Tweak structure

2025-12-06 09:12:45 +01:00 · 2024-11-19 11:54:15 -05:00
parent 56d6857cd6
commit 3fcf197bc1
1 changed files with 36 additions and 39 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1328,47 +1328,44 @@ soc:
          autoUpdateEnabled: true
          autoEnabledSigmaRules:
            default: |-
-              Enabled_On_Import:
-                # SOS - resources ruleset
-                - ruleset: ["securityonion-resources"]
-                  level: ["critical", "high"]
-                  product: ["*"]
-                  category: ["*"]
-                  service: ["*"]
-                # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
-                - ruleset: ["core"]
-                  level: ["critical"]
-                  product: ["*"]
-                  category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
-                  service: ["*"]
-                # SigmaHQ - Core ruleset - Logsource: Windows eventlogs
-                - ruleset: ["core"]
-                  level: ["critical"]
-                  product: ["windows"]
-                  category: ["*"]
-                  service: ["security", "system", "dns-client", "application"]
-                # SigmaHQ - Core ruleset - Logsource: misc
-                - ruleset: ["core"]
-                  level: ["critical"]
-                  product: ["*"]
-                  category: ["antivirus"]
-                  service: ["*"]
+              # SOS - resources ruleset
+              - ruleset: ["securityonion-resources"]
+                level: ["critical", "high"]
+                product: ["*"]
+                category: ["*"]
+                service: ["*"]
+              # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["*"]
+                category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
+                service: ["*"]
+              # SigmaHQ - Core ruleset - Logsource: Windows eventlogs
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["windows"]
+                category: ["*"]
+                service: ["security", "system", "dns-client", "application"]
+              # SigmaHQ - Core ruleset - Logsource: misc
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["*"]
+                category: ["antivirus"]
+                service: ["*"]
            so-eval: |-
-              Enabled_On_Import:
-                # SOS - resources ruleset
-                - ruleset: ["securityonion-resources"]
-                  level: ["critical", "high"]
-                  product: ["*"]
-                  category: ["*"]
-                  service: ["*"]
+              # SOS - resources ruleset
+              - ruleset: ["securityonion-resources"]
+                level: ["critical", "high"]
+                product: ["*"]
+                category: ["*"]
+                service: ["*"]
            so-import: |-
-              Enabled_On_Import:
-                # SOS - resources ruleset
-                - ruleset: ["securityonion-resources"]
-                  level: ["critical", "high"]
-                  product: ["*"]
-                  category: ["*"]
-                  service: ["*"]
+              # SOS - resources ruleset
+              - ruleset: ["securityonion-resources"]
+                level: ["critical", "high"]
+                product: ["*"]
+                category: ["*"]
+                service: ["*"]
          communityRulesImportFrequencySeconds: 86400
          communityRulesImportErrorSeconds: 300
          failAfterConsecutiveErrorCount: 10