Manage compute units

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide

Abstract: Learn more about managing and tracking your compute unit usage for API and Cold Storage XQL queries.

Cortex XDR uses compute units (CU) for these types of queries:

  • API Queries: When you run Cortex Query Language (XQL) queries on your data sources using APIs, each XQL query API call consumes CU based on the timeframe, complexity, and number of API response results.

  • Cold Storage Queries: Cold Storage is a lower-cost data retention offering, usually used for long-term compliance needs, with limited search options. You can query Cold Storage data using the dataset format cold_dataset = <dataset name>. These queries consume CU according to the following calculations:

    • Amount of data queried: 1 CU for querying 35 GB of data.

    • Timeframe, complexity, and the number of Cold Storage response results of each XQL Cold Storage query.

    When you query Cold Storage data, the rewarmed data is saved in a temporary hot storage cache that is available for subsequent queries on the same time range at no additional cost. The rewarmed data stays in the cache for 24 hours, and on each re-query the cached data is extended for 24 hours, for up to 7 days.

    Note

    The CU consumption of Cold Storage queries is based on the number of days in the query time frame. For example, when you query 1 hour of a specific day, the CU for querying that entire day are consumed. When you query 1 hour that spans 2 days, such as from 23:50 to 00:50 of the following day, the CU for querying both days are consumed.
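
The day-based billing, the 35 GB per CU rate and the 24-hour cache described above can be combined to budget a series of Cold Storage queries before running them. The Python estimator below is an added example, not Palo Alto Networks code or the product's billing logic, and it covers only the data-volume part of the cost (the timeframe, complexity and result-count part has no formula on this page). Its assumptions: the cache is tracked per calendar day, the 7-day limit counts from the first rewarm, the end of a window is exclusive, CU are not rounded, and all names and sample volumes are hypothetical.

```python
from datetime import date, datetime, timedelta

GB_PER_CU = 35                    # page: 1 CU for querying 35 GB
CACHE_TTL = timedelta(hours=24)   # page: rewarmed data is cached for 24 hours
CACHE_MAX = timedelta(days=7)     # page: re-queries extend the cache up to 7 days

def billed_days(start, end):
    """Calendar days touched by the window [start, end); end is exclusive."""
    if end <= start:
        raise ValueError("end must be after start")
    last = (end - timedelta(microseconds=1)).date()
    span = (last - start.date()).days + 1
    return [start.date() + timedelta(days=i) for i in range(span)]

class ColdQueryEstimator:
    """Estimates only the data-volume part of the CU cost of cold queries."""

    def __init__(self, gb_per_day):
        self.gb_per_day = gb_per_day  # {date: GB held in cold storage for that day}
        self.cache = {}               # {date: (first_rewarm, expires)}

    def run(self, now, start, end):
        """Estimated CU for a query over [start, end) issued at time `now`."""
        gb = 0.0
        for day in billed_days(start, end):
            first, expires = self.cache.get(day, (None, None))
            if first is not None and now < expires:
                # Cache hit: no charge; extend by 24 h, capped 7 days after
                # the first rewarm (assumed reading of "up to 7 days").
                self.cache[day] = (first, min(now + CACHE_TTL, first + CACHE_MAX))
            else:
                # Miss or expired: the whole day is rewarmed and charged.
                gb += self.gb_per_day.get(day, 0.0)
                self.cache[day] = (now, now + CACHE_TTL)
        return gb / GB_PER_CU

def demo():
    # Constructed volumes and timestamps, for illustration only.
    est = ColdQueryEstimator({date(2024, 3, 1): 70.0, date(2024, 3, 2): 35.0})
    t0 = datetime(2024, 3, 10, 9, 0)
    return [
        est.run(t0, datetime(2024, 3, 1, 23, 50), datetime(2024, 3, 2, 0, 50)),
        est.run(t0 + timedelta(hours=5), datetime(2024, 3, 1, 10), datetime(2024, 3, 1, 11)),
        est.run(t0 + timedelta(hours=30), datetime(2024, 3, 1, 10), datetime(2024, 3, 1, 11)),
    ]

if __name__ == "__main__":
    print(demo())
```

In the demo, the one-hour query that crosses midnight is charged for both days, the re-query five hours later is served from the cache, and the query issued after the cache has lapsed is charged for the full day again.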