diff --git a/pillar/top.sls b/pillar/top.sls
index 0c4c11957..c16b556d1 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@ base:
 '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
 - match: compound
 - zeek
+ - bpf.soc_bpf
+ - bpf.adv_bpf
 '*_managersearch or *_heavynode':
 - match: compound
diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml
index 329537494..e9bc76dfb 100644
--- a/salt/bpf/defaults.yaml
+++ b/salt/bpf/defaults.yaml
@@ -1,4 +1,5 @@
 bpf:
- pcap: []
- suricata: []
- zeek: []
\ No newline at end of file
+ pcap: []
+ suricata: []
+ zeek:
+ - ip or not ip
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 86e4c0ee8..0474b2e62 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,10 +1,13 @@
 bpf:
 pcap:
 description: List of BPF filters to apply to PCAP.
+ multiline: True
 helpLink: bpf.html
 suricata:
 description: List of BPF filters to apply to Suricata.
+ multiline: True
 helpLink: bpf.html
 zeek:
 description: List of BPF filters to apply to Zeek.
+ multiline: True
 helpLink: bpf.html
diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja
new file mode 100644
index 000000000..1bfb6799e
--- /dev/null
+++ b/salt/bpf/zeek.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set ZEEKBPF = BPFMERGED.zeek %}
diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja
index 2efabefed..0e49a327d 100644
--- a/salt/vars/standalone.map.jinja
+++ b/salt/vars/standalone.map.jinja
@@ -1,12 +1,14 @@
 {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
 {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
 {% set ROLE_GLOBALS = {} %}
 {% set STANDALONE_GLOBALS = [
 ELASTICSEARCH_GLOBALS,
- LOGSTASH_GLOBALS
+ LOGSTASH_GLOBALS,
+ SENSOR_GLOBALS
 ] %}
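Review bot: The new `bpf.soc_bpf` and `bpf.adv_bpf` entries in the sensor-class compound target reference pillar SLS files that are not part of this diff; if `pillar/bpf/soc_bpf.sls` or `pillar/bpf/adv_bpf.sls` is not already on the master, pillar compilation for every `*_sensor`/`*_standalone`/`*_heavynode`/`*_import` minion logs a "Specified SLS ... is not available" error and the `bpf` key those minions receive is incomplete. If the files ship in a separate commit, say so in the description. Both files populate the same `bpf:` key and top-file order decides which wins on conflicting values, so a one-line comment stating the intended precedence would help the next reader, e.g. `# adv_bpf is listed after soc_bpf so hand-maintained filters take precedence over SOC UI values` (adjust if the intent is the reverse).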
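Review bot: The new Zeek default `ip or not ip` is a tautology that matches every packet, and it is the same literal that `salt/zeek/init.sls` writes as its fallback when compilation fails, so the value now lives in two files with nothing explaining why only `zeek` gets a non-empty default while `pcap` and `suricata` stay `[]`. A comment on the entry would save a trip through init.sls, e.g. `# tautology matching all traffic; keeps the Zeek list non-empty so zeek/init.sls always takes the compile path (must match the fallback literal there)`. If the asymmetry with pcap/suricata is intentional, state that in the same comment.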
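Review bot: `multiline: True` on the three added lines uses a capitalised boolean while every other scalar in the file is lowercase, and yamllint's `truthy` rule flags `True`; write `multiline: true` in all three places. Behaviour is unchanged since YAML 1.1 and 1.2 both parse `True` as a boolean, so this is consistency only.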
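Review bot: `salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True)` leaves list handling to the master's `pillar_merge_lists` setting, so on a master where that is enabled the default `['ip or not ip']` is kept and the operator's lines are appended rather than replacing it; the joined expression handed to `so-bpf-compile` in zeek/init.sls would then be malformed (`ip or not ip not host ...`), fail to compile, and the sensor would silently fall back to capturing everything, discarding the intended filter. Make the list semantics explicit: `{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True, merge_nested_lists=False) %}`. If I am misreading pillar.get's merge behaviour for the Salt version in use, a comment stating that pillar lists are expected to replace the defaults wholesale is still worth adding here.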
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 18e8a4d8a..a21bf3389 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -102,4 +102,3 @@ zeek:
 - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
 - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
 - application/vnd.openxmlformats-officedocument: doc
- bpf: []
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 5cc6310b9..41103f399 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -10,6 +10,8 @@
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
+{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
+
 {% set BPF_STATUS = 0 %}
 # Zeek Salt State
@@ -162,8 +164,8 @@ zeekpacketlosscron:
 - dayweek: '*'
 # BPF compilation and configuration
-{% if ZEEKMERGED.zeek.bpf %}
-  {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
+{% if ZEEKBPF %}
+  {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
 {% if BPF_CALC['stderr'] == "" %}
 {% set BPF_STATUS = 1 %}
 {% else %}
@@ -181,7 +183,7 @@ zeekbpf:
 - user: 940
 - group: 940
 {% if BPF_STATUS %}
- - contents: {{ ZEEKMERGED.bpf }}
+ - contents: {{ ZEEKBPF }}
 {% else %}
 - contents:
 - "ip or not ip"
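Review bot: The `so-bpf-compile` result from the new `BPF_CALC` line is accepted on `BPF_CALC['stderr'] == ""` alone, so a run that exits non-zero without writing to stderr (script missing, bad interface, process killed) still sets `BPF_STATUS` to 1 and the unvalidated pillar expression is written into Zeek's BPF file, which can keep Zeek from starting and open a monitoring gap. Check the exit status too: `{% if BPF_CALC['retcode'] == 0 and BPF_CALC['stderr'] == "" %}`. Separately, `ZEEKBPF|join(" ")` is spliced unquoted into the argument string, so filter lines containing quotes or whitespace-sensitive tokens are re-tokenised by `cmd.script` before the compiler sees them; since the SOC config now marks these fields `multiline`, a comment stating what operator input is assumed (or passing the expression via the script's stdin) would be prudent. The `if`/`else` that sets `BPF_STATUS` continues past the end of the hunk.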
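Review bot: `- contents: {{ ZEEKBPF }}` writes the Python repr of the list into the rendered state, so it parses only because `['ip or not ip']` happens to be valid YAML flow syntax; a filter line containing both quote characters or a backslash would yield an unrenderable state or altered bytes on disk. Serialise it deliberately with Salt's YAML filter, `- contents: {{ ZEEKBPF|yaml }}`, which also makes the intent (one filter line per list entry) visible to the reader. The `zeekbpf` state starts before this hunk.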