This guide covers common questions around the Cognito Detect subscription license metric.
How is the Vectra Cognito Detect product licensed?
Vectra subscription licensing is based on usage as described in our customer agreements. Licensed quantities are specified on orders, and any unlicensed amounts beyond what is ordered are subject to additional fees payable to Vectra.
How is the licensed usage for Cognito Detect measured?
Cognito Detect usage for licensing purposes is based on the 95th percentile of the number of concurrently active IPs observed over a 30-day period. The quantity of monitored IPs is measured in a way consistent with burstable billing (“95th percentile billing”) used by many Internet service providers (ISPs).
Vectra records the number of active unique internal IPs observed by the brain every 10 minutes. In a month, there are 6*24*30 samples observed for the active IP count. The top 5% are discarded to determine the 95th percentile value. During a 30-day period, the 95th percentile of this measurement determines the required licensed capacity. The 95th percentile means that 95% of the time, the number of active internal IPs being monitored is at or below the licensed count.
How is this counted in multi-brain deployments?
The total usage is calculated as the sum of the 95th percentile count of concurrently active IPs on each brain in the estate.
What determines an active IP?
An active IP is a source IP that is generating traffic and is inside the customer’s network. This could be a PC, laptop, server, IP camera, IP phone, virtual machine, router – anything with a unique internal IP address that is sourcing traffic. When traffic is observed from an internal IP, the system tracks the session as a ‘host session’. As long as the internal IP is generating traffic and active on the network, the IP is counted as an active IP contributing to the license count. If no traffic is observed from an IP in a consecutive 2-hour window, the host session is closed, and the IP is no longer considered to be active.
What is the difference between a ‘host session’ and a ‘host’?
A ‘host session’ is created and monitored for each currently active IP on the system. The ‘host session’ is attributed to a ‘host’ based on a mix of artifacts observed on the network (MAC address from DHCP, Kerberos machine auth, DNS requests/responses) and information actively gathered (reverse DNS, data from integrated products such as Carbon Black, CrowdStrike, or VMware). This attribution is done by the hostID subsystem, allowing Cognito to track the ‘host’ even if it changes IP addresses. However, a ‘host’ in Cognito does not necessarily correspond to a physical host. See “What about multi-homed devices?” below.
Are IPs outside my network counted?
No. Cognito only tracks active IPs that are considered internal to the network. The internal/external setting in the Cognito UI determines what is considered internal to the network. Any traffic that is originated from an IP that is external does not result in a host session and is not counted towards the license count.
Two sensors are seeing the same traffic in my network. Does this cause double counting?
No. The Cognito Brain de-duplicates flows, so only one copy of the flow is processed regardless of the number of sensors that observe it. Thus, the brain will not account for duplicate copies of the flow for its detections or for the purpose of the licensing metric.
Will a host changing IPs lead to double counting?
No. The platform tracks host objects and maps IP addresses to hosts. If a host changes IP address (e.g., a DHCP lease expires and host is provided a new IP), the old host session is terminated and a new one is created for the new IP address. Thus, a device changing IPs will not lead to double counting in the system.
What about multi-homed devices?
If a machine has multiple NICs, each with its own unique MAC and IP address, traffic observed from each NIC contributes to the licensing metric. Consequently, a device that has 2 NICs and is generating traffic on both will count as 2 unique active IPs for the duration of activity.
How can I view the concurrently active IP count or the 95th percentile metric?
Navigate to Network Statistics → Devices in the Cognito UI. The graph is explained below (please refer to the documentation included in the UI):
How can I audit or verify the count shown?
A complete list of all currently active IPs/host sessions may be downloaded on-demand from the Cognito UI by navigating to Network Statistics → Devices and clicking “Download Current IPs”:
The /api/v2.1/ip_addresses endpoint can also be used to pull a list of the current IPs, including their first and last seen timestamps.
Based on the deployment of the Vectra sensors, Vectra is collecting more than I care to monitor. How can I reduce the traffic?
Cognito offers the option to filter out traffic by subnet or VLAN. This generally provides the required tuning of coverage down to the desired devices and places in the network.
Does an IoT device count toward the license count the same as a high-value asset such as an application server?
Yes. All networked devices expose a potential attack surface that can be leveraged by attackers in the pursuit of their objectives. This includes infrastructure elements like firewalls, switches, and routers, end user devices like laptops, servers physical virtual and in the cloud, and IoT devices like phones, cameras, HVAC and other systems. IP addresses assigned to each of these entities are considered concurrently active IPs and are licensed equally. This makes determining the license amount simple and easy.
How do we license cloud environments that scale up and down quickly? How do we calculate the IP address?
The burstable billing model described above covers cloud environments as well – the 95th percentile will discard significant outliers and count VMs used for a significant duration of time. For planning purposes, in AWS, we recommend you access your AWS Cost Explorer dashboard (shown below) for a historic view of the number of deployed VMs. You can use this information to plan Detect IP count requirements. The concurrent IP count graph in the Cognito UI includes both cloud and on-premise hosts.
What happens when the observed 95th percentile metric is over my license count?
To the extent that you have exceeded the license quantity/volume purchased, you will have thirty (30) days to come into compliance by either (a) remediating the excess usage, such as by filtering out traffic by subnet or VLAN, or (b) performing a license count true-up where you pay Vectra or the authorized reseller for the pro-rated subscription fees for the number of additional licensing quantity/volume required, co-termed through the end of your current subscription term. Subscription fee rates for true-up licenses are based on your most recent and applicable order(s).
For more information or to discuss your options, contact your Customer Success Manager or Sales Representative.