You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The search should use dest_mac instead of src_mac.
| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac
| dedup All_Sessions.src_mac| `drop_dm_object_name("Network_Sessions")`
|`drop_dm_object_name("All_Sessions")`
| search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac
| fields + src_mac]
| `detect_unauthorized_assets_by_mac_address_filter`
The CIM Network Sessions Data Model says for src_mac:
The MAC address of the client initializing a network session.
Not applicable for DHCP events. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.
For dest_mac:
The internal MAC address of the network session client.
For DHCP events, this is the MAC address of the client acquiring an IP address lease.
The text was updated successfully, but these errors were encountered:
The search should use
dest_mac
instead ofsrc_mac
.The CIM Network Sessions Data Model says for
src_mac
:For
dest_mac
:The text was updated successfully, but these errors were encountered: