This search might be prone to high false positives if DHCP snooping or Dynamic ARP Inspection has been incorrectly configured (for example, an uplink or DHCP server port left untrusted), or if a device normally sends many ARP packets (unlikely).

Techniques

Sample rules

Detect ARP Poisoning

Description

By enabling Dynamic ARP Inspection (DAI) as a Layer 2 security measure on the organization's network devices, we are able to detect ARP poisoning attacks in the infrastructure. DAI validates ARP packets on untrusted ports against the DHCP snooping binding table and drops those that fail; when the per-port ARP rate limit (15 packets per second by default on untrusted ports) is exceeded, the switch places the port in err-disable state. This search looks for that err-disable event in Cisco IOS syslog: a Port Manager (facility PM) ERR_DISABLE message whose disable cause is arp-inspection, aggregated by switch and source interface with first seen, last seen and count.

Detection logic

`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection"
| eval src_interface=src_int_prefix_long+src_int_suffix
| stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_arp_poisoning_filter`
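The same detection logic run offline over a few constructed Cisco IOS syslog lines, as an added example that is not part of the original page or of the Splunk rule. It parses the %PM-4-ERR_DISABLE message, keeps only events whose cause is arp-inspection, rebuilds the long interface name the way the search's src_interface eval does, and computes firstTime, lastTime and count per host and interface. The sample log text, the 2024 year assumed for the year-less syslog timestamps, and the filter_ifaces allowlist (standing in for the `detect_arp_poisoning_filter` macro) are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not taken from the page): sw-access-01 err-disables
# Gi1/0/7 twice (once more after errdisable recovery), has an unrelated bpduguard
# err-disable that must be ignored, and sw-access-02 err-disables Gi2/0/24 once.
SAMPLE_LOGS = """\
<187>Jun 14 10:02:11 sw-access-01 1234: Jun 14 10:02:11.503: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
<187>Jun 14 10:02:12 sw-access-01 1235: Jun 14 10:02:12.001: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
<189>Jun 14 10:07:12 sw-access-01 1236: Jun 14 10:07:12.100: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi1/0/7
<187>Jun 14 10:07:40 sw-access-01 1237: Jun 14 10:07:40.812: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
<187>Jun 14 10:09:03 sw-access-02 887: Jun 14 10:09:03.220: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/24, putting Gi2/0/24 in err-disable state
"""

# Syslog header (optional PRI, timestamp, hostname) followed by the IOS %FACILITY-SEV-MNEMONIC tag.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Body of a PM ERR_DISABLE message: "<cause> error detected on <iface>, putting <iface> in err-disable state".
ERR_DISABLE_RE = re.compile(r"^(?P<cause>\S+) error detected on (?P<iface>\S+), putting")

# Short-to-long interface prefixes, mirroring src_int_prefix_long in the Splunk search.
PREFIX_LONG = {
    "Gi": "GigabitEthernet",
    "Fa": "FastEthernet",
    "Te": "TenGigabitEthernet",
    "Tw": "TwoGigabitEthernet",
    "Po": "Port-channel",
}


def normalize_interface(short_name):
    """Expand an abbreviated IOS interface name, e.g. Gi1/0/7 -> GigabitEthernet1/0/7."""
    m = re.match(r"^([A-Za-z-]+?)(\d.*)$", short_name)
    if m is None:
        return short_name
    prefix, suffix = m.group(1), m.group(2)
    return PREFIX_LONG.get(prefix, prefix) + suffix


def parse_err_disable(line, year):
    """Return a dict for a PM ERR_DISABLE line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if m is None or m.group("facility") != "PM" or m.group("mnemonic") != "ERR_DISABLE":
        return None
    body = ERR_DISABLE_RE.match(m.group("msg"))
    if body is None:
        return None
    # IOS timestamps carry no year; the caller supplies one (an assumption of this example).
    when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "time": when,
        "host": m.group("host"),
        "disable_cause": body.group("cause"),
        "src_interface": normalize_interface(body.group("iface")),
    }


def detect_arp_poisoning(log_text, year=2024, filter_ifaces=frozenset()):
    """Equivalent of the search: stats min/max/count by host and interface for
    arp-inspection err-disables, minus any (host, interface) pairs in filter_ifaces
    (the stand-in for detect_arp_poisoning_filter)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_err_disable(line, year)
        if ev is None or ev["disable_cause"] != "arp-inspection":
            continue
        key = (ev["host"], ev["src_interface"])
        if key in filter_ifaces:
            continue
        times[key].append(ev["time"])
    return {
        key: {"firstTime": min(ts), "lastTime": max(ts), "count": len(ts)}
        for key, ts in times.items()
    }


if __name__ == "__main__":
    for (host, iface), row in sorted(detect_arp_poisoning(SAMPLE_LOGS).items()):
        print(f"{host} {iface} first={row['firstTime']} last={row['lastTime']} count={row['count']}")
```

A count above 1 for the same interface within a short window is the pattern produced when errdisable recovery keeps re-enabling a port that an attacker (or a misconfigured untrusted uplink) immediately trips again; a single event on a port that also carries a DHCP server or another switch is the misconfiguration case the false-positive note describes.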