2 Replies Latest reply on Aug 7, 2014 11:50 AM by nicole pauls

    Unknown Hosts Attached

    jeremya

      Still trying to get some alerting in place. During our last security audit the question came up on the ability to detect unknown hosts attached to the network. Do any of you know how to setup an alert for an unknown host attaching to the network? Would I be looking at the AD level, switch or router level?

      Any assistance would be great.

      Thanks,

      Jeremy

        • Re: Unknown Hosts Attached
          curtisi

          jeremya:

          I'm not 100% certain the LEM is the very best way to track this, but tools like IP Address Manager or Network Performance Monitor could help.

          That said, the LEM does have the ability to look for things like DHCP requests (assuming you're logging your DHCP information) and correlating them against whether a LEM agent with the same IP came on-line.  If the LEM sees that DHCP request and doesn't see an Agent, then it can alert.  The assumption is you've got the LEM Agent on all your workstations/servers, therefore any machine making a DHCP request without an Agent is new or unknown.

          If you want to see a template rule that does this, look for "Template: DHCP but no Agent" in the LEM under BUILD --> RULES.  There's also a "Template: New Machine Created" but that's more for when a machine is added to the Domain.

          • Re: Unknown Hosts Attached
            nicole pauls

            I think having an IP address appear in a log that doesn't match a known list is the best suggestion we have - the DHCP but no Agent rule is an example if you have full agent coverage, but if you don't, you might be able to build lists of known hosts or known good IPs otherwise. Other ideas along those lines would be a Logon from an unknown IP, or firewall traffic in/outbound from an unknown IP, or proxy traffic from an unknown IP. The trick is going to be in determining what an "unknown" IP is.

            Some devices might log this, too. User Device Tracker (a separate SW product) does try to do some new device detection as well, since it's about detection of what device is where (and on which MAC).
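A worked version of the correlation both replies describe (a DHCP lease handed out, but no agent check-in from that IP and the MAC not on a known-host list), added here as example code rather than anything from the thread or from the LEM product. The ISC dhcpd syslog lines, the agent and MAC inventories, and the function names are all constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample DHCP server log (ISC dhcpd syslog format), not real data.
DHCP_LOG = """\
Aug  7 09:01:12 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:55 (ws-finance-03) via eth0
Aug  7 09:02:40 dhcp1 dhcpd: DHCPACK on 10.10.5.77 to 66:77:88:99:aa:bb via eth0
Aug  7 09:03:05 dhcp1 dhcpd: DHCPREQUEST for 10.10.5.21 from 00:11:22:33:44:55 via eth0
Aug  7 09:04:19 dhcp1 dhcpd: DHCPACK on 10.10.5.90 to de:ad:be:ef:00:01 (visitor-laptop) via eth0
"""

# Constructed inventories: IPs an agent has recently checked in from, and the
# "known good" MAC list nicole pauls suggests building when agent coverage is partial.
AGENT_IPS = {"10.10.5.21", "10.10.5.22"}
KNOWN_MACS = {"00:11:22:33:44:55", "de:ad:be:ef:00:01"}

# Only DHCPACK means the server actually committed a lease; DISCOVER/REQUEST are noise here.
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: Optional[str]  # hostname is absent when the client sent none

def parse_acks(log: str) -> list[Lease]:
    """Return one Lease per DHCPACK line; other DHCP message types are skipped."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"]))
    return leases

def unknown_hosts(log: str, agent_ips: set[str], known_macs: set[str]) -> list[tuple[Lease, str]]:
    """Alert when a lease has neither an agent on its IP nor a MAC in inventory.

    Either list counts as "known" so a reimaged asset (new IP, known MAC) stays quiet;
    change the condition to require both if the audit demands a stricter policy.
    """
    alerts = []
    for lease in parse_acks(log):
        if lease.ip not in agent_ips and lease.mac not in known_macs:
            alerts.append((lease, "DHCPACK with no agent on IP and MAC not in inventory"))
    return alerts
```

In the sample, only the 10.10.5.77 lease fires: it has no agent check-in, no hostname, and a MAC outside the inventory, which is exactly the "new or unknown" machine the audit question asks about.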