Restore a Tenant Database - Multi-Tenant Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide


Cortex XSOAR automatically backs up the database. If the database becomes corrupted or you need to revert to an earlier version of your data, you can restore a database backup.


As of Cortex XSOAR version 6.1, any XSOAR service that uses the Elasticsearch database no longer runs automatic backups. To back up or restore the contents of your Elasticsearch database, follow the instructions in the Elasticsearch documentation.

  1. Log out all users from Cortex XSOAR.

  2. Stop the tenant process.

    Go to Settings > Account Management > Accounts, select the tenant account, and click Stop.

  3. Delete the contents of the database directory.

    The default data directory for a specific tenant is /var/lib/demisto/tenants/acc_{TENANT_NAME}/data.

  4. Copy the backup file to the database location.

  5. Extract the .gzip backup file using tar -xzf <file-name>.

  6. Move the demisto_XXXXX.db files to the partitionsData folder. Keep the demisto.db file in the /data parent folder.

  7. The following directories need to be restored manually:

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/artifacts

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/attachments

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/images

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/d2_server.key

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/tools

    • /var/lib/demisto/tenants/acc_{TENANT_NAME}/versionControlRepo

    • /usr/local/demisto

    • /etc/demisto.conf

  8. Restart the tenant process and log in to Cortex XSOAR.

    Go to Settings > Account Management > Accounts, select the tenant account, and click Start.
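
Steps 3 to 6 as a shell function, an added example that is not part of the Cortex XSOAR documentation. It checks that the backup archive is readable before deleting the live database. It assumes that partitionsData sits inside the data directory and that the archive extracts its .db files at the top level; the function name restore_tenant_db is hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): steps 3-6 of the restore for one tenant.
# Assumptions: partitionsData is a subfolder of the data directory, and the
# archive extracts its .db files at the top level.
# Example call (tenant name and file name are placeholders):
#   restore_tenant_db "/var/lib/demisto/tenants/acc_{TENANT_NAME}/data" "<file-name>"

restore_tenant_db() {
    data_dir="$1"
    backup="$2"

    # Refuse an empty or missing path before any recursive delete.
    [ -n "$data_dir" ] && [ -d "$data_dir" ] || { echo "bad data dir: $data_dir" >&2; return 1; }
    [ -f "$backup" ] || { echo "backup not found: $backup" >&2; return 1; }

    # Confirm the archive is readable BEFORE deleting the live database.
    tar -tzf "$backup" >/dev/null 2>&1 || { echo "backup unreadable: $backup" >&2; return 1; }

    # Stage a copy outside the data dir in case the backup is stored inside it.
    stage="$(mktemp -d)" || return 1
    name="$(basename "$backup")"
    cp -p "$backup" "$stage/$name" || return 1

    # Step 3: delete the contents of the database directory, not the directory.
    find "$data_dir" -mindepth 1 -delete || return 1

    # Steps 4 and 5: copy the backup to the database location and extract it.
    cp -p "$stage/$name" "$data_dir/" || return 1
    tar -xzf "$data_dir/$name" -C "$data_dir" || return 1
    rm -rf "$stage"

    # Step 6: demisto_XXXXX.db files go to partitionsData; demisto.db stays put.
    mkdir -p "$data_dir/partitionsData" || return 1
    find "$data_dir" -maxdepth 1 -type f -name 'demisto_*.db' \
        -exec mv {} "$data_dir/partitionsData/" \;
}
```

Run it only after the tenant process is stopped (step 2), and as a user that can write to the tenant's data directory.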