Cortex XDR enables you to run XQL queries on your data sources using a series of APIs. To execute XQL APIs you must have:

Query quota is made up of query units that enable you to run XQL APIs. Each XQL API query entails a cost of query units calculated according to the complexity and number of search results. The query cost for each API query is displayed in the

Get Query Results

API. You can also track the query cost per XQL API search, overall usage, and remaining quota in the Cortex XDR app or by running a Get XQL Query Quota API. Cortex XDR provides a free daily quota relative to your license size for you to run XQL API queries. In the case of Managed Security, the parent quota depends solely on the children licenses.

To execute a XQL API, you need to run a series of APIs. Each API requires a response value from the previous API to continue. This allows you to track the number of XQL queries you want to run, which in turn helps you manage your daily quota. Queries called without enough quota will fail. To ensure you don’t surpass your quota, Cortex XDR allows you to run up to four API queries in parallel.

Run the following APIs to call an XQL query: