Merge pull request #7366 from Security-Onion-Solutions/delta

Enable state tracking for sigma refresh

salt/common/tools/sbin/so-playbook-sigma-refresh

@@ -17,11 +17,21 @@
 
 . /usr/sbin/so-common
 
-# Regenerate ElastAlert & update Plays
-docker exec so-soctopus python3 playbook_play-update.py
+if ! [ -f /opt/so/state/playbook_regen_plays ] || [ "$1" = "--force" ]; then
 
-# Delete current Elastalert Rules
-rm /opt/so/rules/elastalert/playbook/*.yaml
+    echo "Refreshing Sigma & regenerating plays... "
 
-# Regenerate Elastalert Rules
-so-playbook-sync
+    # Regenerate ElastAlert & update Plays
+    docker exec so-soctopus python3 playbook_play-update.py
+
+    # Delete current Elastalert Rules
+    rm /opt/so/rules/elastalert/playbook/*.yaml
+
+    # Regenerate Elastalert Rules
+    so-playbook-sync
+    
+    # Create state file
+    touch /opt/so/state/playbook_regen_plays
+else
+  printf "\nState file found, exiting...\nRerun with --force to override.\n"
+fi

salt/common/tools/sbin/soup

@@ -482,7 +482,6 @@ post_to_2.3.110() {
   echo "Post Processing for 2.3.110"
   echo "Updating Kibana dashboards"
   salt-call state.apply kibana.so_savedobjects_defaults queue=True
-  so-playbook-sigma-refresh >> /root/soup_playbook_sigma_refresh.log 2>&1 &
   POSTVERSION=2.3.110
 }
 

salt/playbook/init.sls

@@ -110,6 +110,13 @@ so-playbookruleupdatecron:
     - minute: '1'
     - hour: '6'
 
+so-playbookregencron:
+  cron.present:
+    - name: /usr/sbin/so-playbook-sigma-refresh > /opt/so/log/playbook/regen.log 2>&1
+    - user: root
+    - minute: '55'
+    - hour: '23'
+    
 {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
 idh-plays:
   file.recurse: