Elasticsearch Post Migration Health Check - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-03-21
End of Life
EoL
Category
Administrator Guide
Abstract

Perform validation checks after migration for Cortex XSOAR Elasticsearch deployment, including high availability.

Perform the following validation checks after migration. For High Availability deployments, perform on each application server, where applicable.

  1. Log in to the Cortex XSOAR server using both of these methods:

    Log in using the configured authentication method that was previously used with the Bolt database (e.g., SAML or AD Auth).

    Log in using the default Administrator account.

  2. Install the Elasticsearch Monitoring Pack to check indexes in Elasticsearch for shards, replicas, and cluster status. Add the Elasticsearch monitoring dashboard after pack installation.

    (High Availability) - Perform only on the first app server.

  3. (High Availability) - Validate that the application servers are online by navigating to Settings > Advanced > App Servers.

  4. Validate integration settings by viewing Settings > Integrations and filtering for enabled integrations.

  5. Validate that content such as Playbooks and Automations is available, via their respective menus in the UI.

  6. Create a new incident, and validate the following:

    The new incident ID should be newer than the previous incident ID in the system. If it is not, the data may not have been migrated in the correct order (oldest to newest), which leads to data integrity issues; in that case you might need to perform the migration again.

    Playbooks run successfully.

  7. Open migrated incidents and indicators to verify they were migrated correctly.

    Query for historical incidents (for example, the last six months). Open older incidents and review the Work Plan and War Room.
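Steps 2 and 6 as an added check script, not part of this guide or of the Elasticsearch Monitoring Pack: it evaluates cluster status, unassigned shards and per-index replica counts from `_cluster/health` and `_cat/indices?format=json` responses, and applies the incident ID ordering rule. The responses, index names and incident IDs below are constructed samples, not values from a real deployment.

```python
"""Post-migration health checks for a Cortex XSOAR Elasticsearch backend.

The sample responses are constructed so the checks run offline; in a live
check they would come from GET /_cluster/health and
GET /_cat/indices?format=json on the Elasticsearch cluster."""
import json
from typing import Dict, List

# Constructed sample of GET /_cluster/health (field names as Elasticsearch returns them).
CLUSTER_HEALTH = json.loads("""{
  "cluster_name": "example-cluster", "status": "yellow", "timed_out": false,
  "number_of_nodes": 2, "number_of_data_nodes": 2,
  "active_primary_shards": 6, "active_shards": 8, "relocating_shards": 0,
  "initializing_shards": 0, "unassigned_shards": 2,
  "active_shards_percent_as_number": 80.0
}""")

# Constructed sample of GET /_cat/indices?format=json (subset of fields; placeholder index names).
CAT_INDICES = json.loads("""[
  {"health": "green",  "status": "open", "index": "example-incidents",  "pri": "2", "rep": "1", "docs.count": "12000"},
  {"health": "yellow", "status": "open", "index": "example-indicators", "pri": "2", "rep": "1", "docs.count": "48000"},
  {"health": "green",  "status": "open", "index": "example-audits",     "pri": "2", "rep": "0", "docs.count": "900"}
]""")

def check_cluster(health: Dict) -> List[str]:
    """Return a list of findings; an empty list means the cluster passed."""
    findings = []
    if health.get("status") != "green":
        findings.append(f"cluster status is {health.get('status')}, expected green")
    if health.get("unassigned_shards", 0) > 0:
        findings.append(f"{health['unassigned_shards']} unassigned shard(s)")
    if health.get("initializing_shards", 0) or health.get("relocating_shards", 0):
        findings.append("shards still initializing or relocating; recheck later")
    return findings

def check_indices(indices: List[Dict], min_replicas: int = 1) -> List[str]:
    """Flag indices that are not green or have fewer replicas than required."""
    findings = []
    for idx in indices:
        name = idx["index"]
        if idx["health"] != "green":
            findings.append(f"{name}: health {idx['health']}")
        if int(idx["rep"]) < min_replicas:  # _cat returns counts as strings
            findings.append(f"{name}: {idx['rep']} replica(s), want >= {min_replicas}")
    return findings

def incident_id_in_order(previous_max_id: int, new_id: int) -> bool:
    """Step 6: a freshly created incident must get an ID newer (higher) than the
    newest migrated one; otherwise the migration order may be wrong."""
    return new_id > previous_max_id

if __name__ == "__main__":
    for finding in check_cluster(CLUSTER_HEALTH) + check_indices(CAT_INDICES):
        print("FAIL:", finding)
    print("incident ID order ok:", incident_id_in_order(48210, 48211))
```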