From 47ba4c0f57b7f8a0ea756cb680b883fbc8d05317 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 1 May 2024 12:55:29 -0400
Subject: [PATCH] add new annotation for soc autoEnabledSigmaRules
---
 salt/soc/soc_soc.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 2001fb0c1..4b88a5f84 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -89,10 +89,13 @@ soc:
 advanced: True
 helpLink: sigma.html
 autoEnabledSigmaRules:
- description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
- global: True
- advanced: True
- helpLink: sigma.html
+ default: &autoEnabledSigmaRules
+ description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
+ global: True
+ advanced: True
+ helpLink: sigma.html
+ so-eval: *autoEnabledSigmaRules
+ so-import: *autoEnabledSigmaRules
 denyRegex:
 description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
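Review bot: The description anchored at `default: &autoEnabledSigmaRules` is reused verbatim by the `so-eval` and `so-import` aliases, so all three entries carry identical help text and none says whether a role entry replaces `default` or is combined with it. Because this setting decides which Sigma detections are switched on at import, an operator who edits only `default` on an eval or import node could assume coverage changed when the role list is what actually applies. Once the behaviour is confirmed against the consumer, I would end the description with something like `A role-specific list, when present, is used instead of default (it is not merged with it).` The patch touches only this annotation file, so it is also worth checking that the matching defaults and the code reading `autoEnabledSigmaRules` already use the nested `default`/role shape. The `soc:` mapping begins and ends outside the hunk.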