Enable state tracking for sigma refresh

salt/common/tools/sbin/so-playbook-sigma-refresh

@@ -17,11 +17,21 @@
 
 . /usr/sbin/so-common
 
-# Regenerate ElastAlert & update Plays
+if ! [ -f /opt/so/state/playbook_regen_plays ] || [ "$1" = "--force" ]; then
-docker exec so-soctopus python3 playbook_play-update.py
 
-# Delete current Elastalert Rules
+    echo "Refreshing Sigma & regenerating plays... "
-rm /opt/so/rules/elastalert/playbook/*.yaml
 
-# Regenerate Elastalert Rules
+    # Regenerate ElastAlert & update Plays
-so-playbook-sync
+    docker exec so-soctopus python3 playbook_play-update.py
+
+    # Delete current Elastalert Rules
+    rm /opt/so/rules/elastalert/playbook/*.yaml
+
+    # Regenerate Elastalert Rules
+    so-playbook-sync
+    
+    # Create state file
+    touch /opt/so/state/playbook_regen_plays
+else
+  printf "\nState file found, exiting...\nRerun with --force to override.\n"
+fi

salt/playbook/init.sls

@@ -109,6 +109,13 @@ so-playbookruleupdatecron:
     - user: root
     - minute: '1'
     - hour: '6'
+
+so-playbookregencron:
+  cron.present:
+    - name: /usr/sbin/so-playbook-sigma-refresh > /opt/so/log/playbook/regen.log 2>&1
+    - user: root
+    - minute: '55'
+    - hour: '23'
     
 {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
 idh-plays: