Federated Search configuration - Configure Federated Search to create external datasets for querying distributed data sources - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

1. Navigate to IAM (Access Management) → Policies → Create Policy and select S3.

2. In Actions Allowed, select Effect → Allow.

3. In List, select ListBucket.

4. In Read, select GetObject.

5. In Resources, click ARN and fill your bucket name for both Bucket and Object. For Object, use and asterisk (*) and select Any object name.

6. Check the details and click Next.

7. Click Create Policy.

1. Navigate to IAM → Roles → Create Role.

2. In the Trusted entity type page, select Web identity.

3. In the Web identity page, under Identity provider, select Google, and under Audience, type 00000, and click Next.

   This will later be replaced by the identity created by Cortex XSIAM.

4. Select your policy and click Next.

5. Type a name for your role and select Create Role.

1. In the Federated Search wizard, type the Role ARN from AWS.

2. Specify the bucket region. Supported regions are us-east-1, us-west-2, ap-northeast-2, ap-southeast-2, eu-west-1, eu-central-1.

3. Click Generate to create a new Identity for this connection and copy the generated Identity.

   This is the identity provided by Cortex XSIAM to create a trust relationship with AWS.

4. In the AWS IAM console, add a trust relationship by adding the identity you generated above to the role and set a maximum session duration.

   1. In AWS IAM, select Roles.

   2. Select the role you created.

   3. Click Edit and set Maximum session duration to 12 hours.

      This configures the length of time the session lasts before requiring re-authentication.

   4. Click Save changes.

   5. Select Trust Relationships and click Edit policy.

   6. Replace the value of accounts.google.com:aud with the identity you generated above. You can also replace the policy content with the provided code snippet.

   7. Click Update policy.

1. In the Federated Search wizard, type a meaningful dataset name and add an optional description. External dataset names must always begin with external_.

2. In S3 URI, enter the Amazon S3 path of the partition directory using the S3 format. To find the path, in the AWS bucket click the directory to display Object overview and copy the S3 URI. The path can only include letters, digits, and the symbols "-","_","=",".". For example, s3://bucket-name/table-name/. Don't use wildcards.

   Your partitioned data must follow the Hive partitioning format, which uses key-value pairs. In your directory, name your partitions in the yyyy-mm-dd format, for example ds=2025-10-07. This creates external datasets based on your partitioned data source paths.

   When you filter a query using the Query Builder Time frame selection, the query uses the dates in the partition.

3. Specify the format. For correct deduction of the schema, you must provide the correct file format. Federated Search supports CSV, Parquet, and JSONL files. For optimal results, we recommend using Parquet format with explicit schema definition.

1. Specify the bucket region. Federated Search supports the following regions: africa-south1, asia-east1, asia-east2, asia-northeast1, asia-northeast2, asia-northeast3, asia-south1, asia-south2, asia-southeast1, asia-southeast2, australia-southeast1, australia-southeast2, europe-central2, europe-north1, europe-north2, europe-southwest1, europe-west1, europe-west10, europe-west12, europe-west2, europe-west3, europe-west4, europe-west6, europe-west8, europe-west9, me-central1, me-central2, me-west1, northamerica-northeast1, northamerica-northeast2, northamerica-south1, southamerica-east1, southamerica-west1, us-central1, us-east1, us-east4, us-east5, us-south1, us-west1, us-west2, us-west3, us-west4

   Note

   You can only configure regions that are in the multi-region of your tenant.

2. Click Generate to create a new Identity for this connection and copy the generated Identity.

   This is the service account that will allow read access to the GCS bucket.

3. Grant access to the connection.

   1. In the GCS project, navigate to IAM.

   2. In Allow → View by principals, click Grant access.

   3. Under New principles, paste the Identity you generated in the Federated Search wizard.

   4. Under Assign roles, select the role Storage Object Viewer.

   5. Click Save.

Configure the dataset.

1. In the Federated Search wizard, type a meaningful dataset name and add an optional description. External dataset names must always begin with external_.

2. In GS URI, specify the partition directory. For example, s3://bucket-name/table-name/. Don't use wildcards.

   Your partitioned data must follow the Hive partitioning format, which uses key-value pairs. In your directory, name your partitions in the yyyy-mm-dd format, for example ds=2025-10-07. This creates external datasets based on your partitioned data source paths

   When you filter a query using the Query Builder Time frame selection, the query uses the dates in the partition.

3. Specify the format. For correct deduction of the schema, you must provide the correct file format. Federated Search supports CSV, Parquet, and JSONL files. For optimal results, we recommend using Parquet format with explicit schema definition.

1. In your Azure tenant, navigate to All Services → App registrations, and click New registration.

2. Fill the following fields as below:

   • Name: Type a name

   • Supported account types: Accounts in this organizational directory only

   • Redirect URI: Leave blank for now.

3. Click Register.

1. In the Federated Search wizard, paste the following values from Azure: Directory ID, Application ID, Object ID.

2. Specify the blob region. Federated Search supports only eastus2.

   Note

   You can only configure regions that are in the multi-region of your tenant.

3. Click Generate to create a new Identity for this connection and copy the generated Identity.

   This is the identity used to establish the trust with Azure Storage.

1. In your Azure tenant, under All services → App registrations, select your application and click Add a certificate or secret.

2. Select Federated credentials and click Add credential.

3. In the Add a credential page, fill in the following values:

   • Federated credential scenario: Other issuer

   • Issuer: https://accounts.google.com

   • Type: Explicit subject identifier

   • Value: Identity you generated above in the Federated Search wizard.

4. Type a name and description, and click Add.

1. In Azure → Storage accounts, select your blob.

2. Select the container and in the left menu click Access Control (IAM).

3. Under Check Access, click Add role assignment.

4. In Role → Job function roles, select Storage Blob Data Reader and click Next.

5. For the Assign access to field, select User, group, or service principal.

6. Click Select members, search for the name of your app registration. Select the app registration and click Select.

7. Click Review + assign to finalize.

1. In the Federated Search wizard, type a meaningful dataset name and add an optional description. External dataset names must always begin with external_.

2. In Container URL, specify the partition directory. For example, s3://bucket-name/table-name/. Don't use wildcards.

   Your partitioned data must follow the Hive partitioning format, which uses key-value pairs. Name your partitions in the yyyy-mm-dd format, for example ds=2025-10-07. This creates external datasets based on your partitioned data source paths.

   When you filter a query using the Query Builder Time frame selection, the query uses the dates in the partition.

3. Specify the format. For correct deduction of the schema, you must provide the correct file format. Federated Search supports CSV, Parquet, and JSONL files. For optimal results, we recommend using Parquet format with explicit schema definition.