Authentication

Siren Alert authenticates against a secured Elasticsearch cluster, for example one protected by Search Guard Classic or X-Pack. Several options are available, described below.

Authenticate search request

Search requests are authenticated with the Elasticsearch client's basic authentication, as documented in https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/auth-reference.html[Elasticsearch basic authentication]: the username and password below are sent with every request Siren Alert makes to Elasticsearch, so the user must hold the permissions the watchers need.

Certificate signed by a trusted CA

sentinl:
  settings:
    authentication:
      enabled: true
      username: 'elastic'
      password: 'password'
      cert:
        selfsigned: false
        pem: '/path/to/pem/key'

Self-signed certificate

sentinl:
  settings:
    authentication:
      enabled: true
      username: 'elastic'
      password: 'password'
      cert:
        selfsigned: true  # accept the cluster's self-signed certificate; prefer a CA-signed certificate outside development

Siren Platform

Siren Alert can authenticate as a single user, by default the sentinl user defined in the Access Control app. The relevant part of a default investigate.yml is shown below; replace the example cookie password and the sentinl user's password before deploying.


# Access Control configuration
investigate_access_control:
  enabled: true
  cookie:
    password: "12345678123456781234567812345678"
  admin_role: kibiadmin
  sentinl:
    elasticsearch:
      username: sentinl
      password: password
...

Siren Platform or Kibana

It is possible to create multiple user credentials and assign them to watchers, one credential per watcher, so that each watcher is authenticated separately with its own permissions. This is called impersonation.

  1. Create credentials in Search Guard Classic or X-Pack and assign the permissions you need. You need one user for Sentinl and one user per watcher.

  2. Configure Siren Alert authentication in investigate.yml.

    sentinl:
      settings:
        authentication:
          enabled: true
          impersonate: true
          username: 'elastic'
          password: 'password'
          sha: '6859a748bc07b49ae761f5734db66848'
          encryption:
            algorithm: 'AES-256-CBC'
            key: 'b9726b04608ac48ecb0b6918214ade54'
            iv: '1fb149265c7288d9ccf53f1d5cad47e1'
          cert:
            selfsigned: true
    • The password can be set as plaintext in the 'password' field. The recommended method, however, is to encrypt the password and set the result as the 'sha' property. Despite its name, 'sha' holds the password encrypted with the configured algorithm, key and IV, not a hash. The value is produced by the src/siren_core_plugins/sentinl_private/scripts/encryptPassword.js script, run as follows, with the plaintext password in place of password and the key, IV and algorithm matching the 'encryption' settings:

  node src/siren_core_plugins/sentinl_private/scripts/encryptPassword.js password b9726b04608ac48ecb0b6918214ade54 1fb149265c7288d9ccf53f1d5cad47e1 AES-256-CBC
The 'encryption' values shown above are the defaults applied when nothing is set in investigate.yml. If you use different values, run the encryptPassword script with those same values, otherwise Siren Alert cannot decrypt the stored password. Because the default key and IV are published here, a password encrypted with them is recoverable by anyone who can read the configuration file; generate your own key and IV for each deployment and restrict read access to investigate.yml.

Authenticate report

Both the username and the password of the user who renders the report must be set in the report action in the user interface. The modes below tell the report action which login mechanism the target page uses.

Note that these settings apply only to Siren Platform 10 and later.

Search Guard Classic

sentinl:
  settings:
    report:
      active: true
      authentication:
        enabled: true
        mode:
          searchguard: true

X-Pack

sentinl:
  settings:
    report:
      active: true
      authentication:
        enabled: true
        mode:
          xpack: true

Basic

sentinl:
  settings:
    report:
      active: true
      authentication:
        enabled: true
        mode:
          basic: true

Custom

sentinl:
  settings:
    report:
      active: true
      authentication:
        enabled: true
        mode:
          custom: true
        custom: # replace these CSS selectors with the ones used on your login page
          username_input_selector: '#username'
          password_input_selector: '#password'
          login_btn_selector: '#login-btn'