Dataset Management - Administrator Guide - Cortex XDR - Cortex

Dataset Management - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-03-22

Last date published

2023-09-21

Note

This feature requires a Cortex XDR Pro license.

The Dataset Management page enables you to manage your datasets and understand your overall data storage duration for different retention periods based on your Hot and Cold Storage licenses, including retention add-ons to extend your storage. The top of the page is where the details of your data retention licenses are listed.

Note

For more information on license retention and the defaults provided per license, see License Retention.

Important

Cortex XDR enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.

Hot and Cold Storage

Abstract

Learn more about how your Hot and Cold Storage licenses are displayed in the Dataset Management page.

Your current hot and cold storage licenses, including the default license retention and any additonal retention add-ons to extend storage, are listed within the Hot Storage License and Cold Storage License sections of the Dataset Management page. Whenever you extend your license retention, depending on your requirements and license add-ons for both Hot Storage and Cold Storage, the add-ons are listed.

Datasets Table

Abstract

Learn more about the Datasets table in the Dataset Management page.

For each dataset listed in the table, the following information is available.

Note

Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.
Datasets include dataset permission enforcements in the Cortex Query Language (XQL), Query Center, and XQL Widgets. For example, to view or access any of the endpoints and host_inventory datasets, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views. Managed Security Services Providers (MSSP) administration permissions are not enforced on child tenants, but only on the MSSP tenant.

Field	Description
*TYPE	The type of dataset is based on the method used to upload the data. Read more... Correlation—A dataset containing data saved from a Correlation Rule. Lookup—Two possible scenarios. Uploaded through the user interface. If saved by a query using the `target` command, the Type can be either User or Lookup. See the entry for `target` in the XQL Language Reference guide for details. Raw—Every dataset where PANW data is ingested out-of-the-box or third-party data is ingested via a configured dedicated collector. Snapshot—A dataset that contains only the last successful snapshot of the data, such as Workday or ServiceNow CMDB tables. System— Cortex XDR datasets that are created out-of-the-box. User—If saved by a query using the `target` command, the Type can be either User or Lookup.
*LOG UPDATE TYPE	The event logs are updated either continuously (Logs) or the current state is updated periodically (State) as detailed in the LAST UPDATED column.
*LAST UPDATED	The last time the data in the dataset logs were updated, When the LOG UPDATE TYPE is set to State.
*TOTAL DAYS STORED	The actual number of days that the data is stored in the Cortex XDR tenant, which is comprised of the HOT RANGE + the COLD RANGE.
*HOT RANGE	Details the exact period of the Hot Storage from the start date to the end date.
*COLD RANGE	Details the exact period of the Cold Storage from the start date to the end date.
*TOTAL SIZE STORED	The actual size of the data that is stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage. For the `xdr_data` dataset, where the first 30 days of storage are included with your license, the first 30 days are not included in the TOTAL SIZE STORED number.
*AVERAGE DAILY SIZE	The average daily amount stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage.
*TOTAL EVENTS	The number of total events/logs that are stored in the Cortex XDR tenant. This number is dependent on the events stored in the Hot Storage.
*AVERAGE EVENT SIZE	The average size of a single event in the dataset (TOTAL SIZE STORED divided by the TOTAL EVENTS). This number is dependent on the events stored in the Hot Storage.
DEFAULT QUERY TARGET	Details whether the dataset is configured to use as your default query target in XQL Search, so when you write your queries you do not need to define a dataset. By default, only the `xdr_data` dataset is configured as the DEFAULT QUERY TARGET and this field is set to Yes. All other datasets have this field set to No. When setting multiple default datasets, your query does not need to mention any of the dataset names, and Cortex XDR queries the default datasets using a `join`.