From 1a829190ac4ba8777ac68bc865bfc6944be55d92 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 13 Mar 2024 09:46:44 -0400
Subject: [PATCH] remove modules if detections disabled

---
 salt/soc/defaults.yaml | 2 +-
 salt/soc/merged.map.jinja | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 197aee0709..de372a98fd 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1081,7 +1081,7 @@ soc:
 allowRegex: ''
 autoUpdateEnabled: false
 communityRulesImportFrequencySeconds: 86400
-denyRegex: '.*'
+denyRegex: ''
 elastAlertRulesFolder: /opt/sensoroni/elastalert
 rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
 sigmaRulePackages:
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index bc7c5cada7..2012917af2 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -30,6 +30,13 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
+{# remove these modules if detections is disabled #}
+{% if not SOCMERGED.config.server.client.detectionsEnabled %}
+{% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
+{% do SOCMERGED.config.server.modules.pop('strelkaengine') %}
+{% do SOCMERGED.config.server.modules.pop('suricataengine') %}
+{% endif %}
+
 {% if pillar.manager.playbook == 0 %}
 {% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %}
 {% endif %}
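Review bot: The `denyRegex: '.*'` → `''` flip in defaults.yaml is a security-relevant default change that the subject line ("remove modules if detections disabled") does not mention: the old default denied every community rule and the new one denies none, so any deployment that never overrode this key will start importing rules it previously blocked, and reviewers reading only the title will miss that. Note also that an empty regex matches every string, so whether `''` actually means "deny nothing" depends on the consumer special-casing the empty value before compiling it — if it does not, the change is a no-op (still deny-all); that code is outside this patch, so confirm which behavior applies. At minimum add a comment on the key, e.g. `# empty = no community rules denied; '.*' = deny all community rules`, or split this into its own commit with the rationale.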
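Review bot: The three `modules.pop('…')` calls added under the `detectionsEnabled` check carry no default, so if any of those keys is absent from `SOCMERGED.config.server.modules` (for example a pillar override already removed it) the render raises KeyError and the whole SOC config fails to build; use `{% do SOCMERGED.config.server.modules.pop('elastalertengine', None) %}` and the same for `strelkaengine` and `suricataengine`. With Jinja's default Undefined, a missing `client.detectionsEnabled` key is falsy, so `not …detectionsEnabled` would silently strip the detection engines; if that is not intended, guard with `{% if SOCMERGED.config.server.client.detectionsEnabled is defined and not SOCMERGED.config.server.client.detectionsEnabled %}` — where that key is defaulted is not visible here, so confirm before relying on it. The same missing-default concern applies to the pre-existing `pop('cases')` line, though that is outside this change.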