Merge pull request #14301 from Security-Onion-Solutions/truefalse

Update annotations for new features

salt/global/soc_global.yaml

@@ -12,11 +12,18 @@ global:
   mdengine:
     description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
     regex: ^(ZEEK|SURICATA)$
+    options:
+      - ZEEK
+      - SURICATA
     regexFailureMessage: You must enter either ZEEK or SURICATA.
     global: True
   pcapengine:
     description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
     regex: ^(STENO|SURICATA|TRANSITION)$
+    options:
+      - STENO
+      - SURICATA
+      - TRANSITION
     regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
     global: True
   ids:
@@ -38,6 +45,9 @@ global:
   pipeline:
     description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license.
     regex: ^(REDIS|KAFKA)$
+    options:
+      - REDIS
+      - KAFKA
     regexFailureMessage: You must enter either REDIS or KAFKA.
     global: True
     advanced: True

salt/soc/soc_soc.yaml

@@ -63,6 +63,31 @@ soc:
       description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
       global: True
       forcedType: "[]{}"
+      syntax: json
+      uiElements:
+      - field: name
+        label: Name
+        required: True
+      - field: description
+        label: Description
+      - field: icon
+        label: Icon
+      - field: links
+        label: Links
+        required: True
+        forcedType: "[]string"
+        multiline: True
+      - field: target
+        label: Target
+      - field: jscall
+        label: JavaScript Call
+      - field: category
+        label: Category
+        options:
+        - hunt
+        - alerts
+        - dashboards
+        forcedType: "[]string"
     eventFields:
       default: &eventFields
         description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
@@ -495,6 +520,19 @@ soc:
             description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
             global: True
             forcedType: "[]{}"
+            syntax: json
+            uiElements:
+            - field: name
+              label: Name
+              required: True
+            - field: description
+              label: Description
+            - field: query
+              label: Query
+              required: True
+            - field: showSubtitle
+              label: Show Query in Dropdown. 
+              forcedType: bool
           queryToggleFilters:
             description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
             global: True