How does the EDR create the uid device?
search cancel

How does the EDR create the uid device?


Article ID: 219694


Updated On:


Advanced Threat Protection Platform


How does the EDR create the uid device?



Release :

Component :


BROADCOM describes the behavior around the device_uid field within EDR appliance as follows:

1. SEDR creates device_uid when endpoint enrolls into SEDR's ECC 2.0.

- When SEPM Connector is configured and data sync happened, SEDR collects a list of endpoints which belongs to the source SEPM Group , then issue GUID for each new device. 
- The device_uid is revoked when the endpoint unenrolls from SEDR's provisioning.
- When SEPM Connector is deleted, or endpoint is deleted from SEPM Group, device_uid is revoked.
(This explains why same device is recognized with different device_uid after a reconfiguration of SEPM Connector, - due to MDR index saturation etc)

2. SEDR uses device_uid to manage authentication secret of enrolled endpoint.

- SEP Agent establishes long polling HTTP (TCP) connection against SEDR appliance port 80 once enrolled. 
  New policy, command (get-file, isolate etc.) is issued through this connection under ECC2.0 protocol. 
- device_uid is key to identify endpoint under this protocol.
- EDR Recorder events (800x) and other telemetry submission, reputation lookup events have this device_uid to associate with endpoint.

3. device_uid is submitted to SEPM from SEP Agent, and it is been stored into SEPM database.

- SEDR appliance includes device_uid to request LCP events (4123, 4124 events) from SEPM.
- However it is not related to UUID or other unique IDs of SEPM client properties.
- UUIDs or other uniqe IDs are managed independently by SEPM.

4. device_uid is just one type of GUID format string. 

- device_uid is generated by using Linux operating system underneath SEDR appliance. 
- device_uid is compliant with OSF DCE 1.1 random based UUID.