diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6147af73b..552cd7020 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1327,16 +1327,48 @@ soc:
 showAiSummaries: true
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
- default:
- - core+critical
- - securityonion-resources+critical
- - securityonion-resources+high
- so-eval:
- - securityonion-resources+critical
- - securityonion-resources+high
- so-import:
- - securityonion-resources+critical
- - securityonion-resources+high
+ default: |-
+ Enabled_On_Import:
+ # SOS - resources ruleset
+ - ruleset: ["securityonion-resources"]
+ level: ["critical", "high"]
+ product: ["*"]
+ category: ["*"]
+ service: ["*"]
+ # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
+ - ruleset: ["core"]
+ level: ["critical"]
+ product: ["*"]
+ category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
+ service: ["*"]
+ # SigmaHQ - Core ruleset - Logsource: Windows eventlogs
+ - ruleset: ["core"]
+ level: ["critical"]
+ product: ["windows"]
+ category: ["*"]
+ service: ["security", "system", "dns-client", "application"]
+ # SigmaHQ - Core ruleset - Logsource: misc
+ - ruleset: ["core"]
+ level: ["critical"]
+ product: ["*"]
+ category: ["antivirus"]
+ service: ["*"]
+ so-eval: |-
+ Enabled_On_Import:
+ # SOS - resources ruleset
+ - ruleset: ["securityonion-resources"]
+ level: ["critical", "high"]
+ product: ["*"]
+ category: ["*"]
+ service: ["*"]
+ so-import: |-
+ Enabled_On_Import:
+ # SOS - resources ruleset
+ - ruleset: ["securityonion-resources"]
+ level: ["critical", "high"]
+ product: ["*"]
+ category: ["*"]
+ service: ["*"]
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
 failAfterConsecutiveErrorCount: 10
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index c27228ab6..180ef96e4 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
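Review bot: The three `|-` block scalars under autoEnabledSigmaRules carry a YAML document as text, so the Enabled_On_Import filters are parsed a second time by whatever consumes this key, and that second parse is not visible in the hunk; because the companion soc_soc.yaml change exposes the same key as an editable string setting, the inner document is effectively operator-supplied input and should be read with a plain/safe loader with no custom tags and bounded alias expansion. The existing quoting of wildcard values (`product: ["*"]`) is what keeps the inner parse from seeing `*` as an alias, and that is worth recording above `default: |-` as `# Value is a YAML document re-parsed at rule import; keep filter values quoted ("*") so the inner parse never sees an alias or tag.` The so-eval and so-import values are byte-for-byte copies of the first default entry, and a YAML anchor cannot be shared inside a block scalar, so a short comment that the three stanzas must be kept in sync would prevent silent drift. The enclosing soc: mapping begins before the hunk.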
@@ -217,10 +217,15 @@ soc:
 jinjaEscaped: True
 autoEnabledSigmaRules:
 default: &autoEnabledSigmaRules
- description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
+ description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
 global: True
 advanced: True
 helpLink: sigma.html
+ multiline: True
+ syntax: yaml
+ duplicates: True
+ forcedType: string
+ jinjaEscaped: True
 so-eval: *autoEnabledSigmaRules
 so-import: *autoEnabledSigmaRules
 communityRulesImportFrequencySeconds:
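Review bot: The new description says the value is a YAML list, but the defaults in salt/soc/defaults.yaml place that list under a top-level Enabled_On_Import mapping key, so an operator following this text would write a bare list that presumably the importer does not recognise; suggest `description: 'Sigma rules to automatically enable on initial import. The value is a YAML document with an Enabled_On_Import list; each entry filters on ruleset, level, product, category and service (use "*" for any). Refer to the documentation for further details. These will be applied based on role if defined and default if not.'`. Separately, `forcedType: string` changes the declared type of a key that was previously a list, so any existing pillar override still in the old `core+critical` form will no longer match the schema; if such overrides exist in the field, the commit should say how they are migrated or rejected rather than silently mis-typed — this is inferred from the type change, not shown in the hunk. The enclosing soc: mapping and the key that owns the leading `jinjaEscaped: True` context line begin before the hunk.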