Technical Tip: FortiEDR: 'Disconnected (Expired)' collectors batch remove
| Description | This article describes how to remove 'Disconnected (Expired)' collectors in a single step. |
| Scope | FortiEDR v.6+. |
| Solution | If the FortiEDR does not connect to the Aggregator for 30+ days, its state changes to 'Disconnected (Expired)':
It is possible to remove collectors by selecting them manually; however in case of a high number of 'Disconnected (Expired)', it is more convenient to use the REST-API to remove all collectors, which did not connect to the environment for some period of time.
REST-API reference can be accessed through the FortiEDR manager: https://<manager_URL>/rest-ui
It can be done with the 'delete collectors' API call: /management-rest/inventory/delete-collectors. Use the 'lastSeenEnd' parameter to define the date of the last collector's connection to delete.
Example: In the sample case (see the screenshot above), the last connection date of the 'old-laptop' collector is 26.06.2025. To remove the 'old-laptop' collector, the following 'lastSeenEnd' value should be set: '2025-06-27 00:00:00':
The list of deleted with the API call collectors can be found in the audit trail: (Audit Trail | FortiEDR/XDR 7.2.0
|
