Deprecate instead

salt/soc/defaults.yaml

@@ -1327,6 +1327,10 @@ soc:
           showAiSummaries: true
           autoUpdateEnabled: true
           autoEnabledSigmaRules:
+            default: []
+            so-eval: []
+            so-import: []
+          enabledSigmaRules:
             default: |-
               # SOS - resources ruleset
               - ruleset: ["securityonion-resources"]

salt/soc/merged.map.jinja

@@ -35,13 +35,21 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
-{# set Sigma rules based on role if defined and default if not #}
+{# set enabled Sigma rules based on role if defined and default if not #}
+{# this particular config is deprecated as of 2.4.120 - use enabledSigmaRules instead #}
 {% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
 {% else %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
+{# set enabled Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules.default}) %}
+{% endif %}
+
 {# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
 {% if GLOBALS.airgap %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}

salt/soc/soc_soc.yaml

@@ -215,8 +215,8 @@ soc:
               duplicates: True
               forcedType: string
               jinjaEscaped: True
-          autoEnabledSigmaRules:
-            default: &autoEnabledSigmaRules
+          enabledSigmaRules:
+            default: &enabledSigmaRules
               description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
               global: True
               advanced: True
@@ -226,6 +226,14 @@ soc:
               duplicates: True
               forcedType: string
               jinjaEscaped: True
+            so-eval: *enabledSigmaRules
+            so-import: *enabledSigmaRules
+          autoEnabledSigmaRules:
+            default: &autoEnabledSigmaRules
+              description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.'
+              global: True
+              advanced: True
+              helpLink: sigma.html
             so-eval: *autoEnabledSigmaRules
             so-import: *autoEnabledSigmaRules
           communityRulesImportFrequencySeconds: