From 3021ed5d36f7fce48560042d7111b100d1aa1dd8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 15:56:26 -0500
Subject: [PATCH] Add Actions
---
 salt/soc/soc_soc.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 42c56ab52..480f8c5e7 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -63,6 +63,31 @@ soc:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: description
+ label: Description
+ - field: icon
+ label: Icon
+ - field: links
+ label: Links
+ required: True
+ forcedType: "[]string"
+ multiline: True
+ - field: name
+ label: Name
+ required: True
+ - field: target
+ label: Target
+ - field: jscall
+ label: JavaScript Call
+ - field: category
+ label: Category
+ options:
+ - hunt
+ - alerts
+ - dashboards
+ forcedType: "[]string"
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
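Review bot: The new `jscall` and `links` entries under `uiElements` are plain free-text fields with no help text or validation, although their values presumably end up as a JavaScript call and as URLs opened from the analyst's browser when an action is clicked. Since this is a `global: True` setting, whoever can edit it shapes what every analyst's click does, so the accepted values should be documented in the setting's `description:`, for instance by appending `Links should be http or https URLs from trusted sources.` plus a sentence on what `jscall` may contain. If the annotation schema supports per-field validation patterns, adding one for `links` would catch a bad value at entry time. Separately, `category` is limited to `hunt`, `alerts` and `dashboards` while the description mentions "other records", so confirm that no existing action uses a category outside that list.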