Detections tweaks

salt/soc/defaults.yaml

@@ -2049,9 +2049,9 @@ soc:
               query: "so_detection.isEnabled:false"
             - name: "Detection Type - Suricata (NIDS)"
               query: "so_detection.language:suricata"
-            - name: "Detection Type - Sigma - All"
+            - name: "Detection Type - Sigma (Elastalert) - All"
               query: "so_detection.language:sigma"
-            - name: "Detection Type - Sigma - Windows"
+            - name: "Detection Type - Sigma (Elastalert) - Windows"
               query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
             - name: "Detection Type - YARA (Strelka)"
               query: "so_detection.language:yara"

salt/soc/merged.map.jinja

@@ -30,6 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
+{# do not automatically enable Sigma rules if install is Eval or Import #}
+{% if grains['role'] in ['so-eval', 'so-import'] %}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': ""}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

salt/soc/soc_soc.yaml

@@ -83,6 +83,11 @@ soc:
             global: True
             advanced: True
             helpLink: sigma.html
+          autoEnabledSigmaRules:
+            description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
+            global: True
+            advanced: True
+            helpLink: sigma.html
           denyRegex:
             description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
             global: True