Detect ARP Poisoning
- source: splunk
- techniques:
- T1200
- T1498
- T1557
- T1557.002
Description
By enabling Dynamic ARP Inspection (DAI) as a Layer 2 security measure on the organization's network devices, ARP poisoning attacks in the infrastructure can be detected: when DAI puts a port into the err-disable state because of an ARP inspection violation, the switch logs the event, and this search surfaces those log messages.
Detection logic
`cisco_networks` facility="PM" mnemonic="ERR_DISABLE" disable_cause="arp-inspection"
| eval src_interface=src_int_prefix_long+src_int_suffix
| stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_arp_poisoning_filter`
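As an added worked example (not part of the Splunk rule above or of the Splunk add-on it relies on), the following Python script applies the same detection logic to raw Cisco-style syslog lines: it keeps only `PM` / `ERR_DISABLE` messages whose cause is `arp-inspection`, rebuilds the source interface from its prefix and suffix, and aggregates first seen, last seen and count per host and interface, which is what the `stats` line of the search does. The sample log lines are constructed for this example and follow the `%PM-4-ERR_DISABLE` message layout; the syslog year (2024) and the output field names are assumptions, and the interface prefix is kept as it appears in the message rather than normalized to the add-on's long form.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the layout of Cisco IOS %PM-4-ERR_DISABLE messages.
# Two arp-inspection violations on one port, one unrelated bpduguard violation,
# one arp-inspection violation on a second switch, and one recovery message.
SAMPLE_LOGS = [
    "Mar  3 10:15:02 sw-access-01 %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "Mar  3 10:15:09 sw-access-01 %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "Mar  3 10:16:30 sw-access-02 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar  3 10:17:45 sw-access-02 %PM-4-ERR_DISABLE: arp-inspection error detected on Gi2/0/12, putting Gi2/0/12 in err-disable state",
    "Mar  3 10:18:00 sw-access-01 %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi1/0/5",
]

# Syslog header: timestamp, reporting host, %FACILITY-SEVERITY-MNEMONIC: body
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$"
)

# ERR_DISABLE body: "<cause> error detected on <prefix><suffix>, putting ..."
# The prefix/suffix split mirrors the src_int_prefix_long / src_int_suffix fields
# that the search concatenates into src_interface.
BODY_RE = re.compile(
    r"^(?P<disable_cause>[\w-]+) error detected on (?P<src_int_prefix>[A-Za-z]+)(?P<src_int_suffix>[\d/.]+),"
)

SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps carry no year


def parse_event(line):
    """Return a dict of extracted fields for one syslog line, or None if it does not parse."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    event = header.groupdict()
    event["_time"] = datetime.strptime(
        f"{SYSLOG_YEAR} {event.pop('ts')}", "%Y %b %d %H:%M:%S"
    )
    body = BODY_RE.match(event.pop("body"))
    if body:
        event.update(body.groupdict())
        event["src_interface"] = event["src_int_prefix"] + event["src_int_suffix"]
    return event


def is_arp_inspection_errdisable(event):
    """The search's filter: facility PM, mnemonic ERR_DISABLE, cause arp-inspection."""
    return (
        event.get("facility") == "PM"
        and event.get("mnemonic") == "ERR_DISABLE"
        and event.get("disable_cause") == "arp-inspection"
    )


def detect_arp_poisoning(lines):
    """Aggregate matching events by (host, src_interface) like
    `stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface`."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event and is_arp_inspection_errdisable(event):
            groups[(event["host"], event["src_interface"])].append(event["_time"])

    results = {}
    for key, times in groups.items():
        results[key] = {
            "firstTime": min(times).isoformat(sep=" "),
            "lastTime": max(times).isoformat(sep=" "),
            "count": len(times),
        }
    return results


if __name__ == "__main__":
    for (host, iface), row in sorted(detect_arp_poisoning(SAMPLE_LOGS).items()):
        print(f"{host} {iface} first={row['firstTime']} last={row['lastTime']} count={row['count']}")
```

The bpduguard violation and the `ERR_RECOVER` message are parsed but dropped by the filter, so only the two ARP inspection err-disable events remain, grouped by switch and port; a high count on one port in a short window is the signal a responder would triage, since a single violation can also be a misconfigured static-IP host rather than an attack.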