You can determine how it was detected (DHCP or Broadcast) by drilling down on the detection itself in the RSD Console and looking at the value for Detection Source; however, I see no way to tell the actual sensor that did the detecting. If the detection source was Broadcast you can take a look at the subnet the machine was detected on and deduce which sensor did the detection from that.
Only problem is that the IP subnet of the device no longer exists on our network. The device has been plugged into another network with a different subnet, but the tech did not change the IP on the device.
As far as I can tell there is no way to determine the current location (logical or physical) of the device.
Thanks for responding. Perhaps this could be a useful field to consider including on a rogue system's properties in a future release - the name\IP of the sensor that detected the threat.
Just put an FMR request in. Thanks for your time.
Not possible at present - submitted an FMR to McAfee.
What can kind of help is to go to the Network Tab in the ePO Console.
Click on the Subnets that contain Rogues and it should spit out a list of the subnets.
Click on the subnet and it will give you a list of the sensors that cover that specific subnet that contains rogues. If you are lucky, there will be only 1.
BTW, noticed that it seems the RSD names itself the IP of the machine at the time that it installs. If the IP changes later, RSD doesn't rename itself...
Be sure to click the Details link and nslookup on the name just in case.
Trace back to the switch that that machine is on and an "arp -a" on that computer should list all the MACs registered.
I have been drilling into the database tables for RSD to see if there is any link there, but no luck so far...
Let me know if this helps.