Investigate Child Tenant Data - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-18
Category: Administrator Guide
Abstract

For managed security providers, you can view, track, and investigate data across your Cortex XDR child tenants.

With Cortex XDR managed security, you can investigate the Cortex XDR child tenant data.

By default, Cortex XDR displays data for your own tenant. To display data for one of your child tenants, select that tenant from the drop-down.

[Image: mssp-select-tenant.png, the child tenant selection drop-down]

Some common tasks that you might perform include:

  • Investigate incidents on a child tenant.

  • Investigate alerts on a child tenant.

  • Build and execute an XQL search query to search across the data of a child tenant.

    When running an XQL Search, you can execute XQL queries across a single child tenant or up to 100 child tenants simultaneously.

    • For XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.

    • When executing XQL queries on multiple child tenants simultaneously:

      • Autocomplete and validation are supported on all datasets.

      • Queries are executed on each child tenant separately and return up to 1,000,000 results in total, split evenly across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.

      • You can select multiple datasets that share the same dataset name from different child tenants even when their schemas are different. Cortex XDR displays only the common fields that have the same name and the same data type in both datasets. If the datasets from two child tenants contain fields with the same name, but different data types, or one of the datasets contains fields that the other one doesn’t have, these fields will not be displayed. By default, even when you don’t select fields, Cortex XDR automatically selects the fields that are common to both child datasets.

        In the example below, if you select two child tenants which both contain a dataset called users, Cortex XDR displays users as a possible source for the query, even though they contain different fields.

        Tenant_1:
        users = {"employee_name": "John", "employee_number": 123}
        Tenant_2:
        users = {"employee_name": "John", "employee_number": "123", "national_ID": 123456789}

        When you start selecting fields from users, Cortex XDR displays only the field employee_name as an option for the query since its name and type are the same for both child tenants.

  • Use the Query Builder to build and execute an entity-specific query across the data of a child tenant. You can run either an ad-hoc query or a scheduled query on one or more child tenants. For each query, Cortex XDR returns up to 100,000,000 results across all selected tenants.

  • Use the Query Center to view previously run XQL searches and entity queries run on your tenant and the child tenants.
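The field-merging rule for multi-tenant XQL searches described above (only fields with the same name and the same data type in every selected child dataset are exposed) and the per-tenant share of the 1,000,000-result cap can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Cortex XDR code and does not call any Cortex API. It assumes a dataset can be summarised by one sample record whose Python value types stand in for the dataset's field types, and it generalises the two-tenant users example to any number of tenants, also reporting why each excluded field was dropped (useful when a multi-tenant query unexpectedly shows fewer fields than a single-tenant one).

```python
"""Model of how a multi-tenant XQL query exposes only the fields shared by
every selected child tenant's dataset (same name AND same data type).
Illustrative code for this guide page; not a Cortex XDR implementation."""
from typing import Any, Dict, List

# Constructed sample records, mirroring the 'users' example in the guide.
# Tenant_1 stores employee_number as an integer, Tenant_2 as a string, and
# only Tenant_2 has national_ID.
TENANT_DATASETS: Dict[str, Dict[str, Any]] = {
    "Tenant_1": {"employee_name": "John", "employee_number": 123},
    "Tenant_2": {"employee_name": "John", "employee_number": "123",
                 "national_ID": 123456789},
}


def schema_of(record: Dict[str, Any]) -> Dict[str, str]:
    """Derive a {field_name: type_name} schema from one sample record."""
    return {name: type(value).__name__ for name, value in record.items()}


def common_fields(datasets: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Return the fields present in every tenant's dataset with an identical
    type. This is the set Cortex XDR auto-selects when no fields are chosen."""
    schemas = [schema_of(rec) for rec in datasets.values()]
    if not schemas:
        return {}
    common = dict(schemas[0])
    for schema in schemas[1:]:
        # Keep a field only if this tenant has it with exactly the same type.
        common = {n: t for n, t in common.items() if schema.get(n) == t}
    return common


def excluded_fields(datasets: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Explain why each field seen in any tenant is NOT queryable across all."""
    schemas = {tenant: schema_of(rec) for tenant, rec in datasets.items()}
    every_field = sorted({f for s in schemas.values() for f in s})
    common = common_fields(datasets)
    reasons: Dict[str, str] = {}
    for field in every_field:
        if field in common:
            continue
        missing = [t for t, s in schemas.items() if field not in s]
        if missing:
            reasons[field] = "missing in: " + ", ".join(missing)
        else:
            types = ", ".join(f"{t}={s[field]}" for t, s in schemas.items())
            reasons[field] = "type mismatch: " + types
    return reasons


def per_tenant_cap(tenant_count: int, total_cap: int = 1_000_000) -> int:
    """Maximum results one tenant can contribute when the documented
    1,000,000-result limit is split across the selected tenants."""
    if tenant_count < 1:
        raise ValueError("at least one tenant must be selected")
    return total_cap // tenant_count


def xql_fields_stage(common: Dict[str, str]) -> str:
    """Build the '| fields ...' stage listing only the shared fields."""
    return "| fields " + ", ".join(sorted(common))


if __name__ == "__main__":
    shared = common_fields(TENANT_DATASETS)
    print("queryable across both tenants:", shared)
    print("excluded:", excluded_fields(TENANT_DATASETS))
    print("dataset = users", xql_fields_stage(shared))
    print("per-tenant cap for 10 tenants:", per_tenant_cap(10))
```

Running the block prints that only employee_name is queryable, that employee_number is dropped for a type mismatch and national_ID because Tenant_1 lacks it, and that a 10-tenant query is capped at 100,000 results per tenant. Adding a third tenant record to TENANT_DATASETS narrows the shared set further in the same way.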