have netbox enrichment mark logs for newly-discovered devices

[mmguero]

Prompted by #572

It would be a cool if during population of NetBox inventory via passively-gathered network traffic metadata that the network log entry that results in a newly-created entry in NetBox were somehow marked/flagged as a "new device." This could then be tied into alerting. It would also be a candidate for an event severity scoring category.

Network records marked as such should also probably show up in the "uninventoried devices" visualizations in Asset Interaction Analysis and Zeek Known Summary dashboards.

One question we need to consider: when autopopulation is not enabled, do we still want to set this flag? My guess is probably not, since you'd just re-trigger again and again for the same device? I guess it's a matter of semantics: is this flag meant to mean "new device autopopulated into NetBox inventory" or "uninventoried device observed?"

[trwagner1]

What I attempted to do without realzing was send everything to a "default" group.

Yes, it would be cool to have newly created devices as a "new device". I see where you are going with this.

Hmmm. If not base or default and not in inventory, then don't add to inventory? Sorry, that's what I'm thinking out loud as high level.

Yes, I agree Network records marked as such should also probably show up in the "uninventoried devices" visualizations in Asset Interaction Analysis and Zeek Known Summary dashboards.

Wait, shouldn't there be a stop gate?

I guess that's what you are asking. MAC address. Isn't that our base identifier?

If MAC address not observed, would that be a way to do a visualization?

Sorry, I'm thinking out loud.