Merge pull request #12584 from Security-Onion-Solutions/jertel/suripcap

handle airgap when detections not enabled

salt/soc/merged.map.jinja

@@ -35,18 +35,16 @@
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}
 {%   do SOCMERGED.config.server.modules.pop('strelkaengine') %}
 {%   do SOCMERGED.config.server.modules.pop('suricataengine') %}
+{% elif pillar.global.airgap %}
+  {# if system is Airgap, don't autoupdate Yara & Sigma rules #}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
+  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
 {% endif %}
 
 {% if pillar.manager.playbook == 0 %}
 {%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
-{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
-{% if pillar.global.airgap %}
-  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
-  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
-{% endif %}
-
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
 
 {% if pillar.global.endgamehost != '' %}