Index War Room Entries in a Multi-Tenant Deployment - Multi-Tenant Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-29
Last date published
2023-02-09
End_of_Life
EoL
Category
Multi-Tenant Guide

By default, Cortex XSOAR does not index notes, chats, and pinned as evidence entries from incident War Rooms and it is not possible to find these entries in the Search Incidents bar. Use this procedure to index these entries, which also re-indexes incidents for selected months.

Note

Depending on the number of cases in your system and server hardware, the re-indexing operation can take a significant amount of time, during which the Cortex XSOAR server is inaccessible. It is recommended to undertake this procedure when it has a minimal impact on your organization. After completion, you should review your Cortex XSOAR server, as it may have some impact on performance.

Note

(Multi-tenant) - For multi-tenant deployments with Elasticsearch, following the non multi-tenant instructions to Index War Room Entries Using Elasticsearch, applied per tenant.Index War Room Entries Using Elasticsearch

  1. Stop the tenant process:

    In the main account, go to SettingsAccount ManagementAccounts, select the tenant account, and click Stop

  2. Log in to your Cortex XSOAR server as root or an account with sudo privileges.

  3. Make a backup copy of the tenant’s configuration file:

    cp /usr/local/demisto/tenants/acc_<tenant_name>/server.conf /usr/local/demisto/tenants/acc_<tenant_name>/server.conf.bak

  4. Edit the /usr/local/demisto/tenants/acc_<tenant_name>/server.conf file for all databases by adding or editing the following entries:

    "server.entries.restore": true,
    							"db.index.entry.disable": false,
    							"DB" : {
    							"IndexEntryContent": true
    							},
    							"granular": {
    							"index": {
    							"entries": 7
    							}
    							}

    The granular.index.entries total value is 7, which is split:

    1: notes

    2: chats

    4: pinned as evidence

    You can choose one of the values separately, or add them together for all values. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence).

  5. Save the file.

    We recommend you validate JSON changes before committing them.

  6. Delete the relevant War Room entries index on all databases by running the following command on each database machine:

    rm- rf /var/lib/demisto/tenants/acc_<tenant_name>/data/demistoidx/entries_MMYYYY

    For example, to delete March 2020, run the following command:

    rm -rf /var/lib/demisto/tenants/acc_<tenant_name>/data/demistoidx/entries_032020

    To add indexing for additional months, run the same command for each month, but change the date in the command, after "entries_". Adding months may cause re-indexing to take longer depending on the number of cases in the system.

  7. Start the tenant process:

    Go to SettingsAccount ManagementAccounts, select the tenant account, and click Start.

    In the field Additional arguments for tenant start, specify which month(s) you want to re-index. For example, to re-index March 2020, enter -restore-index-name=entries_032020. For multiple months, use comma separated values. For example, -restore-index-name=entries_032020,entries_022020,entries_012020.

  8. Confirm that you can search your case comments through the search bar.

    indexing-war-room.png