Move to Client/Detections

Added a basic annotation.
2025-12-06 17:22:49 +01:00 · 2024-10-09 08:40:54 -06:00
parent 04ebe4efea
commit c77b0afd8e
2 changed files with 13 additions and 8 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1447,13 +1447,6 @@ soc:
        casesEnabled: true
        detectionsEnabled: true
        inactiveTools: ['toolUnused']
-        detectionEngineStatusQueries:
-          suricata:
-            IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
-          elastalert:
-            IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
-          strelka:
-            IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
        tools:
          - name: toolKibana
            description: toolKibanaHelp
@@ -2270,6 +2263,13 @@ soc:
            - name: "Detections with Overrides"
              query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
              description: Show Detections that have Overrides
+          detectionEngineStatusQueries:
+            suricata:
+              IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+            elastalert:
+              IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+            strelka:
+              IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
        detection:
          showUnreviewedAiSummaries: false
          presets:
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -461,7 +461,12 @@ soc:
        alerts: *appSettings
        cases: *appSettings
        dashboards: *appSettings
-        detections: *appSettings
+        detections:
+          <<: *appSettings
+          detectionEngineStatusQueries:
+            description: Queries mapped to the detection engine status.
+            global: True
+            forcedType: "{}"
        detection:
          showUnreviewedAiSummaries:
            description: Show AI summaries in detections even if they have not yet been reviewed by a human.