Manage Compute Units Usage - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Manage and track your Compute Units usage for API, Apps, and Cold Storage XQL queries.

Cortex XSIAM uses compute units (CU) for these types of queries:

  • API Queries—When running Cortex Query Language (XQL) queries on your data sources using APIs, each XQL query API consumes CU based on the timeframe, complexity, and number of API response results.

  • Apps—The Notebooks instance consumes 1000 CU each day and BigQuery queries consume CU based on the timeframe, complexity, and number of results. Apps is charged daily at 00:00 UTC.

  • Cold Storage Queries—Cold Storage is a data retention offering for cheaper storage usually for long-term compliance needs with limited search options. You can perform queries on Cold Storage data using the dataset format cold_dataset = <dataset name>, which consumes CU according to the following calculations.

    • Amount of data queried. 1CU for querying 35GB of data.

    • Timeframe, complexity, and the number of Cold Storage response results of each XQL Cold Storage query.

    When you query Cold Storage data, the rewarmed data is saved in a temporary hot storage cache that is available for subsequent queries on the same time-range at no additional cost. The rewarmed data is available in the cache for 24 hours and on each re-query the cached data is extended for 24 hours, for up to 7 days.


    The CU consumption of cold storage queries are based on the number of days in the query time frame. For example, when querying 1 hour of a specific day, the CU of querying this entire day are consumed. When querying 1 hour that extends past 2 days, such as from 23:50 to 00:50 of the following day, the CU of querying these two days are consumed.

Cortex XSIAM provides a free daily quota of CU allocated according to your license size. Queries called without enough quota will fail. To expand your investigation capabilities, you can purchase additional CU by enabling the Compute Unit add-on.

The Compute Unit add-on provides an additional 1 compute unit per day, in addition to your free daily quota. For example, if you have allocated 5 free daily CU, with the add-on you will have a total of 6 daily compute units. The CU are refreshed every 24 hours according to UTC time. You can purchase a minimum of 50 compute units.

To gauge how many CU you require, Cortex XSIAM provides a 30-day free trial period with a total of three times your allocated CU to run XQL API and Cold Storage queries. You can then track the cost of each XQL API and Cold Storage query responses and the Compute Units Usage page. In addition, Cortex XSIAM sends a notification when the Compute Units add-on has reached your daily threshold.

To enable the add-on, select Settings ConfigurationsCortex XDR LicenseAddons tile, and select the Compute Unit tile and Enable.

To manage your CU usage for your queries,

  1. Select Settings ConfigurationsData ManagementCompute Units Usage.

  2. In the Daily Usage in Compute Units section, monitor the amount of quota units used over the past 24 hours and the amount of free daily quota allocated according to your license size and the additional amount you have purchased. The time frame is calculated according to UTC time.

    For Managed Security tenants, the values calculated are the total daily usage of parent and child tenants.

  3. In the Compute Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu, the tenant for which you want to display the information. To investigate further.

    • Hover over each bar to view the total number of query units used each day.

    • Select a bar to display in the XCompute Unit Usage table the list of queries executed on the selected day.

  4. In the Compute Units Usage table, investigate all the queries that were executed on your tenant. For Managed Security tenants, make sure you select from the MSSP Tenant Selection drop-down menu, the tenant for which you want to display the information. You can filter and sort according to the following fields.

    • ID—Unique identifier representing the executed XQL API query.

    • Timestamp

      • For XQL API: date and time of query execution.

      • For Notebooks and BQ queries: date and time the query is charged.

    • Type—Indicates the type of query performed.

    • PAPI Key ID—API Key ID used to execute XQL APIs.

    • Query—The query description.

    • Compute Unit Usage—Displays how many query units were used to execute the query .

    • Tenant—Appears only in a Managed Security tenant. Displays which tenant executed an API query or Cold Storage query.

  5. Investigate the XQL API or Cold Storage query results.

    In the Compute Units Usage table, locate an XQL API or Cold Storage query, right-click and select Show Results.

    The query is displayed on the XQL Search page where you can view the query results.XQL Search