
Custom Models: Creating custom Detections using Recall Metadata

What are Custom Models?

Custom Models enable you to create your own detections within the Cognito platform. Using Custom Models you can expand the detection capabilities of the Cognito platform by:

  • Leveraging your experience and expertise to create Custom Model detections based on signatures or IoCs.
  • Tailoring the Cognito platform to your environment by creating policy, audit or compliance Custom Models that are specific to your context.
  • Getting a head-start by converting the Vectra-defined Saved Searches to your own Custom Models.

Custom Models are built upon Cognito Recall Saved Searches.

How Custom Models work

Custom Models are defined against, and matched against, Cognito Recall metadata, and their results are published as detections in Cognito Detect. Custom Models are built upon the Saved Search Notifications feature within Cognito Recall, which lets you create detections, instead of email notifications, from Saved Search results. Vectra maintains a collection of Cognito Saved Searches that can be easily turned into Custom Models to monitor

Getting Started with Custom Models

Enabling a Cognito Custom Model

  1. Log in to your Cognito Brain.
  2. Click "Manage" on the left-hand menu.
  3. Click "Custom Models" from the navigation bar.
  4. Select the Saved Search you would like to enable as a Custom Model and click the pencil icon on the right-hand side.
  5. Switch the "Activate Custom Model" toggle at the bottom of the modal to "on".
  6. Options will appear to select the Category of the detection and the Threat and Certainty values to apply to it.
    You can also select the "info" category, which won't affect scoring.
  7. Click "Save", and your Custom Model will be activated. Custom Models run hourly over the previous 3 hours of data.

Defining a New Saved Search

  1. Log in to Cognito Recall.
  2. Click "Discover" from the left menu.
  3. Select the metadata stream (top-left) you want to search.
  4. Select the time range over which you want to search.
    NOTE: once created, the Custom Model will search over the previous 3 hours.
  5. Enter the search criteria and then click the magnifying glass.
  6. Results are shown in the results pane.
  7. Click the "Save" ribbon button from the top menu bar.
  8. A "Save Search" box will appear; enter a name for your Custom Model.
  9. Finally, click the "Save" button to save the Custom Model.

Testing your Custom Models

  1. Log in to your Cognito Brain.
  2. Click "Manage" on the left-hand menu.
  3. Click "Custom Models" from the navigation bar.
  4. Click the pencil icon on the Custom Model you'd like to test.
  5. Click "Manage Search in Cognito Recall"; this opens the search in Recall.
  6. Change or expand the time range to one you know contains some "hits".
    • Verify that only the intended results appear.
  7. Change or expand the time range to one you know contains no "hits".
    • Verify that no results appear.

Tip: to see the results for yesterday, select Today, and then hit the left arrow!

View or Edit a Custom Model

  1. Log in to your Cognito Brain.
  2. Click "Manage" on the left-hand menu.
  3. Click "Custom Models" from the navigation bar.
  4. Click the pencil icon on the Custom Model you'd like to view or edit.
  5. In the pop-up modal you can activate or deactivate the Custom Model, or click "Manage Search in Cognito Recall" to edit the query itself.
  6. If you want to edit the query, click "Manage Search in Cognito Recall" and the query will open in Recall.
  7. Change the Saved Search query as required.
  8. Click the "Save" ribbon button from the top menu bar.
  9. Click the "Save" button to save your changes.

Viewing Detections created by Custom Models

  1. Log in to Cognito Detect.
  2. Search by Host
    1. Click "Hosts" from the left menu.
    2. Search for a host for which there should be a Custom Model detection.
    3. Click on that hostname, and verify the Custom Model detections appear as expected
  3. Search by Detection
    1. Click “Detections” from the left menu
    2. Enter the name of your Custom Model into the search box
    3. Verify that the list of detections is as expected
    4. Click into one of the detection results to view the details

Tip: in the "Advanced Search" view, show only Custom Models by appending the search term "AND detection.is_custom_model:true". Conversely, exclude Custom Models by appending the search term "AND detection.is_custom_model:false".

Converting an existing Saved Search to a Custom Model

  1. Log in to your Cognito Brain.
  2. Click "Manage" on the left-hand menu.
  3. Click "Custom Models" from the navigation bar.
  4. Select the Saved Search you would like to enable as a Custom Model and click the pencil icon on the right-hand side.
  5. Switch the "Activate Custom Model" toggle at the bottom of the modal to "on".
  6. Options will appear to select the Category of the detection and the Threat and Certainty values to apply to it.
    You can also select the "info" category, which won't affect scoring.

Converting a Custom Model to a Saved Search

  1. Log in to your Cognito Brain.
  2. Click "Manage" on the left-hand menu.
  3. Click "Custom Models" from the navigation bar.
  4. Select the Custom Model you would like to deactivate and click the pencil icon on the right-hand side.
  5. Switch the "Activate Custom Model" toggle to "off".
  6. Click the "Save" button.

Deleting a Custom Model

N.B. Cognito (Vectra-defined) Custom Models cannot be deleted; the steps below apply to Custom Models you created yourself.

  1. To delete a Custom Model, first deactivate it in the Cognito UI (see the guide above).
  2. Once the Custom Model is inactive, navigate to Recall.
  3. Click "Management" in the left-hand menu.
  4. Click "Saved Objects".
  5. Find the Custom Model you want to delete, select it, and click the "delete" button.
  6. If you navigate back to the Custom Models page in the Cognito UI, the Custom Model is now shown as deleted and you can click "delete" to remove it from the Custom Models list.

Example Custom Models

Leverage your experience and expertise to create Custom Model detections based on signatures or IoCs. e.g.:

  • Find instances of EternalBlue compromise within your networks - metadata stream: metadata_isession; query: first_orig_resp_data_pkt:AA*AAAAAAAAAAA== AND id.resp_p:445 AND resp_ip_bytes:0

Tailor the Cognito platform to your environment by creating policy, audit or compliance Custom Models that are specific to your context. e.g.:

  • Find where you are not using TLS1.3 - metadata stream: metadata_ssl; query: *:* AND NOT version:"TLS1.3"

Or, get a head-start by converting the Vectra-defined Saved Searches to your own Custom Models. e.g.:

  • Convert the Vectra-defined signature for WannaCry (Saved Search: "Cognito - TTP - DNS - Wannacry Ransomware Domain") to a Custom Model
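To make the query semantics of the examples above concrete, here is a small Python matcher, added for this article and not part of Cognito Recall, that evaluates the two quoted queries over constructed records. It supports only the operators those queries use, and it shows the caveat worth checking when you test a Custom Model: a NOT clause also matches records in which the field is absent, so the TLS query returns sessions that carry no version at all.

```python
from fnmatch import fnmatchcase

def parse_query(query):
    """Split 'f:v AND NOT g:"w"' into (negated, field, value) clauses.
    Supports only AND, NOT, quoted values, '*' wildcards and '*:*'."""
    clauses, negate = [], False
    for tok in query.split():
        if tok == "AND":
            continue
        if tok == "NOT":
            negate = True
            continue
        field, _, value = tok.partition(":")
        clauses.append((negate, field, value.strip('"')))
        negate = False
    return clauses

def matches(record, query):
    """True when every clause holds. A NOT clause also holds when the field
    is missing from the record (Lucene semantics), so '*:* AND NOT
    version:"TLS1.3"' returns sessions with no version recorded at all."""
    for negate, field, value in parse_query(query):
        if field == "*" and value == "*":
            hit = True
        else:
            hit = field in record and fnmatchcase(str(record[field]), value)
        if hit == negate:
            return False
    return True

# Queries copied verbatim from the examples above
ETERNALBLUE = "first_orig_resp_data_pkt:AA*AAAAAAAAAAA== AND id.resp_p:445 AND resp_ip_bytes:0"
NOT_TLS13 = '*:* AND NOT version:"TLS1.3"'
# Constructed sample records (not real captures); keys mirror the stream field names
ISESSION = [
    {"id.orig_h": "10.0.0.5", "id.resp_p": 445, "resp_ip_bytes": 0,
     "first_orig_resp_data_pkt": "AA" + "A" * 30 + "=="},
    {"id.orig_h": "10.0.0.6", "id.resp_p": 445, "resp_ip_bytes": 812,
     "first_orig_resp_data_pkt": "AA" + "A" * 30 + "=="},
]
SSL = [
    {"id.orig_h": "10.0.0.7", "version": "TLS1.3"},
    {"id.orig_h": "10.0.0.8", "version": "TLS1.2"},
    {"id.orig_h": "10.0.0.9"},  # no version field recorded for this session
]

def run(records, query):
    """Return the originating hosts whose records match the query."""
    return [r["id.orig_h"] for r in records if matches(r, query)]
```

Running `run(SSL, NOT_TLS13)` returns both the TLS1.2 host and the host with no version field, which is the kind of unexpected record the testing steps above are meant to surface.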

 

Custom Models FAQ

How do I give feedback?

All feedback is greatly valued! Please send any suggestions, feedback, or experiences to Stephen Malone, Vectra Product Manager (smalone@vectra.ai) and/or join the public channel (#cognito-recall) in the community Slack channel!

Is there any charge associated with the Custom Models?

No – Custom Models are provided free of charge to customers who are licensed for both Cognito Detect and Cognito Recall.

I have a Cognito Detect Plus license – can I use Custom Models?

Yes! Customers with Cognito Detect Plus are able to enable Cognito Defined Saved Searches as Custom Models. To create your own saved searches and enable them as custom models, you will need a full Cognito Recall license. Please contact your account team to start a Cognito Recall evaluation!

I have a Cognito Detect license, but don’t have a Cognito Recall license – can I use Custom Models?

Unfortunately, no. Customers must have Cognito Detect and Cognito Recall to use Custom Models. To get access to Custom Models, please contact your account team to start a Cognito Recall evaluation!

I am currently evaluating Cognito Recall – can I use Custom Models?

Yes, you can!

Is it possible to edit Cognito Saved Searches?

It is not possible to edit Cognito Saved Searches directly; edits should be made to a copy of the Saved Search. To do this, access the Saved Search in the Custom Model Management page and click "Manage Search in Cognito Recall"; a clone of the Saved Search will be made that can be customised to your needs.

Any changes made by the user directly to a Cognito Saved Search will not affect associated custom models.

Is it possible to edit the Custom Model Category?

It is not possible to edit the Custom Model Category once you have saved it. Instead, deactivate the Custom Model, create a copy of it, and then enable the copy as a Custom Model with the new Category in the Custom Model Management page.

When and how often are Custom Models generated?

Custom Models are generated on an hourly basis. The time period over which the Custom Model searches run is the previous 3 hours.

All times are in the time-zone configured for your Cognito UI instance.

How many Custom Models are generated?

A detection is created within Cognito Detect for each record returned by the Custom Model search. Where the same host appears multiple times within the same 3-hour period, a single detection will be created, but each “hit” for that host will be listed in the detail section of that detection.

A cap of 500 “hits” per run is currently enforced across all Custom Models. Where the number of “hits” exceeds this cap, we prioritize creating detections for as many Custom Models and hosts as possible over adding additional “hits” for already created detections.
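The roll-up described in the two paragraphs above, as an added Python example (not Vectra's implementation): hits from one hourly run are grouped into one detection per Custom Model and host, and the per-run cap is spent on creating detections before adding further hits to existing ones. The article states only that priority, so the round-robin spread of any leftover budget is an assumption of this example.

```python
def build_detections(hits, cap=500):
    """hits: iterable of (model_name, host, detail) from one hourly run.
    Returns {(model, host): [detail, ...]} holding at most `cap` details."""
    groups = {}  # insertion-ordered: first-seen (model, host) pairs come first
    for model, host, detail in hits:
        groups.setdefault((model, host), []).append(detail)
    # Pass 1: one detection per (model, host), seeded with its first hit, until
    # the budget is spent. This is the "as many Custom Models and hosts as
    # possible" rule from the FAQ.
    detections, pending, budget = {}, {}, cap
    for key, details in groups.items():
        if budget == 0:
            break
        detections[key] = [details[0]]
        pending[key] = details[1:]
        budget -= 1
    # Pass 2 (assumed round-robin): spread any remaining budget one hit at a
    # time across the detections that still have unreported hits.
    while budget > 0 and any(pending.values()):
        for key, rest in pending.items():
            if budget == 0:
                break
            if rest:
                detections[key].append(rest.pop(0))
                budget -= 1
    return detections

# Constructed run: one chatty host under a policy model plus two quieter hosts
SAMPLE_HITS = (
    [("Policy - Not TLS1.3", "host-a", f"ssl record {i}") for i in range(6)]
    + [("Policy - Not TLS1.3", "host-b", "ssl record 0")]
    + [("Cognito - TTP - DNS - Wannacry Ransomware Domain", "host-c", f"dns record {i}")
       for i in range(2)]
)

def summary(cap):
    """(number of detections, hits kept) for the sample run under a given cap."""
    dets = build_detections(SAMPLE_HITS, cap)
    return len(dets), sum(len(v) for v in dets.values())
```

With the real cap of 500 all nine sample hits survive; lowering the cap to 4 still yields three detections, with host-a's extra hits being the ones dropped.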

How do I test my Custom Models?

To test your Custom Model during the creation phase, execute the search in Cognito Recall for the previous day and validate that all records you expect to be present are, and that no records appear that you don’t expect.

To test that your Custom Model is executing correctly, create the Custom Model and wait until after 5am on the following day to verify that the detections have been created within Cognito Detect as expected.

Can I create triage rules for my Custom Models?

Yes – triage rules can be created for Custom Model detections.

What impact do Custom Models have on host scoring?

When creating Custom Models you are prompted to specify the Threat and Certainty that will be associated with the host for any “hits” from the Custom Model search. Custom Model detections then use these Threat and Certainty values to update the host scoring when “hits” are found.

If you would like to fire detections for Custom Models but don't want these to affect host scoring, you can set the custom model to fire "info" category detections.

On what Cognito Recall metadata streams can I create Custom Models?

Custom Models can be created for any Cognito Recall metadata streams.
