From cbb4d6846f98e4664fa704c980691db06f7f1ac8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 8 Oct 2024 14:52:49 -0600
Subject: [PATCH] Detection Engine Status Queries

A few for testing
---
 salt/soc/defaults.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 00c45e5c5..bcdccf9ca 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1447,6 +1447,13 @@ soc:
 casesEnabled: true
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
+ detectionEngineStatusQueries:
+ - suricata:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ - elastalert:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ - strelka:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
 description: toolKibanaHelp
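Review bot: The three IntegrityFailure queries added under detectionEngineStatusQueries are coupled to the exact text "integrity check failed; discrepancies found" in soc.fields.error, so if the code that emits that error ever rewords it, the status check silently stops matching and an integrity failure goes unreported; a comment above the key should name that dependency, e.g. `# Phrase must match the error string emitted by the engine integrity check exactly; a wording change there silently disables this status.` The query is otherwise repeated three times differing only in the detectionEngine value, which invites drift when one copy is edited — if the consumer allows it, a single query template or a mapping keyed by engine name (`suricata:` / `elastalert:` / `strelka:` as keys rather than a sequence of one-key maps) would be easier to look up and maintain, though the consumer's schema is not visible here. The single-quoting is correct given the embedded `: ` and `"`, and since these ship as Salt defaults rather than test fixtures the commit body "A few for testing" is worth reconciling with the change. The enclosing `soc:` mapping starts and ends outside the hunk.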