Create Elasticsearch Snapshots - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-11-12
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create automated and manual backups of Cortex XSOAR data by using Elasticsearch snapshots.

We recommend scheduling regular automated snapshots of all indices. In addition, you can create a manual snapshot of some or all indices as needed. For example, you might want to create a manual snapshot of all indices before upgrading or making other significant changes.

Create a Snapshot Repository

Before creating snapshots, register a snapshot repository

Example:

PUT /_snapshot/xsoar_repository
{
  "type": "fs",
  "settings": {
    "location": "xsoar_backup_location"
  }
}
					

To enable cloud vendor repositories such as AWS S3 or Google Cloud Storage refer to the Elasticsearch Cloud documentation for snapshot and restore with custom repositories as an example of how to set up cloud vendor repositories.

NOTE - If you are using AWS Managed Elasticsearch, every Elasticsearch cluster is created with a default repository configured with a backend S3 bucket.

Automated Snapshots

Automated snapshots can be scheduled using the Elasticsearch snapshot API to create a SLM (snapshot lifecycle management) policy. For more details about snapshot lifecycle management in Elasticsearch, see the Elasticsearch SLM tutorial.

In the following example, an incremental snapshot is created every hour and saved to the backup repository xsoar_repository. Each snapshot has a suffix with the current date timestamp. All active Cortex XSOAR indices are backed up, and thirty days of snapshots are retained. Snapshots older than thirty days are automatically deleted from the backup repository.

PUT /_slm/policy/hourly-snapshots
{
  "schedule": "0 0 * * * ? ?", 
  "name": "<xsoar-snap-{now/d}>", 
  "repository": "xsoar_repository", 
  "config": { 
    "indices": ["*dmst-*"] 
  },
  "retention": { 
    "expire_after": "30d", 
    "min_count": 5
  }
}
Manual Snapshots

Using the Elasticsearch snapshot API, you can create a snapshot of your database or specific indices to your selected repository (remote or local). You can specify the specific indices or use wildcards. Snapshots usually take only a few minutes to complete, depending on the number of indices and documents you are backing up.

Create a Manual Snapshot of One or More Indices

The following example shows how to use the snapshot API to back up all of your 2020 indices. The snapshots are saved in the backup repository xsoar_repository. When creating the snapshot, you can provide a reason that will display in the snapshot metadata.

PUT /_snapshot/xsoar_repository/year_2020_snapshot?wait_for_completion=true
{
	"indices": ""dmst-*_2020*",  
    "ignore_unavailable": true,
    "include_global_state": false,
    "metadata": {
      "taken_by": "me",
      "taken_because": "reason for backup"
  }
}

The following example creates a snapshot to back up all of your 2021 incidents. The snapshots are saved in the backup repository xsoar_repository. When creating the snapshot, you can provide a reason that will display in the snapshot metadata.

PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst-common-incident_2021*",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "me",
    "taken_because": "reason for backup"
  }
}
						

The following example creates a snapshot snapshotname in repository xsoar_repository for all of the Cortex XSOAR data from September 2021.

PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst-common-*_202109*",
  "ignore_unavailable": true,
  "include_global_state": false
}
						
Create a Snapshot of the Entire Database

The following example API request creates a new snapshot named snapshotname in the repository xsoar_repository. The snapshot includes all Cortex XSOAR indices including cluster state like aliases, templates, etc.

PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst*",
  "ignore_unavailable": true,
  "include_global_state": true
}