Index Cortex XSOAR War Room entries for Elasticsearch to ensure that you can search for them in incidents.
As Cortex XSOAR does not index notes, chats, and pinned as evidence entries from the War Room by default, use this procedure to index these entries (and re-index historical data for selected months) when using Elasticsearch.
Note
(Multi-tenant) The same instructions apply for multi-tenant deployments, for each tenant that requires War Room indexing.
Log in to your Cortex XSOAR server as root or an account with sudo privileges.
Stop the Cortex XSOAR service, by typing the following command:
systemctl stop demisto
Edit the
demisto.conf
file.Create a backup copy of your
demisto.conf
file, by typing the following command:cp /etc/demisto.conf /etc/demisto.conf.bak
Edit the
/etc/demisto.conf
file for all databases by adding the entries in the following format:"server.entries.restore": true, "db.index.entry.disable": false, "DB": { "IndexEntryContent": true }, "granular": { "index": { "entries": 7 } } }
The
granular.index.entries
total value is 7, which is split as to:1: notes
2: chats
4: pinned as evidence
You can choose one of the values separately, or add them together for all values. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence).
Save the file.
We recommend you validate these changes before committing them.
Start Cortex XSOAR by typing the following command:
systemctl start demisto
( Optional) Re-index the War Room entries, as required.
After editing the
demisto.conf
file, indexing current data does not start, by default, until the next calendar month. For example, if you edit thedemisto.conf
file on October 5th, indexing starts on November 1st. If you want to index historical data, you must re-index your entries index in Elasticsearch to match the new indexing option. Also, if you re-index your entries index in Elasticsearch, indexing for the current month starts from the date of the re-index and does not wait until the following month.After entries indexing is enabled, you can re-index older entries to have them available for global searches, by running the reindex API on the desired index.
Copy the index with the desired historical data to a new index, which allocates shards and replicates based on the template configured in
demisto.conf
file. For example, the POST request below copies theindex dmst-common-entry_202110
(2021 October entries) to a newindex dmst-common-entry_202110-fixed
.POST _reindex { "source": { "index": "dmst-common-entry_202110" }, "dest": { "index": "dmst-common-entry_202110-fixed" } }
To confirm Cortex XSOAR is referring to the new index, add an alias and delete the original index. For example, the following POST request deletes the
index dmst-common-entry_202110
while also creating an alias fromdmst-common-entry_202110-fixed to dmst-common-entry_202110
.POST _aliases { "actions": [ { "add": { "index": "dmst-common-entry_202110-fixed", "alias": "dmst-common-entry_202110" } }, { "remove_index": { "index": "dmst-common-entry_202110" } } ] }
Confirm the index is available for searching in Cortex XSOAR.