Contained Arctic Wolf Agent Deactivation

Updated Jan 31, 2024

Deactivate an Arctic Wolf Agent that is contained

You are not required to deactivate Arctic Wolf® Agents that are contained. Arctic Wolf recommends keeping Agents in the Arctic Wolf Unified Portal Endpoints table until the containment incident is resolved.

After the incident is resolved and the Agent is uninstalled from the device, you can remove contained endpoints from the Endpoints table that have not checked in for 72 hours .

If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Unified Portal. If you cannot access the Arctic Wolf Unified Portal, contact your Concierge Security® Team (CST) at

Note: You cannot make these changes in the Risk Dashboard.

  1. Sign in to the MDR Dashboard.

  2. Click Dashboard > Managed Detection and Response.

  3. Click the Online Endpoints tile.

  4. In the Endpoints table, find the endpoint to deactivate.

  5. In the Actions column, click Remove offline endpoint.

    Tip: You can only remove endpoints that are Offline. The Agent only identifies endpoints as Offline if the Agent did not check in with them for 72 hours.

  6. In the dialog, click Remove Endpoint.

    Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.

See also