diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a64b9d90a..641300fdf 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -15,13 +15,14 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% from "pcap/map.jinja" import STENOOPTIONS with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
 {% set BPF_COMPILED = "" %}
-{% from "pcap/map.jinja" import STENOOPTIONS with context %}
 # PCAP Section
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 4cbda4bb4..73c4d2395 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -15,6 +15,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %}
+{% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
+
 {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -136,9 +138,10 @@ suribpf:
 {% endif %}
 so-suricata:
- docker_container.running:
+ docker_container.{{ SURICATAOPTIONS.status }}:
+ {% if SURICATAOPTIONS.status == 'running' %}
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }}
- - start: {{ START }}
+ - start: {{ SURICATAOPTIONS.start }}
 - privileged: True
 - environment:
 - INTERFACE={{ interface }}
@@ -157,18 +160,27 @@ so-suricata:
 - file: /opt/so/conf/suricata/rules/
 - file: /opt/so/conf/suricata/bpf
+ {% else %} {# if Suricata isn't enabled, then stop and remove the container #}
+ - force: True
+ {% endif %}
+
 append_so-suricata_so-status.conf:
 file.append:
 - name: /opt/so/conf/so-status/so-status.conf
 - text: so-suricata
 - unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf
-{% if grains.role == 'so-import' %}
-disable_so-suricata_so-status.conf:
+ {% if not SURICATAOPTIONS.start %}
+so-suricata_so-status.disabled:
 file.comment:
 - name: /opt/so/conf/so-status/so-status.conf
 - regex: ^so-suricata$
-{% endif %}
+ {% else %}
+delete_so-suricata_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-suricata$
+ {% endif %}
 /usr/local/bin/surirotate:
 cron.absent:
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index ad4d70e80..2ffd5ad08 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -1,6 +1,15 @@
-# don't start the docker container if it is an import node
-{% if grains.id.split('_')|last == 'import' %}
- {% set START = False %}
+{% set SURICATAOPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('suricata:enabled', 'True') %}
+
+# don't start the docker container if it is an import node or disabled via pillar
+{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+ {% do SURICATAOPTIONS.update({'start': False}) %}
 {% else %}
- {% set START = True %}
+ {% do SURICATAOPTIONS.update({'start': True}) %}
+{% endif %}
+
+{% if ENABLED is sameas false %}
+ {% do SURICATAOPTIONS.update({'status': 'absent'}) %}
+{% else %}
+ {% do SURICATAOPTIONS.update({'status': 'running'}) %}
 {% endif %}
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index ce0d6dccd..5f5adfaa6 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
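Review bot: The new `suricata:enabled` kill switch in map.jinja fails open: `ENABLED` defaults to the string `'True'` but both branches test only `ENABLED is sameas false`, so any pillar value that is not the literal YAML boolean (for example `"false"`, `"False"` or `0`) is silently treated as enabled and the privileged container keeps running. Normalising the value once would close that, e.g. `{% set ENABLED = salt['pillar.get']('suricata:enabled', True) | to_bool %}` and then `{% if grains.id.split('_')|last == 'import' or not ENABLED %}` / `{% if not ENABLED %}`; `to_bool` depends on the Salt version in use, otherwise an explicit comparison against the accepted true strings works. The two `if` blocks also evaluate the same condition, so `status` could be set in the same branch as `start` to keep the two keys from drifting apart if one test is later edited and the other is not.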
@@ -1,7 +1,21 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% from "zeek/map.jinja" import START with context %}
+{% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
@@ -179,9 +193,10 @@ localzeeksync:
 LOCAL: {{ ZEEK.local | tojson }}
 so-zeek:
- docker_container.running:
+ docker_container.{{ ZEEKOPTIONS.status }}:
+ {% if ZEEKOPTIONS.status == 'running' %}
 - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}
- - start: {{ START }}
+ - start: {{ ZEEKOPTIONS.start }}
 - privileged: True
 - ulimits:
 - core=0
@@ -204,6 +219,9 @@ so-zeek:
 - file: /opt/so/conf/zeek/zeekctl.cfg
 - file: /opt/so/conf/zeek/policy
 - file: /opt/so/conf/zeek/bpf
+ {% else %} {# if Zeek isn't enabled, then stop and remove the container #}
+ - force: True
+ {% endif %}
 append_so-zeek_so-status.conf:
 file.append:
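Review bot: The last line of the added license header, `# along with this program. If not, see .`, is missing the license URL that normally follows "see"; if that is how the line reads in the committed file rather than an artifact of how this page was rendered, it should be `# along with this program. If not, see <https://www.gnu.org/licenses/>.` The rest of the header matches the standard GPLv3 notice text.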
@@ -211,12 +229,17 @@ append_so-zeek_so-status.conf:
 - text: so-zeek
 - unless: grep -q so-zeek /opt/so/conf/so-status/so-status.conf
-{% if grains.role == 'so-import' %}
-disable_so-zeek_so-status.conf:
+ {% if not ZEEKOPTIONS.start %}
+so-zeek_so-status.disabled:
 file.comment:
 - name: /opt/so/conf/so-status/so-status.conf
 - regex: ^so-zeek$
-{% endif %}
+ {% else %}
+delete_so-zeek_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-zeek$
+ {% endif %}
 {% else %}
diff --git a/salt/zeek/map.jinja b/salt/zeek/map.jinja
index ad4d70e80..b5713c6d5 100644
--- a/salt/zeek/map.jinja
+++ b/salt/zeek/map.jinja
@@ -1,6 +1,15 @@
-# don't start the docker container if it is an import node
-{% if grains.id.split('_')|last == 'import' %}
- {% set START = False %}
+{% set ZEEKOPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('zeek:enabled', 'True') %}
+
+# don't start the docker container if it is an import node or disabled via pillar
+{% if grains.id.split('_')|last == 'import' or ENABLED is sameas false %}
+ {% do ZEEKOPTIONS.update({'start': False}) %}
 {% else %}
- {% set START = True %}
+ {% do ZEEKOPTIONS.update({'start': True}) %}
+{% endif %}
+
+{% if ENABLED is sameas false %}
+ {% do ZEEKOPTIONS.update({'status': 'absent'}) %}
+{% else %}
+ {% do ZEEKOPTIONS.update({'status': 'running'}) %}
 {% endif %}
\ No newline at end of file
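Review bot: `zeek:enabled` in the zeek map.jinja hunk has the same fail-open shape as its suricata twin: the default is the string `'True'` while both tests are `ENABLED is sameas false`, so a pillar value such as `"false"` or `0` never matches and the privileged so-zeek container stays `running` with `start: True`. Reading the value as a boolean up front, `{% set ENABLED = salt['pillar.get']('zeek:enabled', True) | to_bool %}`, and testing `not ENABLED` in both places makes the switch honour the forms operators are likely to write (`to_bool` availability depends on the Salt release; an explicit string comparison is the fallback). Since the condition is evaluated twice, setting `status` inside the same branch that sets `start` would also remove the possibility of the two keys disagreeing.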