Refactor to String

To accommodate the config screen, the annotation now specifies it as a multiline string with YAML syntax. The user can edit the YAML to add or remove queries. The UI will parse the YAML before use.

Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
Corey Ogburn
2024-10-09 12:54:55 -06:00
parent c77b0afd8e
commit ad0b0a5e95
2 changed files with 9 additions and 6 deletions


@@ -2263,13 +2263,14 @@ soc:
- name: "Detections with Overrides"
query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
description: Show Detections that have Overrides
detectionEngineStatusQueries:
detectionEngineStatusQueries: |
suricata:
IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
default:
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
elastalert:
IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
strelka:
IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
detection:
showUnreviewedAiSummaries: false
presets:
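Review bot: The `default:` line added under `suricata:` has no value as rendered here, and neither `elastalert:` nor `strelka:` gets a matching entry. Indentation is lost on this page, so the nesting cannot be confirmed, but a bare key parses as null; if this is the fallback entry the annotation describes, the UI's fallback path would presumably receive null instead of a query string. Either give it an explicit query for all three engines or drop it. Separately, the new IntegrityFailure queries no longer include `tags:so-soc`, so they match any event carrying that `event.action` and `soc.fields.detectionEngine` value; confirm only SOC logs can set those fields, or keep the tag filter.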


@@ -464,9 +464,11 @@ soc:
detections:
<<: *appSettings
detectionEngineStatusQueries:
description: Queries mapped to the detection engine status.
description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
global: True
forcedType: "{}"
syntax: yaml
multiline: True
forcedType: "string"
detection:
showUnreviewedAiSummaries:
description: Show AI summaries in detections even if they have not yet been reviewed by a human.
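Review bot: The new `description` lists the accepted status names but not the structure the parser expects, and with `forcedType: "string"` and `multiline: True` nothing visible in this hunk validates the text before the UI parses it. The setting is `global: True`, so a malformed edit presumably applies grid-wide. The UI code, which is not shown here, should reject anything that is not a mapping of engine to status to query string and fall back to the shipped defaults when parsing fails. I would add a sentence to the description such as `Top-level keys are detection engines ("suricata", "elastalert", "strelka"); each maps a status name to a query string.` and change "will fallback" to "will fall back". The enclosing `soc:` mapping starts outside the hunk.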