Scan status details of Cortex XDR



L1 Bithead

Hi Team, 


Can I get more information on scan status for the below scenarios?


1. If the scan is initiated and the endpoint gets disconnected before completion, what will be the status?

2. When the endpoint connects back, will the scan automatically resume from where it stopped?

3. What is the difference between the 'Aborted', 'Error' and 'Cancelled' statuses?


Cortex XDR 


L4 Transporter

Hello @Aneesh 


Thanks for reaching out on LiveCommunity!

Below are the answers to your questions.

1. Once the scan is initiated, it will be in progress status even if the endpoint gets disconnected. The scan will be resumed if the endpoint connects back within 24 hours.

2. Scan will resume automatically from where it was interrupted.

3. Below are the definitions for the various action statuses.

  • Aborted—Scan was cancelled after it was started.

  • Error—Scan failed to run, e.g. the endpoint was disconnected for more than 24 hours.

  • Canceled—Scan was canceled before it was started.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.



L4 Transporter

Hello @Aneesh 
As per your requirements, scan status can be checked in multiple ways in Cortex XDR. The following are the methods to do so:

  1. Endpoints Administration: In the Endpoints tab, go to All Endpoints. We have two columns, "Scan status" and "Last Successful Scan". These can be used in parallel to map which endpoints were scanned, with the result in the columns. Scan status can be described as below:


  2. Agent audit logs: In the agent audit logs, under the "Sub-Type" column, we can filter our "Scan" and find the status of the endpoints with malware scans, with a description. You can also set up notification forwarding of these agent logs to email or syslog servers as per your use cases.
  3. XQL Search: You can write your own XQL queries to query the scan status of the endpoints. XQL queries also let you create multiple items based on your use cases, from generating reports to alerts (e.g. generate an alert for endpoints with cancelled scans, or failed scans, etc.). The sample XQL query below will list the endpoints with their scan status and last successful scans:



dataset = endpoints 
| fields scan_status , last_successful_scan , endpoint_name , agent_version , last_seen , ip_address , platform , operating_system 




You can also schedule the queries, or create reports or widgets for your XDR dashboards for auditing and reporting purposes, for example by sorting endpoint counts on the basis of scan status, as in the sample shown below:




Hope this helps! Please mark this as "Accept as Solution" if it resolves your query.

Ashutosh Patil
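
The triage rules from the two answers above, applied to an exported result of the sample XQL query (an added example, not part of the original posts and not Palo Alto Networks code). The CSV layout, the status strings, the ISO 8601 timestamps and the use of last_seen as the disconnect time are assumptions; the function name triage is hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Resume window stated in the thread: an interrupted scan resumes only if
# the endpoint reconnects within 24 hours; past that the scan ends in Error.
RESUME_WINDOW = timedelta(hours=24)

# Constructed sample export. Column names follow the XQL query above; the
# status strings and timestamp format are assumptions, not product output.
SAMPLE_CSV = """endpoint_name,scan_status,last_seen,last_successful_scan
ws-001,Success,2024-05-10T08:00:00+00:00,2024-05-10T07:30:00+00:00
ws-002,In Progress,2024-05-10T07:00:00+00:00,2024-04-01T09:00:00+00:00
ws-003,In Progress,2024-05-08T06:00:00+00:00,
ws-004,Aborted,2024-05-10T08:30:00+00:00,2024-03-15T10:00:00+00:00
ws-005,Error,2024-05-07T12:00:00+00:00,
ws-006,Canceled,2024-05-10T08:45:00+00:00,2024-05-01T11:00:00+00:00
"""

def triage(csv_text, now):
    """Return {endpoint_name: finding} for endpoints that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["endpoint_name"]
        status = row["scan_status"].strip().lower()
        # Assumption: last_seen approximates when the endpoint disconnected.
        offline_for = now - datetime.fromisoformat(row["last_seen"])
        if status == "in progress" and offline_for > RESUME_WINDOW:
            findings[name] = "stalled: offline past the 24 h resume window"
        elif status == "error":
            findings[name] = "error: scan failed to run, rescan needed"
        elif status == "aborted":
            findings[name] = "aborted: cancelled after start, check who stopped it"
        elif status in ("canceled", "cancelled"):
            findings[name] = "canceled: cancelled before start"
        # An in-progress scan inside the window is left alone: it should
        # resume from where it stopped once the endpoint reconnects.
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
    for name, finding in triage(SAMPLE_CSV, now).items():
        print(f"{name}: {finding}")
```
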

Hi @nsinghvirk


Thanks for the explanation.


As you said, if the endpoint got disconnected before completion of a scan and failed to connect back within 24 hrs, then the scan status will be in 'error' state.

In that case, can we configure the waiting period for the endpoint to connect back? If yes, how?


Also, some of the connected endpoints show an aborted scan state in our environment. So, to get some clarity:

Does the aborted status show when the scan is cancelled either from the user or admin side?

What if there is no option for the user to cancel it and the admin did not cancel the scan?


Thanks in advance.


Hi @nsinghvirk

Can you help me with the above query?


Thanks in advance.

