Elasticsearch Server Configurations - Administrator Guide - 6.12 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.12
Creation date: 2023-04-30
Last date published: 2025-02-27
Category: Administrator Guide

Abstract: Server configurations for Elasticsearch.

Each entry below gives the configuration key, its default value in parentheses, and a description.

application.statistics.update.disable (default: false)
    Set to true to disable collection of Return on Investment (ROI) statistics. Recommended if you do not need ROI reporting, because collecting the statistics can affect performance.

elasticsearch.aggregations.optimize (default: true)
    When true (the default), searches run with Elasticsearch aggregations rather than locally in Cortex XSOAR.

elasticsearch.allowOwnerAggs (default: true)
    When true (the default), the list of suggested owners is built with Elasticsearch aggregations rather than locally in Cortex XSOAR.

elasticsearch.maxresultwindowforindex.common-incident (default: 10,000)
    Limits the number of incident results returned. The default is 10,000 documents, or the value of maxresultwindow if that is defined in demisto.conf. We recommend lowering it to 5,000, because incidents are large documents and returning many of them can affect performance.

elasticsearch.replicas.<common-indicator> (default: 1)
    Sets the number of replica shards for an index when the index is created, where <common-indicator> is the name of the index. The shard count and replica count together should match the total number of Elasticsearch nodes. For more information, see General Configurations.

elasticsearch.shards.<common-indicator> (default: 1)
    Sets the number of primary shards for an index when the index is created, where <common-indicator> is the name of the index. The shard count and replica count together should match the total number of Elasticsearch nodes. For more information, see General Configurations.

Security.elasticsearch.account (default: true)
    (Multi-tenant) Enables security features in Elasticsearch. Set to false to override this and disable security. Keep the default of true unless you have a deliberate reason to run a tenant against Elasticsearch without its security features.

Security.elasticsearch.apikey (default: true)
    (Multi-tenant) If no API key is set in the main/host configuration, lets you create an API key for a tenant.

server.large.html.unsearchable (default: true)
    By default, HTML fields are not indexed, to limit memory consumption. Set to false to make HTML fields searchable in the UI.

server.large.markdown.unsearchable (default: true)
    By default, markdown fields are not indexed, to limit memory consumption. Set to false to make markdown fields searchable in the UI.

server.text.max.characters (default: 30000)
    For both Bolt DB and Elasticsearch, indexing of HTML, markdown, and long text fields is limited to the first 30,000 characters by default. When a larger field is detected, only its first 30,000 characters are searchable. Raising this limit may have a detrimental effect on performance.
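To make the shard/replica rule and the result-window recommendation in the table above checkable against a running cluster, here is an added example that is not part of the Cortex XSOAR product or of this guide. It audits the parsed JSON returned by the Elasticsearch APIs GET /_all/_settings and GET /_cat/nodes?format=json (fetched separately, for example with curl, and passed in as Python objects) and reports which Cortex XSOAR keys would bring the indices into line. The function names, the three-node sample cluster and the sample index settings are constructed for this example; the extra zero-replicas check is general Elasticsearch behaviour, not a statement from the guide.

```python
"""Audit Elasticsearch index settings used by Cortex XSOAR against the
recommendations in the configuration table.

Added example, not Cortex XSOAR code. Input shapes are those of the real
Elasticsearch APIs GET /_all/_settings and GET /_cat/nodes?format=json;
the sample data below is constructed for this example.
"""
from typing import Dict, List

# Values taken from the configuration table.
ES_DEFAULT_RESULT_WINDOW = 10_000            # applies when max_result_window is not set on the index
RECOMMENDED_INCIDENT_RESULT_WINDOW = 5_000   # guide's recommendation for common-incident

# Constructed: what GET /_cat/nodes?format=json returns for a three-node cluster.
SAMPLE_NODES = [
    {"name": "es-node-1", "ip": "10.0.0.11", "node.role": "dim"},
    {"name": "es-node-2", "ip": "10.0.0.12", "node.role": "dim"},
    {"name": "es-node-3", "ip": "10.0.0.13", "node.role": "dim"},
]

# Constructed: the shape of GET /_all/_settings (Elasticsearch returns numbers as strings).
SAMPLE_SETTINGS = {
    "common-incident": {"settings": {"index": {"number_of_shards": "1", "number_of_replicas": "1"}}},
    "common-indicator": {"settings": {"index": {"number_of_shards": "1", "number_of_replicas": "2",
                                                 "max_result_window": "10000"}}},
}


def node_count(cat_nodes: List[dict]) -> int:
    """GET /_cat/nodes?format=json returns one object per node."""
    return len(cat_nodes)


def audit_index(name: str, index_settings: dict, nodes: int) -> List[str]:
    """Return human-readable findings for one index."""
    idx = index_settings["settings"]["index"]
    shards = int(idx["number_of_shards"])
    replicas = int(idx["number_of_replicas"])
    window = int(idx.get("max_result_window", ES_DEFAULT_RESULT_WINDOW))
    findings: List[str] = []
    # Guide: shard count and replica count together should match the node count.
    if shards + replicas != nodes:
        findings.append(f"{name}: shards {shards} + replicas {replicas} = {shards + replicas}, "
                        f"but the cluster has {nodes} nodes")
    # General Elasticsearch caveat (not from the guide): no replicas means no redundancy.
    if replicas == 0 and nodes > 1:
        findings.append(f"{name}: number_of_replicas is 0, so losing one node loses the index")
    # Guide: incidents are large documents, keep the result window at 5,000.
    if name == "common-incident" and window > RECOMMENDED_INCIDENT_RESULT_WINDOW:
        findings.append(f"{name}: max_result_window {window} exceeds the recommended "
                        f"{RECOMMENDED_INCIDENT_RESULT_WINDOW}")
    return findings


def audit(all_settings: Dict[str, dict], cat_nodes: List[dict]) -> Dict[str, List[str]]:
    """Audit every index in a GET /_all/_settings response."""
    nodes = node_count(cat_nodes)
    return {name: audit_index(name, s, nodes) for name, s in all_settings.items()}


def suggested_keys(all_settings: Dict[str, dict], cat_nodes: List[dict]) -> Dict[str, int]:
    """Cortex XSOAR server-configuration keys (from the table) that would fix the findings.
    The shard/replica keys only take effect when an index is created, so for an
    existing index number_of_replicas must also be changed in Elasticsearch itself."""
    nodes = node_count(cat_nodes)
    keys: Dict[str, int] = {}
    for name, s in all_settings.items():
        idx = s["settings"]["index"]
        shards = int(idx["number_of_shards"])
        replicas = int(idx["number_of_replicas"])
        if shards + replicas != nodes and nodes - shards >= 0:
            keys[f"elasticsearch.replicas.{name}"] = nodes - shards
        window = int(idx.get("max_result_window", ES_DEFAULT_RESULT_WINDOW))
        if name == "common-incident" and window > RECOMMENDED_INCIDENT_RESULT_WINDOW:
            keys["elasticsearch.maxresultwindowforindex.common-incident"] = RECOMMENDED_INCIDENT_RESULT_WINDOW
    return keys


if __name__ == "__main__":
    for index, problems in audit(SAMPLE_SETTINGS, SAMPLE_NODES).items():
        for p in problems:
            print("FINDING", p)
    for key, value in suggested_keys(SAMPLE_SETTINGS, SAMPLE_NODES).items():
        print("SET", key, "=", value)
```

With the constructed sample, common-indicator (1 primary shard plus 2 replicas on 3 nodes) passes, while common-incident is flagged twice: its single replica leaves one node uncovered, and its result window is still the 10,000 default. To run this against a real cluster, feed in the output of curl -s 'https://<es-host>:9200/_all/_settings' and curl -s 'https://<es-host>:9200/_cat/nodes?format=json' parsed with json.loads.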