Why is Cognito showing alerts to a Vectra host?

Why are we seeing a Hidden HTTPS Tunnel detection to a Vectra host?


  • Cognito is correct in generating a detection because the traffic is not normal HTTPS traffic. In this case, the uploaded data quantity exceeds the downloaded quantity.
  • It is normal for Cognito to communicate with whenever metadata sharing is enabled. The IP is which is part of Vectra's public facing infrastructure.

Vectra has discussed not triggering on this traffic but concluded it is better for Cognito to be honest and forthcoming with everything that it sees on the network. Metadata sharing may be toggled on or off in the UI on the 'Settings - External Connections' page. The traffic shown in the screenshot below is a Cognito metadata upload, sharing metadata to Vectra's cloud.

For more information on metadata sharing, please see "Why is Metadata Sharing important?"


