Index War Room Entries Using Elasticsearch

Index Cortex XSOAR War Room entries for Elasticsearch so that you can search for them in incidents, and re-index incidents for selected months.
Because Cortex XSOAR does not, by default, index War Room notes, chats, and entries pinned as evidence, use this procedure to index these entries (and to re-index historical data for selected months) when using Elasticsearch.
(Multi-tenant) The same instructions apply for multi-tenant deployments, for each tenant that requires War Room indexing.
  1. Log in to your Cortex XSOAR server as root or as an account with sudo privileges.
  2. Stop the Cortex XSOAR service by typing the following command:
    systemctl stop demisto
  3. Edit the demisto.conf file.
    1. Create a backup copy of your demisto.conf file by typing the following command:
      cp /etc/demisto.conf /etc/demisto.conf.bak
    2. Edit the /etc/demisto.conf file for all databases by adding entries in the following format:
      "server.entries.restore": true,
      "db.index.entry.disable": false,
      "DB": {
        "IndexEntryContent": true
      },
      "granular": {
        "index": {
          "entries": 7
        }
      }
      The granular.index.entries value is the sum of the entry types you want indexed:
      1: notes
      2: chats
      4: pinned as evidence
      You can choose one of the values on its own, or add them together. For example, 7 is the total of 1 (notes) + 2 (chats) + 4 (pinned as evidence), which indexes all three entry types.
    3. Save the file.
      We recommend that you validate these changes before committing them.
  4. Start Cortex XSOAR by typing the following command:
    systemctl start demisto
  5. (Optional) Re-index the War Room entries, as required.
    After you edit the demisto.conf file, indexing of current data does not start, by default, until the next calendar month. For example, if you edit the demisto.conf file on October 5th, indexing starts on November 1st. If you want to index historical data, you must re-index your entries index in Elasticsearch to match the new indexing option. Also, if you re-index your entries index in Elasticsearch, indexing for the current month starts from the date of the re-index and does not wait until the following month.
    After entries indexing is enabled, you can re-index older entries to make them available for global searches by running the reindex API on the desired index.
    1. Copy the index with the desired historical data to a new index, which allocates shards and replicas based on the template configured in the demisto.conf file. For example, the POST request below copies the index dmst-common-entry_202110 (October 2021 entries) to a new index dmst-common-entry_202110-fixed.
      POST _reindex
      {
        "source": { "index": "dmst-common-entry_202110" },
        "dest": { "index": "dmst-common-entry_202110-fixed" }
      }
    2. To make Cortex XSOAR refer to the new index, add an alias and delete the original index. For example, the following POST request deletes the index dmst-common-entry_202110 while also creating an alias from dmst-common-entry_202110-fixed to dmst-common-entry_202110, in a single atomic operation.
      POST _aliases
      {
        "actions": [
          { "add": { "index": "dmst-common-entry_202110-fixed", "alias": "dmst-common-entry_202110" } },
          { "remove_index": { "index": "dmst-common-entry_202110" } }
        ]
      }
    3. Confirm the index is available for searching in Cortex XSOAR.
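The following is an added helper script, not part of Cortex XSOAR or of this procedure. It computes the granular.index.entries bit value from the entry types you want indexed (and decodes an existing value), merges the indexing keys into a demisto.conf JSON document without disturbing the other settings, and builds the _reindex and _aliases request bodies for a given month's entries index. The function names, the "evidence" label and the backup suffix are this script's own assumptions.

```python
import copy
import json
import re
from pathlib import Path

# Bit values Cortex XSOAR assigns to each War Room entry type (from the procedure above).
ENTRY_TYPE_BITS = {"notes": 1, "chats": 2, "evidence": 4}  # "evidence" = pinned as evidence


def granular_value(types):
    """Sum the bit values of the selected entry types, e.g. notes + evidence -> 5."""
    unknown = set(types) - ENTRY_TYPE_BITS.keys()
    if unknown:
        raise ValueError(f"unknown entry types: {sorted(unknown)}")
    return sum(ENTRY_TYPE_BITS[t] for t in set(types))


def decode_granular(value):
    """Reverse direction: which entry types an existing granular.index.entries value covers."""
    if not 0 <= value <= 7:
        raise ValueError("granular.index.entries must be between 0 and 7")
    return sorted(t for t, bit in ENTRY_TYPE_BITS.items() if value & bit)


def enable_entry_indexing(conf, types=("notes", "chats", "evidence")):
    """Return a copy of a parsed demisto.conf with the indexing keys merged in."""
    new = copy.deepcopy(conf)  # never mutate the caller's copy of the config
    new["server.entries.restore"] = True
    new["db.index.entry.disable"] = False
    new.setdefault("DB", {})["IndexEntryContent"] = True
    new.setdefault("granular", {}).setdefault("index", {})["entries"] = granular_value(types)
    return new


def update_conf_file(path, types=("notes", "chats", "evidence"), backup_suffix=".bak"):
    """Back up demisto.conf (as the cp step does), then write the merged config. Assumed helper."""
    p = Path(path)
    original = p.read_text()
    Path(str(p) + backup_suffix).write_text(original)
    p.write_text(json.dumps(enable_entry_indexing(json.loads(original), types), indent=2) + "\n")


def reindex_requests(month):
    """Build the (method, endpoint, body) pairs for re-indexing one month, e.g. month="202110"."""
    if not re.fullmatch(r"\d{4}(0[1-9]|1[0-2])", month):
        raise ValueError("month must be YYYYMM")
    src = f"dmst-common-entry_{month}"
    dst = f"{src}-fixed"
    return [
        ("POST", "_reindex", {"source": {"index": src}, "dest": {"index": dst}}),
        ("POST", "_aliases", {"actions": [{"add": {"index": dst, "alias": src}},
                                          {"remove_index": {"index": src}}]}),
    ]
```

Send the returned bodies to your Elasticsearch cluster with your usual authenticated client, one month at a time, and confirm the alias resolves before moving on.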
