Investigate Child Tenant Data - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


For managed security providers, Cortex XSIAM managed security lets you view, track, and investigate the data of your Cortex XSIAM child tenants.

By default, Cortex XSIAM displays data for your own tenant. To display data for one of your child tenants, select that tenant from the drop-down.


Some common tasks that you might perform include:

  • Investigate incidents on a child tenant.

  • Investigate alerts on a child tenant.

  • Build and execute an XQL search query to search across the data of a child tenant.

    When running an XQL Search, you can execute XQL queries across a single child tenant or up to 100 child tenants simultaneously.

    • For XQL queries on a single child tenant, Cortex XSIAM provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.

    • When executing XQL queries on multiple child tenants simultaneously:

      • Autocomplete and validation are supported on all datasets.

      • Queries are executed on each child tenant separately and return up to 1,000,000 results in total, split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.

      • You can select multiple datasets that share the same dataset name from different child tenants even when their schemas are different. Cortex XSIAM displays only the common fields that have the same name and the same data type in both datasets. If the datasets from two child tenants contain fields with the same name, but different data types, or one of the datasets contains fields that the other one doesn’t have, these fields will not be displayed. By default, even when you don’t select fields, Cortex XSIAM automatically selects the fields that are common to both child datasets.

        In the example below, if you select two child tenants that both contain a dataset called users, Cortex XSIAM displays users as a possible source for the query, even though the two datasets contain different fields.

        users= {"employee_name": "John", "employee_number": 123}
        users= {"employee_name": "John", "employee_number": "123", "national_ID": 123456789}

        When you start selecting fields from users, Cortex XSIAM displays only the field employee_name as an option for the query since its name and type are the same for both child tenants.

  • Use the Query Builder to build and execute an entity-specific query across the data of a child tenant. You can run either an ad-hoc query or a scheduled query on one or more child tenants. For each query, Cortex XSIAM returns up to 100,000,000 results across all selected tenants.

  • Use the Query Center to view previously run XQL searches and entity queries run on your tenant and the child tenants.
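The common-field rule for multi-tenant XQL queries described above (same name and same data type on every selected child tenant) can be modelled as follows. This is an added example, not Cortex XSIAM code; the tenant names are made up, and Python value types stand in for the real dataset schema types, which the page does not list.

```python
# Added illustration (not Cortex XSIAM code): reduce same-named datasets from
# several child tenants to their common fields: present on every tenant with
# the same name AND the same data type, as the multi-tenant XQL rules describe.

# Constructed sample: the two "users" datasets from the text, one row per child
# tenant. Tenant names are made up; the rows stand in for the real dataset schema.
USERS_BY_TENANT = {
    "child-tenant-a": {"employee_name": "John", "employee_number": 123},
    "child-tenant-b": {"employee_name": "John", "employee_number": "123",
                       "national_ID": 123456789},
}

def infer_schema(row):
    """Map field name -> type name for one sample row (stand-in for a real schema)."""
    return {field: type(value).__name__ for field, value in row.items()}

def common_fields(datasets_by_tenant):
    """Return sorted names of fields present on every tenant with an identical type."""
    schemas = [infer_schema(row) for row in datasets_by_tenant.values()]
    if not schemas:
        return []
    names = set(schemas[0])
    for schema in schemas[1:]:
        names &= set(schema)          # drop fields that any tenant lacks
    return sorted(name for name in names
                  if len({schema[name] for schema in schemas}) == 1)  # same type everywhere

def dropped_fields(datasets_by_tenant):
    """Explain why each excluded field was left out: missing somewhere, or type mismatch."""
    schemas = {tenant: infer_schema(row) for tenant, row in datasets_by_tenant.items()}
    all_names = set().union(*schemas.values())
    kept = set(common_fields(datasets_by_tenant))
    reasons = {}
    for name in sorted(all_names - kept):
        if any(name not in schema for schema in schemas.values()):
            reasons[name] = "missing on some tenant"
        else:
            reasons[name] = "type mismatch: " + ", ".join(
                f"{tenant}={schema[name]}" for tenant, schema in schemas.items())
    return reasons

if __name__ == "__main__":
    print(common_fields(USERS_BY_TENANT))   # ['employee_name']
    print(dropped_fields(USERS_BY_TENANT))
```

Running it on the sample reproduces the behaviour in the text: only employee_name survives, employee_number is excluded because its type differs (int versus str), and national_ID is excluded because one tenant lacks it.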