diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 552cd7020..d9a5d4cb3 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1328,47 +1328,44 @@ soc: autoUpdateEnabled: true autoEnabledSigmaRules: default: |- - Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] - # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent - - ruleset: ["core"] - level: ["critical"] - product: ["*"] - category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"] - service: ["*"] - # SigmaHQ - Core ruleset - Logsource: Windows eventlogs - - ruleset: ["core"] - level: ["critical"] - product: ["windows"] - category: ["*"] - service: ["security", "system", "dns-client", "application"] - # SigmaHQ - Core ruleset - Logsource: misc - - ruleset: ["core"] - level: ["critical"] - product: ["*"] - category: ["antivirus"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: Windows eventlogs + - ruleset: ["core"] + level: ["critical"] + product: ["windows"] + category: ["*"] + service: ["security", "system", "dns-client", "application"] + # SigmaHQ - Core ruleset - Logsource: misc + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["antivirus"] + service: ["*"] so-eval: |- - Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] so-import: |- - 
Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] communityRulesImportFrequencySeconds: 86400 communityRulesImportErrorSeconds: 300 failAfterConsecutiveErrorCount: 10
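Review bot: Dropping the `Enabled_On_Import:` wrapper changes the type of each block scalar's parsed payload from a one-key mapping to a bare sequence, and nothing in the hunk indicates the consumer accepts both shapes, so a pillar override still written in the old wrapped form would presumably parse to an unexpected type for the `default`, `so-eval` and `so-import` profiles alike. Since the embedded text is a literal block, the new shape should be stated in a comment at the top of each profile, e.g. `# Sequence of filter entries (ruleset/level/product/category/service); the former Enabled_On_Import: wrapper is no longer expected`, so that anyone copying this into a pillar does not reintroduce the mapping. It would also help to confirm, in the commit description, whether overrides in the old shape are rejected with an explicit error or silently ignored, as a silently ignored override would leave fewer rules auto-enabled than the operator intended.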