Cortex XDR consumes compute units (CU) for the following types of XQL queries.
API Queries—When you run Cortex Query Language (XQL) queries on your data sources through the API, each XQL query API call consumes CU based on the time frame, the query complexity, and the number of results in the API response.
Cold Storage Queries—Cold Storage is a lower-cost data retention tier, usually used for long-term compliance needs, with limited search options. You query Cold Storage data using the dataset format cold_dataset = <dataset name>, which consumes CU according to the following calculations.
Amount of data queried: 1 CU for every 35 GB of data queried.
Time frame, complexity, and number of results returned by each XQL Cold Storage query.
When you query Cold Storage data, the rewarmed data is saved in a temporary hot storage cache and is available to subsequent queries on the same time range at no additional cost. The rewarmed data remains in the cache for 24 hours; each re-query extends the cache period by a further 24 hours, up to a maximum of 7 days.
The CU consumption of Cold Storage queries is based on the number of calendar days that the query time frame touches, not on the exact number of hours queried. For example, querying 1 hour within a single day consumes the CU for that entire day. Querying 1 hour that spans two days, such as 23:50 to 00:50 of the following day, consumes the CU for both days.
Cortex XDR provides a free daily quota of CU, allocated according to your license size. Queries called when the remaining quota is insufficient fail. To expand your investigation capabilities, you can purchase additional CU by enabling the Compute Unit add-on.
The Compute Unit add-on provides 1 additional compute unit per day on top of your free daily quota. For example, if your license allocates 5 free daily CU, with the add-on you have a total of 6 daily compute units. CU are refreshed every 24 hours, according to UTC time. The minimum purchase is 50 compute units.
To help you gauge how many CU you require, Cortex XDR provides a 30-day free trial period with a total of three times your allocated CU for running XQL API and Cold Storage queries. You can then track the cost of each XQL API and Cold Storage query response on the Compute Units Usage page. In addition, Cortex XDR sends a notification when Compute Unit add-on usage reaches your daily threshold.
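Worked example, added here and not part of the Cortex XDR documentation or product code: a small Python model of the Cold Storage billing rules stated above (whole-day charging, 1 CU per 35 GB, the 24-hour rewarm cache that re-queries extend up to 7 days) and of the daily quota that refreshes on UTC time, so that a query submitted without enough remaining CU fails instead of running. The function and class names, the exclusive end bound on a time frame, the 7-day ceiling being measured from the first rewarm, and "same time range" meaning identical bounds are assumptions of this example; the complexity and result-count components of the cost are not published on this page and are not modelled, so the estimates are lower bounds. All dates in the usage call are constructed sample input.

```python
# Added example (not Palo Alto Networks code): models the Cold Storage CU rules
# described on this page. Anything beyond those stated rules is labelled as an
# assumption in the comments below.
from datetime import datetime, timedelta, timezone

GB_PER_CU = 35.0                 # page: 1 CU for querying 35 GB of data
CACHE_TTL = timedelta(hours=24)  # page: rewarmed data cached for 24 hours
CACHE_MAX = timedelta(days=7)    # page: extended on each re-query, up to 7 days
UTC = timezone.utc
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime (helper for sample input)."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def utc_days_touched(start, end):
    """Count the distinct UTC calendar days a query time frame overlaps.

    Page rule: 1 hour within one day is charged as that whole day, and
    23:50 to 00:50 the next day is charged as two days.
    Assumption: `end` is exclusive, so a range ending exactly at 00:00
    does not touch the following day.
    """
    if end <= start:
        raise ValueError("end must be after start")
    first = start.astimezone(UTC).date()
    last = (end.astimezone(UTC) - timedelta(microseconds=1)).date()
    return (last - first).days + 1


def data_volume_cu(data_gb):
    """CU for the data-volume component only (1 CU per 35 GB). Time frame,
    complexity and result count also contribute, but their rates are not on
    this page, so this is a lower bound rather than the full charge."""
    if data_gb < 0:
        raise ValueError("data_gb must be non-negative")
    return data_gb / GB_PER_CU


class RewarmCache:
    """Hot cache of rewarmed Cold Storage data, keyed by (start, end).

    Assumptions: a "same time range" hit means identical bounds, and the
    7-day ceiling is measured from the first rewarm of that range.
    """

    def __init__(self):
        self._entries = {}  # (start, end) -> [first_rewarm, expires_at]

    def charge(self, start, end, data_gb, now):
        """CU charged for this query: 0 on a cache hit, else data-volume CU."""
        key = (start, end)
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            first_rewarm = entry[0]
            # Re-query extends the cache by 24h, capped at 7 days from first rewarm.
            entry[1] = min(now + CACHE_TTL, first_rewarm + CACHE_MAX)
            return 0.0
        self._entries[key] = [now, now + CACHE_TTL]  # cache miss: rewarm and charge
        return data_volume_cu(data_gb)


class DailyQuota:
    """Free daily CU plus add-on CU, refreshed per UTC day (page rule)."""

    def __init__(self, free_cu, addon_cu=0.0):
        self.daily = free_cu + addon_cu
        self._day = None
        self.remaining = 0.0

    def _refresh(self, now):
        today = now.astimezone(UTC).date()
        if today != self._day:
            self._day, self.remaining = today, self.daily

    def try_spend(self, cost, now):
        """Spend `cost` CU if available; a query without enough quota fails."""
        self._refresh(now)
        if cost > self.remaining:
            return False
        self.remaining -= cost
        return True


if __name__ == "__main__":
    # Constructed sample: a 1-hour window that crosses midnight, 70 GB of data.
    start, end = utc(2024, 3, 1, 23, 50), utc(2024, 3, 2, 0, 50)
    print("days charged:", utc_days_touched(start, end))       # 2
    cache, quota = RewarmCache(), DailyQuota(free_cu=5, addon_cu=1)
    now = utc(2024, 3, 5, 12)
    for offset in (0 * HOUR, 23 * HOUR, 48 * HOUR):
        cost = cache.charge(start, end, 70.0, now + offset)
        print(f"+{offset}: cost {cost:.2f} CU, ran={quota.try_spend(cost, now + offset)}")
```

The second query at +23h hits the cache and costs nothing, and it pushes expiry to +47h; the third at +48h misses and is charged again, which is the behaviour to expect when a scheduled re-query is spaced just past the extended window.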
To enable the add-on, select → → → , select the Compute Unit tile, and select Enable.
To manage your CU usage for XQL API and Cold Storage queries:
Select → → → .
In the Daily Usage in Compute Units section, monitor the number of CU used over the past 24 hours, the free daily quota allocated according to your license size, and any additional CU you have purchased. The time frame is calculated according to UTC time.
For Managed Security tenants, the values shown are the total daily usage of the parent and child tenants.
In the Compute Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, select the tenant whose information you want to display from the MSSP Tenant Selection drop-down menu. To investigate further:
Hover over a bar to view the total number of CU used that day, split into API Usage and Cold Storage Usage.
Select a bar to list, in the XQL Queries Using API table, the XQL API and Cold Storage queries executed on the selected day.
In the Compute Units Usage table, investigate all the XQL API and Cold Storage queries that were executed on your tenant. For Managed Security tenants, select the tenant whose information you want to display from the MSSP Tenant Selection drop-down menu. You can filter and sort by the following fields.
ID—Unique identifier of the executed XQL API query.
Timestamp—Date and time when the XQL API query was executed.
Type—Type of query performed: API Query or Cold Storage Query.
PAPI Key ID—API key ID used to execute the XQL API query.
XQL Query—The XQL query called through the API or the Cold Storage search.
Compute Unit Usage—Number of CU used to execute the API query or Cold Storage query.
Tenant—Appears only in a Managed Security tenant. The tenant that executed the API query or Cold Storage query.
To investigate the results of an XQL API or Cold Storage query:
In the Compute Units Usage table, locate the query, right-click it, and select Show Results.
The query opens on the XQL Search page, where you can view its results.