MITRE ATT&CK® Analytic

AN1877: Analytic 1877

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets. Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.

ICS | AN1877 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about noticing when an unknown or unexpected physical device appears on a local network. For industrial environments, that matters because transient or unmanaged hardware can bypass normal asset governance and create uncertainty during an incident: defenders may not know what connected, when it connected, or what addresses it used.

Executive priority

Treat this as an asset visibility and operational resilience control question. Leaders should ask whether network teams and SOC/IR teams can prove when a new device connects to sensitive network segments, especially where industrial operations depend on tightly controlled connectivity. The decision value is strongest for compliance evidence, incident scoping, and reducing blind spots around unmanaged or temporary devices.

Technical view

Validate whether local network traffic metadata and network infrastructure logs can identify new or unexpected connections. The official description specifically calls out source MAC addressing, the resulting IP and MAC addresses of newly connected devices, and switch or networking-device events such as SNMP notifications when a new client connects. Because no ATT&CK platforms, tactics, relationships, or detection logic are supplied, teams should treat this as a detection-data requirement rather than a complete analytic rule: the object tells you what to collect, not how to alert on it.

Likely telemetry

  • Network traffic metadata showing source MAC addresses
  • Network device connection-status logs
  • Switch logs for new client/device connections
  • SNMP notifications from networking devices
  • IP address and MAC address assignment or observation records

Detection direction

  • Confirm that network infrastructure logs record connection-status changes with enough detail to identify the resulting IP and MAC addresses.
  • Compare observed source MAC addresses and new connection events against an approved or expected asset inventory, and treat an inventory match as weak evidence on its own: MAC addresses are trivially spoofed, so corroborate with the switch port, VLAN and DHCP lease data captured alongside the event where available.
  • Tune alerting around sensitive network segments where unexpected hardware has higher operational significance.
  • Account for false positives from legitimate maintenance, replacement equipment, temporary engineering workstations, or network changes.
  • Validate retention and time synchronization so incident responders can determine when a device first appeared and how long it remained connected.
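The reconciliation described in the technical view and the detection direction above, as an added example that is not part of the MITRE object or of Glexia's page: it parses two constructed log shapes (a switch MAC-learn syslog line and a DHCP lease line, both invented for this example rather than taken from any vendor's format), normalises MAC notation, checks each event against a constructed inventory and sensitive-segment list, and records when each MAC first appeared on a segment so responders can answer the "when did it connect" question. The log formats, the VLAN-to-segment mapping, the inventory entries and every address in it are assumptions made for the example.

```python
"""Reconcile network connection events against an expected-asset inventory.

Added example for AN1877; not MITRE's or Glexia's code. The log formats,
inventory, segment names and addresses below are constructed for illustration.
"""
import re

# Constructed inventory: expected hardware keyed by normalised MAC address.
INVENTORY = {
    "00:1b:1c:aa:bb:01": {"name": "plc-line1", "segment": "ot-cell-1", "ips": {"10.20.1.10"}},
    "00:1b:1c:aa:bb:02": {"name": "hmi-line1", "segment": "ot-cell-1", "ips": {"10.20.1.20"}},
    "3c:52:82:10:20:30": {"name": "eng-ws-01", "segment": "it-eng", "ips": {"10.30.0.15"}},
}
SENSITIVE_SEGMENTS = {"ot-cell-1"}          # unknown hardware here is high severity
VLAN_TO_SEGMENT = {"101": "ot-cell-1", "301": "it-eng"}   # constructed mapping

# Two constructed log shapes (assumptions, not a real vendor syntax):
# a switch MAC-learn event and a DHCP server lease acknowledgement.
SWITCH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) MAC-LEARN: vlan=(?P<vlan>\d+) port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9A-Fa-f.:-]+)$")
DHCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]+)"
    r"(?: \((?P<name>[^)]*)\))? via (?P<seg>\S+)$")

# Constructed sample input; the sixth line is noise the parser must ignore.
SAMPLE_LOGS = [
    "2024-05-02T08:00:01Z sw-ot-1 MAC-LEARN: vlan=101 port=Gi1/0/3 mac=001b.1caa.bb01",
    "2024-05-02T08:00:05Z sw-ot-1 MAC-LEARN: vlan=101 port=Gi1/0/7 mac=f4:5c:89:12:34:56",
    "2024-05-02T08:00:06Z dhcp-01 DHCPACK on 10.20.1.77 to f4:5c:89:12:34:56 (laptop-x) via ot-cell-1",
    "2024-05-02T08:01:10Z dhcp-01 DHCPACK on 10.30.0.99 to 3c:52:82:10:20:30 (eng-ws-01) via it-eng",
    "2024-05-02T08:02:00Z sw-eng-1 MAC-LEARN: vlan=301 port=Gi1/0/12 mac=00-1B-1C-AA-BB-02",
    "2024-05-02T08:02:30Z sw-ot-1 %SYS-5-CONFIG_I: Configured from console",
]


def normalise_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_event(line):
    """Normalise one log line into a connection event dict, or None if it is not one."""
    m = SWITCH_RE.match(line)
    if m:
        return {"ts": m["ts"], "mac": normalise_mac(m["mac"]), "ip": None,
                "segment": VLAN_TO_SEGMENT.get(m["vlan"], f"vlan-{m['vlan']}"),
                "where": f"{m['host']}:{m['port']}"}
    m = DHCP_RE.match(line)
    if m:
        return {"ts": m["ts"], "mac": normalise_mac(m["mac"]), "ip": m["ip"],
                "segment": m["seg"], "where": m["host"]}
    return None


def reconcile(lines, inventory=INVENTORY, sensitive=SENSITIVE_SEGMENTS):
    """Return (findings, first_seen).

    findings: list of (severity, reason, event) for events that disagree with
    the inventory. first_seen: (mac, segment) -> timestamp of the first event,
    which is what an incident responder needs to scope when a device appeared.
    A MAC that matches the inventory produces no finding, but that is not proof
    of identity: MACs are spoofable, so the port/VLAN in the event is what to
    pivot on when corroborating.
    """
    findings, first_seen = [], {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        first_seen.setdefault((ev["mac"], ev["segment"]), ev["ts"])
        asset = inventory.get(ev["mac"])
        if asset is None:
            severity = "high" if ev["segment"] in sensitive else "medium"
            findings.append((severity, "unknown MAC", ev))
        elif asset["segment"] != ev["segment"]:
            findings.append(("medium", f"{asset['name']} seen outside {asset['segment']}", ev))
        elif ev["ip"] and ev["ip"] not in asset["ips"]:
            findings.append(("low", f"{asset['name']} with unexpected IP", ev))
    return findings, first_seen


if __name__ == "__main__":
    found, seen = reconcile(SAMPLE_LOGS)
    for severity, reason, ev in found:
        print(f"[{severity}] {reason}: mac={ev['mac']} ip={ev['ip']} "
              f"segment={ev['segment']} at {ev['where']} ({ev['ts']})")
    for (mac, seg), ts in seen.items():
        print(f"first seen {mac} on {seg}: {ts}")
```

Run the file directly to print the findings for the embedded sample lines. The unknown laptop on the OT segment is reported twice, once from the switch event and once from the DHCP lease that adds its IP, and the first-seen table answers when it appeared; a real pipeline would merge those into one enriched alert and carry the retention and clock-synchronisation checks from the list above, since first-seen is only as trustworthy as the timestamps feeding it.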

Mitigation priorities

  • Maintain an accurate inventory of expected hardware and approved MAC/IP associations where operationally feasible.
  • Prioritize monitoring on network segments where unknown devices could affect industrial operations or incident response confidence.
  • Ensure switches and other networking devices are configured to log or notify on new client connections.
  • Establish operational procedures for investigating unknown devices without disrupting production systems.
  • Use collected evidence to support audit, compliance, and incident scoping activities.

Analyst notes and limits

This object is an ICS ATT&CK detection analytic, AN1877, focused on monitoring network traffic and network device logs for unknown or unexpected hardware devices. The most useful defensive action is to verify that the organization can observe and reconcile new physical/network connections against expected asset knowledge.

The supplied ATT&CK object does not provide platforms, tactics, relationships, or an official detection rule. It also does not identify any specific adversary use, active exploitation, or guaranteed detection coverage. Local network architecture, logging configuration, and asset inventory quality determine how actionable this analytic will be.

Official MITRE ATT&CK definition

Analytic 1877

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets. Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6d551616f71c5d05...

Imported snapshots across ATT&CK releases (1)

  Release   Bundle imported   Object version   Modified   Status           Raw hash
  19.1                        1.0                         Current bundle   6d551616f71c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1877 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.