1 Reply Latest reply on May 12, 2018 10:24 AM by donrobert5

    UDT Rogue Device Alerts?

    snbeau

      We recently installed UDT to get rogue device alerts in our environment, but are a little disappointed in the same thing a lot of others have noted elsewhere in Thwack. We have to have alerts, but we don't care about people on our guest Wi-Fi, which it doesn't let us segregate. I went through the devices found in the rogue list and watch-listed all the MACs that were connected to the Wi-Fi (99% were employee phones), so that, just in case something happened, it is still tracked in a special spot for these wireless devices.

       

      I put in a ticket with SW to try to get a SQL query or something to adjust what triggers the alert, but essentially got the brush-off that they'd give me the tables where the data is stored and I'd have to figure out the rest because it is out of their "scope of support". I worked with the tables given by support in SQL studio and pulled exactly what I needed with this query:

      SELECT * FROM dbo.UDT_RogueMACAlert
      LEFT JOIN dbo.UDT_WatchListPresent
      ON MACAddress = watchitem
      WHERE watchitem IS NULL AND Rogue <> 0

      This compares the watchlist and the rogue list and spits out everything that is rogue and isn't on the watchlist. I got excited that this would band-aid UDT enough for it to be worth the purchase. However, when adding this query to the alert configuration, it doesn't work. I looked elsewhere on how to add this properly to the alert config, but there isn't a whole lot on the specifics and the things I found to try, something like adding sql { } around the query, still didn't help.

       

      The error it gives is "Condition is not valid. Please fix reported errors to continue."

       

      Can someone help me with making this work?

       

      (PS: shout-out to James and Joe at Loop1 for helping get our SW environment set up)