
Using Notifications in Cognito Recall

This functionality is now deprecated. Users are directed to use Custom Models, together with email notifications on detections, for this functionality instead.

Enable Notification on Existing Searches

When Notification is enabled on a Search, the query is automatically run daily and an email summary of the results is sent to all subscribed users. Notification emails will be sent beginning at 09:00 UTC each day with a summary of the results for the previous day (midnight-to-midnight in the local time of your Recall instance).

Cognito Recall comes with a set of Searches created by Vectra Security Research, covering a variety of threat IoCs and compliance use cases.

Notifications may be enabled or disabled for these or any existing Searches by navigating to Management → Saved Objects → Searches in Recall.

image_1.png

Notification for individual Searches may be toggled on or off via the bell icon to the right of the search name. Activating the Notifications toggle in the column header will filter the display to Searches with Notification enabled.

Notification status for each Search is a system-wide setting for your Recall cluster and is not set per user. Each user may then choose whether to receive email notification of the daily Notification results, as described in “Subscribing to Email Notifications” below.

Modifying an Existing Search

Existing Searches may be viewed and modified by clicking the View results icon immediately next to the Search name. This takes you to the recent results of the Search. Select Save in the top navigation bar to go to the Search Definition page.

image_3.png

image_2.png

The Search definition page includes:

  • Search name
  • Notification status
  • Description
  • Threat (0-99)
  • Certainty (0-99)
  • Category
  • Query
  • Metadata stream to query
  • Fields to include in results
  • Recent results

image_4.png

All of the fields may be modified. The modified Search may be saved either as an update to the current Search (the default) or as a new Search (by selecting the Save as a new search checkbox).

Note that if you are modifying a Vectra-defined Search (names starting with “Cognito –”), we recommend saving it under a new name so that your customizations are not overwritten by future Recall updates.

Create a New Search with Notification

Any query may be saved as a Search and used with the Notifications feature.

Start with any query in Discover, e.g. the query shown below, written against the SSL metadata stream, which locates JA3 hashes matching the value produced by Meterpreter running on Linux.

image_5.png

Extending the time range to your full Recall metadata history lets you both see retrospective results (especially useful if this is a new IoC from a threat intel feed) and judge the efficacy of the Search, in particular whether or not it is noisy.

Click Save in the top navigation bar to take you to the Search definition page.

Fill out the values for your Search:

  • Search name
  • Description
  • Threat (0-99)
  • Certainty (0-99)
  • Category
  • Query
  • Metadata stream to query
  • Fields to include in results
  • Recent results

image_6.png

To enable Notification, toggle the Enable Notifications switch at the top of the page (the label is incorrect in the image). If you are not yet ready to enable Notifications, you can also enable them later as described in “Enable Notification on Existing Searches” above.

Click Save to finish creating your Search.

Subscribing to Email Notifications

Each Search's "Enable Notifications" setting is a system-wide setting for your Recall cluster.

Each user may then choose whether to receive email notification of the daily Notification results. To add yourself to the Notification summary, navigate to the User Profile page (towards the bottom of the left navigation bar). Enter your email address and select the “Subscribe to saved search notifications” checkbox.

image_7.png

Click Save. An email verification message will be sent. Once your email is verified, you will begin receiving the daily Notification Results summary email.

Email example:

Screenshot_2018-12-19_at_11.36.57.png
