Device owner identified using a MAC address
You want to determine the identity of the end user of a machine based on its MAC address.
Data required
Procedure
- Gather the inputs. For example, you might need to identify the user registered to MAC address A4:C9:45:0F:DB.
- Set the search time range to the average period within which users must register devices. Start small and expand the time range if needed.
- Run the following search. You can optimize it by specifying an index.
This sample search uses Cisco Identity Services Engine (ISE) data. You can replace this source with any other identity and account data used in your organization.
sourcetype=cisco:ise:syslog EndPointMacAddress=A4:C9:45:0F:DB user=* eventtype=cisco-ise-passed-authentication
Search explanation
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=cisco:ise:syslog | Search only Cisco ISE logs. |
| EndPointMacAddress=A4:C9:45:0F:DB | Search only for events where the EndPointMacAddress is A4:C9:45:0F:DB. |
| user=* | Search for events with any user value present. |
| eventtype=cisco-ise-passed-authentication | Search only for successful (passed) authentication events. |
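The same filtering the search performs, applied offline to a handful of constructed ISE-style syslog lines as an added example (not code from the original page or from Splunk or Cisco). The log lines, the user names and the six-octet MAC addresses are constructed; the example also normalizes MAC separators, because ISE logs often write MACs with hyphens while the value you are handed may use colons.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on Cisco ISE syslog; not real captures.
SAMPLE_LOGS = [
    "ise01 CISE_Passed_Authentications 0001 1 0 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, EndPointMacAddress=A4-C9-45-0F-DB-10, NAS-IP-Address=10.0.0.5,",
    "ise01 CISE_Passed_Authentications 0002 1 0 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, EndPointMacAddress=a4:c9:45:0f:db:10, NAS-IP-Address=10.0.0.6,",
    "ise01 CISE_Failed_Attempts 0003 1 0 WARN Failed-Attempt: "
    "Authentication failed, UserName=mallory, EndPointMacAddress=A4-C9-45-0F-DB-10, NAS-IP-Address=10.0.0.5,",
    "ise01 CISE_Passed_Authentications 0004 1 0 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=asmith, EndPointMacAddress=A4-C9-45-0F-DB-11, NAS-IP-Address=10.0.0.5,",
    "ise01 CISE_Passed_Authentications 0005 1 0 NOTICE Passed-Authentication: "
    "Authentication succeeded, EndPointMacAddress=A4-C9-45-0F-DB-10, NAS-IP-Address=10.0.0.7,",
]

KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")
CLASS_RE = re.compile(r"\b(CISE_\w+)\b")


def normalize_mac(mac):
    """Lowercase hex with separators removed, so 'A4-C9-..', 'a4:c9:..' and 'a4c9..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_ise_line(line):
    """Return (message class, dict of key=value fields) for one ISE-style syslog line."""
    m = CLASS_RE.search(line)
    msg_class = m.group(1) if m else None
    fields = {k: v.strip() for k, v in KV_RE.findall(line)}
    return msg_class, fields


def owners_for_mac(lines, mac):
    """Mirror the Splunk search: passed authentications for one MAC where a user is present.

    Returns a Counter of user name -> number of matching events, so a MAC seen under
    more than one account shows up instead of being silently collapsed to one owner.
    """
    target = normalize_mac(mac)
    hits = Counter()
    for line in lines:
        msg_class, f = parse_ise_line(line)
        if msg_class != "CISE_Passed_Authentications":   # eventtype=cisco-ise-passed-authentication
            continue
        if normalize_mac(f.get("EndPointMacAddress", "")) != target:  # EndPointMacAddress=<mac>
            continue
        user = f.get("UserName")
        if not user:                                      # user=*
            continue
        hits[user] += 1
    return hits


if __name__ == "__main__":
    print(owners_for_mac(SAMPLE_LOGS, "A4:C9:45:0F:DB:10"))  # Counter({'jdoe': 2})
```

The failed attempt, the neighbouring MAC and the line without a UserName are all dropped, which is the same set of events the search discards.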
Next steps
This search returns the individual Cisco ISE events associated with the device whose owner you need to identify. The event information shows the user account associated with the device owner.
Finally, you might be interested in other processes associated with the Processing DMCA notices use case.