Manage XQL APIs

To expand your investigation capabilities, Cortex XDR enables you to run XQL Queries on your data sources using APIs. In the Cortex XDR app, you can track your daily query unit usage and view the API query details.
  1. Navigate to Configurations > Data Management > XQL API Usage.
  2. In the Daily Usage in Query Units section, monitor the amount of quota units used over the past 24 hours and the amount of free daily quota allocated according to your license size. Time frame is calculated according to UTC time.
    For Managed Security tenants, the values calculated are the total daily usage of parent and child tenants.
  3. In the Query Units over last 30 Days section, track your quota usage over the past 30 days. The red line represents your daily license quota. For Managed Security tenants, make sure you select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu. To investigate further:
    • Hover over each bar to view the total number of query units used on each day.
    • Select a bar to display the list of queries executed on the selected day in the XQL Queries Using API table.
  4. In the XQL Queries Using API table, investigate all the XQL API queries that were executed on your tenant. For Managed Security tenants, make sure you select the tenant for which you want to display the information from the MSSP Tenant Selection drop-down menu. You can filter and sort according to the following fields:
    • ID—Unique identifier representing the executed XQL API query.
    • Timestamp—Date and time when the XQL API was executed.
    • PAPI Key ID—API Key ID used to execute the XQL API.
    • XQL Query—The XQL query called using an API search.
    • Query Unit Usage—Displays how many query units were used to execute the API query.
    • Tenant—Appears only in a Managed Security tenant. Displays which tenant executed an API query.
  5. Investigate the XQL API query results.
    In the XQL Queries Using API table, locate an XQL API query, right-click and select Show Results.
    The query is displayed in the XQL Search page where you can view the query results.
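
The review in steps 2 to 4 can also be repeated offline to see which API key drove usage on a day that exceeded the quota. The following is an added example, not Cortex XDR code or a documented export format: it assumes the XQL Queries Using API rows were saved as CSV with the column names listed above and ISO 8601 timestamps, and the sample rows and quota value are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows. Column names follow the field list above; the CSV
# layout and ISO 8601 timestamps are assumptions, not a documented export.
SAMPLE_CSV = """ID,Timestamp,PAPI Key ID,XQL Query,Query Unit Usage,Tenant
q-001,2024-05-01T22:30:00-03:00,7,dataset = xdr_data | limit 10,0.4,parent
q-002,2024-05-02T00:15:00+00:00,7,dataset = xdr_data | fields agent_hostname,2.1,child-a
q-003,2024-05-02T09:00:00+00:00,12,dataset = xdr_data | limit 1000,3.2,child-b
q-004,2024-05-03T00:10:00+00:00,12,dataset = xdr_data | limit 5,0.2,parent
q-005,2024-05-03T01:00:00+02:00,7,dataset = xdr_data | limit 1,0.1,child-a
"""

DAILY_QUOTA = 5.0  # constructed value; the real quota depends on license size


def load_rows(text):
    """Parse rows and normalize each timestamp to its UTC calendar day."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(rec["Timestamp"]).astimezone(timezone.utc)
        rows.append({"day": ts.date().isoformat(), "key_id": rec["PAPI Key ID"],
                     "tenant": rec["Tenant"],
                     "units": float(rec["Query Unit Usage"])})
    return rows


def usage_by(rows, *fields):
    """Sum query units grouped by the given fields, e.g. ("day", "key_id")."""
    totals = defaultdict(float)
    for r in rows:
        totals[tuple(r[f] for f in fields)] += r["units"]
    return {k: round(v, 6) for k, v in totals.items()}


def days_over_quota(rows, quota):
    """UTC days whose total (parent and child tenants together) exceeds quota."""
    return sorted(d for (d,), u in usage_by(rows, "day").items() if u > quota)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    by_key = usage_by(rows, "day", "key_id")
    for day in days_over_quota(rows, DAILY_QUOTA):
        per_key = {k: u for (d, k), u in by_key.items() if d == day}
        print(day, "over quota; query units per PAPI Key ID:", per_key)
```

Bucketing by UTC calendar day is an assumption about how the 30-day chart groups usage; rows q-001 and q-005 show why local timestamps must be converted before summing.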
