We have recently implemented Rogue alerts in UDT. This notifies us of items showing up as Rogue devices, those that are not in our approved MAC address whitelist.
The only problem is it seems like we keep getting Rogue Alerts for devices that are already in our whitelist. For example, we've been installing new printers at several locations. This morning when I installed a new one, a few hours later we got a rogue alert for that device (working as designed), but then we also got 5 additional alerts for printers that we had already installed. We had already acknowledged those printers' rogue alerts, and those printers were already in the whitelist. I thought for a few weeks this was just a fluke, but it has occurred numerous times, to the point where my staff is spending more time searching for invalid alerts than valid alerts.
Is anyone using Rogue alerts? Have you seen similar problems to this?
The potential for this feature in UDT, especially as far as the SANS controls go, is great. However, the barriers to getting this to work seem great as well.