Endpoint ID

L3 Networker

Hi,

 

Can 2 endpoints have the same endpoint ID? We ask because we observed that 1 endpoint got removed from the console, and upon checking, the endpoint ID of the missing endpoint is present on the console but with a different hostname.

 

Thanks

Accepted Solutions

L5 Sessionator

Hi @Shahwaz_Md ,

 

Thank you for writing to live community!

 

The Endpoint ID does not rotate as such with different endpoints, and that too for a very specific reason. The endpoint ID is always created as part of a complex algorithm which captures the hardware ID of the endpoint and the agent distribution. However, that being said, it would not eliminate the fact that people always look for endpoints by hostname, and they would end up finding two hostnames for the same ID. The caveat would be that one of them would most likely be either disconnected, connection lost, or possibly not even exist on the tenant.

The most common reason we have found, from our experience, is the ability to rotate and pass on devices from one employee to another. So, in your case, it is possible that the endpoint was installed with the agent, then it was reimaged and the hostname was changed for another employee, and then it was installed with the XDR agent. In both circumstances, the hardware ID remained the same, as it was the same disk but with different hostnames.

An alternative theory can also exist: if the previous endpoint with a specific hostname had some issues with the circuitry or the hardware or anything else, the hard disk was retrieved from the machine by pulling it out and plugged in to another endpoint, and then if you reimage the second host with the same hard disk and get an endpoint name, it would essentially contain the same endpoint ID. Maybe you would want to check internally and then correlate whether the previous hostname was re-imaged and renamed.

 

Hope this helps! Please mark the response as "Accept as Solution" if it answers your query.
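An added example (not part of the original thread, and not Palo Alto Networks code) of the correlation suggested above: group an endpoint inventory export by endpoint ID and report every ID seen under more than one hostname, with the most recently seen record treated as the current owner. The CSV column names, status values and sample rows are constructed assumptions, not the console's export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names and values are assumptions.
SAMPLE_EXPORT = """endpoint_id,hostname,status,last_seen
aaaa1111,LAPTOP-ALICE,connection_lost,2024-01-10T09:00:00
aaaa1111,LAPTOP-BOB,connected,2024-03-02T14:30:00
bbbb2222,SRV-BUILD01,connected,2024-03-02T14:31:00
cccc3333,KIOSK-07,disconnected,2024-02-01T08:00:00
cccc3333,kiosk-07,connected,2024-03-01T08:00:00
"""


def find_reused_ids(export_text):
    """Return {endpoint_id: {...}} for IDs seen under more than one hostname."""
    by_id = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
        by_id[row["endpoint_id"].strip()].append(row)

    findings = {}
    for endpoint_id, rows in by_id.items():
        # Compare hostnames case-insensitively so KIOSK-07 / kiosk-07
        # is not reported as a rename.
        names = {r["hostname"].strip().lower() for r in rows}
        if len(names) < 2:
            continue
        # Newest record first: that hostname is the machine's current identity.
        rows.sort(key=lambda r: r["last_seen"], reverse=True)
        current = rows[0]
        current_name = current["hostname"].strip()
        previous = []
        for r in rows[1:]:
            name = r["hostname"].strip()
            if name.lower() != current_name.lower() and name not in previous:
                previous.append(name)
        findings[endpoint_id] = {
            "current": current_name,
            "current_status": current["status"],
            "previous": previous,
        }
    return findings


if __name__ == "__main__":
    for eid, f in find_reused_ids(SAMPLE_EXPORT).items():
        print(f"{eid}: now {f['current']} ({f['current_status']}), "
              f"previously {', '.join(f['previous'])}")
```

Each hostname listed under `previous` is a candidate to check against asset records for a re-image or disk move before the stale entry is dismissed.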

L3 Networker

Thanks for the detailed response, Neel. I am also suspecting the reallocation of an old machine and just changing the hostname to be the issue here.

Thanks again for the explanation.
