Block logs to Data Lake from specific endpoint


L1 Bithead

Hello,

I have a case where logs are delivered to the Data Lake from an endpoint where we're unable to uninstall the Cortex XDR agent. We also can't connect to this endpoint to take manual action to stop receiving logs from it.

Is there any way to block/prevent this endpoint from uploading logs to the Data Lake?

From my knowledge, we could implement an Exclusion Policy for the endpoint to prevent creating Incidents from any alerts generated for that endpoint.

Please answer if you know other solutions to this problem.

Cortex XDR 

4 REPLIES

L3 Networker

Hi @tntrust,

If you are unable to connect to the endpoint to manually uninstall the Cortex XDR agent, you are also able to do it on the tenant side from the Action Center.

This can be done by going to Incident Response > Action Center > + New Action.

Select “Agent Uninstall”, select next, and define your target endpoint. You are able to utilize filtering to define an agent scope for the uninstallation. In your case with an individual endpoint, it may be more useful to select the check mark to the left of the target list for manual selection.

Select next again, review the action summary, and select done. You are able to view the status of the uninstallation under “All Actions” in the Action Center.

Alert exclusions would not work in this scenario since they are designed to suppress alerts, not block them. Though they will be disregarded as alerts by Cortex XDR, the query builder can still be used to search for this data in the Data Lake instance.

Hope this helps!

Further reading:

Uninstall the Cortex XDR agent:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/manage-co...


Alert exclusions:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...

Hi!

The problem is that this endpoint is not listed in the Cortex XDR Portal. It was removed from the Cortex XDR Portal, but the agent is still installed on the endpoint and is sending logs. Do you know how to address this kind of problem?

Hi @tntrust,

If you are unable to view the Cortex XDR agents in the tenant and it is still sending logs to the CDL, we highly recommend contacting our technical assistance team at support.paloaltonetworks.com. They will be able to help identify the issue pertaining to your particular environment and provide any necessary workarounds.

Okay, I've contacted PA Support.
