enabled/disable soc in ui

2025-12-06 09:12:45 +01:00 · 2023-05-11 15:33:16 -04:00
parent a3b97b40ba
commit 8e18986671
11 changed files with 2256 additions and 2142 deletions
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -302,6 +302,13 @@ function add_soctopus_to_minion() {
 	"  " >> $PILLARFILE
 }

+function add_soc_to_minion() {
+    printf '%s\n'\
+    "soc:"\
+    "  enabled: True"\
+	"  " >> $PILLARFILE
+}
+
 function create_fleet_policy() {

 	JSON_STRING=$( jq -n \
@@ -356,6 +363,7 @@ function createEVAL() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }

 function createSTANDALONE() {
@@ -372,6 +380,7 @@ function createSTANDALONE() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }

 function createMANAGER() {
@@ -386,6 +395,7 @@ function createMANAGER() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }

 function createMANAGERSEARCH() {
@@ -400,6 +410,7 @@ function createMANAGERSEARCH() {
 	add_influxdb_to_minion
 	add_nginx_to_minion
 	add_soctopus_to_minion
+	add_soc_to_minion
 }

 function createIMPORT() {
@@ -409,6 +420,7 @@ function createIMPORT() {
 	add_telegraf_to_minion
 	add_influxdb_to_minion
 	add_nginx_to_minion
+	add_soc_to_minion
 }

 function createFLEET() {
@@ -418,6 +430,7 @@ function createFLEET() {
 	update_fleet_host_urls
 	update_logstash_outputs
 	add_telegraf_to_minion
+	add_nginx_to_minion
 }

 function createIDH() {
@@ -433,21 +446,18 @@ function createHEAVYNODE() {
 	add_redis_to_minion
 	add_curator_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 }

 function createSENSOR() {
 	add_sensor_to_minion
 	add_strelka_strelka_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 }

 function createSEARCHNODE() {
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_telegraf_to_minion
-	add_nginx_to_minion
 	updateMine
 	apply_ES_state
 }
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -0,0 +1,115 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - manager.sync_es_users
+
+socdir:
+  file.directory:
+    - name: /opt/so/conf/soc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socdatadir:
+  file.directory:
+    - name: /nsm/soc/jobs
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+soclogdir:
+  file.directory:
+    - name: /opt/so/log/soc
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socsaltdir:
+  file.directory:
+    - name: /opt/so/conf/soc/salt
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+socconfig:
+  file.managed:
+    - name: /opt/so/conf/soc/soc.json
+    - source: salt://soc/files/soc/soc.json.jinja
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+    - show_changes: False
+
+socmotd:
+  file.managed:
+    - name: /opt/so/conf/soc/motd.md
+    - source: salt://soc/files/soc/motd.md
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+socbanner:
+  file.managed:
+    - name: /opt/so/conf/soc/banner.md
+    - source: salt://soc/files/soc/banner.md
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+soc_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://soc/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+#soc_sbin_jinja:
+#  file.recurse:
+#    - name: /usr/sbin
+#    - source: salt://soc/tools/sbin_jinja
+#    - user: 939
+#    - group: 939 
+#    - file_mode: 755
+#    - template: jinja
+
+soccustom:
+  file.managed:
+    - name: /opt/so/conf/soc/custom.js
+    - source: salt://soc/files/soc/custom.js
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+soccustomroles:
+  file.managed:
+    - name: /opt/so/conf/soc/custom_roles
+    - source: salt://soc/files/soc/custom_roles
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+socusersroles:
+  file.exists:
+    - name: /opt/so/conf/soc/soc_users_roles
+    - require:
+      - sls: manager.sync_es_users
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -1,3 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER -%}
@@ -5,28 +10,28 @@
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}

 {% for module, application_url in GLOBALS.application_urls.items() %}
-{%   do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
+{%   do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %}
 {% endfor %}

 {# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #}
 {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %}
 {%   for m in minions.keys() %}
-{%     do SOCDEFAULTS.soc.server.modules.elastic.remoteHostUrls.append(m) %}
+{%     do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append(m) %}
 {%   endfor %}
 {% endfor %}

-{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}

-{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
-{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
-{% for tool in SOCDEFAULTS.soc.server.client.tools %}
+{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
+{% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
 {%   if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %}
 {%     do tool.update({'link': METRICS_LINK}) %}
 {%   endif %}
 {% endfor %}

-{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %}

-{% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
+{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}

 {% set SOCDEFAULTS = SOCDEFAULTS.soc %}
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1,4 +1,6 @@
 soc:
+  enabled: False
+  config:
    logFilename: /opt/sensoroni/logs/sensoroni-server.log
    logLevel: info
    actions:
--- a/salt/soc/disabled.sls
+++ b/salt/soc/disabled.sls
@@ -0,0 +1,31 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - soc.sostatus
+  
+so-soc:
+  docker_container.absent:
+    - force: True
+
+so-soc_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-soc$
+
+salt-relay:
+  cron.absent:
+    - identifier: salt-relay
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -0,0 +1,68 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
+
+include:
+  - soc.config
+  - soc.sostatus
+
+so-soc:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
+    - hostname: soc
+    - name: so-soc
+    - networks:
+      - sobridge:
+        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+    - binds:
+      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
+      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
+      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
+      - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
+      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
+      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
+      - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
+      - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
+      - /opt/so/saltstack:/opt/so/saltstack:rw
+    - extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
+    - watch:
+      - file: /opt/so/conf/soc/*
+    - require:
+      - file: socdatadir
+      - file: soclogdir
+      - file: socconfig
+      - file: socmotd
+      - file: socbanner
+      - file: soccustom
+      - file: soccustomroles
+      - file: socusersroles
+
+delete_so-soc_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-soc$
+
+salt-relay:
+  cron.present:
+    - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
+    - identifier: salt-relay
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/soc/files/soc/soc.json.jinja
+++ b/salt/soc/files/soc/soc.json.jinja
@@ -1,2 +1,2 @@
 {% from 'soc/merged.map.jinja' import SOCMERGED -%}
-{{ SOCMERGED | json(sort_keys=True, indent=4 * ' ') }}
+{{ SOCMERGED.config | json(sort_keys=True, indent=4 * ' ') }}
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -1,160 +1,13 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.

-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
+{% from 'soc/config.map.jinja' import SOCMERGED %}

 include:
-  - manager.sync_es_users
-
-socdir:
-  file.directory:
-    - name: /opt/so/conf/soc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socdatadir:
-  file.directory:
-    - name: /nsm/soc/jobs
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-soclogdir:
-  file.directory:
-    - name: /opt/so/log/soc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socsaltdir:
-  file.directory:
-    - name: /opt/so/conf/soc/salt
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-socconfig:
-  file.managed:
-    - name: /opt/so/conf/soc/soc.json
-    - source: salt://soc/files/soc/soc.json.jinja
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-    - show_changes: False
-
-socmotd:
-  file.managed:
-    - name: /opt/so/conf/soc/motd.md
-    - source: salt://soc/files/soc/motd.md
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-socbanner:
-  file.managed:
-    - name: /opt/so/conf/soc/banner.md
-    - source: salt://soc/files/soc/banner.md
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-soc_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://soc/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-#soc_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://soc/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-soccustom:
-  file.managed:
-    - name: /opt/so/conf/soc/custom.js
-    - source: salt://soc/files/soc/custom.js
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-soccustomroles:
-  file.managed:
-    - name: /opt/so/conf/soc/custom_roles
-    - source: salt://soc/files/soc/custom_roles
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
-socusersroles:
-  file.exists:
-    - name: /opt/so/conf/soc/soc_users_roles
-    - require:
-      - sls: manager.sync_es_users
-
-salt-relay:
-  cron.present:
-  - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
-  - identifier: salt-relay
-
-so-soc:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
-    - hostname: soc
-    - name: so-soc
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
-    - binds:
-      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
-      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
-      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
-      - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
-      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
-      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
-      - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
-      - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw
-      - /opt/so/saltstack:/opt/so/saltstack:rw
-    - extra_hosts: {{ DOCKER_EXTRA_HOSTS }}
-    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
-      - {{ BINDING }}
-      {% endfor %}
-    - watch:
-      - file: /opt/so/conf/soc/*
-    - require:
-      - file: socdatadir
-      - file: soclogdir
-      - file: socconfig
-      - file: socmotd
-      - file: socbanner
-      - file: soccustom
-      - file: soccustomroles
-      - file: socusersroles
-
-append_so-soc_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-soc
-
+{% if SOCMERGED.enabled %}
+  - soc.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
+  - soc.disabled
 {% endif %}
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -1,3 +1,8 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
 {% from 'logstash/map.jinja' import LOGSTASH_NODES %}
@@ -6,14 +11,14 @@

 {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}

-{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
-{% if SOCMERGED.server.modules.cases != 'soc' %}
-{%   do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
-{%   do SOCMERGED.server.client.update({'casesEnabled': false}) %}
-{%   do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
-{%   do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
-{%   if SOCMERGED.server.modules.cases == 'elasticcases' %}
-{%     do SOCMERGED.server.modules.update({
+{# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
+{% if SOCMERGED.config.server.modules.cases != 'soc' %}
+{%   do SOCMERGED.config.server.modules.elastic.update({'casesEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.update({'casesEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
+{%   do SOCMERGED.config.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
+{%   if SOCMERGED.config.server.modules.cases == 'elasticcases' %}
+{%     do SOCMERGED.config.server.modules.update({
         'elasticcases': {
           'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
           'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
@@ -23,13 +28,13 @@
 {%   endif %}
 {% endif %}
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
-{% do SOCMERGED.server.modules.pop('cases') %}
+{% do SOCMERGED.config.server.modules.pop('cases') %}

 {% if pillar.manager.playbook == 0 %}
-{%   do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %}
+{%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}

-{% set standard_actions = SOCMERGED.pop('actions') %}
+{% set standard_actions = SOCMERGED.config.pop('actions') %}
 {% if pillar.global.endgamehost is defined %}
 {%   set endgame_dict = {
       "name": "Endgame",
@@ -42,12 +47,12 @@
 {%   do standard_actions.append(endgame_dict) %}
 {% endif %}

-{%   do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %}
-{%   do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %}
-{%   do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.dashboards.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.update({'job': {'actions': standard_actions}}) %}
+{%   do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
+{%   do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}

-{% set standard_eventFields = SOCMERGED.pop('eventFields') %}
-{%   do SOCMERGED.server.client.hunt.update({'eventFields': standard_eventFields}) %}
-{%   do SOCMERGED.server.client.dashboards.update({'eventFields': standard_eventFields}) %}
+{% set standard_eventFields = SOCMERGED.config.pop('eventFields') %}
+{%   do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %}
+{%   do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -1,4 +1,8 @@
 soc:
+  enabled:
+    description: You can enable or disable SOC.
+    advanced: True
+  config:
    licenseKey:
      title: License Key
      description: Optional Security Onion license key to unlock enterprise features.
--- a/salt/soc/sostatus.sls
+++ b/salt/soc/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-soc_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-soc
+    - unless: grep -q so-soc /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}