Recall custom models - how to create detections (QUX)
What are Custom Models?
Custom Models enable you to create your own detections within the Vectra platform. Using Custom Models you can expand the detection capabilities of the Vectra platform by:
Leveraging your experience and expertise to create Custom Model detections based on signatures or IoCs.
Tailoring the Vectra platform to your environment by creating policy, audit or compliance Custom Models that are specific to your context.
Getting a head-start by converting the Vectra-defined Saved Searches to your own Custom Models.
Custom Models are built upon Vectra Recall Saved Searches.
How Custom Models work
Custom Models are defined on, and match against, Vectra Recall metadata and are published as detections in Vectra Detect. Custom Models are built upon the Saved Search Notifications feature within Vectra Recall, enabling you to create detections, instead of email notifications, based on Saved Search results. Vectra maintains a collection of Recall Saved Searches that can be easily turned into Custom Models to monitor
Getting Started with Custom Models
Enabling a Recall Custom Model
If you already have a Recall Saved Search, you can enable it in your Vectra Brain. If you don't have a Recall Saved Search you'd like to enable as a custom model, skip to the next section, "Defining a New Saved Search", to create your saved search, and then come back to this section to enable it.
Login to your Vectra Brain
Click "Manage" on the left hand menu
Click "Custom Models" from the navigation bar.
Select the Saved Search you would like to enable as a custom model and click on the pencil icon on the right hand side.
Switch the "Activate Custom Model" toggle at the bottom of the modal to "on"
Options will appear to select the Category of detection this is, and the threat & certainty you would apply to this detection. You can also select an "info" category, which won't affect scoring.

Click "Save", and your custom model will be activated. Custom models are run hourly on the previous 3 hours of data.
Defining a New Saved Search
Login to Recall
Click "Discover" from the left menu
Select the metadata stream (top-left) you want to search
Select the time range over which you want to search. NOTE: once created, the Custom Model will search over the previous 3 hours
Enter the search criteria and then click the magnifying glass
Results are shown in the results pane.
Click the "Save" ribbon button from the top menu bar
A "Save a New Saved Search" box will appear, please:

Enter a name for your Custom Model
Finally, click the "Save" button to save the Custom Model
Testing your Custom Models
Login to your Vectra Brain
Click "Manage" on the left hand menu
Click "Custom Models" from the navigation bar.
Click the pencil icon on the custom model you'd like to test.
Then click "Manage Search in Recall", this will open the search in Recall.
Change/expand the time range to one you know contains some "hits"
Verify that only the intended results appear
Change/expand the time range to one you know doesn't contain any "hits"
Verify that no results appear
Tip: to see the results for yesterday, select Today, and then hit the left arrow!
View or Edit a Custom Model
Login to your Vectra Brain
Click "Manage" on the left hand menu
Click "Custom Models" from the navigation bar.
Click the pencil icon on the custom model you'd like to view or edit.
You can enable or deactivate a custom model in the pop-up modal, or you can click on "Manage Search in Cognito Recall" to edit the query itself.
If you want to edit the query, click "Manage Search in Recall" and the query will open in Recall.
Change the Saved Search query as required
Click the "Save" ribbon button from the top menu bar.
Click the “Save” button to save your changes
Viewing Detections created by Custom Models
Login to Vectra Detect
Search by Host
Click “Hosts” from the left menu
Search for a host for which there should be a Custom Model detection
Click on that hostname, and verify the Custom Model detections appear as expected
Search by Detection
Click “Detections” from the left menu
Enter the name of your Custom Model into the search box
Verify that the list of detections is as expected
Click into one of the detection results to view the details
Tip: in "Advanced Search", view only Custom Model detections by appending the search term "AND detection.is_custom_model:true". Conversely, exclude Custom Model detections by appending the search term "AND detection.is_custom_model:false"
Converting an existing Saved Search to a Custom Model
Login to your Vectra Brain
Click "Manage" on the left hand menu
Click "Custom Models" from the navigation bar.
Select the Saved Search you would like to enable as a custom model and click on the pencil icon on the right hand side.
Switch the "Activate Custom Model" toggle at the bottom of the modal to "on"
Options will appear to select the Category of detection this is, and the threat & certainty you would apply to this detection. You can also select an "info" category, which won't affect scoring.
Converting a Custom Model to a Saved Search
Login to your Vectra Brain
Click "Manage" on the left hand menu
Click "Custom Models" from the navigation bar.
Select the Custom Model you would like to convert back to a Saved Search and click on the pencil icon on the right hand side.
Switch the "Activate Custom Model" toggle to "off"
Click the “Save” button
Deleting a Custom Model
To delete a custom model, you should deactivate the Custom Model in the Detect UI, see the guide above
Once the Custom Model is inactive, navigate to Recall
Click "Management" in the left hand menu
Click "Saved Objects"
Find the custom model you want to delete, select it, and click the "delete" button.
If you navigate back to the Custom Models page in the Cognito UI, you will see that your custom model is now deleted, and you can click "delete" to remove it from the Custom Models list.
Example Custom Models
Leverage your experience and expertise to create Custom Model detections based on signatures or IoCs. e.g.:
Find instances of EternalBlue compromise within your networks - metadata stream: metadata_isession; query: first_orig_resp_data_pkt:AA*AAAAAAAAAAA== AND id.resp_p:445 AND resp_ip_bytes:0
Tailor the Cognito platform to your environment by creating policy, audit or compliance Custom Models that are specific to your context. e.g.:
Find where you are not using TLS1.3 - metadata stream: metadata_ssl; query: *:* AND NOT version:"TLS1.3"
Or, get a head-start by converting the Vectra-defined Saved Searches to your own Custom Models. e.g.:
Convert the Vectra-defined signature for WannaCry (Saved Search: "Cognito - TTP - DNS - Wannacry Ransomware Domain") to a Custom Model
Create a Custom Model based upon a Vectra Match Signature Match:
Create a saved search called "Vectra Match P2P" on the metadata-match index with the query:
eve_json.alert.signature_id: "2027766"
This will create a custom model that fires on any Vectra Match alert carrying this signature ID. You can also look for multiple signatures by expanding the query to include additional signature IDs.
Create a Custom Model based upon Vectra Match Signature Text
You can match on text content, including wildcards, for the text fields. For instance, if you want to create a Custom Model based upon any signature that has "Cobalt Strike" in the signature title, rather than on individual signature IDs, you can use the following query in the metadata-match index:
eve_json.alert.signature: *Cobalt* AND eve_json.alert.signature: *Strike*
You need both clauses if you want to match "Cobalt" and "Strike", because a wildcard cannot match the space between the two words; combining the two clauses has the same effect.
You could also match on other fields besides Signature ID and Signature to craft flexible Custom Models/Saved Searches of your choice.
Custom Models FAQ
Is there any charge associated with the Custom Models?
Custom Models are included as part of the Recall solution.
I have a Detect license, but don’t have a Recall license – can I use Custom Models?
Unfortunately, no. Customers must have Detect and Recall to use Custom Models. To get access to Custom Models, please contact your account team to start a Recall evaluation!
I am currently evaluating Recall – can I use Custom Models?
Yes you can!
Is it possible to edit Saved Searches?
It is not possible to edit Saved Searches directly, edits should be made to a copy of the Saved Search. To do this, access the saved search in the Custom Model Management page, click "Manage Search in Recall", and a clone of the saved search will be made that can be customized to the user's needs.
Any changes made by the user directly to a Saved Search will not affect associated custom models.
Is it possible to edit the Custom Model Category?
It is not possible to edit the custom model Category once you have saved it. You should deactivate the custom model and create a copy of it, then enable the copy as a Custom model with your new Category in Custom Model Management page.
When and how often are Custom Models generated?
Custom Models are generated on an hourly basis. The time period over which the Custom Model searches run is the previous 3 hours.
All times are in the time-zone configured for your Vectra UI instance.
How many Custom Models are generated?
A detection is created within Detect for each record returned by the Custom Model search. Where the same host appears multiple times within the same 3-hour period, a single detection will be created, but each “hit” for that host will be listed in the detail section of that detection.
A cap of 500 “hits” per run is currently enforced across all Custom Models. Where the number of “hits” exceeds this cap, we prioritize creating detections for as many Custom Models and hosts as possible over adding additional “hits” for already created detections.
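The grouping and cap behaviour described in this answer, as an added illustration that is not Vectra's own code: records from two constructed Custom Model searches in one 3-hour window are collapsed into one detection per (model, host), and the per-run hit cap is allocated breadth-first so that every detection gets its first "hit" before any detection gets a second. The round-robin allocation is an assumption; the page only states the priority, not the exact algorithm.

```python
from collections import defaultdict

HIT_CAP = 500  # per-run cap across all Custom Models, as stated on the page

# Constructed sample records, as a saved search would return them for the
# previous 3 hours (model and host names are made up for this example).
SAMPLE_RECORDS = [
    {"model": "EternalBlue SMB probe", "host": "ws-0142", "ts": "2024-01-01T09:05:00"},
    {"model": "EternalBlue SMB probe", "host": "ws-0142", "ts": "2024-01-01T09:40:00"},
    {"model": "EternalBlue SMB probe", "host": "srv-db01", "ts": "2024-01-01T10:12:00"},
    {"model": "Non-TLS1.3 session", "host": "ws-0142", "ts": "2024-01-01T08:30:00"},
    {"model": "Non-TLS1.3 session", "host": "ws-0142", "ts": "2024-01-01T08:31:00"},
    {"model": "Non-TLS1.3 session", "host": "ws-0142", "ts": "2024-01-01T08:32:00"},
]


def group_detections(records):
    """One detection per (model, host); every hit for that pair goes into its detail list."""
    detections = defaultdict(list)
    for rec in records:
        detections[(rec["model"], rec["host"])].append(rec["ts"])
    return dict(detections)


def apply_hit_cap(detections, cap=HIT_CAP):
    """Allocate the cap breadth-first across detections (assumed round-robin).

    Returns (capped_detections, dropped_hit_count). With the cap exhausted, new
    detections are still preferred over extra hits on detections that already exist.
    """
    queues = {key: list(hits) for key, hits in detections.items()}
    capped = {key: [] for key in detections}
    remaining = cap
    while remaining > 0 and any(queues.values()):
        for key, hits in queues.items():
            if hits and remaining > 0:
                capped[key].append(hits.pop(0))
                remaining -= 1
    dropped = sum(len(hits) for hits in queues.values())
    return capped, dropped


if __name__ == "__main__":
    grouped = group_detections(SAMPLE_RECORDS)
    capped, dropped = apply_hit_cap(grouped, cap=4)  # small cap to show the effect
    for (model, host), hits in capped.items():
        print(f"{model} / {host}: {len(hits)} hit(s) kept")
    print(f"{dropped} hit(s) dropped by the cap")
```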
How do I test my Custom Models?
To test your Custom Model during the creation phase, execute the search in Recall for the previous day and validate that all records you expect to be present are, and that no records appear that you don’t expect.
To test that your Custom Model is executing correctly, create the Custom Model and wait until after 5am on the following day to verify that the detections have been created within Cognito Detect as expected.
Can I create triage rules for my Custom Models?
Yes – triage rules can be created for Custom Model detections.
What impact do Custom Models have on host scoring?
When creating Custom Models you are prompted to specify the Threat and Certainty that will be associated with the host for any “hits” from the Custom Model search. Custom Model detections then use these Threat and Certainty values to update the host scoring when “hits” are found.
If you would like to fire detections for Custom Models but don't want these to affect host scoring, you can set the custom model to fire "info" category detections.
On what Recall metadata streams can I create Custom Models?
Custom Models can be created for any Recall metadata streams.
Can I use Custom Models to create Scored Detections in the Vectra Match in the Detect UI?
Yes you can! You create a Recall Saved Search just like any other custom model, using the metadata-match index, along with the query/filter criteria of interest. Then enable/categorize it in the Vectra UI just like a traditional custom model. Note: this solution is designed to enable customers to create scored detections for select Vectra Match signatures and scenarios. It is not meant to generate Custom Models for large quantities of Vectra Match signatures, due to the alert quantity. Please contact support if you have any questions around Vectra Match and Recall Custom Model limits.