This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

rogue detection

Hello,

is there some workaround or hidden functionality to track rogue devices on my network? It should be basicly list of devices without Endpoint installed.

Thanks!



This thread was automatically locked due to age.
Parents
  • Hi Jakub,

    Thanks for reaching out.

    If all of the devices on your network are domain joined, the Device and Group Discovery feature with AdSync may help to identify the devices that are unprotected. 
    - Device group discovery FAQ

    Another way you could go about this is to export the full list of devices present in Sophos Central, to compare with the actively connected devices shown on your network firewall.
    Otherwise, requiring captive portal authentication prior to connecting to your network can also help you to build a list of unknown devices that may be on your network.

    Further information on the authentication methods that can be used to create a list of Live users is outlined in the following link. 
    - Live users

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for your reply Kushal. I know about "unprotected" feature via ADsync and im already implementing that. But i'm more curious about devices connecting across our whole company network and are outside of AD.

    Looking for feature that is more like this solution, which was working great. Is there any plan to implement such a feature?

    Product Documentation | McAfee Enterprise

    Thank you

  • FormerMember
    +1 FormerMember in reply to Jakub Kavka

    There are two things that would be of concern: Rogue Access Points (our Wireless feature has detections for this), and compromised/malicious nodes. Traditionally, detection of those is handled by IDS or IPS. The SFOS has both these capabilities. 
    Now, our endpoint also has IPS - this feature protects the endpoint from malicious incoming traffic. Its not built specifically to show reports of these nodes but you can use the alerts it generates to find them. In the alert you will see the external IP address that triggered the IPS detection and from there you can track it down. 

    If you are an XDR customer, you can also use the data lake to run reports on these types of things.

    Does that answer your questions? 

Reply
  • FormerMember
    +1 FormerMember in reply to Jakub Kavka

    There are two things that would be of concern: Rogue Access Points (our Wireless feature has detections for this), and compromised/malicious nodes. Traditionally, detection of those is handled by IDS or IPS. The SFOS has both these capabilities. 
    Now, our endpoint also has IPS - this feature protects the endpoint from malicious incoming traffic. Its not built specifically to show reports of these nodes but you can use the alerts it generates to find them. In the alert you will see the external IP address that triggered the IPS detection and from there you can track it down. 

    If you are an XDR customer, you can also use the data lake to run reports on these types of things.

    Does that answer your questions? 

Children
No Data