Use the Unknown Device Report to find rogue devices on your network based on saved map results. Before you run this report configure what's called the "approved hosts list" for the domain that you will report on. The list identifies hosts that you know and expect to find.
Using the steps below we'll walk you through configuring an approved hosts list and running a report to find rogue devices. You may run this report on any domain in your account. We'll be using the "none" domain, which is a special domain that is not associated with a registered DNS domain name.
Step 1: Approve hosts for your domain
There are two ways to approve hosts: from a saved map or by editing the domain settings.
To approve hosts from a saved map:
You can approve hosts directly from a saved map. Under VM, go to Scans > Maps, find a map on the domain you want to report on and select View from the Quick Actions menu.
In the map results, select the check box next to each host you want to approve, then select Approve Hosts from the Actions menu at the top of the results and click Apply. (Note that any host with an "A" flag is already approved for the domain.)
To approve hosts by editing the domain:
Under VM, go to Assets > Domains. Identify the domain you're interested in and click the Edit icon.
When the Edit Domain page appears, click Configure next to Approved Hosts.
The Configure Approved Hosts window is where you identify which hosts are approved for the domain. Use these methods for adding hosts to the approved hosts list:
1) Move hosts from the Available Hosts list to the Approved Hosts list using the Add button. Available hosts include IP addresses in the domain's netblock, if a netblock has been defined.
2) Manually enter IPs (copy/paste), add IPs from asset groups in your account or add IPs from a saved map.
Step 2: Run the Unknown Device Report
Under VM, go to Reports > Templates. Find the Unknown Device Report in the list and select Run from the Quick Actions menu. (Tip: Use the filter to only show map templates.)
The New Map Report page is where you provide report details (title and format) and select the domain you want to report on (or choose "No domain" if you're reporting on the none domain in your account). Then choose one or two saved maps that you want to compare to the approved hosts list. Click Run.
What's in the report?
The default settings in the Unknown Device Report template create reports that only list rogue hosts, which are hosts that were not added to the approved hosts list.
Example: Rogue hosts are found
All hosts listed in the Results section are rogue. This means they were detected in the map but they were not approved for the domain. (You'll notice that none of the hosts in the Results section have the "A" flag.)
Example: No data matching your filters
You'll notice the message "no data found" when no hosts match the filters set in the Unknown Device Report template. For example, if only the Rogue host type filter is selected in the template (the default) and you see "No data found" then there are no rogue hosts for the domain. In other words, all hosts detected by the map were approved.
Example: Approved hosts included
Many customers would like to see approved hosts in the report in addition to the rogue hosts. You can do this by editing filters in the report template. When included, you can tell which hosts are approved by looking at the Approved (A) column. If an "A" appears in this column, then the host is approved. If this column is blank, then the host is rogue.
Example: Compare two saved maps
When creating the report, you have the option to select two saved maps. The service compares these maps to identify systems that have been added or removed from your network. "Active" indicates the host was detected in both maps. "Removed" indicates the host was detected in Map 1 (the older map), but was not detected in Map 2 (the more recent map). "Added" indicates the host was not detected in Map 1 but was detected in Map 2.