Integrating Elastic Stack security
Roles
To use Siren Investigate with an Elasticsearch cluster having Elastic Stack security features enabled, you must create the following roles:
- investigate_system: a role that allows Investigate to store user generated content.
- investigate_admin: a role that designates users with administrative privileges on an Investigate installation.
- investigate_user: a role that designates users with read access to specific indices.
- federate_system: a role used by the Siren Federate plugin to perform privileged operations in the cluster.
Two sample bash scripts to quickly initialize an Elasticsearch installation are provided below:
- initroles.sh, for Basic or Gold subscriptions;
- initroles.sh, for Platinum subscriptions.
Note: The script provided for the Platinum subscription enables Document level security on indices managed by Siren Investigate and grants the Siren Investigate user the privileges required to support OpenID Connect.
Both scripts require a working curl command on your system.
To use the script, download the version for your subscription and execute it as follows:
bash initroles.sh
You will be asked to provide the following information:
- Elasticsearch username: the username of an Elasticsearch user with administrative privileges (defaults to elastic).
- Elasticsearch password: the password of the Elasticsearch user in the previous step (defaults to changeme).
- Elasticsearch URL: the URL of your Elasticsearch cluster (defaults to http://localhost:9200).
- Investigate index prefix: the prefix on Investigate indices (defaults to .siren).
- Index pattern readable by Investigate users: an index pattern matching indices that will be readable by users having the investigate_user role.
- curl flags: any custom curl flag that should be set in requests to Elasticsearch (for example -k to ignore validation of private CA certificates, or --cacert <ca.pem file> to validate certificates signed by a private CA).
Users
Once the roles have been created, you’ll need to create two system users:
- sirenserver: a user with the investigate_system role.
- federate: a user with the federate_system role.
When evaluating Siren, we recommend creating at least two additional end users, one with administrative privileges on the Investigate installation:
- sirenadmin: a user with the investigate_admin and the investigate_user roles.
- sirenuser: a user with the investigate_user role.
A script to create all of the above users is available at initusers.sh.
To use the script, download it and execute:
bash initusers.sh
Investigate configuration
Once the users have been created, investigate.yml will have to be modified as follows:
Set elasticsearch.username and elasticsearch.password to the credentials of the sirenserver user, for example:
elasticsearch.username: sirenserver
elasticsearch.password: password
If HTTPS is enabled for the Elasticsearch REST API, ensure that the elasticsearch.url setting contains a URL starting with https, for example:
elasticsearch.url: 'https://localhost:9220'
If the certificate is not signed by a public authority, you will also need to set elasticsearch.ssl.certificateAuthorities to the path of the CA chain bundle in PEM format, for example:
elasticsearch.ssl.certificateAuthorities: 'pki/elasticsearch.pem'
To enable certificate verification, set elasticsearch.ssl.verificationMode to full, for example:
elasticsearch.ssl.verificationMode: full
Set the backend parameter of the investigate_access_control section of investigate.yml to xpack:
investigate_access_control:
  admin_role: investigate_admin
  enabled: true
  backend: xpack
  acl:
    enabled: true
  cookie:
    secure: true
    password: '12345678123456781234567812345678'
Note: If you are running Siren Investigate with https disabled, remember to set
After restarting Siren Investigate you should be able to log in as sirenadmin using the password set previously.
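A configuration check for the investigate.yml settings above, written as an added example (it is not Siren's code). It reads the settings from a dict as PyYAML would load them, resolving dotted keys such as elasticsearch.ssl.verificationMode whether they are written flat or as nested mappings, and reports deviations from the hardened layout; the two sample configs are constructed, and the placeholder password and the 32-character cookie value are assumptions.

```python
"""Audit investigate.yml settings from this page (added example, not Siren's code).
Dotted keys like 'elasticsearch.ssl.verificationMode' match whether written flat
(one YAML key containing dots) or as nested mappings."""

SAMPLE_COOKIE_PW = "12345678123456781234567812345678"  # the page's sample value

def lookup(cfg, dotted):
    """Resolve 'a.b.c' in a dict that mixes flat dotted keys and nested maps."""
    if dotted in cfg:
        return cfg[dotted]
    parts = dotted.split(".")
    for i in range(1, len(parts)):
        head, tail = ".".join(parts[:i]), ".".join(parts[i:])
        if isinstance(cfg.get(head), dict):
            found = lookup(cfg[head], tail)
            if found is not None:
                return found
    return None

def audit(cfg):
    """Return findings; an empty list means the settings match the hardened layout."""
    f = []
    user = lookup(cfg, "elasticsearch.username")
    if not user or not lookup(cfg, "elasticsearch.password"):
        f.append("set elasticsearch.username/password to the sirenserver credentials")
    elif user == "elastic":
        f.append("Investigate connects as the elastic superuser instead of sirenserver")
    url = lookup(cfg, "elasticsearch.url") or ""
    if not url.startswith("https://"):
        f.append("elasticsearch.url is not https: credentials travel in clear text")
    elif lookup(cfg, "elasticsearch.ssl.verificationMode") != "full":
        f.append("elasticsearch.ssl.verificationMode is not full: server cert unverified")
    ac = "investigate_access_control."
    if lookup(cfg, ac + "enabled") is not True or lookup(cfg, ac + "backend") != "xpack":
        f.append("investigate_access_control must be enabled with backend: xpack")
    if lookup(cfg, ac + "cookie.secure") is not True:
        f.append("cookie.secure is false: only acceptable if Investigate is served over plain http")
    pw = lookup(cfg, ac + "cookie.password") or ""
    if len(pw) < 32 or pw == SAMPLE_COOKIE_PW:
        f.append("cookie.password must be a random value of 32+ characters, not the sample")
    return f

# Constructed sample configs: a weak starting point and the layout shown on this page.
WEAK = {"elasticsearch.username": "elastic", "elasticsearch.password": "changeme",
        "elasticsearch.url": "http://localhost:9200",
        "investigate_access_control": {"enabled": True, "backend": "xpack",
                                       "cookie": {"secure": False, "password": SAMPLE_COOKIE_PW}}}
HARDENED = {"elasticsearch.username": "sirenserver", "elasticsearch.password": "<sirenserver-pw>",
            "elasticsearch.url": "https://localhost:9220",
            "elasticsearch.ssl.certificateAuthorities": "pki/elasticsearch.pem",
            "elasticsearch.ssl.verificationMode": "full",
            "investigate_access_control": {"admin_role": "investigate_admin", "enabled": True,
                                           "backend": "xpack", "acl": {"enabled": True},
                                           "cookie": {"secure": True,
                                                      "password": "q8Zr2vLm9XcT4nWb7Hs1Kd6Yf3Gp0JeA"}}}
```

Run audit() on the dict returned by yaml.safe_load(open("investigate.yml")) to check a real file.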
Next steps
If you need support for authentication mechanisms other than basic HTTP, please refer to Additional authentication mechanisms.
Otherwise, please refer to Configuring ACL in Siren Investigate to complete the Siren Investigate access control configuration.