10-10-2022 04:13 AM
Hello,
I have a case where logs are delivered to the Data Lake from an endpoint where we're unable to uninstall the Cortex XDR agent. We also can't connect to this endpoint to take manual actions to stop receiving logs from it.
Is there any way to block/prevent this endpoint from uploading logs to the Data Lake?
From my knowledge, we could implement an Exclusion Policy for the endpoint to prevent creating Incidents from any alerts created for that endpoint.
Please answer if you know other solutions to this problem.
10-10-2022 08:39 AM
Hi @tntrust,
If you are unable to connect to the endpoint to manually uninstall the Cortex XDR agent, you are also able to do it on the tenant side from the Action Center.
This can be done by going to Incident Response > Action Center > + New Action
Select “Agent Uninstall”, select next, and define your target endpoint. You are able to utilize filtering to define an agent scope for the uninstallation. In your case with an individual endpoint, it may be more useful to select the check mark to the left of the target list for manual selection.
Select next again, review the action summary, and select done. You are able to view the status of the uninstallation under “All Actions” in the Action Center.
Alert exclusions would not work in this scenario since they are designed to suppress alerts, not block them. Though they will be disregarded as alerts by Cortex XDR, the query builder can still be used to search for this data in the Data Lake instance.
Hope this helps!
Further reading:
Uninstall the Cortex XDR agent:
Alert exclusions:
10-10-2022 09:10 AM
Hi!
The problem is that this endpoint is not listed in the Cortex XDR Portal. It was removed from the Cortex XDR Portal, but the agent is still installed on the endpoint and sending logs. Do you know how to address this kind of problem?
10-11-2022 06:42 AM
Hi @tntrust,
If you are unable to view the Cortex XDR agents in the tenant and it is still sending logs to the CDL, we highly recommend contacting our technical assistance team at support.paloaltonetworks.com. They will be able to help identify the issue pertaining to your particular environment and provide any necessary workarounds.
10-13-2022 02:53 AM
Okay, I've contacted PA Support.