Every event in the 802 Secure Console, as well as every external alert (email, SMS, syslog, etc.), includes an identifier and a severity along with other pertinent information. The specific information sent depends on the type of alert. For instance, a cellular tower based alert includes cellular information, while a trust policy violation includes both client and access point information.

Source | Description |
---|---|
AIRSHIELD | AIRSHIELD operational events |
AIRCELL | AIRCELL related events |
INTERROGATOR | INTERROGATOR related events |
CONSOLE | Events from the Console/Platform |
POLICY | Trust Policy assignments and event triggers |
ANALYTICS | Results of analytic functions |
WIDS | Wireless intrusion detection events sourced from AIRSHIELD |
LRWPAN | 802.15.4 LR-WPAN related events |
PERFORMANCE | WiFi Performance events |

The table below provides a high-level definition of each alert type (Identifier), sorted by Severity from highest to lowest. This information is helpful to identify the specific events that may impact your organization, as well as to plan integration and incident response.

Severity | Identifier | Definition |
---|---|---|
10 | NULLPROBERESPONSE | A probe response to a nil SSID has been detected. Null probe responses are used by an attacker to lock up a client interface. |
10 | ENCRYPTION CHANGE | Encryption settings have changed on the Access Point |
10 | KRACK | Repeating nonces have been discovered. This indicates an AP that is vulnerable to the KRACK attack. If numerous alerts are generated, it is likely that an attack is underway. |
10 | DISCONCODEINVALID | A disassociation frame gave an invalid disconnect reason |
7 | CLIENT TO AIRDECOY AP | A client has connected to the 802 Secure AirDecoy honeypot |
7 | NEW ACCESS POINT | A new Access Point has been discovered in your air space |
7 | WEAK OR UNENCRYPTED ACCESS POINT | A new Access Point was discovered with weak or no encryption |
7 | AP ADVERTISING NEW ESSID | An Access Point is advertising a new / different ESSID |
7 | ADVCRYPTO | The advertised encryption type has changed on the Access point |
6 | AMAZON ECHO DETECTED | An Amazon Echo client has been identified in your air space |
6 | DRONE DETECTED | A Drone has been identified in your air space |
6 | WIFI PRINTER DETECTED | A WiFi enabled Printer has been identified in your air space |
5 | TRUST POLICY VIOLATION | A client has connected to a network that violates your trust policy settings |
5 | EXCESSIVE CONNECTIONS | High connection attempts between a client and Access Point |
5 | CAPTIVE PORTAL ACCEPTED | A client has accepted the 802 Secure AirDecoy honeypot captive portal |
5 | AUTOMATIC AP TRUST LEVEL ASSIGNMENT TO SUSPECTED NEIGHBOR | A persistent Access Point with strong encryption has been assigned to the Suspected Neighbor Trust Level. Manual assignment to a Trust Level is recommended. |
5 | SIMILAR ESSID | An ESSID was discovered that is similar to an ESSID identified in your Trust Level configuration |
5 | NEW CELLULAR TOWER | A new cellular tower has been detected in your air space |
5 | AUTOMATIC AP TRUST LEVEL ASSIGNMENT TO HIGH THREAT | A persistent access point with weak or no encryption has been assigned to the High Threat Trust Level. Investigation and assignment to the proper Trust Level is recommended. |
4 | VEHICLE DETECTED | A vehicle has been identified in your air space |
4 | CONSUMER CAMERA DETECTED | A consumer camera has been identified in your air space |
4 | DEAUTHCODEINVALID | Deauthentication frame gave an invalid disconnect reason |
4 | WIFI DIRECT DETECTED | A WiFi-Direct enabled device has been identified in your air space |
4 | WIRELESS STORAGE DEVICE DETECTED | A WiFi enabled memory card (i.e. USB thumbdrive) has been identified in your air space |
4 | DASH CAMERA DETECTED | A dash camera has been identified in your air space |
4 | MEDICAL DEVICE DETECTED | A medical device has been identified in your air space |
4 | WIFI TELEVISION DETECTED | A WiFi enabled TV or sign has been identified in your air space |
4 | AMAZON FIRETV DETECTED | An Amazon FireTV WiFi-Direct enabled media player has been identified in your air space |
4 | GOOGLE HOME DETECTED | A Google Home device has been identified in your air space |
4 | ROKU DETECTED | A Roku WiFi-Direct enabled media player has been identified in your air space |
3 | CHANCHANGE | An Access Point has changed channels |
3 | AIRDECOY CLIENT CONNECT | A client has connected to the 802 Secure AirDecoy honeypot |
3 | AIRDECOY CLIENT DISCONNECT | A client has disconnected from the 802 Secure AirDecoy honeypot |
1 | NEW WPA/WPA2 HANDSHAKE | New WPA handshake received |
1 | CLIENT ASSIGNED TO GROUP | A client was automatically assigned to a client group in accordance with your Trust Level rules |
1 | AIRSHIELD ONLINE | An AirShield sensor has come online |
1 | LOGIN | User logged in |
1 | SUSPICIOUS CELLULAR TOWER | A suspicious cellular tower was identified in your air space. This could indicate nefarious activity and warrants further investigation. |
1 | LOGOUT | User logged out |
1 | NEW X.509 CERTIFICATE | A new X.509 Server Certificate has been found on an access point. This could indicate a compromise and investigation is warranted if this was not planned or intentional. |
1 | AIRDECOY STARTED | The 802 Secure AirDecoy honeypot has started and is operational |