diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja
new file mode 100644
index 000000000..7cd624895
--- /dev/null
+++ b/salt/filebeat/etc/module_config.yml.jinja
@@ -0,0 +1,16 @@
+# DO NOT EDIT THIS FILE
+{% for module in MODULES.modules.keys() %}
+- module: {{ module }}
+ {%- for fileset in MODULES.modules[module] %}
+ {{ fileset }}:
+ enabled: {{ MODULES.modules[module][fileset].enabled }}
+ {#- only manage the settings if the fileset is enabled #}
+ {%- if MODULES.modules[module][fileset].enabled %}
+ {%- for var, value in MODULES.modules[module][fileset].items() %}
+ {%- if var|lower != 'enabled' %}
+ {{ var }}: {{ value }}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endfor %}
+{% endfor %}
diff --git a/salt/filebeat/etc/thirdparty.yml.jinja b/salt/filebeat/etc/thirdparty.yml.jinja
deleted file mode 100644
index 186115af4..000000000
--- a/salt/filebeat/etc/thirdparty.yml.jinja
+++ /dev/null
@@ -1,16 +0,0 @@
-# DO NOT EDIT THIS FILE
-{% for module in THIRDPARTY.modules.keys() %}
-- module: {{ module }}
- {%- for fileset in THIRDPARTY.modules[module] %}
- {{ fileset }}:
- enabled: {{ THIRDPARTY.modules[module][fileset].enabled }}
- {#- only manage the settings if the fileset is enabled #}
- {%- if THIRDPARTY.modules[module][fileset].enabled %}
- {%- for var, value in THIRDPARTY.modules[module][fileset].items() %}
- {%- if var|lower != 'enabled' %}
- {{ var }}: {{ value }}
- {%- endif %}
- {%- endfor %}
- {%- endif %}
- {%- endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index b3bce806c..b1a91b133 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -21,6 +21,7 @@ {% set MANAGER = salt['grains.get']('master') %} {% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% from 'filebeat/map.jinja' import THIRDPARTY with context %} +{% from 'filebeat/map.jinja' import SO with context %} filebeatetcdir: 
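Review bot: `{{ var }}: {{ value }}` in the inner loop of the new module_config.yml.jinja writes each default or pillar value into the Filebeat config as raw text, so a string containing `: ` or ` #`, or a `None`, changes the parsed structure or type instead of being carried as data. Now that this one template renders both the Security Onion defaults and the third-party modules, the value should be serialised where it is emitted, e.g. `{{ var }}: {{ value | json }}`, which also writes lists and nested maps as valid YAML flow collections. The `enabled: {{ ... .enabled }}` line has the same property and currently relies on the consumer accepting the Python `True`/`False` spelling. Indentation of the rendered keys cannot be checked from this view of the diff.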
@@ -78,21 +79,21 @@ filebeatmoduleconfsync: - group: root - template: jinja -# Sync Filebeat modules -filebeatmodules: - file.recurse: - - name: /opt/so/conf/filebeat/modules - - source: salt://filebeat/modules - - user: root - - group: root +sodefaults_module_conf: + file.managed: + - name: /opt/so/conf/filebeat/etc/securityonion.yml + - source: salt://filebeat/etc/module_config.yml.jinja + - template: jinja + - defaults: + MODULES: {{ SO }} thirdparty_module_conf: file.managed: - name: /opt/so/conf/filebeat/etc/thirdparty.yml - - source: salt://filebeat/etc/thirdparty.yml.jinja + - source: salt://filebeat/etc/module_config.yml.jinja - template: jinja - defaults: - THIRDPARTY: {{ THIRDPARTY }} + MODULES: {{ THIRDPARTY }} so-filebeat: docker_container.running:
diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja
index 668889227..aaae60f31 100644
--- a/salt/filebeat/map.jinja
+++ b/salt/filebeat/map.jinja
@@ -1,2 +1,5 @@
 {% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
-{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
\ No newline at end of file
+{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
+
+{% import_yaml 'filebeat/securityoniondefaults.yaml' as SO %}
+{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}
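Review bot: The new `sodefaults_module_conf` state writes /opt/so/conf/filebeat/etc/securityonion.yml without `user`, `group` or `mode`, while the removed `filebeatmodules` state and the preceding context lines pin the owner; this file decides which log sources Filebeat collects, so its ownership and write permissions should be explicit and not left to minion defaults and umask. I would add `- user: root`, `- group: root` and an explicit `- mode:` that the container's Filebeat user can read but not write; the existing `thirdparty_module_conf` has the same gap. Separately, dropping `filebeatmodules` stops managing /opt/so/conf/filebeat/modules without cleaning it, so on upgraded hosts the old module files stay on disk; if `so-filebeat` still binds that directory (its definition continues outside the hunk) a `file.absent` state for it would keep stale module configs from being loaded.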
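Review bot: The commented-out line `{#% set SO = salt['pillar.get']('filebeat:third_party_filebeat', default=SODEFAULTS.third_party_filebeat, merge=True) %#}` references `SODEFAULTS`, which is never defined (the import is `as SO`), and reuses the third-party pillar key, so un-commenting it later would either fail to render or merge third-party pillar data into the Security Onion defaults. Either drop the line or finish it with its own pillar key and `{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}`. As committed, `SO` is the whole YAML document while `THIRDPARTY` is the `third_party_filebeat` subtree, and the shared template reads `MODULES.modules`, so securityoniondefaults.yaml (not shown here) must carry `modules` at its top level; a one-line comment above the import stating that expectation would help the next editor.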