We have not been able to test, simulate or build datasets for it; use at your own risk!



By enabling IPv6 First Hop Security as a Layer 2 security measure on the organization's network devices, we will be able to detect various attacks, such as packet forging, in the infrastructure.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-10-28
  • Author: Mikael Bjerkeland, Splunk
  • ID: c3be767e-7959-44c5-8976-0e9c12a91ad2


ID          Technique                   Tactic
T1200       Hardware Additions          Initial Access
T1498       Network Denial of Service   Impact
T1557       Man-in-the-Middle           Credential Access, Collection
T1557.002   ARP Cache Poisoning         Credential Access, Collection

`cisco_networks` facility="SISF" mnemonic IN ("IP_THEFT","MAC_THEFT","MAC_AND_IP_THEFT","PAK_DROP")
| eval src_interface=src_int_prefix_long+src_int_suffix
| eval dest_interface=dest_int_prefix_long+dest_int_suffix
| stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface
| table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count
| `security_content_ctime(firstTime)`
| `detect_ipv6_network_infrastructure_threats_filter`
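To show what the search above actually does with raw device logs, here is an added example (not part of the detection or the Cisco Networks Add-on) that applies the same filter and stats grouping in Python to a few constructed SISF syslog lines; the key=value layout of the message body, and the mapping of IF/New I/F onto src_interface/dest_interface, are assumptions, and the add-on's derived vendor_explanation and action fields are not modelled.

```python
import re
from datetime import datetime

# Mnemonics the search above keys on; other SISF messages are ignored.
SISF_MNEMONICS = {"IP_THEFT", "MAC_THEFT", "MAC_AND_IP_THEFT", "PAK_DROP"}
MULTI = ("src_mac", "src_vlan", "mnemonic", "src_ip", "dest_interface")  # values() fields

# Constructed sample syslog lines in the Cisco "%FACILITY-SEVERITY-MNEMONIC: text" shape;
# the key=value layout of the message body is assumed for illustration.
SAMPLE_LOGS = [
    "2020-10-28T10:00:01Z sw1 %SISF-4-IP_THEFT: IP Theft IP=2001:db8::10 VLAN=10 "
    "MAC=0011.2233.4455 IF=Gi1/0/1 New MAC=0011.2233.9999 New I/F=Gi1/0/7",
    "2020-10-28T10:00:05Z sw1 %SISF-4-MAC_AND_IP_THEFT: MAC and IP Theft IP=2001:db8::10 "
    "VLAN=10 MAC=0011.2233.4455 IF=Gi1/0/1 New MAC=0011.2233.9999 New I/F=Gi1/0/7",
    "2020-10-28T10:00:09Z sw1 %SISF-4-PAK_DROP: Message dropped IP=fe80::1 VLAN=10 "
    "MAC=0011.2233.9999 IF=Gi1/0/7",
    "2020-10-28T10:01:00Z sw2 %LINK-3-UPDOWN: Interface Gi1/0/3, changed state to down",
    "2020-10-28T10:02:00Z sw1 %SISF-6-ENTRY_CREATED: Entry created IP=2001:db8::20 "
    "VLAN=10 MAC=aaaa.bbbb.cccc IF=Gi1/0/2",
]
HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
KV = re.compile(r"(New I/F|New MAC|IP|VLAN|MAC|IF)=(\S+)")

def parse(line):
    """Map one syslog line onto the fields the search uses; None unless facility is SISF."""
    m = HEADER.match(line)
    if not m or m["facility"] != "SISF":
        return None
    kv = dict(KV.findall(m["msg"]))  # assumed: 'IF' -> src_interface, 'New I/F' -> dest_interface
    return {"_time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "mnemonic": m["mnemonic"],
            "src_interface": kv.get("IF"), "dest_interface": kv.get("New I/F"),
            "src_mac": kv.get("MAC"), "src_vlan": kv.get("VLAN"), "src_ip": kv.get("IP")}

def detect(lines):
    """Mirror the stats clause: one row per (host, src_interface) with first/last time, values and count."""
    rows = {}
    for ev in filter(None, map(parse, lines)):
        if ev["mnemonic"] not in SISF_MNEMONICS:
            continue
        key = (ev["host"], ev["src_interface"])
        row = rows.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"],
                                    "count": 0, **{k: set() for k in MULTI}})
        row["firstTime"], row["lastTime"] = min(row["firstTime"], ev["_time"]), max(row["lastTime"], ev["_time"])
        row["count"] += 1
        for k in MULTI:
            if ev[k] is not None:  # values() in SPL drops null fields rather than adding ""
                row[k].add(ev[k])
    return rows
```

Running `detect(SAMPLE_LOGS)` yields two rows for sw1 (ports Gi1/0/1 and Gi1/0/7); the LINK message and the informational SISF entry are filtered out, as the `facility` and `mnemonic IN (...)` clauses do in the search.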

Associated Analytic Story

How To Implement

This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.

Required field

  • _time
  • facility
  • mnemonic
  • src_int_prefix_long
  • src_int_suffix
  • dest_int_prefix_long
  • dest_int_suffix
  • src_mac
  • src_vlan
  • vendor_explanation
  • action

Kill Chain Phase

  • Reconnaissance
  • Delivery
  • Actions on Objectives

Known False Positives

None currently known


Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1