"ESCU - Detect Unauthorized Assets by MAC address - Rule" should use dest_mac instead of src_mac

[my2ndhead]

The search should use dest_mac instead of src_mac.

| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac
| dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`
|`drop_dm_object_name("All_Sessions")` 
| search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac 
| fields + src_mac] 
| `detect_unauthorized_assets_by_mac_address_filter` 

The CIM Network Sessions Data Model says for src_mac:

The MAC address of the client initializing a network session.

Not applicable for DHCP events. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.

For dest_mac:

The internal MAC address of the network session client.

For DHCP events, this is the MAC address of the client acquiring an IP address lease.

[P4T12ICK]

Thank you for your feedback. We will work on this.

[josehelps]

Hey thank you for raising this one @my2ndhead! Should be shipped in the next release.