Best practices and security guidelines for Elasticsearch for Cortex XSOAR single-instance deployments.
Elasticsearch implements its own security features, most of which are free, through X-Pack. Cortex XSOAR recommends that you use these features to protect your data.
Note
Because Elasticsearch is an external service, the Cortex XSOAR defaults no longer secure the data path on their own. It is highly recommended to enable secure (TLS) connections to and from Elasticsearch, including the transport connections between Elasticsearch nodes; otherwise your data can be read or modified from outside Cortex XSOAR.
The following provides some guidelines for implementing security in a single instance deployment using an Elasticsearch database.
Authentication
To connect from Cortex XSOAR to Elasticsearch, use Elasticsearch authentication with either a username and password or an API key, so that only the Cortex XSOAR service account can read and write its data.
You can provide the credentials either in the demisto.conf configuration file under the Elasticsearch branch, or as flags to the Cortex XSOAR installer. The Elasticsearch password and API key in the configuration file can be given in plain text or encrypted with the server encryption key; after the Cortex XSOAR server starts, plain text Elasticsearch credentials are automatically encrypted.
Communication
Cortex XSOAR recommends an HTTPS connection (HTTP over TLS) for all communication with Elasticsearch.
Enable certificate verification for the Cortex XSOAR to Elasticsearch connection, and TLS with certificate verification on the transport connections between your Elasticsearch nodes, so that a man-in-the-middle cannot intercept or alter traffic.
User Permissions
The following lists the user permissions required for the Elasticsearch user in single-instance and multi-tenant deployments.
create (indices)
delete (indices)
index (indices)
monitor (indices)
create_index (or at least auto_configure to dynamically create partitions) (indices)
In addition, multi-tenant deployments require the following user permission:
manage (cluster), or the narrower combination of view_index_metadata (indices) and manage_index_templates (cluster)
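The following is an added example, not Cortex XSOAR or Elastic code, that ties the three sections above together: it builds a least-privilege Elasticsearch role containing exactly the privileges listed on this page, authenticates to Elasticsearch with an API key over a certificate-verified TLS connection, and uses the Elasticsearch has-privileges API to confirm the Cortex XSOAR account holds everything it needs. The role name, the index pattern `xsoar-*`, the CA file path and the sample API response are assumptions for illustration; substitute the values from your deployment.

```python
"""Least-privilege check for the Cortex XSOAR Elasticsearch account.

Added example, not part of Cortex XSOAR or Elasticsearch. Index pattern,
role name and the SAMPLE_RESPONSE below are assumptions/constructed data.
"""
import base64
import json
import ssl
import urllib.request

# Privileges listed on this page for the XSOAR user.
INDEX_PRIVILEGES = ["create", "delete", "index", "monitor", "create_index"]
# Narrow alternative to cluster-level "manage" for multi-tenant deployments.
MT_INDEX_PRIVILEGES = ["view_index_metadata"]
MT_CLUSTER_PRIVILEGES = ["manage_index_templates"]


def required_privileges(multi_tenant: bool = False):
    """Return (index privileges, cluster privileges) the XSOAR account needs."""
    index_privs = list(INDEX_PRIVILEGES)
    cluster_privs = []
    if multi_tenant:
        index_privs += MT_INDEX_PRIVILEGES
        cluster_privs += MT_CLUSTER_PRIVILEGES
    return index_privs, cluster_privs


def build_role(index_pattern: str, multi_tenant: bool = False) -> dict:
    """Body for PUT /_security/role/<name>, scoped to the XSOAR indices only."""
    index_privs, cluster_privs = required_privileges(multi_tenant)
    return {
        "cluster": cluster_privs,
        "indices": [{"names": [index_pattern], "privileges": index_privs}],
    }


def has_privileges_body(index_pattern: str, multi_tenant: bool = False) -> dict:
    """Body for POST /_security/user/_has_privileges, sent as the XSOAR account."""
    index_privs, cluster_privs = required_privileges(multi_tenant)
    body = {"index": [{"names": [index_pattern], "privileges": index_privs}]}
    if cluster_privs:
        body["cluster"] = cluster_privs
    return body


def missing_privileges(response: dict, index_pattern: str, multi_tenant: bool = False) -> list:
    """List required privileges that the _has_privileges response reports as false."""
    index_privs, cluster_privs = required_privileges(multi_tenant)
    granted_index = response.get("index", {}).get(index_pattern, {})
    granted_cluster = response.get("cluster", {})
    missing = [f"index:{p}" for p in index_privs if not granted_index.get(p, False)]
    missing += [f"cluster:{p}" for p in cluster_privs if not granted_cluster.get(p, False)]
    return missing


def api_key_header(key_id: str, api_key: str) -> str:
    """Elasticsearch API-key authentication: 'ApiKey ' + base64(id:api_key)."""
    token = base64.b64encode(f"{key_id}:{api_key}".encode()).decode()
    return f"ApiKey {token}"


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Verify the Elasticsearch certificate chain and hostname against your CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # never relax this to "fix" a cert error
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_xsoar_account(es_url, key_id, api_key, ca_file, index_pattern, multi_tenant=False):
    """Ask a live cluster which required privileges the XSOAR API key lacks."""
    req = urllib.request.Request(
        es_url.rstrip("/") + "/_security/user/_has_privileges",
        data=json.dumps(has_privileges_body(index_pattern, multi_tenant)).encode(),
        headers={"Authorization": api_key_header(key_id, api_key),
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=10) as resp:
        return missing_privileges(json.load(resp), index_pattern, multi_tenant)


# Constructed sample of a _has_privileges response for an under-privileged account.
SAMPLE_RESPONSE = {
    "username": "xsoar", "has_all_requested": False,
    "cluster": {"manage_index_templates": False},
    "index": {"xsoar-*": {"create": True, "delete": True, "index": True, "monitor": True,
                          "create_index": False, "view_index_metadata": True}},
    "application": {},
}

if __name__ == "__main__":
    print(json.dumps(build_role("xsoar-*", multi_tenant=True), indent=2))
    print("missing:", missing_privileges(SAMPLE_RESPONSE, "xsoar-*", multi_tenant=True))
```

Run `check_xsoar_account("https://es.example:9200", key_id, api_key, "/etc/ssl/es-ca.pem", "xsoar-*")` (values assumed) against your cluster before first start of Cortex XSOAR; an empty list means the account has exactly the listed privileges and nothing is missing. Keeping the role scoped to the XSOAR index pattern rather than `*` limits what a leaked XSOAR credential can touch.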