Cortex XSOAR uses the demisto.conf
file to store the Elasticsearch configuration details. When setting up Elasticsearch for a new Cortex XSOAR installation, you need to add connection information for the Elasticsearch database to the demisto.conf file. You can also add optional parameters including shards, replicas, and refresh intervals for the indexes that will be created within Elasticsearch
For more information about Elasticsearch configuration for Cortex XSOAR, we recommend reviewing Elasticsearch Best Practices before editing the configuration file.
Edit the /etc/demisto.conf
file to add the new Elasticsearch configuration. At a minimum, you must provide the URL and a username/password or API key. You can also provide an indexPrefix if you want the indexes to be created with a different prefix.
Example
{ "elasticsearch": { "username": "elastic", "password": "changeme", "apiKey": "", "url": "https://readyelasticone:9200", "enabled": true, "insecure": true, "indexPrefix": "", "responseHeaderTimeoutSeconds": 120, "shards": { "common-invplaybook": 3, "common-entry": 3 }, "replicas": { "common-invplaybook": 1, "common-entry": 1 }, "defaultShardsPerIndex": 1, "defaultReplicasPerIndex": 2, "refreshIntervals": { "*": "30s", "common-configuration": "1s", "common-incident": "1s" } } }
The following table lists all the possible Elasticsearch configurations supported in the demisto.conf
file. Use these elements to tweak Elasticsearch performance.
Name | Type | Description |
---|---|---|
| string | The url, or urls, comma-separated to an Elasticsearch node. The url includes the schema and port. Default: Example: |
| boolean | Set to true to enable the use of Elasticsearch as the database. Default: Example: |
| string | The index prefix to address when creating, writing, and reading from Cortex XSOAR indexes. Default: N/a Example: |
| boolean | Set to true if Elasticsearch is used behind a proxy service. Default: Example: |
| string | The Elasticsearch username to establish a connection. * required (unless API key is provided) Default: N/a Example: |
| string | A plain, tommed, or encrypted password for Elasticsearch to establish connection. * required (unless API key is used) Default: N/a Example: |
| string | The Elasticsearch API key to establish connection. * required (unless a username and password are used) Default: N/a Example: |
| boolean | Allow an insecure connection to Elasticsearch for unsigned certificates. Default: Example: |
| number | The number of seconds for timeout while awaiting response headers from Elasticsearch. Default: Example: |
| number | The number of seconds for timeout while awaiting to establish connection to Elasticsearch. Default: Example: |
| number | The maximum number of idle connections to Elasticsearch that remain alive. Default: Example: |
| number | The number of seconds for an idle connection to be closed, if not used. Default: Example: |
| number | The amount of maximum retries when connection is refused or not found from Elasticsearch. Default: Example: |
| object | An index name for the number of shards for an object to determine shards allocation on each index. Default: N/a Example: |
| object | An index name for the number of replica objects to determine the replicas allocation on each index. Default: N/a Example: |
| number | The default number of shards for each index created using Cortex XSOAR. Default: N/a Example: |
| number | The default number of replicas for each index created using Cortex XSOAR. Default: N/a Example: |
| object | An index name for the number of maximum fields allowed in the index mapping. Default: Example: |
| object | An index name to number of seconds to perform refresh on the index. Use Default: N/a Example: |
| number | The amount of maximum objects to send to Elasticsearch when using bulk updates. Default: Example: |
| number | Amount of retries to run on version conflict errors received from Elasticsearch. Default: Example: |
| number | Maximum allowed results to return from Elasticsearch searches. Default: Example: “maxResultWindow”: 50000 |
| number | Maximum allowed results to return from Elasticsearch aggregations. Default: Example: |
| number | Maximum allowed objects to store on the last feed fetch limit. Default: Example: |
| boolean | Disable force refresh on new incidents to allow back-to-back searches using pre-processing scripts. Default: Example: |
| string | Uses a custom template name prefix. Default: Example: |
| array | Default cluster roles to provide new users in Elasticsearch created in Cortex XSOAR. Default: Example: |
| array | Default cluster roles to provide new API keys in Elasticsearch created in Cortex XSOAR. Default: Example: |
| boolean | Show Elasticsearch built queries before sending when using the log level debug. Default: Example: |