MITRE ATT&CK® Analytic

AN1587: Analytic 1587

Execution of discovery commands like `show cdp neighbors`, `show arp`, and other interface-level introspection on Cisco or Juniper devices.

Domain: Enterprise. Object: AN1587 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting discovery activity on network devices, specifically interface and neighbor introspection commands on Cisco or Juniper equipment. For leaders, the value is not that these commands are always malicious; administrators use them routinely. The risk is that the same activity can help an intruder understand routing, adjacency, interfaces, and reachable systems, which can affect incident scope and operational resilience if network infrastructure is involved.

Executive priority

Prioritize this as a network infrastructure visibility and governance question: can the organization prove who ran discovery commands on critical network devices, when they ran them, and from where? This matters for incident response, privileged access oversight, audit evidence, and business continuity because network devices often underpin site connectivity, segmentation, and recovery operations. Budget and control decisions should focus on logging, administrative access control, and SOC review processes for high-value network infrastructure.

Technical view

SOC and IR teams should validate whether command execution and session activity from Cisco and Juniper network devices are logged centrally and retained. Because ATT&CK does not provide detection logic for this analytic, teams should build local baselines for expected administrative discovery activity and review deviations by account, source, device criticality, time, and change window. Treat this as context-rich detection rather than a simple command match: the same discovery commands may be normal during troubleshooting or change management.

Likely telemetry

  • Network device command accounting or administrative session logs
  • AAA/TACACS+/RADIUS authentication and authorization records where available
  • Syslog from Cisco and Juniper network devices
  • Administrative access source IP, user, timestamp, and target device records
  • Change-management or maintenance-window records for comparison

Detection direction

  • Confirm that Cisco and Juniper device command activity is captured, normalized, time-synchronized, and searchable in the SIEM or managed detection platform.
  • Baseline normal use of interface, neighbor, and ARP discovery commands by network administrators and compare against unusual users, sources, times, or critical devices.
  • Correlate command execution with authentication events and approved change records to reduce false positives from legitimate troubleshooting.
  • Pay attention to blind spots such as local console access, incomplete command accounting, devices not forwarding syslog, short log retention, and shared administrative accounts.
  • Because no ATT&CK relationship context or official detection text is supplied, avoid assuming a specific adversary tactic or campaign; use this analytic as a validation point for network-device monitoring coverage.
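The baseline-and-deviation review described in the list above, written out as an added example (this is not code from the ATT&CK object, MITRE, or Glexia). It parses constructed command-accounting records in a simplified TACACS+-style format, keeps only the neighbor, ARP, and interface introspection commands AN1587 names, and scores each event against a local baseline: named administrator accounts, approved management subnets, critical devices, per-device change windows, and a multi-device sweep heuristic. The log format, hostnames, usernames, subnets, and change windows are all assumptions chosen for illustration; a real deployment would read these from the AAA server export and the CMDB.

```python
"""Baseline-and-deviation review of discovery commands on network devices.

Parses constructed TACACS+-style command accounting records from Cisco and
Juniper devices, matches neighbor/ARP/interface introspection commands, and
annotates each event with deviation reasons against a local baseline.
All names, subnets, devices and windows below are assumed sample values.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery-style commands in Cisco IOS and Junos forms (show cdp/lldp
# neighbors, show arp / show ip arp, interface-level introspection).
DISCOVERY_CMD = re.compile(
    r"^show\s+("
    r"cdp\s+neighbors?|lldp\s+neighbors?|"
    r"(ip\s+)?arp|"
    r"interfaces?(\s+terse|\s+status)?|ip\s+interface\s+brief"
    r")\b", re.IGNORECASE)

# Constructed record layout: "<ISO time> <device> <user> <source-ip> <cmd>".
# Real AAA accounting formats differ; adapt LINE_RE to the actual export.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

# Local baseline (assumed values, not taken from the ATT&CK object).
BASELINE = {
    "named_admins": {"jdoe", "asmith"},
    "mgmt_nets": [ipaddress.ip_network("10.10.0.0/24")],
    "critical_devices": {"core-rtr-01", "dc-fw-edge"},
    # Approved change windows per device as (start, end), naive UTC.
    "change_windows": {
        "core-rtr-01": [(datetime(2026, 1, 8, 2, 0), datetime(2026, 1, 8, 4, 0))],
    },
    # One user touching this many distinct devices with discovery commands
    # inside the sweep window looks like enumeration, not a targeted fix.
    "sweep_devices": 3,
    "sweep_window": timedelta(minutes=10),
}

# Constructed sample accounting lines (not real device output).
SAMPLE_LOG = [
    "2026-01-08T02:15:00 core-rtr-01 jdoe 10.10.0.5 show cdp neighbors",
    "2026-01-08T09:30:00 core-rtr-01 jdoe 10.10.0.5 show ip arp",
    "2026-01-08T14:02:10 access-sw-07 admin 192.168.50.23 show cdp neighbors",
    "2026-01-08T14:03:40 access-sw-08 admin 192.168.50.23 show arp",
    "2026-01-08T14:05:15 dc-fw-edge admin 192.168.50.23 show interfaces terse",
    "2026-01-08T14:06:00 access-sw-07 admin 192.168.50.23 configure terminal",
]


def parse_line(line):
    """Return a dict for one accounting record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, user, src, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "user": user, "src": src, "cmd": cmd.strip()}


def in_change_window(ev, baseline):
    windows = baseline["change_windows"].get(ev["device"], [])
    return any(start <= ev["ts"] <= end for start, end in windows)


def review(lines, baseline=BASELINE):
    """Return discovery-command events, each with a list of deviation reasons.

    An empty reasons list means the event matched the baseline (named admin,
    approved source, inside a change window where the device is critical).
    """
    parsed = (parse_line(ln) for ln in lines)
    events = [e for e in parsed if e and DISCOVERY_CMD.match(e["cmd"])]
    # user -> [(timestamp, device)] of discovery events, for the sweep check.
    touched = defaultdict(list)
    for ev in events:
        touched[ev["user"]].append((ev["ts"], ev["device"]))
    findings = []
    for ev in events:
        reasons = []
        if ev["user"] not in baseline["named_admins"]:
            reasons.append("unknown_or_shared_account")
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in baseline["mgmt_nets"]):
            reasons.append("source_outside_mgmt_network")
        if ev["device"] in baseline["critical_devices"] and not in_change_window(ev, baseline):
            reasons.append("critical_device_outside_change_window")
        recent = {d for t, d in touched[ev["user"]]
                  if abs(t - ev["ts"]) <= baseline["sweep_window"]}
        if len(recent) >= baseline["sweep_devices"]:
            reasons.append("multi_device_sweep")
        findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        flag = ", ".join(f["reasons"]) or "baseline"
        print(f"{f['ts']} {f['device']:<13} {f['user']:<6} {f['src']:<15} {f['cmd']:<22} {flag}")
```

The point of the structure is that a plain command match never produces an alert on its own: the first sample line is the same `show cdp neighbors` as the third, but it comes from a named administrator, an approved management subnet, and an open change window, so it is annotated with no reasons. The sweep heuristic deliberately counts only discovery events, so a single engineer running `show arp` on one switch during troubleshooting is not scored the same as one account walking three devices in ten minutes from an unapproved source.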

Mitigation priorities

  • Centralize and retain administrative logs from network devices, including command accounting where supported.
  • Enforce named administrative accounts and strong privileged access controls for network infrastructure.
  • Limit management access paths to approved administrative networks and monitor those paths.
  • Tie expected discovery activity to change-management and troubleshooting workflows so SOC teams can distinguish routine operations from suspicious activity.
  • Regularly test whether critical network devices are actually producing the telemetry needed for IR reconstruction and compliance evidence.

Analyst notes and limits

This object is a detection analytic for network devices, focused on discovery-style commands on Cisco or Juniper devices. Its practical importance is strongest where network infrastructure is business-critical or subject to privileged access, audit, or segmentation requirements. The most useful local enrichment will come from device inventory, admin account ownership, management-plane access design, and change records.

The supplied ATT&CK object has no tactic, no official detection logic, no relationships, and no claims about adversary use or impact. This take therefore cannot assert active exploitation, attribution, guaranteed detection, or relevance beyond the stated Network Devices platform and Cisco/Juniper examples. Local telemetry and administrative practices determine actual coverage.

Official MITRE ATT&CK definition

Analytic 1587

Execution of discovery commands like `show cdp neighbors`, `show arp`, and other interface-level introspection on Cisco or Juniper devices.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: -
Modified: -
Raw hash: 162b9a84bdb97931...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  162b9a84bdb9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1587 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.