{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/asset-tracking/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["asset-tracking","unauthorized-access","network"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection identifies unauthorized devices attempting to connect to the organization\u0026rsquo;s network by inspecting DHCP request packets. It achieves this by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the \u003ccode\u003eassets_by_str.csv\u003c/code\u003e file. The detection uses the Network_Sessions data model shipped with Enterprise Security and leverages the Assets and Identity framework to populate the \u003ccode\u003eassets_by_str.csv\u003c/code\u003e file, which should contain a list of known authorized organizational assets, including their MAC addresses. This activity is significant as unauthorized devices can introduce security risks, potentially leading to data breaches or network disruptions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthorized device attempts to connect to the network.\u003c/li\u003e\n\u003cli\u003eThe device sends a DHCP request to obtain an IP address.\u003c/li\u003e\n\u003cli\u003eThe network monitoring system captures the DHCP request.\u003c/li\u003e\n\u003cli\u003eThe system extracts the MAC address from the DHCP request.\u003c/li\u003e\n\u003cli\u003eThe extracted MAC address is compared against the list of authorized MAC addresses in \u003ccode\u003eassets_by_str.csv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the MAC address is not found in the authorized list, an alert is triggered.\u003c/li\u003e\n\u003cli\u003eAn analyst investigates the alert to determine if the device is truly unauthorized.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthorized device successfully connecting to the network can lead to several negative consequences. This could include unauthorized access to sensitive data, the introduction of malware, or the disruption of network services. The risk is especially high if the unauthorized device is compromised or controlled by a malicious actor. The impact of such an event can range from minor data breaches to significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Unauthorized Assets by MAC Address\u003c/code\u003e analytic within Splunk Enterprise Security as described in the \u0026ldquo;how_to_implement\u0026rdquo; section above.\u003c/li\u003e\n\u003cli\u003eEnsure the Assets and Identity framework is properly configured and populated with authorized asset information, including MAC addresses, as described in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003edetect_unauthorized_assets_by_mac_address_filter\u003c/code\u003e macro to minimize false positives, based on your organization\u0026rsquo;s environment and authorized device profiles.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this detection promptly to determine the nature and risk associated with any potentially unauthorized devices identified.\u003c/li\u003e\n\u003cli\u003eAdjust the finding score based on your organization\u0026rsquo;s risk appetite and the potential impact of unauthorized device access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:47:46Z","date_published":"2026-05-28T17:47:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-detect-unauthorized-mac/","summary":"This analytic identifies potentially unauthorized devices attempting to connect to an organization's network by inspecting DHCP request packets and comparing MAC addresses against a list of known authorized devices.","title":"Unauthorized Asset Detection via DHCP Request Analysis","url":"https://feed.craftedsignal.io/briefs/2026-05-detect-unauthorized-mac/"}],"language":"en","title":"CraftedSignal Threat Feed — Asset-Tracking","version":"https://jsonfeed.org/version/1.1"}