He pointed out that Win2k's DNS server will automatically create reverse DNS lookup zones (how you can get the name of a PC from DNS if you have it's IP address) if you give it the right info. I had thought that my only option was to manually create all 400+ zones using the admin wizard (or convince M, my very overworked partner in crime, to write a WMI script to do it). By reading the text of the reverse-lookup creation wizard dialog box veeeery carefully I realized that it should automatically create the zones I needed... if told to do the right thing in a very non-intuitive way. At least, from the perspective of a networking person. But, lo, it worked!
I checked periodically today and the DNS servers are dutifully creating new reverse lookup zones whenever PCs get or renew IP addresses from the DHCP server. In a few days, everyone should be represented there. So, by week's end WAVESS should be able to resolve all of the IPs it pulls out of the firewall logs to names. Then I'll truly have an automatic detection system. Thank you majikshop!