Monitor Agent Operational Status - Administrator Guide - Cortex XDR - Cortex

Monitor Agent Operational Status - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2024-02-26

Last date published

2024-04-16

Category

Administrator Guide

Abstract

You can view the operational status of any Cortex XDR agent that you manage.

From the Cortex XDR management console, you have full visibility into the XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The XDR agent reports the operational status as follows:

Protected—Indicates that the XDR agent is running as configured and did not report any exceptions to Cortex XDR.
Partially protected—Indicates that the XDR agent reported one or more exceptions to Cortex XDR.
Unprotected—Indicates the XDR agent is not enforcing protection on the endpoint.
Local Resource Impact—indicates that the XDR agent machine resources currently available for use, are not enough for the agent to operate smoothly.

You can monitor the Cortex XDR agent Operational Status in Endpoints → All Endpoints. If the Operational Status field is missing, add it.

The operational status that the agent reports varies according to the exceptions reported by the XDR agent.

Status	Description
Protected	(Windows, Mac, and Linux) Indicates all protection modules are running as configured on the endpoint.
Partially protected	Windows XDR data collection is not running, or not set Behavioral threat protection is not running Malware protection is not running Exploit protection is not running Mac Operating system adaptive mode* XDR Data Collection is not running, or not set Behavioral threat protection is not running Malware protection is not running Exploit protection is not running Linux Kernel module not loaded Kernel module compatible but not loaded Kernel version not compatible** XDR Data Collection is not running, or not set Behavioral threat protection is not running Anti-malware flow is asynchronous Malware protection is not running Exploit protection is not running Note Any of the listed items could lead to a partially protected state. Refer to the Cortex XDR management console for specific reasons for the state.
Unprotected	Windows, Mac, and Linux: Behavioral threat protection and Malware protection are not running Exploit protection and malware protection are not running The content is unavailable.
Local Resource Impact	Windows, Mac, Linux Machine CPU impact on the agent operation Machine memory impact on the agent operation In addition to the status, either one of the following sub-statuses appear: Low local available memory No local available memory
Caution Status can have the following implications on the endpoint: (`Status`)—The exploit protection module is not running. *(`Status`)— XDR data collection is not running Behavioral threat protection is not running Anti-malware flow is asynchronous Local privilege escalation protection is asynchronous

Note

Caution