Security setup for Siren Alert

  1. Create a role called sirenalert with the following actions in the sg_roles.yml file:

    sirenalert:
  cluster:
    - 'indices:data/write/bulk'
    - 'indices:admin/template/*'
    - 'indices:monitor/stats'
    - 'cluster:monitor/main'
    - 'cluster:monitor/health'
    - 'cluster:monitor/stats'
    - SIREN_CLUSTER
  indices:
    '*':
      '*':
        - SIREN_READONLY
        - SEARCH
        - 'indices:monitor/stats'
    'watcher_alarms*':
      '*':
        - SIREN_READWRITE
        - CREATE_INDEX
    '/(watcher|watcher_alarms)/':
      '*':
        - SIREN_READWRITE
        - CREATE_INDEX

  2. Add the below permissions to the sirenserver role:

    sirenserver:
  cluster:
      - 'cluster:monitor/nodes/info'
      - 'cluster:monitor/health'
      - 'cluster:monitor/main'
      - 'cluster:monitor/state'
      - 'cluster:monitor/nodes/stats'
      - SIREN_CLUSTER
      - CLUSTER_COMPOSITE_OPS
  indices:
    '*':
      '*':
        - indices:admin/get
        - CLUSTER_COMPOSITE_OPS_RO
        - indices:monitor/stats
    '?siren':
      '*':
        - ALL
    '?sirenaccess':
      '*':
        - ALL

  3. Update the investigate.yml file to include the following values under the investigate_access_control section:

    investigate_access_control:
  sirenalert:
    elasticsearch:
      username: sirenalert
      password: password

  4. Create a user called sirenalert and map that user to the sirenalert role by following the instructions under the Access Control: ACL section in Search Guard Classic integration and Siren Investigate access control .