{%- set MANAGER = salt['pillar.get']('manager:mainip', '') %}
{%- set URLBASE = salt['pillar.get']('global:url_base', '') %}
{%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %}
{%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %}
{%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %}
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
{%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%-   set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
{%- else %}
{%-   set ES_USER = '' %}
{%-   set ES_PASS = '' %}
{%- endif %}

[es]
es_url = https://{{MANAGER}}:9200
es_ip = {{MANAGER}}
es_user = {{ ES_USER }}
es_pass = "{{ ES_PASS }}"
es_index_pattern = so-*
es_verifycert = no

[cortex]
auto_analyze_alerts = no
cortex_url = https://{{URLBASE}}/cortex/
cortex_key = {{ CORTEXKEY }}
supported_analyzers = Urlscan_io_Search,CERTatPassiveDNS

[fir]
fir_url = YOURFIRURL
fir_token = YOURFIRTOKEN
fir_actor = 3
fir_category = 3
fir_confidentiality = 1
fir_detection = 2
fir_plan = 8
fir_severity = 4
fir_verifycert = no

[grr]
grr_url = YOURGRRURL
grr_user = YOURGRRUSER
grr_pass = YOURGRRPASS

[hive]
hive_url = https://{{URLBASE}}/thehive/
hive_key = {{ HIVEKEY }}
hive_tlp = 3
hive_verifycert = no

[misp]
misp_url = YOURMISPURL
misp_key = YOURMISPKEY
misp_verifycert = no
distrib = 0
threat = 4
analysis = 0

[rtir]
rtir_url = YOURRTIRURL
rtir_api = REST/1.0/
rtir_user = YOURRTIRUSER
rtir_pass = YOURRTIRPASS
rtir_queue = Incidents
rtir_creator = root
rtir_verifycert = no

[slack]
slack_url = YOURSLACKWORKSPACE
slack_webhook = YOURSLACKWEBHOOK

[soc]
soc_url = http://{{MANAGER}}:9822

[playbook]
playbook_url = http://{{MANAGER}}:3200/playbook
playbook_ext_url = https://{{URLBASE}}/playbook
playbook_key = {{ PLAYBOOK_KEY }}
playbook_verifycert = no
playbook_unit_test_index = playbook-testing
playbook_rulesets = {{ salt['pillar.get']('soctopus:playbook:rulesets')|join(",") }}

[log]
logfile = /var/log/SOCtopus/soctopus.log