From 927fe9039d1dca052e96cbfcdd3db380fe49b672 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Mar 2024 20:50:03 -0400 Subject: [PATCH 1/2] handle airgap when detections not enabled --- salt/soc/merged.map.jinja | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 2012917af2..57abe7a489 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -35,16 +35,16 @@ {% do SOCMERGED.config.server.modules.pop('elastalertengine') %} {% do SOCMERGED.config.server.modules.pop('strelkaengine') %} {% do SOCMERGED.config.server.modules.pop('suricataengine') %} +{% elif pillar.global.airgap %} + {# if system is Airgap, don't autoupdate Yara & Sigma rules #} + {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %} + {% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %} {% endif %} -{% if pillar.manager.playbook == 0 %} -{% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} -{# if system is Airgap, don't autoupdate Yara & Sigma rules #} -{% if pillar.global.airgap %} - {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %} - {% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %} +{% if pillar.manager.playbook == 0 %} +{% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} {% set standard_actions = SOCMERGED.config.pop('actions') %} From 844cfe55cd0ea40317a51f9cee33a801d690d647 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Mar 2024 20:52:17 -0400 Subject: [PATCH 2/2] handle airgap when detections not enabled --- salt/soc/merged.map.jinja | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 57abe7a489..c22ed2210d 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -41,8 +41,6 @@ {% do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %} {% endif %} -{% endif %} - {% if pillar.manager.playbook == 0 %} {% do SOCMERGED.config.server.client.inactiveTools.append('toolPlaybook') %} {% endif %}