Elasticsearch General Security Guidelines - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-11-12
End_of_Life
EoL
Category
Administrator Guide
Abstract

Best practices for Elasticsearch for Cortex XSOAR single-instance deployments.

Elasticsearch implements its own security features, most of which are free, using the XPack. Cortex XSOAR recommends you use these security features to protect your data.

Note

Note: As Elasticsearch is an external service, the default behavior is no longer secured. It is highly recommended to enable secure connections from, and to, Elasticsearch including secure connections between nodes, otherwise your data can be exposed from outside Cortex XSOAR.

This document provides some guidelines for implementing security in a single instance deployment using an Elasticsearch database. Multi-tenant security guidelines are available here.

Authentication

To connect from Cortex XSOAR to Elasticsearch, you should use Elasticsearch authentication with either a username and password, or an API key to ensure that communication between Elasticsearch and Cortex XSOAR is secure.

You can provide the credentials either in the demisto.conf configuration file under the Elasticsearch branch, or as flags in the Cortex XSOAR installer. The password and/or API keys can be set in the configuration file as plain text or encrypted (using the server encryption key). After you start the Cortex XSOAR server, the Elasticsearch credentials are automatically encrypted.

Communication

Cortex XSOAR recommends that you implement an HTTPS connection using TLS for secure communication.

Use the Elasticsearch certificate verification method to establish a secure connection between your Elasticsearch nodes to avoid man in the middle attacks.

User Permissions

The following lists the user permissions required for the Elasticsearch user in single-instance and multi-tenant deployments.

  • create (indices)

  • delete (indices)

  • index (indices)

  • monitor (indices and cluster)

  • create_index (or at least auto_configure to dynamically create partitions) (indices)

In addition, multi-tenant deployments require the following user permission:

  • manage (or view_index_metadata, manage_index_templates) (cluster)