Hello,
is there some workaround or hidden functionality to track rogue devices on my network? It should basically be a list of devices without Endpoint installed.
Thanks!
Hi Jakub,
Thanks for reaching out.
If all of the devices on your network are domain joined, the Device and Group Discovery feature with AdSync may help to identify the devices that are unprotected.
- Device group discovery FAQ
Another way you could go about this is to export the full list of devices present in Sophos Central, to compare with the actively connected devices shown on your network firewall.
Otherwise, requiring captive portal authentication prior to connecting to your network can also help you to build a list of unknown devices that may be on your network.
Further information on the authentication methods that can be used to create a list of Live users is outlined in the following link.
- Live users
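The export-and-compare approach above is easy to script. The following is an added example (not Sophos code and not from this thread) that diffs a Sophos Central device export against the host list seen by the firewall. Both inputs are constructed samples: the Central CSV column names ("Name", "IP Addresses") are an assumption and must be adjusted to whatever the real export contains, and the firewall side is assumed to be a simple "ip mac hostname" dump (DHCP leases or ARP table). It matches on hostname first and treats an IP-only match as weaker evidence, because a DHCP lease that has moved to another device would otherwise make an unmanaged host look covered.

```python
"""
Find hosts seen by the firewall that have no matching device in a Sophos
Central export. Example code; column names and firewall dump format are
assumptions for this illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a Sophos Central device export (assumed columns).
CENTRAL_EXPORT = """Name,IP Addresses,OS,Last Active
WS-ALICE.corp.example,10.0.1.20,Windows 11,2024-01-10
srv-files,"10.0.1.5, 10.0.2.5",Windows Server 2019,2024-01-10
WS-BOB,10.0.1.99,Windows 10,2023-11-02
WS-CAROL,10.0.1.77,Windows 11,2024-01-09
"""

# Constructed sample of the firewall's view: "ip mac hostname" per line,
# hostname '-' when the firewall does not know it.
FIREWALL_HOSTS = """10.0.1.20 aa:bb:cc:00:00:01 ws-alice
10.0.1.5  aa:bb:cc:00:00:02 srv-files
10.0.1.77 aa:bb:cc:00:00:03 -
10.0.1.99 aa:bb:cc:00:00:04 rpi-lab
10.0.3.9  AA-BB-CC-00-00-05 printer-3f
"""


@dataclass
class Host:
    ip: str
    mac: str
    name: Optional[str]


def normalize_name(name: str) -> Optional[str]:
    """Lower-case and drop the DNS suffix so 'WS-ALICE.corp.example' == 'ws-alice'."""
    name = name.strip().lower()
    if not name or name == "-":
        return None
    return name.split(".")[0]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC (firewalls differ in style)."""
    return mac.strip().lower().replace("-", ":")


def parse_central_export(text: str) -> Tuple[Set[str], Set[str]]:
    """Return the set of hostnames and the set of IPs Central knows about."""
    names: Set[str] = set()
    ips: Set[str] = set()
    for row in csv.DictReader(io.StringIO(text)):
        n = normalize_name(row["Name"])
        if n:
            names.add(n)
        # A device may list several addresses in one cell, comma-separated.
        for ip in row["IP Addresses"].split(","):
            ip = ip.strip()
            if ip:
                ips.add(ip)
    return names, ips


def parse_firewall_hosts(text: str) -> List[Host]:
    hosts: List[Host] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name = normalize_name(parts[2]) if len(parts) > 2 else None
        hosts.append(Host(parts[0], normalize_mac(parts[1]), name))
    return hosts


def classify(host: Host, names: Set[str], ips: Set[str]) -> str:
    """managed: hostname known to Central; probable: only the IP matches;
    unmanaged: nothing matches, or the name on a known IP differs (moved lease)."""
    if host.name is not None:
        return "managed" if host.name in names else "unmanaged"
    if host.ip in ips:
        return "probable"
    return "unmanaged"


def find_unmanaged(central_csv: str, firewall_text: str) -> Dict[str, List[Host]]:
    names, ips = parse_central_export(central_csv)
    result: Dict[str, List[Host]] = {"managed": [], "probable": [], "unmanaged": []}
    for h in parse_firewall_hosts(firewall_text):
        result[classify(h, names, ips)].append(h)
    return result


if __name__ == "__main__":
    report = find_unmanaged(CENTRAL_EXPORT, FIREWALL_HOSTS)
    for status in ("unmanaged", "probable"):
        for h in report[status]:
            print(f"{status:10} {h.ip:15} {h.mac}  {h.name or '?'}")
```

In the sample, 10.0.1.99 is listed in Central for WS-BOB but the firewall now sees "rpi-lab" there, so it is reported as unmanaged rather than cleared by the stale IP; 10.0.1.77 has no hostname on the firewall side and is only a "probable" match worth checking by hand. Run it against the real export and a fresh lease or ARP dump, and re-run periodically, since the firewall only sees hosts that have been active recently.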
Thanks for your reply, Kushal. I know about the "unprotected" feature via ADsync and I'm already implementing that. But I'm more curious about devices connecting across our whole company network that are outside of AD.
I'm looking for a feature that is more like this solution, which was working great. Is there any plan to implement such a feature?
Product Documentation | McAfee Enterprise
Thank you
There are two things that would be of concern: Rogue Access Points (our Wireless feature has detections for this), and compromised/malicious nodes. Traditionally, detection of those is handled by IDS or IPS. The SFOS has both these capabilities.
Now, our endpoint also has IPS - this feature protects the endpoint from malicious incoming traffic. It's not built specifically to show reports of these nodes, but you can use the alerts it generates to find them. In the alert you will see the external IP address that triggered the IPS detection, and from there you can track it down.
If you are an XDR customer, you can also use the data lake to run reports on these types of things.
Does that answer your questions?