I'm also evaluating the product and I have this question as well. I'm about to pull the trigger on a UTX license and this could be a make or break topic for that.
This can be done using the built-in UDT whitelist feature. When building the whitelist you can define MAC addresses, even with wildcard characters. Example: ab.cd.ef.*. This will force UDT to ignore your defined vendor OUI and only look at the rest. If UDT finds systems that do not match, they will be identified as rogue. Then, if you have the "alert me when a rogue mac address appears on the network" alert enabled, you can be emailed with the email trigger action.
Now, keep in mind when you build the whitelist, do not define any criteria for IP and hostname. Leave those as "any".
This is just taking a different approach, using the whitelist as opposed to just using alert logic to find MAC anomalies in your network.
Here is an example using the UDT whitelist, adding all Dell MAC addresses:
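The matching logic described in the answer above, sketched offline as an added example. It is not part of the original post and not SolarWinds code; the function names, the device list and the assumption that `*` stands for any run of hex digits are all hypothetical.

```python
import re

# Constructed sample data. The prefix reuses the post's "ab.cd.ef.*" placeholder,
# not a real vendor OUI.
WHITELIST = ["ab.cd.ef.*"]
DEVICES = [
    {"host": "lab-pc-01", "ip": "10.0.0.11", "mac": "AB:CD:EF:01:02:03"},
    {"host": "lab-pc-02", "ip": "10.0.0.12", "mac": "abcd.ef0a.0b0c"},
    {"host": "unknown-1", "ip": "10.0.0.50", "mac": "DE-AD-BE-00-00-01"},
    {"host": "unknown-2", "ip": "10.0.0.51", "mac": "ab:cd:ef:01"},
]

def normalize(mac):
    """Lowercase and drop separators so aa:bb.., aa-bb.. and aabb.ccdd.. compare equal."""
    return re.sub(r"[.:\-\s]", "", mac.lower())

def compile_pattern(pattern):
    """Compile a wildcard MAC pattern ('*' = any run of hex digits) to a regex."""
    norm = normalize(pattern)
    if not re.fullmatch(r"[0-9a-f*]+", norm) or not norm.strip("*"):
        # Reject junk and match-everything patterns, which would disable the check.
        raise ValueError(f"unusable whitelist pattern: {pattern!r}")
    return re.compile("".join("[0-9a-f]*" if c == "*" else c for c in norm))

def find_rogues(devices, whitelist):
    """Return devices whose MAC is malformed or matches no whitelist pattern.
    IP and hostname are deliberately ignored, i.e. left as "any"."""
    rules = [compile_pattern(p) for p in whitelist]
    rogues = []
    for dev in devices:
        mac = normalize(dev["mac"])
        well_formed = re.fullmatch(r"[0-9a-f]{12}", mac) is not None
        if not well_formed or not any(r.fullmatch(mac) for r in rules):
            rogues.append(dev)
    return rogues

if __name__ == "__main__":
    for dev in find_rogues(DEVICES, WHITELIST):
        print(f"ROGUE {dev['mac']} ({dev['host']}, {dev['ip']})")
```

A match only shows that the address carries a whitelisted prefix; MAC addresses can be changed on the device, so treat the whitelist as a filter for unexpected hardware rather than proof of identity.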