topic Alarm fatigue with Threat Active / External Honeypot in WIPS / RADAR in ExtremeCloud IQ- Site Engine Management Center https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/alarm-fatigue-with-threat-active-external-honeypot-in-wips-radar/m-p/17520#M527 Hello folks,<BR /> <BR /> I have a sprawling wireless network that covers a lot of acres in town. Aside from the insanely high number of guest wireless users, I also run alongside a lot of public buildings that have their own WiFi networks (such as a large car lot).<BR /> <BR /> I seem to have a nagging collection of threats for "external honeypots". Which is OK if the device lingers. But I seem to get an alert for drive-by users. And I know sometimes a user requesting a network can result in a false detection. In other words, they fire open their laptop and Windows says "is there a dlink SSID in the house?" which then results in an External Honeypot message of "there is a dlink SSID!". I also seem so pick up a lot of cars from the car lot that have their own SSID's for the driver, passengers, and mechanics.<BR /> <BR /> My question is, how do I make these threats self-clear? I have a bunch where the first/last seen is all in the same time/minutes/seconds? I went into XMC and edited the Alarm Definition. Then under Other Options I checked the box for Cleared by Alarms "Threat Inactive". And then I also tried checking "No Curent Alarm". But neither one seemed to clear up all my old alarms. I still need to manually right-click and clear selected alarm.<BR /> <BR /> Tue, 15 May 2018 18:05:00 GMT Steve_Ballantyn 2018-05-15T18:05:00Z Alarm fatigue with Threat Active / External Honeypot in WIPS / RADAR https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/alarm-fatigue-with-threat-active-external-honeypot-in-wips-radar/m-p/17520#M527 Hello folks,<BR /> <BR /> I have a sprawling wireless network that covers a lot of acres in town. Aside from the insanely high number of guest wireless users, I also run alongside a lot of public buildings that have their own WiFi networks (such as a large car lot).<BR /> <BR /> I seem to have a nagging collection of threats for "external honeypots". Which is OK if the device lingers. But I seem to get an alert for drive-by users. And I know sometimes a user requesting a network can result in a false detection. In other words, they fire open their laptop and Windows says "is there a dlink SSID in the house?" which then results in an External Honeypot message of "there is a dlink SSID!". I also seem so pick up a lot of cars from the car lot that have their own SSID's for the driver, passengers, and mechanics.<BR /> <BR /> My question is, how do I make these threats self-clear? I have a bunch where the first/last seen is all in the same time/minutes/seconds? I went into XMC and edited the Alarm Definition. Then under Other Options I checked the box for Cleared by Alarms "Threat Inactive". And then I also tried checking "No Curent Alarm". But neither one seemed to clear up all my old alarms. I still need to manually right-click and clear selected alarm.<BR /> <BR /> Tue, 15 May 2018 18:05:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/alarm-fatigue-with-threat-active-external-honeypot-in-wips-radar/m-p/17520#M527 Steve_Ballantyn 2018-05-15T18:05:00Z