From 7259a5346b80cd481a44d822ee769afe6ffb3ea6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 13 Nov 2019 13:49:34 -0500
Subject: [PATCH] Update osquery.template

---
 salt/soctopus/files/templates/osquery.template | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index 096921618..5f1c6961a 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -11,6 +11,12 @@ hive_proxies:
   http: ''
   https: ''
 
+hive_observable_data_mapping:
+  - ip: '{match[osquery][EndpointIP1]}'
+  - ip: '{match[osquery][EndpointIP2]}'
+  - other: '{match[osquery][hostIdentifier]}'
+  - other: '{match[osquery][hostname]}'
+
 hive_alert_config:
   title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
   type: 'osquery'
@@ -23,9 +29,4 @@ hive_alert_config:
   follow: True
   caseTemplate: '5000'
 
-
-hive_observable_data_mapping:
-  - ip: '{match[osquery][EndpointIP1]}'
-  - ip: '{match[osquery][EndpointIP2]}'
-  - other: '{match[osquery][hostIdentifier]}'
-  - other: '{match[osquery][hostname]}'
+
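Review bot: The relocated `hive_observable_data_mapping` block in the first hunk references `EndpointIP1`, `EndpointIP2` and `hostIdentifier` unconditionally, and nothing in the template says what happens when an osquery result lacks one of those keys, so whether the alerter skips that observable or fails the whole alert should be confirmed before relying on this mapping for incident enrichment. The `hostname` value is mapped as an `other` observable; if the target TheHive instance has the `hostname` observable type enabled, `- hostname: '{match[osquery][hostname]}'` would let analysts correlate it across cases rather than leaving it as free text. A one-line comment above the block, such as `# Observable fields below must be present in the osquery match; confirm alerter behaviour on a missing key`, would record that assumption for whoever next edits the template.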