ExtremeCloud IQ- Site Engine & Extreme Management Center


Alarm fatigue with Threat Active / External Honeypot in WIPS / RADAR


    Posted 05-15-2018 11:05
    Hello folks,

    I have a sprawling wireless network that covers a lot of acres in town. Aside from the insanely high number of guest wireless users, I also run alongside a lot of public buildings that have their own WiFi networks (such as a large car lot).

    I seem to have a nagging collection of threats for "external honeypots". Which is OK if the device lingers. But I seem to get an alert for drive-by users. And I know sometimes a user requesting a network can result in a false detection. In other words, they fire open their laptop and Windows says "is there a dlink SSID in the house?" which then results in an External Honeypot message of "there is a dlink SSID!". I also seem to pick up a lot of cars from the car lot that have their own SSIDs for the driver, passengers, and mechanics.

    My question is, how do I make these threats self-clear? I have a bunch where the first/last seen is all in the same time/minutes/seconds? I went into XMC and edited the Alarm Definition. Then under Other Options I checked the box for Cleared by Alarms "Threat Inactive". And then I also tried checking "No Current Alarm". But neither one seemed to clear up all my old alarms. I still need to manually right-click and clear selected alarm.