Run Your First Retrohunt
- From Detection Rules, you can select Retrohunt to run a historical search over your data using the rule logic. Clicking this action opens a date picker for selecting your time frame; the maximum window for a Retrohunt is two weeks. NOTE: You can select any two-week period as far back as your data goes in Nebulock (not just the most recent two weeks). For faster Retrohunt processing, select a smaller time window or a period in which you know the activity exists.
- While the Retrohunt is running, you can navigate to other parts of the platform. When the Retrohunt is complete, return to Detection Rules and select Retrohunts from the left panel to view all executed Retrohunts for this rule.
- To view the results, click the name of the Retrohunt. The total number of results returned is also shown on the right-hand side of the listing page. NOTE: Retrohunts return a maximum of 1,000 results. When you see 1,000, the Retrohunt hit its result cap, which typically indicates the rule is too broad and needs refinement.
- Results are displayed in a table, where each row is a single match to the rule. Expand a result to view the event details.
