Update default queries

This commit is contained in:
DefensiveDepth
2024-04-19 16:33:35 -04:00
parent 6c6647629c
commit a237ef5d96
2 changed files with 3 additions and 5 deletions


@@ -2128,14 +2128,11 @@ soc:
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections
- name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled"
query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category"
description: Show all NIDS Detections, which are run with Suricata
- name: "Detection Type - Sigma (Elastalert) - All"
query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled"
query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category | groupby so_detection.product"
description: Show all Sigma Detections, which are run with Elastalert
- name: "Detection Type - Sigma (Elastalert) - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*" | groupby so_detection.ruleset so_detection.isEnabled'
description: Show all Sigma Detections with a logsource of Windows
- name: "Detection Type - YARA (Strelka)"
query: "so_detection.language:yara | groupby so_detection.ruleset so_detection.isEnabled"
description: Show all YARA detections, which are used by Strelka
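Review bot: The entry name `Detection Type - Sigma (Elastalert) - All` keeps its `- All` suffix although the only sibling entry that justified it, `Detection Type - Sigma (Elastalert) - Windows`, appears to be dropped by this hunk (inferred from the 5-deletion count; it is printed without a replacement); the name should read like the other single-entry types, `- name: "Detection Type - Sigma (Elastalert)"`. The descriptions of the Suricata and Sigma entries also say nothing about what the new `groupby so_detection.category` / `groupby so_detection.product` clauses add, e.g. `description: Show all Sigma Detections, which are run with Elastalert, grouped by ruleset, enabled state, category and product`. The `soc:` mapping continues on both sides of the hunk.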


@@ -43,6 +43,7 @@ def compile_yara_rules(rules_dir):
"event.dataset": "soc.detections",
"log.level": "error",
"error.message": error_message,
"error.analysis": "syntax error",
"detection_type": "yara",
"rule.uuid": rule_id,
"error.type": "runtime_status"
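Review bot: `"error.analysis": "syntax error"` is a fixed label while `error.message` carries the actual `error_message`, so if this record is emitted on every failure path of compile_yara_rules (the surrounding try/except is outside the hunk) a compile failure with another cause would be misclassified in the `soc.detections` dataset; either derive the label from the failure or make the assumption explicit with `# error.analysis is a fixed label: every compile failure is reported as "syntax error"`. Whichever of these fields the hunk adds, the record's field set is what SOC dashboards and alerts keying on `error.analysis` / `error.type` depend on, so it is worth listing them in the docstring of compile_yara_rules. compile_yara_rules starts and ends outside the hunk.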