Store incident attachments and artifact files, including those uploaded to the War Room or added through a playbook, in cloud storage.
Cortex XSOAR provides the ability to save incident attachments and artifact files (for example, attachments uploaded to the War Room, or added via a Playbook) in a cloud storage bucket, as opposed to working with the standard local file system. The cloud artifact file URL is added to the context data, providing a way for you to access the file from outside of Cortex XSOAR as well.
Cloud storage can be helpful if your environment has performance issues, such as high disk I/O utilization or a high storage volume. This feature is supported for GCP (using Google Cloud Storage), AWS (using Amazon S3), as well as Amazon S3-compatible products.
Note
If you choose to save incident attachments and artifact files to the cloud, existing files are not migrated to the cloud and these files are no longer available within Cortex XSOAR. For this reason, we recommend using cloud storage for new deployments or in cases where you do not need access to previously saved files.
(Multi-tenant) For multi-tenant deployments, the configuration needs to be added separately for each tenant. For multi-tenant high availability deployments, the configuration does not need to be added on each app server of the tenant. We recommend a separate bucket for each tenant, but multiple tenants can be assigned to the same bucket, if necessary.
(Multi-tenant) If the tenant app server (the tenant folder on each host machine) was previously configured with cloud storage, via file configuration, the file configuration should be removed.
Go to → → . In the Server Configuration section, click Add Server Configuration.
Add the Server.CloudStorage key and the value for GCP or S3:
GCP
{
  "Platform": "Google-Storage",
  "BucketName": "bucket-name",
  "ArtifactsPath": "artifacts"
}
S3
{
  "Platform": "AWS-S3",
  "BucketName": "bucket-name",
  "ArtifactsPath": "artifacts",
  "Endpoint": "example-objects-internal.com:443",
  "PerProviderOptions": {
    "Region": "eu-north-1",
    "AccessKeyID": "abcdefg",
    "AccessKeySecret": "abcdefg"
  }
}
Note
Endpoint is required for Amazon S3-compatible products only, and not for a standard S3 environment. For example, if you are using MinIO, set this value to the machine IP ("x.x.x.x:9000"). If you omit this field, communication will be with the official AWS service.
The bucket's access key secret can be plaintext or encrypted by the utility. See step 4 below.
To authenticate Cortex XSOAR to the cloud provider, do one of the following:
For GCP: Authentication is based on the service account set on the machine. Refer to the relevant GCP documentation for more information.
For S3: The credentials are set in the server configuration. The bucket's access key secret can be encrypted using a utility installed with XSOAR.
Run the following tom util command, including the bucket’s access key secret in plaintext:
/usr/local/demisto/tom <plain text secret>
Copy and paste the encrypted output into the AccessKeySecret field.
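Added example (not part of the Cortex XSOAR product or its documentation): a pre-flight check for Server.CloudStorage values before they are pasted into the server configuration, which also reports tenants that share a bucket. It assumes the expected keys are exactly those in the two sample values above; the function names and tenant names are hypothetical.

```python
import json

# Assumption: the expected keys are the ones in the page's two sample values.
COMMON_KEYS = ("Platform", "BucketName", "ArtifactsPath")
S3_OPTION_KEYS = ("Region", "AccessKeyID", "AccessKeySecret")
PLATFORMS = ("Google-Storage", "AWS-S3")
# Constructed sample: two tenants on one bucket, a third with no S3 credentials.
SAMPLE_TENANTS = {
    "tenant-a": '{"Platform": "Google-Storage", "BucketName": "bucket-name", "ArtifactsPath": "artifacts"}',
    "tenant-b": '{"Platform": "Google-Storage", "BucketName": "bucket-name", "ArtifactsPath": "b"}',
    "tenant-c": '{"Platform": "AWS-S3", "BucketName": "tenant-c-bucket", "ArtifactsPath": "artifacts"}',
}

def check_value(raw):
    """Return a list of findings for one Server.CloudStorage value (JSON text)."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["value must be a JSON object"]
    findings = [f"missing {k}" for k in COMMON_KEYS if not cfg.get(k)]
    platform = cfg.get("Platform")
    if platform and platform not in PLATFORMS:
        findings.append(f"unknown Platform {platform!r}")
    opts = cfg.get("PerProviderOptions")
    opts = opts if isinstance(opts, dict) else {}
    if platform == "AWS-S3":
        findings += [f"missing PerProviderOptions.{k}" for k in S3_OPTION_KEYS if not opts.get(k)]
    # GCP authenticates with the machine's service account, so the sample value
    # carries no Endpoint or credentials; flag them as stray settings.
    if platform == "Google-Storage" and ("Endpoint" in cfg or "PerProviderOptions" in cfg):
        findings.append("Endpoint/PerProviderOptions are not part of the Google-Storage value")
    return findings

def shared_buckets(tenant_values):
    """Return {bucket: [tenants]} for buckets configured on more than one tenant."""
    owners = {}
    for tenant, raw in tenant_values.items():
        try:
            bucket = json.loads(raw).get("BucketName")
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed values are reported by check_value instead
        if bucket:
            owners.setdefault(bucket, []).append(tenant)
    return {b: sorted(t) for b, t in owners.items() if len(t) > 1}

if __name__ == "__main__":
    for name, value in SAMPLE_TENANTS.items():
        print(name, check_value(value) or "ok")
    print("shared buckets:", shared_buckets(SAMPLE_TENANTS))
```

A shared bucket is reported rather than rejected, since a separate bucket per tenant is a recommendation and not a requirement.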