Endpoint Detection and Response reports the wrong IP address for Endpoint Protection clients.

Article ID: 184869

Products

Advanced Threat Protection Platform

Issue/Introduction

When viewing the Endpoint Entity page within Endpoint Detection and Response (SEDR), the IP address listed for the Endpoint Protection (SEP) client is incorrect. The IP address shown is not the IP address the client uses to connect to the Endpoint Protection Manager (SEPM). The IP address listed will generally be the first IP address in the client's NIC binding order.

Cause

SEDR is configured to obtain the IP address from the SEPM REST API using the first address in the ipAddresses array instead of the "lastConnectedIpAddr" value.

Resolution

This issue is addressed in Endpoint Detection and Response 4.4. Starting with version 4.4, SEDR displays the lastConnectedIpAddr value provided by the SEPM REST API as long as it is an IPv4 address and the address matches an entry in the ipAddresses array. Otherwise, the first IPv4 address listed in the ipAddresses array is used.
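
The selection rule above, next to the pre-4.4 behavior from the Cause section, as an added example (not Symantec or Broadcom code) that can be used to predict which clients will show a different address after upgrading. Only lastConnectedIpAddr and ipAddresses come from this article; the "name" key, the sample records, exact string matching, and returning None when no IPv4 address exists are assumptions.

```python
import ipaddress

def is_ipv4(value):
    """True only for a string that parses as an IPv4 address."""
    if not isinstance(value, str):
        return False
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def legacy_display_ip(record):
    """Pre-4.4 (Cause): first entry of ipAddresses, whatever it is."""
    addrs = record.get("ipAddresses") or []
    return addrs[0] if addrs else None

def display_ip(record):
    """4.4 (Resolution): lastConnectedIpAddr if it is IPv4 and listed in
    ipAddresses, otherwise the first IPv4 entry of ipAddresses."""
    addrs = record.get("ipAddresses") or []
    last = record.get("lastConnectedIpAddr")
    if is_ipv4(last) and last in addrs:  # assumption: exact string match
        return last
    # Assumption: None when the array holds no IPv4 address at all.
    return next((a for a in addrs if is_ipv4(a)), None)

def mismatches(records):
    """Names of clients whose displayed IP differs between the two rules."""
    return [r["name"] for r in records
            if legacy_display_ip(r) != display_ip(r)]

# Constructed sample records (documentation address ranges), not API output.
SAMPLE = [
    {"name": "multi-nic", "ipAddresses": ["192.0.2.10", "198.51.100.20"],
     "lastConnectedIpAddr": "198.51.100.20"},
    {"name": "v6-last", "ipAddresses": ["2001:db8::5", "192.0.2.30"],
     "lastConnectedIpAddr": "2001:db8::5"},
    {"name": "stale-last", "ipAddresses": ["192.0.2.40"],
     "lastConnectedIpAddr": "203.0.113.7"},
    {"name": "v6-only", "ipAddresses": ["2001:db8::9"],
     "lastConnectedIpAddr": "2001:db8::9"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["name"], legacy_display_ip(rec), "->", display_ip(rec))
```

The "stale-last" record shows the fallback: a lastConnectedIpAddr that is not in ipAddresses is ignored, so the displayed address can still differ from the one the SEPM saw.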