have netbox enrichment mark logs for newly-discovered devices

[mmguero]

Prompted by #572

It would be a cool if during population of NetBox inventory via passively-gathered network traffic metadata that the network log entry that results in a newly-created entry in NetBox were somehow marked/flagged as a "new device." This could then be tied into alerting. It would also be a candidate for an event severity scoring category.

Network records marked as such should also probably show up in the "uninventoried devices" visualizations in Asset Interaction Analysis and Zeek Known Summary dashboards.

One question we need to consider: when autopopulation is not enabled, do we still want to set this flag? My guess is probably not, since you'd just re-trigger again and again for the same device? I guess it's a matter of semantics: is this flag meant to mean "new device autopopulated into NetBox inventory" or "uninventoried device observed?"

[trwagner1]

What I attempted to do without realzing was send everything to a "default" group.

Yes, it would be cool to have newly created devices as a "new device". I see where you are going with this.

Hmmm. If not base or default and not in inventory, then don't add to inventory? Sorry, that's what I'm thinking out loud as high level.

Yes, I agree Network records marked as such should also probably show up in the "uninventoried devices" visualizations in Asset Interaction Analysis and Zeek Known Summary dashboards.

Wait, shouldn't there be a stop gate?

I guess that's what you are asking. MAC address. Isn't that our base identifier?

If MAC address not observed, would that be a way to do a visualization?

Sorry, I'm thinking out loud.

[trwagner1]

@mmguero, "Network records marked as such should also probably show up in the "uninventoried devices" visualizations in Asset Interaction Analysis and Zeek Known Summary dashboards." Good suggestion, I like this.

"One question we need to consider: when autopopulation is not enabled, do we still want to set this flag? My guess is probably not, since you'd just re-trigger again and again for the same device? I guess it's a matter of semantics: is this flag meant to mean "new device autopopulated into NetBox inventory" or "uninventoried device observed?"

Good question. I would say it is exactly semantics, and I think we want both. From a TSA perspective, there are requirements to know when "NEW" devices connect to a network, so the first condition is true. From a security persective, you still want to know "occcasional" devices. If a device shows up, but only periodically, it "COULD" be a rogue device OR a potental threat. So, a tag of "uninventoried device observed" would also be necessary.