diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
new file mode 100644
index 000000000..e6b682690
--- /dev/null
+++ b/salt/common/tools/sbin/so-yara-update
@@ -0,0 +1,84 @@
+#!/bin/bash
+output_dir="/opt/so/saltstack/default/salt/strelka/rules"
+#mkdir -p $output_dir
+repos="$output_dir/repos.txt"
+ignorefile="$output_dir/ignore.txt"
+
+deletecounter=0
+newcounter=0
+updatecounter=0
+
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
+
+if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
+
+ while IFS= read -r repo; do
+
+ # Remove old repo if existing bc of previous error condition or unexpected disruption
+ repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+ [ -d $repo_name ] && rm -rf $repo_name
+
+ # Clone repo and make appropriate directories for rules
+ git clone $repo
+ echo "Analyzing rules from $repo_name..."
+ mkdir -p $output_dir/$repo_name
+ [ -f $repo_name/LICENSE ] && cp $repo_name/LICENSE $output_dir/$repo_name
+
+ # Copy over rules
+ for i in $(find $repo_name -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ repo_sum=$(sha256sum $i | awk '{print $1}')
+
+ # Check rules against those in ignore list -- don't copy if ignored.
+ if ! grep -iq $rule_name $ignorefile; then
+ existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
+
+ # For existing rules, check to see if they need to be updated, by comparing checksums
+ if [ $existing_rules -gt 0 ];then
+ local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+ if [ "$repo_sum" != "$local_sum" ]; then
+ echo "Checksums do not match!"
+ echo "Updating $rule_name..."
+ cp $i $output_dir/$repo_name;
+ ((updatecounter++))
+ fi
+ else
+ # If rule doesn't exist already, we'll add it
+ echo "Adding new rule: $rule_name..."
+ cp $i $output_dir/$repo_name
+ ((newcounter++))
+ fi
+ fi;
+ done
+
+ # Check to see if we have any old rules that need to be removed
+ for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+ is_repo_rule=$(find $repo_name -name "$i" | wc -l)
+ if [ $is_repo_rule -eq 0 ]; then
+ echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
+ rm $output_dir/$repo_name/$i
+ ((deletecounter++))
+ fi
+ done
+ #rm -rf $repo_name
+ done < $repos
+
+ echo "Done!"
+
+ if [ "$newcounter" -gt 0 ];then
+ echo "$newcounter new rules added."
+ fi
+
+ if [ "$updatecounter" -gt 0 ];then
+ echo "$updatecounter rules updated."
+ fi
+
+ if [ "$deletecounter" -gt 0 ];then
+ echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
+ fi
+
+else
+ echo "Server returned $gh_status status code."
+ echo "No connectivity to Github...exiting..."
+ exit 1
+fi
diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt
new file mode 100644
index 000000000..a803f8c28
--- /dev/null
+++ b/salt/strelka/rules/ignore.txt
@@ -0,0 +1,4 @@
+generic_anomalies.yar
+general_cloaking.yar
+thor_inverse_matches.yar
+yara_mixed_ext_vars.yar
diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt
new file mode 100644
index 000000000..e26687ea9
--- /dev/null
+++ b/salt/strelka/rules/repos.txt
@@ -0,0 +1 @@
+https://github.com/Neo23x0/signature-base
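Review bot: A failed `git clone $repo` is never checked, and because the script does not use `set -e` the later "old rules" loop then finds no source copy of any rule and removes every existing file under `$output_dir/$repo_name`, so a transient clone failure empties the deployed rule set for that repo. Guarding it with `git clone -- "$repo" || { echo "clone of $repo failed, skipping" >&2; continue; }` keeps the previous rules in place. The ignore check `grep -iq $rule_name $ignorefile` treats the rule name as an unanchored regex, so `.` matches any character and a short name matches any longer line containing it; `grep -iqxF -- "$rule_name" "$ignorefile"` matches whole lines literally. The expansions of `$repo`, `$repo_name`, `$i` and `$output_dir` are unquoted throughout, including in `rm -rf $repo_name` and `rm $output_dir/$repo_name/$i`, and `repo_name` is derived from a config-file URL with no validation, so quoting them and rejecting an empty or dot-only name before the `rm` calls would be safer, and `for i in $(find …)` also splits on whitespace in paths. Separately, the reachability probe targets `http://github.com` while repos.txt uses https, so a 200/301 there does not establish that the clone endpoint is reachable.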