Various UI tweaks

salt/soc/config.sls

@@ -9,9 +9,16 @@
 include:
   - manager.sync_es_users
 
+socdirtest:
+  file.directory:
+    - name: /opt/so/rules/elastalert/rules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 socdir:
   file.directory:
-    - name: /opt/so/conf/soc
+    - name: /opt/so/conf/soc/fingerprints
     - user: 939
     - group: 939
     - makedirs: True

salt/soc/defaults.yaml

@@ -1006,7 +1006,7 @@ soc:
           communityRulesImportFrequencySeconds: 180
           elastAlertRulesFolder: /opt/sensoroni/elastalert
           rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
-          sigmaRulePackages: all
+          sigmaRulePackages: core
         elastic:
           hostUrl:
           remoteHostUrls: []
@@ -1050,10 +1050,10 @@ soc:
             - rbac/users_roles
         strelkaengine:
           compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
-          reposFolder: /nsm/rules/yara/repos
+          reposFolder: /opt/sensoroni/yara/repos
           rulesRepos:
           - https://github.com/Security-Onion-Solutions/securityonion-yara
-          yaraRulesFolder: /opt/sensoroni/yara
+          yaraRulesFolder: /opt/sensoroni/yara/rules
         suricataengine:
           communityRulesFile: /nsm/rules/suricata/emerging-all.rules
           rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint

salt/soc/enabled.sls

@@ -23,7 +23,7 @@ so-soc:
         - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
     - binds:
       - /nsm/rules:/nsm/rules:rw #Need to tighten this up?
-      - /opt/so/rules/yara:/opt/sensoroni/yara:rw
+      - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
       - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
       - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
       - /nsm/soc/jobs:/opt/sensoroni/jobs:rw