In a single-server installation, Cortex XSOAR and its database are installed on a single computer. Review the following single-server deployment descriptions to determine which deployment is best for you.
Installation with the Bolt Database
When installing Cortex XSOAR with the Bolt database, the app server and database are installed on the same machine.
Before beginning your installation with the Bolt database, review the Cortex XSOAR System Requirements and then follow the instructions in Install Cortex XSOAR with Bolt Database.
Installation with the Elasticsearch Database
Elasticsearch is an analytics engine for all types of data. It enables storing, searching, and analyzing large amounts of data quickly and in near real time.
Maximum indicator capacity and disk usage comparison
The following table compares the maximum total indicator capacity and disk usage for the Bolt database and Elasticsearch. The maximum indicator capacity value was determined by testing the system.
We recommend using Elasticsearch if you plan to exceed at least one of the following maximum capacities for the Bolt database.
The Cortex XSOAR indicators used to test the sizing requirements did not contain a significant number of additional or custom fields. The largest indicators tested had 20 additional or custom fields, each containing a random string of 1-16 characters, so the indicator size tested was approximately 0.5 KB. If you plan to have additional or custom fields for indicators, the maximum numbers should be reduced.
| Benchmark | BoltDB | Elasticsearch |
|---|---|---|
| Maximum indicator capacity (total) | 5-7 million (requires up to 10 seconds for a complex query) | 100 million (requires approximately 40 seconds for a complex query) |
| Disk usage | 5 million indicators (~30 GB) | 100 million indicators (~70 GB) |
The following diagram depicts a Cortex XSOAR environment with Elasticsearch.
To move to Elasticsearch, you must have Cortex XSOAR v6.1 or above and Elasticsearch installed. We recommend that you install Elasticsearch on a different server than Cortex XSOAR because of the high memory consumption of both services.
When working with Elasticsearch, Cortex XSOAR does not maintain, and is not responsible for, the following:

- Redundancy
- Backups
- Security
- Elasticsearch clusters
Note
Moving data from the Elasticsearch database back to the Cortex XSOAR Bolt database is not supported.
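Because Cortex XSOAR leaves redundancy, backups and security of the Elasticsearch cluster to you, it is worth checking those three items explicitly before pointing Cortex XSOAR at the cluster. The following script is an added example, not Palo Alto Networks' code and not part of this documentation: it evaluates already-fetched responses from the standard Elasticsearch REST endpoints `_cluster/health`, `_all/_settings`, `_snapshot/_all` and `_xpack`, and reports a finding for each gap. The response shapes are those of the Elasticsearch API as assumed here; the sample responses are constructed for the example, and fetching the real ones (for instance with `requests` against your cluster URL) is left to the caller.

```python
"""Offline audit of Elasticsearch cluster state for the responsibilities
Cortex XSOAR does not cover: redundancy, backups and security.

Added example; the four inputs are parsed JSON bodies from these (assumed)
Elasticsearch REST endpoints:
  health           -> GET /_cluster/health
  index_settings   -> GET /_all/_settings
  snapshot_repos   -> GET /_snapshot/_all
  xpack_info       -> GET /_xpack
"""
from typing import Any, Dict, List


def audit_cluster(responses: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []

    # --- Redundancy: cluster health, node count, and per-index replica count ---
    health = responses["health"]
    status = health.get("status")
    if status != "green":
        findings.append(f"redundancy: cluster status is {status!r}, not green")
    if health.get("number_of_nodes", 0) < 2:
        findings.append("redundancy: only one node; a node failure takes the data offline")
    for index_name, body in responses["index_settings"].items():
        if index_name.startswith("."):
            continue  # hidden/system indices manage their own replica policy
        replicas = int(body["settings"]["index"].get("number_of_replicas", "0"))
        if replicas < 1:
            findings.append(f"redundancy: index {index_name} has {replicas} replicas")

    # --- Backups: at least one snapshot repository must be registered ---
    if not responses["snapshot_repos"]:
        findings.append("backups: no snapshot repository registered")

    # --- Security: X-Pack security (authentication/authorization) must be on ---
    security = responses["xpack_info"].get("features", {}).get("security", {})
    if not security.get("enabled"):
        findings.append("security: X-Pack security is disabled; the cluster accepts unauthenticated requests")

    return findings


# Constructed sample responses (not captured from a real cluster).
WEAK_RESPONSES: Dict[str, Any] = {
    "health": {"status": "yellow", "number_of_nodes": 1},
    "index_settings": {
        "xsoar-indicators": {"settings": {"index": {"number_of_replicas": "0"}}},
        ".security-7": {"settings": {"index": {"number_of_replicas": "0"}}},
    },
    "snapshot_repos": {},
    "xpack_info": {"features": {"security": {"available": True, "enabled": False}}},
}

HARDENED_RESPONSES: Dict[str, Any] = {
    "health": {"status": "green", "number_of_nodes": 3},
    "index_settings": {
        "xsoar-indicators": {"settings": {"index": {"number_of_replicas": "1"}}},
    },
    "snapshot_repos": {"nightly": {"type": "fs", "settings": {"location": "/mnt/es-backups"}}},
    "xpack_info": {"features": {"security": {"available": True, "enabled": True}}},
}


if __name__ == "__main__":
    for label, responses in (("weak", WEAK_RESPONSES), ("hardened", HARDENED_RESPONSES)):
        print(f"[{label}]")
        for finding in audit_cluster(responses) or ["no findings"]:
            print("  -", finding)
```

Run it once against the constructed samples to see the five findings the weak cluster produces and the clean result for the hardened one; to audit a real cluster, replace the sample dictionaries with the parsed bodies of the four endpoints, fetched with whatever credentials your cluster requires.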
Before beginning your installation with the Elasticsearch database, review the Cortex XSOAR System Requirements and the Elasticsearch System Requirements and then follow the instructions in Install Cortex XSOAR with Elasticsearch.