
Automatic User MAC Address Tracking

The Log Correlation Engine can be used to track DHCP leases and Active Directory authentication logs to automatically learn each user's Ethernet address and then alert when this relationship changes. Tenable has released a TASL script named user_to_mac.tasl which can perform this function with a variety of DHCP sources and Active Directory "successful login" events. This script is useful for several reasons:

  • It continuously updates a text file named user_mac.txt with a list of all users, their last IP address and their MAC address.
  • If a user account logs in from a different laptop, an alert will be logged.
  • New user-to-MAC address detection events are also picked up by the detect_change.tasl script.

Below are some screenshots of what these alerts look like under the Security Center.

[Screenshots: Summary of Events; Raw Syslog Capture]

To make use of this new script, download it to your plugins directory and also update your lce_tasl.prm file to parse the new event names.
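
The correlation described above can be sketched in a few lines of Python. This is an added example, not the user_to_mac.tasl script or any Tenable code; the log line format, the `correlate` function and the alert names `new_user_mac` and `user_mac_changed` are assumptions made for illustration.

```python
import re

# Constructed sample events in a simplified, hypothetical format
# (not real LCE, DHCP server or Active Directory output).
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01 dhcp lease ip=10.0.0.21 mac=00:11:22:33:44:55",
    "2024-05-01T08:00:09 ad login_success user=alice ip=10.0.0.21",
    "2024-05-01T08:05:00 dhcp lease ip=10.0.0.34 mac=66:77:88:99:AA:BB",
    "2024-05-01T08:05:12 ad login_success user=bob ip=10.0.0.34",
    "2024-05-02T09:10:00 dhcp lease ip=10.0.0.40 mac=de:ad:be:ef:00:01",
    "2024-05-02T09:10:30 ad login_success user=alice ip=10.0.0.40",
    "2024-05-02T09:15:00 ad login_success user=carol ip=10.0.0.99",
]

DHCP_RE = re.compile(r"dhcp lease ip=(\S+) mac=(\S+)")
AUTH_RE = re.compile(r"ad login_success user=(\S+) ip=(\S+)")


def correlate(events):
    """Replay events in order; return (user_table, alerts)."""
    ip_to_mac = {}   # most recent DHCP lease seen for each IP
    user_table = {}  # user -> (last IP, MAC), one row per user
    alerts = []
    for line in events:
        m = DHCP_RE.search(line)
        if m:
            ip, mac = m.groups()
            ip_to_mac[ip] = mac.lower()  # a newer lease replaces the old one
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1).lower(), m.group(2)
        mac = ip_to_mac.get(ip)
        if mac is None:
            continue  # no lease known for this IP, so no MAC to attribute
        previous = user_table.get(user)
        if previous is None:
            alerts.append(("new_user_mac", user, mac))
        elif previous[1] != mac:
            alerts.append(("user_mac_changed", user, previous[1], mac))
        user_table[user] = (ip, mac)
    return user_table, alerts


if __name__ == "__main__":
    table, alerts = correlate(SAMPLE_EVENTS)
    for user, (ip, mac) in sorted(table.items()):
        print(user, ip, mac)
    for alert in alerts:
        print("ALERT", *alert)
```

A login from an address with no observed lease (carol in the sample) is skipped rather than guessed, so statically addressed hosts never get a row in the table.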