Mac Address
Detects Mac Address patterns.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: structurally constrained pattern with corroborative keyword support reduces false positive rates significantly. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality
- Verified
- Jurisdictions
- global
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- device-id
- Scope
- wide
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\bCorroborative evidence keywords
device, identifier, serial number, hardware, address, age, birthday, citizenship, city, date of birth, DOB, email, ethnicity, fax, first name, full name, gender, given name, last name, maiden name (+41 more)
Proximity: 300 characters
Should match
00:1A:2B:3C:4D:5E— MAC address with colonsAA-BB-CC-DD-EE-FF— MAC address with hyphens01:23:45:67:89:ab— Lowercase MAC address
Should not match
00:1A:2B:3C:4D— Only 5 octets instead of 600:1A:2B:3C:4D:5G— Contains invalid hex character G001A2B3C4D5E— No separators between octetstemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Technical identifiers appearing in public documentation, network configuration guides, or example configurations without representing actual infrastructure. Mitigation: Cross-reference with known documentation patterns and reserved address ranges. Require proximity to infrastructure-specific context.
- Placeholder and example values commonly used in technical tutorials and vendor documentation. Mitigation: Maintain exclusion lists for well-known example values (RFC 5737 documentation addresses, example MAC addresses).