Splunk Lantern

Device owner identified using a MAC address


You want to identify the end user of a machine based on its MAC address.

Data required


  1. Gather the inputs. For example, you might need to identify the user registered to MAC address A4:C9:45:0F:DB.
  2. Set the search time range to the average period that users have to register devices. Start small and expand the time range if needed.
  3. Run the following search. You can optimize it by specifying an index.

This sample search uses Cisco Identity Services data. You can replace this source with any other identity and account data used in your organization.


Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search only Cisco ISE logs. 


Search for only events where the EndPointMacAddress is A4:C9:45:0F:DB. 


Search for any user.


Search for only authentication events that were successfully captured.
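
The four filters described above, applied to exported log lines outside Splunk, as an added example that is not code from the original page. It goes slightly beyond the search by normalizing MAC notation, so colon, hyphen and dotted forms of the same address match. The log lines, the `UserName` field, the message text and the sample MAC address are constructed assumptions; only `EndPointMacAddress` comes from the page.

```python
import re
from collections import defaultdict

# Constructed sample events in a Cisco ISE-like key=value syslog layout.
# EndPointMacAddress is the field named on this page; UserName and the
# "Authentication succeeded/failed" message text are assumptions.
SAMPLE_EVENTS = """\
2024-03-01T08:15:02Z ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, EndPointMacAddress=00-00-5E-00-53-AF, NAS-IP-Address=192.0.2.10
2024-03-01T08:16:40Z ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=guest, EndPointMacAddress=00:00:5E:00:53:AF, NAS-IP-Address=192.0.2.10
2024-03-01T09:02:11Z ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=asmith, EndPointMacAddress=00-00-5E-00-53-01, NAS-IP-Address=192.0.2.11
2024-03-02T07:58:45Z ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, EndPointMacAddress=0000.5e00.53af, NAS-IP-Address=192.0.2.10
2024-03-02T08:01:00Z ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, EndPointMacAddress=00:00:5E:00:53:AF, NAS-IP-Address=192.0.2.10
"""

FIELD_RE = re.compile(r"([\w-]+)=([^,\s]+)")  # key=value pairs, comma separated


def normalize_mac(value):
    """Reduce colon, hyphen or dotted MAC notation to bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def find_device_users(log_text, mac):
    """Return {user: (first_seen, last_seen, count)} for successful
    authentications from the device with the given MAC address."""
    wanted = normalize_mac(mac)
    if not wanted:
        raise ValueError("MAC address contains no hex digits")
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if normalize_mac(fields.get("EndPointMacAddress", "")) != wanted:
            continue  # event belongs to a different device
        user = fields.get("UserName")
        if not user:
            continue  # "any user": skip events that record no user
        if "Authentication succeeded" not in line:
            continue  # keep successful authentications only
        seen[user].append(line.split()[0])  # ISO timestamps sort as text
    return {u: (min(t), max(t), len(t)) for u, t in seen.items()}


if __name__ == "__main__":
    for user, (first, last, n) in find_device_users(SAMPLE_EVENTS, "00:00:5e:00:53:af").items():
        print(f"{user}: {n} successful authentications, {first} to {last}")
```

The failed `guest` attempt and the event with no user name are both excluded, which is why the success and user filters matter when attributing a device to an owner.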

Next steps

This search returns the individual Cisco ISE events associated with the device whose owner you need to identify. The event information shows the user account associated with the device owner.

Finally, you might be interested in other processes associated with the Processing DMCA notices use case.