Prelude Security Control Monitor continuously monitors the health, deployment and configuration of enterprise security controls. Each control category has a unique set of failure modes that are identified by Prelude SCM.
EDR Control Failures
Missing EDR
A Missing EDR control failure indicates that the integrated EDR control does not have an active device record for a known device. This can indicate a missing or failed EDR installation on the managed device. Remediation is to install or repair the EDR solution on the specified devices.
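The check described above, as an added example (not Prelude's implementation): it reconciles a list of known devices against EDR device records and reports devices with no active record. The record layout, the `active` flag, the matching rules (serial number, then normalized hostname) and all sample values are assumptions constructed for illustration.

```python
# Added example: find known devices that lack an active EDR device record.
# Field names, matching rules and sample data are constructed assumptions.

def norm_host(name):
    """Lowercase and drop the DNS suffix so 'WS-014.corp.example' matches 'ws-014'."""
    return name.strip().lower().split(".")[0]

def norm_serial(serial):
    """Uppercase and trim a serial number; None when the source has no serial."""
    return serial.strip().upper() if serial else None

def find_missing_edr(known_devices, edr_records):
    """Return hostnames of known devices that have no *active* EDR record.

    A device matches a record on serial number or, failing that, on
    normalized hostname. Inactive (stale) records do not count as coverage.
    """
    active_serials, active_hosts = set(), set()
    for rec in edr_records:
        if not rec.get("active"):
            continue  # a record exists but the sensor is not reporting
        serial = norm_serial(rec.get("serial"))
        if serial:
            active_serials.add(serial)
        active_hosts.add(norm_host(rec["hostname"]))

    missing = []
    for dev in known_devices:
        serial = norm_serial(dev.get("serial"))
        if serial and serial in active_serials:
            continue
        if norm_host(dev["hostname"]) in active_hosts:
            continue
        missing.append(dev["hostname"])
    return missing

# Constructed sample data: inventory from an asset source, records from an EDR export.
KNOWN = [
    {"hostname": "WS-014.corp.example", "serial": "c02xk1"},
    {"hostname": "ws-022", "serial": "C02XK2"},
    {"hostname": "srv-db01", "serial": None},
    {"hostname": "ws-031", "serial": "C02XK3"},
]
EDR = [
    {"hostname": "ws-014", "serial": "C02XK1", "active": True},
    {"hostname": "WS-022", "serial": "C02XK2", "active": False},  # stale record
    {"hostname": "SRV-DB01.corp.example", "serial": None, "active": True},
]

if __name__ == "__main__":
    print(find_missing_edr(KNOWN, EDR))
```

Matching on hostname alone can hide a gap when a hostname is reused after a reimage, so prefer a hardware identifier where both sources provide one.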
Reduced Functionality Mode
Reduced Functionality Mode (RFM) indicates that the EDR solution is operating in a reduced capacity on the managed device. Remediation of this problem varies by EDR vendor and operating system.
CrowdStrike RFM
SentinelOne Operational State
- Not disabled: The Agent is not disabled or in an error state. It might be enabled.
- Disabled completely by the user: A disabled Agent that was rebooted. The Agent functionality is disabled and SentinelOne assets are removed. This Agent is not protected. These functionalities are disabled: Detection, Device Control, Firewall Control, Ranger, and anti-tampering.
- Disabled and not rebooted by the user: The Agent is disabled but was not rebooted. The Agent functionality is disabled, but SentinelOne assets remain. This Agent is not protected. These functionalities are disabled: Detection, Device Control, Firewall Control, Ranger, and anti-tampering. This option is available for Windows Agents only. If this state did not solve an interoperability issue, rebooting the endpoint may help. Rebooting the endpoint will completely disable the Agent.
- Agent disable error: Fetch logs and get help from SentinelOne Support.
- Disabled by SentinelOne: The Agent is disabled by SentinelOne due to a persistent error. This Agent is not protected. These functionalities are disabled: Detection, Device Control, Firewall Control, Ranger, and anti-tampering. This usually occurs when an endpoint does not have available resources. We recommend that you free resources, reboot the endpoint, and enable the Agent. If the issue persists, consult with Support.
  From Windows 23.2, anti-tampering is enabled when in Auto disabled mode and the Agent is protected.
- Limited functionality: Agent database corrupted: Agent security capabilities are disabled by SentinelOne due to a persistent database error. This Agent is unprotected. These functionalities are disabled: Detection, Device Control, Firewall Control, Ranger, and anti-tampering. This usually occurs when an endpoint is out of disk space, out of memory, or is a recently-cloned VM. We recommend that you free resources, reboot the endpoint, and enable the Agent. If the issue persists, consult with Support.
Microsoft Defender for Endpoint (MDE) Passive Mode