Single Server Installation Overview

Cortex XSOAR Installation Guide

Product
Cortex XSOAR
Version
6.11
Creation date
2022-12-12
Last date published
2024-03-20
Category
Installation Guide
Abstract

Single server deployment overview with Bolt database, with Elasticsearch database, and with high availability.

In a single-server installation, Cortex XSOAR and its database are installed on a single computer. Review the following single server deployment descriptions to determine which deployment is best for you.

Installation with the Bolt Database

When installing Cortex XSOAR with the Bolt database, the app server and database are installed on the same machine.

Before beginning your installation with the Bolt database, review the Cortex XSOAR System Requirements and then follow the instructions in Install Cortex XSOAR with Bolt Database.

Installation with the Elasticsearch Database

Elasticsearch is an analytics engine for all types of data. It enables storing, searching, and analyzing large amounts of data quickly and in near real time.

Maximum indicator capacity and disk usage comparison

The following table compares the maximum total indicator capacity and disk usage for the Bolt database and Elasticsearch. The maximum indicator capacity value was determined when testing the system.

We recommend using Elasticsearch if you plan to exceed at least one of the following maximum capacities for the Bolt database.

The Cortex XSOAR indicators used to test the sizing requirements did not contain a significant number of additional or custom fields. The largest indicators tested had 20 additional or custom fields, each holding a random string of 1-16 characters, so the indicators tested were approximately 0.5 KB each. If you plan to have more additional or custom fields on your indicators, reduce the maximum numbers accordingly.

| Benchmark | BoltDB | Elasticsearch |
| --- | --- | --- |
| Maximum indicator capacity (total) | 5-7 million (requires up to 10 seconds for a complex query) | 100 million (requires approximately 40 seconds for a complex query) |
| Disk usage | 5 million indicators (~30 GB) | 100 million indicators (~70 GB) |

The following diagram depicts a Cortex XSOAR environment with Elasticsearch.

[Figure: xsoar-elasticsearch-install.png]

To move to Elasticsearch, you must have Cortex XSOAR v6.1 or above and Elasticsearch installed. We recommend installing Elasticsearch on a different server than Cortex XSOAR, because both services consume a large amount of memory.

When working with Elasticsearch, Cortex XSOAR does not maintain, and is not responsible for, the following:

  • Redundancy

  • Backups

  • Security

  • Elasticsearch clusters

Note

Moving data from the Elasticsearch database back to the Cortex XSOAR Bolt database is not supported.

Before beginning your installation with the Elasticsearch database, review the Cortex XSOAR System Requirements and the Elasticsearch System Requirements and then follow the instructions in Install Cortex XSOAR with Elasticsearch.