Closed mmguero closed 5 months ago
Here's the field breakdown (work in progress). As much as possible, we want to use our normalized ECS fields for this.

- DNS: dns.question.name (keyword) and dns.resolved_ip (array of IP)
- NTLM: zeek.ntlm.hostname and source.ip; zeek.ntlm.server_nb_computer_name or zeek.ntlm.server_dns_computer_name and destination.ip
- DHCP: zeek.dhcp.client_fqdn or zeek.dhcp.host_name (do we care about zeek.dhcp.domain?) to zeek.dhcp.assigned_addr or zeek.dhcp.client_addr or zeek.dhcp.requested_addr
I feel pretty good about this. It's not perfect: making some assumptions from DNS, NTLM, DHCP, etc. logs isn't a perfect science but it seems to be pretty accurate and the error handling works (netbox doesn't allow you to defeat constraints for name uniqueness, I've got some checks in the code to make sure we don't try to do something stupid). I'm going to close this but may reopen if I find any major issues between now and the release next week, and will open other issues if we come up with improvements or fixes after that.
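As an added illustration of the field breakdown above (example code written for this thread, not Malcolm's or NetBox's own code), the following derives IP-to-hostname candidates from normalized records using exactly those DNS, NTLM and DHCP fields with their "or" fallbacks, then flags hostnames seen on more than one IP before anything is pushed to NetBox. The nested-dict record layout and all sample values are constructed assumptions.

```python
from collections import defaultdict

# (hostname fields, IP fields) from the breakdown above; first present value in each tuple wins ("or" fallback)
HOST_IP_FIELDS = [
    (("zeek.ntlm.hostname",), ("source.ip",)),
    (("zeek.ntlm.server_nb_computer_name", "zeek.ntlm.server_dns_computer_name"), ("destination.ip",)),
    (("zeek.dhcp.client_fqdn", "zeek.dhcp.host_name"),
     ("zeek.dhcp.assigned_addr", "zeek.dhcp.client_addr", "zeek.dhcp.requested_addr")),
]
def _first(rec, keys):
    """Return the first non-empty value among dotted ECS keys, walking the nested record."""
    for key in keys:
        node = rec
        for part in key.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node:
            return node
    return None

def hostname_pairs(rec):
    """Yield every (ip, hostname) pair a single normalized record supports."""
    name, ips = _first(rec, ("dns.question.name",)), _first(rec, ("dns.resolved_ip",))
    for ip in ([ips] if isinstance(ips, str) else ips or []) if name else []:
        yield ip, name  # dns.resolved_ip is an array: one pair per resolved address
    for name_keys, ip_keys in HOST_IP_FIELDS:
        name, ip = _first(rec, name_keys), _first(rec, ip_keys)
        if name and ip:
            yield ip, name
def build_hostnames(records):
    """Map each IP to the set of normalized (lowercase, no trailing dot) hostnames seen for it."""
    out = defaultdict(set)
    for rec in records:
        for ip, name in hostname_pairs(rec):
            out[ip].add(str(name).lower().rstrip("."))
    return dict(out)

def name_conflicts(ip_to_names):
    """Hostnames seen on more than one IP: a device per IP under that name would hit NetBox's name-uniqueness constraint."""
    seen = defaultdict(set)
    for ip, names in ip_to_names.items():
        for name in names:
            seen[name].add(ip)
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}

# Constructed sample records (not real traffic): a DNS answer, an NTLM auth, two DHCP leases
SAMPLE = [
    {"dns": {"question": {"name": "fileserver.corp.example"}, "resolved_ip": ["10.0.0.5", "10.0.0.6"]}},
    {"zeek": {"ntlm": {"hostname": "WS01", "server_dns_computer_name": "fileserver.corp.example"}},
     "source": {"ip": "10.0.0.20"}, "destination": {"ip": "10.0.0.5"}},
    {"zeek": {"dhcp": {"host_name": "ws01", "requested_addr": "10.0.0.20"}}},
    {"zeek": {"dhcp": {"client_fqdn": "printer.corp.example", "assigned_addr": "10.0.0.7", "requested_addr": "10.0.0.99"}}},
]
```

Running build_hostnames(SAMPLE) agrees across the NTLM and DHCP evidence for 10.0.0.20 (ws01), while name_conflicts reports fileserver.corp.example resolving to two addresses, which is the kind of case the uniqueness checks have to handle before creating devices.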
When populating NetBox inventory via passively-gathered network traffic metadata, right now we are only using MAC address and IP address.
We ought to look at using DNS response, NTLM logs, etc., anything that can give us a hostname from an IP address, to improve this process.