Detects rogue Wi-Fi access points broadcasting the same SSID as legitimate APs with stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings. Correlates authentication attempts, captive portal redirections, and anomalous traffic flows through unauthorized APs.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | WLANLogs:Association | Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type |
| Network Traffic Content (DC0085) | NSM:Flow | Probe responses from unauthorized APs responding to client probe requests |
| Application Log Content (DC0038) | networkdevice:syslog | Failed authentication requests redirected to non-standard portals |

| Field | Description |
|---|---|
| KnownSSIDs | Baseline of authorized SSIDs; deviations may indicate rogue AP. |
| AllowedBSSIDs | Whitelist of BSSID/MAC addresses mapped to corporate SSIDs. |
| SignalStrengthThreshold | Used to flag unusually strong signals from unexpected APs. |
| CaptivePortalDomains | Trusted login domains; unrecognized portals may be malicious. |
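An added example of the correlation logic described above, written for this page and not taken from any product or from the ATT&CK data itself. It evaluates constructed WLAN observations against the four tunable fields (the SSID/BSSID/threshold/domain values are hypothetical) and returns the reasons each AP was flagged.

```python
from dataclasses import dataclass

# Hypothetical tunables standing in for the fields above.
KNOWN_SSIDS = {"CorpWiFi": "WPA2-Enterprise"}          # SSID -> expected encryption
ALLOWED_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
SIGNAL_STRENGTH_THRESHOLD = -45                         # dBm; louder than this from an unknown BSSID is suspicious
CAPTIVE_PORTAL_DOMAINS = {"login.corp.example"}         # trusted portal hosts

@dataclass
class Observation:
    ssid: str
    bssid: str
    encryption: str
    rssi: int               # dBm as reported by the sensor/WLC
    portal_host: str = ""   # host a client was redirected to after association, if any

def evaluate(obs: Observation) -> list:
    """Return the list of rogue-AP indicators for one observation (empty = benign)."""
    if obs.ssid not in KNOWN_SSIDS:
        return ["ssid_not_in_baseline"]          # deviation from the KnownSSIDs baseline
    reasons = []
    if obs.bssid.lower() not in ALLOWED_BSSIDS.get(obs.ssid, set()):
        reasons.append("unexpected_bssid")       # same SSID, BSSID not on the allow-list
        if obs.rssi > SIGNAL_STRENGTH_THRESHOLD:
            reasons.append("strong_signal_from_unknown_bssid")
    if obs.encryption != KNOWN_SSIDS[obs.ssid]:
        reasons.append("encryption_mismatch")    # e.g. open network impersonating WPA2-Enterprise
    if obs.portal_host and obs.portal_host not in CAPTIVE_PORTAL_DOMAINS:
        reasons.append("unrecognized_captive_portal")
    return reasons

def detect(observations) -> dict:
    """Correlate a batch of observations; map each flagged BSSID to its reasons."""
    flagged = {}
    for obs in observations:
        reasons = evaluate(obs)
        if reasons:
            flagged[obs.bssid] = reasons
    return flagged

# Constructed sample observations, not real captures.
SAMPLE = [
    Observation("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-Enterprise", -60),
    Observation("CorpWiFi", "de:ad:be:ef:00:01", "Open", -35, "wifi-login.example.net"),
    Observation("CorpWiFi", "aa:bb:cc:00:00:02", "Open", -55),
    Observation("FreeAirport", "11:22:33:44:55:66", "Open", -50),
]

if __name__ == "__main__":
    for bssid, reasons in detect(SAMPLE).items():
        print(bssid, reasons)
```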