[Osquery_manager] ARP Cache artifact saved query #15903
Open
+102
−42
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tomsonpl
requested review from
joeypoon and
szwarckonrad
and removed request for
a team
💚 Build Succeeded
cc @tomsonpl |
andrewkroh
added
documentation
ferullo
reviewed
Nov 7, 2025
| ], | ||
| "id": "arp_cache_elastic", | ||
| "interval": "3600", | ||
| "query": "-- ARP Cache with Local Interface Information\n-- Provides complete network neighbor context by joining ARP cache with interface details\n-- Source: arp_cache + interface_details + interface_addresses tables\n-- Equivalent to Windows.Network.ArpCache artifact\n\nWITH arp_entries AS (\n SELECT \n a.address AS RemoteAddress,\n a.mac AS RemoteMACAddress,\n a.interface AS InterfaceName,\n CASE \n WHEN a.permanent = '1' THEN 'Persistent'\n ELSE 'Active'\n END AS Store,\n CASE\n WHEN a.address LIKE '%:%' THEN 'ipv6'\n ELSE 'ipv4'\n END AS AddressFamily\n FROM arp_cache a\n),\nlocal_interfaces AS (\n SELECT \n id.interface,\n id.mac AS LocalMAC,\n ia.address AS LocalAddress\n FROM interface_details id\n LEFT JOIN interface_addresses ia ON id.interface = ia.interface\n WHERE id.mac IS NOT NULL\n AND ia.address IS NOT NULL\n)\nSELECT \n ae.RemoteAddress,\n ae.RemoteMACAddress,\n ae.InterfaceName,\n ae.Store,\n ae.AddressFamily,\n li.LocalAddress,\n li.LocalMAC\nFROM arp_entries ae\nLEFT JOIN local_interfaces li ON ae.InterfaceName = li.interface\nORDER BY ae.InterfaceName, ae.RemoteAddress;", "platform": "linux,darwin,windows", |
Contributor
There was a problem hiding this comment.
I think you need to consider the address family when joining in the final table. Without the addition I added in this diff I saw two rows for each RemoteAddress, one with the IPv4 LocalAddress for the interface and one with the IPv6 LocalAddress.
WITH arp_entries AS (
SELECT
a.address AS RemoteAddress,
a.mac AS RemoteMACAddress,
a.interface AS InterfaceName,
CASE
WHEN a.permanent = '1' THEN 'Persistent'
ELSE 'Active'
END AS Store,
CASE
WHEN a.address LIKE '%:%' THEN 'ipv6'
ELSE 'ipv4'
END AS AddressFamily
FROM arp_cache a
),
local_interfaces AS (
SELECT
id.interface,
id.mac AS LocalMAC,
- ia.address AS LocalAddress
+ ia.address AS LocalAddress,
+ CASE
+ WHEN
+ ia.address LIKE '%:%' THEN 'ipv6'
+ ELSE 'ipv4'
END AS AddressFamily
FROM interface_details id
LEFT JOIN interface_addresses ia ON id.interface = ia.interface
WHERE id.mac IS NOT NULL
AND ia.address IS NOT NULL
)
SELECT
ae.RemoteAddress,
ae.RemoteMACAddress,
ae.InterfaceName,
ae.Store,
ae.AddressFamily,
li.LocalAddress,
li.LocalMAC
FROM arp_entries ae
-LEFT JOIN local_interfaces li ON ae.InterfaceName = li.interface
+LEFT JOIN local_interfaces li ON ae.InterfaceName = li.interface AND ae.AddressFamily = li.AddressFamily
ORDER BY ae.InterfaceName, ae.RemoteAddress
ferullo
reviewed
Nov 7, 2025
| } | ||
| }, | ||
| { | ||
| "key": "host.ip", |
Contributor
There was a problem hiding this comment.
I think this and host.mac should be source.* fields. host says
ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken.
I typically think of host as information about the collector, not the actual collected data. I wonder what the ECS team thinks?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ARP Cache Artifact
The ARP (Address Resolution Protocol) Cache artifact provides enriched network neighbor information by combining ARP cache entries with local network interface details. This comprehensive view is essential for investigating network communications, detecting ARP spoofing attacks, and understanding complete source-to-destination network endpoint relationships.
Core Forensic Artifacts Coverage
One query works in all platforms
🪟 ARP Cache with Local Interface Information
Description
Retrieves enriched ARP cache entries with local interface details including local IP addresses and MAC addresses. Combines ARP cache data with network interface configuration to provide complete neighbor relationship context. This enriched view helps investigate network communications, detect ARP spoofing, and understand both source and destination network endpoints. Equivalent to Windows.Network.ArpCache artifact functionality.
Detection Focus:
Result
Returns comprehensive ARP cache entries including:
Platform
allInterval
3600seconds (1 hour)Query ID
arp_cache_elasticECS Field Mappings
destination.ip→RemoteAddressdestination.mac→RemoteMACAddresshost.ip→LocalAddresshost.mac→LocalMACnetwork.name→InterfaceNamenetwork.type→AddressFamilytags→StoreSQL Query