Block logs to Data Lake from specific endpoint

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block logs to Data Lake from specific endpoint

L1 Bithead



I have a case where logs are delivered to Data Lake from endpoint were we're unable to uninstall Cortex XDR agent. We also can't connect to this endpoint to take manual actions to stop receiving logs from it.

Is there any way to block/prevent these endpoint uploading logs to the Data Lake?

From my knowledge, we could implement Exclusion Policy for endpoint to prevent creating Incidents of any alerts created for that endpoint.


Please answer if you know other solutions to this problem.

Cortex XDR 


L3 Networker

Hi @tntrust,    


If you are unable to connect to the endpoint to manually uninstall the Cortex XDR agent, you are also able to do it on the tenant side from the Action Center. 


This can be done by going to Incident Response > Action Center > + New Action





Select “Agent Uninstall”, select next, and define your target endpoint. You are able to utilize filtering to define an agent scope for the uninstallation. In your case with an individual endpoint, it may be more useful to select the check mark to the left of the target list for manual selection. 


Select next again, review the action summary, and select done. You are able to view the status of the uninstallation under “All Actions” in the Action Center. 





Alert exclusions would not work in this scenario since they are designed to suppress alerts, not block them. Though they will be disregarded as alerts by Cortex XDR, the query builder can still be used to search for this data in the Data Lake instance. 


Hope this helps!


Further reading:


Uninstall the Cortex XDR agent:


Alert exclusions:



The problem is that this endpoint is not listed in Cortex XDR Portal. It was removed from Cortex XDR Portal, agent is still installed on endpoint and sending logs. Do you know how to address this kind of problem?

Hi @tntrust,  


If you are unable to view the Cortex XDR agents in the tenant and it is still sending logs to the CDL, we highly recommend contacting our technical assistance team at They will be able to help identify the issue pertaining to your particular environment and provide any necessary workarounds.

Okay, I've contacted with PA Support.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!