1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Manage Data
    6. Migrate Cortex XSOAR Objects to Elasticsearch
    7. Elasticsearch Security Guidelines
    End-of-Life (EoL)

    Elasticsearch Security Guidelines

    Best practices for Elasticsearch.
    It is recommended that you implement these suggested best practices to secure tenant accounts that use Elasticsearch indexes. This is applicable for multi-tenant environments.

    How it works

    Due to Elasticsearch security limitations, tenants do not generate an API key using the main/host configuration. They will always generate a user name, role, and password per tenant.
    API key
    If there is no API key on the main/host configuration, you can force create an API key for a tenant by setting
    "Security.elasticsearch.apikey":true
    . However, it will not create an API key if the main/host account is configured with an API key due to https://www.elastic.co/guide/en/elasticsearch/reference/7.x/breaking-changes-7.6.html#_elasticsearch_api_key_privileges.
    User name, role, and password
    When you create or restart a tenant account, Cortex XSOAR checks if the role and user for the tenant already exists (based on the tenant name). If the role and user don't exist, they are created. The user is created with a 32-character password that contains capital letters, lower-case letters, numbers, and special characters.
    The password is then stored in the configuration file and encrypted using the route
    /encrypt/
    .

    Enable security features in Elasticsearch

    In order to automatically generate unique credentials for each tenant account's index, in your
    elasticsearch.yml
     file, you need to add the following key:
    xpack.security.enabled: "true"
    . The
    elasticsearch.yml
     is the Elasticsearch service configuration file. It is not stored in the demisto folder and can exist in varied places.
    If you do not enable XPack security the tenant accounts will inherit the credentials of the main account. You can still create or restart a tenant account but will receive the following warning:
    security (xpack) is not active. Will not set account user. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node

    Disable security features

    If you enabled security features in Elasticsearch, you can create a server configuration in Cortex XSOAR that will override and disable the security features.
    1. Go to
      Settings
      About
      Troubleshooting
      .
    2. In the
      Server Configurations
       section click
      Add server configuration
      .
      Security.elasticsearch.account: false

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo