Note
This feature requires a Cortex XDR Pro license.
The Dataset Management page enables you to manage your datasets and understand your overall data storage and period-based retention. The top part of the screen details your Storage License Details, since you receive log storage based on the amount of storage associated with your license. All Cortex XDR licenses provide a default retention of 30 days. You can extend your license retention, depending on your requirements, for the following types of storage.
Hot Storage—Fully searchable storage, for investigation and threat hunting.
Cold Storage—Cheaper storage, usually for long-term compliance needs, with limited search options.
The bottom half of the screen lists your Datasets in a table format.
Note
Once Cortex XDR starts to enforce retention, you will not have access to data that exceeds your retention period. You will receive an email and in-app notification before any changes are implemented.
For each dataset listed in the table, the following information is available.
Note
Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
Field | Description |
---|---|
*DATASET NAME | Name of the dataset, where only English alphabetical characters ( |
*TYPE | The type of dataset is based on the method used to upload the data. |
*LOG UPDATE TYPE | The event logs are either updated continuously (Logs) or the current state is updated periodically (State), as detailed in the LAST UPDATED column. |
*LAST UPDATED | The last time the data in the dataset logs was updated, when the LOG UPDATE TYPE is set to State. |
*TOTAL DAYS STORED | The actual number of days that the data is stored in the Cortex XDR tenant, which is comprised of the HOT RANGE + the COLD RANGE. |
*HOT RANGE | Details the exact period of the Hot Storage, from the start date to the end date. |
*COLD RANGE | Details the exact period of the Cold Storage, from the start date to the end date. |
*TOTAL SIZE STORED | The actual size of the data that is stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage. For the |
*AVERAGE DAILY SIZE | The average daily amount stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage. |
*TOTAL EVENTS | The total number of events/logs that are stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage. |
*AVERAGE EVENT SIZE | The average size of a single event in the dataset (TOTAL SIZE STORED divided by TOTAL EVENTS). This number is dependent on the events stored in the Hot Storage. |
DEFAULT QUERY TARGET | Details whether the dataset is configured as your default query target in XQL Search, so that when you write your queries you do not need to define a dataset. By default, only the |
Note
The datasets endpoints and host_inventory include dataset permission enforcements in the Cortex Query Language (XQL), Query Center, and XQL Widgets. To view or access any of these datasets, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views. Managed Security Services Provider (MSSP) administration permissions are not enforced on child tenants, but only on the MSSP tenant.