Investigate Child Tenant Data

For managed security providers, Cortex XDR managed security lets you view, track, and investigate data across your Cortex XDR child tenants from the parent tenant.
By default, Cortex XDR displays data for your own tenant. To display data for one or more of your child tenants, select those tenants from the tenant drop-down.
Some common tasks that you might perform include:
  • Investigate Incidents on a child tenant.
  • Investigate Alerts on a child tenant.
  • Build and execute an XQL Search query to search across the data of a child tenant.
    When running an XQL Search, you can execute XQL queries across a single child tenant or up to 100 child tenants simultaneously.
    • For XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.
    • When executing XQL queries on multiple child tenants simultaneously:
      • Autocomplete and validation are supported only on Cortex XDR datasets, for example EDR data, Cortex XDR alerts, and Palo Alto Networks next-generation firewall logs.
      • Queries are executed on each child tenant separately and return up to 1,000,000 results split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.
    • Run an XQL query through the API on your local tenant and your child tenants.
  • Use the Query Builder to build and execute an entity-specific query across the data of a child tenant. You can run either an ad hoc query or a scheduled query on one or more child tenants. For each query, Cortex XDR returns up to 100,000,000 results across all selected tenants.
  • Use the Query Center to view previously run XQL searches and entity queries run on your tenant and the child tenants.
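The XQL limits above (at most 100 child tenants per search, and a 1,000,000-result cap split across the selected tenants) are the constraints a script calling the XQL API has to respect. The Python client below is an added example; it is not code from this documentation page or from Palo Alto Networks. It assumes the public API paths `/public_api/v1/xql/start_xql_query/` and `/public_api/v1/xql/get_query_results/`, a standard API key sent in the `x-xdr-auth-id` and `Authorization` headers, a `tenants` list inside `request_data` for selecting child tenants, and the reply shapes noted in the comments; all of these are assumptions to verify against the API reference for your tenant. The HTTP transport is injectable so the batching and polling logic can be exercised offline.

```python
# Cross-tenant XQL queries through the Cortex XDR public API (added example).
# Assumed and to be verified: endpoint paths, standard API key headers, the
# "tenants" key in request_data, and the reply shapes noted below.
import json
import os
import time
import urllib.request
from typing import Any, Callable, Dict, List

MAX_TENANTS_PER_QUERY = 100        # documented: up to 100 child tenants per XQL search
MAX_RESULTS_PER_QUERY = 1_000_000  # documented: result cap, split across selected tenants

# A transport takes (url, headers, JSON body bytes) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


def per_tenant_result_cap(num_tenants: int) -> int:
    """Rows one tenant can return when the cap is split evenly (10 tenants -> 100,000)."""
    if num_tenants < 1:
        raise ValueError("need at least one tenant")
    return MAX_RESULTS_PER_QUERY // num_tenants


def batch_tenants(tenant_ids: List[str]) -> List[List[str]]:
    """Drop duplicate IDs (order preserved) and split into batches of at most 100."""
    unique = list(dict.fromkeys(tenant_ids))
    return [unique[i:i + MAX_TENANTS_PER_QUERY]
            for i in range(0, len(unique), MAX_TENANTS_PER_QUERY)]


def build_start_request(query: str, tenant_ids: List[str], timeframe_ms: int) -> Dict[str, Any]:
    """Body for start_xql_query; the "tenants" key is an assumed part of the schema."""
    if not 1 <= len(tenant_ids) <= MAX_TENANTS_PER_QUERY:
        raise ValueError(f"select between 1 and {MAX_TENANTS_PER_QUERY} tenants per query")
    return {"request_data": {"query": query,
                             "tenants": list(tenant_ids),
                             "timeframe": {"relativeTime": timeframe_ms}}}


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Default transport: HTTPS POST with the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


class XqlClient:
    def __init__(self, api_fqdn: str, api_key_id: str, api_key: str,
                 transport: Transport = urllib_transport) -> None:
        # Standard API key auth (assumed): key ID in x-xdr-auth-id, key in Authorization.
        self.base = f"https://{api_fqdn}/public_api/v1/xql"
        self.headers = {"x-xdr-auth-id": api_key_id,
                        "Authorization": api_key,
                        "Content-Type": "application/json"}
        self.transport = transport

    def _post(self, endpoint: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        return self.transport(f"{self.base}/{endpoint}/", self.headers,
                              json.dumps(payload).encode("utf-8"))

    def _wait(self, query_id: str, poll_interval: float, max_polls: int) -> List[Dict[str, Any]]:
        # Assumed reply: {"reply": {"status": "PENDING"|"SUCCESS"|..., "results": {"data": [...]}}}
        body = {"request_data": {"query_id": query_id, "pending_flag": True, "format": "json"}}
        for _ in range(max_polls):
            reply = self._post("get_query_results", body)["reply"]
            status = reply.get("status")
            if status == "SUCCESS":
                return reply.get("results", {}).get("data", [])
            if status != "PENDING":
                raise RuntimeError(f"query {query_id} ended with status {status!r}")
            time.sleep(poll_interval)
        raise TimeoutError(f"query {query_id} still pending after {max_polls} polls")

    def run(self, query: str, tenant_ids: List[str], timeframe_ms: int = 24 * 3600 * 1000,
            poll_interval: float = 2.0, max_polls: int = 60) -> Dict[str, Any]:
        """Run the query over all tenants, 100 per API call; return query IDs and rows."""
        query_ids, rows = [], []
        for batch in batch_tenants(tenant_ids):
            # Assumed reply: {"reply": "<execution id>"}
            query_id = self._post("start_xql_query",
                                  build_start_request(query, batch, timeframe_ms))["reply"]
            query_ids.append(query_id)
            rows.extend(self._wait(query_id, poll_interval, max_polls))
        return {"query_ids": query_ids, "rows": rows}


if __name__ == "__main__":
    # Credentials come from the environment, never from source control.
    client = XqlClient(os.environ["XDR_API_FQDN"], os.environ["XDR_API_KEY_ID"],
                       os.environ["XDR_API_KEY"])
    tenants = os.environ["XDR_CHILD_TENANTS"].split(",")  # comma-separated child tenant IDs
    result = client.run("dataset = xdr_data | fields agent_hostname | limit 10", tenants)
    print(len(result["rows"]), "rows from", len(result["query_ids"]), "queries")
```

Because each batch of tenants is one query, the per-tenant share of the 1,000,000-result cap depends on how many tenants you put in a batch; `per_tenant_result_cap` makes that share explicit so a hunt expecting more rows per tenant than the split allows can be narrowed with a tighter filter or a smaller batch.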
