Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MDE Device Id Enrichment #81

Merged
merged 3 commits into from
Jun 22, 2024
Merged

MDE Device Id Enrichment #81

merged 3 commits into from
Jun 22, 2024

Conversation

briandelmsft
Copy link
Owner

@briandelmsft briandelmsft commented Jun 20, 2024
edited
Loading

In the event a host entity is received without an MDE device ID, no effort was made to obtain one, so modules like MDE would not function on those host entities.

This change will do a best effort to lookup the device by FQDN and Hostname to return the MDE device id. FQDN matches are preferred over Hostname matches. In the event there is more than one device id found reporting in the last 12 hours with the same type of match (on FQDN or on hostname), we will not enrich since we don't know which device id to use. If any failure occurs running the query to get the MDE device id the base module will continue without the enrichment

@briandelmsft briandelmsft linked an issue Jun 20, 2024 that may be closed by this pull request
[Feature] Add additional methods to MDE module briandelmsft/SentinelAutomationModules#452
Closed
@briandelmsft briandelmsft marked this pull request as ready for review June 20, 2024 14:57
@piaudonn
Copy link
Collaborator

I recall there was a reason was this wasn't done back in the day. But I can't seem to remember which one.

@briandelmsft
Copy link
Owner Author

@piaudonn wasn't it just the risk of picking the wrong device? Since there's no guarantee that the device name is unique? I feel like that risk is adequately addressed since this will prefer FQDN matches to hostname and if it fails to hostname it will only return the ID of there's no other device IDs with the same name reporting in the last 12h

@piaudonn piaudonn merged commit b5f7bde into main Jun 22, 2024
2 checks passed
@piaudonn piaudonn deleted the mde_id_enrichment branch June 22, 2024 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@piaudonn piaudonn piaudonn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Feature] Add additional methods to MDE module
2 participants
@briandelmsft @piaudonn