Cortex XDR enables you to run XQL Queries on your data
sources using APIs. Each XQL query API consumes compute units based
on the timeframe, complexity, and the number of API response results.
Cortex XDR provides a free daily quota of compute units allocated
according to your license size. Queries called without enough quota
will fail. To expand your investigation capabilities, you can purchase
additional compute units by enabling the Compute Unit add-on.
The Compute Unit add-on provides an additional 1 compute unit per day,
in addition to your free daily quota. For example, if you have allocated
5 free daily compute units, with the add-on you will have a total
of 6 daily compute units. The compute units are refreshed every
24 hours according to UTC time. You can purchase a minimum of 50
To gauge how many compute units you require,
Cortex XDR provides a 30-day free trial period with a total of three
times your allocated compute units to run XQL API queries and track
the cost of each XQL API query responses
and the XQL API Usage page. In addition, Cortex XDR sends a notification
when the Compute Units add-on has reached your daily threshold.
To enable the add-on, navigate to
Cortex XDR License
tile, select the
manage your XQL API queries:
XQL API Usage
Daily Usage in Compute Units
monitor the amount of quota units used over the past 24 hours and
the amount of free daily quota allocated according to your license
size. The time frame is calculated according to UTC time.
For Managed Security tenants, the values calculated are
the total daily usage of parent and child tenants.
Compute Units over last 30 Days
to track your quota usage over the past 30 days. The red line represents
your daily license quota. For Managed Security tenants, make sure
you select from the
MSSP Tenant Selection
menu, the tenant for which you want to display the information.
To investigate further:
Hover over each bar to view the total number
of query units used on each day.
Select a bar to display in the
table the list of queries executed on the
XQL Queries Using API
investigate all the XQL API queries that were executed on your tenant.
For Managed Security tenants, make sure you select from the
drop-down menu, the tenant for which
you want to display the information. You can filter and sort according
to the following fields:
—Unique identifier representing
the executed XQL API query.
—Date and time of when the
XQL API was executed.
PAPI Key ID
—API Key ID used to execute
the XQL API.
—The XQL query called using
an API search.
Compute Unit Usage
—Displays how many
query units were used to execute the API query.
—Appears only in a Managed Security
tenant. Displays which tenant executed an API query.
Investigate the XQL API query results.
XQL Queries Using API
locate an XQL API query, right-click and select
The query is displayed in the XQL Search page
where you can view the query results.