Delete Cortex XDR Agents - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Delete endpoints from the management console views.

If you have an endpoint that you no longer want to track through the Cortex XSIAM management console, for example, if the endpoint disconnected from Cortex XSIAM, or an endpoint where the Cortex XDR agent was uninstalled, you can delete the endpoint from the management console views. Deleting an endpoint triggers the following lifespan flow:

  • The endpoint status changes to Deleted, and the license returns immediately to the license pool. After a retention period of 90 days, the agent is deleted from the database and is displayed in Cortex XSIAM as Endpoint Name - N/A (Deleted).

  • Data associated with the deleted endpoint is displayed in the Action Center tables and in the Causality View for the standard 90 days retention period.

  • Alerts that already include the endpoint data at the time of alert creation are not affected.

Additionally, Cortex XSIAM automatically deletes agents after a long period of inactivity.

  • Standard agents are deleted after 180 days of inactivity. Where day one is the first 24 hours of continuous inactivity.

  • VDI and TS agents are deleted after 6 hours of inactivity.


To reinstate an endpoint, you have to uninstall and reinstall the agent.

The following workflow describes how to delete the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints.

  1. Select EndpointsAll Endpoints.

  2. Right-click the endpoint you want to remove.

    You can also select multiple endpoints if you want to perform a bulk delete.

  3. Select Endpoint ControlDelete Endpoint.