Administrators can set controls on running XQL queries.
You can find Query Management options under → → → . These options enable administrators to set controls on running queries.
Set query limits
Danger
Setting query limits requires View/Edit permissions for → .
Administrators can set query limits that control user-generated XQL queries within a tenant. Setting query limits helps to prevent resource strain and optimize tenant performance. You can control the following query settings:
Concurrent queries per user
Prevent system overload by setting a maximum number of concurrent queries that a user can run.
The concurrent query limit is applied per user. If a user exceeds the defined limit of concurrent queries, new queries are blocked until the number of active queries drops below the limit. The blocked user can view all of their In Progress queries from the Query Center, and cancel previous queries if required. For more information, see Edit and run queries in Query Center.
If a user is blocked, other users of the tenant can continue to run queries. By default, query limits apply to all users of the tenant, but you can exclude specific roles and groups from these limits.
The following queries count toward the concurrent query limit:
Cortex Query Language (XQL) investigation queries, including cold and hot storage, XDM templates, XDR templates, free text search, and queries from the query library.
Scheduled queries and scheduled reports.
Note
A scheduled query or report is run on behalf of the user that originally created it, even if it is edited and run by another user.
XQL widget queries in dashboards and reports.
XQL public API queries (cold and hot storage).
BIOC test queries.
Correlation rule test queries.
XQL queries run from playbook tasks.
Note
Queries run by correlation rules are not restricted by the query limit.
Very short queries do not count towards concurrent queries.
Query duration timeout
Set a timeout duration after which running queries are automatically stopped, so that long-running queries do not tie up tenant resources.
Only integer values (minutes) are supported for this field. In addition, the query timeout is approximate: a query is stopped shortly after, not exactly at, the configured duration.
Note
To ensure optimal system performance, all queries (user-generated and otherwise) adhere to a default timeout of 60 minutes that is defined by Palo Alto and takes priority over the administrator-defined value. Therefore, regardless of the value specified in this field, queries are stopped after 60 minutes.
You can override the default timeout limit by including the config max_runtime_minutes stage in your query to increase the query timeout, up to the administrator-defined value. For more information about this stage, see max_runtime_minutes.
Go to → → → .
Under Query Limits select Enabled.
Under Concurrent Queries Per User, specify the maximum number of queries a user is allowed to run concurrently. Queries exceeding this limit will be blocked.
Important considerations:
A value of 0 will prevent all queries from running.
Setting a very low or very high limit could adversely affect overall query execution speed and system resources.
Under Query Timeout specify the maximum duration (in minutes) that any query can run.
By default, the query duration timeout is 60 minutes for all queries, regardless of the value specified in this field; a query can raise its own timeout only up to the value set here, using the config max_runtime_minutes stage. For more information, see Query duration timeout above.
Under Excluded User Groups or Roles, choose specific user groups or roles that should be excluded from the query limits.
Click Save.
Changes to the query limit settings are recorded in the Management Audit Logs.
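The admission and timeout rules described above (per-user concurrent limit, excluded roles, uncounted query types, the 0 value, and the 60-minute platform default that a query's config max_runtime_minutes stage can raise up to the administrator value), modelled as an added example. This is illustrative code written for this page, not Cortex code; the QueryLimits and Query fields, the source names, and the handling of disabled limits (platform default only) are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

PLATFORM_TIMEOUT_MIN = 60  # platform default; takes priority over the admin value

@dataclass
class QueryLimits:
    """Assumed shape of the Query Limits settings described on this page."""
    enabled: bool = True
    concurrent_per_user: int = 5      # 0 blocks every counted query
    timeout_minutes: int = 60         # administrator-defined cap, in minutes
    excluded_roles: FrozenSet[str] = frozenset()

@dataclass
class Query:
    owner: str                        # user the query is attributed to; for a scheduled
                                      # query/report this is the original creator
    source: str                       # e.g. "investigation", "scheduled", "api",
                                      # "correlation_rule" (constructed labels)
    very_short: bool = False
    max_runtime_minutes: Optional[int] = None  # value of the config max_runtime_minutes stage

def counts_toward_limit(q: Query) -> bool:
    # Queries run by correlation rules and very short queries are not counted.
    return q.source != "correlation_rule" and not q.very_short

def may_start(limits: QueryLimits, q: Query, user_roles: Set[str],
              active: Iterable[Query]) -> bool:
    """Admission check: True if the query may start, False if it is blocked."""
    if not limits.enabled or not counts_toward_limit(q):
        return True
    if user_roles & limits.excluded_roles:      # excluded roles/groups bypass the limit
        return True
    if limits.concurrent_per_user == 0:         # 0 prevents all queries from running
        return False
    running = sum(1 for a in active if a.owner == q.owner and counts_toward_limit(a))
    return running < limits.concurrent_per_user  # other users are unaffected

def effective_timeout(limits: QueryLimits, q: Query) -> int:
    """Minutes after which the query is stopped (approximate in the real product)."""
    admin_cap = limits.timeout_minutes if limits.enabled else PLATFORM_TIMEOUT_MIN  # assumption
    if q.max_runtime_minutes is None:
        return min(admin_cap, PLATFORM_TIMEOUT_MIN)   # 60-minute default wins
    return min(q.max_runtime_minutes, admin_cap)      # stage may raise it, up to admin value
```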