Rogue access point

Triggered when an unauthorized access point is detected on the network. Alert name: ALERT_ROGUE_AP

Payload

{
  "metadata": {
    "alert_name": "ALERT_ROGUE_AP",
    "network_name": "Main Office",
    "timestamp": "2026-01-23T21:40:03Z"
  },
  "data": {
    "rogue_access_points": [
      {
        "mac": "AA:BB:CC:DD:EE:FF",
        "vendor": "TP-Link",
        "connected_switch_label": "Floor 2 Switch",
        "port_number": 24
      }
    ]
  }
}

Fields

Field	Type	Description
`mac`	string	MAC address of the rogue access point
`vendor`	string	Vendor identified from the MAC address
`connected_switch_label`	string	Switch where the rogue AP is connected
`port_number`	integer	Switch port number

WIDS configuration

Integrations

Slack

SIEM

Webhooks

Rogue access point

Payload

Fields

Integrations

Slack

SIEM

Webhooks

​Payload

​Fields

​Related

Payload

Fields

Related