ATP is unable to properly identify the exact and correct endpoint involved in an incident | Host name nomenclature best practices


Article ID: 170178


Updated On:


Advanced Threat Protection Platform


When you use the Advanced Threat Protection (ATP): Network control point, ATP is unable to identify the exact endpoint involved in an incident. Instead, the endpoint it reports is unavailable, incorrect, or too generic to identify the endpoint.


ATP can only identify endpoints by IP address. ATP can use a reverse DNS lookup to get the domain name from the IP address. However, in some cases this reverse DNS lookup is either not enabled or times out for unknown reasons. Also, the IP address by itself is not a reliable way to identify an endpoint, because the IP address continually changes due to DHCP and gets reallocated to other endpoints. Additionally, if you have endpoints whose device name (host name) is not configured properly, ATP may get generic names such as 'User-PC', 'Administrator-PC', or 'Admin-PC'. Finally, using generic host names for multiple endpoints makes it difficult to trace events/incidents back to the endpoint from which they originated.


ATP:N 2.0 and later


To ensure proper endpoint event correlations, ATP requires that all endpoints have unique host names. Failure to do so results in ATP mismatching endpoints to events, which can lead to confusing or incorrect information. For example:
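The following is an added example, not code from the original article or from the ATP product, that illustrates both the cause described above (IP-only identification, reverse DNS that fails, DHCP reallocation, generic host names) and the resolution (unique host names). It assumes a hypothetical endpoint inventory keyed by MAC address and a DHCP lease history, both constructed inline; the "generic name" regex is a heuristic of this example, not an ATP rule. The `identify_endpoint` function accepts an injectable resolver so the reverse-DNS failure path can be exercised offline.

```python
"""Host name uniqueness audit and IP-to-endpoint correlation.

Added example (not from the original article). Assumes a hypothetical
endpoint inventory and DHCP lease history, both constructed below.
"""
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample inventory: host name as configured on the device, keyed by MAC.
INVENTORY = {
    "00:11:22:33:44:01": "User-PC",
    "00:11:22:33:44:02": "User-PC",        # same name as the device above
    "00:11:22:33:44:03": "Admin-PC",
    "00:11:22:33:44:04": "FIN-LT-0042",    # unique, site-role-asset scheme
    "00:11:22:33:44:05": "HR-WS-0107",
}

# Constructed DHCP lease history: (start, end, ip, mac). The same IP is
# reallocated to a different device once the first lease ends.
LEASES = [
    ("2024-03-01T08:00", "2024-03-01T16:00", "10.0.5.20", "00:11:22:33:44:01"),
    ("2024-03-01T16:30", "2024-03-02T09:00", "10.0.5.20", "00:11:22:33:44:02"),
    ("2024-03-01T08:00", "2024-03-02T09:00", "10.0.5.21", "00:11:22:33:44:04"),
]

# Heuristic (an assumption of this example): a name made only of a default
# account or device word, with no site, role or asset number, is generic.
GENERIC_NAME = re.compile(
    r"^(user|admin|administrator|owner|desktop|laptop|pc)([-_](pc|desktop|laptop))?$",
    re.IGNORECASE,
)


def is_generic(hostname: str) -> bool:
    """True for host names such as 'User-PC' or 'Administrator-PC'."""
    return GENERIC_NAME.match(hostname) is not None


def audit_hostnames(inventory: dict) -> dict:
    """MACs carrying generic names, and names shared by more than one device."""
    by_name = defaultdict(list)
    for mac, name in inventory.items():
        by_name[name.lower()].append(mac)
    generic = sorted(mac for mac, name in inventory.items() if is_generic(name))
    duplicates = {name: macs for name, macs in by_name.items() if len(macs) > 1}
    return {"generic": generic, "duplicates": duplicates}


def mac_for_ip_at(ip: str, when: str, leases=LEASES):
    """Which MAC held this IP at the given time, according to the lease history."""
    t = datetime.fromisoformat(when)
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return mac
    return None


def reverse_dns(ip: str):
    """Reverse lookup as ATP attempts it; None when there is no PTR or the query fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def identify_endpoint(ip: str, when: str, resolver=reverse_dns,
                      inventory=INVENTORY, leases=LEASES) -> dict:
    """Map an event's source IP to a device and say whether the name is unambiguous.

    Preference order: reverse DNS, then the DHCP lease covering the event time.
    The result is ambiguous when the host name is generic or is shared by more
    than one device in the inventory.
    """
    name = resolver(ip)
    mac = mac_for_ip_at(ip, when, leases)
    if name is None and mac is not None:
        name = inventory.get(mac)
    if name is None:
        return {"ip": ip, "mac": mac, "hostname": None, "ambiguous": True,
                "reason": "no reverse DNS and no lease covering the event time"}
    same_name = [m for m, n in inventory.items() if n.lower() == name.lower()]
    reason = None
    if is_generic(name):
        reason = "generic host name"
    elif len(same_name) > 1:
        reason = f"host name shared by {len(same_name)} devices"
    return {"ip": ip, "mac": mac, "hostname": name,
            "ambiguous": reason is not None, "reason": reason}


if __name__ == "__main__":
    no_ptr = lambda ip: None  # stands in for a reverse lookup that times out
    print(audit_hostnames(INVENTORY))
    # Same IP, same reported name, two different physical devices:
    print(identify_endpoint("10.0.5.20", "2024-03-01T12:00", resolver=no_ptr))
    print(identify_endpoint("10.0.5.20", "2024-03-02T08:00", resolver=no_ptr))
    print(identify_endpoint("10.0.5.21", "2024-03-02T08:00", resolver=no_ptr))
```

Running the script shows the failure mode the article describes: events from 10.0.5.20 before and after the lease change both resolve to "User-PC", yet they come from two different devices, so only the audit output (which MACs need a unique, non-generic name) lets the correlation be repaired at the source.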