From 6ce52bf9aba7946f5022640100b44397fa5cfa23 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 24 Oct 2024 13:11:49 -0600
Subject: [PATCH] Specify Defaults for detectionEngineStatusQueries
Specify the defaults as an example to the user.
---
 salt/soc/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 00468e7a0..6a9a1bfc6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2265,10 +2265,13 @@ soc:
 description: Show Detections that have Overrides
 detectionEngineStatusQueries: |
 suricata:
+ default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 elastalert:
+ default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 strelka:
+ default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 detection:
 showUnreviewedAiSummaries: false
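Review bot: The three new `default` queries select the engine with a bare free-text term (`tags:so-soc AND suricata`), while the `IntegrityFailure` query on the next line of each engine pins it with `soc.fields.detectionEngine:"suricata"`, so the default view can pull in any so-soc document that merely mentions the engine name in some other field. If the field filter is what is meant, `default: 'tags:so-soc AND soc.fields.detectionEngine:"suricata" | groupby log.level | groupby event.action | groupby soc.fields.error'` (and the same substitution for the elastalert and strelka lines) keeps the defaults consistent with their siblings; if the looser match is deliberate, that is worth stating in the commit message, since this key appears to be the fallback query shown to users. These lines live inside the `detectionEngineStatusQueries: |` block scalar, so their indentation is part of the string the SOC consumer parses later, and the collapsed patch text does not allow that to be checked here. The enclosing `soc:` mapping starts and ends outside the hunk.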