Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Compare and highlight discrepancies between NetBox inventory and observed network traffic #133

Closed
mmguero opened this issue Dec 7, 2022 · 2 comments
Closed

Compare and highlight discrepancies between NetBox inventory and observed network traffic #133

mmguero opened this issue Dec 7, 2022 · 2 comments
Assignees
@mmguero
Labels
enhancement New feature or request netbox Related to Malcolm's use of NetBox

Comments

@mmguero
Copy link
Collaborator

mmguero commented Dec 7, 2022
edited
Loading

Feature-tracking issue dependent on #131

We can cross-check network traffic with NetBox's model to highlight entities (devices and services) observed in network traffic for which there is no corresponding entry in the list of inventoried assets.

Currently this exists in two dashboards:

  • Zeek Known Summary - this dashboard draws from the periodically-generated known_ logs and software logs to provide a summary of the known devices and services in the network. The Uninventoried Observed Services and Uninventoried Observed Hosts tables show services and hosts (by IP address) that weren't found when searched via the NetBox API.

image

  • Asset Interaction Analysis - this dashboard contains a lot of the same information from the Zeek Known Summary dashboard, but it is from a traffic standpoint rather than just an "observed" standpoint. The Uninventoried Internal Source IPs, Uninventoried Internal Destination IPs and Uninventoried Internal Assets - Logs tables highlight communications involving devices that weren't found when searched via the NetBox API.

image

I've also incorporated views for uninventoried hosts and services into Arkime:

image
@mmguero mmguero added enhancement New feature or request netbox Related to Malcolm's use of NetBox labels Dec 7, 2022
@mmguero mmguero added this to Malcolm Dec 7, 2022
@mmguero mmguero mentioned this issue Dec 7, 2022
Closed
@mmguero mmguero moved this to Todo (design) in Malcolm Dec 7, 2022
@mmguero mmguero removed the status in Malcolm Dec 7, 2022
@mmguero mmguero moved this to Todo (design) in Malcolm Dec 7, 2022
@mmguero
Copy link
Collaborator Author

mmguero commented Dec 20, 2022
edited
Loading

This DQL query (for Dashboards) could be used to show logs for devices (identified by IP address) in the network without a corresponding entry in netbox:

(NOT event.provider:arkime) AND ((NOT event.provider:zeek) OR event.dataset:(conn OR  known*)) AND ((network.direction:(internal OR inbound) AND (destination.ip:*) AND (NOT destination.device.id:*)) OR (network.direction:(internal OR outbound) AND (source.ip:*) AND (NOT source.device.id:*)))

@mmguero mmguero pinned this issue Jan 9, 2023
@mmguero mmguero self-assigned this Jan 9, 2023
@mmguero mmguero moved this from Todo (design) to In Progress in Malcolm Jan 9, 2023
@mmguero
Copy link
Collaborator Author

mmguero commented Jan 18, 2023
edited
Loading

Work is moving forward for this feature. Here are two dashboards that highlight things that are missing from the inventory that are observed in network traffic.

You'll notice that the Asset Interaction Analysis has Uninventoried Internal Source IPs and Uninventoried Internal Destination IPs, while Zeek Known Summary has Uninventoried Observed Services and Uninventoried Observed Hosts visualizations. There is some overlap between these two dashboards: the Asset Interaction Analysis dashboard is more about the communications between the assets, while the Zeek Known Summary draws from the periodic summary logs that Zeek produces (software, known_*, etc.).

These visualizations give a good indication of hosts and services found in the network that aren't in the inventory.

75-81m Dashboards - Asset Interaction Analysis

75-81n Dashboards - Zeek Known Summary

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 18, 2023
@mmguero
work in progress for more dashboards updates for assets, see idaholab…
3ae212c 
…#133
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 18, 2023
@mmguero
work in progress for more dashboards updates for assets, see idaholab…
97b27da 
…#133
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 20, 2023
@mmguero
load up some service templates by default on netbox start (see idahol…
ca3d5a3 
…ab#133)
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 23, 2023
@mmguero
for idaholab#133, added some other ways to see uninventoried items
dc85325
@mmguero mmguero closed this as completed Feb 1, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Malcolm Feb 1, 2023
@mmguero mmguero moved this from Done to Released in Malcolm Feb 3, 2023
@mmguero mmguero unpinned this issue Feb 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
enhancement New feature or request netbox Related to Malcolm's use of NetBox
Projects
Malcolm
Status: Released
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mmguero