How does the EDR create the device_uid?
Broadcom describes the behavior around the device_uid field within the EDR appliance as follows:
1. SEDR creates device_uid when endpoint enrolls into SEDR's ECC 2.0.
- When the SEPM Connector is configured and a data sync has happened, SEDR collects the list of endpoints that belong to the source SEPM Group, then issues a GUID for each new device.
- The device_uid is revoked when the endpoint unenrolls from SEDR's provisioning.
- When the SEPM Connector is deleted, or the endpoint is deleted from the SEPM Group, the device_uid is revoked.
(This explains why the same device is recognized with a different device_uid after a reconfiguration of the SEPM Connector, e.g. due to MDR index saturation.)
2. SEDR uses device_uid to manage the authentication secret of an enrolled endpoint.
- Once enrolled, the SEP Agent establishes a long-polling HTTP (TCP) connection to the SEDR appliance on port 80. New policies and commands (get-file, isolate, etc.) are issued through this connection under the ECC 2.0 protocol.
- device_uid is the key that identifies the endpoint under this protocol.
- EDR Recorder events (800x), other telemetry submissions, and reputation lookup events carry this device_uid to associate them with the endpoint.
3. device_uid is submitted to SEPM by the SEP Agent and is stored in the SEPM database.
- The SEDR appliance includes device_uid when requesting LCP events (4123, 4124 events) from SEPM.
- However, it is not related to the UUID or other unique IDs in the SEPM client properties.
- UUIDs and other unique IDs are managed independently by SEPM.
4. device_uid is just a GUID-format string.
- device_uid is generated by the Linux operating system underneath the SEDR appliance.
- device_uid is compliant with the OSF DCE 1.1 random-based UUID format.
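Two practical consequences of the points above are worth checking in code: a device_uid should parse as a random-based (version 4) UUID with the OSF DCE / RFC 4122 variant bits, and, because the identifier is revoked and reissued when the SEPM Connector is reconfigured, one host can legitimately show up under more than one device_uid in telemetry. The following Python is an added example written for this page; it is not Broadcom's or SEDR's code. The event rows and the `host` field name are constructed for illustration and do not reflect a real SEDR event schema.

```python
import uuid
from collections import defaultdict

# OSF DCE 1.1 random-based UUIDs are what RFC 4122 calls version 4 with the
# RFC 4122 variant (top bits of clock_seq_hi_and_reserved == 10).
def is_dce_random_uuid(value) -> bool:
    """Return True when value parses as a UUID whose version nibble is 4 and
    whose variant bits mark the OSF DCE / RFC 4122 layout."""
    try:
        u = uuid.UUID(str(value))
    except (ValueError, TypeError, AttributeError):
        return False
    # uuid.UUID reports version only for RFC 4122 variant UUIDs, so checking
    # both guards against NCS / Microsoft / reserved variants slipping through.
    return u.variant == uuid.RFC_4122 and u.version == 4


def new_random_uid() -> str:
    """Produce a fresh random-based UUID of the same format class. This is a
    stand-in for demonstration only; a real device_uid is issued by the SEDR
    appliance at enrollment, not by the endpoint."""
    return str(uuid.uuid4())


# Constructed sample telemetry rows (not taken from any appliance). ws-002
# appears under two device_uids, which is what a revoke-and-reissue after a
# SEPM Connector reconfiguration looks like when you join old and new events.
SAMPLE_EVENTS = [
    {"device_uid": "3f2504e0-4f89-41d3-9a0c-0305e82c3301", "host": "ws-001"},
    {"device_uid": "6ba7b810-9dad-41d1-80b4-00c04fd430c8", "host": "ws-002"},
    {"device_uid": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", "host": "ws-002"},
    {"device_uid": "3f2504e0-4f89-41d3-9a0c-0305e82c3301", "host": "ws-001"},
]


def invalid_uids(events):
    """Return the distinct device_uid values that fail the DCE 1.1 random
    UUID check; anything listed here is malformed or not an SEDR-issued id."""
    return sorted({e["device_uid"] for e in events
                   if not is_dce_random_uuid(e["device_uid"])})


def find_reissued_uids(events):
    """Group events by host and report hosts seen under more than one
    device_uid, so an analyst can merge the history of a re-enrolled device
    instead of treating it as two endpoints."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]].add(e["device_uid"])
    return {h: sorted(u) for h, u in by_host.items() if len(u) > 1}


if __name__ == "__main__":
    print("malformed:", invalid_uids(SAMPLE_EVENTS))
    print("reissued:", find_reissued_uids(SAMPLE_EVENTS))
```

Since device_uid is independent of the SEPM client's own UUID (point 3), the host name is used as the join key in the constructed sample; in a real investigation you would join on whatever stable endpoint attribute your SEPM export provides rather than on device_uid alone.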