Detects anomalous wireless connections such as unexpected SSID associations, failed or repeated authentication attempts, and connections outside of known geofenced networks. Defenders should monitor wireless connection logs and event codes for network discovery, authentication, and association events.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Microsoft-Windows-WLAN-AutoConfig | 8001, 8002, 8003 |
| User Account Authentication (DC0002) | WinEventLog:Security | 4624, 4625 |

| Field | Description |
|---|---|
| KnownSSIDList | Defines approved Wi-Fi SSIDs for the environment; deviations may indicate malicious connection attempts. |
| GeoLocationContext | Correlates expected physical location of systems with observed Wi-Fi connections to detect anomalies. |
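The following is an added example, not code from the page or from ATT&CK, showing how the KnownSSIDList and GeoLocationContext mutable elements can be applied to Microsoft-Windows-WLAN-AutoConfig events (8001 connected, 8002 connection failed, 8003 disconnected). The pre-parsed event layout, the site inventory, the SSID values and the failure threshold are all assumptions constructed for the example.

```python
# Added example (not from the page): evaluate WLAN-AutoConfig events against
# a KnownSSIDList and a GeoLocationContext. Event IDs follow the page
# (8001 connected, 8002 failed, 8003 disconnected); the dict layout of the
# events and the host/site inventory are assumptions made for this example.
from collections import defaultdict

# Mutable element: approved SSIDs for the environment (hypothetical values)
KNOWN_SSID_LIST = {"CORP-WIFI", "CORP-GUEST"}

# Mutable element: which approved SSIDs are expected to be seen at each site
GEO_LOCATION_CONTEXT = {
    "HQ": {"CORP-WIFI", "CORP-GUEST"},
    "BRANCH-02": {"CORP-WIFI"},
}

# Asset inventory: the site each host is assigned to (hypothetical)
HOST_SITE = {"WS-0142": "HQ", "WS-0377": "BRANCH-02"}

# Constructed sample events in a simplified, already-parsed form
SAMPLE_EVENTS = [
    {"host": "WS-0142", "event_id": 8001, "ssid": "CORP-WIFI"},
    {"host": "WS-0142", "event_id": 8003, "ssid": "CORP-WIFI"},
    {"host": "WS-0142", "event_id": 8001, "ssid": "FreeAirportWiFi"},
    {"host": "WS-0377", "event_id": 8001, "ssid": "CORP-GUEST"},
    {"host": "WS-0377", "event_id": 8002, "ssid": "CORP-WIFI"},
    {"host": "WS-0377", "event_id": 8002, "ssid": "CORP-WIFI"},
    {"host": "WS-0377", "event_id": 8002, "ssid": "CORP-WIFI"},
]


def evaluate_wlan_events(events, known_ssids=KNOWN_SSID_LIST,
                         geo_context=GEO_LOCATION_CONTEXT,
                         host_site=HOST_SITE, failed_threshold=3):
    """Return a list of (host, finding, ssid) tuples.

    unknown_ssid            8001 to an SSID not in KnownSSIDList
    ssid_outside_geofence   8001 to an approved SSID that is not expected
                            at the host's assigned site
    repeated_auth_failures  failed_threshold 8002 events for the same
                            host/SSID pair (fires once, when reached)
    """
    findings = []
    failures = defaultdict(int)
    for ev in events:
        host, event_id, ssid = ev["host"], ev["event_id"], ev.get("ssid")
        if event_id == 8001:
            if ssid not in known_ssids:
                findings.append((host, "unknown_ssid", ssid))
                continue
            site = host_site.get(host)
            # An approved SSID showing up where it is not deployed is
            # itself a deviation worth a look
            if site is not None and ssid not in geo_context.get(site, set()):
                findings.append((host, "ssid_outside_geofence", ssid))
        elif event_id == 8002:
            failures[(host, ssid)] += 1
            if failures[(host, ssid)] == failed_threshold:
                findings.append((host, "repeated_auth_failures", ssid))
        # 8003 (disconnect) is kept for context but not alerted on by itself
    return findings


if __name__ == "__main__":
    for finding in evaluate_wlan_events(SAMPLE_EVENTS):
        print(finding)
```

The geofence check only runs for SSIDs that are already approved: an approved SSID seen at a site where it is not deployed is a distinct signal from an unknown SSID, and the two are reported separately so they can be triaged differently. The failure counter fires exactly once per host/SSID pair when the threshold is reached, which keeps a long run of 8002 events from producing one alert per event.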
Detects unauthorized wireless associations by monitoring wpa_supplicant logs, NetworkManager events, and system calls related to interface state changes. Anomalies include repeated association failures, new SSIDs outside baselined values, and rogue AP connections.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | linux:syslog | New Wi-Fi connection established or repeated association failures |
| Network Traffic Flow (DC0078) | auditd:SYSCALL | ioctl: Changes to wireless network interfaces (up, down, reassociate) |

| Field | Description |
|---|---|
| AllowedSSIDRegex | Regex-based whitelist of corporate SSIDs; associations to SSIDs that do not match indicate suspicious activity. |
| RetryThreshold | Number of failed association attempts allowed before triggering detection. |
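An added example, not code from the page, applying AllowedSSIDRegex and RetryThreshold to wpa_supplicant messages as they arrive in syslog. The log lines are constructed for the example and follow the general shape of wpa_supplicant's `Trying to associate with` and `CTRL-EVENT-ASSOC-REJECT` messages; exact wording varies by version, so the two parsing regexes are assumptions to be adapted to real logs, as are the SSID and MAC values.

```python
# Added example (not from the page): apply AllowedSSIDRegex and RetryThreshold
# to wpa_supplicant syslog lines. The sample lines are constructed and the
# parsing regexes are assumptions about message format.
import re
from collections import defaultdict

# Mutable element: allow-list regex for corporate SSIDs (hypothetical)
ALLOWED_SSID_REGEX = re.compile(r"CORP-(WIFI|GUEST)")

# Mutable element: association rejects tolerated before alerting
RETRY_THRESHOLD = 3

ASSOC_ATTEMPT = re.compile(
    r"wpa_supplicant\[\d+\]: (?P<iface>\w+): Trying to associate with "
    r"(?P<bssid>[0-9a-f:]{17}) \(SSID='(?P<ssid>[^']*)'"
)
ASSOC_REJECT = re.compile(
    r"wpa_supplicant\[\d+\]: (?P<iface>\w+): CTRL-EVENT-ASSOC-REJECT "
    r"bssid=(?P<bssid>[0-9a-f:]{17}) status_code=(?P<status>\d+)"
)

# Constructed sample syslog: one good association, then three rejected
# attempts against a lookalike SSID
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 ws-lnx-07 wpa_supplicant[812]: wlan0: Trying to associate with aa:bb:cc:dd:ee:01 (SSID='CORP-WIFI' freq=5180 MHz)
Mar  3 09:12:02 ws-lnx-07 wpa_supplicant[812]: wlan0: Associated with aa:bb:cc:dd:ee:01
Mar  3 12:40:10 ws-lnx-07 wpa_supplicant[812]: wlan0: Trying to associate with 02:00:00:00:00:99 (SSID='CORP-WIFI-5G' freq=2412 MHz)
Mar  3 12:40:11 ws-lnx-07 wpa_supplicant[812]: wlan0: CTRL-EVENT-ASSOC-REJECT bssid=02:00:00:00:00:99 status_code=1
Mar  3 12:40:13 ws-lnx-07 wpa_supplicant[812]: wlan0: Trying to associate with 02:00:00:00:00:99 (SSID='CORP-WIFI-5G' freq=2412 MHz)
Mar  3 12:40:14 ws-lnx-07 wpa_supplicant[812]: wlan0: CTRL-EVENT-ASSOC-REJECT bssid=02:00:00:00:00:99 status_code=1
Mar  3 12:40:16 ws-lnx-07 wpa_supplicant[812]: wlan0: Trying to associate with 02:00:00:00:00:99 (SSID='CORP-WIFI-5G' freq=2412 MHz)
Mar  3 12:40:17 ws-lnx-07 wpa_supplicant[812]: wlan0: CTRL-EVENT-ASSOC-REJECT bssid=02:00:00:00:00:99 status_code=1
"""


def detect_wpa_anomalies(syslog_text, allowed=ALLOWED_SSID_REGEX,
                         retry_threshold=RETRY_THRESHOLD):
    """Return (iface, finding, ssid) tuples: unapproved_ssid once per
    interface/SSID pair, retry_threshold_reached when rejects hit the limit."""
    findings = []
    last_ssid = {}               # iface -> SSID of the most recent attempt
    rejects = defaultdict(int)   # (iface, ssid) -> reject count
    flagged = set()
    for line in syslog_text.splitlines():
        m = ASSOC_ATTEMPT.search(line)
        if m:
            iface, ssid = m["iface"], m["ssid"]
            last_ssid[iface] = ssid
            # fullmatch anchors the allow-list: a lookalike such as
            # CORP-WIFI-5G would pass re.search but fails here
            if not allowed.fullmatch(ssid) and (iface, ssid) not in flagged:
                flagged.add((iface, ssid))
                findings.append((iface, "unapproved_ssid", ssid))
            continue
        m = ASSOC_REJECT.search(line)
        if m:
            iface = m["iface"]
            # The reject line carries only the BSSID, so attribute it to
            # the SSID of the last attempt on that interface
            ssid = last_ssid.get(iface, "?")
            rejects[(iface, ssid)] += 1
            if rejects[(iface, ssid)] == retry_threshold:
                findings.append((iface, "retry_threshold_reached", ssid))
    return findings


if __name__ == "__main__":
    for finding in detect_wpa_anomalies(SAMPLE_SYSLOG):
        print(finding)
```

Two details matter in practice. The allow-list regex must be anchored (`fullmatch`, or `^...$` in the pattern), otherwise a lookalike SSID that merely contains a corporate name matches and the whitelist silently fails. And because the reject message names the BSSID rather than the SSID, the counter is keyed by the SSID of the most recent attempt on that interface, which is how the RetryThreshold can be applied per SSID at all.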
Detects unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. Anomalies include rapid SSID switching, connections to unapproved SSIDs, or repeated authentication failures.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | macos:unifiedlog | Association and authentication events including failures and new SSIDs |
| Network Traffic Flow (DC0078) | macos:osquery | query: Historical list of associated SSIDs compared against baseline |

| Field | Description |
|---|---|
| BaselineSSIDHistory | Historical record of corporate SSID associations per device; deviations may indicate rogue AP usage. |
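An added example, not code from the page, that compares a stream of association events against a BaselineSSIDHistory and also flags the rapid SSID switching the analytic describes. The events are constructed and already parsed into (timestamp, device, SSID) tuples; the unified log's real message text, the baseline's storage format, the two-minute window and the switch limit are assumptions for the example.

```python
# Added example (not from the page): compare association events against a
# per-device BaselineSSIDHistory and detect rapid SSID switching within a
# time window. Events, baseline and thresholds are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mutable element: historical corporate SSID associations per device
BASELINE_SSID_HISTORY = {
    "mbp-alice": {"CORP-WIFI", "CORP-GUEST"},
    "mbp-bob": {"CORP-WIFI"},
}

SWITCH_WINDOW = timedelta(minutes=2)   # window used to judge "rapid" switching
SWITCH_LIMIT = 3                        # distinct SSIDs within the window

# Constructed sample events: (ISO timestamp, device, SSID)
SAMPLE_EVENTS = [
    ("2025-03-03T09:00:05", "mbp-alice", "CORP-WIFI"),
    ("2025-03-03T09:31:12", "mbp-bob", "CORP-WIFI"),
    ("2025-03-03T12:02:00", "mbp-bob", "CORP-WIFI"),
    ("2025-03-03T12:02:20", "mbp-bob", "CafeWiFi"),
    ("2025-03-03T12:02:50", "mbp-bob", "CORP-WIFI"),
    ("2025-03-03T12:03:30", "mbp-bob", "Linksys"),
    ("2025-03-03T15:10:00", "mbp-alice", "CORP-GUEST"),
]


def detect_ssid_deviations(events, baseline=BASELINE_SSID_HISTORY,
                           window=SWITCH_WINDOW, switch_limit=SWITCH_LIMIT):
    """Return (device, finding, detail) tuples.

    new_ssid         association to an SSID absent from the device's baseline
    rapid_switching  at least switch_limit distinct SSIDs inside `window`
                     (reported once per device, with the SSIDs involved)
    """
    findings = []
    recent = defaultdict(deque)   # device -> (time, ssid) pairs inside window
    seen_new = set()
    switch_alerted = set()
    for ts, device, ssid in sorted(events):
        when = datetime.fromisoformat(ts)
        # A device with no baseline at all treats every SSID as new
        if ssid not in baseline.get(device, set()) and (device, ssid) not in seen_new:
            seen_new.add((device, ssid))
            findings.append((device, "new_ssid", ssid))
        q = recent[device]
        q.append((when, ssid))
        while q and when - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= switch_limit and device not in switch_alerted:
            switch_alerted.add(device)
            findings.append((device, "rapid_switching", ",".join(sorted(distinct))))
    return findings


if __name__ == "__main__":
    for finding in detect_ssid_deviations(SAMPLE_EVENTS):
        print(finding)
```

The sliding window is a deque per device that is trimmed on each new event, so the check stays linear in the number of events. Sorting the input first matters when events are gathered from several log queries, because the window logic assumes chronological order.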
Detects rogue or suspicious wireless access attempts by monitoring firewall, WIDS/WIPS, and controller logs. Focus is on firewall rule changes, rogue AP detection, and anomalous MAC addresses connecting to access points.

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | NSM:Firewall | rule_modification: New or modified firewall rules related to wireless interfaces |
| Network Traffic Content (DC0085) | WIDS:AssociationLogs | Unauthorized AP or anomalous MAC address connection attempts |

| Field | Description |
|---|---|
| AuthorizedAPList | Defines known access points and MAC addresses; deviations highlight rogue or unauthorized devices. |
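An added example, not code from the page, that applies an AuthorizedAPList to WIDS association records. It separates an unknown access point that advertises a corporate SSID from one that does not, and flags client MAC addresses with the locally administered bit set as anomalous. The record layout, the BSSID/SSID mapping and all MAC values are constructed for the example.

```python
# Added example (not from the page): evaluate WIDS association records
# against an AuthorizedAPList. Record layout and all addresses are
# constructed assumptions for this example.

# Mutable element: authorized BSSID -> SSID it is allowed to serve
AUTHORIZED_AP_LIST = {
    "aa:bb:cc:dd:ee:01": "CORP-WIFI",
    "aa:bb:cc:dd:ee:02": "CORP-WIFI",
    "aa:bb:cc:dd:ee:03": "CORP-GUEST",
}

# Constructed sample association records from a WIDS
SAMPLE_ASSOCIATIONS = [
    {"client": "3c:22:fb:10:20:30", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "CORP-WIFI"},
    {"client": "3c:22:fb:10:20:31", "bssid": "aa:bb:cc:dd:ee:03", "ssid": "CORP-GUEST"},
    {"client": "3c:22:fb:10:20:32", "bssid": "02:00:00:00:00:99", "ssid": "CORP-WIFI"},
    {"client": "d6:1a:2b:3c:4d:5e", "bssid": "aa:bb:cc:dd:ee:02", "ssid": "CORP-WIFI"},
    {"client": "3c:22:fb:10:20:33", "bssid": "02:00:00:00:00:42", "ssid": "Free-WiFi"},
    {"client": "3c:22:fb:10:20:34", "bssid": "aa:bb:cc:dd:ee:03", "ssid": "CORP-WIFI"},
]


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (locally administered
    address), which is what randomized client MACs and many spoofed
    addresses look like."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def evaluate_associations(records, authorized=AUTHORIZED_AP_LIST):
    """Return (client, finding, detail) tuples.

    corporate_ssid_on_unauthorized_ap  corporate SSID served by an unknown BSSID
    unauthorized_ap                    unknown BSSID serving some other SSID
    ssid_mismatch_for_bssid            known BSSID serving an SSID it is not
                                       authorized for
    locally_administered_client_mac    client address with the LA bit set
    """
    corporate_ssids = set(authorized.values())
    findings = []
    for rec in records:
        client = rec["client"].lower()
        bssid = rec["bssid"].lower()
        ssid = rec["ssid"]
        if bssid not in authorized:
            kind = ("corporate_ssid_on_unauthorized_ap"
                    if ssid in corporate_ssids else "unauthorized_ap")
            findings.append((client, kind, f"{ssid}@{bssid}"))
        elif authorized[bssid] != ssid:
            findings.append((client, "ssid_mismatch_for_bssid", f"{ssid}@{bssid}"))
        if is_locally_administered(client):
            findings.append((client, "locally_administered_client_mac", bssid))
    return findings


if __name__ == "__main__":
    for finding in evaluate_associations(SAMPLE_ASSOCIATIONS):
        print(finding)
```

Keying the list by BSSID rather than by SSID is what makes the first finding possible: an SSID alone says nothing about which radio is serving it. The locally administered check is a weak signal on its own, since current phone and laptop operating systems randomize Wi-Fi MAC addresses by default and those addresses also carry the bit; it is useful as context on a network where clients are expected to use their burned-in addresses, and noisy elsewhere.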