diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 655e99f6c..86a726925 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -356,6 +356,7 @@ preupgrade_changes() {
   [[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30
   [[ "$INSTALLEDVERSION" == 2.4.30 ]] && up_to_2.4.40
   [[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50
+  [[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60
   true
 }
 
@@ -371,6 +372,7 @@ postupgrade_changes() {
   [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30
   [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40
   [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50
+  [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60
   true
 }
 
@@ -427,6 +429,11 @@ post_to_2.4.50() {
   POSTVERSION=2.4.50
 }
 
+post_to_2.4.60() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.60
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -556,6 +563,14 @@ up_to_2.4.50() {
   INSTALLEDVERSION=2.4.50
 }
 
+up_to_2.4.60() {
+  echo "Creating directory to store Suricata classification.config"
+  mkdir -vp /opt/so/saltstack/local/salt/suricata/classification
+  chown socore:socore /opt/so/saltstack/local/salt/suricata/classification
+
+  INSTALLEDVERSION=2.4.60
+}
+
 determine_elastic_agent_upgrade() {
   if [[ $is_airgap -eq 0 ]]; then
     update_elastic_agent_airgap
diff --git a/salt/suricata/classification/classification.config b/salt/suricata/classification/classification.config
new file mode 100644
index 000000000..220736c94
--- /dev/null
+++ b/salt/suricata/classification/classification.config
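Review bot: In up_to_2.4.60 the `mkdir -vp` and `chown socore:socore` calls are unchecked, so a failure of either still leaves INSTALLEDVERSION=2.4.60 recorded and the upgrade continues without the directory that the SOC-managed classification.config presumably gets written into. The surrounding script fails loudly on comparable steps (`su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."`), so the new lines should match: `mkdir -vp /opt/so/saltstack/local/salt/suricata/classification || fail "Unable to create Suricata classification directory."` and `chown socore:socore /opt/so/saltstack/local/salt/suricata/classification || fail "Unable to chown Suricata classification directory."`. The directory mode is also left to the caller's umask; if it is meant to be readable only by socore/salt, set it explicitly with a `chmod` rather than relying on the umask — I cannot see what permissions sibling local directories use.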
@@ -0,0 +1,51 @@
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: inappropriate-content,Inappropriate Content was Detected,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: command-and-control,Malware Command and Control Activity Detected,1
diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls
index 3ec1324bf..00364f384 100644
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
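Review bot: Two entries break the separator format used by every other line — `config classification: bad-unknown,Potentially Bad Traffic, 2` and `config classification: trojan-activity,A Network Trojan was detected, 1` carry a space before the priority. Suricata's classification parser appears to tolerate surrounding whitespace, but since this file becomes the template operators edit from the UI, normalise them to `,2` and `,1` so anyone copying a line gets a consistent shape. The header comment only states the field order; the content appears to mirror the default classification.config shipped with Suricata, so record that, e.g. `# Based on the default classification.config shipped with Suricata; review when Suricata is upgraded.`, so these priorities are understood as upstream defaults rather than Security Onion tuning.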
@@ -129,6 +129,13 @@ surithresholding:
     - group: 940
     - template: jinja
 
+suriclassifications:
+  file.managed:
+    - name: /opt/so/conf/suricata/classification.config
+    - source: salt://suricata/classification/classification.config
+    - user: 940
+    - group: 940
+
 # BPF compilation and configuration
 {% if SURICATABPF %}
 {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index ce309e41a..94b95ff5d 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -27,6 +27,7 @@ so-suricata:
     - binds:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
+      - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
       - /nsm/suricata/:/nsm/:rw
@@ -49,10 +50,12 @@ so-suricata:
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
       - file: /opt/so/conf/suricata/bpf
+      - file: suriclassifications
     - require:
       - file: suriconfig
       - file: surithresholding
       - file: suribpf
+      - file: suriclassifications
 
 delete_so-suricata_so-status.disabled:
   file.uncomment:
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 30f277c0a..b54a44cbc 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -11,6 +11,14 @@ suricata:
       multiline: True
       title: SIDS
       helpLink: suricata.html
+  classification:
+    classification__config:
+      description: Classifications config file.
+      file: True
+      global: True
+      multiline: True
+      title: Classifications
+      helpLink: suricata.html
   config:
     af-packet:
       interface:
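Review bot: The new `suriclassifications` state sets `user`/`group` but no `mode`, so the permissions of /opt/so/conf/suricata/classification.config are whatever file.managed's default yields on that minion; the mode used by the neighbouring `surithresholding` state is outside the hunk, so I cannot tell whether this matches it. The file is bind-mounted read-only into the container, so an explicit `- mode: 644` (or whatever the sibling states use) is sufficient and makes the intent visible. Separately, this state is correctly left un-templated: the content appears to be operator-editable from SOC (soc_suricata.yaml marks it `file: True`), and rendering it with `template: jinja` would evaluate operator-supplied text as Jinja on the minion, so add `# not templated on purpose: content is operator-editable from SOC` above it so nobody adds `template: jinja` later for consistency with surithresholding.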
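Review bot: The `description` for `classification__config` ("Classifications config file.") tells an operator nothing about what the field is or what saving it triggers; since enabled.sls watches the managed file, an edit appears to restart Suricata on every sensor, which is worth stating here. Suggest `description: Suricata classification.config, mapping alert classtypes to descriptions and default priorities. Saving changes restarts Suricata on all sensors.` The `global: True` flag means there is no per-node override of this file, which matches the single bind in enabled.sls, but confirm that is intended rather than inherited from the `rules` annotation above.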