Create automated and manual backups of Cortex XSOAR data by using Elasticsearch snapshots.
We recommend scheduling regular automated snapshots of all indices. In addition, you can create a manual snapshot of some or all indices as needed. For example, you might want to create a manual snapshot of all indices before upgrading or making other significant changes.
Create Snapshot Repository
Before creating snapshots, register a snapshot repository.
Example:
PUT /_snapshot/xsoar_repository
{
  "type": "fs",
  "settings": {
    "location": "xsoar_backup_location"
  }
}
To use a cloud vendor repository such as AWS S3 or Google Cloud Storage, refer to the Elasticsearch Cloud documentation for snapshot and restore with custom repositories, which shows how to register such repositories.
Note
If you are using AWS Managed Elasticsearch, every Elasticsearch cluster is created with a default repository configured with a backend S3 bucket.
Automated Snapshots
Automated snapshots can be scheduled by using the Elasticsearch snapshot API to create an SLM (snapshot lifecycle management) policy. For more details about snapshot lifecycle management in Elasticsearch, see the Elasticsearch SLM tutorial.
In the following example, an incremental snapshot is created every hour and saved to the backup repository xsoar_repository. Each snapshot name carries a suffix with the current date. All active Cortex XSOAR indices are backed up, and 30 days of snapshots are retained. Snapshots older than 30 days are automatically deleted from the backup repository.
PUT /_slm/policy/hourly-snapshots
{
  "schedule": "0 0 * * * ?",
  "name": "<xsoar-snap-{now/d}>",
  "repository": "xsoar_repository",
  "config": {
    "indices": ["*dmst-*"]
  },
  "retention": {
    "expire_after": "30d",
    "min_count": 5
  }
}
Manual Snapshots
Using the Elasticsearch snapshot API, you can create a snapshot of your database or specific indices to your selected repository (remote or local). You can specify the specific indices or use wildcards. Snapshots usually take only a few minutes to complete, depending on the number of indices and documents you are backing up.
Create a manual snapshot of one or more indices
The following example shows how to use the snapshot API to back up all of your 2020 indices. The snapshots are saved in the backup repository xsoar_repository. When creating the snapshot, you can provide a reason that will display in the snapshot metadata.
PUT /_snapshot/xsoar_repository/year_2020_snapshot?wait_for_completion=true
{
  "indices": "*dmst-*_2020*",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "me",
    "taken_because": "reason for backup"
  }
}
The following example creates a snapshot to back up all of your 2021 incidents. The snapshots are saved in the backup repository xsoar_repository. When creating the snapshot, you can provide a reason that will display in the snapshot metadata.
PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst-common-incident_2021*",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "me",
    "taken_because": "reason for backup"
  }
}
The following example creates a snapshot named snapshotname in the repository xsoar_repository for all of the Cortex XSOAR data from September 2021.
PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst-common-*_202109*",
  "ignore_unavailable": true,
  "include_global_state": false
}
Create a snapshot of the entire database
The following example API request creates a new snapshot named snapshotname in the repository xsoar_repository. The snapshot includes all Cortex XSOAR indices together with the cluster state, such as aliases and templates.
PUT /_snapshot/xsoar_repository/snapshotname?wait_for_completion=true
{
  "indices": "*dmst*",
  "ignore_unavailable": true,
  "include_global_state": true
}
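A check worth running after either the hourly SLM policy or a manual snapshot, as an added example that is not part of the Cortex XSOAR or Elasticsearch documentation: audit the response of GET /_snapshot/xsoar_repository/_all for snapshots that are not in state SUCCESS, snapshots with failed shards, a newest snapshot older than the expected cadence, and wildcard patterns that matched no index (with "ignore_unavailable": true a mistyped pattern is skipped silently rather than rejected). The sample response, index names and timestamps are constructed.

```python
import json

# Constructed sample of a GET /_snapshot/xsoar_repository/_all response.
# Timestamps are 2024-05-01 00:00 UTC and 2024-05-02 00:00 UTC.
SNAPSHOTS = [
    {"snapshot": "xsoar-snap-2024.05.01", "state": "SUCCESS",
     "indices": ["dmst-common-incident_2024", "dmst-common-entry_2024"],
     "end_time_in_millis": 1714521600000,
     "shards": {"total": 4, "failed": 0, "successful": 4}},
    {"snapshot": "xsoar-snap-2024.05.02", "state": "PARTIAL",
     "indices": ["dmst-common-incident_2024"],
     "end_time_in_millis": 1714608000000,
     "shards": {"total": 2, "failed": 1, "successful": 1}},
]
SAMPLE_RESPONSE = json.dumps({"snapshots": SNAPSHOTS})
HEALTHY_RESPONSE = json.dumps({"snapshots": SNAPSHOTS[:1]})


def audit_snapshots(response_json, now_epoch_s, max_age_s, required_substrings):
    """Return a list of problem strings found in a snapshot listing.

    response_json: raw JSON text of GET /_snapshot/<repo>/_all
    now_epoch_s: current time as Unix seconds, used to judge staleness
    max_age_s: the newest snapshot may be at most this old (e.g. 2 hours
               for an hourly SLM policy, leaving room for one missed run)
    required_substrings: index-name fragments that the newest snapshot
               must contain, to catch a pattern that matched nothing
    """
    snaps = json.loads(response_json)["snapshots"]
    if not snaps:
        return ["repository contains no snapshots"]
    problems = []
    for s in snaps:
        if s["state"] != "SUCCESS":
            problems.append(f"{s['snapshot']}: state {s['state']}")
        if s["shards"]["failed"]:
            problems.append(f"{s['snapshot']}: {s['shards']['failed']} failed shard(s)")
    # Judge freshness and coverage on the most recently finished snapshot only.
    newest = max(snaps, key=lambda s: s["end_time_in_millis"])
    age_s = now_epoch_s - newest["end_time_in_millis"] // 1000
    if age_s > max_age_s:
        problems.append(f"newest snapshot {newest['snapshot']} is {age_s // 60} min old")
    for needle in required_substrings:
        if not any(needle in name for name in newest["indices"]):
            problems.append(f"{newest['snapshot']}: no index containing '{needle}'")
    return problems
```

Run it from the SLM policy's own schedule (or a monitoring job) and alert on a non-empty list; an empty list means the latest snapshot completed fully, is recent, and covered the indices you expected.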