Monitor agent operational status - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

You can view the operational status of any Cortex XDR agent that you manage.

From the Cortex XSIAM management console, you have full visibility into the XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XSIAM and other applications. The XDR agent reports the operational status as follows:

  • Protected: Indicates that the XDR agent is running as configured and did not report any exceptions to Cortex XSIAM.

  • Partially protected: Indicates that the XDR agent reported one or more exceptions to Cortex XSIAM.

  • Unprotected: Indicates the XDR agent is not enforcing protection on the endpoint.

  • Local Resource Impact: indicates that the XDR agent machine resources currently available for use, are not enough for the agent to operate smoothly.

You can monitor the Cortex XDR agent Operational Status in EndpointsAll Endpoints. If the Operational Status field is missing, add it.

The operational status that the agent reports varies according to the exceptions reported by the XDR agent.

Status

Description

Protected

(Windows, Mac, and Linux) Indicates all protection modules are running as configured on the endpoint.

Partially protected

Windows

  • XDR data collection is not running, or not set

  • Behavioral threat protection is not running

  • Malware protection is not running

  • Exploit protection is not running

Mac

  • Operating system adaptive mode*

  • XDR Data Collection is not running, or not set

  • Behavioral threat protection is not running

  • Malware protection is not running

  • Exploit protection is not running

Linux

  • Kernel module not loaded**

  • Kernel module compatible but not loaded**

  • Kernel version not compatible**

  • XDR Data Collection is not running, or not set

  • Behavioral threat protection is not running

  • Anti-malware flow is asynchronous

  • Malware protection is not running

  • Exploit protection is not running

    Note

    Any of the listed items could lead to a partially protected state. Refer to the Cortex XSIAM management console for specific reasons for the state.

Unprotected

Windows, Mac, and Linux:

  • Behavioral threat protection and Malware protection are not running

  • Exploit protection and malware protection are not running

  • The content is unavailable.

Local Resource Impact

Windows, Mac, Linux

  • Machine CPU impact on the agent operation

  • Machine memory impact on the agent operation

In addition to the status, either one of the following sub-statuses appear:

  • Low local available memory

  • No local available memory

Caution

Status can have the following implications on the endpoint:

  • *(Status): The exploit protection module is not running.

  • **(Status):

    • XDR data collection is not running

    • Behavioral threat protection is not running

    • Anti-malware flow is asynchronous

    • Local privilege escalation protection is asynchronous