Dataset Management

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-23
Last date published: 2023-03-23

Note

This feature requires a Cortex XDR Pro license.

The Dataset Management page enables you to manage your datasets and to understand your overall data storage and period-based retention. The top part of the screen details your Storage License Details, because the log storage you receive is based on the amount of storage associated with your license. All Cortex XDR licenses provide a default retention of 30 days. You can extend your license retention, depending on your requirements, for the following types of storage.

  • Hot Storage—Fully searchable storage, for investigation and threat hunting.

  • Cold Storage—Cheaper storage, usually used for long-term compliance needs, with limited search options.

The bottom half of the screen lists your Datasets in a table format.

Note

Once Cortex XDR starts to enforce retention, you will not have access to data that exceeds your retention period. You will receive an email and in-app notification before any changes are implemented.

For each dataset listed in the table, the following information is available.

Note

Certain fields are exposed by default and others are hidden. An asterisk (*) marks every field that is exposed by default.

Field

Description

*DATASET NAME

Name of the dataset, where only English alphabetical characters (a-z, A-Z) are supported. Numbers (0-9) and underscores (_) are supported, but not as the first character of the name.

*TYPE

The type of dataset is based on the method used to upload the data.

  • Correlation—A dataset containing data saved from a Correlation Rule.

  • Lookup—Two possible scenarios.

    • Uploaded through the user interface.

    • If saved by a query using the target command, the Type can be either User or Lookup. See the entry for target in the XQL Language Reference guide for details.

  • Raw—Every dataset where PANW data is ingested out-of-the-box or third-party data is ingested via a configured dedicated collector.

  • Snapshot—A dataset that contains only the last successful snapshot of the data, such as Workday or ServiceNow CMDB tables.

  • System—Cortex XDR datasets that are created out-of-the-box.

  • User—If saved by a query using the target command, the Type can be either User or Lookup.

*LOG UPDATE TYPE

Whether the event logs are updated continuously (Logs) or the current state is updated periodically (State), as detailed in the LAST UPDATED column.

*LAST UPDATED

The last time the data in the dataset was updated, when the LOG UPDATE TYPE is set to State.

*TOTAL DAYS STORED

The actual number of days that the data is stored in the Cortex XDR tenant, which is the HOT RANGE plus the COLD RANGE.

*HOT RANGE

Details the exact period of the Hot Storage from the start date to the end date.

*COLD RANGE

Details the exact period of the Cold Storage from the start date to the end date.

*TOTAL SIZE STORED

The actual size of the data stored in the Cortex XDR tenant. This number depends on the events stored in Hot Storage. For the xdr_data dataset, whose first 30 days of storage are included with your license, those first 30 days are not counted in the TOTAL SIZE STORED number.

*AVERAGE DAILY SIZE

The average daily amount stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage.

*TOTAL EVENTS

The total number of events/logs stored in the Cortex XDR tenant. This number depends on the events stored in Hot Storage.

*AVERAGE EVENT SIZE

The average size of a single event in the dataset (TOTAL SIZE STORED divided by the TOTAL EVENTS). This number is dependent on the events stored in the Hot Storage.

DEFAULT QUERY TARGET

Details whether the dataset is configured as your default query target in XQL Search, so that you do not need to define a dataset when you write your queries. By default, only the xdr_data dataset is configured as the DEFAULT QUERY TARGET, and this field is set to Yes; all other datasets have this field set to No. When multiple default datasets are set, your query does not need to mention any of the dataset names, and Cortex XDR queries the default datasets using a join.

Note

Dataset permission enforcement applies to the endpoints and host_inventory datasets in the Cortex Query Language (XQL), Query Center, and XQL Widgets. To view or access either of these datasets, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views. Managed Security Services Provider (MSSP) administration permissions are enforced only on the MSSP tenant, not on child tenants.