From 9ef83da23f2f8d48476503ec75b04b62bfb26181 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 7 Jan 2022 12:58:35 -0500
Subject: [PATCH] Add case exclusion toggle to Hunt to avoid hunt results getting case data hits unintentionally
---
 salt/soc/files/soc/soc.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index f9dcc5bcc..126577edc 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -166,7 +166,9 @@
 "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
 "eventFields": {{ hunt_eventfields | json }},
 "queryBaseFilter": "",
- "queryToggleFilters": [],
+ "queryToggleFilters": [
+ { "name": "caseExcludeToggle", "filter": "NOT _index:so-case*", "enabled": true }
+ ],
 "queries": {{ hunt_queries | json }},
 "actions": {{ menu_actions | json }}
 },
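Review bot: The new `caseExcludeToggle` entry in `queryToggleFilters` is enabled by default and matches by prefix wildcard (`NOT _index:so-case*`), so every Hunt query drops hits from any index whose name starts with `so-case`, and nothing in the file records that default. Because it sits in the toggle list rather than in `queryBaseFilter`, it looks like a user-switchable noise filter and should not be relied on to keep case data away from analysts; if that restriction is wanted, it belongs in the index permissions. The file appears to be Jinja-rendered, so a template comment above the entry would document the intent without breaking the JSON, e.g. `{# caseExcludeToggle: default-on noise filter hiding so-case* indices from Hunt; not an access control #}`. The enclosing object starts outside the hunk, so whether other modules carry the same exclusion cannot be checked from here.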