The Log Correlation Engine can be used to track DHCP leases and Active Directory authentication logs to automatically learn each user's Ethernet address and then alert when this relationship changes. Tenable has released a TASL script named user_to_mac.tasl which can perform this function with a variety of DHCP sources and Active Directory "successful login" events. This script is useful for several reasons:
- It continuously updates a text file named user_mac.txt with a list of all users, their last IP address and their MAC address.
- If a user account logs in from a different laptop, an alert will be logged.
- New user-to-MAC-address events are also picked up by the detect_change.tasl script.
Below are some screenshots of what these alerts look like under the Security Center.
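The correlation the script performs, as an added Python illustration that is not Tenable's user_to_mac.tasl and does not use TASL: DHCP acknowledgements give the IP-to-MAC binding, Active Directory successful logins give the user-to-IP binding, and joining the two yields the user-to-MAC relationship that is stored and alerted on when it changes. The log line formats and the sample lines are constructed for this example.

```python
import re

# Constructed log formats (assumed, not LCE's real normalization)
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})")
AD_RE = re.compile(r"user=(\S+) logon successful from (\S+)")

# Constructed sample events: alice leases two different machines in turn,
# bob logs in from an IP with no lease on record.
SAMPLE_LINES = [
    "DHCPACK on 10.1.1.20 to aa:bb:cc:dd:ee:01",
    "user=alice logon successful from 10.1.1.20",
    "DHCPACK on 10.1.1.21 to aa:bb:cc:dd:ee:02",
    "user=alice logon successful from 10.1.1.21",
    "user=bob logon successful from 10.1.1.99",
]


def correlate(lines):
    """Return ({user: (last_ip, mac)}, [alerts]) from DHCP and AD events."""
    ip_to_mac = {}    # most recent lease seen for each IP
    user_to_mac = {}  # learned user -> (last IP, MAC)
    alerts = []       # (kind, user, ip, mac)
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            # A newer lease for the same IP replaces the old binding.
            ip_to_mac[m.group(1)] = m.group(2).lower()
            continue
        m = AD_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        mac = ip_to_mac.get(ip)
        if mac is None:
            # Login from an IP with no lease: cannot learn a MAC, worth a look.
            alerts.append(("no-lease", user, ip, None))
            continue
        prev = user_to_mac.get(user)
        if prev is None:
            alerts.append(("new-user-mac", user, ip, mac))
        elif prev[1] != mac:
            # Same account, different hardware address.
            alerts.append(("user-mac-changed", user, ip, mac))
        user_to_mac[user] = (ip, mac)
    return user_to_mac, alerts


def render_user_mac(user_to_mac):
    """One line per user (user, last IP, MAC), the shape of user_mac.txt."""
    return "\n".join(f"{u} {ip} {mac}" for u, (ip, mac) in sorted(user_to_mac.items()))
```

A lease for an IP is replaced by the next DHCPACK for that IP, so a login that arrives after the address has been handed to another machine is attributed to the new MAC; in practice that is the change event you want to see rather than suppress.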
[Screenshots: "Summary of Events" and "Raw Syslog Capture"]
To make use of this new script, download it to your plugins directory and also update your lce_tasl.prm file to parse the new event names.