and execute an XQL Search query to search
across the data of a child tenant.
When running an XQL Search, you can execute XQL queries across a
single child tenant or up to 100 child tenants simultaneously.
For XQL queries on a single child tenant, Cortex XDR provides the
parent tenant with autocompletion and validation capabilities for
all datasets available on the child tenant.
XQL queries on multiple child tenants simultaneously:
and validation are only supported on Cortex XDR datasets. For example,
on EDR data, Cortex XDR Alerts, and Palo Alto Networks next-generation
Queries are executed on each child tenant separately and
return up to 1,000,000 results split across the selected tenants.
For example, an XQL query on 10 tenants returns a maximum of 100,000
the Query Builder to build and execute an entity-specific query
across the data of a child tenant. You can run either an ad-hoc
query or a scheduled query
on one or more child tenants. For each query, Cortex XDR returns
up to 100,000,000 results across all selected tenants.
the Query Center to view previously run XQL searches and entity
queries run on your tenant and the child tenants.