idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://idaholab.github.io/Malcolm/

utilize DNS/NTLM/DHCP/etc. when populating NetBox inventory via passively-gathered network traffic metadata #415

Closed mmguero closed 5 months ago

mmguero commented 7 months ago

When populating NetBox inventory via passively-gathered network traffic metadata, right now we are only using MAC address and IP address.

We ought to look at using DNS response, NTLM logs, etc., anything that can give us a hostname from an IP address, to improve this process.

mmguero commented 5 months ago

Here's the field breakdown (work in progress).

As much as possible, we want to use our normalized ECS fields for this.

mmguero commented 5 months ago

I feel pretty good about this. It's not perfect: making some assumptions from DNS, NTLM, DHCP, etc. logs isn't a perfect science but it seems to be pretty accurate and the error handling works (netbox doesn't allow you to defeat constraints for name uniqueness, I've got some checks in the code to make sure we don't try to do something stupid). I'm going to close this but may reopen if I find any major issues between now and the release next week, and will open other issues if we come up with improvements or fixes after that.
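As an added illustration of the approach these comments describe (not code from Malcolm or from the issue author), the following Python derives IP-to-hostname suggestions from constructed DNS, NTLM and DHCP records carrying ECS-style field names, then checks the resulting device names for the uniqueness that NetBox enforces before anything would be pushed to the inventory. The `ntlm.hostname`, `dhcp.hostname` and `dhcp.assigned_ip` field names, the source precedence order and the suffix used to resolve a name collision are assumptions made for this example.

```python
"""Added example: turn passively observed DNS/NTLM/DHCP metadata into
IP -> hostname suggestions and check device-name uniqueness locally
before an inventory (such as NetBox) would reject a duplicate.
Field names other than ECS dns.*/source.ip, the precedence order and the
collision suffix are assumptions, not Malcolm's implementation."""

from collections import defaultdict
from ipaddress import ip_address

# Precedence when several sources name the same IP (assumption, lowest wins):
# a forward DNS record is admin-curated, an NTLM hostname is what the machine
# calls itself, a DHCP hostname is whatever the client chose to send.
SOURCE_PRIORITY = {"dns": 0, "ntlm": 1, "dhcp": 2}

# Constructed sample records, not real Malcolm output.
SAMPLE_LOGS = [
    # forward DNS answer (ECS dns.question.name / dns.resolved_ip)
    {"event.dataset": "dns", "dns.question.name": "ws01.corp.example.", "dns.resolved_ip": ["10.0.0.5"]},
    # reverse (PTR) lookup: gives no usable device name
    {"event.dataset": "dns", "dns.question.name": "5.0.0.10.in-addr.arpa", "dns.resolved_ip": []},
    # NTLM authentication where the client names its workstation (assumed field)
    {"event.dataset": "ntlm", "source.ip": "10.0.0.5", "ntlm.hostname": "WS01"},
    # DHCP lease (assumed fields): a client calling itself "printer"
    {"event.dataset": "dhcp", "dhcp.assigned_ip": "10.0.0.9", "dhcp.hostname": "printer"},
    # a second client using the same hostname: would violate name uniqueness
    {"event.dataset": "dhcp", "dhcp.assigned_ip": "10.0.0.10", "dhcp.hostname": "printer"},
    # wildcard name: never a device name
    {"event.dataset": "dns", "dns.question.name": "*.cdn.example", "dns.resolved_ip": ["192.168.1.20"]},
    # loopback answer: not an inventoriable address
    {"event.dataset": "dns", "dns.question.name": "localhost", "dns.resolved_ip": ["127.0.0.1"]},
]


def normalize_name(name):
    """Return a cleaned, lower-cased hostname, or None if it cannot name a device."""
    if not name:
        return None
    name = name.strip().rstrip(".").lower()
    if not name or "*" in name or name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return None
    return name


def is_inventory_ip(ip):
    """Keep only addresses that can plausibly belong to the monitored network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_private and not (addr.is_loopback or addr.is_link_local or addr.is_multicast)


def gather_evidence(logs):
    """Map each inventoriable IP to the (source, hostname) pairs observed for it."""
    evidence = defaultdict(list)
    for rec in logs:
        dataset = rec.get("event.dataset")
        if dataset == "dns":
            name, ips = normalize_name(rec.get("dns.question.name")), rec.get("dns.resolved_ip", [])
        elif dataset == "ntlm":
            name, ips = normalize_name(rec.get("ntlm.hostname")), [rec.get("source.ip")]
        elif dataset == "dhcp":
            name, ips = normalize_name(rec.get("dhcp.hostname")), [rec.get("dhcp.assigned_ip")]
        else:
            continue
        if name is None:
            continue
        for ip in ips:
            if ip and is_inventory_ip(ip):
                evidence[ip].append((dataset, name))
    return dict(evidence)


def choose_names(evidence):
    """Pick one hostname per IP according to SOURCE_PRIORITY."""
    return {ip: min(pairs, key=lambda p: SOURCE_PRIORITY[p[0]])[1] for ip, pairs in evidence.items()}


def dedupe_names(chosen):
    """Resolve duplicate device names before they reach the inventory.
    Returns (unique_names, collisions): collisions lists IPs that shared a name
    and were given an IP-derived suffix (assumed convention)."""
    unique, collisions, taken = {}, [], set()
    for ip in sorted(chosen, key=ip_address):
        name = chosen[ip]
        if name in taken:
            collisions.append(ip)
            name = f"{name}-{ip.replace('.', '-').replace(':', '-')}"
        taken.add(name)
        unique[ip] = name
    return unique, collisions


def suggest_inventory(logs):
    """Full pipeline: evidence -> chosen names -> uniqueness-checked names."""
    return dedupe_names(choose_names(gather_evidence(logs)))


if __name__ == "__main__":
    names, collisions = suggest_inventory(SAMPLE_LOGS)
    for ip, name in names.items():
        print(f"{ip:>15}  {name}")
    print("renamed due to collisions:", collisions)
```

Running it on the constructed records yields three inventory candidates: 10.0.0.5 keeps its forward DNS name over the NTLM one, 10.0.0.9 becomes "printer", and 10.0.0.10 is renamed with an IP suffix and reported as a collision rather than being sent to the inventory under a name that would be rejected.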