In ATP, the same endpoint appears twice on the Incident details page. There are also two separate endpoint details pages for the same host/IP address, and the information on each endpoint details page varies.
If you have an endpoint under a workgroup with a name that exceeds 15 characters, the host name is reported in ATP twice: once with a short host name of 15 characters, and once with the full host name exceeding 15 characters. So the same endpoint may appear in ATP twice -- once for each reported host name. This issue is a result of the NetBIOS restrictions. See the following link for more information:
In this instance, there will be an endpoint details page for each host name. The endpoint details page with the shorter host name does not have details for most of the fields on the endpoint summary section (such as the user name, host domain/workgroup, MAC address, etc.). The Incident graph on the Incident details page may also show the same endpoint twice -- once for each reported host name. If you want to take an action on the endpoint (such as isolating the endpoint), you should perform the action on the endpoint with the full name. Note that any action that you take on the endpoint appears in the Action Manager only once.
Create host names that are 15 characters or less.
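The following added example (not Symantec code and not part of the original article) shows one way to reconcile an endpoint list offline: it pairs each 15-character name with the full name on the same IP address, so that actions are taken on the full-name record, and it lists the host names that the workaround above says to shorten. The record fields `host` and `ip` and the sample data are assumptions constructed for illustration; they do not represent an ATP export format.

```python
from collections import defaultdict

NETBIOS_MAX = 15  # host-name length limit described in this article


def pair_truncated_duplicates(records):
    """Return sorted (short_name, full_name, ip) tuples for records that share
    an IP address and where one name is the 15-character truncation of the other."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec["host"])

    pairs = []
    for ip, hosts in by_ip.items():
        full_names = [h for h in hosts if len(h) > NETBIOS_MAX]
        short_names = [h for h in hosts if len(h) == NETBIOS_MAX]
        for full in full_names:
            for short in short_names:
                # Compare case-insensitively: NetBIOS names are upper-cased.
                if full[:NETBIOS_MAX].upper() == short.upper():
                    pairs.append((short, full, ip))
    return sorted(pairs)


def names_to_rename(records):
    """Host names longer than 15 characters (candidates for the workaround)."""
    return sorted({r["host"] for r in records if len(r["host"]) > NETBIOS_MAX})


# Constructed sample records (hypothetical names and addresses).
SAMPLE = [
    {"host": "FINANCE-WORKSTATION-07", "ip": "10.0.4.21"},
    {"host": "FINANCE-WORKSTA", "ip": "10.0.4.21"},   # truncated twin of the above
    {"host": "HR-LAPTOP-01", "ip": "10.0.4.35"},
    {"host": "ENGINEERING-BUI", "ip": "10.0.4.50"},   # exactly 15 chars, no twin
    {"host": "finance-worksta", "ip": "10.0.4.99"},   # same prefix, different IP
]

if __name__ == "__main__":
    for short, full, ip in pair_truncated_duplicates(SAMPLE):
        print(f"{ip}: '{short}' duplicates '{full}'; act on '{full}'")
    for name in names_to_rename(SAMPLE):
        print(f"rename to 15 characters or less: {name}")
```

Matching on both IP address and name prefix keeps unrelated hosts that merely share a 15-character prefix from being merged.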