Asset Inventory coverage best practices

Overview

Asset inventory delivers a complete and trusted view of all assets on the network, enabling teams to identify unmanaged devices, detect gaps in EDR coverage, and quickly spot new or unexpected systems. This continuous visibility helps reduce risk, support compliance and insurance requirements, and strengthen overall security posture.

Vectra uses passive, network-derived signals to accurately identify assets—including IoT and unmanaged systems—and enrich them with attributes such as name, type, OS, and other characteristics. These attributes power HostID, detection models, investigation workflows, and other downstream use cases.

In some deployments, visibility gaps can occur:

• Sensors may not see all DHCP traffic.

• Local-only communication (for example, mDNS and NetBIOS) may never reach monitored segments.

• Lack of visibility to other protocols can also impact coverage.

When key attributes are missing, assets may appear as Unattributed IP Sessions (IP-#.#.#.#). While this can result in a lower reported asset count, Vectra still tracks the activity and maintains effective threat detection. This article provides guidance for improving coverage for Asset Inventory, HostID, Detection, and Investigation metadata.

Benefits

High coverage of network derived signals such as DHCP, mDNS, and NetBIOS allows Vectra to:

Improve Asset Inventory

• Capture IP, MAC address, hostname, and DHCP options

• Build more detailed and enriched asset records (including make, model, OS, and version)

• Support stronger confidence in advanced fingerprinting (for example, DHCP-based identification)

Strengthen HostID

• Improve correlation between IP addresses and hostnames

• Reduce ambiguity in environments with dynamic addressing

Enhance Detection

• Provide additional context that detection models rely on

• Improve visibility into hosts that may otherwise be partially observed

Enrich Investigations

• Increase available metadata for pivoting and analysis

• Provide better historical context for device behavior

Identifying Low Coverage

Under Exposure → Inventory, a yellow warning box about Traffic Visibility Limiting Asset Recognition indicates low coverage and Vectra recommends that steps be taken to help improve coverage.

Vectra Customer Success teams may also proactively reach out to customers when telemetry indicates issues. Please work through this guide and try to increase coverage.

Use Traffic Validation (ENTV) to baseline DHCP, mDNS, and NetBIOS percentages on an aggregate and per sensor or subnet basis to gather baselines that you can use for later comparison after making changes.

Signals Needed for Good Coverage

While all of the signals below help, the bolded entries below are of critical importance for high quality Asset Inventory coverage.

• MAC address observed through DHCP traffic

• NetBIOS traffic

• mDNS traffic

• SSH traffic

• User Agent observed through HTTP traffic

Methods to Increase Coverage

Extend Network Sensor Coverage

Asset Inventory benefits from L2 network visibility of assets. While threat detection deployments have historically focused on monitoring Internet traffic and internal datacenters, Asset Inventory requires broader coverage—including internal networks and edge locations where assets reside.

The following resources are helpful to better understand what traffic should be observed by your Sensors and what traffic is being observed.

• NDR / Network Identity Architecture - overall architecture advice

• Network Traffic Recommendations - specifics on what to capture, what can be ignored

• Traffic Validation (ENTV) - how to validate the quality of the traffic being observed

  • Both aggregate and per Sensor data is provided to help zero in on problem areas

• Traffic Validation (ENTV) alerting - alerting options for traffic quality

Asset Visibility Forwarding

Please see Asset Visibility Forwarding for full details including sample configurations for a variety of networking equipment vendors.

Asset Visibility Forwarding is a deployment technique that allows Vectra to observe network asset identity-related artifacts even when your current Sensor placement does not provide full visibility. It uses standard network capabilities (such as ERSPAN or GRE) to forward selected traffic from switches or network devices to a Vectra Sensor.

By forwarding selected network traffic (such as DHCP, mDNS, and NetBIOS) from remote parts of your network, you can significantly improve:

• Asset Inventory coverage

• Host-ID accuracy

• Detection fidelity

• Metadata available for investigations

Asset Visibility Forwarding is most useful when:

• Your sensors do not see DHCP, mDNS, or NetBIOS traffic.

  • It is critical when you are not seeing all DHCP traffic.

• You have limited Layer 2 visibility.

• Devices communicate locally within access networks.

• You observe gaps in Asset Inventory or Host-ID coverage.

Forwarding DHCP Logs to Vectra

SIEM (Vectra Brain ingesting logs) aka SIEM Event Forwarding is another option that can provide DHCP log data to your Vectra Brain. DHCP will help with Host-ID name resolution, and may enhance Asset Inventory, but is not as comprehensive as configuring Asset Visibility Forwarding.

Observing DHCP packets is a much better sources than logs as Vectra can parse all required information for Asset Inventory and any future associated use cases.

Issues with DHCP logs as a source:

• There is no official standard format and not all can be parsed successfully.

  • Vectra supports the ISC format which includes Infoblox and DHCPD.

• Some do not include hostname and only provide IP and MAC.

Evaluating the Impacts of Changes

To see the impact of changes made to help increase coverage:

• Use Traffic Validation (ENTV)

  • Examine DHCP, mDNS, and NetBIOS traffic levels and look for an increase on a per subnet and aggregate basis from baseline values.

• See that Warnings on Asset Inventory are no longer being present.

  • It may take some time for changes to be fully realized.

  • It is recommended to wait up to a day or two to gather new data that would alter the metrics used to determine if the warning should be shown.

  • You may need to alter the timeframe for the report to not look at data for hosts that were observed before the changes were made.