UDT - Rogue Devices

I have an approved whitelist using DNS names, which shows 200-odd devices in the list.

When I look at the rogue devices, there are >300 listed, and on closer inspection some of them are devices which are in my allowed list (some have multiple NICs).

Why is the correlation not working correctly? I see a similar issue if I use IP addresses.



  • Endpoints are grouped with IP, DNS and MAC. If you only created a whitelist for DNS, but the endpoint is detected on the MAC address level, it will still be a rogue device. The most basic information that UDT gathers is the MAC address; it would be best to create the whitelist using the MAC addresses.
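
One way to act on the reply above, as an added example that is not part of the thread and not SolarWinds code: take the rogue list, find every MAC whose DNS name is already approved (including second NICs), and emit those MACs as whitelist candidates. The row layout (`mac`, `ip`, `dns`), the host names and the addresses are constructed assumptions, not UDT's export format.

```python
import re

# Constructed sample rows; the field names are assumptions, not UDT's schema.
ROGUE_ROWS = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.0.10", "dns": "PC01.corp.example"},
    {"mac": "001a.2b3c.4d5f", "ip": "10.0.0.11", "dns": "pc01.corp.example"},  # second NIC
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "", "dns": ""},  # seen at MAC level only
    {"mac": "AA:BB:CC:DD:EE:02", "ip": "10.0.0.50", "dns": "unknown.corp.example"},
]
DNS_WHITELIST = ["pc01.corp.example"]


def normalize_mac(mac):
    """Reduce any common MAC notation to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_rogues(rows, dns_whitelist):
    """Return (macs_to_whitelist, still_rogue_macs), both sorted."""
    # Compare names case-insensitively and ignore a trailing root dot.
    allowed = {name.strip().lower().rstrip(".") for name in dns_whitelist}
    to_whitelist, still_rogue = set(), set()
    for row in rows:
        mac = normalize_mac(row["mac"])
        name = row.get("dns", "").strip().lower().rstrip(".")
        if name and name in allowed:
            to_whitelist.add(mac)
        else:
            # No DNS name (MAC-level detection) or an unapproved name.
            still_rogue.add(mac)
    # A MAC seen at least once with an approved name is not reported twice.
    still_rogue -= to_whitelist
    return sorted(to_whitelist), sorted(still_rogue)


if __name__ == "__main__":
    approved, rogue = split_rogues(ROGUE_ROWS, DNS_WHITELIST)
    print("add to MAC whitelist:", approved)
    print("needs review:", rogue)
```

The MAC-only row shows why a DNS whitelist alone cannot clear it: there is no name to match, so it stays in the review list until its MAC is approved.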