Issue:
I have uninstalled the sensor, how to remove the device from the Elements Endpoint Detection and Response portal?
Resolution:
The devices cannot be manually removed from the Elements Endpoint Detection and Response portal. Inactive devices will remain in the Elements Endpoint Detection and Response (EDR) portal Devices view for 90 days before the removal. If a device becomes active after removal, it will appear back in the list.
Here is a list of the different possible statuses:
EDR Status and color code:
Active | Green = seen in last 24 hours
Inactive | Yellow = seen in last 7 days
Inactive | Red = not seen in 7 days
The device details are not removed from the EDR portal immediately after e.g. device is deleted from the EPP side or the client is uninstalled. The reason for this is that EDR stores a lot of event and incident information that can be relevant in Incident response carried out after the device is taken out of use. The device is a very important part of the BCD context. If information from the device is lost, BCD incident analysis and potential IR (incident response) will become difficult. Very often incident investigation or evidence collection starts days or weeks after the fact. Already removed device could be root source or part of e.g. lateral movement activity detected in BCD and incident investigation. For this reason, the EDR portal keeps devices information after a device has been removed to enable full incident investigation.
Article no: 000007694