Monitor agent operational status

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide

Abstract: You can view the operational status of any Cortex XDR agent that you manage.

From the Cortex Cloud management console, you have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex Cloud and other applications. The Cortex XDR agent reports the operational status as follows:

  • Protected: Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex Cloud.

  • Partially protected: Indicates that the Cortex XDR agent reported one or more exceptions to Cortex Cloud.

  • Unprotected: Indicates that the Cortex XDR agent is not enforcing protection on the endpoint.

  • Local Resource Impact: Indicates that the machine resources currently available to the Cortex XDR agent are not enough for the agent to operate smoothly.

You can monitor the Cortex XDR agent Operational Status in Inventory > Endpoints > All Endpoints. If the Operational Status field is missing, add it.

The operational status that the agent reports varies according to the exceptions reported by the XDR agent.

Status

Description

Protected

Windows, Mac, and Linux: Indicates that all protection modules are running as configured on the endpoint.

Partially protected

Windows

  • XDR data collection is not running, or not set

  • Behavioral threat protection is not running

  • Malware protection is not running

  • Exploit protection is not running

Mac

  • Operating system adaptive mode*

  • XDR Data Collection is not running, or not set

  • Behavioral threat protection is not running

  • Malware protection is not running

  • Exploit protection is not running

Linux

  • Kernel module not loaded**

  • Kernel module compatible but not loaded**

  • Kernel version not compatible**

  • XDR Data Collection is not running, or not set

  • Behavioral threat protection is not running

  • Anti-malware flow is asynchronous

  • Malware protection is not running

  • Exploit protection is not running

Note

Any of the listed items could lead to a partially protected state. Refer to the Cortex Cloud management console for specific reasons for the state.

Unprotected

Windows, Mac, and Linux:

  • Behavioral threat protection and Malware protection are not running

  • Exploit protection and malware protection are not running

  • The content is unavailable

Local Resource Impact

Windows, Mac, and Linux:

  • Machine CPU impact on the agent operation

  • Machine memory impact on the agent operation

In addition to the status, one of the following sub-statuses appears:

  • Low local available memory

  • No local available memory

Caution

A status marked with * or ** above can have the following implications on the endpoint:

  • *(Status): The exploit protection module is not running.

  • **(Status):

    • XDR data collection is not running

    • Behavioral threat protection is not running

    • Anti-malware flow is asynchronous

    • Local privilege escalation protection is asynchronous