Install the Server with Elasticsearch - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-09-05
End_of_Life
EoL
Category
Administrator Guide
Abstract

Install Cortex XSOAR with Elasticsearch as the database. Prerequisites and instructions for installing a new Cortex XSOAR environment with Elasticsearch.

Verify the following information and requirements before you install Cortex XSOAR with Elasticsearch.

Elasticsearch is a distributed, open source search and analytics engine for all types of data. It enables processing and storing large amounts of data. In Cortex XSOAR v6.1 and later, if you are using Elasticsearch as your database, all objects are stored in Elasticsearch.

Note

Working with Elasticsearch for only indicators or audit logs is no longer supported.

The following diagram depicts a Cortex XSOAR environment with Elasticsearch.

xsoar-elasticsearch-install.png

The following provides instructions for installing a new Cortex XSOAR environment with Elasticsearch.

Note

It is recommended to install the Elasticsearch Monitoring content pack from the Marketplace to monitor Elasticsearch. After installation, add the Elasticsearch Monitoring dashboard, which includes various widgets to monitor Elasticsearch cluster status and track statistics.

  1. Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command.

    wget -O demisto.sh “<downloadLink>

    Note

    When you receive a link to download, ensure that the downloadLink link refers to https://download.demisto.com and not https://download.demisto.works.

    For example, wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept”

    To download the latest vendor affirmed FIPS version, append &downloadName=fips. For example, wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips”

  2. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.

    For example, you can use the rpm --import public.key command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.

  3. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the makeself package by running the yum install makeself command.

  4. Run the chmod +x demistoserver-xxxx.sh command to convert the .sh file to an executable file.

  5. To install the app server with Elasticsearch, run one of the following commands:

    • If using username and password authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>

    • If using API key authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-api-key=<the elasticsearch API key>

    Flag

    Type

    Description

    -elasticsearch-url

    String

    Elasticsearch URL addresses (comma-separated). For example, http://test1:9200,http://test2:9200

    -elasticsearch-api-key

    String

    The Elasticsearch API key, which should be used in licensed versions.

    Note: If you use this flag, you do not need to use the -elasticsearch-username and -elasticsearch-password flags.

    -elasticsearch-username

    String

    The Elasticsearch username. This flag is used with the -elasticsearch-password flag.

    Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.

    -elasticsearch-password

    String

    The Elasticsearch password. This flag is used with the -elasticsearch-username flag.

    Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.

    -elasticsearch-proxy=

    Boolean

    Whether to use a proxy when communicating with Elasticsearch. Can be true or false. Default is false.

    -elasticsearch-insecure=

    Boolean

    Whether to trust any certificate when communicating with Elasticsearch. Can be true or false. Default is false.

    -elasticsearch-timeout

    Integer

    The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds.

    -elasticsearch-prefix

    String

    Defines the unique prefix a Cortex XSOAR server uses when naming the Elasticsearch indices it creates

  6. Accept the EULA and add the information when prompted.

  7. (Optional) After the installation has completed, do the following:

    1. Confirm that the Cortex XSOAR server status is active, by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm that the Docker service status is active, by running the systemctl status docker command.

    3. In a web browser, go to the https://serverURL:port to verify that Cortex XSOAR was successfully installed.

      When you open Cortex XSOAR for the first time you need to add the license.