DNS is going to be the most general way.
For agents, node name/IP comes from information the agent itself picks up, since we have a point of presence there.
For non-agents, node name comes from DetectionIP, which comes from parsing the log data. We pull the DetectionIP from the log message itself and in the case of most (all?) Cisco connectors doesn't use the origin ID, it comes from the source of the syslog data, which is written by the syslog daemon.