What determines if a machine is "on-prem" versus "off-prem" when investigating a device?
The Sensor decides whether a device presents as on-prem or off-prem from two conditions, an FQDN check and a reachable-host check, using the values defined in the UI under Settings - General.
If a relevant FQDN defined there (for example *.company.com) is registered as a DNS suffix on the device's network adapter, that condition is met and the device can be recognized as on-prem. If the device is connected to the company network and the Sensor can ping one or more of the IP addresses or FQDNs defined under Reachable Hosts, that condition is also met. Either condition is sufficient: if one or both are met, the device is considered on-prem; if neither is met, the machine is off-prem.
The following statement in Reachable Hosts:
"A reachable host should be the IP address or FQDN for a host that can only be reached when the device is on-prem. A good example would be the name of your internal DNS server. Private IP addresses (10.x.x.x, 172.x.x.x, etc.) are not allowed."
is a broad statement based on RFC 1918, which reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for private networks (the UI wording "172.x.x.x" is wider than the RFC range, which only covers 172.16.0.0 through 172.31.255.255). The concern is that a home user whose home network uses an address such as 172.16.x.x that happens to match an entry in Reachable Hosts would have that host answer the ping, and the Sensor would incorrectly report the device as on-prem.
This is not limited to private ranges. Any IP address or FQDN in Reachable Hosts that also answers on a home or remote network can satisfy the condition, and the Sensor then reports on-prem when the device is really off-prem. Choose hosts that exist only inside the company network, such as an internal DNS server, and check that they do not respond from a typical home network.
Example of Investigation Screen illustrating a device that is off-prem.
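The following is an added example, not code from the product or the original article, that models the two conditions described above (adapter DNS suffix matching a configured FQDN, or a configured reachable host answering a ping) together with an RFC 1918 check of the kind the Reachable Hosts rule describes. All hostnames, addresses and the simulated ping results are constructed for illustration, and the function names are hypothetical. The home-network scenario shows the false on-prem result the article warns about when a private address in Reachable Hosts collides with a home router.

```python
import ipaddress
from fnmatch import fnmatch
from typing import Callable, Iterable, List

# RFC 1918 private ranges. The 172 block is 172.16.0.0/12, which is narrower
# than the "172.x.x.x" wording in the product UI.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host: str) -> bool:
    """True if host is an IPv4 literal inside an RFC 1918 range; FQDNs return False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal, so treat it as an FQDN
    return any(addr in net for net in RFC1918_NETS)


def rejected_reachable_hosts(hosts: Iterable[str]) -> List[str]:
    """Entries the Reachable Hosts rule would reject because they are private addresses."""
    return [h for h in hosts if is_rfc1918(h)]


def fqdn_condition(adapter_suffixes: Iterable[str], fqdn_patterns: Iterable[str]) -> bool:
    """Condition 1: a DNS suffix registered on the adapter matches a configured FQDN pattern."""
    return any(fnmatch(s.lower(), p.lower())
               for s in adapter_suffixes for p in fqdn_patterns)


def reachable_host_condition(reachable_hosts: Iterable[str], ping: Callable[[str], bool]) -> bool:
    """Condition 2: at least one configured reachable host answers a ping."""
    return any(ping(h) for h in reachable_hosts)


def is_on_prem(adapter_suffixes, fqdn_patterns, reachable_hosts, ping) -> bool:
    """Either condition is sufficient for on-prem; neither means off-prem."""
    return (fqdn_condition(adapter_suffixes, fqdn_patterns)
            or reachable_host_condition(reachable_hosts, ping))


# Constructed configuration (hypothetical values, not a real tenant's settings).
FQDN_PATTERNS = ["*.company.com"]
REACHABLE_HOSTS = ["dns.corp.company.com", "172.16.0.1"]  # the second entry is the risky one


def ping_from(answering_hosts: set) -> Callable[[str], bool]:
    """Simulated ICMP reachability: only hosts in the set answer."""
    return lambda host: host in answering_hosts


def scenario_office() -> bool:
    # Corporate suffix on the adapter and the internal DNS server answers.
    return is_on_prem(["corp.company.com"], FQDN_PATTERNS, REACHABLE_HOSTS,
                      ping_from({"dns.corp.company.com", "172.16.0.1"}))


def scenario_coffee_shop() -> bool:
    # No corporate suffix and nothing in Reachable Hosts answers: off-prem.
    return is_on_prem(["lan"], FQDN_PATTERNS, REACHABLE_HOSTS, ping_from(set()))


def scenario_home_collision() -> bool:
    # Home router happens to live at 172.16.0.1 and answers ping,
    # so the device is wrongly classified as on-prem.
    return is_on_prem(["home.arpa"], FQDN_PATTERNS, REACHABLE_HOSTS,
                      ping_from({"172.16.0.1"}))


if __name__ == "__main__":
    print("rejected by the private-address rule:", rejected_reachable_hosts(REACHABLE_HOSTS))
    print("office on-prem:", scenario_office())
    print("coffee shop on-prem:", scenario_coffee_shop())
    print("home with 172.16.0.1 router on-prem:", scenario_home_collision())
```

The private-address check is the mitigation the UI text describes, but the collision scenario shows why it is only partial: any host in Reachable Hosts that can answer from outside the company network, private or not, produces the same false on-prem result, so each entry should be something that genuinely exists only inside the company network.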
Can multiple sites be defined?
Only one site can be set up, by design. In theory you could define a name, FQDN and set of IP addresses that only a specific group of devices can reach, so that those devices effectively form their own "site". By current design this is NOT an effective way to group devices into sites, because the result is only visible when investigating an individual device (whether it is on or off-prem and its associated "connections").