https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517328#M2984 <P>Hi!</P> <P>&nbsp;</P> <P>The problem is that this endpoint is not listed in Cortex XDR Portal. It was removed from Cortex XDR Portal, agent is still installed on endpoint and sending logs. Do you know how to address this kind of problem?</P> Mon, 10 Oct 2022 16:10:49 GMT tntrust 2022-10-10T16:10:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517279#M2978 <P>Hello,</P> <P>&nbsp;</P> <P>I have a case where logs are delivered to Data Lake from endpoint were we're unable to uninstall Cortex XDR agent. We also can't connect to this endpoint to take manual actions to stop receiving logs from it.</P> <P><SPAN>Is there any way to block/prevent these endpoint uploading logs to the Data Lake?</SPAN></P> <P><SPAN>From my knowledge, we could<SPAN class="">&nbsp;implement Exclusion Policy for endpoint to prevent creating Incidents of any alerts created for that endpoint.</SPAN></SPAN></P> <P>&nbsp;</P> <P><STRONG>Please answer if you know other solutions to this problem.</STRONG></P> <P><STRONG><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</STRONG></P> Thu, 18 Apr 2024 19:33:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517279#M2978 tntrust 2024-04-18T19:33:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517324#M2983 <P><SPAN>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/244548">@tntrust</a>,&nbsp;&nbsp;&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you are unable to connect to the endpoint to manually uninstall the Cortex XDR agent, you are also able to do it on the tenant side from the Action Center.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>This can be done by going to Incident Response &gt; Action Center &gt; + New Action</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_0-1665415927062.png" style="width: 658px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44531iCA147DCF3A08D00E/image-dimensions/658x50/is-moderation-mode/true?v=v2" width="658" height="50" role="button" title="mfakhouri_0-1665415927062.png" alt="mfakhouri_0-1665415927062.png" /></span></P> <P>&nbsp;</P> <P><BR /><BR /></P> <P><SPAN>Select “Agent Uninstall”, select next, and define your target endpoint. You are able to utilize filtering to define an agent scope for the uninstallation. In your case with an individual endpoint, it may be more useful to select the check mark to the left of the target list for manual selection.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Select next again, review the action summary, and select done. You are able to view the status of the uninstallation under “All Actions” in the Action Center.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mfakhouri_1-1665415927071.png" style="width: 654px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44532iBF75E175B430E1BA/image-dimensions/654x105/is-moderation-mode/true?v=v2" width="654" height="105" role="button" title="mfakhouri_1-1665415927071.png" alt="mfakhouri_1-1665415927071.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Alert exclusions would not work in this scenario since they are designed to suppress alerts, not block them. Though they will be disregarded as alerts by Cortex XDR, the query builder can still be used to search for this data in the Data Lake instance.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Further reading:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Uninstall the Cortex XDR agent:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/manage-cortex-xdr-agents/uninstall-the-cortex-agent" target="_blank"><SPAN>https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/manage-cortex-xdr-agents/uninstall-the-cortex-agent</SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Alert exclusions:</SPAN></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions" target="_blank"><SPAN>https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-endpoint-alerts/alert-exclusions</SPAN></A></P> Mon, 10 Oct 2022 15:39:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517324#M2983 mfakhouri 2022-10-10T15:39:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517328#M2984 <P>Hi!</P> <P>&nbsp;</P> <P>The problem is that this endpoint is not listed in Cortex XDR Portal. It was removed from Cortex XDR Portal, agent is still installed on endpoint and sending logs. Do you know how to address this kind of problem?</P> Mon, 10 Oct 2022 16:10:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517328#M2984 tntrust 2022-10-10T16:10:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517456#M3000 <P><SPAN>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/244548">@tntrust</a>,&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you are unable to view the Cortex XDR agents in the tenant and it is still sending logs to the CDL, we highly recommend contacting our technical assistance team at support.paloaltonetworks.com. They will be able to help identify the issue pertaining to your particular environment and provide any necessary workarounds.</SPAN></P> Tue, 11 Oct 2022 13:42:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517456#M3000 mfakhouri 2022-10-11T13:42:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517762#M3016 <P>Okay, I've contacted with PA Support.</P> Thu, 13 Oct 2022 09:53:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-logs-to-data-lake-from-specific-endpoint/m-p/517762#M3016 tntrust 2022-10-13T09:53:53Z