We provide extensions for the major open source threat intelligence platforms. If you use any of them, you can easily integrate our service.
- MISP module for MAC Vendor Lookup API
- YETI module for MAC Vendor Lookup API
- Splunk module for MAC Vendor Lookup API
MISP module for MAC Vendor Lookup API
MAC address Vendor Lookup API is available as an extension for MISP – Open Source Threat Intelligence Platform. It performs an instant MAC vendor lookup for MAC address attributes. To get vendor details and other information provided by the API, you only need to hover over the MAC address attribute value.
- Download the extension: https://github.com/MISP/misp-modules
Prerequisites
- You need a MISP instance up and running. To install and configure it, please refer to the official documentation.
- Ensure that your misp-modules are up-to-date.
Configuring the extension
- Log in to your MISP instance
- Go to Main menu > Administration > Server Settings & Maintenance
- Click on the Plugin settings tab and select the Enrichment option
- Enable the module by setting the Plugin.Enrichment_macaddress_io_enabled option to true
- Provide your API key by setting the Plugin.Enrichment_macaddress_io_api_key value
Using the extension
- Go to Event Actions > Add Event and create an event
- Add a mac-address attribute to the event, and set Value to a sample MAC address
- Move your mouse over the new attribute, and the MAC lookup details will pop up
YETI module for MAC Vendor Lookup API
MAC address Vendor Lookup API is available as an extension for YETI – Your Everyday Threat Intelligence. It performs an instant MAC vendor lookup for MAC address observables. To get vendor details and other information provided by the API, you only need to run an investigation for the MAC address attribute value.
- Download the extension: https://github.com/yeti-platform/yeti
Prerequisites
- You need a YETI instance up and running. To install and configure it, please refer to the official documentation.
Configuring the extension
- Log in to your YETI instance.
- Go to Profile.
- Provide your API key by setting the macaddress.io API KEY value and click Save.
Using the extension
- Create a new investigation. Go to New > Investigation.
- Then click Go to Graph.
- Click the + button to add a new observable.
- Click the icon of the MAC address observable added.
- Go to Actions > Analytics.
- Click Run to start the Mac Address Vendor Lookup analytics.
- Click See Results to see the results.
- In order to see the API’s raw response, click Display raw results.
- Now, you can refresh the page and go to Info to see the contexts added.
- The contexts are also available within the Observables view. Just go to the Main page, fill in the MAC address and press Launch.
Finally, choose the observable found.
Splunk module for MAC Vendor Lookup API
MAC address Vendor Lookup API is available as an extension for Splunk. It performs an instant MAC vendor lookup and provides an external lookup for enriching MAC addresses with extra details, as well as dashboards that help to visualize MAC address details.
- Download the extension: https://splunkbase.splunk.com/app/4308
Prerequisites
- You need a Splunk instance up and running. To install and configure it, please refer to the official documentation.
Configuring the extension
- Log in to your Splunk instance.
- Download and install the application. You can do it from within Splunk.
- You can start the configuration immediately once the application is installed and running.
Also, you can configure the application on the Apps page. Click Set up near the application name.
- Fill in your API key and click Save.
Using the extension
- Add data to Splunk. In this tutorial, we use a CSV file containing MAC addresses, but you're free to use any other approach described in the official Splunk documentation. Go to Settings > Add data.
- Click Upload files from my computer.
- Select your file and press Next.
- Set the timestamp extraction (the name of the corresponding Splunk option on the view) to Current and fill in the CSV column names. Then click Next. In the modal that appears, choose whether or not you’d like to save the source type changes.
- On the Input Settings page, choose the index to which you’d like to save your data. It’s possible to use our pre-built "mac_addresses" index or another one. Then click Review.
- After reviewing, click Start searching or just go to Apps > Search & Reporting. You can add a lookup clause following your search query. Then choose the time period and click the Search icon.
- Once the results have appeared, you can expand each event to see enriched properties. To perform more comprehensive searches, take a look at the corresponding official documentation.
Advanced usage
MAC address vendor lookup for Splunk provides some pre-built dashboards you can use.
- First, let’s build a visualization based on the MAC addresses found. Go to Apps > MAC Address Vendor Lookup > Dashboard.
- Fill in the index name "mac_addresses" and the field containing the MAC addresses in the source data.
- Then choose the fields which are supposed to be visible in the drilldown.
- Submit the form and wait for the result. It may take a while depending on the size of your dataset. Optionally, you can export a PDF report.
- You can also use the instant MAC vendor lookup from within the application. Go to Apps > MAC Address Vendor Lookup > MAC Address Vendor Lookup. Fill in one or more comma-separated MAC addresses. Select the visible fields and submit the form.