https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/ta-p/545353 <DIV class="lia-message-template-content-zone"> <P><STRONG><EM><FONT face="arial,helvetica,sans-serif" size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Graphics Created (1).jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50731iC0788D40D999EDC9/image-size/large?v=v2&amp;px=999" role="button" title="Graphics Created (1).jpg" alt="Graphics Created (1).jpg" /></span></FONT></EM></STRONG></P> <P><FONT face="arial,helvetica,sans-serif" size="4">&nbsp;</FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>The Operational Status of your XDR Agents is a crucial aspect to monitor to ensure your environment stays protected. The Operational Status </SPAN><SPAN>indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. </SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>The XDR agent reports the operational status as follows:</SPAN></FONT></P> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><FONT face="arial,helvetica,sans-serif" size="4"><STRONG>Protected</STRONG><SPAN>—Indicates that the XDR agent is running as configured and did not report any exceptions to Cortex XDR</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="arial,helvetica,sans-serif" size="4"><STRONG>Partially protected</STRONG><SPAN>—Indicates that the XDR agent reported one or more exceptions to Cortex XDR</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="arial,helvetica,sans-serif" size="4"><STRONG>Unprotected</STRONG><SPAN>—Indicates the XDR agent is not enforcing protection on the endpoint</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="arial,helvetica,sans-serif" size="4"><STRONG>Local Resource Impact</STRONG><SPAN>—indicates that the XDR agent machine resources currently available for use, are not enough for the agent to operate smoothly</SPAN></FONT></LI> </UL> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>For additional information on each Operation Status, click </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Monitor-Agent-Operational-Status" target="_blank" rel="noopener"><SPAN>here</SPAN></A><SPAN>.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Further details regarding a degraded status can be viewed by either navigating to the </SPAN><I><SPAN>All Endpoints</SPAN></I><SPAN> table and right-clicking inside the </SPAN><I><SPAN>Operational Status</SPAN></I><SPAN> field, then under </SPAN><I><SPAN>Endpoint Data</SPAN></I><SPAN>, selecting </SPAN><I><SPAN>View Operational Status Data, </SPAN></I><SPAN>or via XQL using the </SPAN><I><SPAN>Endpoints</SPAN></I><SPAN> dataset and the </SPAN><I><SPAN>operational_status_description</SPAN></I><SPAN> field. The XQL query below demonstrates how to leverage this data to gain a more in-depth understanding of what is impacting your agents. The query includes comments describing what each stage/function is doing. You can copy and paste the entire query including the comments into your XQL search box.</SPAN></FONT></P> <H2>&nbsp;</H2> <H2><FONT color="#000000"><STRONG><U><FONT face="arial,helvetica,sans-serif" size="4">Degraded Agents With Associated Reason</FONT></U></STRONG></FONT><U></U></H2> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Setting case sensitivity to false for this query.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>config case_sensitive = false</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//defining the data source to run the query against.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>|dataset = endpoints</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Limiting results to only the necessary fields.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>|fields operational_status_description as osd, endpoint_name, operational_status, operating_system&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Filtering to only include unprotected or partially protected endpoints in the results.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>|filter operational_status in (UNPROTECTED, PARTIALLY_PROTECTED)</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>/*The "arraymap" function applies a specified function to every element of an array. The syntax for this function is to first define the array, then define the function to apply separated by a comma.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>In this example the field "operational_status_description" has been given the alias "osd", so that is how it will be referenced for the duration of this query. The osd field is a string, but is structured like a json array. In order for the arraymap function to work, this field must be converted to an XQL native array. First, the "to_json_string" function is applied to the osd field which returns a json formatted string. Next, the "json_extract_array" function is applied to the output of the to_json_string function, which returns an XQL native array. Now that the input for the arraymap function is in the correct format, the "json_extract_scalar" is defined as the function to apply to every element in the array, using the "@element" syntax to apply the function to the field name "reason". The result is a new field created by the alter stage named "reason" which contains an array of all of the extracted reasons from the osd field.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>*/</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>| alter reason = arraymap (</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;json_extract_array (to_json_string(osd ),"$."),</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;json_extract_scalar ("@element", "$.reason"))</SPAN></FONT></P> <P><BR /><BR /></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Expanding the array to create individual log rows.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>|arrayexpand reason&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Counting the number of distinct endpoints with a common value in the "reason" field.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>|comp count_distinct(endpoint_name) as Agents by reason</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>//Graph parameters.</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>| view graph type = pie header = "Degraded Operational Status" xaxis = reason yaxis = Agents font = "Arial" headerfontsize = 12 legendfontsize = 10</SPAN></FONT></P> </DIV> Thu, 08 Jun 2023 20:09:49 GMT bbucao 2023-06-08T20:09:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/ta-p/545353 <P><SPAN>This article will walk through how to access critical data needed to effectively troubleshoot XDR agents that are in a degraded operational state using XQL queries.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Graphics Created (1).jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50748iBFBB7EC6B26F16AF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Graphics Created (1).jpg" alt="Graphics Created (1).jpg" /></span></P> Thu, 08 Jun 2023 20:09:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/ta-p/545353 bbucao 2023-06-08T20:09:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/549418#M56 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/205598">@bbucao</a>,&nbsp;</P><P>&nbsp;</P><P>how long does it take, when unprotected status will be shown in the dataset--&gt; endpoints?&nbsp;</P><P>Since 10 minutes I am waiting for the change.</P><P>&nbsp;</P><P>BR</P><P>&nbsp;</P><P>Rob</P> Fri, 14 Jul 2023 20:51:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/549418#M56 RFeyertag 2023-07-14T20:51:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/549436#M57 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P><P>&nbsp;</P><P>the endpoints dataset gets updated approximately every 1 hour. The most up to date status can be found in the All Endpoints page in the console</P> Sat, 15 Jul 2023 06:56:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/549436#M57 sdrake 2023-07-15T06:56:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/550205#M58 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/158713">@sdrake</a>! Hope the API gets this informations faster?</P><P>&nbsp;</P><P>BR</P><P>&nbsp;</P><P>Rob</P> Thu, 20 Jul 2023 17:49:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/550205#M58 RFeyertag 2023-07-20T17:49:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/550221#M59 <P>if you use the Get Endpoint resource you can filter on the endpoint_status but then you're using something which doesn't match the OP</P> Thu, 20 Jul 2023 18:56:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/550221#M59 sdrake 2023-07-20T18:56:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/589640#M81 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/205598">@bbucao</a>&nbsp;this information is too relevant! Thank you for sharing.</P><P>&nbsp;</P><P>Does anyone know if there is some updated kb or document with instructions to remediate degraded operational status?</P><P>&nbsp;</P><P>PS: I found this one but the option over the endpoint "Right click &gt; Endpoint Data &gt; View Operational Status Data" isn't shown on my console.<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OGWCA2" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OGWCA2</A></P><P>&nbsp;</P><P>Thank you all</P> Fri, 14 Jun 2024 20:22:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/589640#M81 Silva 2024-06-14T20:22:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/597006#M82 <P>How would you make it an interactive graph? Meaning if you click on a link it should take the results of that finding.&nbsp;</P> Thu, 05 Sep 2024 18:09:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/troubleshoot-xdr-agent-degraded-operational-status-with-xql/tac-p/597006#M82 MosR 2024-09-05T18:09:36Z