MAC address lookups¶

TeskaLabs LogMan.io offers an optimized set of lookups for working with MAC addresses, called MAC Lookups.

There are always three steps to enable MAC Lookups:

Create a lookup declaration in the LogMan.io Library (the lookup description)
Create the lookup and its content in the Lookups section in the UI (the lookup content)
Add the lookup to the relevant parsing and/or correlation rules in the Library (the lookup application)

MAC address to vendor lookup¶

MAC Vendor lookup is when, based on MAC address range such as 0c:12:30:00:00:01 to 0c:12:30:00:00:ff, you want to obtain the vendor information of the manufacturer of the device the MAC address is assigned to.

Built-in MAC address to vendor lookup

When the MAC address from the event does not match any of the provided macvendor lookups, the default public MAC Vendor lookup provided by TeskaLabs LogMan.io will be used.

In LogMan.io, go to the Library.
In the Library, go to the folder /Lookups.
Create a new lookup declaration for your lookup, like "macvendorlookup.yaml" with a YAML extension
Add the following declaration:
```
define:
  type: lookup/macaddressrange
  name: macvendorlookup
  group: macvendor

keys:
  - name: range1
    type: mac
  - name: range2
    type: mac

fields:
  manufacturer:
    type: str
```
Make sure the type is always lookup/macaddressrange.

Change the name in the define section to your lookup name.

The group is used then in the enrichment process to locate all lookups that share the same group. The value is a unique identifier of the group (use case), here: macvendor

Keep the keys as they are in order to specify ranges.

To fields, add names and types of the lookup attributes.
```
fields:
  manufacturer:
    type: str
```
The value attribute will be used as default.

Currently, these types are supported: str, fp64, si32, geopoint, ip and mac
Save
In LogMan.io, go to Lookups.
Create a new lookup with the same name as above, i.e. "macvendorlookup". Specify two keys with the names: range1, range2.
Create records in the lookup with the ranges as keys and fields as specified above (in the example, there is only manufacturer in the value dictionary stored in the lookup).
Add the following enricher to the LogMan.io Parsec rule that should utilize the lookup:
```
define:
  type: enricher/mac
  group: macvendor

  schema:
    /Schemas/ECS.yaml:
      postfix: device.
```
Specify the group of the lookups to be used in the group attribute. It should be the same as the group mentioned above in the lookup declaration. Tenants are resolved automatically.

The enrichment is done on every field that has the type mac in the schema.

Postfix specifies the postfix for the attribute:

If input is source.mac

Then output is source.observer.<NAME_OF_THE_ATTRIBUTE>

When it comes to default public MAC Vendor lookup (see above), the following items are filled by default:
```
  manufacturer:
    type: str
```

MAC address range lookup¶

The MAC address range lookup uses the MAC address ranges, such as 0c:12:30:00:00:01 to 0c:12:30:00:00:ff, as keys.

The declaration of an MAC address range lookup must contain type lookup/macaddressrange in the define section and two keys with type mac in the keys section:

define:
  type: lookup/macaddressrange
  name: mylookup
  group: mygroup

keys:
  - name: range1
    type: mac
  - name: range2
    type: mac

fields:
  ...