Why are we seeing Hidden HTTPS Tunnel detection, to Vectra host 220.127.116.11?
- Cognito is correct to raise the detection: the traffic does not look like ordinary HTTPS, because the amount of data uploaded exceeds the amount downloaded.
- It is normal for Cognito to communicate with metadata.vectranetworks.com whenever metadata sharing is enabled. The IP 18.104.22.168 is metadata.vectranetworks.com, which is part of Vectra's public-facing infrastructure.
Vectra has discussed suppressing this traffic but concluded that it is better for Cognito to be honest and forthcoming about everything it sees on the network. Metadata sharing can be toggled on or off in the UI on the 'Settings - External Connections' page. The traffic shown in the screenshot below is a Cognito metadata upload, sharing metadata with Vectra's cloud.
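The following is an added triage example, not Vectra or Cognito code, showing the check a practitioner would want before treating an upload-heavy HTTPS flow as benign: flag flows that send far more than they receive, then confirm that the destination currently resolves from the known hostname (metadata.vectranetworks.com, taken from this page) rather than matching a hard-coded IP. The "more uploaded than downloaded" heuristic, its thresholds, the flow records and the addresses are all constructed for this example; Cognito's real scoring is not described here. One caveat the example encodes: the expected sender of this traffic is the Cognito appliance itself, so an upload-heavy flow to the same destination from an ordinary workstation still deserves a look.

```python
"""Triage helper for a Hidden HTTPS Tunnel detection (added example).

Not Vectra or Cognito code. The upload-heavy heuristic, its thresholds and
the sample flows are assumptions constructed for this example; Cognito's
actual scoring is not described on the page this accompanies.
"""
from dataclasses import dataclass
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

KNOWN_VECTRA_HOSTS = {"metadata.vectranetworks.com"}  # hostname named on the page

# Assumed thresholds for calling a flow "upload-heavy".
UPLOAD_RATIO = 10.0        # bytes_out must exceed 10x bytes_in
MIN_BYTES_OUT = 1_000_000  # ignore small flows


@dataclass
class Flow:
    src: str        # internal host
    dst: str        # external host
    dst_port: int
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes received by src


# Constructed sample flows; none of these addresses are real observations.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 50_000_000, 200_000),   # upload-heavy, known host
    Flow("10.0.0.8", "198.51.100.20", 443, 30_000_000, 100_000),  # upload-heavy, unknown host
    Flow("10.0.0.9", "192.0.2.33", 443, 20_000, 5_000_000),       # ordinary download-heavy HTTPS
]


def is_upload_heavy(flow: Flow) -> bool:
    """Assumed heuristic: an HTTPS flow that sends far more than it receives."""
    if flow.dst_port != 443 or flow.bytes_out < MIN_BYTES_OUT:
        return False
    return flow.bytes_out > UPLOAD_RATIO * max(flow.bytes_in, 1)


def dns_resolver(hostname: str) -> Set[str]:
    """Forward-resolve a hostname with the system resolver (needs network)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, 443)}
    except socket.gaierror:
        return set()


def triage(flows: Iterable[Flow],
           known_hosts: Set[str] = KNOWN_VECTRA_HOSTS,
           resolver: Callable[[str], Set[str]] = dns_resolver,
           appliance_ips: Optional[Set[str]] = None) -> List[Dict]:
    """Flag upload-heavy HTTPS flows and annotate each with the known Vectra
    hostname its destination resolves from (None means: investigate).

    Resolution is done forward (name -> IPs) at triage time, so a stale IP in
    a suppression list does not silently whitelist someone else's server.
    appliance_ips (assumed, supplied by the operator) lists the Cognito
    appliances expected to perform the metadata upload."""
    known_ips: Dict[str, str] = {}
    for name in known_hosts:
        for ip in resolver(name):
            known_ips[ip] = name
    findings = []
    for f in flows:
        if not is_upload_heavy(f):
            continue
        known = known_ips.get(f.dst)
        expected_sender = appliance_ips is None or f.src in appliance_ips
        findings.append({
            "src": f.src,
            "dst": f.dst,
            "ratio": round(f.bytes_out / max(f.bytes_in, 1), 1),
            "known_host": known,
            "expected": known is not None and expected_sender,
        })
    return findings


if __name__ == "__main__":
    # Offline demo: a fake resolver standing in for real DNS.
    fake = lambda name: {"203.0.113.10"} if name == "metadata.vectranetworks.com" else set()
    for finding in triage(SAMPLE_FLOWS, resolver=fake, appliance_ips={"10.0.0.5"}):
        verdict = "expected metadata upload" if finding["expected"] else "investigate"
        print(f"{finding['src']} -> {finding['dst']} ratio={finding['ratio']}: {verdict}")
```

Run against real flow records by replacing SAMPLE_FLOWS and leaving the default resolver in place; a finding with `known_host` set but `expected` false means a non-appliance host is uploading to Vectra's metadata endpoint, which is worth a closer look rather than a suppression rule.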
For more information on metadata sharing, please see Why is Metadata Sharing important?