Decommission Defenders

Regularly decommissioning stale Defenders keeps your view of the environment clean and conserves licenses. Defenders can be decommissioned from the Console UI or the Prisma Cloud API.
Prisma Cloud automatically decommissions stale Defenders for you. In large scale environments, manually decommissioning Defenders could be onerous. If left undone, however, it can lead to lots of Defenders being left in a permanently offline state, cluttering your view of environment. To keep your view clean, Console automatically decommissions Defenders that haven’t been connected to Console for more than one day. This keeps the list of connected Defenders valid to a 24-hour window. The refresh period can be configured up to a maximum of 365 days under
Manage > Defenders > Manage > Advanced Settings > Automatically remove disconnected Defenders after (days)
.
We recommend letting Prisma Cloud automatically decommission stale Defenders rather than using the UI or API.

Decommission Defenders manually

Decommissioning Defenders can be done manually from Console.
Go to
Manage > Defenders > Manage
, where you will find a list of all Defenders connected to Console. Click
Actions > Decommission
for each respective Defender.

Decommission Defenders with the API

The following endpoint can be used to decommission a Defender.
Path
DELETE /api/v1/defenders/[hostname]
Code copied to clipboard
Unable to copy due to lack of browser support.
Description
Deletes a Defender from the database. This endpoint does not actually uninstall Defender. Use the fully qualified domain name (FQDN) of the host. You can find the FQDN of the host in
Manage > Defenders > Actions > Manage
.
Example request
$ curl -X DELETE \ -u <USERNAME>:<PASSWORD> 'https://<CONSOLE>:8083/api/v1/defenders/aqsa-cto.sandbox'
Code copied to clipboard
Unable to copy due to lack of browser support.

Force uninstall Defender

The preferred method for uninstalling Defenders is via the Console UI. However, if a Defender instance is not connected to Console, or is otherwise not manageable through the Console UI, it can be manually removed.
On the Linux host where Container Defender runs, use the following command:
$ sudo /var/lib/twistlock/scripts/twistlock.sh -u
Code copied to clipboard
Unable to copy due to lack of browser support.
If you run this command on the same Linux host where the Prisma Cloud Console is installed, it also uninstalls Prisma Cloud Console.
On the Linux host where Host Defender runs, use the following command:
$ sudo /var/lib/twistlock/scripts/twistlock.sh -u defender-server
Code copied to clipboard
Unable to copy due to lack of browser support.
On the Windows host where Defender runs, use the following command:
C:\Program Files\Prisma Cloud\scripts\defender.ps1 -uninstall
Code copied to clipboard
Unable to copy due to lack of browser support.

Recommended For You