Unified, cost-effective data querying against distributed, non-ingested data sources
Note
Federated Search is a Beta feature and is still subject to change. To enable the feature in your tenant, contact your Customer Support Team.
Federated Search is a query mechanism designed to provide unified access to distributed data sources without requiring pre-ingestion or centralization. This capability enables you to query data in place, significantly reducing the complexity and operational costs associated with the ingestion process and long-term data retention.
Modern enterprises store massive volumes of data across multiple cloud providers and hybrid environments. Centralized data ingestion and warehousing may be insufficient or expensive for cold or regulatory-mandated data. Federated Search allows you to:
Decouple data management from data analytics for cost optimization.
Maintain cost-effective long-term data storage.
Perform on-demand incident response or compliance audits against existing long-term storage solutions without the overhead of ingestion.
The main use cases for Federated Search include:
Incident Investigation: Querying events that occurred a long time ago, where the data might not have been ingested into Cortex XSIAM.
Compliance audits: Accessing historical data needed for audits without the need for extensive ingestion.
Long-term data storage: Providing an integrated solution for retaining data for many years.
Data linking: Joining external datasets with ingested datasets for comprehensive and unified data analysis.
You can keep non-critical, high-volume data types in their native storage locations while preserving the ability to query this data using XQL (Extended Query Language). This ensures that visibility is gained into a broader spectrum of data while maintaining the core value proposition of deep analytics on ingested data.