Restore Cortex XSOAR Objects Stored in Elasticsearch

Restore an Elasticsearch object snapshot in Cortex XSOAR.
Backing up and archiving the Elasticsearch database is handled by Elasticsearch itself, through its snapshot feature. The backup lives in a snapshot; you archive by deleting the relevant index or indexes from the live cluster once the snapshot is complete.
As of version 6.1, Cortex XSOAR no longer runs automatic backups for any service that uses the Elasticsearch database; use Elasticsearch snapshots instead.
Using the snapshot API, you create a snapshot of your database in a repository you have already registered with Elasticsearch (remote or local). A snapshot can cover the entire database or specific indexes, named explicitly or with wildcards. A snapshot usually takes a few minutes, depending on the number of indexes and documents it covers. After the snapshot completes successfully, you archive the data by deleting those indexes from the database.
The following example uses the snapshot API to archive all of your 2020 indexes. The PUT operation creates a snapshot of the matching indexes; wait_for_completion=true makes the call block until the snapshot is finished, so the response reports its final state.
PUT /_snapshot/my_repository/year_2020_snapshot?wait_for_completion=true
{
  "indices": "dmst-*_2020*",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "user123",
    "taken_because": "backup before upgrading"
  }
}
Once the snapshot response reports "state": "SUCCESS", the following DELETE operation removes the selected indexes from Elasticsearch, completing the archive procedure. Do not run the DELETE if the snapshot state is PARTIAL or FAILED: you would be removing data of which no complete copy exists.
DELETE /dmst-*_2020*
Restore a snapshot
You can restore your entire active database, or specific indexes, from a snapshot. Use the following procedure to restore the entire database. Elasticsearch will not restore into an index that is currently open, which is why the live indexes are closed in step 2.
To restore only specific indexes, or indexes you archived (deleted after taking the snapshot), perform only step 3.
  1. Stop the Cortex XSOAR service:
     sudo service demisto stop
  2. Close the relevant Elasticsearch indexes:
     curl -XPOST "http://<serveraddress:port>/*-dmst-*/_close"
  3. Restore the snapshot (the restore API is a POST request):
     curl -XPOST "http://<serveraddress:port>/_snapshot/DemistoBackupRepository/snapshot_name_to_restore/_restore"
  4. Start the Cortex XSOAR service:
     sudo service demisto start
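The archive procedure (snapshot, then delete) and the four restore steps above, wrapped in a shell script. This is an added example written for this page, not code from the Cortex XSOAR documentation or product. It assumes an ES_URL for the cluster (default http://127.0.0.1:9200, an assumption), the repository name DemistoBackupRepository from step 3, the `*-dmst-*` close pattern from step 2, and a hypothetical ES_DRY_RUN switch that prints the requests instead of sending them. The one check it adds over the page's sequence is that the DELETE only runs after the blocking snapshot call reports SUCCESS with no failed shards.

```bash
#!/usr/bin/env bash
# Added example (not Cortex XSOAR's own code): archive and restore XSOAR indexes
# with Elasticsearch snapshots. ES_URL is assumed; ES_REPO defaults to the page's
# repository name; ES_DRY_RUN=1 prints the curl lines instead of sending them.
set -euo pipefail

ES_URL="${ES_URL:-http://127.0.0.1:9200}"        # assumed; point at your cluster
ES_REPO="${ES_REPO:-DemistoBackupRepository}"     # repository must already be registered
ES_DRY_RUN="${ES_DRY_RUN:-0}"

# sys_cmd WORDS...: run a host command (service stop/start), or print it in dry-run.
sys_cmd() {
  if [ "$ES_DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# es_call METHOD PATH [JSON_BODY]: one Elasticsearch request, or its curl line in dry-run.
es_call() {
  local method="$1" path="$2" body="${3:-}"
  if [ "$ES_DRY_RUN" = "1" ]; then
    printf 'curl -X%s %s%s%s\n' "$method" "$ES_URL" "$path" "${body:+ -d '$body'}"
  elif [ -n "$body" ]; then
    curl -sS -X"$method" -H 'Content-Type: application/json' "$ES_URL$path" -d "$body"
  else
    curl -sS -X"$method" "$ES_URL$path"
  fi
}

# snapshot_body PATTERN TAKEN_BY REASON: the request body from the PUT example above;
# include_global_state=false keeps cluster-wide settings out of an index archive.
snapshot_body() {
  printf '{"indices":"%s","ignore_unavailable":true,"include_global_state":false,"metadata":{"taken_by":"%s","taken_because":"%s"}}' \
    "$1" "$2" "$3"
}

# snapshot_ok RESPONSE_JSON: true only when the snapshot reports state SUCCESS and
# zero failed shards. PARTIAL, FAILED or an error document must never be followed
# by the DELETE, or the data is gone with no usable copy.
snapshot_ok() {
  printf '%s' "$1" | grep -Eq '"state" *: *"SUCCESS"' || return 1
  printf '%s' "$1" | grep -Eq '"failed" *: *0[^0-9]' || return 1
}

# archive SNAPSHOT_NAME PATTERN: snapshot the matching indexes, then delete them
# only after the blocking snapshot call reports success.
archive() {
  local name="$1" pattern="$2" resp
  resp="$(es_call PUT "/_snapshot/$ES_REPO/$name?wait_for_completion=true" \
            "$(snapshot_body "$pattern" "${USER:-unknown}" "archive $pattern")")"
  echo "$resp"
  if [ "$ES_DRY_RUN" != "1" ] && ! snapshot_ok "$resp"; then
    echo "snapshot $name not successful; indexes left in place" >&2
    return 1
  fi
  es_call DELETE "/$pattern"
}

# restore SNAPSHOT_NAME [PATTERN]: without a pattern, the full procedure (steps 1-4):
# stop XSOAR, close the live indexes, restore, start XSOAR. With a pattern, only
# step 3, restricted to the named indexes (archived ones no longer exist in the
# cluster, so no open index conflicts with them).
restore() {
  local name="$1" pattern="${2:-}"
  local url="/_snapshot/$ES_REPO/$name/_restore?wait_for_completion=true"
  if [ -n "$pattern" ]; then
    es_call POST "$url" "$(printf '{"indices":"%s","include_global_state":false}' "$pattern")"
    return
  fi
  sys_cmd sudo service demisto stop
  es_call POST "/*-dmst-*/_close"     # index pattern as given in step 2 above
  es_call POST "$url"
  sys_cmd sudo service demisto start
}

# Usage (dry run first, then for real):
#   ES_DRY_RUN=1 ./xsoar_es_snapshot.sh archive year_2020_snapshot 'dmst-*_2020*'
#   ./xsoar_es_snapshot.sh restore snapshot_name_to_restore
if [ "${1:-}" = "archive" ] || [ "${1:-}" = "restore" ]; then
  cmd="$1"; shift; "$cmd" "$@"
fi
```

Run the archive in dry-run mode first and read the printed DELETE line: a wildcard DELETE is the irreversible part of the procedure, and the script's only protection against a bad snapshot is the state check, so do not bypass it by deleting by hand.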
