on 07-05-2023 11:55 AM
Episode Transcript:
John:
Daryl Mae:
John:
Daryl Mae:
Sure, John, so the XDR agent reports the operational status as Protected, Partially Protected, or Unprotected.
These operational statuses indicate whether the agent is providing protection according to your predefined security policies and profiles. They also help you identify when an agent encounters any technical issues or misconfigurations that interfere with the agent’s protection capability.
With this, I will discuss more on the agent operational status, and then I will also discuss how to collect and analyze endpoint logs.
John:
Daryl Mae:
Yeah, absolutely. So the Protected status indicates that the XDR agent is running as configured; Partially Protected indicates that the XDR agent reported one or more exceptions; and lastly, the Unprotected status indicates that the XDR agent is not enforcing protection on the endpoint.
Well, I would like to emphasize that I will be covering agents that are in the Partially Protected and Unprotected states.
So, when you get this report in your XDR server console, you’ll get an idea that something is not right. Then you start to wonder what might have happened to these endpoints, or what has caused them to be in that state all of a sudden. You can then start to think about what has changed in the environment, and so on.
And the first important thing to do is to collect the agent logs.
John:
Daryl Mae:
Yes, you are absolutely right. Now, there are three ways you can retrieve endpoint agent logs: through the Cortex XDR console, from the Agent console on the endpoint, which you can find in the system tray on Windows, and lastly using the cytool command, which you can run in the command prompt or Live Terminal.
So, once you have generated the logs, you are now ready to investigate! So, what’s next? Well, you need to unzip the folder, and it will be extracted into different kinds of log files and groups of folders. You will be looking at the endpoint log named trapsd, which is a text document and can be found in the log folder.
By the way, you have the option to use any free file search tool for log analysis, or you can simply use Windows Notepad or any tool that you are familiar with.
John:
Daryl Mae:
John:
Daryl Mae:
John:
Daryl Mae:
Glad you asked. I wanted to share that we have various status codes for each platform, and those codes have a corresponding meaning. On Windows platforms, they can tell you if the agent is having a general failure, if the agent is not running, or if the disk quota is exceeded.
As for Linux, you can see things like unsupported kernel versions and whether the agent is running asynchronously, and so on.
Last but not least, you can also identify whether the Cortex XDR system extension requires Full Disk Access on macOS machines.
So, these are just some of the information corresponding to the operational status codes. The list of these codes can be found in our Knowledge Base article, and you can absolutely refer to the transcript for more information.
John:
Daryl Mae:
We get this question a lot, and I would like to share that if you notice that a certain endpoint is disconnected, or are wondering whether it has encountered connection issues, you can still do the steps I have mentioned before, and you can focus on the trapsd log and look for the communication log this time. You can simply search for the word “Error”, and it will show various error messages such as exception errors, SSL errors, as well as DNS errors and timeouts, too.
So, with this initial step of the investigation, you can acquire quick information on your endpoint’s protection status and perform your initial troubleshooting.
I think it’s not that difficult at all!
John:
Daryl Mae:
John:
Daryl Mae:
John: