Reconnect after endpoint cleanup


L1 Bithead

Hello,

 

I'm thinking about using the Endpoint Administration Cleanup tool.

However, I wanted to be sure that if an endpoint is mistakenly deleted it would show up again in our tenant (if it connects in the next 90 days).

Has anyone experienced this yet?

 

Is this supposed to be the same if an endpoint is in "Connection Lost" then is connected?
If so, it doesn't work, that's why I'm wondering.

 

Regards,

Rémi.


Community Team Member

Hi @RemiLiquete ,

 

It's important to distinguish between "Connection Lost" and an actual "Deleted" state, as the system treats them very differently.

1. Licensing and Deletion

In Cortex XDR, licensing is tied directly to the active management of the node.

  • License Revocation: Cortex XDR issues a license for every node where the agent is running and will revoke that license the moment the agent is removed or the node is manually deleted from the console.

  • Immediate Recovery: This is why many admins use the Cleanup tool—to immediately return licenses to the pool for use elsewhere.

2. Will it "Show Up Again"? This is where it gets tricky.

  • Manual/Cleanup Deletion: If you manually delete an endpoint or use the Cleanup tool, the license is revoked immediately. While the agent might attempt to check in, it generally will not automatically "re-protect" itself and reappear as a managed node. To restore it, you usually need to perform a fresh reinstall or use the cytool reconnect force command locally on the machine.

  • Connection Lost: This is a "soft" state. The license is still reserved for that machine. If a machine in "Connection Lost" status regains internet access, it will automatically check in and return to a "Connected" status without any manual intervention.

 

I hope this clarifies,

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L1 Bithead

Hi @kiwi,

 

First of all, thank you for this detailed answer!

 

If I understand correctly what you are saying, when an agent tries to check in after its deletion, we have no information about this?

Or maybe there are logs somewhere in the console we can use to determine if an agent is trying to check in?

 

My concern is about unknown agents being mistakenly deleted, so we can't fix it until we check locally on the server.

Hello @RemiLiquete ,

 

To answer your questions:

 

When a Cortex XDR agent is deleted from the management console, the visibility of its subsequent check-in attempts and activity depends on how the deletion occurred and which communication channel the agent is using.

 

1. Can you see if a deleted agent is trying to check in?

There is no specific “Check-in Attempt” log for agents that fail to register or authenticate after being deleted. However, you can often determine activity through other console logs:

Telemetry Logs (XQL):

The Cortex XDR agent uses separate channels for:

  • Management communication (heartbeats)

  • Telemetry (EDR data)

Even if the endpoint record has been removed from the All Endpoints list, the locally installed agent may still send raw telemetry data if it retains a valid authentication token.

Incident / Alert Generation:

If the deleted agent is still successfully sending telemetry:

  • It can still generate incidents or BIOC alerts.

  • The endpoint may appear as “Unknown” or show an outdated hostname in the incident view.

 

2. Logs to Use in the Console:

XQL Search (Primary Method)

Query the raw telemetry dataset using the known hostname or Agent ID. If results return, the agent is still active and communicating.

Example query:

dataset = xdr_data
| filter agent_hostname = "HOSTNAME_OF_DELETED_AGENT"
| sort _time desc

If events appear, the agent is running and successfully sending telemetry.

Management Audit Logs:

To determine who deleted the agent and when:

  • Navigate to: Settings → Management Audit Logs

  • Filter by:

    • Type: Endpoint Administration

    • Sub Type: Delete

This shows the administrator account and timestamp associated with the deletion.

 

3. Agent Behavior After Deletion:

The behavior varies depending on how the deletion occurred.

Manual Deletion:

If an administrator manually deletes an endpoint:

  • When the agent reconnects, it usually registers as a new endpoint with a new Agent ID.

  • In some cases, if the deletion process has not fully completed in the backend, the agent may resume communication with its original identity.

Automatic Purge (Default 180-Day Inactivity Policy):

If the agent is automatically removed due to inactivity:

  • Its unique identity is permanently removed.

  • It will not automatically re-onboard when it comes back online.

  • Manual intervention is required (reinstallation or forced reconnection).

 

4. Critical Limitation: Failed Registrations

If an agent attempts to register but fails (for example, because the Distribution ID used during installation was deleted):

  • The registration attempt is processed at a central Palo Alto Networks distribution service.

  • Because the request fails before reaching your tenant, no logs will appear in your console for that failed registration attempt.

This means you cannot see those failed check-in attempts from within your Cortex XDR tenant.

 

Recommendation for Mistakenly Deleted Agents:

  • If you suspect an active agent was accidentally deleted and it is not automatically reappearing, run the following command locally on the endpoint to force re-registration:

cytool reconnect force <distribution_id>

  • You can find the Distribution ID in the console under: Endpoints → Agent Installation

  • This forces the agent to establish a fresh registration with the tenant.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
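An added example (not from the original post) that extends the single-hostname XQL query above to a whole cleanup run: it takes the hostnames you removed and reports, per hostname and Agent ID, when telemetry was last received, so any endpoint that is still checking in stands out. It assumes the xdr_data fields agent_hostname, agent_id and _time and uses constructed placeholder hostnames; replace them with the names from your Management Audit Log "Endpoint Administration / Delete" entries.

```xql
// Added example, not the original poster's query.
// Hostnames below are constructed placeholders: substitute the endpoints you deleted.
dataset = xdr_data
| filter agent_hostname in ("DELETED-HOST-01", "DELETED-HOST-02", "DELETED-HOST-03")
// One row per host/agent pair: last event seen and how many events arrived in the query timeframe.
// A hostname that appears here with a recent last_seen is still sending telemetry despite the deletion;
// a hostname that does not appear at all has gone quiet (or never had a valid token to send with).
| comp max(_time) as last_seen, count() as event_count by agent_hostname, agent_id
| sort last_seen desc
```

Run it over a timeframe that starts before the cleanup; a hostname listed twice with different agent_id values indicates the agent re-registered as a new endpoint, as described under "Manual Deletion" above.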
