Monitor agent operational status - You can view the operational status of any Cortex XDR agent that you manage. - Administrator Guide - Cortex XSIAM - Cortex

Monitor agent operational status - You can view the operational status of any Cortex XDR agent that you manage. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2026-04-16

Category

Administrator Guide

Abstract

You can view the operational status of any Cortex XDR agent that you manage.

From the Cortex XSIAM management console, you have full visibility into the XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XSIAM and other applications. The XDR agent reports the operational status as follows:

Protected: Indicates that the XDR agent is running as configured and did not report any exceptions to Cortex XSIAM.
Partially protected: Indicates that the XDR agent reported one or more exceptions to Cortex XSIAM.
Unprotected: Indicates the XDR agent is not enforcing protection on the endpoint.
Local Resource Impact: indicates that the XDR agent machine resources currently available for use, are not enough for the agent to operate smoothly.

You can monitor the Cortex XDR agent Operational Status in Endpoints → All Endpoints. If the Operational Status field is missing, add it.

The operational status that the agent reports varies according to the exceptions reported by the XDR agent.

Status	Description
Protected	Windows, Mac, and Linux: Indicates all protection modules are running as configured on the endpoint. iOS: Indicates that all required configurations are correct, and all required permissions are granted: Notifications permission Background app refresh permission The Cortex XDR widget is in use on the home screen. When the Network Shield is disabled, the Cortex XDR widget is required. The widget is mandatory on unsupervised devices. Android: Indicates that communication with the tenant is active.
Partially protected	Windows XDR data collection is not running, or not set Behavioral threat protection is not running Malware protection is not running Exploit protection is not running Mac Operating system adaptive mode* XDR Data Collection is not running, or not set Behavioral threat protection is not running Malware protection is not running Exploit protection is not running Linux Kernel module not loaded Kernel module compatible but not loaded Kernel version not compatible** XDR Data Collection is not running, or not set Behavioral threat protection is not running Anti-malware flow is asynchronous Malware protection is not running Exploit protection is not running iOS The device is not fully protected, because some, but not all, of the configuration and permission requirements are fulfilled Note Any of the listed items could lead to a partially protected state. Refer to the Cortex XSIAM management console for specific reasons for the state.
Unprotected	Windows, Mac, and Linux: Behavioral threat protection and Malware protection are not running Exploit protection and malware protection are not running The content is unavailable. iOS: Configurations might be incorrect The required permissions might not be enabled Android: The device is not fully protected, because communication between the device and the tenant has been inactive for three or more hours
Local Resource Impact	Windows, Mac, Linux Machine CPU impact on the agent operation Machine memory impact on the agent operation In addition to the status, either one of the following sub-statuses appear: Low local available memory No local available memory
Caution Status can have the following implications on the endpoint: (`Status`): The exploit protection module is not running. *(`Status`): XDR data collection is not running Behavioral threat protection is not running Anti-malware flow is asynchronous Local privilege escalation protection is asynchronous

Note

Caution