Security setup for Siren Alert

  1. Create a role called sirenalert in the sg_roles.yml file with the following permissions (read-only on all indices, read-write only on the watcher indices):

    sirenalert:
      cluster:
        - 'indices:data/write/bulk'
        - 'indices:admin/template/*'
        - 'indices:monitor/stats'
        - 'cluster:monitor/main'
        - 'cluster:monitor/health'
        - 'cluster:monitor/stats'
        - SIREN_CLUSTER
      indices:
        '*':
          '*':
            - SIREN_READONLY
            - SEARCH
            - 'indices:monitor/stats'
        'watcher_alarms*':
          '*':
            - SIREN_READWRITE
            - CREATE_INDEX
        '/(watcher|watcher_alarms)/':
          '*':
            - SIREN_READWRITE
            - CREATE_INDEX
  2. Add the following permissions to the sirenserver role:

    sirenserver:
      cluster:
        - 'cluster:monitor/nodes/info'
        - 'cluster:monitor/health'
        - 'cluster:monitor/main'
        - 'cluster:monitor/state'
        - 'cluster:monitor/nodes/stats'
        - SIREN_CLUSTER
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*':
          '*':
            - 'indices:admin/get'
            - CLUSTER_COMPOSITE_OPS_RO
            - 'indices:monitor/stats'
        '?siren':
          '*':
            - ALL
        '?sirenaccess':
          '*':
            - ALL
  3. Update the investigate.yml file to include the following values under the investigate_access_control section. The username and password must match the sirenalert user created in step 4; replace the placeholder password with the one you assign to that user:

    investigate_access_control:
      sirenalert:
        elasticsearch:
          username: sirenalert
          password: password
  4. Create a user called sirenalert and map that user to the sirenalert role by following the instructions under the Access Control: ACL section in Search Guard Classic integration and Siren Investigate access control.
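The property the sirenalert role in step 1 is meant to express is that Siren Alert can read every index but write only to its own watcher indices. The script below is an added example (not part of the Siren documentation or of the Search Guard project) that checks this before the file is pushed with sgadmin: it parses the role definitions, lists every index pattern that receives a write-capable permission, and reports any pattern outside an allow-list. It embeds the sirenalert role text from the page and uses a small built-in parser for the indentation-based YAML subset sg_roles.yml uses, so it runs with no third-party dependency (with PyYAML installed, `yaml.safe_load()` yields the same structure). The set of write-capable action groups is an assumption of the example: the standard Search Guard groups plus SIREN_READWRITE, which is taken as write-capable from its name and its use on the watcher indices.

```python
"""Least-privilege lint for Search Guard sg_roles.yml role definitions.

Added example, not Siren or Search Guard code. Parses the nested-map /
list-of-scalars YAML subset used by sg_roles.yml with a minimal built-in
parser and reports index patterns that receive write-capable permissions.
"""

# The sirenalert role as written on the page, embedded so the example runs offline.
SG_ROLES_YML = """\
sirenalert:
  cluster:
    - 'indices:data/write/bulk'
    - 'indices:admin/template/*'
    - 'indices:monitor/stats'
    - 'cluster:monitor/main'
    - 'cluster:monitor/health'
    - 'cluster:monitor/stats'
    - SIREN_CLUSTER
  indices:
    '*':
      '*':
        - SIREN_READONLY
        - SEARCH
        - 'indices:monitor/stats'
    'watcher_alarms*':
      '*':
        - SIREN_READWRITE
        - CREATE_INDEX
    '/(watcher|watcher_alarms)/':
      '*':
        - SIREN_READWRITE
        - CREATE_INDEX
"""

# Assumption: standard Search Guard action groups that allow writes, plus
# Siren's SIREN_READWRITE (treated as write-capable from its name and use).
WRITE_GROUPS = {"ALL", "INDICES_ALL", "CRUD", "WRITE", "INDEX", "DELETE",
                "CREATE_INDEX", "MANAGE", "SIREN_READWRITE"}
WRITE_ACTION_PREFIXES = ("indices:data/write/", "indices:admin/", "cluster:admin/")


def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return s


def parse_yaml_subset(text):
    """Parse nested maps and lists of scalars, using indentation for nesting."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            lines.append((len(raw) - len(raw.lstrip(" ")), stripped))
    node, end = _parse_block(lines, 0, lines[0][0])
    if end != len(lines):
        raise ValueError("unparsed content near: %r" % lines[end][1])
    return node


def _parse_block(lines, i, indent):
    """Parse one block whose lines all sit at `indent`; return (node, next index)."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(_unquote(lines[i][1][2:]))
            i += 1
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent:
        text = lines[i][1]
        if text.endswith(":"):                       # key introducing a nested block
            key = _unquote(text[:-1])
            if i + 1 < len(lines) and lines[i + 1][0] > indent:
                child, i = _parse_block(lines, i + 1, lines[i + 1][0])
                mapping[key] = child
            else:
                mapping[key] = None
                i += 1
        else:                                        # key: scalar
            key, _, value = text.partition(": ")
            mapping[_unquote(key)] = _unquote(value)
            i += 1
    return mapping, i


def _is_write_permission(perm):
    return perm in WRITE_GROUPS or perm.startswith(WRITE_ACTION_PREFIXES)


def cluster_write_grants(roles, role_name):
    """Cluster-level permissions of a role that are write- or admin-capable."""
    return sorted(p for p in (roles[role_name].get("cluster") or []) if _is_write_permission(p))


def index_write_grants(roles, role_name):
    """Map each index pattern of a role to the write-capable permissions it grants."""
    grants = {}
    for pattern, by_type in (roles[role_name].get("indices") or {}).items():
        perms = set()
        for type_perms in (by_type or {}).values():
            perms.update(p for p in (type_perms or []) if _is_write_permission(p))
        if perms:
            grants[pattern] = sorted(perms)
    return grants


def check_least_privilege(roles, role_name, allowed_write_patterns):
    """Findings for write access granted on index patterns outside the allow-list."""
    return ["%s: write access on index pattern %r via %s" % (role_name, pattern, ", ".join(perms))
            for pattern, perms in index_write_grants(roles, role_name).items()
            if pattern not in allowed_write_patterns]


def lint_sirenalert(text):
    """Siren Alert may write only to the watcher indices named in the role."""
    roles = parse_yaml_subset(text)
    return check_least_privilege(roles, "sirenalert",
                                 allowed_write_patterns={"watcher_alarms*", "/(watcher|watcher_alarms)/"})


if __name__ == "__main__":
    roles = parse_yaml_subset(SG_ROLES_YML)
    print("cluster-level write/admin actions:", cluster_write_grants(roles, "sirenalert"))
    print("index write grants:", index_write_grants(roles, "sirenalert"))
    print("findings:", lint_sirenalert(SG_ROLES_YML) or "none")
    # A mistake worth catching: SIREN_READWRITE granted on '*' instead of SIREN_READONLY.
    widened = SG_ROLES_YML.replace("- SIREN_READONLY", "- SIREN_READWRITE", 1)
    print("findings for widened role:", lint_sirenalert(widened))
```

Run it against the real sg_roles.yml before `sgadmin.sh` is invoked; an empty findings list for sirenalert confirms the role writes only to the watcher indices, while the cluster-level output is a reminder that the role also holds `indices:data/write/bulk` and `indices:admin/template/*` cluster-wide, which the page requires but which a reviewer should see listed.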