Why is Metadata Sharing important?

Metadata Sharing improves threat detection by contributing anonymized metadata sourced from the X-series platform deployed in your organization, you are contributing directly to the efficacy and accuracy of Cognito and the security of your network. Access to detection metadata improves Vectra’s threat detection algorithms, enabling the Vectra software you use to be more effective in a constantly evolving threat landscape.

There are two different levels of Metadata Sharing:

Standard metadata sharing

Customers may opt-in to standard metadata sharing at any time by turning on the "Metadata sharing" option under Settings, Services section in the Cognito UI. The option is disabled by default. If enabled, data is collected daily and includes:

  • Anonymized information about detections that are triggered in your network
  • Anonymized information about algorithms in the research and development phase (and not yet visible in the UI) that are triggered in your network
  • Anonymized attribution of detections to hosts
  • Anonymized information related to host identification efficacy

Full metadata sharing

Full Opt-In raw session metadata is not anonymized and is more detailed including flow information. This cannot be enabled from the UI. In order to participate in full metadata sharing, please contact Vectra support (

Why participate in Full Sharing instead of Anonymized Sharing?

Vectra builds new models using a combination of security research and data science.

Security researchers help to identify, prioritize, and characterize fundamental attack behaviors.

Data scientists determine the best approach to identify those behaviors, develop and tune models, and optimize coverage and hit rate.

Finally, security researchers continually validate the model results and provide input to further refine models.

Models begin life in offline deployment running against datasets that Vectra has created from full opt in metadata sharing customers, security researcher input, packet captures from the wild, and other sources. Once models are mature enough, they are run in precursor state at customer sites and constantly monitored on the systems that have standard anonymized metadata sharing enabled. Standard sharing gives benefit to the entire user community by allowing the effectiveness of algorithms to be tested prior to full release. It also more specifically helps your organization by making sure that detection metrics for your site will be within the bounds that our Data.

Scientists have established baselines for the algorithm they are testing. Full sharing customers have the added benefit that the algorithms themselves were built against their specific data and can be further assured that they will function at their highest levels of effectiveness with the least noise in their specific environments. Full sharing customers also enjoy direct communication with our product and engineering teams that goes deeper than a normal customer relationship.

Vectra secures and limits access to metadata

Any metadata you contribute is anonymized by removing personal and network-specific information before it is sent to via an encrypted connection. Vectra treats this metadata as highly confidential and only allows authorized research personnel to access the metadata. Any metadata collected is securely deleted after a six-month period.

Metadata services are subject to a separate binding agreement between Vectra and you.

Was this article helpful?
1 out of 1 found this helpful

Download PDF


Article is closed for comments.