Detect Unauthorized Assets by MAC address

Status: experimental
Severity: medium
Group by: All_Sessions.dest_ip, All_Sessions.dest_mac
Author: Bhavin Patel, Splunk
Source: github.com/splunk/security_content

The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.

Rule body splunk

name: Detect Unauthorized Assets by MAC address
id: dcfd6b40-42f9-469d-a433-2e53f7489ff4
version: 9
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.
data_source: []
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Network_Sessions
      WHERE nodename=All_Sessions.DHCP All_Sessions.tag=dhcp
      BY All_Sessions.dest_ip All_Sessions.dest_mac
    | dedup All_Sessions.dest_mac
    | `drop_dm_object_name("Network_Sessions")`
    | `drop_dm_object_name("All_Sessions")`
    | search NOT [
    | inputlookup asset_lookup_by_str
    | rename mac as dest_mac
    | fields + dest_mac]
    | `detect_unauthorized_assets_by_mac_address_filter`
how_to_implement: This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.
known_false_positives: This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.
references: []
finding:
    title: Potentially Unauthorized Device observed [ $dest_ip$ ]
    entity:
        field: dest_ip
        type: system
        score: 50
analytic_story:
    - Asset Tracking
asset_type: Infrastructure
mitre_attack_id: []
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: network
baselines:
    - Count of assets by category

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly` count FROM datamodel=Network_Sessions
  WHERE nodename=All_Sessions.DHCP All_Sessions.tag=dhcp
  BY All_Sessions.dest_ip All_Sessions.dest_mac

Stage 2: `dedup`

| dedup All_Sessions.dest_mac

Stage 3: `search`

| `drop_dm_object_name("Network_Sessions")`

Stage 4: `search`

| `drop_dm_object_name("All_Sessions")`

Stage 5: `search`

| search NOT [
| inputlookup asset_lookup_by_str
| rename mac as dest_mac
| fields + dest_mac]

Stage 6: `search`

| `detect_unauthorized_assets_by_mac_address_filter`

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`1`	eq	`1`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`All_Sessions.tag`	eq	`dhcp`
`nodename`	eq	`"All_Sessions.DHCP"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Detect Unauthorized Assets by MAC address

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `dedup`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Stage 6: `search`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Detect Unauthorized Assets by MAC address

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: dedup

Stage 3: search

Stage 4: search

Stage 5: search

Stage 6: search

Exclusions

Indicators

Stage 1: `tstats`

Stage 2: `dedup`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Stage 6: `search`