diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9be17bcca..b66ae3bbe 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1257,9 +1257,16 @@ soc:
           allowRegex: ''
           autoUpdateEnabled: true
           autoEnabledSigmaRules:
-            - core+critical
-            - securityonion-resources+critical
-            - securityonion-resources+high
+            default:
+              - core+critical
+              - securityonion-resources+critical
+              - securityonion-resources+high
+            so-eval:
+              - securityonion-resources+critical
+              - securityonion-resources+high
+            so-import:
+              - securityonion-resources+critical
+              - securityonion-resources+high
           communityRulesImportFrequencySeconds: 28800
           denyRegex: ''
           elastAlertRulesFolder: /opt/sensoroni/elastalert
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index ae68dc01f..222566dba 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -30,9 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
-{# do not automatically enable Sigma rules if install is Eval or Import #}
-{% if grains['role'] in ['so-eval', 'so-import'] %}
-  {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': []}) %}
+{# set Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
 {# remove these modules if detections is disabled #}
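Review bot: The new `autoEnabledSigmaRules` mapping carries no comment saying that its keys are Salt role names and that `default` is mandatory, which matters because the renderer in merged.map.jinja falls back to `.default` for every role without its own entry, and an existing local pillar override that still supplies the old list form will no longer merge into the shape the renderer expects. Add above `default:` a comment such as `# keyed by Salt role (so-eval, so-import, ...); 'default' is used for any role without its own entry and must remain present`. If the SOC config annotations for this key still describe it as a list, they presumably need the same change; that file is not in this diff, so verify.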
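Review bot: The `else` branch dereferences `.default` unconditionally, so a deployment whose local pillar still overrides `autoEnabledSigmaRules` with the pre-change list form, or with a mapping that lacks a `default` key, renders an undefined value into the SOC config instead of a rule set, and the `in` test on the preceding line would then silently compare the role name against list elements rather than keys. Resolving the role-keyed value through `.get()` behind a type guard keeps the fallback explicit and turns the failure mode into "leave the value as supplied" rather than a render error or an empty key. The rest of the template continues outside the hunk.

```jinja
{# set Sigma rules based on role if defined and default if not #}
{% set sigma_rules = SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
{% if sigma_rules is mapping %}
  {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': sigma_rules.get(GLOBALS.role, sigma_rules.get('default', []))}) %}
{% endif %}
```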