Detections destined for collector.*


If you are forwarding metadata to Cognito Recall, the following detections may fire on the brain:

  1. Hidden HTTPS Tunnel with the destination:
  2. Smash and Grab with the destination:


It is normal for Cognito to communicate with collector.* whenever metadata forwarding is enabled for Cognito Recall. The IP can vary depending on the customer VPC.

Cognito is correct in generating these detections: the traffic is not normal HTTPS traffic. In this case, the uploaded data quantity exceeds the downloaded quantity.

Vectra has discussed not triggering on this traffic but concluded it is advantageous for Cognito Detect to be honest and forthcoming with everything that it sees on the network.

Recall Metadata Forwarding may be toggled on/off in the UI under Settings, Services. Note: Disabling this option will prevent new data from being sent to Cognito Recall.


Creating a triage filter from an existing detection

  • Navigate to the Detections page
  • Select Actions
  • Select Track without Score (recommended) or Whitelist
  • Add the destination domain: collector.[code]

Creating a triage filter proactively

  • Navigate to Manage, Triage Filters
  • Create a new Triage filter:
    • Track without scores
    • Exfiltration
    • Smash and Grab
  • Add Destination Domain: collector.[id]
  • Repeat the same steps for Hidden HTTPS Tunnel

