Threat Hunting and Investigations Platform
Kognos is built around its unique Attack-Tracing AI, imbued with security domain knowledge, to hunt down adversaries by:
1. Constantly predicting next steps based on observed activity, and
2. Asking additional exploratory questions to trace an adversary’s every step as they move around the environment.
How many questions does Kognos use for investigations? Can I add custom questions?
Kognos autonomously asks thousands of dynamic questions per second to investigate. These questions are generated, on the fly, from 2000+ MITRE-mapped templated questions that are maintained as a knowledge graph. The Kognos Attack-Tracing AI uses this knowledge graph to ask the questions.
Security teams can also add custom questions to the knowledge graph using simple scripts; these questions are asked as part of the autonomous investigation process, tailoring investigations to the environment.
How many hunt hypotheses does Kognos use for hunting? Can I add custom hypotheses?
Kognos ships with hundreds of default hunt hypotheses to hunt for suspicious activity. When these hunt hypotheses yield results, the system automatically triggers the autonomous investigations to trace out the complete storyline.
Security teams can add additional hunt hypotheses as needed to trigger additional investigations. A user-friendly intelligent query language (IQL) can be used to create additional hunt hypotheses for specifying a variety of interesting IOCs and behaviors.
Can I generate reports of storylines to share with others?
Kognos allows you to easily produce and download complete PDF reports of storylines within seconds to share with others.
Will I get notified when a new story forms?
When stories reach a configured threshold, users can be notified via email. The system also supports REST API to push notifications to a plethora of other tools and systems.
How is it different from other tools?
Most contemporary tools correlate events, and as a result, generate alerts, leaving the arduous job of investigating these alerts to humans. Kognos models security events as relationship graphs, providing complete visibility into the environment.
This modeling, combined with the dynamic questioning using the attack tracing AI, traces out each and every step attackers take, and presents them as attack storylines, enabling security teams to quickly review the associated risk and respond in real-time.
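As an added illustration of the approach this answer describes (model events as a relationship graph, let a hunt hypothesis select a starting point, then expand the storyline by asking templated exploratory questions), here is a small Python script. It is not Kognos code and does not show how the Attack-Tracing AI is implemented; the events, hypothesis, question templates and tactic labels are all constructed for the example.

```python
"""Graph-based attack tracing, illustrated on constructed telemetry.

A correlation rule alone would emit one alert for the Office-spawns-shell
event; walking the relationship graph from that hit, one templated question
per relation type, recovers the full chain of activity as a storyline.
Constructed example, not Kognos code or data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed telemetry as (source, relation, target) triples, the shape an
# EDR or Sysmon feed could be normalised into. Node names are "host:object".
SAMPLE_EVENTS = [
    ("host-a:winword.exe", "spawned", "host-a:powershell.exe"),
    ("host-a:powershell.exe", "connected_to", "198.51.100.7:443"),
    ("host-a:powershell.exe", "wrote_file", "host-a:C:\\Users\\Public\\upd.exe"),
    ("host-a:powershell.exe", "spawned", "host-a:upd.exe"),
    ("host-a:upd.exe", "set_registry_run_key", "host-a:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("host-a:upd.exe", "remote_exec", "host-b:psexesvc.exe"),
    ("host-b:psexesvc.exe", "spawned", "host-b:cmd.exe"),
    ("host-a:explorer.exe", "spawned", "host-a:chrome.exe"),  # benign noise
]


@dataclass
class RelationshipGraph:
    """Directed multigraph: node -> list of (relation, neighbour)."""
    out_edges: dict = field(default_factory=lambda: defaultdict(list))

    def add(self, src, rel, dst):
        self.out_edges[src].append((rel, dst))

    def ask(self, node, relation):
        """One templated question: 'what did <node> <relation>?'"""
        return [dst for rel, dst in self.out_edges.get(node, []) if rel == relation]


def build_graph(events):
    graph = RelationshipGraph()
    for src, rel, dst in events:
        graph.add(src, rel, dst)
    return graph


# A hunt hypothesis is a predicate over a single event (constructed example).
def office_spawns_shell(event):
    src, rel, dst = event
    return (rel == "spawned"
            and src.endswith(("winword.exe", "excel.exe"))
            and dst.endswith(("powershell.exe", "cmd.exe")))


HUNT_HYPOTHESES = {"office-app-spawns-shell": office_spawns_shell}

# Question templates: which relation to follow and the tactic label the step
# is reported under. Labels are illustrative, not a vendor mapping.
QUESTION_TEMPLATES = [
    ("spawned", "Execution"),
    ("connected_to", "Command and Control"),
    ("wrote_file", "Ingress Tool Transfer"),
    ("set_registry_run_key", "Persistence"),
    ("remote_exec", "Lateral Movement"),
]


def run_hunts(events, hypotheses):
    """Return (hypothesis name, event) for every event a hypothesis matches."""
    return [(name, ev) for name, pred in hypotheses.items()
            for ev in events if pred(ev)]


def investigate(graph, start, templates, max_depth=10):
    """Breadth-first trace from `start`, asking every templated question at
    each node reached. Returns the storyline as (tactic, src, rel, dst)."""
    storyline, seen, queue = [], {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for relation, tactic in templates:
            for nxt in graph.ask(node, relation):
                storyline.append((tactic, node, relation, nxt))
                if nxt not in seen:  # avoid cycles and duplicate expansion
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return storyline


def render(storyline):
    return "\n".join(f"[{t}] {s} --{r}--> {d}" for t, s, r, d in storyline)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EVENTS)
    hits = run_hunts(SAMPLE_EVENTS, HUNT_HYPOTHESES)
    for name, (src, _, _) in hits:
        print(f"hunt '{name}' hit; storyline from {src}:")
        print(render(investigate(graph, src, QUESTION_TEMPLATES)))
```

The hunt yields a single hit, but the investigation that starts from it returns seven linked steps across both hosts and never touches the unrelated browser launch, which is the difference the answer draws between alert correlation and graph tracing.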
What do security teams use Kognos for?
There are 3 use cases for Kognos: threat hunting, alert investigations and incident response.
Hundreds of hunt hypotheses can be set up for detecting lateral movement tools, living off the land (LOTL) binaries, persistence mechanisms, various IOCs, and other behaviors. Kognos generates pre-investigated threat storylines associated with any of these hunt hypotheses, providing deep and holistic visibility into the environment.
Kognos alert investigations can be used to investigate 100% of alerts. Through deep machine-driven investigations, Kognos ensures every alert generated in the environment has been reviewed.
Kognos Incident Response can reduce IR time from days/weeks to minutes/hours. The Kognos platform generates the complete storyline of the incident, and allows the security team to export PDF reports of the incidents in real-time.
Does Kognos integrate with Carbon Black?
Yes. Kognos is an official integration partner with Carbon Black and is listed in the VMware Marketplace, where details about Carbon Black + Kognos deployments can be downloaded.
What other integrations does Kognos support?
Kognos seamlessly integrates with a multitude of EDR, SIEM, NDR and Threat Intel sources, including CrowdStrike and SentinelOne. Here is a quick summary of the supported integrations.
Network: Bro/Zeek, Snort, Suricata, SecurityOnion, NetWitness, FW Logs, IDS/IPS logs
App logs: Nginx, Apache, IIS, Domain Controller Logs, DNS Logs, Proxy Logs
Cloud logs: AWS CloudTrail, CloudWatch, Azure Audit Events, Azure Security Events
Data sources: Splunk, Elastic, NetWitness, File Logs, REST API, SQL DBs, RocksDB, MySQL, Amazon S3 Buckets
Threat Intelligence: VirusTotal, ThreatCrowd, ThreatMiner, Carbon Black, Integrations with custom feeds, Cymru
Endpoint: Carbon Black, CrowdStrike, SentinelOne, Microsoft Sysmon, Linux AuditD, macOS OpenBSM
How does Kognos connect with other tools?
The product integrates via APIs and adapters to various platforms and can be enabled quickly from the user interface.
How long does it take to deploy Kognos?
The initial deployment only takes 15 minutes to set up and your security team will begin to see value within 30 minutes.
Is Kognos a SaaS offering or On-Premise?
Kognos provides a SaaS offering, but can also be deployed in data centers on virtual or physical hardware, or in the customer’s own cloud environment.
Kognos for MSSPs
Does Kognos support multi-tenancy?
Kognos supports multi-tenancy with user-level access control for providing single sign-on access for individual customer instances from a single console.
What’s the pricing model?
Standard pricing is based on the number of endpoints. Kognos also offers custom options to match MSSP pricing models.
Can I mix and match EDR and SIEM tools in my environment?
The Kognos suite of autonomous solutions is agnostic to the various EDR, NDR, SIEM, and XDR solutions your customers already have deployed. Kognos seamlessly integrates with existing infrastructure, forging relationships across data from different siloed sources.
Kognos was founded in late 2017 and officially launched the product in September 2020.