Cortex XSOAR Series 1 : Multi Tenant Cortex XSOAR Installation - Community Edition

Vidura Supun Ehalapitiya · August 30, 2022

Today I thought of writing a guide on Cortex XSOAR installation. You might have heard of the trending word “SOAR” in the security industry, which is short for _Security Orchestration, Automation and Response_. One of the coolest and leading SOAR products in the market is Cortex XSOAR, formerly known as Demisto.

I’m going to do a series of posts to share knowledge on the product, since there is very little documentation and few tutorials around XSOAR and it is such an amazing tool in every way. Also, there are virtually zero guides on the XSOAR Community Edition.

First of all, we will install XSOAR using the Bolt database (the default) in your home lab or in the cloud, whichever you prefer. I will be doing the installation on an Ubuntu 22.04 LTS Server guest that runs on VirtualBox.

Minimum Server Specification:

RAM : 5 GB
CPU : 1 CPU
Hard Disk : 55 GB
Network Type : Bridged

The Architecture will be as follows :

HL Architecture

Step 1

Get two virtual machines ready with the same specifications; however, you can use a little less RAM on the Main host since it won’t be doing much work.
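
A pre-flight check for the minimum server specification listed above, to run on each VM before the installer. This is an added example, not part of the original post or of the XSOAR installer; the function names and the 10% tolerance are assumptions made here.

```bash
#!/usr/bin/env bash
# Pre-flight check against the minimum server specification in this guide:
# 5 GB RAM, 1 CPU, 55 GB hard disk. Run on each VM before the installer.
# Added example. The 10% tolerance is an assumption of this script: the kernel
# reports slightly less RAM than the hypervisor assigns, and a disk sized in
# decimal GB is smaller than the same figure in binary units.

MIN_RAM_KB=$((5 * 1024 * 1024))
MIN_CPUS=1
MIN_DISK_KB=$((55 * 1024 * 1024))
TOLERANCE_PCT=10

# Print MemTotal (kB) from a /proc/meminfo-style file.
ram_kb() { awk '$1 == "MemTotal:" { print $2; exit }' "$1"; }

# Read `lsblk -bdn -o SIZE,TYPE` output on stdin; print the largest disk in kB.
largest_disk_kb() {
    awk '$2 == "disk" && $1 > max { max = $1 } END { printf "%d\n", max / 1024 }'
}

# meets ACTUAL MINIMUM [TOLERANCE_PCT]: succeed if ACTUAL is within tolerance.
meets() {
    [ "${1:-0}" -ge $(( $2 * (100 - ${3:-0}) / 100 )) ]
}

# preflight RAM_KB CPUS DISK_KB: report each failed check; return the failure count.
preflight() {
    _failed=0
    meets "$1" "$MIN_RAM_KB" "$TOLERANCE_PCT" || { echo "FAIL ram:  ${1:-?} kB"; _failed=$((_failed + 1)); }
    meets "$2" "$MIN_CPUS" || { echo "FAIL cpu:  ${2:-?}"; _failed=$((_failed + 1)); }
    meets "$3" "$MIN_DISK_KB" "$TOLERANCE_PCT" || { echo "FAIL disk: ${3:-?} kB"; _failed=$((_failed + 1)); }
    [ "$_failed" -eq 0 ] && echo "OK: host meets the minimum specification"
    return "$_failed"
}

# Live check on this host; never aborts, only reports.
preflight "$(ram_kb /proc/meminfo 2>/dev/null)" \
          "$(nproc 2>/dev/null)" \
          "$(lsblk -bdn -o SIZE,TYPE 2>/dev/null | largest_disk_kb)" \
    || echo "Host is below the guide's minimum specification"
```
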

Step 2

Click here to get the trial license and the setup file for the installation.

Step 3

There are multiple ways to get the setup file onto xsoar-main, such as wget or WinSCP. Use your preferred method to get demisto-XXXX.sh into the current working directory, then issue the commands below with root/sudo privileges. These make the file executable and then run it as the multi-tenant main server.

sudo chmod +x demisto-XXXX.sh
sudo ./demisto-XXXX.sh -- -multi-tenant 

Installation

Step 4

Accept the agreement and keep all the other settings on the default. Then set a user and a password.

Step 5

After the installation succeeds, you’ll be greeted with a message like the one below. Use the given link to access XSOAR from your host machine.

Installation success

Step 6

Now it is time to add the license file, which you will be prompted for on the first login to the XSOAR Main server. You will find the license file attached to the same email in which you received your download link.

License upload screen

Step 7

Since we need multi-tenancy, we need to restart the Demisto service on the main server (xsoar-main) using the commands below.

sudo service demisto stop
sudo service demisto start

Step 8

Now we can see a new option in Settings called ACCOUNT MANAGEMENT, which we can use for host management and syncing. Go to Settings -> Account Management -> Host and click on New Host/HA Group -> New Host; you will then be greeted with the screen below. This might take some time, so go get a coffee :)

After a while this message will go away and you can again go to New Host/HA Group -> New Host and download the installer package.

Step 9

Follow Step 3 again to get the installer file onto xsoar-tenant. Run the commands below for the installation.

sudo chmod +x demistohost-XXXX.sh
sudo ./demistohost-XXXX.sh

Finally, you will be able to see the added host on the hosts page like below. Congratulations on your working multi-tenant XSOAR setup.
