Manage XQL APIs

Manage and track your XQL API queries.
Cortex XDR enables you to run XQL queries on your data sources through its APIs. Each XQL API query consumes compute units based on the time frame it covers, the complexity of the query, and the number of results returned in the API response. Cortex XDR provides a free daily quota of compute units allocated according to your license size. A query called when the remaining quota is insufficient fails. To expand your investigation capabilities, you can purchase additional compute units by enabling the Compute Unit add-on.
The Compute Unit add-on provides 1 additional compute unit per day on top of your free daily quota. For example, if your license allocates 5 free daily compute units, with the add-on you have a total of 6 daily compute units. Compute units are refreshed every 24 hours according to UTC time. You can purchase a minimum of 50 compute units.
To gauge how many compute units you require, Cortex XDR provides a 30-day free trial period with a total of three times your allocated compute units, during which you can run XQL API queries and track the cost of each query in its API response and on the XQL API Usage page. In addition, Cortex XDR sends a notification when usage of the Compute Unit add-on has reached your daily threshold.
To enable the add-on, navigate to Configurations > Cortex XDR License > Addons, select the Compute Unit tile, and select Enable.
To manage your XQL API queries:
  1. Navigate to Configurations > Data Management > XQL API Usage.
  2. In the Daily Usage in Compute Units section, monitor the number of compute units used over the past 24 hours against the free daily quota allocated according to your license size. The time frame is calculated according to UTC time.
    For Managed Security tenants, the values shown are the combined daily usage of the parent tenant and its child tenants.
  3. In the Compute Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu. To investigate further:
    • Hover over a bar to view the total number of compute units used on that day.
    • Select a bar to list the queries executed on that day in the XQL Queries Using API table.
  4. In the XQL Queries Using API table, investigate all the XQL API queries that were executed on your tenant. For Managed Security tenants, select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu. You can filter and sort according to the following fields:
    • ID—Unique identifier of the executed XQL API query.
    • Timestamp—Date and time at which the XQL API query was executed.
    • PAPI Key ID—ID of the API key used to execute the XQL API query. Filtering on this field shows which key, and therefore which integration or user, is consuming the quota.
    • XQL Query—The XQL query that was called through the API.
    • Compute Unit Usage—Number of compute units used to execute the API query.
    • Tenant—Appears only in a Managed Security tenant. The tenant that executed the API query.
  5. Investigate the XQL API query results.
    In the XQL Queries Using API table, locate an XQL API query, right-click it, and select Show Results.
    The query opens in the XQL Search page, where you can view its results.
