This feature requires a Cortex XDR Pro license.
The Dataset Management page enables you to manage your datasets and understand your overall data storage and period-based retention. The top part of the screen details your Storage License Details: you receive log storage based on the amount of storage associated with your license. All Cortex XDR licenses provide a default retention of 30 days. You can extend your retention, depending on your requirements, for the following types of storage.
Hot Storage—Fully searchable storage, for investigation and threat hunting.
Cold Storage—Cheaper storage, usually used for long-term compliance needs, with limited search options.
The bottom half of the screen lists your Datasets in a table format.
Once Cortex XDR starts to enforce retention, you no longer have access to data that is older than your retention period. You will receive an email and an in-app notification before any changes are implemented.
For each dataset listed in the table, the following information is available.
Some fields are shown by default and others are hidden. An asterisk (*) marks every field that is shown by default.
Name of the dataset, where only English alphabetical characters (
The type of dataset, which is determined by the method used to upload the data.
*LOG UPDATE TYPE
Whether the dataset receives event logs continuously (Logs) or is periodically refreshed with the current state (State). For State datasets, the time of the last refresh is shown in the LAST UPDATED column.
The last time the data in the dataset was updated. Shown when the LOG UPDATE TYPE is State.
*TOTAL DAYS STORED
The actual number of days that the data is stored in the Cortex XDR tenant, which is the HOT RANGE plus the COLD RANGE.
Details the exact period of the Hot Storage from the start date to the end date.
Details the exact period of the Cold Storage from the start date to the end date.
*TOTAL SIZE STORED
The actual size of the data stored in the Cortex XDR tenant. This number reflects only the events stored in Hot Storage. For the
*AVERAGE DAILY SIZE
The average amount of data stored per day in the Cortex XDR tenant. This number reflects only the events stored in Hot Storage.
The total number of events (logs) stored in the Cortex XDR tenant. This number reflects only the events stored in Hot Storage.
*AVERAGE EVENT SIZE
The average size of a single event in the dataset (TOTAL SIZE STORED divided by TOTAL EVENTS). This number reflects only the events stored in Hot Storage.
DEFAULT QUERY TARGET
Indicates whether the dataset is configured as your default query target in XQL Search, so that you do not need to specify a dataset when you write your queries. By default, only the
host_inventory include dataset permission enforcements in the Cortex Query Language (XQL), Query Center, and XQL Widgets. To view or access any of these datasets, you need role-based access control (RBAC) permissions for the Endpoint Administration and Host Inventory views. Managed Security Service Provider (MSSP) administration permissions are enforced only on the MSSP tenant, not on child tenants.
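As an added example of what the DEFAULT QUERY TARGET setting changes in practice (this is not from the Cortex XDR documentation), the two XQL queries below return the same rows only when xdr_data is the dataset marked as the default query target; that assumption, the process name being filtered, and the row limit are chosen here for illustration.

```xql
// Explicit dataset stage: always runs against xdr_data, whatever the default query target is.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| fields _time, agent_hostname, action_process_image_command_line
| limit 20

// No dataset stage: runs against whichever dataset is marked as the DEFAULT QUERY TARGET.
// Equivalent to the query above only while that target is xdr_data (assumed here).
filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"
| fields _time, agent_hostname, action_process_image_command_line
| limit 20
```

Leaving out the dataset stage is convenient, but it ties the meaning of a saved query or widget to a tenant-wide setting: if the default query target is later changed to another dataset, the second query silently runs against that dataset instead. For queries you share or schedule, keep the explicit dataset stage. Note also that changing the default target does not bypass dataset permission enforcement; a dataset such as host_inventory still requires the RBAC permissions described above whether it is queried explicitly or as the default.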