Impacted MAC Address
The MAC Address that was affected by the activity.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | MAC Address (Impacted) |
| Client Console Short Name | Not applicable |
| Web Console Tab/Name | MAC Address (Impacted) |
| Elasticsearch Field Name | impactedMac |
| Rule Builder Column Name | DMAC |
| Regex Pattern | <dmac> |
| NetMon Name | DestMAC |
Field Relationships
- SIP
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
 
Common Applications
- Firewall
- IDS/IPS
- Vulnerability scanners
 
Use Case
- Differentiating hosts and interfaces.
- Detecting MAC ID cloning.
 
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Can be in any format of MAC address:
  - MM:MM:MM:SS:SS:SS
  - MM-MM-MM-SS-SS-SS
  - MMM.MMM.SSS.SSS
  - MM MM MM SS SS SS
- Impacted is Server (In Client-Server Model)
- Impacted is Target (In Attacker-Target Model)
 
Examples
- FireEye Web MPS
 
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost= USABLDRRECFLOW01dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=THINGS dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4
smac= in this log is the target MAC Address (impacted).
- Brocade Switch
 
03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar  1 02:08:38 ch3p1gw4 dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) src=dp0p160p1/0:50:56:9a:ea:e8/fe80::e9c4:f7f6:e72c:2029(546) dst=/33:33:0:1:0:2/ff02::1:2(547) len=159 hoplimit=1 len=119
dst= carries a possible destination hostname followed by the destination (impacted) MAC Address.
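The following is an added example, not LogRhythm's own parsing rules or code. It extracts the impacted MAC from the two sample logs above and normalises the formats listed under Usage Standards to one form, so that the same address written differently compares equal when differentiating hosts or looking for cloned MACs. The pattern names, the Python `(?P<dmac>...)` spelling of the `<dmac>` tag and the shortened log excerpts are assumptions made for this illustration.

```python
import re

# Per-source extraction patterns (assumptions written for this example).
# Python spells the named group (?P<dmac>...); the page's tag is <dmac>.
PATTERNS = {
    # The page notes that smac= holds the impacted MAC in this FireEye log.
    "fireeye_web_mps": re.compile(r"\bsmac=(?P<dmac>\S+)"),
    # Brocade: dst=<optional hostname>/<MAC>/<IP>(<port>)
    "brocade_switch": re.compile(
        r"\bdst=[^/\s]*/(?P<dmac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})/"
    ),
}

def normalize_mac(raw):
    """Return lower-case MM:MM:MM:SS:SS:SS, or None if raw is not a MAC."""
    parts = [p for p in re.split(r"[:\-. ]", raw.strip()) if p]
    # Six groups of one or two digits: pad short octets (0:50:... -> 00:50:...)
    if len(parts) == 6 and all(len(p) <= 2 for p in parts):
        parts = [p.zfill(2) for p in parts]
    digits = "".join(parts).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def impacted_mac(source, line):
    """Extract and normalise the impacted MAC from one log line."""
    m = PATTERNS[source].search(line)
    return normalize_mac(m.group("dmac")) if m else None

# Shortened excerpts of the two sample logs on this page.
FIREEYE = ("CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|src=1.1.1.1 "
           "smac=00:00:00:00:00:00 dpt=80 dmac=00:00:00:00:00:00")
BROCADE = ("fw rule INTERNAL-IN:10000 block udp(17) "
           "src=dp0p160p1/0:50:56:9a:ea:e8/fe80::e9c4:f7f6:e72c:2029(546) "
           "dst=/33:33:0:1:0:2/ff02::1:2(547) len=159")

if __name__ == "__main__":
    print(impacted_mac("fireeye_web_mps", FIREEYE))
    print(impacted_mac("brocade_switch", BROCADE))
    for raw in ("00-50-56-9A-EA-E8", "005.056.9ae.ae8", "00 50 56 9a ea e8"):
        print(raw, "->", normalize_mac(raw))
```

The Brocade log writes octets without leading zeros (33:33:0:1:0:2), so a parser that assumes two hex digits per octet would miss the field or store a value that never matches the same MAC reported by another device.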