Query using Federated Search - Query distributed data sources using external datasets and join with ingested data. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

To query using Federated search, navigate to Incident Response → Investigation → Query Builder and select XQL.

You can build queries across external datasets and ingested datasets, giving you a powerful tool.

In its current version, Federated Search enables only ad-hoc queries via the query builder. You can search, filter and use JOIN operations.