
DET0744 Detection of Transient Cyber Asset

| Item | Value |
| --- | --- |
| ID | DET0744 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0864 (Transient Cyber Asset)

Analytics

ICS

AN1877

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets. Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.
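The analytic above, sketched as an added example (not part of the original detection entry): source MACs from flow metadata and switch link-up logs are normalized and compared against an asset inventory. The inventory, flow records, switch log format and function names are all constructed for illustration, and flagging a known MAC on an unexpected port is an assumption that goes slightly beyond the text.

```python
import re
from collections import defaultdict

# Constructed allowlist: authorized MAC -> switch port it is expected on (hypothetical inventory).
INVENTORY = {"00:1d:9c:aa:10:01": "Gi1/0/1", "00:80:f4:bb:20:02": "Gi1/0/2"}

# Constructed flow metadata: (timestamp, source MAC, source IP, destination IP, destination port).
FLOWS = [
    ("2025-10-21T08:00:01Z", "00-1D-9C-AA-10-01", "10.0.5.11", "10.0.5.20", 502),
    ("2025-10-21T08:14:37Z", "3c52.82cc.3003", "10.0.5.77", "10.0.5.20", 502),
    ("2025-10-21T08:14:40Z", "3C:52:82:CC:30:03", "10.0.5.77", "10.0.5.21", 44818),
]

# Constructed switch log lines in a made-up format (not any vendor's real syslog layout).
SWITCH_LOG = """\
2025-10-21T08:14:30Z sw-cell3 LINK-UP port=Gi1/0/7 mac=3c52.82cc.3003
2025-10-21T08:20:02Z sw-cell3 LINK-UP port=Gi1/0/9 mac=0080.f4bb.2002
"""

LINK_RE = re.compile(r"^(\S+) (\S+) LINK-UP port=(\S+) mac=(\S+)$")

def norm_mac(mac):
    """Canonicalize colon, dash and dotted MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_transient_assets(inventory, flows, switch_log):
    """Return {mac: {"reasons": set, "ips": set, "ports": set}} for unexpected devices."""
    known = {norm_mac(m): port for m, port in inventory.items()}
    hits = defaultdict(lambda: {"reasons": set(), "ips": set(), "ports": set()})
    for _ts, mac, src_ip, _dst, _dport in flows:
        mac = norm_mac(mac)
        if mac not in known:  # traffic from hardware that is not in the inventory
            hits[mac]["reasons"].add("unknown MAC in flow data")
            hits[mac]["ips"].add(src_ip)
    for line in switch_log.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue  # ignore lines that are not link-up events
        port, mac = m.group(3), norm_mac(m.group(4))
        if mac not in known:
            hits[mac]["reasons"].add("unknown MAC at link-up")
        elif known[mac] != port:
            hits[mac]["reasons"].add("known MAC on unexpected port")
        else:
            continue  # authorized device on its expected port
        hits[mac]["ports"].add(port)
    return dict(hits)
```

Normalizing the MAC before comparison matters because flow exporters and switches commonly render the same address in different notations, which would otherwise produce both false alerts and missed correlations.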

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Application Log Content (DC0038) | Application Log | None |

Mutable Elements
Field Description