From 41a58b791a1e820652e0ef15d3b8b97b527885e6 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 28 Feb 2022 21:17:59 -0500 Subject: [PATCH 1/2] Enable state tracking for sigma refresh --- .../tools/sbin/so-playbook-sigma-refresh | 22 ++++++++++++++----- salt/playbook/init.sls | 7 ++++++ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh index 5226b309e..76873b3d5 100755 --- a/salt/common/tools/sbin/so-playbook-sigma-refresh +++ b/salt/common/tools/sbin/so-playbook-sigma-refresh @@ -17,11 +17,21 @@ . /usr/sbin/so-common -# Regenerate ElastAlert & update Plays -docker exec so-soctopus python3 playbook_play-update.py +if ! [ -f /opt/so/state/playbook_regen_plays ] || [ "$1" = "--force" ]; then -# Delete current Elastalert Rules -rm /opt/so/rules/elastalert/playbook/*.yaml + echo "Refreshing Sigma & regenerating plays... " -# Regenerate Elastalert Rules -so-playbook-sync + # Regenerate ElastAlert & update Plays + docker exec so-soctopus python3 playbook_play-update.py + + # Delete current Elastalert Rules + rm /opt/so/rules/elastalert/playbook/*.yaml + + # Regenerate Elastalert Rules + so-playbook-sync + + # Create state file + touch /opt/so/state/playbook_regen_plays +else + printf "\nState file found, exiting...\nRerun with --force to override.\n" +fi \ No newline at end of file diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 57f9afb24..2decc6134 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -109,6 +109,13 @@ so-playbookruleupdatecron: - user: root - minute: '1' - hour: '6' + +so-playbookregencron: + cron.present: + - name: /usr/sbin/so-playbook-sigma-refresh > /opt/so/log/playbook/regen.log 2>&1 + - user: root + - minute: '55' + - hour: '23' {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %} idh-plays: 
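Review bot: The state file is created by `touch /opt/so/state/playbook_regen_plays` regardless of whether `docker exec so-soctopus python3 playbook_play-update.py` or `so-playbook-sync` succeeded, so a run that deletes `/opt/so/rules/elastalert/playbook/*.yaml` and then fails to regenerate them is recorded as complete and never retried without `--force`, leaving ElastAlert with no Playbook rules until someone notices. Nothing visible in the hunk enables `set -e` (so-common is sourced but not shown), so each step's exit status has to be checked explicitly: gate the `rm` on the play update and the `touch` on the sync, and exit non-zero so the cron log reflects the failure. While there, `rm -f --` avoids a spurious error on an already-empty directory. The new `if`/`else`/`fi` encloses the whole visible body; only the `. /usr/sbin/so-common` line above it is unchanged context.
```shell
if ! [ -f /opt/so/state/playbook_regen_plays ] || [ "$1" = "--force" ]; then

  echo "Refreshing Sigma & regenerating plays... "

  # Regenerate ElastAlert & update Plays; stop before touching the rule
  # directory if the play update itself failed
  if ! docker exec so-soctopus python3 playbook_play-update.py; then
    printf 'playbook_play-update.py failed; existing rules left in place\n' >&2
    exit 1
  fi

  # Delete current Elastalert Rules (-f: no error if the directory is already empty)
  rm -f -- /opt/so/rules/elastalert/playbook/*.yaml

  # Regenerate Elastalert Rules; do not record success if this fails, so the
  # next scheduled run retries instead of leaving ElastAlert with no Playbook rules
  if ! so-playbook-sync; then
    printf 'so-playbook-sync failed; state file not written, next run will retry\n' >&2
    exit 1
  fi

  # Create state file only after a successful regeneration
  touch /opt/so/state/playbook_regen_plays
# … unchanged: else branch printing the "State file found" message, fi …
```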
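Review bot: The new `so-playbookregencron` entry redirects with `>`, so `/opt/so/log/playbook/regen.log` is truncated every night at 23:55; because the script exits early with its "State file found" message once `/opt/so/state/playbook_regen_plays` exists, any error output from the one run that actually regenerated rules is overwritten by the next night's two-line message before anyone is likely to read it. Appending keeps that evidence: `- name: /usr/sbin/so-playbook-sigma-refresh >> /opt/so/log/playbook/regen.log 2>&1`. Since this is effectively a run-once job gated by a state file, a Salt `cmd.run` with `creates: /opt/so/state/playbook_regen_plays` may express the intent more directly than a daily cron, and it is worth confirming that `/opt/so/log/playbook` and `/opt/so/state` are created by a state that runs before this one, as neither is visible in the hunk.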
From e960d9990160efa86017ba77d13e18fbf3c3ead1 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 28 Feb 2022 21:18:41 -0500 Subject: [PATCH 2/2] Enable state tracking for sigma refresh --- salt/common/tools/sbin/soup | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 73da9bc24..6e689b4b1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -482,7 +482,6 @@ post_to_2.3.110() { echo "Post Processing for 2.3.110" echo "Updating Kibana dashboards" salt-call state.apply kibana.so_savedobjects_defaults queue=True - so-playbook-sigma-refresh >> /root/soup_playbook_sigma_refresh.log 2>&1 & POSTVERSION=2.3.110 }