows
  • win*
  • system32
  • system*
  • wbem
  • wmiprvse
  • wmi*

Object type: SHA-1 hash values
  Item format: Type the SHA-1 hash value of a file.

Object type: MD5 hash values
  Item format: Type the MD5 hash value of a file.

Object type: User account
  Item format: Type the name of the Active Directory account or local user.
  Examples:
  • Active Directory user (<domain>\<user name>): jp\jane_doe
  • Local user (<user name>): jane_doe

  • A Retro Scan investigation can include up to 128 search criteria.

  • Free-form search supports partial matching of terms, provided that the term does not include spaces.

  • Search conditions are NOT case-sensitive.
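The matching rules above (segment-based file path keywords, the asterisk suffix for partial matches, case-insensitive comparison, no spaces in free-form terms, and the 128-criteria limit) are easy to misread when building a large search. The following Python script is an added illustration, not Retro Scan's own code: it models those documented rules as the page reads, so an analyst can sanity-check a criteria set against a known path before running the scan. How the product actually tokenizes paths is an assumption here; the script treats each folder name and the file name (with and without its extension) as a separate segment, which is the reading under which every keyword in the page's example matches.

```python
"""Model of the Retro Scan criteria rules described on this page.

Added illustration, not product code. Assumptions: a path is split into
segments on "\\" or "/"; the file segment is also considered without its
extension; a plain keyword must equal a segment; a keyword ending in "*"
matches any segment starting with the text before the asterisk; matching
is case-insensitive; free-form terms may not contain spaces; a scan holds
at most 128 criteria.
"""
import re
from typing import List

MAX_CRITERIA = 128  # limit stated on the page
SEGMENT_SPLIT = re.compile(r"[\\/]+")


def path_segments(path: str) -> List[str]:
    """Split a path into lower-cased segments.

    The last segment is also appended without its extension so that the
    keyword "wmiprvse" matches "wmiprvse.exe", as the page's example shows.
    """
    parts = [p.lower() for p in SEGMENT_SPLIT.split(path.strip()) if p]
    if parts:
        stem, dot, _ext = parts[-1].rpartition(".")
        if dot and stem:
            parts.append(stem)
    return parts


def keyword_matches_path(keyword: str, path: str) -> bool:
    """Apply one File path keyword to a full path (assumed reading of the rules)."""
    kw = keyword.strip().lower()
    segments = path_segments(path)
    if kw.endswith("*"):
        prefix = kw[:-1]
        # A bare "*" is not a usable keyword; require some prefix text.
        return bool(prefix) and any(seg.startswith(prefix) for seg in segments)
    return kw in segments


def validate_criteria(criteria: List[str]) -> List[str]:
    """Return the problems found in a criteria set; an empty list means it is acceptable."""
    problems = []
    if len(criteria) > MAX_CRITERIA:
        problems.append(f"{len(criteria)} criteria exceed the limit of {MAX_CRITERIA}")
    for term in criteria:
        stripped = term.strip()
        if " " in stripped:
            problems.append(f"term {term!r} contains a space; partial matching is not supported")
        if stripped in ("", "*"):
            problems.append(f"term {term!r} is empty")
    return problems


# Constructed sample: the path and keywords from the page's File path example.
SAMPLE_PATH = r"c:\windows\system32\wbem\wmiprvse.exe"
PAGE_KEYWORDS = ["windows", "win*", "system32", "system*", "wbem", "wmiprvse", "wmi*"]


if __name__ == "__main__":
    for kw in PAGE_KEYWORDS:
        print(f"{kw:10} -> {keyword_matches_path(kw, SAMPLE_PATH)}")
    # "system" without the asterisk does not equal the segment "system32".
    print("system     ->", keyword_matches_path("system", SAMPLE_PATH))
    print(validate_criteria(["wmi*", "bad term"]))
```

Running the script shows every keyword listed on the page matching the example path, while "system" without an asterisk does not, which is the distinction the asterisk suffix exists for. The validator catches the two mistakes most likely to make a scan return nothing: a free-form term with a space, and a criteria set past the 128-entry limit.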