Review the requirements for implementing Cortex XSOAR with Elasticsearch. Each deployment option (development or production, self-managed or cloud-hosted) has its own sizing requirements.
The following provides the system requirements for implementing Cortex XSOAR with Elasticsearch.
Elasticsearch Server
The information in the following table is per Elasticsearch node, and assumes that the node is assigned all Elasticsearch node roles (master, data, ingest, and so on). A node that holds only some roles can be sized differently, as described under Elasticsearch in the Cloud below.
| Component | Dev Environment Minimum | Production Minimum |
|---|---|---|
| CPU | 8 CPU cores | 16 CPU cores |
| Memory | 16 GB RAM | 32 GB RAM |
| Storage | 250 GB SSD | 500 GB SSD with a minimum of 3,000 dedicated IOPS |
Note
Latency between the Cortex XSOAR server and the Elasticsearch servers, and between the Elasticsearch servers themselves, must not exceed 100 ms. Latency above 100 ms causes serious performance degradation.
Supported Elasticsearch Versions
Elasticsearch: Cortex XSOAR supports Elasticsearch versions 7.4 to 7.17 including minor versions.
OpenSearch: Cortex XSOAR supports OpenSearch versions 1.0 to 1.2 including minor versions.
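The following pre-flight check is an added example and is not part of the Cortex XSOAR documentation or product. It takes the per-node JSON returned by the Elasticsearch `GET _nodes` and `GET _nodes/stats` APIs (the field names `os.allocated_processors`, `os.mem.total_in_bytes`, `fs.total.total_in_bytes`, `version` and `roles` are real Elasticsearch response fields) and compares each node against the dev/production table above, the supported version ranges for both Elasticsearch (7.4 to 7.17) and OpenSearch (1.0 to 1.2), and the 100 ms latency limit from the note above. It goes slightly beyond the text by handling both distributions in one check; the caller states which distribution it is querying, because the check does not detect that itself. The `SAMPLE_INFO`, `SAMPLE_STATS` and latency samples are constructed; IOPS and SSD type cannot be read from these APIs and must still be verified on the host.

```python
"""Pre-flight sizing check for an Elasticsearch/OpenSearch node used by Cortex XSOAR.

Added example (not Cortex XSOAR or Elastic code). Feed it the per-node objects
from `GET _nodes` and `GET _nodes/stats`; it returns human-readable findings.
"""
from __future__ import annotations

GIB = 1024 ** 3

# Minimums from the requirements table (cores, RAM, storage). IOPS/SSD are not
# visible through the node APIs and are not checked here.
PROFILES = {
    "dev": {"cpu": 8, "ram_gib": 16, "disk_gib": 250},
    "prod": {"cpu": 16, "ram_gib": 32, "disk_gib": 500},
}

# Supported major.minor ranges, inclusive, per the documentation.
SUPPORTED = {
    "elasticsearch": ((7, 4), (7, 17)),
    "opensearch": ((1, 0), (1, 2)),
}

LATENCY_LIMIT_MS = 100.0  # XSOAR<->ES and ES<->ES round-trip limit
ALL_ROLES = ("master", "data", "ingest")  # roles the sizing table assumes


def version_supported(version: str, distribution: str = "elasticsearch") -> bool:
    """True when major.minor of `version` falls inside the supported range."""
    lo, hi = SUPPORTED[distribution]
    parts = version.split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return False  # unparsable versions are treated as unsupported
    return lo <= (major, minor) <= hi


def missing_roles(info: dict) -> list[str]:
    """Roles from ALL_ROLES that this node does not hold (table assumes all of them)."""
    held = set(info.get("roles", []))
    return [r for r in ALL_ROLES if r not in held]


def check_node(info: dict, stats: dict, profile: str,
               distribution: str = "elasticsearch") -> list[str]:
    """Return findings for one node; an empty list means it meets `profile`."""
    limits = PROFILES[profile]
    findings: list[str] = []

    cpu = info["os"]["allocated_processors"]
    ram_gib = stats["os"]["mem"]["total_in_bytes"] / GIB
    disk_gib = stats["fs"]["total"]["total_in_bytes"] / GIB

    if cpu < limits["cpu"]:
        findings.append(f"cpu: {cpu} cores < {limits['cpu']} required for {profile}")
    if ram_gib < limits["ram_gib"]:
        findings.append(f"memory: {ram_gib:.0f} GiB < {limits['ram_gib']} GiB required for {profile}")
    if disk_gib < limits["disk_gib"]:
        findings.append(f"storage: {disk_gib:.0f} GiB < {limits['disk_gib']} GiB required for {profile}")
    if not version_supported(info["version"], distribution):
        lo, hi = SUPPORTED[distribution]
        findings.append(f"version: {info['version']} is outside {distribution} "
                        f"{lo[0]}.{lo[1]}-{hi[0]}.{hi[1]}")
    return findings


def check_cluster(nodes_info: dict, nodes_stats: dict, profile: str,
                  distribution: str = "elasticsearch") -> dict[str, list[str]]:
    """Map each node id in a `_nodes` response to its findings."""
    return {
        node_id: check_node(info, nodes_stats["nodes"][node_id], profile, distribution)
        for node_id, info in nodes_info["nodes"].items()
    }


def latency_ok(samples_ms: list[float]) -> bool:
    """Judge on the worst observed round trip, since a single slow path degrades XSOAR."""
    return bool(samples_ms) and max(samples_ms) <= LATENCY_LIMIT_MS


# Constructed sample: the fields of interest from `_nodes` and `_nodes/stats`
# for a single node that is sized exactly at the dev minimum.
SAMPLE_INFO = {
    "version": "7.17.9",
    "roles": ["master", "data", "ingest"],
    "os": {"allocated_processors": 8},
}
SAMPLE_STATS = {
    "os": {"mem": {"total_in_bytes": 16 * GIB}},
    "fs": {"total": {"total_in_bytes": 250 * GIB}},
}

if __name__ == "__main__":
    cluster_info = {"nodes": {"node-a": SAMPLE_INFO}}
    cluster_stats = {"nodes": {"node-a": SAMPLE_STATS}}
    for profile in PROFILES:
        print(profile, check_cluster(cluster_info, cluster_stats, profile))
    # Constructed ping samples in ms between XSOAR and the node.
    print("latency ok:", latency_ok([12.0, 40.5, 99.9]))
```

To use it against a live cluster, fetch `GET _nodes` and `GET _nodes/stats` with your usual authenticated client and pass the two JSON documents to `check_cluster`; measure latency separately (for example with a few HTTP round trips to each node) and pass the samples to `latency_ok`. A node sized at the dev minimum passes the `dev` profile and fails `prod` on CPU, memory and storage, which is the point of running both profiles before promoting an environment.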
Elasticsearch in the Cloud
Cortex XSOAR supports using Elasticsearch with all the major cloud service providers: Amazon Web Services, Azure, and Google Cloud Platform.
Note
For OpenSearch on AWS, ensure that the instance type supports a maximum HTTP payload of 100 MB, which is sufficient for production use. For more information, see Amazon OpenSearch Instance Limits.
You can use Elasticsearch as a service provided by your cloud provider, or install Elasticsearch on a server in the cloud.
The hardware requirements for Elasticsearch in the cloud are similar to those listed above. To meet them with your cloud provider, Cortex XSOAR recommends choosing the instance type according to the role the node will play. For example:
When the Elasticsearch node functions as a data node, we recommend a storage-optimized instance, such as the AWS i3.2xlarge. Alternatively, you can use a memory-optimized instance, such as the AWS r3.2xlarge.
When the Elasticsearch node serves any other function (such as a master node), we recommend a compute-optimized instance, such as the AWS c4.2xlarge.
You can spread your cloud environment across regions provided that you can still meet the latency requirement noted above.