Compute units usage - Learn more about how to compute units (CU) works according to your license and available options after reaching your quota. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-04-21
Category
Administrator Guide
Abstract

Learn more about how to compute units (CU) works according to your license and available options after reaching your quota.

Cortex XSIAM provides a free annual quota of compute units (CU) allocated according to your license size. Queries called without enough quota will fail. To expand your investigation capabilities, you can purchase additional CU by enabling the Compute Unit add-on.

The Compute Unit add-on provides an additional 1 compute unit per day for a year, in addition to your free annual quota. For example, if you have allocated 1,825 free annual CU, with the add-on you will have a total of 2,190 annual compute units. The Compute Unit add-on is calculated on an annual basis, starting from the procurement of your add-on license. The minimum purchase amount is 50 compute units.

You can configure the daily consumption limit for your compute units according to your organizational needs and change it when needed. For example, you can set a lower limit on a daily basis, and during an incident investigation you can change it to a higher limit that enables you to consume more compute units.

Your unused compute unit balance cannot be transferred from one licensing period to the next.

To gauge how many compute units you require, Cortex XSIAM provides a 30-day free trial period with 1/12 of your allocated annual CU quota to run XQL API and Cold Storage queries. You can then track the cost of each XQL API and Cold Storage query responses in the Compute Units Usage page.

Note

From Cortex XSIAM 2.5, your new annual license balance.compute units are calculated on an annual basis. The migration from the previous daily calculation is automatic and doesn't require you to take any action. During migration, only the remaining compute units of your previous daily consumption license are transferred to your new annual license balance. Your remaining compute units from the previous license plan are calculated on a pro rata basis. For example, if you have 75 days remaining in your previous daily CU license, Cortex XSIAM

Cortex XSIAM transfers 75/365 of your daily compute units for that year to

To enable the add-on, select Settings Cortex XSIAM LicenseAddons tile, and select the Compute Unit tile and Enable.

How to manage your compute unit usage for your queries

  1. Select Settings ConfigurationsData ManagementCompute Unit Usage.

  2. In Annual Usage in Compute Units, monitor the number of free compute units per license year, the number of purchased compute units per license year, and the ratio of used compute units to your yearly total compute units.

    If you have Edit permissions for Public APIs, you can customize the Daily limit to cater to your needs.

    • Divide annual quota evenly: Total annual compute units divided by 365.

    • 1% of annual quota: 1% of the total annual compute units.

    • No limit

    • Custom: Configure a daily amount that is equal to or grater than your daily average calculated over a year (annual total/365). Use only integers.

    The default daily limit is the annual quota divided evenly.

    For Managed Security tenants, the values calculated are the total usage of parent and child tenants.

  3. In Compute Units Usage , view the compute unit usage over the past 30 days or over the past 12 months. For Managed Security tenants, make sure you select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu.

    • Compute Units Usage over the Last 30 Days: Hover over each bar to view the total number of units used each day. The daily compute units are calculated at 00:00 UTC time. The red line represents your daily limit for that day. If you change the daily limit a few times on a specific day, the displayed limit is the last number you configured on that day. Select a bar to display in the Compute Unit Usage table the list of queries executed on the selected day.

    • Compute Units Usage over the Last 12 Months: Hover over each bar to view the total number of compute units used each month. The dotted gray line represents your average annual limit per month. You can use the 12 month display to plan how many compute units you need in the next licensing period.

  4. In the Compute Units Usage table, investigate all the queries that were executed on your tenant. For Managed Security tenants, make sure you select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu. You can filter and sort according to the following fields.

    • ID: Unique identifier representing the executed XQL API query.

    • Timestamp

      • For XQL API: date and time of query execution.

      • For Notebooks and BQ queries: date and time the query is charged.

    • Type: Indicates the type of query performed.

    • PAPI Key ID: API Key ID used to execute XQL APIs.

    • Query: The query description.

    • Compute Unit Usage: Displays how many query units were used to execute the query .

    • Tenant: Appears only in a Managed Security tenant. Displays which tenant executed an API query or Cold Storage query.

  5. Investigate the XQL API or Cold Storage query results.

    In the Compute Units Usage table, locate an XQL API or Cold Storage query, right-click and select Show Results.

    The query is displayed in the query field of the Query Builder where you can view the query results. For more information, see How to build XQL queries.