Managed Sentinel – Alert 160

Alert ID: MS-A160
Alert Name: Potential rogue access points detected - Fortinet
Description: This alert identifies access points that Fortinet has flagged as potentially fake. The top 10 access points by number of log events are returned.
An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if a device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution
Log sources: IPS/IDS
False Positives: New production wireless APs from a different manufacturer.
Guest users.
Recommendations:
1. Notify the users/department using the rogue wireless device about the violation of Corporate Security Policy (policy notice).
2. Provide details about the rogue WLAN device, such as type, model, IP address and physical location, to the head of department and IT Director.
3. Initiate removal of the device from the corporate network.
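The aggregation this alert describes (wireless rogue-AP events from the Fortinet log source, ranked by event count) can be reproduced on raw key=value syslog lines as follows. This is an added example, not Managed Sentinel's own query or Fortinet's code; the log lines are constructed, and the field names (type, subtype, action, bssid, ssid) and action values are assumptions about the FortiGate wireless event layout.

```python
import re
from collections import Counter

# Constructed FortiGate-style wireless event lines (not real telemetry).
# Field names and the action values below are assumptions; adjust them to the
# fields actually present in the ingested log source.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="event" subtype="wireless" action="rogue-ap-detected" bssid="00:11:22:33:44:01" ssid="CorpWiFi"',
    'date=2024-01-01 time=10:00:05 type="event" subtype="wireless" action="rogue-ap-detected" bssid="00:11:22:33:44:02" ssid="Free_WiFi"',
    'date=2024-01-01 time=10:00:09 type="event" subtype="wireless" action="rogue-ap-detected" bssid="00:11:22:33:44:01" ssid="CorpWiFi"',
    'date=2024-01-01 time=10:00:12 type="traffic" subtype="forward" action="accept" srcip=10.0.0.5 dstip=10.0.0.9',
    'date=2024-01-01 time=10:00:15 type="event" subtype="wireless" action="fake-ap-detected" bssid="00:11:22:33:44:02" ssid="Free_WiFi"',
    'date=2024-01-01 time=10:00:20 type="event" subtype="wireless" action="client-connected" bssid="00:11:22:33:44:09" ssid="CorpWiFi"',
    'date=2024-01-01 time=10:00:25 type="event" subtype="wireless" action="rogue-ap-detected" bssid="00:11:22:33:44:01" ssid="CorpWiFi"',
    'date=2024-01-01 time=10:00:30 type="event" subtype="wireless" action="rogue-ap-detected" bssid="00:11:22:33:44:03" ssid="CorpWiFi"',
]

# key=value pairs; values may be double-quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed action values that mark an AP as rogue/fake in the wireless subtype.
ROGUE_ACTIONS = frozenset({"rogue-ap-detected", "fake-ap-detected"})


def parse_kv(line):
    """Parse one FortiGate-style log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def rogue_ap_events(lines):
    """Yield only wireless events whose action flags the AP as rogue/fake."""
    for line in lines:
        rec = parse_kv(line)
        if (rec.get("type") == "event" and rec.get("subtype") == "wireless"
                and rec.get("action") in ROGUE_ACTIONS):
            yield rec


def top_rogue_aps(lines, n=10):
    """Return the top-n (bssid, ssid) pairs by number of rogue-AP events."""
    counts = Counter((r.get("bssid"), r.get("ssid")) for r in rogue_ap_events(lines))
    return counts.most_common(n)


if __name__ == "__main__":
    for (bssid, ssid), count in top_rogue_aps(SAMPLE_LOGS):
        print(f"{count:>3}  {bssid}  {ssid}")
```

Each returned (bssid, ssid) pair is a candidate for the triage steps above; a pair whose SSID matches a production network but whose BSSID is unknown to the wireless inventory deserves the first look.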