Email Alert - Switch and Port of Rogue MAC Device

Version 1

    Out of the box there is an alert for rogue MAC devices. I made some modifications to this rule so I would get an email telling me what the rogue MAC was, what device detected it, and which port it originated on. I am not an expert in SQL, so this took the better part of a day to figure out how it works.


    This is what that email looks like: [screenshot of the alert email]
    To set this up you need to go to "Manage Alerts" on the Settings page.

    Edit the alert titled: "Alert me when a rogue MAC address appears on network"

    Immediately go to the "Trigger Actions" tab and click "Add Action".

    Select "Send an Email/Page" and click "Configure Action".


    In the next window you fill out "Name of Action" and who will receive the emails. This can be a group, one person, etc.

    Go to the "SMTP Server" tab and fill that out, as well as any other settings you need.

    Finally, go to the message. This is where the magic happens!


    Here is my message data. The important parts are the ${...} macro expressions, which are expanded when the email is sent.


    "An unknown rogue device has been detected!

    MAC: ${N=SwisEntity;M=MACAddress}

    Switch: ${SQL:SELECT Caption from [dbo].[Nodes]
    WHERE  NodeID = (SELECT NodeID from [dbo].[UDT_Port]
    WHERE  PortID = (SELECT PortID from [dbo].[UDT_PortToEndpointCurrent]
    WHERE   EndpointID = ${N=SwisEntity;M=EndpointID}))}

    Port: ${SQL: SELECT Name from [dbo].[UDT_Port] WHERE  (PortID = ${SQL: SELECT PortID from [dbo].[UDT_PortToEndpointCurrent] WHERE  (EndpointID = ${N=SwisEntity;M=EndpointID})})}

    First Detected: ${N=SwisEntity;M=FirstSeen}

    Last Detected: ${N=SwisEntity;M=LastUpdate}

    If this is not meant to be on the network, please add it to the watch list and shut down the port if necessary in User Device Tracker."


    Note: For this to detect the right port, make sure you don't monitor your uplink ports to other switches. If you do, it will not pull the right port.
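    As an added check that is not part of the original post, the same lookup written as joins can be run in SQL Server Management Studio against the Orion database before the macros go into the alert; it assumes only the table and column names shown in the message above, and 12345 is a placeholder EndpointID to be replaced with a real one from UDT_PortToEndpointCurrent.

```sql
-- Added example, not from the original post. Validates the alert's SQL macros
-- against the Orion database (SQL Server) before they are pasted into the alert.
DECLARE @EndpointID INT = 12345;  -- placeholder: use a real EndpointID

-- Same lookup as the "Switch:" and "Port:" macros, but as joins instead of
-- nested scalar subqueries. Returns one row per port the endpoint is
-- currently seen on, so the result is readable even when there are several.
SELECT n.Caption AS SwitchName,
       p.Name    AS PortName
FROM   [dbo].[UDT_PortToEndpointCurrent] AS pe
       JOIN [dbo].[UDT_Port] AS p ON p.PortID = pe.PortID
       JOIN [dbo].[Nodes]    AS n ON n.NodeID = p.NodeID
WHERE  pe.EndpointID = @EndpointID;

-- Uplink check for the note above. The alert's "= (SELECT PortID ...)" form
-- expects exactly one PortID; if monitored uplinks make the endpoint appear on
-- more than one port, SQL Server raises "Subquery returned more than 1 value"
-- and the macro cannot resolve a single switch/port. A count above 1 here
-- means an uplink port is still being monitored.
SELECT COUNT(*) AS PortsSeenOn
FROM   [dbo].[UDT_PortToEndpointCurrent]
WHERE  EndpointID = @EndpointID;
```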

    Happy monitoring!