MAC Vendor Enricher

The MAC Vendor enricher adds vendor attributes to an event based on the MAC address values found in the specified event attributes. Only the first 6 characters of the MAC address are considered when detecting the vendor.



define:
  name: MACVendor
  type: enricher/macvendor
  lookup: lmio_mac_vendor  # optional

attributes:
  MAC1: detectedVendor1
  MAC2: detectedVendor2


Feb 5 10:50:01 0:0:0:0:0:ffff:1f1f:e001 %ASA-1-105043 5885E9001183


    'rt': 1580899801.0,
    'MAC1': '5885E9001183',
    'detectedVendor1': 'Realme Chongqing Mobile Telecommunications Corp Ltd',

Section define

This section defines the name and the type of the enricher, which in the case of MAC Vendor is always enricher/macvendor.

Item name

A short, human-readable name for this declaration.

Item type

The type of this declaration; must be enricher/macvendor.

Section attributes

Specify a dictionary whose keys are the event attributes that hold MAC addresses to search the lookup for, such as MAC1. The value for each key is the name of the event attribute in which the detected vendor will be stored. For example:

  MAC1: detectedVendor1

will search the MAC Vendor lookup for the MAC address stored in event["MAC1"] and, if the lookup succeeds, store the vendor in event["detectedVendor1"].
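The lookup behaviour described above, sketched in Python as an added example (not the enricher's own implementation). The names `oui_prefix`, `enrich`, `OUI_LOOKUP` and `ATTRIBUTES` are hypothetical, the second lookup entry is constructed, and stripping `:`, `-` and `.` separators before taking the first 6 characters is an assumption about input handling that the page does not state.

```python
import re

# Constructed stand-in for the OUI-based lookup; the first entry is the
# vendor shown in the example event above, the second is made up.
OUI_LOOKUP = {
    "5885E9": "Realme Chongqing Mobile Telecommunications Corp Ltd",
    "0A1B2C": "Example Vendor (constructed)",
}

# Attribute mapping in the same shape as the declaration's attributes section.
ATTRIBUTES = {"MAC1": "detectedVendor1", "MAC2": "detectedVendor2"}

_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9A-F]{12}")


def oui_prefix(mac):
    """Return the first 6 hex characters of a MAC address, or None if malformed."""
    if not isinstance(mac, str):
        return None
    # Assumption: accept colon, dash and dotted notations by removing separators.
    normalized = _SEPARATORS.sub("", mac.strip()).upper()
    if _HEX12.fullmatch(normalized) is None:
        return None
    return normalized[:6]


def enrich(event, attributes=ATTRIBUTES, lookup=OUI_LOOKUP):
    """Store the vendor for each configured MAC attribute; leave misses untouched."""
    for mac_attr, vendor_attr in attributes.items():
        prefix = oui_prefix(event.get(mac_attr))
        vendor = lookup.get(prefix) if prefix else None
        if vendor is not None:
            event[vendor_attr] = vendor
    return event


if __name__ == "__main__":
    # Constructed event: MAC1 from the example above, MAC2 in colon notation
    # with a prefix that is absent from the lookup.
    sample = {"rt": 1580899801.0, "MAC1": "5885E9001183", "MAC2": "de:ad:be:ef:00:01"}
    print(enrich(sample))
```

A MAC attribute that is missing, malformed, or not present in the lookup leaves the event without the corresponding vendor attribute, so downstream rules should treat an absent vendor as "unknown" rather than as an error.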

Lookup files

MAC Vendor enricher lookup files are based on OUI standard:

The files are stored in the default path directory (/lookups/macvendor), which can be overridden in configuration:


Here, lmio_mac_vendor is the lookup ID provided in the enricher definition; if none is provided, it defaults to lmio_mac_vendor.