Index War Room Entries Using Elasticsearch - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-07-30
End_of_Life
EoL
Category
Administrator Guide
Abstract

Index Cortex XSOAR War Room entries for Elasticsearch to ensure that you can search for them in incidents.

As Cortex XSOAR does not index notes, chats, and pinned as evidence entries from the War Room by default, use this procedure to index these entries (and re-index historical data for selected months) when using Elasticsearch.

Note

(Multi-tenant) The same instructions apply for multi-tenant deployments, for each tenant that requires War Room indexing.

  1. Log in to your Cortex XSOAR server as root or an account with sudo privileges.

  2. Stop the Cortex XSOAR service, by typing the following command:

    systemctl stop demisto

  3. Edit the demisto.conf file.

    1. Create a backup copy of your demisto.conf file, by typing the following command:

      cp /etc/demisto.conf /etc/demisto.conf.bak

    2. Edit the /etc/demisto.conf file for all databases by adding the entries in the following format:

      "server.entries.restore": true,
      "db.index.entry.disable": false,
      "DB": {
          "IndexEntryContent": true
      },
      "granular": {
          "index": {
      	"entries": 7
          }								}
      }							

      The granular.index.entries total value is 7, which is split as to:

      1: notes

      2: chats

      4: pinned as evidence

      You can choose one of the values separately, or add them together for all values. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence).

    3. Save the file.

      We recommend you validate these changes before committing them.

  4. Start Cortex XSOAR by typing the following command:

    systemctl start demisto

  5. ( Optional) Re-index the War Room entries, as required.

    After editing the demisto.conf file, indexing current data does not start, by default, until the next calendar month. For example, if you edit the demisto.conf file on October 5th, indexing starts on November 1st. If you want to index historical data, you must re-index your entries index in Elasticsearch to match the new indexing option. Also, if you re-index your entries index in Elasticsearch, indexing for the current month starts from the date of the re-index and does not wait until the following month.

    After entries indexing is enabled, you can re-index older entries to have them available for global searches, by running the reindex API on the desired index.

    1. Copy the index with the desired historical data to a new index, which allocates shards and replicates based on the template configured in demisto.conf file. For example, the POST request below copies the index dmst-common-entry_202110 (2021 October entries) to a new index dmst-common-entry_202110-fixed.

      POST _reindex
      {
        "source": {
          "index": "dmst-common-entry_202110"
        },
        "dest": {
          "index": "dmst-common-entry_202110-fixed"
        }
      }
      
    2. To confirm Cortex XSOAR is referring to the new index, add an alias and delete the original index. For example, the following POST request deletes the index dmst-common-entry_202110 while also creating an alias from dmst-common-entry_202110-fixed to dmst-common-entry_202110.

      POST _aliases
      {
        "actions": [
          {
            "add": {
              "index": "dmst-common-entry_202110-fixed",
              "alias": "dmst-common-entry_202110"
            }
          },
          {
             "remove_index": {
                "index": "dmst-common-entry_202110"
              }
          }
        ]
      }
    3. Confirm the index is available for searching in Cortex XSOAR.