diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 62873ebdd..0319c6c81 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -28,7 +28,8 @@ so-soc:
 - /opt/so/conf/sigma:/opt/sensoroni/sigma:rw
 - /opt/so/conf/suricata:/opt/sensoroni/suricata:rw
 - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
- - /opt/so/rules/nids/suri:/opt/sensoroni/nids:rw
+ - /opt/so/saltstack/local/salt/suricata/rules:/opt/sensoroni/suricata/rules:rw
+ - /opt/so/saltstack/local/salt/suricata/files:/opt/sensoroni/suricata/threshold:rw
 - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
 - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
 - /nsm/soc/uploads:/nsm/soc/uploads:rw
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
index 3379697bc..685aa66e7 100644
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
@@ -158,7 +158,10 @@ suriconfig:
 surithresholding:
 file.managed:
 - name: /opt/so/conf/suricata/threshold.conf
- - replace: False
+ - source: salt://suricata/files/threshold.conf
+ - user: 940
+ - group: 940
+ - contents: 'This file is managed by Security Onion. Do not modify by hand.'
 
 suriclassifications:
 file.managed:
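Review bot: The two added binds give the SOC container read-write access to the Salt master's local state tree (`/opt/so/saltstack/local/salt/suricata/rules` and `.../files`), which — judging by the `salt://suricata/files/threshold.conf` source in the second file — is what Salt then pushes to every sensor, so a compromise of the web app becomes write access to fleet-wide Suricata rules and config rather than to one node's copy. The `files` bind in particular exposes the whole directory even though the target name `/opt/sensoroni/suricata/threshold` suggests only threshold.conf is wanted; if so, consider a dedicated subdirectory holding just that file (a single-file bind breaks when the writer replaces the file by rename) and `ro` for any path SOC only reads. Both new targets also sit under the existing `/opt/so/conf/suricata:/opt/sensoroni/suricata:rw` bind, which works because the parent is listed first, so a comment such as `# nested under /opt/sensoroni/suricata; keep the parent bind above these` would stop a later reorder from silently shadowing them. Nothing in this hunk shows whether sensoroni still references the removed `/opt/sensoroni/nids` path; worth checking the config it reads.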
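Review bot: `surithresholding` now passes both `source:` and `contents:` to `file.managed`, and Salt's file.managed refuses `source` in combination with `contents`, so this state should fail on the next highstate; even if it were accepted, `contents` replaces the entire file with that one sentence rather than prepending a banner. Put the "managed by Security Onion" line into `salt://suricata/files/threshold.conf` itself as a `#` comment and drop the `contents:` argument. Removing `replace: False` means the file is now overwritten from the Salt source on every run, which is presumably the intent now that SOC edits the source copy, but hand edits on existing deployments will be lost on upgrade and that deserves a release note. The state also sets `user`/`group` 940 without `mode`, so permissions are whatever the existing file or Salt's default gives; if threshold.conf should not be world-readable add an explicit `- mode: 640`.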