From 927fe9039d1dca052e96cbfcdd3db380fe49b672 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 13 Mar 2024 20:50:03 -0400
Subject: [PATCH] handle airgap when detections not enabled

---
 salt/soc/merged.map.jinja | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index 2012917af..57abe7a48 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -35,18 +35,18 @@
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}
 {%   do SOCMERGED.config.server.modules.pop('strelkaengine') %}
 {%   do SOCMERGED.config.server.modules.pop('suricataengine') %}
+{% elif pillar.global.airgap %}
+  {# if system is Airgap, don't autoupdate Yara & Sigma rules #}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
+  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
+{% endif %}
+
 {% endif %}
 
 {% if pillar.manager.playbook == 0 %}
 {%   do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
 
-{# if system is Airgap, don't autoupdate Yara & Sigma rules #}
-{% if pillar.global.airgap %}
-  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
-  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
-{% endif %}
-
 {% set standard_actions = SOCMERGED.config.pop('actions') %}
 
 {% if pillar.global.endgamehost != '' %}