Try in Splunk Security Cloud


Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Sessions
  • Last Updated: 2017-09-13
  • Author: Bhavin Patel, Splunk
  • ID: 91c676cf-0b23-438d-abee-f6335e1fce77


This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.


Name Technique Type
Detect Unauthorized Assets by MAC address   TTP


source | version: 1