set Sigma rules based on role if defined and default if not

salt/soc/defaults.yaml

@@ -1257,9 +1257,16 @@ soc:
           allowRegex: ''
           autoUpdateEnabled: true
           autoEnabledSigmaRules:
-            - core+critical
-            - securityonion-resources+critical
-            - securityonion-resources+high
+            default:
+              - core+critical
+              - securityonion-resources+critical
+              - securityonion-resources+high
+            so-eval:
+              - securityonion-resources+critical
+              - securityonion-resources+high
+            so-import:
+              - securityonion-resources+critical
+              - securityonion-resources+high
           communityRulesImportFrequencySeconds: 28800
           denyRegex: ''
           elastAlertRulesFolder: /opt/sensoroni/elastalert

salt/soc/merged.map.jinja

@@ -30,9 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
-{# do not automatically enable Sigma rules if install is Eval or Import #}
-{% if grains['role'] in ['so-eval', 'so-import'] %}
-  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': []}) %}
+{# set Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
 {# remove these modules if detections is disabled #}