Skip to main content
Splunk Lantern

Device owner identified using a MAC address

You might need to identify the identity of the end user of a machine based on a MAC address when doing the following: 

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

  • Splunk Enterprise or Splunk Cloud Platform
  • User data

Example

You need to identify the user registered to MAC address A4:C9:45:0F:DB.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Cisco Identity Services data. You can replace this source with any other identity and account data used in your organization.

  1. Set the search time range to the average period which users have to register devices. Start small and expand the time range if needed. 
  2. Run the following search: 
sourcetype=cisco:ise:syslog 
EndPointMacAddress=A4:C9:45:0F:DB 
user=* 
eventtype=’cisco-ise-passed-authentication’ 

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=cisco:ise:syslog 

Search only Cisco ISE logs. 

EndPointMacAddress=A4:C9:45:0F:DB 

Search for only events where the EndPointMacAddress is A4:C9:45:0F:DB. 

user=* 

Search for any user.

eventtype=’cisco-ise-passed-authentication’

Search for only authentication events that were successfully captured.

Result

This search returns individual Cisco ISE events that are associated with the device you need to identify the owner of. The event information shows the user account associated with the device owner.  

  • Was this article helpful?