Disconnects one or more Next-Generation Firewalls (NGFWs) from the Cloud Logging and Collection Service (CLCS). This operation removes the specified devices from CLCS so they no longer forward logs to Cortex XDR.
The request must specify the target devices by their serial numbers (device_ids), along with the CSP account ID and region that the devices belong to. Up to 1000 device IDs can be submitted in a single request.
If a device ID in the request does not exist or is not connected, it is silently ignored. The response returns only the IDs of devices that were successfully disconnected.
Required license: This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM product that has the Cloud Runtime Security or Cloud Posture Security add-ons.
Required permission: Data Collection > Data Sources > Edit
Validation rules:
device_ids: Must contain 1–1000 unique alphanumeric strings, each 1–50 characters long.csp_account_id: Must be a positive integer.region: Must be a non-empty string (not whitespace-only, not a number).
Authorization
String
required
Your Cortex XSIAM API key.
Your Cortex XSIAM API key.
{api_key}
x-xdr-auth-id
String
required
Your Cortex XSIAM API key ID.
Your Cortex XSIAM API key ID.
{api_key_id}
x-xdr-nonce
String
A unique nonce value used for request authentication.
A unique nonce value used for request authentication.
0123456789abcdef
x-xdr-timestamp
String
The Unix timestamp in milliseconds at the time the request is sent.
The Unix timestamp in milliseconds at the time the request is sent.
1714118400000
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: {api_key}'
-H
'x-xdr-auth-id: {api_key_id}'
-H
'x-xdr-nonce: 0123456789abcdef'
-H
'x-xdr-timestamp: 1714118400000'
'https://api-yourfqdn/public_api/v1/clcs/disconnect_devices'
-d
'{
"request_data" : {
"device_ids" : [ "01234567890", "01234567891" ],
"csp_account_id" : 123456,
"region" : "us"
}
}'
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}"
headers = {
'Authorization': "{api_key}",
'x-xdr-auth-id': "{api_key_id}",
'x-xdr-nonce': "0123456789abcdef",
'x-xdr-timestamp': "1714118400000",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/clcs/disconnect_devices", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/clcs/disconnect_devices")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = '{api_key}'
request["x-xdr-auth-id"] = '{api_key_id}'
request["x-xdr-nonce"] = '0123456789abcdef'
request["x-xdr-timestamp"] = '1714118400000'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"device_ids": [
"01234567890",
"01234567891"
],
"csp_account_id": 123456,
"region": "us"
}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/clcs/disconnect_devices");
xhr.setRequestHeader("Authorization", "{api_key}");
xhr.setRequestHeader("x-xdr-auth-id", "{api_key_id}");
xhr.setRequestHeader("x-xdr-nonce", "0123456789abcdef");
xhr.setRequestHeader("x-xdr-timestamp", "1714118400000");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/clcs/disconnect_devices")
.header("Authorization", "{api_key}")
.header("x-xdr-auth-id", "{api_key_id}")
.header("x-xdr-nonce", "0123456789abcdef")
.header("x-xdr-timestamp", "1714118400000")
.header("content-type", "application/json")
.body("{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}")
.asString();import Foundation
let headers = [
"Authorization": "{api_key}",
"x-xdr-auth-id": "{api_key_id}",
"x-xdr-nonce": "0123456789abcdef",
"x-xdr-timestamp": "1714118400000",
"content-type": "application/json"
]
let parameters = ["request_data": [
"device_ids": ["01234567890", "01234567891"],
"csp_account_id": 123456,
"region": "us"
]] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/clcs/disconnect_devices")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/clcs/disconnect_devices",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}",
CURLOPT_HTTPHEADER => [
"Authorization: {api_key}",
"content-type: application/json",
"x-xdr-auth-id: {api_key_id}",
"x-xdr-nonce: 0123456789abcdef",
"x-xdr-timestamp: 1714118400000"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/clcs/disconnect_devices");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: {api_key}");
headers = curl_slist_append(headers, "x-xdr-auth-id: {api_key_id}");
headers = curl_slist_append(headers, "x-xdr-nonce: 0123456789abcdef");
headers = curl_slist_append(headers, "x-xdr-timestamp: 1714118400000");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/clcs/disconnect_devices");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "{api_key}");
request.AddHeader("x-xdr-auth-id", "{api_key_id}");
request.AddHeader("x-xdr-nonce", "0123456789abcdef");
request.AddHeader("x-xdr-timestamp", "1714118400000");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"device_ids\":[\"01234567890\",\"01234567891\"],\"csp_account_id\":123456,\"region\":\"us\"}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);The request body for disconnecting NGFW devices from CLCS.
request_dataobjectThe parameters specifying which devices to disconnect.
The parameters specifying which devices to disconnect.
device_idsarray[string]requiredA list of NGFW device serial numbers to disconnect. Must contain 1–1000 unique alphanumeric strings, each between 1 and 50 characters long.
A list of NGFW device serial numbers to disconnect. Must contain 1–1000 unique alphanumeric strings, each between 1 and 50 characters long.
["01234567890","01234567891"]csp_account_idintegerrequiredThe CSP (Cloud Service Provider) account ID that the devices belong to. Must be a positive integer.
The CSP (Cloud Service Provider) account ID that the devices belong to. Must be a positive integer.
123456regionstringrequiredThe cloud region where the devices are deployed. Must be a non-empty string (not whitespace-only, not a numeric value).
The cloud region where the devices are deployed. Must be a non-empty string (not whitespace-only, not a numeric value).
"us"{
"request_data": {
"device_ids": [
"01234567890",
"01234567891"
],
"csp_account_id": 123456,
"region": "us"
}
}{
"request_data": {
"device_ids": [
"033333333330123"
],
"csp_account_id": 789012,
"region": "eu"
}
}The operation completed. The response contains the IDs of devices that were successfully disconnected. Device IDs that were not found are silently omitted from the response.
The response envelope for the disconnect devices operation.
replyobjectThe response payload containing the IDs of successfully disconnected devices.
The response payload containing the IDs of successfully disconnected devices.
device_idsarray[string]requiredThe serial numbers of devices that were successfully disconnected. Device IDs from the request that were not found are silently omitted.
The serial numbers of devices that were successfully disconnected. Device IDs from the request that were not found are silently omitted.
["01234567890","01234567891"]{
"reply": {
"device_ids": [
"01234567890",
"01234567891"
]
}
}{
"reply": {
"device_ids": []
}
}Note: This response describes the intended validation error envelope. The backend currently raises a generic 500 Internal Server Error for these validation failures pending a fix to wrap Pydantic validation errors in the documented envelope. Treat the structure below as the contract clients should code against.
Bad request. The request body failed validation. Common causes include duplicate device IDs, an invalid or zero-value csp_account_id, or an empty region.
A standard error response envelope returned when a request fails.
replyobjectThe error payload containing the status code, message, and additional detail.
The error payload containing the status code, message, and additional detail.
err_codeintegerrequiredThe HTTP status code of the error.
The HTTP status code of the error.
400err_msgstringrequiredA short description of the error.
A short description of the error.
"Bad Request"err_extrastringAdditional detail about the error, including remediation guidance where applicable.
Additional detail about the error, including remediation guidance where applicable.
"Duplicate device IDs found: 01234567890"{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "Duplicate device IDs found: 01234567890"
}
}{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "The csp_account_id 0 is invalid. Try again using a number greater than zero."
}
}{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "The region is empty. Try again by providing a valid region."
}
}Unauthorized. The API key or key ID provided for this request is missing or invalid.
A standard error response envelope returned when a request fails.
replyobjectThe error payload containing the status code, message, and additional detail.
The error payload containing the status code, message, and additional detail.
err_codeintegerrequiredThe HTTP status code of the error.
The HTTP status code of the error.
400err_msgstringrequiredA short description of the error.
A short description of the error.
"Bad Request"err_extrastringAdditional detail about the error, including remediation guidance where applicable.
Additional detail about the error, including remediation guidance where applicable.
"Duplicate device IDs found: 01234567890"{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "Duplicate device IDs found: 01234567890"
}
}Forbidden. The API key does not have the required permissions to disconnect devices. Ensure the key has Data Collection > Data Sources > Edit permission.
A standard error response envelope returned when a request fails.
replyobjectThe error payload containing the status code, message, and additional detail.
The error payload containing the status code, message, and additional detail.
err_codeintegerrequiredThe HTTP status code of the error.
The HTTP status code of the error.
400err_msgstringrequiredA short description of the error.
A short description of the error.
"Bad Request"err_extrastringAdditional detail about the error, including remediation guidance where applicable.
Additional detail about the error, including remediation guidance where applicable.
"Duplicate device IDs found: 01234567890"{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "Duplicate device IDs found: 01234567890"
}
}Internal server error. An unexpected error occurred while processing the disconnect request.
A standard error response envelope returned when a request fails.
replyobjectThe error payload containing the status code, message, and additional detail.
The error payload containing the status code, message, and additional detail.
err_codeintegerrequiredThe HTTP status code of the error.
The HTTP status code of the error.
400err_msgstringrequiredA short description of the error.
A short description of the error.
"Bad Request"err_extrastringAdditional detail about the error, including remediation guidance where applicable.
Additional detail about the error, including remediation guidance where applicable.
"Duplicate device IDs found: 01234567890"{
"reply": {
"err_code": 400,
"err_msg": "Bad Request",
"err_extra": "Duplicate device IDs found: 01234567890"
}
}