Resolution | There are two methods to locate the missing machine name.
First Method
- Log into the RSA NetWitness Endpoint UI.
- Select Machines Panel and right-click the column description panel.
- Right-click Column Chooser and then right-click the arrow next to Machine.ECAT.
- Check the Agent ID box and then close it. The Agent ID will now be searchable using various filters in the ECAT UI.
Second Method
You can locate the source of the alert by running a query based on the Agent ID. (The Agent ID is a unique combination of alphanumeric characters. Each string is used only once for any machine: even if the machine name, IP address, or MAC address changes, the Agent ID will remain the same.)
The first step is to log into the ECAT database using SQL Studio Manager.
- Select -> New Query -> Drill down box, select the name of the ECAT database.
- Type the following query:
select machineName,MacAddress,agentID from machines where AgentID = '<AGENT ID>'
(Note: replace <AGENT ID> with the actual Agent ID found in the alert.)
Screenshot from Lab SQL Server:

The above query will allow you to see what the new machine name is for the client machine. |