When viewing the Endpoint Entity page within Endpoint Detection and Response (SEDR), the IP address listed for the Endpoint Protection (SEP) client is incorrect. The IP address shown is not the IP address the client uses to connect to the Endpoint Protection Manager (SEPM). The IP address listed will generally be the first IP address in the client's NIC binding order.
SEDR is configured to obtain the IP address from the SEPM REST API using the first address in the IP Addresses array instead of the "lastConnectedIpAddr" value.
This issue is addressed in Endpoint Detection and Response 4.4. Starting with version 4.4, EDR will display the lastConnectedIpAddr value provided by the SEPM REST API as long as it is an IPv4 address AND the address matches an entry in the ipAddresses array. Otherwise, the first IPv4 address listed in the ipAddresses array will be used.