Dataset Management

The Dataset Management page enables you to manage your datasets and understand your data ingestion rates and storage availability.
This feature requires a Cortex® XDR™ Pro license.
The Dataset Management page enables you to manage your datasets and understand your data storage availability. The top part of the screen details your Storage License Details for the Cortex XDR Pro licenses and Cortex Pro per RTN retention licenses. In addition, a storage bar with the usage information for all datasets is displayed. The bottom half of the screen lists your Datasets in a table format.
Before the Cortex XDR ingestion and storage enforcements are applied based on your licensing agreement, you will be notified in advance of these changes and their implementation timeline.
For each dataset listed in the table, the following information is available.
Some fields are shown by default and others are hidden. An asterisk (*) marks every field that is shown by default.

*DATASET NAME
Name of the dataset. Only English alphabetical characters (a-z, A-Z) are supported; numbers (0-9) and underscores (_) are supported, but not as the first character of the name.

*TYPE
The type of dataset, based on the method used to upload the data.
  • Correlation: A dataset containing data saved from a Correlation Rule.
  • Lookup: Two possible scenarios.
    • Uploaded through the user interface.
    • Saved by a query using the target command, in which case the Type can be either User or Lookup. See the entry for target in the XQL Language Reference for details.
  • Raw: Every dataset where PANW data is ingested out-of-the-box or third-party data is ingested via a configured dedicated collector.
  • Snapshot: A dataset that contains only the last successful snapshot of the data, such as Workday or ServiceNow CMDB tables.
  • System: Cortex XDR datasets that are created out-of-the-box.
  • User: Saved by a query using the target command, in which case the Type can be either User or Lookup. See the entry for target in the XQL Language Reference for details.

*TOTAL DAYS STORED
The actual number of days that the data is stored in the XDR data lake.

*TOTAL SIZE STORED
The actual size of the data that is stored in the XDR data lake. For the xdr_data dataset, where the first 30 days of storage are included with your license, the first 30 days are not included in the TOTAL SIZE STORED number.

*AVERAGE DAILY SIZE
The average daily amount stored in the XDR data lake.

*TOTAL EVENTS
The total number of events/logs that are stored in the XDR data lake.

*AVERAGE EVENT SIZE
The average size of a single event in the dataset (TOTAL SIZE STORED divided by TOTAL EVENTS).

FIRST STORED DATE
The first time that Cortex XDR started to store data in this dataset.

*LAST STORED DATE
The last time that Cortex XDR started to store data in this dataset.

DEFAULT QUERY TARGET
Indicates whether the dataset is configured as your default query target in XQL Search, so that you do not need to specify a dataset when writing your queries. By default, only the xdr_data dataset is configured as the DEFAULT QUERY TARGET and this field is set to Yes. All other datasets have this field set to No. When multiple default datasets are set, your query does not need to mention any of the dataset names, and Cortex XDR queries the default datasets using a join.
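As an added example (not code from the Cortex XDR documentation or the product itself), the following Python checks the DATASET NAME rule described above and computes the stored-size metrics from constructed per-day records. The DayRecord shape, the free_days parameter and the interpretation that the first 30 days of xdr_data are dropped from TOTAL SIZE STORED but still count toward TOTAL DAYS STORED and TOTAL EVENTS are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# DATASET NAME rule from the page: English letters (a-z, A-Z) anywhere;
# digits (0-9) and underscores (_) are allowed, but not as the first character.
DATASET_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def is_valid_dataset_name(name: str) -> bool:
    """Return True if `name` satisfies the naming rule above."""
    return DATASET_NAME_RE.fullmatch(name) is not None


@dataclass
class DayRecord:
    """One day of storage for one dataset (constructed record shape, not a product API)."""
    dataset: str
    day: int          # days since FIRST STORED DATE, 0-based
    size_bytes: int   # bytes stored for that day
    events: int       # events/logs stored for that day


def summarize(records: Iterable[DayRecord], dataset: str,
              free_days: int = 0) -> Optional[Dict[str, float]]:
    """Compute the table's stored metrics for one dataset.

    free_days is an assumed model of the page's note that the first 30 days of
    xdr_data are included with the license: those days are excluded from
    TOTAL SIZE STORED but still count toward TOTAL DAYS STORED and TOTAL EVENTS.
    """
    rows = [r for r in records if r.dataset == dataset]
    if not rows:
        return None
    total_days = len({r.day for r in rows})
    total_size = sum(r.size_bytes for r in rows if r.day >= free_days)
    all_size = sum(r.size_bytes for r in rows)
    total_events = sum(r.events for r in rows)
    return {
        "TOTAL DAYS STORED": total_days,
        "TOTAL SIZE STORED": total_size,
        # Assumed: the daily average is taken over every stored day, before the exclusion.
        "AVERAGE DAILY SIZE": all_size / total_days,
        "TOTAL EVENTS": total_events,
        # Per the page: TOTAL SIZE STORED divided by TOTAL EVENTS.
        "AVERAGE EVENT SIZE": total_size / total_events if total_events else 0.0,
    }


# Constructed sample data: 35 days of xdr_data at 100 bytes / 10 events per day,
# plus a two-day user lookup dataset.
SAMPLE_RECORDS = [DayRecord("xdr_data", d, 100, 10) for d in range(35)] + [
    DayRecord("my_lookup", 0, 50, 5),
    DayRecord("my_lookup", 1, 70, 5),
]


if __name__ == "__main__":
    for name in ["xdr_data", "my_lookup", "_private", "1st_try", "host-inventory"]:
        print(f"{name!r:18} valid={is_valid_dataset_name(name)}")
    print(summarize(SAMPLE_RECORDS, "xdr_data", free_days=30))
    print(summarize(SAMPLE_RECORDS, "my_lookup"))
```

With the sample data, xdr_data reports 35 days stored but only the last 5 days (500 bytes) in TOTAL SIZE STORED, which is why its AVERAGE EVENT SIZE comes out far below the per-day figures; the lookup dataset, with no excluded days, reports the straightforward 120 bytes over 10 events.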
The datasets endpoints and host_inventory include dataset permission enforcements in the Cortex XDR Query Language (XQL), Query Center, and XQL Widgets. To view or access any of these datasets, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views. For more information on RBAC, see Manage User Roles. Managed Security Services Provider (MSSP) administration permissions are not enforced on child tenants, but only on the MSSP tenant.