Custom Detection: Newly Discovered Asset

This trigger is assigned to the NEW_DEVICE and SESSION_EXPIRE events. It can be used as is, or as a template, to generate a detection whenever your sensors discover a new device. Note that the detection is deferred: the NEW_DEVICE handler only records a session key, and the detection is committed when that key expires (300 seconds later by default).

Sample detection card:

Example trigger code:

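// Type trigger code below
//
// Custom detection template: raise a detection for each newly discovered device.
//
// The trigger is driven by two events:
//   1. NEW_DEVICE     — store a short-lived session key for the new device.
//   2. SESSION_EXPIRE — when that key lapses, commit the detection.
// The session round-trip delays the detection by NEW_DEVICE_DELAY_SECONDS;
// presumably this gives the device time to be named/classified before it
// appears on a detection card — TODO confirm against the deployment's needs.

// Prefix shared by both branches so the SESSION_EXPIRE handler only acts on
// keys this trigger created.
const SESSION_KEY_PREFIX = 'newDevice-';
// Seconds between discovery and the detection being committed.
const NEW_DEVICE_DELAY_SECONDS = 300;

if (event === 'NEW_DEVICE') {
    // Dumping the whole device object is handy while tuning but verbose on a
    // busy network; trim it once the trigger is stable.
    debug(`new device event \n${JSON.stringify(Discover.device)}`);

    const deviceId = Discover.device.id;
    // notify: true asks the platform to raise SESSION_EXPIRE when the key
    // lapses, which is what drives the second branch below.
    Session.add(`${SESSION_KEY_PREFIX}${deviceId}`, deviceId, {
        expire: NEW_DEVICE_DELAY_SECONDS,
        notify: true,
        priority: Session.PRIORITY_HIGH,
    });
}

if (event === 'SESSION_EXPIRE') {
    // Session.expiredKeys holds the { name, value } pairs whose TTL just lapsed;
    // `value` is the device id stored by the NEW_DEVICE branch.
    const expiredKeys = Session.expiredKeys;
    if (expiredKeys) {
        for (const { name, value } of expiredKeys) {
            if (!name.startsWith(SESSION_KEY_PREFIX)) {
                continue;
            }

            const device = new Device(value);
            device.metricAddCount("new_devices", 1);

            commitDetection('new_asset_discovered', {
                'title': 'New Asset Discovered',
                'description': `A new asset was discovered.`,
                'riskScore': 11,
                'categories': ['sec', 'sec.caution'],
                // NOTE(review): 'offender' is the template's choice; a newly
                // seen device is not necessarily hostile — pick the role that
                // matches how these detections are triaged.
                'participants': [
                    {
                        'object': device,
                        'role': 'offender',
                    },
                ],
                // NOTE(review): the identityKey is the same for every device, so
                // the platform appears to fold all new-device detections raised
                // within the TTL into one; use a per-device key such as
                // `newDeviceDiscovery-${value}` if one detection per device is
                // wanted — confirm against the detection API docs.
                'identityKey': 'newDeviceDiscovery',
                'identityTtl': 'day',
            });
        }
    }
}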