briandelmsft / STAT-Function

Azure Function for the Microsoft Sentinel Triage AssistanT (STAT)
https://aka.ms/mstat
MIT License

MDE Device Id Enrichment #81

Closed briandelmsft closed 3 months ago

briandelmsft commented 3 months ago

In the event a host entity is received without an MDE device ID, no effort was made to obtain one, so modules like MDE would not function on those host entities.

This change will do a best-effort lookup of the device by FQDN and hostname to return the MDE device ID. FQDN matches are preferred over hostname matches. In the event there is more than one device ID found reporting in the last 12 hours with the same type of match (on FQDN or on hostname), we will not enrich, since we don't know which device ID to use. If any failure occurs running the query to get the MDE device ID, the base module will continue without the enrichment.
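The selection rules described in this PR, as an added example that is not the project's own code: a best-effort resolver that prefers a unique FQDN match, falls back to a unique hostname match, returns no ID when either match type is ambiguous within the 12-hour window, and swallows query failures so the caller can continue unenriched. The `DeviceRecord` shape, the field names, the sample devices, the choice to apply the 12-hour filter client-side, and the rule that a "hostname match" compares the first DNS label of `DeviceName` are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List, Optional


# Assumed record shape, loosely modelled on the DeviceId / DeviceName /
# Timestamp columns of an MDE advanced hunting DeviceInfo query. The field
# names are an assumption for this example, not the project's query output.
@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    device_name: str      # FQDN where MDE knows one, otherwise a bare hostname
    last_seen: datetime   # last report time (tz-aware)


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample data: one clean FQDN match, one hostname shared across
# two domains, one stale duplicate, one short/FQDN collision, and one FQDN
# that reports under two device IDs (e.g. a reimaged host).
SAMPLE_DEVICES: List[DeviceRecord] = [
    DeviceRecord("aaaa1111", "web01.corp.contoso.com", NOW - timedelta(hours=1)),
    DeviceRecord("bbbb2222", "web01.lab.contoso.com", NOW - timedelta(hours=2)),
    DeviceRecord("cccc3333", "db01", NOW - timedelta(hours=3)),
    DeviceRecord("dddd4444", "db01", NOW - timedelta(days=3)),   # outside 12h window
    DeviceRecord("eeee5555", "app01", NOW - timedelta(minutes=30)),
    DeviceRecord("ffff6666", "app01.corp.contoso.com", NOW - timedelta(minutes=45)),
    DeviceRecord("gggg7777", "web02.corp.contoso.com", NOW - timedelta(hours=1)),
    DeviceRecord("hhhh8888", "web02.corp.contoso.com", NOW - timedelta(hours=5)),
]


def _single_id(records: List[DeviceRecord]) -> Optional[str]:
    """Return the device ID only if every record agrees on exactly one ID."""
    ids = {r.device_id for r in records}
    return ids.pop() if len(ids) == 1 else None


def resolve_mde_device_id(
    fqdn: Optional[str],
    hostname: Optional[str],
    query: Callable[[], Iterable[DeviceRecord]],
    now: datetime = NOW,
    window: timedelta = timedelta(hours=12),
) -> Optional[str]:
    """Best-effort MDE device ID lookup for a host entity.

    Returns the ID of a unique FQDN match, else of a unique hostname match,
    else None (no match, ambiguous match, or query failure).
    """
    try:
        # Only devices that reported inside the window count as candidates.
        recent = [d for d in query() if now - d.last_seen <= window]
    except Exception:
        return None  # any query failure: continue without enrichment

    if fqdn:
        fqdn_hits = [d for d in recent if d.device_name.lower() == fqdn.lower()]
        if fqdn_hits:
            # Exactly one ID -> enrich. Several IDs -> ambiguous; do not fall
            # back to hostname, since that match would be at least as ambiguous.
            return _single_id(fqdn_hits)

    if hostname:
        host = hostname.lower()
        host_hits = [d for d in recent if d.device_name.lower().split(".")[0] == host]
        return _single_id(host_hits)

    return None


if __name__ == "__main__":
    # Unique FQDN match wins even though the bare hostname "web01" is shared.
    print(resolve_mde_device_id("web01.corp.contoso.com", "web01", lambda: SAMPLE_DEVICES))
    # Ambiguous hostname: two device IDs share "app01" in the window.
    print(resolve_mde_device_id(None, "app01", lambda: SAMPLE_DEVICES))
```

The ambiguity check is done on distinct device IDs rather than row counts, so a single device that reported several times inside the window still resolves; only a second ID for the same name suppresses the enrichment.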

piaudonn commented 3 months ago

I recall there was a reason why this wasn't done back in the day. But I can't seem to remember which one.

briandelmsft commented 3 months ago

@piaudonn wasn't it just the risk of picking the wrong device? Since there's no guarantee that the device name is unique? I feel like that risk is adequately addressed, since this will prefer FQDN matches to hostname, and if it falls back to hostname it will only return the ID if there are no other device IDs with the same name reporting in the last 12h.