How to find rogue devices on your network

Document created by Qualys Documentation Employee on Oct 18, 2012. Last modified by Qualys Documentation Employee on Nov 30, 2012.
Version 11

Use the Unknown Device Report to find rogue devices on your network based on saved map results. Before you run this report, configure the "approved hosts list" for the domain that you will report on. The list identifies hosts that you know and expect to find; anything the map detects that is not on the list is reported as rogue.

Using the steps below, we'll walk you through configuring an approved hosts list and running a report to find rogue devices. You may run this report on any domain in your account. We'll be using the "none" domain, which is a special domain that is not associated with a registered DNS domain name.

Step 1: Approve hosts for your domain

There are two ways to approve hosts: from a saved map or by editing the domain settings.

To approve hosts from a saved map:

You can approve hosts directly from a saved map. Under VM, go to Scans > Maps, find a map on the domain you want to report on and select View from the Quick Actions menu.

maps_view.jpg

In the map results, select the check box next to each host you want to approve, then select Approve Hosts from the Actions menu at the top of the results and click Apply. (Note that any host with an "A" flag is already approved for the domain.)

map_results_approve_hosts.jpg

To approve hosts by editing the domain:

Under VM, go to Assets > Domains. Identify the domain you're interested in and click the Edit icon.

domains_edit.jpg

When the Edit Domain page appears, click Configure next to Approved Hosts.

edit_domain_configure.jpg

The Configure Approved Hosts window is where you identify which hosts are approved for the domain. Use these methods for adding hosts to the approved hosts list:

1) Move hosts from the Available Hosts list to the Approved Hosts list using the Add button. Available hosts include IP addresses in the domain's netblock, if a netblock has been defined.

2) Manually enter IPs (copy/paste), add IPs from asset groups in your account or add IPs from a saved map.

configure_approved_hosts.jpg

Step 2: Run the Unknown Device Report

Under VM, go to Reports > Templates. Find the Unknown Device Report in the list and select Run from the Quick Actions menu. (Tip: Use the filter to only show map templates.)

templates_run.jpg

The New Map Report page is where you provide report details (title and format) and select the domain you want to report on (or choose "No domain" if you're reporting on the none domain in your account). Then choose one or two saved maps that you want to compare to the approved hosts list. Click Run.

new_map_report.jpg

What's in the report?

The default settings in the Unknown Device Report template create reports that only list rogue hosts, which are hosts that were not added to the approved hosts list.

Example: Rogue hosts are found

All hosts listed in the Results section are rogue. This means they were detected in the map but they were not approved for the domain. (You'll notice that none of the hosts in the Results section have the "A" flag.)

udr_with_rogue_hosts.jpg

Example: No data matching your filters

You'll see the message "No data found" when no hosts match the filters set in the Unknown Device Report template. For example, if only the Rogue host type filter is selected in the template (the default) and you see "No data found", then there are no rogue hosts for the domain. In other words, every host detected by the map was on the approved hosts list.

udr_no_rogue_hosts.jpg

Example: Approved hosts included

Many customers would like to see approved hosts in the report in addition to the rogue hosts. You can do this by editing filters in the report template. When included, you can tell which hosts are approved by looking at the Approved (A) column. If an "A" appears in this column, then the host is approved. If this column is blank, then the host is rogue.

udr_with_approved_hosts.jpg

Example: Compare two saved maps

When creating the report, you have the option to select two saved maps. The service compares these maps to identify systems that have been added to or removed from your network. "Active" indicates the host was detected in both maps. "Removed" indicates the host was detected in Map 1 (the older map) but was not detected in Map 2 (the more recent map). "Added" indicates the host was not detected in Map 1 but was detected in Map 2.

udr_with_two_maps.jpg
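The rules the report applies are simple enough to reproduce outside the product, which is handy when you want to check a map export against your own inventory or explain a report to someone who does not have console access. The Python below is an added example written for this page, not Qualys code or an API call: it uses constructed approved-host and map-result sets (every IP is made up), treats any detected host that is not on the approved list as rogue, filters to rogue hosts only by default (the template default), marks approved hosts with "A" when they are included, and, when a second map is supplied, labels each host Active, Removed or Added exactly as the report does.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the page): approved hosts for a domain.
APPROVED_HOSTS = {"10.10.10.1", "10.10.10.2", "10.10.10.5"}

# Constructed saved map results: Map 1 is the older map, Map 2 the newer one.
MAP1_HOSTS = {"10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.5"}
MAP2_HOSTS = {"10.10.10.1", "10.10.10.3", "10.10.10.5", "10.10.10.9"}


@dataclass(frozen=True)
class ReportRow:
    ip: str
    approved: str  # "A" when approved (the report's Approved column), "" when rogue
    status: str    # "Active", "Removed" or "Added" when two maps are compared, else ""


def classify_hosts(map1, approved, map2=None, include_approved=False):
    """Return report rows for the hosts detected in the given map(s).

    map1            hosts detected in the (older) saved map
    approved        the domain's approved hosts list
    map2            optional newer saved map; enables Active/Removed/Added status
    include_approved  False reproduces the template default (rogue hosts only)
    """
    map1 = set(map1)
    detected = map1 if map2 is None else map1 | set(map2)

    rows = []
    for ip in sorted(detected, key=ipaddress.ip_address):
        is_approved = ip in approved
        # A host is rogue unless it appears on the approved hosts list.
        if is_approved and not include_approved:
            continue

        if map2 is None:
            status = ""
        elif ip in map1 and ip in map2:
            status = "Active"      # seen in both maps
        elif ip in map1:
            status = "Removed"     # seen in the older map only
        else:
            status = "Added"       # seen in the newer map only

        rows.append(ReportRow(ip, "A" if is_approved else "", status))
    return rows


def render_report(rows):
    """Format rows as text; an empty result mirrors the report's 'No data found'."""
    if not rows:
        return "No data found"
    lines = [f"{'IP':<15} {'A':<2} {'Status':<8}"]
    for row in rows:
        lines.append(f"{row.ip:<15} {row.approved:<2} {row.status:<8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Rogue hosts only (template default), single map:")
    print(render_report(classify_hosts(MAP1_HOSTS, APPROVED_HOSTS)))
    print()
    print("Approved hosts included, two maps compared:")
    print(render_report(classify_hosts(MAP1_HOSTS, APPROVED_HOSTS,
                                       map2=MAP2_HOSTS, include_approved=True)))
```

With the sample data, the single-map run lists only 10.10.10.3 as rogue, and the two-map run shows 10.10.10.2 as an approved host that has been Removed and 10.10.10.9 as a rogue host that was Added, which is the combination worth investigating first.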
