Integrating Elastic Stack security


To use Siren Investigate with an Elasticsearch cluster having Elastic Stack security features enabled, you must create the following roles:

  • investigate_system: a role that allows Investigate to store user generated content.

  • investigate_admin: a role that designates users with administrative privileges on an Investigate installation.

  • investigate_user: a role that designates users with read access to specific indices.

  • federate_system: a role used by the Siren Federate plugin to perform privileged operations in the cluster.

Two sample bash scripts to quickly initialize an Elasticsearch installation are provided below:

The script provided for the Platinum subscription enables Document level security on indices managed by Siren Investigate and grants the Siren Investigate user the privileges required to support OpenID Connect.

Both scripts require a working curl command on your system.

To use the script, download the version for your subscription and execute it as follows:


You will be asked to provide the following information:

  • Elasticsearch username: the username of an Elasticsearch user with administrative privileges (defaults to elastic).

  • Elasticsearch password: the password of the Elasticsearch user in the previous step (defaults to changeme).

  • Elasticsearch URL: the URL of your Elasticsearch cluster (defaults to http://localhost:9200).

  • Investigate index prefix: the prefix on Investigate indices (defaults to .siren).

  • Index pattern readable by Investigate users: an index pattern matching indices that will be readable by users having the investigate_user role.

  • curl flags: any custom curl flag that should be set in requests to Elasticsearch (for example -k to ignore validation of private CA certificates or --cacert <ca.pem file> to validate certificates signed by a private CA)


Once the roles have been created, you’ll need to create two system users:

  • sirenserver: a user with the investigate_system role.

  • federate: a user with the federate_system role.

When evaluating Siren, we recommend creating at least two additional end users, one with administrative privileges on the Investigate installation:

  • sirenadmin: a user with the investigate_admin and the investigate_user role.

  • sirenuser: a user with the investigate_user role.

A script to create all of the above users is available at

To use the script, download it and execute:


Investigate configuration

Once the users have been created, investigate.yml will have to be modified as follows:

Set elasticsearch.username and elasticsearch.password to the credentials of the sirenserver user, for example:

elasticsearch.username: sirenserver
elasticsearch.password: password

If HTTPS is enabled for the Elasticsearch REST API, ensure that the elasticsearch.url setting contains a URL starting with https, for example:

elasticsearch.url: 'https://localhost:9220'

If the certificate is not signed by a public authority, you will also need to set the elasticsearch.ssl.certificateAuthorities to the path of the CA chain bundle in PEM format, for example:

elasticsearch.ssl.certificateAuthorities: 'pki/elasticsearch.pem'

To enable certificate verification, set elasticsearch.ssl.verificationMode to full, for example:

elasticsearch.ssl.verificationMode: full

Set the backend parameter of the investigate_access_control section of the investigate.yml to xpack:

  admin_role: investigate_admin
  enabled: true
  backend: xpack
    enabled: true
    secure: true
    password: '12345678123456781234567812345678'

If you are running Siren Investigate with https disabled, remember to set to false, as otherwise the cookie won’t be sent by the browser.

After restarting Siren Investigate you should be able to login as sirenadmin using the password set previously.

Next steps

If you need support for authentication mechanisms other than basic HTTP, please refer to Additional authentication mechanisms .

Otherwise, please refer to Configuring ACL in Siren Investigate to complete the Siren Investigate access control configuration.