From ffaab4a1b47d7949ab6ff061d97d0b59f95ad049 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 6 Sep 2023 14:19:53 -0400
Subject: [PATCH 1/3] only add endgame to action if it is populated
---
 salt/soc/merged.map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index dc2f889bb..c17c23b25 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -35,7 +35,7 @@
 {% endif %}
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
-{% if pillar.global.endgamehost is defined %}
+{% if pillar.global.endgamehost != '' %}
 {% set endgame_dict = { "name": "Endgame", "description": "Endgame Endpoint Investigation and Response",
From 60f1947eb4b4f5a6d2b5c43507164246a92e63cd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 7 Sep 2023 14:01:19 -0400
Subject: [PATCH 2/3] prevent endgame_dict from being added to standard_actions if it is already present
---
 salt/soc/merged.map.jinja | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index c17c23b25..052ff9941 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -35,7 +35,17 @@
 {% endif %}
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
+
 {% if pillar.global.endgamehost != '' %}
+{# this is added to prevent endgame_dict from being added to standard_actions for each time this file is rendered #}
+{% set endgame = namespace(add=true) %}
+{% for d in standard_actions %}
+{% if d.name is defined %}
+{% if d.name == 'Endgame' %}
+{% set endgame.add = false %}
+{% endif %}
+{% endif %}
+{% endfor %}
 {% set endgame_dict = { "name": "Endgame", "description": "Endgame Endpoint Investigation and Response",
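Review bot: The new test `{% if pillar.global.endgamehost != '' %}` in PATCH 1/3 no longer covers a missing key. Depending on the undefined policy the renderer uses, an absent `endgamehost` either fails the render or compares unequal to `''` and lets the block run with an empty host in the link. Checking both conditions keeps the old guarantee: `{% if pillar.global.endgamehost is defined and pillar.global.endgamehost != '' %}`. Whether the pillar always carries the key (for example through a default of `''`) is not visible in this hunk, so confirm that before relying on the comparison alone. Because the value is concatenated into an `https://` link that analysts follow, a whitespace-only or otherwise malformed host is also worth rejecting here.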
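Review bot: The duplicate check added in the first hunk of PATCH 2/3 keys only on the display name `'Endgame'`, so a custom action with that name defined in the pillar also suppresses the built-in entry, and the analyst-facing link is then whatever that pillar entry supplies. If that override is intended, the comment should say so; otherwise the check should also compare the entry's link. The two nested tests read more easily as one line, `{% if d.name is defined and d.name == 'Endgame' %}`. The loop works around `standard_actions` being mutated in place on each render; the enclosing `{% if %}` block continues outside this hunk, so the underlying cause cannot be judged from here.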
@@ -44,7 +54,9 @@
 "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] } %}
-{% do standard_actions.append(endgame_dict) %}
+{% if endgame.add %}
+{% do standard_actions.append(endgame_dict) %}
+{% endif %}
 {% endif %}
 {% do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %}
From 35157f2e8b27c313235a4cbd95fa4e0bb77ea12f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 7 Sep 2023 15:46:04 -0400
Subject: [PATCH 3/3] add comment
---
 salt/soc/merged.map.jinja | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 052ff9941..33c0070ad 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -38,6 +38,7 @@
 {% if pillar.global.endgamehost != '' %}
 {# this is added to prevent endgame_dict from being added to standard_actions for each time this file is rendered #}
+{# since this map file is rendered 3 times, it causes endgame_dict to appened 3 times if custom actions are defined in the pillar #}
 {% set endgame = namespace(add=true) %}
 {% for d in standard_actions %}
 {% if d.name is defined %}
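Review bot: In the second hunk of PATCH 2/3 only the append is guarded by `{% if endgame.add %}`, so `endgame_dict` is still built on every render even when it is then discarded. Moving the `{% set endgame_dict = ... %}` statement inside the same `{% if endgame.add %}` block would keep construction and use together and make it obvious that the dict has no other consumer. The dict definition starts above this hunk, so that move touches lines not shown here.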