
Why is Cognito showing alerts to Vectra host 74.201.86.237?

Why are we seeing a Hidden HTTPS Tunnel detection to Vectra host 74.201.86.237?

Answer:

  • Cognito is correct in generating a detection because the traffic is not normal HTTPS traffic. In this case, the uploaded data quantity exceeds the downloaded quantity.
  • It is normal for Cognito to communicate with metadata.vectranetworks.com whenever metadata sharing is enabled. The IP 74.201.86.237 is metadata.vectranetworks.com, which is part of Vectra's public-facing infrastructure.

Vectra has discussed not triggering on this traffic but concluded it is better for Cognito to be honest and forthcoming with everything that it sees on the network. Metadata sharing may be toggled on or off in the UI on the 'Settings - External Connections' page. The traffic shown in the screenshot below is a Cognito metadata upload, sharing metadata to Vectra's cloud.

For more information on metadata sharing, please see "Why is Metadata Sharing important?"

 

 
