Elasticsearch General Security Guidelines - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Best practices and security guidelines for Elasticsearch for Cortex XSOAR single-instance deployments.

Elasticsearch implements its own security features, most of which are free, using the XPack. Cortex XSOAR recommends you use these security features to protect your data.


As Elasticsearch is an external service, the default behavior is no longer secured. It is highly recommended to enable secure connections from, and to, Elasticsearch including secure connections between nodes, otherwise your data can be exposed from outside Cortex XSOAR.

This document provides some guidelines for implementing security in a single instance deployment using an Elasticsearch database. Multi-tenant security guidelines are available here.


To connect from Cortex XSOAR to Elasticsearch, you should use Elasticsearch authentication with either a username and password, or an API key to ensure that communication between Elasticsearch and Cortex XSOAR is secure.

You can provide the credentials either in the demisto.conf configuration file under the Elasticsearch branch, or as flags in the Cortex XSOAR installer. The password and/or API keys can be set in the configuration file as plain text or encrypted (using the server encryption key). After you start the Cortex XSOAR server, the Elasticsearch credentials are automatically encrypted.


Cortex XSOAR recommends that you implement an HTTPS connection using TLS for secure communication.

Use the Elasticsearch certificate verification method to establish a secure connection between your Elasticsearch nodes to avoid man-in-the-middle attacks.

User Permissions

The following are the user permissions required for the Elasticsearch user in single-instance and multi-tenant deployments.

  • create (indices)

  • delete (indices)

  • index (indices)

  • monitor (indices and cluster)

  • create_index (or at least auto_configure to dynamically create partitions) (indices)

In addition, multi-tenant deployments require the following user permission:

  • manage (or view_index_metadata, manage_index_templates) (cluster)