ATP - Duplicate Entries in Machines List


Hi,

We have started to see several cases where machines are duplicated for a number of reasons and this has somewhat caused a concern for us while a machine is listed in the active state.

We understand the offboarding process, as mentioned back in March by Heike Ritter, however this is not always a practical solution, especially when a machine was rebuilt and the process was not followed. Furthermore, when a machine is rebuilt and a duplicate (or more) entry is created, the older of the two or more entries seems to stay active for 7 days before moving to a non-active state.

With this issue, can we possibly request a functionality where we can force change the status of a known (non-active) machine to inactive? (In Qualys the same symptom of duplicates exists and here we can delete the asset entry.) Naturally, if the machine with the same machine ID comes back online for some reason it should be marked active again.

Thanks

Mornay

2 Replies
Agree. Also a Qualys user, and it's very handy to be able to clean out inactive records on demand; helps to make reports reflect a far more accurate view of what's going on. It would be useful to have the same feature in Defender ATP.

@jamrobot Duplicate 'inactive' machines are also affecting my organisation's TVM exposure score. An example being a machine with three instances. One active, and two inactive. The active machine shows far fewer ‘Security Recommendations’ than its inactive counterparts.

I understand that ATP retains previous inactive iterations because at the data retention setting, we have it set at 180 days.

However, it appears that the exposure score is using the security recommendations on the inactive machines to calculate its score. Most of which have been dealt with as can be seen by looking at the active machine. I have asked if there is a way of omitting the inactive machines if there is a matching active one. I will feed back if I find out anything.
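
The filter discussed in this thread can be approximated offline against an exported machine list. The following is an added example, not part of any post and not Microsoft's code: it flags inactive records that have a matching active record for the same hostname, and also the rebuilt-machine case where two records for one hostname are both still active. The CSV column names and every sample row are constructed assumptions, not a real ATP export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names are assumptions, not an ATP schema.
SAMPLE_CSV = """machine_id,hostname,health_status,last_seen
aaa111,WS-001.corp.example,Active,2019-08-20T09:15:00
bbb222,ws-001.corp.example,Inactive,2019-07-02T16:40:00
ccc333,WS-001.corp.example,Inactive,2019-05-11T08:05:00
ddd444,WS-002.corp.example,Active,2019-08-19T12:00:00
eee555,WS-003.corp.example,Inactive,2019-06-30T10:30:00
fff666,WS-004.corp.example,Active,2019-08-20T07:00:00
ggg777,WS-004.corp.example,Active,2019-08-14T07:00:00
"""


def load_machines(text):
    """Parse the export and convert last_seen to datetime for comparison."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
    return rows


def classify_duplicates(rows):
    """Return (stale_ids, review_ids).

    stale_ids:  inactive records whose hostname also has an active record,
                i.e. the ones to leave out of exposure reporting.
    review_ids: older active records where a hostname has more than one
                active record (rebuilt machine, old entry not yet aged out).
    """
    by_host = defaultdict(list)
    for row in rows:
        # Hostname case can differ between the old and the rebuilt record.
        by_host[row["hostname"].strip().lower()].append(row)

    stale, review = [], []
    for records in by_host.values():
        active = [r for r in records if r["health_status"].lower() == "active"]
        inactive = [r for r in records if r["health_status"].lower() != "active"]
        if active:
            stale.extend(r["machine_id"] for r in inactive)
        if len(active) > 1:
            newest = max(active, key=lambda r: r["last_seen"])
            review.extend(r["machine_id"] for r in active if r is not newest)
    return sorted(stale), sorted(review)


if __name__ == "__main__":
    print(classify_duplicates(load_machines(SAMPLE_CSV)))
```

An inactive record with no active counterpart (`eee555` in the sample) is deliberately left alone, since it may be a machine that is simply offline rather than a duplicate.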