Installation Overview - Installation Guide - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Installation Guide

Product
Cortex XSOAR
Version
6.11
Creation date
2022-12-12
Last date published
2024-03-20
Category
Installation Guide
Abstract

Overview of installation process for Cortex XSOAR, including single server, multi-tenant, BoltDB, Elasticsearch, and Elasticsearch with high availability.

This document provides instructions and information for installing Cortex XSOAR.

Before installing, review the following and determine the type of installation to perform based on your requirements:

  • Deployment

    • Single server deployments are designed for small and mid-sized customers and provide an all-in-one Cortex XSOAR experience.

    • Multi-tenant deployments are designed for MSSPs (managed security service providers) and enterprises that require strict data segregation, but also need the flexibility to share and manage critical security practices across tenant accounts.

  • Database

    Select the database based on your predicted data usage.

    • For the Bolt database, we recommend a limit of 1 million indicators for the development environment and 5-7 million indicators for the production environment. If you will exceed this limit, we recommend using Elasticsearch.

    • If you have a High Availability deployment requirement, you must use Elasticsearch.

The following summarizes the key differences between the Cortex XSOAR installation architectures. Links to additional information for each architecture are listed under Additional Information at the end of the comparison.

Architecture diagrams (images not reproduced here): architecture-standalone.png (Standalone), architecture-mt.png (Multi-Tenant), architecture-ha.png (High Availability).

Audience

  • Standalone: Small and mid-sized customers.

  • Multi-Tenant: Managed Security Service Providers (MSSPs) or similar.

  • High Availability: Customers that require high availability.

Benefits

  • Standalone: Provides an all-in-one Cortex XSOAR experience.

  • Multi-Tenant: Segregation of data per tenant combined with central management.

  • High Availability: Maximized availability.

Database

  • Standalone: Bolt database or Elasticsearch.

  • Multi-Tenant: Bolt database or Elasticsearch.

  • High Availability: Elasticsearch.

Operating System (same for all three architectures)

  • RedHat

  • CentOS

  • Ubuntu

  • Oracle Linux

Requirements

  • Standalone: One server with 16 CPU, 32 GB RAM, and 1 TB SSD storage.

  • Multi-Tenant: Main server and each tenant server with 16 CPU, 32 GB RAM, and 1 TB SSD storage.

  • High Availability: Each app server with 16 CPU, 32 GB RAM, and 500 GB SSD with a minimum of 3k dedicated IOPS, plus a 3-node Elasticsearch cluster.

Limitations

  • Standalone: Recommendation for the Bolt database: 1 million indicators for the development environment and 5-7 million indicators for the production environment. If you will have more indicators, we recommend using Elasticsearch.

  • Multi-Tenant: Same Bolt database recommendation as Standalone (1 million indicators for development, 5-7 million for production; use Elasticsearch above that).

  • High Availability:

    • Remote repositories are not supported in Dev environments.

    • Cannot be configured with the Bolt database, only with Elasticsearch.

    • Requires a shared file system for storing artifacts.

Performance

  • Standalone: Bolt database - 1,384 incidents per hour; Elasticsearch - 1,679 incidents per hour.

  • Multi-Tenant: Not specified.

  • High Availability: 5,686 incidents per hour (based on 4 app servers).

Additional Information

  • Standalone: Single Server Installation Overview

  • Multi-Tenant: Multi-Tenant Installation Overview

  • High Availability: High Availability Overview

After you determine the type of installation that is required, review the applicable content in the following sections for additional information and instructions.