Splunk Lantern

Device owner identified using a MAC address

 

You want to identify the end user of a machine based on its MAC address.

Data required

Procedure

  1. Gather the inputs. For example, you might need to identify the user registered to MAC address A4:C9:45:0F:DB.
  2. Set the search time range to the typical period within which users must register their devices. Start small and expand the time range if needed.
  3. Run the following search. You can optimize it by specifying an index.

This sample search uses Cisco Identity Services data. You can replace this source with any other identity and account data used in your organization.

sourcetype=cisco:ise:syslog 
EndPointMacAddress=A4:C9:45:0F:DB 
user=* 
eventtype=cisco-ise-passed-authentication 

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=cisco:ise:syslog 

Search only Cisco ISE logs. 

EndPointMacAddress=A4:C9:45:0F:DB 

Search for only events where the EndPointMacAddress is A4:C9:45:0F:DB. 

user=* 

Search for any user.

eventtype=cisco-ise-passed-authentication

Search for only events in which the authentication passed (succeeded).
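The same filter logic, expressed as an added Python example rather than anything from the Lantern page or the Splunk add-on, shows one caveat the search glosses over: Cisco ISE can record the endpoint MAC in several notations (colon, dash, Cisco dotted), so a literal match on one spelling can miss events. The sample log lines are constructed and only approximate the ISE key=value message body; the raw field names UserName and EndPointMACAddress are assumed, and mapping them to Splunk's user and EndPointMacAddress fields is left to the add-on.

```python
import re
from collections import defaultdict

# Constructed, simplified Cisco ISE syslog lines (not real captures).
SAMPLE_LOGS = [
    "Mar 10 12:00:01 ise01 CISE_Passed_Authentications 0001 1 0 Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, EndPointMACAddress=a4:c9:45:0f:db:01, NetworkDeviceName=sw01",
    "Mar 10 12:05:44 ise01 CISE_Failed_Attempts 0002 1 0 Failed-Attempt: "
    "Authentication failed, UserName=mallory, EndPointMACAddress=A4-C9-45-0F-DB-01, NetworkDeviceName=sw01",
    "Mar 11 08:13:09 ise01 CISE_Passed_Authentications 0003 1 0 Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, EndPointMACAddress=A4-C9-45-0F-DB-01, NetworkDeviceName=sw02",
    "Mar 11 09:00:00 ise01 CISE_Passed_Authentications 0004 1 0 Passed-Authentication: "
    "Authentication succeeded, UserName=asmith, EndPointMACAddress=00:11:22:33:44:55, NetworkDeviceName=sw02",
    "Mar 11 09:30:00 ise01 CISE_Passed_Authentications 0005 1 0 Passed-Authentication: "
    "Authentication succeeded, EndPointMACAddress=a4c9.450f.db01, NetworkDeviceName=sw02",
]

KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")   # comma-separated key=value pairs
CAT_RE = re.compile(r"\b(CISE_\w+)\b")             # ISE message category token


def normalize_mac(mac):
    """Canonicalize any MAC notation (aa:bb:.., AA-BB-.., aabb.ccdd.eeff) to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ise_line(line):
    """Return (category, fields) for one ISE syslog line."""
    match = CAT_RE.search(line)
    category = match.group(1) if match else None
    fields = {key: value.strip() for key, value in KV_RE.findall(line)}
    return category, fields


def users_for_mac(lines, mac):
    """Mirror the Lantern search: passed authentications for this MAC that carry a user.
    Returns {user: event_count} so that a MAC seen with several accounts stands out."""
    target = normalize_mac(mac)
    hits = defaultdict(int)
    for line in lines:
        category, fields = parse_ise_line(line)
        if category != "CISE_Passed_Authentications":   # eventtype=cisco-ise-passed-authentication
            continue
        user, raw_mac = fields.get("UserName"), fields.get("EndPointMACAddress")
        if not user or not raw_mac:                      # user=* requires a user field
            continue
        try:
            if normalize_mac(raw_mac) != target:         # EndPointMacAddress=<mac>, any notation
                continue
        except ValueError:                               # skip malformed MAC values
            continue
        hits[user] += 1
    return dict(hits)
```

Run `users_for_mac(SAMPLE_LOGS, "A4:C9:45:0F:DB:01")` to see that the failed attempt and the event without a user are excluded while both notations of the MAC are counted.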

Next steps

This search returns the individual Cisco ISE events associated with the device whose owner you need to identify. The user field in those events shows the account associated with the device owner.

Finally, you might be interested in other processes associated with the Processing DMCA notices use case.