
Understanding Cognito Detect Host Naming

Overview

The goal of Cognito's Detect Host Naming is to provide human-readable names associated with known hosts.

Host names result from known information about the host. Each observed name is referred to as an "artifact".  Artifacts will typically be added to a host record over time as more host activity is seen and better associations are made. Host artifacts may be removed from a host depending on the observed behaviors.

Hosts are tracked internally in a name agnostic manner.  When assessing host naming on your Cognito appliance it is important to understand that host names are decided at the time of viewing the web page.

It is therefore expected that displayed hostnames will change over time to reflect the most human readable name given the artifacts available at the time of page display.

Host Naming - Order of Applicability

If only a single artifact is known, that artifact is used for the name. For example, if only the MAC address is known then the name of the host will be the MAC address of that host. Similarly, if only the DNS name is known, then that will be the name of the host.

When multiple artifacts are known, the naming priority is based on the type of the artifact(s) known. The list below reflects the current priority order of the host naming artifacts; an artifact earlier in the list supersedes any artifact later in the list.

  1. User Defined: A user-defined hostname associated with a host record.
  2. vCenter: The hostname obtained from the vCenter/vSphere integration. This is an active query by the Cognito brain.
  3. Reverse DNS: The hostname (Fully Qualified Domain Name) returned by a reverse DNS query. This is an active query by the Cognito brain.
  4. DNS: The hostname (FQDN) observed in DNS traffic for that host. This is a passive observation made by Cognito.
  5. Kerberos: Any observed Kerberos machine names learned from successful Kerberos authentications. This is a passive observation made by Cognito.
  6. DHCP: The computer name observed from a DHCP query. This is a passive observation made by Cognito.
  7. NetBIOS: The computer name observed from NetBIOS traffic. This is a passive observation made by Cognito.
  8. Carbon Black: The integration-specific name or serial identifier. This is an active query actioned by Cognito.
  9. CrowdStrike: The integration-specific name or serial identifier. This is an active query actioned by Cognito.
  10. MAC: The MAC address observed in the DHCP response. This is a passive observation made by Cognito.
  11. Multicast DNS (mDNS): The hostname observed in multicast DNS traffic. This is a passive observation made by Cognito.

The order of applicability of the above was chosen to ensure the quickest way for an analyst to locate a specific host within their environment.  Host names change over time as Cognito aggregates additional artifacts, or prunes stale artifacts, on a host record.

Cognito also tracks hosts using HTTP cookies. However, both for privacy reasons and because no reasonable human-readable hostname can be extracted from an HTTP cookie, cookies are used only for tracking purposes and not for host naming. Hosts whose only artifacts are HTTP cookies get hostnames following the "AUTO-XXXXX" convention, where XXXXX is a unique Cognito identifier for the host. This naming indicates that Cognito is able to uniquely identify the host but is unable to attribute a name to it.

If no reliable artifacts are observed for a host, then the observed host will be attributed to a generic host container associated with the host's current IP address.  These generic host containers are identified with the name "IP-xxx.xxx.xxx.xxx".  As artifacts are observed the host being tracked may be separated from this generic host container.

As a result, devices may be initially assigned to a generic host container and then subsequently re-attributed to dedicated host records once proper artifacts are observed. If detections are raised while the host is attached to the generic host container, they are migrated to the new host identifier at the same time.
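The naming rules of this section, together with the unnamed-host and stale-name cases described under "Important Host Naming Notes" below, as one added example in Python. This is not Vectra's code; it is a model written for this article. The priority order is the article's. The conflict rule (more than one distinct name at the winning rank), the TOO_MANY threshold, the IDLE_SECONDS window, the five-digit host identifier, and the sample IPs, names and detection label are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Artifact types in the article's priority order; earlier entries supersede later.
PRIORITY = ["user_defined", "vcenter", "reverse_dns", "dns", "kerberos", "dhcp",
            "netbios", "carbon_black", "crowdstrike", "mac", "mdns"]
RANK = {kind: i for i, kind in enumerate(PRIORITY)}
TOO_MANY = 5           # assumed threshold for "too numerous" artifacts
IDLE_SECONDS = 3600    # assumed inactivity window before an IP binding is dropped

@dataclass
class Host:
    host_id: str                                    # internal, name-agnostic id
    artifacts: dict = field(default_factory=lambda: defaultdict(set))
    cookies: set = field(default_factory=set)       # tracking only, never a name
    detections: list = field(default_factory=list)
    is_proxy: bool = False

def display_name(host, ip):
    # Name is decided at view time from whatever artifacts exist right now.
    if host.is_proxy:                               # known proxies get no name
        return None
    names = {k: v for k, v in host.artifacts.items() if v}
    if not names:                                   # cookie-only: AUTO-, else generic container
        return f"AUTO-{host.host_id}" if host.cookies else f"IP-{ip}"
    if sum(len(v) for v in names.values()) > TOO_MANY:
        return None                                 # too numerous -> unnamed
    best = min(names, key=RANK.__getitem__)         # highest-priority kind present
    if len(names[best]) != 1:
        return None                                 # conflict at the winning rank (assumed rule)
    return next(iter(names[best]))

class Tracker:
    # IP -> host attribution; hosts are keyed by id, never by name.
    def __init__(self):
        self.hosts, self.ip_map, self.last_seen, self._seq = {}, {}, {}, 0

    def _host_for(self, ip):
        hid = self.ip_map.get(ip)
        if hid is None:                             # first sight: generic container
            hid = self.ip_map[ip] = f"IP-{ip}"
            self.hosts.setdefault(hid, Host(hid))
        return self.hosts[hid]

    def traffic(self, ip, ts):
        self.last_seen[ip] = ts
        return self._host_for(ip)

    def artifact(self, ip, kind, value, ts):
        host = self.traffic(ip, ts)
        if host.host_id.startswith("IP-"):
            # Split a dedicated record off the generic container and migrate
            # any detections raised while the IP sat in it.
            self._seq += 1
            host, old = Host(f"{self._seq:05d}", detections=host.detections), host
            old.detections = []
            self.hosts[host.host_id] = host
            self.ip_map[ip] = host.host_id
        (host.cookies if kind == "cookie" else host.artifacts[kind]).add(value)
        return host

    def dhcp_release(self, ip):
        self.ip_map.pop(ip, None)

    def prune_idle(self, now):
        for ip, ts in list(self.last_seen.items()):
            if now - ts > IDLE_SECONDS:
                self.ip_map.pop(ip, None)

    def name_for_ip(self, ip):
        return display_name(self._host_for(ip), ip)

def scenario_priority():
    t = Tracker()
    t.artifact("10.0.0.5", "mac", "00:11:22:33:44:55", 0)
    t.artifact("10.0.0.5", "netbios", "WS01", 1)
    t.artifact("10.0.0.5", "dns", "ws01.corp.example", 2)
    return t.name_for_ip("10.0.0.5")                # DNS outranks NetBIOS and MAC

def scenario_conflict():
    t = Tracker()
    t.artifact("10.0.0.8", "dhcp", "HOST-A", 0)
    t.artifact("10.0.0.8", "dhcp", "HOST-B", 1)
    unnamed = t.name_for_ip("10.0.0.8")             # two names at the winning rank
    t.artifact("10.0.0.8", "user_defined", "host-a", 2)
    return unnamed, t.name_for_ip("10.0.0.8")       # the analyst's name wins

def scenario_migration():
    t = Tracker()
    t.traffic("10.0.0.7", 0).detections.append("detection-1")  # raised on the container
    before = t.name_for_ip("10.0.0.7")
    host = t.artifact("10.0.0.7", "cookie", "sid=abc", 5)
    return before, t.name_for_ip("10.0.0.7"), host.detections

def scenario_stale_name():
    t = Tracker()
    t.artifact("10.0.0.9", "dns", "laptop-a.corp.example", 0)
    t.traffic("10.0.0.9", 60)   # new owner: no release, no idle gap, no artifacts seen
    stale = t.name_for_ip("10.0.0.9")
    t.prune_idle(60 + IDLE_SECONDS + 1)   # binding ends only on release or inactivity
    return stale, t.name_for_ip("10.0.0.9")
```

scenario_stale_name is the case from "Some hosts on the network may have an incorrect name": the second owner of 10.0.0.9 keeps the first owner's DNS name until a DHCP release or the idle window ends the binding, which is why a manual user-defined name (rank 1) is the quickest fix when the change of ownership is known.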

Enhancing Host Name Accuracy

The accuracy of hostnames can be enhanced by:

  1. Bi-directional visibility of intra-subnet DHCP and Kerberos traffic
  2. Enabling Cognito's external connectors within the Settings, External Connectors page:
    • Reverse DNS
    • VMware vCenter Integration (read only vCenter credentials are needed)
    • Events forwarded from SIEMs to improve host names.
    • Windows Active Directory Security Events and DHCP server logs.
    • Carbon Black / CrowdStrike integration.

Important Host Naming Notes

Some hosts on the network may have an incorrect name

Cognito learns to attribute host names to IP addresses by matching host naming artifacts to the current traffic seen for a given IP address. If Cognito learns a confident name for an IP address, and that IP address later changes owner without a period of inactivity or an observed DHCP release, Cognito will keep the earlier name even though the IP address is now used by a new system.

Cognito may be unable to identify this change of name if no new artifacts are seen to indicate the change of ownership.  In these circumstances the user is encouraged to manually edit the host name to match the known good hostname.

Some hosts on the network will have the same name

Two distinct hosts may have a redundant/duplicated name. Examples include wireless networks observing a number of devices named "My iPhone" or server networks observing hosts named "localhost".

The name of hosts on the network will change over time

Hostnames will change as Cognito sees new artifacts associated with the host. Changes to hostnames do not affect the underlying set of detections/campaigns for the host, nor do they affect the host's threat/certainty scoring.

Some hosts on the network will have no name

Certain devices on the network will not have hostnames, for example:

  • Hosts where no naming artifact has been seen on the wire; these host containers will have IP-xx.xx.xx.xx style names, or AUTO-XXXXX names when only HTTP cookies have been seen, as described above
  • Hosts where artifacts have been seen but conflict or are too numerous
  • Hosts which are listed as known proxies

A host on the network may go from having a name to having no name

If Cognito observes conflicting artifacts, too many new artifacts or deduces a host is a proxy, that host can transition from being named to being unnamed.
