change rulesRepos for airgap or not

salt/soc/defaults.yaml

@@ -1274,10 +1274,15 @@ soc:
           rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
           stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
           rulesRepos:
-          - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
-            license: Elastic-2.0
-            folder: sigma/stable
-            community: true
+            default:
+              - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
+                license: Elastic-2.0
+                folder: sigma/stable
+                community: true
+            airgap:
+              - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
+                license: DRL
+                community: true
           sigmaRulePackages:
             - core
             - emerging_threats_addon
@@ -1333,9 +1338,14 @@ soc:
           denyRegex: ''
           reposFolder: /opt/sensoroni/yara/repos
           rulesRepos:
-          - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
-            license: DRL
-            community: true
+            default:
+              - repo: https://github.com/Security-Onion-Solutions/securityonion-yara
+                license: DRL
+                community: true
+            airgap:
+              - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
+                license: DRL
+                community: true
           yaraRulesFolder: /opt/sensoroni/yara/rules
           stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
         suricataengine:

salt/soc/merged.map.jinja

@@ -37,6 +37,15 @@
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
+{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
+{% if GLOBALS.airgap %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

salt/soc/soc_soc.yaml

@@ -107,11 +107,13 @@ soc:
             advanced: True
             helpLink: sigma.html
           rulesRepos:
-            description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
-            global: True
-            advanced: True
-            forcedType: "[]{}"
-            helpLink: sigma.html
+            default: &eerulesRepos
+              description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
+              global: True
+              advanced: True
+              forcedType: "[]{}"
+              helpLink: sigma.html
+            airgap: *eerulesRepos
           sigmaRulePackages:
             description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
             global: True
@@ -205,11 +207,13 @@ soc:
             advanced: True
             helpLink: yara.html
           rulesRepos:
-            description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
-            global: True
-            advanced: True
-            forcedType: "[]{}"
-            helpLink: yara.html
+            default: &serulesRepos
+              description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
+              global: True
+              advanced: True
+              forcedType: "[]{}"
+              helpLink: yara.html
+            airgap: *serulesRepos
         suricataengine:
           allowRegex:
             description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'