Troubleshoot XDR Agent Degraded Operational Status with XQL

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker
No ratings

Graphics Created (1).jpg


The Operational Status of your XDR Agents is a crucial aspect to monitor to ensure your environment stays protected. The Operational Status indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications.

The XDR agent reports the operational status as follows:


  • Protected—Indicates that the XDR agent is running as configured and did not report any exceptions to Cortex XDR
  • Partially protected—Indicates that the XDR agent reported one or more exceptions to Cortex XDR
  • Unprotected—Indicates the XDR agent is not enforcing protection on the endpoint
  • Local Resource Impact—indicates that the XDR agent machine resources currently available for use, are not enough for the agent to operate smoothly


For additional information on each Operation Status, click here.

Further details regarding a degraded status can be viewed by either navigating to the All Endpoints table and right-clicking inside the Operational Status field, then under Endpoint Data, selecting View Operational Status Data, or via XQL using the Endpoints dataset and the operational_status_description field. The XQL query below demonstrates how to leverage this data to gain a more in-depth understanding of what is impacting your agents. The query includes comments describing what each stage/function is doing. You can copy and paste the entire query including the comments into your XQL search box.


Degraded Agents With Associated Reason

//Setting case sensitivity to false for this query.

config case_sensitive = false


//defining the data source to run the query against.

|dataset = endpoints


//Limiting results to only the necessary fields.

|fields operational_status_description as osd, endpoint_name, operational_status, operating_system 


//Filtering to only include unprotected or partially protected endpoints in the results.

|filter operational_status in (UNPROTECTED, PARTIALLY_PROTECTED)


/*The "arraymap" function applies a specified function to every element of an array. The syntax for this function is to first define the array, then define the function to apply separated by a comma.

In this example the field "operational_status_description" has been given the alias "osd", so that is how it will be referenced for the duration of this query. The osd field is a string, but is structured like a json array. In order for the arraymap function to work, this field must be converted to an XQL native array. First, the "to_json_string" function is applied to the osd field which returns a json formatted string. Next, the "json_extract_array" function is applied to the output of the to_json_string function, which returns an XQL native array. Now that the input for the arraymap function is in the correct format, the "json_extract_scalar" is defined as the function to apply to every element in the array, using the "@element" syntax to apply the function to the field name "reason". The result is a new field created by the alter stage named "reason" which contains an array of all of the extracted reasons from the osd field.


| alter reason = arraymap (

            json_extract_array (to_json_string(osd ),"$."),

            json_extract_scalar ("@element", "$.reason"))

//Expanding the array to create individual log rows.

|arrayexpand reason 


//Counting the number of distinct endpoints with a common value in the "reason" field.

|comp count_distinct(endpoint_name) as Agents by reason


//Graph parameters.

| view graph type = pie header = "Degraded Operational Status" xaxis = reason yaxis = Agents font = "Arial" headerfontsize = 12 legendfontsize = 10

Rate this article:
L4 Transporter

Hello @bbucao


how long does it take, when unprotected status will be shown in the dataset--> endpoints? 

Since 10 minutes I am waiting for the change.





L1 Bithead

Hi @RFeyertag 


the endpoints dataset gets updated approximately every 1 hour. The most up to date status can be found in the All Endpoints page in the console

L4 Transporter

Thanks @sdrake! Hope the API gets this informations faster?





L1 Bithead

if you use the Get Endpoint resource you can filter on the endpoint_status but then you're using something which doesn't match the OP

Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎06-08-2023 01:09 PM
Updated by: