diff --git a/pillar/top.sls b/pillar/top.sls
index 86de8709e..41d3265f0 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -60,6 +60,8 @@ base:
 - elasticsearch.adv_elasticsearch
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -94,6 +96,8 @@ base:
 - influxdb.adv_influxdb
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -125,6 +129,8 @@ base:
 - soc.soc_soc
 - backup.soc_backup
 - backup.adv_backup
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
@@ -197,6 +203,8 @@ base:
 - redis.adv_redis
 - influxdb.soc_influxdb
 - influxdb.adv_influxdb
+ - firewall.soc_firewall
+ - firewall.adv_firewall
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
diff --git a/salt/firewall/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml
similarity index 94%
rename from salt/firewall/defaults_soc_firewall.yaml
rename to salt/firewall/soc/defaults_soc_firewall.yaml
index 718cba441..fd72df523 100644
--- a/salt/firewall/defaults_soc_firewall.yaml
+++ b/salt/firewall/soc/defaults_soc_firewall.yaml
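Review bot: Nothing in this diff creates the pillar SLS files these two new includes resolve to (`pillar/firewall/soc_firewall.sls` and `pillar/firewall/adv_firewall.sls`); the only generated file is `/opt/so/saltstack/default/salt/firewall/soc_firewall.yaml`, which lives in the salt tree, not the pillar root. If those pillar files already exist or are produced by another process, the commit description should say so, because otherwise every role touched by the four hunks in this file will fail its pillar render with a missing-SLS error. The same observation applies to the three later hunks in pillar/top.sls, which add the identical two lines.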
@@ -31,40 +31,40 @@ firewall:
 file: True
 global: True
 title: Beats Endpoints SSL
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 elastic_agent_endpoint:
 description: List of IP addresses or CIDR blocks for Elastic Agent connections.
 file: True
 global: True
 title: Elastic Agents
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 elasticsearch_rest:
 description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
 file: True
 global: True
 title: Elasticsearch Rest
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 endgame:
 description: List of IP addresses or CIDR blocks to allow Endgame access.
 file: True
 global: True
 title: Endgame
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 strelka_frontend:
 description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
 file: True
 global: True
 title: Strelka Frontend
 advanced: True
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 syslog:
 description: List of IP addresses or CIDR blocks to allow syslog.
 file: True
 global: True
 title: Syslog Endpoint Traffic
- helplink: firewall.html#host-groups
+ helpLink: firewall.html#host-groups
 standalone:
 description: List of IP addresses or CIDR blocks to allow standalone connections.
 file: True
diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls
new file mode 100644
index 000000000..bae1a3048
--- /dev/null
+++ b/salt/firewall/soc/init.sls
@@ -0,0 +1,5 @@
+soc_firewall_yaml:
+ file.managed:
+ - name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
+ - source: salt://firewall/soc/soc_firewall.yaml.jinja
+ - template: jinja
diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja
new file mode 100644
index 000000000..00fc50dd1
--- /dev/null
+++ b/salt/firewall/soc/soc.map.jinja
@@ -0,0 +1,9 @@
+{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
+{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
+{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
+
+{% for group in PILLAR_SOC_FIREWALL_GROUPS %}
+{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
+{% set title = group[0]|upper ~ group[1:] %}
+{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
+{% endfor %}
diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja
new file mode 100644
index 000000000..0502c0246
--- /dev/null
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -0,0 +1,2 @@
+{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
+{{ SOC_FIREWALL | yaml(False) }}
diff --git a/salt/top.sls b/salt/top.sls
index 25ec1ccd4..c09974418 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -77,6 +77,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
@@ -121,6 +122,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - manager
@@ -163,6 +165,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
@@ -227,6 +230,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - manager
@@ -296,6 +300,7 @@ base:
 - telegraf
 - influxdb
 - soc
+ - firewall.soc
 - kratos
 - firewall
 - idstools
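Review bot: The `do ... update(...)` line stores `'file': 'True'` and `'global': 'True'` as strings, while the defaults YAML renamed in this same commit uses bare YAML booleans (`file: True`), so after `yaml(False)` the pillar-defined hostgroups will serialize as `file: 'True'` and the built-in ones as `file: true`; any consumer that checks these as booleans will treat the two kinds of group differently. Use `'file': True, 'global': True` so the merged structure is uniform. The title line `group[0]|upper ~ group[1:]` also raises an IndexError on an empty group name, which comes straight from user-editable pillar data (`firewall:custom_groups:groups`); `group[:1]|upper ~ group[1:]` produces the same result for non-empty names and an empty title otherwise. Whether `DEFAULT_SOC_FIREWALL.firewall.hostgroups` exists is not visible here, since the defaults hunk starts at line 31; if that key is ever absent the `.update()` call fails the whole render.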