ATP is unable to properly identify the exact and correct endpoint involved in an incident | Host name nomenclature best practices

Article ID: 170178

Products

Advanced Threat Protection Platform

Issue/Introduction

When you use the Advanced Threat Protection (ATP): Network control point, ATP is unable to identify the exact endpoint involved in an incident. Instead, the endpoint information it provides is unavailable, incorrect, or too generic to identify the endpoint.

Cause

ATP can only identify endpoints by IP address. ATP can use a reverse DNS lookup to get the host name from the IP address; however, in some cases this reverse DNS lookup is either not enabled or times out for unknown reasons. The IP address by itself is not a reliable way to identify an endpoint, because DHCP continually changes IP addresses and reallocates them to other endpoints. Additionally, if you have endpoints whose device name (host name) is not configured properly, ATP may see generic names such as "User-PC", "Administrator-PC", or "Admin-PC". Finally, using generic host names for multiple endpoints makes it difficult to trace events and incidents back to the endpoint from which they originated.

Environment

ATP:N 2.0 and later

Resolution

To correlate endpoint events correctly, ATP requires that every endpoint have a unique host name. If host names are not unique, ATP mismatches endpoints to events, which can lead to confusing or incorrect information. For example, a unique naming scheme could be:

L-<employee-id>-PC
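As an added example that is not part of the original article, the following Python script audits a constructed host-name inventory for the three problems the article describes: generic default names, host names shared by more than one endpoint, and names that do not follow the L-<employee-id>-PC scheme. The numeric employee-id format is an assumption made for this example.

```python
import re
from collections import Counter

# Generic default names that ATP cannot trace back to a single endpoint
# (the article lists User-PC, Administrator-PC and Admin-PC).
GENERIC_HOST_NAMES = {"user-pc", "administrator-pc", "admin-pc"}

# Naming scheme from the article: L-<employee-id>-PC. Treating the
# employee-id as a run of digits is an assumption for this example.
HOST_NAME_PATTERN = re.compile(r"^L-\d+-PC$", re.IGNORECASE)


def audit_hostnames(hostnames):
    """Return the host-name problems that break ATP endpoint correlation.

    hostnames: iterable of device names as reported by the endpoints.
    Returns a dict with three sorted lists of lower-cased names:
      generic       - default names not attributable to one device
      duplicate     - names reported by more than one endpoint
      nonconforming - names that do not follow L-<employee-id>-PC
    """
    normalized = [h.strip().lower() for h in hostnames]
    counts = Counter(normalized)
    generic = sorted(h for h in counts if h in GENERIC_HOST_NAMES)
    duplicate = sorted(h for h, n in counts.items() if n > 1)
    nonconforming = sorted(h for h in counts if not HOST_NAME_PATTERN.match(h))
    return {"generic": generic, "duplicate": duplicate, "nonconforming": nonconforming}


# Constructed sample inventory (not real data) covering each failure mode.
SAMPLE_INVENTORY = [
    "L-10482-PC",
    "L-10483-PC",
    "User-PC",
    "User-PC",          # generic name reused on two machines
    "Admin-PC",
    "finance-laptop",   # unique but outside the naming scheme
    "L-10482-PC",       # valid-looking name, but two endpoints share it
]

if __name__ == "__main__":
    report = audit_hostnames(SAMPLE_INVENTORY)
    for category, names in report.items():
        print(f"{category}: {', '.join(names) if names else 'none'}")
```

Run the audit against an exported asset inventory before onboarding endpoints to ATP; any name in the duplicate or generic lists will be attributed ambiguously in incidents.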