1. Overview

Regularly decommissioning stale Defenders keeps your view of the environment clean and conserves licenses. Defenders can be decommissioned from the Console UI or the Prisma Cloud API.

Prisma Cloud automatically decommissions stale Defenders for you. In large scale environments, manually decommissioning Defenders could be onerous. If left undone, however, it can lead to lots of Defenders being left in a permanently offline state, cluttering your view of environment. To keep your view clean, Console automatically decommissions Defenders that haven’t been connected to Console for more than one day. This keeps the list of connected Defenders valid to a 24-hour window. The refresh period can be configured up to a maximum of 365 days under Manage > Defenders > Manage > Advanced Settings > Automatically remove disconnected Defenders after (days).

We recommend letting Prisma Cloud automatically decommission stale Defenders rather than using the UI or API.

2. Decommission Defenders manually

Decommissioning Defenders can be done manually from Console.

Go to Manage > Defenders > Manage, where you will find a list of all Defenders connected to Console. Click Actions > Decommission for each respective Defender.

3. Decommission Defenders with the API

The following endpoint can be used to decommission a Defender.

Path

DELETE /api/v1/defenders/[hostname]

Description

Deletes a Defender from the database. This endpoint does not actually uninstall Defender. Use the fully qualified domain name (FQDN) of the host. You can find the FQDN of the host in Manage > Defenders > Actions > Manage.

Example request

$ curl -X DELETE \
  -u <USERNAME>:<PASSWORD>
  'https://<CONSOLE>:8083/api/v1/defenders/aqsa-cto.sandbox'

4. Force uninstall Defender

The preferred method for uninstalling Defenders is via the Console UI. However, if a Defender instance is not connected to Console, or is otherwise not manageable through the Console UI, it can be manually removed.

On the Linux host where Container Defender runs, use the following command:

$ sudo /var/lib/twistlock/scripts/twistlock.sh -u
If you run this command on the same Linux host where the Prisma Cloud Console is installed, it also uninstalls Prisma Cloud Console.

On the Linux host where Host Defender runs, use the following command:

$ sudo /var/lib/twistlock/scripts/twistlock.sh -u defender-server

On the Windows host where Defender runs, use the following command:

C:\Program Files\Prisma Cloud\scripts\defender.ps1 -uninstall