
Hi @Shahwaz_Md,

Thank you for writing to live community!

The Endpoint ID does not rotate as such with different endpoints, and that too for a very specific reason. The endpoint ID is always created as part of a complex algorithm which captures the hardware ID of the endpoint and the agent distribution. However, that being said, it would not eliminate the fact that people always look for endpoints by hostname, and they would end up finding two hostnames for the same ID. The caveat would be that one of them would most likely be either disconnected, connection lost, or possibly not even exist on the tenant.

The most common reason we have found, from our experience, is the ability to rotate and pass on devices from one employee to another. So, in your case, it is possible that the endpoint was installed with the agent, then it was reimaged and the hostname was changed for another employee, and then it was installed with the XDR agent. In both circumstances, the hardware ID remained the same, as it was the same disk but with different hostnames.

An alternative theory can also exist: if the previous endpoint with a specific hostname had some issues with the circuitry or the hardware or anything else, the hard disk was retrieved from the machine by pulling it out and plugged in to another endpoint, and if you then reimage the second host with the same hard disk and get an endpoint name, it would essentially contain the same endpoint ID. Maybe you would want to check internally and then correlate whether the previous hostname was reimaged and renamed.

Hope this helps! Please mark the response as "Accept as Solution" if it answers your query.
