Can Zeek send an alert if a new device/IP shows up on scans?

[trwagner1]

Can Zeek, send an alert if a new device is shows up that's not normal?

Let's say you've run Malcolm for 60 days and it's discovered 30 devices. if a new deivce "x" appears that isn't an ip that's "recgnized" or normally observed, can Zeek send an alert about the device?

[mmguero]

Hi, great question. At the moment we don't have a way to do that, but I've created an issue (#573) to do just that, as it's a great suggestion. In the meantime, there's a few things you can do with visualizations to sort of approximate that:

• if NetBox inventory autopopulation is turned off then you will see devices that are unknown to the inventory as showing up in the "uninventoried" visualizations on the Asset Interaction Analysis and Zeek Known Summaries dashboard. The idea here being that you run autopopulation for a while, then curate your inventory once it's in a stable state, then observe new ("uninventoried") devices in those visualizations as they are seen.
• In Arkime, if you go to the Connections view, you can use the baselining feature to see new devices (although this just looks at the traffic over a certain period, not the NetBox inventory). The workflow would be something like this:
  • In Arkime, narrow your time frame down to the period of interest (let's say it's the last 24 hours)
  • Select the appropriate "baseline time frame" option to compare the current time window to (so, for example, if you are looking at last 24 hours and select 1x actual time frame it will look for new devices in the last 24 hours, or, more accurately, "IP addresses that were observed in the last 24 hours that were not observed in the pervious 24 hours."). You can expand that baseline time frame back quite a ways, see the options there.
  • The "baseline node visibility" option can be used to only show "new" devices, or only "old" devices, etc.
  • Expand your Query Size from the default 100 to the maximum value
  • You can see a screenshot of what this looks like here

Anyway, as I said, I've logged that issue to flag new IPs as such. Thanks for the suggestion.

[trwagner1]

Thanks. It was a pleasure to meet you last week in Indiana.

[mmguero]

Likewise.

[trwagner1]

Hi, great question. At the moment we don't have a way to do that, but I've created an issue (#573) to do just that, as it's a great suggestion. In the meantime, there's a few things you can do with visualizations to sort of approximate that:

• if NetBox inventory autopopulation is turned off then you will see devices that are unknown to the inventory as showing up in the "uninventoried" visualizations on the Asset Interaction Analysis and Zeek Known Summaries dashboard. The idea here being that you run autopopulation for a while, then curate your inventory once it's in a stable state, then observe new ("uninventoried") devices in those visualizations as they are seen.

• In Arkime, if you go to the Connections view, you can use the baselining feature to see new devices (although this just looks at the traffic over a certain period, not the NetBox inventory). The workflow would be something like this:

  • In Arkime, narrow your time frame down to the period of interest (let's say it's the last 24 hours)
  • Select the appropriate "baseline time frame" option to compare the current time window to (so, for example, if you are looking at last 24 hours and select 1x actual time frame it will look for new devices in the last 24 hours, or, more accurately, "IP addresses that were observed in the last 24 hours that were not observed in the pervious 24 hours."). You can expand that baseline time frame back quite a ways, see the options there.
  • The "baseline node visibility" option can be used to only show "new" devices, or only "old" devices, etc.
  • Expand your Query Size from the default 100 to the maximum value
  • You can see a screenshot of what this looks like here

Anyway, as I said, I've logged that issue to flag new IPs as such. Thanks for the suggestion.

This is a great "how to" for YouTube". ;-)