Cortex XDR uses compute units (CU) for these types of XQL Query APIs.
API Queries—When running Cortex Query Language (XQL) queries on your data sources using APIs, each XQL query API consumes compute units based on the timeframe, complexity, and number of API response results.
Cold Storage Queries—Cold Storage is a data retention offering for cheaper storage usually for long-term compliance needs with limited search options. You can perform queries on Cold Storage data using the dataset format
cold_dataset = <dataset name>, which consumes compute units according to the following calculations.Amount of data queried. 1CU for querying 35GB of data.
Timeframe, complexity, and the number of Cold Storage response results of each XQL Cold Storage query.
Cortex XDR provides a free daily quota of compute units allocated according to your license size. Queries called without enough quota will fail. To expand your investigation capabilities, you can purchase additional compute units by enabling the Compute Unit add-on.
The Compute Unit add-on provides an additional 1 compute unit per day, in addition to your free daily quota. For example, if you have allocated 5 free daily compute units, with the add-on you will have a total of 6 daily compute units. The compute units are refreshed every 24 hours according to UTC time. You can purchase a minimum of 50 compute units.
To gauge how many compute units you require, Cortex XDR provides a 30-day free trial period with a total of three times your allocated compute units to run XQL API and Cold Storage queries. You can then track the cost of each XQL API and Cold Storage query responses and the Compute Units Usage page. In addition, Cortex XDR sends a notification when the Compute Units add-on has reached your daily threshold.
To enable the add-on, select → → → tile, and select the Compute Unit tile and Enable.
To manage your compute units usage for your XQL API and Cold Storage queries.
Select → → → .
In the Daily Usage in Compute Units section, monitor the amount of quota units used over the past 24 hours and the amount of free daily quota allocated according to your license size and the additional amount you have purchased. The time frame is calculated according to UTC time.
For Managed Security tenants, the values calculated are the total daily usage of parent and child tenants.
In the Compute Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu, the tenant for which you want to display the information. To investigate further.
Hover over each bar to view the total number of query units used each day for both API Usage and Cold Storage Usage.
Select a bar to display in the XQL Queries Using API table the list of XQL API and Cold Storage queries executed on the selected day.
In the Compute Units Usage table, investigate all the XQL API and Cold Storage queries that were executed on your tenant. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu, the tenant for which you want to display the information. You can filter and sort according to the following fields.
ID—Unique identifier representing the executed XQL API query.
Timestamp—Date and time of when the XQL API was executed.
Type—Indicates the type of query performed either an API Query or Cold Storage Query.
PAPI Key ID—API Key ID used to execute the XQL API.
XQL Query—The XQL query called using an API or Cold Storage search.
Compute Unit Usage—Displays how many query units were used to execute the API query and Cold Storage query.
Tenant—Appears only in a Managed Security tenant. Displays which tenant executed an API query or Cold Storage query.
Investigate the XQL API or Cold Storage query results.
In the Compute Units Usage table, locate an XQL API or Cold Storage query, right-click and select Show Results.
The query is displayed on the XQL Search page where you can view the query results.