Store Incident/Artifact Files in the Cloud - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Store incident attachments and artifact files including War Room, or through a Playbook.

Cortex XSOAR provides the ability to save incident attachments and artifact files (for example, attachments uploaded to the War Room, or added via a Playbook) in a cloud storage bucket, as opposed to working with the standard local file system. The cloud artifact file URL is added to the context data, providing a way for you to access the file from outside of Cortex XSOAR as well.

Cloud storage can be helpful if your environment has performance issues, such as high disk I/O utilization or a high storage volume. This feature is supported for GCP (using Google Cloud Storage), AWS (using Amazon S3), as well as Amazon S3-compatible products.


If you choose to save incident attachments and artifact files to the cloud, existing files are not migrated to the cloud and these files are no longer available within Cortex XSOAR. For this reason, we recommend using cloud storage for new deployments or in cases where you do not need access to previously saved files.

( Multi-tenant) - For multi-tenant deployments, the configuration needs to be added separately for each tenant. For multi-tenant high availability deployments, the configuration does not need to be added on each app server of the tenant. We recommend a separate bucket for each tenant, but multiple tenants can be assigned to the same bucket, if necessary.

( Multi-tenant) - If the tenant app server (the tenant folder on each host machine) was previously configured with cloud storage, via file configuration, the file configuration should be removed.

  1. Go to SettingsABOUTTroubleshooting.

  2. In the Server Configuration section, click Add Server Configuration.

  3. Add the Server.CloudStorage key and the value for GCP or S3:

    • GCP

      	"Platform": "Google-Storage",
      	"BucketName": "bucket-name",
      	"ArtifactsPath": "artifacts"
    • S3

      	"Platform": "AWS-S3",
      	"BucketName": "bucket-name",
      	"ArtifactsPath": "artifacts",
      	"Endpoint": "",
      	"PerProviderOptions": {
      		"Region": "eu-north-1",
      		"AccessKeyID": "abcdefg",
      		"AccessKeySecret": "abcdefg"


      Endpoint is required for Amazon S3-compatible products only, and not for a standard S3 environment. For example, if you are using MinIO, set this value to the machine IP (“x.x.x.x:9000"). If you omit this field, communication will be with the official AWS service.

      The bucket's access key secret can be plaintext or encrypted by the utility. See Step 4.b below.

  4. To authenticate Cortex XSOAR to the cloud provider, do one of the following:

    1. For GCP: Authentication is based on the service account set on the machine. Refer to the relevant GCP documentationrelevant GCP documentation for more information.

    2. For S3: The credentials are set in the server configuration. The bucket's access key secret can be encrypted using a utility installed with XSOAR.

      1. Run the following tom util command, including the bucket’s access key secret in plaintext:

        /usr/local/demisto/tom <plain text secret>

      2. Copy and paste the encrypted output into the AccessKeySecret field.