Index War Room Entries Using Bolt DB - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-03-28
End of Life: EoL
Category: Administrator Guide
Abstract

Index Cortex XSOAR War Room entries for Bolt DB to ensure that you can search for them in the incidents. Re-index incidents for selected months.

Cortex XSOAR does not index notes, chats, and pinned-as-evidence entries from the War Room. When using Bolt DB, use this procedure to index these entries (and to re-index incidents for selected months).

Note

Depending on the number of cases in your system and server hardware, the re-indexing operation can take a significant amount of time, during which the Cortex XSOAR server is inaccessible. It is recommended to undertake this procedure when it has a minimal impact on your organization. After completion, you should review your Cortex XSOAR server, as it may have some impact on performance.

  1. Log in to your Cortex XSOAR server as root or an account with sudo privileges.

  2. Stop the Cortex XSOAR service, by typing the following command:

    systemctl stop demisto

  3. Make a backup copy of your demisto.conf file, by typing the following:

    cp /etc/demisto.conf /etc/demisto.conf.bak

  4. On every database machine, edit the /etc/demisto.conf file and add entries in the following format:

    "server.entries.restore": true,
    "db.index.entry.disable": false,
    "DB": {
        "IndexEntryContent": true
    },
    "granular": {
        "index": {
            "entries": 7
        }
    }
    

    The granular.index.entries value is a bitmask. The total value 7 is the sum of the following entry-type values:

    1: notes

    2: chats

    4: pinned as evidence

    You can use a single value on its own, or add values together to index several entry types. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence).

  5. Save the file.

    We recommend you validate JSON changes before committing them.

  6. Go to Settings → About → Troubleshooting and add the following server configuration:

    Key: DB.IndexEntryContent

    Value: true

  7. Delete the relevant War Room entries index on all databases by running the following command on each database machine:

    rm -rf /var/lib/demisto/data/demistoidx/entries_MMYYYY

    For example, to delete March 2020, run:

    rm -rf /var/lib/demisto/data/demistoidx/entries_032020

    To add indexing for additional months, run the same command for each month, but change the date in the command, after entries_. Adding months may cause re-indexing to take longer depending on the number of cases in the system.

  8. Start Cortex XSOAR from the command line by running the following commands as required:

    • For the current month:

      sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_MMYYYY

      For example, to re-index March 2021, run:

      sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_032021

    • For multiple months, add the dates as CSV values:

      sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_MMYYYY,entries_MMYYYY,entries_MMYYYY

      For example, to re-index January, February, March 2021, run:

      sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=entries_032021,entries_022021,entries_012021

    A number of log entries related to indexing appear, similar to the following:

    2019-03-21 19:00:45.651 info DB restoring 419 keys into index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1330)
    2019-03-21 19:00:45.6649 info entry DB put in batch 78 index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)
    2019-03-21 19:00:46.4385 info entry DB put in batch 100 index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)
    2019-03-21 19:00:47.0948 info entry DB put in batch 100 index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)
    2019-03-21 19:00:47.8588 info entry DB put in batch 100 index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)
    2019-03-21 19:00:48.6046 info entry DB put in batch 41 index entries from investigations-264/ (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1363)
    2019-03-21 19:00:48.6047 info DB restore into [entries] [investigations-264] [] completed (source: /home/circleci/.go_workspace/src/github.com/demisto/server/repo/complexRepo/repo.go:1371)

    When the re-indexing has completed, the above console messages cease and Demisto runs automatically.

  9. Confirm that you can search your case comments through the search bar.

  10. Stop Cortex XSOAR by typing the following command:

    systemctl stop demisto

  11. Start Cortex XSOAR by typing the following command:

    systemctl start demisto
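The following POSIX shell helper is an added example and is not part of the Cortex XSOAR documentation or product. It computes the granular.index.entries bitmask from step 4 and expands a month range into the comma-separated entries_MMYYYY list that steps 7 and 8 use, so the exact index names can be reviewed before any index directory is deleted; the function names and the MMYYYY range arguments are this example's own.

```shell
#!/bin/sh
# Added helper, not part of the Cortex XSOAR documentation. It computes the
# granular.index.entries bitmask (step 4) and expands a month range into the
# entries_MMYYYY names used by steps 7 and 8, so the list can be reviewed
# before any index directory is deleted.

ENTRY_NOTES=1      # bit values documented for granular.index.entries
ENTRY_CHATS=2
ENTRY_EVIDENCE=4

# entries_mask <notes 0|1> <chats 0|1> <evidence 0|1>  ->  sum of selected bits
entries_mask() {
  mask=0
  [ "$1" = 1 ] && mask=$((mask + ENTRY_NOTES))
  [ "$2" = 1 ] && mask=$((mask + ENTRY_CHATS))
  [ "$3" = 1 ] && mask=$((mask + ENTRY_EVIDENCE))
  echo "$mask"
}

# month_index MMYYYY  ->  months since year 0, or non-zero status if malformed
month_index() {
  case "$1" in [01][0-9][0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
  m=${1%????}; m=${m#0}; y=${1#??}
  [ "$m" -ge 1 ] && [ "$m" -le 12 ] || return 1
  echo $((y * 12 + m - 1))
}

# index_names <from MMYYYY> <to MMYYYY>  ->  comma-separated entries_MMYYYY list
# covering the inclusive range (the CSV form that step 8 expects)
index_names() {
  cur=$(month_index "$1") || return 1
  last=$(month_index "$2") || return 1
  [ "$cur" -le "$last" ] || return 1
  out=""
  while [ "$cur" -le "$last" ]; do
    name=$(printf 'entries_%02d%04d' $((cur % 12 + 1)) $((cur / 12)))
    out="${out:+$out,}$name"
    cur=$((cur + 1))
  done
  echo "$out"
}

# restore_command <from> <to>  ->  the step 8 server invocation for that range
restore_command() {
  names=$(index_names "$1" "$2") || return 1
  echo "sudo -u demisto -g demisto -- /usr/local/demisto/server -stdout -restore-index-name=$names"
}
```

Run `restore_command 012021 032021` to print the step 8 command for January through March 2021 without executing it; a malformed or reversed range returns a non-zero status instead of a partial list.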