From bec7b5bc8f41dbf2d106f98c1e203297837a384e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 25 Aug 2023 09:52:36 -0600
Subject: [PATCH 001/102] WIP: Demo + CleanUp

Contains hardcoded config values in infohandler, mock data inside the JS. Very much a prototype.
---
 config/clientparameters.go                    |   2 +
 html/index.html                               | 351 ++++++++++++-
 html/js/i18n.js                               |   2 +
 html/js/routes/detection.js                   | 157 ++++++
 html/js/routes/hunt.js                        | 204 ++++++--
 html/js/routes/playbook.js                    | 461 ++++++++++++++++++
 model/detection.go                            |  91 ++++
 server/casestore.go                           |   5 +
 server/detectionhandler.go                    | 109 +++++
 server/infohandler.go                         |  45 ++
 server/modules/elastic/converter.go           |  95 ++++
 server/modules/elastic/elasticcasestore.go    | 114 +++++
 .../modules/elasticcases/elasticcasestore.go  |  16 +
 server/modules/generichttp/httpcasestore.go   |  16 +
 server/modules/thehive/thehivecasestore.go    |  16 +
 server/server.go                              |   1 +
 16 files changed, 1647 insertions(+), 38 deletions(-)
 create mode 100644 html/js/routes/detection.js
 create mode 100644 html/js/routes/playbook.js
 create mode 100644 model/detection.go
 create mode 100644 server/detectionhandler.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 2acb62811..7681ae6e6 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -22,6 +22,8 @@ type ClientParameters struct {
 	CaseParams          CaseParameters    `json:"case"`
 	DashboardsParams    HuntingParameters `json:"dashboards"`
 	JobParams           HuntingParameters `json:"job"`
+	DetectionsParams    HuntingParameters `json:"detections"`
+	PlaybooksParams     HuntingParameters `json:"playbooks"`
 	DocsUrl             string            `json:"docsUrl"`
 	CheatsheetUrl       string            `json:"cheatsheetUrl"`
 	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
diff --git a/html/index.html b/html/index.html
index 8f9acc944..94c1d50e7 100644
--- a/html/index.html
+++ b/html/index.html
@@ -68,6 +68,22 @@
               <v-list-item-title v-text="i18n.cases"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
+          <v-list-item @click="" to="/detections">
+            <v-list-item-action>
+              <v-icon>fa-magnifying-glass</v-icon>
+            </v-list-item-action>
+            <v-list-item-content>
+              <v-list-item-title v-text="i18n.detections"></v-list-item-title>
+            </v-list-item-content>
+          </v-list-item>
+          <v-list-item @click="" to="/playbooks">
+            <v-list-item-action>
+              <v-icon>fa-book-bookmark</v-icon>
+            </v-list-item-action>
+            <v-list-item-content>
+              <v-list-item-title v-text="i18n.playbooks"></v-list-item-title>
+            </v-list-item-content>
+          </v-list-item>
           <v-list-item @click="" to="/jobs">
             <v-list-item-action>
               <v-icon>fa-stream</v-icon>
@@ -667,7 +683,13 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
-                        <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled">
+                        <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'cases'">
+                          <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
+                        </router-link>
+                        <router-link :to="{ name: 'detection', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'detections'">
+                          <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
+                        </router-link>
+                        <router-link :to="{ name: 'playbook', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'playbooks'">
                           <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
                         </router-link>
                       </td>
@@ -938,6 +960,331 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
       </v-container>
     </script>
 
+    <script type="text/x-template" id="page-detection">
+      <v-container fluid v-if="detect">
+        <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
+          <!-- Title -->
+          <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
+          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="'Detection Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+        </div>
+
+        <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <div class="main col-md-9 order-md-1 col-12 order-2">
+            <v-tabs grow v-model="activeTab">
+              <v-tab id="detection_summaryTab" href="#summary">
+                <v-icon left>fa-clipboard</v-icon>
+                <div class="d-none d-lg-block">Summary</div>
+              </v-tab>
+              <v-tab id="detection_detailsTab" href="#details">
+                <v-icon left>fa-circle-info</v-icon>
+                <div class="d-none d-lg-block">Details</div>
+              </v-tab>
+              <v-tab id="detection_notesTab" href="#notes">
+                <v-icon left>fa-pencil</v-icon>
+                <div class="d-none d-lg-block">Notes</div>
+              </v-tab>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-signature</v-icon>
+                <div class="d-none d-lg-block">Signature</div>
+              </v-tab>
+              <v-tab id="detection_playbookTab" href="#playbook">
+                <v-icon left>fa-book-bookmark</v-icon>
+                <div class="d-none d-lg-block">Investigative Playbook</div>
+              </v-tab>
+              <v-tab id="detection_tuningTab" href="#tuning">
+                <v-icon left>fa-wrench</v-icon>
+                <div class="d-none d-lg-block">Tuning</div>
+              </v-tab>
+              <v-tab id="detection_historyTab" href="#history">
+                <v-icon left>fa-history</v-icon>
+                <div class="d-none d-lg-block">History</div>
+              </v-tab>
+
+              <v-tab-item value="summary">
+                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <div>
+                    <!-- Description -->
+                    <span class="font-weight-bold">Description:</span><br/>
+                    <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
+                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+                  </div>
+                  <!-- Engine -->
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="engineOptions" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Enabled -->
+                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
+                  <!-- Reporting -->
+                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="details">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId">
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Author -->
+                  <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+                  <!-- Severity -->
+                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-create" text small color="primary" class="align-self-end" @click="saveDetection(true)" v-if="isNew()">
+                      {{ i18n.create }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)" v-else>
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="notes">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Notes -->
+                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
+                </div>
+              </v-tab-item>
+              <v-tab-item value="signature">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Signature -->
+                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
+                </div>
+              </v-tab-item>
+              <v-tab-item value="playbook">
+                <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <div class="col ma-2">
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Title:&nbsp;</span>
+                      <a :href="'#/playbook/' + associatedPlaybook.onionId" style="text-decoration: none; cursor: 'pointer'">
+                        {{associatedPlaybook.title}}
+                      </router-link>
+                    </div>
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Description:&nbsp;</span>{{associatedPlaybook.description}}
+                    </div>
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Severity:&nbsp;</span>{{associatedPlaybook.severity}}
+                    </div>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="tuning">
+                Coming Soon!
+              </v-tab-item>
+              <v-tab-item value="history">
+                Coming Soon!
+              </v-tab-item>
+            </v-tabs>
+          </div>
+          <div class="col-md-3 order-md-2 col-12 order-1">
+            <v-expansion-panels focusable multiple v-model="panel">
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Cases</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Related Cases:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Alerts</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Recent Alerts:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+            </v-expansion-panels>
+          </div>
+        </div>
+      </v-container>
+    </script>
+
+    <script type="text/x-template" id="page-playbook">
+      <v-container fluid v-if="playbook">
+        <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
+          <!-- Title -->
+          <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isEdit('playbook-title')">{{ playbook.title }}</h2>
+          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="'Playbook Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+        </div>
+
+        <div class="row mb-6 mb-md-1 mt-2 mx-lg-6 mx-sm-12">
+          <!-- Description -->
+          <span id="playbook-description" @click="startEdit('playbook-description', 'description')" v-if="!isEdit('playbook-description')">{{ playbook.description }}</span>
+          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="'Playbook Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+        </div>
+
+        <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <div class="main col-md-9 order-md-1 col-12 order-2">
+            <v-tabs grow v-model="activeTab">
+              <v-tab id="playbook_notesTab" href="#notes">
+                <v-icon left>fa-comments</v-icon>
+                <div class="d-none d-lg-block">Observational Notes</div>
+              </v-tab>
+              <v-tab id="playbook_questionsTab" href="#questions">
+                <v-icon left>fa-circle-question</v-icon>
+                <div class="d-none d-lg-block">Investigative Questions</div>
+              </v-tab>
+              <v-tab id="playbook_casesTab" href="#cases">
+                <v-icon left>fa-briefcase</v-icon>
+                <div class="d-none d-lg-block">Cases</div>
+              </v-tab>
+              <v-tab id="playbook_historyTab" href="#history">
+                <v-icon left>fa-history</v-icon>
+                <div class="d-none d-lg-block">{{ i18n.history }}</div>
+              </v-tab>
+
+              <v-tab-item value="notes">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- PublicID -->
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!playbook.publicId">
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Contributors -->
+                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="'Contributors'" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <!-- Severity -->
+                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+
+                  <!-- Mechanism -->
+                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="'Mechanism'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+
+                  <!-- Tags -->
+                  <v-combobox id="playbook-tags" v-model="playbook.tags" :items="tags" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <!-- IsCommunity -->
+                  <div class="my-3">
+                    <span class="font-weight-bold">Community Playbook:</span> {{ playbook.userEditable ? 'No' : 'Yes' }}
+                  </div>
+                  <div class="row">
+                    <div class="col">
+                      <!-- Content -->
+                      <span class="font-weight-bold">Note:</span>
+                      <v-textarea class="config-editor" outlined v-model="playbook.note" auto-grow rows="5" />
+                    </div>
+                  </div>
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="playbook-cancel" text small color="primary" class="align-self-end" @click="cancelPlaybook()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="playbook-create" text small color="primary" class="align-self-end" @click="savePlaybook(true)" v-if="isNew()">
+                      {{ i18n.create }}
+                    </v-btn>
+                    <v-btn id="playbook-update" text small color="primary" class="align-self-end" @click="savePlaybook(false)" v-else>
+                      {{ i18n.update }}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-tab-item>
+
+              <v-tab-item value="questions">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <h2>Add Investigative Question</h2>
+                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="'The investigative question written in plain language for human consumption, in the form of a question'"></v-text-field>
+                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="'Provide optional context'"></v-text-field>
+                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="'The data sources that can be used to answer the question'" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <v-btn id="playbook-add-question" color="primary" class="mt-2" @click="appendQuestion()">
+                    Add
+                  </v-btn>
+                </div>
+
+                <v-text-field v-model="search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line></v-text-field>
+                <div v-for="q in playbook.questions" class="col px-5 py-2" style="background-color: rgb(40, 40, 40); border-radius: 4px;">
+                  <div class="font-italic my-2">{{q.question}}</div>
+                  <div class="my-2"><span class="font-weight-bold">Context:</span> {{ q.context }}</div>
+                  <div class="my-2"><span class="font-weight-bold">Data Sources:</span> {{ q.dataSources.join(', ') }}</div>
+                  <div class="my-2">
+                    <div><span class="font-weight-bold">Query:</span> {{ q.query }}</div>
+                    <v-data-table v-if="q.query" :headers="questionHeaders" :items="q.results">
+                      <template v-slot:item="result">
+                        <tr>
+                          <td v-text="result.item.payload['@timestamp']"></td>
+                          <td v-text="result.item.payload['@version']"></td>
+                          <td v-text="result.item.payload['message']"></td>
+                        </tr>
+                      </template>
+                    </v-data-table>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="cases">
+                Coming Soon!
+              </v-tab-item>
+              <v-tab-item value="history">
+                Coming Soon!
+              </v-tab-item>
+            </v-tabs>
+          </div>
+          <div class="col-md-3 order-md-2 col-12 order-1">
+            <v-expansion-panels focusable multiple v-model="panel">
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="playbook-related-playbooks">
+                  <h3>Playbooks</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Related Playbooks:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Alerts</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Recent Alerts:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+            </v-expansion-panels>
+          </div>
+        </div>
+      </v-container>
+    </script>
+
     <script type="text/x-template" id="page-terms">
       <v-container fluid>
         <v-row>
@@ -4114,6 +4461,8 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/routes/gridmembers.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/terms.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/users.js?v=VERSION_PLACEHOLDER"></script>
+    <script src="js/routes/detection.js?v=VERSION_PLACEHOLDER"></script>
+    <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/custom.js?v=VERSION_PLACEHOLDER"></script>
   </body>
 </html>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index c44de03d9..7bbe4f3b5 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -254,6 +254,7 @@ const i18n = {
       denied: 'Denied',
       description: 'Description',
       details: 'Details',
+      detections: 'Detections',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -545,6 +546,7 @@ const i18n = {
       passwordRequired: 'A password must be specified.',
       passwordReset: 'Change Password',
       passwordNeedsChanged: 'User has not yet changed their password',
+      playbooks: 'Playbooks',
       profileDetails: 'Profile Details',
       profileInstructions: 'You may be prompted to login again when updating your profile. This is a security measure to protect your account.',
       pcap: 'PCAP',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
new file mode 100644
index 000000000..b1e2e61ed
--- /dev/null
+++ b/html/js/routes/detection.js
@@ -0,0 +1,157 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+routes.push({ path: '/detection/:id', name: 'detection', component: {
+  template: '#page-detection',
+  data() { return {
+		i18n: this.$root.i18n,
+		params: {},
+		detect: null,
+		origDetect: null,
+		curEditTarget: null, // string containing element ID, null if not editing
+		origValue: null,
+		editField: null,
+		rules: {
+      required: value => (value && value.length > 0) || this.$root.i18n.required,
+      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+      fileRequired: value => (value != null) || this.$root.i18n.required,
+		},
+		severityOptions: ['low', 'medium', 'high'],
+		engineOptions: ['suricata', 'yara', 'elastalert'],
+		panel: [0, 1, 2],
+		activeTab: '',
+		associatedPlaybook: {
+			onionId: 'y5IYKIoB9-Z7uL2kmy_o',
+			publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+			title: "Find the baddies",
+			severity: "high",
+			description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+			mechanism: "suricata",
+			tags: ["one", "two", "three"],
+			relatedPlaybooks: [],
+			contributors: ["Corey Ogburn"],
+			userEditable: true,
+			createTime: "2023-08-22T12:49:47.302819008-06:00",
+			userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+		},
+  }},
+  created() {
+  },
+  watch: {
+	},
+	mounted() {
+		this.$root.loadParameters('detection', this.initDetection);
+	},
+  methods: {
+		async initDetection(params) {
+			this.params = params;
+			if (this.$route.params.id === 'create') {
+				this.detect = this.newDetection();
+			} else {
+				await this.loadData();
+			}
+
+			this.origDetect = Object.assign({}, this.detect);
+
+			this.loadUrlParameters();
+		},
+		loadUrlParameters() {
+
+		},
+		newDetection() {
+			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
+			return {
+				title: 'Detection title not yet provided - click here to update this title',
+				description: 'Detection description not yet provided - click here to update this description',
+				author: author,
+				publicId: '',
+				severity: 'low',
+				content: '',
+				isEnabled: false,
+				isReporting: false,
+				engine: '',
+			}
+		},
+		async loadData() {
+			this.$root.startLoading();
+
+			try {
+					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
+				this.detect = response.data;
+				this.detect.note = 'This is a note.';
+      } catch (error) {
+        if (error.response != undefined && error.response.status == 404) {
+          this.$root.showError(this.i18n.notFound);
+        } else {
+          this.$root.showError(error);
+        }
+			}
+
+      this.$root.stopLoading();
+		},
+		isNew() {
+			return this.$route.params.id === 'create';
+		},
+		cancelDetection() {
+			if (this.isNew()) {
+				this.$router.push({name: 'detections'});
+			} else {
+				this.detect = this.origDetect;
+			}
+		},
+		async startEdit(target, field) {
+			if (this.curEditTarget === target) return;
+			if (this.curEditTarget !== null) await this.stopEdit(false);
+
+			this.curEditTarget = target;
+			this.origValue = this.detect[field];
+			this.editField = field;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		generatePublicID() {
+			this.detect.publicId = crypto.randomUUID();
+		},
+		isEdit(target) {
+			return this.curEditTarget === target;
+		},
+		async stopEdit(commit) {
+			if (!commit) {
+				this.detect[this.editField] = this.origValue;
+			} else if (!this.isNew()) {
+				const response = await this.$root.papi.put('/detection', this.detect);
+
+        console.log('UPDATE', response);
+			}
+
+			this.curEditTarget = null;
+			this.origValue = null;
+			this.editField = null;
+		},
+		saveDetection(createNew) {
+			if (createNew) {
+				this.$root.papi.post('/detection', this.detect);
+			} else {
+				this.$root.papi.put('/detection', this.detect);
+			}
+			this.origDetect = Object.assign({}, this.detect);
+		},
+		print(x) {
+			console.log(x);
+		},
+  }
+}});
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 089d6bfaf..c8c6c3ff8 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -260,10 +260,15 @@ const huntComponent = {
       }
     },
     applyQuerySubstitutions(queries) {
-      queries.forEach(query => {
-        query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
-      });
-      return queries;
+      if (Array.isArray(queries)) {
+        queries.forEach(query => {
+          query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
+        });
+
+        return queries;
+      } else {
+        return [];
+      }
     },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
@@ -338,19 +343,21 @@ const huntComponent = {
         q = this.queryBaseFilter;
       }
 
-      for (var i = 0; i < this.filterToggles.length; i++) {
-        filter = this.filterToggles[i];
+      if (Array.isArray(this.filterToggles)) {
+        for (var i = 0; i < this.filterToggles.length; i++) {
+          filter = this.filterToggles[i];
 
-        if (filter.enabled) {
-          if (q.length > 0) {
-            q = q + " AND ";
-          }
-          q = q + filter.filter;
-        } else if (filter.exclusive) {
-          if (q.length > 0) {
-            q = q + " AND ";
+          if (filter.enabled) {
+            if (q.length > 0) {
+              q = q + " AND ";
+            }
+            q = q + filter.filter;
+          } else if (filter.exclusive) {
+            if (q.length > 0) {
+              q = q + " AND ";
+            }
+            q = q + "NOT " + filter.filter;
           }
-          q = q + "NOT " + filter.filter;
         }
       }
 
@@ -424,20 +431,22 @@ const huntComponent = {
         this.groupQuery(this.$route.query.groupByField, this.$route.query.groupByGroup);
         reRoute = true;
       }
-      for (const q in this.$route.query) {
-        this.filterToggles.forEach(toggle => {
-          if (toggle.name === q) {
-            const orig = toggle.enabled;
-            let enabled = this.$route.query[q];
-            if (typeof enabled === 'string') {
-              enabled = enabled.toLowerCase() === 'true';
-            }
-            toggle.enabled = enabled;
-            if (orig !== toggle.enabled) {
-              reRoute = true;
+      if (Array.isArray(this.filterToggles)) {
+        for (const q in this.$route.query) {
+          this.filterToggles.forEach(toggle => {
+            if (toggle.name === q) {
+              const orig = toggle.enabled;
+              let enabled = this.$route.query[q];
+              if (typeof enabled === 'string') {
+                enabled = enabled.toLowerCase() === 'true';
+              }
+              toggle.enabled = enabled;
+              if (orig !== toggle.enabled) {
+                reRoute = true;
+              }
             }
-          }
-        });
+          });
+        }
       }
       if (reRoute) return false;
       return true;
@@ -454,14 +463,74 @@ const huntComponent = {
         // This must occur before the following await, so that Vue flushes the old groupby DOM renders
         this.groupBys.splice(0);
 
-        const response = await this.$root.papi.get('events/', { params: {
-          query: await this.getQuery(),
-          range: this.dateRange,
-          format: this.i18n.timePickerSample,
-          zone: this.zone,
-          metricLimit: this.groupByLimit,
-          eventLimit: this.eventLimit
-        }});
+        let response;
+        if (this.category === 'playbooks') {
+          response = {
+            data: {
+              "metrics": {
+                "timeline": null,
+              },
+              "elapsedMs": 668,
+	            "errors": [],
+	            "criteria": {
+		            "query": "(_id:*) AND _index:\"*:so-case\" AND so_kind:detection",
+		            "dateRange": "",
+		            "metricLimit": 0,
+		            "eventLimit": 50,
+                "BeginTime": "2021-08-23T15:41:39-06:00",
+                "EndTime": "2023-08-23T15:41:39-06:00",
+                "CreateTime": "2023-08-23T15:41:39.446264196-06:00",
+                "ParsedQuery": {
+                  "Segments": [
+                    {}
+                  ]
+                },
+                "SortFields": null
+              },
+              "events": [
+                {
+                  "source": "manager:so-case",
+                  "Time": "2023-08-23T14:48:17.140438075-06:00",
+                  "timestamp": "2023-08-23T14:48:17.140Z",
+                  "id": "RDmUHooB-8rNCo4d3nIc",
+                  "type": "",
+                  "score": 3.287682,
+                  "payload": {
+                    "@timestamp": "2023-08-23T14:48:17.140438075-06:00",
+                    "so_playbook.onionId": "75332a3c-b029-46a0-9392-509ff90737a8",
+                    "so_playbook.publicId": "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+                    "so_playbook.title": "Find the baddies",
+                    "so_playbook.severity": "high",
+                    "so_playbook.description": "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+                    "so_playbook.mechanism": "suricata",
+                    "so_playbook.tags": ["one", "two", "three"],
+                    "so_playbook.relatedPlaybooks": [],
+                    "so_playbook.contributors": ["Jim Bob"],
+                    "so_playbook.userEditable": true,
+                    "so_playbook.createTime": "2023-08-22T12:49:47.302819008-06:00",
+                    "so_playbook.kind": "playbook",
+                    "so_playbook.userId": "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+                    "so_kind": "playbook"
+                  }
+                }
+              ],
+              createTime: moment().subtract(2, 'seconds').toISOString(),
+              completeTime: moment().toISOString(),
+            }
+          };
+          response.data.totalEvents = response.data.events.length;
+        } else {
+          response = await this.$root.papi.get('events/', {
+            params: {
+              query: await this.getQuery(),
+              range: this.dateRange,
+              format: this.i18n.timePickerSample,
+              zone: this.zone,
+              metricLimit: this.groupByLimit,
+              eventLimit: this.eventLimit
+            }
+          });
+        }
 
         this.eventPage = 1;
         this.groupByPage = 1;
@@ -2037,7 +2106,62 @@ const huntComponent = {
       }
 
       window.open(url, target);
-    }
+    },
+    async CreateDetection() {
+      const response = await this.$root.papi.post('/detection', {
+        publicId: 'ABCDEF',
+        title: 'First!',
+        severity: 'low',
+        author: 'Corey Ogburn',
+        description: 'first try',
+        content: 'rule goes here',
+        isEnabled: true,
+        isReporting: true,
+        Engine: 'suricata'
+      });
+
+      console.log('CREATE', response);
+      this.onionID = response.data.id;
+      console.log('onionID', this.onionID);
+    },
+    async GetDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.get('/detection/' + this.onionID);
+
+        console.log('GET', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
+    async UpdateDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.put('/detection', {
+          id: this.onionID,
+          publicId: 'ABCDEF',
+          title: 'Second!',
+          severity: 'low',
+          author: 'Corey Ogburn',
+          description: 'first try',
+          content: 'rule goes here',
+          isEnabled: true,
+          isReporting: true,
+          Engine: 'suricata'
+        });
+
+        console.log('UPDATE', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
+    async DeleteDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.delete('/detection/' + this.onionID);
+
+        console.log('DELETE', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
   }
 };
 
@@ -2051,3 +2175,9 @@ routes.push({ path: '/cases', name: 'cases', component: casesComponent});
 
 const dashboardsComponent = Object.assign({}, huntComponent);
 routes.push({ path: '/dashboards', name: 'dashboards', component: dashboardsComponent});
+
+const detectionsComponent = Object.assign({}, huntComponent);
+routes.push({ path: '/detections', name: 'detections', component: detectionsComponent });
+
+const playbooksComponent = Object.assign({}, huntComponent);
+routes.push({ path: '/playbooks', name: 'playbooks', component: playbooksComponent });
diff --git a/html/js/routes/playbook.js b/html/js/routes/playbook.js
new file mode 100644
index 000000000..3db5a5f02
--- /dev/null
+++ b/html/js/routes/playbook.js
@@ -0,0 +1,461 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+routes.push({ path: '/playbook/:id', name: 'playbook', component: {
+  template: '#page-playbook',
+  data() { return {
+		i18n: this.$root.i18n,
+		params: {},
+		rules: {
+      required: value => (value && value.length > 0) || this.$root.i18n.required,
+      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+      fileRequired: value => (value != null) || this.$root.i18n.required,
+		},
+		playbook: null,
+		origPlaybook: null,
+		curEditTarget: null, // string containing element ID, null if not editing
+		origValue: null,
+		editField: null,
+		severityOptions: ['low', 'medium', 'high'],
+		engineOptions: ['none', 'suricata', 'yara', 'elastalert'],
+		panel: [0, 1, 2],
+		activeTab: '',
+		tags: [],
+		addQuestion: '',
+		addContext: '',
+		addDataSources: [],
+		addQuery: '',
+		search: '',
+		questionHeaders: [{ title: '@timestamp', key: 'item.payload["@timestamp"]' }, { title: '@version', value: '@version' }, { title: 'message', value: 'message' }],
+  }},
+  created() {
+  },
+  watch: {
+	},
+	mounted() {
+		this.$root.loadParameters('playbooks', this.initPlaybook);
+	},
+  methods: {
+		async initPlaybook(params) {
+			this.params = params;
+			if (this.$route.params.id === 'create') {
+				this.detect = this.newPlaybook();
+			} else {
+				await this.loadData();
+			}
+
+			this.origPlaybook = Object.assign({}, this.playbook);
+
+			this.loadUrlParameters();
+		},
+		loadUrlParameters() {
+
+		},
+		newPlaybook() {
+			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
+			return {
+				publicId: '',
+				title: 'Detection title not yet provided - click here to update this title',
+				description: 'Detection description not yet provided - click here to update this description',
+				mechanism: '',
+				tags: [],
+				relatedPlaybooks: [],
+				detectionLinks: [],
+				contributors: [author],
+				userEditable: true,
+				questions: [],
+				note: '',
+			}
+		},
+		async loadData() {
+			this.$root.startLoading();
+
+			// try {
+			// 		const response = await this.$root.papi.get('playbook/' + encodeURIComponent(this.$route.params.id));
+			// 		this.detect = response.data;
+      // } catch (error) {
+      //   if (error.response != undefined && error.response.status == 404) {
+      //     this.$root.showError(this.i18n.notFound);
+      //   } else {
+      //     this.$root.showError(error);
+      //   }
+			// }
+			if (this.isNew()) {
+				this.playbook = this.newPlaybook();
+			} else {
+				this.playbook = {
+					onionId: this.$route.params.id,
+					publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+					title: "Find the baddies",
+					severity: "high",
+					description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+					mechanism: "suricata",
+					tags: ["one", "two", "three"],
+					relatedPlaybooks: [],
+					contributors: ["Corey Ogburn"],
+					userEditable: true,
+					createTime: "2023-08-22T12:49:47.302819008-06:00",
+					userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+					questions: [
+						{
+							question: "What network resources did they access?",
+							context: "Bad actors do bad things to network resources",
+							dataSources: ['windows_security', 'process_auditing'],
+							query: '*',
+							results: [
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:10:05.747Z",
+									"timestamp": "2023-08-24T15:10:05.747Z",
+									"id": "y5IYKIoB9-Z7uL2kmy_o",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:10:05.747Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:10:16Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "info",
+										"log.offset": 311104,
+										"log.origin.file.line": 821,
+										"log.origin.file.name": "coordinator/coordinator.go",
+										"log.source": "elastic-agent",
+										"message": "Updating running component model",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:09:25.702Z",
+									"timestamp": "2023-08-24T15:09:25.702Z",
+									"id": "GJIXKIoB9-Z7uL2k7C-E",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:09:25.702Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:09:31Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"AE-49-EF-7B-5E-B9",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "error",
+										"log.offset": 304406,
+										"log.origin.file.line": 221,
+										"log.origin.file.name": "fleet/fleet_gateway.go",
+										"log.source": "elastic-agent",
+										"message": "Checkin request to fleet-server succeeded after 2 failures",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:08:46.446Z",
+									"timestamp": "2023-08-24T15:08:46.446Z",
+									"id": "lZIXKIoB9-Z7uL2kTy6x",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:08:46.446Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:08:50Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"AE-49-EF-7B-5E-B9",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "info",
+										"log.offset": 296546,
+										"log.origin.file.line": 821,
+										"log.origin.file.name": "coordinator/coordinator.go",
+										"log.source": "elastic-agent",
+										"message": "Updating running component model",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+							]
+						}
+					],
+					note: "This is a note",
+				};
+			}
+
+      this.$root.stopLoading();
+		},
+		isNew() {
+			return this.$route.params.id === 'create';
+		},
+		cancelPlaybook() {
+			if (this.isNew()) {
+				this.$router.push({name: 'playbooks'});
+			} else {
+				this.playbook = this.origPlaybook;
+			}
+		},
+		generatePublicID() {
+			this.playbook.publicId = crypto.randomUUID();
+		},
+		async startEdit(target, field) {
+			if (this.curEditTarget === target) return;
+			if (this.curEditTarget !== null) await this.stopEdit(false);
+
+			this.curEditTarget = target;
+			this.origValue = this.playbook[field];
+			this.editField = field;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		isEdit(target) {
+			return this.curEditTarget === target;
+		},
+		async stopEdit(commit) {
+			if (!commit) {
+				this.playbook[this.editField] = this.origValue;
+			} else if (!this.isNew()) {
+				// const response = await this.$root.papi.put('/playbook', this.playbook);
+        // console.log('UPDATE', response);
+			}
+
+			this.curEditTarget = null;
+			this.origValue = null;
+			this.editField = null;
+		},
+		savePlaybook(createNew) {
+			// if (createNew) {
+			// 	this.$root.papi.post('/playbook', this.playbook);
+			// } else {
+			// 	this.$root.papi.put('/playbook', this.playbook);
+			// }
+
+			this.origPlaybook = Object.assign({}, this.playbook);
+		},
+		print(x) {
+			console.log(x);
+		},
+  }
+}});
diff --git a/model/detection.go b/model/detection.go
new file mode 100644
index 000000000..54b2ed801
--- /dev/null
+++ b/model/detection.go
@@ -0,0 +1,91 @@
+package model
+
+import (
+	"errors"
+	"strings"
+)
+
+type ScanType string
+type SigLanguage string
+type Severity string
+type IDType string
+type EngineName = string
+
+const (
+	ScanTypeFiles           ScanType = "files"
+	ScanTypePackets         ScanType = "packets"
+	ScanTypePacketsAndFiles ScanType = "files,packets"
+	ScanTypeElastic         ScanType = "elastic"
+
+	SigLangElastic  SigLanguage = "elastic"  // yaml
+	SigLangSigma    SigLanguage = "sigma"    // yaml
+	SigLangSuricata SigLanguage = "suricata" // action, header, options
+	SigLangYara     SigLanguage = "yara"
+	SigLangZeek     SigLanguage = "zeek"
+
+	SeverityLow    Severity = "low"
+	SeverityMedium Severity = "medium"
+	SeverityHigh   Severity = "high"
+
+	IDTypeUUID IDType = "uuid"
+	IDTypeSID  IDType = "sid"
+
+	EngineNameSuricata   EngineName = "suricata"
+	EngineNameYara       EngineName = "yara"
+	EngineNameElastAlert EngineName = "elastalert"
+)
+
+var (
+	EnginesByName = map[EngineName]*DetectionEngine{
+		EngineNameSuricata: {
+			Name:        string(EngineNameSuricata),
+			IDType:      IDTypeSID,
+			ScanType:    ScanTypePackets,
+			SigLanguage: SigLangSuricata,
+		},
+		EngineNameYara: {
+			Name:        string(EngineNameYara),
+			IDType:      IDTypeUUID,
+			ScanType:    ScanTypeFiles,
+			SigLanguage: SigLangYara,
+		},
+		EngineNameElastAlert: {
+			Name:        string(EngineNameElastAlert),
+			IDType:      IDTypeUUID,
+			ScanType:    ScanTypeElastic,
+			SigLanguage: SigLangElastic,
+		},
+	}
+
+	ErrUnsupportedEngine = errors.New("unsupported engine")
+)
+
+type DetectionEngine struct {
+	Name        string      `json:"name"`
+	IDType      IDType      `json:"idType"`
+	ScanType    ScanType    `json:"scanType"`
+	SigLanguage SigLanguage `json:"sigLanguage"`
+}
+
+type Detection struct {
+	Auditable
+	PublicID    string     `json:"publicId"`
+	Title       string     `json:"title"`
+	Severity    Severity   `json:"severity"`
+	Author      string     `json:"author"`
+	Description string     `json:"description"`
+	Content     string     `json:"content"`
+	IsEnabled   bool       `json:"isEnabled"`
+	IsReporting bool       `json:"isReporting"`
+	Engine      EngineName `json:"engine"`
+}
+
+func (detect *Detection) Validate() error {
+	detect.Engine = strings.ToLower(detect.Engine)
+	_, engIsSupported := EnginesByName[detect.Engine]
+	if !engIsSupported {
+		return ErrUnsupportedEngine
+	}
+
+	return nil
+}
diff --git a/server/casestore.go b/server/casestore.go
index be9d6536e..1f5bcb204 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -38,4 +38,9 @@ type Casestore interface {
 	CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)
 	GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)
 	DeleteArtifactStream(ctx context.Context, id string) error
+
+	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
+	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	DeleteDetection(ctx context.Context, detectID string) error
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
new file mode 100644
index 000000000..fa1bb4396
--- /dev/null
+++ b/server/detectionhandler.go
@@ -0,0 +1,109 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package server
+
+import (
+	"net/http"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+
+	"github.com/go-chi/chi"
+)
+
+type DetectionHandler struct {
+	server *Server
+}
+
+func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
+	h := &DetectionHandler{
+		server: srv,
+	}
+
+	r.Route(prefix, func(r chi.Router) {
+		r.Get("/{onionId}", h.getDetection)
+
+		r.Post("/", h.postDetection)
+
+		r.Put("/", h.putDetection)
+
+		r.Delete("/{onionId}", h.deleteDetection)
+	})
+}
+
+func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detectId := chi.URLParam(r, "onionId")
+
+	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	if err != nil {
+		if err.Error() == "Object not found" {
+			web.Respond(w, r, http.StatusNotFound, nil)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detect := &model.Detection{}
+
+	err := web.ReadJson(r, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusCreated, detect)
+}
+
+func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detect := &model.Detection{}
+
+	err := web.ReadJson(r, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detect, err = h.server.Casestore.UpdateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	id := chi.URLParam(r, "onionId")
+
+	err := h.server.Casestore.DeleteDetection(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, nil)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index 783c41e81..c97960eb6 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -61,5 +62,49 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
+	info.Parameters.DetectionsParams.Queries = []*config.HuntingQuery{
+		{
+			Name:  "All",
+			Query: "_id:*",
+		},
+	}
+
+	info.Parameters.DetectionsParams.ViewEnabled = true
+	info.Parameters.DetectionsParams.CreateLink = "/detection/create"
+	info.Parameters.DetectionsParams.EventFetchLimit = 500
+	info.Parameters.DetectionsParams.EventItemsPerPage = 50
+	info.Parameters.DetectionsParams.GroupFetchLimit = 50
+	info.Parameters.DetectionsParams.MostRecentlyUsedLimit = 5
+	info.Parameters.DetectionsParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+	info.Parameters.DetectionsParams.EventFields = map[string][]string{
+		"default": {
+			"soc_timestamp",
+			"so_detection.publicId",
+			"so_detection.title",
+			"so_detection.severity",
+			"so_detection.isEnabled",
+			"so_detection.engine",
+		},
+	}
+
+	info.Parameters.PlaybooksParams.ViewEnabled = true
+	info.Parameters.PlaybooksParams.CreateLink = "/playbook/create"
+	info.Parameters.PlaybooksParams.EventFetchLimit = 500
+	info.Parameters.PlaybooksParams.EventItemsPerPage = 50
+	info.Parameters.PlaybooksParams.GroupFetchLimit = 50
+	info.Parameters.PlaybooksParams.MostRecentlyUsedLimit = 5
+	info.Parameters.PlaybooksParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+	info.Parameters.PlaybooksParams.Queries = []*config.HuntingQuery{
+		{Query: "*"},
+	}
+	info.Parameters.PlaybooksParams.EventFields = map[string][]string{
+		"default": {
+			"soc_timestamp",
+			"so_playbook.title",
+			"so_playbook.publicId",
+			"so_playbook.mechanism",
+		},
+	}
+
 	web.Respond(w, r, http.StatusOK, info)
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index bdd4d2be2..f200b7405 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -639,6 +639,99 @@ func convertElasticEventToArtifactStream(event *model.EventRecord, schemaPrefix
 	return obj, err
 }
 
+func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix string) (*model.Detection, error) {
+	var err error
+	var obj *model.Detection
+
+	if event != nil {
+		obj = &model.Detection{}
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
+		if err == nil {
+			if value, ok := event.Payload[schemaPrefix+"detection.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
+				obj.IsReporting = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
+				obj.Description = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
+				obj.IsEnabled = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
+				obj.Engine = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.publicId"]; ok {
+				obj.PublicID = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.severity"]; ok {
+				obj.Severity = model.Severity(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.content"]; ok {
+				obj.Content = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
+				obj.Author = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
+				obj.Title = value.(string)
+			}
+			// if value, ok := event.Payload[schemaPrefix+"artifact.caseId"]; ok {
+			// 	obj.CaseId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.groupType"]; ok {
+			// 	obj.GroupType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.groupId"]; ok {
+			// 	obj.GroupId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.description"]; ok {
+			// 	obj.Description = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.artifactType"]; ok {
+			// 	obj.ArtifactType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.streamLength"]; ok {
+			// 	obj.StreamLen = int(value.(float64))
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.streamId"]; ok {
+			// 	obj.StreamId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.mimeType"]; ok {
+			// 	obj.MimeType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.value"]; ok {
+			// 	obj.Value = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.tlp"]; ok {
+			// 	obj.Tlp = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.tags"]; ok && value != nil {
+			// 	obj.Tags = convertToStringArray(value.([]interface{}))
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.ioc"]; ok {
+			// 	obj.Ioc = value.(bool)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.md5"]; ok {
+			// 	obj.Md5 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.sha1"]; ok {
+			// 	obj.Sha1 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.sha256"]; ok {
+			// 	obj.Sha256 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.protected"]; ok {
+			// 	obj.Protected = value.(bool)
+			// }
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string) (interface{}, error) {
 	var obj interface{}
 	var err error
@@ -655,6 +748,8 @@ func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string)
 			obj, err = convertElasticEventToArtifact(event, schemaPrefix)
 		case "artifactstream":
 			obj, err = convertElasticEventToArtifactStream(event, schemaPrefix)
+		case "detection":
+			obj, err = convertElasticEventToDetection(event, schemaPrefix)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 5eeaf0d42..acd8eb3e6 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -273,6 +273,46 @@ func (store *ElasticCasestore) validateArtifactStream(artifactstream *model.Arti
 	return err
 }
 
+func (store *ElasticCasestore) validateDetection(detect *model.Detection) error {
+	var err error
+
+	if err == nil && detect.Id != "" {
+		err = store.validateId(detect.Id, "onionId")
+	}
+
+	if err == nil && detect.PublicID != "" {
+		err = store.validateId(detect.PublicID, "publicId")
+	}
+
+	if err == nil && detect.Title != "" {
+		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+	}
+
+	if err == nil && detect.Severity != "" {
+		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
+	}
+
+	if err == nil && detect.Author != "" {
+		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
+	}
+
+	if err == nil && detect.Description != "" {
+		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
+	}
+
+	if err == nil && detect.Content != "" {
+		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
+	}
+
+	if err == nil {
+		_, okEngine := model.EnginesByName[detect.Engine]
+		if !okEngine {
+			err = errors.New("invalid engine")
+		}
+	}
+	return err
+}
+
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
 	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -900,3 +940,77 @@ func (store *ElasticCasestore) ExtractCommonObservables(ctx context.Context, eve
 	}
 	return nil
 }
+
+func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	var err error
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id != "" {
+		return nil, errors.New("Unexpected ID found in new comment")
+	}
+
+	now := time.Now()
+	detect.CreateTime = &now
+	var results *model.EventIndexResults
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err == nil {
+		// Read object back to get new modify date, etc
+		detect, err = store.GetDetection(ctx, results.DocumentId)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
+	err = store.validateId(detectId, "detectId")
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := store.get(ctx, detectId, "detection")
+	if err == nil && obj != nil {
+		detect = obj.(*model.Detection)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	err := store.validateDetection(detect)
+	if err == nil {
+		if detect.Id == "" {
+			err = errors.New("Missing detection onion ID")
+			return nil, err
+		}
+
+		var old *model.Detection
+		old, err = store.GetDetection(ctx, detect.Id)
+		if err == nil {
+			var results *model.EventIndexResults
+
+			// Preserve read-only fields
+			detect.CreateTime = old.CreateTime
+
+			results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+			if err == nil {
+				// Read object back to get new modify date, etc
+				detect, err = store.GetDetection(ctx, results.DocumentId)
+			}
+		}
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) error {
+	detect, err := store.GetDetection(ctx, onionID)
+	if err == nil {
+		err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	}
+
+	return err
+}
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index 4250e0a6c..9d8357e8c 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -144,3 +144,19 @@ func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 69c256901..f74c58a93 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -149,3 +149,19 @@ func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (*
 func (store *HttpCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *HttpCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 44a5cf3a5..04740aa10 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -141,3 +141,19 @@ func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *TheHiveCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *TheHiveCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/server.go b/server/server.go
index 185217326..1894bb1c5 100644
--- a/server/server.go
+++ b/server/server.go
@@ -87,6 +87,7 @@ func (server *Server) Start() {
 		RegisterConfigRoutes(server, r, "/api/config")
 		RegisterGridMemberRoutes(server, r, "/api/gridmembers")
 		RegisterRolesRoutes(server, r, "/api/roles")
+		RegisterDetectionRoutes(server, r, "/api/detection")
 		RegisterUtilRoutes(server, r, "/api/util")
 
 		server.Host.RegisterRouter("/api/", r)

From 648e2b5a0959bbaa6804111ca4b1b8ced0f4459b Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 1 Sep 2023 15:24:15 -0600
Subject: [PATCH 002/102] WIP: More Detections Work

Walked back playbooks to focus on detections.

Made detections more data driven. Added form validation when creating a detection. TODO: form validation when editing.

Added Duplicate functionality to the API/UI, added Bulk enable/disable to API.

Touched the surface on how detections will sync.
---
 config/clientparameters.go                    |  53 +++++---
 html/index.html                               | 109 ++++++++++++++---
 html/js/i18n.js                               |   7 ++
 html/js/routes/detection.js                   |  63 +++++++---
 html/js/routes/hunt.js                        |   3 +
 model/detection.go                            |  22 ++++
 server/casestore.go                           |   3 +-
 server/detectionhandler.go                    | 115 +++++++++++++++++-
 server/infohandler.go                         |  98 +++++++++------
 server/modules/elastic/converter.go           |  95 ++++-----------
 server/modules/elastic/elasticcasestore.go    |  89 +++++++++++---
 .../modules/elasticcases/elasticcasestore.go  |   8 +-
 server/modules/generichttp/httpcasestore.go   |   8 +-
 server/modules/thehive/thehivecasestore.go    |   8 +-
 server/server.go                              |  12 --
 util/ptr.go                                   |  13 ++
 16 files changed, 495 insertions(+), 211 deletions(-)
 create mode 100644 util/ptr.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 7681ae6e6..ee31adf90 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -16,26 +16,27 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams       HuntingParameters `json:"hunt"`
-	AlertingParams      HuntingParameters `json:"alerts"`
-	CasesParams         HuntingParameters `json:"cases"`
-	CaseParams          CaseParameters    `json:"case"`
-	DashboardsParams    HuntingParameters `json:"dashboards"`
-	JobParams           HuntingParameters `json:"job"`
-	DetectionsParams    HuntingParameters `json:"detections"`
-	PlaybooksParams     HuntingParameters `json:"playbooks"`
-	DocsUrl             string            `json:"docsUrl"`
-	CheatsheetUrl       string            `json:"cheatsheetUrl"`
-	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
-	GridParams          GridParameters    `json:"grid"`
-	WebSocketTimeoutMs  int               `json:"webSocketTimeoutMs"`
-	TipTimeoutMs        int               `json:"tipTimeoutMs"`
-	ApiTimeoutMs        int               `json:"apiTimeoutMs"`
-	CacheExpirationMs   int               `json:"cacheExpirationMs"`
-	InactiveTools       []string          `json:"inactiveTools"`
-	Tools               []ClientTool      `json:"tools"`
-	CasesEnabled        bool              `json:"casesEnabled"`
-	EnableReverseLookup bool              `json:"enableReverseLookup"`
+	HuntingParams       HuntingParameters   `json:"hunt"`
+	AlertingParams      HuntingParameters   `json:"alerts"`
+	CasesParams         HuntingParameters   `json:"cases"`
+	CaseParams          CaseParameters      `json:"case"`
+	DashboardsParams    HuntingParameters   `json:"dashboards"`
+	JobParams           HuntingParameters   `json:"job"`
+	DetectionsParams    HuntingParameters   `json:"detections"`
+	DetectionParams     DetectionParameters `json:"detection"`
+	PlaybooksParams     HuntingParameters   `json:"playbooks"`
+	DocsUrl             string              `json:"docsUrl"`
+	CheatsheetUrl       string              `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`
+	GridParams          GridParameters      `json:"grid"`
+	WebSocketTimeoutMs  int                 `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int                 `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int                 `json:"apiTimeoutMs"`
+	CacheExpirationMs   int                 `json:"cacheExpirationMs"`
+	InactiveTools       []string            `json:"inactiveTools"`
+	Tools               []ClientTool        `json:"tools"`
+	CasesEnabled        bool                `json:"casesEnabled"`
+	EnableReverseLookup bool                `json:"enableReverseLookup"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -188,3 +189,15 @@ type GridParameters struct {
 	MaxUploadSize  uint64 `json:"maxUploadSize,omitempty"`
 	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }
+
+type DetectionParameters struct {
+	HuntingParameters
+	Presets map[string]PresetParameters `json:"presets"`
+}
+
+func (params *DetectionParameters) Verify() error {
+	err := params.HuntingParameters.Verify()
+
+	return err
+
+}
diff --git a/html/index.html b/html/index.html
index 94c1d50e7..cf1329eb8 100644
--- a/html/index.html
+++ b/html/index.html
@@ -76,14 +76,14 @@
               <v-list-item-title v-text="i18n.detections"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
-          <v-list-item @click="" to="/playbooks">
+          <!-- <v-list-item @click="" to="/playbooks">
             <v-list-item-action>
               <v-icon>fa-book-bookmark</v-icon>
             </v-list-item-action>
             <v-list-item-content>
               <v-list-item-title v-text="i18n.playbooks"></v-list-item-title>
             </v-list-item-content>
-          </v-list-item>
+          </v-list-item> -->
           <v-list-item @click="" to="/jobs">
             <v-list-item-action>
               <v-icon>fa-stream</v-icon>
@@ -970,7 +970,50 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <div class="main col-md-9 order-md-1 col-12 order-2">
-            <v-tabs grow v-model="activeTab">
+            <!-- Edit View -->
+            <div v-if="isNew()">
+              <v-form ref="detection" v-model="editForm.valid">
+                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Description -->
+                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
+
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'">
+                    <template v-slot:append v-if="!detect.publicId">
+                      <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+
+                  <!-- Author -->
+                  <v-text-field id="detection-author-create" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="i18n.author"></v-text-field>
+
+                  <!-- Severity -->
+                  <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
+
+                  <!-- Engine -->
+                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]"/>
+
+                  <!-- Reporting -->
+                  <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
+
+                  <!-- Signature -->
+                  <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
+                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="10" :rules="[rules.required]" />
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-create-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-create-create" text small color="primary" class="align-self-end" @click="saveDetection(true)">
+                      {{ i18n.create }}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-form>
+            </div>
+
+            <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
                 <v-icon left>fa-clipboard</v-icon>
                 <div class="d-none d-lg-block">Summary</div>
@@ -987,10 +1030,10 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <v-icon left>fa-signature</v-icon>
                 <div class="d-none d-lg-block">Signature</div>
               </v-tab>
-              <v-tab id="detection_playbookTab" href="#playbook">
+              <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
-              </v-tab>
+              </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
                 <v-icon left>fa-wrench</v-icon>
                 <div class="d-none d-lg-block">Tuning</div>
@@ -1009,12 +1052,19 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
                   <!-- Engine -->
-                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="engineOptions" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                   <!-- Enabled -->
                   <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
                 </div>
+                <div class="d-flex justify-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
+                      {{i18n.duplicate}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
               <v-tab-item value="details">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
@@ -1027,35 +1077,52 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Author -->
                   <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
                   <!-- Severity -->
-                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <!-- <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-create" text small color="primary" class="align-self-end" @click="saveDetection(true)" v-if="isNew()">
-                      {{ i18n.create }}
-                    </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)" v-else>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
-                </div>
+                </div> -->
               </v-tab-item>
               <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Notes -->
                   <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
               <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Signature -->
                   <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
-              <v-tab-item value="playbook">
+              <!-- <v-tab-item value="playbook">
                 <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div class="col ma-2">
                     <div class="row my-2">
@@ -1072,12 +1139,16 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </div>
                 </div>
-              </v-tab-item>
+              </v-tab-item> -->
               <v-tab-item value="tuning">
-                Coming Soon!
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  Coming Soon!
+                </div>
               </v-tab-item>
               <v-tab-item value="history">
-                Coming Soon!
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  Coming Soon!
+                </div>
               </v-tab-item>
             </v-tabs>
           </div>
@@ -1707,7 +1778,6 @@ <h2 v-if="!isKind('pcap')" v-text="kind"></h2>
       </v-container>
     </script>
 
-
     <script type="text/x-template" id="page-job">
       <v-container fluid @click="jobClickHandler()">
         <v-row>
@@ -3319,7 +3389,6 @@ <h3>{{ i18n.details }}</h3>
       </v-container>
     </script>
 
-
     <script type="text/x-template" id="page-grid">
       <v-container fluid>
         <v-row>
@@ -4462,7 +4531,7 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/routes/terms.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/users.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/detection.js?v=VERSION_PLACEHOLDER"></script>
-    <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script>
+    <!-- <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script> -->
     <script src="js/custom.js?v=VERSION_PLACEHOLDER"></script>
   </body>
 </html>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 7bbe4f3b5..0b9b05ee8 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -255,6 +255,9 @@ const i18n = {
       description: 'Description',
       details: 'Details',
       detections: 'Detections',
+      detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
+      detectionDefaultDescription: 'Detection description not yet provided',
+      detectionSeverity: 'Severity',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -272,6 +275,7 @@ const i18n = {
       dstIpHelp: 'Optional destination IP address to include in this job filter',
       dstPort: 'Destination Port',
       dstPortHelp: 'Optional destination TCP port to include in this job filter',
+      duplicate: 'Duplicate',
       edit: 'Edit',
       edited: '(edited)',
       email: 'Email Address',
@@ -279,6 +283,7 @@ const i18n = {
       emailRequired: 'An email address must be specified.',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
+      engine: 'Engine',
       eps: 'EPS',
       epsProduction: 'Production EPS:',
       epsConsumption: 'Consumption EPS:',
@@ -574,6 +579,7 @@ const i18n = {
       relatedEventId: 'Related Event ID',
       relativeTimeHelp: 'Click the clock icon to change to absolute time',
       remove: 'Remove',
+      reporting: 'Reporting',
       required: 'Required.',
       reset: 'Reset',
       resetDefaults: 'Reset Defaults',
@@ -681,6 +687,7 @@ const i18n = {
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
       showTable: 'Show table',
+      signature: 'Signature',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
       sortedBy: 'Sort:',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index b1e2e61ed..5fd098061 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -8,12 +8,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
   template: '#page-detection',
   data() { return {
 		i18n: this.$root.i18n,
+		presets: {},
 		params: {},
 		detect: null,
 		origDetect: null,
 		curEditTarget: null, // string containing element ID, null if not editing
 		origValue: null,
 		editField: null,
+		editForm: { valid: true },
 		rules: {
       required: value => (value && value.length > 0) || this.$root.i18n.required,
       number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
@@ -24,35 +26,25 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
       fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
-		severityOptions: ['low', 'medium', 'high'],
-		engineOptions: ['suricata', 'yara', 'elastalert'],
 		panel: [0, 1, 2],
 		activeTab: '',
-		associatedPlaybook: {
-			onionId: 'y5IYKIoB9-Z7uL2kmy_o',
-			publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
-			title: "Find the baddies",
-			severity: "high",
-			description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
-			mechanism: "suricata",
-			tags: ["one", "two", "three"],
-			relatedPlaybooks: [],
-			contributors: ["Corey Ogburn"],
-			userEditable: true,
-			createTime: "2023-08-22T12:49:47.302819008-06:00",
-			userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
-		},
   }},
   created() {
   },
   watch: {
 	},
 	mounted() {
+		this.$watch(
+      () => this.$route.params,
+      (to, prev) => {
+				this.loadData();
+    	});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
   methods: {
 		async initDetection(params) {
 			this.params = params;
+			this.presets = params['presets'];
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
 			} else {
@@ -69,11 +61,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		newDetection() {
 			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
 			return {
-				title: 'Detection title not yet provided - click here to update this title',
-				description: 'Detection description not yet provided - click here to update this description',
+				title: this.i18n.detectionDefaultTitle,
+				description: this.i18n.detectionDefaultDescription,
 				author: author,
 				publicId: '',
-				severity: 'low',
+				severity: this.getDefaultPreset('severity'),
 				content: '',
 				isEnabled: false,
 				isReporting: false,
@@ -86,7 +78,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			try {
 					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
-				this.detect.note = 'This is a note.';
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -97,6 +88,27 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
       this.$root.stopLoading();
 		},
+		getDefaultPreset(preset) {
+      if (this.presets) {
+        const presets = this.presets[preset];
+        if (presets && presets.labels && presets.labels.length > 0) {
+          return presets.labels[0];
+        }
+      }
+      return "";
+    },
+    getPresets(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].labels;
+      }
+      return [];
+    },
+    isPresetCustomEnabled(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].customEnabled == true;
+      }
+      return false;
+    },
 		isNew() {
 			return this.$route.params.id === 'create';
 		},
@@ -143,12 +155,23 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.editField = null;
 		},
 		saveDetection(createNew) {
+			if (this.curEditTarget !== null) this.stopEdit(true);
+
+			this.$refs['detection'].validate();
+			if (!this.editForm.valid) return;
+
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
 			} else {
 				this.$root.papi.put('/detection', this.detect);
 			}
 			this.origDetect = Object.assign({}, this.detect);
+
+			this.$root.showTip(this.i18n.saveSuccess);
+		},
+		async duplicateDetection() {
+			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
+			this.$router.push({name: 'detection', params: {id: response.data.id}});
 		},
 		print(x) {
 			console.log(x);
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index c8c6c3ff8..6c7f3496b 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2162,6 +2162,9 @@ const huntComponent = {
         console.log('No onionID');
       }
     },
+    print(x) {
+      console.log(x);
+    }
   }
 };
 
diff --git a/model/detection.go b/model/detection.go
index 54b2ed801..4d3f06a1c 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -77,6 +77,8 @@ type Detection struct {
 	Content     string     `json:"content"`
 	IsEnabled   bool       `json:"isEnabled"`
 	IsReporting bool       `json:"isReporting"`
+	IsCommunity bool       `json:"isCommunity"`
+	Note        string     `json:"note"`
 	Engine      EngineName `json:"engine"`
 }
 
@@ -89,3 +91,23 @@ func (detect *Detection) Validate() error {
 
 	return nil
 }
+
+func SyncDetections(detections []*Detection) error {
+	byEngine := map[EngineName][]*Detection{}
+	for _, detect := range detections {
+		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
+	}
+
+	if len(byEngine[EngineNameSuricata]) > 0 {
+		err := syncSuricata(byEngine[EngineNameSuricata])
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func syncSuricata(detections []*Detection) error {
+	return nil
+}
diff --git a/server/casestore.go b/server/casestore.go
index 1f5bcb204..6d6eda5ac 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -42,5 +42,6 @@ type Casestore interface {
 	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	DeleteDetection(ctx context.Context, detectID string) error
+	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index fa1bb4396..56806f1bd 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -7,7 +7,9 @@
 package server
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -25,20 +27,23 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 	}
 
 	r.Route(prefix, func(r chi.Router) {
-		r.Get("/{onionId}", h.getDetection)
+		r.Get("/{id}", h.getDetection)
 
 		r.Post("/", h.postDetection)
+		r.Post("/{id}/duplicate", h.duplicateDetection)
 
 		r.Put("/", h.putDetection)
 
-		r.Delete("/{onionId}", h.deleteDetection)
+		r.Delete("/{id}", h.deleteDetection)
+
+		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
 	})
 }
 
 func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	detectId := chi.URLParam(r, "onionId")
+	detectId := chi.URLParam(r, "id")
 
 	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
 	if err != nil {
@@ -71,7 +76,42 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	web.Respond(w, r, http.StatusCreated, detect)
+	err = model.SyncDetections([]*model.Detection{detect})
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detectId := chi.URLParam(r, "id")
+
+	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	detect.Id = ""
+	detect.PublicID = ""
+	detect.Title = fmt.Sprintf("%s (copy)", detect.Title)
+	detect.CreateTime = nil
+	detect.UpdateTime = nil
+	detect.IsEnabled = false
+	detect.IsReporting = false
+	detect.IsCommunity = false
+
+	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
 }
 
 func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request) {
@@ -91,15 +131,27 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	err = model.SyncDetections([]*model.Detection{detect})
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
 func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	id := chi.URLParam(r, "onionId")
+	id := chi.URLParam(r, "id")
 
-	err := h.server.Casestore.DeleteDetection(ctx, id)
+	old, err := h.server.Casestore.DeleteDetection(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	err = model.SyncDetections([]*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -107,3 +159,54 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 
 	web.Respond(w, r, http.StatusOK, nil)
 }
+
+func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	newStatus := chi.URLParam(r, "newStatus") // "enable" or "disable"
+
+	var enabled bool
+	switch strings.ToLower(newStatus) {
+	case "enable", "disable":
+		enabled = strings.ToLower(newStatus) == "enable"
+	default:
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid status; must be 'enable' or 'disable'"))
+		return
+	}
+
+	body := []string{}
+	err := web.ReadJson(r, body)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	IDs := map[string]struct{}{}
+
+	for _, id := range body {
+		IDs[id] = struct{}{}
+	}
+
+	errMap := map[string]string{} // map[id]error
+	modified := []*model.Detection{}
+
+	for id := range IDs {
+		det, mod, err := h.server.Casestore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		if err != nil {
+			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			continue
+		}
+
+		if mod {
+			modified = append(modified, det)
+		}
+	}
+
+	err = model.SyncDetections(modified)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, errMap)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index c97960eb6..3d7604f31 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -62,48 +62,70 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
-	info.Parameters.DetectionsParams.Queries = []*config.HuntingQuery{
-		{
-			Name:  "All",
-			Query: "_id:*",
-		},
-	}
+	{
+		detections := &info.Parameters.DetectionsParams
 
-	info.Parameters.DetectionsParams.ViewEnabled = true
-	info.Parameters.DetectionsParams.CreateLink = "/detection/create"
-	info.Parameters.DetectionsParams.EventFetchLimit = 500
-	info.Parameters.DetectionsParams.EventItemsPerPage = 50
-	info.Parameters.DetectionsParams.GroupFetchLimit = 50
-	info.Parameters.DetectionsParams.MostRecentlyUsedLimit = 5
-	info.Parameters.DetectionsParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
-	info.Parameters.DetectionsParams.EventFields = map[string][]string{
-		"default": {
-			"soc_timestamp",
-			"so_detection.publicId",
-			"so_detection.title",
-			"so_detection.severity",
-			"so_detection.isEnabled",
-			"so_detection.engine",
-		},
+		detections.ViewEnabled = true
+		detections.CreateLink = "/detection/create"
+		detections.EventFetchLimit = 500
+		detections.EventItemsPerPage = 50
+		detections.GroupFetchLimit = 50
+		detections.MostRecentlyUsedLimit = 5
+		detections.SafeStringMaxLength = 100
+		detections.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+		detections.EventFields = map[string][]string{
+			"default": {
+				"so_detection.title",
+				"so_detection.isEnabled",
+				"so_detection.engine",
+				"@timestamp",
+			},
+		}
+		detections.Queries = []*config.HuntingQuery{
+			{
+				Name:  "All",
+				Query: "_id:*",
+			},
+		}
 	}
 
-	info.Parameters.PlaybooksParams.ViewEnabled = true
-	info.Parameters.PlaybooksParams.CreateLink = "/playbook/create"
-	info.Parameters.PlaybooksParams.EventFetchLimit = 500
-	info.Parameters.PlaybooksParams.EventItemsPerPage = 50
-	info.Parameters.PlaybooksParams.GroupFetchLimit = 50
-	info.Parameters.PlaybooksParams.MostRecentlyUsedLimit = 5
-	info.Parameters.PlaybooksParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
-	info.Parameters.PlaybooksParams.Queries = []*config.HuntingQuery{
-		{Query: "*"},
+	{
+		detection := &info.Parameters.DetectionParams
+
+		detection.Presets = map[string]config.PresetParameters{
+			"severity": {
+				CustomEnabled: false,
+				Labels:        []string{"low", "medium", "high"},
+			},
+			"engine": {
+				CustomEnabled: false,
+				Labels:        []string{"suricata", "yara", "elastalert"},
+			},
+		}
 	}
-	info.Parameters.PlaybooksParams.EventFields = map[string][]string{
-		"default": {
-			"soc_timestamp",
-			"so_playbook.title",
-			"so_playbook.publicId",
-			"so_playbook.mechanism",
-		},
+
+	{
+		playbooks := &info.Parameters.PlaybooksParams
+
+		playbooks.ViewEnabled = true
+		playbooks.CreateLink = "/playbook/create"
+		playbooks.EventFetchLimit = 500
+		playbooks.EventItemsPerPage = 50
+		playbooks.GroupFetchLimit = 50
+		playbooks.MostRecentlyUsedLimit = 5
+		playbooks.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+		playbooks.SafeStringMaxLength = 100
+		playbooks.Queries = []*config.HuntingQuery{
+			{Query: "*"},
+		}
+		playbooks.EventFields = map[string][]string{
+			"default": {
+				"soc_timestamp",
+				"so_playbook.title",
+				"so_playbook.publicId",
+				"so_playbook.mechanism",
+			},
+		}
 	}
 
 	web.Respond(w, r, http.StatusOK, info)
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index f200b7405..8b8fbeaf5 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -227,7 +227,7 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 		sortBySegment := segment.(*model.SortBySegment)
 		fields := sortBySegment.RawFields()
 		if len(fields) > 0 {
-			sorting := make([]map[string]map[string]string, 0, 0)
+			sorting := []map[string]map[string]string{}
 			for _, field := range fields {
 				newSort := make(map[string]map[string]string)
 				order := "desc"
@@ -260,7 +260,7 @@ func parseAggregation(name string, aggObj interface{}, keys []interface{}, resul
 	if buckets != nil {
 		metrics := results.Metrics[name]
 		if metrics == nil {
-			metrics = make([]*model.EventMetric, 0, 0)
+			metrics = []*model.EventMetric{}
 		}
 		for _, bucketObj := range buckets.([]interface{}) {
 			bucket := bucketObj.(map[string]interface{})
@@ -293,9 +293,9 @@ func parseAggregation(name string, aggObj interface{}, keys []interface{}, resul
 func flattenKeyValue(store *ElasticEventstore, fieldMap map[string]interface{}, prefix string, value map[string]interface{}) {
 	for key, value := range value {
 		flattenedKey := prefix + key
-		switch value.(type) {
+		switch v := value.(type) {
 		case map[string]interface{}:
-			flattenKeyValue(store, fieldMap, flattenedKey+".", value.(map[string]interface{}))
+			flattenKeyValue(store, fieldMap, flattenedKey+".", v)
 		default:
 			fieldMap[store.unmapElasticField(flattenedKey)] = value
 		}
@@ -650,81 +650,40 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
-				obj.IsReporting = value.(bool)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
-				obj.Description = value.(string)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
-				obj.IsEnabled = value.(bool)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
-				obj.Engine = value.(string)
-			}
 			if value, ok := event.Payload[schemaPrefix+"detection.publicId"]; ok {
 				obj.PublicID = value.(string)
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
+				obj.Title = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.severity"]; ok {
 				obj.Severity = model.Severity(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
+				obj.Author = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
+				obj.Description = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.content"]; ok {
 				obj.Content = value.(string)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
-				obj.Author = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
+				obj.IsEnabled = value.(bool)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
-				obj.Title = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
+				obj.IsReporting = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isCommunity"]; ok {
+				obj.IsCommunity = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.note"]; ok {
+				obj.Note = value.(string)
 			}
-			// if value, ok := event.Payload[schemaPrefix+"artifact.caseId"]; ok {
-			// 	obj.CaseId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.groupType"]; ok {
-			// 	obj.GroupType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.groupId"]; ok {
-			// 	obj.GroupId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.description"]; ok {
-			// 	obj.Description = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.artifactType"]; ok {
-			// 	obj.ArtifactType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.streamLength"]; ok {
-			// 	obj.StreamLen = int(value.(float64))
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.streamId"]; ok {
-			// 	obj.StreamId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.mimeType"]; ok {
-			// 	obj.MimeType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.value"]; ok {
-			// 	obj.Value = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.tlp"]; ok {
-			// 	obj.Tlp = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.tags"]; ok && value != nil {
-			// 	obj.Tags = convertToStringArray(value.([]interface{}))
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.ioc"]; ok {
-			// 	obj.Ioc = value.(bool)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.md5"]; ok {
-			// 	obj.Md5 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.sha1"]; ok {
-			// 	obj.Sha1 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.sha256"]; ok {
-			// 	obj.Sha256 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.protected"]; ok {
-			// 	obj.Protected = value.(bool)
-			// }
+			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
+				obj.Engine = value.(string)
+			}
+
 			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
 		}
 	}
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index acd8eb3e6..651f2fe0a 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"sort"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/apex/log"
@@ -304,6 +305,10 @@ func (store *ElasticCasestore) validateDetection(detect *model.Detection) error
 		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
 	}
 
+	if err == nil && detect.Note != "" {
+		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	}
+
 	if err == nil {
 		_, okEngine := model.EnginesByName[detect.Engine]
 		if !okEngine {
@@ -981,36 +986,80 @@ func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string
 
 func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
 	err := store.validateDetection(detect)
-	if err == nil {
-		if detect.Id == "" {
-			err = errors.New("Missing detection onion ID")
-			return nil, err
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id == "" {
+		err = errors.New("Missing detection onion ID")
+		return nil, err
+	}
+
+	var old *model.Detection
+	old, err = store.GetDetection(ctx, detect.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	var results *model.EventIndexResults
+
+	// Preserve read-only fields
+	detect.CreateTime = old.CreateTime
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err != nil {
+		return nil, err
+	}
+	// Read object back to get new modify date, etc
+	return store.GetDetection(ctx, results.DocumentId)
+}
+
+func (store *ElasticCasestore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
+	var modified bool
+
+	detect, err := store.GetDetection(ctx, id)
+	if err != nil {
+		return nil, false, err
+	}
+
+	switch strings.ToLower(field) {
+	case "isenabled":
+		bVal, ok := value.(bool)
+		if !ok {
+			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
 		}
 
-		var old *model.Detection
-		old, err = store.GetDetection(ctx, detect.Id)
-		if err == nil {
-			var results *model.EventIndexResults
+		if detect.IsEnabled != bVal {
+			detect.IsEnabled = bVal
+			modified = true
+		}
+	}
 
-			// Preserve read-only fields
-			detect.CreateTime = old.CreateTime
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, false, err
+	}
 
-			results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-			if err == nil {
-				// Read object back to get new modify date, etc
-				detect, err = store.GetDetection(ctx, results.DocumentId)
-			}
+	if modified {
+		var results *model.EventIndexResults
+
+		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+		if err == nil {
+			// Read object back to get new modify date, etc
+			detect, err = store.GetDetection(ctx, results.DocumentId)
 		}
 	}
 
-	return detect, err
+	return detect, modified, err
 }
 
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) error {
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
 	detect, err := store.GetDetection(ctx, onionID)
-	if err == nil {
-		err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err != nil {
+		return nil, err
 	}
 
-	return err
+	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	return detect, err
 }
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index 9d8357e8c..f41d09181 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -157,6 +157,10 @@ func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *mode
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *ElasticCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index f74c58a93..1fac51103 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -162,6 +162,10 @@ func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.D
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *HttpCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 04740aa10..99ad5041f 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -154,6 +154,10 @@ func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *mode
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *TheHiveCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/server.go b/server/server.go
index 1894bb1c5..5080baf4e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -736,15 +736,3 @@ func (server *Server) GetTimezones() []string {
 	}
 	return zones
 }
-
-func Ptr[T any](x T) *T {
-	return &x
-}
-
-func Copy[T any](x *T) *T {
-	if x == nil {
-		return nil
-	}
-
-	return Ptr(*x)
-}
diff --git a/util/ptr.go b/util/ptr.go
new file mode 100644
index 000000000..fe1477027
--- /dev/null
+++ b/util/ptr.go
@@ -0,0 +1,13 @@
+package util
+
+func Ptr[T any](x T) *T {
+	return &x
+}
+
+func Copy[T any](x *T) *T {
+	if x == nil {
+		return nil
+	}
+
+	return Ptr(*x)
+}

From 4541e9b481a24382e26f20b1d3928b8a06d41344 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 8 Sep 2023 15:24:33 -0600
Subject: [PATCH 003/102] WIP: Suricata Rule Parsing

Enabling/Disabling rules that use flowbits is different than rules that don't.

Parsing needs testing, currently failing because the rule I'm testing with uses angled quotes instead of straight quotes.

Can now delete a Detection from the UI.

UI now performs some light validation before saving a Detection.
---
 html/index.html                             |  13 +-
 html/js/i18n.js                             |   4 +
 html/js/routes/detection.js                 |  46 ++++-
 model/detection.go                          |  20 --
 server/detectionhandler.go                  | 203 +++++++++++++++++++-
 server/modules/elastic/elasticeventstore.go |   8 +-
 syntax/suricata.go                          | 156 +++++++++++++++
 7 files changed, 411 insertions(+), 39 deletions(-)
 create mode 100644 syntax/suricata.go

diff --git a/html/index.html b/html/index.html
index cf1329eb8..0b57feab9 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1063,6 +1063,9 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
                       {{i18n.duplicate}}
                     </v-btn>
+                    <v-btn v-if="!isNew()" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
+                      {{i18n.delete}}
+                    </v-btn>
                   </div>
                 </div>
               </v-tab-item>
@@ -1071,7 +1074,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- PublicID -->
                   <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId">
-                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
                     </template>
                   </v-text-field>
                   <!-- Author -->
@@ -1079,7 +1082,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Severity -->
                   <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                 </div>
-                <!-- <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
@@ -1088,14 +1091,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                       {{i18n.update}}
                     </v-btn>
                   </div>
-                </div> -->
+                </div>
               </v-tab-item>
               <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Notes -->
                   <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
@@ -1111,7 +1114,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Signature -->
                   <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 0b9b05ee8..86c1a9348 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -353,6 +353,7 @@ const i18n = {
       firstName: 'First Name',
       flags: 'Flags',
       gigabytes: 'GB',
+      generate: 'Generate',
       graphs: 'Graphs',
       grid: 'Grid',
       gridEps: 'Grid EPS:',
@@ -687,6 +688,9 @@ const i18n = {
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
       showTable: 'Show table',
+      sidMissingErr: "This suricata rule is missing it's SID.",
+      sidMultipleErr: 'Suricata rules can only specify one SID.',
+      sidMismatchErr: "The SID in this suricata rule must match the detection's Public ID.",
       signature: 'Signature',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5fd098061..cb29827cc 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -157,8 +157,22 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
-			this.$refs['detection'].validate();
-			if (!this.editForm.valid) return;
+			if (this.isNew()) {
+				this.$refs['detection'].validate();
+				if (!this.editForm.valid) return;
+			}
+
+			switch (this.detect.engine) {
+				case 'yara':
+					this.validateYara();
+					break;
+				case 'sigma':
+					this.validateSigma();
+					break;
+				case 'suricata':
+					this.validateSuricata();
+					break;
+			}
 
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
@@ -173,6 +187,34 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
 			this.$router.push({name: 'detection', params: {id: response.data.id}});
 		},
+		async deleteDetection() {
+			await this.$root.papi.delete('/detection/' + encodeURIComponent(this.$route.params.id));
+			this.$router.push({ name: 'detections' });
+		},
+		validateYara() { },
+		validateSigma() {},
+		validateSuricata() {
+			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
+			const results = sidExtract.exec(this.detect.content);
+
+			if (!results || results.length < 2) {
+				// sid not present in rule
+				this.$root.showError(this.i18n.sidMissingErr);
+				return;
+			} else if (results && results.length > 2) {
+				// multiple sids present in rule
+				this.$root.showError(this.i18n.sidMultipleErr);
+				return;
+			}
+
+			const sid = results[1];
+
+			if (this.detect.publicId !== sid) {
+				// sid doesn't match metadata
+				this.$root.showError(this.i18n.sidMismatchErr);
+				return;
+			}
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/model/detection.go b/model/detection.go
index 4d3f06a1c..8d3f8c912 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -91,23 +91,3 @@ func (detect *Detection) Validate() error {
 
 	return nil
 }
-
-func SyncDetections(detections []*Detection) error {
-	byEngine := map[EngineName][]*Detection{}
-	for _, detect := range detections {
-		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
-	}
-
-	if len(byEngine[EngineNameSuricata]) > 0 {
-		err := syncSuricata(byEngine[EngineNameSuricata])
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func syncSuricata(detections []*Detection) error {
-	return nil
-}
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 56806f1bd..fef9141e7 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -7,16 +7,23 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
+	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/syntax"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
 )
 
+var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -76,12 +83,17 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
+	if len(errMap) != 0 {
+		web.Respond(w, r, http.StatusInternalServerError, errMap)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
@@ -131,12 +143,17 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
+	if len(errMap) != 0 {
+		web.Respond(w, r, http.StatusInternalServerError, errMap)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
@@ -151,13 +168,13 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{old})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	web.Respond(w, r, http.StatusOK, nil)
+	web.Respond(w, r, http.StatusOK, errMap)
 }
 
 func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Request) {
@@ -202,11 +219,181 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		}
 	}
 
-	err = model.SyncDetections(modified)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
+	if len(modified) != 0 {
+		addErrMap, err := SyncDetections(ctx, h.server.Configstore, modified)
+		if err != nil {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+			return
+		}
+
+		// merge error maps
+		for k, v := range addErrMap {
+			origK, hasK := errMap[k]
+			if hasK {
+				errMap[k] = fmt.Sprintf("%s; %s", origK, v)
+			} else {
+				errMap[k] = v
+			}
+		}
 	}
 
 	web.Respond(w, r, http.StatusOK, errMap)
 }
+
+func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	byEngine := map[model.EngineName][]*model.Detection{}
+	for _, detect := range detections {
+		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
+	}
+
+	if len(byEngine[model.EngineNameSuricata]) > 0 {
+		errMap, err = syncSuricata(ctx, cfgStore, byEngine[model.EngineNameSuricata])
+		if err != nil {
+			return errMap, err
+		}
+	}
+
+	return errMap, nil
+}
+
+func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (map[string]string, error) {
+	allSettings, err := cfgStore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	local := settingByID(allSettings, "idstools.rules.local__rules")
+	if local == nil {
+		return nil, fmt.Errorf("unable to find local rules setting")
+	}
+
+	enabled := settingByID(allSettings, "idstools.sids.enabled")
+	if enabled == nil {
+		return nil, fmt.Errorf("unable to find enabled setting")
+	}
+
+	localLines := strings.Split(local.Value, "\n")
+	enabledLines := strings.Split(enabled.Value, "\n")
+
+	localIndex := indexRules(localLines)
+	enabledIndex := indexSIDs(enabledLines)
+
+	errMap := map[string]string{} // map[sid]error
+
+	for _, detect := range detections {
+		parsedRule, err := syntax.ParseSuricataRule(detect.Content)
+		if err != nil {
+			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
+			continue
+		}
+
+		opt, ok := parsedRule.GetOption("sid")
+		if !ok || opt == nil {
+			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
+			continue
+		}
+
+		sid := *opt
+		_, isFlowbits := parsedRule.GetOption("flowbits")
+
+		_ = isFlowbits
+
+		lineNum, inLocal := localIndex[sid]
+		if !inLocal {
+			localLines = append(localLines, detect.Content)
+			lineNum = len(localLines) - 1
+			localIndex[sid] = lineNum
+		} else {
+			localLines[lineNum] = detect.Content
+		}
+
+		lineNum, inEnabled := enabledIndex[sid]
+		if !inEnabled {
+			line := detect.PublicID
+			if !detect.IsEnabled {
+				line = "# " + line
+			}
+
+			enabledLines = append(enabledLines, line)
+			lineNum = len(enabledLines) - 1
+			enabledIndex[sid] = lineNum
+		} else {
+			line := detect.PublicID
+			if !detect.IsEnabled {
+				line = "# " + line
+			}
+
+			enabledLines[lineNum] = line
+		}
+	}
+
+	local.Value = strings.Join(localLines, "\n")
+	enabled.Value = strings.Join(enabledLines, "\n")
+
+	err = cfgStore.UpdateSetting(ctx, local, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = cfgStore.UpdateSetting(ctx, enabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	return errMap, nil
+}
+
+func settingByID(all []*model.Setting, id string) *model.Setting {
+	found, ok := lo.Find(all, func(s *model.Setting) bool {
+		return s.Id == id
+	})
+	if !ok {
+		return nil
+	}
+
+	return found
+}
+
+func extractSID(rule string) *string {
+	sids := sidExtracter.FindStringSubmatch(rule)
+	if len(sids) != 2 { // 0: Full Match, 1: Capture Group
+		return nil
+	}
+
+	return util.Ptr(strings.TrimSpace(sids[1]))
+}
+
+func indexRules(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		sid := extractSID(line)
+		if sid == nil {
+			continue
+		}
+
+		index[*sid] = i
+	}
+
+	return index
+}
+
+func indexSIDs(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+
+		if line != "" {
+			index[line] = i
+		}
+	}
+
+	return index
+}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 93726aa59..017826323 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -577,8 +577,8 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 
 	query := fmt.Sprintf(`
     {
-      "query" : { 
-        "bool": { 
+      "query" : {
+        "bool": {
           "must": [
             { "match" : { "%s" : "%s" }}%s
           ]
@@ -621,8 +621,8 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 		}
 		query := fmt.Sprintf(`
       {
-        "query" : { 
-          "bool": { 
+        "query" : {
+          "bool": {
             "must": [
               { "match" : { "log.id.uid" : "%s" }}%s
             ]
diff --git a/syntax/suricata.go b/syntax/suricata.go
new file mode 100644
index 000000000..90ca8af83
--- /dev/null
+++ b/syntax/suricata.go
@@ -0,0 +1,156 @@
+package syntax
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+type SuricataRule struct {
+	Action      string
+	Protocol    string
+	Source      string
+	Direction   string
+	Destination string
+	Options     []*RuleOption
+}
+
+type RuleOption struct {
+	Name  string
+	Value *string
+}
+
+type state int
+
+const (
+	stateAction state = iota
+	stateProtocol
+	stateSource
+	stateDirection
+	stateDestination
+	stateOptions
+)
+
+func ParseSuricataRule(rule string) (*SuricataRule, error) {
+	r := strings.NewReader(rule)
+	curState := stateAction
+	buf := strings.Builder{}
+	inQuotes := false
+	isEscaping := false
+
+	out := &SuricataRule{
+		Options: []*RuleOption{},
+	}
+
+	for r.Len() != 0 {
+		// TODO: Parse Source and Destination into Address and Ports
+		ch, _, _ := r.ReadRune()
+
+		switch curState {
+		case stateAction:
+			if ch == ' ' {
+				out.Action = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateProtocol
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateProtocol:
+			if ch == ' ' {
+				out.Protocol = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateSource
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateSource:
+			if ch == '<' || ch == '-' {
+				out.Source = strings.TrimSpace(buf.String())
+				buf.Reset()
+				buf.WriteRune(ch)
+				curState = stateDirection
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateDirection:
+			if ch == ' ' {
+				out.Direction = strings.TrimSpace(buf.String())
+				if out.Direction != "<>" && out.Direction != "->" {
+					return nil, fmt.Errorf("invalid direction, must be '<>' or '->', got %s", out.Direction)
+				}
+
+				buf.Reset()
+				curState = stateDestination
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateDestination:
+			if ch == '(' {
+				out.Destination = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateOptions
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateOptions:
+			if ch == ')' && !inQuotes && !isEscaping {
+				if r.Len() != 0 {
+					// end of options, but not end of rule?
+					return nil, fmt.Errorf("invalid rule, expected end of rule, got %d more bytes", r.Len())
+				}
+			} else if ch == ';' && !inQuotes && !isEscaping {
+				option := strings.TrimSpace(buf.String())
+				buf.Reset()
+
+				split := strings.SplitN(option, ":", 2)
+				opt := &RuleOption{
+					Name: strings.TrimSpace(split[0]),
+				}
+
+				if len(split) == 2 {
+					opt.Value = util.Ptr(strings.TrimSpace(split[1]))
+				}
+
+				out.Options = append(out.Options, opt)
+			} else if ch == '"' { // TODO: current test rule has angled quotes, needs fixing
+				buf.WriteRune(ch)
+				if isEscaping {
+					isEscaping = false
+				} else {
+					inQuotes = !inQuotes
+				}
+			} else if ch == '\\' {
+				isEscaping = true
+				buf.WriteRune(ch)
+			} else {
+				buf.WriteRune(ch)
+			}
+		}
+	}
+
+	return out, nil
+}
+
+func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
+	for _, opt := range rule.Options {
+		if opt.Name == key {
+			return opt.Value, true
+		}
+	}
+
+	return nil, false
+}
+
+func (rule *SuricataRule) String() string {
+	opts := make([]string, 0, len(rule.Options))
+	for _, opt := range rule.Options {
+		if opt.Value == nil {
+			opts = append(opts, fmt.Sprintf("%s;", opt.Name))
+		} else {
+			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, *opt.Value))
+		}
+	}
+
+	return fmt.Sprintf("%s %s %s %s %s (%s)", rule.Action, rule.Protocol, rule.Source, rule.Direction, rule.Destination, strings.Join(opts, " "))
+}

From f4d1eaf3ed7e8f200d97bb85c3a3063451d53f44 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 19 Sep 2023 18:27:51 -0600
Subject: [PATCH 004/102] WIP: alerts

---
 html/js/routes/detection.js | 35 +++++++++++++++-------
 server/detectionhandler.go  | 60 +++++++++++++++++++++++++++++++------
 2 files changed, 75 insertions(+), 20 deletions(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index cb29827cc..a1d346eb9 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -162,18 +162,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				if (!this.editForm.valid) return;
 			}
 
+			let err;
 			switch (this.detect.engine) {
 				case 'yara':
-					this.validateYara();
+					err = this.validateYara();
 					break;
 				case 'sigma':
-					this.validateSigma();
+					err = this.validateSigma();
 					break;
 				case 'suricata':
-					this.validateSuricata();
+					err = this.validateSuricata();
 					break;
 			}
 
+			if (err) {
+				this.$root.showError(err);
+				return;
+			}
+
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
 			} else {
@@ -191,29 +197,36 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			await this.$root.papi.delete('/detection/' + encodeURIComponent(this.$route.params.id));
 			this.$router.push({ name: 'detections' });
 		},
-		validateYara() { },
-		validateSigma() {},
+		validateYara() {
+			return null;
+		},
+		validateSigma() {
+			return null;
+		},
 		validateSuricata() {
 			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
 			const results = sidExtract.exec(this.detect.content);
 
 			if (!results || results.length < 2) {
 				// sid not present in rule
-				this.$root.showError(this.i18n.sidMissingErr);
-				return;
+				return this.i18n.sidMissingErr;
 			} else if (results && results.length > 2) {
 				// multiple sids present in rule
-				this.$root.showError(this.i18n.sidMultipleErr);
-				return;
+				return this.i18n.sidMultipleErr;
 			}
 
 			const sid = results[1];
 
 			if (this.detect.publicId !== sid) {
 				// sid doesn't match metadata
-				this.$root.showError(this.i18n.sidMismatchErr);
-				return;
+				return this.i18n.sidMismatchErr;
 			}
+
+			// normalize quotes
+			this.detect.content = this.detect.content.replaceAll('”', '"');
+			this.detect.content = this.detect.content.replaceAll('“', '"');
+
+			return null;
 		},
 		print(x) {
 			console.log(x);
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index fef9141e7..bc8c6b696 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -24,6 +24,8 @@ import (
 
 var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
 
+const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -278,11 +280,18 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return nil, fmt.Errorf("unable to find enabled setting")
 	}
 
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
 
-	localIndex := indexRules(localLines)
-	enabledIndex := indexSIDs(enabledLines)
+	localIndex := indexLocal(localLines)
+	enabledIndex := indexEnabled(enabledLines)
+	modifyIndex := indexModified(modifyLines)
 
 	errMap := map[string]string{} // map[sid]error
 
@@ -302,8 +311,6 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		sid := *opt
 		_, isFlowbits := parsedRule.GetOption("flowbits")
 
-		_ = isFlowbits
-
 		lineNum, inLocal := localIndex[sid]
 		if !inLocal {
 			localLines = append(localLines, detect.Content)
@@ -316,7 +323,7 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		lineNum, inEnabled := enabledIndex[sid]
 		if !inEnabled {
 			line := detect.PublicID
-			if !detect.IsEnabled {
+			if !detect.IsEnabled && !isFlowbits {
 				line = "# " + line
 			}
 
@@ -325,16 +332,32 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 			enabledIndex[sid] = lineNum
 		} else {
 			line := detect.PublicID
-			if !detect.IsEnabled {
+			if !detect.IsEnabled && !isFlowbits {
 				line = "# " + line
 			}
 
 			enabledLines[lineNum] = line
 		}
+
+		if isFlowbits {
+			lineNum, inModify := modifyIndex[sid]
+			if !inModify && !detect.IsEnabled {
+				// not in the modify file, but should be
+				line := fmt.Sprintf("%s %s", detect.PublicID, suricataModifyFromTo)
+				modifyLines = append(modifyLines, line)
+				lineNum = len(modifyLines) - 1
+				modifyIndex[sid] = lineNum
+			} else if inModify && detect.IsEnabled {
+				// in modify, but shouldn't be
+				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				delete(modifyIndex, sid)
+			}
+		}
 	}
 
 	local.Value = strings.Join(localLines, "\n")
 	enabled.Value = strings.Join(enabledLines, "\n")
+	modify.Value = strings.Join(modifyLines, "\n")
 
 	err = cfgStore.UpdateSetting(ctx, local, false)
 	if err != nil {
@@ -346,6 +369,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return errMap, err
 	}
 
+	err = cfgStore.UpdateSetting(ctx, modify, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	return errMap, nil
 }
 
@@ -369,7 +397,7 @@ func extractSID(rule string) *string {
 	return util.Ptr(strings.TrimSpace(sids[1]))
 }
 
-func indexRules(lines []string) map[string]int {
+func indexLocal(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
@@ -384,12 +412,11 @@ func indexRules(lines []string) map[string]int {
 	return index
 }
 
-func indexSIDs(lines []string) map[string]int {
+func indexEnabled(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
 		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-
 		if line != "" {
 			index[line] = i
 		}
@@ -397,3 +424,18 @@ func indexSIDs(lines []string) map[string]int {
 
 	return index
 }
+
+func indexModified(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, " \t"))
+		parts := strings.SplitN(line, " ", 2)
+
+		if strings.Contains(line, suricataModifyFromTo) {
+			index[parts[0]] = i
+		}
+	}
+
+	return index
+}

From 13c03c4d63908c6aca43bb7cd16deefae570808a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 21 Sep 2023 16:33:01 -0600
Subject: [PATCH 005/102] WIP: Various improvements

Properly adds SIDs to disabled file.

MinLength now set in UI to match server requirement of 5.

After creating a detection, you're taken to the edit page for that detection instead of being left at a filled in create page.

If creating fails, a banner is shown.

Case insensitive sidExtractor. The extractSID function now returns nil if more than 1 SID is specified.

Tests for pure functions.
---
 html/index.html                 |   6 +-
 html/js/routes/detection.js     |  41 ++++----
 server/detectionhandler.go      |  52 ++++++++--
 server/detectionhandler_test.go | 164 ++++++++++++++++++++++++++++++++
 4 files changed, 235 insertions(+), 28 deletions(-)
 create mode 100644 server/detectionhandler_test.go

diff --git a/html/index.html b/html/index.html
index 0b57feab9..e2d9c7902 100644
--- a/html/index.html
+++ b/html/index.html
@@ -970,15 +970,15 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <div class="main col-md-9 order-md-1 col-12 order-2">
-            <!-- Edit View -->
             <div v-if="isNew()">
+              <!-- Create View -->
               <v-form ref="detection" v-model="editForm.valid">
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Description -->
                   <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1072,7 +1072,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="details">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
                     </template>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index a1d346eb9..e88abc266 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -17,14 +17,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		editField: null,
 		editForm: { valid: true },
 		rules: {
-      required: value => (value && value.length > 0) || this.$root.i18n.required,
-      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
-      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
-      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
-      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
-      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
-      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
-      fileRequired: value => (value != null) || this.$root.i18n.required,
+			required: value => (value && value.length > 0) || this.$root.i18n.required,
+			number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+			hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
+			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+			fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
@@ -154,7 +155,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.origValue = null;
 			this.editField = null;
 		},
-		saveDetection(createNew) {
+		async saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
 			if (this.isNew()) {
@@ -180,14 +181,22 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				return;
 			}
 
-			if (createNew) {
-				this.$root.papi.post('/detection', this.detect);
-			} else {
-				this.$root.papi.put('/detection', this.detect);
-			}
-			this.origDetect = Object.assign({}, this.detect);
+			try {
+				let response;
+				if (createNew) {
+					response = await this.$root.papi.post('/detection', this.detect);
+				} else {
+					response = await this.$root.papi.put('/detection', this.detect);
+				}
+
+				this.origDetect = Object.assign({}, this.detect);
 
-			this.$root.showTip(this.i18n.saveSuccess);
+				this.$root.showTip(this.i18n.saveSuccess);
+
+				this.$router.push({name: 'detection', params: {id: response.data.id}});
+			} catch (error) {
+				this.$root.showError(error);
+			}
 		},
 		async duplicateDetection() {
 			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index bc8c6b696..dc17abda2 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -22,7 +22,7 @@ import (
 	"github.com/go-chi/chi"
 )
 
-var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
+var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 
 const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
 
@@ -280,6 +280,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return nil, fmt.Errorf("unable to find enabled setting")
 	}
 
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
 	modify := settingByID(allSettings, "idstools.sids.modify")
 	if modify == nil {
 		return nil, fmt.Errorf("unable to find modify setting")
@@ -287,11 +292,13 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
+	disabledLines := strings.Split(disabled.Value, "\n")
 	modifyLines := strings.Split(modify.Value, "\n")
 
 	localIndex := indexLocal(localLines)
 	enabledIndex := indexEnabled(enabledLines)
-	modifyIndex := indexModified(modifyLines)
+	disabledIndex := indexEnabled(disabledLines)
+	modifyIndex := indexModify(modifyLines)
 
 	errMap := map[string]string{} // map[sid]error
 
@@ -339,6 +346,27 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 			enabledLines[lineNum] = line
 		}
 
+		if !isFlowbits {
+			lineNum, inDisabled := disabledIndex[sid]
+			if !inDisabled {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines = append(disabledLines, line)
+				lineNum = len(disabledLines) - 1
+				disabledIndex[sid] = lineNum
+			} else {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines[lineNum] = line
+			}
+		}
+
 		if isFlowbits {
 			lineNum, inModify := modifyIndex[sid]
 			if !inModify && !detect.IsEnabled {
@@ -357,6 +385,7 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 
 	local.Value = strings.Join(localLines, "\n")
 	enabled.Value = strings.Join(enabledLines, "\n")
+	disabled.Value = strings.Join(disabledLines, "\n")
 	modify.Value = strings.Join(modifyLines, "\n")
 
 	err = cfgStore.UpdateSetting(ctx, local, false)
@@ -369,6 +398,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return errMap, err
 	}
 
+	err = cfgStore.UpdateSetting(ctx, disabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	err = cfgStore.UpdateSetting(ctx, modify, false)
 	if err != nil {
 		return errMap, err
@@ -389,12 +423,12 @@ func settingByID(all []*model.Setting, id string) *model.Setting {
 }
 
 func extractSID(rule string) *string {
-	sids := sidExtracter.FindStringSubmatch(rule)
-	if len(sids) != 2 { // 0: Full Match, 1: Capture Group
+	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
+	if len(sids) != 1 { // 1 match = 1 sid
 		return nil
 	}
 
-	return util.Ptr(strings.TrimSpace(sids[1]))
+	return util.Ptr(strings.TrimSpace(sids[0][1]))
 }
 
 func indexLocal(lines []string) map[string]int {
@@ -425,14 +459,14 @@ func indexEnabled(lines []string) map[string]int {
 	return index
 }
 
-func indexModified(lines []string) map[string]int {
+func indexModify(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, " \t"))
-		parts := strings.SplitN(line, " ", 2)
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
 
-		if strings.Contains(line, suricataModifyFromTo) {
+		if strings.HasSuffix(line, suricataModifyFromTo) {
+			parts := strings.SplitN(line, " ", 2)
 			index[parts[0]] = i
 		}
 	}
diff --git a/server/detectionhandler_test.go b/server/detectionhandler_test.go
new file mode 100644
index 000000000..f1be97606
--- /dev/null
+++ b/server/detectionhandler_test.go
@@ -0,0 +1,164 @@
+package server
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSettingByID(t *testing.T) {
+	allSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+	byId := map[string]*model.Setting{
+		"1": allSettings[0],
+		"2": allSettings[1],
+		"3": allSettings[2],
+	}
+
+	table := []struct {
+		Name          string
+		SettingID     string
+		ExpectedValue *string
+	}{
+		{Name: "Get 1", SettingID: "1", ExpectedValue: util.Ptr("one")},
+		{Name: "Get 2", SettingID: "2", ExpectedValue: util.Ptr("two")},
+		{Name: "Get 3", SettingID: "3", ExpectedValue: util.Ptr("three")},
+		{Name: "Get 4", SettingID: "4", ExpectedValue: nil},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			value := settingByID(allSettings, test.SettingID)
+			if test.ExpectedValue == nil {
+				assert.Nil(t, value)
+			} else {
+				assert.Equal(t, *test.ExpectedValue, value.Value)
+				assert.Same(t, value, byId[test.SettingID])
+			}
+		})
+	}
+}
+
+func TestExtractSID(t *testing.T) {
+	table := []struct {
+		Name   string
+		Input  string
+		Output *string
+	}{
+		{Name: "Simple SID", Input: "sid:10000;", Output: util.Ptr("10000")},
+		{Name: "Empty SID", Input: "sid: ;", Output: util.Ptr("")},
+		{Name: "Capital SID", Input: "SID:10000;", Output: util.Ptr("10000")},
+		{Name: "UUID SID", Input: "sid: 82ca7105-9001-40b7-a8cc-4eaebaf17815;", Output: util.Ptr("82ca7105-9001-40b7-a8cc-4eaebaf17815")},
+		{Name: "No SID", Input: "nid: 10000", Output: nil},
+		{Name: "Single-Quoted SID", Input: "sid: '10000';", Output: util.Ptr("10000")},
+		{Name: "Double-Quoted SID", Input: `sid:"10000";`, Output: util.Ptr("10000")},
+		{Name: "Single-Quoted Empty SID", Input: "sid:'';", Output: util.Ptr("")},
+		{Name: "Double-Quoted Empty SID", Input: `sid: "";`, Output: util.Ptr("")},
+		{Name: "Multiple SIDs", Input: "sid: 10000; sid: 10001;", Output: nil},
+		{Name: "Sample Rule", Input: `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`, Output: util.Ptr("60000")},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			output := extractSID(test.Input)
+			assert.Equal(t, test.Output, output)
+		})
+	}
+}
+
+func TestIndexLocal(t *testing.T) {
+	lines := []string{
+		"sid: 10000;",
+		" ",
+		"# sid: 20000;",
+		"sid: 30000;",
+		"# 40000", // note: extractSID won't find anything here
+		"50000",
+	}
+
+	output := indexLocal(lines)
+	assert.Equal(t, 3, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.NotContains(t, output, "40000")
+	assert.NotContains(t, output, "50000")
+}
+
+func TestIndexEnabled(t *testing.T) {
+	lines := []string{
+		"10000",
+		" ",
+		"# 20000   ",
+		"30000 ",
+		"#   40000", // note: extractSID won't find anything here
+		"   50000",
+		" not a number ",
+		"#  24adee9b-6010-46ed-9c4a-9cb7a9c972a1",
+	}
+
+	output := indexEnabled(lines)
+
+	assert.Equal(t, 7, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.Contains(t, output, "40000")
+	assert.Equal(t, output["40000"], 4)
+	assert.Contains(t, output, "50000")
+	assert.Equal(t, output["50000"], 5)
+	assert.Contains(t, output, "not a number")
+	assert.Equal(t, output["not a number"], 6)
+	assert.Contains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
+	assert.Equal(t, output["24adee9b-6010-46ed-9c4a-9cb7a9c972a1"], 7)
+}
+
+func TestIndexModify(t *testing.T) {
+	lines := []string{
+		`90000 this that`,
+		`10000 "flowbits" "noalert; flowbits"`,
+		`# 20000 "flowbits" "noalert; flowbits"`,
+		`30000 "flowbits" "noalert; flowbits" # we'll turn this on later`,
+		`# An unrelated comment`,
+		`a83ba97b-a8e8-4258-be1b-022aff230e6e "flowbits" "noalert; flowbits"`,
+		` # 23220e49-7229-43a1-92d5-d68e46d27105 "flowbits" "noalert; flowbits"`,
+		`e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5 that this`,
+	}
+
+	// Reminder: We only care about the lines that the API has added,
+	// if a line doesn't end with suricataModifyFromTo (`"flowbits" "noalert; flowbits"`)
+	// then it's a line we don't want to touch.
+
+	output := indexModify(lines)
+
+	assert.Equal(t, 4, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 1)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "a83ba97b-a8e8-4258-be1b-022aff230e6e")
+	assert.Equal(t, output["a83ba97b-a8e8-4258-be1b-022aff230e6e"], 5)
+	assert.Contains(t, output, "23220e49-7229-43a1-92d5-d68e46d27105")
+	assert.Equal(t, output["23220e49-7229-43a1-92d5-d68e46d27105"], 6)
+	assert.NotContains(t, output, "90000")
+	assert.NotContains(t, output, "30000")
+	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
+}

From 9ab882737941e4a48ddcd3b9652801cd66f51843 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 22 Sep 2023 15:05:47 -0600
Subject: [PATCH 006/102] WIP: Tests

Added MemConfigStore to facilitate testing.

Test rule parsing, enabling/disabling of rules, and various helper functions.
---
 server/detectionhandler_test.go  |  51 +++++++++++++
 server/memconfigstore.go         |  46 ++++++++++++
 server/memconfigstore_test.go    | 112 ++++++++++++++++++++++++++++
 server/modules/salt/saltstore.go |   3 +-
 syntax/suricata_test.go          | 124 +++++++++++++++++++++++++++++++
 5 files changed, 335 insertions(+), 1 deletion(-)
 create mode 100644 server/memconfigstore.go
 create mode 100644 server/memconfigstore_test.go
 create mode 100644 syntax/suricata_test.go

diff --git a/server/detectionhandler_test.go b/server/detectionhandler_test.go
index f1be97606..e1449f03f 100644
--- a/server/detectionhandler_test.go
+++ b/server/detectionhandler_test.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -162,3 +163,53 @@ func TestIndexModify(t *testing.T) {
 	assert.NotContains(t, output, "30000")
 	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
 }
+
+func TestSyncSuricata(t *testing.T) {
+	emptySettings := []*model.Setting{
+		{Id: "idstools.rules.local__rules"},
+		{Id: "idstools.rules.enabled"},
+		{Id: "idstools.rules.disabled"},
+		{Id: "idstools.rules.modify"},
+	}
+	table := []struct {
+		Name string
+		InitialSettings []*model.Setting
+		Detections []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
+		ExpectedSettings map[string]string
+		ExpectedErr error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Simple Add",
+			InitialSettings: emptySettings,
+			Detections: []*model.Detection{
+				{},
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			mCfgStore := NewMemConfigStore(test.InitialSettings)
+
+			errMap, err := syncSuricata(ctx, mCfgStore, test.Detections)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+
+			set, err := mCfgStore.GetSettings(ctx)
+			assert.NoError(t, err)
+
+			for id, expectedValue := range test.ExpectedSettings {
+				setting := settingByID(set, id)
+				assert.NotNil(t, setting)
+				assert.Equal(t, expectedValue, setting.Value)
+			}
+		})
+	}
+}
\ No newline at end of file
diff --git a/server/memconfigstore.go b/server/memconfigstore.go
new file mode 100644
index 000000000..c0dcddc0e
--- /dev/null
+++ b/server/memconfigstore.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"context"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type MemConfigStore struct {
+	settings []*model.Setting
+}
+
+func NewMemConfigStore(settings []*model.Setting) *MemConfigStore {
+	return &MemConfigStore{
+		settings: settings,
+	}
+}
+
+func (m *MemConfigStore) GetSettings(ctx context.Context) ([]*model.Setting, error) {
+	return m.settings, nil
+}
+
+func (m *MemConfigStore) UpdateSetting(ctx context.Context, setting *model.Setting, remove bool) error {
+	_, index, ok := lo.FindIndexOf(m.settings, func(s *model.Setting) bool {
+		return s.Id == setting.Id
+	})
+
+	if remove {
+		if ok {
+			m.settings = append(m.settings[:index], m.settings[index+1:]...)
+		}
+	} else {
+		if ok {
+			m.settings[index] = setting
+		} else {
+			m.settings = append(m.settings, setting)
+		}
+	}
+
+	return nil
+}
+
+func (m *MemConfigStore) SyncSettings(ctx context.Context) error {
+	return nil
+}
diff --git a/server/memconfigstore_test.go b/server/memconfigstore_test.go
new file mode 100644
index 000000000..c1d550a85
--- /dev/null
+++ b/server/memconfigstore_test.go
@@ -0,0 +1,112 @@
+package server
+
+import (
+	"context"
+	"testing"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMemConfigStoreNew(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	assert.Implements(t, (*Configstore)(nil), mCfgStore)
+
+	ctx := context.Background()
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Same(t, &origSettings[0], &set[0])
+}
+
+func TestMemConfigStoreUpdate(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "1", Value: "new"}, false)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 3)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "1"
+	})
+	assert.True(t, ok)
+	assert.Equal(t, "new", s.Value)
+}
+
+func TestMemConfigStoreUpdateAdd(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "4", Value: "four"}, false)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 4)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "4"
+	})
+	assert.True(t, ok)
+	assert.Equal(t, "four", s.Value)
+}
+
+func TestMemConfigStoreUpdateRemove(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "4"}, true)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 3)
+
+	err = mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "2"}, true)
+	assert.NoError(t, err)
+
+	set, err = mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 2)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "2"
+	})
+	assert.False(t, ok)
+	assert.Nil(t, s)
+}
+
+func TestMemConfigStoreSync(t *testing.T) {
+	mCfgStore := NewMemConfigStore(nil)
+	err := mCfgStore.SyncSettings(context.Background())
+	assert.NoError(t, err)
+}
diff --git a/server/modules/salt/saltstore.go b/server/modules/salt/saltstore.go
index b901ad5c8..75906edf5 100644
--- a/server/modules/salt/saltstore.go
+++ b/server/modules/salt/saltstore.go
@@ -17,13 +17,14 @@ import (
 	"strings"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/json"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/salt/options"
 	"github.com/security-onion-solutions/securityonion-soc/syntax"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
+	"github.com/apex/log"
 	"gopkg.in/yaml.v3"
 )
 
diff --git a/syntax/suricata_test.go b/syntax/suricata_test.go
new file mode 100644
index 000000000..f9b2d7f0f
--- /dev/null
+++ b/syntax/suricata_test.go
@@ -0,0 +1,124 @@
+package syntax
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/tj/assert"
+)
+
+func TestParseSuricata(t *testing.T) {
+	table := []struct {
+		Name   string
+		Input  string
+		Output *SuricataRule
+		Error  *string
+	}{
+		{
+			Name:  "Minimal Rule",
+			Input: `a b source port <> destination port ()`,
+			Output: &SuricataRule{
+				Action:      "a",
+				Protocol:    "b",
+				Source:      "source port",
+				Direction:   "<>",
+				Destination: "destination port",
+				Options:     []*RuleOption{},
+			},
+		},
+		{
+			Name:  "Bad Direction",
+			Input: `a b source port <- destination port ()`,
+			Error: util.Ptr("invalid direction, must be '<>' or '->', got <-"),
+		},
+		{
+			Name:  "Unnecessary Suffix",
+			Input: `a b source port <> destination port () x`,
+			Error: util.Ptr("invalid rule, expected end of rule, got 2 more bytes"),
+		},
+		{
+			Name:  "Escaped Option",
+			Input: `a b source port <> destination port (msg:"\\\"";)`,
+			Output: &SuricataRule{
+				Action:      "a",
+				Protocol:    "b",
+				Source:      "source port",
+				Direction:   "<>",
+				Destination: "destination port",
+				Options: []*RuleOption{
+					{Name: "msg", Value: util.Ptr(`"\\\""`)},
+				},
+			},
+		},
+		{
+			Name:  "Real rule",
+			Input: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+			Output: &SuricataRule{
+				Action:      "alert",
+				Protocol:    "http",
+				Source:      "any any",
+				Direction:   "->",
+				Destination: "any any",
+				Options: []*RuleOption{
+					{Name: "msg", Value: util.Ptr(`"GPL ATTACK_RESPONSE id check returned root"`)},
+					{Name: "content", Value: util.Ptr(`"uid=0|28|root|29|"`)},
+					{Name: "classtype", Value: util.Ptr("bad-unknown")},
+					{Name: "sid", Value: util.Ptr("2100498")},
+					{Name: "rev", Value: util.Ptr("7")},
+					{Name: "metadata", Value: util.Ptr("created_at 2010_09_23, updated_at 2010_09_23")},
+				},
+			},
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			rule, err := ParseSuricataRule(test.Input)
+			if test.Error != nil {
+				assert.Nil(t, rule)
+				assert.Equal(t, *test.Error, err.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.Output, rule)
+			}
+		})
+	}
+}
+
+func TestSuricataRule(t *testing.T) {
+	input := `a b source port <> destination port (msg:"\\\""; noalert; sid:12345; rev: "9"; )`
+
+	rule, err := ParseSuricataRule(input)
+	assert.NoError(t, err)
+
+	rule2, err := ParseSuricataRule(rule.String())
+	assert.NoError(t, err)
+
+	assert.Equal(t, rule, rule2)
+
+	opt, ok := rule.GetOption("msg")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, `"\\\""`, *opt)
+
+	opt, ok = rule.GetOption("sid")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, "12345", *opt)
+
+	opt, ok = rule.GetOption("rev")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, `"9"`, *opt)
+
+	opt, ok = rule.GetOption("noalert")
+	assert.True(t, ok)
+	assert.Nil(t, opt)
+
+	opt, ok = rule.GetOption("notfound")
+	assert.False(t, ok)
+	assert.Nil(t, opt)
+}

From 7baf618ccbf094fbd5ff57aacebc51151c65625c Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 25 Sep 2023 16:01:29 -0600
Subject: [PATCH 007/102] WIP: Modulaization and Elastic Index Change

Moved Casestore functions relating to Detections to a brand new Detectionstore.

TODO: TestSyncSuricata needs more tests, it currently only covers the bare minimum. Also, more testing needs to take place around what happens when the detections module is disabled.
---
 server/casestore.go                           |   6 -
 server/detectionengine.go                     |  12 +
 server/detectionhandler.go                    | 251 +-----------
 server/detectionstore.go                      |  21 +
 server/infohandler.go                         |   4 +-
 server/modules/elastic/elastic.go             |  22 ++
 server/modules/elastic/elasticcasestore.go    | 163 --------
 .../modules/elastic/elasticdetectionstore.go  | 360 ++++++++++++++++++
 server/modules/modules.go                     |   3 +
 server/modules/modules_test.go                |   1 +
 server/modules/suricata/suricata.go           | 269 +++++++++++++
 .../suricata/suricata_test.go}                | 126 +++++-
 .../modules/suricata/validate.go              |   2 +-
 .../modules/suricata/validate_test.go         |   2 +-
 server/server.go                              |   9 +-
 15 files changed, 828 insertions(+), 423 deletions(-)
 create mode 100644 server/detectionengine.go
 create mode 100644 server/detectionstore.go
 create mode 100644 server/modules/elastic/elasticdetectionstore.go
 create mode 100644 server/modules/suricata/suricata.go
 rename server/{detectionhandler_test.go => modules/suricata/suricata_test.go} (52%)
 rename syntax/suricata.go => server/modules/suricata/validate.go (99%)
 rename syntax/suricata_test.go => server/modules/suricata/validate_test.go (99%)

diff --git a/server/casestore.go b/server/casestore.go
index 6d6eda5ac..be9d6536e 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -38,10 +38,4 @@ type Casestore interface {
 	CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)
 	GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)
 	DeleteArtifactStream(ctx context.Context, id string) error
-
-	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
-	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
-	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 }
diff --git a/server/detectionengine.go b/server/detectionengine.go
new file mode 100644
index 000000000..09d430e1b
--- /dev/null
+++ b/server/detectionengine.go
@@ -0,0 +1,12 @@
+package server
+
+import (
+	"context"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type DetectionEngine interface {
+	ValidateRule(rule string) (string, error)
+	SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+}
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index dc17abda2..4462b3c8c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -10,22 +10,14 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"regexp"
 	"strings"
 
-	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
-	"github.com/security-onion-solutions/securityonion-soc/syntax"
-	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
 )
 
-var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
-
-const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
-
 type DetectionHandler struct {
 	server *Server
 }
@@ -54,7 +46,7 @@ func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request)
 
 	detectId := chi.URLParam(r, "id")
 
-	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	detect, err := h.server.Detectionstore.GetDetection(ctx, detectId)
 	if err != nil {
 		if err.Error() == "Object not found" {
 			web.Respond(w, r, http.StatusNotFound, nil)
@@ -79,13 +71,13 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -104,7 +96,7 @@ func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Req
 
 	detectId := chi.URLParam(r, "id")
 
-	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	detect, err := h.server.Detectionstore.GetDetection(ctx, detectId)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -119,7 +111,7 @@ func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Req
 	detect.IsReporting = false
 	detect.IsCommunity = false
 
-	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -139,13 +131,13 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	detect, err = h.server.Casestore.UpdateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.UpdateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusNotFound, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -164,13 +156,13 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 
 	id := chi.URLParam(r, "id")
 
-	old, err := h.server.Casestore.DeleteDetection(ctx, id)
+	old, err := h.server.Detectionstore.DeleteDetection(ctx, id)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{old})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -210,7 +202,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	modified := []*model.Detection{}
 
 	for id := range IDs {
-		det, mod, err := h.server.Casestore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		det, mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
 		if err != nil {
 			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 			continue
@@ -222,7 +214,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	if len(modified) != 0 {
-		addErrMap, err := SyncDetections(ctx, h.server.Configstore, modified)
+		addErrMap, err := SyncDetections(ctx, h.server, modified)
 		if err != nil {
 			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
@@ -242,7 +234,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (errMap map[string]string, err error) {
+func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -254,222 +246,17 @@ func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*mod
 		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
 	}
 
-	if len(byEngine[model.EngineNameSuricata]) > 0 {
-		errMap, err = syncSuricata(ctx, cfgStore, byEngine[model.EngineNameSuricata])
-		if err != nil {
-			return errMap, err
-		}
-	}
-
-	return errMap, nil
-}
-
-func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (map[string]string, error) {
-	allSettings, err := cfgStore.GetSettings(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	local := settingByID(allSettings, "idstools.rules.local__rules")
-	if local == nil {
-		return nil, fmt.Errorf("unable to find local rules setting")
-	}
-
-	enabled := settingByID(allSettings, "idstools.sids.enabled")
-	if enabled == nil {
-		return nil, fmt.Errorf("unable to find enabled setting")
-	}
-
-	disabled := settingByID(allSettings, "idstools.sids.disabled")
-	if disabled == nil {
-		return nil, fmt.Errorf("unable to find disabled setting")
-	}
-
-	modify := settingByID(allSettings, "idstools.sids.modify")
-	if modify == nil {
-		return nil, fmt.Errorf("unable to find modify setting")
-	}
-
-	localLines := strings.Split(local.Value, "\n")
-	enabledLines := strings.Split(enabled.Value, "\n")
-	disabledLines := strings.Split(disabled.Value, "\n")
-	modifyLines := strings.Split(modify.Value, "\n")
-
-	localIndex := indexLocal(localLines)
-	enabledIndex := indexEnabled(enabledLines)
-	disabledIndex := indexEnabled(disabledLines)
-	modifyIndex := indexModify(modifyLines)
-
-	errMap := map[string]string{} // map[sid]error
-
-	for _, detect := range detections {
-		parsedRule, err := syntax.ParseSuricataRule(detect.Content)
-		if err != nil {
-			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
-			continue
-		}
-
-		opt, ok := parsedRule.GetOption("sid")
-		if !ok || opt == nil {
-			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
-			continue
-		}
-
-		sid := *opt
-		_, isFlowbits := parsedRule.GetOption("flowbits")
-
-		lineNum, inLocal := localIndex[sid]
-		if !inLocal {
-			localLines = append(localLines, detect.Content)
-			lineNum = len(localLines) - 1
-			localIndex[sid] = lineNum
-		} else {
-			localLines[lineNum] = detect.Content
-		}
-
-		lineNum, inEnabled := enabledIndex[sid]
-		if !inEnabled {
-			line := detect.PublicID
-			if !detect.IsEnabled && !isFlowbits {
-				line = "# " + line
+	for name, engine := range srv.DetectionEngines {
+		if len(byEngine[name]) != 0 {
+			eMap, err := engine.SyncDetections(ctx, byEngine[name])
+			for sid, e := range eMap {
+				errMap[sid] = e
 			}
-
-			enabledLines = append(enabledLines, line)
-			lineNum = len(enabledLines) - 1
-			enabledIndex[sid] = lineNum
-		} else {
-			line := detect.PublicID
-			if !detect.IsEnabled && !isFlowbits {
-				line = "# " + line
+			if err != nil {
+				return errMap, err
 			}
-
-			enabledLines[lineNum] = line
 		}
-
-		if !isFlowbits {
-			lineNum, inDisabled := disabledIndex[sid]
-			if !inDisabled {
-				line := detect.PublicID
-				if detect.IsEnabled {
-					line = "# " + line
-				}
-
-				disabledLines = append(disabledLines, line)
-				lineNum = len(disabledLines) - 1
-				disabledIndex[sid] = lineNum
-			} else {
-				line := detect.PublicID
-				if detect.IsEnabled {
-					line = "# " + line
-				}
-
-				disabledLines[lineNum] = line
-			}
-		}
-
-		if isFlowbits {
-			lineNum, inModify := modifyIndex[sid]
-			if !inModify && !detect.IsEnabled {
-				// not in the modify file, but should be
-				line := fmt.Sprintf("%s %s", detect.PublicID, suricataModifyFromTo)
-				modifyLines = append(modifyLines, line)
-				lineNum = len(modifyLines) - 1
-				modifyIndex[sid] = lineNum
-			} else if inModify && detect.IsEnabled {
-				// in modify, but shouldn't be
-				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
-				delete(modifyIndex, sid)
-			}
-		}
-	}
-
-	local.Value = strings.Join(localLines, "\n")
-	enabled.Value = strings.Join(enabledLines, "\n")
-	disabled.Value = strings.Join(disabledLines, "\n")
-	modify.Value = strings.Join(modifyLines, "\n")
-
-	err = cfgStore.UpdateSetting(ctx, local, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, enabled, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, disabled, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, modify, false)
-	if err != nil {
-		return errMap, err
 	}
 
 	return errMap, nil
 }
-
-func settingByID(all []*model.Setting, id string) *model.Setting {
-	found, ok := lo.Find(all, func(s *model.Setting) bool {
-		return s.Id == id
-	})
-	if !ok {
-		return nil
-	}
-
-	return found
-}
-
-func extractSID(rule string) *string {
-	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
-	if len(sids) != 1 { // 1 match = 1 sid
-		return nil
-	}
-
-	return util.Ptr(strings.TrimSpace(sids[0][1]))
-}
-
-func indexLocal(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		sid := extractSID(line)
-		if sid == nil {
-			continue
-		}
-
-		index[*sid] = i
-	}
-
-	return index
-}
-
-func indexEnabled(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-		if line != "" {
-			index[line] = i
-		}
-	}
-
-	return index
-}
-
-func indexModify(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-
-		if strings.HasSuffix(line, suricataModifyFromTo) {
-			parts := strings.SplitN(line, " ", 2)
-			index[parts[0]] = i
-		}
-	}
-
-	return index
-}
diff --git a/server/detectionstore.go b/server/detectionstore.go
new file mode 100644
index 000000000..726e41823
--- /dev/null
+++ b/server/detectionstore.go
@@ -0,0 +1,21 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package server
+
+import (
+	"context"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type Detectionstore interface {
+	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
+	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index 3d7604f31..974478ef0 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -72,7 +72,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detections.GroupFetchLimit = 50
 		detections.MostRecentlyUsedLimit = 5
 		detections.SafeStringMaxLength = 100
-		detections.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+		detections.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:detection"
 		detections.EventFields = map[string][]string{
 			"default": {
 				"so_detection.title",
@@ -113,7 +113,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		playbooks.EventItemsPerPage = 50
 		playbooks.GroupFetchLimit = 50
 		playbooks.MostRecentlyUsedLimit = 5
-		playbooks.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+		playbooks.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:playbook"
 		playbooks.SafeStringMaxLength = 100
 		playbooks.Queries = []*config.HuntingQuery{
 			{Query: "*"},
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index d9f16b60a..f3f9ce36b 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -28,6 +28,10 @@ const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
 const DEFAULT_MAX_LOG_LENGTH = 1024
 const DEFAULT_CASE_SCHEMA_PREFIX = "so_"
+const DEFAULT_DETECTION_INDEX = "*:so-detection"
+const DEFAULT_DETECTION_AUDIT_INDEX = "*:so-detectionhistory"
+const DEFAULT_DETECTION_ASSOCIATIONS_MAX = 1000
+const DEFAULT_DETECTION_SCHEMA_PREFIX = "so_"
 
 type Elastic struct {
 	config module.ModuleConfig
@@ -67,6 +71,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 	intervals := module.GetIntDefault(cfg, "intervals", DEFAULT_INTERVALS)
 	maxLogLength := module.GetIntDefault(cfg, "maxLogLength", DEFAULT_MAX_LOG_LENGTH)
 	casesEnabled := module.GetBoolDefault(cfg, "casesEnabled", true)
+	detectionsEnabled := module.GetBoolDefault(cfg, "detectionsEnabled", true)
 	err := elastic.store.Init(host, remoteHosts, username, password, verifyCert, timeShiftMs, defaultDurationMs,
 		esSearchOffsetMs, timeoutMs, cacheMs, index, asyncThreshold, intervals, maxLogLength)
 	if err == nil && elastic.server != nil {
@@ -80,12 +85,29 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				maxCaseAssociations := module.GetIntDefault(cfg, "maxCaseAssociations", DEFAULT_CASE_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_CASE_SCHEMA_PREFIX)
 				casestore := NewElasticCasestore(elastic.server)
+
 				err = casestore.Init(caseIndex, auditIndex, maxCaseAssociations, schemaPrefix, commonObservables)
 				if err == nil {
 					elastic.server.Casestore = casestore
 				}
 			}
 		}
+		if detectionsEnabled {
+			if elastic.server.Detectionstore != nil {
+				err = errors.New("Multiple detection modules cannot be enabled concurrently")
+			} else {
+				detIndex := module.GetStringDefault(cfg, "detectionIndex", DEFAULT_DETECTION_INDEX)
+				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
+				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
+				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
+				detstore := NewElasticDetectionstore(elastic.server)
+
+				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
+				if err == nil {
+					elastic.server.Detectionstore = detstore
+				}
+			}
+		}
 	}
 
 	licensing.ValidateDataUrl(host)
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 651f2fe0a..5eeaf0d42 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -13,7 +13,6 @@ import (
 	"regexp"
 	"sort"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/apex/log"
@@ -274,50 +273,6 @@ func (store *ElasticCasestore) validateArtifactStream(artifactstream *model.Arti
 	return err
 }
 
-func (store *ElasticCasestore) validateDetection(detect *model.Detection) error {
-	var err error
-
-	if err == nil && detect.Id != "" {
-		err = store.validateId(detect.Id, "onionId")
-	}
-
-	if err == nil && detect.PublicID != "" {
-		err = store.validateId(detect.PublicID, "publicId")
-	}
-
-	if err == nil && detect.Title != "" {
-		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
-	}
-
-	if err == nil && detect.Severity != "" {
-		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
-	}
-
-	if err == nil && detect.Author != "" {
-		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
-	}
-
-	if err == nil && detect.Description != "" {
-		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
-	}
-
-	if err == nil && detect.Content != "" {
-		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
-	}
-
-	if err == nil && detect.Note != "" {
-		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
-	}
-
-	if err == nil {
-		_, okEngine := model.EnginesByName[detect.Engine]
-		if !okEngine {
-			err = errors.New("invalid engine")
-		}
-	}
-	return err
-}
-
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
 	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -945,121 +900,3 @@ func (store *ElasticCasestore) ExtractCommonObservables(ctx context.Context, eve
 	}
 	return nil
 }
-
-func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	var err error
-
-	err = store.validateDetection(detect)
-	if err != nil {
-		return nil, err
-	}
-
-	if detect.Id != "" {
-		return nil, errors.New("Unexpected ID found in new comment")
-	}
-
-	now := time.Now()
-	detect.CreateTime = &now
-	var results *model.EventIndexResults
-	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-	if err == nil {
-		// Read object back to get new modify date, etc
-		detect, err = store.GetDetection(ctx, results.DocumentId)
-	}
-
-	return detect, err
-}
-
-func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
-	err = store.validateId(detectId, "detectId")
-	if err != nil {
-		return nil, err
-	}
-
-	obj, err := store.get(ctx, detectId, "detection")
-	if err == nil && obj != nil {
-		detect = obj.(*model.Detection)
-	}
-
-	return detect, err
-}
-
-func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	err := store.validateDetection(detect)
-	if err != nil {
-		return nil, err
-	}
-
-	if detect.Id == "" {
-		err = errors.New("Missing detection onion ID")
-		return nil, err
-	}
-
-	var old *model.Detection
-	old, err = store.GetDetection(ctx, detect.Id)
-	if err != nil {
-		return nil, err
-	}
-
-	var results *model.EventIndexResults
-
-	// Preserve read-only fields
-	detect.CreateTime = old.CreateTime
-
-	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-	if err != nil {
-		return nil, err
-	}
-	// Read object back to get new modify date, etc
-	return store.GetDetection(ctx, results.DocumentId)
-}
-
-func (store *ElasticCasestore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
-	var modified bool
-
-	detect, err := store.GetDetection(ctx, id)
-	if err != nil {
-		return nil, false, err
-	}
-
-	switch strings.ToLower(field) {
-	case "isenabled":
-		bVal, ok := value.(bool)
-		if !ok {
-			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
-		}
-
-		if detect.IsEnabled != bVal {
-			detect.IsEnabled = bVal
-			modified = true
-		}
-	}
-
-	err = store.validateDetection(detect)
-	if err != nil {
-		return nil, false, err
-	}
-
-	if modified {
-		var results *model.EventIndexResults
-
-		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-		if err == nil {
-			// Read object back to get new modify date, etc
-			detect, err = store.GetDetection(ctx, results.DocumentId)
-		}
-	}
-
-	return detect, modified, err
-}
-
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
-	detect, err := store.GetDetection(ctx, onionID)
-	if err != nil {
-		return nil, err
-	}
-
-	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-
-	return detect, err
-}
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
new file mode 100644
index 000000000..35f0e6264
--- /dev/null
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -0,0 +1,360 @@
+package elastic
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+)
+
+type ElasticDetectionstore struct {
+	server          *server.Server
+	index           string
+	auditIndex      string
+	maxAssociations int
+	schemaPrefix    string
+}
+
+func NewElasticDetectionstore(srv *server.Server) *ElasticDetectionstore {
+	return &ElasticDetectionstore{
+		server: srv,
+	}
+}
+
+func (store *ElasticDetectionstore) Init(index string, auditIndex string, maxAssociations int, schemaPrefix string) error {
+	store.index = index
+	store.auditIndex = auditIndex
+	store.maxAssociations = maxAssociations
+	store.schemaPrefix = schemaPrefix
+
+	return nil
+}
+
+func (store *ElasticDetectionstore) validateId(id string, label string) error {
+	var err error
+
+	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{5,50}$`).MatchString
+	if !isValidId(id) {
+		err = fmt.Errorf("invalid ID for %s", label)
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) validateString(str string, max int, label string) error {
+	return store.validateStringRequired(str, 0, max, label)
+}
+
+func (store *ElasticDetectionstore) validateStringRequired(str string, min int, max int, label string) error {
+	var err error
+
+	length := len(str)
+	if length > max {
+		err = errors.New(fmt.Sprintf("%s is too long (%d/%d)", label, length, max))
+	} else if length < min {
+		err = errors.New(fmt.Sprintf("%s is too short (%d/%d)", label, length, min))
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) error {
+	var err error
+
+	if err == nil && detect.Id != "" {
+		err = store.validateId(detect.Id, "onionId")
+	}
+
+	if err == nil && detect.PublicID != "" {
+		err = store.validateId(detect.PublicID, "publicId")
+	}
+
+	if err == nil && detect.Title != "" {
+		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+	}
+
+	if err == nil && detect.Severity != "" {
+		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
+	}
+
+	if err == nil && detect.Author != "" {
+		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
+	}
+
+	if err == nil && detect.Description != "" {
+		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
+	}
+
+	if err == nil && detect.Content != "" {
+		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
+	}
+
+	if err == nil && detect.Note != "" {
+		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	}
+
+	if err == nil {
+		_, okEngine := model.EnginesByName[detect.Engine]
+		if !okEngine {
+			err = errors.New("invalid engine")
+		}
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, kind string, id string) (*model.EventIndexResults, error) {
+	var results *model.EventIndexResults
+	var err error
+
+	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+		document[store.schemaPrefix+"kind"] = kind
+
+		results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+		if err == nil {
+			document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
+
+			if id == "" {
+				document[store.schemaPrefix+"operation"] = "create"
+			} else {
+				document[store.schemaPrefix+"operation"] = "update"
+			}
+
+			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+			if err != nil {
+				log.WithFields(log.Fields{
+					"documentId": results.DocumentId,
+					"kind":       kind,
+				}).WithError(err).Error("Object indexed successfully however audit record failed to index")
+			}
+		}
+	}
+
+	return results, err
+}
+
+func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
+	var err error
+
+	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+		err = store.server.Eventstore.Delete(ctx, store.index, id)
+		if err == nil {
+			document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+			document[store.schemaPrefix+AUDIT_DOC_ID] = id
+			document[store.schemaPrefix+"kind"] = kind
+			document[store.schemaPrefix+"operation"] = "delete"
+
+			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+			if err != nil {
+				log.WithFields(log.Fields{
+					"documentId": id,
+					"kind":       kind,
+				}).WithError(err).Error("Object deleted successfully however audit record failed to index")
+			}
+		}
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
+
+	objects, err := store.getAll(ctx, query, 1)
+	if err == nil {
+		if len(objects) > 0 {
+			return objects[0], err
+		}
+
+		err = errors.New("Object not found")
+	}
+
+	return nil, err
+}
+
+func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+	var err error
+	var objects []interface{}
+
+	if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+		criteria := model.NewEventSearchCriteria()
+		format := "2006-01-02 3:04:05 PM"
+
+		var zeroTime time.Time
+
+		zeroTimeStr := zeroTime.Format(format)
+		now := time.Now()
+		endTime := now.Format(format)
+		zone := now.Location().String()
+
+		err = criteria.Populate(query,
+			zeroTimeStr+" - "+endTime, // timeframe range
+			format,                    // timeframe format
+			zone,                      // timezone
+			"0",                       // no metrics
+			strconv.Itoa(max))
+
+		if err == nil {
+			var results *model.EventSearchResults
+
+			results, err = store.server.Eventstore.Search(ctx, criteria)
+			if err == nil {
+				for _, event := range results.Events {
+					var obj interface{}
+
+					obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+					if err == nil {
+						objects = append(objects, obj)
+					} else {
+						log.WithField("event", event).WithError(err).Error("Unable to convert case object")
+					}
+				}
+			}
+		}
+	}
+
+	return objects, err
+}
+
+func (store *ElasticDetectionstore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
+	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
+
+	// Don't waste space by saving the these values which are already part of ES documents
+	id := obj.Id
+	obj.Id = ""
+	obj.UpdateTime = nil
+
+	return id
+}
+
+func (store *ElasticDetectionstore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	var err error
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id != "" {
+		return nil, errors.New("Unexpected ID found in new comment")
+	}
+
+	now := time.Now()
+	detect.CreateTime = &now
+
+	var results *model.EventIndexResults
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err == nil {
+		// Read object back to get new modify date, etc
+		detect, err = store.GetDetection(ctx, results.DocumentId)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticDetectionstore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
+	err = store.validateId(detectId, "detectId")
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := store.get(ctx, detectId, "detection")
+	if err == nil && obj != nil {
+		detect = obj.(*model.Detection)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	err := store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id == "" {
+		err = errors.New("Missing detection onion ID")
+		return nil, err
+	}
+
+	var old *model.Detection
+
+	old, err = store.GetDetection(ctx, detect.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	var results *model.EventIndexResults
+
+	// Preserve read-only fields
+	detect.CreateTime = old.CreateTime
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	if err != nil {
+		return nil, err
+	}
+
+	// Read object back to get new modify date, etc
+	return store.GetDetection(ctx, results.DocumentId)
+}
+
+func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
+	var modified bool
+
+	detect, err := store.GetDetection(ctx, id)
+	if err != nil {
+		return nil, false, err
+	}
+
+	switch strings.ToLower(field) {
+	case "isenabled":
+		bVal, ok := value.(bool)
+		if !ok {
+			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
+		}
+
+		if detect.IsEnabled != bVal {
+			detect.IsEnabled = bVal
+			modified = true
+		}
+	}
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if modified {
+		var results *model.EventIndexResults
+
+		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+		if err == nil {
+			// Read object back to get new modify date, etc
+			detect, err = store.GetDetection(ctx, results.DocumentId)
+		}
+	}
+
+	return detect, modified, err
+}
+
+func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
+	detect, err := store.GetDetection(ctx, onionID)
+	if err != nil {
+		return nil, err
+	}
+
+	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	return detect, err
+}
diff --git a/server/modules/modules.go b/server/modules/modules.go
index 02e2538fb..c766934f8 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -19,6 +19,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/sostatus"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/statickeyauth"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/staticrbac"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/thehive"
 )
 
@@ -35,5 +36,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["statickeyauth"] = statickeyauth.NewStaticKeyAuth(srv)
 	moduleMap["staticrbac"] = staticrbac.NewStaticRbac(srv)
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
+	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
+
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index fae430a34..efb5b0f7e 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -25,6 +25,7 @@ func TestBuildModuleMap(tester *testing.T) {
 	findModule(tester, mm, "sostatus")
 	findModule(tester, mm, "statickeyauth")
 	findModule(tester, mm, "thehive")
+	findModule(tester, mm, "suricataengine")
 }
 
 func findModule(tester *testing.T, mm map[string]module.Module, module string) {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
new file mode 100644
index 000000000..3f5133336
--- /dev/null
+++ b/server/modules/suricata/suricata.go
@@ -0,0 +1,269 @@
+package suricata
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
+
+const modifyFromTo = `"flowbits" "noalert; flowbits"`
+
+type SuricataEngine struct {
+	srv *server.Server
+}
+
+func NewSuricataEngine(srv *server.Server) *SuricataEngine {
+	return &SuricataEngine{
+		srv: srv,
+	}
+}
+
+func (s *SuricataEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (s *SuricataEngine) Init(config module.ModuleConfig) error {
+	return nil
+}
+
+func (s *SuricataEngine) Start() error {
+	s.srv.DetectionEngines[model.EngineNameSuricata] = s
+	return nil
+}
+
+func (s *SuricataEngine) Stop() error {
+	return nil
+}
+
+func (s *SuricataEngine) IsRunning() bool {
+	return false
+}
+
+func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
+	return rule, nil
+}
+
+func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	allSettings, err := s.srv.Configstore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	local := settingByID(allSettings, "idstools.rules.local__rules")
+	if local == nil {
+		return nil, fmt.Errorf("unable to find local rules setting")
+	}
+
+	enabled := settingByID(allSettings, "idstools.sids.enabled")
+	if enabled == nil {
+		return nil, fmt.Errorf("unable to find enabled setting")
+	}
+
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
+	localLines := strings.Split(local.Value, "\n")
+	enabledLines := strings.Split(enabled.Value, "\n")
+	disabledLines := strings.Split(disabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
+
+	localIndex := indexLocal(localLines)
+	enabledIndex := indexEnabled(enabledLines)
+	disabledIndex := indexEnabled(disabledLines)
+	modifyIndex := indexModify(modifyLines)
+
+	errMap = map[string]string{} // map[sid]error
+
+	for _, detect := range detections {
+		parsedRule, err := ParseSuricataRule(detect.Content)
+		if err != nil {
+			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
+			continue
+		}
+
+		opt, ok := parsedRule.GetOption("sid")
+		if !ok || opt == nil {
+			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
+			continue
+		}
+
+		sid := *opt
+		_, isFlowbits := parsedRule.GetOption("flowbits")
+
+		lineNum, inLocal := localIndex[sid]
+		if !inLocal {
+			localLines = append(localLines, detect.Content)
+			lineNum = len(localLines) - 1
+			localIndex[sid] = lineNum
+		} else {
+			localLines[lineNum] = detect.Content
+		}
+
+		lineNum, inEnabled := enabledIndex[sid]
+		if !inEnabled {
+			line := detect.PublicID
+			if !detect.IsEnabled && !isFlowbits {
+				line = "# " + line
+			}
+
+			enabledLines = append(enabledLines, line)
+			lineNum = len(enabledLines) - 1
+			enabledIndex[sid] = lineNum
+		} else {
+			line := detect.PublicID
+			if !detect.IsEnabled && !isFlowbits {
+				line = "# " + line
+			}
+
+			enabledLines[lineNum] = line
+		}
+
+		if !isFlowbits {
+			lineNum, inDisabled := disabledIndex[sid]
+			if !inDisabled {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines = append(disabledLines, line)
+				lineNum = len(disabledLines) - 1
+				disabledIndex[sid] = lineNum
+			} else {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines[lineNum] = line
+			}
+		}
+
+		if isFlowbits {
+			lineNum, inModify := modifyIndex[sid]
+			if !inModify && !detect.IsEnabled {
+				// not in the modify file, but should be
+				line := fmt.Sprintf("%s %s", detect.PublicID, modifyFromTo)
+				modifyLines = append(modifyLines, line)
+				lineNum = len(modifyLines) - 1
+				modifyIndex[sid] = lineNum
+			} else if inModify && detect.IsEnabled {
+				// in modify, but shouldn't be
+				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				delete(modifyIndex, sid)
+			}
+		}
+	}
+
+	local.Value = strings.Join(localLines, "\n")
+	enabled.Value = strings.Join(enabledLines, "\n")
+	disabled.Value = strings.Join(disabledLines, "\n")
+	modify.Value = strings.Join(modifyLines, "\n")
+
+	err = s.srv.Configstore.UpdateSetting(ctx, local, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, enabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, disabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, modify, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	return errMap, nil
+}
+
+func settingByID(all []*model.Setting, id string) *model.Setting {
+	found, ok := lo.Find(all, func(s *model.Setting) bool {
+		return s.Id == id
+	})
+	if !ok {
+		return nil
+	}
+
+	return found
+}
+
+func extractSID(rule string) *string {
+	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
+	if len(sids) != 1 { // 1 match = 1 sid
+		return nil
+	}
+
+	return util.Ptr(strings.TrimSpace(sids[0][1]))
+}
+
+func indexLocal(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		sid := extractSID(line)
+		if sid == nil {
+			continue
+		}
+
+		index[*sid] = i
+	}
+
+	return index
+}
+
+func indexEnabled(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+		if line != "" {
+			index[line] = i
+		}
+	}
+
+	return index
+}
+
+func indexModify(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+
+		if strings.HasSuffix(line, modifyFromTo) {
+			parts := strings.SplitN(line, " ", 2)
+			index[parts[0]] = i
+		}
+	}
+
+	return index
+}
diff --git a/server/detectionhandler_test.go b/server/modules/suricata/suricata_test.go
similarity index 52%
rename from server/detectionhandler_test.go
rename to server/modules/suricata/suricata_test.go
index e1449f03f..7e9cbcdfd 100644
--- a/server/detectionhandler_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -1,15 +1,35 @@
-package server
+package suricata
 
 import (
 	"context"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/util"
-
 	"github.com/stretchr/testify/assert"
 )
 
+func TestSuricataModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewSuricataEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Start()
+	assert.Nil(t, err)
+
+	err = mod.Stop()
+	assert.Nil(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameSuricata])
+}
+
 func TestSettingByID(t *testing.T) {
 	allSettings := []*model.Setting{
 		{Id: "1", Value: "one"},
@@ -167,23 +187,94 @@ func TestIndexModify(t *testing.T) {
 func TestSyncSuricata(t *testing.T) {
 	emptySettings := []*model.Setting{
 		{Id: "idstools.rules.local__rules"},
-		{Id: "idstools.rules.enabled"},
-		{Id: "idstools.rules.disabled"},
-		{Id: "idstools.rules.modify"},
+		{Id: "idstools.sids.enabled"},
+		{Id: "idstools.sids.disabled"},
+		{Id: "idstools.sids.modify"},
 	}
 	table := []struct {
-		Name string
-		InitialSettings []*model.Setting
-		Detections []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
+		Name             string
+		InitialSettings  []*model.Setting
+		Detections       []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
 		ExpectedSettings map[string]string
-		ExpectedErr error
-		ExpectedErrMap map[string]string
+		ExpectedErr      error
+		ExpectedErrMap   map[string]string
 	}{
 		{
-			Name: "Simple Add",
+			Name:            "Enable New Simple Rule",
+			InitialSettings: emptySettings,
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+				"idstools.sids.enabled":       "\n10000",
+				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Disable Existing Simple Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`},
+				{Id: "idstools.sids.enabled", Value: "10000"},
+				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.sids.modify"},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+				"idstools.sids.enabled":       "# 10000",
+				"idstools.sids.disabled":      "10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Enable New Flowbits Rule",
 			InitialSettings: emptySettings,
 			Detections: []*model.Detection{
-				{},
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+				"idstools.sids.enabled":       "\n10000",
+				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Disable Existing Flowbits Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`},
+				{Id: "idstools.sids.enabled", Value: "10000"},
+				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.sids.modify", Value: ""},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+				"idstools.sids.enabled":       "10000",
+				"idstools.sids.disabled":      "# 10000",
+				"idstools.sids.modify":        "\n" + `10000 "flowbits" "noalert; flowbits"`,
 			},
 		},
 	}
@@ -195,9 +286,14 @@ func TestSyncSuricata(t *testing.T) {
 		t.Run(test.Name, func(t *testing.T) {
 			t.Parallel()
 
-			mCfgStore := NewMemConfigStore(test.InitialSettings)
+			mCfgStore := server.NewMemConfigStore(test.InitialSettings)
+			mod := NewSuricataEngine(&server.Server{
+				Configstore:      mCfgStore,
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+			})
+			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
 
-			errMap, err := syncSuricata(ctx, mCfgStore, test.Detections)
+			errMap, err := mod.SyncDetections(ctx, test.Detections)
 
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
@@ -212,4 +308,4 @@ func TestSyncSuricata(t *testing.T) {
 			}
 		})
 	}
-}
\ No newline at end of file
+}
diff --git a/syntax/suricata.go b/server/modules/suricata/validate.go
similarity index 99%
rename from syntax/suricata.go
rename to server/modules/suricata/validate.go
index 90ca8af83..68ca6731d 100644
--- a/syntax/suricata.go
+++ b/server/modules/suricata/validate.go
@@ -1,4 +1,4 @@
-package syntax
+package suricata
 
 import (
 	"fmt"
diff --git a/syntax/suricata_test.go b/server/modules/suricata/validate_test.go
similarity index 99%
rename from syntax/suricata_test.go
rename to server/modules/suricata/validate_test.go
index f9b2d7f0f..261cc8b4f 100644
--- a/syntax/suricata_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -1,4 +1,4 @@
-package syntax
+package suricata
 
 import (
 	"testing"
diff --git a/server/server.go b/server/server.go
index 5080baf4e..4b281b5e5 100644
--- a/server/server.go
+++ b/server/server.go
@@ -33,6 +33,7 @@ type Server struct {
 	Rolestore        Rolestore
 	Eventstore       Eventstore
 	Casestore        Casestore
+	Detectionstore   Detectionstore
 	Configstore      Configstore
 	GridMembersstore GridMembersstore
 	Metrics          Metrics
@@ -40,13 +41,15 @@ type Server struct {
 	Authorizer       rbac.Authorizer
 	Agent            *model.User
 	Context          context.Context
+	DetectionEngines map[model.EngineName]DetectionEngine
 }
 
 func NewServer(cfg *config.ServerConfig, version string) *Server {
 	server := &Server{
-		Config:      cfg,
-		Host:        web.NewHost(cfg.BindAddress, cfg.HtmlDir, cfg.IdleConnectionTimeoutMs, version, cfg.SrvKeyBytes, AGENT_ID),
-		stoppedChan: make(chan bool, 1),
+		Config:           cfg,
+		Host:             web.NewHost(cfg.BindAddress, cfg.HtmlDir, cfg.IdleConnectionTimeoutMs, version, cfg.SrvKeyBytes, AGENT_ID),
+		stoppedChan:      make(chan bool, 1),
+		DetectionEngines: map[model.EngineName]DetectionEngine{},
 	}
 	server.initContext()
 

From a411b0873d2dcff5b58ec72fb90e53ee6589585f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 26 Sep 2023 11:05:49 -0600
Subject: [PATCH 008/102] WIP: Tests

Converted repeated strings to fixtures.

Fleshed out the rest of SyncSuricata's tests.

Added validation tests.
---
 server/modules/suricata/suricata.go      |   7 +-
 server/modules/suricata/suricata_test.go | 260 +++++++++++++++++++----
 server/modules/suricata/validate.go      |   5 +
 3 files changed, 231 insertions(+), 41 deletions(-)

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 3f5133336..b9725882d 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -49,7 +49,12 @@ func (s *SuricataEngine) IsRunning() bool {
 }
 
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
-	return rule, nil
+	parsed, err := ParseSuricataRule(rule)
+	if err != nil {
+		return rule, err
+	}
+
+	return parsed.String(), nil
 }
 
 func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 7e9cbcdfd..0a497f305 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -11,6 +11,24 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+const (
+	SimpleRuleSID    = "10000"
+	SimpleRule       = `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`
+	FlowbitsRuleASID = "50000"
+	FlowbitsRuleA    = `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:50000;)`
+	FlowbitsRuleBSID = "60000"
+	FlowbitsRuleB    = `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`
+)
+
+func emptySettings() []*model.Setting {
+	return []*model.Setting{
+		{Id: "idstools.rules.local__rules"},
+		{Id: "idstools.sids.enabled"},
+		{Id: "idstools.sids.disabled"},
+		{Id: "idstools.sids.modify"},
+	}
+}
+
 func TestSuricataModule(t *testing.T) {
 	srv := &server.Server{
 		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
@@ -20,7 +38,10 @@ func TestSuricataModule(t *testing.T) {
 	assert.Implements(t, (*module.Module)(nil), mod)
 	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
 
-	err := mod.Start()
+	err := mod.Init(nil)
+	assert.Nil(t, err)
+
+	err = mod.Start()
 	assert.Nil(t, err)
 
 	err = mod.Stop()
@@ -85,7 +106,7 @@ func TestExtractSID(t *testing.T) {
 		{Name: "Single-Quoted Empty SID", Input: "sid:'';", Output: util.Ptr("")},
 		{Name: "Double-Quoted Empty SID", Input: `sid: "";`, Output: util.Ptr("")},
 		{Name: "Multiple SIDs", Input: "sid: 10000; sid: 10001;", Output: nil},
-		{Name: "Sample Rule", Input: `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`, Output: util.Ptr("60000")},
+		{Name: "Sample Rule", Input: SimpleRule, Output: util.Ptr(SimpleRuleSID)},
 	}
 
 	for _, test := range table {
@@ -184,13 +205,66 @@ func TestIndexModify(t *testing.T) {
 	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
 }
 
-func TestSyncSuricata(t *testing.T) {
-	emptySettings := []*model.Setting{
-		{Id: "idstools.rules.local__rules"},
-		{Id: "idstools.sids.enabled"},
-		{Id: "idstools.sids.disabled"},
-		{Id: "idstools.sids.modify"},
+func TestValidate(t *testing.T) {
+	table := []struct {
+		Name        string
+		Input       string
+		ExpectedErr *string
+	}{
+		{
+			Name:  "Valid Rule",
+			Input: SimpleRule,
+		},
+		{
+			Name:  "Valid Rule with Flowbits",
+			Input: FlowbitsRuleA,
+		},
+		{
+			Name:  "Valid Rule with Escaped Quotes",
+			Input: `alert http any any -> any any (msg:"This rule has \"escaped quotes\"";)`,
+		},
+		{
+			Name:        "Invalid Direction",
+			Input:       `alert http any any <-> any any (msg:"This rule has an invalid direction";)`,
+			ExpectedErr: util.Ptr("invalid direction, must be '<>' or '->', got <->"),
+		},
+		{
+			Name:        "Unexpected Suffix",
+			Input:       SimpleRule + "x",
+			ExpectedErr: util.Ptr("invalid rule, expected end of rule, got 1 more bytes"),
+		},
+		{
+			Name:        "Unexpected End of Rule",
+			Input:       "x",
+			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			mod := NewSuricataEngine(&server.Server{})
+
+			_, err := mod.ValidateRule(test.Input)
+			if test.ExpectedErr == nil {
+				assert.NoError(t, err)
+
+				// this rule seems valid, attempt to parse, serialize, re-parse
+				parsed, err := ParseSuricataRule(test.Input)
+				assert.NoError(t, err)
+
+				_, err = ParseSuricataRule(parsed.String())
+				assert.NoError(t, err)
+			} else {
+				assert.Equal(t, *test.ExpectedErr, err.Error())
+			}
+		})
 	}
+}
+
+func TestSyncSuricata(t *testing.T) {
 	table := []struct {
 		Name             string
 		InitialSettings  []*model.Setting
@@ -201,80 +275,186 @@ func TestSyncSuricata(t *testing.T) {
 	}{
 		{
 			Name:            "Enable New Simple Rule",
-			InitialSettings: emptySettings,
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + SimpleRule,
+				"idstools.sids.enabled":       "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":      "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Disable New Simple Rule",
+			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + SimpleRule,
+				"idstools.sids.enabled":       "\n# " + SimpleRuleSID,
+				"idstools.sids.disabled":      "\n" + SimpleRuleSID,
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Enable Existing Simple Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled", Value: "# " + SimpleRuleSID},
+				{Id: "idstools.sids.disabled", Value: SimpleRuleSID},
+				{Id: "idstools.sids.modify"},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
 					IsEnabled: true,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
-				"idstools.sids.enabled":       "\n10000",
-				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.rules.local__rules": SimpleRule,
+				"idstools.sids.enabled":       SimpleRuleSID,
+				"idstools.sids.disabled":      "# " + SimpleRuleSID,
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name: "Disable Existing Simple Rule",
 			InitialSettings: []*model.Setting{
-				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`},
-				{Id: "idstools.sids.enabled", Value: "10000"},
-				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled", Value: SimpleRuleSID},
+				{Id: "idstools.sids.disabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
 			},
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
 					IsEnabled: false,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
-				"idstools.sids.enabled":       "# 10000",
-				"idstools.sids.disabled":      "10000",
+				"idstools.rules.local__rules": SimpleRule,
+				"idstools.sids.enabled":       "# " + SimpleRuleSID,
+				"idstools.sids.disabled":      SimpleRuleSID,
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name:            "Enable New Flowbits Rule",
-			InitialSettings: emptySettings,
+			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					PublicID:  FlowbitsRuleASID,
+					Content:   FlowbitsRuleA,
 					IsEnabled: true,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
-				"idstools.sids.enabled":       "\n10000",
-				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":      "",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Disable New Flowbits Rule",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  FlowbitsRuleASID,
+					Content:   FlowbitsRuleA,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":      "",
+				"idstools.sids.modify":        "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+			},
+		},
+		{
+			Name: "Enable Existing Flowbits Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: FlowbitsRuleB},
+				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
+				{Id: "idstools.sids.disabled", Value: ""},
+				{Id: "idstools.sids.modify", Value: FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  FlowbitsRuleBSID,
+					Content:   FlowbitsRuleB,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": FlowbitsRuleB,
+				"idstools.sids.enabled":       FlowbitsRuleBSID,
+				"idstools.sids.disabled":      "",
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name: "Disable Existing Flowbits Rule",
 			InitialSettings: []*model.Setting{
-				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`},
-				{Id: "idstools.sids.enabled", Value: "10000"},
-				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.rules.local__rules", Value: FlowbitsRuleB},
+				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
+				{Id: "idstools.sids.disabled", Value: "# " + FlowbitsRuleBSID},
 				{Id: "idstools.sids.modify", Value: ""},
 			},
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					PublicID:  FlowbitsRuleBSID,
+					Content:   FlowbitsRuleB,
 					IsEnabled: false,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
-				"idstools.sids.enabled":       "10000",
-				"idstools.sids.disabled":      "# 10000",
-				"idstools.sids.modify":        "\n" + `10000 "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules": FlowbitsRuleB,
+				"idstools.sids.enabled":       FlowbitsRuleBSID,
+				"idstools.sids.disabled":      "# " + FlowbitsRuleBSID,
+				"idstools.sids.modify":        "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+			},
+		},
+		{
+			Name:            "Completely Invalid Rule",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  "0",
+					Content:   "x",
+					IsEnabled: true,
+				},
+			},
+			ExpectedErrMap: map[string]string{
+				"0": "unable to parse rule; reason=invalid rule, unexpected end of rule",
+			},
+		},
+		{
+			Name:            "Rule Missing SID",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  "0",
+					Content:   `alert http any any -> any any (msg:"This rule doesn't have a SID";)`, // missing closing paren
+					IsEnabled: true,
+				},
+			},
+			ExpectedErrMap: map[string]string{
+				"0": `rule does not contain a SID; rule=alert http any any -> any any (msg:"This rule doesn't have a SID";)`,
 			},
 		},
 	}
@@ -299,12 +479,12 @@ func TestSyncSuricata(t *testing.T) {
 			assert.Equal(t, test.ExpectedErrMap, errMap)
 
 			set, err := mCfgStore.GetSettings(ctx)
-			assert.NoError(t, err)
+			assert.NoError(t, err, "GetSettings should not return an error")
 
 			for id, expectedValue := range test.ExpectedSettings {
 				setting := settingByID(set, id)
-				assert.NotNil(t, setting)
-				assert.Equal(t, expectedValue, setting.Value)
+				assert.NotNil(t, setting, "Setting %s", id)
+				assert.Equal(t, expectedValue, setting.Value, "Setting %s", id)
 			}
 		})
 	}
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 68ca6731d..aac0d6c66 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -129,6 +129,11 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 		}
 	}
 
+	if curState != stateOptions || len(strings.TrimSpace(buf.String())) != 0 {
+		// We're unexpectedly done parsing the rule.
+		return nil, fmt.Errorf("invalid rule, unexpected end of rule")
+	}
+
 	return out, nil
 }
 

From ea0e6f5b6a9d6c9266b0e0b95eea637d21804006 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Sep 2023 09:18:19 -0600
Subject: [PATCH 009/102] WIP: Sync Community Detections

Removed permission checks left over from creating ElasticDetectionstore from ElasticCasestore.

Jerry rigged the config to always have a `suricataengine` module section so I don't have to fight salt.

Expanded on detection severity types.

Expanded the DetectionEngine interface to support how we're importing community rules.

First pass at a SyncCommunityRules.

Solved some issues around ParseSuricataRule and whitespace.
---
 config/config.go                              |   3 +
 model/detection.go                            |   8 +-
 server/detectionengine.go                     |   4 +-
 server/detectionhandler.go                    |  58 ++++++-
 server/detectionstore.go                      |   1 +
 .../modules/elastic/elasticdetectionstore.go  | 136 +++++++++-------
 server/modules/suricata/suricata.go           | 154 +++++++++++++++++-
 server/modules/suricata/suricata_test.go      |  69 +++++++-
 server/modules/suricata/validate.go           |  50 +++++-
 server/modules/suricata/validate_test.go      |   2 +-
 10 files changed, 402 insertions(+), 83 deletions(-)

diff --git a/config/config.go b/config/config.go
index c0cd1ff18..75ce93534 100644
--- a/config/config.go
+++ b/config/config.go
@@ -44,5 +44,8 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 			err = cfg.Server.Verify()
 		}
 	}
+
+	cfg.Server.Modules["suricataengine"] = map[string]interface{}{} // TODO: remove when put in config file
+
 	return cfg, err
 }
diff --git a/model/detection.go b/model/detection.go
index 8d3f8c912..4edc9a953 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -23,9 +23,11 @@ const (
 	SigLangYara     SigLanguage = "yara"
 	SigLangZeek     SigLanguage = "zeek"
 
-	SeverityLow    Severity = "low"
-	SeverityMedium Severity = "medium"
-	SeverityHigh   Severity = "high"
+	SeverityUnknown       Severity = "unknown"
+	SeverityInformational Severity = "informational"
+	SeverityMinor         Severity = "minor"
+	SeverityMajor         Severity = "major"
+	SeverityCritical      Severity = "critical"
 
 	IDTypeUUID IDType = "uuid"
 	IDTypeSID  IDType = "sid"
diff --git a/server/detectionengine.go b/server/detectionengine.go
index 09d430e1b..63bcf88b8 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -8,5 +8,7 @@ import (
 
 type DetectionEngine interface {
 	ValidateRule(rule string) (string, error)
-	SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+	ParseRules(content string) ([]*model.Detection, error)
+	SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+	SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 4462b3c8c..c3313f1d7 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -9,6 +9,7 @@ package server
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
@@ -38,6 +39,7 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Delete("/{id}", h.deleteDetection)
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
+		r.Post("/sync/{engine}", h.syncCommunityDetections)
 	})
 }
 
@@ -77,7 +79,7 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -137,7 +139,7 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -162,7 +164,7 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{old})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -214,7 +216,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	if len(modified) != 0 {
-		addErrMap, err := SyncDetections(ctx, h.server, modified)
+		addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
 		if err != nil {
 			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
@@ -234,7 +236,51 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
+func (h *DetectionHandler) syncCommunityDetections(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	engineParam := chi.URLParam(r, "engine")
+
+	engine, ok := h.server.DetectionEngines[model.EngineName(engineParam)]
+	if !ok {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid engine"))
+		return
+	}
+
+	err := r.ParseMultipartForm(int64(h.server.Config.MaxUploadSizeBytes))
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	file, _, err := r.FormFile("file")
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	content, err := io.ReadAll(file)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detections, err := engine.ParseRules(string(content))
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	errMap, err := engine.SyncCommunityDetections(ctx, detections)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, errMap)
+}
+
+func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -248,7 +294,7 @@ func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detect
 
 	for name, engine := range srv.DetectionEngines {
 		if len(byEngine[name]) != 0 {
-			eMap, err := engine.SyncDetections(ctx, byEngine[name])
+			eMap, err := engine.SyncLocalDetections(ctx, byEngine[name])
 			for sid, e := range eMap {
 				errMap[sid] = e
 			}
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 726e41823..de8b5f8fc 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,4 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
+	GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) // map[detection.PublicId]detection.Id
 }
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 35f0e6264..34383adc6 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -115,29 +115,29 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 	var results *model.EventIndexResults
 	var err error
 
-	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
-		document[store.schemaPrefix+"kind"] = kind
+	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+	document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+	document[store.schemaPrefix+"kind"] = kind
 
-		results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
-		if err == nil {
-			document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
+	results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+	if err == nil {
+		document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
 
-			if id == "" {
-				document[store.schemaPrefix+"operation"] = "create"
-			} else {
-				document[store.schemaPrefix+"operation"] = "update"
-			}
+		if id == "" {
+			document[store.schemaPrefix+"operation"] = "create"
+		} else {
+			document[store.schemaPrefix+"operation"] = "update"
+		}
 
-			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
-			if err != nil {
-				log.WithFields(log.Fields{
-					"documentId": results.DocumentId,
-					"kind":       kind,
-				}).WithError(err).Error("Object indexed successfully however audit record failed to index")
-			}
+		_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+		if err != nil {
+			log.WithFields(log.Fields{
+				"documentId": results.DocumentId,
+				"kind":       kind,
+			}).WithError(err).Error("Object indexed successfully however audit record failed to index")
 		}
 	}
+	// }
 
 	return results, err
 }
@@ -145,23 +145,23 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
 	var err error
 
-	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-		err = store.server.Eventstore.Delete(ctx, store.index, id)
-		if err == nil {
-			document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
-			document[store.schemaPrefix+AUDIT_DOC_ID] = id
-			document[store.schemaPrefix+"kind"] = kind
-			document[store.schemaPrefix+"operation"] = "delete"
-
-			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
-			if err != nil {
-				log.WithFields(log.Fields{
-					"documentId": id,
-					"kind":       kind,
-				}).WithError(err).Error("Object deleted successfully however audit record failed to index")
-			}
+	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+	err = store.server.Eventstore.Delete(ctx, store.index, id)
+	if err == nil {
+		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+		document[store.schemaPrefix+AUDIT_DOC_ID] = id
+		document[store.schemaPrefix+"kind"] = kind
+		document[store.schemaPrefix+"operation"] = "delete"
+
+		_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+		if err != nil {
+			log.WithFields(log.Fields{
+				"documentId": id,
+				"kind":       kind,
+			}).WithError(err).Error("Object deleted successfully however audit record failed to index")
 		}
 	}
+	// }
 
 	return err
 }
@@ -185,42 +185,42 @@ func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, ma
 	var err error
 	var objects []interface{}
 
-	if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
-		criteria := model.NewEventSearchCriteria()
-		format := "2006-01-02 3:04:05 PM"
+	// if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+	criteria := model.NewEventSearchCriteria()
+	format := "2006-01-02 3:04:05 PM"
 
-		var zeroTime time.Time
+	var zeroTime time.Time
 
-		zeroTimeStr := zeroTime.Format(format)
-		now := time.Now()
-		endTime := now.Format(format)
-		zone := now.Location().String()
+	zeroTimeStr := zeroTime.Format(format)
+	now := time.Now()
+	endTime := now.Format(format)
+	zone := now.Location().String()
+
+	err = criteria.Populate(query,
+		zeroTimeStr+" - "+endTime, // timeframe range
+		format,                    // timeframe format
+		zone,                      // timezone
+		"0",                       // no metrics
+		strconv.Itoa(max))
 
-		err = criteria.Populate(query,
-			zeroTimeStr+" - "+endTime, // timeframe range
-			format,                    // timeframe format
-			zone,                      // timezone
-			"0",                       // no metrics
-			strconv.Itoa(max))
+	if err == nil {
+		var results *model.EventSearchResults
 
+		results, err = store.server.Eventstore.Search(ctx, criteria)
 		if err == nil {
-			var results *model.EventSearchResults
-
-			results, err = store.server.Eventstore.Search(ctx, criteria)
-			if err == nil {
-				for _, event := range results.Events {
-					var obj interface{}
-
-					obj, err = convertElasticEventToObject(event, store.schemaPrefix)
-					if err == nil {
-						objects = append(objects, obj)
-					} else {
-						log.WithField("event", event).WithError(err).Error("Unable to convert case object")
-					}
+			for _, event := range results.Events {
+				var obj interface{}
+
+				obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+				if err == nil {
+					objects = append(objects, obj)
+				} else {
+					log.WithField("event", event).WithError(err).Error("Unable to convert case object")
 				}
 			}
 		}
 	}
+	// }
 
 	return objects, err
 }
@@ -358,3 +358,19 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 
 	return detect, err
 }
+
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
+	// TODO: 10000? Is that enough?
+	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), 10000)
+	if err != nil {
+		return nil, err
+	}
+
+	sids := map[string]string{}
+	for _, det := range all {
+		detection := det.(*model.Detection)
+		sids[detection.PublicID] = detection.Id
+	}
+
+	return sids, nil
+}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index b9725882d..6c8705c82 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
 
+	"github.com/apex/log"
 	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
@@ -57,7 +59,92 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+func (s *SuricataEngine) ParseRules(content string) ([]*model.Detection, error) {
+	// expecting one rule per line
+	lines := strings.Split(content, "\n")
+	dets := []*model.Detection{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(line, "#") {
+			// empty or commented line, ignore
+			continue
+		}
+
+		line, err := s.ValidateRule(line)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse line %d: %w", i+1, err)
+		}
+
+		parsed, err := ParseSuricataRule(line)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse line %d: %w", i+1, err)
+		}
+
+		// extract details
+		sidOpt, ok := parsed.GetOption("sid")
+		if !ok || sidOpt == nil || len(*sidOpt) == 0 {
+			return nil, fmt.Errorf("unable to parse line %d: rule does not contain a SID", i+1)
+		}
+
+		sid, err := strconv.Unquote(*sidOpt)
+		if err != nil {
+			sid = *sidOpt
+		}
+
+		msg := sid
+
+		msgOpt, ok := parsed.GetOption("msg")
+		if ok && msgOpt != nil && len(*msgOpt) != 0 {
+			msg = *msgOpt
+		}
+
+		msg = strings.ReplaceAll(msg, `\;`, `;`)
+
+		title, err := strconv.Unquote(msg)
+		if err != nil {
+			title = msg
+		}
+
+		title = strings.ReplaceAll(title, `\"`, `"`)
+		title = strings.ReplaceAll(title, `\\`, `\`)
+
+		severity := model.SeverityUnknown // TODO: Default severity?
+
+		md := parsed.ParseMetaData()
+		if md != nil {
+			sigsev, ok := lo.Find(md, func(m *MetaData) bool {
+				return strings.EqualFold(m.Key, "signature_severity")
+			})
+			if ok {
+				switch strings.ToUpper(sigsev.Value) {
+				case "INFORMATIONAL":
+					severity = model.SeverityInformational
+				case "MINOR":
+					severity = model.SeverityMinor
+				case "MAJOR":
+					severity = model.SeverityMajor
+				case "CRITICAL":
+					severity = model.SeverityCritical
+				}
+			}
+		}
+
+		dets = append(dets, &model.Detection{
+			PublicID:    sid,
+			Title:       title,
+			Severity:    severity,
+			Content:     line,
+			IsEnabled:   true, // is this true?
+			IsCommunity: true,
+			Engine:      model.EngineNameSuricata,
+		})
+	}
+
+	return dets, nil
+}
+
+func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -210,6 +297,71 @@ func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model
 	return errMap, nil
 }
 
+func (s *SuricataEngine) SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+	errMap = map[string]string{}
+
+	results := struct {
+		Added   int
+		Updated int
+		Removed int
+	}{}
+
+	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	toDelete := map[string]struct{}{}
+	for sid := range commSIDs {
+		toDelete[sid] = struct{}{}
+	}
+
+	for _, detect := range detections {
+		id, exists := commSIDs[detect.PublicID]
+		if exists {
+			detect.Id = id
+
+			_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
+			if err != nil {
+				errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			} else {
+				results.Updated++
+				delete(toDelete, detect.PublicID)
+			}
+		} else {
+			_, err = s.srv.Detectionstore.CreateDetection(ctx, detect)
+			if err != nil {
+				errMap[detect.PublicID] = fmt.Sprintf("unable to create detection; reason=%s", err.Error())
+			} else {
+				results.Added++
+			}
+		}
+	}
+
+	for sid := range toDelete {
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, sid)
+		if err != nil {
+			errMap[sid] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+		} else {
+			results.Removed++
+		}
+	}
+
+	log.WithFields(log.Fields{
+		"added":   results.Added,
+		"updated": results.Updated,
+		"removed": results.Removed,
+		"errors":  errMap,
+	}).Info("Suricata community detections synced")
+
+	return errMap, nil
+}
+
 func settingByID(all []*model.Setting, id string) *model.Setting {
 	found, ok := lo.Find(all, func(s *model.Setting) bool {
 		return s.Id == id
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 0a497f305..215adc34a 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -2,6 +2,7 @@ package suricata
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -39,13 +40,13 @@ func TestSuricataModule(t *testing.T) {
 	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
 
 	err := mod.Init(nil)
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	err = mod.Start()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	err = mod.Stop()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	assert.Equal(t, 1, len(srv.DetectionEngines))
 	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameSuricata])
@@ -264,6 +265,66 @@ func TestValidate(t *testing.T) {
 	}
 }
 
+func TestParse(t *testing.T) {
+	table := []struct {
+		Name               string
+		Lines              []string
+		ExpectedDetections []*model.Detection
+		ExpectedError      *string
+	}{
+		{
+			Name: "Sunny Day Path w/ Edge Cases",
+			Lines: []string{
+				"# Comment",
+				SimpleRule,
+				"",
+				` alert  http any any  <>   any any (metadata:signature_severity   Informational; sid: "20000"; msg:"a \"tricky\"\;\\ msg";)`,
+				" # " + FlowbitsRuleA,
+			},
+			ExpectedDetections: []*model.Detection{
+				{
+					PublicID:    SimpleRuleSID,
+					Title:       `GPL ATTACK_RESPONSE id check returned root`,
+					Severity:    model.SeverityUnknown,
+					Content:     SimpleRule,
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+				},
+				{
+					PublicID:    "20000",
+					Title:       `a "tricky";\ msg`,
+					Severity:    model.SeverityInformational,
+					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+				},
+			},
+		},
+	}
+
+	mod := NewSuricataEngine(&server.Server{})
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			data := strings.Join(test.Lines, "\n")
+
+			detections, err := mod.ParseRules(data)
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+				assert.Equal(t, test.ExpectedDetections, detections)
+			} else {
+				assert.Equal(t, *test.ExpectedError, err.Error())
+				assert.Empty(t, detections)
+			}
+		})
+	}
+}
+
 func TestSyncSuricata(t *testing.T) {
 	table := []struct {
 		Name             string
@@ -473,7 +534,7 @@ func TestSyncSuricata(t *testing.T) {
 			})
 			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
 
-			errMap, err := mod.SyncDetections(ctx, test.Detections)
+			errMap, err := mod.SyncLocalDetections(ctx, test.Detections)
 
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index aac0d6c66..8f9d1b89f 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -3,7 +3,9 @@ package suricata
 import (
 	"fmt"
 	"strings"
+	"unicode"
 
+	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 )
 
@@ -21,6 +23,11 @@ type RuleOption struct {
 	Value *string
 }
 
+type MetaData struct {
+	Key string
+	Value string
+}
+
 type state int
 
 const (
@@ -49,19 +56,19 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 
 		switch curState {
 		case stateAction:
-			if ch == ' ' {
+			if ch == ' ' && buf.Len() != 0 {
 				out.Action = strings.TrimSpace(buf.String())
 				buf.Reset()
 				curState = stateProtocol
-			} else {
+			} else if !unicode.IsSpace(ch) {
 				buf.WriteRune(ch)
 			}
 		case stateProtocol:
-			if ch == ' ' {
+			if ch == ' ' && buf.Len() != 0 {
 				out.Protocol = strings.TrimSpace(buf.String())
 				buf.Reset()
 				curState = stateSource
-			} else {
+			} else if !unicode.IsSpace(ch) {
 				buf.WriteRune(ch)
 			}
 		case stateSource:
@@ -113,7 +120,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				}
 
 				out.Options = append(out.Options, opt)
-			} else if ch == '"' { // TODO: current test rule has angled quotes, needs fixing
+			} else if ch == '"' {
 				buf.WriteRune(ch)
 				if isEscaping {
 					isEscaping = false
@@ -124,6 +131,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				isEscaping = true
 				buf.WriteRune(ch)
 			} else {
+				isEscaping = false
 				buf.WriteRune(ch)
 			}
 		}
@@ -139,7 +147,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 
 func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
 	for _, opt := range rule.Options {
-		if opt.Name == key {
+		if strings.EqualFold(opt.Name, key) {
 			return opt.Value, true
 		}
 	}
@@ -147,10 +155,38 @@ func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
 	return nil, false
 }
 
+func (rule *SuricataRule) ParseMetaData() []*MetaData {
+	mdOpt, ok := rule.GetOption("metadata")
+	if !ok || mdOpt == nil {
+		return nil
+	}
+
+	md := []*MetaData{}
+
+	parts := strings.Split(*mdOpt, ",")
+	for _, part := range parts {
+		part = strings.TrimSuffix(strings.TrimSpace(part), ",")
+		kv := strings.SplitN(part, " ", 2)
+		if len(kv) == 1 {
+			kv = append(kv, "")
+		}
+
+		md = append(md, &MetaData{Key: strings.TrimSpace(kv[0]), Value: strings.TrimSpace(kv[1])})
+	}
+
+	return md
+}
+
 func (rule *SuricataRule) String() string {
 	opts := make([]string, 0, len(rule.Options))
+	md := rule.ParseMetaData()
 	for _, opt := range rule.Options {
-		if opt.Value == nil {
+		if opt.Name == "metadata" && len(md) != 0 {
+			value := strings.Join(lo.Map(md, func(m *MetaData, _ int) string {
+				return fmt.Sprintf("%s %s", m.Key, m.Value)
+			}), ", ")
+			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, value))
+		} else if opt.Value == nil {
 			opts = append(opts, fmt.Sprintf("%s;", opt.Name))
 		} else {
 			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, *opt.Value))
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 261cc8b4f..1217cf3fa 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -114,7 +114,7 @@ func TestSuricataRule(t *testing.T) {
 	assert.NotNil(t, opt)
 	assert.Equal(t, `"9"`, *opt)
 
-	opt, ok = rule.GetOption("noalert")
+	opt, ok = rule.GetOption("NoAlErT")
 	assert.True(t, ok)
 	assert.Nil(t, opt)
 

From 654b4386dd48d328d88649babe6758619d0cac73 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Sep 2023 15:07:16 -0600
Subject: [PATCH 010/102] WIP: Community Detections Sync

Removed the sync endpoint from detections handler. Instead of so-rule-update attempting to upload the file or trigger a sync, the SuricataEngine module will watch files on disks for changes and respond to them. The DetectionEngine interface was cleaned up in response to this change.

All sync logic was moved the SuricataEngine module. The module now maintains a long-lived goroutine that checks a configurable file at a configurable interval for changes and applies them when seen. A fingerprint of the rules file is saved in a configurable location.

TODO: Tests.
---
 config/config.go                         |   7 +-
 server/detectionengine.go                |   2 -
 server/detectionhandler.go               |  46 ----------
 server/modules/suricata/suricata.go      | 107 +++++++++++++++++++++--
 server/modules/suricata/suricata_test.go |   2 +-
 5 files changed, 109 insertions(+), 55 deletions(-)

diff --git a/config/config.go b/config/config.go
index 75ce93534..9558286a8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,7 +45,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		}
 	}
 
-	cfg.Server.Modules["suricataengine"] = map[string]interface{}{} // TODO: remove when put in config file
+	// TODO: remove when put in config file
+	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
+		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
+		"rulesFingerprintFile":                 "/opt/so/conf/soc/emerging-all.fingerprint",
+		"communityRulesImportFrequencySeconds": float64(5),
+	}
 
 	return cfg, err
 }
diff --git a/server/detectionengine.go b/server/detectionengine.go
index 63bcf88b8..e6f1d4c1a 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -8,7 +8,5 @@ import (
 
 type DetectionEngine interface {
 	ValidateRule(rule string) (string, error)
-	ParseRules(content string) ([]*model.Detection, error)
 	SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
-	SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index c3313f1d7..7743da32b 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -9,7 +9,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"
 	"strings"
 
@@ -39,7 +38,6 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Delete("/{id}", h.deleteDetection)
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
-		r.Post("/sync/{engine}", h.syncCommunityDetections)
 	})
 }
 
@@ -236,50 +234,6 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func (h *DetectionHandler) syncCommunityDetections(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-
-	engineParam := chi.URLParam(r, "engine")
-
-	engine, ok := h.server.DetectionEngines[model.EngineName(engineParam)]
-	if !ok {
-		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid engine"))
-		return
-	}
-
-	err := r.ParseMultipartForm(int64(h.server.Config.MaxUploadSizeBytes))
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	file, _, err := r.FormFile("file")
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	content, err := io.ReadAll(file)
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	detections, err := engine.ParseRules(string(content))
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	errMap, err := engine.SyncCommunityDetections(ctx, detections)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
-	}
-
-	web.Respond(w, r, http.StatusOK, errMap)
-}
-
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 6c8705c82..f7cf2573f 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -2,10 +2,16 @@ package suricata
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/apex/log"
 	"github.com/samber/lo"
@@ -20,7 +26,12 @@ var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
 type SuricataEngine struct {
-	srv *server.Server
+	srv                                  *server.Server
+	communityRulesFile                   string
+	rulesFingerprintFile                 string
+	communityRulesImportFrequencySeconds int
+	isRunning                            bool
+	thread                               *sync.WaitGroup
 }
 
 func NewSuricataEngine(srv *server.Server) *SuricataEngine {
@@ -33,21 +44,107 @@ func (s *SuricataEngine) PrerequisiteModules() []string {
 	return nil
 }
 
-func (s *SuricataEngine) Init(config module.ModuleConfig) error {
+func (s *SuricataEngine) Init(config module.ModuleConfig) (err error) {
+	s.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", "/nsm/rules/suricata/emerging-all.rules")
+	s.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/emerging-all.fingerprint")
+	s.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 5)
+
 	return nil
 }
 
 func (s *SuricataEngine) Start() error {
 	s.srv.DetectionEngines[model.EngineNameSuricata] = s
+	s.thread = &sync.WaitGroup{}
+	s.thread.Add(1)
+	s.isRunning = true
+
+	go s.watchCommunityRules()
+
 	return nil
 }
 
 func (s *SuricataEngine) Stop() error {
+	s.isRunning = false
+	s.thread.Wait()
+
 	return nil
 }
 
 func (s *SuricataEngine) IsRunning() bool {
-	return false
+	return s.isRunning
+}
+
+func (s *SuricataEngine) watchCommunityRules() {
+	defer func() {
+		s.thread.Done()
+		s.isRunning = false
+	}()
+
+	for s.isRunning {
+		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
+		if !s.isRunning {
+			break
+		}
+
+		rules, hash, err := readAndHash(s.communityRulesFile)
+		if err != nil {
+			log.WithError(err).Error("unable to read community rules file")
+			continue
+		}
+
+		haveFP := true
+
+		fingerprint, err := os.ReadFile(s.rulesFingerprintFile)
+		if err != nil {
+			if !os.IsNotExist(err) {
+				haveFP = false
+			} else {
+				log.WithError(err).Error("unable to read rules fingerprint file")
+				continue
+			}
+		}
+
+		if haveFP && strings.EqualFold(string(fingerprint), hash) {
+			// if we have a fingerprint and the hashes are equal, there's nothing to do
+			continue
+		}
+
+		commDetections, err := s.parseRules(rules)
+		if err != nil {
+			log.WithError(err).Error("unable to parse community rules")
+			continue
+		}
+
+		errMap, err := s.syncCommunityDetections(context.Background(), commDetections)
+		if err != nil {
+			log.WithError(err).Error("unable to sync community detections")
+			continue
+		}
+
+		if len(errMap) > 0 {
+			log.WithFields(log.Fields{
+				"errors": errMap,
+			}).Error("unable to sync all community detections")
+		}
+	}
+}
+
+func readAndHash(path string) (content string, sha256Hash string, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", "", err
+	}
+	defer f.Close()
+
+	hasher := sha256.New()
+	data := io.TeeReader(f, hasher)
+
+	raw, err := io.ReadAll(data)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(raw), hex.EncodeToString(hasher.Sum(nil)), nil
 }
 
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
@@ -59,7 +156,7 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) ParseRules(content string) ([]*model.Detection, error) {
+func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error) {
 	// expecting one rule per line
 	lines := strings.Split(content, "\n")
 	dets := []*model.Detection{}
@@ -297,7 +394,7 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	return errMap, nil
 }
 
-func (s *SuricataEngine) SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 215adc34a..d21faafc2 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -313,7 +313,7 @@ func TestParse(t *testing.T) {
 
 			data := strings.Join(test.Lines, "\n")
 
-			detections, err := mod.ParseRules(data)
+			detections, err := mod.parseRules(data)
 			if test.ExpectedError == nil {
 				assert.NoError(t, err)
 				assert.Equal(t, test.ExpectedDetections, detections)

From 5cb992534928f5d7ee55c83de8ba63930c477fe0 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 3 Oct 2023 16:31:41 -0600
Subject: [PATCH 011/102] Service Account Ctx, Community Rules, permissions

The context that the server initializes is being put to use and slightly modified. As I find new permissions I need, I'm adding roles to cover them. When the dust settles, I'll re-evaluate.

Search criteria now determine what permissions they need to check the user account for. Hints can be given but the search criteria's index and kind are tested to see if alternate permissions need to be checked.

detection/read and detection/write were quickly added to the rbac/permissions file. The roles they're attached to has not been finalized and will almost certainly change.

Lengthened the allowed title as many community rules have titles longer than 100 chars.

When RoundTrip'ing with ElasticTransport, do not add the es-security-runas-user header when the server's agent is in the ctx.

Added 2 new test rules to TestValidate inspired by community rules that couldn't parse but should've.

Successfully imported 30,000+ community rules!
---
 config/config.go                              |  2 +-
 model/event.go                                | 38 +++++++++
 rbac/permissions                              |  5 +-
 .../modules/elastic/elasticdetectionstore.go  |  2 +-
 server/modules/elastic/elasticeventstore.go   | 29 ++++---
 server/modules/elastic/elastictransport.go    | 23 ++++--
 .../staticrbac/staticrbacauthorizer.go        |  2 +
 server/modules/suricata/suricata.go           | 82 +++++++++++++++----
 server/modules/suricata/suricata_test.go      | 24 +++++-
 server/modules/suricata/validate.go           | 17 +++-
 server/server.go                              |  6 +-
 11 files changed, 187 insertions(+), 43 deletions(-)

diff --git a/config/config.go b/config/config.go
index 9558286a8..f19f83053 100644
--- a/config/config.go
+++ b/config/config.go
@@ -48,7 +48,7 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	// TODO: remove when put in config file
 	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
 		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile":                 "/opt/so/conf/soc/emerging-all.fingerprint",
+		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
 		"communityRulesImportFrequencySeconds": float64(5),
 	}
 
diff --git a/model/event.go b/model/event.go
index e75abc2fc..0f8f50036 100644
--- a/model/event.go
+++ b/model/event.go
@@ -7,6 +7,7 @@
 package model
 
 import (
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -14,6 +15,9 @@ import (
 	"github.com/apex/log"
 )
 
+var indexExtractor = regexp.MustCompile(`_index:[ \t]?"([^ \t]+)"`)
+var kindExtractor = regexp.MustCompile(`so_kind:[ \t]?"([^ \t]+)"`)
+
 type EventResults struct {
 	CreateTime   time.Time `json:"createTime"`
 	CompleteTime time.Time `json:"completeTime"`
@@ -115,6 +119,40 @@ func (criteria *EventSearchCriteria) Populate(query string, dateRange string, da
 	return err
 }
 
+func (criteria *EventSearchCriteria) DeterminePermissions(hintVerb string, hintNoun string) (verb string, noun string) {
+	var index, kind string
+
+	for _, seg := range criteria.ParsedQuery.Segments {
+		segStr := seg.String()
+
+		indexMatches := indexExtractor.FindStringSubmatch(segStr)
+		if len(indexMatches) != 0 {
+			index = indexMatches[1]
+		}
+
+		kindMatches := kindExtractor.FindStringSubmatch(segStr)
+		if len(kindMatches) != 0 {
+			kind = kindMatches[1]
+		}
+
+		if index != "" && kind != "" {
+			break
+		}
+	}
+
+	index = strings.ToLower(strings.TrimPrefix(strings.TrimSpace(index), "*:"))
+	kind = strings.ToLower(strings.TrimSpace(kind))
+
+	switch index {
+	case "so-detection":
+		return hintVerb, "detection"
+	}
+
+	_ = kind
+
+	return hintVerb, hintNoun
+}
+
 type EventMetric struct {
 	Keys  []interface{} `json:"keys"`
 	Value int           `json:"value"`
diff --git a/rbac/permissions b/rbac/permissions
index 603820686..8869dc270 100644
--- a/rbac/permissions
+++ b/rbac/permissions
@@ -29,7 +29,10 @@ roles/write:      user-admin
 users/read:       user-monitor
 users/write:      user-admin
 users/delete:     user-admin
-
+detection/read:   agent
+detection/write:  agent
+detection/read:   event-monitor
+detection/write:  event-admin
 
 # Define low-level permission set inheritence relationships
 # Syntax      => roleB: roleA
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 34383adc6..918a5c3b2 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -78,7 +78,7 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 	}
 
 	if err == nil && detect.Title != "" {
-		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+		err = store.validateString(detect.Title, LONG_STRING_MAX, "title")
 	}
 
 	if err == nil && detect.Severity != "" {
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 017826323..0e1ab03d2 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -176,21 +176,28 @@ func (store *ElasticEventstore) unmapElasticField(field string) string {
 func (store *ElasticEventstore) Search(ctx context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error) {
 	var err error
 	results := model.NewEventSearchResults()
-	if err = store.server.CheckAuthorized(ctx, "read", "events"); err == nil {
-		store.refreshCache(ctx)
+	verb, noun := criteria.DeterminePermissions("read", "events")
 
-		var query string
-		query, err = convertToElasticRequest(store, criteria)
+	err = store.server.CheckAuthorized(ctx, verb, noun)
+	if err != nil {
+		return nil, err
+	}
+
+	store.refreshCache(ctx)
+
+	var query string
+	query, err = convertToElasticRequest(store, criteria)
+	if err == nil {
+		var response string
+		response, err = store.luceneSearch(ctx, query)
 		if err == nil {
-			var response string
-			response, err = store.luceneSearch(ctx, query)
-			if err == nil {
-				err = convertFromElasticResults(store, response, results)
-				results.Criteria = criteria
-			}
+			err = convertFromElasticResults(store, response, results)
+			results.Criteria = criteria
 		}
 	}
+
 	results.Complete()
+
 	return results, err
 }
 
@@ -335,7 +342,9 @@ func (store *ElasticEventstore) indexSearch(ctx context.Context, query string, i
 		"query":     store.truncate(query),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Info("Searching Elasticsearch")
+
 	var json string
+
 	res, err := store.esClient.Search(
 		store.esClient.Search.WithContext(ctx),
 		store.esClient.Search.WithIndex(indexes...),
diff --git a/server/modules/elastic/elastictransport.go b/server/modules/elastic/elastictransport.go
index a4c8c6ace..e5606fb74 100644
--- a/server/modules/elastic/elastictransport.go
+++ b/server/modules/elastic/elastictransport.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 )
 
@@ -42,16 +43,20 @@ func NewElasticTransport(user string, pass string, timeoutMs time.Duration, veri
 
 func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if user, ok := req.Context().Value(web.ContextKeyRequestor).(*model.User); ok {
-		log.WithFields(log.Fields{
-			"username":       user.Email,
-			"searchUsername": user.SearchUsername,
-			"requestId":      req.Context().Value(web.ContextKeyRequestId),
-		}).Debug("Executing Elastic request on behalf of user")
-		username := user.Email
-		if user.SearchUsername != "" {
-			username = user.SearchUsername
+		if user.Id != server.AGENT_ID {
+			log.WithFields(log.Fields{
+				"username":       user.Email,
+				"searchUsername": user.SearchUsername,
+				"requestId":      req.Context().Value(web.ContextKeyRequestId),
+			}).Debug("Executing Elastic request on behalf of user")
+			username := user.Email
+			if user.SearchUsername != "" {
+				username = user.SearchUsername
+			}
+			req.Header.Set("es-security-runas-user", username)
+		} else {
+			log.Info("Executing Elastic request without es-security-runas-user")
 		}
-		req.Header.Set("es-security-runas-user", username)
 	} else {
 		log.Warn("User not found in context")
 	}
diff --git a/server/modules/staticrbac/staticrbacauthorizer.go b/server/modules/staticrbac/staticrbacauthorizer.go
index a1a5463cf..5c1029b90 100644
--- a/server/modules/staticrbac/staticrbacauthorizer.go
+++ b/server/modules/staticrbac/staticrbacauthorizer.go
@@ -294,6 +294,8 @@ func (impl *StaticRbacAuthorizer) scanNow() {
 
 		// Ensure agent user/role exists
 		impl.AddRoleToUser(impl.server.Agent, "agent")
+		impl.AddRoleToUser(impl.server.Agent, "config-admin")
+		impl.AddRoleToUser(impl.server.Agent, "event-admin")
 
 		impl.previousUserHash = hash
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index f7cf2573f..1b234278a 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -80,31 +80,29 @@ func (s *SuricataEngine) watchCommunityRules() {
 		s.isRunning = false
 	}()
 
+	ctx := s.srv.Context
+
 	for s.isRunning {
 		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
 		if !s.isRunning {
 			break
 		}
 
+		start := time.Now()
+
 		rules, hash, err := readAndHash(s.communityRulesFile)
 		if err != nil {
 			log.WithError(err).Error("unable to read community rules file")
 			continue
 		}
 
-		haveFP := true
-
-		fingerprint, err := os.ReadFile(s.rulesFingerprintFile)
+		fingerprint, haveFP, err := readFingerprint(s.rulesFingerprintFile)
 		if err != nil {
-			if !os.IsNotExist(err) {
-				haveFP = false
-			} else {
-				log.WithError(err).Error("unable to read rules fingerprint file")
-				continue
-			}
+			log.WithError(err).Error("unable to read rules fingerprint file")
+			continue
 		}
 
-		if haveFP && strings.EqualFold(string(fingerprint), hash) {
+		if haveFP && strings.EqualFold(*fingerprint, hash) {
 			// if we have a fingerprint and the hashes are equal, there's nothing to do
 			continue
 		}
@@ -115,7 +113,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
-		errMap, err := s.syncCommunityDetections(context.Background(), commDetections)
+		errMap, err := s.syncCommunityDetections(ctx, commDetections)
 		if err != nil {
 			log.WithError(err).Error("unable to sync community detections")
 			continue
@@ -125,7 +123,18 @@ func (s *SuricataEngine) watchCommunityRules() {
 			log.WithFields(log.Fields{
 				"errors": errMap,
 			}).Error("unable to sync all community detections")
+		} else {
+			err = os.WriteFile(s.rulesFingerprintFile, []byte(hash), 0644)
+			if err != nil {
+				log.WithError(err).WithField("path", s.rulesFingerprintFile).Error("unable to write rules fingerprint file")
+			}
 		}
+
+		dur := time.Since(start)
+
+		log.WithFields(log.Fields{
+			"durationSeconds": dur.Seconds(),
+		}).Info("Suricata community rules synced")
 	}
 }
 
@@ -147,6 +156,26 @@ func readAndHash(path string) (content string, sha256Hash string, err error) {
 	return string(raw), hex.EncodeToString(hasher.Sum(nil)), nil
 }
 
+func readFingerprint(path string) (fingerprint *string, ok bool, err error) {
+	_, err = os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, false, nil
+		}
+
+		return nil, false, err
+	}
+
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return nil, false, err
+	}
+
+	fingerprint = util.Ptr(strings.TrimSpace(string(raw)))
+
+	return fingerprint, true, nil
+}
+
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	parsed, err := ParseSuricataRule(rule)
 	if err != nil {
@@ -279,8 +308,8 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	modifyLines := strings.Split(modify.Value, "\n")
 
 	localIndex := indexLocal(localLines)
-	enabledIndex := indexEnabled(enabledLines)
-	disabledIndex := indexEnabled(disabledLines)
+	enabledIndex := indexEnabled(enabledLines, false)
+	disabledIndex := indexEnabled(disabledLines, false)
 	modifyIndex := indexModify(modifyLines)
 
 	errMap = map[string]string{} // map[sid]error
@@ -408,6 +437,19 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		Removed int
 	}{}
 
+	allSettings, err := s.srv.Configstore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
+	disabledLines := strings.Split(disabled.Value, "\n")
+	disabledIndex := indexEnabled(disabledLines, true)
+
 	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
 	if err != nil {
 		return nil, err
@@ -419,6 +461,9 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for _, detect := range detections {
+		_, disabled := disabledIndex[detect.PublicID]
+		detect.IsEnabled = !disabled
+
 		id, exists := commSIDs[detect.PublicID]
 		if exists {
 			detect.Id = id
@@ -454,7 +499,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		"updated": results.Updated,
 		"removed": results.Removed,
 		"errors":  errMap,
-	}).Info("Suricata community detections synced")
+	}).Info("suricata community diff")
 
 	return errMap, nil
 }
@@ -494,11 +539,16 @@ func indexLocal(lines []string) map[string]int {
 	return index
 }
 
-func indexEnabled(lines []string) map[string]int {
+func indexEnabled(lines []string, ignoreComments bool) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "#") && ignoreComments {
+			continue
+		}
+
+		line = strings.TrimLeft(line, "# \t")
 		if line != "" {
 			index[line] = i
 		}
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index d21faafc2..e816e4562 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -155,7 +155,7 @@ func TestIndexEnabled(t *testing.T) {
 		"#  24adee9b-6010-46ed-9c4a-9cb7a9c972a1",
 	}
 
-	output := indexEnabled(lines)
+	output := indexEnabled(lines, false)
 
 	assert.Equal(t, 7, len(output))
 	assert.Contains(t, output, "10000")
@@ -172,6 +172,20 @@ func TestIndexEnabled(t *testing.T) {
 	assert.Equal(t, output["not a number"], 6)
 	assert.Contains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
 	assert.Equal(t, output["24adee9b-6010-46ed-9c4a-9cb7a9c972a1"], 7)
+
+	output = indexEnabled(lines, true)
+	assert.Equal(t, 4, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.NotContains(t, output, "20000")
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.NotContains(t, output, "40000")
+	assert.Contains(t, output, "50000")
+	assert.Equal(t, output["50000"], 5)
+	assert.Contains(t, output, "not a number")
+	assert.Equal(t, output["not a number"], 6)
+	assert.NotContains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
 }
 
 func TestIndexModify(t *testing.T) {
@@ -239,6 +253,14 @@ func TestValidate(t *testing.T) {
 			Input:       "x",
 			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
 		},
+		{
+			Name:  "Parentheses in Unquoted Option",
+			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
+		},
+		{
+			Name:  "Unescaped Double Quote in PCRE Option",
+			Input: `alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)`,
+		},
 	}
 
 	for _, test := range table {
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 8f9d1b89f..f3ee8e707 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -24,7 +24,7 @@ type RuleOption struct {
 }
 
 type MetaData struct {
-	Key string
+	Key   string
 	Value string
 }
 
@@ -101,7 +101,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				buf.WriteRune(ch)
 			}
 		case stateOptions:
-			if ch == ')' && !inQuotes && !isEscaping {
+			if ch == ')' && !inQuotes && !isEscaping && len(strings.TrimSpace(buf.String())) == 0 {
 				if r.Len() != 0 {
 					// end of options, but not end of rule?
 					return nil, fmt.Errorf("invalid rule, expected end of rule, got %d more bytes", r.Len())
@@ -125,7 +125,18 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				if isEscaping {
 					isEscaping = false
 				} else {
-					inQuotes = !inQuotes
+					if strings.Contains(buf.String(), "pcre:") {
+						// is the current option a regular expression?
+						// if so, only end the quotes if the next character is a semicolon
+						next, _, _ := r.ReadRune()
+						r.UnreadRune()
+
+						if next == ';' {
+							inQuotes = false
+						}
+					} else {
+						inQuotes = !inQuotes
+					}
 				}
 			} else if ch == '\\' {
 				isEscaping = true
diff --git a/server/server.go b/server/server.go
index 4b281b5e5..9a41e1a77 100644
--- a/server/server.go
+++ b/server/server.go
@@ -63,7 +63,11 @@ func (server *Server) initContext() {
 	server.Agent = model.NewUser()
 	server.Agent.Id = AGENT_ID
 	server.Agent.Email = server.Agent.Id
-	server.Context = context.WithValue(context.Background(), web.ContextKeyRequestor, server.Agent)
+
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestor, server.Agent)
+	ctx = context.WithValue(ctx, web.ContextKeyRequestorId, AGENT_ID)
+
+	server.Context = ctx
 }
 
 func (server *Server) Start() {

From c4c66fb913040763bafc5e724d68016c73a7389f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 5 Oct 2023 12:23:43 -0600
Subject: [PATCH 012/102] WIP: GetAll that gets all

Uses elasticsearch's `search_after` to page through results when the max documents of -1 is passed in.
---
 model/event.go                                |  2 +
 server/modules/elastic/converter.go           | 14 ++++
 .../modules/elastic/elasticdetectionstore.go  | 72 ++++++++++++++-----
 server/modules/suricata/suricata.go           | 28 ++++++--
 4 files changed, 93 insertions(+), 23 deletions(-)

diff --git a/model/event.go b/model/event.go
index 0f8f50036..9f9306e8c 100644
--- a/model/event.go
+++ b/model/event.go
@@ -66,6 +66,7 @@ type EventSearchCriteria struct {
 	CreateTime  time.Time
 	ParsedQuery *Query
 	SortFields  []*SortCriteria
+	SearchAfter []interface{}
 }
 
 func (criteria *EventSearchCriteria) initSearchCriteria() {
@@ -166,6 +167,7 @@ type EventRecord struct {
 	Type      string                 `json:"type"`
 	Score     float64                `json:"score"`
 	Payload   map[string]interface{} `json:"payload"`
+	Sort      []interface{}          `json:"sort"`
 }
 
 type EventUpdateCriteria struct {
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 8b8fbeaf5..549e42e3e 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -196,6 +196,10 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 	esMap["size"] = criteria.EventLimit
 	esMap["query"] = makeQuery(store, criteria.ParsedQuery, criteria.BeginTime, criteria.EndTime)
 
+	if len(criteria.SearchAfter) != 0 {
+		esMap["search_after"] = criteria.SearchAfter
+	}
+
 	aggregations := make(map[string]interface{})
 
 	if criteria.MetricLimit > 0 {
@@ -244,6 +248,13 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			}
 			esMap["sort"] = sorting
 		}
+	} else {
+		sort := map[string]string{}
+		for _, field := range criteria.SortFields {
+			sort[field.Field] = field.Order
+		}
+
+		esMap["sort"] = sort
 	}
 
 	bytes, err := json.WriteJson(esMap)
@@ -342,6 +353,9 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 			event.Score = esRecord["_score"].(float64)
 		}
 		event.Payload = flatten(store, esRecord["_source"].(map[string]interface{}))
+		if esRecord["sort"] != nil {
+			event.Sort = esRecord["sort"].([]interface{})
+		}
 
 		if event.Payload["@timestamp"] != nil {
 			event.Time, _ = time.Parse(time.RFC3339, event.Payload["@timestamp"].(string))
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 918a5c3b2..c2bd36003 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -196,30 +196,65 @@ func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, ma
 	endTime := now.Format(format)
 	zone := now.Location().String()
 
-	err = criteria.Populate(query,
-		zeroTimeStr+" - "+endTime, // timeframe range
-		format,                    // timeframe format
-		zone,                      // timezone
-		"0",                       // no metrics
-		strconv.Itoa(max))
+	unlimited := false
+	if max == -1 {
+		max = 10000
+		unlimited = true
+	}
+
+	sort := []interface{}{}
+
+	for {
+		err = criteria.Populate(query,
+			zeroTimeStr+" - "+endTime, // timeframe range
+			format,                    // timeframe format
+			zone,                      // timezone
+			"0",                       // no metrics
+			strconv.Itoa(max))
+
+		if err != nil {
+			return nil, err
+		}
+
+		if unlimited {
+			// need a deterministic sort order for paging
+			criteria.SortFields = []*model.SortCriteria{
+				{
+					Field: "@timestamp",
+					Order: "desc",
+				},
+			}
+
+			if len(sort) != 0 {
+				criteria.SearchAfter = sort
+			}
+		}
 
-	if err == nil {
 		var results *model.EventSearchResults
 
 		results, err = store.server.Eventstore.Search(ctx, criteria)
-		if err == nil {
-			for _, event := range results.Events {
-				var obj interface{}
-
-				obj, err = convertElasticEventToObject(event, store.schemaPrefix)
-				if err == nil {
-					objects = append(objects, obj)
-				} else {
-					log.WithField("event", event).WithError(err).Error("Unable to convert case object")
-				}
+		if err != nil {
+			return nil, err
+		}
+
+		for _, event := range results.Events {
+			var obj interface{}
+
+			obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+			if err == nil {
+				objects = append(objects, obj)
+			} else {
+				log.WithField("event", event).WithError(err).Error("Unable to convert case object")
 			}
 		}
+
+		if !unlimited || len(results.Events) == 0 {
+			break
+		}
+
+		sort = results.Events[len(results.Events)-1].Sort
 	}
+
 	// }
 
 	return objects, err
@@ -360,8 +395,7 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 }
 
 func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
-	// TODO: 10000? Is that enough?
-	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), 10000)
+	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 1b234278a..0b641e706 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -25,6 +25,8 @@ var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 
 const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
+var errModuleStopped = fmt.Errorf("module has stopped running")
+
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
@@ -115,6 +117,11 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		errMap, err := s.syncCommunityDetections(ctx, commDetections)
 		if err != nil {
+			if err == errModuleStopped {
+				log.Info("incomplete sync of suricata community detections due to module stopping")
+				return
+			}
+
 			log.WithError(err).Error("unable to sync community detections")
 			continue
 		}
@@ -134,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
-		}).Info("Suricata community rules synced")
+		}).Info("suricata community rules synced")
 	}
 }
 
@@ -447,8 +454,16 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		return nil, fmt.Errorf("unable to find disabled setting")
 	}
 
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
 	disabledLines := strings.Split(disabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
+
 	disabledIndex := indexEnabled(disabledLines, true)
+	modifyIndex := indexModify(modifyLines)
 
 	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
 	if err != nil {
@@ -461,8 +476,13 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for _, detect := range detections {
+		if !s.isRunning {
+			return errMap, errModuleStopped
+		}
+
 		_, disabled := disabledIndex[detect.PublicID]
-		detect.IsEnabled = !disabled
+		_, modified := modifyIndex[detect.PublicID]
+		detect.IsEnabled = !(disabled || modified)
 
 		id, exists := commSIDs[detect.PublicID]
 		if exists {
@@ -486,9 +506,9 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for sid := range toDelete {
-		_, err = s.srv.Detectionstore.DeleteDetection(ctx, sid)
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid])
 		if err != nil {
-			errMap[sid] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			errMap[sid] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
 		} else {
 			results.Removed++
 		}

From 77ecfb0ba5b594edc4e631933d97c0406ea90f31 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 11 Oct 2023 15:48:18 -0600
Subject: [PATCH 013/102] WIP: Tightening Suricata Bolts

Added logic to disallow editing of community rules. Adjusted detection's form validation rules so that community rules aren't validated at the form level.

Removed "Details" Detection tab and reordered the controls under it to the "Summary" and "Signature" tabs. Rearranged some tabs.

Cleaned up the strings used in dropdowns (engine, severity) with capitalization. Cleaner UI, but the correct casing is still passed over the wire.

Refactored PublicID's "Generate" button to be "Extract" so that it fills the field using the SID in the rule. May eventually make this field readonly except for this modification.

Updated infohandler's response to use the same severity values the rules use.

Converted more strings to i18n references.

`indexDocument` and `deleteDocument` on the ElasticEventstore now pass the ctx in. This removes the WARN log message about making a request without a user. Needs more thorough testing to be sure there's no unwanted side effects.
---
 html/index.html                             | 86 ++++++++-------------
 html/js/i18n.js                             | 17 +++-
 html/js/routes/detection.js                 | 81 ++++++++++++++-----
 server/infohandler.go                       |  2 +-
 server/modules/elastic/converter.go         |  2 +-
 server/modules/elastic/elasticeventstore.go |  6 +-
 server/modules/suricata/suricata.go         |  2 +
 7 files changed, 118 insertions(+), 78 deletions(-)

diff --git a/html/index.html b/html/index.html
index e2d9c7902..d10c0ae23 100644
--- a/html/index.html
+++ b/html/index.html
@@ -965,7 +965,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
         <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
           <!-- Title -->
           <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
-          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="'Detection Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
         </div>
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
@@ -975,10 +975,10 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-form ref="detection" v-model="editForm.valid">
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Description -->
-                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
+                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="i18n.detectionDescription" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicID">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1018,18 +1018,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <v-icon left>fa-clipboard</v-icon>
                 <div class="d-none d-lg-block">Summary</div>
               </v-tab>
-              <v-tab id="detection_detailsTab" href="#details">
-                <v-icon left>fa-circle-info</v-icon>
-                <div class="d-none d-lg-block">Details</div>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-signature</v-icon>
+                <div class="d-none d-lg-block">Signature</div>
               </v-tab>
               <v-tab id="detection_notesTab" href="#notes">
                 <v-icon left>fa-pencil</v-icon>
                 <div class="d-none d-lg-block">Notes</div>
               </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
-                <v-icon left>fa-signature</v-icon>
-                <div class="d-none d-lg-block">Signature</div>
-              </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
@@ -1047,47 +1043,49 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div>
                     <!-- Description -->
-                    <span class="font-weight-bold">Description:</span><br/>
+                    <span class="font-weight-bold">{{i18n.description}}:</span><br/>
                     <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
-                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.detectionDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
                   <!-- Engine -->
-                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :readonly="detect.isCommunity" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Author -->
+                  <v-text-field id="detection-author-edit" v-model="detect.author" :readonly="detect.isCommunity" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.author" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+                  <!-- Severity -->
+                  <v-select id="detection-severity-edit" class="text-capitalize" :readonly="detect.isCommunity" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                   <!-- Enabled -->
-                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
+                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/>
                   <!-- Reporting -->
-                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
+                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" :label="i18n.reporting"/>
                 </div>
                 <div class="d-flex justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
                       {{i18n.duplicate}}
                     </v-btn>
-                    <v-btn v-if="!isNew()" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
+                    <v-btn v-if="!isNew() && !detect.isCommunity" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
                       {{i18n.delete}}
                     </v-btn>
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="details">
-                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+              <v-tab-item value="signature">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
-                    <template v-slot:append v-if="!detect.publicId">
-                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
+                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
                     </template>
                   </v-text-field>
-                  <!-- Author -->
-                  <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
-                  <!-- Severity -->
-                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Signature -->
+                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
@@ -1109,22 +1107,6 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="signature">
-                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- Signature -->
-                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
-                </div>
-                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
-                  <div class="d-inline-flex justify-end">
-                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
-                      {{ i18n.cancel }}
-                    </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
-                      {{i18n.update}}
-                    </v-btn>
-                  </div>
-                </div>
-              </v-tab-item>
               <!-- <v-tab-item value="playbook">
                 <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div class="col ma-2">
@@ -1196,13 +1178,13 @@ <h3>Alerts</h3>
         <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
           <!-- Title -->
           <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isEdit('playbook-title')">{{ playbook.title }}</h2>
-          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="'Playbook Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="i18n.playbookTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
         </div>
 
         <div class="row mb-6 mb-md-1 mt-2 mx-lg-6 mx-sm-12">
           <!-- Description -->
           <span id="playbook-description" @click="startEdit('playbook-description', 'description')" v-if="!isEdit('playbook-description')">{{ playbook.description }}</span>
-          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="'Playbook Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="i18n.playbookDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
         </div>
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
@@ -1228,23 +1210,23 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="notes">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!playbook.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
                   </v-text-field>
                   <!-- Contributors -->
-                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="'Contributors'" multiple>
+                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="i18n.contributors" multiple>
                     <template #selection="{ item }">
                       <v-chip color="primary">{{item}}</v-chip>
                     </template>
                   </v-combobox>
 
                   <!-- Severity -->
-                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
 
                   <!-- Mechanism -->
-                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="'Mechanism'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="i18n.playbookMechanism" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
 
                   <!-- Tags -->
                   <v-combobox id="playbook-tags" v-model="playbook.tags" :items="tags" persistent-hint :hint="i18n.caseTagsHelp" multiple>
@@ -1283,9 +1265,9 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="questions">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <h2>Add Investigative Question</h2>
-                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="'The investigative question written in plain language for human consumption, in the form of a question'"></v-text-field>
-                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="'Provide optional context'"></v-text-field>
-                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="'The data sources that can be used to answer the question'" multiple>
+                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="i18n.playbookQuestionHint"></v-text-field>
+                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="i18n.playbookAddContext"></v-text-field>
+                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="i18n.playbookDatasources" multiple>
                     <template #selection="{ item }">
                       <v-chip color="primary">{{item}}</v-chip>
                     </template>
@@ -3744,7 +3726,7 @@ <h4 v-if="metricsEnabled">{{ i18n.gridEps }} {{ gridEps | formatCount }}</h4>
                                 <v-btn v-if="canTest(item)" id="test-minion" icon :title="i18n.nodeTest" @click="showTestConfirm(item.id + '_' + item.role)">
                                   <v-icon>fa-file-import</v-icon>
                                 </v-btn>
-                                <v-btn v-if="canUpload(item)" id="import-minion" icon :title="i18n.uploadPcap" @click="showUploadConfirm(item)">
+                                <v-btn v-if="canUpload(item)" id="import-minion" icon :title="i18n.uploadPCAPEVTX" @click="showUploadConfirm(item)">
                                   <v-icon>fa-upload</v-icon>
                                 </v-btn>
                                 <v-btn id="restart-minion" icon :title="item.osNeedsRestart == 1 ? i18n.restartRequiredHelp : i18n.restartMinionHelp" @click="showRestartConfirm(item.id + '_' + item.role)">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 86c1a9348..44cd9f781 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -93,7 +93,6 @@ const i18n = {
       artifactIocHelp: 'Enable this field if this is an Indicator of Compromise',
       artifactGroupType: 'Group Type',
       artifactGroupId: 'Group ID',
-      artifactDescription: 'Description',
       artifactProtected: 'Protected',
       artifactProtectedHint: 'Protected attachments are automatically zipped prior to downloading. This helps prevent analysts from accidentally executing the potentially infected attachment.',
       artifactType: 'Type',
@@ -205,6 +204,7 @@ const i18n = {
       container: 'Container',
       containerStatus: 'Container Status',
       continue: 'Would you like to continue?',
+      contributors: 'Contributors',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
       copyEventToClipboardAsKvp: 'Copy full event as field:value pairs',
       copyFieldToClipboard: 'Copy this value only',
@@ -257,7 +257,10 @@ const i18n = {
       detections: 'Detections',
       detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
       detectionDefaultDescription: 'Detection description not yet provided',
+      detectionDescription: 'Detection Description',
+      detectionEnabled: 'Enabled',
       detectionSeverity: 'Severity',
+      detectionTitle: 'Detection Title',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -316,6 +319,7 @@ const i18n = {
       expand: 'Expand',
       expandHelp: 'Expand and show detailed data',
       expired: 'Expired',
+      extract: 'Extract',
       incomplete: 'Incomplete',
       invalidHours: 'Hours are not valid. Ex: 1.5',
       failedEvents: 'Failed Events',
@@ -553,6 +557,12 @@ const i18n = {
       passwordReset: 'Change Password',
       passwordNeedsChanged: 'User has not yet changed their password',
       playbooks: 'Playbooks',
+      playbookAddContext: 'Provide optional context',
+      playbookDatasources: 'The data sources that can be used to answer the question',
+      playbookDescription: 'Playbook Description',
+      playbookTitle: 'Playbook Title',
+      playbookMechanism: 'Mechanism',
+      playbookQuestionHint: 'The investigative question written in plain language for human consumption, in the form of a question',
       profileDetails: 'Profile Details',
       profileInstructions: 'You may be prompted to login again when updating your profile. This is a security measure to protect your account.',
       pcap: 'PCAP',
@@ -561,6 +571,7 @@ const i18n = {
       pending: 'Pending',
       product: 'Security Onion',
       profile: 'Profile',
+      publicID: 'Public ID',
       queriesHelp: 'Choose from several pre-defined queries',
       queryHelp: 'Specify a query in Onion Query Language (OQL)',
       quickActions: 'Actions',
@@ -650,6 +661,8 @@ const i18n = {
       setting_fake_setting_foo: 'Fake Setting Translated',
       settingHelp_fake_setting_foo: 'This is a transalated fake setting description.',
 
+      severity: 'Severity',
+
       sha1: 'SHA1',
       sha256: 'SHA256',
       share: 'Clipboard',
@@ -770,7 +783,7 @@ const i18n = {
       unwrapHelp: 'Unwrap packets from encapsulation (Ex: VXLAN)',
       update: 'Update',
       upload: 'Upload',
-      uploadPcap: 'Upload PCAP/EVTX',
+      uploadPCAPEVTX: 'Upload PCAP/EVTX',
       updateProfile: 'Update Profile',
       updateSettings: 'Settings',
       updateSuccessful: 'Update successful',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index e88abc266..5ddcaebf2 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -29,6 +29,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
+		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/,
   }},
   created() {
   },
@@ -99,11 +100,33 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       return "";
     },
     getPresets(kind) {
-      if (this.presets && this.presets[kind]) {
-        return this.presets[kind].labels;
+			if (this.presets && this.presets[kind]) {
+				switch (kind) {
+					case 'severity':
+					case 'engine':
+						return this.capitalizeOptions(this.presets[kind].labels);
+					default:
+						return this.presets[kind].labels;
+				}
       }
       return [];
-    },
+		},
+		capitalizeOptions(opts) {
+			return opts.map(opt => {
+				const cap = opt.charAt(0).toUpperCase() + opt.slice(1).toLowerCase();
+				return {
+					text: cap,
+					value: opt,
+				}
+			})
+		},
+		requestRules(rules) {
+			if (this.detect.isCommunity) {
+				return [];
+			}
+
+			return rules;
+		},
     isPresetCustomEnabled(kind) {
       if (this.presets && this.presets[kind]) {
         return this.presets[kind].customEnabled == true;
@@ -123,6 +146,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async startEdit(target, field) {
 			if (this.curEditTarget === target) return;
 			if (this.curEditTarget !== null) await this.stopEdit(false);
+			if (this.detect.isCommunity) return;
 
 			this.curEditTarget = target;
 			this.origValue = this.detect[field];
@@ -136,8 +160,19 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			});
 		},
-		generatePublicID() {
-			this.detect.publicId = crypto.randomUUID();
+		extractPublicID() {
+			let pid = '';
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						pid = this.extractSuricataPublicID();
+					} catch (e) {
+						// nothing, clear publicId
+					}
+					break;
+			}
+
+			this.detect.publicId = pid;
 		},
 		isEdit(target) {
 			return this.curEditTarget === target;
@@ -213,22 +248,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			return null;
 		},
 		validateSuricata() {
-			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
-			const results = sidExtract.exec(this.detect.content);
-
-			if (!results || results.length < 2) {
-				// sid not present in rule
-				return this.i18n.sidMissingErr;
-			} else if (results && results.length > 2) {
-				// multiple sids present in rule
-				return this.i18n.sidMultipleErr;
-			}
-
-			const sid = results[1];
+			try {
+				const sid = this.extractSuricataPublicID();
 
-			if (this.detect.publicId !== sid) {
-				// sid doesn't match metadata
-				return this.i18n.sidMismatchErr;
+				if (this.detect.publicId !== sid) {
+					// sid doesn't match metadata
+					return this.i18n.sidMismatchErr;
+				}
+			} catch (e) {
+				return e;
 			}
 
 			// normalize quotes
@@ -237,6 +265,19 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return null;
 		},
+		extractSuricataPublicID() {
+			const results = this.sidExtract.exec(this.detect.content);
+
+			if (!results || results.length < 2) {
+				// sid not present in rule
+				throw this.i18n.sidMissingErr;
+			} else if (results && results.length > 2) {
+				// multiple sids present in rule
+				throw this.i18n.sidMultipleErr;
+			}
+
+			return results[1];
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/server/infohandler.go b/server/infohandler.go
index 974478ef0..79de50894 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -95,7 +95,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detection.Presets = map[string]config.PresetParameters{
 			"severity": {
 				CustomEnabled: false,
-				Labels:        []string{"low", "medium", "high"},
+				Labels:        []string{"unknown", "informational", "minor", "major", "critical"},
 			},
 			"engine": {
 				CustomEnabled: false,
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 549e42e3e..e160f59b0 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -369,7 +369,7 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 	aggs := esResults["aggregations"]
 	if aggs != nil {
 		for name, aggObj := range aggs.(map[string]interface{}) {
-			keys := make([]interface{}, 0, 0)
+			keys := make([]interface{}, 0)
 			parseAggregation(name, aggObj, keys, results)
 		}
 	}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 0e1ab03d2..b589f966f 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -374,7 +374,9 @@ func (store *ElasticEventstore) indexDocument(ctx context.Context, index string,
 	res, err := store.esClient.Index(store.transformIndex(index),
 		strings.NewReader(document),
 		store.esClient.Index.WithRefresh("true"),
-		store.esClient.Index.WithDocumentID(id))
+		store.esClient.Index.WithDocumentID(id),
+		store.esClient.Index.WithContext(ctx),
+	)
 
 	if err != nil {
 		log.WithError(err).Error("Unable to index document into Elasticsearch")
@@ -397,7 +399,7 @@ func (store *ElasticEventstore) deleteDocument(ctx context.Context, index string
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Deleting document from Elasticsearch")
 
-	res, err := store.esClient.Delete(store.transformIndex(index), id)
+	res, err := store.esClient.Delete(store.transformIndex(index), id, store.esClient.Delete.WithContext(ctx))
 
 	if err != nil {
 		log.WithFields(log.Fields{
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 0b641e706..1205dde5e 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -127,6 +127,8 @@ func (s *SuricataEngine) watchCommunityRules() {
 		}
 
 		if len(errMap) > 0 {
+			// there were errors, don't save the fingerprint.
+			// idempotency means we might fix it if we try again later.
 			log.WithFields(log.Fields{
 				"errors": errMap,
 			}).Error("unable to sync all community detections")

From 341a563696beb0a932f1366d19cf175b745c0716 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 19 Oct 2023 16:32:23 -0600
Subject: [PATCH 014/102] Early implementation of ElastAlert's DetectionEngine.

New library: go-git. We use it to clone/pull the sigma repo.

Prevent community rules from being updated through the detection CRUD endpoints.

Improved change detection in suricata's community importer. If a community rule's content hasn't changed then it isn't updated, significantly improving the time it takes to update community rules.

Improved support for sort criteria when querying elasticsearch.

Linting.
---
 config/config.go                              |   7 +
 go.mod                                        |  26 +-
 go.sum                                        |  99 +++-
 server/detectionhandler.go                    |  27 +
 server/detectionstore.go                      |   2 +-
 server/infohandler.go                         |   2 +-
 server/modules/elastalert/elastalert.go       | 145 ++++++
 server/modules/elastalert/elastalert_test.go  |  34 ++
 server/modules/elastalert/oneormore.go        |  39 ++
 server/modules/elastalert/oneormore_test.go   |  58 +++
 server/modules/elastalert/validate.go         | 112 ++++
 server/modules/elastalert/validate_test.go    |  52 ++
 server/modules/elastic/converter.go           |  13 +-
 server/modules/elastic/converter_test.go      | 482 +++++++++---------
 .../modules/elastic/elasticdetectionstore.go  |   7 +-
 server/modules/modules.go                     |   2 +
 server/modules/modules_test.go                |  29 +-
 server/modules/suricata/suricata.go           |  39 +-
 server/modules/suricata/suricata_test.go      |   2 +
 19 files changed, 904 insertions(+), 273 deletions(-)
 create mode 100644 server/modules/elastalert/elastalert.go
 create mode 100644 server/modules/elastalert/elastalert_test.go
 create mode 100644 server/modules/elastalert/oneormore.go
 create mode 100644 server/modules/elastalert/oneormore_test.go
 create mode 100644 server/modules/elastalert/validate.go
 create mode 100644 server/modules/elastalert/validate_test.go

diff --git a/config/config.go b/config/config.go
index f19f83053..2469e9e6a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -52,5 +52,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		"communityRulesImportFrequencySeconds": float64(5),
 	}
 
+	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
+		"communityRulesImportFrequencySeconds": float64(600),
+		"sigmaRepo":                            "https://github.com/SigmaHQ/sigma",
+		"sigmaRepoRoot":                        "/tmp/socdev/so/rules/sigma",
+		"gitTimeout":                           float64(600),
+	}
+
 	return cfg, err
 }
diff --git a/go.mod b/go.mod
index b7f6870f7..16b274a14 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/security-onion-solutions/securityonion-soc
 
-go 1.20
+go 1.21
 
 require (
 	github.com/apex/log v1.9.0
@@ -20,19 +20,41 @@ require (
 )
 
 require (
+	github.com/go-git/go-git/v5 v5.9.0
+	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/oapi-codegen/runtime v1.1.0 // indirect
+	github.com/deepmap/oapi-codegen v1.12.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index 186a8a75d..6ce8fe3f2 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,15 @@
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
+github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -6,9 +17,16 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,17 +35,41 @@ github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWIO
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
+github.com/deepmap/oapi-codegen v1.12.4 h1:pPmn6qI9MuOtCz82WY2Xaw46EQjgvxednXXrP7g5Q2s=
+github.com/deepmap/oapi-codegen v1.12.4/go.mod h1:3lgHGMu6myQ2vqbbTXH2H1o4eXFTGnFiDaOaKKl5yas=
+github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJyMw6cbCWM3T/B2S5E=
+github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
+github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
+github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
 github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
+github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
+github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -42,17 +84,26 @@ github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 h1:W9WBk7
 github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
+github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -64,17 +115,28 @@ github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfW
 github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
+github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -82,7 +144,9 @@ github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKk
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -102,6 +166,9 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -113,6 +180,10 @@ golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AW
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -120,6 +191,10 @@ golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -128,16 +203,34 @@ golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 7743da32b..9ece4c656 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -12,10 +12,12 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
+	"github.com/pkg/errors"
 )
 
 type DetectionHandler struct {
@@ -71,6 +73,11 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	if detect.IsCommunity {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot create community detections using this endpoint"))
+		return
+	}
+
 	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
@@ -131,6 +138,26 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	if old.IsCommunity {
+		// the only editable fields for community rules are IsEnabled, IsReporting, and Note
+		old.IsEnabled = detect.IsEnabled
+		old.IsReporting = detect.IsReporting
+		old.Note = detect.Note
+
+		detect = old
+
+		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, and Note", detect.Id)
+	} else if detect.IsCommunity {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot update an existing non-community detection to make it a community detection"))
+		return
+	}
+
 	detect, err = h.server.Detectionstore.UpdateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusNotFound, err)
diff --git a/server/detectionstore.go b/server/detectionstore.go
index de8b5f8fc..2c1a1730a 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,5 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) // map[detection.PublicId]detection.Id
+	GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 }
diff --git a/server/infohandler.go b/server/infohandler.go
index 79de50894..dceeefaef 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -99,7 +99,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 			},
 			"engine": {
 				CustomEnabled: false,
-				Labels:        []string{"suricata", "yara", "elastalert"},
+				Labels:        []string{"suricata", "elastalert"},
 			},
 		}
 	}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
new file mode 100644
index 000000000..21322c5c4
--- /dev/null
+++ b/server/modules/elastalert/elastalert.go
@@ -0,0 +1,145 @@
+package elastalert
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+
+	"github.com/go-git/go-git/v5"
+	_ "github.com/go-git/go-git/v5"
+)
+
+type ElastAlertEngine struct {
+	srv                                  *server.Server
+	communityRulesImportFrequencySeconds int
+	sigmaRepo                            string
+	sigmaRepoRoot                        string
+	gitTimeout                           int
+	isRunning                            bool
+	thread                               *sync.WaitGroup
+}
+
+func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
+	return &ElastAlertEngine{
+		srv: srv,
+	}
+}
+
+func (e *ElastAlertEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
+	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
+	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
+	e.sigmaRepoRoot = module.GetStringDefault(config, "sigmaRepoRoot", "/opt/so/rules/sigma")
+	e.gitTimeout = module.GetIntDefault(config, "gitTimeout", 600)
+
+	return nil
+}
+
+func (e *ElastAlertEngine) Start() error {
+	e.srv.DetectionEngines[model.EngineNameElastAlert] = e
+	e.isRunning = true
+
+	go e.startCommunityRuleImport()
+
+	return nil
+}
+
+func (e *ElastAlertEngine) Stop() error {
+	e.isRunning = false
+
+	return nil
+}
+
+func (e *ElastAlertEngine) IsRunning() bool {
+	return e.isRunning
+}
+
+func (e *ElastAlertEngine) ValidateRule(data string) (string, error) {
+	_, err := ParseElastAlertRule([]byte(data))
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}
+
+func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	return nil, nil
+}
+
+func (e *ElastAlertEngine) startCommunityRuleImport() {
+	defer func() {
+		e.thread.Done()
+		e.isRunning = false
+	}()
+
+	ctx := e.srv.Context
+
+	for e.isRunning {
+		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
+		if !e.isRunning {
+			return
+		}
+
+		err := e.ensureUpToDateRepo(ctx)
+		if err != nil {
+			log.WithField("error", err).Error("something went wrong while ensuring the sigma repo is up to date")
+			continue
+		}
+	}
+}
+
+func (e *ElastAlertEngine) ensureUpToDateRepo(ctx context.Context) error {
+	readme := filepath.Join(e.sigmaRepoRoot, "README.md")
+
+	gitCtx, cancel := context.WithTimeout(ctx, time.Duration(e.gitTimeout)*time.Second)
+	defer cancel()
+
+	_, err := os.Stat(readme)
+	if os.IsNotExist(err) {
+		err = os.MkdirAll(e.sigmaRepoRoot, 0755)
+		if err != nil {
+			return fmt.Errorf("unable to create repo root directory: %w", err)
+		}
+
+		_, err = git.PlainCloneContext(gitCtx, e.sigmaRepoRoot, false, &git.CloneOptions{
+			URL:   e.sigmaRepo,
+			Depth: 1,
+		})
+		if err != nil {
+			return fmt.Errorf("unable to clone repo: %w", err)
+		}
+	} else if err == nil {
+		repo, err := git.PlainOpen(e.sigmaRepoRoot)
+		if err != nil {
+			return fmt.Errorf("unable to open existing repo: %w", err)
+		}
+
+		w, err := repo.Worktree()
+		if err != nil {
+			return fmt.Errorf("unable to get worktree of existing repo: %w", err)
+		}
+
+		err = w.PullContext(gitCtx, &git.PullOptions{
+			Depth: 1,
+		})
+		if err != nil && err != git.NoErrAlreadyUpToDate {
+			return fmt.Errorf("unable to pull repo: %w", err)
+		}
+	} else {
+		return fmt.Errorf("unable to determine if README.md exists: %w", err)
+	}
+
+	return nil
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
new file mode 100644
index 000000000..f78c05398
--- /dev/null
+++ b/server/modules/elastalert/elastalert_test.go
@@ -0,0 +1,34 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/tj/assert"
+)
+
+func TestElastAlertModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewElastAlertEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Init(nil)
+	assert.NoError(t, err)
+
+	err = mod.Start()
+	assert.NoError(t, err)
+
+	assert.True(t, mod.IsRunning())
+
+	err = mod.Stop()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameElastAlert])
+}
diff --git a/server/modules/elastalert/oneormore.go b/server/modules/elastalert/oneormore.go
new file mode 100644
index 000000000..959a47360
--- /dev/null
+++ b/server/modules/elastalert/oneormore.go
@@ -0,0 +1,39 @@
+package elastalert
+
+type OneOrMore[T comparable] struct {
+	Value  T
+	Values []T
+}
+
+func (om *OneOrMore[T]) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var multi []T
+
+	err := unmarshal(&multi)
+	if err != nil {
+		var single T
+
+		err := unmarshal(&single)
+		if err != nil {
+			return err
+		}
+
+		om.Value = single
+	} else {
+		om.Values = multi
+	}
+
+	return nil
+}
+
+func (om OneOrMore[T]) MarshalYAML() (interface{}, error) {
+	if om.Values != nil {
+		return om.Values, nil
+	}
+
+	return om.Value, nil
+}
+
+func (om *OneOrMore[T]) HasValue() bool {
+	var zero T
+	return om != nil && (om.Values != nil || om.Value != zero)
+}
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
new file mode 100644
index 000000000..aec7a077f
--- /dev/null
+++ b/server/modules/elastalert/oneormore_test.go
@@ -0,0 +1,58 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+	"gopkg.in/yaml.v3"
+)
+
+func TestOneOrMore(t *testing.T) {
+	type TestStruct struct {
+		Value *OneOrMore[string] `yaml:"value"`
+	}
+
+	// One
+	data := []byte(`value: test`)
+	ts := TestStruct{}
+
+	err := yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.True(t, ts.Value.HasValue())
+	assert.Equal(t, "test", ts.Value.Value)
+	assert.Empty(t, ts.Value.Values)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value: test\n", string(data))
+
+	// ...OrMore
+	data = []byte(`value: [test1, test2]`)
+	ts = TestStruct{}
+
+	err = yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.True(t, ts.Value.HasValue())
+	assert.Empty(t, ts.Value.Value)
+	assert.Equal(t, []string{"test1", "test2"}, ts.Value.Values)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value:\n    - test1\n    - test2\n", string(data))
+
+	// nil
+	data = []byte(`value: null`)
+	ts = TestStruct{}
+
+	err = yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.False(t, ts.Value.HasValue())
+	assert.Empty(t, ts)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value: null\n", string(data))
+
+	null := (*OneOrMore[string])(nil)
+	assert.False(t, null.HasValue())
+}
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
new file mode 100644
index 000000000..9591ab3e0
--- /dev/null
+++ b/server/modules/elastalert/validate.go
@@ -0,0 +1,112 @@
+package elastalert
+
+import (
+	"fmt"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+type SigmaStatus string
+
+const (
+	SigmaStatusStable       SigmaStatus = "stable"
+	SigmaStatusTest         SigmaStatus = "test"
+	SigmaStatusExperimental SigmaStatus = "experimental"
+	SigmaStatusDeprecated   SigmaStatus = "deprecated"
+	SigmaStatusUnsupported  SigmaStatus = "unsupported"
+)
+
+type SigmaLevel string
+
+const (
+	SigmaLevelInformational SigmaLevel = "informational"
+	SigmaLevelLow           SigmaLevel = "low"
+	SigmaLevelMedium        SigmaLevel = "medium"
+	SigmaLevelHigh          SigmaLevel = "high"
+	SigmaLevelCritical      SigmaLevel = "critical"
+)
+
+type RelatedRuleType string
+
+const (
+	RelatedRuleTypeDerived   RelatedRuleType = "derived"
+	RelatedRuleTypeObsoletes RelatedRuleType = "obsoletes"
+	RelatedRuleTypeMerged    RelatedRuleType = "merged"
+	RelatedRuleTypeRenamed   RelatedRuleType = "renamed"
+	RelatedRuleTypeSimilar   RelatedRuleType = "similar"
+)
+
+type SigmaRule struct {
+	Title          string                 `yaml:"title"`
+	LogSource      LogSource              `yaml:"logsource"`
+	Detection      Detection              `yaml:"detection"`
+	Status         *SigmaStatus           `yaml:"status"`
+	Description    *string                `yaml:"description"`
+	License        *string                `yaml:"license"`
+	Reference      []string               `yaml:"reference"`
+	Related        []*RelatedRule         `yaml:"related"`
+	Author         *string                `yaml:"author"`
+	Date           *string                `yaml:"date"`
+	Modified       *string                `yaml:"modified"`
+	Fields         []string               `yaml:"fields"`
+	FalsePositives OneOrMore[string]      `yaml:"falsepositives"`
+	Level          *SigmaLevel            `yaml:"level"`
+	Rest           map[string]interface{} `yaml:",inline"`
+}
+
+type LogSource struct {
+	Category   *string `yaml:"category"`
+	Product    *string `yaml:"product"`
+	Service    *string `yaml:"service"`
+	Definition *string `yaml:"definition"`
+}
+
+type Detection struct {
+	Condition OneOrMore[string]      `yaml:"condition"`
+	Rest      map[string]interface{} `yaml:",inline"`
+}
+
+type RelatedRule struct {
+	ID   string          `yaml:"id"`
+	Type RelatedRuleType `yaml:"type"`
+}
+
+func ParseElastAlertRule(data []byte) (*SigmaRule, error) {
+	rule := &SigmaRule{}
+
+	err := yaml.Unmarshal(data, rule)
+	if err != nil {
+		return nil, err
+	}
+
+	err = rule.Validate()
+	if err != nil {
+		return nil, err
+	}
+
+	return rule, nil
+}
+
+func (e *SigmaRule) Validate() error {
+	// check required fields
+	requiredFields := []string{}
+
+	if len(e.Title) == 0 {
+		requiredFields = append(requiredFields, "title")
+	}
+
+	if e.LogSource == (LogSource{}) {
+		requiredFields = append(requiredFields, "logsource")
+	}
+
+	if len(e.Detection.Condition.Values) == 0 && e.Detection.Condition.Value == "" {
+		requiredFields = append(requiredFields, "detection.condition")
+	}
+
+	if len(requiredFields) > 0 {
+		return fmt.Errorf("missing required fields: %s", strings.Join(requiredFields, ", "))
+	}
+
+	return nil
+}
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
new file mode 100644
index 000000000..c52809952
--- /dev/null
+++ b/server/modules/elastalert/validate_test.go
@@ -0,0 +1,52 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseRule(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name          string
+		Input         string
+		ExpectedError *string
+	}{
+		{
+			Name:          "Empty Rule",
+			Input:         `{}`,
+			ExpectedError: util.Ptr("missing required fields: title, logsource, detection.condition"),
+		},
+		{
+			Name:          "Detection but No Condition",
+			Input:         `{ title: "title", logsource: { category: "test" }, detection: {}}`,
+			ExpectedError: util.Ptr("missing required fields: detection.condition"),
+		},
+		{
+			Name:  "Minimal Rule With Single Detection Condition",
+			Input: `{ title: "title", logsource: { category: "test" }, detection: { condition: "condition" }}`,
+		},
+		{
+			Name:  "Minimal Rule With Multiple Detection Condition",
+			Input: `{ title: "title", logsource: { category: "test" }, detection: { condition: [ "conditionOne", "conditionTwo" ] }}`,
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := ParseElastAlertRule([]byte(test.Input))
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpectedError, err.Error())
+			}
+		})
+	}
+}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index e160f59b0..e8aca634f 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -103,7 +103,7 @@ func makeQuery(store *ElasticEventstore, parsedQuery *model.Query, beginTime tim
 
 	query := make(map[string]interface{})
 	query["query_string"] = queryDetails
-	must := make([]interface{}, 0, 0)
+	must := make([]interface{}, 0)
 	must = append(must, query)
 
 	if !endTime.IsZero() {
@@ -246,7 +246,10 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 				newSort[field] = sortParams
 				sorting = append(sorting, newSort)
 			}
-			esMap["sort"] = sorting
+
+			if len(sorting) != 0 {
+				esMap["sort"] = sorting
+			}
 		}
 	} else {
 		sort := map[string]string{}
@@ -254,7 +257,9 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			sort[field.Field] = field.Order
 		}
 
-		esMap["sort"] = sort
+		if len(sort) != 0 {
+			esMap["sort"] = sort
+		}
 	}
 
 	bytes, err := json.WriteJson(esMap)
@@ -501,7 +506,7 @@ func convertElasticEventToCase(event *model.EventRecord, schemaPrefix string) (*
 }
 
 func convertToStringArray(input []interface{}) []string {
-	out := make([]string, len(input), len(input))
+	out := make([]string, len(input))
 	for idx, value := range input {
 		out[idx] = value.(string)
 	}
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index eb79ad5eb..1a3b535bc 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -23,170 +23,196 @@ func NewTestStore() *ElasticEventstore {
 	}
 }
 
-func TestMakeAggregation(tester *testing.T) {
+func TestMakeAggregation(t *testing.T) {
 	keys := []string{"one*", "two", "three*"}
 	agg, name := makeAggregation(NewTestStore(), "groupby_0", keys, 10, false)
-	assert.Equal(tester, "groupby_0|one", name)
+	assert.Equal(t, "groupby_0|one", name)
 
-	assert.NotNil(tester, agg["terms"])
+	assert.NotNil(t, agg["terms"])
 	terms := agg["terms"].(map[string]interface{})
-	assert.Equal(tester, "one", terms["field"])
-	assert.Equal(tester, "__missing__", terms["missing"])
-	assert.Equal(tester, 10, terms["size"])
+	assert.Equal(t, "one", terms["field"])
+	assert.Equal(t, "__missing__", terms["missing"])
+	assert.Equal(t, 10, terms["size"])
 
-	assert.NotNil(tester, terms["order"])
+	assert.NotNil(t, terms["order"])
 	order := terms["order"].(map[string]interface{})
-	assert.Equal(tester, "desc", order["_count"])
+	assert.Equal(t, "desc", order["_count"])
 
-	assert.NotNil(tester, agg["aggs"])
+	assert.NotNil(t, agg["aggs"])
 	secondAggs := agg["aggs"].(map[string]interface{})
-	assert.NotNil(tester, secondAggs["groupby_0|one|two"])
+	assert.NotNil(t, secondAggs["groupby_0|one|two"])
 	secondAgg := secondAggs["groupby_0|one|two"].(map[string]interface{})
-	assert.NotNil(tester, secondAgg["aggs"])
+	assert.NotNil(t, secondAgg["aggs"])
 	terms = secondAgg["terms"].(map[string]interface{})
-	assert.Nil(tester, terms["missing"])
+	assert.Nil(t, terms["missing"])
 
 	thirdAggs := secondAgg["aggs"].(map[string]interface{})
-	assert.NotNil(tester, thirdAggs["groupby_0|one|two|three"])
+	assert.NotNil(t, thirdAggs["groupby_0|one|two|three"])
 	thirdAgg := thirdAggs["groupby_0|one|two|three"].(map[string]interface{})
-	assert.Nil(tester, thirdAgg["aggs"])
+	assert.Nil(t, thirdAgg["aggs"])
 	terms = thirdAgg["terms"].(map[string]interface{})
-	assert.Equal(tester, "__missing__", terms["missing"])
+	assert.Equal(t, "__missing__", terms["missing"])
 }
 
-func TestMakeTimeline(tester *testing.T) {
+func TestMakeTimeline(t *testing.T) {
 	timeline := makeTimeline("30m")
-	assert.NotNil(tester, timeline["date_histogram"])
+	assert.NotNil(t, timeline["date_histogram"])
 	terms := timeline["date_histogram"].(map[string]interface{})
-	assert.Equal(tester, "@timestamp", terms["field"])
-	assert.Equal(tester, "30m", terms["fixed_interval"])
-	assert.Equal(tester, 1, terms["min_doc_count"])
+	assert.Equal(t, "@timestamp", terms["field"])
+	assert.Equal(t, "30m", terms["fixed_interval"])
+	assert.Equal(t, 1, terms["min_doc_count"])
 }
 
-func TestCalcTimelineInterval(tester *testing.T) {
+func TestCalcTimelineInterval(t *testing.T) {
 	start, _ := time.Parse(time.RFC3339, "2021-01-02T05:00:00Z")
 	end, _ := time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	interval := calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "15m", interval)
+	assert.Equal(t, "15m", interval)
 
 	// Boundaries
 	start, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	end, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:01Z")
 	interval = calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "1s", interval)
+	assert.Equal(t, "1s", interval)
 
 	start, _ = time.Parse(time.RFC3339, "1990-01-02T05:00:00Z")
 	end, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	interval = calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "30d", interval)
+	assert.Equal(t, "30d", interval)
 }
 
-func TestConvertToElasticRequestEmptyCriteria(tester *testing.T) {
+func TestConvertToElasticRequestEmptyCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
 	criteria.MetricLimit = 0
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}}],"must_not":[],"should":[]}},"size":25}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestGroupByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestGroupByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby -something "ghi" jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby -something "ghi" jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
+
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby_0|ghi":{"aggs":{"groupby_0|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestSortByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestSortByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby "ghi" jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby "ghi" jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
+
+	criteria.SortFields = []*model.SortCriteria{
+		{Field: "ignored", Order: "ignored"},
+	}
+
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestGroupBySortByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestGroupBySortByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl* | groupby mno | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl* | groupby mno | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby_0|ghi":{"aggs":{"groupby_0|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"groupby_1|mno":{"terms":{"field":"mno","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertFromElasticResultsSuccess(tester *testing.T) {
+func TestConvertToElasticRequestProgrammaticSortBy(t *testing.T) {
+	criteria := model.NewEventSearchCriteria()
+	criteria.MetricLimit = 0
+	criteria.SortFields = []*model.SortCriteria{
+		{Field: "name", Order: "asc"},
+	}
+	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
+	assert.Nil(t, err)
+
+	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}}],"must_not":[],"should":[]}},"size":25,"sort":{"name":"asc"}}`
+	assert.Equal(t, expectedJson, actualJson)
+}
+
+func TestConvertFromElasticResultsSuccess(t *testing.T) {
 	esData, err := os.ReadFile("converter_response.json")
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	results := model.NewEventSearchResults()
 	err = convertFromElasticResults(NewTestStore(), string(esData), results)
-	if assert.Nil(tester, err) {
-		assert.Equal(tester, 9534, results.ElapsedMs)
-		assert.Equal(tester, 23689430, results.TotalEvents)
-		assert.Len(tester, results.Events, 25)
-		assert.Equal(tester, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
-		assert.Equal(tester, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
-		assert.Equal(tester, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
+	if assert.Nil(t, err) {
+		assert.Equal(t, 9534, results.ElapsedMs)
+		assert.Equal(t, 23689430, results.TotalEvents)
+		assert.Len(t, results.Events, 25)
+		assert.Equal(t, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
+		assert.Equal(t, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
+		assert.Equal(t, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
 	}
 }
 
-func TestConvertFromElasticResultsFailure(tester *testing.T) {
+func TestConvertFromElasticResultsFailure(t *testing.T) {
 	esData, err := os.ReadFile("converter_response_failure.json")
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	results := model.NewEventSearchResults()
 	err = convertFromElasticResults(NewTestStore(), string(esData), results)
-	if assert.NotNil(tester, err) {
-		assert.Error(tester, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
-		assert.Equal(tester, 9534, results.ElapsedMs)
-		assert.Equal(tester, 23689430, results.TotalEvents)
-		assert.Len(tester, results.Events, 25)
-		assert.Equal(tester, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
-		assert.Equal(tester, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
-		assert.Equal(tester, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
+	if assert.NotNil(t, err) {
+		assert.Error(t, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
+		assert.Equal(t, 9534, results.ElapsedMs)
+		assert.Equal(t, 23689430, results.TotalEvents)
+		assert.Len(t, results.Events, 25)
+		assert.Equal(t, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
+		assert.Equal(t, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
+		assert.Equal(t, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
 	}
 }
 
-func TestConvertFromElasticResultsTimedOut(tester *testing.T) {
+func TestConvertFromElasticResultsTimedOut(t *testing.T) {
 	results := model.NewEventSearchResults()
 	err := convertFromElasticResults(NewTestStore(), `{ "took": 123, "timed_out": true, "hits": {} }`, results)
-	assert.Error(tester, err)
+	assert.Error(t, err)
 
-	assert.Equal(tester, 123, results.ElapsedMs, "ElapsedMs should exist even on timeout.")
+	assert.Equal(t, 123, results.ElapsedMs, "ElapsedMs should exist even on timeout.")
 }
 
-func TestConvertFromElasticResultsInvalid(tester *testing.T) {
+func TestConvertFromElasticResultsInvalid(t *testing.T) {
 	results := model.NewEventSearchResults()
 	err := convertFromElasticResults(NewTestStore(), `{ }`, results)
-	assert.Error(tester, err)
+	assert.Error(t, err)
 }
 
-func TestConvertToElasticUpdateRequest(tester *testing.T) {
+func TestConvertToElasticUpdateRequest(t *testing.T) {
 	criteria := model.NewEventUpdateCriteria()
 	criteria.AddUpdateScript("ctx._source.event.acknowledged=true")
 	criteria.AddUpdateScript("ctx._source.event.escalated=true")
-	criteria.Populate("event.dataset:alerts", "2020/09/24 10:11:12 AM - 2020/09/24 12:14:15 PM", "2006/01/02 3:04:05 PM", "America/New_York", "0", "0")
+
+	err := criteria.Populate("event.dataset:alerts", "2020/09/24 10:11:12 AM - 2020/09/24 12:14:15 PM", "2006/01/02 3:04:05 PM", "America/New_York", "0", "0")
+	assert.NoError(t, err)
 
 	actualJson, err := convertToElasticUpdateRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"event.dataset:alerts"}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-09-24T10:11:12-04:00","lte":"2020-09-24T12:14:15-04:00"}}}],"must_not":[],"should":[]}},"script":{"inline":"ctx._source.event.acknowledged=true; ctx._source.event.escalated=true","lang":"painless"}}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
 const updateResponse = `{
@@ -208,17 +234,17 @@ const updateResponse = `{
   "failures" : [ ]
 }`
 
-func TestConvertFromElasticUpdateResultsSuccess(tester *testing.T) {
+func TestConvertFromElasticUpdateResultsSuccess(t *testing.T) {
 	results := model.NewEventUpdateResults()
 	err := convertFromElasticUpdateResults(NewTestStore(), updateResponse, results)
-	if assert.Nil(tester, err) {
-		assert.Equal(tester, 202, results.ElapsedMs)
-		assert.Equal(tester, 3, results.UpdatedCount)
-		assert.Equal(tester, 2, results.UnchangedCount)
+	if assert.Nil(t, err) {
+		assert.Equal(t, 202, results.ElapsedMs)
+		assert.Equal(t, 3, results.UpdatedCount)
+		assert.Equal(t, 2, results.UnchangedCount)
 	}
 }
 
-func TestAddEventUpdateResults(tester *testing.T) {
+func TestAddEventUpdateResults(t *testing.T) {
 	results1 := model.NewEventUpdateResults()
 	results1.ElapsedMs = 100
 	results1.UpdatedCount = 200
@@ -229,23 +255,23 @@ func TestAddEventUpdateResults(tester *testing.T) {
 	results2.UnchangedCount = 4
 
 	results1.AddEventUpdateResults(results2)
-	assert.Equal(tester, 112, results1.ElapsedMs)
-	assert.Equal(tester, 202, results1.UpdatedCount)
-	assert.Equal(tester, 404, results1.UnchangedCount)
+	assert.Equal(t, 112, results1.ElapsedMs)
+	assert.Equal(t, 202, results1.UpdatedCount)
+	assert.Equal(t, 404, results1.UnchangedCount)
 }
 
-func validateFormatSearch(tester *testing.T, original string, expected string) {
+func validateFormatSearch(t *testing.T, original string, expected string) {
 	output := formatSearch(original)
-	assert.Equal(tester, expected, output)
+	assert.Equal(t, expected, output)
 }
 
-func TestFormatSearch(tester *testing.T) {
-	validateFormatSearch(tester, "", "*")
-	validateFormatSearch(tester, " ", "*")
-	validateFormatSearch(tester, "\\foo\\bar", "\\foo\\bar")
+func TestFormatSearch(t *testing.T) {
+	validateFormatSearch(t, "", "*")
+	validateFormatSearch(t, " ", "*")
+	validateFormatSearch(t, "\\foo\\bar", "\\foo\\bar")
 }
 
-func validateMappedQuery(tester *testing.T, original string, expected string) {
+func validateMappedQuery(t *testing.T, original string, expected string) {
 	store := NewTestStore()
 	store.fieldDefs["foo"] = &FieldDefinition{aggregatable: false}
 	store.fieldDefs["foo.keyword"] = &FieldDefinition{aggregatable: true}
@@ -254,63 +280,63 @@ func validateMappedQuery(tester *testing.T, original string, expected string) {
 	search := query.NamedSegment(model.SegmentKind_Search)
 	mapSearch(store, search.(*model.SearchSegment))
 	output := search.String()
-	assert.Equal(tester, expected, output)
+	assert.Equal(t, expected, output)
 }
 
-func TestMapSearch(tester *testing.T) {
-	validateMappedQuery(tester, "foo: \"bar\"", "foo.keyword: \"bar\"")
-	validateMappedQuery(tester, "foo: \"bar\" AND barfoo: \"blue\"", "foo.keyword: \"bar\" AND barfoo: \"blue\"")
-	validateMappedQuery(tester, "foo: 123", "foo.keyword: 123")
-	validateMappedQuery(tester, "(foo: \"123\")", "(foo: \"123\")")
-	validateMappedQuery(tester, "foo2: \"bar\"", "foo2: \"bar\"")
-	validateMappedQuery(tester, "barfoo: \"bar\"", "barfoo: \"bar\"")
-	validateMappedQuery(tester, "barfoo: \"foo: bar\"", "barfoo: \"foo: bar\"")
+func TestMapSearch(t *testing.T) {
+	validateMappedQuery(t, "foo: \"bar\"", "foo.keyword: \"bar\"")
+	validateMappedQuery(t, "foo: \"bar\" AND barfoo: \"blue\"", "foo.keyword: \"bar\" AND barfoo: \"blue\"")
+	validateMappedQuery(t, "foo: 123", "foo.keyword: 123")
+	validateMappedQuery(t, "(foo: \"123\")", "(foo: \"123\")")
+	validateMappedQuery(t, "foo2: \"bar\"", "foo2: \"bar\"")
+	validateMappedQuery(t, "barfoo: \"bar\"", "barfoo: \"bar\"")
+	validateMappedQuery(t, "barfoo: \"foo: bar\"", "barfoo: \"foo: bar\"")
 }
 
-func TestConvertObjectToDocumentMap(tester *testing.T) {
+func TestConvertObjectToDocumentMap(t *testing.T) {
 	caseObj := model.NewCase()
 	actual := convertObjectToDocumentMap("test", caseObj, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NotNil(tester, actual)
-	assert.Equal(tester, caseObj, actual["so_test"])
-	assert.NotNil(tester, actual["@timestamp"])
+	assert.NotNil(t, actual)
+	assert.Equal(t, caseObj, actual["so_test"])
+	assert.NotNil(t, actual["@timestamp"])
 }
 
-func TestConvertToElasticIndexRequest(tester *testing.T) {
+func TestConvertToElasticIndexRequest(t *testing.T) {
 	store := NewTestStore()
 	event := make(map[string]interface{})
 	event["foo"] = "bar"
 	expected := `{"foo":"bar"}`
 
 	actual, err := convertToElasticIndexRequest(store, event)
-	assert.NoError(tester, err)
-	assert.Equal(tester, expected, actual)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, actual)
 }
 
-func TestConvertFromElasticIndexResults(tester *testing.T) {
+func TestConvertFromElasticIndexResults(t *testing.T) {
 	store := NewTestStore()
 	results := model.NewEventIndexResults()
 	json := `{"_version":1, "_id":"123abc", "result": "successful"}`
 
 	err := convertFromElasticIndexResults(store, json, results)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertFromElasticResults_Failure(tester *testing.T) {
+func TestConvertFromElasticResults_Failure(t *testing.T) {
 	store := NewTestStore()
 	results := model.NewEventSearchResults()
 	json := `{"took" : 11,"timed_out" : false,"_shards" : {"total" : 28,"successful" : 16,"skipped" : 0,"failed" : 12,"failures" : [{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent-default-2023.09.29-000002","node" : null,"reason" : {"type" : "no_shard_available_action_exception","reason" : "no"}},{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent.filebeat-default-2023.09.29-000002","node" : null,"reason" : {"type" : null,"reason" : null}},{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent.fleet_server-default-2023.09.29-000002","node" : null,"reason" : {"type" : "no_shard_available_action_exception","reason" : null}}]}, "hits":{"hits":[],"total":{"value": 0}}}`
 
 	err := convertFromElasticResults(store, json, results)
-	assert.Error(tester, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
+	assert.Error(t, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
 }
 
-func TestConvertElasticEventToCaseNil(tester *testing.T) {
+func TestConvertElasticEventToCaseNil(t *testing.T) {
 	caseObj, err := convertElasticEventToCase(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, caseObj)
+	assert.NoError(t, err)
+	assert.Nil(t, caseObj)
 }
 
-func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
+func TestConvertElasticEventToCaseWithoutTags(t *testing.T) {
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
 	event.Payload["kind"] = "case"
@@ -318,10 +344,10 @@ func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
 	event.Payload["case.tags"] = nil
 
 	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertElasticEventToCase(tester *testing.T) {
+func TestConvertElasticEventToCase(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 	myCompleteTime := myTime.Add(time.Hour * -2)
@@ -342,7 +368,7 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["so_case.tlp"] = "myTlp"
 	event.Payload["so_case.pap"] = "myPap"
 	event.Payload["so_case.category"] = "myCategory"
-	tags := make([]interface{}, 2, 2)
+	tags := make([]interface{}, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
 	event.Payload["so_case.tags"] = tags
@@ -351,36 +377,36 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["so_case.completeTime"] = myCompleteTime
 	event.Payload["so_case.startTime"] = myStartTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	caseObj := interf.(*model.Case)
-	assert.Equal(tester, "case", caseObj.Kind)
-	assert.Equal(tester, "update", caseObj.Operation)
-	assert.Equal(tester, "myTitle", caseObj.Title)
-	assert.Equal(tester, "myDesc", caseObj.Description)
-	assert.Equal(tester, 123, caseObj.Priority)
-	assert.Equal(tester, "medium", caseObj.Severity)
-	assert.Equal(tester, "myStatus", caseObj.Status)
-	assert.Equal(tester, "myTemplate", caseObj.Template)
-	assert.Equal(tester, "myUserId", caseObj.UserId)
-	assert.Equal(tester, "myAssigneeId", caseObj.AssigneeId)
-	assert.Equal(tester, "myPap", caseObj.Pap)
-	assert.Equal(tester, "myTlp", caseObj.Tlp)
-	assert.Equal(tester, "myCategory", caseObj.Category)
-	assert.Equal(tester, tags[0], "tag1")
-	assert.Equal(tester, tags[1], "tag2")
-	assert.Equal(tester, &myTime, caseObj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, caseObj.CreateTime)
-	assert.Equal(tester, &myCompleteTime, caseObj.CompleteTime)
-	assert.Equal(tester, &myStartTime, caseObj.StartTime)
-}
-
-func TestConvertElasticEventToArtifactNil(tester *testing.T) {
+	assert.Equal(t, "case", caseObj.Kind)
+	assert.Equal(t, "update", caseObj.Operation)
+	assert.Equal(t, "myTitle", caseObj.Title)
+	assert.Equal(t, "myDesc", caseObj.Description)
+	assert.Equal(t, 123, caseObj.Priority)
+	assert.Equal(t, "medium", caseObj.Severity)
+	assert.Equal(t, "myStatus", caseObj.Status)
+	assert.Equal(t, "myTemplate", caseObj.Template)
+	assert.Equal(t, "myUserId", caseObj.UserId)
+	assert.Equal(t, "myAssigneeId", caseObj.AssigneeId)
+	assert.Equal(t, "myPap", caseObj.Pap)
+	assert.Equal(t, "myTlp", caseObj.Tlp)
+	assert.Equal(t, "myCategory", caseObj.Category)
+	assert.Equal(t, tags[0], "tag1")
+	assert.Equal(t, tags[1], "tag2")
+	assert.Equal(t, &myTime, caseObj.UpdateTime)
+	assert.Equal(t, &myCreateTime, caseObj.CreateTime)
+	assert.Equal(t, &myCompleteTime, caseObj.CompleteTime)
+	assert.Equal(t, &myStartTime, caseObj.StartTime)
+}
+
+func TestConvertElasticEventToArtifactNil(t *testing.T) {
 	artifactObj, err := convertElasticEventToArtifact(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, artifactObj)
+	assert.NoError(t, err)
+	assert.Nil(t, artifactObj)
 }
 
-func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
+func TestConvertElasticEventToArtifactWithoutTags(t *testing.T) {
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
 	event.Payload["so_kind"] = "artifact"
@@ -388,10 +414,10 @@ func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
 	event.Payload["so_case.tags"] = nil
 
 	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertElasticEventToArtifact(tester *testing.T) {
+func TestConvertElasticEventToArtifact(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -420,37 +446,37 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_artifact.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	artifactObj := interf.(*model.Artifact)
-	assert.Equal(tester, "artifact", artifactObj.Kind)
-	assert.Equal(tester, "update", artifactObj.Operation)
-	assert.Equal(tester, "myValue", artifactObj.Value)
-	assert.Equal(tester, "myDesc", artifactObj.Description)
-	assert.Equal(tester, 123, artifactObj.StreamLen)
-	assert.Equal(tester, "myStreamId", artifactObj.StreamId)
-	assert.Equal(tester, "myGroupType", artifactObj.GroupType)
-	assert.Equal(tester, "myGroupId", artifactObj.GroupId)
-	assert.Equal(tester, "myUserId", artifactObj.UserId)
-	assert.Equal(tester, "myArtifactType", artifactObj.ArtifactType)
-	assert.Equal(tester, "myTlp", artifactObj.Tlp)
-	assert.Equal(tester, "myMimeType", artifactObj.MimeType)
-	assert.Equal(tester, true, artifactObj.Ioc)
-	assert.Equal(tester, tags[0], "tag1")
-	assert.Equal(tester, tags[1], "tag2")
-	assert.Equal(tester, "myMd5", artifactObj.Md5)
-	assert.Equal(tester, "mySha1", artifactObj.Sha1)
-	assert.Equal(tester, "mySha256", artifactObj.Sha256)
-	assert.Equal(tester, &myTime, artifactObj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, artifactObj.CreateTime)
-}
-
-func TestConvertElasticEventToArtifactStreamNil(tester *testing.T) {
+	assert.Equal(t, "artifact", artifactObj.Kind)
+	assert.Equal(t, "update", artifactObj.Operation)
+	assert.Equal(t, "myValue", artifactObj.Value)
+	assert.Equal(t, "myDesc", artifactObj.Description)
+	assert.Equal(t, 123, artifactObj.StreamLen)
+	assert.Equal(t, "myStreamId", artifactObj.StreamId)
+	assert.Equal(t, "myGroupType", artifactObj.GroupType)
+	assert.Equal(t, "myGroupId", artifactObj.GroupId)
+	assert.Equal(t, "myUserId", artifactObj.UserId)
+	assert.Equal(t, "myArtifactType", artifactObj.ArtifactType)
+	assert.Equal(t, "myTlp", artifactObj.Tlp)
+	assert.Equal(t, "myMimeType", artifactObj.MimeType)
+	assert.Equal(t, true, artifactObj.Ioc)
+	assert.Equal(t, tags[0], "tag1")
+	assert.Equal(t, tags[1], "tag2")
+	assert.Equal(t, "myMd5", artifactObj.Md5)
+	assert.Equal(t, "mySha1", artifactObj.Sha1)
+	assert.Equal(t, "mySha256", artifactObj.Sha256)
+	assert.Equal(t, &myTime, artifactObj.UpdateTime)
+	assert.Equal(t, &myCreateTime, artifactObj.CreateTime)
+}
+
+func TestConvertElasticEventToArtifactStreamNil(t *testing.T) {
 	artifactObj, err := convertElasticEventToArtifactStream(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, artifactObj)
+	assert.NoError(t, err)
+	assert.Nil(t, artifactObj)
 }
 
-func TestConvertElasticEventToArtifactStream(tester *testing.T) {
+func TestConvertElasticEventToArtifactStream(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -463,48 +489,48 @@ func TestConvertElasticEventToArtifactStream(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_artifactstream.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.ArtifactStream)
-	assert.Equal(tester, "artifactstream", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
-	assert.Equal(tester, "myValue", obj.Content)
+	assert.Equal(t, "artifactstream", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
+	assert.Equal(t, "myValue", obj.Content)
 }
 
-func TestParseTime(tester *testing.T) {
+func TestParseTime(t *testing.T) {
 	m := make(map[string]interface{})
 
 	format := "2006-01-02 03:04pm"
-	t, _ := time.Parse(format, "2021-12-20 12:43pm")
-	m["obj"] = t
-	m["ptr"] = &t
+	tm, _ := time.Parse(format, "2021-12-20 12:43pm")
+	m["obj"] = tm
+	m["ptr"] = &tm
 	m["str"] = "2021-12-20T12:43:00Z"
 	m["bad"] = 12
 
 	expected := "2021-12-20 12:43pm"
 
 	actual := parseTime(m, "obj").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actual = parseTime(m, "ptr").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actual = parseTime(m, "str").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actualObj := parseTime(m, "bad")
-	assert.True(tester, actualObj.IsZero())
+	assert.True(t, actualObj.IsZero())
 }
 
-func TestConvertElasticEventToCommentNil(tester *testing.T) {
+func TestConvertElasticEventToCommentNil(t *testing.T) {
 	obj, err := convertElasticEventToComment(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, obj)
+	assert.NoError(t, err)
+	assert.Nil(t, obj)
 }
 
-func TestConvertElasticEventToComment(tester *testing.T) {
+func TestConvertElasticEventToComment(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -521,19 +547,19 @@ func TestConvertElasticEventToComment(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_comment.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.Comment)
-	assert.Equal(tester, "comment", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myDesc", obj.Description)
-	assert.Equal(tester, 1.52, obj.Hours)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, "myCaseId", obj.CaseId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+	assert.Equal(t, "comment", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myDesc", obj.Description)
+	assert.Equal(t, 1.52, obj.Hours)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, "myCaseId", obj.CaseId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
 }
 
-func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
+func TestConvertElasticEventToRelatedEvent(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -547,31 +573,31 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_related.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.RelatedEvent)
-	assert.Equal(tester, "related", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, "myCaseId", obj.CaseId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
-	assert.Len(tester, obj.Fields, 1)
-	assert.Equal(tester, "bar", obj.Fields["foo"])
-}
-
-func TestConvertSeverity(tester *testing.T) {
-	assert.Equal(tester, "high", convertSeverity(""))
-	assert.Equal(tester, "unknown", convertSeverity("unknown"))
-	assert.Equal(tester, "low", convertSeverity("low"))
-	assert.Equal(tester, "low", convertSeverity("Low"))
-	assert.Equal(tester, "low", convertSeverity("1"))
-	assert.Equal(tester, "medium", convertSeverity("medium"))
-	assert.Equal(tester, "medium", convertSeverity("Medium"))
-	assert.Equal(tester, "medium", convertSeverity("2"))
-	assert.Equal(tester, "high", convertSeverity("high"))
-	assert.Equal(tester, "high", convertSeverity("High"))
-	assert.Equal(tester, "high", convertSeverity("3"))
-	assert.Equal(tester, "critical", convertSeverity("critical"))
-	assert.Equal(tester, "critical", convertSeverity("4"))
-	assert.Equal(tester, "critical", convertSeverity("Critical"))
+	assert.Equal(t, "related", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, "myCaseId", obj.CaseId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
+	assert.Len(t, obj.Fields, 1)
+	assert.Equal(t, "bar", obj.Fields["foo"])
+}
+
+func TestConvertSeverity(t *testing.T) {
+	assert.Equal(t, "high", convertSeverity(""))
+	assert.Equal(t, "unknown", convertSeverity("unknown"))
+	assert.Equal(t, "low", convertSeverity("low"))
+	assert.Equal(t, "low", convertSeverity("Low"))
+	assert.Equal(t, "low", convertSeverity("1"))
+	assert.Equal(t, "medium", convertSeverity("medium"))
+	assert.Equal(t, "medium", convertSeverity("Medium"))
+	assert.Equal(t, "medium", convertSeverity("2"))
+	assert.Equal(t, "high", convertSeverity("high"))
+	assert.Equal(t, "high", convertSeverity("High"))
+	assert.Equal(t, "high", convertSeverity("3"))
+	assert.Equal(t, "critical", convertSeverity("critical"))
+	assert.Equal(t, "critical", convertSeverity("4"))
+	assert.Equal(t, "critical", convertSeverity("Critical"))
 }
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index c2bd36003..be1b7b0e0 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -335,7 +335,6 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 	detect.CreateTime = old.CreateTime
 
 	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-
 	if err != nil {
 		return nil, err
 	}
@@ -394,16 +393,16 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) {
 	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
 	if err != nil {
 		return nil, err
 	}
 
-	sids := map[string]string{}
+	sids := map[string]*model.Detection{}
 	for _, det := range all {
 		detection := det.(*model.Detection)
-		sids[detection.PublicID] = detection.Id
+		sids[detection.PublicID] = detection
 	}
 
 	return sids, nil
diff --git a/server/modules/modules.go b/server/modules/modules.go
index c766934f8..abb9ca71b 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -9,6 +9,7 @@ package modules
 import (
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastic"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elasticcases"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/filedatastore"
@@ -37,6 +38,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["staticrbac"] = staticrbac.NewStaticRbac(srv)
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
 	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
+	moduleMap["elastalertengine"] = elastalert.NewElastAlertEngine(srv)
 
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index efb5b0f7e..e4880a6f6 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -13,22 +13,23 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestBuildModuleMap(tester *testing.T) {
+func TestBuildModuleMap(t *testing.T) {
 	mm := BuildModuleMap(nil)
-	findModule(tester, mm, "elastic")
-	findModule(tester, mm, "elasticcases")
-	findModule(tester, mm, "filedatastore")
-	findModule(tester, mm, "salt")
-	findModule(tester, mm, "httpcase")
-	findModule(tester, mm, "kratos")
-	findModule(tester, mm, "influxdb")
-	findModule(tester, mm, "sostatus")
-	findModule(tester, mm, "statickeyauth")
-	findModule(tester, mm, "thehive")
-	findModule(tester, mm, "suricataengine")
+	findModule(t, mm, "elastic")
+	findModule(t, mm, "elasticcases")
+	findModule(t, mm, "filedatastore")
+	findModule(t, mm, "salt")
+	findModule(t, mm, "httpcase")
+	findModule(t, mm, "kratos")
+	findModule(t, mm, "influxdb")
+	findModule(t, mm, "sostatus")
+	findModule(t, mm, "statickeyauth")
+	findModule(t, mm, "thehive")
+	findModule(t, mm, "suricataengine")
+	findModule(t, mm, "elastalertengine")
 }
 
-func findModule(tester *testing.T, mm map[string]module.Module, module string) {
+func findModule(t *testing.T, mm map[string]module.Module, module string) {
 	_, ok := mm[module]
-	assert.True(tester, ok)
+	assert.True(t, ok)
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 1205dde5e..742f29263 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -141,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		dur := time.Since(start)
 
-		log.WithFields(log.Fields{
+ 		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
 		}).Info("suricata community rules synced")
 	}
@@ -441,9 +441,10 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	errMap = map[string]string{}
 
 	results := struct {
-		Added   int
-		Updated int
-		Removed int
+		Added     int
+		Updated   int
+		Removed   int
+		Unchanged int
 	}{}
 
 	allSettings, err := s.srv.Configstore.GetSettings(ctx)
@@ -486,15 +487,20 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		_, modified := modifyIndex[detect.PublicID]
 		detect.IsEnabled = !(disabled || modified)
 
-		id, exists := commSIDs[detect.PublicID]
+		orig, exists := commSIDs[detect.PublicID]
 		if exists {
-			detect.Id = id
-
-			_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
-			if err != nil {
-				errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			if orig.Content != detect.Content {
+				detect.Id = orig.Id
+
+				_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
+				if err != nil {
+					errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+				} else {
+					results.Updated++
+					delete(toDelete, detect.PublicID)
+				}
 			} else {
-				results.Updated++
+				results.Unchanged++
 				delete(toDelete, detect.PublicID)
 			}
 		} else {
@@ -508,7 +514,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for sid := range toDelete {
-		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid])
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid].Id)
 		if err != nil {
 			errMap[sid] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
 		} else {
@@ -517,10 +523,11 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	log.WithFields(log.Fields{
-		"added":   results.Added,
-		"updated": results.Updated,
-		"removed": results.Removed,
-		"errors":  errMap,
+		"added":     results.Added,
+		"updated":   results.Updated,
+		"removed":   results.Removed,
+		"unchanged": results.Unchanged,
+		"errors":    errMap,
 	}).Info("suricata community diff")
 
 	return errMap, nil
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index e816e4562..00a2fdf2a 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -45,6 +45,8 @@ func TestSuricataModule(t *testing.T) {
 	err = mod.Start()
 	assert.NoError(t, err)
 
+	assert.True(t, mod.IsRunning())
+
 	err = mod.Stop()
 	assert.NoError(t, err)
 

From 1c849e3bf45355d620fa165371d45655033f7d02 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 26 Oct 2023 15:44:41 -0600
Subject: [PATCH 015/102] WIP: ElastAlert

ElastAlert community rules are imported from zips in SigmaHQ's release page on github. The configured packages are downloaded, parsed, and fingerprinted. Currently the sigma converter isn't completely implemented until some networking issues are fixed.

GetAllCommunitySIDs can now filter by engine (or no filter if nil is passed).

Updated detection severities to match our pickiest engine so far: elastalert.

Added ID field to SigmaRules. Although it's not required, all community rules have one. This is the corresponding field to a detection's PublicID.

TODO: tests
---
 config/config.go                              |   9 +-
 go.mod                                        |  17 +-
 go.sum                                        |  80 +--
 model/detection.go                            |   5 +-
 server/detectionstore.go                      |   2 +-
 server/modules/elastalert/elastalert.go       | 508 ++++++++++++++++--
 server/modules/elastalert/validate.go         |   2 +
 .../modules/elastic/elasticdetectionstore.go  |   9 +-
 server/modules/suricata/suricata.go           |  10 +-
 9 files changed, 511 insertions(+), 131 deletions(-)

diff --git a/config/config.go b/config/config.go
index 2469e9e6a..1d7065951 100644
--- a/config/config.go
+++ b/config/config.go
@@ -53,10 +53,11 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	}
 
 	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(600),
-		"sigmaRepo":                            "https://github.com/SigmaHQ/sigma",
-		"sigmaRepoRoot":                        "/tmp/socdev/so/rules/sigma",
-		"gitTimeout":                           float64(600),
+		"communityRulesImportFrequencySeconds": float64(5), // not a recommended value, I'm impatient
+		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
+		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
+		"sigmaRulePackages":                    "all",
+		"sigconverterUrl":                      "http://localhost:8000/sigma",
 	}
 
 	return cfg, err
diff --git a/go.mod b/go.mod
index 16b274a14..e502bf9f8 100644
--- a/go.mod
+++ b/go.mod
@@ -20,20 +20,14 @@ require (
 )
 
 require (
-	github.com/go-git/go-git/v5 v5.9.0
+	github.com/google/go-github/v56 v56.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 )
 
 require (
-	dario.cat/mergo v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
@@ -46,15 +40,14 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/skeema/knownhosts v1.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
diff --git a/go.sum b/go.sum
index 6ce8fe3f2..faac69a56 100644
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,4 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
-github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
-github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -17,16 +6,10 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -41,14 +24,8 @@ github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJy
 github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
 github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
-github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
-github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
@@ -64,12 +41,15 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod
 github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
 github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v56 v56.0.0 h1:TysL7dMa/r7wsQi44BjqlwaHvwlFlqkK8CtBWCX3gb4=
+github.com/google/go-github/v56 v56.0.0/go.mod h1:D8cdcX98YWJvi7TLo7zM4/h8ZTx6u6fwGEkCdisopo0=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -91,19 +71,15 @@ github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgb
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
-github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
-github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -115,16 +91,14 @@ github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfW
 github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
@@ -132,11 +106,6 @@ github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXn
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
-github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -144,9 +113,7 @@ github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKk
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -166,9 +133,6 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
-github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
-github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -180,10 +144,6 @@ golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AW
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -191,10 +151,6 @@ golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -203,34 +159,18 @@ golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/model/detection.go b/model/detection.go
index 4edc9a953..f8089fbf9 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -25,8 +25,9 @@ const (
 
 	SeverityUnknown       Severity = "unknown"
 	SeverityInformational Severity = "informational"
-	SeverityMinor         Severity = "minor"
-	SeverityMajor         Severity = "major"
+	SeverityLow           Severity = "low"
+	SeverityMedium        Severity = "medium"
+	SeverityHigh          Severity = "high"
 	SeverityCritical      Severity = "critical"
 
 	IDTypeUUID IDType = "uuid"
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 2c1a1730a..92f1c0533 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,5 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 }
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 21322c5c4..87d85066d 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1,28 +1,41 @@
 package elastalert
 
 import (
+	"archive/zip"
+	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"path/filepath"
+	"reflect"
+	"strings"
 	"sync"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 
-	"github.com/go-git/go-git/v5"
-	_ "github.com/go-git/go-git/v5"
+	"github.com/apex/log"
+	"github.com/google/go-github/v56/github"
 )
 
+var errModuleStopped = fmt.Errorf("module has stopped running")
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
 	sigmaRepo                            string
-	sigmaRepoRoot                        string
-	gitTimeout                           int
+	elastAlertRulesFolder                string
+	rulesFingerprintFile                 string
+	sigconverterUrl                      string
+	sigmaRulePackages                    []string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 }
@@ -40,8 +53,12 @@ func (e *ElastAlertEngine) PrerequisiteModules() []string {
 func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
 	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
-	e.sigmaRepoRoot = module.GetStringDefault(config, "sigmaRepoRoot", "/opt/so/rules/sigma")
-	e.gitTimeout = module.GetIntDefault(config, "gitTimeout", 600)
+	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
+	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
+	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
+
+	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
+	e.parseSigmaPackages(pkgs)
 
 	return nil
 }
@@ -74,6 +91,49 @@ func (e *ElastAlertEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
+func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
+	pkgs := strings.Split(strings.ToLower(cfg), "\n")
+	set := map[string]struct{}{}
+
+	for _, pkg := range pkgs {
+		switch pkg {
+		case "all":
+			set["all_rules"] = struct{}{}
+		case "emerging_threats_addon":
+			set["emerging_threats"] = struct{}{}
+		default:
+			pkg = strings.TrimSpace(pkg)
+			if pkg != "" {
+				set[pkg] = struct{}{}
+			}
+		}
+	}
+
+	_, ok := set["all_rules"]
+	if ok {
+		delete(set, "core++")
+		delete(set, "core+")
+		delete(set, "core")
+		delete(set, "emerging_threats")
+	}
+
+	_, ok = set["core++"]
+	if ok {
+		delete(set, "core+")
+		delete(set, "core")
+	}
+
+	_, ok = set["core+"]
+	if ok {
+		delete(set, "core")
+	}
+
+	e.sigmaRulePackages = make([]string, 0, len(set))
+	for pkg := range set {
+		e.sigmaRulePackages = append(e.sigmaRulePackages, pkg)
+	}
+}
+
 func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	return nil, nil
 }
@@ -92,54 +152,432 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			return
 		}
 
-		err := e.ensureUpToDateRepo(ctx)
+		start := time.Now()
+
+		zips, errMap := e.downloadSigmaPackages(ctx)
+		if len(errMap) != 0 {
+			log.WithField("errorMap", errMap).Error("something went wrong downloading sigma packages")
+			continue
+		}
+
+		zipHashes := map[string]string{}
+		for pkg, data := range zips {
+			h := sha256.Sum256(data)
+			zipHashes[pkg] = base64.StdEncoding.EncodeToString(h[:])
+		}
+
+		raw, err := os.ReadFile(e.rulesFingerprintFile)
+		if err != nil && !os.IsNotExist(err) {
+			log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to read rules fingerprint file")
+			continue
+		} else if err == nil {
+			oldHashes := map[string]string{}
+
+			err = json.Unmarshal(raw, &oldHashes)
+			if err != nil {
+				log.WithError(err).Error("unable to unmarshal rules fingerprint file")
+				continue
+			}
+
+			if reflect.DeepEqual(oldHashes, zipHashes) {
+				// only an exact match means no work needs to be done.
+				// If there's extra hashes in the old file, we need to remove them.
+				// If there's extra hashes in the new file, we need to add them.
+				// If there's a mix of new and old hashes, we need to include them all
+				// or the old ones would be removed.
+				log.Info("no sigma package changes to sync")
+				continue
+			}
+		}
+
+		detections, errMap := e.parseRules(zips)
+		if errMap != nil {
+			log.WithField("error", errMap).Error("something went wrong while parsing sigma rule files")
+			continue
+		}
+
+		errMap, err = e.syncCommunityDetections(ctx, detections)
 		if err != nil {
-			log.WithField("error", err).Error("something went wrong while ensuring the sigma repo is up to date")
+			if err == errModuleStopped {
+				log.Info("incomplete sync of elastalert community detections due to module stopping")
+				return
+			}
+
+			log.WithError(err).Error("unable to sync elastalert community detections")
 			continue
 		}
+
+		if len(errMap) > 0 {
+			// there were errors, don't save the fingerprint.
+			// idempotency means we might fix it if we try again later.
+			log.WithFields(log.Fields{
+				"errors": errMap,
+			}).Error("unable to sync all community detections")
+		} else {
+			fingerprints, err := json.Marshal(zipHashes)
+			if err != nil {
+				log.WithError(err).Error("unable to marshal rules fingerprints")
+			} else {
+				err = os.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
+				if err != nil {
+					log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to write rules fingerprint file")
+				}
+			}
+		}
+
+		dur := time.Since(start)
+
+		log.WithFields(log.Fields{
+			"durationSeconds": dur.Seconds(),
+		}).Info("elastalert community rules synced")
 	}
 }
 
-func (e *ElastAlertEngine) ensureUpToDateRepo(ctx context.Context) error {
-	readme := filepath.Join(e.sigmaRepoRoot, "README.md")
+func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*model.Detection, errMap map[string]error) {
+	errMap = map[string]error{} // map[pkgName|fileName]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
 
-	gitCtx, cancel := context.WithTimeout(ctx, time.Duration(e.gitTimeout)*time.Second)
-	defer cancel()
+	acceptedExtensions := map[string]bool{
+		".yml":  true,
+		".yaml": true,
+	}
 
-	_, err := os.Stat(readme)
-	if os.IsNotExist(err) {
-		err = os.MkdirAll(e.sigmaRepoRoot, 0755)
+	for pkg, zipData := range pkgZips {
+		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
-			return fmt.Errorf("unable to create repo root directory: %w", err)
+			errMap[pkg] = err
+			continue
+		}
+
+		for _, file := range reader.File {
+			if file.FileInfo().IsDir() || !acceptedExtensions[strings.ToLower(filepath.Ext(file.Name))] {
+				continue
+			}
+
+			f, err := file.Open()
+			if err != nil {
+				errMap[file.Name] = err
+				continue
+			}
+
+			data, err := io.ReadAll(f)
+			if err != nil {
+				f.Close()
+				errMap[file.Name] = err
+				continue
+			}
+
+			f.Close()
+
+			rule, err := ParseElastAlertRule(data)
+			if err != nil {
+				errMap[file.Name] = err
+				continue
+			}
+
+			id := rule.Title
+
+			if rule.ID != nil {
+				id = *rule.ID
+			} else {
+				fmt.Println()
+			}
+
+			sev := model.SeverityUnknown
+
+			if rule.Level != nil {
+				switch strings.ToLower(string(*rule.Level)) {
+				case "informational":
+					sev = model.SeverityInformational
+				case "low":
+					sev = model.SeverityLow
+				case "medium":
+					sev = model.SeverityMedium
+				case "high":
+					sev = model.SeverityHigh
+				case "critical":
+					sev = model.SeverityCritical
+				}
+			}
+
+			detections = append(detections, &model.Detection{
+				PublicID:    id,
+				Title:       rule.Title,
+				Severity:    sev,
+				Content:     string(data),
+				IsCommunity: true,
+				Engine:      model.EngineNameElastAlert,
+			})
 		}
+	}
+
+	return detections, errMap
+}
+
+func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+	index, err := e.indexExistingRules()
+	if err != nil {
+		return nil, err
+	}
+
+	community, err := e.srv.Detectionstore.GetAllCommunitySIDs(ctx, util.Ptr(model.EngineNameElastAlert))
+	if err != nil {
+		return nil, err
+	}
+
+	toDelete := map[string]struct{}{} // map[publicID]struct{}
+	for _, det := range community {
+		toDelete[det.PublicID] = struct{}{}
+	}
+
+	results := struct {
+		Added     int
+		Updated   int
+		Removed   int
+		Unchanged int
+	}{}
+
+	errMap = map[string]error{} // map[publicID]error
+
+	// detections = []*model.Detection{}
+	for _, det := range detections {
+		path, ok := index[det.PublicID]
+		if !ok {
+			path = index[det.Title]
+		}
+
+		det.IsEnabled = path != ""
+
+		// 1. Save sigma Detection to ElasticSearch
+		oldDet, exists := community[det.PublicID]
+		if exists {
+			det.Id = oldDet.Id
+			if oldDet.Content != det.Content {
+				_, err = e.srv.Detectionstore.UpdateDetection(ctx, det)
+				if err != nil {
+					errMap[det.PublicID] = fmt.Errorf("unable to update detection: %s", err)
+					continue
+				}
+
+				delete(toDelete, det.PublicID)
+				results.Updated++
+			} else {
+				delete(toDelete, det.PublicID)
+				results.Unchanged++
+			}
+		} else {
+			_, err = e.srv.Detectionstore.CreateDetection(ctx, det)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to create detection: %s", err)
+				continue
+			}
+
+			delete(toDelete, det.PublicID)
+			results.Added++
+		}
+
+		if det.IsEnabled {
+			// 2. if enabled, send data to docker container to get converted to query
+
+			rule, err := e.sigmaToElastAlert(ctx, det.Content) // get sigma from docker container
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to convert sigma to elastalert: %s", err)
+				continue
+			}
+
+			_ = rule
+			// 3. put query in /opt/so/rules/sigma for salt to pick up
+
+			err = nil // os.WriteFile(path, []byte(rule), 0644)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
+				continue
+			}
+		}
+	}
 
-		_, err = git.PlainCloneContext(gitCtx, e.sigmaRepoRoot, false, &git.CloneOptions{
-			URL:   e.sigmaRepo,
-			Depth: 1,
-		})
+	for publicId := range toDelete {
+		_, err = e.srv.Detectionstore.DeleteDetection(ctx, community[publicId].Id)
 		if err != nil {
-			return fmt.Errorf("unable to clone repo: %w", err)
+			errMap[publicId] = fmt.Errorf("unable to delete detection: %s", err)
+			continue
+		}
+
+		results.Removed++
+	}
+
+	log.WithFields(log.Fields{
+		"added":     results.Added,
+		"updated":   results.Updated,
+		"removed":   results.Removed,
+		"unchanged": results.Unchanged,
+		"errors":    errMap,
+	}).Info("elastalert community diff")
+
+	return errMap, nil
+}
+
+func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData map[string][]byte, errMap map[string]error) {
+	errMap = map[string]error{} // map[pkgName]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	gh := github.NewClient(nil)
+
+	release, _, err := gh.Repositories.GetLatestRelease(ctx, "SigmaHQ", "sigma")
+	if err != nil {
+		errMap["sigma"] = err
+		return nil, errMap
+	}
+
+	pkgs := map[string]string{} // map[pkgName]downloadUrl
+
+	// organize assets
+	for _, asset := range release.Assets {
+		name := strings.ToLower(asset.GetName())
+		if !strings.HasSuffix(name, ".zip") {
+			continue
 		}
-	} else if err == nil {
-		repo, err := git.PlainOpen(e.sigmaRepoRoot)
+
+		link := asset.GetBrowserDownloadURL()
+
+		// Must be if/else-if so the order is correct.
+		// A switch statement might check "core" before "core++"
+		if strings.Contains(name, "all_rules") {
+			pkgs["all_rules"] = link
+		} else if strings.Contains(name, "core++") {
+			pkgs["core++"] = link
+		} else if strings.Contains(name, "core+") {
+			pkgs["core+"] = link
+		} else if strings.Contains(name, "core") {
+			pkgs["core"] = link
+		} else if strings.Contains(name, "emerging_threats") {
+			pkgs["emerging_threats"] = link
+		}
+	}
+
+	stats := map[string]int{} // map[pkgName]fileSize
+	zipData = map[string][]byte{}
+
+	for _, pkg := range e.sigmaRulePackages {
+		download, ok := pkgs[pkg]
+		if !ok {
+			log.WithField("package", pkg).Warn("unknown sigma package")
+			continue
+		}
+
+		resp, err := http.Get(download)
 		if err != nil {
-			return fmt.Errorf("unable to open existing repo: %w", err)
+			errMap[pkg] = err
+			continue
 		}
 
-		w, err := repo.Worktree()
+		if resp.StatusCode < 200 || resp.StatusCode > 299 {
+			errMap[pkg] = fmt.Errorf("non-200 status code during download: %d", resp.StatusCode)
+			continue
+		}
+
+		zipData[pkg], err = io.ReadAll(resp.Body)
 		if err != nil {
-			return fmt.Errorf("unable to get worktree of existing repo: %w", err)
+			errMap[pkg] = err
+			continue
 		}
 
-		err = w.PullContext(gitCtx, &git.PullOptions{
-			Depth: 1,
-		})
-		if err != nil && err != git.NoErrAlreadyUpToDate {
-			return fmt.Errorf("unable to pull repo: %w", err)
+		stats[pkg] = len(zipData[pkg])
+	}
+
+	log.WithField("downloadSizes", stats).Info("downloaded sigma packages")
+
+	return zipData, nil
+}
+
+func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
+	index = map[string]string{} // map[id | title]path
+
+	rules, err := os.ReadDir(e.elastAlertRulesFolder)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read elastalert rules directory: %w", err)
+	}
+
+	for _, rule := range rules {
+		if rule.IsDir() {
+			continue
+		}
+
+		filename := filepath.Join(e.elastAlertRulesFolder, rule.Name())
+
+		data, err := os.ReadFile(filename)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read elastalert rule file %s: %w", filename, err)
+		}
+
+		rule, err := ParseElastAlertRule(data)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse elastalert rule file %s: %w", filename, err)
 		}
-	} else {
-		return fmt.Errorf("unable to determine if README.md exists: %w", err)
+
+		id := rule.Title
+
+		if rule.ID != nil {
+			id = *rule.ID
+		}
+
+		index[id] = filename
 	}
 
-	return nil
+	return index, nil
+}
+
+func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string) (string, error) {
+	// wrapper for the payload
+	ruleWrapper := struct {
+		Rule     string   `json:"rule"`
+		Pipeline []string `json:"pipeline"`
+		Target   string   `json:"target"`
+		Format   string   `json:"format"`
+	}{
+		Rule:     base64.StdEncoding.EncodeToString([]byte(sigma)),
+		Pipeline: []string{},
+		Target:   "eql",
+		Format:   "default",
+	}
+
+	payload, err := json.Marshal(ruleWrapper)
+	if err != nil {
+		return "", err
+	}
+
+	// build request
+	req, err := http.NewRequest(http.MethodPost, e.sigconverterUrl, bytes.NewReader(payload))
+	if err != nil {
+		return "", err
+	}
+
+	req = req.WithContext(ctx)
+	req.Header.Add("Content-Type", "application/json")
+
+	// send request
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < 200 || resp.StatusCode > 299 {
+		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
+	}
+
+	elastRule, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	return string(elastRule), nil
 }
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 9591ab3e0..84583f83e 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -20,6 +20,7 @@ const (
 type SigmaLevel string
 
 const (
+	SigmaLevelUnknown       SigmaLevel = "unknown"
 	SigmaLevelInformational SigmaLevel = "informational"
 	SigmaLevelLow           SigmaLevel = "low"
 	SigmaLevelMedium        SigmaLevel = "medium"
@@ -39,6 +40,7 @@ const (
 
 type SigmaRule struct {
 	Title          string                 `yaml:"title"`
+	ID             *string                `yaml:"id"`
 	LogSource      LogSource              `yaml:"logsource"`
 	Detection      Detection              `yaml:"detection"`
 	Status         *SigmaStatus           `yaml:"status"`
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index be1b7b0e0..7824b3298 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -393,8 +393,13 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) {
-	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection")
+	if engine != nil {
+		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
+	}
+
+	all, err := store.getAll(ctx, query, -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 742f29263..32f18a6a9 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -122,7 +122,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 				return
 			}
 
-			log.WithError(err).Error("unable to sync community detections")
+			log.WithError(err).Error("unable to sync suricata community detections")
 			continue
 		}
 
@@ -141,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		dur := time.Since(start)
 
- 		log.WithFields(log.Fields{
+		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
 		}).Info("suricata community rules synced")
 	}
@@ -256,9 +256,9 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 				case "INFORMATIONAL":
 					severity = model.SeverityInformational
 				case "MINOR":
-					severity = model.SeverityMinor
+					severity = model.SeverityLow
 				case "MAJOR":
-					severity = model.SeverityMajor
+					severity = model.SeverityHigh
 				case "CRITICAL":
 					severity = model.SeverityCritical
 				}
@@ -468,7 +468,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	disabledIndex := indexEnabled(disabledLines, true)
 	modifyIndex := indexModify(modifyLines)
 
-	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
+	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx, util.Ptr(model.EngineNameSuricata))
 	if err != nil {
 		return nil, err
 	}

From 064f4e7e4530c395164032402bc0673d87c95ec0 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 6 Nov 2023 16:30:42 -0700
Subject: [PATCH 016/102] WIP ElastAlert Improvements

Backend:

Removed go-github. Instead, we're using a configurable url template.

Updated config values to impact how the UI renders.

Replaced all references of github.com/tj/assert with references to github.com/stretchr/testify/assert for consistency.

Fixed an issue where errors resulted in more errors when syncing local detections in elastalert.

ElastAlert's SyncLocalDetections now implemented.

ElastAlert's syncCommunityDetections is further implemented.

Fixed a bug where syncing community detections resulted in purging local detections.

Tests. Refactor to make some functions more testable.

UI:

Hide charts when on detections page in advanced mode.

Removed auto-grow from rule text area. For large rules, modifying the rule would adjust the text area size which would adjust the browser's scroll position sometimes with counter productive effects.

Include js-yaml library to parse yaml (i.e. sigma) to retrieve values. Used to extract the PublicID field from a sigma rule. More uses to come.
---
 config/config.go                             |   7 +-
 go.mod                                       |   2 -
 go.sum                                       |   8 -
 html/index.html                              |   9 +-
 html/js/external/js-yaml.min.js              |   2 +
 html/js/routes/detection.js                  |   9 +
 licensing/license_manager_test.go            |   2 +-
 server/detectionhandler.go                   |   1 +
 server/infohandler.go                        |  22 +-
 server/modules/elastalert/elastalert.go      | 363 +++++++++++++++----
 server/modules/elastalert/elastalert_test.go | 334 ++++++++++++++++-
 server/modules/elastalert/oneormore_test.go  |   2 +-
 server/modules/suricata/validate_test.go     |   3 +-
 web/middleware_test.go                       |   2 +-
 14 files changed, 662 insertions(+), 104 deletions(-)
 create mode 100644 html/js/external/js-yaml.min.js

diff --git a/config/config.go b/config/config.go
index 1d7065951..21b18350e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -47,13 +47,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 
 	// TODO: remove when put in config file
 	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
-		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
-		"communityRulesImportFrequencySeconds": float64(5),
+		"communityRulesFile":   "/nsm/rules/suricata/emerging-all.rules",
+		"rulesFingerprintFile": "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
 	}
 
 	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(5), // not a recommended value, I'm impatient
+		"communityRulesImportFrequencySeconds": float64(61), // not a recommended value, I'm impatient
 		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
 		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
 		"sigmaRulePackages":                    "all",
diff --git a/go.mod b/go.mod
index e502bf9f8..29ef986ef 100644
--- a/go.mod
+++ b/go.mod
@@ -20,10 +20,8 @@ require (
 )
 
 require (
-	github.com/google/go-github/v56 v56.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
-	github.com/tj/assert v0.0.3
 )
 
 require (
diff --git a/go.sum b/go.sum
index faac69a56..e87a28ca7 100644
--- a/go.sum
+++ b/go.sum
@@ -43,13 +43,6 @@ github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-github/v56 v56.0.0 h1:TysL7dMa/r7wsQi44BjqlwaHvwlFlqkK8CtBWCX3gb4=
-github.com/google/go-github/v56 v56.0.0/go.mod h1:D8cdcX98YWJvi7TLo7zM4/h8ZTx6u6fwGEkCdisopo0=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -162,7 +155,6 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/html/index.html b/html/index.html
index d10c0ae23..2a713ac46 100644
--- a/html/index.html
+++ b/html/index.html
@@ -347,7 +347,7 @@ <h2 v-text="i18n[category]"></h2>
               <v-expansion-panel>
                 <v-expansion-panel-header id="huntOptionsHeader">{{i18n.options}}</v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  <v-switch v-if="isCategory('alerts') || isCategory('cases')" id="enable-advanced" :disabled="loading()" v-model="advanced" dense hide-details class="my-0" :label="i18n.advanced"></v-switch>
+                  <v-switch v-if="isCategory('alerts') || isCategory('cases') || isCategory('detections')" id="enable-advanced" :disabled="loading()" v-model="advanced" dense hide-details class="my-0" :label="i18n.advanced"></v-switch>
                   <v-switch v-if="isAdvanced()" id="auto-hunt" :disabled="loading()" v-model="autohunt" dense hide-details class="my-0" :label="i18n.autohunt"></v-switch>
                   <v-switch v-for="toggle in filterToggles" :key="toggle.name"
                     :id="'filterToggle-' + toggle.name"
@@ -466,7 +466,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
             </span>
           </v-col>
         </v-row>
-        <v-col id="graphs" v-if="loaded && isAdvanced()">
+        <v-col id="graphs" v-if="loaded && isAdvanced() && !isCategory('detections')">
           <v-toolbar dense flat>
             <v-toolbar-title>{{ i18n.standardMetrics }}</v-toolbar-title>
             <v-spacer />
@@ -998,7 +998,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="10" :rules="[rules.required]" />
+                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" />
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1670,7 +1670,7 @@ <h4 v-if="!$root.loading">{{ i18n.usersEnabled }} {{ countUsersEnabled() }} / {{
                               <v-alert v-if="item.oidcStatus == 'enabled'" class="mt-2" type="warning" icon="fa-shield-halved" text dense>
                                 {{ i18n.oidcResetPasswordHelp }}
                               </v-alert>
-              
+
                               <v-form v-model="form.valid">
                                 <v-text-field id="password-input" v-model="form.password" :placeholder="i18n.passwordChange" :type="showPassword ? 'text' : 'password'"
                                   @click:append="showPassword = !showPassword" :append-icon="showPassword ? 'fa-eye-slash' : 'fa-eye'"
@@ -4500,6 +4500,7 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/external/purify-3.0.6.min.js"></script>
     <script src="js/external/chartjs-chart-sankey-0.12.0.min.js"></script>
     <script src="js/external/chartjs-adapter-moment-1.0.0.min.js"></script>
+    <script src="js/external/js-yaml.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/external/js-yaml.min.js b/html/js/external/js-yaml.min.js
new file mode 100644
index 000000000..bdd8eef54
--- /dev/null
+++ b/html/js/external/js-yaml.min.js
@@ -0,0 +1,2 @@
+/*! js-yaml 4.1.0 https://github.com/nodeca/js-yaml @license MIT */
+!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).jsyaml={})}(this,(function(e){"use strict";function t(e){return null==e}var n={isNothing:t,isObject:function(e){return"object"==typeof e&&null!==e},toArray:function(e){return Array.isArray(e)?e:t(e)?[]:[e]},repeat:function(e,t){var n,i="";for(n=0;n<t;n+=1)i+=e;return i},isNegativeZero:function(e){return 0===e&&Number.NEGATIVE_INFINITY===1/e},extend:function(e,t){var n,i,r,o;if(t)for(n=0,i=(o=Object.keys(t)).length;n<i;n+=1)e[r=o[n]]=t[r];return e}};function i(e,t){var n="",i=e.reason||"(unknown reason)";return e.mark?(e.mark.name&&(n+='in "'+e.mark.name+'" '),n+="("+(e.mark.line+1)+":"+(e.mark.column+1)+")",!t&&e.mark.snippet&&(n+="\n\n"+e.mark.snippet),i+" "+n):i}function r(e,t){Error.call(this),this.name="YAMLException",this.reason=e,this.mark=t,this.message=i(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}r.prototype=Object.create(Error.prototype),r.prototype.constructor=r,r.prototype.toString=function(e){return this.name+": "+i(this,e)};var o=r;function a(e,t,n,i,r){var o="",a="",l=Math.floor(r/2)-1;return i-t>l&&(t=i-l+(o=" ... ").length),n-i>l&&(n=i+l-(a=" ...").length),{str:o+e.slice(t,n).replace(/\t/g,"→")+a,pos:i-t+o.length}}function l(e,t){return n.repeat(" ",t-e.length)+e}var c=function(e,t){if(t=Object.create(t||null),!e.buffer)return null;t.maxLength||(t.maxLength=79),"number"!=typeof t.indent&&(t.indent=1),"number"!=typeof t.linesBefore&&(t.linesBefore=3),"number"!=typeof t.linesAfter&&(t.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,o=[0],c=[],s=-1;i=r.exec(e.buffer);)c.push(i.index),o.push(i.index+i[0].length),e.position<=i.index&&s<0&&(s=o.length-2);s<0&&(s=o.length-1);var u,p,f="",d=Math.min(e.line+t.linesAfter,c.length).toString().length,h=t.maxLength-(t.indent+d+3);for(u=1;u<=t.linesBefore&&!(s-u<0);u++)p=a(e.buffer,o[s-u],c[s-u],e.position-(o[s]-o[s-u]),h),f=n.repeat(" ",t.indent)+l((e.line-u+1).toString(),d)+" | "+p.str+"\n"+f;for(p=a(e.buffer,o[s],c[s],e.position,h),f+=n.repeat(" ",t.indent)+l((e.line+1).toString(),d)+" | "+p.str+"\n",f+=n.repeat("-",t.indent+d+3+p.pos)+"^\n",u=1;u<=t.linesAfter&&!(s+u>=c.length);u++)p=a(e.buffer,o[s+u],c[s+u],e.position-(o[s]-o[s+u]),h),f+=n.repeat(" ",t.indent)+l((e.line+u+1).toString(),d)+" | "+p.str+"\n";return f.replace(/\n$/,"")},s=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],u=["scalar","sequence","mapping"];var p=function(e,t){if(t=t||{},Object.keys(t).forEach((function(t){if(-1===s.indexOf(t))throw new o('Unknown option "'+t+'" is met in definition of "'+e+'" YAML type.')})),this.options=t,this.tag=e,this.kind=t.kind||null,this.resolve=t.resolve||function(){return!0},this.construct=t.construct||function(e){return e},this.instanceOf=t.instanceOf||null,this.predicate=t.predicate||null,this.represent=t.represent||null,this.representName=t.representName||null,this.defaultStyle=t.defaultStyle||null,this.multi=t.multi||!1,this.styleAliases=function(e){var t={};return null!==e&&Object.keys(e).forEach((function(n){e[n].forEach((function(e){t[String(e)]=n}))})),t}(t.styleAliases||null),-1===u.indexOf(this.kind))throw new o('Unknown kind "'+this.kind+'" is specified for "'+e+'" YAML type.')};function f(e,t){var n=[];return e[t].forEach((function(e){var t=n.length;n.forEach((function(n,i){n.tag===e.tag&&n.kind===e.kind&&n.multi===e.multi&&(t=i)})),n[t]=e})),n}function d(e){return this.extend(e)}d.prototype.extend=function(e){var t=[],n=[];if(e instanceof p)n.push(e);else if(Array.isArray(e))n=n.concat(e);else{if(!e||!Array.isArray(e.implicit)&&!Array.isArray(e.explicit))throw new o("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");e.implicit&&(t=t.concat(e.implicit)),e.explicit&&(n=n.concat(e.explicit))}t.forEach((function(e){if(!(e instanceof p))throw new o("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(e.loadKind&&"scalar"!==e.loadKind)throw new o("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(e.multi)throw new o("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),n.forEach((function(e){if(!(e instanceof p))throw new o("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var i=Object.create(d.prototype);return i.implicit=(this.implicit||[]).concat(t),i.explicit=(this.explicit||[]).concat(n),i.compiledImplicit=f(i,"implicit"),i.compiledExplicit=f(i,"explicit"),i.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function i(e){e.multi?(n.multi[e.kind].push(e),n.multi.fallback.push(e)):n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e<t;e+=1)arguments[e].forEach(i);return n}(i.compiledImplicit,i.compiledExplicit),i};var h=d,g=new p("tag:yaml.org,2002:str",{kind:"scalar",construct:function(e){return null!==e?e:""}}),m=new p("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(e){return null!==e?e:[]}}),y=new p("tag:yaml.org,2002:map",{kind:"mapping",construct:function(e){return null!==e?e:{}}}),b=new h({explicit:[g,m,y]});var A=new p("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(e){if(null===e)return!0;var t=e.length;return 1===t&&"~"===e||4===t&&("null"===e||"Null"===e||"NULL"===e)},construct:function(){return null},predicate:function(e){return null===e},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var v=new p("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"});function w(e){return 48<=e&&e<=55}function k(e){return 48<=e&&e<=57}var C=new p("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i=e.length,r=0,o=!1;if(!i)return!1;if("-"!==(t=e[r])&&"+"!==t||(t=e[++r]),"0"===t){if(r+1===i)return!0;if("b"===(t=e[++r])){for(r++;r<i;r++)if("_"!==(t=e[r])){if("0"!==t&&"1"!==t)return!1;o=!0}return o&&"_"!==t}if("x"===t){for(r++;r<i;r++)if("_"!==(t=e[r])){if(!(48<=(n=e.charCodeAt(r))&&n<=57||65<=n&&n<=70||97<=n&&n<=102))return!1;o=!0}return o&&"_"!==t}if("o"===t){for(r++;r<i;r++)if("_"!==(t=e[r])){if(!w(e.charCodeAt(r)))return!1;o=!0}return o&&"_"!==t}}if("_"===t)return!1;for(;r<i;r++)if("_"!==(t=e[r])){if(!k(e.charCodeAt(r)))return!1;o=!0}return!(!o||"_"===t)},construct:function(e){var t,n=e,i=1;if(-1!==n.indexOf("_")&&(n=n.replace(/_/g,"")),"-"!==(t=n[0])&&"+"!==t||("-"===t&&(i=-1),t=(n=n.slice(1))[0]),"0"===n)return 0;if("0"===t){if("b"===n[1])return i*parseInt(n.slice(2),2);if("x"===n[1])return i*parseInt(n.slice(2),16);if("o"===n[1])return i*parseInt(n.slice(2),8)}return i*parseInt(n,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&e%1==0&&!n.isNegativeZero(e)},represent:{binary:function(e){return e>=0?"0b"+e.toString(2):"-0b"+e.toString(2).slice(1)},octal:function(e){return e>=0?"0o"+e.toString(8):"-0o"+e.toString(8).slice(1)},decimal:function(e){return e.toString(10)},hexadecimal:function(e){return e>=0?"0x"+e.toString(16).toUpperCase():"-0x"+e.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),x=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var I=/^[-+]?[0-9]+e/;var S=new p("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!x.test(e)||"_"===e[e.length-1])},construct:function(e){var t,n;return n="-"===(t=e.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(t[0])>=0&&(t=t.slice(1)),".inf"===t?1===n?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===t?NaN:n*parseFloat(t,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||n.isNegativeZero(e))},represent:function(e,t){var i;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(n.isNegativeZero(e))return"-0.0";return i=e.toString(10),I.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),O=b.extend({implicit:[A,v,C,S]}),j=O,T=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),N=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var F=new p("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(e){return null!==e&&(null!==T.exec(e)||null!==N.exec(e))},construct:function(e){var t,n,i,r,o,a,l,c,s=0,u=null;if(null===(t=T.exec(e))&&(t=N.exec(e)),null===t)throw new Error("Date resolve error");if(n=+t[1],i=+t[2]-1,r=+t[3],!t[4])return new Date(Date.UTC(n,i,r));if(o=+t[4],a=+t[5],l=+t[6],t[7]){for(s=t[7].slice(0,3);s.length<3;)s+="0";s=+s}return t[9]&&(u=6e4*(60*+t[10]+ +(t[11]||0)),"-"===t[9]&&(u=-u)),c=new Date(Date.UTC(n,i,r,o,a,l,s)),u&&c.setTime(c.getTime()-u),c},instanceOf:Date,represent:function(e){return e.toISOString()}});var E=new p("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(e){return"<<"===e||null===e}}),M="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var L=new p("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i=0,r=e.length,o=M;for(n=0;n<r;n++)if(!((t=o.indexOf(e.charAt(n)))>64)){if(t<0)return!1;i+=6}return i%8==0},construct:function(e){var t,n,i=e.replace(/[\r\n=]/g,""),r=i.length,o=M,a=0,l=[];for(t=0;t<r;t++)t%4==0&&t&&(l.push(a>>16&255),l.push(a>>8&255),l.push(255&a)),a=a<<6|o.indexOf(i.charAt(t));return 0===(n=r%4*6)?(l.push(a>>16&255),l.push(a>>8&255),l.push(255&a)):18===n?(l.push(a>>10&255),l.push(a>>2&255)):12===n&&l.push(a>>4&255),new Uint8Array(l)},predicate:function(e){return"[object Uint8Array]"===Object.prototype.toString.call(e)},represent:function(e){var t,n,i="",r=0,o=e.length,a=M;for(t=0;t<o;t++)t%3==0&&t&&(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]),r=(r<<8)+e[t];return 0===(n=o%3)?(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]):2===n?(i+=a[r>>10&63],i+=a[r>>4&63],i+=a[r<<2&63],i+=a[64]):1===n&&(i+=a[r>>2&63],i+=a[r<<4&63],i+=a[64],i+=a[64]),i}}),_=Object.prototype.hasOwnProperty,D=Object.prototype.toString;var U=new p("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(e){if(null===e)return!0;var t,n,i,r,o,a=[],l=e;for(t=0,n=l.length;t<n;t+=1){if(i=l[t],o=!1,"[object Object]"!==D.call(i))return!1;for(r in i)if(_.call(i,r)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(r))return!1;a.push(r)}return!0},construct:function(e){return null!==e?e:[]}}),q=Object.prototype.toString;var Y=new p("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(e){if(null===e)return!0;var t,n,i,r,o,a=e;for(o=new Array(a.length),t=0,n=a.length;t<n;t+=1){if(i=a[t],"[object Object]"!==q.call(i))return!1;if(1!==(r=Object.keys(i)).length)return!1;o[t]=[r[0],i[r[0]]]}return!0},construct:function(e){if(null===e)return[];var t,n,i,r,o,a=e;for(o=new Array(a.length),t=0,n=a.length;t<n;t+=1)i=a[t],r=Object.keys(i),o[t]=[r[0],i[r[0]]];return o}}),R=Object.prototype.hasOwnProperty;var B=new p("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(e){if(null===e)return!0;var t,n=e;for(t in n)if(R.call(n,t)&&null!==n[t])return!1;return!0},construct:function(e){return null!==e?e:{}}}),K=j.extend({implicit:[F,E],explicit:[L,U,Y,B]}),P=Object.prototype.hasOwnProperty,W=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,H=/[\x85\u2028\u2029]/,$=/[,\[\]\{\}]/,G=/^(?:!|!!|![a-z\-]+!)$/i,V=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function Z(e){return Object.prototype.toString.call(e)}function J(e){return 10===e||13===e}function Q(e){return 9===e||32===e}function z(e){return 9===e||32===e||10===e||13===e}function X(e){return 44===e||91===e||93===e||123===e||125===e}function ee(e){var t;return 48<=e&&e<=57?e-48:97<=(t=32|e)&&t<=102?t-97+10:-1}function te(e){return 48===e?"\0":97===e?"":98===e?"\b":116===e||9===e?"\t":110===e?"\n":118===e?"\v":102===e?"\f":114===e?"\r":101===e?"":32===e?" ":34===e?'"':47===e?"/":92===e?"\\":78===e?"…":95===e?" ":76===e?"\u2028":80===e?"\u2029":""}function ne(e){return e<=65535?String.fromCharCode(e):String.fromCharCode(55296+(e-65536>>10),56320+(e-65536&1023))}for(var ie=new Array(256),re=new Array(256),oe=0;oe<256;oe++)ie[oe]=te(oe)?1:0,re[oe]=te(oe);function ae(e,t){this.input=e,this.filename=t.filename||null,this.schema=t.schema||K,this.onWarning=t.onWarning||null,this.legacy=t.legacy||!1,this.json=t.json||!1,this.listener=t.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=e.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function le(e,t){var n={name:e.filename,buffer:e.input.slice(0,-1),position:e.position,line:e.line,column:e.position-e.lineStart};return n.snippet=c(n),new o(t,n)}function ce(e,t){throw le(e,t)}function se(e,t){e.onWarning&&e.onWarning.call(null,le(e,t))}var ue={YAML:function(e,t,n){var i,r,o;null!==e.version&&ce(e,"duplication of %YAML directive"),1!==n.length&&ce(e,"YAML directive accepts exactly one argument"),null===(i=/^([0-9]+)\.([0-9]+)$/.exec(n[0]))&&ce(e,"ill-formed argument of the YAML directive"),r=parseInt(i[1],10),o=parseInt(i[2],10),1!==r&&ce(e,"unacceptable YAML version of the document"),e.version=n[0],e.checkLineBreaks=o<2,1!==o&&2!==o&&se(e,"unsupported YAML version of the document")},TAG:function(e,t,n){var i,r;2!==n.length&&ce(e,"TAG directive accepts exactly two arguments"),i=n[0],r=n[1],G.test(i)||ce(e,"ill-formed tag handle (first argument) of the TAG directive"),P.call(e.tagMap,i)&&ce(e,'there is a previously declared suffix for "'+i+'" tag handle'),V.test(r)||ce(e,"ill-formed tag prefix (second argument) of the TAG directive");try{r=decodeURIComponent(r)}catch(t){ce(e,"tag prefix is malformed: "+r)}e.tagMap[i]=r}};function pe(e,t,n,i){var r,o,a,l;if(t<n){if(l=e.input.slice(t,n),i)for(r=0,o=l.length;r<o;r+=1)9===(a=l.charCodeAt(r))||32<=a&&a<=1114111||ce(e,"expected valid JSON character");else W.test(l)&&ce(e,"the stream contains non-printable characters");e.result+=l}}function fe(e,t,i,r){var o,a,l,c;for(n.isObject(i)||ce(e,"cannot merge mappings; the provided source object is unacceptable"),l=0,c=(o=Object.keys(i)).length;l<c;l+=1)a=o[l],P.call(t,a)||(t[a]=i[a],r[a]=!0)}function de(e,t,n,i,r,o,a,l,c){var s,u;if(Array.isArray(r))for(s=0,u=(r=Array.prototype.slice.call(r)).length;s<u;s+=1)Array.isArray(r[s])&&ce(e,"nested arrays are not supported inside keys"),"object"==typeof r&&"[object Object]"===Z(r[s])&&(r[s]="[object Object]");if("object"==typeof r&&"[object Object]"===Z(r)&&(r="[object Object]"),r=String(r),null===t&&(t={}),"tag:yaml.org,2002:merge"===i)if(Array.isArray(o))for(s=0,u=o.length;s<u;s+=1)fe(e,t,o[s],n);else fe(e,t,o,n);else e.json||P.call(n,r)||!P.call(t,r)||(e.line=a||e.line,e.lineStart=l||e.lineStart,e.position=c||e.position,ce(e,"duplicated mapping key")),"__proto__"===r?Object.defineProperty(t,r,{configurable:!0,enumerable:!0,writable:!0,value:o}):t[r]=o,delete n[r];return t}function he(e){var t;10===(t=e.input.charCodeAt(e.position))?e.position++:13===t?(e.position++,10===e.input.charCodeAt(e.position)&&e.position++):ce(e,"a line break is expected"),e.line+=1,e.lineStart=e.position,e.firstTabInLine=-1}function ge(e,t,n){for(var i=0,r=e.input.charCodeAt(e.position);0!==r;){for(;Q(r);)9===r&&-1===e.firstTabInLine&&(e.firstTabInLine=e.position),r=e.input.charCodeAt(++e.position);if(t&&35===r)do{r=e.input.charCodeAt(++e.position)}while(10!==r&&13!==r&&0!==r);if(!J(r))break;for(he(e),r=e.input.charCodeAt(e.position),i++,e.lineIndent=0;32===r;)e.lineIndent++,r=e.input.charCodeAt(++e.position)}return-1!==n&&0!==i&&e.lineIndent<n&&se(e,"deficient indentation"),i}function me(e){var t,n=e.position;return!(45!==(t=e.input.charCodeAt(n))&&46!==t||t!==e.input.charCodeAt(n+1)||t!==e.input.charCodeAt(n+2)||(n+=3,0!==(t=e.input.charCodeAt(n))&&!z(t)))}function ye(e,t){1===t?e.result+=" ":t>1&&(e.result+=n.repeat("\n",t-1))}function be(e,t){var n,i,r=e.tag,o=e.anchor,a=[],l=!1;if(-1!==e.firstTabInLine)return!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=a),i=e.input.charCodeAt(e.position);0!==i&&(-1!==e.firstTabInLine&&(e.position=e.firstTabInLine,ce(e,"tab characters must not be used in indentation")),45===i)&&z(e.input.charCodeAt(e.position+1));)if(l=!0,e.position++,ge(e,!0,-1)&&e.lineIndent<=t)a.push(null),i=e.input.charCodeAt(e.position);else if(n=e.line,we(e,t,3,!1,!0),a.push(e.result),ge(e,!0,-1),i=e.input.charCodeAt(e.position),(e.line===n||e.lineIndent>t)&&0!==i)ce(e,"bad indentation of a sequence entry");else if(e.lineIndent<t)break;return!!l&&(e.tag=r,e.anchor=o,e.kind="sequence",e.result=a,!0)}function Ae(e){var t,n,i,r,o=!1,a=!1;if(33!==(r=e.input.charCodeAt(e.position)))return!1;if(null!==e.tag&&ce(e,"duplication of a tag property"),60===(r=e.input.charCodeAt(++e.position))?(o=!0,r=e.input.charCodeAt(++e.position)):33===r?(a=!0,n="!!",r=e.input.charCodeAt(++e.position)):n="!",t=e.position,o){do{r=e.input.charCodeAt(++e.position)}while(0!==r&&62!==r);e.position<e.length?(i=e.input.slice(t,e.position),r=e.input.charCodeAt(++e.position)):ce(e,"unexpected end of the stream within a verbatim tag")}else{for(;0!==r&&!z(r);)33===r&&(a?ce(e,"tag suffix cannot contain exclamation marks"):(n=e.input.slice(t-1,e.position+1),G.test(n)||ce(e,"named tag handle cannot contain such characters"),a=!0,t=e.position+1)),r=e.input.charCodeAt(++e.position);i=e.input.slice(t,e.position),$.test(i)&&ce(e,"tag suffix cannot contain flow indicator characters")}i&&!V.test(i)&&ce(e,"tag name cannot contain such characters: "+i);try{i=decodeURIComponent(i)}catch(t){ce(e,"tag name is malformed: "+i)}return o?e.tag=i:P.call(e.tagMap,n)?e.tag=e.tagMap[n]+i:"!"===n?e.tag="!"+i:"!!"===n?e.tag="tag:yaml.org,2002:"+i:ce(e,'undeclared tag handle "'+n+'"'),!0}function ve(e){var t,n;if(38!==(n=e.input.charCodeAt(e.position)))return!1;for(null!==e.anchor&&ce(e,"duplication of an anchor property"),n=e.input.charCodeAt(++e.position),t=e.position;0!==n&&!z(n)&&!X(n);)n=e.input.charCodeAt(++e.position);return e.position===t&&ce(e,"name of an anchor node must contain at least one character"),e.anchor=e.input.slice(t,e.position),!0}function we(e,t,i,r,o){var a,l,c,s,u,p,f,d,h,g=1,m=!1,y=!1;if(null!==e.listener&&e.listener("open",e),e.tag=null,e.anchor=null,e.kind=null,e.result=null,a=l=c=4===i||3===i,r&&ge(e,!0,-1)&&(m=!0,e.lineIndent>t?g=1:e.lineIndent===t?g=0:e.lineIndent<t&&(g=-1)),1===g)for(;Ae(e)||ve(e);)ge(e,!0,-1)?(m=!0,c=a,e.lineIndent>t?g=1:e.lineIndent===t?g=0:e.lineIndent<t&&(g=-1)):c=!1;if(c&&(c=m||o),1!==g&&4!==i||(d=1===i||2===i?t:t+1,h=e.position-e.lineStart,1===g?c&&(be(e,h)||function(e,t,n){var i,r,o,a,l,c,s,u=e.tag,p=e.anchor,f={},d=Object.create(null),h=null,g=null,m=null,y=!1,b=!1;if(-1!==e.firstTabInLine)return!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=f),s=e.input.charCodeAt(e.position);0!==s;){if(y||-1===e.firstTabInLine||(e.position=e.firstTabInLine,ce(e,"tab characters must not be used in indentation")),i=e.input.charCodeAt(e.position+1),o=e.line,63!==s&&58!==s||!z(i)){if(a=e.line,l=e.lineStart,c=e.position,!we(e,n,2,!1,!0))break;if(e.line===o){for(s=e.input.charCodeAt(e.position);Q(s);)s=e.input.charCodeAt(++e.position);if(58===s)z(s=e.input.charCodeAt(++e.position))||ce(e,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(de(e,f,d,h,g,null,a,l,c),h=g=m=null),b=!0,y=!1,r=!1,h=e.tag,g=e.result;else{if(!b)return e.tag=u,e.anchor=p,!0;ce(e,"can not read an implicit mapping pair; a colon is missed")}}else{if(!b)return e.tag=u,e.anchor=p,!0;ce(e,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===s?(y&&(de(e,f,d,h,g,null,a,l,c),h=g=m=null),b=!0,y=!0,r=!0):y?(y=!1,r=!0):ce(e,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),e.position+=1,s=i;if((e.line===o||e.lineIndent>t)&&(y&&(a=e.line,l=e.lineStart,c=e.position),we(e,t,4,!0,r)&&(y?g=e.result:m=e.result),y||(de(e,f,d,h,g,m,a,l,c),h=g=m=null),ge(e,!0,-1),s=e.input.charCodeAt(e.position)),(e.line===o||e.lineIndent>t)&&0!==s)ce(e,"bad indentation of a mapping entry");else if(e.lineIndent<t)break}return y&&de(e,f,d,h,g,null,a,l,c),b&&(e.tag=u,e.anchor=p,e.kind="mapping",e.result=f),b}(e,h,d))||function(e,t){var n,i,r,o,a,l,c,s,u,p,f,d,h=!0,g=e.tag,m=e.anchor,y=Object.create(null);if(91===(d=e.input.charCodeAt(e.position)))a=93,s=!1,o=[];else{if(123!==d)return!1;a=125,s=!0,o={}}for(null!==e.anchor&&(e.anchorMap[e.anchor]=o),d=e.input.charCodeAt(++e.position);0!==d;){if(ge(e,!0,t),(d=e.input.charCodeAt(e.position))===a)return e.position++,e.tag=g,e.anchor=m,e.kind=s?"mapping":"sequence",e.result=o,!0;h?44===d&&ce(e,"expected the node content, but found ','"):ce(e,"missed comma between flow collection entries"),f=null,l=c=!1,63===d&&z(e.input.charCodeAt(e.position+1))&&(l=c=!0,e.position++,ge(e,!0,t)),n=e.line,i=e.lineStart,r=e.position,we(e,t,1,!1,!0),p=e.tag,u=e.result,ge(e,!0,t),d=e.input.charCodeAt(e.position),!c&&e.line!==n||58!==d||(l=!0,d=e.input.charCodeAt(++e.position),ge(e,!0,t),we(e,t,1,!1,!0),f=e.result),s?de(e,o,y,p,u,f,n,i,r):l?o.push(de(e,null,y,p,u,f,n,i,r)):o.push(u),ge(e,!0,t),44===(d=e.input.charCodeAt(e.position))?(h=!0,d=e.input.charCodeAt(++e.position)):h=!1}ce(e,"unexpected end of the stream within a flow collection")}(e,d)?y=!0:(l&&function(e,t){var i,r,o,a,l,c=1,s=!1,u=!1,p=t,f=0,d=!1;if(124===(a=e.input.charCodeAt(e.position)))r=!1;else{if(62!==a)return!1;r=!0}for(e.kind="scalar",e.result="";0!==a;)if(43===(a=e.input.charCodeAt(++e.position))||45===a)1===c?c=43===a?3:2:ce(e,"repeat of a chomping mode identifier");else{if(!((o=48<=(l=a)&&l<=57?l-48:-1)>=0))break;0===o?ce(e,"bad explicit indentation width of a block scalar; it cannot be less than one"):u?ce(e,"repeat of an indentation width identifier"):(p=t+o-1,u=!0)}if(Q(a)){do{a=e.input.charCodeAt(++e.position)}while(Q(a));if(35===a)do{a=e.input.charCodeAt(++e.position)}while(!J(a)&&0!==a)}for(;0!==a;){for(he(e),e.lineIndent=0,a=e.input.charCodeAt(e.position);(!u||e.lineIndent<p)&&32===a;)e.lineIndent++,a=e.input.charCodeAt(++e.position);if(!u&&e.lineIndent>p&&(p=e.lineIndent),J(a))f++;else{if(e.lineIndent<p){3===c?e.result+=n.repeat("\n",s?1+f:f):1===c&&s&&(e.result+="\n");break}for(r?Q(a)?(d=!0,e.result+=n.repeat("\n",s?1+f:f)):d?(d=!1,e.result+=n.repeat("\n",f+1)):0===f?s&&(e.result+=" "):e.result+=n.repeat("\n",f):e.result+=n.repeat("\n",s?1+f:f),s=!0,u=!0,f=0,i=e.position;!J(a)&&0!==a;)a=e.input.charCodeAt(++e.position);pe(e,i,e.position,!1)}}return!0}(e,d)||function(e,t){var n,i,r;if(39!==(n=e.input.charCodeAt(e.position)))return!1;for(e.kind="scalar",e.result="",e.position++,i=r=e.position;0!==(n=e.input.charCodeAt(e.position));)if(39===n){if(pe(e,i,e.position,!0),39!==(n=e.input.charCodeAt(++e.position)))return!0;i=e.position,e.position++,r=e.position}else J(n)?(pe(e,i,r,!0),ye(e,ge(e,!1,t)),i=r=e.position):e.position===e.lineStart&&me(e)?ce(e,"unexpected end of the document within a single quoted scalar"):(e.position++,r=e.position);ce(e,"unexpected end of the stream within a single quoted scalar")}(e,d)||function(e,t){var n,i,r,o,a,l,c;if(34!==(l=e.input.charCodeAt(e.position)))return!1;for(e.kind="scalar",e.result="",e.position++,n=i=e.position;0!==(l=e.input.charCodeAt(e.position));){if(34===l)return pe(e,n,e.position,!0),e.position++,!0;if(92===l){if(pe(e,n,e.position,!0),J(l=e.input.charCodeAt(++e.position)))ge(e,!1,t);else if(l<256&&ie[l])e.result+=re[l],e.position++;else if((a=120===(c=l)?2:117===c?4:85===c?8:0)>0){for(r=a,o=0;r>0;r--)(a=ee(l=e.input.charCodeAt(++e.position)))>=0?o=(o<<4)+a:ce(e,"expected hexadecimal character");e.result+=ne(o),e.position++}else ce(e,"unknown escape sequence");n=i=e.position}else J(l)?(pe(e,n,i,!0),ye(e,ge(e,!1,t)),n=i=e.position):e.position===e.lineStart&&me(e)?ce(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}ce(e,"unexpected end of the stream within a double quoted scalar")}(e,d)?y=!0:!function(e){var t,n,i;if(42!==(i=e.input.charCodeAt(e.position)))return!1;for(i=e.input.charCodeAt(++e.position),t=e.position;0!==i&&!z(i)&&!X(i);)i=e.input.charCodeAt(++e.position);return e.position===t&&ce(e,"name of an alias node must contain at least one character"),n=e.input.slice(t,e.position),P.call(e.anchorMap,n)||ce(e,'unidentified alias "'+n+'"'),e.result=e.anchorMap[n],ge(e,!0,-1),!0}(e)?function(e,t,n){var i,r,o,a,l,c,s,u,p=e.kind,f=e.result;if(z(u=e.input.charCodeAt(e.position))||X(u)||35===u||38===u||42===u||33===u||124===u||62===u||39===u||34===u||37===u||64===u||96===u)return!1;if((63===u||45===u)&&(z(i=e.input.charCodeAt(e.position+1))||n&&X(i)))return!1;for(e.kind="scalar",e.result="",r=o=e.position,a=!1;0!==u;){if(58===u){if(z(i=e.input.charCodeAt(e.position+1))||n&&X(i))break}else if(35===u){if(z(e.input.charCodeAt(e.position-1)))break}else{if(e.position===e.lineStart&&me(e)||n&&X(u))break;if(J(u)){if(l=e.line,c=e.lineStart,s=e.lineIndent,ge(e,!1,-1),e.lineIndent>=t){a=!0,u=e.input.charCodeAt(e.position);continue}e.position=o,e.line=l,e.lineStart=c,e.lineIndent=s;break}}a&&(pe(e,r,o,!1),ye(e,e.line-l),r=o=e.position,a=!1),Q(u)||(o=e.position+1),u=e.input.charCodeAt(++e.position)}return pe(e,r,o,!1),!!e.result||(e.kind=p,e.result=f,!1)}(e,d,1===i)&&(y=!0,null===e.tag&&(e.tag="?")):(y=!0,null===e.tag&&null===e.anchor||ce(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===g&&(y=c&&be(e,h))),null===e.tag)null!==e.anchor&&(e.anchorMap[e.anchor]=e.result);else if("?"===e.tag){for(null!==e.result&&"scalar"!==e.kind&&ce(e,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+e.kind+'"'),s=0,u=e.implicitTypes.length;s<u;s+=1)if((f=e.implicitTypes[s]).resolve(e.result)){e.result=f.construct(e.result),e.tag=f.tag,null!==e.anchor&&(e.anchorMap[e.anchor]=e.result);break}}else if("!"!==e.tag){if(P.call(e.typeMap[e.kind||"fallback"],e.tag))f=e.typeMap[e.kind||"fallback"][e.tag];else for(f=null,s=0,u=(p=e.typeMap.multi[e.kind||"fallback"]).length;s<u;s+=1)if(e.tag.slice(0,p[s].tag.length)===p[s].tag){f=p[s];break}f||ce(e,"unknown tag !<"+e.tag+">"),null!==e.result&&f.kind!==e.kind&&ce(e,"unacceptable node kind for !<"+e.tag+'> tag; it should be "'+f.kind+'", not "'+e.kind+'"'),f.resolve(e.result,e.tag)?(e.result=f.construct(e.result,e.tag),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):ce(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")}return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||y}function ke(e){var t,n,i,r,o=e.position,a=!1;for(e.version=null,e.checkLineBreaks=e.legacy,e.tagMap=Object.create(null),e.anchorMap=Object.create(null);0!==(r=e.input.charCodeAt(e.position))&&(ge(e,!0,-1),r=e.input.charCodeAt(e.position),!(e.lineIndent>0||37!==r));){for(a=!0,r=e.input.charCodeAt(++e.position),t=e.position;0!==r&&!z(r);)r=e.input.charCodeAt(++e.position);for(i=[],(n=e.input.slice(t,e.position)).length<1&&ce(e,"directive name must not be less than one character in length");0!==r;){for(;Q(r);)r=e.input.charCodeAt(++e.position);if(35===r){do{r=e.input.charCodeAt(++e.position)}while(0!==r&&!J(r));break}if(J(r))break;for(t=e.position;0!==r&&!z(r);)r=e.input.charCodeAt(++e.position);i.push(e.input.slice(t,e.position))}0!==r&&he(e),P.call(ue,n)?ue[n](e,n,i):se(e,'unknown document directive "'+n+'"')}ge(e,!0,-1),0===e.lineIndent&&45===e.input.charCodeAt(e.position)&&45===e.input.charCodeAt(e.position+1)&&45===e.input.charCodeAt(e.position+2)?(e.position+=3,ge(e,!0,-1)):a&&ce(e,"directives end mark is expected"),we(e,e.lineIndent-1,4,!1,!0),ge(e,!0,-1),e.checkLineBreaks&&H.test(e.input.slice(o,e.position))&&se(e,"non-ASCII line breaks are interpreted as content"),e.documents.push(e.result),e.position===e.lineStart&&me(e)?46===e.input.charCodeAt(e.position)&&(e.position+=3,ge(e,!0,-1)):e.position<e.length-1&&ce(e,"end of the stream or a document separator is expected")}function Ce(e,t){t=t||{},0!==(e=String(e)).length&&(10!==e.charCodeAt(e.length-1)&&13!==e.charCodeAt(e.length-1)&&(e+="\n"),65279===e.charCodeAt(0)&&(e=e.slice(1)));var n=new ae(e,t),i=e.indexOf("\0");for(-1!==i&&(n.position=i,ce(n,"null byte is not allowed in input")),n.input+="\0";32===n.input.charCodeAt(n.position);)n.lineIndent+=1,n.position+=1;for(;n.position<n.length-1;)ke(n);return n.documents}var xe={loadAll:function(e,t,n){null!==t&&"object"==typeof t&&void 0===n&&(n=t,t=null);var i=Ce(e,n);if("function"!=typeof t)return i;for(var r=0,o=i.length;r<o;r+=1)t(i[r])},load:function(e,t){var n=Ce(e,t);if(0!==n.length){if(1===n.length)return n[0];throw new o("expected a single document in the stream, but found more")}}},Ie=Object.prototype.toString,Se=Object.prototype.hasOwnProperty,Oe=65279,je={0:"\\0",7:"\\a",8:"\\b",9:"\\t",10:"\\n",11:"\\v",12:"\\f",13:"\\r",27:"\\e",34:'\\"',92:"\\\\",133:"\\N",160:"\\_",8232:"\\L",8233:"\\P"},Te=["y","Y","yes","Yes","YES","on","On","ON","n","N","no","No","NO","off","Off","OFF"],Ne=/^[-+]?[0-9_]+(?::[0-9_]+)+(?:\.[0-9_]*)?$/;function Fe(e){var t,i,r;if(t=e.toString(16).toUpperCase(),e<=255)i="x",r=2;else if(e<=65535)i="u",r=4;else{if(!(e<=4294967295))throw new o("code point within a string may not be greater than 0xFFFFFFFF");i="U",r=8}return"\\"+i+n.repeat("0",r-t.length)+t}function Ee(e){this.schema=e.schema||K,this.indent=Math.max(1,e.indent||2),this.noArrayIndent=e.noArrayIndent||!1,this.skipInvalid=e.skipInvalid||!1,this.flowLevel=n.isNothing(e.flowLevel)?-1:e.flowLevel,this.styleMap=function(e,t){var n,i,r,o,a,l,c;if(null===t)return{};for(n={},r=0,o=(i=Object.keys(t)).length;r<o;r+=1)a=i[r],l=String(t[a]),"!!"===a.slice(0,2)&&(a="tag:yaml.org,2002:"+a.slice(2)),(c=e.compiledTypeMap.fallback[a])&&Se.call(c.styleAliases,l)&&(l=c.styleAliases[l]),n[a]=l;return n}(this.schema,e.styles||null),this.sortKeys=e.sortKeys||!1,this.lineWidth=e.lineWidth||80,this.noRefs=e.noRefs||!1,this.noCompatMode=e.noCompatMode||!1,this.condenseFlow=e.condenseFlow||!1,this.quotingType='"'===e.quotingType?2:1,this.forceQuotes=e.forceQuotes||!1,this.replacer="function"==typeof e.replacer?e.replacer:null,this.implicitTypes=this.schema.compiledImplicit,this.explicitTypes=this.schema.compiledExplicit,this.tag=null,this.result="",this.duplicates=[],this.usedDuplicates=null}function Me(e,t){for(var i,r=n.repeat(" ",t),o=0,a=-1,l="",c=e.length;o<c;)-1===(a=e.indexOf("\n",o))?(i=e.slice(o),o=c):(i=e.slice(o,a+1),o=a+1),i.length&&"\n"!==i&&(l+=r),l+=i;return l}function Le(e,t){return"\n"+n.repeat(" ",e.indent*t)}function _e(e){return 32===e||9===e}function De(e){return 32<=e&&e<=126||161<=e&&e<=55295&&8232!==e&&8233!==e||57344<=e&&e<=65533&&e!==Oe||65536<=e&&e<=1114111}function Ue(e){return De(e)&&e!==Oe&&13!==e&&10!==e}function qe(e,t,n){var i=Ue(e),r=i&&!_e(e);return(n?i:i&&44!==e&&91!==e&&93!==e&&123!==e&&125!==e)&&35!==e&&!(58===t&&!r)||Ue(t)&&!_e(t)&&35===e||58===t&&r}function Ye(e,t){var n,i=e.charCodeAt(t);return i>=55296&&i<=56319&&t+1<e.length&&(n=e.charCodeAt(t+1))>=56320&&n<=57343?1024*(i-55296)+n-56320+65536:i}function Re(e){return/^\n* /.test(e)}function Be(e,t,n,i,r,o,a,l){var c,s,u=0,p=null,f=!1,d=!1,h=-1!==i,g=-1,m=De(s=Ye(e,0))&&s!==Oe&&!_e(s)&&45!==s&&63!==s&&58!==s&&44!==s&&91!==s&&93!==s&&123!==s&&125!==s&&35!==s&&38!==s&&42!==s&&33!==s&&124!==s&&61!==s&&62!==s&&39!==s&&34!==s&&37!==s&&64!==s&&96!==s&&function(e){return!_e(e)&&58!==e}(Ye(e,e.length-1));if(t||a)for(c=0;c<e.length;u>=65536?c+=2:c++){if(!De(u=Ye(e,c)))return 5;m=m&&qe(u,p,l),p=u}else{for(c=0;c<e.length;u>=65536?c+=2:c++){if(10===(u=Ye(e,c)))f=!0,h&&(d=d||c-g-1>i&&" "!==e[g+1],g=c);else if(!De(u))return 5;m=m&&qe(u,p,l),p=u}d=d||h&&c-g-1>i&&" "!==e[g+1]}return f||d?n>9&&Re(e)?5:a?2===o?5:2:d?4:3:!m||a||r(e)?2===o?5:2:1}function Ke(e,t,n,i,r){e.dump=function(){if(0===t.length)return 2===e.quotingType?'""':"''";if(!e.noCompatMode&&(-1!==Te.indexOf(t)||Ne.test(t)))return 2===e.quotingType?'"'+t+'"':"'"+t+"'";var a=e.indent*Math.max(1,n),l=-1===e.lineWidth?-1:Math.max(Math.min(e.lineWidth,40),e.lineWidth-a),c=i||e.flowLevel>-1&&n>=e.flowLevel;switch(Be(t,c,e.indent,l,(function(t){return function(e,t){var n,i;for(n=0,i=e.implicitTypes.length;n<i;n+=1)if(e.implicitTypes[n].resolve(t))return!0;return!1}(e,t)}),e.quotingType,e.forceQuotes&&!i,r)){case 1:return t;case 2:return"'"+t.replace(/'/g,"''")+"'";case 3:return"|"+Pe(t,e.indent)+We(Me(t,a));case 4:return">"+Pe(t,e.indent)+We(Me(function(e,t){var n,i,r=/(\n+)([^\n]*)/g,o=(l=e.indexOf("\n"),l=-1!==l?l:e.length,r.lastIndex=l,He(e.slice(0,l),t)),a="\n"===e[0]||" "===e[0];var l;for(;i=r.exec(e);){var c=i[1],s=i[2];n=" "===s[0],o+=c+(a||n||""===s?"":"\n")+He(s,t),a=n}return o}(t,l),a));case 5:return'"'+function(e){for(var t,n="",i=0,r=0;r<e.length;i>=65536?r+=2:r++)i=Ye(e,r),!(t=je[i])&&De(i)?(n+=e[r],i>=65536&&(n+=e[r+1])):n+=t||Fe(i);return n}(t)+'"';default:throw new o("impossible error: invalid scalar style")}}()}function Pe(e,t){var n=Re(e)?String(t):"",i="\n"===e[e.length-1];return n+(i&&("\n"===e[e.length-2]||"\n"===e)?"+":i?"":"-")+"\n"}function We(e){return"\n"===e[e.length-1]?e.slice(0,-1):e}function He(e,t){if(""===e||" "===e[0])return e;for(var n,i,r=/ [^ ]/g,o=0,a=0,l=0,c="";n=r.exec(e);)(l=n.index)-o>t&&(i=a>o?a:l,c+="\n"+e.slice(o,i),o=i+1),a=l;return c+="\n",e.length-o>t&&a>o?c+=e.slice(o,a)+"\n"+e.slice(a+1):c+=e.slice(o),c.slice(1)}function $e(e,t,n,i){var r,o,a,l="",c=e.tag;for(r=0,o=n.length;r<o;r+=1)a=n[r],e.replacer&&(a=e.replacer.call(n,String(r),a)),(Ve(e,t+1,a,!0,!0,!1,!0)||void 0===a&&Ve(e,t+1,null,!0,!0,!1,!0))&&(i&&""===l||(l+=Le(e,t)),e.dump&&10===e.dump.charCodeAt(0)?l+="-":l+="- ",l+=e.dump);e.tag=c,e.dump=l||"[]"}function Ge(e,t,n){var i,r,a,l,c,s;for(a=0,l=(r=n?e.explicitTypes:e.implicitTypes).length;a<l;a+=1)if(((c=r[a]).instanceOf||c.predicate)&&(!c.instanceOf||"object"==typeof t&&t instanceof c.instanceOf)&&(!c.predicate||c.predicate(t))){if(n?c.multi&&c.representName?e.tag=c.representName(t):e.tag=c.tag:e.tag="?",c.represent){if(s=e.styleMap[c.tag]||c.defaultStyle,"[object Function]"===Ie.call(c.represent))i=c.represent(t,s);else{if(!Se.call(c.represent,s))throw new o("!<"+c.tag+'> tag resolver accepts not "'+s+'" style');i=c.represent[s](t,s)}e.dump=i}return!0}return!1}function Ve(e,t,n,i,r,a,l){e.tag=null,e.dump=n,Ge(e,n,!1)||Ge(e,n,!0);var c,s=Ie.call(e.dump),u=i;i&&(i=e.flowLevel<0||e.flowLevel>t);var p,f,d="[object Object]"===s||"[object Array]"===s;if(d&&(f=-1!==(p=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||f||2!==e.indent&&t>0)&&(r=!1),f&&e.usedDuplicates[p])e.dump="*ref_"+p;else{if(d&&f&&!e.usedDuplicates[p]&&(e.usedDuplicates[p]=!0),"[object Object]"===s)i&&0!==Object.keys(e.dump).length?(!function(e,t,n,i){var r,a,l,c,s,u,p="",f=e.tag,d=Object.keys(n);if(!0===e.sortKeys)d.sort();else if("function"==typeof e.sortKeys)d.sort(e.sortKeys);else if(e.sortKeys)throw new o("sortKeys must be a boolean or a function");for(r=0,a=d.length;r<a;r+=1)u="",i&&""===p||(u+=Le(e,t)),c=n[l=d[r]],e.replacer&&(c=e.replacer.call(n,l,c)),Ve(e,t+1,l,!0,!0,!0)&&((s=null!==e.tag&&"?"!==e.tag||e.dump&&e.dump.length>1024)&&(e.dump&&10===e.dump.charCodeAt(0)?u+="?":u+="? "),u+=e.dump,s&&(u+=Le(e,t)),Ve(e,t+1,c,!0,s)&&(e.dump&&10===e.dump.charCodeAt(0)?u+=":":u+=": ",p+=u+=e.dump));e.tag=f,e.dump=p||"{}"}(e,t,e.dump,r),f&&(e.dump="&ref_"+p+e.dump)):(!function(e,t,n){var i,r,o,a,l,c="",s=e.tag,u=Object.keys(n);for(i=0,r=u.length;i<r;i+=1)l="",""!==c&&(l+=", "),e.condenseFlow&&(l+='"'),a=n[o=u[i]],e.replacer&&(a=e.replacer.call(n,o,a)),Ve(e,t,o,!1,!1)&&(e.dump.length>1024&&(l+="? "),l+=e.dump+(e.condenseFlow?'"':"")+":"+(e.condenseFlow?"":" "),Ve(e,t,a,!1,!1)&&(c+=l+=e.dump));e.tag=s,e.dump="{"+c+"}"}(e,t,e.dump),f&&(e.dump="&ref_"+p+" "+e.dump));else if("[object Array]"===s)i&&0!==e.dump.length?(e.noArrayIndent&&!l&&t>0?$e(e,t-1,e.dump,r):$e(e,t,e.dump,r),f&&(e.dump="&ref_"+p+e.dump)):(!function(e,t,n){var i,r,o,a="",l=e.tag;for(i=0,r=n.length;i<r;i+=1)o=n[i],e.replacer&&(o=e.replacer.call(n,String(i),o)),(Ve(e,t,o,!1,!1)||void 0===o&&Ve(e,t,null,!1,!1))&&(""!==a&&(a+=","+(e.condenseFlow?"":" ")),a+=e.dump);e.tag=l,e.dump="["+a+"]"}(e,t,e.dump),f&&(e.dump="&ref_"+p+" "+e.dump));else{if("[object String]"!==s){if("[object Undefined]"===s)return!1;if(e.skipInvalid)return!1;throw new o("unacceptable kind of an object to dump "+s)}"?"!==e.tag&&Ke(e,e.dump,t,a,u)}null!==e.tag&&"?"!==e.tag&&(c=encodeURI("!"===e.tag[0]?e.tag.slice(1):e.tag).replace(/!/g,"%21"),c="!"===e.tag[0]?"!"+c:"tag:yaml.org,2002:"===c.slice(0,18)?"!!"+c.slice(18):"!<"+c+">",e.dump=c+" "+e.dump)}return!0}function Ze(e,t){var n,i,r=[],o=[];for(Je(e,r,o),n=0,i=o.length;n<i;n+=1)t.duplicates.push(r[o[n]]);t.usedDuplicates=new Array(i)}function Je(e,t,n){var i,r,o;if(null!==e&&"object"==typeof e)if(-1!==(r=t.indexOf(e)))-1===n.indexOf(r)&&n.push(r);else if(t.push(e),Array.isArray(e))for(r=0,o=e.length;r<o;r+=1)Je(e[r],t,n);else for(r=0,o=(i=Object.keys(e)).length;r<o;r+=1)Je(e[i[r]],t,n)}function Qe(e,t){return function(){throw new Error("Function yaml."+e+" is removed in js-yaml 4. Use yaml."+t+" instead, which is now safe by default.")}}var ze=p,Xe=h,et=b,tt=O,nt=j,it=K,rt=xe.load,ot=xe.loadAll,at={dump:function(e,t){var n=new Ee(t=t||{});n.noRefs||Ze(e,n);var i=e;return n.replacer&&(i=n.replacer.call({"":i},"",i)),Ve(n,0,i,!0,!0)?n.dump+"\n":""}}.dump,lt=o,ct={binary:L,float:S,map:y,null:A,pairs:Y,set:B,timestamp:F,bool:v,int:C,merge:E,omap:U,seq:m,str:g},st=Qe("safeLoad","load"),ut=Qe("safeLoadAll","loadAll"),pt=Qe("safeDump","dump"),ft={Type:ze,Schema:Xe,FAILSAFE_SCHEMA:et,JSON_SCHEMA:tt,CORE_SCHEMA:nt,DEFAULT_SCHEMA:it,load:rt,loadAll:ot,dump:at,YAMLException:lt,types:ct,safeLoad:st,safeLoadAll:ut,safeDump:pt};e.CORE_SCHEMA=nt,e.DEFAULT_SCHEMA=it,e.FAILSAFE_SCHEMA=et,e.JSON_SCHEMA=tt,e.Schema=Xe,e.Type=ze,e.YAMLException=lt,e.default=ft,e.dump=at,e.load=rt,e.loadAll=ot,e.safeDump=pt,e.safeLoad=st,e.safeLoadAll=ut,e.types=ct,Object.defineProperty(e,"__esModule",{value:!0})}));
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5ddcaebf2..52470ca5e 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -170,6 +170,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 						// nothing, clear publicId
 					}
 					break;
+				case 'elastalert':
+					try {
+						pid = this.extractElastAlertPublicID();
+					} catch (e) {}
+					break;
 			}
 
 			this.detect.publicId = pid;
@@ -278,6 +283,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return results[1];
 		},
+		extractElastAlertPublicID() {
+			const yaml = jsyaml.load(this.detect.content);
+			return yaml['id'];
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/licensing/license_manager_test.go b/licensing/license_manager_test.go
index f83d08e09..897fe92a9 100644
--- a/licensing/license_manager_test.go
+++ b/licensing/license_manager_test.go
@@ -18,7 +18,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 )
 
 const EXPIRED_KEY = ` H4sIAIvZnGMAA22QR4+bUBSF9/kVFlvPBExz2ZlqijHVNo6yeMaPYsOjPWMgyn8PMyNFihTpLm75zjnS/UXAOIYRzjpIbAiaohfv1Ef5FLX5rAvxRsC+yhqAsxJ9MfR/GASKDwcftnhmZhFELZy9z6yDP1MO7izw5JlmzWz3IAWirx2sSZHdJj4GD/hOUYtpzr9UHy7KtP3rYsBhusYQ4GcDW2Lz4+cb8WxhM7WLKbe8wa+uLaOgySd1inHVbkiyLQv4SmEDv2eoA/mU90bcAAb/UgCVeIK+VzmI4ES0WYI+oyYm8VBxAEZUFbKlp2ugz6t9n15kiX0uligc+es1jf3A7HldUAoctnhtxZ6f7R3+Rc5tOdqqcM5J/F0UyZJh4raOdcNTa6EEyoq+CXR0PloieilIUFlTgwa748r0chJZj2TdmAq3owZi3iFFk4vzx9mUGV41U1N3yLA/GEnCN+tdLa3uAR1zwn6MEh+EmDxefX9VulSjqi6F08hfcQLfYGNXnWxMFpwkKY3h6bJp8bs2z/zRfvCZEu7z3VDh8HRzoOMPa/51S8ho6LrBw7KZgu3qkq7KVGeHu+1Q9LZXkzJDJwaLnnwKpJAbnfkQstcyAlq0ho++q5YLDw11nES0xj+3NmfgvLhYC7rXKFGO927oPHg7oql6MNvDqxMWYxPuBkg/K+Uum/bxnGT90mwjrvZD4+yJmly1Llo+rsGZdZugo307jKf/FbdR950Vr1BHnRrlZMwsACQml/XKq8J5iV5HxgF7sub6Xueyvk7Gfo2Km1AuVZYsWNOv0FEtB4H1WJW/ayfh1S0ZZiB+f/sDb9bxLiEDAAA= 	`
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 9ece4c656..b515b05ff 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -262,6 +262,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 }
 
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
+	errMap = map[string]string{} // map[det.PublicID]error
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
diff --git a/server/infohandler.go b/server/infohandler.go
index dceeefaef..21743094f 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -86,6 +86,26 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "All",
 				Query: "_id:*",
 			},
+			{
+				Name:  "Enabled",
+				Query: "so_detection.isEnabled:true",
+			},
+			{
+				Name:  "Suricata",
+				Query: "so_detection.engine:suricata",
+			},
+			{
+				Name:  "ElastAlert",
+				Query: "so_detection.engine:elastalert",
+			},
+			{
+				Name:  "Suricata Enabled",
+				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
+			},
+			{
+				Name:  "ElastAlert Enabled",
+				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
+			},
 		}
 	}
 
@@ -95,7 +115,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detection.Presets = map[string]config.PresetParameters{
 			"severity": {
 				CustomEnabled: false,
-				Labels:        []string{"unknown", "informational", "minor", "major", "critical"},
+				Labels:        []string{"unknown", "informational", "low", "medium", "high", "critical"},
 			},
 			"engine": {
 				CustomEnabled: false,
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 87d85066d..4baf06fd5 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -23,19 +23,25 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/util"
 
 	"github.com/apex/log"
-	"github.com/google/go-github/v56/github"
+	"gopkg.in/yaml.v3"
 )
 
 var errModuleStopped = fmt.Errorf("module has stopped running")
 
+var acceptedExtensions = map[string]bool{
+	".yml":  true,
+	".yaml": true,
+}
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
-	sigmaRepo                            string
+	sigmaPackageDownloadTemplate         string
 	elastAlertRulesFolder                string
 	rulesFingerprintFile                 string
 	sigconverterUrl                      string
 	sigmaRulePackages                    []string
+	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 }
@@ -51,11 +57,14 @@ func (e *ElastAlertEngine) PrerequisiteModules() []string {
 }
 
 func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
+	e.thread = &sync.WaitGroup{}
+
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
-	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
+	e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip")
 	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
 	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
+	e.sigmaConversionTarget = module.GetStringDefault(config, "sigmaConversionTarget", "eql")
 
 	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
 	e.parseSigmaPackages(pkgs)
@@ -96,13 +105,13 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 	set := map[string]struct{}{}
 
 	for _, pkg := range pkgs {
+		pkg = strings.TrimSpace(pkg)
 		switch pkg {
 		case "all":
 			set["all_rules"] = struct{}{}
-		case "emerging_threats_addon":
-			set["emerging_threats"] = struct{}{}
+		case "emerging_threats":
+			set["emerging_threats_addon"] = struct{}{}
 		default:
-			pkg = strings.TrimSpace(pkg)
 			if pkg != "" {
 				set[pkg] = struct{}{}
 			}
@@ -114,7 +123,7 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 		delete(set, "core++")
 		delete(set, "core+")
 		delete(set, "core")
-		delete(set, "emerging_threats")
+		delete(set, "emerging_threats_addon")
 	}
 
 	_, ok = set["core++"]
@@ -135,10 +144,51 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 }
 
 func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
-	return nil, nil
+	errMap = map[string]string{} // map[publicID]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	index, err := e.indexExistingRules()
+	if err != nil {
+		return nil, fmt.Errorf("unable to index existing rules: %w", err)
+	}
+
+	for _, det := range detections {
+		path := index[det.PublicID]
+		if path == "" {
+			path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
+		}
+
+		if det.IsEnabled {
+			eaRule, err := e.sigmaToElastAlert(ctx, det)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Sprintf("unable to convert sigma to elastalert: %s", err)
+				continue
+			}
+
+			err = os.WriteFile(path, []byte(eaRule), 0644)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Sprintf("unable to write enabled detection file: %s", err)
+				continue
+			}
+		} else {
+			// was enabled, no longer is enabled: Disable
+			err = os.Remove(path)
+			if err != nil && !os.IsNotExist(err) {
+				errMap[det.PublicID] = fmt.Sprintf("unable to remove disabled detection file: %s", err)
+				continue
+			}
+		}
+	}
+
+	return errMap, nil
 }
 
 func (e *ElastAlertEngine) startCommunityRuleImport() {
+	e.thread.Add(1)
 	defer func() {
 		e.thread.Done()
 		e.isRunning = false
@@ -241,11 +291,6 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 		}
 	}()
 
-	acceptedExtensions := map[string]bool{
-		".yml":  true,
-		".yaml": true,
-	}
-
 	for pkg, zipData := range pkgZips {
 		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
@@ -283,8 +328,6 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 
 			if rule.ID != nil {
 				id = *rule.ID
-			} else {
-				fmt.Println()
 			}
 
 			sev := model.SeverityUnknown
@@ -319,7 +362,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 }
 
 func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
-	index, err := e.indexExistingRules()
+	existing, err := e.indexExistingRules()
 	if err != nil {
 		return nil, err
 	}
@@ -329,9 +372,15 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 		return nil, err
 	}
 
+	index := map[string]string{}
 	toDelete := map[string]struct{}{} // map[publicID]struct{}
 	for _, det := range community {
 		toDelete[det.PublicID] = struct{}{}
+
+		path, ok := existing[det.PublicID]
+		if ok {
+			index[det.PublicID] = path
+		}
 	}
 
 	results := struct {
@@ -350,12 +399,10 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 			path = index[det.Title]
 		}
 
-		det.IsEnabled = path != ""
-
 		// 1. Save sigma Detection to ElasticSearch
 		oldDet, exists := community[det.PublicID]
 		if exists {
-			det.Id = oldDet.Id
+			det.IsEnabled, det.Id = oldDet.IsEnabled, oldDet.Id
 			if oldDet.Content != det.Content {
 				_, err = e.srv.Detectionstore.UpdateDetection(ctx, det)
 				if err != nil {
@@ -383,20 +430,29 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 		if det.IsEnabled {
 			// 2. if enabled, send data to docker container to get converted to query
 
-			rule, err := e.sigmaToElastAlert(ctx, det.Content) // get sigma from docker container
+			rule, err := e.sigmaToElastAlert(ctx, det) // get sigma from docker container
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to convert sigma to elastalert: %s", err)
 				continue
 			}
 
-			_ = rule
 			// 3. put query in /opt/so/rules/sigma for salt to pick up
+			if path == "" {
+				path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
+			}
 
-			err = nil // os.WriteFile(path, []byte(rule), 0644)
+			err = os.WriteFile(path, []byte(rule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
 				continue
 			}
+		} else if path != "" {
+			// detection is disabled but a file exists, remove it
+			err = os.Remove(path)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to remove disabled detection file: %s", err)
+				continue
+			}
 		}
 	}
 
@@ -429,49 +485,11 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 		}
 	}()
 
-	gh := github.NewClient(nil)
-
-	release, _, err := gh.Repositories.GetLatestRelease(ctx, "SigmaHQ", "sigma")
-	if err != nil {
-		errMap["sigma"] = err
-		return nil, errMap
-	}
-
-	pkgs := map[string]string{} // map[pkgName]downloadUrl
-
-	// organize assets
-	for _, asset := range release.Assets {
-		name := strings.ToLower(asset.GetName())
-		if !strings.HasSuffix(name, ".zip") {
-			continue
-		}
-
-		link := asset.GetBrowserDownloadURL()
-
-		// Must be if/else-if so the order is correct.
-		// A switch statement might check "core" before "core++"
-		if strings.Contains(name, "all_rules") {
-			pkgs["all_rules"] = link
-		} else if strings.Contains(name, "core++") {
-			pkgs["core++"] = link
-		} else if strings.Contains(name, "core+") {
-			pkgs["core+"] = link
-		} else if strings.Contains(name, "core") {
-			pkgs["core"] = link
-		} else if strings.Contains(name, "emerging_threats") {
-			pkgs["emerging_threats"] = link
-		}
-	}
-
 	stats := map[string]int{} // map[pkgName]fileSize
 	zipData = map[string][]byte{}
 
 	for _, pkg := range e.sigmaRulePackages {
-		download, ok := pkgs[pkg]
-		if !ok {
-			log.WithField("package", pkg).Warn("unknown sigma package")
-			continue
-		}
+		download := fmt.Sprintf(e.sigmaPackageDownloadTemplate, pkg)
 
 		resp, err := http.Get(download)
 		if err != nil {
@@ -495,9 +513,11 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 
 	log.WithField("downloadSizes", stats).Info("downloaded sigma packages")
 
-	return zipData, nil
+	return zipData, errMap
 }
 
+// indexExistingRules maps the publicID of a detection to the path of the rule file.
+// Note that it indexes ALL rules and not just community rules.
 func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
 	index = map[string]string{} // map[id | title]path
 
@@ -513,21 +533,12 @@ func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err er
 
 		filename := filepath.Join(e.elastAlertRulesFolder, rule.Name())
 
-		data, err := os.ReadFile(filename)
-		if err != nil {
-			return nil, fmt.Errorf("unable to read elastalert rule file %s: %w", filename, err)
-		}
-
-		rule, err := ParseElastAlertRule(data)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse elastalert rule file %s: %w", filename, err)
+		ext := filepath.Ext(rule.Name())
+		if !acceptedExtensions[strings.ToLower(ext)] {
+			continue
 		}
 
-		id := rule.Title
-
-		if rule.ID != nil {
-			id = *rule.ID
-		}
+		id := strings.TrimSuffix(rule.Name(), ext)
 
 		index[id] = filename
 	}
@@ -535,7 +546,7 @@ func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err er
 	return index, nil
 }
 
-func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string) (string, error) {
+func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Detection) (string, error) {
 	// wrapper for the payload
 	ruleWrapper := struct {
 		Rule     string   `json:"rule"`
@@ -543,9 +554,9 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string)
 		Target   string   `json:"target"`
 		Format   string   `json:"format"`
 	}{
-		Rule:     base64.StdEncoding.EncodeToString([]byte(sigma)),
+		Rule:     base64.StdEncoding.EncodeToString([]byte(det.Content)),
 		Pipeline: []string{},
-		Target:   "eql",
+		Target:   e.sigmaConversionTarget,
 		Format:   "default",
 	}
 
@@ -570,14 +581,206 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string)
 	}
 	defer resp.Body.Close()
 
+	rawRule, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
 	}
 
-	elastRule, err := io.ReadAll(resp.Body)
+	rule := string(rawRule)
+
+	if strings.HasPrefix(rule, "Error:") {
+		rule = strings.TrimSpace(strings.TrimPrefix(rule, "Error:"))
+		return "", fmt.Errorf("sigconverter returned error: %s", rule)
+	}
+
+	elastRule, err := wrapRule(det, string(rawRule))
+	if err != nil {
+		return "", fmt.Errorf("unable to wrap rule: %w", err)
+	}
+
+	return elastRule, nil
+}
+
+type CustomWrapper struct {
+	PlayTitle     string   `yaml:"play_title"`
+	PlayID        string   `yaml:"play_id"`
+	EventModule   string   `yaml:"event.module"`
+	EventDataset  string   `yaml:"event.dataset"`
+	EventSeverity int      `yaml:"event.severity"`
+	RuleCategory  string   `yaml:"rule.category"`
+	SigmaLevel    string   `yaml:"sigma_level"`
+	Alert         []string `yaml:"alert"`
+
+	Index       string                   `yaml:"index"`
+	Name        string                   `yaml:"name"`
+	Realert     *TimeFrame               `yaml:"realert,omitempty"` // or 0
+	Type        string                   `yaml:"type"`
+	Filter      []map[string]interface{} `yaml:"filter"`
+	PlayUrl     string                   `yaml:"play_url"`
+	KibanaPivot string                   `yaml:"kibana_pivot"`
+	SocPivot    string                   `yaml:"soc_pivot"`
+}
+
+type TimeFrame struct {
+	Milliseconds *int    `yaml:"milliseconds,omitempty"`
+	Seconds      *int    `yaml:"seconds,omitempty"`
+	Minutes      *int    `yaml:"minutes,omitempty"`
+	Hours        *int    `yaml:"hours,omitempty"`
+	Days         *int    `yaml:"days,omitempty"`
+	Weeks        *int    `yaml:"weeks,omitempty"`
+	Schedule     *string `yaml:"schedule,omitempty"`
+}
+
+func (dur *TimeFrame) SetSeconds(s int) {
+	dur.Milliseconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Seconds = util.Ptr(s)
+}
+
+func (dur *TimeFrame) SetMilliseconds(m int) {
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Milliseconds = util.Ptr(m)
+}
+
+func (dur *TimeFrame) SetMinutes(m int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Minutes = util.Ptr(m)
+}
+
+func (dur *TimeFrame) SetHours(h int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Hours = util.Ptr(h)
+}
+
+func (dur *TimeFrame) SetDays(d int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Days = util.Ptr(d)
+}
+
+func (dur *TimeFrame) SetWeeks(w int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Schedule = nil
+	dur.Weeks = util.Ptr(w)
+}
+
+func (dur *TimeFrame) SetSchedule(w string) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = util.Ptr(w)
+}
+
+func (dur TimeFrame) MarshalYAML() (interface{}, error) {
+	if dur.Milliseconds == nil &&
+		dur.Seconds == nil &&
+		dur.Minutes == nil &&
+		dur.Hours == nil &&
+		dur.Days == nil &&
+		dur.Weeks == nil &&
+		dur.Schedule == nil {
+		return 0, nil
+	}
+
+	type Alias TimeFrame
+
+	return struct {
+		Alias `yaml:",inline"`
+	}{(Alias)(dur)}, nil
+}
+
+func (dur *TimeFrame) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var zero int
+
+	err := unmarshal(&zero)
+	if err == nil {
+		return nil
+	}
+
+	type Alias *TimeFrame
+
+	dur = &TimeFrame{}
+
+	err = unmarshal(struct {
+		A Alias `yaml:",inline"`
+	}{(Alias)(dur)})
+
+	return err
+}
+
+func wrapRule(det *model.Detection, rule string) (string, error) {
+	severities := map[model.Severity]int{
+		model.SeverityUnknown:       0,
+		model.SeverityInformational: 1,
+		model.SeverityLow:           2,
+		model.SeverityMedium:        3,
+		model.SeverityHigh:          4,
+		model.SeverityCritical:      5,
+	}
+
+	sevNum := severities[det.Severity]
+
+	wrapper := &CustomWrapper{
+		PlayTitle:     det.Title,
+		PlayID:        det.Id,
+		EventModule:   "elastalert",
+		EventDataset:  "elastalert.alert",
+		EventSeverity: sevNum,
+		RuleCategory:  "TBD",
+		SigmaLevel:    string(det.Severity),
+		Alert:         []string{"modules.so.playbook-es.PlaybookESAlerter"},
+		Index:         ".ds-logs-*",
+		Name:          fmt.Sprintf("%s - %s", det.Title, det.Id),
+		Realert:       nil,
+		Type:          "any",
+		Filter: []map[string]interface{}{
+			{
+				"eql": rule,
+			},
+		},
+		PlayUrl:     "play_url",
+		KibanaPivot: "kibana_pivot",
+		SocPivot:    "soc_pivot",
+	}
+
+	rawYaml, err := yaml.Marshal(wrapper)
 	if err != nil {
 		return "", err
 	}
 
-	return string(elastRule), nil
+	return string(rawYaml), nil
 }
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index f78c05398..0839027ca 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1,12 +1,20 @@
 package elastalert
 
 import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sort"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
-	"github.com/tj/assert"
+	"gopkg.in/yaml.v3"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestElastAlertModule(t *testing.T) {
@@ -32,3 +40,327 @@ func TestElastAlertModule(t *testing.T) {
 	assert.Equal(t, 1, len(srv.DetectionEngines))
 	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameElastAlert])
 }
+
+func TestParseSigmaPackages(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name     string
+		Input    string
+		Expected []string
+	}{
+		{
+			Name:     "Simple Sunny Day Path",
+			Input:    "core",
+			Expected: []string{"core"},
+		},
+		{
+			Name:     "Multiple Packages",
+			Input:    "core+\nemerging_threats",
+			Expected: []string{"core+", "emerging_threats_addon"},
+		},
+		{
+			Name:     "Rename (all => all_rules)",
+			Input:    "all",
+			Expected: []string{"all_rules"},
+		},
+		{
+			Name:     "Rename (emerging_threats_addon => emerging_threats)",
+			Input:    "emerging_threats",
+			Expected: []string{"emerging_threats_addon"},
+		},
+		{
+			Name:     "Normalize",
+			Input:    "CoRe++\n",
+			Expected: []string{"core++"},
+		},
+		{
+			Name:     "Account For Nesting Packages",
+			Input:    "core\ncore+\ncore++\nall_rules\nemerging_threats",
+			Expected: []string{"all_rules"},
+		},
+	}
+
+	for _, tt := range table {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			engine := ElastAlertEngine{}
+
+			engine.parseSigmaPackages(tt.Input)
+
+			sort.Strings(engine.sigmaRulePackages)
+			sort.Strings(tt.Expected)
+
+			assert.Equal(t, tt.Expected, engine.sigmaRulePackages)
+		})
+	}
+}
+
+func TestTimeFrame(t *testing.T) {
+	tf := TimeFrame{}
+
+	tf.SetWeeks(1)
+	assert.Equal(t, 1, *tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetDays(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Equal(t, 1, *tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetHours(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Equal(t, 1, *tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetMinutes(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Equal(t, 1, *tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetSeconds(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Equal(t, 1, *tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetMilliseconds(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Equal(t, 1, *tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetSchedule("0 0 0 * * *")
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Equal(t, "0 0 0 * * *", *tf.Schedule)
+
+	tf.Schedule = nil // everything is now nil
+
+	yml, err := yaml.Marshal(tf)
+	assert.NoError(t, err)
+	assert.Equal(t, "0\n", string(yml))
+
+	err = yaml.Unmarshal(yml, &tf)
+	assert.NoError(t, err)
+	assert.Empty(t, tf)
+
+	tf.SetWeeks(1)
+
+	yml, err = yaml.Marshal(tf)
+	assert.NoError(t, err)
+	assert.Equal(t, "weeks: 1\n", string(yml))
+
+	err = yaml.Unmarshal(yml, &tf)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, *tf.Weeks)
+}
+
+func TestSigmaToElastAlertSunnyDay(t *testing.T) {
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("<eql>"))
+
+		callCount++
+	}))
+	defer srv.Close()
+
+	engine := ElastAlertEngine{
+		sigconverterUrl:       srv.URL,
+		sigmaConversionTarget: "eql",
+	}
+
+	det := &model.Detection{
+		Auditable: model.Auditable{
+			Id: "00000000-0000-0000-0000-000000000000",
+		},
+		Content:  "totally good sigma",
+		Title:    "Test Detection",
+		Severity: model.SeverityHigh,
+	}
+
+	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.NoError(t, err)
+
+	expected := `play_title: Test Detection
+play_id: 00000000-0000-0000-0000-000000000000
+event.module: elastalert
+event.dataset: elastalert.alert
+event.severity: 4
+rule.category: TBD
+sigma_level: high
+alert:
+    - modules.so.playbook-es.PlaybookESAlerter
+index: .ds-logs-*
+name: Test Detection - 00000000-0000-0000-0000-000000000000
+type: any
+filter:
+    - eql: <eql>
+play_url: play_url
+kibana_pivot: kibana_pivot
+soc_pivot: soc_pivot
+`
+	assert.YAMLEq(t, expected, wrappedRule)
+	assert.Equal(t, 1, callCount)
+}
+
+func TestSigmaToElastAlertError(t *testing.T) {
+	callCount := 0
+	msg := "something went wrong"
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("Error: " + msg))
+
+		callCount++
+	}))
+	defer srv.Close()
+
+	engine := ElastAlertEngine{
+		sigconverterUrl:       srv.URL,
+		sigmaConversionTarget: "eql",
+	}
+
+	det := &model.Detection{
+		Auditable: model.Auditable{
+			Id: "00000000-0000-0000-0000-000000000000",
+		},
+		Content:  "totally good sigma",
+		Title:    "Test Detection",
+		Severity: model.SeverityHigh,
+	}
+
+	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.Equal(t, "", wrappedRule)
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, msg)
+}
+
+func TestParseRules(t *testing.T) {
+	data := `title: Always Alert
+id: 00000000-0000-0000-0000-00000000
+status: experimental
+description: Always Alerts
+author: Corey Ogburn
+date: 2023/11/03
+modified: 2023/11/03
+logsource:
+    product: windows
+detection:
+    filter:
+       event.module: "zeek"
+    condition: "filter"
+level: high
+`
+
+	buf := bytes.NewBuffer([]byte{})
+
+	writer := zip.NewWriter(buf)
+	aa, err := writer.Create("rules/always_alert.yml")
+	assert.NoError(t, err)
+
+	_, err = aa.Write([]byte(data))
+	assert.NoError(t, err)
+
+	bad, err := writer.Create("rules/bad.yml")
+	assert.NoError(t, err)
+
+	_, err = bad.Write([]byte("bad data"))
+	assert.NoError(t, err)
+
+	err = writer.Close()
+	assert.NoError(t, err)
+
+	pkgZips := map[string][]byte{
+		"all_rules": buf.Bytes(),
+	}
+
+	engine := ElastAlertEngine{}
+
+	expected := &model.Detection{
+		PublicID:    "00000000-0000-0000-0000-00000000",
+		Title:       "Always Alert",
+		Severity:    model.SeverityHigh,
+		Content:     data,
+		IsCommunity: true,
+		Engine:      model.EngineNameElastAlert,
+	}
+
+	dets, errMap := engine.parseRules(pkgZips)
+	assert.NotNil(t, errMap)
+	assert.Error(t, errMap["rules/bad.yml"])
+	assert.Len(t, dets, 1)
+	assert.Equal(t, expected, dets[0])
+}
+
+func TestDownloadSigmaPackages(t *testing.T) {
+	t.Parallel()
+
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+
+		if r.RequestURI == "/fake.zip" {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		assert.Equal(t, http.MethodGet, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("data"))
+
+	}))
+	defer srv.Close()
+
+	pkgs := []string{"core", "core+", "core++", "emerging_threats_addon", "all_rules", "fake"}
+
+	engine := ElastAlertEngine{
+		sigmaRulePackages:            pkgs,
+		sigmaPackageDownloadTemplate: srv.URL + "/%s.zip",
+	}
+
+	pkgZips, errMap := engine.downloadSigmaPackages(context.Background())
+	assert.NotNil(t, errMap)
+	assert.Error(t, errMap["fake"])
+	assert.Len(t, pkgZips, len(pkgs)-1)
+
+	for _, pkg := range pkgs[:len(pkgs)-1] {
+		assert.Equal(t, []byte("data"), pkgZips[pkg])
+	}
+
+	assert.Equal(t, len(pkgs), callCount)
+}
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
index aec7a077f..43b5c35ff 100644
--- a/server/modules/elastalert/oneormore_test.go
+++ b/server/modules/elastalert/oneormore_test.go
@@ -3,7 +3,7 @@ package elastalert
 import (
 	"testing"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 	"gopkg.in/yaml.v3"
 )
 
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 1217cf3fa..2ce0d1a41 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -4,7 +4,8 @@ import (
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/util"
-	"github.com/tj/assert"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestParseSuricata(t *testing.T) {
diff --git a/web/middleware_test.go b/web/middleware_test.go
index 3627b5eb6..d38f28c1e 100644
--- a/web/middleware_test.go
+++ b/web/middleware_test.go
@@ -13,7 +13,7 @@ import (
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 )
 
 type TestHandler struct {

From 6328360e5ee826438671daed7139a66460d515e9 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 7 Nov 2023 11:07:05 -0700
Subject: [PATCH 017/102] WIP: License Text, Linting

`make([]any, x, x)` only needs to specify len, cap will match.

`x == nil || len(x) == 0` only the len check is necessary. len(nil) is 0.

`time.Now().Sub(...)` should be `time.Since(...)`.

Define, init, return simplified to return.

Unlike other languages, go doesn't require `break` statements at the end of cases in a switch.
---
 agent/jobmanager_test.go                      |  5 +++++
 html/js/routes/detection.js                   |  1 -
 html/js/routes/home.test.js                   |  5 +++++
 model/detection.go                            |  5 +++++
 model/event.go                                |  2 +-
 model/query.go                                | 22 +++++++++----------
 server/detectionengine.go                     |  5 +++++
 server/eventstore_fake.go                     |  6 ++---
 server/gridmembershandler_test.go             |  5 +++++
 server/memconfigstore.go                      |  5 +++++
 server/memconfigstore_test.go                 |  5 +++++
 server/modules/elastalert/elastalert.go       |  5 +++++
 server/modules/elastalert/elastalert_test.go  |  5 +++++
 server/modules/elastalert/oneormore.go        |  5 +++++
 server/modules/elastalert/oneormore_test.go   |  5 +++++
 server/modules/elastalert/validate.go         |  5 +++++
 server/modules/elastalert/validate_test.go    |  5 +++++
 server/modules/elastic/converter_test.go      |  2 +-
 .../modules/elastic/elasticdetectionstore.go  |  5 +++++
 server/modules/elastic/elasticeventstore.go   |  2 +-
 .../modules/elastic/elasticeventstore_test.go |  2 +-
 .../filedatastore/filedatastoreimpl.go        |  4 +---
 server/modules/kratos/kratosuser_test.go      |  2 +-
 server/modules/salt/options/context.go        |  5 +++++
 server/modules/salt/options/context_test.go   |  5 +++++
 server/modules/salt/saltstore.go              | 19 ++++++++--------
 server/modules/sostatus/sostatus.go           |  2 +-
 .../statickeyauth/statickeyauthimpl.go        |  2 +-
 server/modules/staticrbac/staticrbac_test.go  |  4 ++--
 server/modules/suricata/suricata.go           |  5 +++++
 server/modules/suricata/suricata_test.go      |  5 +++++
 server/modules/suricata/validate.go           |  5 +++++
 server/modules/suricata/validate_test.go      |  5 +++++
 server/queryhandler_test.go                   |  5 +++++
 server/server_fake.go                         |  2 +-
 server/utilhandler.go                         |  5 +++++
 server/utilhandler_test.go                    |  5 +++++
 util/ptr.go                                   |  5 +++++
 web/host.go                                   |  2 +-
 web/middleware.go                             |  5 +++++
 web/middleware_test.go                        |  5 +++++
 41 files changed, 165 insertions(+), 39 deletions(-)

diff --git a/agent/jobmanager_test.go b/agent/jobmanager_test.go
index 10c4c6801..1e32a40a9 100644
--- a/agent/jobmanager_test.go
+++ b/agent/jobmanager_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package agent
 
 import (
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 52470ca5e..2b1e93b27 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -1,4 +1,3 @@
-// Copyright 2019 Jason Ertel (github.com/jertel).
 // Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 // or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 // https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/html/js/routes/home.test.js b/html/js/routes/home.test.js
index 0f654f17d..473a3c629 100644
--- a/html/js/routes/home.test.js
+++ b/html/js/routes/home.test.js
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 require('../test_common.js');
 require('./home.js');
 
diff --git a/model/detection.go b/model/detection.go
index f8089fbf9..4bb5583bd 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package model
 
 import (
diff --git a/model/event.go b/model/event.go
index 9f9306e8c..73f410725 100644
--- a/model/event.go
+++ b/model/event.go
@@ -44,7 +44,7 @@ type EventSearchResults struct {
 
 func NewEventSearchResults() *EventSearchResults {
 	results := &EventSearchResults{
-		Events:  make([]*EventRecord, 0, 0),
+		Events:  make([]*EventRecord, 0),
 		Metrics: make(map[string]([]*EventMetric)),
 	}
 	results.initEventResults()
diff --git a/model/query.go b/model/query.go
index 076d0ee48..720d162a6 100644
--- a/model/query.go
+++ b/model/query.go
@@ -111,7 +111,7 @@ func (segment *BaseSegment) TermsAsString() string {
 }
 
 func (segment *BaseSegment) Clear() {
-	segment.terms = make([]*QueryTerm, 0, 0)
+	segment.terms = make([]*QueryTerm, 0)
 }
 
 func (segment *BaseSegment) RemoveTermsWith(raw string) int {
@@ -173,13 +173,13 @@ type SearchSegment struct {
 func NewSearchSegmentEmpty() *SearchSegment {
 	return &SearchSegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewSearchSegment(terms []*QueryTerm) (*SearchSegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__SEARCH_TERMS_MISSING")
 	}
 
@@ -267,13 +267,13 @@ type GroupBySegment struct {
 func NewGroupBySegmentEmpty() *GroupBySegment {
 	return &GroupBySegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewGroupBySegment(terms []*QueryTerm) (*GroupBySegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING")
 	}
 
@@ -329,13 +329,13 @@ type SortBySegment struct {
 func NewSortBySegmentEmpty() *SortBySegment {
 	return &SortBySegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewSortBySegment(terms []*QueryTerm) (*SortBySegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__SORTBY_TERMS_MISSING")
 	}
 
@@ -359,7 +359,7 @@ type Query struct {
 
 func NewQuery() *Query {
 	return &Query{
-		Segments: make([]QuerySegment, 0, 0),
+		Segments: make([]QuerySegment, 0),
 	}
 }
 
@@ -373,7 +373,7 @@ func (query *Query) NamedSegment(name string) QuerySegment {
 }
 
 func (query *Query) NamedSegments(name string) []QuerySegment {
-	segments := make([]QuerySegment, 0, 0)
+	segments := make([]QuerySegment, 0)
 	for _, segment := range query.Segments {
 		if segment.Kind() == name {
 			segments = append(segments, segment)
@@ -397,7 +397,7 @@ func (query *Query) RemoveSegment(name string) QuerySegment {
 }
 
 func (query *Query) Parse(str string) error {
-	currentSegmentTerms := make([]*QueryTerm, 0, 0)
+	currentSegmentTerms := make([]*QueryTerm, 0)
 	currentSegmentKind := SegmentKind_Search
 	var currentTermBuilder strings.Builder
 	escaping := false
@@ -440,7 +440,7 @@ func (query *Query) Parse(str string) error {
 					}
 					query.AddSegment(segment)
 					currentSegmentKind = ""
-					currentSegmentTerms = make([]*QueryTerm, 0, 0)
+					currentSegmentTerms = make([]*QueryTerm, 0)
 				} else if !escaping && (ch == ' ' || ch == ',' || ch == '\n' || ch == '\t') {
 					if currentTermBuilder.Len() > 0 {
 						term, err := NewQueryTerm(currentTermBuilder.String())
diff --git a/server/detectionengine.go b/server/detectionengine.go
index e6f1d4c1a..97868c885 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/eventstore_fake.go b/server/eventstore_fake.go
index 44071b02e..17ecf61eb 100644
--- a/server/eventstore_fake.go
+++ b/server/eventstore_fake.go
@@ -38,11 +38,11 @@ func NewFakeEventstore() *FakeEventstore {
 	store.InputSearchCriterias = make([]*model.EventSearchCriteria, 0)
 	store.InputUpdateCriterias = make([]*model.EventUpdateCriteria, 0)
 	store.InputAckCriterias = make([]*model.EventAckCriteria, 0)
-	store.SearchResults = make([]*model.EventSearchResults, 0, 0)
+	store.SearchResults = make([]*model.EventSearchResults, 0)
 	store.SearchResults = append(store.SearchResults, model.NewEventSearchResults())
-	store.IndexResults = make([]*model.EventIndexResults, 0, 0)
+	store.IndexResults = make([]*model.EventIndexResults, 0)
 	store.IndexResults = append(store.IndexResults, model.NewEventIndexResults())
-	store.UpdateResults = make([]*model.EventUpdateResults, 0, 0)
+	store.UpdateResults = make([]*model.EventUpdateResults, 0)
 	store.UpdateResults = append(store.UpdateResults, model.NewEventUpdateResults())
 	return store
 }
diff --git a/server/gridmembershandler_test.go b/server/gridmembershandler_test.go
index 3dbadccce..5f550ad8b 100644
--- a/server/gridmembershandler_test.go
+++ b/server/gridmembershandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/memconfigstore.go b/server/memconfigstore.go
index c0dcddc0e..cbb32dd45 100644
--- a/server/memconfigstore.go
+++ b/server/memconfigstore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/memconfigstore_test.go b/server/memconfigstore_test.go
index c1d550a85..449609573 100644
--- a/server/memconfigstore_test.go
+++ b/server/memconfigstore_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 4baf06fd5..38206d5a7 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 0839027ca..c6cda090a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/oneormore.go b/server/modules/elastalert/oneormore.go
index 959a47360..b958383ce 100644
--- a/server/modules/elastalert/oneormore.go
+++ b/server/modules/elastalert/oneormore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 type OneOrMore[T comparable] struct {
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
index 43b5c35ff..07193cee3 100644
--- a/server/modules/elastalert/oneormore_test.go
+++ b/server/modules/elastalert/oneormore_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 84583f83e..6dbb69594 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
index c52809952..dcfcb3d17 100644
--- a/server/modules/elastalert/validate_test.go
+++ b/server/modules/elastalert/validate_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 1a3b535bc..793f72850 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -439,7 +439,7 @@ func TestConvertElasticEventToArtifact(t *testing.T) {
 	event.Payload["so_artifact.md5"] = "myMd5"
 	event.Payload["so_artifact.sha1"] = "mySha1"
 	event.Payload["so_artifact.sha256"] = "mySha256"
-	tags := make([]interface{}, 2, 2)
+	tags := make([]interface{}, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
 	event.Payload["so_artifact.tags"] = tags
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 7824b3298..c59044b35 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastic
 
 import (
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index b589f966f..4177c2d36 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -450,7 +450,7 @@ func (store *ElasticEventstore) updateDocuments(ctx context.Context, client *ela
 func (store *ElasticEventstore) refreshCache(ctx context.Context) {
 	store.cacheLock.Lock()
 	defer store.cacheLock.Unlock()
-	if store.cacheTime.IsZero() || time.Now().Sub(store.cacheTime) > store.cacheMs {
+	if store.cacheTime.IsZero() || time.Since(store.cacheTime) > store.cacheMs {
 		err := store.refreshCacheFromFieldCaps(ctx)
 		if err == nil {
 			store.cacheTime = time.Now()
diff --git a/server/modules/elastic/elasticeventstore_test.go b/server/modules/elastic/elasticeventstore_test.go
index b07017f23..dbef2ce94 100644
--- a/server/modules/elastic/elasticeventstore_test.go
+++ b/server/modules/elastic/elasticeventstore_test.go
@@ -120,7 +120,7 @@ func TestReadErrorFromJson(tester *testing.T) {
 
 func TestDisableCrossClusterIndexing(tester *testing.T) {
 	store := &ElasticEventstore{}
-	indexes := make([]string, 2, 2)
+	indexes := make([]string, 2)
 	indexes[0] = "*:so-*"
 	indexes[1] = "my-*"
 	newIndexes := store.disableCrossClusterIndexing(indexes)
diff --git a/server/modules/filedatastore/filedatastoreimpl.go b/server/modules/filedatastore/filedatastoreimpl.go
index 1783700ce..4e5e8ef4d 100644
--- a/server/modules/filedatastore/filedatastoreimpl.go
+++ b/server/modules/filedatastore/filedatastoreimpl.go
@@ -63,9 +63,7 @@ func (datastore *FileDatastoreImpl) Init(cfg module.ModuleConfig) error {
 }
 
 func (datastore *FileDatastoreImpl) CreateNode(ctx context.Context, id string) *model.Node {
-	var node *model.Node
-	node = model.NewNode(id)
-	return node
+	return model.NewNode(id)
 }
 
 func (datastore *FileDatastoreImpl) GetNodes(ctx context.Context) []*model.Node {
diff --git a/server/modules/kratos/kratosuser_test.go b/server/modules/kratos/kratosuser_test.go
index 30d60bcc0..fb9180354 100644
--- a/server/modules/kratos/kratosuser_test.go
+++ b/server/modules/kratos/kratosuser_test.go
@@ -44,7 +44,7 @@ func TestCopyToUser(tester *testing.T) {
 	kratosUser.Credentials = make(map[string]*KratosCredential)
 	kratosUser.Credentials["totp"] = &KratosCredential{Type: "totp"}
 	kratosUser.Credentials["webauthn"] = &KratosCredential{Type: "webauthn"}
-	oidcIds := make([]string, 1, 1)
+	oidcIds := make([]string, 1)
 	oidcIds[0] = "test"
 	kratosUser.Credentials["oidc"] = &KratosCredential{Type: "oidc", Identifiers: oidcIds}
 	kratosUser.Credentials["password"] = &KratosCredential{Type: "password"}
diff --git a/server/modules/salt/options/context.go b/server/modules/salt/options/context.go
index 8edadb074..e8eb17323 100644
--- a/server/modules/salt/options/context.go
+++ b/server/modules/salt/options/context.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package options
 
 import "context"
diff --git a/server/modules/salt/options/context_test.go b/server/modules/salt/options/context_test.go
index 8ad8eab18..b37de0cad 100644
--- a/server/modules/salt/options/context_test.go
+++ b/server/modules/salt/options/context_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package options
 
 import (
diff --git a/server/modules/salt/saltstore.go b/server/modules/salt/saltstore.go
index 75906edf5..fdb1cc014 100644
--- a/server/modules/salt/saltstore.go
+++ b/server/modules/salt/saltstore.go
@@ -136,7 +136,7 @@ func (store *Saltstore) GetSettings(ctx context.Context) ([]*model.Setting, erro
 		return nil, err
 	}
 
-	settings := make([]*model.Setting, 0, 0)
+	settings := make([]*model.Setting, 0)
 
 	// Parse the default values first.
 	err = filepath.Walk(store.saltstackDir+"/default", func(path string, info os.FileInfo, err error) error {
@@ -418,7 +418,6 @@ func (store *Saltstore) recursivelyParseAnnotations(
 			}
 		default:
 			foundAnnotation = true
-			break
 		}
 	}
 	return settings, foundAnnotation
@@ -714,7 +713,7 @@ func (store *Saltstore) alignInt64List(newValue string) ([]int64, error) {
 	var newList []int64
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]int64, 0, 0)
+		newList = make([]int64, 0)
 		for _, str := range tmp {
 			i, err := strconv.ParseInt(str, 10, 64)
 			if err != nil {
@@ -730,7 +729,7 @@ func (store *Saltstore) alignBoolList(newValue string) ([]bool, error) {
 	var newList []bool
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]bool, 0, 0)
+		newList = make([]bool, 0)
 		for _, str := range tmp {
 			b, err := strconv.ParseBool(str)
 			if err != nil {
@@ -746,7 +745,7 @@ func (store *Saltstore) alignFloat64List(newValue string) ([]float64, error) {
 	var newList []float64
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]float64, 0, 0)
+		newList = make([]float64, 0)
 		for _, str := range tmp {
 			f, err := strconv.ParseFloat(str, 64)
 			if err != nil {
@@ -762,9 +761,9 @@ func (store *Saltstore) alignListList(newValue string) ([][]interface{}, error)
 	var newList [][]interface{}
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([][]interface{}, 0, 0)
+		newList = make([][]interface{}, 0)
 		for _, str := range tmp {
-			l := make([]interface{}, 0, 0)
+			l := make([]interface{}, 0)
 			err := json.LoadJson([]byte(str), &l)
 			if err != nil {
 				return nil, err
@@ -779,7 +778,7 @@ func (store *Saltstore) alignMapList(newValue string) ([]map[string]interface{},
 	var newList []map[string]interface{}
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]map[string]interface{}, 0, 0)
+		newList = make([]map[string]interface{}, 0)
 		for _, str := range tmp {
 			m := make(map[string]interface{})
 			err := json.LoadJson([]byte(str), &m)
@@ -818,7 +817,7 @@ func (store *Saltstore) alignBestGuess(newValue string) interface{} {
 		}
 	}
 	if strings.HasPrefix(newValue, "[") && strings.HasSuffix(newValue, "]") {
-		tmp := make([]interface{}, 0, 0)
+		tmp := make([]interface{}, 0)
 		err := json.LoadJson([]byte(newValue), &tmp)
 		if err == nil {
 			return tmp
@@ -941,7 +940,7 @@ func getMembersFromJson(err error, output []byte) ([]*model.GridMember, error) {
 		response := &ListResponse{}
 		err = json.LoadJson(output, response)
 		if err == nil {
-			members = make([]*model.GridMember, 0, 0)
+			members = make([]*model.GridMember, 0)
 			for id, fingerprint := range response.Accepted {
 				members = append(members, model.NewGridMember(id, model.GridMemberAccepted, fingerprint))
 			}
diff --git a/server/modules/sostatus/sostatus.go b/server/modules/sostatus/sostatus.go
index 1755defca..ef119c1b9 100644
--- a/server/modules/sostatus/sostatus.go
+++ b/server/modules/sostatus/sostatus.go
@@ -98,7 +98,7 @@ func (status *SoStatus) refreshGrid(ctx context.Context) {
 	nodes := status.server.Datastore.GetNodes(ctx)
 	for _, node := range nodes {
 
-		staleMs := int(time.Now().Sub(node.UpdateTime) / time.Millisecond)
+		staleMs := int(time.Since(node.UpdateTime) / time.Millisecond)
 		if staleMs > status.offlineThresholdMs {
 			if node.ConnectionStatus != model.NodeStatusFault {
 				log.WithFields(log.Fields{
diff --git a/server/modules/statickeyauth/statickeyauthimpl.go b/server/modules/statickeyauth/statickeyauthimpl.go
index e75450b3e..98604abb6 100644
--- a/server/modules/statickeyauth/statickeyauthimpl.go
+++ b/server/modules/statickeyauth/statickeyauthimpl.go
@@ -106,7 +106,7 @@ func (auth *StaticKeyAuthImpl) validateAuthorization(ctx context.Context, key st
 
 func (auth *StaticKeyAuthImpl) validateApiKey(key string) bool {
 	pieces := strings.Split(key, " ")
-	if pieces != nil && len(pieces) > 0 {
+	if len(pieces) > 0 {
 		key = pieces[len(pieces)-1]
 	}
 	return key == auth.apiKey
diff --git a/server/modules/staticrbac/staticrbac_test.go b/server/modules/staticrbac/staticrbac_test.go
index c198843e4..176a0a9bf 100644
--- a/server/modules/staticrbac/staticrbac_test.go
+++ b/server/modules/staticrbac/staticrbac_test.go
@@ -23,11 +23,11 @@ func TestInit(tester *testing.T) {
 	err := auth.Init(cfg)
 	assert.Error(tester, err)
 
-	array := make([]interface{}, 1, 1)
+	array := make([]interface{}, 1)
 	array[0] = "MyValue1"
 	cfg["roleFiles"] = array
 
-	array = make([]interface{}, 1, 1)
+	array = make([]interface{}, 1)
 	array[0] = "MyValue2"
 	cfg["userFiles"] = array
 	err = auth.Init(cfg)
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 32f18a6a9..3fcefffac 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 00a2fdf2a..81110b21f 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index f3ee8e707..daa3bd07e 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 2ce0d1a41..5e93d94ff 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/queryhandler_test.go b/server/queryhandler_test.go
index a4bd0caf7..71498ddbe 100644
--- a/server/queryhandler_test.go
+++ b/server/queryhandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/server_fake.go b/server/server_fake.go
index e2d2bcba2..baacfa691 100644
--- a/server/server_fake.go
+++ b/server/server_fake.go
@@ -170,7 +170,7 @@ func NewFakeServer(authorized bool, roleMap map[string][]string) *Server {
 		roleMap: roleMap,
 	}
 
-	users := make([]*model.User, 0, 0)
+	users := make([]*model.User, 0)
 	users = append(users, &model.User{
 		Id:    "user-id-1",
 		Email: "user1@somewhere.invalid",
diff --git a/server/utilhandler.go b/server/utilhandler.go
index 997f7c2ed..bfbf4ed4b 100644
--- a/server/utilhandler.go
+++ b/server/utilhandler.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/utilhandler_test.go b/server/utilhandler_test.go
index 8699cce6f..6d92acdb9 100644
--- a/server/utilhandler_test.go
+++ b/server/utilhandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/util/ptr.go b/util/ptr.go
index fe1477027..fea87a3c5 100644
--- a/util/ptr.go
+++ b/util/ptr.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package util
 
 func Ptr[T any](x T) *T {
diff --git a/web/host.go b/web/host.go
index 0a67f35cd..57ce9af93 100644
--- a/web/host.go
+++ b/web/host.go
@@ -180,7 +180,7 @@ func (host *Host) pruneConnections() {
 
 	activeConnections := make([]*Connection, 0)
 	for _, connection := range host.connections {
-		durationSinceLastPing := int(time.Now().Sub(connection.lastPingTime).Milliseconds())
+		durationSinceLastPing := int(time.Since(connection.lastPingTime).Milliseconds())
 		if durationSinceLastPing < host.idleConnectionTimeoutMs {
 			activeConnections = append(activeConnections, connection)
 		} else if connection.websocket != nil {
diff --git a/web/middleware.go b/web/middleware.go
index bd06833fd..4c2bd4d70 100644
--- a/web/middleware.go
+++ b/web/middleware.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package web
 
 import (
diff --git a/web/middleware_test.go b/web/middleware_test.go
index d38f28c1e..64af02f89 100644
--- a/web/middleware_test.go
+++ b/web/middleware_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package web
 
 import (

From db72d14a0f6e1841f7769d1ee8f5cbe8eb5d0dc5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 16 Nov 2023 13:31:51 -0700
Subject: [PATCH 018/102] WIP: Overrides in the Tuning Tab

SeverityTranslations. A map used to translate one engine's severity levels to the levels we support in SOC's detections.

A lot of UI work around CRUDing overrides in the Tuning tab of a detection.

A little cleanup in hunt.js. Removed helper functions from the early days of detections. Could/should have been removed a long time ago.

Initial logic for applying overrides when syncing detections started, but the modified threshold file isn't updated yet until I revisit and test everything.
---
 config/clientparameters.go                   |   3 +-
 html/index.html                              | 191 +++++++++-
 html/js/i18n.js                              |  10 +
 html/js/routes/detection.js                  | 369 +++++++++++++++++--
 html/js/routes/hunt.js                       |  55 ---
 model/detection.go                           | 155 +++++++-
 server/detectionhandler.go                   |  26 +-
 server/infohandler.go                        |  10 +
 server/modules/elastalert/elastalert_test.go |   6 +-
 server/modules/elastalert/validate.go        |   4 +-
 server/modules/elastic/converter.go          |  63 +++-
 server/modules/suricata/suricata.go          |  53 ++-
 12 files changed, 825 insertions(+), 120 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index ee31adf90..72af921f4 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -192,7 +192,8 @@ type GridParameters struct {
 
 type DetectionParameters struct {
 	HuntingParameters
-	Presets map[string]PresetParameters `json:"presets"`
+	Presets              map[string]PresetParameters `json:"presets"`
+	SeverityTranslations map[string]string           `json:"severityTranslations"`
 }
 
 func (params *DetectionParameters) Verify() error {
diff --git a/html/index.html b/html/index.html
index 2a713ac46..f0026cfa6 100644
--- a/html/index.html
+++ b/html/index.html
@@ -991,14 +991,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
 
                   <!-- Engine -->
-                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]"/>
+                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]" v-on:change="onDetectionChange"/>
 
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" />
+                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" @input="onDetectionChange()" />
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1127,7 +1127,192 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab-item> -->
               <v-tab-item value="tuning">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  Coming Soon!
+                  <v-col cols="12" style="padding-left: 0px; padding-right: 0px;">
+                    <v-toolbar class="elevation-0" fixed>
+                      <v-btn color="primary" id="add-override-button" style="text-decoration: none; cursor: 'pointer'" @click="createNewOverride()">
+                        <v-icon :title="i18n.create">fa-plus</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                    <div v-if="newOverride != null">
+                      <v-form ref="OverrideCreate">
+                        <v-select id="new-override-type" v-model="newOverride.type" :items="getOverrideTypes()" persistent-hint :hint="i18n.type" @change="createOverrideTypeChange()"></v-select>
+                        <!--
+                          1. Regex   - modify
+                          2. Value   - modify
+                          3. Type    - threshold
+                          3. Track   - suppress, threshold
+                          4. IP      - suppress
+                          5. Count   - threshold
+                          6. Seconds - threshold
+                          7. Custom Filter - engine:elastalert
+                        -->
+                        <!-- Suricata -->
+                        <div v-if="detect.engine === 'suricata'">
+                          <!-- regex -->
+                          <v-text-field v-if="newOverride.type === 'modify'" id="new-override-regex-edit" v-model="newOverride.regex" :rules="[rules.required]" persistent-hint :hint="i18n.regex"></v-text-field>
+                          <!-- value -->
+                          <v-text-field v-if="newOverride.type === 'modify'" id="new-override-value-edit" v-model="newOverride.value" :rules="[rules.required]" persistent-hint :hint="i18n.value"></v-text-field>
+                          <!-- (threshold) type -->
+                          <v-select v-if="newOverride.type === 'threshold'" id="new-override-threshold-type-edit" v-model="newOverride.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.thresholdType"></v-select>
+                          <!-- track -->
+                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
+                          <!-- ip -->
+                          <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr"></v-text-field>
+                          <!-- count -->
+                          <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-count-edit" v-model="newOverride.count" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.count"></v-text-field>
+                          <!-- seconds -->
+                          <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-seconds-edit" v-model="newOverride.seconds" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.secondsLabel"></v-text-field>
+                        </div>
+                        <!-- ElastAlert -->
+                        <div v-if="detect.engine === 'elastalert'">
+                          <!-- custom filter -->
+                          <v-text-field id="new-override-custom-filter-edit" v-model="newOverride.customFilter" :rules="[rules.required]" persistent-hint :hint="i18n.customFilter"></v-text-field>
+                        </div>
+                        <div v-if="newOverride" class="d-flex justify-end text-body-2 mt-2">
+                          <div class="d-inline-flex">
+                            <v-btn id="detection-create-cancel" text small color="primary" class="align-self-end" @click="newOverride = null">
+                              {{ i18n.cancel }}
+                            </v-btn>
+                            <v-btn v-if="newOverride.type" id="detection-create-create" text small color="primary" class="align-self-end" @click="addNewOverride()">
+                              {{ i18n.create }}
+                            </v-btn>
+                          </div>
+                        </div>
+                      </v-form>
+                    </div>
+                  </v-col>
+                  <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
+                    :items="detect.overrides" :item-key="'index'" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    <template v-slot:item="{ item, index }">
+                      <tr>
+                        <td>
+                          <v-btn id="expandOverrideArrow" icon small @click="expand(item)">
+                            <v-icon v-if="isExpanded(item)" :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded(item)" :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>
+                        <td v-for="field in overrideHeaders" :key="field.value">
+                          <div class="d-inline-block">
+                            <span v-if="!field.format">{{ item[field.value] }}</span>
+                            <span v-else v-text="$root.formatLocalTimestamp(item[field.value], zone)"/>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="{ headers, item }">
+                      <tr>
+                        <td :colspan="headers.length" class="pa-4" v-if="detect.engine === 'suricata'">
+                          <!--
+                            1. Regex   - modify
+                            2. Value   - modify
+                            3. Type    - threshold
+                            3. Track   - suppress, threshold
+                            4. IP      - suppress
+                            5. Count   - threshold
+                            6. Seconds - threshold
+                            7. Custom Filter - engine:elastalert
+                          -->
+                          <!-- regex -->
+                          <div v-if="item.type === 'modify'">
+                            <div class="font-weight-bold mt-2">
+                              Regex:
+                            </div>
+                            <span id="override-regex" v-if="!isOverrideEdit('override-regex')" @click="startOverrideEdit('override-regex', item, 'regex')">
+                              {{item.regex}}
+                            </span>
+                            <v-text-field v-else id="override-regex-edit" ref="override-regex" hide-details="auto" outlined v-model="item.regex" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.regex" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- value -->
+                          <div v-if="item.type === 'modify'">
+                            <div class="font-weight-bold mt-2">
+                              Value:
+                            </div>
+                            <span id="override-value" v-if="!isOverrideEdit('override-value')" @click="startOverrideEdit('override-value', item, 'value')">
+                              {{item.value}}
+                            </span>
+                            <v-text-field v-else id="override-value-edit" ref="override-value" hide-details="auto" outlined v-model="item.value" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.value" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- type (threshold) -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Type:
+                            </div>
+                            <span id="override-threshold-type" v-if="!isOverrideEdit('override-threshold-type')" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')">
+                              {{item.thresholdType}}
+                            </span>
+                            <v-select v-else id="override-threshold-type-edit" ref="override-threshold-type" v-model="item.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                          </div>
+                          <!-- track -->
+                          <div v-if="['suppress', 'threshold'].includes(item.type)">
+                            <div class="font-weight-bold mt-2">
+                              Track:
+                            </div>
+                            <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
+                              {{item.track}}
+                            </span>
+                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                          </div>
+                          <!-- ip -->
+                          <div v-if="item.type === 'suppress'">
+                            <div class="font-weight-bold mt-2">
+                              IP:
+                            </div>
+                            <span id="override-ip" v-if="!isOverrideEdit('override-ip')" @click="startOverrideEdit('override-ip', item, 'ip')">
+                              {{item.ip}}
+                            </span>
+                            <v-text-field v-else id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.ciderFormat]"
+                              persistent-hint :hint="i18n.cidr" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- count -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Count:
+                            </div>
+                            <span id="override-count" v-if="!isOverrideEdit('override-count')" @click="startOverrideEdit('override-count', item, 'count')">
+                              {{item.count}}
+                            </span>
+                            <v-text-field v-else id="override-count-edit" ref="override-count" hide-details="auto" outlined v-model="item.count" :rules="[rules.required, rules.number]"
+                              persistent-hint :hint="i18n.count" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- seconds -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Seconds:
+                            </div>
+                            <span id="override-seconds" v-if="!isOverrideEdit('override-seconds')" @click="startOverrideEdit('override-seconds', item, 'seconds')">
+                              {{item.seconds}}
+                            </span>
+                            <v-text-field v-else id="override-seconds-edit" ref="override-seconds" hide-details="auto" outlined v-model="item.seconds" :rules="[rules.required, rules.number]"
+                              persistent-hint :hint="i18n.secondsLabel" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
+                          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field> -->
+                          <div class="d-flex justify-end text-body-2 mt-2">
+                            <div class="d-inline-flex">
+                              <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
+                                {{ i18n.delete }}
+                              </v-btn>
+                            </div>
+                          </div>
+                        </td>
+                        <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'elastalert'">
+                          <div>
+                            <div class="font-weight-bold">
+                              Custom Filter:
+                            </div>
+                            <span id="override-custom-filter" v-if="!isOverrideEdit('override-custom-filter')" @click="startOverrideEdit('override-custom-filter', item, 'customFilter')">
+                              {{item.customFilter}}
+                            </span>
+                            <v-text-field v-else id="override-custom-filter-edit" ref="override-custom-filter" hide-details="auto" outlined v-model="item.customFilter" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.customFilter" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                        </td>
+                        <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'yara'"></td>
+                      </tr>
+                    </template>
+                  </v-data-table>
                 </div>
               </v-tab-item>
               <v-tab-item value="history">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 44cd9f781..4b2a4e811 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -152,6 +152,7 @@ const i18n = {
       chartTitleTimeline: 'Timeline',
       chartTitleTop: 'Most Occurrences',
       cheatsheet: 'Cheat Sheet',
+      cidr: 'CIDR Notation',
       clear: 'Clear',
       clickForMoreInformation: 'Click for more information',
       collapse: 'Collapse',
@@ -210,11 +211,13 @@ const i18n = {
       copyFieldToClipboard: 'Copy this value only',
       copyFieldValueToClipboard: 'Copy as field:value',
       copyToClipboard: 'Copy to clipboard',
+      count: 'Count',
       cpuUsage: 'CPU Usage',
       cpuUsageAbbr: 'CPU',
       create: 'Create',
       createNewCase: 'Create a new case...',
       custom: 'Custom',
+      customFilter: 'Custom Filter',
       darkMode: 'Dark Mode',
       dashboards: 'Dashboards',
       dataset: 'Dataset',
@@ -440,6 +443,8 @@ const i18n = {
       interval24h: "24 hours",
       invalid: 'Invalid',
       ioWait: 'I/O Wait',
+      invalidCidr: 'Invalid CIDR Notation',
+      ipCidr: 'IP - CIDR Notation',
       job: 'Job',
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
@@ -542,6 +547,7 @@ const i18n = {
       order: 'Order',
       osUptime: 'OS Uptime',
       other: 'Other',
+      overrideExpand: 'Show all override fields',
       owner: 'Owner',
       packages: 'Packages',
       packets: 'Captured Packets',
@@ -585,6 +591,7 @@ const i18n = {
       refreshObservablesHelp: 'Refresh to view all recently added observables for this case.',
       refreshEventsHelp: 'Refresh to view all recently escalated events for this case.',
       refreshHistoryHelp: 'Refresh to view the latest history for this case.',
+      regex: 'Regex',
       reject: 'Reject',
       rejected: 'Rejected',
       related: 'Events',
@@ -612,6 +619,7 @@ const i18n = {
       save: 'Save',
       saveSuccess: 'Save successful!',
       seconds: 'seconds',
+      secondsLabel: 'Seconds',
       security: 'Security',
       securityInstructions: 'You may be prompted to login again when updating your security settings. If submitting a new password, you will need to verify your identity first with the old password. This is a security measure to protect your account.',
       securityInstructionsTotp: 'IMPORTANT: If you changed your password recently you must logout and login again with the new password before attempting to activate TOTP. Failure to relogin will result in the TOTP validation failing. If this occurs you will need to remove the TOTP code from your authenticator app, login to SOC with the new password, and then activate TOTP again.',
@@ -726,6 +734,7 @@ const i18n = {
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
+      thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
       timePickerHelp: 'Choose the timespan to search, or click the calendar icon to switch to relative time',
@@ -761,6 +770,7 @@ const i18n = {
       totpDeactivate: 'Deactivate TOTP',
       totpSecretInstructions: 'If you are unable to scan the QR code, use the secret provided below instead.',
       totpUnlinkInstructions: 'If you no longer have access to your authenticator app, you can deactivate the TOTP.',
+      track: 'Track',
       trafficMonIn: 'Inbound Monitor Traffic',
       trafficMonInAbbr: 'Mon In',
       trafficMonInDrops: 'Dropped Monitor Traffic',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 2b1e93b27..5964fc929 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -3,17 +3,36 @@
 // https://securityonion.net/license; you may not use this file except in compliance with the
 // Elastic License 2.0.
 
+function debounce(fn, wait) {
+	let timer;
+	return (...args) => {
+		if(timer) {
+			clearTimeout(timer); // clear any pre-existing timer
+		}
+
+		const context = this; // get the current context
+		timer = setTimeout(()=>{
+			fn.apply(context, args); // call the function if time expires
+		}, wait);
+	}
+}
+
 routes.push({ path: '/detection/:id', name: 'detection', component: {
   template: '#page-detection',
   data() { return {
 		i18n: this.$root.i18n,
 		presets: {},
+		severityTranslations: {},
 		params: {},
 		detect: null,
 		origDetect: null,
 		curEditTarget: null, // string containing element ID, null if not editing
 		origValue: null,
 		editField: null,
+		curOverrideEditTarget: null,
+		origOverrideValue: null,
+		overrideEditField: null,
+		editOverride: null, // the override we're currently editing
 		editForm: { valid: true },
 		rules: {
 			required: value => (value && value.length > 0) || this.$root.i18n.required,
@@ -22,15 +41,38 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
 			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
 			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+			cidrFormat: value => (!value || /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value)) || this.i18n.invalidCidr,
 			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
 			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 			fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
-		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/,
+		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/, // option
+		severityExtract: /\bsignature_severity ['"]?(.*?)['"]?[,;]/, // metadata
+		authorExtract: /\bauthor: ?['"]?(.*?)['"]?;/, // option
+		authorMetaExtract: /\bauthor ['"]?(.*?)['"]?[,;]/, // metadata
+		sortBy: 'createdAt',
+		sortDesc: false,
+		expanded: [],
+		overrideHeaders: [
+			{ text: 'Enabled', value: 'isEnabled' },
+			{ text: 'Type', value: 'type' },
+			{ text: 'Track', value: 'track' },
+			{ text: 'Created', value: 'createdAt', format: true },
+			{ text: 'Updated', value: 'updatedAt', format: true },
+		],
+		zone: moment.tz.guess(),
+		newOverride: null,
+		thresholdTypes: [
+			{ value: 'threshold', text: 'Threshold' },
+			{ value: 'limit', text: 'Limit' },
+			{ value: 'both', text: 'Both' }
+		],
+		trackOptions: ['by_src', 'by_dst', 'by_both'],
   }},
-  created() {
+	created() {
+		this.onDetectionChange = debounce(this.onDetectionChange, 300);
   },
   watch: {
 	},
@@ -39,13 +81,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       () => this.$route.params,
       (to, prev) => {
 				this.loadData();
-    	});
+			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
   methods: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
+			this.severityTranslations = params['severityTranslations'];
+
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
 			} else {
@@ -77,8 +121,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.startLoading();
 
 			try {
-					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
+				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
+				if (this.detect.overrides) {
+					for (let i = 0; i < this.detect.overrides.length; i++) {
+						this.detect.overrides[i].index = i;
+					}
+				}
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -159,25 +208,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			});
 		},
-		extractPublicID() {
-			let pid = '';
-			switch (this.detect.engine) {
-				case 'suricata':
-					try {
-						pid = this.extractSuricataPublicID();
-					} catch (e) {
-						// nothing, clear publicId
-					}
-					break;
-				case 'elastalert':
-					try {
-						pid = this.extractElastAlertPublicID();
-					} catch (e) {}
-					break;
-			}
-
-			this.detect.publicId = pid;
-		},
 		isEdit(target) {
 			return this.curEditTarget === target;
 		},
@@ -186,8 +216,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				this.detect[this.editField] = this.origValue;
 			} else if (!this.isNew()) {
 				const response = await this.$root.papi.put('/detection', this.detect);
-
-        console.log('UPDATE', response);
 			}
 
 			this.curEditTarget = null;
@@ -198,7 +226,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
 			if (this.isNew()) {
-				this.$refs['detection'].validate();
+				this.$refs.detection.validate();
 				if (!this.editForm.valid) return;
 			}
 
@@ -220,6 +248,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				return;
 			}
 
+			if (this.detect.overrides) {
+				for (let i = 0; i < this.detect.overrides.length; i++) {
+					this.detect.overrides[i] = this.cleanupOverride(this.detect.engine, this.detect.overrides[i]);
+				}
+			}
+
 			try {
 				let response;
 				if (createNew) {
@@ -232,7 +266,9 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 				this.$root.showTip(this.i18n.saveSuccess);
 
-				this.$router.push({name: 'detection', params: {id: response.data.id}});
+				if (createNew) {
+					this.$router.push({ name: 'detection', params: { id: response.data.id } });
+				}
 			} catch (error) {
 				this.$root.showError(error);
 			}
@@ -269,23 +305,286 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return null;
 		},
+		extractPublicID() {
+			let pid = this.detect.publicId;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						pid = this.extractSuricataPublicID();
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const id = this.extractElastAlertPublicID();
+						if (id) pid = id;
+					} catch {}
+					break;
+			}
+
+			this.detect.publicId = pid;
+		},
+		extractSeverity() {
+			let sev = this.detect.severity;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						sev = this.extractSuricataSeverity();
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const s = this.extractElastAlertSeverity();
+						if (s) sev = s;
+					} catch {}
+					break;
+			}
+
+			this.detect.severity = sev;
+		},
+		extractAuthor() {
+			let author = this.detect.author;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						const a = this.extractSuricataAuthor();
+						if (a) author = a;
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const a = this.extractElastAlertAuthor();
+						if (a) author = a;
+					} catch {}
+					break;
+			}
+
+			this.detect.author = author;
+		},
 		extractSuricataPublicID() {
 			const results = this.sidExtract.exec(this.detect.content);
+			return results[1];
+		},
+		extractSuricataSeverity() {
+			const results = this.severityExtract.exec(this.detect.content);
 
-			if (!results || results.length < 2) {
-				// sid not present in rule
-				throw this.i18n.sidMissingErr;
-			} else if (results && results.length > 2) {
-				// multiple sids present in rule
-				throw this.i18n.sidMultipleErr;
+			let sev = (results[1] || '').toLowerCase();
+			if (this.severityTranslations[sev]) {
+				sev = this.severityTranslations[sev]
 			}
 
-			return results[1];
+			if (!this.presets['severity'].labels.includes(sev)) {
+				sev = this.getDefaultPreset('severity');
+			}
+
+			return sev;
+		},
+		extractSuricataAuthor() {
+			// do suricata rules even have a place for an author?
+
+			// first look for an option labeled author
+			const author = this.authorExtract.exec(this.detect.content);
+			if (author && author.length >= 2) return author[1];
+
+			// if no option, check metadata for a field labeled author
+			const authorMeta = this.authorMetaExtract.exec(this.detect.content);
+			if (authorMeta && authorMeta.length >= 2) return authorMeta[1];
 		},
 		extractElastAlertPublicID() {
-			const yaml = jsyaml.load(this.detect.content);
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
 			return yaml['id'];
 		},
+		extractElastAlertSeverity() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			const level = yaml['level'];
+
+			for (let lvl in this.presets['severity'].labels) {
+				if (this.presets['severity'].labels[lvl].toUpperCase() === level.toUpperCase()) {
+					return this.presets['severity'].labels[lvl];
+				}
+			}
+		},
+		extractElastAlertAuthor() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			return yaml['author'];
+		},
+		onDetectionChange() {
+			if (this.detect.engine) {
+				this.extractPublicID();
+				this.extractSeverity();
+				this.extractAuthor();
+			}
+		},
+		saveSetting(name, value, defaultValue = null) {
+      var item = 'settings.detection.' + name;
+      if (defaultValue == null || value != defaultValue) {
+        localStorage[item] = value;
+      } else {
+        localStorage.removeItem(item);
+      }
+    },
+    saveLocalSettings() {
+      this.saveSetting('sortDesc', this.sortDesc, true);
+      this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
+      this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
+      this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
+		},
+		sortOverrides(items, index, isDesc) {
+      const route = this;
+      if (index && index.length > 0) {
+        index = index[0];
+      }
+      if (isDesc && isDesc.length > 0) {
+        isDesc = isDesc[0];
+      }
+      items.sort((a, b) => {
+        if (index === "event.severity_label") {
+          return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
+        } else {
+          return route.defaultSort(a[index], b[index], isDesc);
+        }
+      });
+      return items
+		},
+		defaultSort(a, b, isDesc) {
+      if (!isDesc) {
+        return a < b ? -1 : 1;
+      }
+      return b < a ? -1 : 1;
+    },
+		expand(item) {
+      if (this.isExpanded(item)) {
+        this.expanded = [];
+      } else {
+        this.expanded = [item];
+			}
+		},
+		isExpanded(item) {
+      return (this.expanded.length > 0 && this.expanded[0] === item);
+		},
+		createNewOverride() {
+			this.newOverride = {
+				type: null,
+				isEnabled: false,
+				regex: null,
+				value: null,
+				track: null,
+				count: null,
+				seconds: null,
+				customFilter: null,
+			};
+		},
+		getOverrideTypes(engine) {
+			engine = engine || this.detect.engine;
+
+			switch (engine) {
+				case 'suricata':
+					return [
+						{ value: 'modify', text: 'Modify' },
+						{ value: 'suppress', text: 'Suppress' },
+						{ value: 'threshold', text: 'Threshold' }
+					];
+				case 'elastalert':
+					return [
+						{ value: 'custom filter', text: 'Custom Filter' }
+					];
+			}
+
+			return [];
+		},
+		cleanupOverride(engine, o) {
+			// ensures an override about to be saved
+			// only has the fields relevant to the engine
+			// and type selected
+			let out = {
+				type: o.type,
+				isEnabled: o.isEnabled,
+			};
+
+			if (engine === 'elastalert') {
+				out.customFilter = o.customFilter;
+			} else {
+				out.type = o.type
+
+				switch (o.type) {
+					case 'modify':
+						out.regex = o.regex;
+						out.value = o.value;
+						break;
+					case 'threshold':
+						out.thresholdType = o.thresholdType;
+						out.track = o.track;
+						out.count = parseInt(o.count);
+						out.seconds = parseInt(o.seconds);
+						break;
+					case 'suppress':
+						out.track = o.track;
+						out.ip = o.ip;
+						break;
+				}
+			}
+
+			return out;
+		},
+		createOverrideTypeChange() {
+			// reset the form, but we want the selected type to persist
+			const t = this.newOverride.type;
+			this.$refs.OverrideCreate.reset();
+			this.newOverride.type = t;
+		},
+		cancelNewOverride() {
+			this.$refs.OverrideCreate.reset();
+			this.newOverride = null;
+		},
+		addNewOverride() {
+			if (!this.newOverride) return;
+
+			if (!this.detect.overrides) {
+				this.detect.overrides = [];
+			}
+
+			this.detect.overrides.push(this.newOverride);
+
+			this.saveDetection(false);
+			this.newOverride = null;
+		},
+		async startOverrideEdit(target, override, field) {
+			if (this.curOverrideEditTarget === target) return;
+			if (this.curOverrideEditTarget !== null) await this.stopOverrideEdit(false);
+
+			this.curOverrideEditTarget = target;
+			this.origOverrideValue = override[field];
+			this.overrideEditField = field;
+			this.editOverride = override;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		isOverrideEdit(target) {
+			return this.curOverrideEditTarget === target;
+		},
+		async stopOverrideEdit(commit) {
+			if (commit && this.$refs[this.curOverrideEditTarget].hasError) return;
+
+			if (!commit) {
+				this.editOverride[this.overrideEditField] = this.origOverrideValue;
+			} else {
+				this.saveDetection(false);
+			}
+
+			this.curOverrideEditTarget = null;
+			this.origOverrideValue = null;
+			this.overrideEditField = null;
+			this.editOverride = null;
+		},
+		deleteOverride(item) {
+			this.detect.overrides = this.detect.overrides.filter(o => o !== item);
+			this.saveDetection(false);
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 6c7f3496b..321f515ed 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2107,61 +2107,6 @@ const huntComponent = {
 
       window.open(url, target);
     },
-    async CreateDetection() {
-      const response = await this.$root.papi.post('/detection', {
-        publicId: 'ABCDEF',
-        title: 'First!',
-        severity: 'low',
-        author: 'Corey Ogburn',
-        description: 'first try',
-        content: 'rule goes here',
-        isEnabled: true,
-        isReporting: true,
-        Engine: 'suricata'
-      });
-
-      console.log('CREATE', response);
-      this.onionID = response.data.id;
-      console.log('onionID', this.onionID);
-    },
-    async GetDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.get('/detection/' + this.onionID);
-
-        console.log('GET', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
-    async UpdateDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.put('/detection', {
-          id: this.onionID,
-          publicId: 'ABCDEF',
-          title: 'Second!',
-          severity: 'low',
-          author: 'Corey Ogburn',
-          description: 'first try',
-          content: 'rule goes here',
-          isEnabled: true,
-          isReporting: true,
-          Engine: 'suricata'
-        });
-
-        console.log('UPDATE', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
-    async DeleteDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.delete('/detection/' + this.onionID);
-
-        console.log('DELETE', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
     print(x) {
       console.log(x);
     }
diff --git a/model/detection.go b/model/detection.go
index 4bb5583bd..bde5a004b 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -8,13 +8,15 @@ package model
 import (
 	"errors"
 	"strings"
+	"time"
 )
 
 type ScanType string
 type SigLanguage string
 type Severity string
 type IDType string
-type EngineName = string
+type EngineName string
+type OverrideType string
 
 const (
 	ScanTypeFiles           ScanType = "files"
@@ -41,6 +43,11 @@ const (
 	EngineNameSuricata   EngineName = "suricata"
 	EngineNameYara       EngineName = "yara"
 	EngineNameElastAlert EngineName = "elastalert"
+
+	OverrideTypeSuppress     OverrideType = "suppress"
+	OverrideTypeThreshold    OverrideType = "threshold"
+	OverrideTypeModify       OverrideType = "modify"
+	OverrideTypeCustomFilter OverrideType = "customFilter"
 )
 
 var (
@@ -77,25 +84,147 @@ type DetectionEngine struct {
 
 type Detection struct {
 	Auditable
-	PublicID    string     `json:"publicId"`
-	Title       string     `json:"title"`
-	Severity    Severity   `json:"severity"`
-	Author      string     `json:"author"`
-	Description string     `json:"description"`
-	Content     string     `json:"content"`
-	IsEnabled   bool       `json:"isEnabled"`
-	IsReporting bool       `json:"isReporting"`
-	IsCommunity bool       `json:"isCommunity"`
-	Note        string     `json:"note"`
-	Engine      EngineName `json:"engine"`
+	PublicID    string      `json:"publicId"`
+	Title       string      `json:"title"`
+	Severity    Severity    `json:"severity"`
+	Author      string      `json:"author"`
+	Description string      `json:"description"`
+	Content     string      `json:"content"`
+	IsEnabled   bool        `json:"isEnabled"`
+	IsReporting bool        `json:"isReporting"`
+	IsCommunity bool        `json:"isCommunity"`
+	Note        string      `json:"note"`
+	Engine      EngineName  `json:"engine"`
+	Overrides   []*Override `json:"overrides"` // Tuning
+}
+
+// Note: JSON tags are used when storing the object in ElasticSearch,
+// YAML tags are used when storing the object in a YAML config file (Suricata).
+
+type Override struct {
+	Type               OverrideType `json:"type" yaml:"type"`
+	IsEnabled          bool         `json:"isEnabled" yaml:"-"`
+	CreatedAt          time.Time    `json:"createdAt" yaml:"-"`
+	UpdatedAt          time.Time    `json:"updatedAt" yaml:"-"`
+	OverrideParameters `yaml:",inline"`
+}
+
+type OverrideParameters struct {
+	// suricata
+	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`                 // modify
+	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`                 // modify
+	GenID         *int    `json:"-" yaml:"genId,omitempty"`                               // suppress, threshold
+	ThresholdType *string `json:"thresholdType,omitempty" yaml:"thresholdType,omitempty"` // threshold
+	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`                 // suppress, threshold
+	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`                       // suppress
+	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`                 // threshold
+	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`             // threshold
+
+	// elastalert
+	CustomFilter *string `json:"customFilter,omitempty" yaml:"customFilter,omitempty"` // modify
+}
+
+func (o Override) MarshalYAML() (interface{}, error) {
+	out := map[string]*OverrideParameters{
+		string(o.Type): &o.OverrideParameters,
+	}
+
+	return out, nil
+}
+
+func (o *Override) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var m map[string]*OverrideParameters
+	if err := unmarshal(&m); err != nil {
+		return err
+	}
+
+	for k, v := range m {
+		o.Type = OverrideType(k)
+		o.IsEnabled = true
+		o.OverrideParameters = *v
+	}
+
+	return nil
 }
 
 func (detect *Detection) Validate() error {
-	detect.Engine = strings.ToLower(detect.Engine)
+	detect.Engine = EngineName(strings.ToLower(string(detect.Engine)))
 	_, engIsSupported := EnginesByName[detect.Engine]
 	if !engIsSupported {
 		return ErrUnsupportedEngine
 	}
 
+	for _, o := range detect.Overrides {
+		if err := o.Validate(detect.Engine); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (o *Override) Validate(engine EngineName) error {
+	if o.Type == "" {
+		return errors.New("override type is required")
+	}
+
+	if engine == EngineNameSuricata {
+		switch o.Type {
+		case OverrideTypeModify:
+			if o.Regex == nil || o.Value == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.Track != nil ||
+				o.Count != nil ||
+				o.Seconds != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		case OverrideTypeSuppress:
+			if o.Value == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		case OverrideTypeThreshold:
+			if o.ThresholdType == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.Value != nil ||
+				o.GenID != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		}
+
+	} else if engine == EngineNameElastAlert {
+		switch o.Type {
+		case OverrideTypeCustomFilter:
+			if o.CustomFilter == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.Value != nil ||
+				o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.Track != nil ||
+				o.Count != nil ||
+				o.Seconds != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		}
+	}
+
 	return nil
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b515b05ff..6f881e7ac 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -78,6 +79,16 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	for _, over := range detect.Overrides {
+		if over.CreatedAt.IsZero() {
+			over.CreatedAt = time.Now()
+		}
+
+		if over.UpdatedAt.IsZero() {
+			over.UpdatedAt = time.Now()
+		}
+	}
+
 	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
@@ -138,6 +149,16 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	for _, over := range detect.Overrides {
+		if over.CreatedAt.IsZero() {
+			over.CreatedAt = time.Now()
+		}
+
+		if over.UpdatedAt.IsZero() {
+			over.UpdatedAt = time.Now()
+		}
+	}
+
 	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
@@ -145,14 +166,15 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 	}
 
 	if old.IsCommunity {
-		// the only editable fields for community rules are IsEnabled, IsReporting, and Note
+		// the only editable fields for community rules are IsEnabled, IsReporting, Note, and Overrides
 		old.IsEnabled = detect.IsEnabled
 		old.IsReporting = detect.IsReporting
 		old.Note = detect.Note
+		old.Overrides = detect.Overrides
 
 		detect = old
 
-		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, and Note", detect.Id)
+		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, Note, and Overrides", detect.Id)
 	} else if detect.IsCommunity {
 		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot update an existing non-community detection to make it a community detection"))
 		return
diff --git a/server/infohandler.go b/server/infohandler.go
index 21743094f..3993ce79c 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -86,6 +86,10 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "All",
 				Query: "_id:*",
 			},
+			{
+				Name:  "Local Rules",
+				Query: "* AND so_detection.isCommunity:false",
+			},
 			{
 				Name:  "Enabled",
 				Query: "so_detection.isEnabled:true",
@@ -122,6 +126,12 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Labels:        []string{"suricata", "elastalert"},
 			},
 		}
+
+		detection.SeverityTranslations = map[string]string{
+			// informational and critical already map correctly
+			"minor": "low",
+			"major": "high",
+		}
 	}
 
 	{
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index c6cda090a..e5e39cb92 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -196,7 +196,8 @@ func TestSigmaToElastAlertSunnyDay(t *testing.T) {
 		assert.Equal(t, http.MethodPost, r.Method)
 
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("<eql>"))
+		_, err := w.Write([]byte("<eql>"))
+		assert.NoError(t, err)
 
 		callCount++
 	}))
@@ -248,7 +249,8 @@ func TestSigmaToElastAlertError(t *testing.T) {
 		assert.Equal(t, http.MethodPost, r.Method)
 
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("Error: " + msg))
+		_, err := w.Write([]byte("Error: " + msg))
+		assert.NoError(t, err)
 
 		callCount++
 	}))
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 6dbb69594..1be0f8972 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -47,7 +47,7 @@ type SigmaRule struct {
 	Title          string                 `yaml:"title"`
 	ID             *string                `yaml:"id"`
 	LogSource      LogSource              `yaml:"logsource"`
-	Detection      Detection              `yaml:"detection"`
+	Detection      SigmaDetection              `yaml:"detection"`
 	Status         *SigmaStatus           `yaml:"status"`
 	Description    *string                `yaml:"description"`
 	License        *string                `yaml:"license"`
@@ -69,7 +69,7 @@ type LogSource struct {
 	Definition *string `yaml:"definition"`
 }
 
-type Detection struct {
+type SigmaDetection struct {
 	Condition OneOrMore[string]      `yaml:"condition"`
 	Rest      map[string]interface{} `yaml:",inline"`
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index e8aca634f..0012c20b2 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -16,6 +16,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/json"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 )
 
 func stripSegmentOptions(keys []string) []string {
@@ -409,13 +410,13 @@ func parseTime(fieldmap map[string]interface{}, key string) *time.Time {
 	var t time.Time
 
 	if value, ok := fieldmap[key]; ok {
-		switch value.(type) {
+		switch v := value.(type) {
 		case time.Time:
-			t = value.(time.Time)
+			t = v
 		case *time.Time:
-			t = *(value.(*time.Time))
+			t = *v
 		case string:
-			t, _ = time.Parse(time.RFC3339, value.(string))
+			t, _ = time.Parse(time.RFC3339, v)
 		}
 	}
 
@@ -700,7 +701,10 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 				obj.Note = value.(string)
 			}
 			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
-				obj.Engine = value.(string)
+				obj.Engine = model.EngineName(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.overrides"]; ok && value != nil {
+				obj.Overrides = convertElasticEventToOverride(value.([]interface{}))
 			}
 
 			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
@@ -710,6 +714,55 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 	return obj, err
 }
 
+func convertElasticEventToOverride(overrides []interface{}) []*model.Override {
+	overs := make([]*model.Override, 0, len(overrides))
+	for _, inter := range overrides {
+		override := inter.(map[string]interface{})
+		over := &model.Override{}
+
+		if value, ok := override["type"]; ok {
+			over.Type = model.OverrideType(value.(string))
+		}
+		if value, ok := override["isEnabled"]; ok {
+			over.IsEnabled = value.(bool)
+		}
+		if value, ok := override["createdAt"]; ok {
+			over.CreatedAt, _ = time.Parse(time.RFC3339, value.(string))
+		}
+		if value, ok := override["updatedAt"]; ok {
+			over.UpdatedAt, _ = time.Parse(time.RFC3339, value.(string))
+		}
+		if value, ok := override["thresholdType"]; ok && value != nil {
+			over.ThresholdType = util.Ptr(value.(string))
+		}
+		if value, ok := override["regex"]; ok && value != nil {
+			over.Regex = util.Ptr(value.(string))
+		}
+		if value, ok := override["value"]; ok && value != nil {
+			over.Value = util.Ptr(value.(string))
+		}
+		if value, ok := override["ip"]; ok && value != nil {
+			over.IP = util.Ptr(value.(string))
+		}
+		if value, ok := override["track"]; ok && value != nil {
+			over.Track = util.Ptr(value.(string))
+		}
+		if value, ok := override["count"]; ok && value != nil {
+			over.Count = util.Ptr(int(value.(float64)))
+		}
+		if value, ok := override["seconds"]; ok && value != nil {
+			over.Seconds = util.Ptr(int(value.(float64)))
+		}
+		if value, ok := override["customFilter"]; ok && value != nil {
+			over.CustomFilter = util.Ptr(value.(string))
+		}
+
+		overs = append(overs, over)
+	}
+
+	return overs
+}
+
 func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string) (interface{}, error) {
 	var obj interface{}
 	var err error
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 3fcefffac..88172d45e 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -18,12 +18,14 @@ import (
 	"sync"
 	"time"
 
-	"github.com/apex/log"
-	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
+	"github.com/samber/lo"
+	"gopkg.in/yaml.v3"
 )
 
 var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
@@ -316,6 +318,8 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 		return nil, fmt.Errorf("unable to find modify setting")
 	}
 
+	threshold := settingByID(allSettings, "suricata.thresholding.sids__yaml")
+
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
 	disabledLines := strings.Split(disabled.Value, "\n")
@@ -326,6 +330,11 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	disabledIndex := indexEnabled(disabledLines, false)
 	modifyIndex := indexModify(modifyLines)
 
+	thresholdIndex, err := indexThreshold(threshold.Value)
+	if err != nil {
+		return nil, err
+	}
+
 	errMap = map[string]string{} // map[sid]error
 
 	for _, detect := range detections {
@@ -407,6 +416,34 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 				delete(modifyIndex, sid)
 			}
 		}
+
+		// tuning
+		delete(thresholdIndex, detect.PublicID)
+		detOverrides := lo.Filter(detect.Overrides, func(o *model.Override, _ int) bool {
+			return o.IsEnabled
+		})
+
+		if len(detOverrides) > 0 {
+			// the only place we care about genID, we don't get it from the user except
+			// through the content of the rule. Default to 1 if we can't find it.
+			genID := 1
+
+			gid, ok := parsedRule.GetOption("gid")
+			if ok && gid != nil {
+				id, err := strconv.Atoi(*gid)
+				if err != nil {
+					genID = id
+				}
+			}
+
+			for _, o := range detOverrides {
+				if o.Type == model.OverrideTypeSuppress || o.Type == model.OverrideTypeThreshold {
+					o.GenID = util.Ptr(genID)
+				}
+			}
+
+			thresholdIndex[detect.PublicID] = detOverrides
+		}
 	}
 
 	local.Value = strings.Join(localLines, "\n")
@@ -496,6 +533,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		if exists {
 			if orig.Content != detect.Content {
 				detect.Id = orig.Id
+				detect.Overrides = orig.Overrides
 
 				_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
 				if err != nil {
@@ -605,3 +643,14 @@ func indexModify(lines []string) map[string]int {
 
 	return index
 }
+
+func indexThreshold(content string) (map[string][]*model.Override, error) {
+	index := map[string][]*model.Override{}
+
+	err := yaml.Unmarshal([]byte(content), &index)
+	if err != nil {
+		return nil, err
+	}
+
+	return index, nil
+}

From a9cba2fd5dd5e30a27cea64fd7121b0e5edbadd8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 27 Nov 2023 09:08:57 -0700
Subject: [PATCH 019/102] WIP: Save Overrides

Overrides can now be enabled/disabled.

When saving a detection, add the saving overlay so multiple edits can't take place at once.

Apply CustomFilter overrides when wrapping.

Save threshold modifications to disk after syncing local detections and their overrides in suricata.
---
 html/index.html                         | 54 +++++++++++++++++++------
 html/js/i18n.js                         |  1 +
 html/js/routes/detection.js             | 52 ++++++++++++++++++++----
 model/detection.go                      | 10 +++++
 server/detectionhandler.go              |  6 +++
 server/modules/elastalert/elastalert.go | 10 ++++-
 server/modules/suricata/suricata.go     | 12 ++++++
 7 files changed, 124 insertions(+), 21 deletions(-)

diff --git a/html/index.html b/html/index.html
index f0026cfa6..0cdaf56e9 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1127,7 +1127,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab-item> -->
               <v-tab-item value="tuning">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <v-col cols="12" style="padding-left: 0px; padding-right: 0px;">
+                  <v-col v-if="canAddOverride()" cols="12" style="padding-left: 0px; padding-right: 0px;">
                     <v-toolbar class="elevation-0" fixed>
                       <v-btn color="primary" id="add-override-button" style="text-decoration: none; cursor: 'pointer'" @click="createNewOverride()">
                         <v-icon :title="i18n.create">fa-plus</v-icon>
@@ -1182,7 +1182,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </v-col>
                   <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
-                    :items="detect.overrides" :item-key="'index'" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    :items="detect.overrides" item-value="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                     <template v-slot:item="{ item, index }">
                       <tr>
                         <td>
@@ -1212,9 +1212,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             6. Seconds - threshold
                             7. Custom Filter - engine:elastalert
                           -->
+                          <!-- isEnabled -->
+                          <div>
+                            <div class="font-weight-bold mt-4">
+                              {{i18n.enabled}}:
+                            </div>
+                            <span id="override-enabled" v-if="!isOverrideEdit('override-enabled')" @click="startOverrideEdit('override-enabled', item, 'isEnabled')">
+                              {{item.isEnabled}}
+                            </span>
+                            <v-checkbox v-else id="override-enabled-edit" ref="override-enabled" hide-details="auto" outlined v-model="item.isEnabled"
+                              persistent-hint :hint="i18n.enabled" v-on:change="stopOverrideEdit(true)"></v-checkbox>
+                          </div>
                           <!-- regex -->
                           <div v-if="item.type === 'modify'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Regex:
                             </div>
                             <span id="override-regex" v-if="!isOverrideEdit('override-regex')" @click="startOverrideEdit('override-regex', item, 'regex')">
@@ -1225,7 +1236,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- value -->
                           <div v-if="item.type === 'modify'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Value:
                             </div>
                             <span id="override-value" v-if="!isOverrideEdit('override-value')" @click="startOverrideEdit('override-value', item, 'value')">
@@ -1236,7 +1247,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- type (threshold) -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Type:
                             </div>
                             <span id="override-threshold-type" v-if="!isOverrideEdit('override-threshold-type')" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')">
@@ -1246,7 +1257,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- track -->
                           <div v-if="['suppress', 'threshold'].includes(item.type)">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Track:
                             </div>
                             <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
@@ -1256,7 +1267,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- ip -->
                           <div v-if="item.type === 'suppress'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               IP:
                             </div>
                             <span id="override-ip" v-if="!isOverrideEdit('override-ip')" @click="startOverrideEdit('override-ip', item, 'ip')">
@@ -1267,7 +1278,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- count -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Count:
                             </div>
                             <span id="override-count" v-if="!isOverrideEdit('override-count')" @click="startOverrideEdit('override-count', item, 'count')">
@@ -1278,7 +1289,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- seconds -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Seconds:
                             </div>
                             <span id="override-seconds" v-if="!isOverrideEdit('override-seconds')" @click="startOverrideEdit('override-seconds', item, 'seconds')">
@@ -1287,9 +1298,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <v-text-field v-else id="override-seconds-edit" ref="override-seconds" hide-details="auto" outlined v-model="item.seconds" :rules="[rules.required, rules.number]"
                               persistent-hint :hint="i18n.secondsLabel" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
                           </div>
-                          <!-- <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
-                          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field> -->
-                          <div class="d-flex justify-end text-body-2 mt-2">
+                          <div class="d-flex justify-end text-body-2 mt-4">
                             <div class="d-inline-flex">
                               <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
                                 {{ i18n.delete }}
@@ -1298,8 +1307,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                         </td>
                         <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'elastalert'">
+                          <!-- isEnabled -->
+                          <div>
+                            <div class="font-weight-bold mt-2">
+                              {{i18n.enabled}}:
+                            </div>
+                            <span id="override-enabled" v-if="!isOverrideEdit('override-enabled')" @click="startOverrideEdit('override-enabled', item, 'isEnabled')">
+                              {{item.isEnabled}}
+                            </span>
+                            <v-checkbox v-else id="override-enabled-edit" ref="override-enabled" hide-details="auto" outlined v-model="item.isEnabled"
+                              persistent-hint :hint="i18n.enabled" @change="stopOverrideEdit(true, $event)"></v-checkbox>
+                          </div>
+                          <!-- custom filter -->
                           <div>
-                            <div class="font-weight-bold">
+                            <div class="font-weight-bold mt-2">
                               Custom Filter:
                             </div>
                             <span id="override-custom-filter" v-if="!isOverrideEdit('override-custom-filter')" @click="startOverrideEdit('override-custom-filter', item, 'customFilter')">
@@ -1308,6 +1329,13 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <v-text-field v-else id="override-custom-filter-edit" ref="override-custom-filter" hide-details="auto" outlined v-model="item.customFilter" :rules="[rules.required]"
                               persistent-hint :hint="i18n.customFilter" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
                           </div>
+                          <div class="d-flex justify-end text-body-2 mt-2">
+                            <div class="d-inline-flex">
+                              <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
+                                {{ i18n.delete }}
+                              </v-btn>
+                            </div>
+                          </div>
                         </td>
                         <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'yara'"></td>
                       </tr>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 4b2a4e811..9e01eb118 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -287,6 +287,7 @@ const i18n = {
       email: 'Email Address',
       emailHelp: 'Specify a valid email address. Contact your administrator for new account creation.',
       emailRequired: 'An email address must be specified.',
+      enabled: 'Enabled',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
       engine: 'Engine',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5964fc929..b757c8c55 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -123,11 +123,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			try {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
-				if (this.detect.overrides) {
-					for (let i = 0; i < this.detect.overrides.length; i++) {
-						this.detect.overrides[i].index = i;
-					}
-				}
+				this.tagOverrides();
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -214,13 +210,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async stopEdit(commit) {
 			if (!commit) {
 				this.detect[this.editField] = this.origValue;
-			} else if (!this.isNew()) {
-				const response = await this.$root.papi.put('/detection', this.detect);
 			}
 
 			this.curEditTarget = null;
 			this.origValue = null;
 			this.editField = null;
+
+			if (commit && !this.isNew()) {
+				this.saveDetection(false);
+			}
 		},
 		async saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
@@ -256,21 +254,39 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			try {
 				let response;
+				this.$root.startLoading();
+
 				if (createNew) {
 					response = await this.$root.papi.post('/detection', this.detect);
 				} else {
 					response = await this.$root.papi.put('/detection', this.detect);
 				}
 
+				// get any expanded overrides before updating this.detect
+				let index = -1;
+				if (this.expanded && this.expanded.length) {
+					index = this.expanded[0].index;
+				}
+
+				this.detect = response.data;
+				this.tagOverrides();
 				this.origDetect = Object.assign({}, this.detect);
 
+				// reinstate expanded override
+				if (index != -1 && this.detect.overrides && this.detect.overrides.length > index) {
+					this.expand(this.detect.overrides[index]);
+				}
+
 				this.$root.showTip(this.i18n.saveSuccess);
 
 				if (createNew) {
 					this.$router.push({ name: 'detection', params: { id: response.data.id } });
 				}
+
 			} catch (error) {
 				this.$root.showError(error);
+			} finally {
+				this.$root.stopLoading();
 			}
 		},
 		async duplicateDetection() {
@@ -585,6 +601,28 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.detect.overrides = this.detect.overrides.filter(o => o !== item);
 			this.saveDetection(false);
 		},
+		canAddOverride() {
+			if (this.detect.engine === 'elastalert') {
+				if (this.detect.overrides && this.detect.overrides.length > 0) {
+					for (let i = 0; i < this.detect.overrides.length; i++) {
+						if (this.detect.overrides[i].type === 'custom filter') {
+							// elastalert detections that already have a custom filter
+							// cannot have any other custom filter overrides
+							return false;
+						}
+					}
+				}
+			}
+
+			return true;
+		},
+		tagOverrides() {
+			if (this.detect.overrides) {
+				for (let i = 0; i < this.detect.overrides.length; i++) {
+					this.detect.overrides[i].index = i;
+				}
+			}
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/model/detection.go b/model/detection.go
index bde5a004b..eb3b2059d 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -154,10 +154,20 @@ func (detect *Detection) Validate() error {
 		return ErrUnsupportedEngine
 	}
 
+	customs := 0
+
 	for _, o := range detect.Overrides {
 		if err := o.Validate(detect.Engine); err != nil {
 			return err
 		}
+
+		if o.Type == OverrideTypeCustomFilter {
+			customs++
+		}
+	}
+
+	if detect.Engine == EngineNameElastAlert && customs > 1 {
+		return errors.New("only one custom filter override is allowed per ElastAlert detection")
 	}
 
 	return nil
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 6f881e7ac..503f7aa47 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -149,6 +149,12 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	err = detect.Validate()
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
 	for _, over := range detect.Overrides {
 		if over.CreatedAt.IsZero() {
 			over.CreatedAt = time.Now()
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 38206d5a7..74dba2c8f 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -602,7 +602,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 		return "", fmt.Errorf("sigconverter returned error: %s", rule)
 	}
 
-	elastRule, err := wrapRule(det, string(rawRule))
+	elastRule, err := wrapRule(det, rule)
 	if err != nil {
 		return "", fmt.Errorf("unable to wrap rule: %w", err)
 	}
@@ -759,6 +759,14 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	sevNum := severities[det.Severity]
 
+	// apply the first (should only have 1) CustomFilter override if any
+	for _, o := range det.Overrides {
+		if o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
+			rule = fmt.Sprintf("(%s) and %s", rule, *o.CustomFilter)
+			break
+		}
+	}
+
 	wrapper := &CustomWrapper{
 		PlayTitle:     det.Title,
 		PlayID:        det.Id,
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 88172d45e..4715a325f 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -451,6 +451,13 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	disabled.Value = strings.Join(disabledLines, "\n")
 	modify.Value = strings.Join(modifyLines, "\n")
 
+	yamlThreshold, err := yaml.Marshal(thresholdIndex)
+	if err != nil {
+		return errMap, err
+	}
+
+	threshold.Value = string(yamlThreshold)
+
 	err = s.srv.Configstore.UpdateSetting(ctx, local, false)
 	if err != nil {
 		return errMap, err
@@ -471,6 +478,11 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 		return errMap, err
 	}
 
+	err = s.srv.Configstore.UpdateSetting(ctx, threshold, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	return errMap, nil
 }
 

From 4111311b4e086f0f0d579ced2e22541f68bbf436 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 28 Nov 2023 12:50:31 -0700
Subject: [PATCH 020/102] WIP: Overrides

Expanding one override would expand all the rows. Fixed.

Expanded CIDR checking to include IPv6.

Changed OverrideParameters yaml tags: genId => gen_id, thresholdType => type, and no yaml output for CustomFilter.
---
 html/index.html             |  2 +-
 html/js/routes/detection.js | 15 +++++++++++++--
 model/detection.go          | 23 +++++++++++++----------
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/html/index.html b/html/index.html
index 0cdaf56e9..8e239a4d5 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1182,7 +1182,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </v-col>
                   <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
-                    :items="detect.overrides" item-value="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    :items="detect.overrides" item-key="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                     <template v-slot:item="{ item, index }">
                       <tr>
                         <td>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index b757c8c55..0323155fe 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -41,10 +41,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
 			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
 			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
-			cidrFormat: value => (!value || /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value)) || this.i18n.invalidCidr,
 			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
 			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 			fileRequired: value => (value != null) || this.$root.i18n.required,
+			cidrFormat: value => (!value ||
+				/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
+				/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
+			) || this.i18n.invalidCidr,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
@@ -69,7 +72,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
-		trackOptions: ['by_src', 'by_dst', 'by_both'],
+		trackOptions: ['by_src', 'by_dst', 'by_either'],
   }},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -516,6 +519,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				isEnabled: o.isEnabled,
 			};
 
+			if (o.createdAt) {
+				out.createdAt = o.createdAt;
+			}
+
+			if (o.updatedAt) {
+				out.updatedAt = o.updatedAt;
+			}
+
 			if (engine === 'elastalert') {
 				out.customFilter = o.customFilter;
 			} else {
diff --git a/model/detection.go b/model/detection.go
index eb3b2059d..0e3eef025 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -111,17 +111,17 @@ type Override struct {
 
 type OverrideParameters struct {
 	// suricata
-	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`                 // modify
-	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`                 // modify
-	GenID         *int    `json:"-" yaml:"genId,omitempty"`                               // suppress, threshold
-	ThresholdType *string `json:"thresholdType,omitempty" yaml:"thresholdType,omitempty"` // threshold
-	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`                 // suppress, threshold
-	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`                       // suppress
-	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`                 // threshold
-	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`             // threshold
+	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`        // modify
+	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`        // modify
+	GenID         *int    `json:"-" yaml:"gen_id,omitempty"`                     // suppress, threshold
+	ThresholdType *string `json:"thresholdType,omitempty" yaml:"type,omitempty"` // threshold
+	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`        // suppress, threshold
+	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`              // suppress
+	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`        // threshold
+	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`    // threshold
 
 	// elastalert
-	CustomFilter *string `json:"customFilter,omitempty" yaml:"customFilter,omitempty"` // modify
+	CustomFilter *string `json:"customFilter,omitempty" yaml:"-"` // modify
 }
 
 func (o Override) MarshalYAML() (interface{}, error) {
@@ -194,13 +194,16 @@ func (o *Override) Validate(engine EngineName) error {
 				return errors.New("unnecessary fields in override")
 			}
 		case OverrideTypeSuppress:
-			if o.Value == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+			if o.IP == nil || o.Track == nil {
 				return errors.New("missing required parameter(s)")
 			}
 
 			if o.Regex != nil ||
+				o.Value != nil ||
 				o.GenID != nil ||
 				o.ThresholdType != nil ||
+				o.Count != nil ||
+				o.Seconds != nil ||
 				o.CustomFilter != nil {
 				return errors.New("unnecessary fields in override")
 			}

From 8313d923e4e991eb470c0e450bf34e49af16fe1f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 28 Nov 2023 16:28:44 -0700
Subject: [PATCH 021/102] WIP: Track Options, Override UpdatedAt

Track is a field for both Suppress and Threshold type overrides but it contains different enum values depending on which of those two types, basically Threshold doesn't have `by_either`.

When saving a detection, update the UpdatedAt field for an override when the old detection doesn't have an override with the exact same values regardless of order.
---
 html/index.html             |   4 +-
 html/js/routes/detection.js | 151 +++++++++++++++++++-----------------
 server/detectionhandler.go  |  34 ++++++--
 3 files changed, 108 insertions(+), 81 deletions(-)

diff --git a/html/index.html b/html/index.html
index 8e239a4d5..4c9bb3ca4 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1155,7 +1155,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           <!-- (threshold) type -->
                           <v-select v-if="newOverride.type === 'threshold'" id="new-override-threshold-type-edit" v-model="newOverride.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.thresholdType"></v-select>
                           <!-- track -->
-                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
+                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="getTrackOptions(newOverride.type)" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
                           <!-- ip -->
                           <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr"></v-text-field>
                           <!-- count -->
@@ -1263,7 +1263,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
                               {{item.track}}
                             </span>
-                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="getTrackOptions(item.type)" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
                           </div>
                           <!-- ip -->
                           <div v-if="item.type === 'suppress'">
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 0323155fe..47f4d1a7c 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -18,8 +18,8 @@ function debounce(fn, wait) {
 }
 
 routes.push({ path: '/detection/:id', name: 'detection', component: {
-  template: '#page-detection',
-  data() { return {
+	template: '#page-detection',
+	data() { return {
 		i18n: this.$root.i18n,
 		presets: {},
 		severityTranslations: {},
@@ -72,22 +72,21 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
-		trackOptions: ['by_src', 'by_dst', 'by_either'],
-  }},
+	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
-  },
-  watch: {
+	},
+	watch: {
 	},
 	mounted() {
 		this.$watch(
-      () => this.$route.params,
-      (to, prev) => {
+			() => this.$route.params,
+			(to, prev) => {
 				this.loadData();
 			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
-  methods: {
+	methods: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
@@ -127,26 +126,26 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
 				this.tagOverrides();
-      } catch (error) {
-        if (error.response != undefined && error.response.status == 404) {
-          this.$root.showError(this.i18n.notFound);
-        } else {
-          this.$root.showError(error);
-        }
+			} catch (error) {
+				if (error.response != undefined && error.response.status == 404) {
+					this.$root.showError(this.i18n.notFound);
+				} else {
+					this.$root.showError(error);
+				}
 			}
 
-      this.$root.stopLoading();
+			this.$root.stopLoading();
 		},
 		getDefaultPreset(preset) {
-      if (this.presets) {
-        const presets = this.presets[preset];
-        if (presets && presets.labels && presets.labels.length > 0) {
-          return presets.labels[0];
-        }
-      }
-      return "";
-    },
-    getPresets(kind) {
+			if (this.presets) {
+				const presets = this.presets[preset];
+				if (presets && presets.labels && presets.labels.length > 0) {
+					return presets.labels[0];
+				}
+			}
+			return "";
+		},
+		getPresets(kind) {
 			if (this.presets && this.presets[kind]) {
 				switch (kind) {
 					case 'severity':
@@ -155,8 +154,18 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					default:
 						return this.presets[kind].labels;
 				}
-      }
-      return [];
+			}
+			return [];
+		},
+		getTrackOptions(type) {
+			switch (type) {
+				case 'threshold':
+					return ['by_src', 'by_dst'];
+				case 'suppress':
+					return ['by_src', 'by_dst', 'by_either'];
+			}
+
+			return [];
 		},
 		capitalizeOptions(opts) {
 			return opts.map(opt => {
@@ -174,12 +183,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return rules;
 		},
-    isPresetCustomEnabled(kind) {
-      if (this.presets && this.presets[kind]) {
-        return this.presets[kind].customEnabled == true;
-      }
-      return false;
-    },
+		isPresetCustomEnabled(kind) {
+			if (this.presets && this.presets[kind]) {
+				return this.presets[kind].customEnabled == true;
+			}
+			return false;
+		},
 		isNew() {
 			return this.$route.params.id === 'create';
 		},
@@ -434,51 +443,51 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			}
 		},
 		saveSetting(name, value, defaultValue = null) {
-      var item = 'settings.detection.' + name;
-      if (defaultValue == null || value != defaultValue) {
-        localStorage[item] = value;
-      } else {
-        localStorage.removeItem(item);
-      }
-    },
-    saveLocalSettings() {
-      this.saveSetting('sortDesc', this.sortDesc, true);
-      this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
-      this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
-      this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
+			var item = 'settings.detection.' + name;
+			if (defaultValue == null || value != defaultValue) {
+				localStorage[item] = value;
+			} else {
+				localStorage.removeItem(item);
+			}
+		},
+		saveLocalSettings() {
+			this.saveSetting('sortDesc', this.sortDesc, true);
+			this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
+			this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
+			this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
 		},
 		sortOverrides(items, index, isDesc) {
-      const route = this;
-      if (index && index.length > 0) {
-        index = index[0];
-      }
-      if (isDesc && isDesc.length > 0) {
-        isDesc = isDesc[0];
-      }
-      items.sort((a, b) => {
-        if (index === "event.severity_label") {
-          return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
-        } else {
-          return route.defaultSort(a[index], b[index], isDesc);
-        }
-      });
-      return items
+			const route = this;
+			if (index && index.length > 0) {
+				index = index[0];
+			}
+			if (isDesc && isDesc.length > 0) {
+				isDesc = isDesc[0];
+			}
+			items.sort((a, b) => {
+				if (index === "event.severity_label") {
+					return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
+				} else {
+					return route.defaultSort(a[index], b[index], isDesc);
+				}
+			});
+			return items
 		},
 		defaultSort(a, b, isDesc) {
-      if (!isDesc) {
-        return a < b ? -1 : 1;
-      }
-      return b < a ? -1 : 1;
-    },
+			if (!isDesc) {
+				return a < b ? -1 : 1;
+			}
+			return b < a ? -1 : 1;
+		},
 		expand(item) {
-      if (this.isExpanded(item)) {
-        this.expanded = [];
-      } else {
-        this.expanded = [item];
+			if (this.isExpanded(item)) {
+				this.expanded = [];
+			} else {
+				this.expanded = [item];
 			}
 		},
 		isExpanded(item) {
-      return (this.expanded.length > 0 && this.expanded[0] === item);
+			return (this.expanded.length > 0 && this.expanded[0] === item);
 		},
 		createNewOverride() {
 			this.newOverride = {
@@ -637,5 +646,5 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		print(x) {
 			console.log(x);
 		},
-  }
+	}
 }});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 503f7aa47..b3b837155 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -155,20 +155,38 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	now := time.Now()
+
 	for _, over := range detect.Overrides {
 		if over.CreatedAt.IsZero() {
-			over.CreatedAt = time.Now()
+			over.CreatedAt = now
 		}
 
-		if over.UpdatedAt.IsZero() {
-			over.UpdatedAt = time.Now()
+		update := true
+		for i, oldOver := range old.Overrides {
+			if *over == *oldOver {
+				// Did the old detection contain an override with the EXACT same parameters?
+				// If so, we don't need to update the UpdatedAt field.
+				update = false
+
+				// A match was found, the old override can be removed from the list so it
+				// isn't compared to other overrides. i.e. removing it means it can only
+				// match one override in the new list.
+				old.Overrides = append(old.Overrides[:i], old.Overrides[i+1:]...)
+
+				break
+			}
 		}
-	}
 
-	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
+		if over.UpdatedAt.IsZero() || update {
+			over.UpdatedAt = now
+		}
 	}
 
 	if old.IsCommunity {

From 0b14887e2924325e2eb71c68eb3e1b0b73375d50 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 30 Nov 2023 15:03:53 -0700
Subject: [PATCH 022/102] WIP: ElastAlert enable new community detections

ElastAlert now enables first seen detections from the community. The infohandler now returns more predetermined search queries.
---
 server/infohandler.go                   | 12 ++++++++++++
 server/modules/elastalert/elastalert.go |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/server/infohandler.go b/server/infohandler.go
index 3993ce79c..2295806e4 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -94,6 +94,10 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "Enabled",
 				Query: "so_detection.isEnabled:true",
 			},
+			{
+				Name:  "Disabled",
+				Query: "so_detection.isEnabled:false",
+			},
 			{
 				Name:  "Suricata",
 				Query: "so_detection.engine:suricata",
@@ -106,10 +110,18 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "Suricata Enabled",
 				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
 			},
+			{
+				Name:  "Suricata Disabled",
+				Query: "so_detection.engine:suricata AND so_detection.isEnabled:false",
+			},
 			{
 				Name:  "ElastAlert Enabled",
 				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
 			},
+			{
+				Name:  "ElastAlert Disabled",
+				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:false",
+			},
 		}
 	}
 
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 74dba2c8f..2b781102a 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -422,6 +422,8 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				results.Unchanged++
 			}
 		} else {
+			det.IsEnabled = true
+
 			_, err = e.srv.Detectionstore.CreateDetection(ctx, det)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to create detection: %s", err)

From 5adb48a63f97366f2f811d8cc84e9b5cb96269e5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 19 Dec 2023 11:56:04 -0700
Subject: [PATCH 023/102] WIP: Post-Rebase go mod tidy

Also updated new chi references to chi/v5
---
 go.mod                     | 13 +------------
 go.sum                     | 33 ---------------------------------
 server/detectionhandler.go |  2 +-
 3 files changed, 2 insertions(+), 46 deletions(-)

diff --git a/go.mod b/go.mod
index 29ef986ef..f3e82605c 100644
--- a/go.mod
+++ b/go.mod
@@ -29,23 +29,12 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/deepmap/oapi-codegen v1.12.4 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
+	github.com/oapi-codegen/runtime v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
diff --git a/go.sum b/go.sum
index e87a28ca7..21746b7b6 100644
--- a/go.sum
+++ b/go.sum
@@ -13,33 +13,14 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deepmap/oapi-codegen v1.16.2/go.mod h1:rdYoEA2GE+riuZ91DvpmBX9hJbQpuY9wchXpfQ3n+ho=
 github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWION0Bh6d9eCFBriiHo=
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
-github.com/deepmap/oapi-codegen v1.12.4 h1:pPmn6qI9MuOtCz82WY2Xaw46EQjgvxednXXrP7g5Q2s=
-github.com/deepmap/oapi-codegen v1.12.4/go.mod h1:3lgHGMu6myQ2vqbbTXH2H1o4eXFTGnFiDaOaKKl5yas=
-github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJyMw6cbCWM3T/B2S5E=
-github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
-github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
-github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
-github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
-github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -53,12 +34,8 @@ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZH
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0 h1:ioBbLmR5NMbAjP4UVA5r9b5xGjpABD7j65pI8kFphDM=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0/go.mod h1:k+spCbt9hcvqvUiz0sr5D8LolXHqAAOfPw9v/RIRHl4=
-github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 h1:W9WBk7wlPfJLvMCdtV4zPulc4uCPrlywQOmbFOhgQNU=
-github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
@@ -80,8 +57,6 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/oapi-codegen/runtime v1.0.0 h1:P4rqFX5fMFWqRzY9M/3YF9+aPSPPB06IzP2P7oOxrWo=
 github.com/oapi-codegen/runtime v1.0.0/go.mod h1:LmCUMQuPB4M/nLXilQXhHw+BLZdDb18B34OO356yJ/A=
-github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfWeFKWM=
-github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -94,8 +69,6 @@ github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
-github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
-github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
@@ -104,12 +77,8 @@ github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
@@ -131,8 +100,6 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 h1:3MTrJm4PyNL9NBqvYDSj3DHl46qQakyfqfWo4jgfaEM=
-golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b3b837155..6d0f85748 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -17,7 +17,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/pkg/errors"
 )
 

From 679479c179481afa8334ff65cf2f4c1a371835a8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 20 Dec 2023 15:26:51 -0700
Subject: [PATCH 024/102] WIP: ElastAlertEngine Tests

Refactored the ElastAlertEngine to use a new interface for interacting with external resources (Disk and Network). This allows for mocking these resources in the new tests.

Also updated Suricata's tests to include the new thresholding config value used by overrides.
---
 go.mod                                        |   1 +
 go.sum                                        |   2 +
 server/modules/elastalert/elastalert.go       |  75 ++++-
 server/modules/elastalert/elastalert_test.go  | 294 +++++++++++++++---
 .../modules/elastalert/mock/mock_iomanager.go | 113 +++++++
 server/modules/suricata/suricata_test.go      | 163 ++++++++--
 6 files changed, 555 insertions(+), 93 deletions(-)
 create mode 100644 server/modules/elastalert/mock/mock_iomanager.go

diff --git a/go.mod b/go.mod
index f3e82605c..55f718020 100644
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
 require (
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
+	go.uber.org/mock v0.3.0
 )
 
 require (
diff --git a/go.sum b/go.sum
index 21746b7b6..78e55c5b3 100644
--- a/go.sum
+++ b/go.sum
@@ -95,6 +95,8 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
+go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 2b781102a..bc38fb1b9 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -14,6 +14,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/fs"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -38,6 +39,14 @@ var acceptedExtensions = map[string]bool{
 	".yaml": true,
 }
 
+type IOManager interface {
+	ReadFile(path string) ([]byte, error)
+	WriteFile(path string, contents []byte, perm fs.FileMode) error
+	DeleteFile(path string) error
+	ReadDir(path string) ([]os.DirEntry, error)
+	MakeRequest(*http.Request) (*http.Response, error)
+}
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
@@ -49,11 +58,13 @@ type ElastAlertEngine struct {
 	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
+	IOManager
 }
 
 func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
 	return &ElastAlertEngine{
-		srv: srv,
+		srv:       srv,
+		IOManager: &ResourceManager{},
 	}
 }
 
@@ -156,7 +167,7 @@ func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections [
 		}
 	}()
 
-	index, err := e.indexExistingRules()
+	index, err := e.IndexExistingRules()
 	if err != nil {
 		return nil, fmt.Errorf("unable to index existing rules: %w", err)
 	}
@@ -174,14 +185,14 @@ func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections [
 				continue
 			}
 
-			err = os.WriteFile(path, []byte(eaRule), 0644)
+			err = e.WriteFile(path, []byte(eaRule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Sprintf("unable to write enabled detection file: %s", err)
 				continue
 			}
 		} else {
 			// was enabled, no longer is enabled: Disable
-			err = os.Remove(path)
+			err = e.DeleteFile(path)
 			if err != nil && !os.IsNotExist(err) {
 				errMap[det.PublicID] = fmt.Sprintf("unable to remove disabled detection file: %s", err)
 				continue
@@ -221,7 +232,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			zipHashes[pkg] = base64.StdEncoding.EncodeToString(h[:])
 		}
 
-		raw, err := os.ReadFile(e.rulesFingerprintFile)
+		raw, err := e.ReadFile(e.rulesFingerprintFile)
 		if err != nil && !os.IsNotExist(err) {
 			log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to read rules fingerprint file")
 			continue
@@ -273,7 +284,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			if err != nil {
 				log.WithError(err).Error("unable to marshal rules fingerprints")
 			} else {
-				err = os.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
+				err = e.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
 				if err != nil {
 					log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to write rules fingerprint file")
 				}
@@ -367,7 +378,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 }
 
 func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
-	existing, err := e.indexExistingRules()
+	existing, err := e.IndexExistingRules()
 	if err != nil {
 		return nil, err
 	}
@@ -397,7 +408,6 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 
 	errMap = map[string]error{} // map[publicID]error
 
-	// detections = []*model.Detection{}
 	for _, det := range detections {
 		path, ok := index[det.PublicID]
 		if !ok {
@@ -448,14 +458,14 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
 			}
 
-			err = os.WriteFile(path, []byte(rule), 0644)
+			err = e.WriteFile(path, []byte(rule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
 				continue
 			}
 		} else if path != "" {
 			// detection is disabled but a file exists, remove it
-			err = os.Remove(path)
+			err = e.DeleteFile(path)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to remove disabled detection file: %s", err)
 				continue
@@ -498,7 +508,13 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 	for _, pkg := range e.sigmaRulePackages {
 		download := fmt.Sprintf(e.sigmaPackageDownloadTemplate, pkg)
 
-		resp, err := http.Get(download)
+		req, err := http.NewRequest(http.MethodGet, download, nil)
+		if err != nil {
+			errMap[pkg] = err
+			continue
+		}
+
+		resp, err := e.MakeRequest(req)
 		if err != nil {
 			errMap[pkg] = err
 			continue
@@ -523,12 +539,12 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 	return zipData, errMap
 }
 
-// indexExistingRules maps the publicID of a detection to the path of the rule file.
+// IndexExistingRules maps the publicID of a detection to the path of the rule file.
 // Note that it indexes ALL rules and not just community rules.
-func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
+func (e *ElastAlertEngine) IndexExistingRules() (index map[string]string, err error) {
 	index = map[string]string{} // map[id | title]path
 
-	rules, err := os.ReadDir(e.elastAlertRulesFolder)
+	rules, err := e.ReadDir(e.elastAlertRulesFolder)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read elastalert rules directory: %w", err)
 	}
@@ -582,7 +598,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 	req.Header.Add("Content-Type", "application/json")
 
 	// send request
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := e.MakeRequest(req)
 	if err != nil {
 		return "", err
 	}
@@ -763,7 +779,7 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	// apply the first (should only have 1) CustomFilter override if any
 	for _, o := range det.Overrides {
-		if o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
+		if o.IsEnabled && o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
 			rule = fmt.Sprintf("(%s) and %s", rule, *o.CustomFilter)
 			break
 		}
@@ -775,7 +791,7 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 		EventModule:   "elastalert",
 		EventDataset:  "elastalert.alert",
 		EventSeverity: sevNum,
-		RuleCategory:  "TBD",
+		RuleCategory:  "", // TODO: what should this be?
 		SigmaLevel:    string(det.Severity),
 		Alert:         []string{"modules.so.playbook-es.PlaybookESAlerter"},
 		Index:         ".ds-logs-*",
@@ -799,3 +815,28 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	return string(rawYaml), nil
 }
+
+// go install go.uber.org/mock/mockgen@latest
+//go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+
+type ResourceManager struct{}
+
+func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
+	return os.ReadFile(path)
+}
+
+func (_ *ResourceManager) WriteFile(path string, contents []byte, perm fs.FileMode) error {
+	return os.WriteFile(path, contents, perm)
+}
+
+func (_ *ResourceManager) DeleteFile(path string) error {
+	return os.Remove(path)
+}
+
+func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
+	return os.ReadDir(path)
+}
+
+func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	return http.DefaultClient.Do(req)
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index e5e39cb92..f304deaed 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -9,17 +9,23 @@ import (
 	"archive/zip"
 	"bytes"
 	"context"
+	"io"
+	"io/fs"
 	"net/http"
-	"net/http/httptest"
 	"sort"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
-	"gopkg.in/yaml.v3"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert/mock"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 
 	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+	"gopkg.in/yaml.v3"
 )
 
 func TestElastAlertModule(t *testing.T) {
@@ -191,21 +197,20 @@ func TestTimeFrame(t *testing.T) {
 }
 
 func TestSigmaToElastAlertSunnyDay(t *testing.T) {
-	callCount := 0
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, http.MethodPost, r.Method)
+	ctrl := gomock.NewController(t)
 
-		w.WriteHeader(http.StatusOK)
-		_, err := w.Write([]byte("<eql>"))
-		assert.NoError(t, err)
-
-		callCount++
-	}))
-	defer srv.Close()
+	mio := mock.NewMockIOManager(ctrl)
+	body := "<eql>"
+	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
+		StatusCode:    http.StatusOK,
+		Body:          io.NopCloser(strings.NewReader(body)),
+		ContentLength: int64(len(body)),
+	}, nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       srv.URL,
+		sigconverterUrl:       "localhost:8000/convert",
 		sigmaConversionTarget: "eql",
+		IOManager:             mio,
 	}
 
 	det := &model.Detection{
@@ -225,7 +230,7 @@ play_id: 00000000-0000-0000-0000-000000000000
 event.module: elastalert
 event.dataset: elastalert.alert
 event.severity: 4
-rule.category: TBD
+rule.category: ""
 sigma_level: high
 alert:
     - modules.so.playbook-es.PlaybookESAlerter
@@ -239,26 +244,24 @@ kibana_pivot: kibana_pivot
 soc_pivot: soc_pivot
 `
 	assert.YAMLEq(t, expected, wrappedRule)
-	assert.Equal(t, 1, callCount)
 }
 
 func TestSigmaToElastAlertError(t *testing.T) {
-	callCount := 0
-	msg := "something went wrong"
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, http.MethodPost, r.Method)
+	ctrl := gomock.NewController(t)
 
-		w.WriteHeader(http.StatusOK)
-		_, err := w.Write([]byte("Error: " + msg))
-		assert.NoError(t, err)
-
-		callCount++
-	}))
-	defer srv.Close()
+	mio := mock.NewMockIOManager(ctrl)
+	msg := "something went wrong"
+	body := "Error: " + msg
+	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
+		StatusCode:    http.StatusOK,
+		Body:          io.NopCloser(strings.NewReader(body)),
+		ContentLength: int64(len(body)),
+	}, nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       srv.URL,
+		sigconverterUrl:       "localhost:3000/convert",
 		sigmaConversionTarget: "eql",
+		IOManager:             mio,
 	}
 
 	det := &model.Detection{
@@ -271,7 +274,7 @@ func TestSigmaToElastAlertError(t *testing.T) {
 	}
 
 	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
-	assert.Equal(t, "", wrappedRule)
+	assert.Empty(t, wrappedRule)
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, msg)
 }
@@ -336,28 +339,31 @@ level: high
 func TestDownloadSigmaPackages(t *testing.T) {
 	t.Parallel()
 
-	callCount := 0
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		callCount++
-
-		if r.RequestURI == "/fake.zip" {
-			w.WriteHeader(http.StatusNotFound)
-			return
-		}
+	ctrl := gomock.NewController(t)
 
-		assert.Equal(t, http.MethodGet, r.Method)
+	mio := mock.NewMockIOManager(ctrl)
+	body := "data"
 
-		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("data"))
+	for i := 0; i < 5; i++ {
+		// can't use mock's Times(x) because the first response's body
+		// closing will result in remaining requests getting 0 data
+		mio.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+			StatusCode:    http.StatusOK,
+			Body:          io.NopCloser(strings.NewReader(body)),
+			ContentLength: int64(len(body)),
+		}, nil)
+	}
 
-	}))
-	defer srv.Close()
+	mio.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+		StatusCode: http.StatusNotFound,
+	}, nil)
 
 	pkgs := []string{"core", "core+", "core++", "emerging_threats_addon", "all_rules", "fake"}
 
 	engine := ElastAlertEngine{
 		sigmaRulePackages:            pkgs,
-		sigmaPackageDownloadTemplate: srv.URL + "/%s.zip",
+		sigmaPackageDownloadTemplate: "localhost:3000/%s.zip",
+		IOManager:                    mio,
 	}
 
 	pkgZips, errMap := engine.downloadSigmaPackages(context.Background())
@@ -366,8 +372,208 @@ func TestDownloadSigmaPackages(t *testing.T) {
 	assert.Len(t, pkgZips, len(pkgs)-1)
 
 	for _, pkg := range pkgs[:len(pkgs)-1] {
-		assert.Equal(t, []byte("data"), pkgZips[pkg])
+		assert.Equal(t, []byte(body), pkgZips[pkg])
 	}
+}
+
+const (
+	SimpleRuleSID = "10000"
+	SimpleRule    = `title: Griffon Malware Attack Pattern
+	id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
+	status: experimental
+	description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+	references:
+			- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
+	author: Nasreddine Bencherchali (Nextron Systems)
+	date: 2023/03/09
+	tags:
+			- attack.execution
+			- detection.emerging_threats
+	logsource:
+			category: process_creation
+			product: windows
+	detection:
+			selection:
+					CommandLine|contains|all:
+							- '\local\temp\'
+							- '//b /e:jscript'
+							- '.txt'
+			condition: selection
+	falsepositives:
+			- Unlikely
+	level: critical`
+)
+
+type MockDirEntry struct {
+	name  string
+	isDir bool
+	typ   fs.FileMode
+}
 
-	assert.Equal(t, len(pkgs), callCount)
+func (mde *MockDirEntry) Name() string {
+	return mde.name
+}
+
+func (mde *MockDirEntry) IsDir() bool {
+	return mde.isDir
+}
+
+func (mde *MockDirEntry) Type() fs.FileMode {
+	return mde.typ
+}
+
+func (mde *MockDirEntry) ModTime() time.Time {
+	return time.Now()
+}
+
+func (mde *MockDirEntry) Mode() fs.FileMode {
+	return mde.typ
+}
+
+func (mde *MockDirEntry) Size() int64 {
+	return 100
+}
+
+func (mde *MockDirEntry) Sys() any {
+	return nil
+}
+
+func (mde *MockDirEntry) Info() (fs.FileInfo, error) {
+	return mde, nil
+}
+
+func TestSyncElastAlert(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name           string
+		Detections     []*model.Detection
+		InitMock       func(*ElastAlertEngine, *mock.MockIOManager)
+		ExpectedErr    error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Enable New Simple Rule",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Title:     "TEST",
+					Auditable: model.Auditable{
+						Id: SimpleRuleSID,
+					},
+					Severity: model.SeverityMedium,
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
+				// sigmaToElastAlert
+				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+					StatusCode: http.StatusOK,
+					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
+				}, nil)
+				// WriteFile when enabling
+				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: '[sigma rule]'\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
+			},
+		},
+		{
+			Name: "Disable Simple Rule",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					IsEnabled: false,
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				filename := SimpleRuleSID + ".yml"
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{
+					&MockDirEntry{
+						name: filename,
+					},
+					&MockDirEntry{
+						name:  "ignored_dir",
+						isDir: true,
+					},
+					&MockDirEntry{
+						name: "ignored.txt",
+					},
+				}, nil)
+				// DeleteFile when disabling
+				m.EXPECT().DeleteFile(filename).Return(nil)
+			},
+		},
+		{
+			Name: "Enable Rule w/Override",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Title:     "TEST",
+					Auditable: model.Auditable{
+						Id: SimpleRuleSID,
+					},
+					Severity: model.SeverityMedium,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeCustomFilter,
+							IsEnabled: false,
+							OverrideParameters: model.OverrideParameters{
+								CustomFilter: util.Ptr("FALSE"),
+							},
+						},
+						{
+							Type:      model.OverrideTypeCustomFilter,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								CustomFilter: util.Ptr("TRUE"),
+							},
+						},
+					},
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
+				// sigmaToElastAlert
+				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+					StatusCode: http.StatusOK,
+					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
+				}, nil)
+				// WriteFile when enabling
+				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: ([sigma rule]) and TRUE\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+
+			mockIO := mock.NewMockIOManager(ctrl)
+
+			mod := NewElastAlertEngine(&server.Server{
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+			})
+
+			mod.IOManager = mockIO
+			mod.srv.DetectionEngines[model.EngineNameElastAlert] = mod
+
+			if test.InitMock != nil {
+				test.InitMock(mod, mockIO)
+			}
+
+			errMap, err := mod.SyncLocalDetections(ctx, test.Detections)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+		})
+	}
 }
diff --git a/server/modules/elastalert/mock/mock_iomanager.go b/server/modules/elastalert/mock/mock_iomanager.go
new file mode 100644
index 000000000..a1508daf0
--- /dev/null
+++ b/server/modules/elastalert/mock/mock_iomanager.go
@@ -0,0 +1,113 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert (interfaces: IOManager)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	fs "io/fs"
+	http "net/http"
+	reflect "reflect"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockIOManager is a mock of IOManager interface.
+type MockIOManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockIOManagerMockRecorder
+}
+
+// MockIOManagerMockRecorder is the mock recorder for MockIOManager.
+type MockIOManagerMockRecorder struct {
+	mock *MockIOManager
+}
+
+// NewMockIOManager creates a new mock instance.
+func NewMockIOManager(ctrl *gomock.Controller) *MockIOManager {
+	mock := &MockIOManager{ctrl: ctrl}
+	mock.recorder = &MockIOManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIOManager) EXPECT() *MockIOManagerMockRecorder {
+	return m.recorder
+}
+
+// DeleteFile mocks base method.
+func (m *MockIOManager) DeleteFile(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteFile", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteFile indicates an expected call of DeleteFile.
+func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
+}
+
+// MakeRequest mocks base method.
+func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MakeRequest", arg0)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MakeRequest indicates an expected call of MakeRequest.
+func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
+}
+
+// ReadDir mocks base method.
+func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadDir", arg0)
+	ret0, _ := ret[0].([]fs.DirEntry)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadDir indicates an expected call of ReadDir.
+func (mr *MockIOManagerMockRecorder) ReadDir(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadDir", reflect.TypeOf((*MockIOManager)(nil).ReadDir), arg0)
+}
+
+// ReadFile mocks base method.
+func (m *MockIOManager) ReadFile(arg0 string) ([]byte, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadFile", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadFile indicates an expected call of ReadFile.
+func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
+}
+
+// WriteFile mocks base method.
+func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WriteFile", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WriteFile indicates an expected call of WriteFile.
+func (mr *MockIOManagerMockRecorder) WriteFile(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteFile", reflect.TypeOf((*MockIOManager)(nil).WriteFile), arg0, arg1, arg2)
+}
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 81110b21f..c1eea1de4 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -32,6 +32,7 @@ func emptySettings() []*model.Setting {
 		{Id: "idstools.sids.enabled"},
 		{Id: "idstools.sids.disabled"},
 		{Id: "idstools.sids.modify"},
+		{Id: "suricata.thresholding.sids__yaml"},
 	}
 }
 
@@ -374,10 +375,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + SimpleRule,
-				"idstools.sids.enabled":       "\n" + SimpleRuleSID,
-				"idstools.sids.disabled":      "\n# " + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -391,10 +393,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + SimpleRule,
-				"idstools.sids.enabled":       "\n# " + SimpleRuleSID,
-				"idstools.sids.disabled":      "\n" + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n# " + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n" + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -404,6 +407,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.disabled", Value: SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -413,10 +417,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": SimpleRule,
-				"idstools.sids.enabled":       SimpleRuleSID,
-				"idstools.sids.disabled":      "# " + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            SimpleRuleSID,
+				"idstools.sids.disabled":           "# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -426,6 +431,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: SimpleRuleSID},
 				{Id: "idstools.sids.disabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -435,10 +441,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": SimpleRule,
-				"idstools.sids.enabled":       "# " + SimpleRuleSID,
-				"idstools.sids.disabled":      SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            "# " + SimpleRuleSID,
+				"idstools.sids.disabled":           SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -452,10 +459,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
-				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":            "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -469,10 +477,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
-				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules":      "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":            "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -482,6 +491,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
 				{Id: "idstools.sids.disabled", Value: ""},
 				{Id: "idstools.sids.modify", Value: FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -491,10 +501,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": FlowbitsRuleB,
-				"idstools.sids.enabled":       FlowbitsRuleBSID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      FlowbitsRuleB,
+				"idstools.sids.enabled":            FlowbitsRuleBSID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -504,6 +515,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
 				{Id: "idstools.sids.disabled", Value: "# " + FlowbitsRuleBSID},
 				{Id: "idstools.sids.modify", Value: ""},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -513,10 +525,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": FlowbitsRuleB,
-				"idstools.sids.enabled":       FlowbitsRuleBSID,
-				"idstools.sids.disabled":      "# " + FlowbitsRuleBSID,
-				"idstools.sids.modify":        "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules":      FlowbitsRuleB,
+				"idstools.sids.enabled":            FlowbitsRuleBSID,
+				"idstools.sids.disabled":           "# " + FlowbitsRuleBSID,
+				"idstools.sids.modify":             "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -547,6 +560,92 @@ func TestSyncSuricata(t *testing.T) {
 				"0": `rule does not contain a SID; rule=alert http any any -> any any (msg:"This rule doesn't have a SID";)`,
 			},
 		},
+		{
+			Name:            "Thresholding (Modify)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeModify,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								Regex: util.Ptr("rev:7;"),
+								Value: util.Ptr("rev:8;"),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - modify:\n        regex: rev:7;\n        value: rev:8;\n",
+			},
+		},
+		{
+			Name:            "Thresholding (Suppress)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeSuppress,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								Track: util.Ptr("by_src"),
+								IP:    util.Ptr("0.0.0.0"),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - suppress:\n        gen_id: 1\n        track: by_src\n        ip: 0.0.0.0\n",
+			},
+		},
+		{
+			Name:            "Thresholding (Threshold)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeThreshold,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								ThresholdType: util.Ptr("limit"),
+								Track:         util.Ptr("by_src"),
+								Count:         util.Ptr(5),
+								Seconds:       util.Ptr(60),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - threshold:\n        gen_id: 1\n        type: limit\n        track: by_src\n        count: 5\n        seconds: 60\n",
+			},
+		},
 	}
 
 	ctx := context.Background()

From c8bb0cb41725458bedb32f75750fb65b0407d7d5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Dec 2023 15:00:43 -0700
Subject: [PATCH 025/102] WIP: Yara Parser

To thoroughly test the parser, the process loads all the stored rules from the yara rules folder but does not attempt to sync them to elasticsearch. Also includes tests with hand crafted queries with "features" found in the community rules.

Currently the only error this should run across is a legitimate error in a source rule: https://github.com/Security-Onion-Solutions/securityonion-yara/blob/master/yara/cn_pentestset_webshells.yar#L744
---
 config/config.go                        |   4 +
 model/detection.go                      |   6 +-
 server/modules/modules.go               |   2 +
 server/modules/modules_test.go          |   1 +
 server/modules/strelka/strelka.go       | 174 ++++++++++
 server/modules/strelka/validate.go      | 331 +++++++++++++++++++
 server/modules/strelka/validate_test.go | 414 ++++++++++++++++++++++++
 7 files changed, 929 insertions(+), 3 deletions(-)
 create mode 100644 server/modules/strelka/strelka.go
 create mode 100644 server/modules/strelka/validate.go
 create mode 100644 server/modules/strelka/validate_test.go

diff --git a/config/config.go b/config/config.go
index 21b18350e..d6523bbfc 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,5 +59,9 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		"sigconverterUrl":                      "http://localhost:8000/sigma",
 	}
 
+	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
+		"yaraRulesFolder": "/tmp/socdev/so/conf/strelka/rules",
+	}
+
 	return cfg, err
 }
diff --git a/model/detection.go b/model/detection.go
index 0e3eef025..a72fa445c 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -41,7 +41,7 @@ const (
 	IDTypeSID  IDType = "sid"
 
 	EngineNameSuricata   EngineName = "suricata"
-	EngineNameYara       EngineName = "yara"
+	EngineNameStrelka       EngineName = "strelka"
 	EngineNameElastAlert EngineName = "elastalert"
 
 	OverrideTypeSuppress     OverrideType = "suppress"
@@ -58,8 +58,8 @@ var (
 			ScanType:    ScanTypePackets,
 			SigLanguage: SigLangSuricata,
 		},
-		EngineNameYara: {
-			Name:        string(EngineNameYara),
+		EngineNameStrelka: {
+			Name:        string(EngineNameStrelka),
 			IDType:      IDTypeUUID,
 			ScanType:    ScanTypeFiles,
 			SigLanguage: SigLangYara,
diff --git a/server/modules/modules.go b/server/modules/modules.go
index abb9ca71b..ce07a6892 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -20,6 +20,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/sostatus"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/statickeyauth"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/staticrbac"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/thehive"
 )
@@ -39,6 +40,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
 	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
 	moduleMap["elastalertengine"] = elastalert.NewElastAlertEngine(srv)
+	moduleMap["strelkaengine"] = strelka.NewStrelkaEngine(srv)
 
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index e4880a6f6..8387a0afc 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -27,6 +27,7 @@ func TestBuildModuleMap(t *testing.T) {
 	findModule(t, mm, "thehive")
 	findModule(t, mm, "suricataengine")
 	findModule(t, mm, "elastalertengine")
+	findModule(t, mm, "strelkaengine")
 }
 
 func findModule(t *testing.T, mm map[string]module.Module, module string) {
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
new file mode 100644
index 000000000..b6866957d
--- /dev/null
+++ b/server/modules/strelka/strelka.go
@@ -0,0 +1,174 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"context"
+	"io/fs"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+)
+
+type IOManager interface {
+	ReadFile(path string) ([]byte, error)
+	WriteFile(path string, contents []byte, perm fs.FileMode) error
+	DeleteFile(path string) error
+	ReadDir(path string) ([]os.DirEntry, error)
+	MakeRequest(*http.Request) (*http.Response, error)
+}
+
+type StrelkaEngine struct {
+	srv             *server.Server
+	isRunning       bool
+	thread          *sync.WaitGroup
+	yaraRulesFolder string
+	IOManager
+}
+
+func NewStrelkaEngine(srv *server.Server) *StrelkaEngine {
+	return &StrelkaEngine{
+		srv:       srv,
+		IOManager: &ResourceManager{},
+	}
+}
+
+func (e *StrelkaEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
+	e.thread = &sync.WaitGroup{}
+
+	e.yaraRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/conf/strelka/rules")
+
+	return nil
+}
+
+func (e *StrelkaEngine) Start() error {
+	e.srv.DetectionEngines[model.EngineNameStrelka] = e
+	e.isRunning = true
+
+	go e.startCommunityRuleImport()
+
+	return nil
+}
+
+func (e *StrelkaEngine) Stop() error {
+	e.isRunning = false
+
+	return nil
+}
+
+func (e *StrelkaEngine) IsRunning() bool {
+	return e.isRunning
+}
+
+func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
+	_, err := ParseYaraRules([]byte(data))
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}
+
+func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	return nil, nil
+}
+
+func (e *StrelkaEngine) startCommunityRuleImport() {
+	for e.isRunning {
+		time.Sleep(time.Second * 10)
+		if !e.isRunning {
+			break
+		}
+
+		start := time.Now()
+
+		files, err := e.ReadDir(e.yaraRulesFolder)
+		if err != nil {
+			log.WithError(err).Error("Failed to read yara rules folder")
+			continue
+		}
+
+		rules := []*YaraRule{}
+		errors := 0
+
+		for _, file := range files {
+			ext := filepath.Ext(file.Name())
+			if file.IsDir() || strings.ToLower(ext) != ".yar" {
+				continue
+			}
+
+			filename := e.yaraRulesFolder + "/" + file.Name()
+
+			raw, err := e.ReadFile(filename)
+			if err != nil {
+				log.WithError(err).WithField("file", filename).Error("failed to read yara rule file")
+				errors++
+
+				continue
+			}
+
+			parsed, err := ParseYaraRules(raw)
+			if err != nil {
+				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
+				errors++
+
+				continue
+			}
+
+			rules = append(rules, parsed...)
+		}
+
+		log.WithFields(log.Fields{
+			"files":  len(files),
+			"rules":  len(rules),
+			"errors": errors,
+			"exTime": time.Since(start).Seconds(),
+		}).Info("parsed yara community rules")
+
+		_, _ = e.syncCommunityDetections(context.Background(), nil)
+	}
+}
+
+func (e *StrelkaEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+	return nil, nil
+}
+
+// go install go.uber.org/mock/mockgen@latest
+//go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+
+type ResourceManager struct{}
+
+func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
+	return os.ReadFile(path)
+}
+
+func (_ *ResourceManager) WriteFile(path string, contents []byte, perm fs.FileMode) error {
+	return os.WriteFile(path, contents, perm)
+}
+
+func (_ *ResourceManager) DeleteFile(path string) error {
+	return os.Remove(path)
+}
+
+func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
+	return os.ReadDir(path)
+}
+
+func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	return http.DefaultClient.Do(req)
+}
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
new file mode 100644
index 000000000..e2a0f8b3c
--- /dev/null
+++ b/server/modules/strelka/validate.go
@@ -0,0 +1,331 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+type parseState int
+
+const (
+	parseStateImportsID parseState = iota
+	parseStateWatchForHeader
+	parseStateInSection
+)
+
+type YaraRule struct {
+	Imports    []string
+	Identifier string
+	Meta       Metadata
+	Strings    []string
+	Condition  string
+}
+
+type Metadata struct {
+	Author      *string
+	Date        *string
+	Version     *string
+	Reference   *string
+	Description *string
+	Rest        map[string]string
+}
+
+func (md *Metadata) IsEmpty() bool {
+	return md.Author == nil && md.Date == nil && md.Version == nil && md.Reference == nil && md.Description == nil && len(md.Rest) == 0
+}
+
+func (md *Metadata) Set(key, value string) {
+	key = strings.ToLower(key)
+	switch key {
+	case "author":
+		md.Author = util.Ptr(value)
+	case "date":
+		md.Date = util.Ptr(value)
+	case "version":
+		md.Version = util.Ptr(value)
+	case "reference":
+		md.Reference = util.Ptr(value)
+	case "description":
+		md.Description = util.Ptr(value)
+	default:
+		if md.Rest == nil {
+			md.Rest = make(map[string]string)
+		}
+		md.Rest[key] = value
+	}
+}
+
+func ParseYaraRules(data []byte) ([]*YaraRule, error) {
+	rules := []*YaraRule{}
+	rule := &YaraRule{}
+
+	state := parseStateImportsID
+
+	raw := string(data)
+	buffer := bytes.NewBuffer([]byte{})
+	last := ' '
+	curCommentType := ' ' // either '/' or '*' if in a comment, ' ' if not in comment
+	curHeader := ""       // meta, strings, condition, or empty if not yet in a section
+	curQuotes := ' '      // either ' or " if in a string, ' ' if not in a string
+
+	for i, r := range raw {
+		if r == '\r' {
+			continue
+		}
+		if (curCommentType == '*' && last == '*' && r == '/') ||
+			(curCommentType == '/' && r == '\n') {
+			curCommentType = ' '
+
+			if last == '*' {
+				last = r
+				continue
+			}
+		}
+
+		if last == '/' && curQuotes == ' ' && curCommentType == ' ' {
+			if r == '/' {
+				curCommentType = '/'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			} else if r == '*' {
+				curCommentType = '*'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			}
+		}
+
+		if curCommentType != ' ' {
+			// in a comment, skip everything
+			last = r
+			continue
+		}
+
+	reevaluateState:
+		switch state {
+		case parseStateImportsID:
+			switch r {
+			case '\n':
+				// is this an import?
+				buf := buffer.String() // expected: `import "foo"`
+				if strings.HasPrefix(buf, "import ") {
+					buf = strings.TrimSpace(strings.TrimPrefix(buf, "import "))
+					buf = strings.Trim(buf, `"`)
+
+					rule.Imports = append(rule.Imports, buf)
+
+					buffer.Reset()
+				}
+			case '{':
+				buf := strings.TrimSpace(buffer.String()) // expected: `rule foo {` or `rule foo\n{`
+				buf = strings.TrimSpace(strings.TrimPrefix(buf, "rule"))
+
+				if strings.Contains(buf, ":") {
+					// gets rid of inheritance?
+					// rule This : That {...} becomes "This"
+					parts := strings.SplitN(buf, ":", 2)
+					buf = strings.TrimSpace(parts[0])
+				}
+
+				if buf != "" {
+					rule.Identifier = buf
+				} else {
+					return nil, errors.New(fmt.Sprintf("expected rule identifier at %d", i))
+				}
+
+				buffer.Reset()
+
+				state = parseStateWatchForHeader
+			default:
+				buffer.WriteRune(r)
+			}
+		case parseStateWatchForHeader:
+			buf := strings.TrimSpace(buffer.String())
+			if r == '\n' && len(buf) != 0 && buf[len(buf)-1] == ':' {
+				curHeader = strings.ToLower(strings.TrimSpace(strings.TrimSuffix(buf, ":")))
+				buffer.Reset()
+
+				if curHeader != "meta" &&
+					curHeader != "strings" &&
+					curHeader != "condition" {
+					return nil, errors.New(fmt.Sprintf("unexpected header at %d: %s", i, curHeader))
+				}
+
+				state = parseStateInSection
+			} else {
+				buffer.WriteRune(r)
+			}
+		case parseStateInSection:
+			if r == '\n' {
+				buf := strings.TrimSpace(buffer.String())
+				if len(buf) != 0 && buf[len(buf)-1] == ':' && !strings.HasPrefix(buf, "for ") {
+					// found a header, new section
+					state = parseStateWatchForHeader
+					goto reevaluateState
+				} else {
+					if buf != "" {
+						switch curHeader {
+						case "meta":
+							parts := strings.SplitN(buf, "=", 2)
+							if len(parts) != 2 {
+								return nil, errors.New(fmt.Sprintf("invalid meta line at %d: %s", i, buf))
+							}
+
+							key := strings.TrimSpace(parts[0])
+							value := strings.TrimSpace(parts[1])
+
+							rule.Meta.Set(key, value)
+						case "strings":
+							rule.Strings = append(rule.Strings, buf)
+						case "condition":
+							rule.Condition = strings.TrimSpace(rule.Condition + " " + buf)
+						}
+					}
+
+					buffer.Reset()
+				}
+			} else if r == '}' && len(strings.TrimSpace(buffer.String())) == 0 && curQuotes != '}' {
+				// end of rule
+				rules = append(rules, rule)
+				imports := rule.Imports
+				buffer.Reset()
+
+				state = parseStateImportsID
+				curHeader = ""
+				curQuotes = ' '
+				rule = &YaraRule{}
+
+				if len(imports) > 0 {
+					rule.Imports = append([]string{}, imports...)
+				}
+			} else {
+				buffer.WriteRune(r)
+				if (r == '\'' || r == '"' || r == '{') && last != '\\' && curQuotes == ' ' {
+					// starting a string
+					if r == '{' {
+						curQuotes = '}'
+					} else {
+						curQuotes = r
+					}
+				} else if curQuotes != ' ' && r == curQuotes && last != '\\' {
+					// ending a string
+					curQuotes = ' '
+				}
+			}
+		}
+
+		if r == '\\' && last == '\\' && curQuotes != ' ' {
+			// this is an escaped slash in the middle of a string,
+			// so we need to remove the previous slash so it's not
+			// mistaken for an escape character in case this is the
+			// last character in the string
+			last = ' '
+		} else {
+			last = r
+		}
+	}
+
+	if state != parseStateImportsID || len(strings.TrimSpace(buffer.String())) != 0 {
+		return nil, errors.New("unexpected end of rule")
+	}
+
+	return rules, nil
+}
+
+func (r *YaraRule) String() string {
+	buffer := bytes.NewBuffer([]byte{})
+
+	// imports
+	for _, i := range r.Imports {
+		line := fmt.Sprintf("import \"%s\"\n", i)
+		buffer.WriteString(line)
+	}
+
+	if len(r.Imports) > 0 {
+		buffer.WriteString("\n")
+	}
+
+	// identifier
+	buffer.WriteString(fmt.Sprintf("rule %s {\n", r.Identifier))
+
+	// meta
+	if !r.Meta.IsEmpty() {
+		buffer.WriteString("\tmeta:\n")
+
+		if r.Meta.Author != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tauthor = %s\n", *r.Meta.Author))
+		}
+
+		if r.Meta.Date != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tdate = %s\n", *r.Meta.Date))
+		}
+
+		if r.Meta.Version != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tversion = %s\n", *r.Meta.Version))
+		}
+
+		if r.Meta.Reference != nil {
+			buffer.WriteString(fmt.Sprintf("\t\treference = %s\n", *r.Meta.Reference))
+		}
+
+		if r.Meta.Description != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tdescription = %s\n", *r.Meta.Description))
+		}
+
+		keys := []string{}
+		for k := range r.Meta.Rest {
+			keys = append(keys, k)
+		}
+
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			buffer.WriteString(fmt.Sprintf("\t\t%s = %s\n", k, r.Meta.Rest[k]))
+		}
+
+		buffer.WriteString("\n")
+	}
+
+	// strings
+	if len(r.Strings) > 0 {
+		buffer.WriteString("\tstrings:\n")
+
+		for _, s := range r.Strings {
+			buffer.WriteString(fmt.Sprintf("\t\t%s\n", s))
+		}
+	}
+
+	// condition and closing bracket
+	buffer.WriteString(fmt.Sprintf("\n\tcondition:\n\t\t%s\n}", r.Condition))
+
+	return buffer.String()
+}
+
+func (r *YaraRule) Validate() error {
+	missing := []string{}
+
+	if r.Identifier == "" {
+		missing = append(missing, "identifier")
+	}
+
+	if r.Condition == "" {
+		missing = append(missing, "condition")
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("missing required fields: %s", strings.Join(missing, ", "))
+	}
+
+	return nil
+}
diff --git a/server/modules/strelka/validate_test.go b/server/modules/strelka/validate_test.go
new file mode 100644
index 000000000..4439afd4c
--- /dev/null
+++ b/server/modules/strelka/validate_test.go
@@ -0,0 +1,414 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/stretchr/testify/assert"
+)
+
+const BasicRule = `rule ExampleRule
+{
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const BasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		mY_iDeNtIfIeR_2 = 24
+		MY_IDENTIFIER_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NormalizedBasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		my_identifier_2 = 24
+		my_identifier_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const RegexRule = `rule RegExpExample1
+{
+	strings:
+		$re1 = /md5: [0-9a-fA-F]{32}/
+		$re2 = /state: (on|off)/
+
+	condition:
+		$re1 and $re2
+}`
+
+const ImportRule = `import "pe"
+
+rule Test
+{
+    strings:
+        $a = "some string"
+
+    condition:
+        $a and pe.entry_point == 0x1000
+}`
+
+const UnexpectedHeader = `rule ExampleRule
+{
+	extra:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const RuleWithComments = `rule ExampleRule
+{
+	/*
+		Multiline comment
+	*/
+	strings:
+		$my_text_string = "text here"
+		// $my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NoIdentifier = `rule {}`
+
+const BadMeta = `rule ExampleRule
+{
+	meta:
+		copyrighted
+		author = "Some Guy"
+}`
+
+const WeirdRule = `import "pe"
+
+rule ExampleRule : FILE
+{` + "\r\n" + `
+strings:
+$my_text_string = "text here"
+$my_hex_string = { E2 34 A1 C8 23 FB }
+$badslashes = "\\var\\www\\html\\"
+$multilinehex = {
+46 DC EA D3 17 FE 45 D8 09 23
+EB 97 E4 95 64 10 D4 CD B2 C2
+}
+condition : // comment
+$my_text_string or $my_hex_string
+}`
+
+func TestMetaSet(t *testing.T) {
+	t.Parallel()
+
+	meta := Metadata{}
+	assert.True(t, meta.IsEmpty())
+
+	meta.Set("author", "John Doe")
+
+	assert.Equal(t, "John Doe", *meta.Author)
+	assert.False(t, meta.IsEmpty())
+
+	meta.Author = nil
+
+	assert.True(t, meta.IsEmpty())
+
+	meta.Set("date", "2023-12-27")
+	meta.Set("version", "1.0")
+	meta.Set("reference", "http://somewhere.invalid")
+	meta.Set("description", "Example Rule")
+	meta.Set("my_identifier_1", "Some string data")
+
+	assert.Nil(t, meta.Author)
+	assert.Equal(t, "2023-12-27", *meta.Date)
+	assert.Equal(t, "1.0", *meta.Version)
+	assert.Equal(t, "http://somewhere.invalid", *meta.Reference)
+	assert.Equal(t, "Example Rule", *meta.Description)
+	assert.Equal(t, "Some string data", meta.Rest["my_identifier_1"])
+	assert.False(t, meta.IsEmpty())
+}
+
+func TestParseRule(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name          string
+		Input         string
+		ExpectedRules []*YaraRule
+		ExpectedError *string
+	}{
+		{
+			Name:  "Basic Rule",
+			Input: BasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Basic Rule With Metadata",
+			Input: BasicRuleWMeta,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "MetadataExample",
+					Meta: Metadata{
+						Author:      util.Ptr(`"John Doe"`),
+						Date:        util.Ptr(`"2023-12-27"`),
+						Version:     util.Ptr(`"1.0"`),
+						Reference:   util.Ptr(`"http://somewhere.invalid"`),
+						Description: util.Ptr(`"Example Rule"`),
+						Rest: map[string]string{
+							"my_identifier_1": "\"Some string data\"",
+							"my_identifier_2": "24",
+							"my_identifier_3": "true",
+						},
+					},
+					Strings: []string{
+						"$my_text_string = \"text here\"",
+						"$my_hex_string = { E2 34 A1 C8 23 FB }",
+					},
+					Condition: "$my_text_string or $my_hex_string",
+				},
+			},
+		},
+		{
+			Name:  "Rule With Regex",
+			Input: RegexRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "RegExpExample1",
+					Strings: []string{
+						"$re1 = /md5: [0-9a-fA-F]{32}/",
+						"$re2 = /state: (on|off)/",
+					},
+					Condition: "$re1 and $re2",
+				},
+			},
+		},
+		{
+			Name:  "Rule With Import",
+			Input: ImportRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "Test",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+				},
+			},
+		},
+		{
+			Name:          "Rule With Unexpected Header",
+			Input:         UnexpectedHeader,
+			ExpectedError: util.Ptr(`unexpected header at 26: extra`),
+		},
+		{
+			Name:  "Basic Rule With Comments",
+			Input: RuleWithComments,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Multiple Rules",
+			Input: ImportRule + "\n\n" + BasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "Test",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+				},
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Rule With Oddities",
+			Input: WeirdRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+						`$badslashes = "\\var\\www\\html\\"`,
+						`$multilinehex = {`,
+						`46 DC EA D3 17 FE 45 D8 09 23`,
+						`EB 97 E4 95 64 10 D4 CD B2 C2`,
+						`}`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:          "Missing Identifier",
+			Input:         NoIdentifier,
+			ExpectedError: util.Ptr("expected rule identifier at 5"),
+		},
+		{
+			Name:          "Invalid Metadata",
+			Input:         BadMeta,
+			ExpectedError: util.Ptr("invalid meta line at 39: copyrighted"),
+		},
+		{
+			Name:          "Unexpected End Of Rule",
+			Input:         BasicRule[:len(BasicRule)-1],
+			ExpectedError: util.Ptr("unexpected end of rule"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			rules, err := ParseYaraRules([]byte(test.Input))
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+				assert.NotNil(t, rules)
+
+				assert.Equal(t, test.ExpectedRules, rules)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpectedError, err.Error())
+
+				assert.Empty(t, rules)
+			}
+		})
+	}
+}
+
+func TestRuleString(t *testing.T) {
+	rules, err := ParseYaraRules([]byte(BasicRuleWMeta))
+	assert.NoError(t, err)
+	assert.NotEmpty(t, rules)
+
+	raw := rules[0].String()
+	fmt.Println(raw)
+	assert.Equal(t, NormalizedBasicRuleWMeta, raw)
+}
+
+func TestValidate(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name string
+		Rule *YaraRule
+		Err  *string
+	}{
+		{
+			Name: "Minimally Valid Rule",
+			Rule: &YaraRule{
+				Identifier: "ExampleRule",
+				Condition:  "false",
+			},
+		},
+		{
+			Name: "Missing Identifier",
+			Rule: &YaraRule{
+				Condition: "false",
+			},
+			Err: util.Ptr("missing required fields: identifier"),
+		},
+		{
+			Name: "Missing Condition",
+			Rule: &YaraRule{
+				Identifier: "ExampleRule",
+			},
+			Err: util.Ptr("missing required fields: condition"),
+		},
+		{
+			Name: "Missing Multiple Fields",
+			Rule: &YaraRule{},
+			Err:  util.Ptr("missing required fields: identifier, condition"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			err := test.Rule.Validate()
+			if test.Err == nil {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.Err, err.Error())
+			}
+		})
+	}
+}

From 3c8f6285a866fd4fc9b5d59263fffdeec316c9e2 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 11 Jan 2024 15:22:18 -0700
Subject: [PATCH 026/102] WIP: Bulk Actions, Removal of Date Range from
 Detections Search

Detections can now be selected for bulk actions. The Select All checkbox toggles between selecting the entire current page and clearing all selection. If the current page is selected, a prompt to select ALL of the results becomes available. Currently the only actions that can be taken are the enabling or disabling of selected detections.

If picking individual IDs, then those IDs are sent up to the API to be modified. If ALL are selected, then the query is sent and detections matching the query will be modified.

A few component tests were added to hunt.test.js testing the SelectAll logic. Cypress tests will be added later.

UpdateDetectionField has been updated to update a detection field (i.e. without having the entire object) faster. Also should no longer be limited to one field although the functionality is not tested or implemented.

The ElasticDetectionstore now gets an ElasticSearch client passed into it so actions don't have to be run against Eventstore.

An error was fixed in the suricata parser. Better care is taken around modifying settings files that may be empty.

Settings' validator that used to check for Jinja now checks for opening AND closing jinja tags to prevent accidental false positives such as the suricata rule that contained `{%` in a URL.
---
 html/css/app.css                              |  34 +++++
 html/index.html                               |  50 +++++--
 html/js/i18n.js                               |   6 +
 html/js/routes/hunt.js                        | 141 +++++++++++++++++-
 html/js/routes/hunt.test.js                   |  98 ++++++++++++
 server/detectionhandler.go                    | 108 ++++++++++----
 server/detectionstore.go                      |   3 +-
 server/modules/elastic/elastic.go             |   2 +-
 .../modules/elastic/elasticdetectionstore.go  |  87 +++++++----
 server/modules/strelka/strelka.go             |   4 +-
 server/modules/suricata/suricata.go           |   9 +-
 server/modules/suricata/validate.go           |   1 -
 syntax/validator.go                           |   4 +-
 13 files changed, 471 insertions(+), 76 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 39b4325f9..f5b017f32 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -499,3 +499,37 @@ td {
 .theme--light .resolved-host {
   color: rgba(0, 0, 0, 0.5);
 }
+
+.multiselect-container {
+  width: 100%;
+  position: relative;
+  display: flex;
+  justify-content: flex-start;
+}
+
+#multiselect-checkbox {
+  display: inline-block;
+  position: absolute;
+  left: 50%;
+  transform: translateX(-50%);
+}
+
+.detection-selection {
+  display: inline-block;
+  vertical-align: sub;
+}
+
+.selection-counter {
+  margin-left: auto;
+  padding-right: 12px;
+}
+
+.bulk-actions {
+  display: inline-block;
+  max-width: 100px;
+  margin: 0 4px;
+}
+
+.detection-hunt-btn {
+  margin-top: 20px;
+}
diff --git a/html/index.html b/html/index.html
index 4c9bb3ca4..5c1f0e0a9 100644
--- a/html/index.html
+++ b/html/index.html
@@ -379,7 +379,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
           </v-col>
         </v-row>
         <v-row align="start">
-          <v-col cols="12" md="7">
+          <v-col cols="12" :md="isCategory('detections') ? 10 : 7">
             <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @change="notifyInputsChanged" class="mx-2" v-model="$data[isAdvanced() ? 'query' : 'queryName']" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="hunt" id="hunt-query-input">
               <template v-slot:prepend-inner>
                 <v-menu dense bottom three-line offset-y>
@@ -422,8 +422,8 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
               </template>
             </v-textarea>
           </v-col>
-          <v-col cols="12" md="5" class="d-flex flex-nowrap align-center">
-            <v-text-field :disabled="loading()" v-if="relativeTimeEnabled" id="huntrelativetimevalue" @change="notifyInputsChanged" class="mx-2"
+          <v-col cols="12" :md="isCategory('detections') ? 2 : 5" class="d-flex flex-nowrap align-center">
+            <v-text-field :disabled="loading()" v-if="relativeTimeEnabled && !isCategory('detections')" id="huntrelativetimevalue" @change="notifyInputsChanged" class="mx-2"
                 v-model="relativeTimeValue" :hint="i18n.relativeTimeHelp" persistent-hint="true" type="number">
               <template v-slot:prepend>
                 <v-btn v-if="relativeTimeEnabled" icon x-small @click="showAbsoluteTime" id="show-absolute-time">
@@ -438,7 +438,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                   v-model="relativeTimeUnit" :items="relativeTimeUnits"></v-select>
               </template>
             </v-text-field>
-            <v-text-field :disabled="loading()" v-if="!relativeTimeEnabled" id="huntdaterange" @change="notifyInputsChanged" class="mx-2"
+            <v-text-field :disabled="loading()" v-if="!relativeTimeEnabled && !isCategory('detections')" id="huntdaterange" @change="notifyInputsChanged" class="mx-2"
               v-model="dateRange" :hint="i18n.timePickerHelp" persistent-hint="true"
               prepend-inner-icon="fa-angle-down" @click:prepend-inner="showDateRangePicker">
               <template v-slot:prepend>
@@ -447,7 +447,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                 </v-btn>
               </template>
             </v-text-field>
-            <v-btn id="hunt" :disabled="loading()" :color="huntPending ? 'light-green accent-4' : (autoRefreshInterval ? 'secondary' : 'primary')" @click.stop="hunt">
+            <v-btn id="hunt" :class="isCategory('detections') ? 'detection-hunt-btn' : ''" :disabled="loading()" :color="huntPending ? 'light-green accent-4' : (autoRefreshInterval ? 'secondary' : 'primary')" @click.stop="hunt">
               <span v-if="isCategory('hunt')" class="d-sm-none d-lg-inline pr-2" v-text="i18n.hunt"></span>
               <span v-if="!isCategory('hunt')" class="d-sm-none d-lg-inline pr-2" v-text="i18n.refresh"></span>
               <v-icon v-if="isCategory('hunt') && !autoRefreshInterval">fa-crosshairs</v-icon>
@@ -631,10 +631,10 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
           <v-expand-transition>
             <v-row v-if="isExpandedSection('hunt-events')">
               <v-col cols="12">
-                <v-data-table :search="eventFilter" :sort-by.sync="sortBy" item-key="soc_id" :expanded.sync="expanded" :sort-desc.sync="sortDesc" :footer-props="footerProps"
-                  :items-per-page.sync="itemsPerPage" must-sort :headers="eventHeaders" :items="eventData" show-expand :page.sync="eventPage" :custom-sort="sortEvents">
-                  <template v-slot:top v-if="isAdvanced()">
-                    <v-container fluid>
+                <v-data-table ref="eventTable" :search="eventFilter" :sort-by.sync="sortBy" item-key="soc_id" :expanded.sync="expanded" :sort-desc.sync="sortDesc" :footer-props="footerProps"
+                  :items-per-page.sync="itemsPerPage" must-sort :headers="eventHeaders" :items="eventData" :page.sync="eventPage" show-select :custom-sort="sortEvents">
+                  <template v-slot:top>
+                    <v-container v-if="isAdvanced()" fluid>
                       <v-row>
                         <v-col cols="4"></v-col>
                         <v-col cols="2">
@@ -645,6 +645,36 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                         </v-col>
                       </v-row>
                     </v-container>
+                    <v-container v-if="isCategory('detections') && selectAllState !== false">
+                      <div>
+                          {{ i18n.selected }} {{ (selectAllState === true ? totalEvents : selectedCount).toLocaleString() }}
+                        <span class="ml-2" v-if="selectAllState === 'indeterminate' && isPageSelected() && totalEvents >= itemsPerPage">
+                          {{ i18n.selectAll.replaceAll('[[count]]', totalEvents.toLocaleString()) }}
+                          <v-btn @click="selectAllEvents(true, true)">
+                            {{ i18n.yes }}
+                          </v-btn>
+                        </span>
+                      </div>
+
+                      <span>
+                        {{ i18n.bulkAction }}
+                        <v-select class="bulk-actions" :disabled="loading()" v-model="selectedAction" :items="bulkActions"></v-select>
+                        <v-btn :disabled="selectAllState === false" @click="bulkAction()">{{ i18n.go }}</v-btn>
+                      </span>
+                    </v-container>
+
+                  </template>
+                  <template v-if="isMultiSelect()" v-slot:header.data-table-select="{ on, props }">
+                    <div class="multiselect-container">
+                      <v-simple-checkbox id="multiselect-checkbox"
+                        color="blue"
+                        v-bind="props"
+                        v-on="on"
+                        :indeterminate="selectAllState === 'indeterminate'"
+                        :value="selectAllState"
+                        @click="toggleSelectAll()"
+                      ></v-simple-checkbox>
+                    </div>
                   </template>
                   <template v-for="(header, headerIdx) in eventHeaders" v-slot:["header." + header.value]="{ props }">
                     <span :id="'col_' + header.value">
@@ -683,6 +713,8 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
+                        <v-checkbox class="detection-selection" @change="updateBulkSelector(item)" v-if="isMultiSelect()" v-model="item._isSelected">
+                        </v-checkbox>
                         <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'cases'">
                           <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
                         </router-link>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 9e01eb118..0a6afd919 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -110,6 +110,7 @@ const i18n = {
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       betweenOp: 'Between',
       blog: 'Blog',
+      bulkAction: 'Bulk Action:',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -264,6 +265,7 @@ const i18n = {
       detectionEnabled: 'Enabled',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
+      disable: 'Disable',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -287,6 +289,7 @@ const i18n = {
       email: 'Email Address',
       emailHelp: 'Specify a valid email address. Contact your administrator for new account creation.',
       emailRequired: 'An email address must be specified.',
+      enable: 'Enable',
       enabled: 'Enabled',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
@@ -362,6 +365,7 @@ const i18n = {
       flags: 'Flags',
       gigabytes: 'GB',
       generate: 'Generate',
+      go: 'GO',
       graphs: 'Graphs',
       grid: 'Grid',
       gridEps: 'Grid EPS:',
@@ -624,6 +628,8 @@ const i18n = {
       security: 'Security',
       securityInstructions: 'You may be prompted to login again when updating your security settings. If submitting a new password, you will need to verify your identity first with the old password. This is a security measure to protect your account.',
       securityInstructionsTotp: 'IMPORTANT: If you changed your password recently you must logout and login again with the new password before attempting to activate TOTP. Failure to relogin will result in the TOTP validation failing. If this occurs you will need to remove the TOTP code from your authenticator app, login to SOC with the new password, and then activate TOTP again.',
+      selected: 'Selected: ',
+      selectAll: 'Would you like to select all [[count]] events?',
       sensor: 'Sensor',
       sensorId: 'Sensor ID',
       sensorIdRequired: 'The Sensor ID must be entered before adding a new job.',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 321f515ed..76d8b9f07 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -140,6 +140,13 @@ const huntComponent = {
     mruCases: [],
     selectedMruCase: null,
     disableRouteLoad: false,
+    selectAllState: false,
+    selectedCount: 0,
+    selectedAction: 'enable',
+    bulkActions: [
+      { text: this.$root.i18n.enable, value: 'enable' },
+      { text: this.$root.i18n.disable, value: 'disable' },
+    ],
   }},
   created() {
     this.$root.initializeCharts();
@@ -1305,6 +1312,7 @@ const huntComponent = {
       if (events != null && events.length > 0) {
         let batch = [];
 
+        const multiSelect = this.isMultiSelect();
         events.forEach(function(event, index) {
           var record = event.payload;
           record.soc_id = event.id;
@@ -1313,6 +1321,11 @@ const huntComponent = {
           record.soc_timestamp = event.timestamp;
           record.soc_source = event.source;
           route.lookupSocIds(record);
+
+          if (multiSelect) {
+            record._isSelected = false;
+          }
+
           records.push(record);
 
           for (const key in record) {
@@ -1428,13 +1441,13 @@ const huntComponent = {
     removeColumnHeader(field) {
       this.populateQueryTableFields();
       this.queryTableFields = this.queryTableFields.filter(item => item != field);
-      
+
       // do not revert back to the predefined headers if this was the last column that was just removed. Otherwise
       // users would get frustrated if they're trying to remove all the columns to then add their own.
       this.repopulateEventHeaders(); // no defaults fields provided
     },
     isColumnHeader(field) {
-      return this.eventHeaders.find((item) => { 
+      return this.eventHeaders.find((item) => {
         if (item.value == field) {
           return true;
         }
@@ -1563,11 +1576,19 @@ const huntComponent = {
     isExpanded(item) {
       return (this.expanded.length > 0 && this.expanded[0] == item);
     },
+    isMultiSelect() {
+      return this.isCategory('detections');
+    },
     getExpandedData() {
       var records = []
       if (this.expanded.length > 0) {
         var data = this.expanded[0];
         for (key in data) {
+          if (key === '_isSelected') {
+            // Should we exclude all fields beginning with an underscore?
+            continue;
+          }
+
           var record = {};
           record.key = key;
           record.value = data[key];
@@ -2107,8 +2128,120 @@ const huntComponent = {
 
       window.open(url, target);
     },
-    print(x) {
-      console.log(x);
+    updateBulkSelector(item) {
+      if (item._isSelected) {
+        this.selectedCount = Math.min(this.selectedCount + 1, this.totalEvents);
+      } else {
+        this.selectedCount = Math.max(this.selectedCount - 1, 0);
+      }
+
+      switch (this.selectedCount) {
+        case 0:
+          this.selectAllState = false;
+          break;
+        case this.totalEvents:
+          this.selectAllState = true;
+          break;
+        default:
+          this.selectAllState = 'indeterminate';
+          break;
+      }
+    },
+    toggleSelectAll() {
+      switch (this.selectAllState) {
+        case 'indeterminate':
+          this.selectAllState = false;
+          this.selectAllEvents(false);
+          this.selectedCount = 0;
+          break;
+        case false:
+          this.selectAllState = 'indeterminate';
+          this.selectCurrentPage(true);
+          break;
+        case true:
+          this.selectAllState = false;
+          this.selectAllEvents(false);
+          break;
+      }
+    },
+    selectAllEvents(selection = true, ALL = false) {
+      for (let i = 0; i < this.eventData.length; i++) {
+        if (this.eventData[i]._isSelected !== selection) {
+          this.eventData[i]._isSelected = selection;
+          if (selection) {
+            this.selectedCount++;
+          } else {
+            this.selectedCount--;
+          }
+        }
+      }
+
+      this.selectedCount = Math.max(Math.min(this.selectedCount, this.totalEvents), 0);
+
+      if (ALL && selection) {
+        this.selectAllState = true;
+      }
+    },
+    selectCurrentPage(selection = true) {
+      this.$refs.eventTable._data.internalCurrentItems.forEach((item) => {
+        if (item._isSelected !== selection) {
+          item._isSelected = selection;
+          if (selection) {
+            this.selectedCount++;
+          } else {
+            this.selectedCount--;
+          }
+        }
+      });
+
+      this.selectedCount = Math.max(Math.min(this.selectedCount, this.totalEvents), 0);
+    },
+    isPageSelected() {
+      return this.$refs.eventTable._data.internalCurrentItems.every((item) => item._isSelected);
+    },
+    countSelected() {
+      let count = 0;
+      for (let i = 0; i < this.eventData.length; i++) {
+        if (this.eventData[i]._isSelected) {
+          count++;
+        }
+      }
+
+      this.selectedCount = count;
+    },
+    async bulkAction() {
+      this.$root.startLoading();
+
+      let payload = {};
+
+      switch (this.selectAllState) {
+        case true:
+          payload.query = this.query;
+          break;
+        case 'indeterminate':
+          let ids = [];
+          for (let i = 0; i < this.eventData.length; i++) {
+            if (this.eventData[i]._isSelected) {
+              ids.push(this.eventData[i].soc_id);
+            }
+          }
+
+          payload.ids = ids;
+          break;
+      }
+
+      try {
+        const response = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+
+        this.selectAllState = false;
+        this.selectedCount = 0;
+
+        this.hunt(false);
+      } catch (e) {
+        this.$root.handleError(e);
+      }
+
+      this.$root.stopLoading();
     }
   }
 };
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 1028639e1..a9412ff6f 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1093,3 +1093,101 @@ test('moveColumnHeader', () => {
   // double check that repopulateEventHeaders was invoked
   expect(comp.eventHeaders).toStrictEqual([{"text":"x", "value":"x"},{"text":"y", "value":"y"},{"text":"z", "value": "z"}]);
 });
+
+test('updateBulkSelector', () => {
+  const selected = { _isSelected: true };
+  const unselected = { _isSelected: false };
+
+  comp.totalEvents = 2;
+
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.selectAllState).toBe(false);
+
+  comp.updateBulkSelector(selected);
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.selectAllState).toBe('indeterminate');
+
+  comp.updateBulkSelector(selected);
+
+  expect(comp.selectedCount).toBe(2);
+  expect(comp.selectAllState).toBe(true);
+
+  comp.updateBulkSelector(unselected);
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.selectAllState).toBe('indeterminate');
+
+  comp.updateBulkSelector(unselected);
+
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.selectAllState).toBe(false);
+});
+
+test('toggleSelectAll', () => {
+  comp.totalEvents = 11;
+  comp.eventData = [];
+  comp.$refs = {
+    eventTable: {
+      _data: {
+        internalCurrentItems: []
+      }
+    }
+  };
+
+  for (let i = 0; i < comp.totalEvents; i++) {
+    let obj = { _isSelected: i === 0 };
+    comp.eventData.push(obj);
+    if (comp.$refs.eventTable._data.internalCurrentItems.length < 10) {
+      comp.$refs.eventTable._data.internalCurrentItems.push(obj);
+    }
+  }
+
+  comp.selectAllState = 'indeterminate';
+  comp.countSelected();
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.isPageSelected()).toBe(false);
+
+  // the comp has 11 eventData, the first 10 are in the eventTable's internalCurrentItems
+  // eventData[0] is the only one selected
+
+  // some selected => none selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.eventData[0]._isSelected).toBe(false);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.isPageSelected()).toBe(false);
+
+  // none selected => page selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe('indeterminate');
+  expect(comp.selectedCount).toBe(10);
+  expect(comp.eventData[10]._isSelected).toBe(false);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(10);
+  expect(comp.isPageSelected()).toBe(true);
+
+  // page selected => all selected
+  comp.selectAllEvents(true, true);
+
+  expect(comp.selectAllState).toBe(true);
+  expect(comp.selectedCount).toBe(11);
+  expect(comp.eventData[10]._isSelected).toBe(true);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(11);
+  expect(comp.isPageSelected()).toBe(true);
+
+  // all selected => none selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.isPageSelected()).toBe(false);
+});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 6d0f85748..45212232a 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/apex/log"
@@ -258,8 +259,13 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	body := []string{}
-	err := web.ReadJson(r, body)
+	type BulkOp struct {
+		IDs   []string `json:"ids"`
+		Query *string  `json:"query"`
+	}
+
+	body := BulkOp{}
+	err := web.ReadJson(r, &body)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
@@ -267,43 +273,95 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 	IDs := map[string]struct{}{}
 
-	for _, id := range body {
+	for _, id := range body.IDs {
 		IDs[id] = struct{}{}
 	}
 
-	errMap := map[string]string{} // map[id]error
-	modified := []*model.Detection{}
+	if body.Query != nil {
+		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
 
-	for id := range IDs {
-		det, mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		results, err := h.server.Detectionstore.Query(ctx, query, -1)
 		if err != nil {
-			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
-			continue
+			web.Respond(w, r, http.StatusInternalServerError, err)
+			return
 		}
-
-		if mod {
-			modified = append(modified, det)
+		for _, d := range results {
+			det := d.(*model.Detection)
+			id := det.Id
+			IDs[id] = struct{}{}
 		}
 	}
 
-	if len(modified) != 0 {
-		addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
-		if err != nil {
-			web.Respond(w, r, http.StatusInternalServerError, err)
-			return
-		}
+	log.WithField("count", len(IDs)).Info("bulk update ID count")
+
+	errMap := map[string]string{} // map[id]error
+	modified := make([]*model.Detection, 0, len(IDs))
+
+	start := time.Now()
+
+	c := make(chan string, 100)
+	mMod := &sync.Mutex{}
+	mErr := &sync.Mutex{}
+	wg := sync.WaitGroup{}
+
+	for i := 0; i < 2; i++ {
+		wg.Add(1)
+
+		go func() {
+			for id := range c {
+				mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": enabled})
+				if err != nil {
+					mErr.Lock()
+					errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+					mErr.Unlock()
 
-		// merge error maps
-		for k, v := range addErrMap {
-			origK, hasK := errMap[k]
-			if hasK {
-				errMap[k] = fmt.Sprintf("%s; %s", origK, v)
-			} else {
-				errMap[k] = v
+					continue
+				}
+
+				mMod.Lock()
+				modified = append(modified, mod)
+				mMod.Unlock()
 			}
+
+			wg.Done()
+		}()
+	}
+
+	for id := range IDs {
+		c <- id
+	}
+	close(c)
+
+	wg.Wait()
+
+	update := time.Since(start)
+	start = time.Now()
+
+	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	sync := time.Since(start)
+
+	// merge error maps
+	for k, v := range addErrMap {
+		origK, hasK := errMap[k]
+		if hasK {
+			errMap[k] = fmt.Sprintf("%s; %s", origK, v)
+		} else {
+			errMap[k] = v
 		}
 	}
 
+	log.WithFields(log.Fields{
+		"updateTime":    update.Seconds(),
+		"syncTime":      sync.Seconds(),
+		"modifiedCount": len(modified),
+		"errorCount":    len(errMap),
+	}).Info("bulk update detection")
+
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 92f1c0533..ad168a3a5 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -16,7 +16,8 @@ type Detectionstore interface {
 	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 }
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index f3f9ce36b..8f4eb704a 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -100,7 +100,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
 				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
-				detstore := NewElasticDetectionstore(elastic.server)
+				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient)
 
 				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
 				if err == nil {
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index c59044b35..67ce910a3 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -7,6 +7,7 @@ package elastic
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"regexp"
@@ -15,6 +16,8 @@ import (
 	"time"
 
 	"github.com/apex/log"
+	"github.com/elastic/go-elasticsearch/v8"
+	"github.com/elastic/go-elasticsearch/v8/esapi"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -22,15 +25,17 @@ import (
 
 type ElasticDetectionstore struct {
 	server          *server.Server
+	esClient        *elasticsearch.Client
 	index           string
 	auditIndex      string
 	maxAssociations int
 	schemaPrefix    string
 }
 
-func NewElasticDetectionstore(srv *server.Server) *ElasticDetectionstore {
+func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client) *ElasticDetectionstore {
 	return &ElasticDetectionstore{
-		server: srv,
+		server:   srv,
+		esClient: client,
 	}
 }
 
@@ -174,7 +179,7 @@ func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{},
 func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
 	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
 
-	objects, err := store.getAll(ctx, query, 1)
+	objects, err := store.Query(ctx, query, 1)
 	if err == nil {
 		if len(objects) > 0 {
 			return objects[0], err
@@ -186,7 +191,7 @@ func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind str
 	return nil, err
 }
 
-func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max int) ([]interface{}, error) {
 	var err error
 	var objects []interface{}
 
@@ -348,43 +353,65 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 	return store.GetDetection(ctx, results.DocumentId)
 }
 
-func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
-	var modified bool
-
-	detect, err := store.GetDetection(ctx, id)
-	if err != nil {
-		return nil, false, err
+func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error) {
+	if len(fields) == 0 {
+		return nil, errors.New("no fields to update")
 	}
 
-	switch strings.ToLower(field) {
-	case "isenabled":
-		bVal, ok := value.(bool)
-		if !ok {
-			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
-		}
+	unQtemplate := `ctx._source.%s=%v`
+	Qtemplate := `ctx._source.%s='%v'`
 
-		if detect.IsEnabled != bVal {
-			detect.IsEnabled = bVal
-			modified = true
+	lines := make([]string, 0, len(fields)+1)
+
+	for field, value := range fields {
+		switch strings.ToLower(field) {
+		case "isenabled":
+			newField := store.schemaPrefix + "detection.isEnabled"
+			lines = append(lines, fmt.Sprintf(unQtemplate, newField, value))
+		default:
+			return nil, fmt.Errorf("unsupported field: %s", field)
 		}
 	}
 
-	err = store.validateDetection(detect)
+	lines = append(lines, fmt.Sprintf(Qtemplate, store.schemaPrefix+"detection.userId", ctx.Value(web.ContextKeyRequestorId).(string)))
+
+	opts := []func(*esapi.UpdateRequest){
+		store.esClient.Update.WithContext(ctx),
+		store.esClient.Update.WithSource("true"),
+	}
+
+	script := strings.Join(lines, "; ")
+
+	res, err := store.esClient.Update("so-detection", id, strings.NewReader(fmt.Sprintf(`{"script": "%s"}`, script)), opts...)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
 
-	if modified {
-		var results *model.EventIndexResults
+	if res.IsError() {
+		return nil, fmt.Errorf("update error: %s", res.String())
+	}
 
-		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-		if err == nil {
-			// Read object back to get new modify date, etc
-			detect, err = store.GetDetection(ctx, results.DocumentId)
-		}
+	type DetectionExtractor struct {
+		Result string `json:"result"`
+		Get    struct {
+			Source struct {
+				Detection *model.Detection `json:"so_detection"`
+			} `json:"_source"`
+		} `json:"get"`
+	}
+
+	ex := DetectionExtractor{}
+
+	err = json.NewDecoder(res.Body).Decode(&ex)
+	if err != nil {
+		return nil, err
+	}
+
+	if ex.Result != "updated" {
+		log.Debug("problem")
 	}
 
-	return detect, modified, err
+	return ex.Get.Source.Detection, nil
 }
 
 func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
@@ -404,7 +431,7 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
 	}
 
-	all, err := store.getAll(ctx, query, -1)
+	all, err := store.Query(ctx, query, -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index b6866957d..e174e0f6f 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -90,7 +90,7 @@ func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*m
 
 func (e *StrelkaEngine) startCommunityRuleImport() {
 	for e.isRunning {
-		time.Sleep(time.Second * 10)
+		time.Sleep(time.Second * 600)
 		if !e.isRunning {
 			break
 		}
@@ -126,8 +126,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			if err != nil {
 				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
 				errors++
-
-				continue
 			}
 
 			rules = append(rules, parsed...)
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 4715a325f..281a1cd03 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -412,7 +412,14 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 				modifyIndex[sid] = lineNum
 			} else if inModify && detect.IsEnabled {
 				// in modify, but shouldn't be
-				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				var after []string
+				before := modifyLines[:lineNum]
+
+				if lineNum+1 < len(modifyLines) {
+					after = modifyLines[lineNum+1:]
+				}
+
+				modifyLines = append(before, after...)
 				delete(modifyIndex, sid)
 			}
 		}
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index daa3bd07e..33ddf0b09 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -56,7 +56,6 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 	}
 
 	for r.Len() != 0 {
-		// TODO: Parse Source and Destination into Address and Ports
 		ch, _, _ := r.ReadRune()
 
 		switch curState {
diff --git a/syntax/validator.go b/syntax/validator.go
index 97fd0f405..6ab2b3231 100644
--- a/syntax/validator.go
+++ b/syntax/validator.go
@@ -14,7 +14,9 @@ import (
 func Validate(value string, syntax string) error {
 	var err error
 
-	if strings.Contains(value, "{#") || strings.Contains(value, "{{") || strings.Contains(value, "{%") {
+	if (strings.Contains(value, "{#") && strings.Contains(value, "#}")) ||
+		(strings.Contains(value, "{{") && strings.Contains(value, "}}")) ||
+		(strings.Contains(value, "{%") && strings.Contains(value, "%}")) {
 		err = errors.New("ERROR_JINJA_NOT_SUPPORTED")
 	} else {
 		switch strings.ToLower(syntax) {

From 5eafeb9e82b4968934be92dc2d6eb1c678b1c3e3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 11 Jan 2024 15:50:19 -0700
Subject: [PATCH 027/102] WIP: Fix for removed Date Range from Detections

When hunting, the daterange for detections will always be from the unix epoch to now. This helps us treat detections like a traditional model instead of a timescale DB entry.
---
 html/js/routes/hunt.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 76d8b9f07..930da4011 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -527,10 +527,14 @@ const huntComponent = {
           };
           response.data.totalEvents = response.data.events.length;
         } else {
+          let range = this.dateRange;
+          if (this.isCategory('detections')) {
+            range = moment(0).format(this.i18n.timePickerFormat) + " - " + moment().format(this.i18n.timePickerFormat);
+          }
           response = await this.$root.papi.get('events/', {
             params: {
               query: await this.getQuery(),
-              range: this.dateRange,
+              range: range,
               format: this.i18n.timePickerSample,
               zone: this.zone,
               metricLimit: this.groupByLimit,

From 64984cd3c53af43aa76265c424e02637aefc8a9b Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 17 Jan 2024 13:08:06 -0700
Subject: [PATCH 028/102] WIP: Async Bulk Operations

Submitting a bulk operation against detections now results in a 202 (Accepted) and the work is done in a goroutine. At the end, the results are broadcast back to the client.
---
 html/js/i18n.js                               |   4 +
 html/js/routes/hunt.js                        |  58 ++++++--
 server/detectionhandler.go                    | 122 ++++++++++-------
 server/modules/elastic/elastic.go             |   2 +-
 .../modules/elastic/elasticdetectionstore.go  | 128 ++++++++++++++++--
 5 files changed, 240 insertions(+), 74 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 0a6afd919..4d4f7380f 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -111,6 +111,8 @@ const i18n = {
       betweenOp: 'Between',
       blog: 'Blog',
       bulkAction: 'Bulk Action:',
+      bulkError: '',
+      bulkSuccess: 'Bulk update successfully updated {modified} of {total} events. ({time})',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -298,6 +300,8 @@ const i18n = {
       epsProduction: 'Production EPS:',
       epsConsumption: 'Consumption EPS:',
       error: 'Error',
+      errorSingular: 'error',
+      errorPlural: 'errors',
       errorHelp: 'See the Help section of the Security Onion documentation for additional troubleshooting guidance.',
       escalate: 'Escalate',
       escalationInvalid: 'Invalid alert - cannot escalate to a case due to insufficient alert information',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 930da4011..f63bf4ea9 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -181,11 +181,16 @@ const huntComponent = {
   beforeDestroy() {
     this.$root.setSubtitle("");
     this.stopRefreshTimer();
+    this.$root.unsubscribe('detections:bulkUpdate', this.bulkUpdateReport);
   },
   mounted() {
     this.$root.startLoading();
     this.category = this.$route.path.replace("/", "");
     this.$root.loadParameters(this.category, this.initHunt);
+
+    if (this.isCategory('detections')) {
+      this.$root.subscribe('detections:bulkUpdate', this.bulkUpdateReport);
+    }
   },
   watch: {
     '$route': 'loadData',
@@ -323,6 +328,9 @@ const huntComponent = {
       }
       this.resetRefreshTimer();
 
+      this.selectAllState = false;
+      this.selectedCount = 0;
+
       if (document.activeElement) {
         // Release focus to avoid clicking away causing a second hunt
         document.activeElement.blur();
@@ -2214,8 +2222,6 @@ const huntComponent = {
       this.selectedCount = count;
     },
     async bulkAction() {
-      this.$root.startLoading();
-
       let payload = {};
 
       switch (this.selectAllState) {
@@ -2235,18 +2241,52 @@ const huntComponent = {
       }
 
       try {
-        const response = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
-
+        await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+      } catch (e) {
+        this.$root.handleError(e);
+      } finally {
         this.selectAllState = false;
         this.selectedCount = 0;
-
         this.hunt(false);
-      } catch (e) {
-        this.$root.handleError(e);
       }
+    },
+    bulkUpdateReport(stats) {
+      if (stats.error > 0) {
+        let msg = this.i18n.bulkError;
+        msg += ' ' + stats.error.toLocaleString() + ' ' + (stats.error == 1 ? this.i18n.errorSingular : this.i18n.errorPlural) + '.';
 
-      this.$root.stopLoading();
-    }
+        this.$root.showError(msg);
+      } else {
+        let seconds = Math.floor(stats.time);
+        let hours = Math.floor(seconds / 3600);
+        seconds %= 3600;
+        let minutes = Math.floor(seconds / 60);
+        seconds = Math.floor(seconds % 60);
+
+        let t = '';
+
+        if (hours > 0) {
+          t += hours + 'h ';
+        }
+
+        if (minutes > 0 || t.length > 0) {
+          if (t.length > 0) {
+            minutes = `0${minutes}`;
+          }
+
+          t += minutes + 'm ';
+        }
+
+        t += seconds.toFixed(0) + 's';
+
+        let msg = this.i18n.bulkSuccess;
+        msg = msg.replaceAll('{modified}', stats.modified.toLocaleString());
+        msg = msg.replaceAll('{total}', stats.total.toLocaleString());
+        msg = msg.replaceAll('{time}', t);
+
+        this.$root.showInfo(msg);
+      }
+    },
   }
 };
 
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 45212232a..e3c530ded 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/apex/log"
@@ -22,6 +21,12 @@ import (
 	"github.com/pkg/errors"
 )
 
+type BulkOp struct {
+	IDs       []string `json:"ids"`
+	Query     *string  `json:"query"`
+	NewStatus bool     `json:"-"`
+}
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -259,19 +264,55 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	type BulkOp struct {
-		IDs   []string `json:"ids"`
-		Query *string  `json:"query"`
-	}
-
-	body := BulkOp{}
-	err := web.ReadJson(r, &body)
+	body := &BulkOp{}
+	err := web.ReadJson(r, body)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
 	}
 
+	body.NewStatus = enabled
+
+	// TODO: Check any permissions needing to be checked, we can't return a 4XX after this point
+
+	// new context that doesn't contain a timeout or deadline, but does include
+	// the user we're making requests to ES on behalf of.
+	noTimeOutCtx := context.WithValue(context.Background(), web.ContextKeyRequestor, ctx.Value(web.ContextKeyRequestor).(*model.User))
+	noTimeOutCtx = context.WithValue(noTimeOutCtx, web.ContextKeyRequestorId, ctx.Value(web.ContextKeyRequestorId).(string))
+
+	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body)
+
+	web.Respond(w, r, http.StatusAccepted, nil)
+}
+
+func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp) {
+	var err error
+	var update, sync time.Duration
+	errMap := map[string]string{} // map[id]error
 	IDs := map[string]struct{}{}
+	modified := []*model.Detection{}
+
+	totalTimeStart := time.Now()
+
+	defer func() {
+		totalTime := time.Since(totalTimeStart)
+
+		log.WithFields(log.Fields{
+			"error":      len(errMap),
+			"total":      len(IDs),
+			"modified":   len(modified),
+			"updateTime": update.Seconds(),
+			"syncTime":   sync.Seconds(),
+			"totalTime":  totalTime.Seconds(),
+		}).Error("bulk update Detections finished")
+
+		h.server.Host.Broadcast("detections:bulkUpdate", "detection", map[string]interface{}{
+			"error":    len(errMap),
+			"total":    len(IDs),
+			"modified": len(modified),
+			"time":     totalTime.Seconds(),
+		})
+	}()
 
 	for _, id := range body.IDs {
 		IDs[id] = struct{}{}
@@ -280,9 +321,10 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	if body.Query != nil {
 		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
 
-		results, err := h.server.Detectionstore.Query(ctx, query, -1)
+		var results []interface{}
+
+		results, err = h.server.Detectionstore.Query(ctx, query, -1)
 		if err != nil {
-			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
 		}
 		for _, d := range results {
@@ -294,56 +336,30 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 	log.WithField("count", len(IDs)).Info("bulk update ID count")
 
-	errMap := map[string]string{} // map[id]error
-	modified := make([]*model.Detection, 0, len(IDs))
+	modified = make([]*model.Detection, 0, len(IDs))
 
 	start := time.Now()
 
-	c := make(chan string, 100)
-	mMod := &sync.Mutex{}
-	mErr := &sync.Mutex{}
-	wg := sync.WaitGroup{}
-
-	for i := 0; i < 2; i++ {
-		wg.Add(1)
-
-		go func() {
-			for id := range c {
-				mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": enabled})
-				if err != nil {
-					mErr.Lock()
-					errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
-					mErr.Unlock()
-
-					continue
-				}
-
-				mMod.Lock()
-				modified = append(modified, mod)
-				mMod.Unlock()
-			}
+	for id := range IDs {
+		mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
+		if err != nil {
+			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 
-			wg.Done()
-		}()
-	}
+			continue
+		}
 
-	for id := range IDs {
-		c <- id
+		modified = append(modified, mod)
 	}
-	close(c)
 
-	wg.Wait()
-
-	update := time.Since(start)
+	update = time.Since(start)
 	start = time.Now()
 
 	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
 	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	sync := time.Since(start)
+	sync = time.Since(start)
 
 	// merge error maps
 	for k, v := range addErrMap {
@@ -356,13 +372,21 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	log.WithFields(log.Fields{
-		"updateTime":    update.Seconds(),
-		"syncTime":      sync.Seconds(),
 		"modifiedCount": len(modified),
 		"errorCount":    len(errMap),
 	}).Info("bulk update detection")
 
-	web.Respond(w, r, http.StatusOK, errMap)
+	if len(errMap) != 0 {
+		fields := log.Fields{}
+		for k, v := range errMap {
+			fields[k] = v
+			if len(fields) == 10 {
+				break
+			}
+		}
+
+		log.WithFields(fields).Error("sample of bulk update detection errors")
+	}
 }
 
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 8f4eb704a..a0687e36c 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -100,7 +100,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
 				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
-				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient)
+				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient, maxLogLength)
 
 				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
 				if err == nil {
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 67ce910a3..842514c42 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -6,10 +6,12 @@
 package elastic
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"regexp"
 	"strconv"
 	"strings"
@@ -21,6 +23,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+	"github.com/tidwall/gjson"
 )
 
 type ElasticDetectionstore struct {
@@ -30,12 +33,14 @@ type ElasticDetectionstore struct {
 	auditIndex      string
 	maxAssociations int
 	schemaPrefix    string
+	maxLogLength    int
 }
 
-func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client) *ElasticDetectionstore {
+func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client, maxLogLength int) *ElasticDetectionstore {
 	return &ElasticDetectionstore{
-		server:   srv,
-		esClient: client,
+		server:       srv,
+		esClient:     client,
+		maxLogLength: maxLogLength,
 	}
 }
 
@@ -391,27 +396,34 @@ func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id
 		return nil, fmt.Errorf("update error: %s", res.String())
 	}
 
-	type DetectionExtractor struct {
-		Result string `json:"result"`
-		Get    struct {
-			Source struct {
-				Detection *model.Detection `json:"so_detection"`
-			} `json:"_source"`
-		} `json:"get"`
+	raw, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
 	}
 
-	ex := DetectionExtractor{}
+	det := &model.Detection{}
+
+	rawDet := gjson.Get(string(raw), "get._source.so_detection").Raw
 
-	err = json.NewDecoder(res.Body).Decode(&ex)
+	err = json.Unmarshal([]byte(rawDet), det)
 	if err != nil {
 		return nil, err
 	}
 
-	if ex.Result != "updated" {
-		log.Debug("problem")
+	document := convertObjectToDocumentMap("detection", json.RawMessage(rawDet), store.schemaPrefix)
+	document[store.schemaPrefix+AUDIT_DOC_ID] = id
+	document[store.schemaPrefix+"kind"] = "detection"
+	document[store.schemaPrefix+"operation"] = "update"
+
+	err = store.audit(ctx, document, id)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"documentId": id,
+			"kind":       "detection",
+		}).WithError(err).Error("Detection updated successfully however audit record failed to index")
 	}
 
-	return ex.Get.Source.Detection, nil
+	return det, nil
 }
 
 func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
@@ -444,3 +456,89 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 
 	return sids, nil
 }
+
+func (store *ElasticDetectionstore) audit(ctx context.Context, document map[string]interface{}, id string) error {
+	var err error
+
+	// TODO: Rethink permissions here
+	// if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
+	// store.refreshCache(ctx)
+
+	var request string
+	request, err = convertToElasticIndexRequest(nil, document)
+	if err == nil {
+		log.Debug("Sending index request to primary Elasticsearch client")
+		_, err = store.indexDocument(ctx, store.disableCrossClusterIndex(store.auditIndex), request, id)
+		if err != nil {
+			log.WithError(err).Error("Encountered error while indexing document into elasticsearch")
+		}
+	}
+	// }
+	return err
+}
+
+func (store *ElasticDetectionstore) indexDocument(ctx context.Context, index string, document string, id string) (string, error) {
+	log.WithFields(log.Fields{
+		"index":     index,
+		"id":        id,
+		"document":  store.truncate(document),
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Adding document to Elasticsearch")
+
+	res, err := store.esClient.Index(index,
+		strings.NewReader(document),
+		store.esClient.Index.WithRefresh("true"),
+		store.esClient.Index.WithDocumentID(id),
+		store.esClient.Index.WithContext(ctx),
+	)
+
+	if err != nil {
+		log.WithError(err).Error("Unable to index document into Elasticsearch")
+		return "", err
+	}
+	defer res.Body.Close()
+	json, err := store.readJsonFromResponse(res)
+
+	log.WithFields(log.Fields{
+		"response":  store.truncate(json),
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Index new document finished")
+	return json, err
+}
+
+func (store *ElasticDetectionstore) truncate(input string) string {
+	if len(input) > store.maxLogLength {
+		return input[:store.maxLogLength] + "..."
+	}
+	return input
+}
+
+func (store *ElasticDetectionstore) disableCrossClusterIndex(index string) string {
+	pieces := strings.SplitN(index, ":", 2)
+	if len(pieces) == 2 {
+		index = pieces[1]
+	}
+	return index
+}
+
+func (store *ElasticDetectionstore) readErrorFromJson(json string) error {
+	errorType := gjson.Get(json, "error.type").String()
+	errorReason := gjson.Get(json, "error.reason").String()
+	errorDetails := json
+	if len(json) > MAX_ERROR_LENGTH {
+		errorDetails = json[0:MAX_ERROR_LENGTH]
+	}
+	err := errors.New(errorType + ": " + errorReason + " -> " + errorDetails)
+	return err
+}
+
+func (store *ElasticDetectionstore) readJsonFromResponse(res *esapi.Response) (string, error) {
+	var err error
+	var b bytes.Buffer
+	b.ReadFrom(res.Body)
+	json := b.String()
+	if res.IsError() {
+		err = store.readErrorFromJson(json)
+	}
+	return json, err
+}

From 594c2b8e2a9d0c5ff8cc9895b57770d73e610ba5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 29 Jan 2024 16:00:08 -0700
Subject: [PATCH 029/102] WIP: Strelka/Yara Community Rule Import, ElastAlert
 now translates with SigmaCLI

There's some side effects because the default `yaraRulesFolder` is still being used to store non-compiled rules by salt.

Updated tests around the new ExecCommand added to IOManagers.

This also includes ElastAlert switching to using the sigma cli instead of the sigconverter.io container. All references to the container have been removed.
---
 config/config.go                              |   5 +-
 go.mod                                        |  23 +-
 go.sum                                        | 111 ++++++-
 model/event.go                                |   2 +-
 server/detectionstore.go                      |   2 +
 server/mock/mock_detectionstore.go            | 145 +++++++++
 server/modules/elastalert/elastalert.go       |  74 ++---
 server/modules/elastalert/elastalert_test.go  |  74 +++--
 .../modules/elastalert/mock/mock_iomanager.go |  19 ++
 server/modules/strelka/mock/mock_iomanager.go | 132 ++++++++
 server/modules/strelka/strelka.go             | 297 ++++++++++++++++--
 server/modules/strelka/strelka_test.go        | 130 ++++++++
 server/modules/strelka/validate.go            |  22 ++
 server/modules/suricata/suricata.go           |   2 +-
 14 files changed, 921 insertions(+), 117 deletions(-)
 create mode 100644 server/mock/mock_detectionstore.go
 create mode 100644 server/modules/strelka/mock/mock_iomanager.go
 create mode 100644 server/modules/strelka/strelka_test.go

diff --git a/config/config.go b/config/config.go
index d6523bbfc..07d29a383 100644
--- a/config/config.go
+++ b/config/config.go
@@ -60,7 +60,10 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	}
 
 	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
-		"yaraRulesFolder": "/tmp/socdev/so/conf/strelka/rules",
+		"yaraRulesFolder":             "/tmp/socdev/so/conf/strelka/rules",
+		"reposFolder":                 "/tmp/socdev/so/conf/strelka/repos",
+		"rulesRepos":                  []interface{}{"https://github.com/Security-Onion-Solutions/securityonion-yara"},
+		"compileYaraPythonScriptPath": "/tmp/socdev/so/conf/strelka/compile_yara.py",
 	}
 
 	return cfg, err
diff --git a/go.mod b/go.mod
index 55f718020..55f842da8 100644
--- a/go.mod
+++ b/go.mod
@@ -20,22 +20,39 @@ require (
 )
 
 require (
+	github.com/go-git/go-git/v5 v5.11.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
+	github.com/tj/assert v0.0.3
 	go.uber.org/mock v0.3.0
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/oapi-codegen/runtime v1.0.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index 78e55c5b3..f0ee841c5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,13 @@
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -6,10 +15,16 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,13 +32,31 @@ github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWIO
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -36,14 +69,18 @@ github.com/influxdata/influxdb-client-go/v2 v2.13.0 h1:ioBbLmR5NMbAjP4UVA5r9b5xG
 github.com/influxdata/influxdb-client-go/v2 v2.13.0/go.mod h1:k+spCbt9hcvqvUiz0sr5D8LolXHqAAOfPw9v/RIRHl4=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -59,25 +96,34 @@ github.com/oapi-codegen/runtime v1.0.0 h1:P4rqFX5fMFWqRzY9M/3YF9+aPSPPB06IzP2P7o
 github.com/oapi-codegen/runtime v1.0.0/go.mod h1:LmCUMQuPB4M/nLXilQXhHw+BLZdDb18B34OO356yJ/A=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@@ -95,34 +141,88 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
 go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -130,8 +230,11 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/model/event.go b/model/event.go
index 73f410725..e93dad44d 100644
--- a/model/event.go
+++ b/model/event.go
@@ -145,7 +145,7 @@ func (criteria *EventSearchCriteria) DeterminePermissions(hintVerb string, hintN
 	kind = strings.ToLower(strings.TrimSpace(kind))
 
 	switch index {
-	case "so-detection":
+	case "so-detection", "*:so-detection":
 		return hintVerb, "detection"
 	}
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index ad168a3a5..af5184dc7 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -21,3 +21,5 @@ type Detectionstore interface {
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 }
+
+//go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
new file mode 100644
index 000000000..1d30b4a46
--- /dev/null
+++ b/server/mock/mock_detectionstore.go
@@ -0,0 +1,145 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server (interfaces: Detectionstore)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	reflect "reflect"
+
+	model "github.com/security-onion-solutions/securityonion-soc/model"
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockDetectionstore is a mock of Detectionstore interface.
+type MockDetectionstore struct {
+	ctrl     *gomock.Controller
+	recorder *MockDetectionstoreMockRecorder
+}
+
+// MockDetectionstoreMockRecorder is the mock recorder for MockDetectionstore.
+type MockDetectionstoreMockRecorder struct {
+	mock *MockDetectionstore
+}
+
+// NewMockDetectionstore creates a new mock instance.
+func NewMockDetectionstore(ctrl *gomock.Controller) *MockDetectionstore {
+	mock := &MockDetectionstore{ctrl: ctrl}
+	mock.recorder = &MockDetectionstoreMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockDetectionstore) EXPECT() *MockDetectionstoreMockRecorder {
+	return m.recorder
+}
+
+// CreateDetection mocks base method.
+func (m *MockDetectionstore) CreateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateDetection indicates an expected call of CreateDetection.
+func (mr *MockDetectionstoreMockRecorder) CreateDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateDetection", reflect.TypeOf((*MockDetectionstore)(nil).CreateDetection), arg0, arg1)
+}
+
+// DeleteDetection mocks base method.
+func (m *MockDetectionstore) DeleteDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DeleteDetection indicates an expected call of DeleteDetection.
+func (mr *MockDetectionstoreMockRecorder) DeleteDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteDetection", reflect.TypeOf((*MockDetectionstore)(nil).DeleteDetection), arg0, arg1)
+}
+
+// GetAllCommunitySIDs mocks base method.
+func (m *MockDetectionstore) GetAllCommunitySIDs(arg0 context.Context, arg1 *model.EngineName) (map[string]*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAllCommunitySIDs", arg0, arg1)
+	ret0, _ := ret[0].(map[string]*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAllCommunitySIDs indicates an expected call of GetAllCommunitySIDs.
+func (mr *MockDetectionstoreMockRecorder) GetAllCommunitySIDs(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllCommunitySIDs", reflect.TypeOf((*MockDetectionstore)(nil).GetAllCommunitySIDs), arg0, arg1)
+}
+
+// GetDetection mocks base method.
+func (m *MockDetectionstore) GetDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetDetection indicates an expected call of GetDetection.
+func (mr *MockDetectionstoreMockRecorder) GetDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetection", reflect.TypeOf((*MockDetectionstore)(nil).GetDetection), arg0, arg1)
+}
+
+// Query mocks base method.
+func (m *MockDetectionstore) Query(arg0 context.Context, arg1 string, arg2 int) ([]any, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Query", arg0, arg1, arg2)
+	ret0, _ := ret[0].([]any)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Query indicates an expected call of Query.
+func (mr *MockDetectionstoreMockRecorder) Query(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Query", reflect.TypeOf((*MockDetectionstore)(nil).Query), arg0, arg1, arg2)
+}
+
+// UpdateDetection mocks base method.
+func (m *MockDetectionstore) UpdateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateDetection indicates an expected call of UpdateDetection.
+func (mr *MockDetectionstoreMockRecorder) UpdateDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDetection", reflect.TypeOf((*MockDetectionstore)(nil).UpdateDetection), arg0, arg1)
+}
+
+// UpdateDetectionField mocks base method.
+func (m *MockDetectionstore) UpdateDetectionField(arg0 context.Context, arg1 string, arg2 map[string]any) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateDetectionField", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateDetectionField indicates an expected call of UpdateDetectionField.
+func (mr *MockDetectionstoreMockRecorder) UpdateDetectionField(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDetectionField", reflect.TypeOf((*MockDetectionstore)(nil).UpdateDetectionField), arg0, arg1, arg2)
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index bc38fb1b9..59f14c63c 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -17,6 +17,7 @@ import (
 	"io/fs"
 	"net/http"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
 	"strings"
@@ -45,6 +46,7 @@ type IOManager interface {
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
 	MakeRequest(*http.Request) (*http.Response, error)
+	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
 }
 
 type ElastAlertEngine struct {
@@ -53,9 +55,7 @@ type ElastAlertEngine struct {
 	sigmaPackageDownloadTemplate         string
 	elastAlertRulesFolder                string
 	rulesFingerprintFile                 string
-	sigconverterUrl                      string
 	sigmaRulePackages                    []string
-	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 	IOManager
@@ -79,8 +79,6 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip")
 	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
-	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
-	e.sigmaConversionTarget = module.GetStringDefault(config, "sigmaConversionTarget", "eql")
 
 	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
 	e.parseSigmaPackages(pkgs)
@@ -570,57 +568,35 @@ func (e *ElastAlertEngine) IndexExistingRules() (index map[string]string, err er
 }
 
 func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Detection) (string, error) {
-	// wrapper for the payload
-	ruleWrapper := struct {
-		Rule     string   `json:"rule"`
-		Pipeline []string `json:"pipeline"`
-		Target   string   `json:"target"`
-		Format   string   `json:"format"`
-	}{
-		Rule:     base64.StdEncoding.EncodeToString([]byte(det.Content)),
-		Pipeline: []string{},
-		Target:   e.sigmaConversionTarget,
-		Format:   "default",
-	}
+	args := []string{"convert", "-t", "eql", "-p", "windows-logsources", "-p", "ecs_windows", "/dev/stdin"}
 
-	payload, err := json.Marshal(ruleWrapper)
-	if err != nil {
-		return "", err
-	}
+	cmd := exec.CommandContext(ctx, "sigma", args...)
+	cmd.Stdin = strings.NewReader(det.Content)
 
-	// build request
-	req, err := http.NewRequest(http.MethodPost, e.sigconverterUrl, bytes.NewReader(payload))
-	if err != nil {
-		return "", err
-	}
+	raw, code, runtime, err := e.ExecCommand(cmd)
 
-	req = req.WithContext(ctx)
-	req.Header.Add("Content-Type", "application/json")
+	log.WithFields(log.Fields{
+		"code":     code,
+		"output":   string(raw),
+		"command":  cmd.String(),
+		"execTime": runtime.Seconds(),
+		"error":    err,
+	}).Info("executing sigma cli")
 
-	// send request
-	resp, err := e.MakeRequest(req)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("problem with sigma cli: %w", err)
 	}
-	defer resp.Body.Close()
 
-	rawRule, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
+	query := string(raw)
 
-	if resp.StatusCode < 200 || resp.StatusCode > 299 {
-		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
+	firstLine := strings.Index(string(raw), "\n")
+	if firstLine != -1 {
+		query = query[firstLine+1:]
 	}
 
-	rule := string(rawRule)
-
-	if strings.HasPrefix(rule, "Error:") {
-		rule = strings.TrimSpace(strings.TrimPrefix(rule, "Error:"))
-		return "", fmt.Errorf("sigconverter returned error: %s", rule)
-	}
+	query = strings.TrimSpace(query)
 
-	elastRule, err := wrapRule(det, rule)
+	elastRule, err := wrapRule(det, query)
 	if err != nil {
 		return "", fmt.Errorf("unable to wrap rule: %w", err)
 	}
@@ -840,3 +816,13 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
 	return http.DefaultClient.Do(req)
 }
+
+func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
+	start := time.Now()
+	output, err = cmd.CombinedOutput()
+	runtime = time.Since(start)
+
+	exitCode = cmd.ProcessState.ExitCode()
+
+	return output, exitCode, runtime, err
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index f304deaed..4940475e7 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -9,9 +9,12 @@ import (
 	"archive/zip"
 	"bytes"
 	"context"
+	"errors"
 	"io"
 	"io/fs"
 	"net/http"
+	"os/exec"
+	"slices"
 	"sort"
 	"strings"
 	"testing"
@@ -198,19 +201,28 @@ func TestTimeFrame(t *testing.T) {
 
 func TestSigmaToElastAlertSunnyDay(t *testing.T) {
 	ctrl := gomock.NewController(t)
-
 	mio := mock.NewMockIOManager(ctrl)
-	body := "<eql>"
-	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
-		StatusCode:    http.StatusOK,
-		Body:          io.NopCloser(strings.NewReader(body)),
-		ContentLength: int64(len(body)),
-	}, nil)
+
+	mio.EXPECT().ExecCommand(gomock.Cond(func(x any) bool {
+		cmd := x.(*exec.Cmd)
+
+		if !strings.HasSuffix(cmd.Path, "sigma") {
+			return false
+		}
+
+		if !slices.Contains(cmd.Args, "convert") {
+			return false
+		}
+
+		if cmd.Stdin == nil {
+			return false
+		}
+
+		return true
+	})).Return([]byte("<eql>"), 0, time.Duration(0), nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       "localhost:8000/convert",
-		sigmaConversionTarget: "eql",
-		IOManager:             mio,
+		IOManager: mio,
 	}
 
 	det := &model.Detection{
@@ -248,20 +260,28 @@ soc_pivot: soc_pivot
 
 func TestSigmaToElastAlertError(t *testing.T) {
 	ctrl := gomock.NewController(t)
-
 	mio := mock.NewMockIOManager(ctrl)
-	msg := "something went wrong"
-	body := "Error: " + msg
-	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
-		StatusCode:    http.StatusOK,
-		Body:          io.NopCloser(strings.NewReader(body)),
-		ContentLength: int64(len(body)),
-	}, nil)
+
+	mio.EXPECT().ExecCommand(gomock.Cond(func(x any) bool {
+		cmd := x.(*exec.Cmd)
+
+		if !strings.HasSuffix(cmd.Path, "sigma") {
+			return false
+		}
+
+		if !slices.Contains(cmd.Args, "convert") {
+			return false
+		}
+
+		if cmd.Stdin == nil {
+			return false
+		}
+
+		return true
+	})).Return([]byte("Error: something went wrong"), 1, time.Duration(0), errors.New("non-zero return"))
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       "localhost:3000/convert",
-		sigmaConversionTarget: "eql",
-		IOManager:             mio,
+		IOManager: mio,
 	}
 
 	det := &model.Detection{
@@ -276,7 +296,7 @@ func TestSigmaToElastAlertError(t *testing.T) {
 	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
 	assert.Empty(t, wrappedRule)
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, msg)
+	assert.ErrorContains(t, err, "problem with sigma cli")
 }
 
 func TestParseRules(t *testing.T) {
@@ -470,10 +490,7 @@ func TestSyncElastAlert(t *testing.T) {
 				// IndexExistingRules
 				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
 				// sigmaToElastAlert
-				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
-					StatusCode: http.StatusOK,
-					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
-				}, nil)
+				m.EXPECT().ExecCommand(gomock.Any()).Return([]byte("[sigma rule]"), 0, time.Duration(0), nil)
 				// WriteFile when enabling
 				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: '[sigma rule]'\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
 			},
@@ -539,10 +556,7 @@ func TestSyncElastAlert(t *testing.T) {
 				// IndexExistingRules
 				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
 				// sigmaToElastAlert
-				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
-					StatusCode: http.StatusOK,
-					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
-				}, nil)
+				m.EXPECT().ExecCommand(gomock.Any()).Return([]byte("[sigma rule]"), 0, time.Duration(0), nil)
 				// WriteFile when enabling
 				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: ([sigma rule]) and TRUE\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
 			},
diff --git a/server/modules/elastalert/mock/mock_iomanager.go b/server/modules/elastalert/mock/mock_iomanager.go
index a1508daf0..30e22c3cb 100644
--- a/server/modules/elastalert/mock/mock_iomanager.go
+++ b/server/modules/elastalert/mock/mock_iomanager.go
@@ -11,7 +11,9 @@ package mock
 import (
 	fs "io/fs"
 	http "net/http"
+	exec "os/exec"
 	reflect "reflect"
+	time "time"
 
 	gomock "go.uber.org/mock/gomock"
 )
@@ -53,6 +55,23 @@ func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
 }
 
+// ExecCommand mocks base method.
+func (m *MockIOManager) ExecCommand(arg0 *exec.Cmd) ([]byte, int, time.Duration, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ExecCommand", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(int)
+	ret2, _ := ret[2].(time.Duration)
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// ExecCommand indicates an expected call of ExecCommand.
+func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
+}
+
 // MakeRequest mocks base method.
 func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/strelka/mock/mock_iomanager.go b/server/modules/strelka/mock/mock_iomanager.go
new file mode 100644
index 000000000..e30a25b2d
--- /dev/null
+++ b/server/modules/strelka/mock/mock_iomanager.go
@@ -0,0 +1,132 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server/modules/strelka (interfaces: IOManager)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	fs "io/fs"
+	http "net/http"
+	exec "os/exec"
+	reflect "reflect"
+	time "time"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockIOManager is a mock of IOManager interface.
+type MockIOManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockIOManagerMockRecorder
+}
+
+// MockIOManagerMockRecorder is the mock recorder for MockIOManager.
+type MockIOManagerMockRecorder struct {
+	mock *MockIOManager
+}
+
+// NewMockIOManager creates a new mock instance.
+func NewMockIOManager(ctrl *gomock.Controller) *MockIOManager {
+	mock := &MockIOManager{ctrl: ctrl}
+	mock.recorder = &MockIOManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIOManager) EXPECT() *MockIOManagerMockRecorder {
+	return m.recorder
+}
+
+// DeleteFile mocks base method.
+func (m *MockIOManager) DeleteFile(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteFile", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteFile indicates an expected call of DeleteFile.
+func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
+}
+
+// ExecCommand mocks base method.
+func (m *MockIOManager) ExecCommand(arg0 *exec.Cmd) ([]byte, int, time.Duration, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ExecCommand", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(int)
+	ret2, _ := ret[2].(time.Duration)
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// ExecCommand indicates an expected call of ExecCommand.
+func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
+}
+
+// MakeRequest mocks base method.
+func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MakeRequest", arg0)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MakeRequest indicates an expected call of MakeRequest.
+func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
+}
+
+// ReadDir mocks base method.
+func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadDir", arg0)
+	ret0, _ := ret[0].([]fs.DirEntry)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadDir indicates an expected call of ReadDir.
+func (mr *MockIOManagerMockRecorder) ReadDir(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadDir", reflect.TypeOf((*MockIOManager)(nil).ReadDir), arg0)
+}
+
+// ReadFile mocks base method.
+func (m *MockIOManager) ReadFile(arg0 string) ([]byte, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadFile", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadFile indicates an expected call of ReadFile.
+func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
+}
+
+// WriteFile mocks base method.
+func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WriteFile", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WriteFile indicates an expected call of WriteFile.
+func (mr *MockIOManagerMockRecorder) WriteFile(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteFile", reflect.TypeOf((*MockIOManager)(nil).WriteFile), arg0, arg1, arg2)
+}
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index e174e0f6f..fb60f9b9b 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -6,19 +6,27 @@
 package strelka
 
 import (
+	"bytes"
 	"context"
 	"io/fs"
 	"net/http"
+	"net/url"
 	"os"
+	"os/exec"
+	"path"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
+	"github.com/go-git/go-git/v5"
 )
 
 type IOManager interface {
@@ -27,13 +35,18 @@ type IOManager interface {
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
 	MakeRequest(*http.Request) (*http.Response, error)
+	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
 }
 
 type StrelkaEngine struct {
-	srv             *server.Server
-	isRunning       bool
-	thread          *sync.WaitGroup
-	yaraRulesFolder string
+	srv                                  *server.Server
+	isRunning                            bool
+	thread                               *sync.WaitGroup
+	communityRulesImportFrequencySeconds int
+	yaraRulesFolder                      string
+	reposFolder                          string
+	rulesRepos                           []string
+	compileYaraPythonScriptPath          string
 	IOManager
 }
 
@@ -51,7 +64,11 @@ func (e *StrelkaEngine) PrerequisiteModules() []string {
 func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
 	e.thread = &sync.WaitGroup{}
 
-	e.yaraRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/conf/strelka/rules")
+	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
+	e.yaraRulesFolder = module.GetStringDefault(config, "yaraRulesFolder", "/opt/so/conf/strelka/rules")
+	e.reposFolder = module.GetStringDefault(config, "reposFolder", "/opt/so/conf/strelka/repos")
+	e.rulesRepos = module.GetStringArrayDefault(config, "rulesRepos", []string{"github.com/Security-Onion-Solutions/securityonion-yara"})
+	e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", "/opt/so/conf/strelka/compile_yara.py")
 
 	return nil
 }
@@ -84,65 +101,269 @@ func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
-func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
-	return nil, nil
+func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, _ []*model.Detection) (errMap map[string]string, err error) {
+	return e.syncDetections(ctx)
 }
 
 func (e *StrelkaEngine) startCommunityRuleImport() {
 	for e.isRunning {
-		time.Sleep(time.Second * 600)
+		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
 		if !e.isRunning {
 			break
 		}
 
 		start := time.Now()
 
-		files, err := e.ReadDir(e.yaraRulesFolder)
+		// read existing repos
+		entries, err := os.ReadDir(e.reposFolder)
 		if err != nil {
-			log.WithError(err).Error("Failed to read yara rules folder")
+			log.WithError(err).Error("Failed to read yara repos folder")
 			continue
 		}
 
-		rules := []*YaraRule{}
-		errors := 0
+		existingRepos := map[string]struct{}{}
 
-		for _, file := range files {
-			ext := filepath.Ext(file.Name())
-			if file.IsDir() || strings.ToLower(ext) != ".yar" {
+		for _, entry := range entries {
+			if !entry.IsDir() {
 				continue
 			}
 
-			filename := e.yaraRulesFolder + "/" + file.Name()
+			existingRepos[entry.Name()] = struct{}{}
+		}
 
-			raw, err := e.ReadFile(filename)
-			if err != nil {
-				log.WithError(err).WithField("file", filename).Error("failed to read yara rule file")
-				errors++
+		upToDate := map[string]struct{}{}
 
+		// pull or clone repos
+		for _, repo := range e.rulesRepos {
+			parser, err := url.Parse(repo)
+			if err != nil {
+				log.WithError(err).WithField("repo", repo).Error("Failed to parse repo URL, doing nothing with it")
 				continue
 			}
 
-			parsed, err := ParseYaraRules(raw)
+			_, lastFolder := path.Split(parser.Path)
+			repoPath := filepath.Join(e.reposFolder, lastFolder)
+
+			if _, ok := existingRepos[lastFolder]; ok {
+				// repo already exists, pull
+				repo, err := git.PlainOpen(repoPath)
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to open repo, doing nothing with it")
+					continue
+				}
+
+				work, err := repo.Worktree()
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to get worktree, doing nothing with it")
+					continue
+				}
+
+				ctx, cancel := context.WithTimeout(e.srv.Context, time.Minute*5)
+
+				err = work.PullContext(ctx, &git.PullOptions{
+					Depth:        1,
+					SingleBranch: true,
+				})
+				if err != nil && err != git.NoErrAlreadyUpToDate {
+					cancel()
+					log.WithError(err).WithField("repo", repo).Error("Failed to pull repo, doing nothing with it")
+					continue
+				}
+				cancel()
+
+				if err == nil {
+					upToDate[repoPath] = struct{}{}
+				}
+			} else {
+				// repo does not exist, clone
+				_, err = git.PlainClone(repoPath, false, &git.CloneOptions{
+					Depth:        1,
+					SingleBranch: true,
+					URL:          repo,
+				})
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to clone repo, doing nothing with it")
+					continue
+				}
+
+				upToDate[repoPath] = struct{}{}
+			}
+		}
+
+		if len(upToDate) == 0 {
+			// no updates, skip
+			log.Info("All repos are up to date, ending import")
+			continue
+		}
+
+		communityDetections, err := e.srv.Detectionstore.GetAllCommunitySIDs(e.srv.Context, util.Ptr(model.EngineNameStrelka))
+		if err != nil {
+			log.WithError(err).Error("Failed to get all community SIDs")
+			continue
+		}
+
+		// parse *.yar files in repos
+		for repo := range upToDate {
+			err = filepath.WalkDir(repo, func(path string, d fs.DirEntry, err error) error {
+				if err != nil {
+					log.WithError(err).WithField("path", path).Error("Failed to walk path")
+					return nil
+				}
+
+				if d.IsDir() {
+					return nil
+				}
+
+				ext := filepath.Ext(d.Name())
+				if strings.ToLower(ext) != ".yar" {
+					return nil
+				}
+
+				raw, err := e.ReadFile(path)
+				if err != nil {
+					log.WithError(err).WithField("file", path).Error("failed to read yara rule file")
+					return nil
+				}
+
+				parsed, err := ParseYaraRules(raw)
+				if err != nil {
+					log.WithError(err).WithField("file", path).Error("failed to parse yara rule file")
+					return nil
+				}
+
+				for _, rule := range parsed {
+					sev := model.SeverityUnknown
+
+					metaSev, err := strconv.Atoi(rule.Meta.Rest["severity"])
+					if err == nil {
+						metaSev = 0
+					}
+
+					switch {
+					case metaSev >= 1 && metaSev < 20:
+						sev = model.SeverityInformational
+					case metaSev >= 20 && metaSev < 40:
+						sev = model.SeverityLow
+					case metaSev >= 40 && metaSev < 60:
+						sev = model.SeverityMedium
+					case metaSev >= 60 && metaSev < 80:
+						sev = model.SeverityHigh
+					case metaSev >= 80:
+						sev = model.SeverityCritical
+					}
+
+					det := &model.Detection{
+						Engine:      model.EngineNameStrelka,
+						PublicID:    rule.GetID(),
+						Title:       rule.Identifier,
+						Severity:    sev,
+						Content:     rule.String(),
+						IsCommunity: true,
+					}
+
+					comRule, exists := communityDetections[det.PublicID]
+					if exists {
+						det.Id = comRule.Id
+						det.Note = comRule.Note
+						det.IsEnabled = comRule.IsEnabled
+					}
+
+					if rule.Meta.Author != nil {
+						det.Author = *rule.Meta.Author
+					}
+
+					if rule.Meta.Description != nil {
+						det.Description = *rule.Meta.Description
+					}
+
+					if exists {
+						// pre-existing detection, update it
+						det, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
+						if err != nil {
+							log.WithError(err).WithField("det", det).Error("Failed to update detection")
+							continue
+						}
+					} else {
+						// new detection, create it
+						det, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
+						if err != nil {
+							log.WithError(err).WithField("det", det).Error("Failed to create detection")
+							continue
+						}
+					}
+				}
+
+				return nil
+			})
 			if err != nil {
-				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
-				errors++
+				log.WithError(err).WithField("repo", repo).Error("Failed to walk repo")
+				continue
 			}
+		}
 
-			rules = append(rules, parsed...)
+		errMap, err := e.syncDetections(e.srv.Context)
+		if err != nil {
+			log.WithError(err).Error("Failed to sync community detections")
 		}
 
 		log.WithFields(log.Fields{
-			"files":  len(files),
-			"rules":  len(rules),
-			"errors": errors,
-			"exTime": time.Since(start).Seconds(),
-		}).Info("parsed yara community rules")
-
-		_, _ = e.syncCommunityDetections(context.Background(), nil)
+			"errMap": errMap,
+			"time":   time.Since(start).Seconds(),
+		}).Info("synced community detections")
 	}
 }
 
-func (e *StrelkaEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]string, err error) {
+	results, err := e.srv.Detectionstore.Query(ctx, `so_detection.engine:strelka AND so_detection.isEnabled:true AND _index:"*:so-detection"`, -1)
+	if err != nil {
+		return nil, err
+	}
+
+	enabledDetections := map[string]*model.Detection{}
+	for _, det := range results {
+		d := det.(*model.Detection)
+		enabledDetections[d.PublicID] = d
+	}
+
+	filename := filepath.Join(e.yaraRulesFolder, "enabled_rules.yar")
+
+	if len(enabledDetections) == 0 {
+		err = e.DeleteFile(filename)
+		if err != nil && !os.IsNotExist(err) {
+			return nil, err
+		}
+
+		return nil, nil
+	}
+
+	buf := bytes.Buffer{}
+
+	for _, det := range enabledDetections {
+		buf.WriteString(det.Content + "\n")
+	}
+
+	err = e.WriteFile(filename, buf.Bytes(), 0644)
+	if err != nil {
+		return nil, err
+	}
+
+	// compile yara rules
+	cmd := exec.CommandContext(ctx, "python3", e.compileYaraPythonScriptPath, e.yaraRulesFolder)
+
+	raw, code, dur, err := e.ExecCommand(cmd)
+
+	log.WithFields(log.Fields{
+		"command":  cmd.String(),
+		"output":   string(raw),
+		"code":     code,
+		"execTime": dur.Seconds(),
+		"error":    err,
+	}).Info("yara compilation results")
+
+	if err != nil {
+		return nil, err
+	}
+
 	return nil, nil
 }
 
@@ -170,3 +391,13 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
 	return http.DefaultClient.Do(req)
 }
+
+func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
+	start := time.Now()
+	output, err = cmd.CombinedOutput()
+	runtime = time.Since(start)
+
+	exitCode = cmd.ProcessState.ExitCode()
+
+	return output, exitCode, runtime, err
+}
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
new file mode 100644
index 000000000..cdc26a1b3
--- /dev/null
+++ b/server/modules/strelka/strelka_test.go
@@ -0,0 +1,130 @@
+package strelka
+
+import (
+	"context"
+	"io/fs"
+	"os/exec"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka/mock"
+	"github.com/tj/assert"
+	"go.uber.org/mock/gomock"
+)
+
+const simpleRule = `rule dummy {
+	condition:
+	  false
+}`
+
+func TestStrelkaModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewStrelkaEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Init(nil)
+	assert.NoError(t, err)
+
+	err = mod.Start()
+	assert.NoError(t, err)
+
+	assert.True(t, mod.IsRunning())
+
+	err = mod.Stop()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameStrelka])
+}
+
+func TestSyncSuricata(t *testing.T) {
+	table := []struct {
+		Name           string
+		InitMock       func(*servermock.MockDetectionstore, *mock.MockIOManager)
+		ExpectedErr    error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Enable Simple Rules",
+			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
+				mockDetStore.EXPECT().Query(gomock.Any(), gomock.Any(), gomock.Any()).Return([]interface{}{
+					&model.Detection{
+						PublicID:  "1",
+						Engine:    model.EngineNameStrelka,
+						Content:   simpleRule,
+						IsEnabled: true,
+					},
+					&model.Detection{
+						PublicID:  "2",
+						Engine:    model.EngineNameStrelka,
+						Content:   simpleRule,
+						IsEnabled: true,
+					},
+				}, nil)
+
+				mio.EXPECT().WriteFile(gomock.Any(), []byte(simpleRule+"\n"+simpleRule+"\n"), fs.FileMode(0644)).Return(nil)
+
+				mio.EXPECT().ExecCommand(gomock.Cond(func(c any) bool {
+					cmd := c.(*exec.Cmd)
+
+					if !strings.HasSuffix(cmd.Path, "python3") {
+						return false
+					}
+
+					if slices.Equal(cmd.Args, []string{"compileYaraPythonScriptPath", "yaraRulesFolder"}) {
+						return false
+					}
+
+					return true
+				})).Return([]byte{}, 0, time.Duration(0), nil)
+			},
+		},
+		{
+			Name: "No Enabled Rules",
+			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
+				mockDetStore.EXPECT().Query(gomock.Any(), gomock.Any(), gomock.Any()).Return([]interface{}{}, nil)
+				mio.EXPECT().DeleteFile("yaraRulesFolder/enabled_rules.yar").Return(nil)
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			ctrl := gomock.NewController(t)
+			mockDetStore := servermock.NewMockDetectionstore(ctrl)
+			mio := mock.NewMockIOManager(ctrl)
+
+			mod := NewStrelkaEngine(&server.Server{
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+				Detectionstore:   mockDetStore,
+			})
+			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
+			mod.IOManager = mio
+
+			mod.compileYaraPythonScriptPath = "compileYaraPythonScriptPath"
+			mod.yaraRulesFolder = "yaraRulesFolder"
+
+			test.InitMock(mockDetStore, mio)
+
+			errMap, err := mod.SyncLocalDetections(ctx, nil)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+		})
+	}
+}
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index e2a0f8b3c..fc6663286 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -7,6 +7,7 @@ package strelka
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"sort"
@@ -32,6 +33,7 @@ type YaraRule struct {
 }
 
 type Metadata struct {
+	ID          *string
 	Author      *string
 	Date        *string
 	Version     *string
@@ -47,6 +49,8 @@ func (md *Metadata) IsEmpty() bool {
 func (md *Metadata) Set(key, value string) {
 	key = strings.ToLower(key)
 	switch key {
+	case "id":
+		md.ID = util.Ptr(value)
 	case "author":
 		md.Author = util.Ptr(value)
 	case "date":
@@ -65,6 +69,24 @@ func (md *Metadata) Set(key, value string) {
 	}
 }
 
+func (rule *YaraRule) GetID() string {
+	if rule.Meta.Rest["id"] != "" {
+		return *rule.Meta.ID
+	}
+
+	hash := sha256.Sum256([]byte(rule.Identifier))
+
+	hash[6] = 0x40 | (hash[6] & 0x0f)
+	hash[8] = 0x80 | (hash[8] & 0x3f)
+	id := fmt.Sprintf("%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+		hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8],
+		hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15])
+
+	rule.Meta.ID = util.Ptr(id)
+
+	return id
+}
+
 func ParseYaraRules(data []byte) ([]*YaraRule, error) {
 	rules := []*YaraRule{}
 	rule := &YaraRule{}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 281a1cd03..207a62798 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -92,7 +92,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 	ctx := s.srv.Context
 
 	for s.isRunning {
-		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
+		time.Sleep(time.Duration(s.communityRulesImportFrequencySeconds) * time.Second)
 		if !s.isRunning {
 			break
 		}

From 7549c63790e1ecf1bfcfc32033a6c22af53be5e5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 30 Jan 2024 13:14:58 -0700
Subject: [PATCH 030/102] WIP: Fix Suricata Parser Bug

Fixed a bug where 2 slashes before ending a string resulted in the parser not recognizing that the string terminated.

Updated "Parentheses in Unquoted Option" test to also test this case.
---
 server/modules/suricata/suricata_test.go | 2 +-
 server/modules/suricata/validate.go      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index c1eea1de4..a3d8a6bc5 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -263,7 +263,7 @@ func TestValidate(t *testing.T) {
 		},
 		{
 			Name:  "Parentheses in Unquoted Option",
-			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
+			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)\\"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
 		},
 		{
 			Name:  "Unescaped Double Quote in PCRE Option",
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 33ddf0b09..fcb16a752 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -142,7 +142,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 						inQuotes = !inQuotes
 					}
 				}
-			} else if ch == '\\' {
+			} else if ch == '\\' && !isEscaping {
 				isEscaping = true
 				buf.WriteRune(ch)
 			} else {

From c4d9fe13d5150d08b6b5a1db4e62b6bca5394b69 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 31 Jan 2024 10:43:44 -0700
Subject: [PATCH 031/102] WIP: Cleanup

At one point detections was piggy backing off of CaseStore and some functions were added to fill out the interface's changes. Since then, detections have their own store and these filler functions are no longer needed.
---
 .../modules/elasticcases/elasticcasestore.go  | 20 -------------------
 server/modules/generichttp/httpcasestore.go   | 20 -------------------
 server/modules/thehive/thehivecasestore.go    | 20 -------------------
 3 files changed, 60 deletions(-)

diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index f41d09181..4250e0a6c 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -144,23 +144,3 @@ func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 1fac51103..69c256901 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -149,23 +149,3 @@ func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (*
 func (store *HttpCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *HttpCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 99ad5041f..44a5cf3a5 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -141,23 +141,3 @@ func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *TheHiveCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *TheHiveCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}

From abd6ba05ef5ad0bb72666086b41aead5389808f4 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 31 Jan 2024 15:31:16 -0700
Subject: [PATCH 032/102] WIP: First pass at including sigma-cli in the
 dockerfile

---
 Dockerfile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2b1408e12..34d5a538d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@
 
 FROM ghcr.io/security-onion-solutions/golang:1.21.5-alpine as builder
 ARG VERSION=0.0.0
-RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv
+RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv python3-dev openssl-dev linux-headers
 COPY . /build
 WORKDIR /build
 RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
@@ -22,6 +22,8 @@ RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
+RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
 ARG UID=939
@@ -30,7 +32,7 @@ ARG VERSION=0.0.0
 ARG ELASTIC_VERSION=0.0.0
 ARG WAZUH_VERSION=0.0.0
 
-RUN apt update -y 
+RUN apt update -y
 RUN apt install -y bash tzdata ca-certificates wget curl tcpdump unzip tshark
 RUN update-ca-certificates
 RUN addgroup --gid "$GID" socore
@@ -46,6 +48,8 @@ COPY --from=builder /build/LICENSE .
 COPY --from=builder /build/README.md .
 COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
+COPY --from=builder /usr/bin/sigma /usr/bin/sigma
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*
 RUN chown 939:939 scripts/*

From c6502fd5145447bad1e8adc019da3ae4ae7c8d5f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 1 Feb 2024 09:46:40 -0700
Subject: [PATCH 033/102] WIP: Remove Custom Config, Suricata Community Rules
 Start Disabled

Was overloading config values for easier development. Removed for a cleaner install to Kilo.

Suricata community rules seen for the first time are now disabled by default. Updated test to notice this change.
---
 config/config.go                         | 21 ---------------------
 server/modules/suricata/suricata.go      |  1 -
 server/modules/suricata/suricata_test.go |  2 --
 3 files changed, 24 deletions(-)

diff --git a/config/config.go b/config/config.go
index 07d29a383..9a740d85a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,26 +45,5 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		}
 	}
 
-	// TODO: remove when put in config file
-	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
-		"communityRulesFile":   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile": "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
-	}
-
-	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(61), // not a recommended value, I'm impatient
-		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
-		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
-		"sigmaRulePackages":                    "all",
-		"sigconverterUrl":                      "http://localhost:8000/sigma",
-	}
-
-	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
-		"yaraRulesFolder":             "/tmp/socdev/so/conf/strelka/rules",
-		"reposFolder":                 "/tmp/socdev/so/conf/strelka/repos",
-		"rulesRepos":                  []interface{}{"https://github.com/Security-Onion-Solutions/securityonion-yara"},
-		"compileYaraPythonScriptPath": "/tmp/socdev/so/conf/strelka/compile_yara.py",
-	}
-
 	return cfg, err
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 207a62798..fe0860aa4 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -277,7 +277,6 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 			Title:       title,
 			Severity:    severity,
 			Content:     line,
-			IsEnabled:   true, // is this true?
 			IsCommunity: true,
 			Engine:      model.EngineNameSuricata,
 		})
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index a3d8a6bc5..1d11c507f 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -317,7 +317,6 @@ func TestParse(t *testing.T) {
 					Title:       `GPL ATTACK_RESPONSE id check returned root`,
 					Severity:    model.SeverityUnknown,
 					Content:     SimpleRule,
-					IsEnabled:   true,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
 				},
@@ -326,7 +325,6 @@ func TestParse(t *testing.T) {
 					Title:       `a "tricky";\ msg`,
 					Severity:    model.SeverityInformational,
 					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
-					IsEnabled:   true,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
 				},

From 17f3d3016871347c154aae39a0971972057470bb Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 1 Feb 2024 14:39:37 -0700
Subject: [PATCH 034/102] WIP: Fix Sigma Shebang, Copy Site-Packages to New
 Location

This should help fix issues with soc running sigma.
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 34d5a538d..e19d4aff3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,7 @@ RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
 RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+RUN sed -i 's/#!\/usr\/bin\/python3/#!\/usr\/bin\/env python/g' /usr/bin/sigma
 
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
@@ -48,7 +49,7 @@ COPY --from=builder /build/LICENSE .
 COPY --from=builder /build/README.md .
 COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
-COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/local/lib/python3.9/site-packages
 COPY --from=builder /usr/bin/sigma /usr/bin/sigma
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*

From 587b9b3b3d98ed5fdcd2b95f205b36047c3f0926 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 2 Feb 2024 11:42:26 -0700
Subject: [PATCH 035/102] WIP: Removed Hardcoded Config Values

Moved hardcoded config values to the config in securityonion.
---
 server/infohandler.go | 109 ------------------------------------------
 1 file changed, 109 deletions(-)

diff --git a/server/infohandler.go b/server/infohandler.go
index 2295806e4..783c41e81 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -11,7 +11,6 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -62,113 +61,5 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
-	{
-		detections := &info.Parameters.DetectionsParams
-
-		detections.ViewEnabled = true
-		detections.CreateLink = "/detection/create"
-		detections.EventFetchLimit = 500
-		detections.EventItemsPerPage = 50
-		detections.GroupFetchLimit = 50
-		detections.MostRecentlyUsedLimit = 5
-		detections.SafeStringMaxLength = 100
-		detections.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:detection"
-		detections.EventFields = map[string][]string{
-			"default": {
-				"so_detection.title",
-				"so_detection.isEnabled",
-				"so_detection.engine",
-				"@timestamp",
-			},
-		}
-		detections.Queries = []*config.HuntingQuery{
-			{
-				Name:  "All",
-				Query: "_id:*",
-			},
-			{
-				Name:  "Local Rules",
-				Query: "* AND so_detection.isCommunity:false",
-			},
-			{
-				Name:  "Enabled",
-				Query: "so_detection.isEnabled:true",
-			},
-			{
-				Name:  "Disabled",
-				Query: "so_detection.isEnabled:false",
-			},
-			{
-				Name:  "Suricata",
-				Query: "so_detection.engine:suricata",
-			},
-			{
-				Name:  "ElastAlert",
-				Query: "so_detection.engine:elastalert",
-			},
-			{
-				Name:  "Suricata Enabled",
-				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
-			},
-			{
-				Name:  "Suricata Disabled",
-				Query: "so_detection.engine:suricata AND so_detection.isEnabled:false",
-			},
-			{
-				Name:  "ElastAlert Enabled",
-				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
-			},
-			{
-				Name:  "ElastAlert Disabled",
-				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:false",
-			},
-		}
-	}
-
-	{
-		detection := &info.Parameters.DetectionParams
-
-		detection.Presets = map[string]config.PresetParameters{
-			"severity": {
-				CustomEnabled: false,
-				Labels:        []string{"unknown", "informational", "low", "medium", "high", "critical"},
-			},
-			"engine": {
-				CustomEnabled: false,
-				Labels:        []string{"suricata", "elastalert"},
-			},
-		}
-
-		detection.SeverityTranslations = map[string]string{
-			// informational and critical already map correctly
-			"minor": "low",
-			"major": "high",
-		}
-	}
-
-	{
-		playbooks := &info.Parameters.PlaybooksParams
-
-		playbooks.ViewEnabled = true
-		playbooks.CreateLink = "/playbook/create"
-		playbooks.EventFetchLimit = 500
-		playbooks.EventItemsPerPage = 50
-		playbooks.GroupFetchLimit = 50
-		playbooks.MostRecentlyUsedLimit = 5
-		playbooks.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:playbook"
-		playbooks.SafeStringMaxLength = 100
-		playbooks.Queries = []*config.HuntingQuery{
-			{Query: "*"},
-		}
-		playbooks.EventFields = map[string][]string{
-			"default": {
-				"soc_timestamp",
-				"so_playbook.title",
-				"so_playbook.publicId",
-				"so_playbook.mechanism",
-			},
-		}
-	}
-
 	web.Respond(w, r, http.StatusOK, info)
 }

From 1b33e451688bcf86b9995294940ddd458d47f184 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 2 Feb 2024 12:16:01 -0700
Subject: [PATCH 036/102] WIP: Detection History

Previous versions of a Detection's history are now presented in the History tab. With Refresh, Sort, Search, and Details.
---
 html/index.html                               | 172 +++++++++++++++++-
 html/js/i18n.js                               |   7 +-
 html/js/routes/detection.js                   |  55 +++++-
 server/detectionhandler.go                    |  19 ++
 server/detectionstore.go                      |   1 +
 server/mock/mock_detectionstore.go            |  15 ++
 .../modules/elastic/elasticdetectionstore.go  |   7 +
 7 files changed, 269 insertions(+), 7 deletions(-)

diff --git a/html/index.html b/html/index.html
index 5c1f0e0a9..b1c7c440c 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1376,9 +1376,173 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 </div>
               </v-tab-item>
               <v-tab-item value="history">
-                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  Coming Soon!
-                </div>
+                <v-row>
+                  <v-col>
+                    <v-toolbar class="elevation-0" fixed>
+                      <v-btn :title="i18n.refreshDetectionHistoryHelp" color="secondary" @click.stop="loadHistory()" id="refresh-history-button">
+                        <v-icon>fa-sync</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                  </v-col>
+                </v-row>
+                <!-- <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;"> -->
+                  <v-text-field v-model="historyTableOpts.search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="historyTable" :sort-by.sync="historyTableOpts.sortBy" :sort-desc.sync="historyTableOpts.sortDesc" :items-per-page.sync="historyTableOpts.itemsPerPage"
+                    :search="historyTableOpts.search" :footer-props="historyTableOpts.footerProps" must-sort :headers="historyTableOpts.headers"
+                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table">
+                    <template v-slot:item="props">
+                      <tr>
+                        <td class="associated actions">
+                          <v-btn :id="`history-${props.index}-expand`" icon small @click="expandRow(props.item)">
+                            <v-icon v-if="isExpanded(props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded(props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>
+                        <td class="associated">
+                          <v-avatar color="primary" class="mr-2 white--text" size="28">
+                            <div class="font-weight-bold" :title="props.item.owner">
+                              {{ $root.getAvatar(props.item.owner) }}
+                            </div>
+                          </v-avatar>
+                          {{ props.item.owner }}
+                        </td>
+                        <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="associated">
+                          <v-icon>fa-magnifying-glass</v-icon>
+                          <span class="rounded ml-2">{{ props.item.kind }}</span>
+                        </td>
+                        <td class="associated">
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.create.toLowerCase()">fa-plus</v-icon>
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.delete.toLowerCase()">fa-circle-xmark</v-icon>
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.update.toLowerCase()">fa-pencil-alt</v-icon>
+                          <span class="rounded ml-2">{{ props.item.operation }}</span>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td colspan="5" class="case">
+                          <div class="mt-2">
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.id }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.id }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.kind }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.kind }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.operation }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.operation }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateCreated }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.createTime | formatDateTime }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateModified }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.updateTime | formatDateTime }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.title }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.title }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.description }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.author }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.author }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.enabled }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isEnabled ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.community }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isCommunity ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.reporting }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isReporting ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.severity }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.severity }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.engine }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.engine }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.content }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.content }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.note }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.note }}</span></v-col>
+                            </v-row>
+                          </div>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
+                            <div class="mr-1">
+                              {{ props.item.owner }}
+                            </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
+                            </div>
+                            <div>
+                              {{ props.item.updateTime | formatDateTime }}
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadHistory()"></v-btn>
+                  </div>
+                <!-- </div> -->
               </v-tab-item>
             </v-tabs>
           </div>
@@ -3091,7 +3255,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-row>
                     <v-col>
                       <v-toolbar class="elevation-0" fixed>
-                        <v-btn :title="i18n.refreshHistoryHelp" color="secondary" @click.stop="reloadAssociation('history', true)" id="refresh-history-button">
+                        <v-btn :title="i18n.refreshCaseHistoryHelp" color="secondary" @click.stop="reloadAssociation('history', true)" id="refresh-history-button">
                           <v-icon>fa-sync</v-icon>
                         </v-btn>
                       </v-toolbar>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 4d4f7380f..070f6dd35 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -169,6 +169,7 @@ const i18n = {
       commentHours: 'Work Hours',
       commentHoursHelp: 'Hours spent working on this update (leave blank for 0 hours)',
       commentRequired: 'Comments cannot be empty.',
+      community: 'Community',
       completed: 'Completed',
       config: 'Configuration',
       configTitle: 'Grid Configuration',
@@ -207,6 +208,7 @@ const i18n = {
       configQLZeekThreads: 'Change number of Zeek workers (threads)',
       container: 'Container',
       containerStatus: 'Container Status',
+      content: 'Content',
       continue: 'Would you like to continue?',
       contributors: 'Contributors',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
@@ -293,6 +295,7 @@ const i18n = {
       emailRequired: 'An email address must be specified.',
       enable: 'Enable',
       enabled: 'Enabled',
+      enabledLabel: 'Enabled:',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
       engine: 'Engine',
@@ -596,10 +599,11 @@ const i18n = {
       redisQueueSize: 'Redis Queue Size',
       refresh: 'Refresh',
       refreshAttachmentsHelp: 'Refresh to view all recently added attachments for this case.',
+      refreshCaseHistoryHelp: 'Refresh to view the latest history for this case.',
+      refreshDetectionHistoryHelp: 'Refresh to view the latest history for this detection.',
       refreshCommentsHelp: 'Refresh to view all recently added comments for this case.',
       refreshObservablesHelp: 'Refresh to view all recently added observables for this case.',
       refreshEventsHelp: 'Refresh to view all recently escalated events for this case.',
-      refreshHistoryHelp: 'Refresh to view the latest history for this case.',
       regex: 'Regex',
       reject: 'Reject',
       rejected: 'Rejected',
@@ -755,6 +759,7 @@ const i18n = {
       timestampFormat: 'YYYY-MM-DD HH:mm:ss.SSS Z',
       timezone: 'Time Zone:',
       timezoneHelp: 'Time Zone',
+      title: 'Title',
       toggleLegend: 'Toggle Legend',
       toolCyberchef: 'CyberChef',
       toolCyberchefHelp: 'Data decoding and transformation tools',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 47f4d1a7c..7178ec8e1 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -72,6 +72,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
+		historyTableOpts: {
+			sortBy: 'updateTime',
+			sortDesc: false,
+			search: '',
+			headers: [
+				{ text: this.$root.i18n.actions, width: '10.0em' },
+				{ text: this.$root.i18n.username, value: 'owner' },
+				{ text: this.$root.i18n.time, value: 'updateTime' },
+				{ text: this.$root.i18n.kind, value: 'kind' },
+				{ text: this.$root.i18n.operation, value: 'operation' },
+			],
+			itemsPerPage: 10,
+			footerProps: { 'items-per-page-options': [10,50,250,1000] },
+			count: 500,
+			expanded: [],
+			loading: false,
+		},
+		history: [],
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -126,6 +144,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
 				this.tagOverrides();
+				this.loadAssociations();
 			} catch (error) {
 				if (error.response != undefined && error.response.status == 404) {
 					this.$root.showError(this.i18n.notFound);
@@ -136,6 +155,17 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.$root.stopLoading();
 		},
+		loadAssociations() {
+			this.loadHistory();
+		},
+		async loadHistory() {
+			const route = this;
+			const id = route.$route.params.id;
+			const response = await this.$root.papi.get(`detection/${id}/history`);
+			if (response && response.data) {
+				this.history = response.data;
+			}
+		},
 		getDefaultPreset(preset) {
 			if (this.presets) {
 				const presets = this.presets[preset];
@@ -632,6 +662,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 						}
 					}
 				}
+			} else if (this.detect.engine === 'strelka') {
+				return false;
 			}
 
 			return true;
@@ -641,10 +673,29 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				for (let i = 0; i < this.detect.overrides.length; i++) {
 					this.detect.overrides[i].index = i;
 				}
+			} else {
+				this.detect.overrides = [];
 			}
 		},
-		print(x) {
-			console.log(x);
+		isExpanded(row) {
+			const expanded = this.historyTableOpts.expanded;
+			for (var i = 0; i < expanded.length; i++) {
+				if (expanded[i].id == row.id) {
+					return true;
+				}
+			}
+			return false;
 		},
+		async expandRow(row) {
+			const expanded = this.historyTableOpts.expanded;
+			for (var i = 0; i < expanded.length; i++) {
+				if (expanded[i].id == row.id) {
+					expanded.splice(i, 1);
+					return;
+				}
+			}
+
+			expanded.push(row);
+		}
 	}
 }});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index e3c530ded..c38d73f71 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -42,6 +42,8 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Post("/", h.postDetection)
 		r.Post("/{id}/duplicate", h.duplicateDetection)
 
+		r.Get("/{id}/history", h.getDetectionHistory)
+
 		r.Put("/", h.putDetection)
 
 		r.Delete("/{id}", h.deleteDetection)
@@ -115,6 +117,23 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
+func (h *DetectionHandler) getDetectionHistory(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	id := chi.URLParam(r, "id")
+	if id == "" {
+		id = r.URL.Query().Get("id")
+	}
+
+	obj, err := h.server.Detectionstore.GetDetectionHistory(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
+
 func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index af5184dc7..c73416b7e 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -20,6 +20,7 @@ type Detectionstore interface {
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
+	GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error)
 }
 
 //go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 1d30b4a46..60cf76910 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -99,6 +99,21 @@ func (mr *MockDetectionstoreMockRecorder) GetDetection(arg0, arg1 any) *gomock.C
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetection", reflect.TypeOf((*MockDetectionstore)(nil).GetDetection), arg0, arg1)
 }
 
+// GetDetectionHistory mocks base method.
+func (m *MockDetectionstore) GetDetectionHistory(arg0 context.Context, arg1 string) ([]any, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDetectionHistory", arg0, arg1)
+	ret0, _ := ret[0].([]any)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetDetectionHistory indicates an expected call of GetDetectionHistory.
+func (mr *MockDetectionstoreMockRecorder) GetDetectionHistory(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetectionHistory", reflect.TypeOf((*MockDetectionstore)(nil).GetDetectionHistory), arg0, arg1)
+}
+
 // Query mocks base method.
 func (m *MockDetectionstore) Query(arg0 context.Context, arg1 string, arg2 int) ([]any, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 842514c42..6cde993f5 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -457,6 +457,13 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 	return sids, nil
 }
 
+func (store *ElasticDetectionstore) GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %s%s:"%s" | sortby @timestamp^`, store.auditIndex, store.schemaPrefix, AUDIT_DOC_ID, detectID)
+	history, err := store.Query(ctx, query, store.maxAssociations)
+
+	return history, err
+}
+
 func (store *ElasticDetectionstore) audit(ctx context.Context, document map[string]interface{}, id string) error {
 	var err error
 

From b59206331ae2fcfcc26e034ece6a6d33e0b83fe5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 6 Feb 2024 13:33:31 -0700
Subject: [PATCH 037/102] WIP: UI Changes

Updated the Detection Overview tab.

Fixed an issue where some strelka metadata was coming through quoted. Added tests for new approach.

Next step: add some missing data to the model, conversion process, and validation process so we can finish the Overview tab.
---
 html/css/app.css                   |  61 ++++++++++
 html/index.html                    | 174 +++++++++++++++++++++--------
 html/js/routes/detection.js        | 131 +++++++++++++++++++++-
 server/modules/strelka/strelka.go  |   6 +-
 server/modules/strelka/validate.go |   1 +
 util/strings.go                    |  13 +++
 util/strings_test.go               |  67 +++++++++++
 7 files changed, 402 insertions(+), 51 deletions(-)
 create mode 100644 util/strings.go
 create mode 100644 util/strings_test.go

diff --git a/html/css/app.css b/html/css/app.css
index f5b017f32..5ffae166d 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -533,3 +533,64 @@ td {
 .detection-hunt-btn {
   margin-top: 20px;
 }
+
+.summary-backdrop {
+  background-color: rgb(53, 53, 53);
+  border-radius: 4px;
+}
+
+.summary-backdrop > div {
+  background-color: #2a2a2a;
+  border-radius: 4px;
+  padding: 16px;
+}
+
+.header {
+  font-size: 1.3em;
+  font-weight: bold;
+}
+
+.header:not(:first-child) {
+  margin-top: 16px;
+}
+
+.extracted-content {
+  background-color: #404040;
+  border-radius: 4px;
+  padding: 8px;
+}
+
+.extracted-content > pre {
+  text-wrap: wrap;
+}
+
+.detect-reference {
+  font-size: small;
+  display: table;
+  width: 100%;
+}
+
+.detect-reference > div {
+  display: table-row;
+}
+
+.detect-reference > div > div {
+  display: table-cell;
+  padding: 0 4px;
+}
+
+.detect-reference .key {
+  font-weight: bold;
+  text-align: right;
+}
+
+.ops-header {
+  font-weight: bold;
+  margin-top: 16px;
+}
+
+.ops-value > .v-input--selection-controls {
+  margin-top: 0 !important;
+  padding-top: 0 !important;
+  height: 24px !important;
+}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index b1c7c440c..4b3b35357 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1047,23 +1047,23 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
             <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
-                <v-icon left>fa-clipboard</v-icon>
-                <div class="d-none d-lg-block">Summary</div>
-              </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
-                <v-icon left>fa-signature</v-icon>
-                <div class="d-none d-lg-block">Signature</div>
+                <v-icon left>fa-comments</v-icon>
+                <div class="d-none d-lg-block">Overview</div>
               </v-tab>
               <v-tab id="detection_notesTab" href="#notes">
-                <v-icon left>fa-pencil</v-icon>
-                <div class="d-none d-lg-block">Notes</div>
+                <v-icon left>fa-paperclip</v-icon>
+                <div class="d-none d-lg-block">Operational Notes</div>
+              </v-tab>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-eye</v-icon>
+                <div class="d-none d-lg-block">Detection Source</div>
               </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
               </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
-                <v-icon left>fa-wrench</v-icon>
+                <v-icon left>fa-link</v-icon>
                 <div class="d-none d-lg-block">Tuning</div>
               </v-tab>
               <v-tab id="detection_historyTab" href="#history">
@@ -1072,22 +1072,39 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab>
 
               <v-tab-item value="summary">
-                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                <div class="col pt-5 summary-backdrop">
                   <div>
-                    <!-- Description -->
+                    <div class="header">Summary</div>
+                    <div v-if="detect.description">
+                      {{detect.description}}
+                    </div>
+                    <div v-else>
+                      {{detect.title}}
+                    </div>
+                    <div class="header">References</div>
+                    <div>
+                      <div v-for="r in extractedReferences">
+                        <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
+                        <span v-else>{{r.value}}</span>
+                      </div>
+                    </div>
+                    <div class="header">Signature</div>
+                    <div class="extracted-content">
+                      <pre>{{extractedLogic}}</pre>
+                    </div>
+                  </div>
+                  <!-- <div>
                     <span class="font-weight-bold">{{i18n.description}}:</span><br/>
                     <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
                     <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.detectionDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
-                  <!-- Engine -->
                   <v-select id="detection-engine-edit" v-model="detect.engine" :readonly="detect.isCommunity" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
-                  <!-- Author -->
                   <v-text-field id="detection-author-edit" v-model="detect.author" :readonly="detect.isCommunity" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.author" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
-                  <!-- Severity -->
+
                   <v-select id="detection-severity-edit" class="text-capitalize" :readonly="detect.isCommunity" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
-                  <!-- Enabled -->
+
                   <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/>
-                  <!-- Reporting -->
+
                   <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" :label="i18n.reporting"/>
                 </div>
                 <div class="d-flex justify-end text-body-2 mt-2">
@@ -1099,41 +1116,41 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                       {{i18n.delete}}
                     </v-btn>
                   </div>
-                </div>
+                </div> -->
               </v-tab-item>
-              <v-tab-item value="signature">
+              <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
-                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
-                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
-                    </template>
-                  </v-text-field>
-                  <!-- Signature -->
-                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
+                  <!-- Notes -->
+                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="notes">
+              <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- Notes -->
-                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
+                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Signature -->
+                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
@@ -1550,33 +1567,96 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-expansion-panels focusable multiple v-model="panel">
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Cases</h3>
+                  <h3>Operations</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  Related Cases:
-                  <ul>
-                    <li>123</li>
-                    <li>456</li>
-                    <li>ABC</li>
-                    <li>XYZ</li>
-                  </ul>
+                  <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
+                  <div class="ops-header">
+                    Enabled:
+                  </div>
+                  <div class="ops-value">
+                    <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
+                      {{detect.isEnabled ? 'True' : 'False'}}
+                    </span>
+                    <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
+                  </div>
+                  <div class="ops-header">
+                    DetectionType:
+                  </div>
+                  <div class="ops-value">
+                    {{detect.engine}}
+                  </div>
+                  <div class="ops-header">
+                    Severity:
+                  </div>
+                  <div class="ops-value">
+                    {{detect.severity}}
+                  </div>
+                  <div class="ops-header">
+                    Ruleset:
+                  </div>
+                  <div class="ops-value">
+                    TODO
+                  </div>
+                  <!-- <div class="ops-header">
+                    Related-Playbooks:
+                  </div>
+                  <div class="ops-value">
+                    TODO
+                  </div> -->
+                  <div class="ops-header">
+                    Tags:
+                  </div>
+                  <div class="ops-value">
+                    <div>
+                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                    </div>
+                  </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Alerts</h3>
+                  <h3>Details</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  Recent Alerts:
-                  <ul>
-                    <li>123</li>
-                    <li>456</li>
-                    <li>ABC</li>
-                    <li>XYZ</li>
-                  </ul>
+                  [detail stuff goes here]
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
+            <div class="detect-reference">
+              <div>
+                <div class="key">
+                  Detection Id:
+                </div>
+                <div class="value">
+                  {{ detect.id }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Author:
+                </div>
+                <div class="value">
+                  {{ detect.author }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Created:
+                </div>
+                <div class="value">
+                  {{ detect.createTime | formatDateTime}}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Updated:
+                </div>
+                <div class="value">
+                  {{ detect.updateTime | formatDateTime }}
+                </div>
+              </div>
+            </div>
           </div>
         </div>
       </v-container>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 7178ec8e1..a2bc579df 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -90,6 +90,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			loading: false,
 		},
 		history: [],
+		extractedReferences: [],
+		extractedLogic: '',
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -156,8 +158,135 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.stopLoading();
 		},
 		loadAssociations() {
+			this.extractReferences();
+			this.extractLogic();
 			this.loadHistory();
 		},
+		extractReferences() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataReferences();
+					break;
+				case 'strelka':
+					this.extractStrelkaReferences();
+					break;
+				case 'elastalert':
+					this.extractElastAlertReferences();
+					break;
+			}
+		},
+		extractSuricataReferences() {
+			const refFinder = /reference:([^;]*),([^;]*);/ig;
+			const matches = [...this.detect.content.matchAll(refFinder)];
+
+			this.extractedReferences = [];
+			for (let i = 0; i < matches.length; i++) {
+				this.extractedReferences.push({ type: matches[i][1], value: matches[i][2] });
+			}
+		},
+		extractStrelkaReferences() {
+			const refFinder = /reference\d*\s*=\s*['"]([^'"]*)['"]/ig;
+			const matches = [...this.detect.content.matchAll(refFinder)];
+
+			this.extractedReferences = [];
+			for (let i = 0; i < matches.length; i++) {
+				this.extractedReferences.push({ type: "url", value: matches[i][1] });
+			}
+		},
+		extractElastAlertReferences() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			if (yaml['references']) {
+				this.extractedReferences = yaml['references'].map(r => {
+					return { type: "url", value: r };
+				});
+			}
+		},
+		extractLogic() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataLogic();
+					break;
+				case 'strelka':
+					this.extractStrelkaLogic();
+					break;
+				case 'elastalert':
+					this.extractElastAlertLogic();
+					break;
+			}
+		},
+		extractSuricataLogic() {
+			const suricataParser = /^\w+\s+(.*?)\((.*)\)$/gi;
+			const matches = suricataParser.exec(this.detect.content.trim());
+
+			const head = matches[1];
+
+			let meta = matches[2].split(';').filter(opt => {
+				opt = opt.trim();
+				if (!opt) return false;
+
+				const key = opt.split(':', 2)[0].trim().toLowerCase();
+				return ['msg', 'reference', 'metadata', 'sid', 'rev'].indexOf(key) === -1;
+			}).map(opt => opt.trim());
+
+			this.extractedLogic = [head, ...meta].join('\n\n');
+		},
+		extractStrelkaLogic() {
+			// from strings to the end of the rule
+			let stringsStart = this.detect.content.indexOf('strings:');
+			let ruleStop = this.detect.content.lastIndexOf('}');
+
+			// back up to the beginning of the strings line
+			while (this.detect.content[stringsStart] !== '\n') {
+				stringsStart--;
+			}
+			stringsStart++;
+
+			// cut out the part we want
+			const dump = this.detect.content.substring(stringsStart, ruleStop);
+
+			// begin unindenting
+			let lines = dump.split('\n');
+
+			// check if the first line begins with whitespace
+			const ws = dump[0];
+			if (ws !== ' ' && ws !== '\t') {
+				// does not begin with whitespace, no indentation to remove
+				return dump
+			}
+
+			// find the line with the least whitespace, don't count blank lines
+			let min = 1000000;
+			for (let i = 0; i < lines.length; i++) {
+				if (lines[i].length === 0) continue;
+				let linemin = 0;
+				for (let j = 0; j < lines[i].length; j++) {
+					if (lines[i][j] === ws) {
+						linemin++;
+					} else {
+						break;
+					}
+				}
+
+				if (linemin < min) {
+					min = linemin;
+				}
+			}
+
+			if (min === 0) {
+				// the line with the least amount of whitespace is already 0
+				return dump;
+			}
+
+			// remove the minimum amount of whitespace from each line
+			this.extractedLogic = lines.map(l => l.length >= min ? l.substring(min) : l).join('\n');
+		},
+		extractElastAlertLogic() {
+			const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+			const logSource = yaml['logsource'];
+			const detection = yaml['detection'];
+
+			this.extractedLogic = jsyaml.dump({ logsource: logSource, detection: detection });
+		},
 		async loadHistory() {
 			const route = this;
 			const id = route.$route.params.id;
@@ -232,7 +361,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async startEdit(target, field) {
 			if (this.curEditTarget === target) return;
 			if (this.curEditTarget !== null) await this.stopEdit(false);
-			if (this.detect.isCommunity) return;
+			if (this.detect.isCommunity && field !== 'isEnabled') return;
 
 			this.curEditTarget = target;
 			this.origValue = this.detect[field];
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index fb60f9b9b..f6794fa21 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -264,16 +264,16 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 					comRule, exists := communityDetections[det.PublicID]
 					if exists {
 						det.Id = comRule.Id
-						det.Note = comRule.Note
 						det.IsEnabled = comRule.IsEnabled
 					}
 
 					if rule.Meta.Author != nil {
-						det.Author = *rule.Meta.Author
+						det.Author = util.Unquote(*rule.Meta.Author)
+
 					}
 
 					if rule.Meta.Description != nil {
-						det.Description = *rule.Meta.Description
+						det.Description = util.Unquote(*rule.Meta.Description)
 					}
 
 					if exists {
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index fc6663286..8920c5b55 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -48,6 +48,7 @@ func (md *Metadata) IsEmpty() bool {
 
 func (md *Metadata) Set(key, value string) {
 	key = strings.ToLower(key)
+
 	switch key {
 	case "id":
 		md.ID = util.Ptr(value)
diff --git a/util/strings.go b/util/strings.go
new file mode 100644
index 000000000..5749b44c0
--- /dev/null
+++ b/util/strings.go
@@ -0,0 +1,13 @@
+package util
+
+import "strings"
+
+func Unquote(value string) string {
+	if strings.HasPrefix(value, `"`) && strings.HasSuffix(value, `"`) {
+		value = strings.TrimSuffix(strings.TrimPrefix(value, `"`), `"`)
+	} else if strings.HasPrefix(value, "'") && strings.HasSuffix(value, "'") {
+		value = strings.TrimSuffix(strings.TrimPrefix(value, "'"), "'")
+	}
+
+	return value
+}
diff --git a/util/strings_test.go b/util/strings_test.go
new file mode 100644
index 000000000..c4c08ab1f
--- /dev/null
+++ b/util/strings_test.go
@@ -0,0 +1,67 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+)
+
+func TestUnquote(t *testing.T) {
+	table := []struct {
+		Name     string
+		Input    string
+		Expected string
+	}{
+		{
+			Name:     "Empty",
+			Input:    "",
+			Expected: "",
+		}, {
+			Name:     "Unquoted",
+			Input:    "foo",
+			Expected: "foo",
+		}, {
+			Name:     "DoubleQuoted",
+			Input:    `"foo"`,
+			Expected: "foo",
+		}, {
+			Name:     "SingleQuoted",
+			Input:    "'foo'",
+			Expected: "foo",
+		}, {
+			Name:     "Double DoubleQuoted",
+			Input:    `""foo""`,
+			Expected: `"foo"`,
+		}, {
+			Name:     "Double SingleQuoted",
+			Input:    `''foo''`,
+			Expected: `'foo'`,
+		}, {
+			Name:     "Lopsided Quotes A",
+			Input:    `"foo'`,
+			Expected: `"foo'`,
+		}, {
+			Name:     "Lopsided Quotes B",
+			Input:    `'foo"`,
+			Expected: `'foo"`,
+		}, {
+			Name:     "Intermingled Quotes A",
+			Input:    `"foo'"bar"`,
+			Expected: `foo'"bar`,
+		}, {
+			Name:     "Intermingled Quotes B",
+			Input:    `'foo'"bar'`,
+			Expected: `foo'"bar`,
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			actual := Unquote(test.Input)
+
+			assert.Equal(t, test.Expected, actual)
+		})
+	}
+}

From b1e834699acc39c8b10cbe66d256450dfbf77b4f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 6 Feb 2024 16:34:41 -0700
Subject: [PATCH 038/102] WIP: Detection Tags, Ruleset, and Language

Detections now have tags, a ruleset, and a language.

Suricata's ruleset is looked up from the config and should either be ETOPEN, ETPRO, or emerging_rules.

Strelka's ruleset is named after the repo the rule was downloaded from.

ElastAlert's ruleset is the zip pkg we downloaded the rule from (core, core+, all_rules, etc).

Queries, converters, and tests have been updated to include the new fields.

TODO: Change how detections are created to ask for language (and tags) instead of engine. Also show language instead of engine in search result columns.
---
 html/index.html                               |  7 +++---
 model/detection.go                            | 18 ++++++++++-----
 server/detectionhandler.go                    |  1 -
 server/modules/elastalert/elastalert.go       |  2 ++
 server/modules/elastalert/elastalert_test.go  |  4 ++++
 server/modules/elastic/converter.go           | 15 +++++++++++--
 .../modules/elastic/elasticdetectionstore.go  | 22 ++++++++++++++++---
 server/modules/strelka/strelka.go             |  5 ++++-
 server/modules/suricata/suricata.go           | 14 ++++++++++--
 server/modules/suricata/suricata_test.go      |  8 ++++++-
 10 files changed, 77 insertions(+), 19 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4b3b35357..0904a17d2 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1592,11 +1592,11 @@ <h3>Operations</h3>
                   <div class="ops-value">
                     {{detect.severity}}
                   </div>
-                  <div class="ops-header">
+                  <div class="ops-header" v-if="detect.isCommunity">
                     Ruleset:
                   </div>
-                  <div class="ops-value">
-                    TODO
+                  <div class="ops-value" v-if="detect.isCommunity">
+                    {{detect.ruleset}}
                   </div>
                   <!-- <div class="ops-header">
                     Related-Playbooks:
@@ -1610,6 +1610,7 @@ <h3>Operations</h3>
                   <div class="ops-value">
                     <div>
                       <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
                     </div>
                   </div>
                 </v-expansion-panel-content>
diff --git a/model/detection.go b/model/detection.go
index a72fa445c..65d959ec2 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -24,11 +24,9 @@ const (
 	ScanTypePacketsAndFiles ScanType = "files,packets"
 	ScanTypeElastic         ScanType = "elastic"
 
-	SigLangElastic  SigLanguage = "elastic"  // yaml
 	SigLangSigma    SigLanguage = "sigma"    // yaml
 	SigLangSuricata SigLanguage = "suricata" // action, header, options
-	SigLangYara     SigLanguage = "yara"
-	SigLangZeek     SigLanguage = "zeek"
+	SigLangYara     SigLanguage = "yara"     // meta, strings, condition
 
 	SeverityUnknown       Severity = "unknown"
 	SeverityInformational Severity = "informational"
@@ -41,7 +39,7 @@ const (
 	IDTypeSID  IDType = "sid"
 
 	EngineNameSuricata   EngineName = "suricata"
-	EngineNameStrelka       EngineName = "strelka"
+	EngineNameStrelka    EngineName = "strelka"
 	EngineNameElastAlert EngineName = "elastalert"
 
 	OverrideTypeSuppress     OverrideType = "suppress"
@@ -68,10 +66,16 @@ var (
 			Name:        string(EngineNameElastAlert),
 			IDType:      IDTypeUUID,
 			ScanType:    ScanTypeElastic,
-			SigLanguage: SigLangElastic,
+			SigLanguage: SigLangSigma,
 		},
 	}
 
+	SupportedLanguages = map[SigLanguage]struct{}{
+		SigLangSigma:    {},
+		SigLangSuricata: {},
+		SigLangYara:     {},
+	}
+
 	ErrUnsupportedEngine = errors.New("unsupported engine")
 )
 
@@ -93,9 +97,11 @@ type Detection struct {
 	IsEnabled   bool        `json:"isEnabled"`
 	IsReporting bool        `json:"isReporting"`
 	IsCommunity bool        `json:"isCommunity"`
-	Note        string      `json:"note"`
 	Engine      EngineName  `json:"engine"`
+	Language    SigLanguage `json:"language"`
 	Overrides   []*Override `json:"overrides"` // Tuning
+	Tags        []string    `json:"tags"`
+	Ruleset     *string     `json:"ruleset"`
 }
 
 // Note: JSON tags are used when storing the object in ElasticSearch,
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index c38d73f71..0654d0543 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -218,7 +218,6 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		// the only editable fields for community rules are IsEnabled, IsReporting, Note, and Overrides
 		old.IsEnabled = detect.IsEnabled
 		old.IsReporting = detect.IsReporting
-		old.Note = detect.Note
 		old.Overrides = detect.Overrides
 
 		detect = old
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 59f14c63c..f24b1076a 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -368,6 +368,8 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 				Content:     string(data),
 				IsCommunity: true,
 				Engine:      model.EngineNameElastAlert,
+				Language:    model.SigLangSigma,
+				Ruleset:     util.Ptr(pkg),
 			})
 		}
 	}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 4940475e7..a3ab7417a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -300,6 +300,8 @@ func TestSigmaToElastAlertError(t *testing.T) {
 }
 
 func TestParseRules(t *testing.T) {
+	t.Parallel()
+
 	data := `title: Always Alert
 id: 00000000-0000-0000-0000-00000000
 status: experimental
@@ -347,6 +349,8 @@ level: high
 		Content:     data,
 		IsCommunity: true,
 		Engine:      model.EngineNameElastAlert,
+		Language:    model.SigLangSigma,
+		Ruleset:     util.Ptr("all_rules"),
 	}
 
 	dets, errMap := engine.parseRules(pkgZips)
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 0012c20b2..753098f69 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -697,12 +697,23 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.isCommunity"]; ok {
 				obj.IsCommunity = value.(bool)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.note"]; ok {
-				obj.Note = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.ruleset"]; ok {
+				obj.Ruleset = util.Ptr(value.(string))
 			}
 			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
 				obj.Engine = model.EngineName(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.language"]; ok {
+				obj.Language = model.SigLanguage(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.tags"]; ok && value != nil {
+				arr := value.([]interface{})
+				obj.Tags = make([]string, 0, len(arr))
+
+				for _, tag := range arr {
+					obj.Tags = append(obj.Tags, tag.(string))
+				}
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.overrides"]; ok && value != nil {
 				obj.Overrides = convertElasticEventToOverride(value.([]interface{}))
 			}
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 6cde993f5..5ae53b1a5 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -85,7 +85,7 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 	var err error
 
 	if err == nil && detect.Id != "" {
-		err = store.validateId(detect.Id, "onionId")
+		err = store.validateId(detect.Id, "Id")
 	}
 
 	if err == nil && detect.PublicID != "" {
@@ -112,8 +112,17 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
 	}
 
-	if err == nil && detect.Note != "" {
-		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	if err == nil && detect.IsCommunity && detect.Ruleset == nil {
+		err = store.validateStringRequired(*detect.Ruleset, 0, SHORT_STRING_MAX, "ruleset")
+	}
+
+	if err == nil && len(detect.Tags) > 0 {
+		for _, tag := range detect.Tags {
+			err = store.validateString(tag, SHORT_STRING_MAX, "tag")
+			if err != nil {
+				break
+			}
+		}
 	}
 
 	if err == nil {
@@ -123,6 +132,13 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 		}
 	}
 
+	if err == nil {
+		_, okLang := model.SupportedLanguages[model.SigLanguage(detect.Language)]
+		if !okLang {
+			err = errors.New("invalid language")
+		}
+	}
+
 	return err
 }
 
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index f6794fa21..78d3402f4 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -252,6 +252,8 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 						sev = model.SeverityCritical
 					}
 
+					ruleset := filepath.Base(repo)
+
 					det := &model.Detection{
 						Engine:      model.EngineNameStrelka,
 						PublicID:    rule.GetID(),
@@ -259,6 +261,8 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 						Severity:    sev,
 						Content:     rule.String(),
 						IsCommunity: true,
+						Language:    model.SigLangYara,
+						Ruleset:     util.Ptr(ruleset),
 					}
 
 					comRule, exists := communityDetections[det.PublicID]
@@ -269,7 +273,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 					if rule.Meta.Author != nil {
 						det.Author = util.Unquote(*rule.Meta.Author)
-
 					}
 
 					if rule.Meta.Description != nil {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index fe0860aa4..eecb8a859 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -116,7 +116,15 @@ func (s *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
-		commDetections, err := s.parseRules(rules)
+		allSettings, err := s.srv.Configstore.GetSettings(ctx)
+		if err != nil {
+			log.WithError(err).Error("unable to get settings")
+			continue
+		}
+
+		ruleset := settingByID(allSettings, "idstools.config.ruleset")
+
+		commDetections, err := s.parseRules(rules, ruleset.Value)
 		if err != nil {
 			log.WithError(err).Error("unable to parse community rules")
 			continue
@@ -201,7 +209,7 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error) {
+func (s *SuricataEngine) parseRules(content string, ruleset string) ([]*model.Detection, error) {
 	// expecting one rule per line
 	lines := strings.Split(content, "\n")
 	dets := []*model.Detection{}
@@ -279,6 +287,8 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 			Content:     line,
 			IsCommunity: true,
 			Engine:      model.EngineNameSuricata,
+			Language:    model.SigLangSuricata,
+			Ruleset:     util.Ptr(ruleset),
 		})
 	}
 
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 1d11c507f..dbb7fe836 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -296,6 +296,8 @@ func TestValidate(t *testing.T) {
 }
 
 func TestParse(t *testing.T) {
+	ruleset := util.Ptr("ruleset")
+
 	table := []struct {
 		Name               string
 		Lines              []string
@@ -319,6 +321,8 @@ func TestParse(t *testing.T) {
 					Content:     SimpleRule,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     ruleset,
 				},
 				{
 					PublicID:    "20000",
@@ -327,6 +331,8 @@ func TestParse(t *testing.T) {
 					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     ruleset,
 				},
 			},
 		},
@@ -341,7 +347,7 @@ func TestParse(t *testing.T) {
 
 			data := strings.Join(test.Lines, "\n")
 
-			detections, err := mod.parseRules(data)
+			detections, err := mod.parseRules(data, *ruleset)
 			if test.ExpectedError == nil {
 				assert.NoError(t, err)
 				assert.Equal(t, test.ExpectedDetections, detections)

From 7aecfc26c5ff83a1d983b3ebed91acd5e61b2ab0 Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Wed, 7 Feb 2024 16:42:41 -0500
Subject: [PATCH 039/102] Revise Quicklinks

---
 html/index.html | 26 ++++++++++++--------------
 html/js/i18n.js |  8 ++++----
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/html/index.html b/html/index.html
index b1c7c440c..0793aefd7 100644
--- a/html/index.html
+++ b/html/index.html
@@ -4525,21 +4525,19 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                         </li>
                       </ul>
                     </li>
+
+                  </ul>
+                  <br/>
+                  <p class="font-weight-bold">{{i18n.configQLAnalystTitle}}</p>
+                  <ul>
                     <li>
-                      {{i18n.configQLNIDSHeader}}
+                      {{i18n.configQLSigmaHeader}}
                       <ul>
-                        <li>
-                          <router-link :to="{name: 'config', query: {s: 'idstools.config.ruleset'}}">{{i18n.configQLNIDSRuleset}}</router-link>
-                        </li>
-                        <li>
-                          <router-link :to="{name: 'config', query: {s: 'idstools.config.oinkcode'}}">{{i18n.configQLNIDSOinkCode}}</router-link>
+                        <li>                               
+                          <router-link :to="{name: 'config', query: {s: 'soc.config.server.modules.elastalertengine.sigmaRulePackages'}}">{{i18n.configQLSigmaRuleset}}</router-link>
                         </li>
                       </ul>
                     </li>
-                  </ul>
-                  <br/>
-                  <p class="font-weight-bold">{{i18n.configQLAnalystTitle}}</p>
-                  <ul>
                     <li>
                       {{i18n.configQLSuricataHeader}}
                       <ul>
@@ -4550,12 +4548,12 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                           <router-link :to="{name: 'config', query: {s: 'suricata.config.af-packet.threads'}}">{{i18n.configQLSuricataThreads}}</router-link>
                         </li>
                         <li>
-                          <router-link :to="{name: 'config', query: {s: 'idstools.sids'}}">{{i18n.configQLSIDS}}</router-link>
+                          <router-link :to="{name: 'config', query: {s: 'idstools.config.ruleset'}}">{{i18n.configQLNIDSRuleset}}</router-link>
                         </li>
                         <li>
-                          <router-link :to="{name: 'config', query: {s: 'suricata.thresholding.sids__yaml'}}">{{i18n.configQLSIDSThresholding}}</router-link>
-                      </ul>
-                    </li>
+                          <router-link :to="{name: 'config', query: {s: 'idstools.config.oinkcode'}}">{{i18n.configQLNIDSOinkCode}}</router-link>
+                        </ul>
+                        </li>
                     <li>
                       {{i18n.configQLZeekHeader}}
                       <ul>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 070f6dd35..9180ceb39 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -188,13 +188,13 @@ const i18n = {
       configQLNIDSRuleset: 'Change NIDS Ruleset',
       configQLNIDSOinkCode: 'Paid NIDS Rulesets Registration Code (oinkcode)',
       configQLAnalystTitle: 'Analyst Quick Links',
-      configQLSuricataHeader: 'Tune Suricata',
+      configQLSuricataHeader: 'Suricata',
       configQLHomeNet: 'Suricata Home Networks',
-      configQLSIDS: 'SIDS - ENABLE | DISABLE | MODIFY',
-      configQLSIDSThresholding: 'SIDS - Thresholding',
       configQLBPFHeader: 'BPFs (Berkeley Packet Filters)',
       configQLPCAP: 'PCAP',
       configQLPCAPMaxDirectoryFiles: 'Maximum number of files in PCAP directory',
+      configQLSigmaHeader: 'Sigma',
+      configQLSigmaRuleset: 'Change Sigma Community Ruleset',
       configQLSOCHeader: 'SOC',
       configQLSOCActions: 'Edit entries on SOC Actions menu',
       configQLSOCAlerts: 'Edit queries for SOC Alerts',
@@ -203,7 +203,7 @@ const i18n = {
       configQLSuricata: 'Suricata',
       configQLSuricataThreads: 'Change number of Suricata workers (threads)',
       configQLZeek: 'Zeek',
-      configQLZeekHeader: 'Tune Zeek',
+      configQLZeekHeader: 'Zeek',
       configQLZeekHomeNet: 'Zeek Home Networks',
       configQLZeekThreads: 'Change number of Zeek workers (threads)',
       container: 'Container',

From d4c8f5c68e636e815641b14828b2f14e0db7a561 Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Thu, 8 Feb 2024 07:10:33 -0500
Subject: [PATCH 040/102] Add support for sigma pipelines

---
 server/modules/elastalert/elastalert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 59f14c63c..102cdfc22 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -568,7 +568,7 @@ func (e *ElastAlertEngine) IndexExistingRules() (index map[string]string, err er
 }
 
 func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Detection) (string, error) {
-	args := []string{"convert", "-t", "eql", "-p", "windows-logsources", "-p", "ecs_windows", "/dev/stdin"}
+	args := []string{"convert", "-t", "eql", "-p", "/opt/sensoroni/sigma_final_pipeline.yaml", "-p", "/opt/sensoroni/sigma_so_pipeline.yaml", "-p", "windows-logsources", "-p", "ecs_windows", "/dev/stdin"}
 
 	cmd := exec.CommandContext(ctx, "sigma", args...)
 	cmd.Stdin = strings.NewReader(det.Content)

From 3c02be7f37952d6761eb8a7acae08456c812a734 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 8 Feb 2024 09:48:06 -0700
Subject: [PATCH 041/102] WIP: Reworked UI

New Operations and Details panels implemented in Detections view.

Small consistency change to how YaraRule's check if they already have an ID before generating one.
---
 html/index.html                    | 69 +++++++++++++++---------------
 html/js/i18n.js                    |  7 +++
 server/modules/strelka/validate.go |  2 +-
 3 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/html/index.html b/html/index.html
index 0904a17d2..00399ef1f 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1022,8 +1022,8 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Severity -->
                   <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
 
-                  <!-- Engine -->
-                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]" v-on:change="onDetectionChange"/>
+                  <!-- Language -->
+                  <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onDetectionChange"/>
 
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
@@ -1074,21 +1074,21 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="summary">
                 <div class="col pt-5 summary-backdrop">
                   <div>
-                    <div class="header">Summary</div>
+                    <div class="header">{{i18n.summary}}</div>
                     <div v-if="detect.description">
                       {{detect.description}}
                     </div>
                     <div v-else>
                       {{detect.title}}
                     </div>
-                    <div class="header">References</div>
+                    <div class="header">{{i18n.references}}</div>
                     <div>
                       <div v-for="r in extractedReferences">
                         <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
                         <span v-else>{{r.value}}</span>
                       </div>
                     </div>
-                    <div class="header">Signature</div>
+                    <div class="header">{{i18n.signature}}</div>
                     <div class="extracted-content">
                       <pre>{{extractedLogic}}</pre>
                     </div>
@@ -1567,45 +1567,27 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-expansion-panels focusable multiple v-model="panel">
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Operations</h3>
+                  <h3>{{ i18n.operations }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
                   <div class="ops-header">
-                    Enabled:
+                    {{ i18n.enabled }}:
                   </div>
                   <div class="ops-value">
                     <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
-                      {{detect.isEnabled ? 'True' : 'False'}}
+                      {{ detect.isEnabled ? 'True' : 'False' }}
                     </span>
                     <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
                   </div>
-                  <div class="ops-header">
-                    DetectionType:
-                  </div>
-                  <div class="ops-value">
-                    {{detect.engine}}
-                  </div>
-                  <div class="ops-header">
-                    Severity:
-                  </div>
-                  <div class="ops-value">
-                    {{detect.severity}}
-                  </div>
-                  <div class="ops-header" v-if="detect.isCommunity">
-                    Ruleset:
-                  </div>
-                  <div class="ops-value" v-if="detect.isCommunity">
-                    {{detect.ruleset}}
-                  </div>
                   <!-- <div class="ops-header">
-                    Related-Playbooks:
+                    Related Playbooks:
                   </div>
                   <div class="ops-value">
                     TODO
                   </div> -->
                   <div class="ops-header">
-                    Tags:
+                    {{ i18n.tags }}:
                   </div>
                   <div class="ops-value">
                     <div>
@@ -1617,17 +1599,34 @@ <h3>Operations</h3>
               </v-expansion-panel>
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Details</h3>
+                  <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  [detail stuff goes here]
+                  <div class="ops-header">
+                    {{ i18n.detectionType }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.engine }}
+                  </div>
+                  <div class="ops-header">
+                    {{ i18n.severity }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.severity }}
+                  </div>
+                  <div class="ops-header" v-if="detect.isCommunity">
+                    {{ i18n.ruleset }}:
+                  </div>
+                  <div class="ops-value" v-if="detect.isCommunity">
+                    {{ detect.ruleset }}
+                  </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
-            <div class="detect-reference">
+            <div class="detect-reference" v-if="!isNew()">
               <div>
                 <div class="key">
-                  Detection Id:
+                  {{i18n.detectionId}}:
                 </div>
                 <div class="value">
                   {{ detect.id }}
@@ -1635,7 +1634,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Author:
+                  {{ i18n.author }}:
                 </div>
                 <div class="value">
                   {{ detect.author }}
@@ -1643,7 +1642,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Created:
+                  {{ i18n.dateCreated }}:
                 </div>
                 <div class="value">
                   {{ detect.createTime | formatDateTime}}
@@ -1651,7 +1650,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Updated:
+                  {{ i18n.dateModified }}:
                 </div>
                 <div class="value">
                   {{ detect.updateTime | formatDateTime }}
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 070f6dd35..9734bc913 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -267,8 +267,10 @@ const i18n = {
       detectionDefaultDescription: 'Detection description not yet provided',
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
+      detectionId: 'Detection Id',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
+      detectionType: 'Detection Type',
       disable: 'Disable',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
@@ -463,6 +465,7 @@ const i18n = {
       jobs: 'PCAP',
       keywords: 'Filter Keywords',
       kind: 'Kind',
+      language: 'Language',
       last: 'Last',
       lastHighstate: 'Last Synchronized',
       lastName: 'Last Name',
@@ -555,6 +558,7 @@ const i18n = {
       offline: 'Offline',
       online: 'Online',
       operation: 'Operation',
+      operations: 'Operations',
       options: 'Options',
       order: 'Order',
       osUptime: 'OS Uptime',
@@ -597,6 +601,7 @@ const i18n = {
       reason: 'Reason',
       reconnecting: 'Attempting to connect to manager',
       redisQueueSize: 'Redis Queue Size',
+      references: 'References',
       refresh: 'Refresh',
       refreshAttachmentsHelp: 'Refresh to view all recently added attachments for this case.',
       refreshCaseHistoryHelp: 'Refresh to view the latest history for this case.',
@@ -629,6 +634,7 @@ const i18n = {
       ruleMinLen: 'The provided value is too short',
       ruleMaxLen: 'The provided value is too long',
       rulePassBadChars: 'The password must not contain the following characters: " \' $ & !',
+      ruleset: 'Ruleset',
       save: 'Save',
       saveSuccess: 'Save successful!',
       seconds: 'seconds',
@@ -749,6 +755,7 @@ const i18n = {
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
+      tags: 'Tags',
       thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index 8920c5b55..f40d5ac8e 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -71,7 +71,7 @@ func (md *Metadata) Set(key, value string) {
 }
 
 func (rule *YaraRule) GetID() string {
-	if rule.Meta.Rest["id"] != "" {
+	if rule.Meta.ID != nil {
 		return *rule.Meta.ID
 	}
 

From 460c643a6b85b46b315b95eae3856e1074ff9854 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 8 Feb 2024 15:49:15 -0700
Subject: [PATCH 042/102] WIP: UI Updates

Hidden tags. Hard wrap on detection logic. Suricata classtype for Summary, fallback to title. Reference links get a protocol if they're missing one. "None" when no references. "Signature" => "Detection Logic" on Overview tab. Remove classtype from Detection Logic. "Enable" => "Status". Duplicate and Delete buttons under the Status. Delete is disabled if looking at community rule. "Detection Type" => "Type". Public Id added above SOC Id. Use "Id" over "ID". Author changes for suricata rules. Bottom metadata spacing fixed.

TODO: License, rule-specific dates, buttons on "Detection Source" tab.
---
 html/css/app.css            | 13 ++++++-
 html/index.html             | 69 ++++++++++++++++++++++++-------------
 html/js/i18n.js             |  5 ++-
 html/js/routes/detection.js | 34 ++++++++++++++++--
 4 files changed, 93 insertions(+), 28 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 5ffae166d..9fe017fdb 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -562,12 +562,14 @@ td {
 
 .extracted-content > pre {
   text-wrap: wrap;
+  word-break: break-word;
 }
 
 .detect-reference {
   font-size: small;
   display: table;
   width: 100%;
+  margin-top: 12px;
 }
 
 .detect-reference > div {
@@ -593,4 +595,13 @@ td {
   margin-top: 0 !important;
   padding-top: 0 !important;
   height: 24px !important;
-}
\ No newline at end of file
+}
+
+#ops-buttons {
+  margin-top: 12px;
+  display: grid;
+  grid-auto-flow: column;
+  justify-items: stretch;
+  grid-template-columns: 50% 50%;
+  grid-gap: 12px;
+}
diff --git a/html/index.html b/html/index.html
index 00399ef1f..d9b6aa8ff 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1010,7 +1010,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="i18n.detectionDescription" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicID">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicId">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1075,20 +1075,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <div class="col pt-5 summary-backdrop">
                   <div>
                     <div class="header">{{i18n.summary}}</div>
-                    <div v-if="detect.description">
-                      {{detect.description}}
-                    </div>
-                    <div v-else>
-                      {{detect.title}}
+                    <div>
+                      {{ detectionSummary }}
                     </div>
                     <div class="header">{{i18n.references}}</div>
                     <div>
                       <div v-for="r in extractedReferences">
-                        <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
-                        <span v-else>{{r.value}}</span>
+                        <a :href="r.link" v-if="r.type==='url'" target="_blank">{{r.text}}</a>
+                        <span v-else>{{r.text}}</span>
                       </div>
+                      <span v-if="extractedReferences === null || extractedReferences.length === 0">
+                        {{ i18n.none }}
+                      </span>
                     </div>
-                    <div class="header">{{i18n.signature}}</div>
+                    <div class="header">{{i18n.detectionLogic}}</div>
                     <div class="extracted-content">
                       <pre>{{extractedLogic}}</pre>
                     </div>
@@ -1137,7 +1137,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicId" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
                       <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
                     </template>
@@ -1572,11 +1572,11 @@ <h3>{{ i18n.operations }}</h3>
                 <v-expansion-panel-content>
                   <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
                   <div class="ops-header">
-                    {{ i18n.enabled }}:
+                    {{ i18n.status }}:
                   </div>
                   <div class="ops-value">
                     <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
-                      {{ detect.isEnabled ? 'True' : 'False' }}
+                      {{ detect.isEnabled ? i18n.enabled : i18n.disabled }}
                     </span>
                     <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
                   </div>
@@ -1586,14 +1586,13 @@ <h3>{{ i18n.operations }}</h3>
                   <div class="ops-value">
                     TODO
                   </div> -->
-                  <div class="ops-header">
-                    {{ i18n.tags }}:
-                  </div>
-                  <div class="ops-value">
-                    <div>
-                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
-                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
-                    </div>
+                  <div id="ops-buttons">
+                    <v-btn id="detection-duplicate" color="primary" @click="duplicateDetection()">
+                      {{i18n.duplicate}}
+                    </v-btn>
+                    <v-btn :disabled="detect.isCommunity" id="detection-delete" color="error" @click="deleteDetection()">
+                      {{i18n.delete}}
+                    </v-btn>
                   </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
@@ -1603,7 +1602,7 @@ <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <div class="ops-header">
-                    {{ i18n.detectionType }}:
+                    {{ i18n.type }}:
                   </div>
                   <div class="ops-value">
                     {{ detect.engine }}
@@ -1620,13 +1619,30 @@ <h3>{{ i18n.details }}</h3>
                   <div class="ops-value" v-if="detect.isCommunity">
                     {{ detect.ruleset }}
                   </div>
+                  <!-- <div class="ops-header">
+                    {{ i18n.tags }}:
+                  </div>
+                  <div class="ops-value">
+                    <div>
+                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
+                    </div>
+                  </div> -->
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
             <div class="detect-reference" v-if="!isNew()">
               <div>
                 <div class="key">
-                  {{i18n.detectionId}}:
+                  {{ i18n.publicId }}:
+                </div>
+                <div class="value">
+                  {{ detect.publicId }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  {{i18n.socId}}:
                 </div>
                 <div class="value">
                   {{ detect.id }}
@@ -1637,7 +1653,12 @@ <h3>{{ i18n.details }}</h3>
                   {{ i18n.author }}:
                 </div>
                 <div class="value">
-                  {{ detect.author }}
+                  <span v-if="detect.language !== 'suricata'">
+                    {{ detect.author }}
+                  </span>
+                  <span v-else>
+                    {{ detect.ruleset }}
+                  </span>
                 </div>
               </div>
               <div>
@@ -1699,7 +1720,7 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="notes">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicId" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!playbook.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 9734bc913..cff11fe13 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -268,10 +268,12 @@ const i18n = {
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
       detectionId: 'Detection Id',
+      detectionLogic: 'Detection Logic',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
       detectionType: 'Detection Type',
       disable: 'Disable',
+      disabled: 'Disabled',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -593,7 +595,7 @@ const i18n = {
       pending: 'Pending',
       product: 'Security Onion',
       profile: 'Profile',
-      publicID: 'Public ID',
+      publicId: 'Public Id',
       queriesHelp: 'Choose from several pre-defined queries',
       queryHelp: 'Specify a query in Onion Query Language (OQL)',
       quickActions: 'Actions',
@@ -734,6 +736,7 @@ const i18n = {
       sidMultipleErr: 'Suricata rules can only specify one SID.',
       sidMismatchErr: "The SID in this suricata rule must match the detection's Public ID.",
       signature: 'Signature',
+      socId: 'SOC Id',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
       sortedBy: 'Sort:',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index a2bc579df..1ea5890cf 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -89,6 +89,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			expanded: [],
 			loading: false,
 		},
+		detectionSummary: '',
 		history: [],
 		extractedReferences: [],
 		extractedLogic: '',
@@ -158,10 +159,33 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.stopLoading();
 		},
 		loadAssociations() {
+			this.extractSummary();
 			this.extractReferences();
 			this.extractLogic();
 			this.loadHistory();
 		},
+		extractSummary() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					const classTypeMatcher = /classtype:([^;]+);/i;
+					const match = this.detect.content.match(classTypeMatcher);
+
+					if (match) {
+						this.detectionSummary = match[1];
+					} else {
+						this.detectionSummary = this.detect.title;
+					}
+
+					break;
+				default:
+					if (this.detect.description) {
+						this.detectionSummary = this.detect.description;
+					} else {
+						this.detectionSummary = this.detect.title;
+					}
+					break;
+			}
+		},
 		extractReferences() {
 			switch (this.detect.engine) {
 				case 'suricata':
@@ -180,8 +204,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const matches = [...this.detect.content.matchAll(refFinder)];
 
 			this.extractedReferences = [];
+			// ensure the value has a protocol
 			for (let i = 0; i < matches.length; i++) {
-				this.extractedReferences.push({ type: matches[i][1], value: matches[i][2] });
+				let url = matches[i][2];
+				if (!url.startsWith('http://') && !url.startsWith('https://')) {
+					url = 'http://' + url;
+				}
+
+				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: url });
 			}
 		},
 		extractStrelkaReferences() {
@@ -225,7 +255,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				if (!opt) return false;
 
 				const key = opt.split(':', 2)[0].trim().toLowerCase();
-				return ['msg', 'reference', 'metadata', 'sid', 'rev'].indexOf(key) === -1;
+				return ['msg', 'reference', 'metadata', 'sid', 'rev', 'classtype'].indexOf(key) === -1;
 			}).map(opt => opt.trim());
 
 			this.extractedLogic = [head, ...meta].join('\n\n');

From 47ee245d8f3a57a23c91bec68b312c56ae688c1e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 9 Feb 2024 10:45:28 -0700
Subject: [PATCH 043/102] WIP: Fix References

All references now have their protocols fixed instead of just suricata.
---
 html/js/routes/detection.js | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 1ea5890cf..864a3df4d 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -206,12 +206,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.extractedReferences = [];
 			// ensure the value has a protocol
 			for (let i = 0; i < matches.length; i++) {
-				let url = matches[i][2];
-				if (!url.startsWith('http://') && !url.startsWith('https://')) {
-					url = 'http://' + url;
-				}
-
-				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: url });
+				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: this.fixProtocol(matches[i][2]) });
 			}
 		},
 		extractStrelkaReferences() {
@@ -220,17 +215,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.extractedReferences = [];
 			for (let i = 0; i < matches.length; i++) {
-				this.extractedReferences.push({ type: "url", value: matches[i][1] });
+				this.extractedReferences.push({ type: "url", text: matches[i][1], link: this.fixProtocol(matches[i][1]) });
 			}
 		},
 		extractElastAlertReferences() {
 			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
 			if (yaml['references']) {
 				this.extractedReferences = yaml['references'].map(r => {
-					return { type: "url", value: r };
+					return { type: "url", text: r, link: this.fixProtocol(r) };
 				});
 			}
 		},
+		fixProtocol(url) {
+			if (!url.startsWith('http://') && !url.startsWith('https://')) {
+				url = 'http://' + url;
+			}
+
+			return url;
+		},
 		extractLogic() {
 			switch (this.detect.engine) {
 				case 'suricata':

From 64143e786ca13a1bee61c4f6f8d0192509aef315 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 9 Feb 2024 14:18:37 -0700
Subject: [PATCH 044/102] WIP: License, Rule Extracted Data

Finished up the right hand column of the detections view by including License and several pieces of data extracted from the rule.

Updated the backend to add licenses in places we know them. Except for Yara, community rules are tagged with appropriate licenses as they're imported.
---
 html/css/app.css                        |   4 +
 html/index.html                         |  44 +++++++---
 html/js/routes/detection.js             | 106 +++++++++++++++++++++---
 model/detection.go                      |   5 ++
 server/modules/elastalert/elastalert.go |   1 +
 server/modules/elastic/converter.go     |   3 +
 server/modules/suricata/suricata.go     |  15 ++++
 7 files changed, 157 insertions(+), 21 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 9fe017fdb..7ea378b17 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -605,3 +605,7 @@ td {
   grid-template-columns: 50% 50%;
   grid-gap: 12px;
 }
+
+.case-title {
+  text-transform: capitalize;
+}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index d9b6aa8ff..03c16833b 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1076,7 +1076,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <div>
                     <div class="header">{{i18n.summary}}</div>
                     <div>
-                      {{ detectionSummary }}
+                      {{ extractedSummary }}
                     </div>
                     <div class="header">{{i18n.references}}</div>
                     <div>
@@ -1602,15 +1602,21 @@ <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <div class="ops-header">
-                    {{ i18n.type }}:
+                    {{ i18n.publicId }}:
                   </div>
                   <div class="ops-value">
+                    {{ detect.publicId }}
+                  </div>
+                  <div class="ops-header">
+                    {{ i18n.type }}:
+                  </div>
+                  <div class="ops-value case-title">
                     {{ detect.engine }}
                   </div>
                   <div class="ops-header">
                     {{ i18n.severity }}:
                   </div>
-                  <div class="ops-value">
+                  <div class="ops-value case-title">
                     {{ detect.severity }}
                   </div>
                   <div class="ops-header" v-if="detect.isCommunity">
@@ -1619,6 +1625,30 @@ <h3>{{ i18n.details }}</h3>
                   <div class="ops-value" v-if="detect.isCommunity">
                     {{ detect.ruleset }}
                   </div>
+                  <div class="ops-header">
+                    {{ i18n.license }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.license }}
+                  </div>
+                  <div class="ops-header" v-if="extractedCreated">
+                    {{ i18n.dateCreated }}:
+                  </div>
+                  <div class="ops-value" v-if="extractedCreated">
+                    {{ extractedCreated }}
+                  </div>
+                  <div class="ops-header" v-if="extractedUpdated">
+                    {{ i18n.dateModified }}:
+                  </div>
+                  <div class="ops-value"  v-if="extractedUpdated">
+                    {{ extractedUpdated }}
+                  </div>
+                  <div class="ops-header" v-if="extractedAuthor">
+                    {{ i18n.author }}:
+                  </div>
+                  <div class="ops-value"  v-if="extractedAuthor">
+                    {{ extractedAuthor }}
+                  </div>
                   <!-- <div class="ops-header">
                     {{ i18n.tags }}:
                   </div>
@@ -1632,14 +1662,6 @@ <h3>{{ i18n.details }}</h3>
               </v-expansion-panel>
             </v-expansion-panels>
             <div class="detect-reference" v-if="!isNew()">
-              <div>
-                <div class="key">
-                  {{ i18n.publicId }}:
-                </div>
-                <div class="value">
-                  {{ detect.publicId }}
-                </div>
-              </div>
               <div>
                 <div class="key">
                   {{i18n.socId}}:
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 864a3df4d..0142432ad 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -89,10 +89,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			expanded: [],
 			loading: false,
 		},
-		detectionSummary: '',
-		history: [],
+		extractedSummary: '',
 		extractedReferences: [],
 		extractedLogic: '',
+		history: [],
+		extractedCreated: '',
+		extractedUpdated: '',
+		extractedAuthor: '',
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -162,6 +165,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.extractSummary();
 			this.extractReferences();
 			this.extractLogic();
+			this.extractDetails();
 			this.loadHistory();
 		},
 		extractSummary() {
@@ -171,22 +175,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					const match = this.detect.content.match(classTypeMatcher);
 
 					if (match) {
-						this.detectionSummary = match[1];
+						this.extractedSummary = match[1];
 					} else {
-						this.detectionSummary = this.detect.title;
+						this.extractedSummary = this.detect.title;
 					}
 
 					break;
 				default:
 					if (this.detect.description) {
-						this.detectionSummary = this.detect.description;
+						this.extractedSummary = this.detect.description;
 					} else {
-						this.detectionSummary = this.detect.title;
+						this.extractedSummary = this.detect.title;
 					}
 					break;
 			}
 		},
 		extractReferences() {
+			this.extractedReferences = [];
+
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataReferences();
@@ -220,11 +226,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		extractElastAlertReferences() {
 			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
-			if (yaml['references']) {
-				this.extractedReferences = yaml['references'].map(r => {
-					return { type: "url", text: r, link: this.fixProtocol(r) };
-				});
+			if (!yaml['references']) {
+				return;
 			}
+
+			this.extractedReferences = yaml['references'].map(r => {
+				return { type: "url", text: r, link: this.fixProtocol(r) };
+			});
 		},
 		fixProtocol(url) {
 			if (!url.startsWith('http://') && !url.startsWith('https://')) {
@@ -234,6 +242,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			return url;
 		},
 		extractLogic() {
+			this.extractedLogic = '';
+
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataLogic();
@@ -250,6 +260,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const suricataParser = /^\w+\s+(.*?)\((.*)\)$/gi;
 			const matches = suricataParser.exec(this.detect.content.trim());
 
+			if (!matches) {
+				return;
+			}
+
 			const head = matches[1];
 
 			let meta = matches[2].split(';').filter(opt => {
@@ -319,6 +333,78 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.extractedLogic = jsyaml.dump({ logsource: logSource, detection: detection });
 		},
+		extractDetails() {
+			this.extractedAuthor = this.extractedCreated = this.extractedUpdated = '';
+
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataDetails();
+					break;
+				case 'strelka':
+					this.extractStrelkaDetails();
+					break;
+				case 'elastalert':
+					this.extractElastAlertDetails();
+					break;
+			}
+		},
+		extractSuricataDetails() {
+			const metadataExtractor = /metadata:([^;]+);/i;
+			const match = this.detect.content.match(metadataExtractor);
+
+			if (!match) {
+				return;
+			}
+
+			const metadata = match[1].split(',').map(opt => opt.trim());
+			const ymd = /\d{4}[-_]\d{1,2}[-_]\d{1,2}/;
+			const leading0 = /^0/;
+
+			for (let i = 0; i < metadata.length; i++) {
+				let md = metadata[i];
+
+				if (md.indexOf('created_at') > -1) {
+					let date = md.match(ymd);
+					if (date) {
+						this.extractedCreated = date[0];
+					}
+				}
+
+				if (md.indexOf('updated_at') > -1) {
+					let date = md.match(ymd);
+					if (date) {
+						this.extractedUpdated = date[0];
+					}
+				}
+
+				if (md.indexOf('author') > -1) {
+					this.extractedAuthor = md.replace('author', '').trim();
+				}
+			}
+		},
+		extractStrelkaDetails() {
+			const authorExtractor = /^\s*author\s*=\s*"(.*)"/im;
+			const dateExtractor = /^\s*date\s*=\s*"(.*)"/im;
+
+			const authorMatch = authorExtractor.exec(this.detect.content);
+
+			if (authorMatch) {
+				this.extractedAuthor = authorMatch[1];
+			}
+
+			const dateMatch = dateExtractor.exec(this.detect.content);
+
+			if (dateMatch) {
+				this.extractedCreated = dateMatch[1];
+			}
+		},
+		extractElastAlertDetails() {
+			const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+
+			this.extractedAuthor = yaml['author'];
+			this.extractedCreated = yaml['date'];
+			this.extractedUpdated = yaml['modified'];
+		},
 		async loadHistory() {
 			const route = this;
 			const id = route.$route.params.id;
diff --git a/model/detection.go b/model/detection.go
index 65d959ec2..d99605c73 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -46,6 +46,10 @@ const (
 	OverrideTypeThreshold    OverrideType = "threshold"
 	OverrideTypeModify       OverrideType = "modify"
 	OverrideTypeCustomFilter OverrideType = "customFilter"
+
+	LicenseDRL = "DRL"
+	LicenseCommercial = "Commercial"
+	LicenseBSD = "BSD"
 )
 
 var (
@@ -102,6 +106,7 @@ type Detection struct {
 	Overrides   []*Override `json:"overrides"` // Tuning
 	Tags        []string    `json:"tags"`
 	Ruleset     *string     `json:"ruleset"`
+	License     string      `json:"license"`
 }
 
 // Note: JSON tags are used when storing the object in ElasticSearch,
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index f24b1076a..97d38c841 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -370,6 +370,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 				Engine:      model.EngineNameElastAlert,
 				Language:    model.SigLangSigma,
 				Ruleset:     util.Ptr(pkg),
+				License:     model.LicenseDRL,
 			})
 		}
 	}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 753098f69..2d626e68a 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -706,6 +706,9 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.language"]; ok {
 				obj.Language = model.SigLanguage(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.license"]; ok {
+				obj.License = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.tags"]; ok && value != nil {
 				arr := value.([]interface{})
 				obj.Tags = make([]string, 0, len(arr))
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index eecb8a859..204fda68d 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -34,6 +34,11 @@ const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
 var errModuleStopped = fmt.Errorf("module has stopped running")
 
+var licenseBySource = map[string]string{
+	"etopen": model.LicenseBSD,
+	"etpro":  model.LicenseCommercial,
+}
+
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
@@ -289,6 +294,7 @@ func (s *SuricataEngine) parseRules(content string, ruleset string) ([]*model.De
 			Engine:      model.EngineNameSuricata,
 			Language:    model.SigLangSuricata,
 			Ruleset:     util.Ptr(ruleset),
+			License:     lookupLicense(ruleset),
 		})
 	}
 
@@ -682,3 +688,12 @@ func indexThreshold(content string) (map[string][]*model.Override, error) {
 
 	return index, nil
 }
+
+func lookupLicense(ruleset string) string {
+	license, ok := licenseBySource[strings.ToLower(ruleset)]
+	if !ok {
+		license = "Unknown"
+	}
+
+	return license
+}

From 1f9d4702c4d95d8303db658c1be3c89fba8402bc Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 12 Feb 2024 14:20:55 -0700
Subject: [PATCH 045/102] WIP: Updated Tests to Include License Checks

---
 server/modules/elastalert/elastalert_test.go | 1 +
 server/modules/suricata/suricata_test.go     | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index a3ab7417a..072b583f5 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -351,6 +351,7 @@ level: high
 		Engine:      model.EngineNameElastAlert,
 		Language:    model.SigLangSigma,
 		Ruleset:     util.Ptr("all_rules"),
+		License:     model.LicenseDRL,
 	}
 
 	dets, errMap := engine.parseRules(pkgZips)
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index dbb7fe836..600f7b3d4 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -305,7 +305,7 @@ func TestParse(t *testing.T) {
 		ExpectedError      *string
 	}{
 		{
-			Name: "Sunny Day Path w/ Edge Cases",
+			Name: "Sunny Day Path with Edge Cases",
 			Lines: []string{
 				"# Comment",
 				SimpleRule,
@@ -323,6 +323,7 @@ func TestParse(t *testing.T) {
 					Engine:      model.EngineNameSuricata,
 					Language:    model.SigLangSuricata,
 					Ruleset:     ruleset,
+					License:     "Unknown",
 				},
 				{
 					PublicID:    "20000",
@@ -333,6 +334,7 @@ func TestParse(t *testing.T) {
 					Engine:      model.EngineNameSuricata,
 					Language:    model.SigLangSuricata,
 					Ruleset:     ruleset,
+					License:     "Unknown",
 				},
 			},
 		},

From 11f6a8d42a6e53c1a5e4a97bf499d86c5f270d6c Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Mon, 12 Feb 2024 19:31:30 -0500
Subject: [PATCH 046/102] Titles for Detections columns

---
 html/js/i18n.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index e8309fbe8..8fa604fb0 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -345,12 +345,15 @@ const i18n = {
       featureRequiresAppliance: 'Feature Unavailable',
       features: 'Features',
       fetchLimit: 'Fetch Limit',
-
       'field_so_case.assigneeId': 'Assignee',
       'field_so_case.createTime': 'Create Date',
       'field_so_case.severity': 'Severity',
       'field_so_case.status': 'Status',
       'field_so_case.title': 'Title',
+      'field_so_detection.language': 'Type',
+      'field_so_detection.severity': 'Severity',
+      'field_so_detection.isEnabled': 'Enabled',
+      'field_so_detection.title': 'Title',
       field_count: 'Count',
       field_soc_id: 'Event ID',
       field_soc_timestamp: 'Timestamp',

From a05fce1bfc2524c0314c3aeabbe7ca4f3e752b48 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Tue, 13 Feb 2024 13:38:21 -0500
Subject: [PATCH 047/102] Dont enable Sigma rules upon import

---
 html/index.html                         | 2 +-
 server/modules/elastalert/elastalert.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/index.html b/html/index.html
index 36c0053e3..5f95f456e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1611,7 +1611,7 @@ <h3>{{ i18n.details }}</h3>
                     {{ i18n.type }}:
                   </div>
                   <div class="ops-value case-title">
-                    {{ detect.engine }}
+                    {{ detect.language }}
                   </div>
                   <div class="ops-header">
                     {{ i18n.severity }}:
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 1770daffd..2101e949d 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -433,7 +433,7 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				results.Unchanged++
 			}
 		} else {
-			det.IsEnabled = true
+			det.IsEnabled = false
 
 			_, err = e.srv.Detectionstore.CreateDetection(ctx, det)
 			if err != nil {

From d56518b8ee2d065f9fe82b951b407a191ad9d142 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 25 Aug 2023 09:52:36 -0600
Subject: [PATCH 048/102] WIP: Demo + CleanUp

Contains hardcoded config values in infohandler, mock data inside the JS. Very much a prototype.
---
 config/clientparameters.go                    |   2 +
 html/index.html                               | 351 ++++++++++++-
 html/js/i18n.js                               |   2 +
 html/js/routes/detection.js                   | 157 ++++++
 html/js/routes/hunt.js                        | 204 ++++++--
 html/js/routes/playbook.js                    | 461 ++++++++++++++++++
 model/detection.go                            |  91 ++++
 server/casestore.go                           |   5 +
 server/detectionhandler.go                    | 109 +++++
 server/infohandler.go                         |  45 ++
 server/modules/elastic/converter.go           |  95 ++++
 server/modules/elastic/elasticcasestore.go    | 114 +++++
 .../modules/elasticcases/elasticcasestore.go  |  16 +
 server/modules/generichttp/httpcasestore.go   |  16 +
 server/modules/thehive/thehivecasestore.go    |  16 +
 server/server.go                              |   1 +
 16 files changed, 1647 insertions(+), 38 deletions(-)
 create mode 100644 html/js/routes/detection.js
 create mode 100644 html/js/routes/playbook.js
 create mode 100644 model/detection.go
 create mode 100644 server/detectionhandler.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 2acb62811..7681ae6e6 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -22,6 +22,8 @@ type ClientParameters struct {
 	CaseParams          CaseParameters    `json:"case"`
 	DashboardsParams    HuntingParameters `json:"dashboards"`
 	JobParams           HuntingParameters `json:"job"`
+	DetectionsParams    HuntingParameters `json:"detections"`
+	PlaybooksParams     HuntingParameters `json:"playbooks"`
 	DocsUrl             string            `json:"docsUrl"`
 	CheatsheetUrl       string            `json:"cheatsheetUrl"`
 	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
diff --git a/html/index.html b/html/index.html
index b93a7c941..b998a4597 100644
--- a/html/index.html
+++ b/html/index.html
@@ -68,6 +68,22 @@
               <v-list-item-title v-text="i18n.cases"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
+          <v-list-item @click="" to="/detections">
+            <v-list-item-action>
+              <v-icon>fa-magnifying-glass</v-icon>
+            </v-list-item-action>
+            <v-list-item-content>
+              <v-list-item-title v-text="i18n.detections"></v-list-item-title>
+            </v-list-item-content>
+          </v-list-item>
+          <v-list-item @click="" to="/playbooks">
+            <v-list-item-action>
+              <v-icon>fa-book-bookmark</v-icon>
+            </v-list-item-action>
+            <v-list-item-content>
+              <v-list-item-title v-text="i18n.playbooks"></v-list-item-title>
+            </v-list-item-content>
+          </v-list-item>
           <v-list-item @click="" to="/jobs">
             <v-list-item-action>
               <v-icon>fa-stream</v-icon>
@@ -667,7 +683,13 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
-                        <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled">
+                        <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'cases'">
+                          <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
+                        </router-link>
+                        <router-link :to="{ name: 'detection', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'detections'">
+                          <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
+                        </router-link>
+                        <router-link :to="{ name: 'playbook', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'playbooks'">
                           <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
                         </router-link>
                       </td>
@@ -938,6 +960,331 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
       </v-container>
     </script>
 
+    <script type="text/x-template" id="page-detection">
+      <v-container fluid v-if="detect">
+        <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
+          <!-- Title -->
+          <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
+          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="'Detection Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+        </div>
+
+        <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <div class="main col-md-9 order-md-1 col-12 order-2">
+            <v-tabs grow v-model="activeTab">
+              <v-tab id="detection_summaryTab" href="#summary">
+                <v-icon left>fa-clipboard</v-icon>
+                <div class="d-none d-lg-block">Summary</div>
+              </v-tab>
+              <v-tab id="detection_detailsTab" href="#details">
+                <v-icon left>fa-circle-info</v-icon>
+                <div class="d-none d-lg-block">Details</div>
+              </v-tab>
+              <v-tab id="detection_notesTab" href="#notes">
+                <v-icon left>fa-pencil</v-icon>
+                <div class="d-none d-lg-block">Notes</div>
+              </v-tab>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-signature</v-icon>
+                <div class="d-none d-lg-block">Signature</div>
+              </v-tab>
+              <v-tab id="detection_playbookTab" href="#playbook">
+                <v-icon left>fa-book-bookmark</v-icon>
+                <div class="d-none d-lg-block">Investigative Playbook</div>
+              </v-tab>
+              <v-tab id="detection_tuningTab" href="#tuning">
+                <v-icon left>fa-wrench</v-icon>
+                <div class="d-none d-lg-block">Tuning</div>
+              </v-tab>
+              <v-tab id="detection_historyTab" href="#history">
+                <v-icon left>fa-history</v-icon>
+                <div class="d-none d-lg-block">History</div>
+              </v-tab>
+
+              <v-tab-item value="summary">
+                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <div>
+                    <!-- Description -->
+                    <span class="font-weight-bold">Description:</span><br/>
+                    <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
+                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+                  </div>
+                  <!-- Engine -->
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="engineOptions" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Enabled -->
+                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
+                  <!-- Reporting -->
+                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="details">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId">
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Author -->
+                  <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+                  <!-- Severity -->
+                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-create" text small color="primary" class="align-self-end" @click="saveDetection(true)" v-if="isNew()">
+                      {{ i18n.create }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)" v-else>
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="notes">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Notes -->
+                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
+                </div>
+              </v-tab-item>
+              <v-tab-item value="signature">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Signature -->
+                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
+                </div>
+              </v-tab-item>
+              <v-tab-item value="playbook">
+                <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <div class="col ma-2">
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Title:&nbsp;</span>
+                      <a :href="'#/playbook/' + associatedPlaybook.onionId" style="text-decoration: none; cursor: 'pointer'">
+                        {{associatedPlaybook.title}}
+                      </router-link>
+                    </div>
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Description:&nbsp;</span>{{associatedPlaybook.description}}
+                    </div>
+                    <div class="row my-2">
+                      <span class="font-weight-bold">Severity:&nbsp;</span>{{associatedPlaybook.severity}}
+                    </div>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="tuning">
+                Coming Soon!
+              </v-tab-item>
+              <v-tab-item value="history">
+                Coming Soon!
+              </v-tab-item>
+            </v-tabs>
+          </div>
+          <div class="col-md-3 order-md-2 col-12 order-1">
+            <v-expansion-panels focusable multiple v-model="panel">
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Cases</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Related Cases:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Alerts</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Recent Alerts:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+            </v-expansion-panels>
+          </div>
+        </div>
+      </v-container>
+    </script>
+
+    <script type="text/x-template" id="page-playbook">
+      <v-container fluid v-if="playbook">
+        <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
+          <!-- Title -->
+          <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isEdit('playbook-title')">{{ playbook.title }}</h2>
+          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="'Playbook Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+        </div>
+
+        <div class="row mb-6 mb-md-1 mt-2 mx-lg-6 mx-sm-12">
+          <!-- Description -->
+          <span id="playbook-description" @click="startEdit('playbook-description', 'description')" v-if="!isEdit('playbook-description')">{{ playbook.description }}</span>
+          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="'Playbook Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+        </div>
+
+        <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <div class="main col-md-9 order-md-1 col-12 order-2">
+            <v-tabs grow v-model="activeTab">
+              <v-tab id="playbook_notesTab" href="#notes">
+                <v-icon left>fa-comments</v-icon>
+                <div class="d-none d-lg-block">Observational Notes</div>
+              </v-tab>
+              <v-tab id="playbook_questionsTab" href="#questions">
+                <v-icon left>fa-circle-question</v-icon>
+                <div class="d-none d-lg-block">Investigative Questions</div>
+              </v-tab>
+              <v-tab id="playbook_casesTab" href="#cases">
+                <v-icon left>fa-briefcase</v-icon>
+                <div class="d-none d-lg-block">Cases</div>
+              </v-tab>
+              <v-tab id="playbook_historyTab" href="#history">
+                <v-icon left>fa-history</v-icon>
+                <div class="d-none d-lg-block">{{ i18n.history }}</div>
+              </v-tab>
+
+              <v-tab-item value="notes">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- PublicID -->
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!playbook.publicId">
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Contributors -->
+                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="'Contributors'" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <!-- Severity -->
+                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+
+                  <!-- Mechanism -->
+                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="'Mechanism'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+
+                  <!-- Tags -->
+                  <v-combobox id="playbook-tags" v-model="playbook.tags" :items="tags" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <!-- IsCommunity -->
+                  <div class="my-3">
+                    <span class="font-weight-bold">Community Playbook:</span> {{ playbook.userEditable ? 'No' : 'Yes' }}
+                  </div>
+                  <div class="row">
+                    <div class="col">
+                      <!-- Content -->
+                      <span class="font-weight-bold">Note:</span>
+                      <v-textarea class="config-editor" outlined v-model="playbook.note" auto-grow rows="5" />
+                    </div>
+                  </div>
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="playbook-cancel" text small color="primary" class="align-self-end" @click="cancelPlaybook()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="playbook-create" text small color="primary" class="align-self-end" @click="savePlaybook(true)" v-if="isNew()">
+                      {{ i18n.create }}
+                    </v-btn>
+                    <v-btn id="playbook-update" text small color="primary" class="align-self-end" @click="savePlaybook(false)" v-else>
+                      {{ i18n.update }}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-tab-item>
+
+              <v-tab-item value="questions">
+                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <h2>Add Investigative Question</h2>
+                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="'The investigative question written in plain language for human consumption, in the form of a question'"></v-text-field>
+                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="'Provide optional context'"></v-text-field>
+                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="'The data sources that can be used to answer the question'" multiple>
+                    <template #selection="{ item }">
+                      <v-chip color="primary">{{item}}</v-chip>
+                    </template>
+                  </v-combobox>
+
+                  <v-btn id="playbook-add-question" color="primary" class="mt-2" @click="appendQuestion()">
+                    Add
+                  </v-btn>
+                </div>
+
+                <v-text-field v-model="search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line></v-text-field>
+                <div v-for="q in playbook.questions" class="col px-5 py-2" style="background-color: rgb(40, 40, 40); border-radius: 4px;">
+                  <div class="font-italic my-2">{{q.question}}</div>
+                  <div class="my-2"><span class="font-weight-bold">Context:</span> {{ q.context }}</div>
+                  <div class="my-2"><span class="font-weight-bold">Data Sources:</span> {{ q.dataSources.join(', ') }}</div>
+                  <div class="my-2">
+                    <div><span class="font-weight-bold">Query:</span> {{ q.query }}</div>
+                    <v-data-table v-if="q.query" :headers="questionHeaders" :items="q.results">
+                      <template v-slot:item="result">
+                        <tr>
+                          <td v-text="result.item.payload['@timestamp']"></td>
+                          <td v-text="result.item.payload['@version']"></td>
+                          <td v-text="result.item.payload['message']"></td>
+                        </tr>
+                      </template>
+                    </v-data-table>
+                  </div>
+                </div>
+              </v-tab-item>
+              <v-tab-item value="cases">
+                Coming Soon!
+              </v-tab-item>
+              <v-tab-item value="history">
+                Coming Soon!
+              </v-tab-item>
+            </v-tabs>
+          </div>
+          <div class="col-md-3 order-md-2 col-12 order-1">
+            <v-expansion-panels focusable multiple v-model="panel">
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="playbook-related-playbooks">
+                  <h3>Playbooks</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Related Playbooks:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+              <v-expansion-panel v-if="!isNew()">
+                <v-expansion-panel-header id="detection-related-playbooks">
+                  <h3>Alerts</h3>
+                </v-expansion-panel-header>
+                <v-expansion-panel-content>
+                  Recent Alerts:
+                  <ul>
+                    <li>123</li>
+                    <li>456</li>
+                    <li>ABC</li>
+                    <li>XYZ</li>
+                  </ul>
+                </v-expansion-panel-content>
+              </v-expansion-panel>
+            </v-expansion-panels>
+          </div>
+        </div>
+      </v-container>
+    </script>
+
     <script type="text/x-template" id="page-terms">
       <v-container fluid>
         <v-row>
@@ -4119,6 +4466,8 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/routes/gridmembers.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/terms.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/users.js?v=VERSION_PLACEHOLDER"></script>
+    <script src="js/routes/detection.js?v=VERSION_PLACEHOLDER"></script>
+    <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/custom.js?v=VERSION_PLACEHOLDER"></script>
   </body>
 </html>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 385472ed2..b1a97fe86 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -259,6 +259,7 @@ const i18n = {
       description: 'Description',
       destination: 'Destination',
       details: 'Details',
+      detections: 'Detections',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -550,6 +551,7 @@ const i18n = {
       passwordRequired: 'A password must be specified.',
       passwordReset: 'Change Password',
       passwordNeedsChanged: 'User has not yet changed their password',
+      playbooks: 'Playbooks',
       profileDetails: 'Profile Details',
       profileInstructions: 'You may be prompted to login again when updating your profile. This is a security measure to protect your account.',
       pcap: 'PCAP',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
new file mode 100644
index 000000000..b1e2e61ed
--- /dev/null
+++ b/html/js/routes/detection.js
@@ -0,0 +1,157 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+routes.push({ path: '/detection/:id', name: 'detection', component: {
+  template: '#page-detection',
+  data() { return {
+		i18n: this.$root.i18n,
+		params: {},
+		detect: null,
+		origDetect: null,
+		curEditTarget: null, // string containing element ID, null if not editing
+		origValue: null,
+		editField: null,
+		rules: {
+      required: value => (value && value.length > 0) || this.$root.i18n.required,
+      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+      fileRequired: value => (value != null) || this.$root.i18n.required,
+		},
+		severityOptions: ['low', 'medium', 'high'],
+		engineOptions: ['suricata', 'yara', 'elastalert'],
+		panel: [0, 1, 2],
+		activeTab: '',
+		associatedPlaybook: {
+			onionId: 'y5IYKIoB9-Z7uL2kmy_o',
+			publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+			title: "Find the baddies",
+			severity: "high",
+			description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+			mechanism: "suricata",
+			tags: ["one", "two", "three"],
+			relatedPlaybooks: [],
+			contributors: ["Corey Ogburn"],
+			userEditable: true,
+			createTime: "2023-08-22T12:49:47.302819008-06:00",
+			userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+		},
+  }},
+  created() {
+  },
+  watch: {
+	},
+	mounted() {
+		this.$root.loadParameters('detection', this.initDetection);
+	},
+  methods: {
+		async initDetection(params) {
+			this.params = params;
+			if (this.$route.params.id === 'create') {
+				this.detect = this.newDetection();
+			} else {
+				await this.loadData();
+			}
+
+			this.origDetect = Object.assign({}, this.detect);
+
+			this.loadUrlParameters();
+		},
+		loadUrlParameters() {
+
+		},
+		newDetection() {
+			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
+			return {
+				title: 'Detection title not yet provided - click here to update this title',
+				description: 'Detection description not yet provided - click here to update this description',
+				author: author,
+				publicId: '',
+				severity: 'low',
+				content: '',
+				isEnabled: false,
+				isReporting: false,
+				engine: '',
+			}
+		},
+		async loadData() {
+			this.$root.startLoading();
+
+			try {
+					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
+				this.detect = response.data;
+				this.detect.note = 'This is a note.';
+      } catch (error) {
+        if (error.response != undefined && error.response.status == 404) {
+          this.$root.showError(this.i18n.notFound);
+        } else {
+          this.$root.showError(error);
+        }
+			}
+
+      this.$root.stopLoading();
+		},
+		isNew() {
+			return this.$route.params.id === 'create';
+		},
+		cancelDetection() {
+			if (this.isNew()) {
+				this.$router.push({name: 'detections'});
+			} else {
+				this.detect = this.origDetect;
+			}
+		},
+		async startEdit(target, field) {
+			if (this.curEditTarget === target) return;
+			if (this.curEditTarget !== null) await this.stopEdit(false);
+
+			this.curEditTarget = target;
+			this.origValue = this.detect[field];
+			this.editField = field;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		generatePublicID() {
+			this.detect.publicId = crypto.randomUUID();
+		},
+		isEdit(target) {
+			return this.curEditTarget === target;
+		},
+		async stopEdit(commit) {
+			if (!commit) {
+				this.detect[this.editField] = this.origValue;
+			} else if (!this.isNew()) {
+				const response = await this.$root.papi.put('/detection', this.detect);
+
+        console.log('UPDATE', response);
+			}
+
+			this.curEditTarget = null;
+			this.origValue = null;
+			this.editField = null;
+		},
+		saveDetection(createNew) {
+			if (createNew) {
+				this.$root.papi.post('/detection', this.detect);
+			} else {
+				this.$root.papi.put('/detection', this.detect);
+			}
+			this.origDetect = Object.assign({}, this.detect);
+		},
+		print(x) {
+			console.log(x);
+		},
+  }
+}});
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 089d6bfaf..c8c6c3ff8 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -260,10 +260,15 @@ const huntComponent = {
       }
     },
     applyQuerySubstitutions(queries) {
-      queries.forEach(query => {
-        query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
-      });
-      return queries;
+      if (Array.isArray(queries)) {
+        queries.forEach(query => {
+          query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
+        });
+
+        return queries;
+      } else {
+        return [];
+      }
     },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
@@ -338,19 +343,21 @@ const huntComponent = {
         q = this.queryBaseFilter;
       }
 
-      for (var i = 0; i < this.filterToggles.length; i++) {
-        filter = this.filterToggles[i];
+      if (Array.isArray(this.filterToggles)) {
+        for (var i = 0; i < this.filterToggles.length; i++) {
+          filter = this.filterToggles[i];
 
-        if (filter.enabled) {
-          if (q.length > 0) {
-            q = q + " AND ";
-          }
-          q = q + filter.filter;
-        } else if (filter.exclusive) {
-          if (q.length > 0) {
-            q = q + " AND ";
+          if (filter.enabled) {
+            if (q.length > 0) {
+              q = q + " AND ";
+            }
+            q = q + filter.filter;
+          } else if (filter.exclusive) {
+            if (q.length > 0) {
+              q = q + " AND ";
+            }
+            q = q + "NOT " + filter.filter;
           }
-          q = q + "NOT " + filter.filter;
         }
       }
 
@@ -424,20 +431,22 @@ const huntComponent = {
         this.groupQuery(this.$route.query.groupByField, this.$route.query.groupByGroup);
         reRoute = true;
       }
-      for (const q in this.$route.query) {
-        this.filterToggles.forEach(toggle => {
-          if (toggle.name === q) {
-            const orig = toggle.enabled;
-            let enabled = this.$route.query[q];
-            if (typeof enabled === 'string') {
-              enabled = enabled.toLowerCase() === 'true';
-            }
-            toggle.enabled = enabled;
-            if (orig !== toggle.enabled) {
-              reRoute = true;
+      if (Array.isArray(this.filterToggles)) {
+        for (const q in this.$route.query) {
+          this.filterToggles.forEach(toggle => {
+            if (toggle.name === q) {
+              const orig = toggle.enabled;
+              let enabled = this.$route.query[q];
+              if (typeof enabled === 'string') {
+                enabled = enabled.toLowerCase() === 'true';
+              }
+              toggle.enabled = enabled;
+              if (orig !== toggle.enabled) {
+                reRoute = true;
+              }
             }
-          }
-        });
+          });
+        }
       }
       if (reRoute) return false;
       return true;
@@ -454,14 +463,74 @@ const huntComponent = {
         // This must occur before the following await, so that Vue flushes the old groupby DOM renders
         this.groupBys.splice(0);
 
-        const response = await this.$root.papi.get('events/', { params: {
-          query: await this.getQuery(),
-          range: this.dateRange,
-          format: this.i18n.timePickerSample,
-          zone: this.zone,
-          metricLimit: this.groupByLimit,
-          eventLimit: this.eventLimit
-        }});
+        let response;
+        if (this.category === 'playbooks') {
+          response = {
+            data: {
+              "metrics": {
+                "timeline": null,
+              },
+              "elapsedMs": 668,
+	            "errors": [],
+	            "criteria": {
+		            "query": "(_id:*) AND _index:\"*:so-case\" AND so_kind:detection",
+		            "dateRange": "",
+		            "metricLimit": 0,
+		            "eventLimit": 50,
+                "BeginTime": "2021-08-23T15:41:39-06:00",
+                "EndTime": "2023-08-23T15:41:39-06:00",
+                "CreateTime": "2023-08-23T15:41:39.446264196-06:00",
+                "ParsedQuery": {
+                  "Segments": [
+                    {}
+                  ]
+                },
+                "SortFields": null
+              },
+              "events": [
+                {
+                  "source": "manager:so-case",
+                  "Time": "2023-08-23T14:48:17.140438075-06:00",
+                  "timestamp": "2023-08-23T14:48:17.140Z",
+                  "id": "RDmUHooB-8rNCo4d3nIc",
+                  "type": "",
+                  "score": 3.287682,
+                  "payload": {
+                    "@timestamp": "2023-08-23T14:48:17.140438075-06:00",
+                    "so_playbook.onionId": "75332a3c-b029-46a0-9392-509ff90737a8",
+                    "so_playbook.publicId": "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+                    "so_playbook.title": "Find the baddies",
+                    "so_playbook.severity": "high",
+                    "so_playbook.description": "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+                    "so_playbook.mechanism": "suricata",
+                    "so_playbook.tags": ["one", "two", "three"],
+                    "so_playbook.relatedPlaybooks": [],
+                    "so_playbook.contributors": ["Jim Bob"],
+                    "so_playbook.userEditable": true,
+                    "so_playbook.createTime": "2023-08-22T12:49:47.302819008-06:00",
+                    "so_playbook.kind": "playbook",
+                    "so_playbook.userId": "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+                    "so_kind": "playbook"
+                  }
+                }
+              ],
+              createTime: moment().subtract(2, 'seconds').toISOString(),
+              completeTime: moment().toISOString(),
+            }
+          };
+          response.data.totalEvents = response.data.events.length;
+        } else {
+          response = await this.$root.papi.get('events/', {
+            params: {
+              query: await this.getQuery(),
+              range: this.dateRange,
+              format: this.i18n.timePickerSample,
+              zone: this.zone,
+              metricLimit: this.groupByLimit,
+              eventLimit: this.eventLimit
+            }
+          });
+        }
 
         this.eventPage = 1;
         this.groupByPage = 1;
@@ -2037,7 +2106,62 @@ const huntComponent = {
       }
 
       window.open(url, target);
-    }
+    },
+    async CreateDetection() {
+      const response = await this.$root.papi.post('/detection', {
+        publicId: 'ABCDEF',
+        title: 'First!',
+        severity: 'low',
+        author: 'Corey Ogburn',
+        description: 'first try',
+        content: 'rule goes here',
+        isEnabled: true,
+        isReporting: true,
+        Engine: 'suricata'
+      });
+
+      console.log('CREATE', response);
+      this.onionID = response.data.id;
+      console.log('onionID', this.onionID);
+    },
+    async GetDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.get('/detection/' + this.onionID);
+
+        console.log('GET', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
+    async UpdateDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.put('/detection', {
+          id: this.onionID,
+          publicId: 'ABCDEF',
+          title: 'Second!',
+          severity: 'low',
+          author: 'Corey Ogburn',
+          description: 'first try',
+          content: 'rule goes here',
+          isEnabled: true,
+          isReporting: true,
+          Engine: 'suricata'
+        });
+
+        console.log('UPDATE', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
+    async DeleteDetection() {
+      if (this.onionID) {
+        const response = await this.$root.papi.delete('/detection/' + this.onionID);
+
+        console.log('DELETE', response);
+      } else {
+        console.log('No onionID');
+      }
+    },
   }
 };
 
@@ -2051,3 +2175,9 @@ routes.push({ path: '/cases', name: 'cases', component: casesComponent});
 
 const dashboardsComponent = Object.assign({}, huntComponent);
 routes.push({ path: '/dashboards', name: 'dashboards', component: dashboardsComponent});
+
+const detectionsComponent = Object.assign({}, huntComponent);
+routes.push({ path: '/detections', name: 'detections', component: detectionsComponent });
+
+const playbooksComponent = Object.assign({}, huntComponent);
+routes.push({ path: '/playbooks', name: 'playbooks', component: playbooksComponent });
diff --git a/html/js/routes/playbook.js b/html/js/routes/playbook.js
new file mode 100644
index 000000000..3db5a5f02
--- /dev/null
+++ b/html/js/routes/playbook.js
@@ -0,0 +1,461 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+routes.push({ path: '/playbook/:id', name: 'playbook', component: {
+  template: '#page-playbook',
+  data() { return {
+		i18n: this.$root.i18n,
+		params: {},
+		rules: {
+      required: value => (value && value.length > 0) || this.$root.i18n.required,
+      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+      fileRequired: value => (value != null) || this.$root.i18n.required,
+		},
+		playbook: null,
+		origPlaybook: null,
+		curEditTarget: null, // string containing element ID, null if not editing
+		origValue: null,
+		editField: null,
+		severityOptions: ['low', 'medium', 'high'],
+		engineOptions: ['none', 'suricata', 'yara', 'elastalert'],
+		panel: [0, 1, 2],
+		activeTab: '',
+		tags: [],
+		addQuestion: '',
+		addContext: '',
+		addDataSources: [],
+		addQuery: '',
+		search: '',
+		questionHeaders: [{ title: '@timestamp', key: 'item.payload["@timestamp"]' }, { title: '@version', value: '@version' }, { title: 'message', value: 'message' }],
+  }},
+  created() {
+  },
+  watch: {
+	},
+	mounted() {
+		this.$root.loadParameters('playbooks', this.initPlaybook);
+	},
+  methods: {
+		async initPlaybook(params) {
+			this.params = params;
+			if (this.$route.params.id === 'create') {
+				this.detect = this.newPlaybook();
+			} else {
+				await this.loadData();
+			}
+
+			this.origPlaybook = Object.assign({}, this.playbook);
+
+			this.loadUrlParameters();
+		},
+		loadUrlParameters() {
+
+		},
+		newPlaybook() {
+			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
+			return {
+				publicId: '',
+				title: 'Detection title not yet provided - click here to update this title',
+				description: 'Detection description not yet provided - click here to update this description',
+				mechanism: '',
+				tags: [],
+				relatedPlaybooks: [],
+				detectionLinks: [],
+				contributors: [author],
+				userEditable: true,
+				questions: [],
+				note: '',
+			}
+		},
+		async loadData() {
+			this.$root.startLoading();
+
+			// try {
+			// 		const response = await this.$root.papi.get('playbook/' + encodeURIComponent(this.$route.params.id));
+			// 		this.detect = response.data;
+      // } catch (error) {
+      //   if (error.response != undefined && error.response.status == 404) {
+      //     this.$root.showError(this.i18n.notFound);
+      //   } else {
+      //     this.$root.showError(error);
+      //   }
+			// }
+			if (this.isNew()) {
+				this.playbook = this.newPlaybook();
+			} else {
+				this.playbook = {
+					onionId: this.$route.params.id,
+					publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
+					title: "Find the baddies",
+					severity: "high",
+					description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
+					mechanism: "suricata",
+					tags: ["one", "two", "three"],
+					relatedPlaybooks: [],
+					contributors: ["Corey Ogburn"],
+					userEditable: true,
+					createTime: "2023-08-22T12:49:47.302819008-06:00",
+					userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
+					questions: [
+						{
+							question: "What network resources did they access?",
+							context: "Bad actors do bad things to network resources",
+							dataSources: ['windows_security', 'process_auditing'],
+							query: '*',
+							results: [
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:10:05.747Z",
+									"timestamp": "2023-08-24T15:10:05.747Z",
+									"id": "y5IYKIoB9-Z7uL2kmy_o",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:10:05.747Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:10:16Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "info",
+										"log.offset": 311104,
+										"log.origin.file.line": 821,
+										"log.origin.file.name": "coordinator/coordinator.go",
+										"log.source": "elastic-agent",
+										"message": "Updating running component model",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:09:25.702Z",
+									"timestamp": "2023-08-24T15:09:25.702Z",
+									"id": "GJIXKIoB9-Z7uL2k7C-E",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:09:25.702Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:09:31Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"AE-49-EF-7B-5E-B9",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "error",
+										"log.offset": 304406,
+										"log.origin.file.line": 221,
+										"log.origin.file.name": "fleet/fleet_gateway.go",
+										"log.source": "elastic-agent",
+										"message": "Checkin request to fleet-server succeeded after 2 failures",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+								{
+									"source": "manager:.ds-logs-elastic_agent-default-2023.08.21-000001",
+									"Time": "2023-08-24T15:08:46.446Z",
+									"timestamp": "2023-08-24T15:08:46.446Z",
+									"id": "lZIXKIoB9-Z7uL2kTy6x",
+									"type": "",
+									"score": 2,
+									"payload": {
+										"@timestamp": "2023-08-24T15:08:46.446Z",
+										"@version": "1",
+										"agent.ephemeral_id": "b36260f3-7e22-4ada-9736-7825bba61050",
+										"agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"agent.name": "manager",
+										"agent.type": "filebeat",
+										"agent.version": "8.8.2",
+										"container.id": "elastic-agent-cdc5ba",
+										"data_stream.dataset": "elastic_agent",
+										"data_stream.namespace": "default",
+										"data_stream.type": "logs",
+										"ecs.version": "8.0.0",
+										"elastic_agent.id": "6a7d0533-85fe-4aab-ad23-25659d59415f",
+										"elastic_agent.snapshot": false,
+										"elastic_agent.version": "8.8.2",
+										"event.agent_id_status": "auth_metadata_missing",
+										"event.dataset": "elastic_agent",
+										"event.ingested": "2023-08-24T15:08:50Z",
+										"event.module": "elastic_agent",
+										"host.architecture": "x86_64",
+										"host.containerized": false,
+										"host.hostname": "manager",
+										"host.id": "9b909224852841ee9e8394c0ccb6f345",
+										"host.ip": [
+											"192.168.122.119",
+											"172.17.1.1",
+											"172.17.0.1"
+										],
+										"host.mac": [
+											"02-42-F7-90-7C-0F",
+											"02-42-FD-01-4C-18",
+											"22-69-52-DA-7E-60",
+											"26-32-CC-C2-D0-96",
+											"32-5D-A3-D9-5E-BB",
+											"36-30-04-3E-2A-74",
+											"3A-47-4A-42-2D-42",
+											"52-54-00-17-A5-16",
+											"52-54-00-79-9B-AF",
+											"56-22-21-D2-59-BB",
+											"5A-84-1E-33-78-6F",
+											"5A-B1-C1-9E-26-54",
+											"5E-07-4D-47-FC-B6",
+											"66-FE-30-61-E6-77",
+											"82-20-8F-6D-BA-2B",
+											"86-14-06-40-98-7D",
+											"86-29-18-6F-10-88",
+											"8E-AD-CA-9F-EA-F6",
+											"96-4D-FB-AD-AB-8E",
+											"AA-FB-73-2B-C4-24",
+											"AE-49-EF-7B-5E-B9",
+											"B2-68-3A-55-50-88",
+											"BE-53-9A-99-67-0C",
+											"CA-68-C4-C1-5B-4D",
+											"E2-0C-CE-E7-DA-50",
+											"EE-F2-CD-8D-0A-17",
+											"FE-99-5F-39-DF-D1"
+										],
+										"host.name": "manager",
+										"host.os.family": "redhat",
+										"host.os.kernel": "5.15.0-103.114.4.el9uek.x86_64",
+										"host.os.name": "Oracle Linux Server",
+										"host.os.platform": "ol",
+										"host.os.type": "linux",
+										"host.os.version": "9.2",
+										"input.type": "filestream",
+										"log.file.path": "/opt/Elastic/Agent/data/elastic-agent-cdc5ba/logs/elastic-agent-20230824.ndjson",
+										"log.level": "info",
+										"log.offset": 296546,
+										"log.origin.file.line": 821,
+										"log.origin.file.name": "coordinator/coordinator.go",
+										"log.source": "elastic-agent",
+										"message": "Updating running component model",
+										"metadata.beat": "filebeat",
+										"metadata.input.beats.host.ip": "172.17.1.1",
+										"metadata.input_id": "filestream-monitoring-agent",
+										"metadata.raw_index": "logs-elastic_agent-default",
+										"metadata.stream_id": "filestream-monitoring-agent",
+										"metadata.type": "_doc",
+										"metadata.version": "8.8.2",
+										"tags": [
+											"elastic-agent",
+											"input-manager",
+											"beats_input_codec_plain_applied"
+										]
+									}
+								},
+							]
+						}
+					],
+					note: "This is a note",
+				};
+			}
+
+      this.$root.stopLoading();
+		},
+		isNew() {
+			return this.$route.params.id === 'create';
+		},
+		cancelPlaybook() {
+			if (this.isNew()) {
+				this.$router.push({name: 'playbooks'});
+			} else {
+				this.playbook = this.origPlaybook;
+			}
+		},
+		generatePublicID() {
+			this.playbook.publicId = crypto.randomUUID();
+		},
+		async startEdit(target, field) {
+			if (this.curEditTarget === target) return;
+			if (this.curEditTarget !== null) await this.stopEdit(false);
+
+			this.curEditTarget = target;
+			this.origValue = this.playbook[field];
+			this.editField = field;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		isEdit(target) {
+			return this.curEditTarget === target;
+		},
+		async stopEdit(commit) {
+			if (!commit) {
+				this.playbook[this.editField] = this.origValue;
+			} else if (!this.isNew()) {
+				// const response = await this.$root.papi.put('/playbook', this.playbook);
+        // console.log('UPDATE', response);
+			}
+
+			this.curEditTarget = null;
+			this.origValue = null;
+			this.editField = null;
+		},
+		savePlaybook(createNew) {
+			// if (createNew) {
+			// 	this.$root.papi.post('/playbook', this.playbook);
+			// } else {
+			// 	this.$root.papi.put('/playbook', this.playbook);
+			// }
+
+			this.origPlaybook = Object.assign({}, this.playbook);
+		},
+		print(x) {
+			console.log(x);
+		},
+  }
+}});
diff --git a/model/detection.go b/model/detection.go
new file mode 100644
index 000000000..54b2ed801
--- /dev/null
+++ b/model/detection.go
@@ -0,0 +1,91 @@
+package model
+
+import (
+	"errors"
+	"strings"
+)
+
+type ScanType string
+type SigLanguage string
+type Severity string
+type IDType string
+type EngineName = string
+
+const (
+	ScanTypeFiles           ScanType = "files"
+	ScanTypePackets         ScanType = "packets"
+	ScanTypePacketsAndFiles ScanType = "files,packets"
+	ScanTypeElastic         ScanType = "elastic"
+
+	SigLangElastic  SigLanguage = "elastic"  // yaml
+	SigLangSigma    SigLanguage = "sigma"    // yaml
+	SigLangSuricata SigLanguage = "suricata" // action, header, options
+	SigLangYara     SigLanguage = "yara"
+	SigLangZeek     SigLanguage = "zeek"
+
+	SeverityLow    Severity = "low"
+	SeverityMedium Severity = "medium"
+	SeverityHigh   Severity = "high"
+
+	IDTypeUUID IDType = "uuid"
+	IDTypeSID  IDType = "sid"
+
+	EngineNameSuricata   EngineName = "suricata"
+	EngineNameYara       EngineName = "yara"
+	EngineNameElastAlert EngineName = "elastalert"
+)
+
+var (
+	EnginesByName = map[EngineName]*DetectionEngine{
+		EngineNameSuricata: {
+			Name:        string(EngineNameSuricata),
+			IDType:      IDTypeSID,
+			ScanType:    ScanTypePackets,
+			SigLanguage: SigLangSuricata,
+		},
+		EngineNameYara: {
+			Name:        string(EngineNameYara),
+			IDType:      IDTypeUUID,
+			ScanType:    ScanTypeFiles,
+			SigLanguage: SigLangYara,
+		},
+		EngineNameElastAlert: {
+			Name:        string(EngineNameElastAlert),
+			IDType:      IDTypeUUID,
+			ScanType:    ScanTypeElastic,
+			SigLanguage: SigLangElastic,
+		},
+	}
+
+	ErrUnsupportedEngine = errors.New("unsupported engine")
+)
+
+type DetectionEngine struct {
+	Name        string      `json:"name"`
+	IDType      IDType      `json:"idType"`
+	ScanType    ScanType    `json:"scanType"`
+	SigLanguage SigLanguage `json:"sigLanguage"`
+}
+
+type Detection struct {
+	Auditable
+	PublicID    string     `json:"publicId"`
+	Title       string     `json:"title"`
+	Severity    Severity   `json:"severity"`
+	Author      string     `json:"author"`
+	Description string     `json:"description"`
+	Content     string     `json:"content"`
+	IsEnabled   bool       `json:"isEnabled"`
+	IsReporting bool       `json:"isReporting"`
+	Engine      EngineName `json:"engine"`
+}
+
+func (detect *Detection) Validate() error {
+	detect.Engine = strings.ToLower(detect.Engine)
+	_, engIsSupported := EnginesByName[detect.Engine]
+	if !engIsSupported {
+		return ErrUnsupportedEngine
+	}
+
+	return nil
+}
diff --git a/server/casestore.go b/server/casestore.go
index be9d6536e..1f5bcb204 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -38,4 +38,9 @@ type Casestore interface {
 	CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)
 	GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)
 	DeleteArtifactStream(ctx context.Context, id string) error
+
+	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
+	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	DeleteDetection(ctx context.Context, detectID string) error
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
new file mode 100644
index 000000000..fa1bb4396
--- /dev/null
+++ b/server/detectionhandler.go
@@ -0,0 +1,109 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package server
+
+import (
+	"net/http"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+
+	"github.com/go-chi/chi"
+)
+
+type DetectionHandler struct {
+	server *Server
+}
+
+func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
+	h := &DetectionHandler{
+		server: srv,
+	}
+
+	r.Route(prefix, func(r chi.Router) {
+		r.Get("/{onionId}", h.getDetection)
+
+		r.Post("/", h.postDetection)
+
+		r.Put("/", h.putDetection)
+
+		r.Delete("/{onionId}", h.deleteDetection)
+	})
+}
+
+func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detectId := chi.URLParam(r, "onionId")
+
+	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	if err != nil {
+		if err.Error() == "Object not found" {
+			web.Respond(w, r, http.StatusNotFound, nil)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detect := &model.Detection{}
+
+	err := web.ReadJson(r, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusCreated, detect)
+}
+
+func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detect := &model.Detection{}
+
+	err := web.ReadJson(r, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detect, err = h.server.Casestore.UpdateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	id := chi.URLParam(r, "onionId")
+
+	err := h.server.Casestore.DeleteDetection(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, nil)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index 783c41e81..c97960eb6 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -61,5 +62,49 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
+	info.Parameters.DetectionsParams.Queries = []*config.HuntingQuery{
+		{
+			Name:  "All",
+			Query: "_id:*",
+		},
+	}
+
+	info.Parameters.DetectionsParams.ViewEnabled = true
+	info.Parameters.DetectionsParams.CreateLink = "/detection/create"
+	info.Parameters.DetectionsParams.EventFetchLimit = 500
+	info.Parameters.DetectionsParams.EventItemsPerPage = 50
+	info.Parameters.DetectionsParams.GroupFetchLimit = 50
+	info.Parameters.DetectionsParams.MostRecentlyUsedLimit = 5
+	info.Parameters.DetectionsParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+	info.Parameters.DetectionsParams.EventFields = map[string][]string{
+		"default": {
+			"soc_timestamp",
+			"so_detection.publicId",
+			"so_detection.title",
+			"so_detection.severity",
+			"so_detection.isEnabled",
+			"so_detection.engine",
+		},
+	}
+
+	info.Parameters.PlaybooksParams.ViewEnabled = true
+	info.Parameters.PlaybooksParams.CreateLink = "/playbook/create"
+	info.Parameters.PlaybooksParams.EventFetchLimit = 500
+	info.Parameters.PlaybooksParams.EventItemsPerPage = 50
+	info.Parameters.PlaybooksParams.GroupFetchLimit = 50
+	info.Parameters.PlaybooksParams.MostRecentlyUsedLimit = 5
+	info.Parameters.PlaybooksParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+	info.Parameters.PlaybooksParams.Queries = []*config.HuntingQuery{
+		{Query: "*"},
+	}
+	info.Parameters.PlaybooksParams.EventFields = map[string][]string{
+		"default": {
+			"soc_timestamp",
+			"so_playbook.title",
+			"so_playbook.publicId",
+			"so_playbook.mechanism",
+		},
+	}
+
 	web.Respond(w, r, http.StatusOK, info)
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index bdd4d2be2..f200b7405 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -639,6 +639,99 @@ func convertElasticEventToArtifactStream(event *model.EventRecord, schemaPrefix
 	return obj, err
 }
 
+func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix string) (*model.Detection, error) {
+	var err error
+	var obj *model.Detection
+
+	if event != nil {
+		obj = &model.Detection{}
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
+		if err == nil {
+			if value, ok := event.Payload[schemaPrefix+"detection.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
+				obj.IsReporting = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
+				obj.Description = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
+				obj.IsEnabled = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
+				obj.Engine = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.publicId"]; ok {
+				obj.PublicID = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.severity"]; ok {
+				obj.Severity = model.Severity(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.content"]; ok {
+				obj.Content = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
+				obj.Author = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
+				obj.Title = value.(string)
+			}
+			// if value, ok := event.Payload[schemaPrefix+"artifact.caseId"]; ok {
+			// 	obj.CaseId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.groupType"]; ok {
+			// 	obj.GroupType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.groupId"]; ok {
+			// 	obj.GroupId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.description"]; ok {
+			// 	obj.Description = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.artifactType"]; ok {
+			// 	obj.ArtifactType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.streamLength"]; ok {
+			// 	obj.StreamLen = int(value.(float64))
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.streamId"]; ok {
+			// 	obj.StreamId = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.mimeType"]; ok {
+			// 	obj.MimeType = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.value"]; ok {
+			// 	obj.Value = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.tlp"]; ok {
+			// 	obj.Tlp = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.tags"]; ok && value != nil {
+			// 	obj.Tags = convertToStringArray(value.([]interface{}))
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.ioc"]; ok {
+			// 	obj.Ioc = value.(bool)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.md5"]; ok {
+			// 	obj.Md5 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.sha1"]; ok {
+			// 	obj.Sha1 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.sha256"]; ok {
+			// 	obj.Sha256 = value.(string)
+			// }
+			// if value, ok := event.Payload[schemaPrefix+"artifact.protected"]; ok {
+			// 	obj.Protected = value.(bool)
+			// }
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string) (interface{}, error) {
 	var obj interface{}
 	var err error
@@ -655,6 +748,8 @@ func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string)
 			obj, err = convertElasticEventToArtifact(event, schemaPrefix)
 		case "artifactstream":
 			obj, err = convertElasticEventToArtifactStream(event, schemaPrefix)
+		case "detection":
+			obj, err = convertElasticEventToDetection(event, schemaPrefix)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 5eeaf0d42..acd8eb3e6 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -273,6 +273,46 @@ func (store *ElasticCasestore) validateArtifactStream(artifactstream *model.Arti
 	return err
 }
 
+func (store *ElasticCasestore) validateDetection(detect *model.Detection) error {
+	var err error
+
+	if err == nil && detect.Id != "" {
+		err = store.validateId(detect.Id, "onionId")
+	}
+
+	if err == nil && detect.PublicID != "" {
+		err = store.validateId(detect.PublicID, "publicId")
+	}
+
+	if err == nil && detect.Title != "" {
+		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+	}
+
+	if err == nil && detect.Severity != "" {
+		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
+	}
+
+	if err == nil && detect.Author != "" {
+		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
+	}
+
+	if err == nil && detect.Description != "" {
+		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
+	}
+
+	if err == nil && detect.Content != "" {
+		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
+	}
+
+	if err == nil {
+		_, okEngine := model.EnginesByName[detect.Engine]
+		if !okEngine {
+			err = errors.New("invalid engine")
+		}
+	}
+	return err
+}
+
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
 	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -900,3 +940,77 @@ func (store *ElasticCasestore) ExtractCommonObservables(ctx context.Context, eve
 	}
 	return nil
 }
+
+func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	var err error
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id != "" {
+		return nil, errors.New("Unexpected ID found in new comment")
+	}
+
+	now := time.Now()
+	detect.CreateTime = &now
+	var results *model.EventIndexResults
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err == nil {
+		// Read object back to get new modify date, etc
+		detect, err = store.GetDetection(ctx, results.DocumentId)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
+	err = store.validateId(detectId, "detectId")
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := store.get(ctx, detectId, "detection")
+	if err == nil && obj != nil {
+		detect = obj.(*model.Detection)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	err := store.validateDetection(detect)
+	if err == nil {
+		if detect.Id == "" {
+			err = errors.New("Missing detection onion ID")
+			return nil, err
+		}
+
+		var old *model.Detection
+		old, err = store.GetDetection(ctx, detect.Id)
+		if err == nil {
+			var results *model.EventIndexResults
+
+			// Preserve read-only fields
+			detect.CreateTime = old.CreateTime
+
+			results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+			if err == nil {
+				// Read object back to get new modify date, etc
+				detect, err = store.GetDetection(ctx, results.DocumentId)
+			}
+		}
+	}
+
+	return detect, err
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) error {
+	detect, err := store.GetDetection(ctx, onionID)
+	if err == nil {
+		err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	}
+
+	return err
+}
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index 4250e0a6c..9d8357e8c 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -144,3 +144,19 @@ func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 69c256901..f74c58a93 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -149,3 +149,19 @@ func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (*
 func (store *HttpCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *HttpCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 44a5cf3a5..04740aa10 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -141,3 +141,19 @@ func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *TheHiveCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
+
+func (store *TheHiveCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) error {
+	return errors.New("Unsupported operation by this module")
+}
diff --git a/server/server.go b/server/server.go
index 185217326..1894bb1c5 100644
--- a/server/server.go
+++ b/server/server.go
@@ -87,6 +87,7 @@ func (server *Server) Start() {
 		RegisterConfigRoutes(server, r, "/api/config")
 		RegisterGridMemberRoutes(server, r, "/api/gridmembers")
 		RegisterRolesRoutes(server, r, "/api/roles")
+		RegisterDetectionRoutes(server, r, "/api/detection")
 		RegisterUtilRoutes(server, r, "/api/util")
 
 		server.Host.RegisterRouter("/api/", r)

From 52d30c70f1cabeac98c528d4b6b790a9ef97c0cb Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 1 Sep 2023 15:24:15 -0600
Subject: [PATCH 049/102] WIP: More Detections Work

Walked back playbooks to focus on detections.

Made detections more data driven. Added form validation when creating a detection. TODO: form validation when editing.

Added Duplicate functionality to the API/UI, added Bulk enable/disable to API.

Touched the surface on how detections will sync.
---
 config/clientparameters.go                    |  53 +++++---
 html/index.html                               | 109 ++++++++++++++---
 html/js/i18n.js                               |   7 ++
 html/js/routes/detection.js                   |  63 +++++++---
 html/js/routes/hunt.js                        |   3 +
 model/detection.go                            |  22 ++++
 server/casestore.go                           |   3 +-
 server/detectionhandler.go                    | 115 +++++++++++++++++-
 server/infohandler.go                         |  98 +++++++++------
 server/modules/elastic/converter.go           |  95 ++++-----------
 server/modules/elastic/elasticcasestore.go    |  89 +++++++++++---
 .../modules/elasticcases/elasticcasestore.go  |   8 +-
 server/modules/generichttp/httpcasestore.go   |   8 +-
 server/modules/thehive/thehivecasestore.go    |   8 +-
 server/server.go                              |  12 --
 util/ptr.go                                   |  13 ++
 16 files changed, 495 insertions(+), 211 deletions(-)
 create mode 100644 util/ptr.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 7681ae6e6..ee31adf90 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -16,26 +16,27 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams       HuntingParameters `json:"hunt"`
-	AlertingParams      HuntingParameters `json:"alerts"`
-	CasesParams         HuntingParameters `json:"cases"`
-	CaseParams          CaseParameters    `json:"case"`
-	DashboardsParams    HuntingParameters `json:"dashboards"`
-	JobParams           HuntingParameters `json:"job"`
-	DetectionsParams    HuntingParameters `json:"detections"`
-	PlaybooksParams     HuntingParameters `json:"playbooks"`
-	DocsUrl             string            `json:"docsUrl"`
-	CheatsheetUrl       string            `json:"cheatsheetUrl"`
-	ReleaseNotesUrl     string            `json:"releaseNotesUrl"`
-	GridParams          GridParameters    `json:"grid"`
-	WebSocketTimeoutMs  int               `json:"webSocketTimeoutMs"`
-	TipTimeoutMs        int               `json:"tipTimeoutMs"`
-	ApiTimeoutMs        int               `json:"apiTimeoutMs"`
-	CacheExpirationMs   int               `json:"cacheExpirationMs"`
-	InactiveTools       []string          `json:"inactiveTools"`
-	Tools               []ClientTool      `json:"tools"`
-	CasesEnabled        bool              `json:"casesEnabled"`
-	EnableReverseLookup bool              `json:"enableReverseLookup"`
+	HuntingParams       HuntingParameters   `json:"hunt"`
+	AlertingParams      HuntingParameters   `json:"alerts"`
+	CasesParams         HuntingParameters   `json:"cases"`
+	CaseParams          CaseParameters      `json:"case"`
+	DashboardsParams    HuntingParameters   `json:"dashboards"`
+	JobParams           HuntingParameters   `json:"job"`
+	DetectionsParams    HuntingParameters   `json:"detections"`
+	DetectionParams     DetectionParameters `json:"detection"`
+	PlaybooksParams     HuntingParameters   `json:"playbooks"`
+	DocsUrl             string              `json:"docsUrl"`
+	CheatsheetUrl       string              `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`
+	GridParams          GridParameters      `json:"grid"`
+	WebSocketTimeoutMs  int                 `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int                 `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int                 `json:"apiTimeoutMs"`
+	CacheExpirationMs   int                 `json:"cacheExpirationMs"`
+	InactiveTools       []string            `json:"inactiveTools"`
+	Tools               []ClientTool        `json:"tools"`
+	CasesEnabled        bool                `json:"casesEnabled"`
+	EnableReverseLookup bool                `json:"enableReverseLookup"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -188,3 +189,15 @@ type GridParameters struct {
 	MaxUploadSize  uint64 `json:"maxUploadSize,omitempty"`
 	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }
+
+type DetectionParameters struct {
+	HuntingParameters
+	Presets map[string]PresetParameters `json:"presets"`
+}
+
+func (params *DetectionParameters) Verify() error {
+	err := params.HuntingParameters.Verify()
+
+	return err
+
+}
diff --git a/html/index.html b/html/index.html
index b998a4597..c3efa8425 100644
--- a/html/index.html
+++ b/html/index.html
@@ -76,14 +76,14 @@
               <v-list-item-title v-text="i18n.detections"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
-          <v-list-item @click="" to="/playbooks">
+          <!-- <v-list-item @click="" to="/playbooks">
             <v-list-item-action>
               <v-icon>fa-book-bookmark</v-icon>
             </v-list-item-action>
             <v-list-item-content>
               <v-list-item-title v-text="i18n.playbooks"></v-list-item-title>
             </v-list-item-content>
-          </v-list-item>
+          </v-list-item> -->
           <v-list-item @click="" to="/jobs">
             <v-list-item-action>
               <v-icon>fa-stream</v-icon>
@@ -970,7 +970,50 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <div class="main col-md-9 order-md-1 col-12 order-2">
-            <v-tabs grow v-model="activeTab">
+            <!-- Edit View -->
+            <div v-if="isNew()">
+              <v-form ref="detection" v-model="editForm.valid">
+                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  <!-- Description -->
+                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
+
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'">
+                    <template v-slot:append v-if="!detect.publicId">
+                      <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                    </template>
+                  </v-text-field>
+
+                  <!-- Author -->
+                  <v-text-field id="detection-author-create" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="i18n.author"></v-text-field>
+
+                  <!-- Severity -->
+                  <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
+
+                  <!-- Engine -->
+                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]"/>
+
+                  <!-- Reporting -->
+                  <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
+
+                  <!-- Signature -->
+                  <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
+                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="10" :rules="[rules.required]" />
+                </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-create-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-create-create" text small color="primary" class="align-self-end" @click="saveDetection(true)">
+                      {{ i18n.create }}
+                    </v-btn>
+                  </div>
+                </div>
+              </v-form>
+            </div>
+
+            <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
                 <v-icon left>fa-clipboard</v-icon>
                 <div class="d-none d-lg-block">Summary</div>
@@ -987,10 +1030,10 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <v-icon left>fa-signature</v-icon>
                 <div class="d-none d-lg-block">Signature</div>
               </v-tab>
-              <v-tab id="detection_playbookTab" href="#playbook">
+              <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
-              </v-tab>
+              </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
                 <v-icon left>fa-wrench</v-icon>
                 <div class="d-none d-lg-block">Tuning</div>
@@ -1009,12 +1052,19 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
                   <!-- Engine -->
-                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="engineOptions" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                   <!-- Enabled -->
                   <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
                 </div>
+                <div class="d-flex justify-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
+                      {{i18n.duplicate}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
               <v-tab-item value="details">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
@@ -1027,35 +1077,52 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Author -->
                   <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
                   <!-- Severity -->
-                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <!-- <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-create" text small color="primary" class="align-self-end" @click="saveDetection(true)" v-if="isNew()">
-                      {{ i18n.create }}
-                    </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)" v-else>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
-                </div>
+                </div> -->
               </v-tab-item>
               <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Notes -->
                   <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
               <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Signature -->
                   <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
+                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                  <div class="d-inline-flex justify-end">
+                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                      {{i18n.update}}
+                    </v-btn>
+                  </div>
+                </div>
               </v-tab-item>
-              <v-tab-item value="playbook">
+              <!-- <v-tab-item value="playbook">
                 <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div class="col ma-2">
                     <div class="row my-2">
@@ -1072,12 +1139,16 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </div>
                 </div>
-              </v-tab-item>
+              </v-tab-item> -->
               <v-tab-item value="tuning">
-                Coming Soon!
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  Coming Soon!
+                </div>
               </v-tab-item>
               <v-tab-item value="history">
-                Coming Soon!
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                  Coming Soon!
+                </div>
               </v-tab-item>
             </v-tabs>
           </div>
@@ -1708,7 +1779,6 @@ <h2 v-if="!isKind('pcap')" v-text="kind"></h2>
       </v-container>
     </script>
 
-
     <script type="text/x-template" id="page-job">
       <v-container fluid @click="jobClickHandler()">
         <v-row>
@@ -3324,7 +3394,6 @@ <h3>{{ i18n.details }}</h3>
       </v-container>
     </script>
 
-
     <script type="text/x-template" id="page-grid">
       <v-container fluid>
         <v-row>
@@ -4467,7 +4536,7 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/routes/terms.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/users.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/detection.js?v=VERSION_PLACEHOLDER"></script>
-    <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script>
+    <!-- <script src="js/routes/playbook.js?v=VERSION_PLACEHOLDER"></script> -->
     <script src="js/custom.js?v=VERSION_PLACEHOLDER"></script>
   </body>
 </html>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index b1a97fe86..709fae654 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -260,6 +260,9 @@ const i18n = {
       destination: 'Destination',
       details: 'Details',
       detections: 'Detections',
+      detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
+      detectionDefaultDescription: 'Detection description not yet provided',
+      detectionSeverity: 'Severity',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -277,6 +280,7 @@ const i18n = {
       dstIpHelp: 'Optional destination IP address to include in this job filter',
       dstPort: 'Destination Port',
       dstPortHelp: 'Optional destination TCP port to include in this job filter',
+      duplicate: 'Duplicate',
       edit: 'Edit',
       edited: '(edited)',
       email: 'Email Address',
@@ -284,6 +288,7 @@ const i18n = {
       emailRequired: 'An email address must be specified.',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
+      engine: 'Engine',
       eps: 'EPS',
       epsProduction: 'Production EPS:',
       epsConsumption: 'Consumption EPS:',
@@ -581,6 +586,7 @@ const i18n = {
       relatedEventId: 'Related Event ID',
       relativeTimeHelp: 'Click the clock icon to change to absolute time',
       remove: 'Remove',
+      reporting: 'Reporting',
       required: 'Required.',
       reset: 'Reset',
       resetDefaults: 'Reset Defaults',
@@ -688,6 +694,7 @@ const i18n = {
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
       showTable: 'Show table',
+      signature: 'Signature',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
       sortedBy: 'Sort:',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index b1e2e61ed..5fd098061 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -8,12 +8,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
   template: '#page-detection',
   data() { return {
 		i18n: this.$root.i18n,
+		presets: {},
 		params: {},
 		detect: null,
 		origDetect: null,
 		curEditTarget: null, // string containing element ID, null if not editing
 		origValue: null,
 		editField: null,
+		editForm: { valid: true },
 		rules: {
       required: value => (value && value.length > 0) || this.$root.i18n.required,
       number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
@@ -24,35 +26,25 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
       fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
-		severityOptions: ['low', 'medium', 'high'],
-		engineOptions: ['suricata', 'yara', 'elastalert'],
 		panel: [0, 1, 2],
 		activeTab: '',
-		associatedPlaybook: {
-			onionId: 'y5IYKIoB9-Z7uL2kmy_o',
-			publicId: "4020131e-223a-421e-8ebe-8a211a5ac4d6",
-			title: "Find the baddies",
-			severity: "high",
-			description: "A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines. A long description that spans multiple lines.",
-			mechanism: "suricata",
-			tags: ["one", "two", "three"],
-			relatedPlaybooks: [],
-			contributors: ["Corey Ogburn"],
-			userEditable: true,
-			createTime: "2023-08-22T12:49:47.302819008-06:00",
-			userId: "83656890-2acd-4c0b-8ab9-7c73e71ddaf3",
-		},
   }},
   created() {
   },
   watch: {
 	},
 	mounted() {
+		this.$watch(
+      () => this.$route.params,
+      (to, prev) => {
+				this.loadData();
+    	});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
   methods: {
 		async initDetection(params) {
 			this.params = params;
+			this.presets = params['presets'];
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
 			} else {
@@ -69,11 +61,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		newDetection() {
 			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');
 			return {
-				title: 'Detection title not yet provided - click here to update this title',
-				description: 'Detection description not yet provided - click here to update this description',
+				title: this.i18n.detectionDefaultTitle,
+				description: this.i18n.detectionDefaultDescription,
 				author: author,
 				publicId: '',
-				severity: 'low',
+				severity: this.getDefaultPreset('severity'),
 				content: '',
 				isEnabled: false,
 				isReporting: false,
@@ -86,7 +78,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			try {
 					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
-				this.detect.note = 'This is a note.';
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -97,6 +88,27 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
       this.$root.stopLoading();
 		},
+		getDefaultPreset(preset) {
+      if (this.presets) {
+        const presets = this.presets[preset];
+        if (presets && presets.labels && presets.labels.length > 0) {
+          return presets.labels[0];
+        }
+      }
+      return "";
+    },
+    getPresets(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].labels;
+      }
+      return [];
+    },
+    isPresetCustomEnabled(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].customEnabled == true;
+      }
+      return false;
+    },
 		isNew() {
 			return this.$route.params.id === 'create';
 		},
@@ -143,12 +155,23 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.editField = null;
 		},
 		saveDetection(createNew) {
+			if (this.curEditTarget !== null) this.stopEdit(true);
+
+			this.$refs['detection'].validate();
+			if (!this.editForm.valid) return;
+
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
 			} else {
 				this.$root.papi.put('/detection', this.detect);
 			}
 			this.origDetect = Object.assign({}, this.detect);
+
+			this.$root.showTip(this.i18n.saveSuccess);
+		},
+		async duplicateDetection() {
+			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
+			this.$router.push({name: 'detection', params: {id: response.data.id}});
 		},
 		print(x) {
 			console.log(x);
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index c8c6c3ff8..6c7f3496b 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2162,6 +2162,9 @@ const huntComponent = {
         console.log('No onionID');
       }
     },
+    print(x) {
+      console.log(x);
+    }
   }
 };
 
diff --git a/model/detection.go b/model/detection.go
index 54b2ed801..4d3f06a1c 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -77,6 +77,8 @@ type Detection struct {
 	Content     string     `json:"content"`
 	IsEnabled   bool       `json:"isEnabled"`
 	IsReporting bool       `json:"isReporting"`
+	IsCommunity bool       `json:"isCommunity"`
+	Note        string     `json:"note"`
 	Engine      EngineName `json:"engine"`
 }
 
@@ -89,3 +91,23 @@ func (detect *Detection) Validate() error {
 
 	return nil
 }
+
+func SyncDetections(detections []*Detection) error {
+	byEngine := map[EngineName][]*Detection{}
+	for _, detect := range detections {
+		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
+	}
+
+	if len(byEngine[EngineNameSuricata]) > 0 {
+		err := syncSuricata(byEngine[EngineNameSuricata])
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func syncSuricata(detections []*Detection) error {
+	return nil
+}
diff --git a/server/casestore.go b/server/casestore.go
index 1f5bcb204..6d6eda5ac 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -42,5 +42,6 @@ type Casestore interface {
 	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	DeleteDetection(ctx context.Context, detectID string) error
+	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index fa1bb4396..56806f1bd 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -7,7 +7,9 @@
 package server
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -25,20 +27,23 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 	}
 
 	r.Route(prefix, func(r chi.Router) {
-		r.Get("/{onionId}", h.getDetection)
+		r.Get("/{id}", h.getDetection)
 
 		r.Post("/", h.postDetection)
+		r.Post("/{id}/duplicate", h.duplicateDetection)
 
 		r.Put("/", h.putDetection)
 
-		r.Delete("/{onionId}", h.deleteDetection)
+		r.Delete("/{id}", h.deleteDetection)
+
+		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
 	})
 }
 
 func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	detectId := chi.URLParam(r, "onionId")
+	detectId := chi.URLParam(r, "id")
 
 	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
 	if err != nil {
@@ -71,7 +76,42 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	web.Respond(w, r, http.StatusCreated, detect)
+	err = model.SyncDetections([]*model.Detection{detect})
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
+}
+
+func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detectId := chi.URLParam(r, "id")
+
+	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	detect.Id = ""
+	detect.PublicID = ""
+	detect.Title = fmt.Sprintf("%s (copy)", detect.Title)
+	detect.CreateTime = nil
+	detect.UpdateTime = nil
+	detect.IsEnabled = false
+	detect.IsReporting = false
+	detect.IsCommunity = false
+
+	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, detect)
 }
 
 func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request) {
@@ -91,15 +131,27 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	err = model.SyncDetections([]*model.Detection{detect})
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
 func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	id := chi.URLParam(r, "onionId")
+	id := chi.URLParam(r, "id")
 
-	err := h.server.Casestore.DeleteDetection(ctx, id)
+	old, err := h.server.Casestore.DeleteDetection(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	err = model.SyncDetections([]*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -107,3 +159,54 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 
 	web.Respond(w, r, http.StatusOK, nil)
 }
+
+func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	newStatus := chi.URLParam(r, "newStatus") // "enable" or "disable"
+
+	var enabled bool
+	switch strings.ToLower(newStatus) {
+	case "enable", "disable":
+		enabled = strings.ToLower(newStatus) == "enable"
+	default:
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid status; must be 'enable' or 'disable'"))
+		return
+	}
+
+	body := []string{}
+	err := web.ReadJson(r, body)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	IDs := map[string]struct{}{}
+
+	for _, id := range body {
+		IDs[id] = struct{}{}
+	}
+
+	errMap := map[string]string{} // map[id]error
+	modified := []*model.Detection{}
+
+	for id := range IDs {
+		det, mod, err := h.server.Casestore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		if err != nil {
+			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			continue
+		}
+
+		if mod {
+			modified = append(modified, det)
+		}
+	}
+
+	err = model.SyncDetections(modified)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, errMap)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index c97960eb6..3d7604f31 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -62,48 +62,70 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
-	info.Parameters.DetectionsParams.Queries = []*config.HuntingQuery{
-		{
-			Name:  "All",
-			Query: "_id:*",
-		},
-	}
+	{
+		detections := &info.Parameters.DetectionsParams
 
-	info.Parameters.DetectionsParams.ViewEnabled = true
-	info.Parameters.DetectionsParams.CreateLink = "/detection/create"
-	info.Parameters.DetectionsParams.EventFetchLimit = 500
-	info.Parameters.DetectionsParams.EventItemsPerPage = 50
-	info.Parameters.DetectionsParams.GroupFetchLimit = 50
-	info.Parameters.DetectionsParams.MostRecentlyUsedLimit = 5
-	info.Parameters.DetectionsParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
-	info.Parameters.DetectionsParams.EventFields = map[string][]string{
-		"default": {
-			"soc_timestamp",
-			"so_detection.publicId",
-			"so_detection.title",
-			"so_detection.severity",
-			"so_detection.isEnabled",
-			"so_detection.engine",
-		},
+		detections.ViewEnabled = true
+		detections.CreateLink = "/detection/create"
+		detections.EventFetchLimit = 500
+		detections.EventItemsPerPage = 50
+		detections.GroupFetchLimit = 50
+		detections.MostRecentlyUsedLimit = 5
+		detections.SafeStringMaxLength = 100
+		detections.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+		detections.EventFields = map[string][]string{
+			"default": {
+				"so_detection.title",
+				"so_detection.isEnabled",
+				"so_detection.engine",
+				"@timestamp",
+			},
+		}
+		detections.Queries = []*config.HuntingQuery{
+			{
+				Name:  "All",
+				Query: "_id:*",
+			},
+		}
 	}
 
-	info.Parameters.PlaybooksParams.ViewEnabled = true
-	info.Parameters.PlaybooksParams.CreateLink = "/playbook/create"
-	info.Parameters.PlaybooksParams.EventFetchLimit = 500
-	info.Parameters.PlaybooksParams.EventItemsPerPage = 50
-	info.Parameters.PlaybooksParams.GroupFetchLimit = 50
-	info.Parameters.PlaybooksParams.MostRecentlyUsedLimit = 5
-	info.Parameters.PlaybooksParams.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
-	info.Parameters.PlaybooksParams.Queries = []*config.HuntingQuery{
-		{Query: "*"},
+	{
+		detection := &info.Parameters.DetectionParams
+
+		detection.Presets = map[string]config.PresetParameters{
+			"severity": {
+				CustomEnabled: false,
+				Labels:        []string{"low", "medium", "high"},
+			},
+			"engine": {
+				CustomEnabled: false,
+				Labels:        []string{"suricata", "yara", "elastalert"},
+			},
+		}
 	}
-	info.Parameters.PlaybooksParams.EventFields = map[string][]string{
-		"default": {
-			"soc_timestamp",
-			"so_playbook.title",
-			"so_playbook.publicId",
-			"so_playbook.mechanism",
-		},
+
+	{
+		playbooks := &info.Parameters.PlaybooksParams
+
+		playbooks.ViewEnabled = true
+		playbooks.CreateLink = "/playbook/create"
+		playbooks.EventFetchLimit = 500
+		playbooks.EventItemsPerPage = 50
+		playbooks.GroupFetchLimit = 50
+		playbooks.MostRecentlyUsedLimit = 5
+		playbooks.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+		playbooks.SafeStringMaxLength = 100
+		playbooks.Queries = []*config.HuntingQuery{
+			{Query: "*"},
+		}
+		playbooks.EventFields = map[string][]string{
+			"default": {
+				"soc_timestamp",
+				"so_playbook.title",
+				"so_playbook.publicId",
+				"so_playbook.mechanism",
+			},
+		}
 	}
 
 	web.Respond(w, r, http.StatusOK, info)
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index f200b7405..8b8fbeaf5 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -227,7 +227,7 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 		sortBySegment := segment.(*model.SortBySegment)
 		fields := sortBySegment.RawFields()
 		if len(fields) > 0 {
-			sorting := make([]map[string]map[string]string, 0, 0)
+			sorting := []map[string]map[string]string{}
 			for _, field := range fields {
 				newSort := make(map[string]map[string]string)
 				order := "desc"
@@ -260,7 +260,7 @@ func parseAggregation(name string, aggObj interface{}, keys []interface{}, resul
 	if buckets != nil {
 		metrics := results.Metrics[name]
 		if metrics == nil {
-			metrics = make([]*model.EventMetric, 0, 0)
+			metrics = []*model.EventMetric{}
 		}
 		for _, bucketObj := range buckets.([]interface{}) {
 			bucket := bucketObj.(map[string]interface{})
@@ -293,9 +293,9 @@ func parseAggregation(name string, aggObj interface{}, keys []interface{}, resul
 func flattenKeyValue(store *ElasticEventstore, fieldMap map[string]interface{}, prefix string, value map[string]interface{}) {
 	for key, value := range value {
 		flattenedKey := prefix + key
-		switch value.(type) {
+		switch v := value.(type) {
 		case map[string]interface{}:
-			flattenKeyValue(store, fieldMap, flattenedKey+".", value.(map[string]interface{}))
+			flattenKeyValue(store, fieldMap, flattenedKey+".", v)
 		default:
 			fieldMap[store.unmapElasticField(flattenedKey)] = value
 		}
@@ -650,81 +650,40 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
-				obj.IsReporting = value.(bool)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
-				obj.Description = value.(string)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
-				obj.IsEnabled = value.(bool)
-			}
-			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
-				obj.Engine = value.(string)
-			}
 			if value, ok := event.Payload[schemaPrefix+"detection.publicId"]; ok {
 				obj.PublicID = value.(string)
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
+				obj.Title = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.severity"]; ok {
 				obj.Severity = model.Severity(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
+				obj.Author = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.description"]; ok {
+				obj.Description = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.content"]; ok {
 				obj.Content = value.(string)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.author"]; ok {
-				obj.Author = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.isEnabled"]; ok {
+				obj.IsEnabled = value.(bool)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.title"]; ok {
-				obj.Title = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.isReporting"]; ok {
+				obj.IsReporting = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.isCommunity"]; ok {
+				obj.IsCommunity = value.(bool)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.note"]; ok {
+				obj.Note = value.(string)
 			}
-			// if value, ok := event.Payload[schemaPrefix+"artifact.caseId"]; ok {
-			// 	obj.CaseId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.groupType"]; ok {
-			// 	obj.GroupType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.groupId"]; ok {
-			// 	obj.GroupId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.description"]; ok {
-			// 	obj.Description = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.artifactType"]; ok {
-			// 	obj.ArtifactType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.streamLength"]; ok {
-			// 	obj.StreamLen = int(value.(float64))
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.streamId"]; ok {
-			// 	obj.StreamId = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.mimeType"]; ok {
-			// 	obj.MimeType = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.value"]; ok {
-			// 	obj.Value = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.tlp"]; ok {
-			// 	obj.Tlp = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.tags"]; ok && value != nil {
-			// 	obj.Tags = convertToStringArray(value.([]interface{}))
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.ioc"]; ok {
-			// 	obj.Ioc = value.(bool)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.md5"]; ok {
-			// 	obj.Md5 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.sha1"]; ok {
-			// 	obj.Sha1 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.sha256"]; ok {
-			// 	obj.Sha256 = value.(string)
-			// }
-			// if value, ok := event.Payload[schemaPrefix+"artifact.protected"]; ok {
-			// 	obj.Protected = value.(bool)
-			// }
+			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
+				obj.Engine = value.(string)
+			}
+
 			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
 		}
 	}
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index acd8eb3e6..651f2fe0a 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"sort"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/apex/log"
@@ -304,6 +305,10 @@ func (store *ElasticCasestore) validateDetection(detect *model.Detection) error
 		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
 	}
 
+	if err == nil && detect.Note != "" {
+		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	}
+
 	if err == nil {
 		_, okEngine := model.EnginesByName[detect.Engine]
 		if !okEngine {
@@ -981,36 +986,80 @@ func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string
 
 func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
 	err := store.validateDetection(detect)
-	if err == nil {
-		if detect.Id == "" {
-			err = errors.New("Missing detection onion ID")
-			return nil, err
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id == "" {
+		err = errors.New("Missing detection onion ID")
+		return nil, err
+	}
+
+	var old *model.Detection
+	old, err = store.GetDetection(ctx, detect.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	var results *model.EventIndexResults
+
+	// Preserve read-only fields
+	detect.CreateTime = old.CreateTime
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err != nil {
+		return nil, err
+	}
+	// Read object back to get new modify date, etc
+	return store.GetDetection(ctx, results.DocumentId)
+}
+
+func (store *ElasticCasestore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
+	var modified bool
+
+	detect, err := store.GetDetection(ctx, id)
+	if err != nil {
+		return nil, false, err
+	}
+
+	switch strings.ToLower(field) {
+	case "isenabled":
+		bVal, ok := value.(bool)
+		if !ok {
+			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
 		}
 
-		var old *model.Detection
-		old, err = store.GetDetection(ctx, detect.Id)
-		if err == nil {
-			var results *model.EventIndexResults
+		if detect.IsEnabled != bVal {
+			detect.IsEnabled = bVal
+			modified = true
+		}
+	}
 
-			// Preserve read-only fields
-			detect.CreateTime = old.CreateTime
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, false, err
+	}
 
-			results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-			if err == nil {
-				// Read object back to get new modify date, etc
-				detect, err = store.GetDetection(ctx, results.DocumentId)
-			}
+	if modified {
+		var results *model.EventIndexResults
+
+		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+		if err == nil {
+			// Read object back to get new modify date, etc
+			detect, err = store.GetDetection(ctx, results.DocumentId)
 		}
 	}
 
-	return detect, err
+	return detect, modified, err
 }
 
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) error {
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
 	detect, err := store.GetDetection(ctx, onionID)
-	if err == nil {
-		err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err != nil {
+		return nil, err
 	}
 
-	return err
+	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	return detect, err
 }
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index 9d8357e8c..f41d09181 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -157,6 +157,10 @@ func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *mode
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *ElasticCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index f74c58a93..1fac51103 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -162,6 +162,10 @@ func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.D
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *HttpCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 04740aa10..99ad5041f 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -154,6 +154,10 @@ func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *mode
 	return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) error {
-	return errors.New("Unsupported operation by this module")
+func (store *TheHiveCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
+	return nil, false, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
+	return nil, errors.New("Unsupported operation by this module")
 }
diff --git a/server/server.go b/server/server.go
index 1894bb1c5..5080baf4e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -736,15 +736,3 @@ func (server *Server) GetTimezones() []string {
 	}
 	return zones
 }
-
-func Ptr[T any](x T) *T {
-	return &x
-}
-
-func Copy[T any](x *T) *T {
-	if x == nil {
-		return nil
-	}
-
-	return Ptr(*x)
-}
diff --git a/util/ptr.go b/util/ptr.go
new file mode 100644
index 000000000..fe1477027
--- /dev/null
+++ b/util/ptr.go
@@ -0,0 +1,13 @@
+package util
+
+func Ptr[T any](x T) *T {
+	return &x
+}
+
+func Copy[T any](x *T) *T {
+	if x == nil {
+		return nil
+	}
+
+	return Ptr(*x)
+}

From 8963f20821179abb180a5ff047d012623255ae81 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 8 Sep 2023 15:24:33 -0600
Subject: [PATCH 050/102] WIP: Suricata Rule Parsing

Enabling/Disabling rules that use flowbits is different than rules that don't.

Parsing needs testing, currently failing because the rule I'm testing with uses angled quotes instead of straight quotes.

Can now delete a Detection from the UI.

UI now performs some light validation before saving a Detection.
---
 html/index.html                             |  13 +-
 html/js/i18n.js                             |   4 +
 html/js/routes/detection.js                 |  46 ++++-
 model/detection.go                          |  20 --
 server/detectionhandler.go                  | 203 +++++++++++++++++++-
 server/modules/elastic/elasticeventstore.go |   4 +-
 syntax/suricata.go                          | 156 +++++++++++++++
 7 files changed, 409 insertions(+), 37 deletions(-)
 create mode 100644 syntax/suricata.go

diff --git a/html/index.html b/html/index.html
index c3efa8425..ef99cdc6b 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1063,6 +1063,9 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
                       {{i18n.duplicate}}
                     </v-btn>
+                    <v-btn v-if="!isNew()" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
+                      {{i18n.delete}}
+                    </v-btn>
                   </div>
                 </div>
               </v-tab-item>
@@ -1071,7 +1074,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- PublicID -->
                   <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId">
-                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
+                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
                     </template>
                   </v-text-field>
                   <!-- Author -->
@@ -1079,7 +1082,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Severity -->
                   <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                 </div>
-                <!-- <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
@@ -1088,14 +1091,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                       {{i18n.update}}
                     </v-btn>
                   </div>
-                </div> -->
+                </div>
               </v-tab-item>
               <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Notes -->
                   <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
@@ -1111,7 +1114,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Signature -->
                   <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
-                <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 709fae654..f9dcbe00d 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -358,6 +358,7 @@ const i18n = {
       firstName: 'First Name',
       flags: 'Flags',
       gigabytes: 'GB',
+      generate: 'Generate',
       graphs: 'Graphs',
       grid: 'Grid',
       gridEps: 'Grid EPS:',
@@ -694,6 +695,9 @@ const i18n = {
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
       showTable: 'Show table',
+      sidMissingErr: "This suricata rule is missing it's SID.",
+      sidMultipleErr: 'Suricata rules can only specify one SID.',
+      sidMismatchErr: "The SID in this suricata rule must match the detection's Public ID.",
       signature: 'Signature',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5fd098061..cb29827cc 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -157,8 +157,22 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
-			this.$refs['detection'].validate();
-			if (!this.editForm.valid) return;
+			if (this.isNew()) {
+				this.$refs['detection'].validate();
+				if (!this.editForm.valid) return;
+			}
+
+			switch (this.detect.engine) {
+				case 'yara':
+					this.validateYara();
+					break;
+				case 'sigma':
+					this.validateSigma();
+					break;
+				case 'suricata':
+					this.validateSuricata();
+					break;
+			}
 
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
@@ -173,6 +187,34 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
 			this.$router.push({name: 'detection', params: {id: response.data.id}});
 		},
+		async deleteDetection() {
+			await this.$root.papi.delete('/detection/' + encodeURIComponent(this.$route.params.id));
+			this.$router.push({ name: 'detections' });
+		},
+		validateYara() { },
+		validateSigma() {},
+		validateSuricata() {
+			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
+			const results = sidExtract.exec(this.detect.content);
+
+			if (!results || results.length < 2) {
+				// sid not present in rule
+				this.$root.showError(this.i18n.sidMissingErr);
+				return;
+			} else if (results && results.length > 2) {
+				// multiple sids present in rule
+				this.$root.showError(this.i18n.sidMultipleErr);
+				return;
+			}
+
+			const sid = results[1];
+
+			if (this.detect.publicId !== sid) {
+				// sid doesn't match metadata
+				this.$root.showError(this.i18n.sidMismatchErr);
+				return;
+			}
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/model/detection.go b/model/detection.go
index 4d3f06a1c..8d3f8c912 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -91,23 +91,3 @@ func (detect *Detection) Validate() error {
 
 	return nil
 }
-
-func SyncDetections(detections []*Detection) error {
-	byEngine := map[EngineName][]*Detection{}
-	for _, detect := range detections {
-		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
-	}
-
-	if len(byEngine[EngineNameSuricata]) > 0 {
-		err := syncSuricata(byEngine[EngineNameSuricata])
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func syncSuricata(detections []*Detection) error {
-	return nil
-}
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 56806f1bd..fef9141e7 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -7,16 +7,23 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
+	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/syntax"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
 )
 
+var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -76,12 +83,17 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
+	if len(errMap) != 0 {
+		web.Respond(w, r, http.StatusInternalServerError, errMap)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
@@ -131,12 +143,17 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
+	if len(errMap) != 0 {
+		web.Respond(w, r, http.StatusInternalServerError, errMap)
+		return
+	}
+
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
@@ -151,13 +168,13 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	err = model.SyncDetections([]*model.Detection{old})
+	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	web.Respond(w, r, http.StatusOK, nil)
+	web.Respond(w, r, http.StatusOK, errMap)
 }
 
 func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Request) {
@@ -202,11 +219,181 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		}
 	}
 
-	err = model.SyncDetections(modified)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
+	if len(modified) != 0 {
+		addErrMap, err := SyncDetections(ctx, h.server.Configstore, modified)
+		if err != nil {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+			return
+		}
+
+		// merge error maps
+		for k, v := range addErrMap {
+			origK, hasK := errMap[k]
+			if hasK {
+				errMap[k] = fmt.Sprintf("%s; %s", origK, v)
+			} else {
+				errMap[k] = v
+			}
+		}
 	}
 
 	web.Respond(w, r, http.StatusOK, errMap)
 }
+
+func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	byEngine := map[model.EngineName][]*model.Detection{}
+	for _, detect := range detections {
+		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
+	}
+
+	if len(byEngine[model.EngineNameSuricata]) > 0 {
+		errMap, err = syncSuricata(ctx, cfgStore, byEngine[model.EngineNameSuricata])
+		if err != nil {
+			return errMap, err
+		}
+	}
+
+	return errMap, nil
+}
+
+func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (map[string]string, error) {
+	allSettings, err := cfgStore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	local := settingByID(allSettings, "idstools.rules.local__rules")
+	if local == nil {
+		return nil, fmt.Errorf("unable to find local rules setting")
+	}
+
+	enabled := settingByID(allSettings, "idstools.sids.enabled")
+	if enabled == nil {
+		return nil, fmt.Errorf("unable to find enabled setting")
+	}
+
+	localLines := strings.Split(local.Value, "\n")
+	enabledLines := strings.Split(enabled.Value, "\n")
+
+	localIndex := indexRules(localLines)
+	enabledIndex := indexSIDs(enabledLines)
+
+	errMap := map[string]string{} // map[sid]error
+
+	for _, detect := range detections {
+		parsedRule, err := syntax.ParseSuricataRule(detect.Content)
+		if err != nil {
+			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
+			continue
+		}
+
+		opt, ok := parsedRule.GetOption("sid")
+		if !ok || opt == nil {
+			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
+			continue
+		}
+
+		sid := *opt
+		_, isFlowbits := parsedRule.GetOption("flowbits")
+
+		_ = isFlowbits
+
+		lineNum, inLocal := localIndex[sid]
+		if !inLocal {
+			localLines = append(localLines, detect.Content)
+			lineNum = len(localLines) - 1
+			localIndex[sid] = lineNum
+		} else {
+			localLines[lineNum] = detect.Content
+		}
+
+		lineNum, inEnabled := enabledIndex[sid]
+		if !inEnabled {
+			line := detect.PublicID
+			if !detect.IsEnabled {
+				line = "# " + line
+			}
+
+			enabledLines = append(enabledLines, line)
+			lineNum = len(enabledLines) - 1
+			enabledIndex[sid] = lineNum
+		} else {
+			line := detect.PublicID
+			if !detect.IsEnabled {
+				line = "# " + line
+			}
+
+			enabledLines[lineNum] = line
+		}
+	}
+
+	local.Value = strings.Join(localLines, "\n")
+	enabled.Value = strings.Join(enabledLines, "\n")
+
+	err = cfgStore.UpdateSetting(ctx, local, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = cfgStore.UpdateSetting(ctx, enabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	return errMap, nil
+}
+
+func settingByID(all []*model.Setting, id string) *model.Setting {
+	found, ok := lo.Find(all, func(s *model.Setting) bool {
+		return s.Id == id
+	})
+	if !ok {
+		return nil
+	}
+
+	return found
+}
+
+func extractSID(rule string) *string {
+	sids := sidExtracter.FindStringSubmatch(rule)
+	if len(sids) != 2 { // 0: Full Match, 1: Capture Group
+		return nil
+	}
+
+	return util.Ptr(strings.TrimSpace(sids[1]))
+}
+
+func indexRules(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		sid := extractSID(line)
+		if sid == nil {
+			continue
+		}
+
+		index[*sid] = i
+	}
+
+	return index
+}
+
+func indexSIDs(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+
+		if line != "" {
+			index[line] = i
+		}
+	}
+
+	return index
+}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 7207307fa..f2f7db717 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -580,8 +580,8 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 
 	query := fmt.Sprintf(`
     {
-      "query" : { 
-        "bool": { 
+      "query" : {
+        "bool": {
           "must": [
             { "match" : { "%s" : "%s" }}%s
           ]
diff --git a/syntax/suricata.go b/syntax/suricata.go
new file mode 100644
index 000000000..90ca8af83
--- /dev/null
+++ b/syntax/suricata.go
@@ -0,0 +1,156 @@
+package syntax
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+type SuricataRule struct {
+	Action      string
+	Protocol    string
+	Source      string
+	Direction   string
+	Destination string
+	Options     []*RuleOption
+}
+
+type RuleOption struct {
+	Name  string
+	Value *string
+}
+
+type state int
+
+const (
+	stateAction state = iota
+	stateProtocol
+	stateSource
+	stateDirection
+	stateDestination
+	stateOptions
+)
+
+func ParseSuricataRule(rule string) (*SuricataRule, error) {
+	r := strings.NewReader(rule)
+	curState := stateAction
+	buf := strings.Builder{}
+	inQuotes := false
+	isEscaping := false
+
+	out := &SuricataRule{
+		Options: []*RuleOption{},
+	}
+
+	for r.Len() != 0 {
+		// TODO: Parse Source and Destination into Address and Ports
+		ch, _, _ := r.ReadRune()
+
+		switch curState {
+		case stateAction:
+			if ch == ' ' {
+				out.Action = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateProtocol
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateProtocol:
+			if ch == ' ' {
+				out.Protocol = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateSource
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateSource:
+			if ch == '<' || ch == '-' {
+				out.Source = strings.TrimSpace(buf.String())
+				buf.Reset()
+				buf.WriteRune(ch)
+				curState = stateDirection
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateDirection:
+			if ch == ' ' {
+				out.Direction = strings.TrimSpace(buf.String())
+				if out.Direction != "<>" && out.Direction != "->" {
+					return nil, fmt.Errorf("invalid direction, must be '<>' or '->', got %s", out.Direction)
+				}
+
+				buf.Reset()
+				curState = stateDestination
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateDestination:
+			if ch == '(' {
+				out.Destination = strings.TrimSpace(buf.String())
+				buf.Reset()
+				curState = stateOptions
+			} else {
+				buf.WriteRune(ch)
+			}
+		case stateOptions:
+			if ch == ')' && !inQuotes && !isEscaping {
+				if r.Len() != 0 {
+					// end of options, but not end of rule?
+					return nil, fmt.Errorf("invalid rule, expected end of rule, got %d more bytes", r.Len())
+				}
+			} else if ch == ';' && !inQuotes && !isEscaping {
+				option := strings.TrimSpace(buf.String())
+				buf.Reset()
+
+				split := strings.SplitN(option, ":", 2)
+				opt := &RuleOption{
+					Name: strings.TrimSpace(split[0]),
+				}
+
+				if len(split) == 2 {
+					opt.Value = util.Ptr(strings.TrimSpace(split[1]))
+				}
+
+				out.Options = append(out.Options, opt)
+			} else if ch == '"' { // TODO: current test rule has angled quotes, needs fixing
+				buf.WriteRune(ch)
+				if isEscaping {
+					isEscaping = false
+				} else {
+					inQuotes = !inQuotes
+				}
+			} else if ch == '\\' {
+				isEscaping = true
+				buf.WriteRune(ch)
+			} else {
+				buf.WriteRune(ch)
+			}
+		}
+	}
+
+	return out, nil
+}
+
+func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
+	for _, opt := range rule.Options {
+		if opt.Name == key {
+			return opt.Value, true
+		}
+	}
+
+	return nil, false
+}
+
+func (rule *SuricataRule) String() string {
+	opts := make([]string, 0, len(rule.Options))
+	for _, opt := range rule.Options {
+		if opt.Value == nil {
+			opts = append(opts, fmt.Sprintf("%s;", opt.Name))
+		} else {
+			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, *opt.Value))
+		}
+	}
+
+	return fmt.Sprintf("%s %s %s %s %s (%s)", rule.Action, rule.Protocol, rule.Source, rule.Direction, rule.Destination, strings.Join(opts, " "))
+}

From 1baa496f6fccdfe4c2f1e6a398130146a9d4d39e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 19 Sep 2023 18:27:51 -0600
Subject: [PATCH 051/102] WIP: alerts

---
 html/js/routes/detection.js | 35 +++++++++++++++-------
 server/detectionhandler.go  | 60 +++++++++++++++++++++++++++++++------
 2 files changed, 75 insertions(+), 20 deletions(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index cb29827cc..a1d346eb9 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -162,18 +162,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				if (!this.editForm.valid) return;
 			}
 
+			let err;
 			switch (this.detect.engine) {
 				case 'yara':
-					this.validateYara();
+					err = this.validateYara();
 					break;
 				case 'sigma':
-					this.validateSigma();
+					err = this.validateSigma();
 					break;
 				case 'suricata':
-					this.validateSuricata();
+					err = this.validateSuricata();
 					break;
 			}
 
+			if (err) {
+				this.$root.showError(err);
+				return;
+			}
+
 			if (createNew) {
 				this.$root.papi.post('/detection', this.detect);
 			} else {
@@ -191,29 +197,36 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			await this.$root.papi.delete('/detection/' + encodeURIComponent(this.$route.params.id));
 			this.$router.push({ name: 'detections' });
 		},
-		validateYara() { },
-		validateSigma() {},
+		validateYara() {
+			return null;
+		},
+		validateSigma() {
+			return null;
+		},
 		validateSuricata() {
 			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
 			const results = sidExtract.exec(this.detect.content);
 
 			if (!results || results.length < 2) {
 				// sid not present in rule
-				this.$root.showError(this.i18n.sidMissingErr);
-				return;
+				return this.i18n.sidMissingErr;
 			} else if (results && results.length > 2) {
 				// multiple sids present in rule
-				this.$root.showError(this.i18n.sidMultipleErr);
-				return;
+				return this.i18n.sidMultipleErr;
 			}
 
 			const sid = results[1];
 
 			if (this.detect.publicId !== sid) {
 				// sid doesn't match metadata
-				this.$root.showError(this.i18n.sidMismatchErr);
-				return;
+				return this.i18n.sidMismatchErr;
 			}
+
+			// normalize quotes
+			this.detect.content = this.detect.content.replaceAll('”', '"');
+			this.detect.content = this.detect.content.replaceAll('“', '"');
+
+			return null;
 		},
 		print(x) {
 			console.log(x);
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index fef9141e7..bc8c6b696 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -24,6 +24,8 @@ import (
 
 var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
 
+const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -278,11 +280,18 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return nil, fmt.Errorf("unable to find enabled setting")
 	}
 
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
 
-	localIndex := indexRules(localLines)
-	enabledIndex := indexSIDs(enabledLines)
+	localIndex := indexLocal(localLines)
+	enabledIndex := indexEnabled(enabledLines)
+	modifyIndex := indexModified(modifyLines)
 
 	errMap := map[string]string{} // map[sid]error
 
@@ -302,8 +311,6 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		sid := *opt
 		_, isFlowbits := parsedRule.GetOption("flowbits")
 
-		_ = isFlowbits
-
 		lineNum, inLocal := localIndex[sid]
 		if !inLocal {
 			localLines = append(localLines, detect.Content)
@@ -316,7 +323,7 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		lineNum, inEnabled := enabledIndex[sid]
 		if !inEnabled {
 			line := detect.PublicID
-			if !detect.IsEnabled {
+			if !detect.IsEnabled && !isFlowbits {
 				line = "# " + line
 			}
 
@@ -325,16 +332,32 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 			enabledIndex[sid] = lineNum
 		} else {
 			line := detect.PublicID
-			if !detect.IsEnabled {
+			if !detect.IsEnabled && !isFlowbits {
 				line = "# " + line
 			}
 
 			enabledLines[lineNum] = line
 		}
+
+		if isFlowbits {
+			lineNum, inModify := modifyIndex[sid]
+			if !inModify && !detect.IsEnabled {
+				// not in the modify file, but should be
+				line := fmt.Sprintf("%s %s", detect.PublicID, suricataModifyFromTo)
+				modifyLines = append(modifyLines, line)
+				lineNum = len(modifyLines) - 1
+				modifyIndex[sid] = lineNum
+			} else if inModify && detect.IsEnabled {
+				// in modify, but shouldn't be
+				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				delete(modifyIndex, sid)
+			}
+		}
 	}
 
 	local.Value = strings.Join(localLines, "\n")
 	enabled.Value = strings.Join(enabledLines, "\n")
+	modify.Value = strings.Join(modifyLines, "\n")
 
 	err = cfgStore.UpdateSetting(ctx, local, false)
 	if err != nil {
@@ -346,6 +369,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return errMap, err
 	}
 
+	err = cfgStore.UpdateSetting(ctx, modify, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	return errMap, nil
 }
 
@@ -369,7 +397,7 @@ func extractSID(rule string) *string {
 	return util.Ptr(strings.TrimSpace(sids[1]))
 }
 
-func indexRules(lines []string) map[string]int {
+func indexLocal(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
@@ -384,12 +412,11 @@ func indexRules(lines []string) map[string]int {
 	return index
 }
 
-func indexSIDs(lines []string) map[string]int {
+func indexEnabled(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
 		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-
 		if line != "" {
 			index[line] = i
 		}
@@ -397,3 +424,18 @@ func indexSIDs(lines []string) map[string]int {
 
 	return index
 }
+
+func indexModified(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, " \t"))
+		parts := strings.SplitN(line, " ", 2)
+
+		if strings.Contains(line, suricataModifyFromTo) {
+			index[parts[0]] = i
+		}
+	}
+
+	return index
+}

From 11e1b0981e0f70b6c1524274108d0e6fe0d03998 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 21 Sep 2023 16:33:01 -0600
Subject: [PATCH 052/102] WIP: Various improvements

Properly adds SIDs to disabled file.

MinLength now set in UI to match server requirement of 5.

After creating a detection, you're taken to the edit page for that detection instead of being left at a filled in create page.

If creating fails, a banner is shown.

Case insensitive sidExtractor. The extractSID function now returns nil if more than 1 SID is specified.

Tests for pure functions.
---
 html/index.html                 |   6 +-
 html/js/routes/detection.js     |  41 ++++----
 server/detectionhandler.go      |  52 ++++++++--
 server/detectionhandler_test.go | 164 ++++++++++++++++++++++++++++++++
 4 files changed, 235 insertions(+), 28 deletions(-)
 create mode 100644 server/detectionhandler_test.go

diff --git a/html/index.html b/html/index.html
index ef99cdc6b..462c7a8d2 100644
--- a/html/index.html
+++ b/html/index.html
@@ -970,15 +970,15 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <div class="main col-md-9 order-md-1 col-12 order-2">
-            <!-- Edit View -->
             <div v-if="isNew()">
+              <!-- Create View -->
               <v-form ref="detection" v-model="editForm.valid">
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Description -->
                   <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1072,7 +1072,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="details">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
                     </template>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index a1d346eb9..e88abc266 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -17,14 +17,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		editField: null,
 		editForm: { valid: true },
 		rules: {
-      required: value => (value && value.length > 0) || this.$root.i18n.required,
-      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
-      hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
-      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
-      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
-      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
-      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
-      fileRequired: value => (value != null) || this.$root.i18n.required,
+			required: value => (value && value.length > 0) || this.$root.i18n.required,
+			number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+			hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
+			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+			fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
@@ -154,7 +155,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.origValue = null;
 			this.editField = null;
 		},
-		saveDetection(createNew) {
+		async saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
 			if (this.isNew()) {
@@ -180,14 +181,22 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				return;
 			}
 
-			if (createNew) {
-				this.$root.papi.post('/detection', this.detect);
-			} else {
-				this.$root.papi.put('/detection', this.detect);
-			}
-			this.origDetect = Object.assign({}, this.detect);
+			try {
+				let response;
+				if (createNew) {
+					response = await this.$root.papi.post('/detection', this.detect);
+				} else {
+					response = await this.$root.papi.put('/detection', this.detect);
+				}
+
+				this.origDetect = Object.assign({}, this.detect);
 
-			this.$root.showTip(this.i18n.saveSuccess);
+				this.$root.showTip(this.i18n.saveSuccess);
+
+				this.$router.push({name: 'detection', params: {id: response.data.id}});
+			} catch (error) {
+				this.$root.showError(error);
+			}
 		},
 		async duplicateDetection() {
 			const response = await this.$root.papi.post('/detection/' + encodeURIComponent(this.$route.params.id) + '/duplicate');
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index bc8c6b696..dc17abda2 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -22,7 +22,7 @@ import (
 	"github.com/go-chi/chi"
 )
 
-var sidExtracter = regexp.MustCompile(`\bsid: ?['"]?(.*?)['"]?;`)
+var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 
 const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
 
@@ -280,6 +280,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return nil, fmt.Errorf("unable to find enabled setting")
 	}
 
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
 	modify := settingByID(allSettings, "idstools.sids.modify")
 	if modify == nil {
 		return nil, fmt.Errorf("unable to find modify setting")
@@ -287,11 +292,13 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
+	disabledLines := strings.Split(disabled.Value, "\n")
 	modifyLines := strings.Split(modify.Value, "\n")
 
 	localIndex := indexLocal(localLines)
 	enabledIndex := indexEnabled(enabledLines)
-	modifyIndex := indexModified(modifyLines)
+	disabledIndex := indexEnabled(disabledLines)
+	modifyIndex := indexModify(modifyLines)
 
 	errMap := map[string]string{} // map[sid]error
 
@@ -339,6 +346,27 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 			enabledLines[lineNum] = line
 		}
 
+		if !isFlowbits {
+			lineNum, inDisabled := disabledIndex[sid]
+			if !inDisabled {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines = append(disabledLines, line)
+				lineNum = len(disabledLines) - 1
+				disabledIndex[sid] = lineNum
+			} else {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines[lineNum] = line
+			}
+		}
+
 		if isFlowbits {
 			lineNum, inModify := modifyIndex[sid]
 			if !inModify && !detect.IsEnabled {
@@ -357,6 +385,7 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 
 	local.Value = strings.Join(localLines, "\n")
 	enabled.Value = strings.Join(enabledLines, "\n")
+	disabled.Value = strings.Join(disabledLines, "\n")
 	modify.Value = strings.Join(modifyLines, "\n")
 
 	err = cfgStore.UpdateSetting(ctx, local, false)
@@ -369,6 +398,11 @@ func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model
 		return errMap, err
 	}
 
+	err = cfgStore.UpdateSetting(ctx, disabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	err = cfgStore.UpdateSetting(ctx, modify, false)
 	if err != nil {
 		return errMap, err
@@ -389,12 +423,12 @@ func settingByID(all []*model.Setting, id string) *model.Setting {
 }
 
 func extractSID(rule string) *string {
-	sids := sidExtracter.FindStringSubmatch(rule)
-	if len(sids) != 2 { // 0: Full Match, 1: Capture Group
+	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
+	if len(sids) != 1 { // 1 match = 1 sid
 		return nil
 	}
 
-	return util.Ptr(strings.TrimSpace(sids[1]))
+	return util.Ptr(strings.TrimSpace(sids[0][1]))
 }
 
 func indexLocal(lines []string) map[string]int {
@@ -425,14 +459,14 @@ func indexEnabled(lines []string) map[string]int {
 	return index
 }
 
-func indexModified(lines []string) map[string]int {
+func indexModify(lines []string) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, " \t"))
-		parts := strings.SplitN(line, " ", 2)
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
 
-		if strings.Contains(line, suricataModifyFromTo) {
+		if strings.HasSuffix(line, suricataModifyFromTo) {
+			parts := strings.SplitN(line, " ", 2)
 			index[parts[0]] = i
 		}
 	}
diff --git a/server/detectionhandler_test.go b/server/detectionhandler_test.go
new file mode 100644
index 000000000..f1be97606
--- /dev/null
+++ b/server/detectionhandler_test.go
@@ -0,0 +1,164 @@
+package server
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSettingByID(t *testing.T) {
+	allSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+	byId := map[string]*model.Setting{
+		"1": allSettings[0],
+		"2": allSettings[1],
+		"3": allSettings[2],
+	}
+
+	table := []struct {
+		Name          string
+		SettingID     string
+		ExpectedValue *string
+	}{
+		{Name: "Get 1", SettingID: "1", ExpectedValue: util.Ptr("one")},
+		{Name: "Get 2", SettingID: "2", ExpectedValue: util.Ptr("two")},
+		{Name: "Get 3", SettingID: "3", ExpectedValue: util.Ptr("three")},
+		{Name: "Get 4", SettingID: "4", ExpectedValue: nil},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			value := settingByID(allSettings, test.SettingID)
+			if test.ExpectedValue == nil {
+				assert.Nil(t, value)
+			} else {
+				assert.Equal(t, *test.ExpectedValue, value.Value)
+				assert.Same(t, value, byId[test.SettingID])
+			}
+		})
+	}
+}
+
+func TestExtractSID(t *testing.T) {
+	table := []struct {
+		Name   string
+		Input  string
+		Output *string
+	}{
+		{Name: "Simple SID", Input: "sid:10000;", Output: util.Ptr("10000")},
+		{Name: "Empty SID", Input: "sid: ;", Output: util.Ptr("")},
+		{Name: "Capital SID", Input: "SID:10000;", Output: util.Ptr("10000")},
+		{Name: "UUID SID", Input: "sid: 82ca7105-9001-40b7-a8cc-4eaebaf17815;", Output: util.Ptr("82ca7105-9001-40b7-a8cc-4eaebaf17815")},
+		{Name: "No SID", Input: "nid: 10000", Output: nil},
+		{Name: "Single-Quoted SID", Input: "sid: '10000';", Output: util.Ptr("10000")},
+		{Name: "Double-Quoted SID", Input: `sid:"10000";`, Output: util.Ptr("10000")},
+		{Name: "Single-Quoted Empty SID", Input: "sid:'';", Output: util.Ptr("")},
+		{Name: "Double-Quoted Empty SID", Input: `sid: "";`, Output: util.Ptr("")},
+		{Name: "Multiple SIDs", Input: "sid: 10000; sid: 10001;", Output: nil},
+		{Name: "Sample Rule", Input: `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`, Output: util.Ptr("60000")},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			output := extractSID(test.Input)
+			assert.Equal(t, test.Output, output)
+		})
+	}
+}
+
+func TestIndexLocal(t *testing.T) {
+	lines := []string{
+		"sid: 10000;",
+		" ",
+		"# sid: 20000;",
+		"sid: 30000;",
+		"# 40000", // note: extractSID won't find anything here
+		"50000",
+	}
+
+	output := indexLocal(lines)
+	assert.Equal(t, 3, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.NotContains(t, output, "40000")
+	assert.NotContains(t, output, "50000")
+}
+
+func TestIndexEnabled(t *testing.T) {
+	lines := []string{
+		"10000",
+		" ",
+		"# 20000   ",
+		"30000 ",
+		"#   40000", // note: extractSID won't find anything here
+		"   50000",
+		" not a number ",
+		"#  24adee9b-6010-46ed-9c4a-9cb7a9c972a1",
+	}
+
+	output := indexEnabled(lines)
+
+	assert.Equal(t, 7, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.Contains(t, output, "40000")
+	assert.Equal(t, output["40000"], 4)
+	assert.Contains(t, output, "50000")
+	assert.Equal(t, output["50000"], 5)
+	assert.Contains(t, output, "not a number")
+	assert.Equal(t, output["not a number"], 6)
+	assert.Contains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
+	assert.Equal(t, output["24adee9b-6010-46ed-9c4a-9cb7a9c972a1"], 7)
+}
+
+func TestIndexModify(t *testing.T) {
+	lines := []string{
+		`90000 this that`,
+		`10000 "flowbits" "noalert; flowbits"`,
+		`# 20000 "flowbits" "noalert; flowbits"`,
+		`30000 "flowbits" "noalert; flowbits" # we'll turn this on later`,
+		`# An unrelated comment`,
+		`a83ba97b-a8e8-4258-be1b-022aff230e6e "flowbits" "noalert; flowbits"`,
+		` # 23220e49-7229-43a1-92d5-d68e46d27105 "flowbits" "noalert; flowbits"`,
+		`e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5 that this`,
+	}
+
+	// Reminder: We only care about the lines that the API has added,
+	// if a line doesn't end with suricataModifyFromTo (`"flowbits" "noalert; flowbits"`)
+	// then it's a line we don't want to touch.
+
+	output := indexModify(lines)
+
+	assert.Equal(t, 4, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 1)
+	assert.Contains(t, output, "20000")
+	assert.Equal(t, output["20000"], 2)
+	assert.Contains(t, output, "a83ba97b-a8e8-4258-be1b-022aff230e6e")
+	assert.Equal(t, output["a83ba97b-a8e8-4258-be1b-022aff230e6e"], 5)
+	assert.Contains(t, output, "23220e49-7229-43a1-92d5-d68e46d27105")
+	assert.Equal(t, output["23220e49-7229-43a1-92d5-d68e46d27105"], 6)
+	assert.NotContains(t, output, "90000")
+	assert.NotContains(t, output, "30000")
+	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
+}

From d46987d91421e9e2551c18557458a1aa935b0a18 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 22 Sep 2023 15:05:47 -0600
Subject: [PATCH 053/102] WIP: Tests

Added MemConfigStore to facilitate testing.

Test rule parsing, enabling/disabling of rules, and various helper functions.
---
 server/detectionhandler_test.go  |  51 +++++++++++++
 server/memconfigstore.go         |  46 ++++++++++++
 server/memconfigstore_test.go    | 112 ++++++++++++++++++++++++++++
 server/modules/salt/saltstore.go |   3 +-
 syntax/suricata_test.go          | 124 +++++++++++++++++++++++++++++++
 5 files changed, 335 insertions(+), 1 deletion(-)
 create mode 100644 server/memconfigstore.go
 create mode 100644 server/memconfigstore_test.go
 create mode 100644 syntax/suricata_test.go

diff --git a/server/detectionhandler_test.go b/server/detectionhandler_test.go
index f1be97606..e1449f03f 100644
--- a/server/detectionhandler_test.go
+++ b/server/detectionhandler_test.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -162,3 +163,53 @@ func TestIndexModify(t *testing.T) {
 	assert.NotContains(t, output, "30000")
 	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
 }
+
+func TestSyncSuricata(t *testing.T) {
+	emptySettings := []*model.Setting{
+		{Id: "idstools.rules.local__rules"},
+		{Id: "idstools.rules.enabled"},
+		{Id: "idstools.rules.disabled"},
+		{Id: "idstools.rules.modify"},
+	}
+	table := []struct {
+		Name string
+		InitialSettings []*model.Setting
+		Detections []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
+		ExpectedSettings map[string]string
+		ExpectedErr error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Simple Add",
+			InitialSettings: emptySettings,
+			Detections: []*model.Detection{
+				{},
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			mCfgStore := NewMemConfigStore(test.InitialSettings)
+
+			errMap, err := syncSuricata(ctx, mCfgStore, test.Detections)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+
+			set, err := mCfgStore.GetSettings(ctx)
+			assert.NoError(t, err)
+
+			for id, expectedValue := range test.ExpectedSettings {
+				setting := settingByID(set, id)
+				assert.NotNil(t, setting)
+				assert.Equal(t, expectedValue, setting.Value)
+			}
+		})
+	}
+}
\ No newline at end of file
diff --git a/server/memconfigstore.go b/server/memconfigstore.go
new file mode 100644
index 000000000..c0dcddc0e
--- /dev/null
+++ b/server/memconfigstore.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"context"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type MemConfigStore struct {
+	settings []*model.Setting
+}
+
+func NewMemConfigStore(settings []*model.Setting) *MemConfigStore {
+	return &MemConfigStore{
+		settings: settings,
+	}
+}
+
+func (m *MemConfigStore) GetSettings(ctx context.Context) ([]*model.Setting, error) {
+	return m.settings, nil
+}
+
+func (m *MemConfigStore) UpdateSetting(ctx context.Context, setting *model.Setting, remove bool) error {
+	_, index, ok := lo.FindIndexOf(m.settings, func(s *model.Setting) bool {
+		return s.Id == setting.Id
+	})
+
+	if remove {
+		if ok {
+			m.settings = append(m.settings[:index], m.settings[index+1:]...)
+		}
+	} else {
+		if ok {
+			m.settings[index] = setting
+		} else {
+			m.settings = append(m.settings, setting)
+		}
+	}
+
+	return nil
+}
+
+func (m *MemConfigStore) SyncSettings(ctx context.Context) error {
+	return nil
+}
diff --git a/server/memconfigstore_test.go b/server/memconfigstore_test.go
new file mode 100644
index 000000000..c1d550a85
--- /dev/null
+++ b/server/memconfigstore_test.go
@@ -0,0 +1,112 @@
+package server
+
+import (
+	"context"
+	"testing"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMemConfigStoreNew(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	assert.Implements(t, (*Configstore)(nil), mCfgStore)
+
+	ctx := context.Background()
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Same(t, &origSettings[0], &set[0])
+}
+
+func TestMemConfigStoreUpdate(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "1", Value: "new"}, false)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 3)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "1"
+	})
+	assert.True(t, ok)
+	assert.Equal(t, "new", s.Value)
+}
+
+func TestMemConfigStoreUpdateAdd(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "4", Value: "four"}, false)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 4)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "4"
+	})
+	assert.True(t, ok)
+	assert.Equal(t, "four", s.Value)
+}
+
+func TestMemConfigStoreUpdateRemove(t *testing.T) {
+	origSettings := []*model.Setting{
+		{Id: "1", Value: "one"},
+		{Id: "2", Value: "two"},
+		{Id: "3", Value: "three"},
+	}
+
+	ctx := context.Background()
+	mCfgStore := NewMemConfigStore(origSettings)
+
+	err := mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "4"}, true)
+	assert.NoError(t, err)
+
+	set, err := mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 3)
+
+	err = mCfgStore.UpdateSetting(ctx, &model.Setting{Id: "2"}, true)
+	assert.NoError(t, err)
+
+	set, err = mCfgStore.GetSettings(ctx)
+	assert.NoError(t, err)
+	assert.Len(t, set, 2)
+
+	s, ok := lo.Find(set, func(s *model.Setting) bool {
+		return s.Id == "2"
+	})
+	assert.False(t, ok)
+	assert.Nil(t, s)
+}
+
+func TestMemConfigStoreSync(t *testing.T) {
+	mCfgStore := NewMemConfigStore(nil)
+	err := mCfgStore.SyncSettings(context.Background())
+	assert.NoError(t, err)
+}
diff --git a/server/modules/salt/saltstore.go b/server/modules/salt/saltstore.go
index b901ad5c8..75906edf5 100644
--- a/server/modules/salt/saltstore.go
+++ b/server/modules/salt/saltstore.go
@@ -17,13 +17,14 @@ import (
 	"strings"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/json"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/salt/options"
 	"github.com/security-onion-solutions/securityonion-soc/syntax"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
+	"github.com/apex/log"
 	"gopkg.in/yaml.v3"
 )
 
diff --git a/syntax/suricata_test.go b/syntax/suricata_test.go
new file mode 100644
index 000000000..f9b2d7f0f
--- /dev/null
+++ b/syntax/suricata_test.go
@@ -0,0 +1,124 @@
+package syntax
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/tj/assert"
+)
+
+func TestParseSuricata(t *testing.T) {
+	table := []struct {
+		Name   string
+		Input  string
+		Output *SuricataRule
+		Error  *string
+	}{
+		{
+			Name:  "Minimal Rule",
+			Input: `a b source port <> destination port ()`,
+			Output: &SuricataRule{
+				Action:      "a",
+				Protocol:    "b",
+				Source:      "source port",
+				Direction:   "<>",
+				Destination: "destination port",
+				Options:     []*RuleOption{},
+			},
+		},
+		{
+			Name:  "Bad Direction",
+			Input: `a b source port <- destination port ()`,
+			Error: util.Ptr("invalid direction, must be '<>' or '->', got <-"),
+		},
+		{
+			Name:  "Unnecessary Suffix",
+			Input: `a b source port <> destination port () x`,
+			Error: util.Ptr("invalid rule, expected end of rule, got 2 more bytes"),
+		},
+		{
+			Name:  "Escaped Option",
+			Input: `a b source port <> destination port (msg:"\\\"";)`,
+			Output: &SuricataRule{
+				Action:      "a",
+				Protocol:    "b",
+				Source:      "source port",
+				Direction:   "<>",
+				Destination: "destination port",
+				Options: []*RuleOption{
+					{Name: "msg", Value: util.Ptr(`"\\\""`)},
+				},
+			},
+		},
+		{
+			Name:  "Real rule",
+			Input: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+			Output: &SuricataRule{
+				Action:      "alert",
+				Protocol:    "http",
+				Source:      "any any",
+				Direction:   "->",
+				Destination: "any any",
+				Options: []*RuleOption{
+					{Name: "msg", Value: util.Ptr(`"GPL ATTACK_RESPONSE id check returned root"`)},
+					{Name: "content", Value: util.Ptr(`"uid=0|28|root|29|"`)},
+					{Name: "classtype", Value: util.Ptr("bad-unknown")},
+					{Name: "sid", Value: util.Ptr("2100498")},
+					{Name: "rev", Value: util.Ptr("7")},
+					{Name: "metadata", Value: util.Ptr("created_at 2010_09_23, updated_at 2010_09_23")},
+				},
+			},
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			rule, err := ParseSuricataRule(test.Input)
+			if test.Error != nil {
+				assert.Nil(t, rule)
+				assert.Equal(t, *test.Error, err.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.Output, rule)
+			}
+		})
+	}
+}
+
+func TestSuricataRule(t *testing.T) {
+	input := `a b source port <> destination port (msg:"\\\""; noalert; sid:12345; rev: "9"; )`
+
+	rule, err := ParseSuricataRule(input)
+	assert.NoError(t, err)
+
+	rule2, err := ParseSuricataRule(rule.String())
+	assert.NoError(t, err)
+
+	assert.Equal(t, rule, rule2)
+
+	opt, ok := rule.GetOption("msg")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, `"\\\""`, *opt)
+
+	opt, ok = rule.GetOption("sid")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, "12345", *opt)
+
+	opt, ok = rule.GetOption("rev")
+	assert.True(t, ok)
+	assert.NotNil(t, opt)
+	assert.Equal(t, `"9"`, *opt)
+
+	opt, ok = rule.GetOption("noalert")
+	assert.True(t, ok)
+	assert.Nil(t, opt)
+
+	opt, ok = rule.GetOption("notfound")
+	assert.False(t, ok)
+	assert.Nil(t, opt)
+}

From a239976b48f219a4d460a401dd526756ffbd3cc5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 25 Sep 2023 16:01:29 -0600
Subject: [PATCH 054/102] WIP: Modulaization and Elastic Index Change

Moved Casestore functions relating to Detections to a brand new Detectionstore.

TODO: TestSyncSuricata needs more tests, it currently only covers the bare minimum. Also, more testing needs to take place around what happens when the detections module is disabled.
---
 server/casestore.go                           |   6 -
 server/detectionengine.go                     |  12 +
 server/detectionhandler.go                    | 251 +-----------
 server/detectionstore.go                      |  21 +
 server/infohandler.go                         |   4 +-
 server/modules/elastic/elastic.go             |  22 ++
 server/modules/elastic/elasticcasestore.go    | 163 --------
 .../modules/elastic/elasticdetectionstore.go  | 360 ++++++++++++++++++
 server/modules/modules.go                     |   3 +
 server/modules/modules_test.go                |   1 +
 server/modules/suricata/suricata.go           | 269 +++++++++++++
 .../suricata/suricata_test.go}                | 126 +++++-
 .../modules/suricata/validate.go              |   2 +-
 .../modules/suricata/validate_test.go         |   2 +-
 server/server.go                              |   9 +-
 15 files changed, 828 insertions(+), 423 deletions(-)
 create mode 100644 server/detectionengine.go
 create mode 100644 server/detectionstore.go
 create mode 100644 server/modules/elastic/elasticdetectionstore.go
 create mode 100644 server/modules/suricata/suricata.go
 rename server/{detectionhandler_test.go => modules/suricata/suricata_test.go} (52%)
 rename syntax/suricata.go => server/modules/suricata/validate.go (99%)
 rename syntax/suricata_test.go => server/modules/suricata/validate_test.go (99%)

diff --git a/server/casestore.go b/server/casestore.go
index 6d6eda5ac..be9d6536e 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -38,10 +38,4 @@ type Casestore interface {
 	CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)
 	GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)
 	DeleteArtifactStream(ctx context.Context, id string) error
-
-	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
-	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
-	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 }
diff --git a/server/detectionengine.go b/server/detectionengine.go
new file mode 100644
index 000000000..09d430e1b
--- /dev/null
+++ b/server/detectionengine.go
@@ -0,0 +1,12 @@
+package server
+
+import (
+	"context"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type DetectionEngine interface {
+	ValidateRule(rule string) (string, error)
+	SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+}
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index dc17abda2..4462b3c8c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -10,22 +10,14 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"regexp"
 	"strings"
 
-	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
-	"github.com/security-onion-solutions/securityonion-soc/syntax"
-	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
 )
 
-var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
-
-const suricataModifyFromTo = `"flowbits" "noalert; flowbits"`
-
 type DetectionHandler struct {
 	server *Server
 }
@@ -54,7 +46,7 @@ func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request)
 
 	detectId := chi.URLParam(r, "id")
 
-	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	detect, err := h.server.Detectionstore.GetDetection(ctx, detectId)
 	if err != nil {
 		if err.Error() == "Object not found" {
 			web.Respond(w, r, http.StatusNotFound, nil)
@@ -79,13 +71,13 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -104,7 +96,7 @@ func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Req
 
 	detectId := chi.URLParam(r, "id")
 
-	detect, err := h.server.Casestore.GetDetection(ctx, detectId)
+	detect, err := h.server.Detectionstore.GetDetection(ctx, detectId)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -119,7 +111,7 @@ func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Req
 	detect.IsReporting = false
 	detect.IsCommunity = false
 
-	detect, err = h.server.Casestore.CreateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -139,13 +131,13 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	detect, err = h.server.Casestore.UpdateDetection(ctx, detect)
+	detect, err = h.server.Detectionstore.UpdateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusNotFound, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{detect})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -164,13 +156,13 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 
 	id := chi.URLParam(r, "id")
 
-	old, err := h.server.Casestore.DeleteDetection(ctx, id)
+	old, err := h.server.Detectionstore.DeleteDetection(ctx, id)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server.Configstore, []*model.Detection{old})
+	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -210,7 +202,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	modified := []*model.Detection{}
 
 	for id := range IDs {
-		det, mod, err := h.server.Casestore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		det, mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
 		if err != nil {
 			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 			continue
@@ -222,7 +214,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	if len(modified) != 0 {
-		addErrMap, err := SyncDetections(ctx, h.server.Configstore, modified)
+		addErrMap, err := SyncDetections(ctx, h.server, modified)
 		if err != nil {
 			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
@@ -242,7 +234,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (errMap map[string]string, err error) {
+func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -254,222 +246,17 @@ func SyncDetections(ctx context.Context, cfgStore Configstore, detections []*mod
 		byEngine[detect.Engine] = append(byEngine[detect.Engine], detect)
 	}
 
-	if len(byEngine[model.EngineNameSuricata]) > 0 {
-		errMap, err = syncSuricata(ctx, cfgStore, byEngine[model.EngineNameSuricata])
-		if err != nil {
-			return errMap, err
-		}
-	}
-
-	return errMap, nil
-}
-
-func syncSuricata(ctx context.Context, cfgStore Configstore, detections []*model.Detection) (map[string]string, error) {
-	allSettings, err := cfgStore.GetSettings(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	local := settingByID(allSettings, "idstools.rules.local__rules")
-	if local == nil {
-		return nil, fmt.Errorf("unable to find local rules setting")
-	}
-
-	enabled := settingByID(allSettings, "idstools.sids.enabled")
-	if enabled == nil {
-		return nil, fmt.Errorf("unable to find enabled setting")
-	}
-
-	disabled := settingByID(allSettings, "idstools.sids.disabled")
-	if disabled == nil {
-		return nil, fmt.Errorf("unable to find disabled setting")
-	}
-
-	modify := settingByID(allSettings, "idstools.sids.modify")
-	if modify == nil {
-		return nil, fmt.Errorf("unable to find modify setting")
-	}
-
-	localLines := strings.Split(local.Value, "\n")
-	enabledLines := strings.Split(enabled.Value, "\n")
-	disabledLines := strings.Split(disabled.Value, "\n")
-	modifyLines := strings.Split(modify.Value, "\n")
-
-	localIndex := indexLocal(localLines)
-	enabledIndex := indexEnabled(enabledLines)
-	disabledIndex := indexEnabled(disabledLines)
-	modifyIndex := indexModify(modifyLines)
-
-	errMap := map[string]string{} // map[sid]error
-
-	for _, detect := range detections {
-		parsedRule, err := syntax.ParseSuricataRule(detect.Content)
-		if err != nil {
-			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
-			continue
-		}
-
-		opt, ok := parsedRule.GetOption("sid")
-		if !ok || opt == nil {
-			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
-			continue
-		}
-
-		sid := *opt
-		_, isFlowbits := parsedRule.GetOption("flowbits")
-
-		lineNum, inLocal := localIndex[sid]
-		if !inLocal {
-			localLines = append(localLines, detect.Content)
-			lineNum = len(localLines) - 1
-			localIndex[sid] = lineNum
-		} else {
-			localLines[lineNum] = detect.Content
-		}
-
-		lineNum, inEnabled := enabledIndex[sid]
-		if !inEnabled {
-			line := detect.PublicID
-			if !detect.IsEnabled && !isFlowbits {
-				line = "# " + line
+	for name, engine := range srv.DetectionEngines {
+		if len(byEngine[name]) != 0 {
+			eMap, err := engine.SyncDetections(ctx, byEngine[name])
+			for sid, e := range eMap {
+				errMap[sid] = e
 			}
-
-			enabledLines = append(enabledLines, line)
-			lineNum = len(enabledLines) - 1
-			enabledIndex[sid] = lineNum
-		} else {
-			line := detect.PublicID
-			if !detect.IsEnabled && !isFlowbits {
-				line = "# " + line
+			if err != nil {
+				return errMap, err
 			}
-
-			enabledLines[lineNum] = line
 		}
-
-		if !isFlowbits {
-			lineNum, inDisabled := disabledIndex[sid]
-			if !inDisabled {
-				line := detect.PublicID
-				if detect.IsEnabled {
-					line = "# " + line
-				}
-
-				disabledLines = append(disabledLines, line)
-				lineNum = len(disabledLines) - 1
-				disabledIndex[sid] = lineNum
-			} else {
-				line := detect.PublicID
-				if detect.IsEnabled {
-					line = "# " + line
-				}
-
-				disabledLines[lineNum] = line
-			}
-		}
-
-		if isFlowbits {
-			lineNum, inModify := modifyIndex[sid]
-			if !inModify && !detect.IsEnabled {
-				// not in the modify file, but should be
-				line := fmt.Sprintf("%s %s", detect.PublicID, suricataModifyFromTo)
-				modifyLines = append(modifyLines, line)
-				lineNum = len(modifyLines) - 1
-				modifyIndex[sid] = lineNum
-			} else if inModify && detect.IsEnabled {
-				// in modify, but shouldn't be
-				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
-				delete(modifyIndex, sid)
-			}
-		}
-	}
-
-	local.Value = strings.Join(localLines, "\n")
-	enabled.Value = strings.Join(enabledLines, "\n")
-	disabled.Value = strings.Join(disabledLines, "\n")
-	modify.Value = strings.Join(modifyLines, "\n")
-
-	err = cfgStore.UpdateSetting(ctx, local, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, enabled, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, disabled, false)
-	if err != nil {
-		return errMap, err
-	}
-
-	err = cfgStore.UpdateSetting(ctx, modify, false)
-	if err != nil {
-		return errMap, err
 	}
 
 	return errMap, nil
 }
-
-func settingByID(all []*model.Setting, id string) *model.Setting {
-	found, ok := lo.Find(all, func(s *model.Setting) bool {
-		return s.Id == id
-	})
-	if !ok {
-		return nil
-	}
-
-	return found
-}
-
-func extractSID(rule string) *string {
-	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
-	if len(sids) != 1 { // 1 match = 1 sid
-		return nil
-	}
-
-	return util.Ptr(strings.TrimSpace(sids[0][1]))
-}
-
-func indexLocal(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		sid := extractSID(line)
-		if sid == nil {
-			continue
-		}
-
-		index[*sid] = i
-	}
-
-	return index
-}
-
-func indexEnabled(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-		if line != "" {
-			index[line] = i
-		}
-	}
-
-	return index
-}
-
-func indexModify(lines []string) map[string]int {
-	index := map[string]int{}
-
-	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
-
-		if strings.HasSuffix(line, suricataModifyFromTo) {
-			parts := strings.SplitN(line, " ", 2)
-			index[parts[0]] = i
-		}
-	}
-
-	return index
-}
diff --git a/server/detectionstore.go b/server/detectionstore.go
new file mode 100644
index 000000000..726e41823
--- /dev/null
+++ b/server/detectionstore.go
@@ -0,0 +1,21 @@
+// Copyright 2019 Jason Ertel (github.com/jertel).
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package server
+
+import (
+	"context"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type Detectionstore interface {
+	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
+	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
+	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
+}
diff --git a/server/infohandler.go b/server/infohandler.go
index 3d7604f31..974478ef0 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -72,7 +72,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detections.GroupFetchLimit = 50
 		detections.MostRecentlyUsedLimit = 5
 		detections.SafeStringMaxLength = 100
-		detections.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:detection"
+		detections.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:detection"
 		detections.EventFields = map[string][]string{
 			"default": {
 				"so_detection.title",
@@ -113,7 +113,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		playbooks.EventItemsPerPage = 50
 		playbooks.GroupFetchLimit = 50
 		playbooks.MostRecentlyUsedLimit = 5
-		playbooks.QueryBaseFilter = "_index:\"*:so-case\" AND so_kind:playbook"
+		playbooks.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:playbook"
 		playbooks.SafeStringMaxLength = 100
 		playbooks.Queries = []*config.HuntingQuery{
 			{Query: "*"},
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 148074bf8..e017bdbf0 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -28,6 +28,10 @@ const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
 const DEFAULT_MAX_LOG_LENGTH = 1024
 const DEFAULT_CASE_SCHEMA_PREFIX = "so_"
+const DEFAULT_DETECTION_INDEX = "*:so-detection"
+const DEFAULT_DETECTION_AUDIT_INDEX = "*:so-detectionhistory"
+const DEFAULT_DETECTION_ASSOCIATIONS_MAX = 1000
+const DEFAULT_DETECTION_SCHEMA_PREFIX = "so_"
 
 type Elastic struct {
 	config module.ModuleConfig
@@ -68,6 +72,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 	maxLogLength := module.GetIntDefault(cfg, "maxLogLength", DEFAULT_MAX_LOG_LENGTH)
 	casesEnabled := module.GetBoolDefault(cfg, "casesEnabled", true)
 	lookupTunnelParent := module.GetBoolDefault(cfg, "lookupTunnelParent", true)
+	detectionsEnabled := module.GetBoolDefault(cfg, "detectionsEnabled", true)
 	err := elastic.store.Init(host, remoteHosts, username, password, verifyCert, timeShiftMs, defaultDurationMs,
 		esSearchOffsetMs, timeoutMs, cacheMs, index, asyncThreshold, intervals, maxLogLength, lookupTunnelParent)
 	if err == nil && elastic.server != nil {
@@ -81,12 +86,29 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				maxCaseAssociations := module.GetIntDefault(cfg, "maxCaseAssociations", DEFAULT_CASE_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_CASE_SCHEMA_PREFIX)
 				casestore := NewElasticCasestore(elastic.server)
+
 				err = casestore.Init(caseIndex, auditIndex, maxCaseAssociations, schemaPrefix, commonObservables)
 				if err == nil {
 					elastic.server.Casestore = casestore
 				}
 			}
 		}
+		if detectionsEnabled {
+			if elastic.server.Detectionstore != nil {
+				err = errors.New("Multiple detection modules cannot be enabled concurrently")
+			} else {
+				detIndex := module.GetStringDefault(cfg, "detectionIndex", DEFAULT_DETECTION_INDEX)
+				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
+				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
+				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
+				detstore := NewElasticDetectionstore(elastic.server)
+
+				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
+				if err == nil {
+					elastic.server.Detectionstore = detstore
+				}
+			}
+		}
 	}
 
 	licensing.ValidateDataUrl(host)
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 651f2fe0a..5eeaf0d42 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -13,7 +13,6 @@ import (
 	"regexp"
 	"sort"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/apex/log"
@@ -274,50 +273,6 @@ func (store *ElasticCasestore) validateArtifactStream(artifactstream *model.Arti
 	return err
 }
 
-func (store *ElasticCasestore) validateDetection(detect *model.Detection) error {
-	var err error
-
-	if err == nil && detect.Id != "" {
-		err = store.validateId(detect.Id, "onionId")
-	}
-
-	if err == nil && detect.PublicID != "" {
-		err = store.validateId(detect.PublicID, "publicId")
-	}
-
-	if err == nil && detect.Title != "" {
-		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
-	}
-
-	if err == nil && detect.Severity != "" {
-		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
-	}
-
-	if err == nil && detect.Author != "" {
-		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
-	}
-
-	if err == nil && detect.Description != "" {
-		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
-	}
-
-	if err == nil && detect.Content != "" {
-		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
-	}
-
-	if err == nil && detect.Note != "" {
-		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
-	}
-
-	if err == nil {
-		_, okEngine := model.EnginesByName[detect.Engine]
-		if !okEngine {
-			err = errors.New("invalid engine")
-		}
-	}
-	return err
-}
-
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
 	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -945,121 +900,3 @@ func (store *ElasticCasestore) ExtractCommonObservables(ctx context.Context, eve
 	}
 	return nil
 }
-
-func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	var err error
-
-	err = store.validateDetection(detect)
-	if err != nil {
-		return nil, err
-	}
-
-	if detect.Id != "" {
-		return nil, errors.New("Unexpected ID found in new comment")
-	}
-
-	now := time.Now()
-	detect.CreateTime = &now
-	var results *model.EventIndexResults
-	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-	if err == nil {
-		// Read object back to get new modify date, etc
-		detect, err = store.GetDetection(ctx, results.DocumentId)
-	}
-
-	return detect, err
-}
-
-func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
-	err = store.validateId(detectId, "detectId")
-	if err != nil {
-		return nil, err
-	}
-
-	obj, err := store.get(ctx, detectId, "detection")
-	if err == nil && obj != nil {
-		detect = obj.(*model.Detection)
-	}
-
-	return detect, err
-}
-
-func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	err := store.validateDetection(detect)
-	if err != nil {
-		return nil, err
-	}
-
-	if detect.Id == "" {
-		err = errors.New("Missing detection onion ID")
-		return nil, err
-	}
-
-	var old *model.Detection
-	old, err = store.GetDetection(ctx, detect.Id)
-	if err != nil {
-		return nil, err
-	}
-
-	var results *model.EventIndexResults
-
-	// Preserve read-only fields
-	detect.CreateTime = old.CreateTime
-
-	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-	if err != nil {
-		return nil, err
-	}
-	// Read object back to get new modify date, etc
-	return store.GetDetection(ctx, results.DocumentId)
-}
-
-func (store *ElasticCasestore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
-	var modified bool
-
-	detect, err := store.GetDetection(ctx, id)
-	if err != nil {
-		return nil, false, err
-	}
-
-	switch strings.ToLower(field) {
-	case "isenabled":
-		bVal, ok := value.(bool)
-		if !ok {
-			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
-		}
-
-		if detect.IsEnabled != bVal {
-			detect.IsEnabled = bVal
-			modified = true
-		}
-	}
-
-	err = store.validateDetection(detect)
-	if err != nil {
-		return nil, false, err
-	}
-
-	if modified {
-		var results *model.EventIndexResults
-
-		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-		if err == nil {
-			// Read object back to get new modify date, etc
-			detect, err = store.GetDetection(ctx, results.DocumentId)
-		}
-	}
-
-	return detect, modified, err
-}
-
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
-	detect, err := store.GetDetection(ctx, onionID)
-	if err != nil {
-		return nil, err
-	}
-
-	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-
-	return detect, err
-}
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
new file mode 100644
index 000000000..35f0e6264
--- /dev/null
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -0,0 +1,360 @@
+package elastic
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+)
+
+type ElasticDetectionstore struct {
+	server          *server.Server
+	index           string
+	auditIndex      string
+	maxAssociations int
+	schemaPrefix    string
+}
+
+func NewElasticDetectionstore(srv *server.Server) *ElasticDetectionstore {
+	return &ElasticDetectionstore{
+		server: srv,
+	}
+}
+
+func (store *ElasticDetectionstore) Init(index string, auditIndex string, maxAssociations int, schemaPrefix string) error {
+	store.index = index
+	store.auditIndex = auditIndex
+	store.maxAssociations = maxAssociations
+	store.schemaPrefix = schemaPrefix
+
+	return nil
+}
+
+func (store *ElasticDetectionstore) validateId(id string, label string) error {
+	var err error
+
+	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{5,50}$`).MatchString
+	if !isValidId(id) {
+		err = fmt.Errorf("invalid ID for %s", label)
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) validateString(str string, max int, label string) error {
+	return store.validateStringRequired(str, 0, max, label)
+}
+
+func (store *ElasticDetectionstore) validateStringRequired(str string, min int, max int, label string) error {
+	var err error
+
+	length := len(str)
+	if length > max {
+		err = errors.New(fmt.Sprintf("%s is too long (%d/%d)", label, length, max))
+	} else if length < min {
+		err = errors.New(fmt.Sprintf("%s is too short (%d/%d)", label, length, min))
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) error {
+	var err error
+
+	if err == nil && detect.Id != "" {
+		err = store.validateId(detect.Id, "onionId")
+	}
+
+	if err == nil && detect.PublicID != "" {
+		err = store.validateId(detect.PublicID, "publicId")
+	}
+
+	if err == nil && detect.Title != "" {
+		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+	}
+
+	if err == nil && detect.Severity != "" {
+		err = store.validateString(string(detect.Severity), SHORT_STRING_MAX, "severity")
+	}
+
+	if err == nil && detect.Author != "" {
+		err = store.validateString(detect.Author, SHORT_STRING_MAX, "author")
+	}
+
+	if err == nil && detect.Description != "" {
+		err = store.validateString(detect.Description, LONG_STRING_MAX, "description")
+	}
+
+	if err == nil && detect.Content != "" {
+		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
+	}
+
+	if err == nil && detect.Note != "" {
+		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	}
+
+	if err == nil {
+		_, okEngine := model.EnginesByName[detect.Engine]
+		if !okEngine {
+			err = errors.New("invalid engine")
+		}
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, kind string, id string) (*model.EventIndexResults, error) {
+	var results *model.EventIndexResults
+	var err error
+
+	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+		document[store.schemaPrefix+"kind"] = kind
+
+		results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+		if err == nil {
+			document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
+
+			if id == "" {
+				document[store.schemaPrefix+"operation"] = "create"
+			} else {
+				document[store.schemaPrefix+"operation"] = "update"
+			}
+
+			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+			if err != nil {
+				log.WithFields(log.Fields{
+					"documentId": results.DocumentId,
+					"kind":       kind,
+				}).WithError(err).Error("Object indexed successfully however audit record failed to index")
+			}
+		}
+	}
+
+	return results, err
+}
+
+func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
+	var err error
+
+	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+		err = store.server.Eventstore.Delete(ctx, store.index, id)
+		if err == nil {
+			document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+			document[store.schemaPrefix+AUDIT_DOC_ID] = id
+			document[store.schemaPrefix+"kind"] = kind
+			document[store.schemaPrefix+"operation"] = "delete"
+
+			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+			if err != nil {
+				log.WithFields(log.Fields{
+					"documentId": id,
+					"kind":       kind,
+				}).WithError(err).Error("Object deleted successfully however audit record failed to index")
+			}
+		}
+	}
+
+	return err
+}
+
+func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
+
+	objects, err := store.getAll(ctx, query, 1)
+	if err == nil {
+		if len(objects) > 0 {
+			return objects[0], err
+		}
+
+		err = errors.New("Object not found")
+	}
+
+	return nil, err
+}
+
+func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+	var err error
+	var objects []interface{}
+
+	if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+		criteria := model.NewEventSearchCriteria()
+		format := "2006-01-02 3:04:05 PM"
+
+		var zeroTime time.Time
+
+		zeroTimeStr := zeroTime.Format(format)
+		now := time.Now()
+		endTime := now.Format(format)
+		zone := now.Location().String()
+
+		err = criteria.Populate(query,
+			zeroTimeStr+" - "+endTime, // timeframe range
+			format,                    // timeframe format
+			zone,                      // timezone
+			"0",                       // no metrics
+			strconv.Itoa(max))
+
+		if err == nil {
+			var results *model.EventSearchResults
+
+			results, err = store.server.Eventstore.Search(ctx, criteria)
+			if err == nil {
+				for _, event := range results.Events {
+					var obj interface{}
+
+					obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+					if err == nil {
+						objects = append(objects, obj)
+					} else {
+						log.WithField("event", event).WithError(err).Error("Unable to convert case object")
+					}
+				}
+			}
+		}
+	}
+
+	return objects, err
+}
+
+func (store *ElasticDetectionstore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
+	obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
+
+	// Don't waste space by saving the these values which are already part of ES documents
+	id := obj.Id
+	obj.Id = ""
+	obj.UpdateTime = nil
+
+	return id
+}
+
+func (store *ElasticDetectionstore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	var err error
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id != "" {
+		return nil, errors.New("Unexpected ID found in new comment")
+	}
+
+	now := time.Now()
+	detect.CreateTime = &now
+
+	var results *model.EventIndexResults
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+	if err == nil {
+		// Read object back to get new modify date, etc
+		detect, err = store.GetDetection(ctx, results.DocumentId)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticDetectionstore) GetDetection(ctx context.Context, detectId string) (detect *model.Detection, err error) {
+	err = store.validateId(detectId, "detectId")
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := store.get(ctx, detectId, "detection")
+	if err == nil && obj != nil {
+		detect = obj.(*model.Detection)
+	}
+
+	return detect, err
+}
+
+func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
+	err := store.validateDetection(detect)
+	if err != nil {
+		return nil, err
+	}
+
+	if detect.Id == "" {
+		err = errors.New("Missing detection onion ID")
+		return nil, err
+	}
+
+	var old *model.Detection
+
+	old, err = store.GetDetection(ctx, detect.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	var results *model.EventIndexResults
+
+	// Preserve read-only fields
+	detect.CreateTime = old.CreateTime
+
+	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	if err != nil {
+		return nil, err
+	}
+
+	// Read object back to get new modify date, etc
+	return store.GetDetection(ctx, results.DocumentId)
+}
+
+func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
+	var modified bool
+
+	detect, err := store.GetDetection(ctx, id)
+	if err != nil {
+		return nil, false, err
+	}
+
+	switch strings.ToLower(field) {
+	case "isenabled":
+		bVal, ok := value.(bool)
+		if !ok {
+			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
+		}
+
+		if detect.IsEnabled != bVal {
+			detect.IsEnabled = bVal
+			modified = true
+		}
+	}
+
+	err = store.validateDetection(detect)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if modified {
+		var results *model.EventIndexResults
+
+		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+		if err == nil {
+			// Read object back to get new modify date, etc
+			detect, err = store.GetDetection(ctx, results.DocumentId)
+		}
+	}
+
+	return detect, modified, err
+}
+
+func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
+	detect, err := store.GetDetection(ctx, onionID)
+	if err != nil {
+		return nil, err
+	}
+
+	err = store.delete(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
+
+	return detect, err
+}
diff --git a/server/modules/modules.go b/server/modules/modules.go
index 02e2538fb..c766934f8 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -19,6 +19,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/sostatus"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/statickeyauth"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/staticrbac"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/thehive"
 )
 
@@ -35,5 +36,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["statickeyauth"] = statickeyauth.NewStaticKeyAuth(srv)
 	moduleMap["staticrbac"] = staticrbac.NewStaticRbac(srv)
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
+	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
+
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index fae430a34..efb5b0f7e 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -25,6 +25,7 @@ func TestBuildModuleMap(tester *testing.T) {
 	findModule(tester, mm, "sostatus")
 	findModule(tester, mm, "statickeyauth")
 	findModule(tester, mm, "thehive")
+	findModule(tester, mm, "suricataengine")
 }
 
 func findModule(tester *testing.T, mm map[string]module.Module, module string) {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
new file mode 100644
index 000000000..3f5133336
--- /dev/null
+++ b/server/modules/suricata/suricata.go
@@ -0,0 +1,269 @@
+package suricata
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/samber/lo"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
+
+const modifyFromTo = `"flowbits" "noalert; flowbits"`
+
+type SuricataEngine struct {
+	srv *server.Server
+}
+
+func NewSuricataEngine(srv *server.Server) *SuricataEngine {
+	return &SuricataEngine{
+		srv: srv,
+	}
+}
+
+func (s *SuricataEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (s *SuricataEngine) Init(config module.ModuleConfig) error {
+	return nil
+}
+
+func (s *SuricataEngine) Start() error {
+	s.srv.DetectionEngines[model.EngineNameSuricata] = s
+	return nil
+}
+
+func (s *SuricataEngine) Stop() error {
+	return nil
+}
+
+func (s *SuricataEngine) IsRunning() bool {
+	return false
+}
+
+func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
+	return rule, nil
+}
+
+func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	allSettings, err := s.srv.Configstore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	local := settingByID(allSettings, "idstools.rules.local__rules")
+	if local == nil {
+		return nil, fmt.Errorf("unable to find local rules setting")
+	}
+
+	enabled := settingByID(allSettings, "idstools.sids.enabled")
+	if enabled == nil {
+		return nil, fmt.Errorf("unable to find enabled setting")
+	}
+
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
+	localLines := strings.Split(local.Value, "\n")
+	enabledLines := strings.Split(enabled.Value, "\n")
+	disabledLines := strings.Split(disabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
+
+	localIndex := indexLocal(localLines)
+	enabledIndex := indexEnabled(enabledLines)
+	disabledIndex := indexEnabled(disabledLines)
+	modifyIndex := indexModify(modifyLines)
+
+	errMap = map[string]string{} // map[sid]error
+
+	for _, detect := range detections {
+		parsedRule, err := ParseSuricataRule(detect.Content)
+		if err != nil {
+			errMap[detect.PublicID] = fmt.Sprintf("unable to parse rule; reason=%s", err.Error())
+			continue
+		}
+
+		opt, ok := parsedRule.GetOption("sid")
+		if !ok || opt == nil {
+			errMap[detect.PublicID] = fmt.Sprintf("rule does not contain a SID; rule=%s", detect.Content)
+			continue
+		}
+
+		sid := *opt
+		_, isFlowbits := parsedRule.GetOption("flowbits")
+
+		lineNum, inLocal := localIndex[sid]
+		if !inLocal {
+			localLines = append(localLines, detect.Content)
+			lineNum = len(localLines) - 1
+			localIndex[sid] = lineNum
+		} else {
+			localLines[lineNum] = detect.Content
+		}
+
+		lineNum, inEnabled := enabledIndex[sid]
+		if !inEnabled {
+			line := detect.PublicID
+			if !detect.IsEnabled && !isFlowbits {
+				line = "# " + line
+			}
+
+			enabledLines = append(enabledLines, line)
+			lineNum = len(enabledLines) - 1
+			enabledIndex[sid] = lineNum
+		} else {
+			line := detect.PublicID
+			if !detect.IsEnabled && !isFlowbits {
+				line = "# " + line
+			}
+
+			enabledLines[lineNum] = line
+		}
+
+		if !isFlowbits {
+			lineNum, inDisabled := disabledIndex[sid]
+			if !inDisabled {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines = append(disabledLines, line)
+				lineNum = len(disabledLines) - 1
+				disabledIndex[sid] = lineNum
+			} else {
+				line := detect.PublicID
+				if detect.IsEnabled {
+					line = "# " + line
+				}
+
+				disabledLines[lineNum] = line
+			}
+		}
+
+		if isFlowbits {
+			lineNum, inModify := modifyIndex[sid]
+			if !inModify && !detect.IsEnabled {
+				// not in the modify file, but should be
+				line := fmt.Sprintf("%s %s", detect.PublicID, modifyFromTo)
+				modifyLines = append(modifyLines, line)
+				lineNum = len(modifyLines) - 1
+				modifyIndex[sid] = lineNum
+			} else if inModify && detect.IsEnabled {
+				// in modify, but shouldn't be
+				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				delete(modifyIndex, sid)
+			}
+		}
+	}
+
+	local.Value = strings.Join(localLines, "\n")
+	enabled.Value = strings.Join(enabledLines, "\n")
+	disabled.Value = strings.Join(disabledLines, "\n")
+	modify.Value = strings.Join(modifyLines, "\n")
+
+	err = s.srv.Configstore.UpdateSetting(ctx, local, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, enabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, disabled, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	err = s.srv.Configstore.UpdateSetting(ctx, modify, false)
+	if err != nil {
+		return errMap, err
+	}
+
+	return errMap, nil
+}
+
+func settingByID(all []*model.Setting, id string) *model.Setting {
+	found, ok := lo.Find(all, func(s *model.Setting) bool {
+		return s.Id == id
+	})
+	if !ok {
+		return nil
+	}
+
+	return found
+}
+
+func extractSID(rule string) *string {
+	sids := sidExtracter.FindAllStringSubmatch(rule, 2)
+	if len(sids) != 1 { // 1 match = 1 sid
+		return nil
+	}
+
+	return util.Ptr(strings.TrimSpace(sids[0][1]))
+}
+
+func indexLocal(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		sid := extractSID(line)
+		if sid == nil {
+			continue
+		}
+
+		index[*sid] = i
+	}
+
+	return index
+}
+
+func indexEnabled(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+		if line != "" {
+			index[line] = i
+		}
+	}
+
+	return index
+}
+
+func indexModify(lines []string) map[string]int {
+	index := map[string]int{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+
+		if strings.HasSuffix(line, modifyFromTo) {
+			parts := strings.SplitN(line, " ", 2)
+			index[parts[0]] = i
+		}
+	}
+
+	return index
+}
diff --git a/server/detectionhandler_test.go b/server/modules/suricata/suricata_test.go
similarity index 52%
rename from server/detectionhandler_test.go
rename to server/modules/suricata/suricata_test.go
index e1449f03f..7e9cbcdfd 100644
--- a/server/detectionhandler_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -1,15 +1,35 @@
-package server
+package suricata
 
 import (
 	"context"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/util"
-
 	"github.com/stretchr/testify/assert"
 )
 
+func TestSuricataModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewSuricataEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Start()
+	assert.Nil(t, err)
+
+	err = mod.Stop()
+	assert.Nil(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameSuricata])
+}
+
 func TestSettingByID(t *testing.T) {
 	allSettings := []*model.Setting{
 		{Id: "1", Value: "one"},
@@ -167,23 +187,94 @@ func TestIndexModify(t *testing.T) {
 func TestSyncSuricata(t *testing.T) {
 	emptySettings := []*model.Setting{
 		{Id: "idstools.rules.local__rules"},
-		{Id: "idstools.rules.enabled"},
-		{Id: "idstools.rules.disabled"},
-		{Id: "idstools.rules.modify"},
+		{Id: "idstools.sids.enabled"},
+		{Id: "idstools.sids.disabled"},
+		{Id: "idstools.sids.modify"},
 	}
 	table := []struct {
-		Name string
-		InitialSettings []*model.Setting
-		Detections []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
+		Name             string
+		InitialSettings  []*model.Setting
+		Detections       []*model.Detection // Content (Valid Rule), PublicID, IsEnabled
 		ExpectedSettings map[string]string
-		ExpectedErr error
-		ExpectedErrMap map[string]string
+		ExpectedErr      error
+		ExpectedErrMap   map[string]string
 	}{
 		{
-			Name: "Simple Add",
+			Name:            "Enable New Simple Rule",
+			InitialSettings: emptySettings,
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+				"idstools.sids.enabled":       "\n10000",
+				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Disable Existing Simple Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`},
+				{Id: "idstools.sids.enabled", Value: "10000"},
+				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.sids.modify"},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+				"idstools.sids.enabled":       "# 10000",
+				"idstools.sids.disabled":      "10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Enable New Flowbits Rule",
 			InitialSettings: emptySettings,
 			Detections: []*model.Detection{
-				{},
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+				"idstools.sids.enabled":       "\n10000",
+				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Disable Existing Flowbits Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`},
+				{Id: "idstools.sids.enabled", Value: "10000"},
+				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.sids.modify", Value: ""},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  "10000",
+					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+				"idstools.sids.enabled":       "10000",
+				"idstools.sids.disabled":      "# 10000",
+				"idstools.sids.modify":        "\n" + `10000 "flowbits" "noalert; flowbits"`,
 			},
 		},
 	}
@@ -195,9 +286,14 @@ func TestSyncSuricata(t *testing.T) {
 		t.Run(test.Name, func(t *testing.T) {
 			t.Parallel()
 
-			mCfgStore := NewMemConfigStore(test.InitialSettings)
+			mCfgStore := server.NewMemConfigStore(test.InitialSettings)
+			mod := NewSuricataEngine(&server.Server{
+				Configstore:      mCfgStore,
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+			})
+			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
 
-			errMap, err := syncSuricata(ctx, mCfgStore, test.Detections)
+			errMap, err := mod.SyncDetections(ctx, test.Detections)
 
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
@@ -212,4 +308,4 @@ func TestSyncSuricata(t *testing.T) {
 			}
 		})
 	}
-}
\ No newline at end of file
+}
diff --git a/syntax/suricata.go b/server/modules/suricata/validate.go
similarity index 99%
rename from syntax/suricata.go
rename to server/modules/suricata/validate.go
index 90ca8af83..68ca6731d 100644
--- a/syntax/suricata.go
+++ b/server/modules/suricata/validate.go
@@ -1,4 +1,4 @@
-package syntax
+package suricata
 
 import (
 	"fmt"
diff --git a/syntax/suricata_test.go b/server/modules/suricata/validate_test.go
similarity index 99%
rename from syntax/suricata_test.go
rename to server/modules/suricata/validate_test.go
index f9b2d7f0f..261cc8b4f 100644
--- a/syntax/suricata_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -1,4 +1,4 @@
-package syntax
+package suricata
 
 import (
 	"testing"
diff --git a/server/server.go b/server/server.go
index 5080baf4e..4b281b5e5 100644
--- a/server/server.go
+++ b/server/server.go
@@ -33,6 +33,7 @@ type Server struct {
 	Rolestore        Rolestore
 	Eventstore       Eventstore
 	Casestore        Casestore
+	Detectionstore   Detectionstore
 	Configstore      Configstore
 	GridMembersstore GridMembersstore
 	Metrics          Metrics
@@ -40,13 +41,15 @@ type Server struct {
 	Authorizer       rbac.Authorizer
 	Agent            *model.User
 	Context          context.Context
+	DetectionEngines map[model.EngineName]DetectionEngine
 }
 
 func NewServer(cfg *config.ServerConfig, version string) *Server {
 	server := &Server{
-		Config:      cfg,
-		Host:        web.NewHost(cfg.BindAddress, cfg.HtmlDir, cfg.IdleConnectionTimeoutMs, version, cfg.SrvKeyBytes, AGENT_ID),
-		stoppedChan: make(chan bool, 1),
+		Config:           cfg,
+		Host:             web.NewHost(cfg.BindAddress, cfg.HtmlDir, cfg.IdleConnectionTimeoutMs, version, cfg.SrvKeyBytes, AGENT_ID),
+		stoppedChan:      make(chan bool, 1),
+		DetectionEngines: map[model.EngineName]DetectionEngine{},
 	}
 	server.initContext()
 

From 1f61e4069892deb4912dfe9df75334fee0f35a60 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 26 Sep 2023 11:05:49 -0600
Subject: [PATCH 055/102] WIP: Tests

Converted repeated strings to fixtures.

Fleshed out the rest of SyncSuricata's tests.

Added validation tests.
---
 server/modules/suricata/suricata.go      |   7 +-
 server/modules/suricata/suricata_test.go | 260 +++++++++++++++++++----
 server/modules/suricata/validate.go      |   5 +
 3 files changed, 231 insertions(+), 41 deletions(-)

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 3f5133336..b9725882d 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -49,7 +49,12 @@ func (s *SuricataEngine) IsRunning() bool {
 }
 
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
-	return rule, nil
+	parsed, err := ParseSuricataRule(rule)
+	if err != nil {
+		return rule, err
+	}
+
+	return parsed.String(), nil
 }
 
 func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 7e9cbcdfd..0a497f305 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -11,6 +11,24 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+const (
+	SimpleRuleSID    = "10000"
+	SimpleRule       = `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`
+	FlowbitsRuleASID = "50000"
+	FlowbitsRuleA    = `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:50000;)`
+	FlowbitsRuleBSID = "60000"
+	FlowbitsRuleB    = `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`
+)
+
+func emptySettings() []*model.Setting {
+	return []*model.Setting{
+		{Id: "idstools.rules.local__rules"},
+		{Id: "idstools.sids.enabled"},
+		{Id: "idstools.sids.disabled"},
+		{Id: "idstools.sids.modify"},
+	}
+}
+
 func TestSuricataModule(t *testing.T) {
 	srv := &server.Server{
 		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
@@ -20,7 +38,10 @@ func TestSuricataModule(t *testing.T) {
 	assert.Implements(t, (*module.Module)(nil), mod)
 	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
 
-	err := mod.Start()
+	err := mod.Init(nil)
+	assert.Nil(t, err)
+
+	err = mod.Start()
 	assert.Nil(t, err)
 
 	err = mod.Stop()
@@ -85,7 +106,7 @@ func TestExtractSID(t *testing.T) {
 		{Name: "Single-Quoted Empty SID", Input: "sid:'';", Output: util.Ptr("")},
 		{Name: "Double-Quoted Empty SID", Input: `sid: "";`, Output: util.Ptr("")},
 		{Name: "Multiple SIDs", Input: "sid: 10000; sid: 10001;", Output: nil},
-		{Name: "Sample Rule", Input: `alert http any any -> any any (msg:"RULE B"; flowbits: isset, test; flow: established,to_client; content:"uid=0"; sid:60000;)`, Output: util.Ptr("60000")},
+		{Name: "Sample Rule", Input: SimpleRule, Output: util.Ptr(SimpleRuleSID)},
 	}
 
 	for _, test := range table {
@@ -184,13 +205,66 @@ func TestIndexModify(t *testing.T) {
 	assert.NotContains(t, output, "e4bd794a-8156-4fcc-b6a9-9fb2c9ecadc5")
 }
 
-func TestSyncSuricata(t *testing.T) {
-	emptySettings := []*model.Setting{
-		{Id: "idstools.rules.local__rules"},
-		{Id: "idstools.sids.enabled"},
-		{Id: "idstools.sids.disabled"},
-		{Id: "idstools.sids.modify"},
+func TestValidate(t *testing.T) {
+	table := []struct {
+		Name        string
+		Input       string
+		ExpectedErr *string
+	}{
+		{
+			Name:  "Valid Rule",
+			Input: SimpleRule,
+		},
+		{
+			Name:  "Valid Rule with Flowbits",
+			Input: FlowbitsRuleA,
+		},
+		{
+			Name:  "Valid Rule with Escaped Quotes",
+			Input: `alert http any any -> any any (msg:"This rule has \"escaped quotes\"";)`,
+		},
+		{
+			Name:        "Invalid Direction",
+			Input:       `alert http any any <-> any any (msg:"This rule has an invalid direction";)`,
+			ExpectedErr: util.Ptr("invalid direction, must be '<>' or '->', got <->"),
+		},
+		{
+			Name:        "Unexpected Suffix",
+			Input:       SimpleRule + "x",
+			ExpectedErr: util.Ptr("invalid rule, expected end of rule, got 1 more bytes"),
+		},
+		{
+			Name:        "Unexpected End of Rule",
+			Input:       "x",
+			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			mod := NewSuricataEngine(&server.Server{})
+
+			_, err := mod.ValidateRule(test.Input)
+			if test.ExpectedErr == nil {
+				assert.NoError(t, err)
+
+				// this rule seems valid, attempt to parse, serialize, re-parse
+				parsed, err := ParseSuricataRule(test.Input)
+				assert.NoError(t, err)
+
+				_, err = ParseSuricataRule(parsed.String())
+				assert.NoError(t, err)
+			} else {
+				assert.Equal(t, *test.ExpectedErr, err.Error())
+			}
+		})
 	}
+}
+
+func TestSyncSuricata(t *testing.T) {
 	table := []struct {
 		Name             string
 		InitialSettings  []*model.Setting
@@ -201,80 +275,186 @@ func TestSyncSuricata(t *testing.T) {
 	}{
 		{
 			Name:            "Enable New Simple Rule",
-			InitialSettings: emptySettings,
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + SimpleRule,
+				"idstools.sids.enabled":       "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":      "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Disable New Simple Rule",
+			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + SimpleRule,
+				"idstools.sids.enabled":       "\n# " + SimpleRuleSID,
+				"idstools.sids.disabled":      "\n" + SimpleRuleSID,
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name: "Enable Existing Simple Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled", Value: "# " + SimpleRuleSID},
+				{Id: "idstools.sids.disabled", Value: SimpleRuleSID},
+				{Id: "idstools.sids.modify"},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
 					IsEnabled: true,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
-				"idstools.sids.enabled":       "\n10000",
-				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.rules.local__rules": SimpleRule,
+				"idstools.sids.enabled":       SimpleRuleSID,
+				"idstools.sids.disabled":      "# " + SimpleRuleSID,
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name: "Disable Existing Simple Rule",
 			InitialSettings: []*model.Setting{
-				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`},
-				{Id: "idstools.sids.enabled", Value: "10000"},
-				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled", Value: SimpleRuleSID},
+				{Id: "idstools.sids.disabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
 			},
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
 					IsEnabled: false,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": `alert http any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`,
-				"idstools.sids.enabled":       "# 10000",
-				"idstools.sids.disabled":      "10000",
+				"idstools.rules.local__rules": SimpleRule,
+				"idstools.sids.enabled":       "# " + SimpleRuleSID,
+				"idstools.sids.disabled":      SimpleRuleSID,
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name:            "Enable New Flowbits Rule",
-			InitialSettings: emptySettings,
+			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					PublicID:  FlowbitsRuleASID,
+					Content:   FlowbitsRuleA,
 					IsEnabled: true,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
-				"idstools.sids.enabled":       "\n10000",
-				"idstools.sids.disabled":      "\n# 10000",
+				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":      "",
+				"idstools.sids.modify":        "",
+			},
+		},
+		{
+			Name:            "Disable New Flowbits Rule",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  FlowbitsRuleASID,
+					Content:   FlowbitsRuleA,
+					IsEnabled: false,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":      "",
+				"idstools.sids.modify":        "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+			},
+		},
+		{
+			Name: "Enable Existing Flowbits Rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: FlowbitsRuleB},
+				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
+				{Id: "idstools.sids.disabled", Value: ""},
+				{Id: "idstools.sids.modify", Value: FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`},
+			},
+			Detections: []*model.Detection{
+				{
+					PublicID:  FlowbitsRuleBSID,
+					Content:   FlowbitsRuleB,
+					IsEnabled: true,
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules": FlowbitsRuleB,
+				"idstools.sids.enabled":       FlowbitsRuleBSID,
+				"idstools.sids.disabled":      "",
 				"idstools.sids.modify":        "",
 			},
 		},
 		{
 			Name: "Disable Existing Flowbits Rule",
 			InitialSettings: []*model.Setting{
-				{Id: "idstools.rules.local__rules", Value: `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`},
-				{Id: "idstools.sids.enabled", Value: "10000"},
-				{Id: "idstools.sids.disabled", Value: "# 10000"},
+				{Id: "idstools.rules.local__rules", Value: FlowbitsRuleB},
+				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
+				{Id: "idstools.sids.disabled", Value: "# " + FlowbitsRuleBSID},
 				{Id: "idstools.sids.modify", Value: ""},
 			},
 			Detections: []*model.Detection{
 				{
-					PublicID:  "10000",
-					Content:   `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
+					PublicID:  FlowbitsRuleBSID,
+					Content:   FlowbitsRuleB,
 					IsEnabled: false,
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": `alert http any any -> any any ( msg:"RULE A"; flow: established,to_server; http.method; content:"POST"; http.content_type; content:"x-www-form-urlencoded"; flowbits: set, test; sid:10000;)`,
-				"idstools.sids.enabled":       "10000",
-				"idstools.sids.disabled":      "# 10000",
-				"idstools.sids.modify":        "\n" + `10000 "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules": FlowbitsRuleB,
+				"idstools.sids.enabled":       FlowbitsRuleBSID,
+				"idstools.sids.disabled":      "# " + FlowbitsRuleBSID,
+				"idstools.sids.modify":        "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+			},
+		},
+		{
+			Name:            "Completely Invalid Rule",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  "0",
+					Content:   "x",
+					IsEnabled: true,
+				},
+			},
+			ExpectedErrMap: map[string]string{
+				"0": "unable to parse rule; reason=invalid rule, unexpected end of rule",
+			},
+		},
+		{
+			Name:            "Rule Missing SID",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  "0",
+					Content:   `alert http any any -> any any (msg:"This rule doesn't have a SID";)`, // missing closing paren
+					IsEnabled: true,
+				},
+			},
+			ExpectedErrMap: map[string]string{
+				"0": `rule does not contain a SID; rule=alert http any any -> any any (msg:"This rule doesn't have a SID";)`,
 			},
 		},
 	}
@@ -299,12 +479,12 @@ func TestSyncSuricata(t *testing.T) {
 			assert.Equal(t, test.ExpectedErrMap, errMap)
 
 			set, err := mCfgStore.GetSettings(ctx)
-			assert.NoError(t, err)
+			assert.NoError(t, err, "GetSettings should not return an error")
 
 			for id, expectedValue := range test.ExpectedSettings {
 				setting := settingByID(set, id)
-				assert.NotNil(t, setting)
-				assert.Equal(t, expectedValue, setting.Value)
+				assert.NotNil(t, setting, "Setting %s", id)
+				assert.Equal(t, expectedValue, setting.Value, "Setting %s", id)
 			}
 		})
 	}
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 68ca6731d..aac0d6c66 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -129,6 +129,11 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 		}
 	}
 
+	if curState != stateOptions || len(strings.TrimSpace(buf.String())) != 0 {
+		// We're unexpectedly done parsing the rule.
+		return nil, fmt.Errorf("invalid rule, unexpected end of rule")
+	}
+
 	return out, nil
 }
 

From 04ec7c2dfe60db0cd93b8e833bcdcc91be684cad Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Sep 2023 09:18:19 -0600
Subject: [PATCH 056/102] WIP: Sync Community Detections

Removed permission checks left over from creating ElasticDetectionstore from ElasticCasestore.

Jerry rigged the config to always have a `suricataengine` module section so I don't have to fight salt.

Expanded on detection severity types.

Expanded the DetectionEngine interface to support how we're importing community rules.

First pass at a SyncCommunityRules.

Solved some issues around ParseSuricataRule and whitespace.
---
 config/config.go                              |   3 +
 model/detection.go                            |   8 +-
 server/detectionengine.go                     |   4 +-
 server/detectionhandler.go                    |  58 ++++++-
 server/detectionstore.go                      |   1 +
 .../modules/elastic/elasticdetectionstore.go  | 136 +++++++++-------
 server/modules/suricata/suricata.go           | 154 +++++++++++++++++-
 server/modules/suricata/suricata_test.go      |  69 +++++++-
 server/modules/suricata/validate.go           |  50 +++++-
 server/modules/suricata/validate_test.go      |   2 +-
 10 files changed, 402 insertions(+), 83 deletions(-)

diff --git a/config/config.go b/config/config.go
index c0cd1ff18..75ce93534 100644
--- a/config/config.go
+++ b/config/config.go
@@ -44,5 +44,8 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 			err = cfg.Server.Verify()
 		}
 	}
+
+	cfg.Server.Modules["suricataengine"] = map[string]interface{}{} // TODO: remove when put in config file
+
 	return cfg, err
 }
diff --git a/model/detection.go b/model/detection.go
index 8d3f8c912..4edc9a953 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -23,9 +23,11 @@ const (
 	SigLangYara     SigLanguage = "yara"
 	SigLangZeek     SigLanguage = "zeek"
 
-	SeverityLow    Severity = "low"
-	SeverityMedium Severity = "medium"
-	SeverityHigh   Severity = "high"
+	SeverityUnknown       Severity = "unknown"
+	SeverityInformational Severity = "informational"
+	SeverityMinor         Severity = "minor"
+	SeverityMajor         Severity = "major"
+	SeverityCritical      Severity = "critical"
 
 	IDTypeUUID IDType = "uuid"
 	IDTypeSID  IDType = "sid"
diff --git a/server/detectionengine.go b/server/detectionengine.go
index 09d430e1b..63bcf88b8 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -8,5 +8,7 @@ import (
 
 type DetectionEngine interface {
 	ValidateRule(rule string) (string, error)
-	SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+	ParseRules(content string) ([]*model.Detection, error)
+	SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+	SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 4462b3c8c..c3313f1d7 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -9,6 +9,7 @@ package server
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
@@ -38,6 +39,7 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Delete("/{id}", h.deleteDetection)
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
+		r.Post("/sync/{engine}", h.syncCommunityDetections)
 	})
 }
 
@@ -77,7 +79,7 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -137,7 +139,7 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{detect})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{detect})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -162,7 +164,7 @@ func (h *DetectionHandler) deleteDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	errMap, err := SyncDetections(ctx, h.server, []*model.Detection{old})
+	errMap, err := SyncLocalDetections(ctx, h.server, []*model.Detection{old})
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
@@ -214,7 +216,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	if len(modified) != 0 {
-		addErrMap, err := SyncDetections(ctx, h.server, modified)
+		addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
 		if err != nil {
 			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
@@ -234,7 +236,51 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
+func (h *DetectionHandler) syncCommunityDetections(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	engineParam := chi.URLParam(r, "engine")
+
+	engine, ok := h.server.DetectionEngines[model.EngineName(engineParam)]
+	if !ok {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid engine"))
+		return
+	}
+
+	err := r.ParseMultipartForm(int64(h.server.Config.MaxUploadSizeBytes))
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	file, _, err := r.FormFile("file")
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	content, err := io.ReadAll(file)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	detections, err := engine.ParseRules(string(content))
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	errMap, err := engine.SyncCommunityDetections(ctx, detections)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, errMap)
+}
+
+func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -248,7 +294,7 @@ func SyncDetections(ctx context.Context, srv *Server, detections []*model.Detect
 
 	for name, engine := range srv.DetectionEngines {
 		if len(byEngine[name]) != 0 {
-			eMap, err := engine.SyncDetections(ctx, byEngine[name])
+			eMap, err := engine.SyncLocalDetections(ctx, byEngine[name])
 			for sid, e := range eMap {
 				errMap[sid] = e
 			}
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 726e41823..de8b5f8fc 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,4 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
+	GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) // map[detection.PublicId]detection.Id
 }
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 35f0e6264..34383adc6 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -115,29 +115,29 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 	var results *model.EventIndexResults
 	var err error
 
-	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
-		document[store.schemaPrefix+"kind"] = kind
+	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+	document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+	document[store.schemaPrefix+"kind"] = kind
 
-		results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
-		if err == nil {
-			document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
+	results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+	if err == nil {
+		document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
 
-			if id == "" {
-				document[store.schemaPrefix+"operation"] = "create"
-			} else {
-				document[store.schemaPrefix+"operation"] = "update"
-			}
+		if id == "" {
+			document[store.schemaPrefix+"operation"] = "create"
+		} else {
+			document[store.schemaPrefix+"operation"] = "update"
+		}
 
-			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
-			if err != nil {
-				log.WithFields(log.Fields{
-					"documentId": results.DocumentId,
-					"kind":       kind,
-				}).WithError(err).Error("Object indexed successfully however audit record failed to index")
-			}
+		_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+		if err != nil {
+			log.WithFields(log.Fields{
+				"documentId": results.DocumentId,
+				"kind":       kind,
+			}).WithError(err).Error("Object indexed successfully however audit record failed to index")
 		}
 	}
+	// }
 
 	return results, err
 }
@@ -145,23 +145,23 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
 	var err error
 
-	if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-		err = store.server.Eventstore.Delete(ctx, store.index, id)
-		if err == nil {
-			document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
-			document[store.schemaPrefix+AUDIT_DOC_ID] = id
-			document[store.schemaPrefix+"kind"] = kind
-			document[store.schemaPrefix+"operation"] = "delete"
-
-			_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
-			if err != nil {
-				log.WithFields(log.Fields{
-					"documentId": id,
-					"kind":       kind,
-				}).WithError(err).Error("Object deleted successfully however audit record failed to index")
-			}
+	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+	err = store.server.Eventstore.Delete(ctx, store.index, id)
+	if err == nil {
+		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+		document[store.schemaPrefix+AUDIT_DOC_ID] = id
+		document[store.schemaPrefix+"kind"] = kind
+		document[store.schemaPrefix+"operation"] = "delete"
+
+		_, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+		if err != nil {
+			log.WithFields(log.Fields{
+				"documentId": id,
+				"kind":       kind,
+			}).WithError(err).Error("Object deleted successfully however audit record failed to index")
 		}
 	}
+	// }
 
 	return err
 }
@@ -185,42 +185,42 @@ func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, ma
 	var err error
 	var objects []interface{}
 
-	if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
-		criteria := model.NewEventSearchCriteria()
-		format := "2006-01-02 3:04:05 PM"
+	// if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+	criteria := model.NewEventSearchCriteria()
+	format := "2006-01-02 3:04:05 PM"
 
-		var zeroTime time.Time
+	var zeroTime time.Time
 
-		zeroTimeStr := zeroTime.Format(format)
-		now := time.Now()
-		endTime := now.Format(format)
-		zone := now.Location().String()
+	zeroTimeStr := zeroTime.Format(format)
+	now := time.Now()
+	endTime := now.Format(format)
+	zone := now.Location().String()
+
+	err = criteria.Populate(query,
+		zeroTimeStr+" - "+endTime, // timeframe range
+		format,                    // timeframe format
+		zone,                      // timezone
+		"0",                       // no metrics
+		strconv.Itoa(max))
 
-		err = criteria.Populate(query,
-			zeroTimeStr+" - "+endTime, // timeframe range
-			format,                    // timeframe format
-			zone,                      // timezone
-			"0",                       // no metrics
-			strconv.Itoa(max))
+	if err == nil {
+		var results *model.EventSearchResults
 
+		results, err = store.server.Eventstore.Search(ctx, criteria)
 		if err == nil {
-			var results *model.EventSearchResults
-
-			results, err = store.server.Eventstore.Search(ctx, criteria)
-			if err == nil {
-				for _, event := range results.Events {
-					var obj interface{}
-
-					obj, err = convertElasticEventToObject(event, store.schemaPrefix)
-					if err == nil {
-						objects = append(objects, obj)
-					} else {
-						log.WithField("event", event).WithError(err).Error("Unable to convert case object")
-					}
+			for _, event := range results.Events {
+				var obj interface{}
+
+				obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+				if err == nil {
+					objects = append(objects, obj)
+				} else {
+					log.WithField("event", event).WithError(err).Error("Unable to convert case object")
 				}
 			}
 		}
 	}
+	// }
 
 	return objects, err
 }
@@ -358,3 +358,19 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 
 	return detect, err
 }
+
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
+	// TODO: 10000? Is that enough?
+	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), 10000)
+	if err != nil {
+		return nil, err
+	}
+
+	sids := map[string]string{}
+	for _, det := range all {
+		detection := det.(*model.Detection)
+		sids[detection.PublicID] = detection.Id
+	}
+
+	return sids, nil
+}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index b9725882d..6c8705c82 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
 
+	"github.com/apex/log"
 	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
@@ -57,7 +59,92 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+func (s *SuricataEngine) ParseRules(content string) ([]*model.Detection, error) {
+	// expecting one rule per line
+	lines := strings.Split(content, "\n")
+	dets := []*model.Detection{}
+
+	for i, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(line, "#") {
+			// empty or commented line, ignore
+			continue
+		}
+
+		line, err := s.ValidateRule(line)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse line %d: %w", i+1, err)
+		}
+
+		parsed, err := ParseSuricataRule(line)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse line %d: %w", i+1, err)
+		}
+
+		// extract details
+		sidOpt, ok := parsed.GetOption("sid")
+		if !ok || sidOpt == nil || len(*sidOpt) == 0 {
+			return nil, fmt.Errorf("unable to parse line %d: rule does not contain a SID", i+1)
+		}
+
+		sid, err := strconv.Unquote(*sidOpt)
+		if err != nil {
+			sid = *sidOpt
+		}
+
+		msg := sid
+
+		msgOpt, ok := parsed.GetOption("msg")
+		if ok && msgOpt != nil && len(*msgOpt) != 0 {
+			msg = *msgOpt
+		}
+
+		msg = strings.ReplaceAll(msg, `\;`, `;`)
+
+		title, err := strconv.Unquote(msg)
+		if err != nil {
+			title = msg
+		}
+
+		title = strings.ReplaceAll(title, `\"`, `"`)
+		title = strings.ReplaceAll(title, `\\`, `\`)
+
+		severity := model.SeverityUnknown // TODO: Default severity?
+
+		md := parsed.ParseMetaData()
+		if md != nil {
+			sigsev, ok := lo.Find(md, func(m *MetaData) bool {
+				return strings.EqualFold(m.Key, "signature_severity")
+			})
+			if ok {
+				switch strings.ToUpper(sigsev.Value) {
+				case "INFORMATIONAL":
+					severity = model.SeverityInformational
+				case "MINOR":
+					severity = model.SeverityMinor
+				case "MAJOR":
+					severity = model.SeverityMajor
+				case "CRITICAL":
+					severity = model.SeverityCritical
+				}
+			}
+		}
+
+		dets = append(dets, &model.Detection{
+			PublicID:    sid,
+			Title:       title,
+			Severity:    severity,
+			Content:     line,
+			IsEnabled:   true, // is this true?
+			IsCommunity: true,
+			Engine:      model.EngineNameSuricata,
+		})
+	}
+
+	return dets, nil
+}
+
+func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
@@ -210,6 +297,71 @@ func (s *SuricataEngine) SyncDetections(ctx context.Context, detections []*model
 	return errMap, nil
 }
 
+func (s *SuricataEngine) SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+	errMap = map[string]string{}
+
+	results := struct {
+		Added   int
+		Updated int
+		Removed int
+	}{}
+
+	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	toDelete := map[string]struct{}{}
+	for sid := range commSIDs {
+		toDelete[sid] = struct{}{}
+	}
+
+	for _, detect := range detections {
+		id, exists := commSIDs[detect.PublicID]
+		if exists {
+			detect.Id = id
+
+			_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
+			if err != nil {
+				errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			} else {
+				results.Updated++
+				delete(toDelete, detect.PublicID)
+			}
+		} else {
+			_, err = s.srv.Detectionstore.CreateDetection(ctx, detect)
+			if err != nil {
+				errMap[detect.PublicID] = fmt.Sprintf("unable to create detection; reason=%s", err.Error())
+			} else {
+				results.Added++
+			}
+		}
+	}
+
+	for sid := range toDelete {
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, sid)
+		if err != nil {
+			errMap[sid] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+		} else {
+			results.Removed++
+		}
+	}
+
+	log.WithFields(log.Fields{
+		"added":   results.Added,
+		"updated": results.Updated,
+		"removed": results.Removed,
+		"errors":  errMap,
+	}).Info("Suricata community detections synced")
+
+	return errMap, nil
+}
+
 func settingByID(all []*model.Setting, id string) *model.Setting {
 	found, ok := lo.Find(all, func(s *model.Setting) bool {
 		return s.Id == id
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 0a497f305..215adc34a 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -2,6 +2,7 @@ package suricata
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -39,13 +40,13 @@ func TestSuricataModule(t *testing.T) {
 	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
 
 	err := mod.Init(nil)
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	err = mod.Start()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	err = mod.Stop()
-	assert.Nil(t, err)
+	assert.NoError(t, err)
 
 	assert.Equal(t, 1, len(srv.DetectionEngines))
 	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameSuricata])
@@ -264,6 +265,66 @@ func TestValidate(t *testing.T) {
 	}
 }
 
+func TestParse(t *testing.T) {
+	table := []struct {
+		Name               string
+		Lines              []string
+		ExpectedDetections []*model.Detection
+		ExpectedError      *string
+	}{
+		{
+			Name: "Sunny Day Path w/ Edge Cases",
+			Lines: []string{
+				"# Comment",
+				SimpleRule,
+				"",
+				` alert  http any any  <>   any any (metadata:signature_severity   Informational; sid: "20000"; msg:"a \"tricky\"\;\\ msg";)`,
+				" # " + FlowbitsRuleA,
+			},
+			ExpectedDetections: []*model.Detection{
+				{
+					PublicID:    SimpleRuleSID,
+					Title:       `GPL ATTACK_RESPONSE id check returned root`,
+					Severity:    model.SeverityUnknown,
+					Content:     SimpleRule,
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+				},
+				{
+					PublicID:    "20000",
+					Title:       `a "tricky";\ msg`,
+					Severity:    model.SeverityInformational,
+					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+				},
+			},
+		},
+	}
+
+	mod := NewSuricataEngine(&server.Server{})
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			data := strings.Join(test.Lines, "\n")
+
+			detections, err := mod.ParseRules(data)
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+				assert.Equal(t, test.ExpectedDetections, detections)
+			} else {
+				assert.Equal(t, *test.ExpectedError, err.Error())
+				assert.Empty(t, detections)
+			}
+		})
+	}
+}
+
 func TestSyncSuricata(t *testing.T) {
 	table := []struct {
 		Name             string
@@ -473,7 +534,7 @@ func TestSyncSuricata(t *testing.T) {
 			})
 			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
 
-			errMap, err := mod.SyncDetections(ctx, test.Detections)
+			errMap, err := mod.SyncLocalDetections(ctx, test.Detections)
 
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index aac0d6c66..8f9d1b89f 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -3,7 +3,9 @@ package suricata
 import (
 	"fmt"
 	"strings"
+	"unicode"
 
+	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 )
 
@@ -21,6 +23,11 @@ type RuleOption struct {
 	Value *string
 }
 
+type MetaData struct {
+	Key string
+	Value string
+}
+
 type state int
 
 const (
@@ -49,19 +56,19 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 
 		switch curState {
 		case stateAction:
-			if ch == ' ' {
+			if ch == ' ' && buf.Len() != 0 {
 				out.Action = strings.TrimSpace(buf.String())
 				buf.Reset()
 				curState = stateProtocol
-			} else {
+			} else if !unicode.IsSpace(ch) {
 				buf.WriteRune(ch)
 			}
 		case stateProtocol:
-			if ch == ' ' {
+			if ch == ' ' && buf.Len() != 0 {
 				out.Protocol = strings.TrimSpace(buf.String())
 				buf.Reset()
 				curState = stateSource
-			} else {
+			} else if !unicode.IsSpace(ch) {
 				buf.WriteRune(ch)
 			}
 		case stateSource:
@@ -113,7 +120,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				}
 
 				out.Options = append(out.Options, opt)
-			} else if ch == '"' { // TODO: current test rule has angled quotes, needs fixing
+			} else if ch == '"' {
 				buf.WriteRune(ch)
 				if isEscaping {
 					isEscaping = false
@@ -124,6 +131,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				isEscaping = true
 				buf.WriteRune(ch)
 			} else {
+				isEscaping = false
 				buf.WriteRune(ch)
 			}
 		}
@@ -139,7 +147,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 
 func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
 	for _, opt := range rule.Options {
-		if opt.Name == key {
+		if strings.EqualFold(opt.Name, key) {
 			return opt.Value, true
 		}
 	}
@@ -147,10 +155,38 @@ func (rule *SuricataRule) GetOption(key string) (value *string, ok bool) {
 	return nil, false
 }
 
+func (rule *SuricataRule) ParseMetaData() []*MetaData {
+	mdOpt, ok := rule.GetOption("metadata")
+	if !ok || mdOpt == nil {
+		return nil
+	}
+
+	md := []*MetaData{}
+
+	parts := strings.Split(*mdOpt, ",")
+	for _, part := range parts {
+		part = strings.TrimSuffix(strings.TrimSpace(part), ",")
+		kv := strings.SplitN(part, " ", 2)
+		if len(kv) == 1 {
+			kv = append(kv, "")
+		}
+
+		md = append(md, &MetaData{Key: strings.TrimSpace(kv[0]), Value: strings.TrimSpace(kv[1])})
+	}
+
+	return md
+}
+
 func (rule *SuricataRule) String() string {
 	opts := make([]string, 0, len(rule.Options))
+	md := rule.ParseMetaData()
 	for _, opt := range rule.Options {
-		if opt.Value == nil {
+		if opt.Name == "metadata" && len(md) != 0 {
+			value := strings.Join(lo.Map(md, func(m *MetaData, _ int) string {
+				return fmt.Sprintf("%s %s", m.Key, m.Value)
+			}), ", ")
+			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, value))
+		} else if opt.Value == nil {
 			opts = append(opts, fmt.Sprintf("%s;", opt.Name))
 		} else {
 			opts = append(opts, fmt.Sprintf("%s:%s;", opt.Name, *opt.Value))
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 261cc8b4f..1217cf3fa 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -114,7 +114,7 @@ func TestSuricataRule(t *testing.T) {
 	assert.NotNil(t, opt)
 	assert.Equal(t, `"9"`, *opt)
 
-	opt, ok = rule.GetOption("noalert")
+	opt, ok = rule.GetOption("NoAlErT")
 	assert.True(t, ok)
 	assert.Nil(t, opt)
 

From 326828700d8d346cf5b69a3420ab19deffcadc7a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Sep 2023 15:07:16 -0600
Subject: [PATCH 057/102] WIP: Community Detections Sync

Removed the sync endpoint from detections handler. Instead of so-rule-update attempting to upload the file or trigger a sync, the SuricataEngine module will watch files on disks for changes and respond to them. The DetectionEngine interface was cleaned up in response to this change.

All sync logic was moved the SuricataEngine module. The module now maintains a long-lived goroutine that checks a configurable file at a configurable interval for changes and applies them when seen. A fingerprint of the rules file is saved in a configurable location.

TODO: Tests.
---
 config/config.go                         |   7 +-
 server/detectionengine.go                |   2 -
 server/detectionhandler.go               |  46 ----------
 server/modules/suricata/suricata.go      | 107 +++++++++++++++++++++--
 server/modules/suricata/suricata_test.go |   2 +-
 5 files changed, 109 insertions(+), 55 deletions(-)

diff --git a/config/config.go b/config/config.go
index 75ce93534..9558286a8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,7 +45,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		}
 	}
 
-	cfg.Server.Modules["suricataengine"] = map[string]interface{}{} // TODO: remove when put in config file
+	// TODO: remove when put in config file
+	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
+		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
+		"rulesFingerprintFile":                 "/opt/so/conf/soc/emerging-all.fingerprint",
+		"communityRulesImportFrequencySeconds": float64(5),
+	}
 
 	return cfg, err
 }
diff --git a/server/detectionengine.go b/server/detectionengine.go
index 63bcf88b8..e6f1d4c1a 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -8,7 +8,5 @@ import (
 
 type DetectionEngine interface {
 	ValidateRule(rule string) (string, error)
-	ParseRules(content string) ([]*model.Detection, error)
 	SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
-	SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index c3313f1d7..7743da32b 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -9,7 +9,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"io"
 	"net/http"
 	"strings"
 
@@ -39,7 +38,6 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Delete("/{id}", h.deleteDetection)
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
-		r.Post("/sync/{engine}", h.syncCommunityDetections)
 	})
 }
 
@@ -236,50 +234,6 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
-func (h *DetectionHandler) syncCommunityDetections(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-
-	engineParam := chi.URLParam(r, "engine")
-
-	engine, ok := h.server.DetectionEngines[model.EngineName(engineParam)]
-	if !ok {
-		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid engine"))
-		return
-	}
-
-	err := r.ParseMultipartForm(int64(h.server.Config.MaxUploadSizeBytes))
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	file, _, err := r.FormFile("file")
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	content, err := io.ReadAll(file)
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	detections, err := engine.ParseRules(string(content))
-	if err != nil {
-		web.Respond(w, r, http.StatusBadRequest, err)
-		return
-	}
-
-	errMap, err := engine.SyncCommunityDetections(ctx, detections)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
-	}
-
-	web.Respond(w, r, http.StatusOK, errMap)
-}
-
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 6c8705c82..f7cf2573f 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -2,10 +2,16 @@ package suricata
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/apex/log"
 	"github.com/samber/lo"
@@ -20,7 +26,12 @@ var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
 type SuricataEngine struct {
-	srv *server.Server
+	srv                                  *server.Server
+	communityRulesFile                   string
+	rulesFingerprintFile                 string
+	communityRulesImportFrequencySeconds int
+	isRunning                            bool
+	thread                               *sync.WaitGroup
 }
 
 func NewSuricataEngine(srv *server.Server) *SuricataEngine {
@@ -33,21 +44,107 @@ func (s *SuricataEngine) PrerequisiteModules() []string {
 	return nil
 }
 
-func (s *SuricataEngine) Init(config module.ModuleConfig) error {
+func (s *SuricataEngine) Init(config module.ModuleConfig) (err error) {
+	s.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", "/nsm/rules/suricata/emerging-all.rules")
+	s.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/emerging-all.fingerprint")
+	s.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 5)
+
 	return nil
 }
 
 func (s *SuricataEngine) Start() error {
 	s.srv.DetectionEngines[model.EngineNameSuricata] = s
+	s.thread = &sync.WaitGroup{}
+	s.thread.Add(1)
+	s.isRunning = true
+
+	go s.watchCommunityRules()
+
 	return nil
 }
 
 func (s *SuricataEngine) Stop() error {
+	s.isRunning = false
+	s.thread.Wait()
+
 	return nil
 }
 
 func (s *SuricataEngine) IsRunning() bool {
-	return false
+	return s.isRunning
+}
+
+func (s *SuricataEngine) watchCommunityRules() {
+	defer func() {
+		s.thread.Done()
+		s.isRunning = false
+	}()
+
+	for s.isRunning {
+		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
+		if !s.isRunning {
+			break
+		}
+
+		rules, hash, err := readAndHash(s.communityRulesFile)
+		if err != nil {
+			log.WithError(err).Error("unable to read community rules file")
+			continue
+		}
+
+		haveFP := true
+
+		fingerprint, err := os.ReadFile(s.rulesFingerprintFile)
+		if err != nil {
+			if !os.IsNotExist(err) {
+				haveFP = false
+			} else {
+				log.WithError(err).Error("unable to read rules fingerprint file")
+				continue
+			}
+		}
+
+		if haveFP && strings.EqualFold(string(fingerprint), hash) {
+			// if we have a fingerprint and the hashes are equal, there's nothing to do
+			continue
+		}
+
+		commDetections, err := s.parseRules(rules)
+		if err != nil {
+			log.WithError(err).Error("unable to parse community rules")
+			continue
+		}
+
+		errMap, err := s.syncCommunityDetections(context.Background(), commDetections)
+		if err != nil {
+			log.WithError(err).Error("unable to sync community detections")
+			continue
+		}
+
+		if len(errMap) > 0 {
+			log.WithFields(log.Fields{
+				"errors": errMap,
+			}).Error("unable to sync all community detections")
+		}
+	}
+}
+
+func readAndHash(path string) (content string, sha256Hash string, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", "", err
+	}
+	defer f.Close()
+
+	hasher := sha256.New()
+	data := io.TeeReader(f, hasher)
+
+	raw, err := io.ReadAll(data)
+	if err != nil {
+		return "", "", err
+	}
+
+	return string(raw), hex.EncodeToString(hasher.Sum(nil)), nil
 }
 
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
@@ -59,7 +156,7 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) ParseRules(content string) ([]*model.Detection, error) {
+func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error) {
 	// expecting one rule per line
 	lines := strings.Split(content, "\n")
 	dets := []*model.Detection{}
@@ -297,7 +394,7 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	return errMap, nil
 }
 
-func (s *SuricataEngine) SyncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 215adc34a..d21faafc2 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -313,7 +313,7 @@ func TestParse(t *testing.T) {
 
 			data := strings.Join(test.Lines, "\n")
 
-			detections, err := mod.ParseRules(data)
+			detections, err := mod.parseRules(data)
 			if test.ExpectedError == nil {
 				assert.NoError(t, err)
 				assert.Equal(t, test.ExpectedDetections, detections)

From e1a9267220dfcf4a54db6fd7f5f254bba76875c9 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 3 Oct 2023 16:31:41 -0600
Subject: [PATCH 058/102] Service Account Ctx, Community Rules, permissions

The context that the server initializes is being put to use and slightly modified. As I find new permissions I need, I'm adding roles to cover them. When the dust settles, I'll re-evaluate.

Search criteria now determine what permissions they need to check the user account for. Hints can be given but the search criteria's index and kind are tested to see if alternate permissions need to be checked.

detection/read and detection/write were quickly added to the rbac/permissions file. The roles they're attached to has not been finalized and will almost certainly change.

Lengthened the allowed title as many community rules have titles longer than 100 chars.

When RoundTrip'ing with ElasticTransport, do not add the es-security-runas-user header when the server's agent is in the ctx.

Added 2 new test rules to TestValidate inspired by community rules that couldn't parse but should've.

Successfully imported 30,000+ community rules!
---
 config/config.go                              |  2 +-
 model/event.go                                | 38 +++++++++
 rbac/permissions                              |  5 +-
 .../modules/elastic/elasticdetectionstore.go  |  2 +-
 server/modules/elastic/elasticeventstore.go   | 29 ++++---
 server/modules/elastic/elastictransport.go    | 23 ++++--
 .../staticrbac/staticrbacauthorizer.go        |  2 +
 server/modules/suricata/suricata.go           | 82 +++++++++++++++----
 server/modules/suricata/suricata_test.go      | 24 +++++-
 server/modules/suricata/validate.go           | 17 +++-
 server/server.go                              |  6 +-
 11 files changed, 187 insertions(+), 43 deletions(-)

diff --git a/config/config.go b/config/config.go
index 9558286a8..f19f83053 100644
--- a/config/config.go
+++ b/config/config.go
@@ -48,7 +48,7 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	// TODO: remove when put in config file
 	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
 		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile":                 "/opt/so/conf/soc/emerging-all.fingerprint",
+		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
 		"communityRulesImportFrequencySeconds": float64(5),
 	}
 
diff --git a/model/event.go b/model/event.go
index e75abc2fc..0f8f50036 100644
--- a/model/event.go
+++ b/model/event.go
@@ -7,6 +7,7 @@
 package model
 
 import (
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -14,6 +15,9 @@ import (
 	"github.com/apex/log"
 )
 
+var indexExtractor = regexp.MustCompile(`_index:[ \t]?"([^ \t]+)"`)
+var kindExtractor = regexp.MustCompile(`so_kind:[ \t]?"([^ \t]+)"`)
+
 type EventResults struct {
 	CreateTime   time.Time `json:"createTime"`
 	CompleteTime time.Time `json:"completeTime"`
@@ -115,6 +119,40 @@ func (criteria *EventSearchCriteria) Populate(query string, dateRange string, da
 	return err
 }
 
+func (criteria *EventSearchCriteria) DeterminePermissions(hintVerb string, hintNoun string) (verb string, noun string) {
+	var index, kind string
+
+	for _, seg := range criteria.ParsedQuery.Segments {
+		segStr := seg.String()
+
+		indexMatches := indexExtractor.FindStringSubmatch(segStr)
+		if len(indexMatches) != 0 {
+			index = indexMatches[1]
+		}
+
+		kindMatches := kindExtractor.FindStringSubmatch(segStr)
+		if len(kindMatches) != 0 {
+			kind = kindMatches[1]
+		}
+
+		if index != "" && kind != "" {
+			break
+		}
+	}
+
+	index = strings.ToLower(strings.TrimPrefix(strings.TrimSpace(index), "*:"))
+	kind = strings.ToLower(strings.TrimSpace(kind))
+
+	switch index {
+	case "so-detection":
+		return hintVerb, "detection"
+	}
+
+	_ = kind
+
+	return hintVerb, hintNoun
+}
+
 type EventMetric struct {
 	Keys  []interface{} `json:"keys"`
 	Value int           `json:"value"`
diff --git a/rbac/permissions b/rbac/permissions
index 603820686..8869dc270 100644
--- a/rbac/permissions
+++ b/rbac/permissions
@@ -29,7 +29,10 @@ roles/write:      user-admin
 users/read:       user-monitor
 users/write:      user-admin
 users/delete:     user-admin
-
+detection/read:   agent
+detection/write:  agent
+detection/read:   event-monitor
+detection/write:  event-admin
 
 # Define low-level permission set inheritence relationships
 # Syntax      => roleB: roleA
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 34383adc6..918a5c3b2 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -78,7 +78,7 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 	}
 
 	if err == nil && detect.Title != "" {
-		err = store.validateString(detect.Title, SHORT_STRING_MAX, "title")
+		err = store.validateString(detect.Title, LONG_STRING_MAX, "title")
 	}
 
 	if err == nil && detect.Severity != "" {
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index f2f7db717..f081b8ff8 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -179,21 +179,28 @@ func (store *ElasticEventstore) unmapElasticField(field string) string {
 func (store *ElasticEventstore) Search(ctx context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error) {
 	var err error
 	results := model.NewEventSearchResults()
-	if err = store.server.CheckAuthorized(ctx, "read", "events"); err == nil {
-		store.refreshCache(ctx)
+	verb, noun := criteria.DeterminePermissions("read", "events")
 
-		var query string
-		query, err = convertToElasticRequest(store, criteria)
+	err = store.server.CheckAuthorized(ctx, verb, noun)
+	if err != nil {
+		return nil, err
+	}
+
+	store.refreshCache(ctx)
+
+	var query string
+	query, err = convertToElasticRequest(store, criteria)
+	if err == nil {
+		var response string
+		response, err = store.luceneSearch(ctx, query)
 		if err == nil {
-			var response string
-			response, err = store.luceneSearch(ctx, query)
-			if err == nil {
-				err = convertFromElasticResults(store, response, results)
-				results.Criteria = criteria
-			}
+			err = convertFromElasticResults(store, response, results)
+			results.Criteria = criteria
 		}
 	}
+
 	results.Complete()
+
 	return results, err
 }
 
@@ -338,7 +345,9 @@ func (store *ElasticEventstore) indexSearch(ctx context.Context, query string, i
 		"query":     store.truncate(query),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Info("Searching Elasticsearch")
+
 	var json string
+
 	res, err := store.esClient.Search(
 		store.esClient.Search.WithContext(ctx),
 		store.esClient.Search.WithIndex(indexes...),
diff --git a/server/modules/elastic/elastictransport.go b/server/modules/elastic/elastictransport.go
index a4c8c6ace..e5606fb74 100644
--- a/server/modules/elastic/elastictransport.go
+++ b/server/modules/elastic/elastictransport.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 )
 
@@ -42,16 +43,20 @@ func NewElasticTransport(user string, pass string, timeoutMs time.Duration, veri
 
 func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if user, ok := req.Context().Value(web.ContextKeyRequestor).(*model.User); ok {
-		log.WithFields(log.Fields{
-			"username":       user.Email,
-			"searchUsername": user.SearchUsername,
-			"requestId":      req.Context().Value(web.ContextKeyRequestId),
-		}).Debug("Executing Elastic request on behalf of user")
-		username := user.Email
-		if user.SearchUsername != "" {
-			username = user.SearchUsername
+		if user.Id != server.AGENT_ID {
+			log.WithFields(log.Fields{
+				"username":       user.Email,
+				"searchUsername": user.SearchUsername,
+				"requestId":      req.Context().Value(web.ContextKeyRequestId),
+			}).Debug("Executing Elastic request on behalf of user")
+			username := user.Email
+			if user.SearchUsername != "" {
+				username = user.SearchUsername
+			}
+			req.Header.Set("es-security-runas-user", username)
+		} else {
+			log.Info("Executing Elastic request without es-security-runas-user")
 		}
-		req.Header.Set("es-security-runas-user", username)
 	} else {
 		log.Warn("User not found in context")
 	}
diff --git a/server/modules/staticrbac/staticrbacauthorizer.go b/server/modules/staticrbac/staticrbacauthorizer.go
index a1a5463cf..5c1029b90 100644
--- a/server/modules/staticrbac/staticrbacauthorizer.go
+++ b/server/modules/staticrbac/staticrbacauthorizer.go
@@ -294,6 +294,8 @@ func (impl *StaticRbacAuthorizer) scanNow() {
 
 		// Ensure agent user/role exists
 		impl.AddRoleToUser(impl.server.Agent, "agent")
+		impl.AddRoleToUser(impl.server.Agent, "config-admin")
+		impl.AddRoleToUser(impl.server.Agent, "event-admin")
 
 		impl.previousUserHash = hash
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index f7cf2573f..1b234278a 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -80,31 +80,29 @@ func (s *SuricataEngine) watchCommunityRules() {
 		s.isRunning = false
 	}()
 
+	ctx := s.srv.Context
+
 	for s.isRunning {
 		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
 		if !s.isRunning {
 			break
 		}
 
+		start := time.Now()
+
 		rules, hash, err := readAndHash(s.communityRulesFile)
 		if err != nil {
 			log.WithError(err).Error("unable to read community rules file")
 			continue
 		}
 
-		haveFP := true
-
-		fingerprint, err := os.ReadFile(s.rulesFingerprintFile)
+		fingerprint, haveFP, err := readFingerprint(s.rulesFingerprintFile)
 		if err != nil {
-			if !os.IsNotExist(err) {
-				haveFP = false
-			} else {
-				log.WithError(err).Error("unable to read rules fingerprint file")
-				continue
-			}
+			log.WithError(err).Error("unable to read rules fingerprint file")
+			continue
 		}
 
-		if haveFP && strings.EqualFold(string(fingerprint), hash) {
+		if haveFP && strings.EqualFold(*fingerprint, hash) {
 			// if we have a fingerprint and the hashes are equal, there's nothing to do
 			continue
 		}
@@ -115,7 +113,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
-		errMap, err := s.syncCommunityDetections(context.Background(), commDetections)
+		errMap, err := s.syncCommunityDetections(ctx, commDetections)
 		if err != nil {
 			log.WithError(err).Error("unable to sync community detections")
 			continue
@@ -125,7 +123,18 @@ func (s *SuricataEngine) watchCommunityRules() {
 			log.WithFields(log.Fields{
 				"errors": errMap,
 			}).Error("unable to sync all community detections")
+		} else {
+			err = os.WriteFile(s.rulesFingerprintFile, []byte(hash), 0644)
+			if err != nil {
+				log.WithError(err).WithField("path", s.rulesFingerprintFile).Error("unable to write rules fingerprint file")
+			}
 		}
+
+		dur := time.Since(start)
+
+		log.WithFields(log.Fields{
+			"durationSeconds": dur.Seconds(),
+		}).Info("Suricata community rules synced")
 	}
 }
 
@@ -147,6 +156,26 @@ func readAndHash(path string) (content string, sha256Hash string, err error) {
 	return string(raw), hex.EncodeToString(hasher.Sum(nil)), nil
 }
 
+func readFingerprint(path string) (fingerprint *string, ok bool, err error) {
+	_, err = os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, false, nil
+		}
+
+		return nil, false, err
+	}
+
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return nil, false, err
+	}
+
+	fingerprint = util.Ptr(strings.TrimSpace(string(raw)))
+
+	return fingerprint, true, nil
+}
+
 func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	parsed, err := ParseSuricataRule(rule)
 	if err != nil {
@@ -279,8 +308,8 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	modifyLines := strings.Split(modify.Value, "\n")
 
 	localIndex := indexLocal(localLines)
-	enabledIndex := indexEnabled(enabledLines)
-	disabledIndex := indexEnabled(disabledLines)
+	enabledIndex := indexEnabled(enabledLines, false)
+	disabledIndex := indexEnabled(disabledLines, false)
 	modifyIndex := indexModify(modifyLines)
 
 	errMap = map[string]string{} // map[sid]error
@@ -408,6 +437,19 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		Removed int
 	}{}
 
+	allSettings, err := s.srv.Configstore.GetSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	disabled := settingByID(allSettings, "idstools.sids.disabled")
+	if disabled == nil {
+		return nil, fmt.Errorf("unable to find disabled setting")
+	}
+
+	disabledLines := strings.Split(disabled.Value, "\n")
+	disabledIndex := indexEnabled(disabledLines, true)
+
 	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
 	if err != nil {
 		return nil, err
@@ -419,6 +461,9 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for _, detect := range detections {
+		_, disabled := disabledIndex[detect.PublicID]
+		detect.IsEnabled = !disabled
+
 		id, exists := commSIDs[detect.PublicID]
 		if exists {
 			detect.Id = id
@@ -454,7 +499,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		"updated": results.Updated,
 		"removed": results.Removed,
 		"errors":  errMap,
-	}).Info("Suricata community detections synced")
+	}).Info("suricata community diff")
 
 	return errMap, nil
 }
@@ -494,11 +539,16 @@ func indexLocal(lines []string) map[string]int {
 	return index
 }
 
-func indexEnabled(lines []string) map[string]int {
+func indexEnabled(lines []string, ignoreComments bool) map[string]int {
 	index := map[string]int{}
 
 	for i, line := range lines {
-		line = strings.TrimSpace(strings.TrimLeft(line, "# \t"))
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "#") && ignoreComments {
+			continue
+		}
+
+		line = strings.TrimLeft(line, "# \t")
 		if line != "" {
 			index[line] = i
 		}
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index d21faafc2..e816e4562 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -155,7 +155,7 @@ func TestIndexEnabled(t *testing.T) {
 		"#  24adee9b-6010-46ed-9c4a-9cb7a9c972a1",
 	}
 
-	output := indexEnabled(lines)
+	output := indexEnabled(lines, false)
 
 	assert.Equal(t, 7, len(output))
 	assert.Contains(t, output, "10000")
@@ -172,6 +172,20 @@ func TestIndexEnabled(t *testing.T) {
 	assert.Equal(t, output["not a number"], 6)
 	assert.Contains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
 	assert.Equal(t, output["24adee9b-6010-46ed-9c4a-9cb7a9c972a1"], 7)
+
+	output = indexEnabled(lines, true)
+	assert.Equal(t, 4, len(output))
+	assert.Contains(t, output, "10000")
+	assert.Equal(t, output["10000"], 0)
+	assert.NotContains(t, output, "20000")
+	assert.Contains(t, output, "30000")
+	assert.Equal(t, output["30000"], 3)
+	assert.NotContains(t, output, "40000")
+	assert.Contains(t, output, "50000")
+	assert.Equal(t, output["50000"], 5)
+	assert.Contains(t, output, "not a number")
+	assert.Equal(t, output["not a number"], 6)
+	assert.NotContains(t, output, "24adee9b-6010-46ed-9c4a-9cb7a9c972a1")
 }
 
 func TestIndexModify(t *testing.T) {
@@ -239,6 +253,14 @@ func TestValidate(t *testing.T) {
 			Input:       "x",
 			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
 		},
+		{
+			Name:  "Parentheses in Unquoted Option",
+			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
+		},
+		{
+			Name:  "Unescaped Double Quote in PCRE Option",
+			Input: `alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)`,
+		},
 	}
 
 	for _, test := range table {
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 8f9d1b89f..f3ee8e707 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -24,7 +24,7 @@ type RuleOption struct {
 }
 
 type MetaData struct {
-	Key string
+	Key   string
 	Value string
 }
 
@@ -101,7 +101,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				buf.WriteRune(ch)
 			}
 		case stateOptions:
-			if ch == ')' && !inQuotes && !isEscaping {
+			if ch == ')' && !inQuotes && !isEscaping && len(strings.TrimSpace(buf.String())) == 0 {
 				if r.Len() != 0 {
 					// end of options, but not end of rule?
 					return nil, fmt.Errorf("invalid rule, expected end of rule, got %d more bytes", r.Len())
@@ -125,7 +125,18 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 				if isEscaping {
 					isEscaping = false
 				} else {
-					inQuotes = !inQuotes
+					if strings.Contains(buf.String(), "pcre:") {
+						// is the current option a regular expression?
+						// if so, only end the quotes if the next character is a semicolon
+						next, _, _ := r.ReadRune()
+						r.UnreadRune()
+
+						if next == ';' {
+							inQuotes = false
+						}
+					} else {
+						inQuotes = !inQuotes
+					}
 				}
 			} else if ch == '\\' {
 				isEscaping = true
diff --git a/server/server.go b/server/server.go
index 4b281b5e5..9a41e1a77 100644
--- a/server/server.go
+++ b/server/server.go
@@ -63,7 +63,11 @@ func (server *Server) initContext() {
 	server.Agent = model.NewUser()
 	server.Agent.Id = AGENT_ID
 	server.Agent.Email = server.Agent.Id
-	server.Context = context.WithValue(context.Background(), web.ContextKeyRequestor, server.Agent)
+
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestor, server.Agent)
+	ctx = context.WithValue(ctx, web.ContextKeyRequestorId, AGENT_ID)
+
+	server.Context = ctx
 }
 
 func (server *Server) Start() {

From a9e0e10e4ad3e74304acbc2798cdafe5356337f6 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 5 Oct 2023 12:23:43 -0600
Subject: [PATCH 059/102] WIP: GetAll that gets all

Uses elasticsearch's `search_after` to page through results when the max documents of -1 is passed in.
---
 model/event.go                                |  2 +
 server/modules/elastic/converter.go           | 14 ++++
 .../modules/elastic/elasticdetectionstore.go  | 72 ++++++++++++++-----
 server/modules/suricata/suricata.go           | 28 ++++++--
 4 files changed, 93 insertions(+), 23 deletions(-)

diff --git a/model/event.go b/model/event.go
index 0f8f50036..9f9306e8c 100644
--- a/model/event.go
+++ b/model/event.go
@@ -66,6 +66,7 @@ type EventSearchCriteria struct {
 	CreateTime  time.Time
 	ParsedQuery *Query
 	SortFields  []*SortCriteria
+	SearchAfter []interface{}
 }
 
 func (criteria *EventSearchCriteria) initSearchCriteria() {
@@ -166,6 +167,7 @@ type EventRecord struct {
 	Type      string                 `json:"type"`
 	Score     float64                `json:"score"`
 	Payload   map[string]interface{} `json:"payload"`
+	Sort      []interface{}          `json:"sort"`
 }
 
 type EventUpdateCriteria struct {
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 8b8fbeaf5..549e42e3e 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -196,6 +196,10 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 	esMap["size"] = criteria.EventLimit
 	esMap["query"] = makeQuery(store, criteria.ParsedQuery, criteria.BeginTime, criteria.EndTime)
 
+	if len(criteria.SearchAfter) != 0 {
+		esMap["search_after"] = criteria.SearchAfter
+	}
+
 	aggregations := make(map[string]interface{})
 
 	if criteria.MetricLimit > 0 {
@@ -244,6 +248,13 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			}
 			esMap["sort"] = sorting
 		}
+	} else {
+		sort := map[string]string{}
+		for _, field := range criteria.SortFields {
+			sort[field.Field] = field.Order
+		}
+
+		esMap["sort"] = sort
 	}
 
 	bytes, err := json.WriteJson(esMap)
@@ -342,6 +353,9 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 			event.Score = esRecord["_score"].(float64)
 		}
 		event.Payload = flatten(store, esRecord["_source"].(map[string]interface{}))
+		if esRecord["sort"] != nil {
+			event.Sort = esRecord["sort"].([]interface{})
+		}
 
 		if event.Payload["@timestamp"] != nil {
 			event.Time, _ = time.Parse(time.RFC3339, event.Payload["@timestamp"].(string))
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 918a5c3b2..c2bd36003 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -196,30 +196,65 @@ func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, ma
 	endTime := now.Format(format)
 	zone := now.Location().String()
 
-	err = criteria.Populate(query,
-		zeroTimeStr+" - "+endTime, // timeframe range
-		format,                    // timeframe format
-		zone,                      // timezone
-		"0",                       // no metrics
-		strconv.Itoa(max))
+	unlimited := false
+	if max == -1 {
+		max = 10000
+		unlimited = true
+	}
+
+	sort := []interface{}{}
+
+	for {
+		err = criteria.Populate(query,
+			zeroTimeStr+" - "+endTime, // timeframe range
+			format,                    // timeframe format
+			zone,                      // timezone
+			"0",                       // no metrics
+			strconv.Itoa(max))
+
+		if err != nil {
+			return nil, err
+		}
+
+		if unlimited {
+			// need a deterministic sort order for paging
+			criteria.SortFields = []*model.SortCriteria{
+				{
+					Field: "@timestamp",
+					Order: "desc",
+				},
+			}
+
+			if len(sort) != 0 {
+				criteria.SearchAfter = sort
+			}
+		}
 
-	if err == nil {
 		var results *model.EventSearchResults
 
 		results, err = store.server.Eventstore.Search(ctx, criteria)
-		if err == nil {
-			for _, event := range results.Events {
-				var obj interface{}
-
-				obj, err = convertElasticEventToObject(event, store.schemaPrefix)
-				if err == nil {
-					objects = append(objects, obj)
-				} else {
-					log.WithField("event", event).WithError(err).Error("Unable to convert case object")
-				}
+		if err != nil {
+			return nil, err
+		}
+
+		for _, event := range results.Events {
+			var obj interface{}
+
+			obj, err = convertElasticEventToObject(event, store.schemaPrefix)
+			if err == nil {
+				objects = append(objects, obj)
+			} else {
+				log.WithField("event", event).WithError(err).Error("Unable to convert case object")
 			}
 		}
+
+		if !unlimited || len(results.Events) == 0 {
+			break
+		}
+
+		sort = results.Events[len(results.Events)-1].Sort
 	}
+
 	// }
 
 	return objects, err
@@ -360,8 +395,7 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 }
 
 func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
-	// TODO: 10000? Is that enough?
-	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), 10000)
+	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 1b234278a..0b641e706 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -25,6 +25,8 @@ var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
 
 const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
+var errModuleStopped = fmt.Errorf("module has stopped running")
+
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
@@ -115,6 +117,11 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		errMap, err := s.syncCommunityDetections(ctx, commDetections)
 		if err != nil {
+			if err == errModuleStopped {
+				log.Info("incomplete sync of suricata community detections due to module stopping")
+				return
+			}
+
 			log.WithError(err).Error("unable to sync community detections")
 			continue
 		}
@@ -134,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
-		}).Info("Suricata community rules synced")
+		}).Info("suricata community rules synced")
 	}
 }
 
@@ -447,8 +454,16 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		return nil, fmt.Errorf("unable to find disabled setting")
 	}
 
+	modify := settingByID(allSettings, "idstools.sids.modify")
+	if modify == nil {
+		return nil, fmt.Errorf("unable to find modify setting")
+	}
+
 	disabledLines := strings.Split(disabled.Value, "\n")
+	modifyLines := strings.Split(modify.Value, "\n")
+
 	disabledIndex := indexEnabled(disabledLines, true)
+	modifyIndex := indexModify(modifyLines)
 
 	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
 	if err != nil {
@@ -461,8 +476,13 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for _, detect := range detections {
+		if !s.isRunning {
+			return errMap, errModuleStopped
+		}
+
 		_, disabled := disabledIndex[detect.PublicID]
-		detect.IsEnabled = !disabled
+		_, modified := modifyIndex[detect.PublicID]
+		detect.IsEnabled = !(disabled || modified)
 
 		id, exists := commSIDs[detect.PublicID]
 		if exists {
@@ -486,9 +506,9 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for sid := range toDelete {
-		_, err = s.srv.Detectionstore.DeleteDetection(ctx, sid)
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid])
 		if err != nil {
-			errMap[sid] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			errMap[sid] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
 		} else {
 			results.Removed++
 		}

From 277495532427d09e1af711c9a89b722ba557b111 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 11 Oct 2023 15:48:18 -0600
Subject: [PATCH 060/102] WIP: Tightening Suricata Bolts

Added logic to disallow editing of community rules. Adjusted detection's form validation rules so that community rules aren't validated at the form level.

Removed "Details" Detection tab and reordered the controls under it to the "Summary" and "Signature" tabs. Rearranged some tabs.

Cleaned up the strings used in dropdowns (engine, severity) with capitalization. Cleaner UI, but the correct casing is still passed over the wire.

Refactored PublicID's "Generate" button to be "Extract" so that it fills the field using the SID in the rule. May eventually make this field readonly except for this modification.

Updated infohandler's response to use the same severity values the rules use.

Converted more strings to i18n references.

`indexDocument` and `deleteDocument` on the ElasticEventstore now pass the ctx in. This removes the WARN log message about making a request without a user. Needs more thorough testing to be sure there's no unwanted side effects.
---
 html/index.html                             | 86 ++++++++-------------
 html/js/i18n.js                             | 17 +++-
 html/js/routes/detection.js                 | 81 ++++++++++++++-----
 server/infohandler.go                       |  2 +-
 server/modules/elastic/converter.go         |  2 +-
 server/modules/elastic/elasticeventstore.go |  6 +-
 server/modules/suricata/suricata.go         |  2 +
 7 files changed, 118 insertions(+), 78 deletions(-)

diff --git a/html/index.html b/html/index.html
index 462c7a8d2..ce82d58d8 100644
--- a/html/index.html
+++ b/html/index.html
@@ -965,7 +965,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
         <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
           <!-- Title -->
           <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
-          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="'Detection Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
         </div>
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
@@ -975,10 +975,10 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-form ref="detection" v-model="editForm.valid">
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- Description -->
-                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" auto-grow rows="5"></v-textarea>
+                  <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="i18n.detectionDescription" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicID">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1018,18 +1018,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <v-icon left>fa-clipboard</v-icon>
                 <div class="d-none d-lg-block">Summary</div>
               </v-tab>
-              <v-tab id="detection_detailsTab" href="#details">
-                <v-icon left>fa-circle-info</v-icon>
-                <div class="d-none d-lg-block">Details</div>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-signature</v-icon>
+                <div class="d-none d-lg-block">Signature</div>
               </v-tab>
               <v-tab id="detection_notesTab" href="#notes">
                 <v-icon left>fa-pencil</v-icon>
                 <div class="d-none d-lg-block">Notes</div>
               </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
-                <v-icon left>fa-signature</v-icon>
-                <div class="d-none d-lg-block">Signature</div>
-              </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
@@ -1047,47 +1043,49 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div>
                     <!-- Description -->
-                    <span class="font-weight-bold">Description:</span><br/>
+                    <span class="font-weight-bold">{{i18n.description}}:</span><br/>
                     <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
-                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="'Detection Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+                    <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.detectionDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
                   <!-- Engine -->
-                  <v-select id="detection-engine-edit" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="'Engine'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="detection-engine-edit" v-model="detect.engine" :readonly="detect.isCommunity" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Author -->
+                  <v-text-field id="detection-author-edit" v-model="detect.author" :readonly="detect.isCommunity" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.author" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+                  <!-- Severity -->
+                  <v-select id="detection-severity-edit" class="text-capitalize" :readonly="detect.isCommunity" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
                   <!-- Enabled -->
-                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Enabled"/>
+                  <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/>
                   <!-- Reporting -->
-                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" label="Reporting"/>
+                  <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" :label="i18n.reporting"/>
                 </div>
                 <div class="d-flex justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn v-if="!isNew()" id="detection-duplicate" text small color="primary" class="align-self-end" @click="duplicateDetection()">
                       {{i18n.duplicate}}
                     </v-btn>
-                    <v-btn v-if="!isNew()" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
+                    <v-btn v-if="!isNew() && !detect.isCommunity" id="detection-delete" text small color="error" class="align-self-end" @click="deleteDetection()">
                       {{i18n.delete}}
                     </v-btn>
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="details">
-                <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+              <v-tab-item value="signature">
+                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
-                    <template v-slot:append v-if="!detect.publicId">
-                      <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">{{i18n.generate}}</v-btn>
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
+                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
                     </template>
                   </v-text-field>
-                  <!-- Author -->
-                  <v-text-field id="detection-author-edit" v-model="detect.author" :rules="[rules.required]" persistent-hint :hint="'Author'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
-                  <!-- Severity -->
-                  <v-select id="detection-severity-edit" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <!-- Signature -->
+                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
@@ -1109,22 +1107,6 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="signature">
-                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- Signature -->
-                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="15" />
-                </div>
-                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
-                  <div class="d-inline-flex justify-end">
-                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
-                      {{ i18n.cancel }}
-                    </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
-                      {{i18n.update}}
-                    </v-btn>
-                  </div>
-                </div>
-              </v-tab-item>
               <!-- <v-tab-item value="playbook">
                 <div class="col pa-2" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <div class="col ma-2">
@@ -1196,13 +1178,13 @@ <h3>Alerts</h3>
         <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
           <!-- Title -->
           <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isEdit('playbook-title')">{{ playbook.title }}</h2>
-          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="'Playbook Title'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
+          <v-text-field id="playbook-title-edit" v-else hide-details="auto" outlined v-model="playbook.title" :rules="[rules.required]" persistent-hint :hint="i18n.playbookTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
         </div>
 
         <div class="row mb-6 mb-md-1 mt-2 mx-lg-6 mx-sm-12">
           <!-- Description -->
           <span id="playbook-description" @click="startEdit('playbook-description', 'description')" v-if="!isEdit('playbook-description')">{{ playbook.description }}</span>
-          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="'Playbook Description'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
+          <v-textarea id="playbook-description-edit" v-else hide-details="auto" outlined v-model="playbook.description" :rules="[rules.required]" persistent-hint :hint="i18n.playbookDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
         </div>
 
         <div class="row mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
@@ -1228,23 +1210,23 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="notes">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="'Public ID'" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!playbook.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
                   </v-text-field>
                   <!-- Contributors -->
-                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="'Contributors'" multiple>
+                  <v-combobox id="playbook-contributors" v-model="playbook.contributors" persistent-hint :hint="i18n.contributors" multiple>
                     <template #selection="{ item }">
                       <v-chip color="primary">{{item}}</v-chip>
                     </template>
                   </v-combobox>
 
                   <!-- Severity -->
-                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="'Severity'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="playbook-severity-edit" v-model="playbook.severity" :items="severityOptions" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
 
                   <!-- Mechanism -->
-                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="'Mechanism'" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
+                  <v-select id="playbook-engine-edit" v-model="playbook.mechanism" :items="engineOptions" persistent-hint :hint="i18n.playbookMechanism" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
 
                   <!-- Tags -->
                   <v-combobox id="playbook-tags" v-model="playbook.tags" :items="tags" persistent-hint :hint="i18n.caseTagsHelp" multiple>
@@ -1283,9 +1265,9 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="questions">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <h2>Add Investigative Question</h2>
-                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="'The investigative question written in plain language for human consumption, in the form of a question'"></v-text-field>
-                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="'Provide optional context'"></v-text-field>
-                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="'The data sources that can be used to answer the question'" multiple>
+                  <v-text-field id="playbook-question-add" v-model="addQuestion" persistent-hint :hint="i18n.playbookQuestionHint"></v-text-field>
+                  <v-text-field id="playbook-context-add" v-model="addContext" persistent-hint :hint="i18n.playbookAddContext"></v-text-field>
+                  <v-combobox id="playbook-datasources-add" v-model="addDataSources" persistent-hint :hint="i18n.playbookDatasources" multiple>
                     <template #selection="{ item }">
                       <v-chip color="primary">{{item}}</v-chip>
                     </template>
@@ -3749,7 +3731,7 @@ <h4 v-if="metricsEnabled">{{ i18n.gridEps }} {{ gridEps | formatCount }}</h4>
                                 <v-btn v-if="canTest(item)" id="test-minion" icon :title="i18n.nodeTest" @click="showTestConfirm(item.id + '_' + item.role)">
                                   <v-icon>fa-file-import</v-icon>
                                 </v-btn>
-                                <v-btn v-if="canUpload(item)" id="import-minion" icon :title="i18n.uploadPcap" @click="showUploadConfirm(item)">
+                                <v-btn v-if="canUpload(item)" id="import-minion" icon :title="i18n.uploadPCAPEVTX" @click="showUploadConfirm(item)">
                                   <v-icon>fa-upload</v-icon>
                                 </v-btn>
                                 <v-btn id="restart-minion" icon :title="item.osNeedsRestart == 1 ? i18n.restartRequiredHelp : i18n.restartMinionHelp" @click="showRestartConfirm(item.id + '_' + item.role)">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index f9dcbe00d..5cab16f35 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -97,7 +97,6 @@ const i18n = {
       artifactIocHelp: 'Enable this field if this is an Indicator of Compromise',
       artifactGroupType: 'Group Type',
       artifactGroupId: 'Group ID',
-      artifactDescription: 'Description',
       artifactProtected: 'Protected',
       artifactProtectedHint: 'Protected attachments are automatically zipped prior to downloading. This helps prevent analysts from accidentally executing the potentially infected attachment.',
       artifactType: 'Type',
@@ -209,6 +208,7 @@ const i18n = {
       container: 'Container',
       containerStatus: 'Container Status',
       continue: 'Would you like to continue?',
+      contributors: 'Contributors',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
       copyEventToClipboardAsKvp: 'Copy full event as field:value pairs',
       copyFieldToClipboard: 'Copy this value only',
@@ -262,7 +262,10 @@ const i18n = {
       detections: 'Detections',
       detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
       detectionDefaultDescription: 'Detection description not yet provided',
+      detectionDescription: 'Detection Description',
+      detectionEnabled: 'Enabled',
       detectionSeverity: 'Severity',
+      detectionTitle: 'Detection Title',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -321,6 +324,7 @@ const i18n = {
       expand: 'Expand',
       expandHelp: 'Expand and show detailed data',
       expired: 'Expired',
+      extract: 'Extract',
       incomplete: 'Incomplete',
       invalidHours: 'Hours are not valid. Ex: 1.5',
       failedEvents: 'Failed Events',
@@ -558,6 +562,12 @@ const i18n = {
       passwordReset: 'Change Password',
       passwordNeedsChanged: 'User has not yet changed their password',
       playbooks: 'Playbooks',
+      playbookAddContext: 'Provide optional context',
+      playbookDatasources: 'The data sources that can be used to answer the question',
+      playbookDescription: 'Playbook Description',
+      playbookTitle: 'Playbook Title',
+      playbookMechanism: 'Mechanism',
+      playbookQuestionHint: 'The investigative question written in plain language for human consumption, in the form of a question',
       profileDetails: 'Profile Details',
       profileInstructions: 'You may be prompted to login again when updating your profile. This is a security measure to protect your account.',
       pcap: 'PCAP',
@@ -568,6 +578,7 @@ const i18n = {
       profile: 'Profile',
       protocol: 'Protocol',
       protocolHelp: 'Optional protocol, such as "icmp" or "tcp".',
+      publicID: 'Public ID',
       queriesHelp: 'Choose from several pre-defined queries',
       queryHelp: 'Specify a query in Onion Query Language (OQL)',
       quickActions: 'Actions',
@@ -657,6 +668,8 @@ const i18n = {
       setting_fake_setting_foo: 'Fake Setting Translated',
       settingHelp_fake_setting_foo: 'This is a transalated fake setting description.',
 
+      severity: 'Severity',
+
       sha1: 'SHA1',
       sha256: 'SHA256',
       share: 'Clipboard',
@@ -778,7 +791,7 @@ const i18n = {
       unwrapHelp: 'Unwrap packets from encapsulation (Ex: VXLAN)',
       update: 'Update',
       upload: 'Upload',
-      uploadPcap: 'Upload PCAP/EVTX',
+      uploadPCAPEVTX: 'Upload PCAP/EVTX',
       updateProfile: 'Update Profile',
       updateSettings: 'Settings',
       updateSuccessful: 'Update successful',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index e88abc266..5ddcaebf2 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -29,6 +29,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
+		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/,
   }},
   created() {
   },
@@ -99,11 +100,33 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       return "";
     },
     getPresets(kind) {
-      if (this.presets && this.presets[kind]) {
-        return this.presets[kind].labels;
+			if (this.presets && this.presets[kind]) {
+				switch (kind) {
+					case 'severity':
+					case 'engine':
+						return this.capitalizeOptions(this.presets[kind].labels);
+					default:
+						return this.presets[kind].labels;
+				}
       }
       return [];
-    },
+		},
+		capitalizeOptions(opts) {
+			return opts.map(opt => {
+				const cap = opt.charAt(0).toUpperCase() + opt.slice(1).toLowerCase();
+				return {
+					text: cap,
+					value: opt,
+				}
+			})
+		},
+		requestRules(rules) {
+			if (this.detect.isCommunity) {
+				return [];
+			}
+
+			return rules;
+		},
     isPresetCustomEnabled(kind) {
       if (this.presets && this.presets[kind]) {
         return this.presets[kind].customEnabled == true;
@@ -123,6 +146,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async startEdit(target, field) {
 			if (this.curEditTarget === target) return;
 			if (this.curEditTarget !== null) await this.stopEdit(false);
+			if (this.detect.isCommunity) return;
 
 			this.curEditTarget = target;
 			this.origValue = this.detect[field];
@@ -136,8 +160,19 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			});
 		},
-		generatePublicID() {
-			this.detect.publicId = crypto.randomUUID();
+		extractPublicID() {
+			let pid = '';
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						pid = this.extractSuricataPublicID();
+					} catch (e) {
+						// nothing, clear publicId
+					}
+					break;
+			}
+
+			this.detect.publicId = pid;
 		},
 		isEdit(target) {
 			return this.curEditTarget === target;
@@ -213,22 +248,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			return null;
 		},
 		validateSuricata() {
-			const sidExtract = /\bsid: ?['"]?(.*?)['"]?;/
-			const results = sidExtract.exec(this.detect.content);
-
-			if (!results || results.length < 2) {
-				// sid not present in rule
-				return this.i18n.sidMissingErr;
-			} else if (results && results.length > 2) {
-				// multiple sids present in rule
-				return this.i18n.sidMultipleErr;
-			}
-
-			const sid = results[1];
+			try {
+				const sid = this.extractSuricataPublicID();
 
-			if (this.detect.publicId !== sid) {
-				// sid doesn't match metadata
-				return this.i18n.sidMismatchErr;
+				if (this.detect.publicId !== sid) {
+					// sid doesn't match metadata
+					return this.i18n.sidMismatchErr;
+				}
+			} catch (e) {
+				return e;
 			}
 
 			// normalize quotes
@@ -237,6 +265,19 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return null;
 		},
+		extractSuricataPublicID() {
+			const results = this.sidExtract.exec(this.detect.content);
+
+			if (!results || results.length < 2) {
+				// sid not present in rule
+				throw this.i18n.sidMissingErr;
+			} else if (results && results.length > 2) {
+				// multiple sids present in rule
+				throw this.i18n.sidMultipleErr;
+			}
+
+			return results[1];
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/server/infohandler.go b/server/infohandler.go
index 974478ef0..79de50894 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -95,7 +95,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detection.Presets = map[string]config.PresetParameters{
 			"severity": {
 				CustomEnabled: false,
-				Labels:        []string{"low", "medium", "high"},
+				Labels:        []string{"unknown", "informational", "minor", "major", "critical"},
 			},
 			"engine": {
 				CustomEnabled: false,
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 549e42e3e..e160f59b0 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -369,7 +369,7 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 	aggs := esResults["aggregations"]
 	if aggs != nil {
 		for name, aggObj := range aggs.(map[string]interface{}) {
-			keys := make([]interface{}, 0, 0)
+			keys := make([]interface{}, 0)
 			parseAggregation(name, aggObj, keys, results)
 		}
 	}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index f081b8ff8..62afb5c81 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -377,7 +377,9 @@ func (store *ElasticEventstore) indexDocument(ctx context.Context, index string,
 	res, err := store.esClient.Index(store.transformIndex(index),
 		strings.NewReader(document),
 		store.esClient.Index.WithRefresh("true"),
-		store.esClient.Index.WithDocumentID(id))
+		store.esClient.Index.WithDocumentID(id),
+		store.esClient.Index.WithContext(ctx),
+	)
 
 	if err != nil {
 		log.WithError(err).Error("Unable to index document into Elasticsearch")
@@ -400,7 +402,7 @@ func (store *ElasticEventstore) deleteDocument(ctx context.Context, index string
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Deleting document from Elasticsearch")
 
-	res, err := store.esClient.Delete(store.transformIndex(index), id)
+	res, err := store.esClient.Delete(store.transformIndex(index), id, store.esClient.Delete.WithContext(ctx))
 
 	if err != nil {
 		log.WithFields(log.Fields{
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 0b641e706..1205dde5e 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -127,6 +127,8 @@ func (s *SuricataEngine) watchCommunityRules() {
 		}
 
 		if len(errMap) > 0 {
+			// there were errors, don't save the fingerprint.
+			// idempotency means we might fix it if we try again later.
 			log.WithFields(log.Fields{
 				"errors": errMap,
 			}).Error("unable to sync all community detections")

From af01da5e6bc773c39c20cc8acf7705eb526abf06 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 19 Oct 2023 16:32:23 -0600
Subject: [PATCH 061/102] Early implementation of ElastAlert's DetectionEngine.

New library: go-git. We use it to clone/pull the sigma repo.

Prevent community rules from being updated through the detection CRUD endpoints.

Improved change detection in suricata's community importer. If a community rule's content hasn't changed then it isn't updated, significantly improving the time it takes to update community rules.

Improved support for sort criteria when querying elasticsearch.

Linting.
---
 config/config.go                              |   7 +
 go.mod                                        |  26 +-
 go.sum                                        |  99 +++-
 server/detectionhandler.go                    |  27 +
 server/detectionstore.go                      |   2 +-
 server/infohandler.go                         |   2 +-
 server/modules/elastalert/elastalert.go       | 145 ++++++
 server/modules/elastalert/elastalert_test.go  |  34 ++
 server/modules/elastalert/oneormore.go        |  39 ++
 server/modules/elastalert/oneormore_test.go   |  58 +++
 server/modules/elastalert/validate.go         | 112 ++++
 server/modules/elastalert/validate_test.go    |  52 ++
 server/modules/elastic/converter.go           |  13 +-
 server/modules/elastic/converter_test.go      | 482 +++++++++---------
 .../modules/elastic/elasticdetectionstore.go  |   7 +-
 server/modules/modules.go                     |   2 +
 server/modules/modules_test.go                |  29 +-
 server/modules/suricata/suricata.go           |  39 +-
 server/modules/suricata/suricata_test.go      |   2 +
 19 files changed, 904 insertions(+), 273 deletions(-)
 create mode 100644 server/modules/elastalert/elastalert.go
 create mode 100644 server/modules/elastalert/elastalert_test.go
 create mode 100644 server/modules/elastalert/oneormore.go
 create mode 100644 server/modules/elastalert/oneormore_test.go
 create mode 100644 server/modules/elastalert/validate.go
 create mode 100644 server/modules/elastalert/validate_test.go

diff --git a/config/config.go b/config/config.go
index f19f83053..2469e9e6a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -52,5 +52,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		"communityRulesImportFrequencySeconds": float64(5),
 	}
 
+	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
+		"communityRulesImportFrequencySeconds": float64(600),
+		"sigmaRepo":                            "https://github.com/SigmaHQ/sigma",
+		"sigmaRepoRoot":                        "/tmp/socdev/so/rules/sigma",
+		"gitTimeout":                           float64(600),
+	}
+
 	return cfg, err
 }
diff --git a/go.mod b/go.mod
index b7f6870f7..16b274a14 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/security-onion-solutions/securityonion-soc
 
-go 1.20
+go 1.21
 
 require (
 	github.com/apex/log v1.9.0
@@ -20,19 +20,41 @@ require (
 )
 
 require (
+	github.com/go-git/go-git/v5 v5.9.0
+	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/oapi-codegen/runtime v1.1.0 // indirect
+	github.com/deepmap/oapi-codegen v1.12.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index 186a8a75d..6ce8fe3f2 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,15 @@
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
+github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -6,9 +17,16 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,17 +35,41 @@ github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWIO
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
+github.com/deepmap/oapi-codegen v1.12.4 h1:pPmn6qI9MuOtCz82WY2Xaw46EQjgvxednXXrP7g5Q2s=
+github.com/deepmap/oapi-codegen v1.12.4/go.mod h1:3lgHGMu6myQ2vqbbTXH2H1o4eXFTGnFiDaOaKKl5yas=
+github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJyMw6cbCWM3T/B2S5E=
+github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
+github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
+github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
 github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
+github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
+github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -42,17 +84,26 @@ github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 h1:W9WBk7
 github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
+github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -64,17 +115,28 @@ github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfW
 github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
+github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -82,7 +144,9 @@ github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKk
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -102,6 +166,9 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -113,6 +180,10 @@ golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AW
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -120,6 +191,10 @@ golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -128,16 +203,34 @@ golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 7743da32b..9ece4c656 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -12,10 +12,12 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
 	"github.com/go-chi/chi"
+	"github.com/pkg/errors"
 )
 
 type DetectionHandler struct {
@@ -71,6 +73,11 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	if detect.IsCommunity {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot create community detections using this endpoint"))
+		return
+	}
+
 	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
@@ -131,6 +138,26 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	if old.IsCommunity {
+		// the only editable fields for community rules are IsEnabled, IsReporting, and Note
+		old.IsEnabled = detect.IsEnabled
+		old.IsReporting = detect.IsReporting
+		old.Note = detect.Note
+
+		detect = old
+
+		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, and Note", detect.Id)
+	} else if detect.IsCommunity {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot update an existing non-community detection to make it a community detection"))
+		return
+	}
+
 	detect, err = h.server.Detectionstore.UpdateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusNotFound, err)
diff --git a/server/detectionstore.go b/server/detectionstore.go
index de8b5f8fc..2c1a1730a 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,5 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) // map[detection.PublicId]detection.Id
+	GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 }
diff --git a/server/infohandler.go b/server/infohandler.go
index 79de50894..dceeefaef 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -99,7 +99,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 			},
 			"engine": {
 				CustomEnabled: false,
-				Labels:        []string{"suricata", "yara", "elastalert"},
+				Labels:        []string{"suricata", "elastalert"},
 			},
 		}
 	}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
new file mode 100644
index 000000000..21322c5c4
--- /dev/null
+++ b/server/modules/elastalert/elastalert.go
@@ -0,0 +1,145 @@
+package elastalert
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+
+	"github.com/go-git/go-git/v5"
+	_ "github.com/go-git/go-git/v5"
+)
+
+type ElastAlertEngine struct {
+	srv                                  *server.Server
+	communityRulesImportFrequencySeconds int
+	sigmaRepo                            string
+	sigmaRepoRoot                        string
+	gitTimeout                           int
+	isRunning                            bool
+	thread                               *sync.WaitGroup
+}
+
+func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
+	return &ElastAlertEngine{
+		srv: srv,
+	}
+}
+
+func (e *ElastAlertEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
+	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
+	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
+	e.sigmaRepoRoot = module.GetStringDefault(config, "sigmaRepoRoot", "/opt/so/rules/sigma")
+	e.gitTimeout = module.GetIntDefault(config, "gitTimeout", 600)
+
+	return nil
+}
+
+func (e *ElastAlertEngine) Start() error {
+	e.srv.DetectionEngines[model.EngineNameElastAlert] = e
+	e.isRunning = true
+
+	go e.startCommunityRuleImport()
+
+	return nil
+}
+
+func (e *ElastAlertEngine) Stop() error {
+	e.isRunning = false
+
+	return nil
+}
+
+func (e *ElastAlertEngine) IsRunning() bool {
+	return e.isRunning
+}
+
+func (e *ElastAlertEngine) ValidateRule(data string) (string, error) {
+	_, err := ParseElastAlertRule([]byte(data))
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}
+
+func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	return nil, nil
+}
+
+func (e *ElastAlertEngine) startCommunityRuleImport() {
+	defer func() {
+		e.thread.Done()
+		e.isRunning = false
+	}()
+
+	ctx := e.srv.Context
+
+	for e.isRunning {
+		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
+		if !e.isRunning {
+			return
+		}
+
+		err := e.ensureUpToDateRepo(ctx)
+		if err != nil {
+			log.WithField("error", err).Error("something went wrong while ensuring the sigma repo is up to date")
+			continue
+		}
+	}
+}
+
+func (e *ElastAlertEngine) ensureUpToDateRepo(ctx context.Context) error {
+	readme := filepath.Join(e.sigmaRepoRoot, "README.md")
+
+	gitCtx, cancel := context.WithTimeout(ctx, time.Duration(e.gitTimeout)*time.Second)
+	defer cancel()
+
+	_, err := os.Stat(readme)
+	if os.IsNotExist(err) {
+		err = os.MkdirAll(e.sigmaRepoRoot, 0755)
+		if err != nil {
+			return fmt.Errorf("unable to create repo root directory: %w", err)
+		}
+
+		_, err = git.PlainCloneContext(gitCtx, e.sigmaRepoRoot, false, &git.CloneOptions{
+			URL:   e.sigmaRepo,
+			Depth: 1,
+		})
+		if err != nil {
+			return fmt.Errorf("unable to clone repo: %w", err)
+		}
+	} else if err == nil {
+		repo, err := git.PlainOpen(e.sigmaRepoRoot)
+		if err != nil {
+			return fmt.Errorf("unable to open existing repo: %w", err)
+		}
+
+		w, err := repo.Worktree()
+		if err != nil {
+			return fmt.Errorf("unable to get worktree of existing repo: %w", err)
+		}
+
+		err = w.PullContext(gitCtx, &git.PullOptions{
+			Depth: 1,
+		})
+		if err != nil && err != git.NoErrAlreadyUpToDate {
+			return fmt.Errorf("unable to pull repo: %w", err)
+		}
+	} else {
+		return fmt.Errorf("unable to determine if README.md exists: %w", err)
+	}
+
+	return nil
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
new file mode 100644
index 000000000..f78c05398
--- /dev/null
+++ b/server/modules/elastalert/elastalert_test.go
@@ -0,0 +1,34 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/tj/assert"
+)
+
+func TestElastAlertModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewElastAlertEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Init(nil)
+	assert.NoError(t, err)
+
+	err = mod.Start()
+	assert.NoError(t, err)
+
+	assert.True(t, mod.IsRunning())
+
+	err = mod.Stop()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameElastAlert])
+}
diff --git a/server/modules/elastalert/oneormore.go b/server/modules/elastalert/oneormore.go
new file mode 100644
index 000000000..959a47360
--- /dev/null
+++ b/server/modules/elastalert/oneormore.go
@@ -0,0 +1,39 @@
+package elastalert
+
+type OneOrMore[T comparable] struct {
+	Value  T
+	Values []T
+}
+
+func (om *OneOrMore[T]) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var multi []T
+
+	err := unmarshal(&multi)
+	if err != nil {
+		var single T
+
+		err := unmarshal(&single)
+		if err != nil {
+			return err
+		}
+
+		om.Value = single
+	} else {
+		om.Values = multi
+	}
+
+	return nil
+}
+
+func (om OneOrMore[T]) MarshalYAML() (interface{}, error) {
+	if om.Values != nil {
+		return om.Values, nil
+	}
+
+	return om.Value, nil
+}
+
+func (om *OneOrMore[T]) HasValue() bool {
+	var zero T
+	return om != nil && (om.Values != nil || om.Value != zero)
+}
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
new file mode 100644
index 000000000..aec7a077f
--- /dev/null
+++ b/server/modules/elastalert/oneormore_test.go
@@ -0,0 +1,58 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+	"gopkg.in/yaml.v3"
+)
+
+func TestOneOrMore(t *testing.T) {
+	type TestStruct struct {
+		Value *OneOrMore[string] `yaml:"value"`
+	}
+
+	// One
+	data := []byte(`value: test`)
+	ts := TestStruct{}
+
+	err := yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.True(t, ts.Value.HasValue())
+	assert.Equal(t, "test", ts.Value.Value)
+	assert.Empty(t, ts.Value.Values)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value: test\n", string(data))
+
+	// ...OrMore
+	data = []byte(`value: [test1, test2]`)
+	ts = TestStruct{}
+
+	err = yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.True(t, ts.Value.HasValue())
+	assert.Empty(t, ts.Value.Value)
+	assert.Equal(t, []string{"test1", "test2"}, ts.Value.Values)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value:\n    - test1\n    - test2\n", string(data))
+
+	// nil
+	data = []byte(`value: null`)
+	ts = TestStruct{}
+
+	err = yaml.Unmarshal(data, &ts)
+	assert.NoError(t, err)
+	assert.False(t, ts.Value.HasValue())
+	assert.Empty(t, ts)
+
+	data, err = yaml.Marshal(ts)
+	assert.NoError(t, err)
+	assert.Equal(t, "value: null\n", string(data))
+
+	null := (*OneOrMore[string])(nil)
+	assert.False(t, null.HasValue())
+}
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
new file mode 100644
index 000000000..9591ab3e0
--- /dev/null
+++ b/server/modules/elastalert/validate.go
@@ -0,0 +1,112 @@
+package elastalert
+
+import (
+	"fmt"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+type SigmaStatus string
+
+const (
+	SigmaStatusStable       SigmaStatus = "stable"
+	SigmaStatusTest         SigmaStatus = "test"
+	SigmaStatusExperimental SigmaStatus = "experimental"
+	SigmaStatusDeprecated   SigmaStatus = "deprecated"
+	SigmaStatusUnsupported  SigmaStatus = "unsupported"
+)
+
+type SigmaLevel string
+
+const (
+	SigmaLevelInformational SigmaLevel = "informational"
+	SigmaLevelLow           SigmaLevel = "low"
+	SigmaLevelMedium        SigmaLevel = "medium"
+	SigmaLevelHigh          SigmaLevel = "high"
+	SigmaLevelCritical      SigmaLevel = "critical"
+)
+
+type RelatedRuleType string
+
+const (
+	RelatedRuleTypeDerived   RelatedRuleType = "derived"
+	RelatedRuleTypeObsoletes RelatedRuleType = "obsoletes"
+	RelatedRuleTypeMerged    RelatedRuleType = "merged"
+	RelatedRuleTypeRenamed   RelatedRuleType = "renamed"
+	RelatedRuleTypeSimilar   RelatedRuleType = "similar"
+)
+
+type SigmaRule struct {
+	Title          string                 `yaml:"title"`
+	LogSource      LogSource              `yaml:"logsource"`
+	Detection      Detection              `yaml:"detection"`
+	Status         *SigmaStatus           `yaml:"status"`
+	Description    *string                `yaml:"description"`
+	License        *string                `yaml:"license"`
+	Reference      []string               `yaml:"reference"`
+	Related        []*RelatedRule         `yaml:"related"`
+	Author         *string                `yaml:"author"`
+	Date           *string                `yaml:"date"`
+	Modified       *string                `yaml:"modified"`
+	Fields         []string               `yaml:"fields"`
+	FalsePositives OneOrMore[string]      `yaml:"falsepositives"`
+	Level          *SigmaLevel            `yaml:"level"`
+	Rest           map[string]interface{} `yaml:",inline"`
+}
+
+type LogSource struct {
+	Category   *string `yaml:"category"`
+	Product    *string `yaml:"product"`
+	Service    *string `yaml:"service"`
+	Definition *string `yaml:"definition"`
+}
+
+type Detection struct {
+	Condition OneOrMore[string]      `yaml:"condition"`
+	Rest      map[string]interface{} `yaml:",inline"`
+}
+
+type RelatedRule struct {
+	ID   string          `yaml:"id"`
+	Type RelatedRuleType `yaml:"type"`
+}
+
+func ParseElastAlertRule(data []byte) (*SigmaRule, error) {
+	rule := &SigmaRule{}
+
+	err := yaml.Unmarshal(data, rule)
+	if err != nil {
+		return nil, err
+	}
+
+	err = rule.Validate()
+	if err != nil {
+		return nil, err
+	}
+
+	return rule, nil
+}
+
+func (e *SigmaRule) Validate() error {
+	// check required fields
+	requiredFields := []string{}
+
+	if len(e.Title) == 0 {
+		requiredFields = append(requiredFields, "title")
+	}
+
+	if e.LogSource == (LogSource{}) {
+		requiredFields = append(requiredFields, "logsource")
+	}
+
+	if len(e.Detection.Condition.Values) == 0 && e.Detection.Condition.Value == "" {
+		requiredFields = append(requiredFields, "detection.condition")
+	}
+
+	if len(requiredFields) > 0 {
+		return fmt.Errorf("missing required fields: %s", strings.Join(requiredFields, ", "))
+	}
+
+	return nil
+}
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
new file mode 100644
index 000000000..c52809952
--- /dev/null
+++ b/server/modules/elastalert/validate_test.go
@@ -0,0 +1,52 @@
+package elastalert
+
+import (
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseRule(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name          string
+		Input         string
+		ExpectedError *string
+	}{
+		{
+			Name:          "Empty Rule",
+			Input:         `{}`,
+			ExpectedError: util.Ptr("missing required fields: title, logsource, detection.condition"),
+		},
+		{
+			Name:          "Detection but No Condition",
+			Input:         `{ title: "title", logsource: { category: "test" }, detection: {}}`,
+			ExpectedError: util.Ptr("missing required fields: detection.condition"),
+		},
+		{
+			Name:  "Minimal Rule With Single Detection Condition",
+			Input: `{ title: "title", logsource: { category: "test" }, detection: { condition: "condition" }}`,
+		},
+		{
+			Name:  "Minimal Rule With Multiple Detection Condition",
+			Input: `{ title: "title", logsource: { category: "test" }, detection: { condition: [ "conditionOne", "conditionTwo" ] }}`,
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := ParseElastAlertRule([]byte(test.Input))
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpectedError, err.Error())
+			}
+		})
+	}
+}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index e160f59b0..e8aca634f 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -103,7 +103,7 @@ func makeQuery(store *ElasticEventstore, parsedQuery *model.Query, beginTime tim
 
 	query := make(map[string]interface{})
 	query["query_string"] = queryDetails
-	must := make([]interface{}, 0, 0)
+	must := make([]interface{}, 0)
 	must = append(must, query)
 
 	if !endTime.IsZero() {
@@ -246,7 +246,10 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 				newSort[field] = sortParams
 				sorting = append(sorting, newSort)
 			}
-			esMap["sort"] = sorting
+
+			if len(sorting) != 0 {
+				esMap["sort"] = sorting
+			}
 		}
 	} else {
 		sort := map[string]string{}
@@ -254,7 +257,9 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			sort[field.Field] = field.Order
 		}
 
-		esMap["sort"] = sort
+		if len(sort) != 0 {
+			esMap["sort"] = sort
+		}
 	}
 
 	bytes, err := json.WriteJson(esMap)
@@ -501,7 +506,7 @@ func convertElasticEventToCase(event *model.EventRecord, schemaPrefix string) (*
 }
 
 func convertToStringArray(input []interface{}) []string {
-	out := make([]string, len(input), len(input))
+	out := make([]string, len(input))
 	for idx, value := range input {
 		out[idx] = value.(string)
 	}
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index eb79ad5eb..1a3b535bc 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -23,170 +23,196 @@ func NewTestStore() *ElasticEventstore {
 	}
 }
 
-func TestMakeAggregation(tester *testing.T) {
+func TestMakeAggregation(t *testing.T) {
 	keys := []string{"one*", "two", "three*"}
 	agg, name := makeAggregation(NewTestStore(), "groupby_0", keys, 10, false)
-	assert.Equal(tester, "groupby_0|one", name)
+	assert.Equal(t, "groupby_0|one", name)
 
-	assert.NotNil(tester, agg["terms"])
+	assert.NotNil(t, agg["terms"])
 	terms := agg["terms"].(map[string]interface{})
-	assert.Equal(tester, "one", terms["field"])
-	assert.Equal(tester, "__missing__", terms["missing"])
-	assert.Equal(tester, 10, terms["size"])
+	assert.Equal(t, "one", terms["field"])
+	assert.Equal(t, "__missing__", terms["missing"])
+	assert.Equal(t, 10, terms["size"])
 
-	assert.NotNil(tester, terms["order"])
+	assert.NotNil(t, terms["order"])
 	order := terms["order"].(map[string]interface{})
-	assert.Equal(tester, "desc", order["_count"])
+	assert.Equal(t, "desc", order["_count"])
 
-	assert.NotNil(tester, agg["aggs"])
+	assert.NotNil(t, agg["aggs"])
 	secondAggs := agg["aggs"].(map[string]interface{})
-	assert.NotNil(tester, secondAggs["groupby_0|one|two"])
+	assert.NotNil(t, secondAggs["groupby_0|one|two"])
 	secondAgg := secondAggs["groupby_0|one|two"].(map[string]interface{})
-	assert.NotNil(tester, secondAgg["aggs"])
+	assert.NotNil(t, secondAgg["aggs"])
 	terms = secondAgg["terms"].(map[string]interface{})
-	assert.Nil(tester, terms["missing"])
+	assert.Nil(t, terms["missing"])
 
 	thirdAggs := secondAgg["aggs"].(map[string]interface{})
-	assert.NotNil(tester, thirdAggs["groupby_0|one|two|three"])
+	assert.NotNil(t, thirdAggs["groupby_0|one|two|three"])
 	thirdAgg := thirdAggs["groupby_0|one|two|three"].(map[string]interface{})
-	assert.Nil(tester, thirdAgg["aggs"])
+	assert.Nil(t, thirdAgg["aggs"])
 	terms = thirdAgg["terms"].(map[string]interface{})
-	assert.Equal(tester, "__missing__", terms["missing"])
+	assert.Equal(t, "__missing__", terms["missing"])
 }
 
-func TestMakeTimeline(tester *testing.T) {
+func TestMakeTimeline(t *testing.T) {
 	timeline := makeTimeline("30m")
-	assert.NotNil(tester, timeline["date_histogram"])
+	assert.NotNil(t, timeline["date_histogram"])
 	terms := timeline["date_histogram"].(map[string]interface{})
-	assert.Equal(tester, "@timestamp", terms["field"])
-	assert.Equal(tester, "30m", terms["fixed_interval"])
-	assert.Equal(tester, 1, terms["min_doc_count"])
+	assert.Equal(t, "@timestamp", terms["field"])
+	assert.Equal(t, "30m", terms["fixed_interval"])
+	assert.Equal(t, 1, terms["min_doc_count"])
 }
 
-func TestCalcTimelineInterval(tester *testing.T) {
+func TestCalcTimelineInterval(t *testing.T) {
 	start, _ := time.Parse(time.RFC3339, "2021-01-02T05:00:00Z")
 	end, _ := time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	interval := calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "15m", interval)
+	assert.Equal(t, "15m", interval)
 
 	// Boundaries
 	start, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	end, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:01Z")
 	interval = calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "1s", interval)
+	assert.Equal(t, "1s", interval)
 
 	start, _ = time.Parse(time.RFC3339, "1990-01-02T05:00:00Z")
 	end, _ = time.Parse(time.RFC3339, "2021-01-02T13:00:00Z")
 	interval = calcTimelineInterval(25, start, end)
-	assert.Equal(tester, "30d", interval)
+	assert.Equal(t, "30d", interval)
 }
 
-func TestConvertToElasticRequestEmptyCriteria(tester *testing.T) {
+func TestConvertToElasticRequestEmptyCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
 	criteria.MetricLimit = 0
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}}],"must_not":[],"should":[]}},"size":25}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestGroupByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestGroupByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby -something "ghi" jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby -something "ghi" jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
+
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby_0|ghi":{"aggs":{"groupby_0|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestSortByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestSortByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby "ghi" jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby "ghi" jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
+
+	criteria.SortFields = []*model.SortCriteria{
+		{Field: "ignored", Order: "ignored"},
+	}
+
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertToElasticRequestGroupBySortByCriteria(tester *testing.T) {
+func TestConvertToElasticRequestGroupBySortByCriteria(t *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl* | groupby mno | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	err := criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl* | groupby mno | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	assert.NoError(t, err)
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby_0|ghi":{"aggs":{"groupby_0|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"groupby_1|mno":{"terms":{"field":"mno","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
-func TestConvertFromElasticResultsSuccess(tester *testing.T) {
+func TestConvertToElasticRequestProgrammaticSortBy(t *testing.T) {
+	criteria := model.NewEventSearchCriteria()
+	criteria.MetricLimit = 0
+	criteria.SortFields = []*model.SortCriteria{
+		{Field: "name", Order: "asc"},
+	}
+	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
+	assert.Nil(t, err)
+
+	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}}],"must_not":[],"should":[]}},"size":25,"sort":{"name":"asc"}}`
+	assert.Equal(t, expectedJson, actualJson)
+}
+
+func TestConvertFromElasticResultsSuccess(t *testing.T) {
 	esData, err := os.ReadFile("converter_response.json")
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	results := model.NewEventSearchResults()
 	err = convertFromElasticResults(NewTestStore(), string(esData), results)
-	if assert.Nil(tester, err) {
-		assert.Equal(tester, 9534, results.ElapsedMs)
-		assert.Equal(tester, 23689430, results.TotalEvents)
-		assert.Len(tester, results.Events, 25)
-		assert.Equal(tester, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
-		assert.Equal(tester, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
-		assert.Equal(tester, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
+	if assert.Nil(t, err) {
+		assert.Equal(t, 9534, results.ElapsedMs)
+		assert.Equal(t, 23689430, results.TotalEvents)
+		assert.Len(t, results.Events, 25)
+		assert.Equal(t, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
+		assert.Equal(t, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
+		assert.Equal(t, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
 	}
 }
 
-func TestConvertFromElasticResultsFailure(tester *testing.T) {
+func TestConvertFromElasticResultsFailure(t *testing.T) {
 	esData, err := os.ReadFile("converter_response_failure.json")
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	results := model.NewEventSearchResults()
 	err = convertFromElasticResults(NewTestStore(), string(esData), results)
-	if assert.NotNil(tester, err) {
-		assert.Error(tester, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
-		assert.Equal(tester, 9534, results.ElapsedMs)
-		assert.Equal(tester, 23689430, results.TotalEvents)
-		assert.Len(tester, results.Events, 25)
-		assert.Equal(tester, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
-		assert.Equal(tester, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
-		assert.Equal(tester, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
-		assert.NotNil(tester, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
+	if assert.NotNil(t, err) {
+		assert.Error(t, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
+		assert.Equal(t, 9534, results.ElapsedMs)
+		assert.Equal(t, 23689430, results.TotalEvents)
+		assert.Len(t, results.Events, 25)
+		assert.Equal(t, "2020-04-24T03:00:55.300Z", results.Events[0].Timestamp)
+		assert.Equal(t, "2020-04-24T03:00:55.038Z", results.Events[1].Timestamp) // Check for alternate timestamp field
+		assert.Equal(t, "so16:logstash-bro-2020.04.24", results.Events[0].Source)
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol"])
+		assert.NotNil(t, results.Metrics["groupby_0|source_ip|destination_ip|protocol|destination_port"])
 	}
 }
 
-func TestConvertFromElasticResultsTimedOut(tester *testing.T) {
+func TestConvertFromElasticResultsTimedOut(t *testing.T) {
 	results := model.NewEventSearchResults()
 	err := convertFromElasticResults(NewTestStore(), `{ "took": 123, "timed_out": true, "hits": {} }`, results)
-	assert.Error(tester, err)
+	assert.Error(t, err)
 
-	assert.Equal(tester, 123, results.ElapsedMs, "ElapsedMs should exist even on timeout.")
+	assert.Equal(t, 123, results.ElapsedMs, "ElapsedMs should exist even on timeout.")
 }
 
-func TestConvertFromElasticResultsInvalid(tester *testing.T) {
+func TestConvertFromElasticResultsInvalid(t *testing.T) {
 	results := model.NewEventSearchResults()
 	err := convertFromElasticResults(NewTestStore(), `{ }`, results)
-	assert.Error(tester, err)
+	assert.Error(t, err)
 }
 
-func TestConvertToElasticUpdateRequest(tester *testing.T) {
+func TestConvertToElasticUpdateRequest(t *testing.T) {
 	criteria := model.NewEventUpdateCriteria()
 	criteria.AddUpdateScript("ctx._source.event.acknowledged=true")
 	criteria.AddUpdateScript("ctx._source.event.escalated=true")
-	criteria.Populate("event.dataset:alerts", "2020/09/24 10:11:12 AM - 2020/09/24 12:14:15 PM", "2006/01/02 3:04:05 PM", "America/New_York", "0", "0")
+
+	err := criteria.Populate("event.dataset:alerts", "2020/09/24 10:11:12 AM - 2020/09/24 12:14:15 PM", "2006/01/02 3:04:05 PM", "America/New_York", "0", "0")
+	assert.NoError(t, err)
 
 	actualJson, err := convertToElasticUpdateRequest(NewTestStore(), criteria)
-	assert.Nil(tester, err)
+	assert.Nil(t, err)
 
 	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"event.dataset:alerts"}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-09-24T10:11:12-04:00","lte":"2020-09-24T12:14:15-04:00"}}}],"must_not":[],"should":[]}},"script":{"inline":"ctx._source.event.acknowledged=true; ctx._source.event.escalated=true","lang":"painless"}}`
-	assert.Equal(tester, expectedJson, actualJson)
+	assert.Equal(t, expectedJson, actualJson)
 }
 
 const updateResponse = `{
@@ -208,17 +234,17 @@ const updateResponse = `{
   "failures" : [ ]
 }`
 
-func TestConvertFromElasticUpdateResultsSuccess(tester *testing.T) {
+func TestConvertFromElasticUpdateResultsSuccess(t *testing.T) {
 	results := model.NewEventUpdateResults()
 	err := convertFromElasticUpdateResults(NewTestStore(), updateResponse, results)
-	if assert.Nil(tester, err) {
-		assert.Equal(tester, 202, results.ElapsedMs)
-		assert.Equal(tester, 3, results.UpdatedCount)
-		assert.Equal(tester, 2, results.UnchangedCount)
+	if assert.Nil(t, err) {
+		assert.Equal(t, 202, results.ElapsedMs)
+		assert.Equal(t, 3, results.UpdatedCount)
+		assert.Equal(t, 2, results.UnchangedCount)
 	}
 }
 
-func TestAddEventUpdateResults(tester *testing.T) {
+func TestAddEventUpdateResults(t *testing.T) {
 	results1 := model.NewEventUpdateResults()
 	results1.ElapsedMs = 100
 	results1.UpdatedCount = 200
@@ -229,23 +255,23 @@ func TestAddEventUpdateResults(tester *testing.T) {
 	results2.UnchangedCount = 4
 
 	results1.AddEventUpdateResults(results2)
-	assert.Equal(tester, 112, results1.ElapsedMs)
-	assert.Equal(tester, 202, results1.UpdatedCount)
-	assert.Equal(tester, 404, results1.UnchangedCount)
+	assert.Equal(t, 112, results1.ElapsedMs)
+	assert.Equal(t, 202, results1.UpdatedCount)
+	assert.Equal(t, 404, results1.UnchangedCount)
 }
 
-func validateFormatSearch(tester *testing.T, original string, expected string) {
+func validateFormatSearch(t *testing.T, original string, expected string) {
 	output := formatSearch(original)
-	assert.Equal(tester, expected, output)
+	assert.Equal(t, expected, output)
 }
 
-func TestFormatSearch(tester *testing.T) {
-	validateFormatSearch(tester, "", "*")
-	validateFormatSearch(tester, " ", "*")
-	validateFormatSearch(tester, "\\foo\\bar", "\\foo\\bar")
+func TestFormatSearch(t *testing.T) {
+	validateFormatSearch(t, "", "*")
+	validateFormatSearch(t, " ", "*")
+	validateFormatSearch(t, "\\foo\\bar", "\\foo\\bar")
 }
 
-func validateMappedQuery(tester *testing.T, original string, expected string) {
+func validateMappedQuery(t *testing.T, original string, expected string) {
 	store := NewTestStore()
 	store.fieldDefs["foo"] = &FieldDefinition{aggregatable: false}
 	store.fieldDefs["foo.keyword"] = &FieldDefinition{aggregatable: true}
@@ -254,63 +280,63 @@ func validateMappedQuery(tester *testing.T, original string, expected string) {
 	search := query.NamedSegment(model.SegmentKind_Search)
 	mapSearch(store, search.(*model.SearchSegment))
 	output := search.String()
-	assert.Equal(tester, expected, output)
+	assert.Equal(t, expected, output)
 }
 
-func TestMapSearch(tester *testing.T) {
-	validateMappedQuery(tester, "foo: \"bar\"", "foo.keyword: \"bar\"")
-	validateMappedQuery(tester, "foo: \"bar\" AND barfoo: \"blue\"", "foo.keyword: \"bar\" AND barfoo: \"blue\"")
-	validateMappedQuery(tester, "foo: 123", "foo.keyword: 123")
-	validateMappedQuery(tester, "(foo: \"123\")", "(foo: \"123\")")
-	validateMappedQuery(tester, "foo2: \"bar\"", "foo2: \"bar\"")
-	validateMappedQuery(tester, "barfoo: \"bar\"", "barfoo: \"bar\"")
-	validateMappedQuery(tester, "barfoo: \"foo: bar\"", "barfoo: \"foo: bar\"")
+func TestMapSearch(t *testing.T) {
+	validateMappedQuery(t, "foo: \"bar\"", "foo.keyword: \"bar\"")
+	validateMappedQuery(t, "foo: \"bar\" AND barfoo: \"blue\"", "foo.keyword: \"bar\" AND barfoo: \"blue\"")
+	validateMappedQuery(t, "foo: 123", "foo.keyword: 123")
+	validateMappedQuery(t, "(foo: \"123\")", "(foo: \"123\")")
+	validateMappedQuery(t, "foo2: \"bar\"", "foo2: \"bar\"")
+	validateMappedQuery(t, "barfoo: \"bar\"", "barfoo: \"bar\"")
+	validateMappedQuery(t, "barfoo: \"foo: bar\"", "barfoo: \"foo: bar\"")
 }
 
-func TestConvertObjectToDocumentMap(tester *testing.T) {
+func TestConvertObjectToDocumentMap(t *testing.T) {
 	caseObj := model.NewCase()
 	actual := convertObjectToDocumentMap("test", caseObj, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NotNil(tester, actual)
-	assert.Equal(tester, caseObj, actual["so_test"])
-	assert.NotNil(tester, actual["@timestamp"])
+	assert.NotNil(t, actual)
+	assert.Equal(t, caseObj, actual["so_test"])
+	assert.NotNil(t, actual["@timestamp"])
 }
 
-func TestConvertToElasticIndexRequest(tester *testing.T) {
+func TestConvertToElasticIndexRequest(t *testing.T) {
 	store := NewTestStore()
 	event := make(map[string]interface{})
 	event["foo"] = "bar"
 	expected := `{"foo":"bar"}`
 
 	actual, err := convertToElasticIndexRequest(store, event)
-	assert.NoError(tester, err)
-	assert.Equal(tester, expected, actual)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, actual)
 }
 
-func TestConvertFromElasticIndexResults(tester *testing.T) {
+func TestConvertFromElasticIndexResults(t *testing.T) {
 	store := NewTestStore()
 	results := model.NewEventIndexResults()
 	json := `{"_version":1, "_id":"123abc", "result": "successful"}`
 
 	err := convertFromElasticIndexResults(store, json, results)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertFromElasticResults_Failure(tester *testing.T) {
+func TestConvertFromElasticResults_Failure(t *testing.T) {
 	store := NewTestStore()
 	results := model.NewEventSearchResults()
 	json := `{"took" : 11,"timed_out" : false,"_shards" : {"total" : 28,"successful" : 16,"skipped" : 0,"failed" : 12,"failures" : [{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent-default-2023.09.29-000002","node" : null,"reason" : {"type" : "no_shard_available_action_exception","reason" : "no"}},{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent.filebeat-default-2023.09.29-000002","node" : null,"reason" : {"type" : null,"reason" : null}},{"shard" : 0,"index" : "manager:.ds-logs-elastic_agent.fleet_server-default-2023.09.29-000002","node" : null,"reason" : {"type" : "no_shard_available_action_exception","reason" : null}}]}, "hits":{"hits":[],"total":{"value": 0}}}`
 
 	err := convertFromElasticResults(store, json, results)
-	assert.Error(tester, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
+	assert.Error(t, err, "ERROR_QUERY_FAILED_ELASTICSEARCH")
 }
 
-func TestConvertElasticEventToCaseNil(tester *testing.T) {
+func TestConvertElasticEventToCaseNil(t *testing.T) {
 	caseObj, err := convertElasticEventToCase(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, caseObj)
+	assert.NoError(t, err)
+	assert.Nil(t, caseObj)
 }
 
-func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
+func TestConvertElasticEventToCaseWithoutTags(t *testing.T) {
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
 	event.Payload["kind"] = "case"
@@ -318,10 +344,10 @@ func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
 	event.Payload["case.tags"] = nil
 
 	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertElasticEventToCase(tester *testing.T) {
+func TestConvertElasticEventToCase(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 	myCompleteTime := myTime.Add(time.Hour * -2)
@@ -342,7 +368,7 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["so_case.tlp"] = "myTlp"
 	event.Payload["so_case.pap"] = "myPap"
 	event.Payload["so_case.category"] = "myCategory"
-	tags := make([]interface{}, 2, 2)
+	tags := make([]interface{}, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
 	event.Payload["so_case.tags"] = tags
@@ -351,36 +377,36 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["so_case.completeTime"] = myCompleteTime
 	event.Payload["so_case.startTime"] = myStartTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	caseObj := interf.(*model.Case)
-	assert.Equal(tester, "case", caseObj.Kind)
-	assert.Equal(tester, "update", caseObj.Operation)
-	assert.Equal(tester, "myTitle", caseObj.Title)
-	assert.Equal(tester, "myDesc", caseObj.Description)
-	assert.Equal(tester, 123, caseObj.Priority)
-	assert.Equal(tester, "medium", caseObj.Severity)
-	assert.Equal(tester, "myStatus", caseObj.Status)
-	assert.Equal(tester, "myTemplate", caseObj.Template)
-	assert.Equal(tester, "myUserId", caseObj.UserId)
-	assert.Equal(tester, "myAssigneeId", caseObj.AssigneeId)
-	assert.Equal(tester, "myPap", caseObj.Pap)
-	assert.Equal(tester, "myTlp", caseObj.Tlp)
-	assert.Equal(tester, "myCategory", caseObj.Category)
-	assert.Equal(tester, tags[0], "tag1")
-	assert.Equal(tester, tags[1], "tag2")
-	assert.Equal(tester, &myTime, caseObj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, caseObj.CreateTime)
-	assert.Equal(tester, &myCompleteTime, caseObj.CompleteTime)
-	assert.Equal(tester, &myStartTime, caseObj.StartTime)
-}
-
-func TestConvertElasticEventToArtifactNil(tester *testing.T) {
+	assert.Equal(t, "case", caseObj.Kind)
+	assert.Equal(t, "update", caseObj.Operation)
+	assert.Equal(t, "myTitle", caseObj.Title)
+	assert.Equal(t, "myDesc", caseObj.Description)
+	assert.Equal(t, 123, caseObj.Priority)
+	assert.Equal(t, "medium", caseObj.Severity)
+	assert.Equal(t, "myStatus", caseObj.Status)
+	assert.Equal(t, "myTemplate", caseObj.Template)
+	assert.Equal(t, "myUserId", caseObj.UserId)
+	assert.Equal(t, "myAssigneeId", caseObj.AssigneeId)
+	assert.Equal(t, "myPap", caseObj.Pap)
+	assert.Equal(t, "myTlp", caseObj.Tlp)
+	assert.Equal(t, "myCategory", caseObj.Category)
+	assert.Equal(t, tags[0], "tag1")
+	assert.Equal(t, tags[1], "tag2")
+	assert.Equal(t, &myTime, caseObj.UpdateTime)
+	assert.Equal(t, &myCreateTime, caseObj.CreateTime)
+	assert.Equal(t, &myCompleteTime, caseObj.CompleteTime)
+	assert.Equal(t, &myStartTime, caseObj.StartTime)
+}
+
+func TestConvertElasticEventToArtifactNil(t *testing.T) {
 	artifactObj, err := convertElasticEventToArtifact(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, artifactObj)
+	assert.NoError(t, err)
+	assert.Nil(t, artifactObj)
 }
 
-func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
+func TestConvertElasticEventToArtifactWithoutTags(t *testing.T) {
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
 	event.Payload["so_kind"] = "artifact"
@@ -388,10 +414,10 @@ func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
 	event.Payload["so_case.tags"] = nil
 
 	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 }
 
-func TestConvertElasticEventToArtifact(tester *testing.T) {
+func TestConvertElasticEventToArtifact(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -420,37 +446,37 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_artifact.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	artifactObj := interf.(*model.Artifact)
-	assert.Equal(tester, "artifact", artifactObj.Kind)
-	assert.Equal(tester, "update", artifactObj.Operation)
-	assert.Equal(tester, "myValue", artifactObj.Value)
-	assert.Equal(tester, "myDesc", artifactObj.Description)
-	assert.Equal(tester, 123, artifactObj.StreamLen)
-	assert.Equal(tester, "myStreamId", artifactObj.StreamId)
-	assert.Equal(tester, "myGroupType", artifactObj.GroupType)
-	assert.Equal(tester, "myGroupId", artifactObj.GroupId)
-	assert.Equal(tester, "myUserId", artifactObj.UserId)
-	assert.Equal(tester, "myArtifactType", artifactObj.ArtifactType)
-	assert.Equal(tester, "myTlp", artifactObj.Tlp)
-	assert.Equal(tester, "myMimeType", artifactObj.MimeType)
-	assert.Equal(tester, true, artifactObj.Ioc)
-	assert.Equal(tester, tags[0], "tag1")
-	assert.Equal(tester, tags[1], "tag2")
-	assert.Equal(tester, "myMd5", artifactObj.Md5)
-	assert.Equal(tester, "mySha1", artifactObj.Sha1)
-	assert.Equal(tester, "mySha256", artifactObj.Sha256)
-	assert.Equal(tester, &myTime, artifactObj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, artifactObj.CreateTime)
-}
-
-func TestConvertElasticEventToArtifactStreamNil(tester *testing.T) {
+	assert.Equal(t, "artifact", artifactObj.Kind)
+	assert.Equal(t, "update", artifactObj.Operation)
+	assert.Equal(t, "myValue", artifactObj.Value)
+	assert.Equal(t, "myDesc", artifactObj.Description)
+	assert.Equal(t, 123, artifactObj.StreamLen)
+	assert.Equal(t, "myStreamId", artifactObj.StreamId)
+	assert.Equal(t, "myGroupType", artifactObj.GroupType)
+	assert.Equal(t, "myGroupId", artifactObj.GroupId)
+	assert.Equal(t, "myUserId", artifactObj.UserId)
+	assert.Equal(t, "myArtifactType", artifactObj.ArtifactType)
+	assert.Equal(t, "myTlp", artifactObj.Tlp)
+	assert.Equal(t, "myMimeType", artifactObj.MimeType)
+	assert.Equal(t, true, artifactObj.Ioc)
+	assert.Equal(t, tags[0], "tag1")
+	assert.Equal(t, tags[1], "tag2")
+	assert.Equal(t, "myMd5", artifactObj.Md5)
+	assert.Equal(t, "mySha1", artifactObj.Sha1)
+	assert.Equal(t, "mySha256", artifactObj.Sha256)
+	assert.Equal(t, &myTime, artifactObj.UpdateTime)
+	assert.Equal(t, &myCreateTime, artifactObj.CreateTime)
+}
+
+func TestConvertElasticEventToArtifactStreamNil(t *testing.T) {
 	artifactObj, err := convertElasticEventToArtifactStream(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, artifactObj)
+	assert.NoError(t, err)
+	assert.Nil(t, artifactObj)
 }
 
-func TestConvertElasticEventToArtifactStream(tester *testing.T) {
+func TestConvertElasticEventToArtifactStream(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -463,48 +489,48 @@ func TestConvertElasticEventToArtifactStream(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_artifactstream.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.ArtifactStream)
-	assert.Equal(tester, "artifactstream", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
-	assert.Equal(tester, "myValue", obj.Content)
+	assert.Equal(t, "artifactstream", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
+	assert.Equal(t, "myValue", obj.Content)
 }
 
-func TestParseTime(tester *testing.T) {
+func TestParseTime(t *testing.T) {
 	m := make(map[string]interface{})
 
 	format := "2006-01-02 03:04pm"
-	t, _ := time.Parse(format, "2021-12-20 12:43pm")
-	m["obj"] = t
-	m["ptr"] = &t
+	tm, _ := time.Parse(format, "2021-12-20 12:43pm")
+	m["obj"] = tm
+	m["ptr"] = &tm
 	m["str"] = "2021-12-20T12:43:00Z"
 	m["bad"] = 12
 
 	expected := "2021-12-20 12:43pm"
 
 	actual := parseTime(m, "obj").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actual = parseTime(m, "ptr").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actual = parseTime(m, "str").Format(format)
-	assert.Equal(tester, expected, actual)
+	assert.Equal(t, expected, actual)
 
 	actualObj := parseTime(m, "bad")
-	assert.True(tester, actualObj.IsZero())
+	assert.True(t, actualObj.IsZero())
 }
 
-func TestConvertElasticEventToCommentNil(tester *testing.T) {
+func TestConvertElasticEventToCommentNil(t *testing.T) {
 	obj, err := convertElasticEventToComment(nil, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
-	assert.Nil(tester, obj)
+	assert.NoError(t, err)
+	assert.Nil(t, obj)
 }
 
-func TestConvertElasticEventToComment(tester *testing.T) {
+func TestConvertElasticEventToComment(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -521,19 +547,19 @@ func TestConvertElasticEventToComment(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_comment.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.Comment)
-	assert.Equal(tester, "comment", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myDesc", obj.Description)
-	assert.Equal(tester, 1.52, obj.Hours)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, "myCaseId", obj.CaseId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+	assert.Equal(t, "comment", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myDesc", obj.Description)
+	assert.Equal(t, 1.52, obj.Hours)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, "myCaseId", obj.CaseId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
 }
 
-func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
+func TestConvertElasticEventToRelatedEvent(t *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)
 
@@ -547,31 +573,31 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	event.Time = myTime
 	event.Payload["so_related.createTime"] = myCreateTime
 	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NoError(tester, err)
+	assert.NoError(t, err)
 	obj := interf.(*model.RelatedEvent)
-	assert.Equal(tester, "related", obj.Kind)
-	assert.Equal(tester, "create", obj.Operation)
-	assert.Equal(tester, "myUserId", obj.UserId)
-	assert.Equal(tester, "myCaseId", obj.CaseId)
-	assert.Equal(tester, &myTime, obj.UpdateTime)
-	assert.Equal(tester, &myCreateTime, obj.CreateTime)
-	assert.Len(tester, obj.Fields, 1)
-	assert.Equal(tester, "bar", obj.Fields["foo"])
-}
-
-func TestConvertSeverity(tester *testing.T) {
-	assert.Equal(tester, "high", convertSeverity(""))
-	assert.Equal(tester, "unknown", convertSeverity("unknown"))
-	assert.Equal(tester, "low", convertSeverity("low"))
-	assert.Equal(tester, "low", convertSeverity("Low"))
-	assert.Equal(tester, "low", convertSeverity("1"))
-	assert.Equal(tester, "medium", convertSeverity("medium"))
-	assert.Equal(tester, "medium", convertSeverity("Medium"))
-	assert.Equal(tester, "medium", convertSeverity("2"))
-	assert.Equal(tester, "high", convertSeverity("high"))
-	assert.Equal(tester, "high", convertSeverity("High"))
-	assert.Equal(tester, "high", convertSeverity("3"))
-	assert.Equal(tester, "critical", convertSeverity("critical"))
-	assert.Equal(tester, "critical", convertSeverity("4"))
-	assert.Equal(tester, "critical", convertSeverity("Critical"))
+	assert.Equal(t, "related", obj.Kind)
+	assert.Equal(t, "create", obj.Operation)
+	assert.Equal(t, "myUserId", obj.UserId)
+	assert.Equal(t, "myCaseId", obj.CaseId)
+	assert.Equal(t, &myTime, obj.UpdateTime)
+	assert.Equal(t, &myCreateTime, obj.CreateTime)
+	assert.Len(t, obj.Fields, 1)
+	assert.Equal(t, "bar", obj.Fields["foo"])
+}
+
+func TestConvertSeverity(t *testing.T) {
+	assert.Equal(t, "high", convertSeverity(""))
+	assert.Equal(t, "unknown", convertSeverity("unknown"))
+	assert.Equal(t, "low", convertSeverity("low"))
+	assert.Equal(t, "low", convertSeverity("Low"))
+	assert.Equal(t, "low", convertSeverity("1"))
+	assert.Equal(t, "medium", convertSeverity("medium"))
+	assert.Equal(t, "medium", convertSeverity("Medium"))
+	assert.Equal(t, "medium", convertSeverity("2"))
+	assert.Equal(t, "high", convertSeverity("high"))
+	assert.Equal(t, "high", convertSeverity("High"))
+	assert.Equal(t, "high", convertSeverity("3"))
+	assert.Equal(t, "critical", convertSeverity("critical"))
+	assert.Equal(t, "critical", convertSeverity("4"))
+	assert.Equal(t, "critical", convertSeverity("Critical"))
 }
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index c2bd36003..be1b7b0e0 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -335,7 +335,6 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 	detect.CreateTime = old.CreateTime
 
 	results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-
 	if err != nil {
 		return nil, err
 	}
@@ -394,16 +393,16 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]string, error) {
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) {
 	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
 	if err != nil {
 		return nil, err
 	}
 
-	sids := map[string]string{}
+	sids := map[string]*model.Detection{}
 	for _, det := range all {
 		detection := det.(*model.Detection)
-		sids[detection.PublicID] = detection.Id
+		sids[detection.PublicID] = detection
 	}
 
 	return sids, nil
diff --git a/server/modules/modules.go b/server/modules/modules.go
index c766934f8..abb9ca71b 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -9,6 +9,7 @@ package modules
 import (
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastic"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elasticcases"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/filedatastore"
@@ -37,6 +38,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["staticrbac"] = staticrbac.NewStaticRbac(srv)
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
 	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
+	moduleMap["elastalertengine"] = elastalert.NewElastAlertEngine(srv)
 
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index efb5b0f7e..e4880a6f6 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -13,22 +13,23 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestBuildModuleMap(tester *testing.T) {
+func TestBuildModuleMap(t *testing.T) {
 	mm := BuildModuleMap(nil)
-	findModule(tester, mm, "elastic")
-	findModule(tester, mm, "elasticcases")
-	findModule(tester, mm, "filedatastore")
-	findModule(tester, mm, "salt")
-	findModule(tester, mm, "httpcase")
-	findModule(tester, mm, "kratos")
-	findModule(tester, mm, "influxdb")
-	findModule(tester, mm, "sostatus")
-	findModule(tester, mm, "statickeyauth")
-	findModule(tester, mm, "thehive")
-	findModule(tester, mm, "suricataengine")
+	findModule(t, mm, "elastic")
+	findModule(t, mm, "elasticcases")
+	findModule(t, mm, "filedatastore")
+	findModule(t, mm, "salt")
+	findModule(t, mm, "httpcase")
+	findModule(t, mm, "kratos")
+	findModule(t, mm, "influxdb")
+	findModule(t, mm, "sostatus")
+	findModule(t, mm, "statickeyauth")
+	findModule(t, mm, "thehive")
+	findModule(t, mm, "suricataengine")
+	findModule(t, mm, "elastalertengine")
 }
 
-func findModule(tester *testing.T, mm map[string]module.Module, module string) {
+func findModule(t *testing.T, mm map[string]module.Module, module string) {
 	_, ok := mm[module]
-	assert.True(tester, ok)
+	assert.True(t, ok)
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 1205dde5e..742f29263 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -141,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		dur := time.Since(start)
 
-		log.WithFields(log.Fields{
+ 		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
 		}).Info("suricata community rules synced")
 	}
@@ -441,9 +441,10 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	errMap = map[string]string{}
 
 	results := struct {
-		Added   int
-		Updated int
-		Removed int
+		Added     int
+		Updated   int
+		Removed   int
+		Unchanged int
 	}{}
 
 	allSettings, err := s.srv.Configstore.GetSettings(ctx)
@@ -486,15 +487,20 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		_, modified := modifyIndex[detect.PublicID]
 		detect.IsEnabled = !(disabled || modified)
 
-		id, exists := commSIDs[detect.PublicID]
+		orig, exists := commSIDs[detect.PublicID]
 		if exists {
-			detect.Id = id
-
-			_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
-			if err != nil {
-				errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+			if orig.Content != detect.Content {
+				detect.Id = orig.Id
+
+				_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
+				if err != nil {
+					errMap[detect.PublicID] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+				} else {
+					results.Updated++
+					delete(toDelete, detect.PublicID)
+				}
 			} else {
-				results.Updated++
+				results.Unchanged++
 				delete(toDelete, detect.PublicID)
 			}
 		} else {
@@ -508,7 +514,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	for sid := range toDelete {
-		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid])
+		_, err = s.srv.Detectionstore.DeleteDetection(ctx, commSIDs[sid].Id)
 		if err != nil {
 			errMap[sid] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
 		} else {
@@ -517,10 +523,11 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	}
 
 	log.WithFields(log.Fields{
-		"added":   results.Added,
-		"updated": results.Updated,
-		"removed": results.Removed,
-		"errors":  errMap,
+		"added":     results.Added,
+		"updated":   results.Updated,
+		"removed":   results.Removed,
+		"unchanged": results.Unchanged,
+		"errors":    errMap,
 	}).Info("suricata community diff")
 
 	return errMap, nil
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index e816e4562..00a2fdf2a 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -45,6 +45,8 @@ func TestSuricataModule(t *testing.T) {
 	err = mod.Start()
 	assert.NoError(t, err)
 
+	assert.True(t, mod.IsRunning())
+
 	err = mod.Stop()
 	assert.NoError(t, err)
 

From fef86362d1e756583ff6c12f796796bbd4af1038 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 26 Oct 2023 15:44:41 -0600
Subject: [PATCH 062/102] WIP: ElastAlert

ElastAlert community rules are imported from zips in SigmaHQ's release page on github. The configured packages are downloaded, parsed, and fingerprinted. Currently the sigma converter isn't completely implemented until some networking issues are fixed.

GetAllCommunitySIDs can now filter by engine (or no filter if nil is passed).

Updated detection severities to match our pickiest engine so far: elastalert.

Added ID field to SigmaRules. Although it's not required, all community rules have one. This is the corresponding field to a detection's PublicID.

TODO: tests
---
 config/config.go                              |   9 +-
 go.mod                                        |  17 +-
 go.sum                                        |  80 +--
 model/detection.go                            |   5 +-
 server/detectionstore.go                      |   2 +-
 server/modules/elastalert/elastalert.go       | 508 ++++++++++++++++--
 server/modules/elastalert/validate.go         |   2 +
 .../modules/elastic/elasticdetectionstore.go  |   9 +-
 server/modules/suricata/suricata.go           |  10 +-
 9 files changed, 511 insertions(+), 131 deletions(-)

diff --git a/config/config.go b/config/config.go
index 2469e9e6a..1d7065951 100644
--- a/config/config.go
+++ b/config/config.go
@@ -53,10 +53,11 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	}
 
 	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(600),
-		"sigmaRepo":                            "https://github.com/SigmaHQ/sigma",
-		"sigmaRepoRoot":                        "/tmp/socdev/so/rules/sigma",
-		"gitTimeout":                           float64(600),
+		"communityRulesImportFrequencySeconds": float64(5), // not a recommended value, I'm impatient
+		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
+		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
+		"sigmaRulePackages":                    "all",
+		"sigconverterUrl":                      "http://localhost:8000/sigma",
 	}
 
 	return cfg, err
diff --git a/go.mod b/go.mod
index 16b274a14..e502bf9f8 100644
--- a/go.mod
+++ b/go.mod
@@ -20,20 +20,14 @@ require (
 )
 
 require (
-	github.com/go-git/go-git/v5 v5.9.0
+	github.com/google/go-github/v56 v56.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 )
 
 require (
-	dario.cat/mergo v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
@@ -46,15 +40,14 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/skeema/knownhosts v1.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
diff --git a/go.sum b/go.sum
index 6ce8fe3f2..faac69a56 100644
--- a/go.sum
+++ b/go.sum
@@ -1,15 +1,4 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
-github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
-github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -17,16 +6,10 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -41,14 +24,8 @@ github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJy
 github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
 github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
-github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
-github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
@@ -64,12 +41,15 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod
 github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
 github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v56 v56.0.0 h1:TysL7dMa/r7wsQi44BjqlwaHvwlFlqkK8CtBWCX3gb4=
+github.com/google/go-github/v56 v56.0.0/go.mod h1:D8cdcX98YWJvi7TLo7zM4/h8ZTx6u6fwGEkCdisopo0=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -91,19 +71,15 @@ github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgb
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
-github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
-github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -115,16 +91,14 @@ github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfW
 github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
@@ -132,11 +106,6 @@ github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXn
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
-github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -144,9 +113,7 @@ github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKk
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -166,9 +133,6 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
-github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
-github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -180,10 +144,6 @@ golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AW
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -191,10 +151,6 @@ golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -203,34 +159,18 @@ golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/model/detection.go b/model/detection.go
index 4edc9a953..f8089fbf9 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -25,8 +25,9 @@ const (
 
 	SeverityUnknown       Severity = "unknown"
 	SeverityInformational Severity = "informational"
-	SeverityMinor         Severity = "minor"
-	SeverityMajor         Severity = "major"
+	SeverityLow           Severity = "low"
+	SeverityMedium        Severity = "medium"
+	SeverityHigh          Severity = "high"
 	SeverityCritical      Severity = "critical"
 
 	IDTypeUUID IDType = "uuid"
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 2c1a1730a..92f1c0533 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -18,5 +18,5 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 }
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 21322c5c4..87d85066d 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1,28 +1,41 @@
 package elastalert
 
 import (
+	"archive/zip"
+	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"path/filepath"
+	"reflect"
+	"strings"
 	"sync"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 
-	"github.com/go-git/go-git/v5"
-	_ "github.com/go-git/go-git/v5"
+	"github.com/apex/log"
+	"github.com/google/go-github/v56/github"
 )
 
+var errModuleStopped = fmt.Errorf("module has stopped running")
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
 	sigmaRepo                            string
-	sigmaRepoRoot                        string
-	gitTimeout                           int
+	elastAlertRulesFolder                string
+	rulesFingerprintFile                 string
+	sigconverterUrl                      string
+	sigmaRulePackages                    []string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 }
@@ -40,8 +53,12 @@ func (e *ElastAlertEngine) PrerequisiteModules() []string {
 func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
 	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
-	e.sigmaRepoRoot = module.GetStringDefault(config, "sigmaRepoRoot", "/opt/so/rules/sigma")
-	e.gitTimeout = module.GetIntDefault(config, "gitTimeout", 600)
+	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
+	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
+	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
+
+	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
+	e.parseSigmaPackages(pkgs)
 
 	return nil
 }
@@ -74,6 +91,49 @@ func (e *ElastAlertEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
+func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
+	pkgs := strings.Split(strings.ToLower(cfg), "\n")
+	set := map[string]struct{}{}
+
+	for _, pkg := range pkgs {
+		switch pkg {
+		case "all":
+			set["all_rules"] = struct{}{}
+		case "emerging_threats_addon":
+			set["emerging_threats"] = struct{}{}
+		default:
+			pkg = strings.TrimSpace(pkg)
+			if pkg != "" {
+				set[pkg] = struct{}{}
+			}
+		}
+	}
+
+	_, ok := set["all_rules"]
+	if ok {
+		delete(set, "core++")
+		delete(set, "core+")
+		delete(set, "core")
+		delete(set, "emerging_threats")
+	}
+
+	_, ok = set["core++"]
+	if ok {
+		delete(set, "core+")
+		delete(set, "core")
+	}
+
+	_, ok = set["core+"]
+	if ok {
+		delete(set, "core")
+	}
+
+	e.sigmaRulePackages = make([]string, 0, len(set))
+	for pkg := range set {
+		e.sigmaRulePackages = append(e.sigmaRulePackages, pkg)
+	}
+}
+
 func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
 	return nil, nil
 }
@@ -92,54 +152,432 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			return
 		}
 
-		err := e.ensureUpToDateRepo(ctx)
+		start := time.Now()
+
+		zips, errMap := e.downloadSigmaPackages(ctx)
+		if len(errMap) != 0 {
+			log.WithField("errorMap", errMap).Error("something went wrong downloading sigma packages")
+			continue
+		}
+
+		zipHashes := map[string]string{}
+		for pkg, data := range zips {
+			h := sha256.Sum256(data)
+			zipHashes[pkg] = base64.StdEncoding.EncodeToString(h[:])
+		}
+
+		raw, err := os.ReadFile(e.rulesFingerprintFile)
+		if err != nil && !os.IsNotExist(err) {
+			log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to read rules fingerprint file")
+			continue
+		} else if err == nil {
+			oldHashes := map[string]string{}
+
+			err = json.Unmarshal(raw, &oldHashes)
+			if err != nil {
+				log.WithError(err).Error("unable to unmarshal rules fingerprint file")
+				continue
+			}
+
+			if reflect.DeepEqual(oldHashes, zipHashes) {
+				// only an exact match means no work needs to be done.
+				// If there's extra hashes in the old file, we need to remove them.
+				// If there's extra hashes in the new file, we need to add them.
+				// If there's a mix of new and old hashes, we need to include them all
+				// or the old ones would be removed.
+				log.Info("no sigma package changes to sync")
+				continue
+			}
+		}
+
+		detections, errMap := e.parseRules(zips)
+		if errMap != nil {
+			log.WithField("error", errMap).Error("something went wrong while parsing sigma rule files")
+			continue
+		}
+
+		errMap, err = e.syncCommunityDetections(ctx, detections)
 		if err != nil {
-			log.WithField("error", err).Error("something went wrong while ensuring the sigma repo is up to date")
+			if err == errModuleStopped {
+				log.Info("incomplete sync of elastalert community detections due to module stopping")
+				return
+			}
+
+			log.WithError(err).Error("unable to sync elastalert community detections")
 			continue
 		}
+
+		if len(errMap) > 0 {
+			// there were errors, don't save the fingerprint.
+			// idempotency means we might fix it if we try again later.
+			log.WithFields(log.Fields{
+				"errors": errMap,
+			}).Error("unable to sync all community detections")
+		} else {
+			fingerprints, err := json.Marshal(zipHashes)
+			if err != nil {
+				log.WithError(err).Error("unable to marshal rules fingerprints")
+			} else {
+				err = os.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
+				if err != nil {
+					log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to write rules fingerprint file")
+				}
+			}
+		}
+
+		dur := time.Since(start)
+
+		log.WithFields(log.Fields{
+			"durationSeconds": dur.Seconds(),
+		}).Info("elastalert community rules synced")
 	}
 }
 
-func (e *ElastAlertEngine) ensureUpToDateRepo(ctx context.Context) error {
-	readme := filepath.Join(e.sigmaRepoRoot, "README.md")
+func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*model.Detection, errMap map[string]error) {
+	errMap = map[string]error{} // map[pkgName|fileName]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
 
-	gitCtx, cancel := context.WithTimeout(ctx, time.Duration(e.gitTimeout)*time.Second)
-	defer cancel()
+	acceptedExtensions := map[string]bool{
+		".yml":  true,
+		".yaml": true,
+	}
 
-	_, err := os.Stat(readme)
-	if os.IsNotExist(err) {
-		err = os.MkdirAll(e.sigmaRepoRoot, 0755)
+	for pkg, zipData := range pkgZips {
+		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
-			return fmt.Errorf("unable to create repo root directory: %w", err)
+			errMap[pkg] = err
+			continue
+		}
+
+		for _, file := range reader.File {
+			if file.FileInfo().IsDir() || !acceptedExtensions[strings.ToLower(filepath.Ext(file.Name))] {
+				continue
+			}
+
+			f, err := file.Open()
+			if err != nil {
+				errMap[file.Name] = err
+				continue
+			}
+
+			data, err := io.ReadAll(f)
+			if err != nil {
+				f.Close()
+				errMap[file.Name] = err
+				continue
+			}
+
+			f.Close()
+
+			rule, err := ParseElastAlertRule(data)
+			if err != nil {
+				errMap[file.Name] = err
+				continue
+			}
+
+			id := rule.Title
+
+			if rule.ID != nil {
+				id = *rule.ID
+			} else {
+				fmt.Println()
+			}
+
+			sev := model.SeverityUnknown
+
+			if rule.Level != nil {
+				switch strings.ToLower(string(*rule.Level)) {
+				case "informational":
+					sev = model.SeverityInformational
+				case "low":
+					sev = model.SeverityLow
+				case "medium":
+					sev = model.SeverityMedium
+				case "high":
+					sev = model.SeverityHigh
+				case "critical":
+					sev = model.SeverityCritical
+				}
+			}
+
+			detections = append(detections, &model.Detection{
+				PublicID:    id,
+				Title:       rule.Title,
+				Severity:    sev,
+				Content:     string(data),
+				IsCommunity: true,
+				Engine:      model.EngineNameElastAlert,
+			})
 		}
+	}
+
+	return detections, errMap
+}
+
+func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+	index, err := e.indexExistingRules()
+	if err != nil {
+		return nil, err
+	}
+
+	community, err := e.srv.Detectionstore.GetAllCommunitySIDs(ctx, util.Ptr(model.EngineNameElastAlert))
+	if err != nil {
+		return nil, err
+	}
+
+	toDelete := map[string]struct{}{} // map[publicID]struct{}
+	for _, det := range community {
+		toDelete[det.PublicID] = struct{}{}
+	}
+
+	results := struct {
+		Added     int
+		Updated   int
+		Removed   int
+		Unchanged int
+	}{}
+
+	errMap = map[string]error{} // map[publicID]error
+
+	// detections = []*model.Detection{}
+	for _, det := range detections {
+		path, ok := index[det.PublicID]
+		if !ok {
+			path = index[det.Title]
+		}
+
+		det.IsEnabled = path != ""
+
+		// 1. Save sigma Detection to ElasticSearch
+		oldDet, exists := community[det.PublicID]
+		if exists {
+			det.Id = oldDet.Id
+			if oldDet.Content != det.Content {
+				_, err = e.srv.Detectionstore.UpdateDetection(ctx, det)
+				if err != nil {
+					errMap[det.PublicID] = fmt.Errorf("unable to update detection: %s", err)
+					continue
+				}
+
+				delete(toDelete, det.PublicID)
+				results.Updated++
+			} else {
+				delete(toDelete, det.PublicID)
+				results.Unchanged++
+			}
+		} else {
+			_, err = e.srv.Detectionstore.CreateDetection(ctx, det)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to create detection: %s", err)
+				continue
+			}
+
+			delete(toDelete, det.PublicID)
+			results.Added++
+		}
+
+		if det.IsEnabled {
+			// 2. if enabled, send data to docker container to get converted to query
+
+			rule, err := e.sigmaToElastAlert(ctx, det.Content) // get sigma from docker container
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to convert sigma to elastalert: %s", err)
+				continue
+			}
+
+			_ = rule
+			// 3. put query in /opt/so/rules/sigma for salt to pick up
+
+			err = nil // os.WriteFile(path, []byte(rule), 0644)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
+				continue
+			}
+		}
+	}
 
-		_, err = git.PlainCloneContext(gitCtx, e.sigmaRepoRoot, false, &git.CloneOptions{
-			URL:   e.sigmaRepo,
-			Depth: 1,
-		})
+	for publicId := range toDelete {
+		_, err = e.srv.Detectionstore.DeleteDetection(ctx, community[publicId].Id)
 		if err != nil {
-			return fmt.Errorf("unable to clone repo: %w", err)
+			errMap[publicId] = fmt.Errorf("unable to delete detection: %s", err)
+			continue
+		}
+
+		results.Removed++
+	}
+
+	log.WithFields(log.Fields{
+		"added":     results.Added,
+		"updated":   results.Updated,
+		"removed":   results.Removed,
+		"unchanged": results.Unchanged,
+		"errors":    errMap,
+	}).Info("elastalert community diff")
+
+	return errMap, nil
+}
+
+func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData map[string][]byte, errMap map[string]error) {
+	errMap = map[string]error{} // map[pkgName]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	gh := github.NewClient(nil)
+
+	release, _, err := gh.Repositories.GetLatestRelease(ctx, "SigmaHQ", "sigma")
+	if err != nil {
+		errMap["sigma"] = err
+		return nil, errMap
+	}
+
+	pkgs := map[string]string{} // map[pkgName]downloadUrl
+
+	// organize assets
+	for _, asset := range release.Assets {
+		name := strings.ToLower(asset.GetName())
+		if !strings.HasSuffix(name, ".zip") {
+			continue
 		}
-	} else if err == nil {
-		repo, err := git.PlainOpen(e.sigmaRepoRoot)
+
+		link := asset.GetBrowserDownloadURL()
+
+		// Must be if/else-if so the order is correct.
+		// A switch statement might check "core" before "core++"
+		if strings.Contains(name, "all_rules") {
+			pkgs["all_rules"] = link
+		} else if strings.Contains(name, "core++") {
+			pkgs["core++"] = link
+		} else if strings.Contains(name, "core+") {
+			pkgs["core+"] = link
+		} else if strings.Contains(name, "core") {
+			pkgs["core"] = link
+		} else if strings.Contains(name, "emerging_threats") {
+			pkgs["emerging_threats"] = link
+		}
+	}
+
+	stats := map[string]int{} // map[pkgName]fileSize
+	zipData = map[string][]byte{}
+
+	for _, pkg := range e.sigmaRulePackages {
+		download, ok := pkgs[pkg]
+		if !ok {
+			log.WithField("package", pkg).Warn("unknown sigma package")
+			continue
+		}
+
+		resp, err := http.Get(download)
 		if err != nil {
-			return fmt.Errorf("unable to open existing repo: %w", err)
+			errMap[pkg] = err
+			continue
 		}
 
-		w, err := repo.Worktree()
+		if resp.StatusCode < 200 || resp.StatusCode > 299 {
+			errMap[pkg] = fmt.Errorf("non-200 status code during download: %d", resp.StatusCode)
+			continue
+		}
+
+		zipData[pkg], err = io.ReadAll(resp.Body)
 		if err != nil {
-			return fmt.Errorf("unable to get worktree of existing repo: %w", err)
+			errMap[pkg] = err
+			continue
 		}
 
-		err = w.PullContext(gitCtx, &git.PullOptions{
-			Depth: 1,
-		})
-		if err != nil && err != git.NoErrAlreadyUpToDate {
-			return fmt.Errorf("unable to pull repo: %w", err)
+		stats[pkg] = len(zipData[pkg])
+	}
+
+	log.WithField("downloadSizes", stats).Info("downloaded sigma packages")
+
+	return zipData, nil
+}
+
+func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
+	index = map[string]string{} // map[id | title]path
+
+	rules, err := os.ReadDir(e.elastAlertRulesFolder)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read elastalert rules directory: %w", err)
+	}
+
+	for _, rule := range rules {
+		if rule.IsDir() {
+			continue
+		}
+
+		filename := filepath.Join(e.elastAlertRulesFolder, rule.Name())
+
+		data, err := os.ReadFile(filename)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read elastalert rule file %s: %w", filename, err)
+		}
+
+		rule, err := ParseElastAlertRule(data)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse elastalert rule file %s: %w", filename, err)
 		}
-	} else {
-		return fmt.Errorf("unable to determine if README.md exists: %w", err)
+
+		id := rule.Title
+
+		if rule.ID != nil {
+			id = *rule.ID
+		}
+
+		index[id] = filename
 	}
 
-	return nil
+	return index, nil
+}
+
+func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string) (string, error) {
+	// wrapper for the payload
+	ruleWrapper := struct {
+		Rule     string   `json:"rule"`
+		Pipeline []string `json:"pipeline"`
+		Target   string   `json:"target"`
+		Format   string   `json:"format"`
+	}{
+		Rule:     base64.StdEncoding.EncodeToString([]byte(sigma)),
+		Pipeline: []string{},
+		Target:   "eql",
+		Format:   "default",
+	}
+
+	payload, err := json.Marshal(ruleWrapper)
+	if err != nil {
+		return "", err
+	}
+
+	// build request
+	req, err := http.NewRequest(http.MethodPost, e.sigconverterUrl, bytes.NewReader(payload))
+	if err != nil {
+		return "", err
+	}
+
+	req = req.WithContext(ctx)
+	req.Header.Add("Content-Type", "application/json")
+
+	// send request
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < 200 || resp.StatusCode > 299 {
+		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
+	}
+
+	elastRule, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	return string(elastRule), nil
 }
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 9591ab3e0..84583f83e 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -20,6 +20,7 @@ const (
 type SigmaLevel string
 
 const (
+	SigmaLevelUnknown       SigmaLevel = "unknown"
 	SigmaLevelInformational SigmaLevel = "informational"
 	SigmaLevelLow           SigmaLevel = "low"
 	SigmaLevelMedium        SigmaLevel = "medium"
@@ -39,6 +40,7 @@ const (
 
 type SigmaRule struct {
 	Title          string                 `yaml:"title"`
+	ID             *string                `yaml:"id"`
 	LogSource      LogSource              `yaml:"logsource"`
 	Detection      Detection              `yaml:"detection"`
 	Status         *SigmaStatus           `yaml:"status"`
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index be1b7b0e0..7824b3298 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -393,8 +393,13 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context) (map[string]*model.Detection, error) {
-	all, err := store.getAll(ctx, fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection"), -1)
+func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection")
+	if engine != nil {
+		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
+	}
+
+	all, err := store.getAll(ctx, query, -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 742f29263..32f18a6a9 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -122,7 +122,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 				return
 			}
 
-			log.WithError(err).Error("unable to sync community detections")
+			log.WithError(err).Error("unable to sync suricata community detections")
 			continue
 		}
 
@@ -141,7 +141,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		dur := time.Since(start)
 
- 		log.WithFields(log.Fields{
+		log.WithFields(log.Fields{
 			"durationSeconds": dur.Seconds(),
 		}).Info("suricata community rules synced")
 	}
@@ -256,9 +256,9 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 				case "INFORMATIONAL":
 					severity = model.SeverityInformational
 				case "MINOR":
-					severity = model.SeverityMinor
+					severity = model.SeverityLow
 				case "MAJOR":
-					severity = model.SeverityMajor
+					severity = model.SeverityHigh
 				case "CRITICAL":
 					severity = model.SeverityCritical
 				}
@@ -468,7 +468,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 	disabledIndex := indexEnabled(disabledLines, true)
 	modifyIndex := indexModify(modifyLines)
 
-	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx)
+	commSIDs, err := s.srv.Detectionstore.GetAllCommunitySIDs(ctx, util.Ptr(model.EngineNameSuricata))
 	if err != nil {
 		return nil, err
 	}

From 59c891a277ee73024019e2f3b778b494f6b5083f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 6 Nov 2023 16:30:42 -0700
Subject: [PATCH 063/102] WIP ElastAlert Improvements

Backend:

Removed go-github. Instead, we're using a configurable url template.

Updated config values to impact how the UI renders.

Replaced all references of github.com/tj/assert with references to github.com/stretchr/testify/assert for consistency.

Fixed an issue where errors resulted in more errors when syncing local detections in elastalert.

ElastAlert's SyncLocalDetections now implemented.

ElastAlert's syncCommunityDetections is further implemented.

Fixed a bug where syncing community detections resulted in purging local detections.

Tests. Refactor to make some functions more testable.

UI:

Hide charts when on detections page in advanced mode.

Removed auto-grow from rule text area. For large rules, modifying the rule would adjust the text area size which would adjust the browser's scroll position sometimes with counter productive effects.

Include js-yaml library to parse yaml (i.e. sigma) to retrieve values. Used to extract the PublicID field from a sigma rule. More uses to come.
---
 config/config.go                             |   7 +-
 go.mod                                       |   2 -
 go.sum                                       |   8 -
 html/index.html                              |   9 +-
 html/js/external/js-yaml.min.js              |   2 +
 html/js/routes/detection.js                  |   9 +
 licensing/license_manager_test.go            |   2 +-
 server/detectionhandler.go                   |   1 +
 server/infohandler.go                        |  22 +-
 server/modules/elastalert/elastalert.go      | 363 +++++++++++++++----
 server/modules/elastalert/elastalert_test.go | 334 ++++++++++++++++-
 server/modules/elastalert/oneormore_test.go  |   2 +-
 server/modules/suricata/validate_test.go     |   3 +-
 web/middleware_test.go                       |   2 +-
 14 files changed, 662 insertions(+), 104 deletions(-)
 create mode 100644 html/js/external/js-yaml.min.js

diff --git a/config/config.go b/config/config.go
index 1d7065951..21b18350e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -47,13 +47,12 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 
 	// TODO: remove when put in config file
 	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
-		"communityRulesFile":                   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
-		"communityRulesImportFrequencySeconds": float64(5),
+		"communityRulesFile":   "/nsm/rules/suricata/emerging-all.rules",
+		"rulesFingerprintFile": "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
 	}
 
 	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(5), // not a recommended value, I'm impatient
+		"communityRulesImportFrequencySeconds": float64(61), // not a recommended value, I'm impatient
 		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
 		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
 		"sigmaRulePackages":                    "all",
diff --git a/go.mod b/go.mod
index e502bf9f8..29ef986ef 100644
--- a/go.mod
+++ b/go.mod
@@ -20,10 +20,8 @@ require (
 )
 
 require (
-	github.com/google/go-github/v56 v56.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
-	github.com/tj/assert v0.0.3
 )
 
 require (
diff --git a/go.sum b/go.sum
index faac69a56..e87a28ca7 100644
--- a/go.sum
+++ b/go.sum
@@ -43,13 +43,6 @@ github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-github/v56 v56.0.0 h1:TysL7dMa/r7wsQi44BjqlwaHvwlFlqkK8CtBWCX3gb4=
-github.com/google/go-github/v56 v56.0.0/go.mod h1:D8cdcX98YWJvi7TLo7zM4/h8ZTx6u6fwGEkCdisopo0=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -162,7 +155,6 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/html/index.html b/html/index.html
index ce82d58d8..c7912b911 100644
--- a/html/index.html
+++ b/html/index.html
@@ -347,7 +347,7 @@ <h2 v-text="i18n[category]"></h2>
               <v-expansion-panel>
                 <v-expansion-panel-header id="huntOptionsHeader">{{i18n.options}}</v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  <v-switch v-if="isCategory('alerts') || isCategory('cases')" id="enable-advanced" :disabled="loading()" v-model="advanced" dense hide-details class="my-0" :label="i18n.advanced"></v-switch>
+                  <v-switch v-if="isCategory('alerts') || isCategory('cases') || isCategory('detections')" id="enable-advanced" :disabled="loading()" v-model="advanced" dense hide-details class="my-0" :label="i18n.advanced"></v-switch>
                   <v-switch v-if="isAdvanced()" id="auto-hunt" :disabled="loading()" v-model="autohunt" dense hide-details class="my-0" :label="i18n.autohunt"></v-switch>
                   <v-switch v-for="toggle in filterToggles" :key="toggle.name"
                     :id="'filterToggle-' + toggle.name"
@@ -466,7 +466,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
             </span>
           </v-col>
         </v-row>
-        <v-col id="graphs" v-if="loaded && isAdvanced()">
+        <v-col id="graphs" v-if="loaded && isAdvanced() && !isCategory('detections')">
           <v-toolbar dense flat>
             <v-toolbar-title>{{ i18n.standardMetrics }}</v-toolbar-title>
             <v-spacer />
@@ -998,7 +998,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea class="config-editor" outlined v-model="detect.content" auto-grow rows="10" :rules="[rules.required]" />
+                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" />
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1670,7 +1670,7 @@ <h4 v-if="!$root.loading">{{ i18n.usersEnabled }} {{ countUsersEnabled() }} / {{
                               <v-alert v-if="item.oidcStatus == 'enabled'" class="mt-2" type="warning" icon="fa-shield-halved" text dense>
                                 {{ i18n.oidcResetPasswordHelp }}
                               </v-alert>
-              
+
                               <v-form v-model="form.valid">
                                 <v-text-field id="password-input" v-model="form.password" :placeholder="i18n.passwordChange" :type="showPassword ? 'text' : 'password'"
                                   @click:append="showPassword = !showPassword" :append-icon="showPassword ? 'fa-eye-slash' : 'fa-eye'"
@@ -4505,6 +4505,7 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/external/purify-3.0.6.min.js"></script>
     <script src="js/external/chartjs-chart-sankey-0.12.0.min.js"></script>
     <script src="js/external/chartjs-adapter-moment-1.0.0.min.js"></script>
+    <script src="js/external/js-yaml.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/external/js-yaml.min.js b/html/js/external/js-yaml.min.js
new file mode 100644
index 000000000..bdd8eef54
--- /dev/null
+++ b/html/js/external/js-yaml.min.js
@@ -0,0 +1,2 @@
+/*! js-yaml 4.1.0 https://github.com/nodeca/js-yaml @license MIT */
+!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).jsyaml={})}(this,(function(e){"use strict";function t(e){return null==e}var n={isNothing:t,isObject:function(e){return"object"==typeof e&&null!==e},toArray:function(e){return Array.isArray(e)?e:t(e)?[]:[e]},repeat:function(e,t){var n,i="";for(n=0;n<t;n+=1)i+=e;return i},isNegativeZero:function(e){return 0===e&&Number.NEGATIVE_INFINITY===1/e},extend:function(e,t){var n,i,r,o;if(t)for(n=0,i=(o=Object.keys(t)).length;n<i;n+=1)e[r=o[n]]=t[r];return e}};function i(e,t){var n="",i=e.reason||"(unknown reason)";return e.mark?(e.mark.name&&(n+='in "'+e.mark.name+'" '),n+="("+(e.mark.line+1)+":"+(e.mark.column+1)+")",!t&&e.mark.snippet&&(n+="\n\n"+e.mark.snippet),i+" "+n):i}function r(e,t){Error.call(this),this.name="YAMLException",this.reason=e,this.mark=t,this.message=i(this,!1),Error.captureStackTrace?Error.captureStackTrace(this,this.constructor):this.stack=(new Error).stack||""}r.prototype=Object.create(Error.prototype),r.prototype.constructor=r,r.prototype.toString=function(e){return this.name+": "+i(this,e)};var o=r;function a(e,t,n,i,r){var o="",a="",l=Math.floor(r/2)-1;return i-t>l&&(t=i-l+(o=" ... ").length),n-i>l&&(n=i+l-(a=" ...").length),{str:o+e.slice(t,n).replace(/\t/g,"→")+a,pos:i-t+o.length}}function l(e,t){return n.repeat(" ",t-e.length)+e}var c=function(e,t){if(t=Object.create(t||null),!e.buffer)return null;t.maxLength||(t.maxLength=79),"number"!=typeof t.indent&&(t.indent=1),"number"!=typeof t.linesBefore&&(t.linesBefore=3),"number"!=typeof t.linesAfter&&(t.linesAfter=2);for(var i,r=/\r?\n|\r|\0/g,o=[0],c=[],s=-1;i=r.exec(e.buffer);)c.push(i.index),o.push(i.index+i[0].length),e.position<=i.index&&s<0&&(s=o.length-2);s<0&&(s=o.length-1);var u,p,f="",d=Math.min(e.line+t.linesAfter,c.length).toString().length,h=t.maxLength-(t.indent+d+3);for(u=1;u<=t.linesBefore&&!(s-u<0);u++)p=a(e.buffer,o[s-u],c[s-u],e.position-(o[s]-o[s-u]),h),f=n.repeat(" ",t.indent)+l((e.line-u+1).toString(),d)+" | "+p.str+"\n"+f;for(p=a(e.buffer,o[s],c[s],e.position,h),f+=n.repeat(" ",t.indent)+l((e.line+1).toString(),d)+" | "+p.str+"\n",f+=n.repeat("-",t.indent+d+3+p.pos)+"^\n",u=1;u<=t.linesAfter&&!(s+u>=c.length);u++)p=a(e.buffer,o[s+u],c[s+u],e.position-(o[s]-o[s+u]),h),f+=n.repeat(" ",t.indent)+l((e.line+u+1).toString(),d)+" | "+p.str+"\n";return f.replace(/\n$/,"")},s=["kind","multi","resolve","construct","instanceOf","predicate","represent","representName","defaultStyle","styleAliases"],u=["scalar","sequence","mapping"];var p=function(e,t){if(t=t||{},Object.keys(t).forEach((function(t){if(-1===s.indexOf(t))throw new o('Unknown option "'+t+'" is met in definition of "'+e+'" YAML type.')})),this.options=t,this.tag=e,this.kind=t.kind||null,this.resolve=t.resolve||function(){return!0},this.construct=t.construct||function(e){return e},this.instanceOf=t.instanceOf||null,this.predicate=t.predicate||null,this.represent=t.represent||null,this.representName=t.representName||null,this.defaultStyle=t.defaultStyle||null,this.multi=t.multi||!1,this.styleAliases=function(e){var t={};return null!==e&&Object.keys(e).forEach((function(n){e[n].forEach((function(e){t[String(e)]=n}))})),t}(t.styleAliases||null),-1===u.indexOf(this.kind))throw new o('Unknown kind "'+this.kind+'" is specified for "'+e+'" YAML type.')};function f(e,t){var n=[];return e[t].forEach((function(e){var t=n.length;n.forEach((function(n,i){n.tag===e.tag&&n.kind===e.kind&&n.multi===e.multi&&(t=i)})),n[t]=e})),n}function d(e){return this.extend(e)}d.prototype.extend=function(e){var t=[],n=[];if(e instanceof p)n.push(e);else if(Array.isArray(e))n=n.concat(e);else{if(!e||!Array.isArray(e.implicit)&&!Array.isArray(e.explicit))throw new o("Schema.extend argument should be a Type, [ Type ], or a schema definition ({ implicit: [...], explicit: [...] })");e.implicit&&(t=t.concat(e.implicit)),e.explicit&&(n=n.concat(e.explicit))}t.forEach((function(e){if(!(e instanceof p))throw new o("Specified list of YAML types (or a single Type object) contains a non-Type object.");if(e.loadKind&&"scalar"!==e.loadKind)throw new o("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.");if(e.multi)throw new o("There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.")})),n.forEach((function(e){if(!(e instanceof p))throw new o("Specified list of YAML types (or a single Type object) contains a non-Type object.")}));var i=Object.create(d.prototype);return i.implicit=(this.implicit||[]).concat(t),i.explicit=(this.explicit||[]).concat(n),i.compiledImplicit=f(i,"implicit"),i.compiledExplicit=f(i,"explicit"),i.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{},multi:{scalar:[],sequence:[],mapping:[],fallback:[]}};function i(e){e.multi?(n.multi[e.kind].push(e),n.multi.fallback.push(e)):n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e<t;e+=1)arguments[e].forEach(i);return n}(i.compiledImplicit,i.compiledExplicit),i};var h=d,g=new p("tag:yaml.org,2002:str",{kind:"scalar",construct:function(e){return null!==e?e:""}}),m=new p("tag:yaml.org,2002:seq",{kind:"sequence",construct:function(e){return null!==e?e:[]}}),y=new p("tag:yaml.org,2002:map",{kind:"mapping",construct:function(e){return null!==e?e:{}}}),b=new h({explicit:[g,m,y]});var A=new p("tag:yaml.org,2002:null",{kind:"scalar",resolve:function(e){if(null===e)return!0;var t=e.length;return 1===t&&"~"===e||4===t&&("null"===e||"Null"===e||"NULL"===e)},construct:function(){return null},predicate:function(e){return null===e},represent:{canonical:function(){return"~"},lowercase:function(){return"null"},uppercase:function(){return"NULL"},camelcase:function(){return"Null"},empty:function(){return""}},defaultStyle:"lowercase"});var v=new p("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"});function w(e){return 48<=e&&e<=55}function k(e){return 48<=e&&e<=57}var C=new p("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i=e.length,r=0,o=!1;if(!i)return!1;if("-"!==(t=e[r])&&"+"!==t||(t=e[++r]),"0"===t){if(r+1===i)return!0;if("b"===(t=e[++r])){for(r++;r<i;r++)if("_"!==(t=e[r])){if("0"!==t&&"1"!==t)return!1;o=!0}return o&&"_"!==t}if("x"===t){for(r++;r<i;r++)if("_"!==(t=e[r])){if(!(48<=(n=e.charCodeAt(r))&&n<=57||65<=n&&n<=70||97<=n&&n<=102))return!1;o=!0}return o&&"_"!==t}if("o"===t){for(r++;r<i;r++)if("_"!==(t=e[r])){if(!w(e.charCodeAt(r)))return!1;o=!0}return o&&"_"!==t}}if("_"===t)return!1;for(;r<i;r++)if("_"!==(t=e[r])){if(!k(e.charCodeAt(r)))return!1;o=!0}return!(!o||"_"===t)},construct:function(e){var t,n=e,i=1;if(-1!==n.indexOf("_")&&(n=n.replace(/_/g,"")),"-"!==(t=n[0])&&"+"!==t||("-"===t&&(i=-1),t=(n=n.slice(1))[0]),"0"===n)return 0;if("0"===t){if("b"===n[1])return i*parseInt(n.slice(2),2);if("x"===n[1])return i*parseInt(n.slice(2),16);if("o"===n[1])return i*parseInt(n.slice(2),8)}return i*parseInt(n,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&e%1==0&&!n.isNegativeZero(e)},represent:{binary:function(e){return e>=0?"0b"+e.toString(2):"-0b"+e.toString(2).slice(1)},octal:function(e){return e>=0?"0o"+e.toString(8):"-0o"+e.toString(8).slice(1)},decimal:function(e){return e.toString(10)},hexadecimal:function(e){return e>=0?"0x"+e.toString(16).toUpperCase():"-0x"+e.toString(16).toUpperCase().slice(1)}},defaultStyle:"decimal",styleAliases:{binary:[2,"bin"],octal:[8,"oct"],decimal:[10,"dec"],hexadecimal:[16,"hex"]}}),x=new RegExp("^(?:[-+]?(?:[0-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var I=/^[-+]?[0-9]+e/;var S=new p("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!x.test(e)||"_"===e[e.length-1])},construct:function(e){var t,n;return n="-"===(t=e.replace(/_/g,"").toLowerCase())[0]?-1:1,"+-".indexOf(t[0])>=0&&(t=t.slice(1)),".inf"===t?1===n?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===t?NaN:n*parseFloat(t,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||n.isNegativeZero(e))},represent:function(e,t){var i;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(n.isNegativeZero(e))return"-0.0";return i=e.toString(10),I.test(i)?i.replace("e",".e"):i},defaultStyle:"lowercase"}),O=b.extend({implicit:[A,v,C,S]}),j=O,T=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9])-([0-9][0-9])$"),N=new RegExp("^([0-9][0-9][0-9][0-9])-([0-9][0-9]?)-([0-9][0-9]?)(?:[Tt]|[ \\t]+)([0-9][0-9]?):([0-9][0-9]):([0-9][0-9])(?:\\.([0-9]*))?(?:[ \\t]*(Z|([-+])([0-9][0-9]?)(?::([0-9][0-9]))?))?$");var F=new p("tag:yaml.org,2002:timestamp",{kind:"scalar",resolve:function(e){return null!==e&&(null!==T.exec(e)||null!==N.exec(e))},construct:function(e){var t,n,i,r,o,a,l,c,s=0,u=null;if(null===(t=T.exec(e))&&(t=N.exec(e)),null===t)throw new Error("Date resolve error");if(n=+t[1],i=+t[2]-1,r=+t[3],!t[4])return new Date(Date.UTC(n,i,r));if(o=+t[4],a=+t[5],l=+t[6],t[7]){for(s=t[7].slice(0,3);s.length<3;)s+="0";s=+s}return t[9]&&(u=6e4*(60*+t[10]+ +(t[11]||0)),"-"===t[9]&&(u=-u)),c=new Date(Date.UTC(n,i,r,o,a,l,s)),u&&c.setTime(c.getTime()-u),c},instanceOf:Date,represent:function(e){return e.toISOString()}});var E=new p("tag:yaml.org,2002:merge",{kind:"scalar",resolve:function(e){return"<<"===e||null===e}}),M="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n\r";var L=new p("tag:yaml.org,2002:binary",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i=0,r=e.length,o=M;for(n=0;n<r;n++)if(!((t=o.indexOf(e.charAt(n)))>64)){if(t<0)return!1;i+=6}return i%8==0},construct:function(e){var t,n,i=e.replace(/[\r\n=]/g,""),r=i.length,o=M,a=0,l=[];for(t=0;t<r;t++)t%4==0&&t&&(l.push(a>>16&255),l.push(a>>8&255),l.push(255&a)),a=a<<6|o.indexOf(i.charAt(t));return 0===(n=r%4*6)?(l.push(a>>16&255),l.push(a>>8&255),l.push(255&a)):18===n?(l.push(a>>10&255),l.push(a>>2&255)):12===n&&l.push(a>>4&255),new Uint8Array(l)},predicate:function(e){return"[object Uint8Array]"===Object.prototype.toString.call(e)},represent:function(e){var t,n,i="",r=0,o=e.length,a=M;for(t=0;t<o;t++)t%3==0&&t&&(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]),r=(r<<8)+e[t];return 0===(n=o%3)?(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]):2===n?(i+=a[r>>10&63],i+=a[r>>4&63],i+=a[r<<2&63],i+=a[64]):1===n&&(i+=a[r>>2&63],i+=a[r<<4&63],i+=a[64],i+=a[64]),i}}),_=Object.prototype.hasOwnProperty,D=Object.prototype.toString;var U=new p("tag:yaml.org,2002:omap",{kind:"sequence",resolve:function(e){if(null===e)return!0;var t,n,i,r,o,a=[],l=e;for(t=0,n=l.length;t<n;t+=1){if(i=l[t],o=!1,"[object Object]"!==D.call(i))return!1;for(r in i)if(_.call(i,r)){if(o)return!1;o=!0}if(!o)return!1;if(-1!==a.indexOf(r))return!1;a.push(r)}return!0},construct:function(e){return null!==e?e:[]}}),q=Object.prototype.toString;var Y=new p("tag:yaml.org,2002:pairs",{kind:"sequence",resolve:function(e){if(null===e)return!0;var t,n,i,r,o,a=e;for(o=new Array(a.length),t=0,n=a.length;t<n;t+=1){if(i=a[t],"[object Object]"!==q.call(i))return!1;if(1!==(r=Object.keys(i)).length)return!1;o[t]=[r[0],i[r[0]]]}return!0},construct:function(e){if(null===e)return[];var t,n,i,r,o,a=e;for(o=new Array(a.length),t=0,n=a.length;t<n;t+=1)i=a[t],r=Object.keys(i),o[t]=[r[0],i[r[0]]];return o}}),R=Object.prototype.hasOwnProperty;var B=new p("tag:yaml.org,2002:set",{kind:"mapping",resolve:function(e){if(null===e)return!0;var t,n=e;for(t in n)if(R.call(n,t)&&null!==n[t])return!1;return!0},construct:function(e){return null!==e?e:{}}}),K=j.extend({implicit:[F,E],explicit:[L,U,Y,B]}),P=Object.prototype.hasOwnProperty,W=/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F\uFFFE\uFFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]/,H=/[\x85\u2028\u2029]/,$=/[,\[\]\{\}]/,G=/^(?:!|!!|![a-z\-]+!)$/i,V=/^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;function Z(e){return Object.prototype.toString.call(e)}function J(e){return 10===e||13===e}function Q(e){return 9===e||32===e}function z(e){return 9===e||32===e||10===e||13===e}function X(e){return 44===e||91===e||93===e||123===e||125===e}function ee(e){var t;return 48<=e&&e<=57?e-48:97<=(t=32|e)&&t<=102?t-97+10:-1}function te(e){return 48===e?"\0":97===e?"":98===e?"\b":116===e||9===e?"\t":110===e?"\n":118===e?"\v":102===e?"\f":114===e?"\r":101===e?"":32===e?" ":34===e?'"':47===e?"/":92===e?"\\":78===e?"…":95===e?" ":76===e?"\u2028":80===e?"\u2029":""}function ne(e){return e<=65535?String.fromCharCode(e):String.fromCharCode(55296+(e-65536>>10),56320+(e-65536&1023))}for(var ie=new Array(256),re=new Array(256),oe=0;oe<256;oe++)ie[oe]=te(oe)?1:0,re[oe]=te(oe);function ae(e,t){this.input=e,this.filename=t.filename||null,this.schema=t.schema||K,this.onWarning=t.onWarning||null,this.legacy=t.legacy||!1,this.json=t.json||!1,this.listener=t.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=e.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.firstTabInLine=-1,this.documents=[]}function le(e,t){var n={name:e.filename,buffer:e.input.slice(0,-1),position:e.position,line:e.line,column:e.position-e.lineStart};return n.snippet=c(n),new o(t,n)}function ce(e,t){throw le(e,t)}function se(e,t){e.onWarning&&e.onWarning.call(null,le(e,t))}var ue={YAML:function(e,t,n){var i,r,o;null!==e.version&&ce(e,"duplication of %YAML directive"),1!==n.length&&ce(e,"YAML directive accepts exactly one argument"),null===(i=/^([0-9]+)\.([0-9]+)$/.exec(n[0]))&&ce(e,"ill-formed argument of the YAML directive"),r=parseInt(i[1],10),o=parseInt(i[2],10),1!==r&&ce(e,"unacceptable YAML version of the document"),e.version=n[0],e.checkLineBreaks=o<2,1!==o&&2!==o&&se(e,"unsupported YAML version of the document")},TAG:function(e,t,n){var i,r;2!==n.length&&ce(e,"TAG directive accepts exactly two arguments"),i=n[0],r=n[1],G.test(i)||ce(e,"ill-formed tag handle (first argument) of the TAG directive"),P.call(e.tagMap,i)&&ce(e,'there is a previously declared suffix for "'+i+'" tag handle'),V.test(r)||ce(e,"ill-formed tag prefix (second argument) of the TAG directive");try{r=decodeURIComponent(r)}catch(t){ce(e,"tag prefix is malformed: "+r)}e.tagMap[i]=r}};function pe(e,t,n,i){var r,o,a,l;if(t<n){if(l=e.input.slice(t,n),i)for(r=0,o=l.length;r<o;r+=1)9===(a=l.charCodeAt(r))||32<=a&&a<=1114111||ce(e,"expected valid JSON character");else W.test(l)&&ce(e,"the stream contains non-printable characters");e.result+=l}}function fe(e,t,i,r){var o,a,l,c;for(n.isObject(i)||ce(e,"cannot merge mappings; the provided source object is unacceptable"),l=0,c=(o=Object.keys(i)).length;l<c;l+=1)a=o[l],P.call(t,a)||(t[a]=i[a],r[a]=!0)}function de(e,t,n,i,r,o,a,l,c){var s,u;if(Array.isArray(r))for(s=0,u=(r=Array.prototype.slice.call(r)).length;s<u;s+=1)Array.isArray(r[s])&&ce(e,"nested arrays are not supported inside keys"),"object"==typeof r&&"[object Object]"===Z(r[s])&&(r[s]="[object Object]");if("object"==typeof r&&"[object Object]"===Z(r)&&(r="[object Object]"),r=String(r),null===t&&(t={}),"tag:yaml.org,2002:merge"===i)if(Array.isArray(o))for(s=0,u=o.length;s<u;s+=1)fe(e,t,o[s],n);else fe(e,t,o,n);else e.json||P.call(n,r)||!P.call(t,r)||(e.line=a||e.line,e.lineStart=l||e.lineStart,e.position=c||e.position,ce(e,"duplicated mapping key")),"__proto__"===r?Object.defineProperty(t,r,{configurable:!0,enumerable:!0,writable:!0,value:o}):t[r]=o,delete n[r];return t}function he(e){var t;10===(t=e.input.charCodeAt(e.position))?e.position++:13===t?(e.position++,10===e.input.charCodeAt(e.position)&&e.position++):ce(e,"a line break is expected"),e.line+=1,e.lineStart=e.position,e.firstTabInLine=-1}function ge(e,t,n){for(var i=0,r=e.input.charCodeAt(e.position);0!==r;){for(;Q(r);)9===r&&-1===e.firstTabInLine&&(e.firstTabInLine=e.position),r=e.input.charCodeAt(++e.position);if(t&&35===r)do{r=e.input.charCodeAt(++e.position)}while(10!==r&&13!==r&&0!==r);if(!J(r))break;for(he(e),r=e.input.charCodeAt(e.position),i++,e.lineIndent=0;32===r;)e.lineIndent++,r=e.input.charCodeAt(++e.position)}return-1!==n&&0!==i&&e.lineIndent<n&&se(e,"deficient indentation"),i}function me(e){var t,n=e.position;return!(45!==(t=e.input.charCodeAt(n))&&46!==t||t!==e.input.charCodeAt(n+1)||t!==e.input.charCodeAt(n+2)||(n+=3,0!==(t=e.input.charCodeAt(n))&&!z(t)))}function ye(e,t){1===t?e.result+=" ":t>1&&(e.result+=n.repeat("\n",t-1))}function be(e,t){var n,i,r=e.tag,o=e.anchor,a=[],l=!1;if(-1!==e.firstTabInLine)return!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=a),i=e.input.charCodeAt(e.position);0!==i&&(-1!==e.firstTabInLine&&(e.position=e.firstTabInLine,ce(e,"tab characters must not be used in indentation")),45===i)&&z(e.input.charCodeAt(e.position+1));)if(l=!0,e.position++,ge(e,!0,-1)&&e.lineIndent<=t)a.push(null),i=e.input.charCodeAt(e.position);else if(n=e.line,we(e,t,3,!1,!0),a.push(e.result),ge(e,!0,-1),i=e.input.charCodeAt(e.position),(e.line===n||e.lineIndent>t)&&0!==i)ce(e,"bad indentation of a sequence entry");else if(e.lineIndent<t)break;return!!l&&(e.tag=r,e.anchor=o,e.kind="sequence",e.result=a,!0)}function Ae(e){var t,n,i,r,o=!1,a=!1;if(33!==(r=e.input.charCodeAt(e.position)))return!1;if(null!==e.tag&&ce(e,"duplication of a tag property"),60===(r=e.input.charCodeAt(++e.position))?(o=!0,r=e.input.charCodeAt(++e.position)):33===r?(a=!0,n="!!",r=e.input.charCodeAt(++e.position)):n="!",t=e.position,o){do{r=e.input.charCodeAt(++e.position)}while(0!==r&&62!==r);e.position<e.length?(i=e.input.slice(t,e.position),r=e.input.charCodeAt(++e.position)):ce(e,"unexpected end of the stream within a verbatim tag")}else{for(;0!==r&&!z(r);)33===r&&(a?ce(e,"tag suffix cannot contain exclamation marks"):(n=e.input.slice(t-1,e.position+1),G.test(n)||ce(e,"named tag handle cannot contain such characters"),a=!0,t=e.position+1)),r=e.input.charCodeAt(++e.position);i=e.input.slice(t,e.position),$.test(i)&&ce(e,"tag suffix cannot contain flow indicator characters")}i&&!V.test(i)&&ce(e,"tag name cannot contain such characters: "+i);try{i=decodeURIComponent(i)}catch(t){ce(e,"tag name is malformed: "+i)}return o?e.tag=i:P.call(e.tagMap,n)?e.tag=e.tagMap[n]+i:"!"===n?e.tag="!"+i:"!!"===n?e.tag="tag:yaml.org,2002:"+i:ce(e,'undeclared tag handle "'+n+'"'),!0}function ve(e){var t,n;if(38!==(n=e.input.charCodeAt(e.position)))return!1;for(null!==e.anchor&&ce(e,"duplication of an anchor property"),n=e.input.charCodeAt(++e.position),t=e.position;0!==n&&!z(n)&&!X(n);)n=e.input.charCodeAt(++e.position);return e.position===t&&ce(e,"name of an anchor node must contain at least one character"),e.anchor=e.input.slice(t,e.position),!0}function we(e,t,i,r,o){var a,l,c,s,u,p,f,d,h,g=1,m=!1,y=!1;if(null!==e.listener&&e.listener("open",e),e.tag=null,e.anchor=null,e.kind=null,e.result=null,a=l=c=4===i||3===i,r&&ge(e,!0,-1)&&(m=!0,e.lineIndent>t?g=1:e.lineIndent===t?g=0:e.lineIndent<t&&(g=-1)),1===g)for(;Ae(e)||ve(e);)ge(e,!0,-1)?(m=!0,c=a,e.lineIndent>t?g=1:e.lineIndent===t?g=0:e.lineIndent<t&&(g=-1)):c=!1;if(c&&(c=m||o),1!==g&&4!==i||(d=1===i||2===i?t:t+1,h=e.position-e.lineStart,1===g?c&&(be(e,h)||function(e,t,n){var i,r,o,a,l,c,s,u=e.tag,p=e.anchor,f={},d=Object.create(null),h=null,g=null,m=null,y=!1,b=!1;if(-1!==e.firstTabInLine)return!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=f),s=e.input.charCodeAt(e.position);0!==s;){if(y||-1===e.firstTabInLine||(e.position=e.firstTabInLine,ce(e,"tab characters must not be used in indentation")),i=e.input.charCodeAt(e.position+1),o=e.line,63!==s&&58!==s||!z(i)){if(a=e.line,l=e.lineStart,c=e.position,!we(e,n,2,!1,!0))break;if(e.line===o){for(s=e.input.charCodeAt(e.position);Q(s);)s=e.input.charCodeAt(++e.position);if(58===s)z(s=e.input.charCodeAt(++e.position))||ce(e,"a whitespace character is expected after the key-value separator within a block mapping"),y&&(de(e,f,d,h,g,null,a,l,c),h=g=m=null),b=!0,y=!1,r=!1,h=e.tag,g=e.result;else{if(!b)return e.tag=u,e.anchor=p,!0;ce(e,"can not read an implicit mapping pair; a colon is missed")}}else{if(!b)return e.tag=u,e.anchor=p,!0;ce(e,"can not read a block mapping entry; a multiline key may not be an implicit key")}}else 63===s?(y&&(de(e,f,d,h,g,null,a,l,c),h=g=m=null),b=!0,y=!0,r=!0):y?(y=!1,r=!0):ce(e,"incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line"),e.position+=1,s=i;if((e.line===o||e.lineIndent>t)&&(y&&(a=e.line,l=e.lineStart,c=e.position),we(e,t,4,!0,r)&&(y?g=e.result:m=e.result),y||(de(e,f,d,h,g,m,a,l,c),h=g=m=null),ge(e,!0,-1),s=e.input.charCodeAt(e.position)),(e.line===o||e.lineIndent>t)&&0!==s)ce(e,"bad indentation of a mapping entry");else if(e.lineIndent<t)break}return y&&de(e,f,d,h,g,null,a,l,c),b&&(e.tag=u,e.anchor=p,e.kind="mapping",e.result=f),b}(e,h,d))||function(e,t){var n,i,r,o,a,l,c,s,u,p,f,d,h=!0,g=e.tag,m=e.anchor,y=Object.create(null);if(91===(d=e.input.charCodeAt(e.position)))a=93,s=!1,o=[];else{if(123!==d)return!1;a=125,s=!0,o={}}for(null!==e.anchor&&(e.anchorMap[e.anchor]=o),d=e.input.charCodeAt(++e.position);0!==d;){if(ge(e,!0,t),(d=e.input.charCodeAt(e.position))===a)return e.position++,e.tag=g,e.anchor=m,e.kind=s?"mapping":"sequence",e.result=o,!0;h?44===d&&ce(e,"expected the node content, but found ','"):ce(e,"missed comma between flow collection entries"),f=null,l=c=!1,63===d&&z(e.input.charCodeAt(e.position+1))&&(l=c=!0,e.position++,ge(e,!0,t)),n=e.line,i=e.lineStart,r=e.position,we(e,t,1,!1,!0),p=e.tag,u=e.result,ge(e,!0,t),d=e.input.charCodeAt(e.position),!c&&e.line!==n||58!==d||(l=!0,d=e.input.charCodeAt(++e.position),ge(e,!0,t),we(e,t,1,!1,!0),f=e.result),s?de(e,o,y,p,u,f,n,i,r):l?o.push(de(e,null,y,p,u,f,n,i,r)):o.push(u),ge(e,!0,t),44===(d=e.input.charCodeAt(e.position))?(h=!0,d=e.input.charCodeAt(++e.position)):h=!1}ce(e,"unexpected end of the stream within a flow collection")}(e,d)?y=!0:(l&&function(e,t){var i,r,o,a,l,c=1,s=!1,u=!1,p=t,f=0,d=!1;if(124===(a=e.input.charCodeAt(e.position)))r=!1;else{if(62!==a)return!1;r=!0}for(e.kind="scalar",e.result="";0!==a;)if(43===(a=e.input.charCodeAt(++e.position))||45===a)1===c?c=43===a?3:2:ce(e,"repeat of a chomping mode identifier");else{if(!((o=48<=(l=a)&&l<=57?l-48:-1)>=0))break;0===o?ce(e,"bad explicit indentation width of a block scalar; it cannot be less than one"):u?ce(e,"repeat of an indentation width identifier"):(p=t+o-1,u=!0)}if(Q(a)){do{a=e.input.charCodeAt(++e.position)}while(Q(a));if(35===a)do{a=e.input.charCodeAt(++e.position)}while(!J(a)&&0!==a)}for(;0!==a;){for(he(e),e.lineIndent=0,a=e.input.charCodeAt(e.position);(!u||e.lineIndent<p)&&32===a;)e.lineIndent++,a=e.input.charCodeAt(++e.position);if(!u&&e.lineIndent>p&&(p=e.lineIndent),J(a))f++;else{if(e.lineIndent<p){3===c?e.result+=n.repeat("\n",s?1+f:f):1===c&&s&&(e.result+="\n");break}for(r?Q(a)?(d=!0,e.result+=n.repeat("\n",s?1+f:f)):d?(d=!1,e.result+=n.repeat("\n",f+1)):0===f?s&&(e.result+=" "):e.result+=n.repeat("\n",f):e.result+=n.repeat("\n",s?1+f:f),s=!0,u=!0,f=0,i=e.position;!J(a)&&0!==a;)a=e.input.charCodeAt(++e.position);pe(e,i,e.position,!1)}}return!0}(e,d)||function(e,t){var n,i,r;if(39!==(n=e.input.charCodeAt(e.position)))return!1;for(e.kind="scalar",e.result="",e.position++,i=r=e.position;0!==(n=e.input.charCodeAt(e.position));)if(39===n){if(pe(e,i,e.position,!0),39!==(n=e.input.charCodeAt(++e.position)))return!0;i=e.position,e.position++,r=e.position}else J(n)?(pe(e,i,r,!0),ye(e,ge(e,!1,t)),i=r=e.position):e.position===e.lineStart&&me(e)?ce(e,"unexpected end of the document within a single quoted scalar"):(e.position++,r=e.position);ce(e,"unexpected end of the stream within a single quoted scalar")}(e,d)||function(e,t){var n,i,r,o,a,l,c;if(34!==(l=e.input.charCodeAt(e.position)))return!1;for(e.kind="scalar",e.result="",e.position++,n=i=e.position;0!==(l=e.input.charCodeAt(e.position));){if(34===l)return pe(e,n,e.position,!0),e.position++,!0;if(92===l){if(pe(e,n,e.position,!0),J(l=e.input.charCodeAt(++e.position)))ge(e,!1,t);else if(l<256&&ie[l])e.result+=re[l],e.position++;else if((a=120===(c=l)?2:117===c?4:85===c?8:0)>0){for(r=a,o=0;r>0;r--)(a=ee(l=e.input.charCodeAt(++e.position)))>=0?o=(o<<4)+a:ce(e,"expected hexadecimal character");e.result+=ne(o),e.position++}else ce(e,"unknown escape sequence");n=i=e.position}else J(l)?(pe(e,n,i,!0),ye(e,ge(e,!1,t)),n=i=e.position):e.position===e.lineStart&&me(e)?ce(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}ce(e,"unexpected end of the stream within a double quoted scalar")}(e,d)?y=!0:!function(e){var t,n,i;if(42!==(i=e.input.charCodeAt(e.position)))return!1;for(i=e.input.charCodeAt(++e.position),t=e.position;0!==i&&!z(i)&&!X(i);)i=e.input.charCodeAt(++e.position);return e.position===t&&ce(e,"name of an alias node must contain at least one character"),n=e.input.slice(t,e.position),P.call(e.anchorMap,n)||ce(e,'unidentified alias "'+n+'"'),e.result=e.anchorMap[n],ge(e,!0,-1),!0}(e)?function(e,t,n){var i,r,o,a,l,c,s,u,p=e.kind,f=e.result;if(z(u=e.input.charCodeAt(e.position))||X(u)||35===u||38===u||42===u||33===u||124===u||62===u||39===u||34===u||37===u||64===u||96===u)return!1;if((63===u||45===u)&&(z(i=e.input.charCodeAt(e.position+1))||n&&X(i)))return!1;for(e.kind="scalar",e.result="",r=o=e.position,a=!1;0!==u;){if(58===u){if(z(i=e.input.charCodeAt(e.position+1))||n&&X(i))break}else if(35===u){if(z(e.input.charCodeAt(e.position-1)))break}else{if(e.position===e.lineStart&&me(e)||n&&X(u))break;if(J(u)){if(l=e.line,c=e.lineStart,s=e.lineIndent,ge(e,!1,-1),e.lineIndent>=t){a=!0,u=e.input.charCodeAt(e.position);continue}e.position=o,e.line=l,e.lineStart=c,e.lineIndent=s;break}}a&&(pe(e,r,o,!1),ye(e,e.line-l),r=o=e.position,a=!1),Q(u)||(o=e.position+1),u=e.input.charCodeAt(++e.position)}return pe(e,r,o,!1),!!e.result||(e.kind=p,e.result=f,!1)}(e,d,1===i)&&(y=!0,null===e.tag&&(e.tag="?")):(y=!0,null===e.tag&&null===e.anchor||ce(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===g&&(y=c&&be(e,h))),null===e.tag)null!==e.anchor&&(e.anchorMap[e.anchor]=e.result);else if("?"===e.tag){for(null!==e.result&&"scalar"!==e.kind&&ce(e,'unacceptable node kind for !<?> tag; it should be "scalar", not "'+e.kind+'"'),s=0,u=e.implicitTypes.length;s<u;s+=1)if((f=e.implicitTypes[s]).resolve(e.result)){e.result=f.construct(e.result),e.tag=f.tag,null!==e.anchor&&(e.anchorMap[e.anchor]=e.result);break}}else if("!"!==e.tag){if(P.call(e.typeMap[e.kind||"fallback"],e.tag))f=e.typeMap[e.kind||"fallback"][e.tag];else for(f=null,s=0,u=(p=e.typeMap.multi[e.kind||"fallback"]).length;s<u;s+=1)if(e.tag.slice(0,p[s].tag.length)===p[s].tag){f=p[s];break}f||ce(e,"unknown tag !<"+e.tag+">"),null!==e.result&&f.kind!==e.kind&&ce(e,"unacceptable node kind for !<"+e.tag+'> tag; it should be "'+f.kind+'", not "'+e.kind+'"'),f.resolve(e.result,e.tag)?(e.result=f.construct(e.result,e.tag),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):ce(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")}return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||y}function ke(e){var t,n,i,r,o=e.position,a=!1;for(e.version=null,e.checkLineBreaks=e.legacy,e.tagMap=Object.create(null),e.anchorMap=Object.create(null);0!==(r=e.input.charCodeAt(e.position))&&(ge(e,!0,-1),r=e.input.charCodeAt(e.position),!(e.lineIndent>0||37!==r));){for(a=!0,r=e.input.charCodeAt(++e.position),t=e.position;0!==r&&!z(r);)r=e.input.charCodeAt(++e.position);for(i=[],(n=e.input.slice(t,e.position)).length<1&&ce(e,"directive name must not be less than one character in length");0!==r;){for(;Q(r);)r=e.input.charCodeAt(++e.position);if(35===r){do{r=e.input.charCodeAt(++e.position)}while(0!==r&&!J(r));break}if(J(r))break;for(t=e.position;0!==r&&!z(r);)r=e.input.charCodeAt(++e.position);i.push(e.input.slice(t,e.position))}0!==r&&he(e),P.call(ue,n)?ue[n](e,n,i):se(e,'unknown document directive "'+n+'"')}ge(e,!0,-1),0===e.lineIndent&&45===e.input.charCodeAt(e.position)&&45===e.input.charCodeAt(e.position+1)&&45===e.input.charCodeAt(e.position+2)?(e.position+=3,ge(e,!0,-1)):a&&ce(e,"directives end mark is expected"),we(e,e.lineIndent-1,4,!1,!0),ge(e,!0,-1),e.checkLineBreaks&&H.test(e.input.slice(o,e.position))&&se(e,"non-ASCII line breaks are interpreted as content"),e.documents.push(e.result),e.position===e.lineStart&&me(e)?46===e.input.charCodeAt(e.position)&&(e.position+=3,ge(e,!0,-1)):e.position<e.length-1&&ce(e,"end of the stream or a document separator is expected")}function Ce(e,t){t=t||{},0!==(e=String(e)).length&&(10!==e.charCodeAt(e.length-1)&&13!==e.charCodeAt(e.length-1)&&(e+="\n"),65279===e.charCodeAt(0)&&(e=e.slice(1)));var n=new ae(e,t),i=e.indexOf("\0");for(-1!==i&&(n.position=i,ce(n,"null byte is not allowed in input")),n.input+="\0";32===n.input.charCodeAt(n.position);)n.lineIndent+=1,n.position+=1;for(;n.position<n.length-1;)ke(n);return n.documents}var xe={loadAll:function(e,t,n){null!==t&&"object"==typeof t&&void 0===n&&(n=t,t=null);var i=Ce(e,n);if("function"!=typeof t)return i;for(var r=0,o=i.length;r<o;r+=1)t(i[r])},load:function(e,t){var n=Ce(e,t);if(0!==n.length){if(1===n.length)return n[0];throw new o("expected a single document in the stream, but found more")}}},Ie=Object.prototype.toString,Se=Object.prototype.hasOwnProperty,Oe=65279,je={0:"\\0",7:"\\a",8:"\\b",9:"\\t",10:"\\n",11:"\\v",12:"\\f",13:"\\r",27:"\\e",34:'\\"',92:"\\\\",133:"\\N",160:"\\_",8232:"\\L",8233:"\\P"},Te=["y","Y","yes","Yes","YES","on","On","ON","n","N","no","No","NO","off","Off","OFF"],Ne=/^[-+]?[0-9_]+(?::[0-9_]+)+(?:\.[0-9_]*)?$/;function Fe(e){var t,i,r;if(t=e.toString(16).toUpperCase(),e<=255)i="x",r=2;else if(e<=65535)i="u",r=4;else{if(!(e<=4294967295))throw new o("code point within a string may not be greater than 0xFFFFFFFF");i="U",r=8}return"\\"+i+n.repeat("0",r-t.length)+t}function Ee(e){this.schema=e.schema||K,this.indent=Math.max(1,e.indent||2),this.noArrayIndent=e.noArrayIndent||!1,this.skipInvalid=e.skipInvalid||!1,this.flowLevel=n.isNothing(e.flowLevel)?-1:e.flowLevel,this.styleMap=function(e,t){var n,i,r,o,a,l,c;if(null===t)return{};for(n={},r=0,o=(i=Object.keys(t)).length;r<o;r+=1)a=i[r],l=String(t[a]),"!!"===a.slice(0,2)&&(a="tag:yaml.org,2002:"+a.slice(2)),(c=e.compiledTypeMap.fallback[a])&&Se.call(c.styleAliases,l)&&(l=c.styleAliases[l]),n[a]=l;return n}(this.schema,e.styles||null),this.sortKeys=e.sortKeys||!1,this.lineWidth=e.lineWidth||80,this.noRefs=e.noRefs||!1,this.noCompatMode=e.noCompatMode||!1,this.condenseFlow=e.condenseFlow||!1,this.quotingType='"'===e.quotingType?2:1,this.forceQuotes=e.forceQuotes||!1,this.replacer="function"==typeof e.replacer?e.replacer:null,this.implicitTypes=this.schema.compiledImplicit,this.explicitTypes=this.schema.compiledExplicit,this.tag=null,this.result="",this.duplicates=[],this.usedDuplicates=null}function Me(e,t){for(var i,r=n.repeat(" ",t),o=0,a=-1,l="",c=e.length;o<c;)-1===(a=e.indexOf("\n",o))?(i=e.slice(o),o=c):(i=e.slice(o,a+1),o=a+1),i.length&&"\n"!==i&&(l+=r),l+=i;return l}function Le(e,t){return"\n"+n.repeat(" ",e.indent*t)}function _e(e){return 32===e||9===e}function De(e){return 32<=e&&e<=126||161<=e&&e<=55295&&8232!==e&&8233!==e||57344<=e&&e<=65533&&e!==Oe||65536<=e&&e<=1114111}function Ue(e){return De(e)&&e!==Oe&&13!==e&&10!==e}function qe(e,t,n){var i=Ue(e),r=i&&!_e(e);return(n?i:i&&44!==e&&91!==e&&93!==e&&123!==e&&125!==e)&&35!==e&&!(58===t&&!r)||Ue(t)&&!_e(t)&&35===e||58===t&&r}function Ye(e,t){var n,i=e.charCodeAt(t);return i>=55296&&i<=56319&&t+1<e.length&&(n=e.charCodeAt(t+1))>=56320&&n<=57343?1024*(i-55296)+n-56320+65536:i}function Re(e){return/^\n* /.test(e)}function Be(e,t,n,i,r,o,a,l){var c,s,u=0,p=null,f=!1,d=!1,h=-1!==i,g=-1,m=De(s=Ye(e,0))&&s!==Oe&&!_e(s)&&45!==s&&63!==s&&58!==s&&44!==s&&91!==s&&93!==s&&123!==s&&125!==s&&35!==s&&38!==s&&42!==s&&33!==s&&124!==s&&61!==s&&62!==s&&39!==s&&34!==s&&37!==s&&64!==s&&96!==s&&function(e){return!_e(e)&&58!==e}(Ye(e,e.length-1));if(t||a)for(c=0;c<e.length;u>=65536?c+=2:c++){if(!De(u=Ye(e,c)))return 5;m=m&&qe(u,p,l),p=u}else{for(c=0;c<e.length;u>=65536?c+=2:c++){if(10===(u=Ye(e,c)))f=!0,h&&(d=d||c-g-1>i&&" "!==e[g+1],g=c);else if(!De(u))return 5;m=m&&qe(u,p,l),p=u}d=d||h&&c-g-1>i&&" "!==e[g+1]}return f||d?n>9&&Re(e)?5:a?2===o?5:2:d?4:3:!m||a||r(e)?2===o?5:2:1}function Ke(e,t,n,i,r){e.dump=function(){if(0===t.length)return 2===e.quotingType?'""':"''";if(!e.noCompatMode&&(-1!==Te.indexOf(t)||Ne.test(t)))return 2===e.quotingType?'"'+t+'"':"'"+t+"'";var a=e.indent*Math.max(1,n),l=-1===e.lineWidth?-1:Math.max(Math.min(e.lineWidth,40),e.lineWidth-a),c=i||e.flowLevel>-1&&n>=e.flowLevel;switch(Be(t,c,e.indent,l,(function(t){return function(e,t){var n,i;for(n=0,i=e.implicitTypes.length;n<i;n+=1)if(e.implicitTypes[n].resolve(t))return!0;return!1}(e,t)}),e.quotingType,e.forceQuotes&&!i,r)){case 1:return t;case 2:return"'"+t.replace(/'/g,"''")+"'";case 3:return"|"+Pe(t,e.indent)+We(Me(t,a));case 4:return">"+Pe(t,e.indent)+We(Me(function(e,t){var n,i,r=/(\n+)([^\n]*)/g,o=(l=e.indexOf("\n"),l=-1!==l?l:e.length,r.lastIndex=l,He(e.slice(0,l),t)),a="\n"===e[0]||" "===e[0];var l;for(;i=r.exec(e);){var c=i[1],s=i[2];n=" "===s[0],o+=c+(a||n||""===s?"":"\n")+He(s,t),a=n}return o}(t,l),a));case 5:return'"'+function(e){for(var t,n="",i=0,r=0;r<e.length;i>=65536?r+=2:r++)i=Ye(e,r),!(t=je[i])&&De(i)?(n+=e[r],i>=65536&&(n+=e[r+1])):n+=t||Fe(i);return n}(t)+'"';default:throw new o("impossible error: invalid scalar style")}}()}function Pe(e,t){var n=Re(e)?String(t):"",i="\n"===e[e.length-1];return n+(i&&("\n"===e[e.length-2]||"\n"===e)?"+":i?"":"-")+"\n"}function We(e){return"\n"===e[e.length-1]?e.slice(0,-1):e}function He(e,t){if(""===e||" "===e[0])return e;for(var n,i,r=/ [^ ]/g,o=0,a=0,l=0,c="";n=r.exec(e);)(l=n.index)-o>t&&(i=a>o?a:l,c+="\n"+e.slice(o,i),o=i+1),a=l;return c+="\n",e.length-o>t&&a>o?c+=e.slice(o,a)+"\n"+e.slice(a+1):c+=e.slice(o),c.slice(1)}function $e(e,t,n,i){var r,o,a,l="",c=e.tag;for(r=0,o=n.length;r<o;r+=1)a=n[r],e.replacer&&(a=e.replacer.call(n,String(r),a)),(Ve(e,t+1,a,!0,!0,!1,!0)||void 0===a&&Ve(e,t+1,null,!0,!0,!1,!0))&&(i&&""===l||(l+=Le(e,t)),e.dump&&10===e.dump.charCodeAt(0)?l+="-":l+="- ",l+=e.dump);e.tag=c,e.dump=l||"[]"}function Ge(e,t,n){var i,r,a,l,c,s;for(a=0,l=(r=n?e.explicitTypes:e.implicitTypes).length;a<l;a+=1)if(((c=r[a]).instanceOf||c.predicate)&&(!c.instanceOf||"object"==typeof t&&t instanceof c.instanceOf)&&(!c.predicate||c.predicate(t))){if(n?c.multi&&c.representName?e.tag=c.representName(t):e.tag=c.tag:e.tag="?",c.represent){if(s=e.styleMap[c.tag]||c.defaultStyle,"[object Function]"===Ie.call(c.represent))i=c.represent(t,s);else{if(!Se.call(c.represent,s))throw new o("!<"+c.tag+'> tag resolver accepts not "'+s+'" style');i=c.represent[s](t,s)}e.dump=i}return!0}return!1}function Ve(e,t,n,i,r,a,l){e.tag=null,e.dump=n,Ge(e,n,!1)||Ge(e,n,!0);var c,s=Ie.call(e.dump),u=i;i&&(i=e.flowLevel<0||e.flowLevel>t);var p,f,d="[object Object]"===s||"[object Array]"===s;if(d&&(f=-1!==(p=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||f||2!==e.indent&&t>0)&&(r=!1),f&&e.usedDuplicates[p])e.dump="*ref_"+p;else{if(d&&f&&!e.usedDuplicates[p]&&(e.usedDuplicates[p]=!0),"[object Object]"===s)i&&0!==Object.keys(e.dump).length?(!function(e,t,n,i){var r,a,l,c,s,u,p="",f=e.tag,d=Object.keys(n);if(!0===e.sortKeys)d.sort();else if("function"==typeof e.sortKeys)d.sort(e.sortKeys);else if(e.sortKeys)throw new o("sortKeys must be a boolean or a function");for(r=0,a=d.length;r<a;r+=1)u="",i&&""===p||(u+=Le(e,t)),c=n[l=d[r]],e.replacer&&(c=e.replacer.call(n,l,c)),Ve(e,t+1,l,!0,!0,!0)&&((s=null!==e.tag&&"?"!==e.tag||e.dump&&e.dump.length>1024)&&(e.dump&&10===e.dump.charCodeAt(0)?u+="?":u+="? "),u+=e.dump,s&&(u+=Le(e,t)),Ve(e,t+1,c,!0,s)&&(e.dump&&10===e.dump.charCodeAt(0)?u+=":":u+=": ",p+=u+=e.dump));e.tag=f,e.dump=p||"{}"}(e,t,e.dump,r),f&&(e.dump="&ref_"+p+e.dump)):(!function(e,t,n){var i,r,o,a,l,c="",s=e.tag,u=Object.keys(n);for(i=0,r=u.length;i<r;i+=1)l="",""!==c&&(l+=", "),e.condenseFlow&&(l+='"'),a=n[o=u[i]],e.replacer&&(a=e.replacer.call(n,o,a)),Ve(e,t,o,!1,!1)&&(e.dump.length>1024&&(l+="? "),l+=e.dump+(e.condenseFlow?'"':"")+":"+(e.condenseFlow?"":" "),Ve(e,t,a,!1,!1)&&(c+=l+=e.dump));e.tag=s,e.dump="{"+c+"}"}(e,t,e.dump),f&&(e.dump="&ref_"+p+" "+e.dump));else if("[object Array]"===s)i&&0!==e.dump.length?(e.noArrayIndent&&!l&&t>0?$e(e,t-1,e.dump,r):$e(e,t,e.dump,r),f&&(e.dump="&ref_"+p+e.dump)):(!function(e,t,n){var i,r,o,a="",l=e.tag;for(i=0,r=n.length;i<r;i+=1)o=n[i],e.replacer&&(o=e.replacer.call(n,String(i),o)),(Ve(e,t,o,!1,!1)||void 0===o&&Ve(e,t,null,!1,!1))&&(""!==a&&(a+=","+(e.condenseFlow?"":" ")),a+=e.dump);e.tag=l,e.dump="["+a+"]"}(e,t,e.dump),f&&(e.dump="&ref_"+p+" "+e.dump));else{if("[object String]"!==s){if("[object Undefined]"===s)return!1;if(e.skipInvalid)return!1;throw new o("unacceptable kind of an object to dump "+s)}"?"!==e.tag&&Ke(e,e.dump,t,a,u)}null!==e.tag&&"?"!==e.tag&&(c=encodeURI("!"===e.tag[0]?e.tag.slice(1):e.tag).replace(/!/g,"%21"),c="!"===e.tag[0]?"!"+c:"tag:yaml.org,2002:"===c.slice(0,18)?"!!"+c.slice(18):"!<"+c+">",e.dump=c+" "+e.dump)}return!0}function Ze(e,t){var n,i,r=[],o=[];for(Je(e,r,o),n=0,i=o.length;n<i;n+=1)t.duplicates.push(r[o[n]]);t.usedDuplicates=new Array(i)}function Je(e,t,n){var i,r,o;if(null!==e&&"object"==typeof e)if(-1!==(r=t.indexOf(e)))-1===n.indexOf(r)&&n.push(r);else if(t.push(e),Array.isArray(e))for(r=0,o=e.length;r<o;r+=1)Je(e[r],t,n);else for(r=0,o=(i=Object.keys(e)).length;r<o;r+=1)Je(e[i[r]],t,n)}function Qe(e,t){return function(){throw new Error("Function yaml."+e+" is removed in js-yaml 4. Use yaml."+t+" instead, which is now safe by default.")}}var ze=p,Xe=h,et=b,tt=O,nt=j,it=K,rt=xe.load,ot=xe.loadAll,at={dump:function(e,t){var n=new Ee(t=t||{});n.noRefs||Ze(e,n);var i=e;return n.replacer&&(i=n.replacer.call({"":i},"",i)),Ve(n,0,i,!0,!0)?n.dump+"\n":""}}.dump,lt=o,ct={binary:L,float:S,map:y,null:A,pairs:Y,set:B,timestamp:F,bool:v,int:C,merge:E,omap:U,seq:m,str:g},st=Qe("safeLoad","load"),ut=Qe("safeLoadAll","loadAll"),pt=Qe("safeDump","dump"),ft={Type:ze,Schema:Xe,FAILSAFE_SCHEMA:et,JSON_SCHEMA:tt,CORE_SCHEMA:nt,DEFAULT_SCHEMA:it,load:rt,loadAll:ot,dump:at,YAMLException:lt,types:ct,safeLoad:st,safeLoadAll:ut,safeDump:pt};e.CORE_SCHEMA=nt,e.DEFAULT_SCHEMA=it,e.FAILSAFE_SCHEMA=et,e.JSON_SCHEMA=tt,e.Schema=Xe,e.Type=ze,e.YAMLException=lt,e.default=ft,e.dump=at,e.load=rt,e.loadAll=ot,e.safeDump=pt,e.safeLoad=st,e.safeLoadAll=ut,e.types=ct,Object.defineProperty(e,"__esModule",{value:!0})}));
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5ddcaebf2..52470ca5e 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -170,6 +170,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 						// nothing, clear publicId
 					}
 					break;
+				case 'elastalert':
+					try {
+						pid = this.extractElastAlertPublicID();
+					} catch (e) {}
+					break;
 			}
 
 			this.detect.publicId = pid;
@@ -278,6 +283,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return results[1];
 		},
+		extractElastAlertPublicID() {
+			const yaml = jsyaml.load(this.detect.content);
+			return yaml['id'];
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/licensing/license_manager_test.go b/licensing/license_manager_test.go
index f83d08e09..897fe92a9 100644
--- a/licensing/license_manager_test.go
+++ b/licensing/license_manager_test.go
@@ -18,7 +18,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 )
 
 const EXPIRED_KEY = ` H4sIAIvZnGMAA22QR4+bUBSF9/kVFlvPBExz2ZlqijHVNo6yeMaPYsOjPWMgyn8PMyNFihTpLm75zjnS/UXAOIYRzjpIbAiaohfv1Ef5FLX5rAvxRsC+yhqAsxJ9MfR/GASKDwcftnhmZhFELZy9z6yDP1MO7izw5JlmzWz3IAWirx2sSZHdJj4GD/hOUYtpzr9UHy7KtP3rYsBhusYQ4GcDW2Lz4+cb8WxhM7WLKbe8wa+uLaOgySd1inHVbkiyLQv4SmEDv2eoA/mU90bcAAb/UgCVeIK+VzmI4ES0WYI+oyYm8VBxAEZUFbKlp2ugz6t9n15kiX0uligc+es1jf3A7HldUAoctnhtxZ6f7R3+Rc5tOdqqcM5J/F0UyZJh4raOdcNTa6EEyoq+CXR0PloieilIUFlTgwa748r0chJZj2TdmAq3owZi3iFFk4vzx9mUGV41U1N3yLA/GEnCN+tdLa3uAR1zwn6MEh+EmDxefX9VulSjqi6F08hfcQLfYGNXnWxMFpwkKY3h6bJp8bs2z/zRfvCZEu7z3VDh8HRzoOMPa/51S8ho6LrBw7KZgu3qkq7KVGeHu+1Q9LZXkzJDJwaLnnwKpJAbnfkQstcyAlq0ho++q5YLDw11nES0xj+3NmfgvLhYC7rXKFGO927oPHg7oql6MNvDqxMWYxPuBkg/K+Uum/bxnGT90mwjrvZD4+yJmly1Llo+rsGZdZugo307jKf/FbdR950Vr1BHnRrlZMwsACQml/XKq8J5iV5HxgF7sub6Xueyvk7Gfo2Km1AuVZYsWNOv0FEtB4H1WJW/ayfh1S0ZZiB+f/sDb9bxLiEDAAA= 	`
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 9ece4c656..b515b05ff 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -262,6 +262,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 }
 
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
+	errMap = map[string]string{} // map[det.PublicID]error
 	defer func() {
 		if len(errMap) == 0 {
 			errMap = nil
diff --git a/server/infohandler.go b/server/infohandler.go
index dceeefaef..21743094f 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -86,6 +86,26 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "All",
 				Query: "_id:*",
 			},
+			{
+				Name:  "Enabled",
+				Query: "so_detection.isEnabled:true",
+			},
+			{
+				Name:  "Suricata",
+				Query: "so_detection.engine:suricata",
+			},
+			{
+				Name:  "ElastAlert",
+				Query: "so_detection.engine:elastalert",
+			},
+			{
+				Name:  "Suricata Enabled",
+				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
+			},
+			{
+				Name:  "ElastAlert Enabled",
+				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
+			},
 		}
 	}
 
@@ -95,7 +115,7 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		detection.Presets = map[string]config.PresetParameters{
 			"severity": {
 				CustomEnabled: false,
-				Labels:        []string{"unknown", "informational", "minor", "major", "critical"},
+				Labels:        []string{"unknown", "informational", "low", "medium", "high", "critical"},
 			},
 			"engine": {
 				CustomEnabled: false,
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 87d85066d..4baf06fd5 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -23,19 +23,25 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/util"
 
 	"github.com/apex/log"
-	"github.com/google/go-github/v56/github"
+	"gopkg.in/yaml.v3"
 )
 
 var errModuleStopped = fmt.Errorf("module has stopped running")
 
+var acceptedExtensions = map[string]bool{
+	".yml":  true,
+	".yaml": true,
+}
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
-	sigmaRepo                            string
+	sigmaPackageDownloadTemplate         string
 	elastAlertRulesFolder                string
 	rulesFingerprintFile                 string
 	sigconverterUrl                      string
 	sigmaRulePackages                    []string
+	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 }
@@ -51,11 +57,14 @@ func (e *ElastAlertEngine) PrerequisiteModules() []string {
 }
 
 func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
+	e.thread = &sync.WaitGroup{}
+
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
-	e.sigmaRepo = module.GetStringDefault(config, "sigmaRepo", "https://github.com/SigmaHQ/sigma")
+	e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip")
 	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
 	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
+	e.sigmaConversionTarget = module.GetStringDefault(config, "sigmaConversionTarget", "eql")
 
 	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
 	e.parseSigmaPackages(pkgs)
@@ -96,13 +105,13 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 	set := map[string]struct{}{}
 
 	for _, pkg := range pkgs {
+		pkg = strings.TrimSpace(pkg)
 		switch pkg {
 		case "all":
 			set["all_rules"] = struct{}{}
-		case "emerging_threats_addon":
-			set["emerging_threats"] = struct{}{}
+		case "emerging_threats":
+			set["emerging_threats_addon"] = struct{}{}
 		default:
-			pkg = strings.TrimSpace(pkg)
 			if pkg != "" {
 				set[pkg] = struct{}{}
 			}
@@ -114,7 +123,7 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 		delete(set, "core++")
 		delete(set, "core+")
 		delete(set, "core")
-		delete(set, "emerging_threats")
+		delete(set, "emerging_threats_addon")
 	}
 
 	_, ok = set["core++"]
@@ -135,10 +144,51 @@ func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 }
 
 func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
-	return nil, nil
+	errMap = map[string]string{} // map[publicID]error
+	defer func() {
+		if len(errMap) == 0 {
+			errMap = nil
+		}
+	}()
+
+	index, err := e.indexExistingRules()
+	if err != nil {
+		return nil, fmt.Errorf("unable to index existing rules: %w", err)
+	}
+
+	for _, det := range detections {
+		path := index[det.PublicID]
+		if path == "" {
+			path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
+		}
+
+		if det.IsEnabled {
+			eaRule, err := e.sigmaToElastAlert(ctx, det)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Sprintf("unable to convert sigma to elastalert: %s", err)
+				continue
+			}
+
+			err = os.WriteFile(path, []byte(eaRule), 0644)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Sprintf("unable to write enabled detection file: %s", err)
+				continue
+			}
+		} else {
+			// was enabled, no longer is enabled: Disable
+			err = os.Remove(path)
+			if err != nil && !os.IsNotExist(err) {
+				errMap[det.PublicID] = fmt.Sprintf("unable to remove disabled detection file: %s", err)
+				continue
+			}
+		}
+	}
+
+	return errMap, nil
 }
 
 func (e *ElastAlertEngine) startCommunityRuleImport() {
+	e.thread.Add(1)
 	defer func() {
 		e.thread.Done()
 		e.isRunning = false
@@ -241,11 +291,6 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 		}
 	}()
 
-	acceptedExtensions := map[string]bool{
-		".yml":  true,
-		".yaml": true,
-	}
-
 	for pkg, zipData := range pkgZips {
 		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
@@ -283,8 +328,6 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 
 			if rule.ID != nil {
 				id = *rule.ID
-			} else {
-				fmt.Println()
 			}
 
 			sev := model.SeverityUnknown
@@ -319,7 +362,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 }
 
 func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
-	index, err := e.indexExistingRules()
+	existing, err := e.indexExistingRules()
 	if err != nil {
 		return nil, err
 	}
@@ -329,9 +372,15 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 		return nil, err
 	}
 
+	index := map[string]string{}
 	toDelete := map[string]struct{}{} // map[publicID]struct{}
 	for _, det := range community {
 		toDelete[det.PublicID] = struct{}{}
+
+		path, ok := existing[det.PublicID]
+		if ok {
+			index[det.PublicID] = path
+		}
 	}
 
 	results := struct {
@@ -350,12 +399,10 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 			path = index[det.Title]
 		}
 
-		det.IsEnabled = path != ""
-
 		// 1. Save sigma Detection to ElasticSearch
 		oldDet, exists := community[det.PublicID]
 		if exists {
-			det.Id = oldDet.Id
+			det.IsEnabled, det.Id = oldDet.IsEnabled, oldDet.Id
 			if oldDet.Content != det.Content {
 				_, err = e.srv.Detectionstore.UpdateDetection(ctx, det)
 				if err != nil {
@@ -383,20 +430,29 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 		if det.IsEnabled {
 			// 2. if enabled, send data to docker container to get converted to query
 
-			rule, err := e.sigmaToElastAlert(ctx, det.Content) // get sigma from docker container
+			rule, err := e.sigmaToElastAlert(ctx, det) // get sigma from docker container
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to convert sigma to elastalert: %s", err)
 				continue
 			}
 
-			_ = rule
 			// 3. put query in /opt/so/rules/sigma for salt to pick up
+			if path == "" {
+				path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
+			}
 
-			err = nil // os.WriteFile(path, []byte(rule), 0644)
+			err = os.WriteFile(path, []byte(rule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
 				continue
 			}
+		} else if path != "" {
+			// detection is disabled but a file exists, remove it
+			err = os.Remove(path)
+			if err != nil {
+				errMap[det.PublicID] = fmt.Errorf("unable to remove disabled detection file: %s", err)
+				continue
+			}
 		}
 	}
 
@@ -429,49 +485,11 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 		}
 	}()
 
-	gh := github.NewClient(nil)
-
-	release, _, err := gh.Repositories.GetLatestRelease(ctx, "SigmaHQ", "sigma")
-	if err != nil {
-		errMap["sigma"] = err
-		return nil, errMap
-	}
-
-	pkgs := map[string]string{} // map[pkgName]downloadUrl
-
-	// organize assets
-	for _, asset := range release.Assets {
-		name := strings.ToLower(asset.GetName())
-		if !strings.HasSuffix(name, ".zip") {
-			continue
-		}
-
-		link := asset.GetBrowserDownloadURL()
-
-		// Must be if/else-if so the order is correct.
-		// A switch statement might check "core" before "core++"
-		if strings.Contains(name, "all_rules") {
-			pkgs["all_rules"] = link
-		} else if strings.Contains(name, "core++") {
-			pkgs["core++"] = link
-		} else if strings.Contains(name, "core+") {
-			pkgs["core+"] = link
-		} else if strings.Contains(name, "core") {
-			pkgs["core"] = link
-		} else if strings.Contains(name, "emerging_threats") {
-			pkgs["emerging_threats"] = link
-		}
-	}
-
 	stats := map[string]int{} // map[pkgName]fileSize
 	zipData = map[string][]byte{}
 
 	for _, pkg := range e.sigmaRulePackages {
-		download, ok := pkgs[pkg]
-		if !ok {
-			log.WithField("package", pkg).Warn("unknown sigma package")
-			continue
-		}
+		download := fmt.Sprintf(e.sigmaPackageDownloadTemplate, pkg)
 
 		resp, err := http.Get(download)
 		if err != nil {
@@ -495,9 +513,11 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 
 	log.WithField("downloadSizes", stats).Info("downloaded sigma packages")
 
-	return zipData, nil
+	return zipData, errMap
 }
 
+// indexExistingRules maps the publicID of a detection to the path of the rule file.
+// Note that it indexes ALL rules and not just community rules.
 func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
 	index = map[string]string{} // map[id | title]path
 
@@ -513,21 +533,12 @@ func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err er
 
 		filename := filepath.Join(e.elastAlertRulesFolder, rule.Name())
 
-		data, err := os.ReadFile(filename)
-		if err != nil {
-			return nil, fmt.Errorf("unable to read elastalert rule file %s: %w", filename, err)
-		}
-
-		rule, err := ParseElastAlertRule(data)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse elastalert rule file %s: %w", filename, err)
+		ext := filepath.Ext(rule.Name())
+		if !acceptedExtensions[strings.ToLower(ext)] {
+			continue
 		}
 
-		id := rule.Title
-
-		if rule.ID != nil {
-			id = *rule.ID
-		}
+		id := strings.TrimSuffix(rule.Name(), ext)
 
 		index[id] = filename
 	}
@@ -535,7 +546,7 @@ func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err er
 	return index, nil
 }
 
-func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string) (string, error) {
+func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Detection) (string, error) {
 	// wrapper for the payload
 	ruleWrapper := struct {
 		Rule     string   `json:"rule"`
@@ -543,9 +554,9 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string)
 		Target   string   `json:"target"`
 		Format   string   `json:"format"`
 	}{
-		Rule:     base64.StdEncoding.EncodeToString([]byte(sigma)),
+		Rule:     base64.StdEncoding.EncodeToString([]byte(det.Content)),
 		Pipeline: []string{},
-		Target:   "eql",
+		Target:   e.sigmaConversionTarget,
 		Format:   "default",
 	}
 
@@ -570,14 +581,206 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, sigma string)
 	}
 	defer resp.Body.Close()
 
+	rawRule, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
 	}
 
-	elastRule, err := io.ReadAll(resp.Body)
+	rule := string(rawRule)
+
+	if strings.HasPrefix(rule, "Error:") {
+		rule = strings.TrimSpace(strings.TrimPrefix(rule, "Error:"))
+		return "", fmt.Errorf("sigconverter returned error: %s", rule)
+	}
+
+	elastRule, err := wrapRule(det, string(rawRule))
+	if err != nil {
+		return "", fmt.Errorf("unable to wrap rule: %w", err)
+	}
+
+	return elastRule, nil
+}
+
+type CustomWrapper struct {
+	PlayTitle     string   `yaml:"play_title"`
+	PlayID        string   `yaml:"play_id"`
+	EventModule   string   `yaml:"event.module"`
+	EventDataset  string   `yaml:"event.dataset"`
+	EventSeverity int      `yaml:"event.severity"`
+	RuleCategory  string   `yaml:"rule.category"`
+	SigmaLevel    string   `yaml:"sigma_level"`
+	Alert         []string `yaml:"alert"`
+
+	Index       string                   `yaml:"index"`
+	Name        string                   `yaml:"name"`
+	Realert     *TimeFrame               `yaml:"realert,omitempty"` // or 0
+	Type        string                   `yaml:"type"`
+	Filter      []map[string]interface{} `yaml:"filter"`
+	PlayUrl     string                   `yaml:"play_url"`
+	KibanaPivot string                   `yaml:"kibana_pivot"`
+	SocPivot    string                   `yaml:"soc_pivot"`
+}
+
+type TimeFrame struct {
+	Milliseconds *int    `yaml:"milliseconds,omitempty"`
+	Seconds      *int    `yaml:"seconds,omitempty"`
+	Minutes      *int    `yaml:"minutes,omitempty"`
+	Hours        *int    `yaml:"hours,omitempty"`
+	Days         *int    `yaml:"days,omitempty"`
+	Weeks        *int    `yaml:"weeks,omitempty"`
+	Schedule     *string `yaml:"schedule,omitempty"`
+}
+
+func (dur *TimeFrame) SetSeconds(s int) {
+	dur.Milliseconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Seconds = util.Ptr(s)
+}
+
+func (dur *TimeFrame) SetMilliseconds(m int) {
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Milliseconds = util.Ptr(m)
+}
+
+func (dur *TimeFrame) SetMinutes(m int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Minutes = util.Ptr(m)
+}
+
+func (dur *TimeFrame) SetHours(h int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Hours = util.Ptr(h)
+}
+
+func (dur *TimeFrame) SetDays(d int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Weeks = nil
+	dur.Schedule = nil
+	dur.Days = util.Ptr(d)
+}
+
+func (dur *TimeFrame) SetWeeks(w int) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Schedule = nil
+	dur.Weeks = util.Ptr(w)
+}
+
+func (dur *TimeFrame) SetSchedule(w string) {
+	dur.Milliseconds = nil
+	dur.Seconds = nil
+	dur.Minutes = nil
+	dur.Hours = nil
+	dur.Days = nil
+	dur.Weeks = nil
+	dur.Schedule = util.Ptr(w)
+}
+
+func (dur TimeFrame) MarshalYAML() (interface{}, error) {
+	if dur.Milliseconds == nil &&
+		dur.Seconds == nil &&
+		dur.Minutes == nil &&
+		dur.Hours == nil &&
+		dur.Days == nil &&
+		dur.Weeks == nil &&
+		dur.Schedule == nil {
+		return 0, nil
+	}
+
+	type Alias TimeFrame
+
+	return struct {
+		Alias `yaml:",inline"`
+	}{(Alias)(dur)}, nil
+}
+
+func (dur *TimeFrame) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var zero int
+
+	err := unmarshal(&zero)
+	if err == nil {
+		return nil
+	}
+
+	type Alias *TimeFrame
+
+	dur = &TimeFrame{}
+
+	err = unmarshal(struct {
+		A Alias `yaml:",inline"`
+	}{(Alias)(dur)})
+
+	return err
+}
+
+func wrapRule(det *model.Detection, rule string) (string, error) {
+	severities := map[model.Severity]int{
+		model.SeverityUnknown:       0,
+		model.SeverityInformational: 1,
+		model.SeverityLow:           2,
+		model.SeverityMedium:        3,
+		model.SeverityHigh:          4,
+		model.SeverityCritical:      5,
+	}
+
+	sevNum := severities[det.Severity]
+
+	wrapper := &CustomWrapper{
+		PlayTitle:     det.Title,
+		PlayID:        det.Id,
+		EventModule:   "elastalert",
+		EventDataset:  "elastalert.alert",
+		EventSeverity: sevNum,
+		RuleCategory:  "TBD",
+		SigmaLevel:    string(det.Severity),
+		Alert:         []string{"modules.so.playbook-es.PlaybookESAlerter"},
+		Index:         ".ds-logs-*",
+		Name:          fmt.Sprintf("%s - %s", det.Title, det.Id),
+		Realert:       nil,
+		Type:          "any",
+		Filter: []map[string]interface{}{
+			{
+				"eql": rule,
+			},
+		},
+		PlayUrl:     "play_url",
+		KibanaPivot: "kibana_pivot",
+		SocPivot:    "soc_pivot",
+	}
+
+	rawYaml, err := yaml.Marshal(wrapper)
 	if err != nil {
 		return "", err
 	}
 
-	return string(elastRule), nil
+	return string(rawYaml), nil
 }
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index f78c05398..0839027ca 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1,12 +1,20 @@
 package elastalert
 
 import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sort"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
-	"github.com/tj/assert"
+	"gopkg.in/yaml.v3"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestElastAlertModule(t *testing.T) {
@@ -32,3 +40,327 @@ func TestElastAlertModule(t *testing.T) {
 	assert.Equal(t, 1, len(srv.DetectionEngines))
 	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameElastAlert])
 }
+
+func TestParseSigmaPackages(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name     string
+		Input    string
+		Expected []string
+	}{
+		{
+			Name:     "Simple Sunny Day Path",
+			Input:    "core",
+			Expected: []string{"core"},
+		},
+		{
+			Name:     "Multiple Packages",
+			Input:    "core+\nemerging_threats",
+			Expected: []string{"core+", "emerging_threats_addon"},
+		},
+		{
+			Name:     "Rename (all => all_rules)",
+			Input:    "all",
+			Expected: []string{"all_rules"},
+		},
+		{
+			Name:     "Rename (emerging_threats_addon => emerging_threats)",
+			Input:    "emerging_threats",
+			Expected: []string{"emerging_threats_addon"},
+		},
+		{
+			Name:     "Normalize",
+			Input:    "CoRe++\n",
+			Expected: []string{"core++"},
+		},
+		{
+			Name:     "Account For Nesting Packages",
+			Input:    "core\ncore+\ncore++\nall_rules\nemerging_threats",
+			Expected: []string{"all_rules"},
+		},
+	}
+
+	for _, tt := range table {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+
+			engine := ElastAlertEngine{}
+
+			engine.parseSigmaPackages(tt.Input)
+
+			sort.Strings(engine.sigmaRulePackages)
+			sort.Strings(tt.Expected)
+
+			assert.Equal(t, tt.Expected, engine.sigmaRulePackages)
+		})
+	}
+}
+
+func TestTimeFrame(t *testing.T) {
+	tf := TimeFrame{}
+
+	tf.SetWeeks(1)
+	assert.Equal(t, 1, *tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetDays(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Equal(t, 1, *tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetHours(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Equal(t, 1, *tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetMinutes(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Equal(t, 1, *tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetSeconds(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Equal(t, 1, *tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetMilliseconds(1)
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Equal(t, 1, *tf.Milliseconds)
+	assert.Nil(t, tf.Schedule)
+
+	tf.SetSchedule("0 0 0 * * *")
+	assert.Nil(t, tf.Weeks)
+	assert.Nil(t, tf.Days)
+	assert.Nil(t, tf.Hours)
+	assert.Nil(t, tf.Minutes)
+	assert.Nil(t, tf.Seconds)
+	assert.Nil(t, tf.Milliseconds)
+	assert.Equal(t, "0 0 0 * * *", *tf.Schedule)
+
+	tf.Schedule = nil // everything is now nil
+
+	yml, err := yaml.Marshal(tf)
+	assert.NoError(t, err)
+	assert.Equal(t, "0\n", string(yml))
+
+	err = yaml.Unmarshal(yml, &tf)
+	assert.NoError(t, err)
+	assert.Empty(t, tf)
+
+	tf.SetWeeks(1)
+
+	yml, err = yaml.Marshal(tf)
+	assert.NoError(t, err)
+	assert.Equal(t, "weeks: 1\n", string(yml))
+
+	err = yaml.Unmarshal(yml, &tf)
+	assert.NoError(t, err)
+	assert.Equal(t, 1, *tf.Weeks)
+}
+
+func TestSigmaToElastAlertSunnyDay(t *testing.T) {
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("<eql>"))
+
+		callCount++
+	}))
+	defer srv.Close()
+
+	engine := ElastAlertEngine{
+		sigconverterUrl:       srv.URL,
+		sigmaConversionTarget: "eql",
+	}
+
+	det := &model.Detection{
+		Auditable: model.Auditable{
+			Id: "00000000-0000-0000-0000-000000000000",
+		},
+		Content:  "totally good sigma",
+		Title:    "Test Detection",
+		Severity: model.SeverityHigh,
+	}
+
+	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.NoError(t, err)
+
+	expected := `play_title: Test Detection
+play_id: 00000000-0000-0000-0000-000000000000
+event.module: elastalert
+event.dataset: elastalert.alert
+event.severity: 4
+rule.category: TBD
+sigma_level: high
+alert:
+    - modules.so.playbook-es.PlaybookESAlerter
+index: .ds-logs-*
+name: Test Detection - 00000000-0000-0000-0000-000000000000
+type: any
+filter:
+    - eql: <eql>
+play_url: play_url
+kibana_pivot: kibana_pivot
+soc_pivot: soc_pivot
+`
+	assert.YAMLEq(t, expected, wrappedRule)
+	assert.Equal(t, 1, callCount)
+}
+
+func TestSigmaToElastAlertError(t *testing.T) {
+	callCount := 0
+	msg := "something went wrong"
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("Error: " + msg))
+
+		callCount++
+	}))
+	defer srv.Close()
+
+	engine := ElastAlertEngine{
+		sigconverterUrl:       srv.URL,
+		sigmaConversionTarget: "eql",
+	}
+
+	det := &model.Detection{
+		Auditable: model.Auditable{
+			Id: "00000000-0000-0000-0000-000000000000",
+		},
+		Content:  "totally good sigma",
+		Title:    "Test Detection",
+		Severity: model.SeverityHigh,
+	}
+
+	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.Equal(t, "", wrappedRule)
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, msg)
+}
+
+func TestParseRules(t *testing.T) {
+	data := `title: Always Alert
+id: 00000000-0000-0000-0000-00000000
+status: experimental
+description: Always Alerts
+author: Corey Ogburn
+date: 2023/11/03
+modified: 2023/11/03
+logsource:
+    product: windows
+detection:
+    filter:
+       event.module: "zeek"
+    condition: "filter"
+level: high
+`
+
+	buf := bytes.NewBuffer([]byte{})
+
+	writer := zip.NewWriter(buf)
+	aa, err := writer.Create("rules/always_alert.yml")
+	assert.NoError(t, err)
+
+	_, err = aa.Write([]byte(data))
+	assert.NoError(t, err)
+
+	bad, err := writer.Create("rules/bad.yml")
+	assert.NoError(t, err)
+
+	_, err = bad.Write([]byte("bad data"))
+	assert.NoError(t, err)
+
+	err = writer.Close()
+	assert.NoError(t, err)
+
+	pkgZips := map[string][]byte{
+		"all_rules": buf.Bytes(),
+	}
+
+	engine := ElastAlertEngine{}
+
+	expected := &model.Detection{
+		PublicID:    "00000000-0000-0000-0000-00000000",
+		Title:       "Always Alert",
+		Severity:    model.SeverityHigh,
+		Content:     data,
+		IsCommunity: true,
+		Engine:      model.EngineNameElastAlert,
+	}
+
+	dets, errMap := engine.parseRules(pkgZips)
+	assert.NotNil(t, errMap)
+	assert.Error(t, errMap["rules/bad.yml"])
+	assert.Len(t, dets, 1)
+	assert.Equal(t, expected, dets[0])
+}
+
+func TestDownloadSigmaPackages(t *testing.T) {
+	t.Parallel()
+
+	callCount := 0
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+
+		if r.RequestURI == "/fake.zip" {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		assert.Equal(t, http.MethodGet, r.Method)
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("data"))
+
+	}))
+	defer srv.Close()
+
+	pkgs := []string{"core", "core+", "core++", "emerging_threats_addon", "all_rules", "fake"}
+
+	engine := ElastAlertEngine{
+		sigmaRulePackages:            pkgs,
+		sigmaPackageDownloadTemplate: srv.URL + "/%s.zip",
+	}
+
+	pkgZips, errMap := engine.downloadSigmaPackages(context.Background())
+	assert.NotNil(t, errMap)
+	assert.Error(t, errMap["fake"])
+	assert.Len(t, pkgZips, len(pkgs)-1)
+
+	for _, pkg := range pkgs[:len(pkgs)-1] {
+		assert.Equal(t, []byte("data"), pkgZips[pkg])
+	}
+
+	assert.Equal(t, len(pkgs), callCount)
+}
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
index aec7a077f..43b5c35ff 100644
--- a/server/modules/elastalert/oneormore_test.go
+++ b/server/modules/elastalert/oneormore_test.go
@@ -3,7 +3,7 @@ package elastalert
 import (
 	"testing"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 	"gopkg.in/yaml.v3"
 )
 
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 1217cf3fa..2ce0d1a41 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -4,7 +4,8 @@ import (
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/util"
-	"github.com/tj/assert"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestParseSuricata(t *testing.T) {
diff --git a/web/middleware_test.go b/web/middleware_test.go
index 3627b5eb6..d38f28c1e 100644
--- a/web/middleware_test.go
+++ b/web/middleware_test.go
@@ -13,7 +13,7 @@ import (
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 
-	"github.com/tj/assert"
+	"github.com/stretchr/testify/assert"
 )
 
 type TestHandler struct {

From 4cb0d47024b5df2b257c7fc75c7e1dd2eae93375 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 7 Nov 2023 11:07:05 -0700
Subject: [PATCH 064/102] WIP: License Text, Linting

`make([]any, x, x)` only needs to specify len, cap will match.

`x == nil || len(x) == 0` only the len check is necessary. len(nil) is 0.

`time.Now().Sub(...)` should be `time.Since(...)`.

Define, init, return simplified to return.

Unlike other languages, go doesn't require `break` statements at the end of cases in a switch.
---
 agent/jobmanager_test.go                      |  5 +++++
 html/js/routes/detection.js                   |  1 -
 html/js/routes/home.test.js                   |  5 +++++
 model/detection.go                            |  5 +++++
 model/event.go                                |  2 +-
 model/query.go                                | 22 +++++++++----------
 server/detectionengine.go                     |  5 +++++
 server/eventstore_fake.go                     |  6 ++---
 server/gridmembershandler_test.go             |  5 +++++
 server/memconfigstore.go                      |  5 +++++
 server/memconfigstore_test.go                 |  5 +++++
 server/modules/elastalert/elastalert.go       |  5 +++++
 server/modules/elastalert/elastalert_test.go  |  5 +++++
 server/modules/elastalert/oneormore.go        |  5 +++++
 server/modules/elastalert/oneormore_test.go   |  5 +++++
 server/modules/elastalert/validate.go         |  5 +++++
 server/modules/elastalert/validate_test.go    |  5 +++++
 server/modules/elastic/converter_test.go      |  2 +-
 .../modules/elastic/elasticdetectionstore.go  |  5 +++++
 server/modules/elastic/elasticeventstore.go   |  2 +-
 .../modules/elastic/elasticeventstore_test.go |  2 +-
 .../filedatastore/filedatastoreimpl.go        |  4 +---
 server/modules/kratos/kratosuser_test.go      |  2 +-
 server/modules/salt/options/context.go        |  5 +++++
 server/modules/salt/options/context_test.go   |  5 +++++
 server/modules/salt/saltstore.go              | 19 ++++++++--------
 server/modules/sostatus/sostatus.go           |  2 +-
 .../statickeyauth/statickeyauthimpl.go        |  2 +-
 server/modules/staticrbac/staticrbac_test.go  |  4 ++--
 server/modules/suricata/suricata.go           |  5 +++++
 server/modules/suricata/suricata_test.go      |  5 +++++
 server/modules/suricata/validate.go           |  5 +++++
 server/modules/suricata/validate_test.go      |  5 +++++
 server/queryhandler_test.go                   |  5 +++++
 server/server_fake.go                         |  2 +-
 server/utilhandler.go                         |  5 +++++
 server/utilhandler_test.go                    |  5 +++++
 util/ptr.go                                   |  5 +++++
 web/host.go                                   |  2 +-
 web/middleware.go                             |  5 +++++
 web/middleware_test.go                        |  5 +++++
 41 files changed, 165 insertions(+), 39 deletions(-)

diff --git a/agent/jobmanager_test.go b/agent/jobmanager_test.go
index 10c4c6801..1e32a40a9 100644
--- a/agent/jobmanager_test.go
+++ b/agent/jobmanager_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package agent
 
 import (
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 52470ca5e..2b1e93b27 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -1,4 +1,3 @@
-// Copyright 2019 Jason Ertel (github.com/jertel).
 // Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 // or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 // https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/html/js/routes/home.test.js b/html/js/routes/home.test.js
index 0f654f17d..473a3c629 100644
--- a/html/js/routes/home.test.js
+++ b/html/js/routes/home.test.js
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 require('../test_common.js');
 require('./home.js');
 
diff --git a/model/detection.go b/model/detection.go
index f8089fbf9..4bb5583bd 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package model
 
 import (
diff --git a/model/event.go b/model/event.go
index 9f9306e8c..73f410725 100644
--- a/model/event.go
+++ b/model/event.go
@@ -44,7 +44,7 @@ type EventSearchResults struct {
 
 func NewEventSearchResults() *EventSearchResults {
 	results := &EventSearchResults{
-		Events:  make([]*EventRecord, 0, 0),
+		Events:  make([]*EventRecord, 0),
 		Metrics: make(map[string]([]*EventMetric)),
 	}
 	results.initEventResults()
diff --git a/model/query.go b/model/query.go
index 076d0ee48..720d162a6 100644
--- a/model/query.go
+++ b/model/query.go
@@ -111,7 +111,7 @@ func (segment *BaseSegment) TermsAsString() string {
 }
 
 func (segment *BaseSegment) Clear() {
-	segment.terms = make([]*QueryTerm, 0, 0)
+	segment.terms = make([]*QueryTerm, 0)
 }
 
 func (segment *BaseSegment) RemoveTermsWith(raw string) int {
@@ -173,13 +173,13 @@ type SearchSegment struct {
 func NewSearchSegmentEmpty() *SearchSegment {
 	return &SearchSegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewSearchSegment(terms []*QueryTerm) (*SearchSegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__SEARCH_TERMS_MISSING")
 	}
 
@@ -267,13 +267,13 @@ type GroupBySegment struct {
 func NewGroupBySegmentEmpty() *GroupBySegment {
 	return &GroupBySegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewGroupBySegment(terms []*QueryTerm) (*GroupBySegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING")
 	}
 
@@ -329,13 +329,13 @@ type SortBySegment struct {
 func NewSortBySegmentEmpty() *SortBySegment {
 	return &SortBySegment{
 		&BaseSegment{
-			terms: make([]*QueryTerm, 0, 0),
+			terms: make([]*QueryTerm, 0),
 		},
 	}
 }
 
 func NewSortBySegment(terms []*QueryTerm) (*SortBySegment, error) {
-	if terms == nil || len(terms) == 0 {
+	if len(terms) == 0 {
 		return nil, errors.New("ERROR_QUERY_INVALID__SORTBY_TERMS_MISSING")
 	}
 
@@ -359,7 +359,7 @@ type Query struct {
 
 func NewQuery() *Query {
 	return &Query{
-		Segments: make([]QuerySegment, 0, 0),
+		Segments: make([]QuerySegment, 0),
 	}
 }
 
@@ -373,7 +373,7 @@ func (query *Query) NamedSegment(name string) QuerySegment {
 }
 
 func (query *Query) NamedSegments(name string) []QuerySegment {
-	segments := make([]QuerySegment, 0, 0)
+	segments := make([]QuerySegment, 0)
 	for _, segment := range query.Segments {
 		if segment.Kind() == name {
 			segments = append(segments, segment)
@@ -397,7 +397,7 @@ func (query *Query) RemoveSegment(name string) QuerySegment {
 }
 
 func (query *Query) Parse(str string) error {
-	currentSegmentTerms := make([]*QueryTerm, 0, 0)
+	currentSegmentTerms := make([]*QueryTerm, 0)
 	currentSegmentKind := SegmentKind_Search
 	var currentTermBuilder strings.Builder
 	escaping := false
@@ -440,7 +440,7 @@ func (query *Query) Parse(str string) error {
 					}
 					query.AddSegment(segment)
 					currentSegmentKind = ""
-					currentSegmentTerms = make([]*QueryTerm, 0, 0)
+					currentSegmentTerms = make([]*QueryTerm, 0)
 				} else if !escaping && (ch == ' ' || ch == ',' || ch == '\n' || ch == '\t') {
 					if currentTermBuilder.Len() > 0 {
 						term, err := NewQueryTerm(currentTermBuilder.String())
diff --git a/server/detectionengine.go b/server/detectionengine.go
index e6f1d4c1a..97868c885 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/eventstore_fake.go b/server/eventstore_fake.go
index 44071b02e..17ecf61eb 100644
--- a/server/eventstore_fake.go
+++ b/server/eventstore_fake.go
@@ -38,11 +38,11 @@ func NewFakeEventstore() *FakeEventstore {
 	store.InputSearchCriterias = make([]*model.EventSearchCriteria, 0)
 	store.InputUpdateCriterias = make([]*model.EventUpdateCriteria, 0)
 	store.InputAckCriterias = make([]*model.EventAckCriteria, 0)
-	store.SearchResults = make([]*model.EventSearchResults, 0, 0)
+	store.SearchResults = make([]*model.EventSearchResults, 0)
 	store.SearchResults = append(store.SearchResults, model.NewEventSearchResults())
-	store.IndexResults = make([]*model.EventIndexResults, 0, 0)
+	store.IndexResults = make([]*model.EventIndexResults, 0)
 	store.IndexResults = append(store.IndexResults, model.NewEventIndexResults())
-	store.UpdateResults = make([]*model.EventUpdateResults, 0, 0)
+	store.UpdateResults = make([]*model.EventUpdateResults, 0)
 	store.UpdateResults = append(store.UpdateResults, model.NewEventUpdateResults())
 	return store
 }
diff --git a/server/gridmembershandler_test.go b/server/gridmembershandler_test.go
index 3dbadccce..5f550ad8b 100644
--- a/server/gridmembershandler_test.go
+++ b/server/gridmembershandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/memconfigstore.go b/server/memconfigstore.go
index c0dcddc0e..cbb32dd45 100644
--- a/server/memconfigstore.go
+++ b/server/memconfigstore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/memconfigstore_test.go b/server/memconfigstore_test.go
index c1d550a85..449609573 100644
--- a/server/memconfigstore_test.go
+++ b/server/memconfigstore_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 4baf06fd5..38206d5a7 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 0839027ca..c6cda090a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/oneormore.go b/server/modules/elastalert/oneormore.go
index 959a47360..b958383ce 100644
--- a/server/modules/elastalert/oneormore.go
+++ b/server/modules/elastalert/oneormore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 type OneOrMore[T comparable] struct {
diff --git a/server/modules/elastalert/oneormore_test.go b/server/modules/elastalert/oneormore_test.go
index 43b5c35ff..07193cee3 100644
--- a/server/modules/elastalert/oneormore_test.go
+++ b/server/modules/elastalert/oneormore_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 84583f83e..6dbb69594 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
index c52809952..dcfcb3d17 100644
--- a/server/modules/elastalert/validate_test.go
+++ b/server/modules/elastalert/validate_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastalert
 
 import (
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 1a3b535bc..793f72850 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -439,7 +439,7 @@ func TestConvertElasticEventToArtifact(t *testing.T) {
 	event.Payload["so_artifact.md5"] = "myMd5"
 	event.Payload["so_artifact.sha1"] = "mySha1"
 	event.Payload["so_artifact.sha256"] = "mySha256"
-	tags := make([]interface{}, 2, 2)
+	tags := make([]interface{}, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
 	event.Payload["so_artifact.tags"] = tags
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 7824b3298..c59044b35 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package elastic
 
 import (
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 62afb5c81..64857c383 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -453,7 +453,7 @@ func (store *ElasticEventstore) updateDocuments(ctx context.Context, client *ela
 func (store *ElasticEventstore) refreshCache(ctx context.Context) {
 	store.cacheLock.Lock()
 	defer store.cacheLock.Unlock()
-	if store.cacheTime.IsZero() || time.Now().Sub(store.cacheTime) > store.cacheMs {
+	if store.cacheTime.IsZero() || time.Since(store.cacheTime) > store.cacheMs {
 		err := store.refreshCacheFromFieldCaps(ctx)
 		if err == nil {
 			store.cacheTime = time.Now()
diff --git a/server/modules/elastic/elasticeventstore_test.go b/server/modules/elastic/elasticeventstore_test.go
index b07017f23..dbef2ce94 100644
--- a/server/modules/elastic/elasticeventstore_test.go
+++ b/server/modules/elastic/elasticeventstore_test.go
@@ -120,7 +120,7 @@ func TestReadErrorFromJson(tester *testing.T) {
 
 func TestDisableCrossClusterIndexing(tester *testing.T) {
 	store := &ElasticEventstore{}
-	indexes := make([]string, 2, 2)
+	indexes := make([]string, 2)
 	indexes[0] = "*:so-*"
 	indexes[1] = "my-*"
 	newIndexes := store.disableCrossClusterIndexing(indexes)
diff --git a/server/modules/filedatastore/filedatastoreimpl.go b/server/modules/filedatastore/filedatastoreimpl.go
index 1783700ce..4e5e8ef4d 100644
--- a/server/modules/filedatastore/filedatastoreimpl.go
+++ b/server/modules/filedatastore/filedatastoreimpl.go
@@ -63,9 +63,7 @@ func (datastore *FileDatastoreImpl) Init(cfg module.ModuleConfig) error {
 }
 
 func (datastore *FileDatastoreImpl) CreateNode(ctx context.Context, id string) *model.Node {
-	var node *model.Node
-	node = model.NewNode(id)
-	return node
+	return model.NewNode(id)
 }
 
 func (datastore *FileDatastoreImpl) GetNodes(ctx context.Context) []*model.Node {
diff --git a/server/modules/kratos/kratosuser_test.go b/server/modules/kratos/kratosuser_test.go
index 30d60bcc0..fb9180354 100644
--- a/server/modules/kratos/kratosuser_test.go
+++ b/server/modules/kratos/kratosuser_test.go
@@ -44,7 +44,7 @@ func TestCopyToUser(tester *testing.T) {
 	kratosUser.Credentials = make(map[string]*KratosCredential)
 	kratosUser.Credentials["totp"] = &KratosCredential{Type: "totp"}
 	kratosUser.Credentials["webauthn"] = &KratosCredential{Type: "webauthn"}
-	oidcIds := make([]string, 1, 1)
+	oidcIds := make([]string, 1)
 	oidcIds[0] = "test"
 	kratosUser.Credentials["oidc"] = &KratosCredential{Type: "oidc", Identifiers: oidcIds}
 	kratosUser.Credentials["password"] = &KratosCredential{Type: "password"}
diff --git a/server/modules/salt/options/context.go b/server/modules/salt/options/context.go
index 8edadb074..e8eb17323 100644
--- a/server/modules/salt/options/context.go
+++ b/server/modules/salt/options/context.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package options
 
 import "context"
diff --git a/server/modules/salt/options/context_test.go b/server/modules/salt/options/context_test.go
index 8ad8eab18..b37de0cad 100644
--- a/server/modules/salt/options/context_test.go
+++ b/server/modules/salt/options/context_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package options
 
 import (
diff --git a/server/modules/salt/saltstore.go b/server/modules/salt/saltstore.go
index 75906edf5..fdb1cc014 100644
--- a/server/modules/salt/saltstore.go
+++ b/server/modules/salt/saltstore.go
@@ -136,7 +136,7 @@ func (store *Saltstore) GetSettings(ctx context.Context) ([]*model.Setting, erro
 		return nil, err
 	}
 
-	settings := make([]*model.Setting, 0, 0)
+	settings := make([]*model.Setting, 0)
 
 	// Parse the default values first.
 	err = filepath.Walk(store.saltstackDir+"/default", func(path string, info os.FileInfo, err error) error {
@@ -418,7 +418,6 @@ func (store *Saltstore) recursivelyParseAnnotations(
 			}
 		default:
 			foundAnnotation = true
-			break
 		}
 	}
 	return settings, foundAnnotation
@@ -714,7 +713,7 @@ func (store *Saltstore) alignInt64List(newValue string) ([]int64, error) {
 	var newList []int64
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]int64, 0, 0)
+		newList = make([]int64, 0)
 		for _, str := range tmp {
 			i, err := strconv.ParseInt(str, 10, 64)
 			if err != nil {
@@ -730,7 +729,7 @@ func (store *Saltstore) alignBoolList(newValue string) ([]bool, error) {
 	var newList []bool
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]bool, 0, 0)
+		newList = make([]bool, 0)
 		for _, str := range tmp {
 			b, err := strconv.ParseBool(str)
 			if err != nil {
@@ -746,7 +745,7 @@ func (store *Saltstore) alignFloat64List(newValue string) ([]float64, error) {
 	var newList []float64
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]float64, 0, 0)
+		newList = make([]float64, 0)
 		for _, str := range tmp {
 			f, err := strconv.ParseFloat(str, 64)
 			if err != nil {
@@ -762,9 +761,9 @@ func (store *Saltstore) alignListList(newValue string) ([][]interface{}, error)
 	var newList [][]interface{}
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([][]interface{}, 0, 0)
+		newList = make([][]interface{}, 0)
 		for _, str := range tmp {
-			l := make([]interface{}, 0, 0)
+			l := make([]interface{}, 0)
 			err := json.LoadJson([]byte(str), &l)
 			if err != nil {
 				return nil, err
@@ -779,7 +778,7 @@ func (store *Saltstore) alignMapList(newValue string) ([]map[string]interface{},
 	var newList []map[string]interface{}
 	if len(newValue) > 0 {
 		tmp := strings.Split(newValue, "\n")
-		newList = make([]map[string]interface{}, 0, 0)
+		newList = make([]map[string]interface{}, 0)
 		for _, str := range tmp {
 			m := make(map[string]interface{})
 			err := json.LoadJson([]byte(str), &m)
@@ -818,7 +817,7 @@ func (store *Saltstore) alignBestGuess(newValue string) interface{} {
 		}
 	}
 	if strings.HasPrefix(newValue, "[") && strings.HasSuffix(newValue, "]") {
-		tmp := make([]interface{}, 0, 0)
+		tmp := make([]interface{}, 0)
 		err := json.LoadJson([]byte(newValue), &tmp)
 		if err == nil {
 			return tmp
@@ -941,7 +940,7 @@ func getMembersFromJson(err error, output []byte) ([]*model.GridMember, error) {
 		response := &ListResponse{}
 		err = json.LoadJson(output, response)
 		if err == nil {
-			members = make([]*model.GridMember, 0, 0)
+			members = make([]*model.GridMember, 0)
 			for id, fingerprint := range response.Accepted {
 				members = append(members, model.NewGridMember(id, model.GridMemberAccepted, fingerprint))
 			}
diff --git a/server/modules/sostatus/sostatus.go b/server/modules/sostatus/sostatus.go
index 1755defca..ef119c1b9 100644
--- a/server/modules/sostatus/sostatus.go
+++ b/server/modules/sostatus/sostatus.go
@@ -98,7 +98,7 @@ func (status *SoStatus) refreshGrid(ctx context.Context) {
 	nodes := status.server.Datastore.GetNodes(ctx)
 	for _, node := range nodes {
 
-		staleMs := int(time.Now().Sub(node.UpdateTime) / time.Millisecond)
+		staleMs := int(time.Since(node.UpdateTime) / time.Millisecond)
 		if staleMs > status.offlineThresholdMs {
 			if node.ConnectionStatus != model.NodeStatusFault {
 				log.WithFields(log.Fields{
diff --git a/server/modules/statickeyauth/statickeyauthimpl.go b/server/modules/statickeyauth/statickeyauthimpl.go
index e75450b3e..98604abb6 100644
--- a/server/modules/statickeyauth/statickeyauthimpl.go
+++ b/server/modules/statickeyauth/statickeyauthimpl.go
@@ -106,7 +106,7 @@ func (auth *StaticKeyAuthImpl) validateAuthorization(ctx context.Context, key st
 
 func (auth *StaticKeyAuthImpl) validateApiKey(key string) bool {
 	pieces := strings.Split(key, " ")
-	if pieces != nil && len(pieces) > 0 {
+	if len(pieces) > 0 {
 		key = pieces[len(pieces)-1]
 	}
 	return key == auth.apiKey
diff --git a/server/modules/staticrbac/staticrbac_test.go b/server/modules/staticrbac/staticrbac_test.go
index c198843e4..176a0a9bf 100644
--- a/server/modules/staticrbac/staticrbac_test.go
+++ b/server/modules/staticrbac/staticrbac_test.go
@@ -23,11 +23,11 @@ func TestInit(tester *testing.T) {
 	err := auth.Init(cfg)
 	assert.Error(tester, err)
 
-	array := make([]interface{}, 1, 1)
+	array := make([]interface{}, 1)
 	array[0] = "MyValue1"
 	cfg["roleFiles"] = array
 
-	array = make([]interface{}, 1, 1)
+	array = make([]interface{}, 1)
 	array[0] = "MyValue2"
 	cfg["userFiles"] = array
 	err = auth.Init(cfg)
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 32f18a6a9..3fcefffac 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 00a2fdf2a..81110b21f 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index f3ee8e707..daa3bd07e 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 2ce0d1a41..5e93d94ff 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package suricata
 
 import (
diff --git a/server/queryhandler_test.go b/server/queryhandler_test.go
index a4bd0caf7..71498ddbe 100644
--- a/server/queryhandler_test.go
+++ b/server/queryhandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/server_fake.go b/server/server_fake.go
index e2d2bcba2..baacfa691 100644
--- a/server/server_fake.go
+++ b/server/server_fake.go
@@ -170,7 +170,7 @@ func NewFakeServer(authorized bool, roleMap map[string][]string) *Server {
 		roleMap: roleMap,
 	}
 
-	users := make([]*model.User, 0, 0)
+	users := make([]*model.User, 0)
 	users = append(users, &model.User{
 		Id:    "user-id-1",
 		Email: "user1@somewhere.invalid",
diff --git a/server/utilhandler.go b/server/utilhandler.go
index 997f7c2ed..bfbf4ed4b 100644
--- a/server/utilhandler.go
+++ b/server/utilhandler.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/server/utilhandler_test.go b/server/utilhandler_test.go
index 8699cce6f..6d92acdb9 100644
--- a/server/utilhandler_test.go
+++ b/server/utilhandler_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package server
 
 import (
diff --git a/util/ptr.go b/util/ptr.go
index fe1477027..fea87a3c5 100644
--- a/util/ptr.go
+++ b/util/ptr.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package util
 
 func Ptr[T any](x T) *T {
diff --git a/web/host.go b/web/host.go
index 0a67f35cd..57ce9af93 100644
--- a/web/host.go
+++ b/web/host.go
@@ -180,7 +180,7 @@ func (host *Host) pruneConnections() {
 
 	activeConnections := make([]*Connection, 0)
 	for _, connection := range host.connections {
-		durationSinceLastPing := int(time.Now().Sub(connection.lastPingTime).Milliseconds())
+		durationSinceLastPing := int(time.Since(connection.lastPingTime).Milliseconds())
 		if durationSinceLastPing < host.idleConnectionTimeoutMs {
 			activeConnections = append(activeConnections, connection)
 		} else if connection.websocket != nil {
diff --git a/web/middleware.go b/web/middleware.go
index bd06833fd..4c2bd4d70 100644
--- a/web/middleware.go
+++ b/web/middleware.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package web
 
 import (
diff --git a/web/middleware_test.go b/web/middleware_test.go
index d38f28c1e..64af02f89 100644
--- a/web/middleware_test.go
+++ b/web/middleware_test.go
@@ -1,3 +1,8 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
 package web
 
 import (

From c4320b13624677b946b367ebb1d62c77412315b5 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 16 Nov 2023 13:31:51 -0700
Subject: [PATCH 065/102] WIP: Overrides in the Tuning Tab

SeverityTranslations. A map used to translate one engine's severity levels to the levels we support in SOC's detections.

A lot of UI work around CRUDing overrides in the Tuning tab of a detection.

A little cleanup in hunt.js. Removed helper functions from the early days of detections. Could/should have been removed a long time ago.

Initial logic for applying overrides when syncing detections started, but the modified threshold file isn't updated yet until I revisit and test everything.
---
 config/clientparameters.go                   |   3 +-
 html/index.html                              | 191 +++++++++-
 html/js/i18n.js                              |  10 +
 html/js/routes/detection.js                  | 369 +++++++++++++++++--
 html/js/routes/hunt.js                       |  55 ---
 model/detection.go                           | 155 +++++++-
 server/detectionhandler.go                   |  26 +-
 server/infohandler.go                        |  10 +
 server/modules/elastalert/elastalert_test.go |   6 +-
 server/modules/elastalert/validate.go        |   4 +-
 server/modules/elastic/converter.go          |  63 +++-
 server/modules/suricata/suricata.go          |  53 ++-
 12 files changed, 825 insertions(+), 120 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index ee31adf90..72af921f4 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -192,7 +192,8 @@ type GridParameters struct {
 
 type DetectionParameters struct {
 	HuntingParameters
-	Presets map[string]PresetParameters `json:"presets"`
+	Presets              map[string]PresetParameters `json:"presets"`
+	SeverityTranslations map[string]string           `json:"severityTranslations"`
 }
 
 func (params *DetectionParameters) Verify() error {
diff --git a/html/index.html b/html/index.html
index c7912b911..2d33b6e6d 100644
--- a/html/index.html
+++ b/html/index.html
@@ -991,14 +991,14 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
 
                   <!-- Engine -->
-                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]"/>
+                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]" v-on:change="onDetectionChange"/>
 
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" />
+                  <v-textarea class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" @input="onDetectionChange()" />
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1127,7 +1127,192 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab-item> -->
               <v-tab-item value="tuning">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  Coming Soon!
+                  <v-col cols="12" style="padding-left: 0px; padding-right: 0px;">
+                    <v-toolbar class="elevation-0" fixed>
+                      <v-btn color="primary" id="add-override-button" style="text-decoration: none; cursor: 'pointer'" @click="createNewOverride()">
+                        <v-icon :title="i18n.create">fa-plus</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                    <div v-if="newOverride != null">
+                      <v-form ref="OverrideCreate">
+                        <v-select id="new-override-type" v-model="newOverride.type" :items="getOverrideTypes()" persistent-hint :hint="i18n.type" @change="createOverrideTypeChange()"></v-select>
+                        <!--
+                          1. Regex   - modify
+                          2. Value   - modify
+                          3. Type    - threshold
+                          3. Track   - suppress, threshold
+                          4. IP      - suppress
+                          5. Count   - threshold
+                          6. Seconds - threshold
+                          7. Custom Filter - engine:elastalert
+                        -->
+                        <!-- Suricata -->
+                        <div v-if="detect.engine === 'suricata'">
+                          <!-- regex -->
+                          <v-text-field v-if="newOverride.type === 'modify'" id="new-override-regex-edit" v-model="newOverride.regex" :rules="[rules.required]" persistent-hint :hint="i18n.regex"></v-text-field>
+                          <!-- value -->
+                          <v-text-field v-if="newOverride.type === 'modify'" id="new-override-value-edit" v-model="newOverride.value" :rules="[rules.required]" persistent-hint :hint="i18n.value"></v-text-field>
+                          <!-- (threshold) type -->
+                          <v-select v-if="newOverride.type === 'threshold'" id="new-override-threshold-type-edit" v-model="newOverride.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.thresholdType"></v-select>
+                          <!-- track -->
+                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
+                          <!-- ip -->
+                          <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr"></v-text-field>
+                          <!-- count -->
+                          <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-count-edit" v-model="newOverride.count" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.count"></v-text-field>
+                          <!-- seconds -->
+                          <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-seconds-edit" v-model="newOverride.seconds" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.secondsLabel"></v-text-field>
+                        </div>
+                        <!-- ElastAlert -->
+                        <div v-if="detect.engine === 'elastalert'">
+                          <!-- custom filter -->
+                          <v-text-field id="new-override-custom-filter-edit" v-model="newOverride.customFilter" :rules="[rules.required]" persistent-hint :hint="i18n.customFilter"></v-text-field>
+                        </div>
+                        <div v-if="newOverride" class="d-flex justify-end text-body-2 mt-2">
+                          <div class="d-inline-flex">
+                            <v-btn id="detection-create-cancel" text small color="primary" class="align-self-end" @click="newOverride = null">
+                              {{ i18n.cancel }}
+                            </v-btn>
+                            <v-btn v-if="newOverride.type" id="detection-create-create" text small color="primary" class="align-self-end" @click="addNewOverride()">
+                              {{ i18n.create }}
+                            </v-btn>
+                          </div>
+                        </div>
+                      </v-form>
+                    </div>
+                  </v-col>
+                  <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
+                    :items="detect.overrides" :item-key="'index'" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    <template v-slot:item="{ item, index }">
+                      <tr>
+                        <td>
+                          <v-btn id="expandOverrideArrow" icon small @click="expand(item)">
+                            <v-icon v-if="isExpanded(item)" :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded(item)" :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>
+                        <td v-for="field in overrideHeaders" :key="field.value">
+                          <div class="d-inline-block">
+                            <span v-if="!field.format">{{ item[field.value] }}</span>
+                            <span v-else v-text="$root.formatLocalTimestamp(item[field.value], zone)"/>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="{ headers, item }">
+                      <tr>
+                        <td :colspan="headers.length" class="pa-4" v-if="detect.engine === 'suricata'">
+                          <!--
+                            1. Regex   - modify
+                            2. Value   - modify
+                            3. Type    - threshold
+                            3. Track   - suppress, threshold
+                            4. IP      - suppress
+                            5. Count   - threshold
+                            6. Seconds - threshold
+                            7. Custom Filter - engine:elastalert
+                          -->
+                          <!-- regex -->
+                          <div v-if="item.type === 'modify'">
+                            <div class="font-weight-bold mt-2">
+                              Regex:
+                            </div>
+                            <span id="override-regex" v-if="!isOverrideEdit('override-regex')" @click="startOverrideEdit('override-regex', item, 'regex')">
+                              {{item.regex}}
+                            </span>
+                            <v-text-field v-else id="override-regex-edit" ref="override-regex" hide-details="auto" outlined v-model="item.regex" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.regex" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- value -->
+                          <div v-if="item.type === 'modify'">
+                            <div class="font-weight-bold mt-2">
+                              Value:
+                            </div>
+                            <span id="override-value" v-if="!isOverrideEdit('override-value')" @click="startOverrideEdit('override-value', item, 'value')">
+                              {{item.value}}
+                            </span>
+                            <v-text-field v-else id="override-value-edit" ref="override-value" hide-details="auto" outlined v-model="item.value" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.value" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- type (threshold) -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Type:
+                            </div>
+                            <span id="override-threshold-type" v-if="!isOverrideEdit('override-threshold-type')" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')">
+                              {{item.thresholdType}}
+                            </span>
+                            <v-select v-else id="override-threshold-type-edit" ref="override-threshold-type" v-model="item.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                          </div>
+                          <!-- track -->
+                          <div v-if="['suppress', 'threshold'].includes(item.type)">
+                            <div class="font-weight-bold mt-2">
+                              Track:
+                            </div>
+                            <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
+                              {{item.track}}
+                            </span>
+                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                          </div>
+                          <!-- ip -->
+                          <div v-if="item.type === 'suppress'">
+                            <div class="font-weight-bold mt-2">
+                              IP:
+                            </div>
+                            <span id="override-ip" v-if="!isOverrideEdit('override-ip')" @click="startOverrideEdit('override-ip', item, 'ip')">
+                              {{item.ip}}
+                            </span>
+                            <v-text-field v-else id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.ciderFormat]"
+                              persistent-hint :hint="i18n.cidr" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- count -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Count:
+                            </div>
+                            <span id="override-count" v-if="!isOverrideEdit('override-count')" @click="startOverrideEdit('override-count', item, 'count')">
+                              {{item.count}}
+                            </span>
+                            <v-text-field v-else id="override-count-edit" ref="override-count" hide-details="auto" outlined v-model="item.count" :rules="[rules.required, rules.number]"
+                              persistent-hint :hint="i18n.count" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- seconds -->
+                          <div v-if="item.type === 'threshold'">
+                            <div class="font-weight-bold mt-2">
+                              Seconds:
+                            </div>
+                            <span id="override-seconds" v-if="!isOverrideEdit('override-seconds')" @click="startOverrideEdit('override-seconds', item, 'seconds')">
+                              {{item.seconds}}
+                            </span>
+                            <v-text-field v-else id="override-seconds-edit" ref="override-seconds" hide-details="auto" outlined v-model="item.seconds" :rules="[rules.required, rules.number]"
+                              persistent-hint :hint="i18n.secondsLabel" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                          <!-- <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
+                          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field> -->
+                          <div class="d-flex justify-end text-body-2 mt-2">
+                            <div class="d-inline-flex">
+                              <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
+                                {{ i18n.delete }}
+                              </v-btn>
+                            </div>
+                          </div>
+                        </td>
+                        <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'elastalert'">
+                          <div>
+                            <div class="font-weight-bold">
+                              Custom Filter:
+                            </div>
+                            <span id="override-custom-filter" v-if="!isOverrideEdit('override-custom-filter')" @click="startOverrideEdit('override-custom-filter', item, 'customFilter')">
+                              {{item.customFilter}}
+                            </span>
+                            <v-text-field v-else id="override-custom-filter-edit" ref="override-custom-filter" hide-details="auto" outlined v-model="item.customFilter" :rules="[rules.required]"
+                              persistent-hint :hint="i18n.customFilter" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
+                          </div>
+                        </td>
+                        <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'yara'"></td>
+                      </tr>
+                    </template>
+                  </v-data-table>
                 </div>
               </v-tab-item>
               <v-tab-item value="history">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 5cab16f35..22514505f 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -156,6 +156,7 @@ const i18n = {
       chartTitleTimeline: 'Timeline',
       chartTitleTop: 'Most Occurrences',
       cheatsheet: 'Cheat Sheet',
+      cidr: 'CIDR Notation',
       clear: 'Clear',
       clickForMoreInformation: 'Click for more information',
       collapse: 'Collapse',
@@ -214,11 +215,13 @@ const i18n = {
       copyFieldToClipboard: 'Copy this value only',
       copyFieldValueToClipboard: 'Copy as field:value',
       copyToClipboard: 'Copy to clipboard',
+      count: 'Count',
       cpuUsage: 'CPU Usage',
       cpuUsageAbbr: 'CPU',
       create: 'Create',
       createNewCase: 'Create a new case...',
       custom: 'Custom',
+      customFilter: 'Custom Filter',
       darkMode: 'Dark Mode',
       dashboards: 'Dashboards',
       dataset: 'Dataset',
@@ -445,6 +448,8 @@ const i18n = {
       interval24h: "24 hours",
       invalid: 'Invalid',
       ioWait: 'I/O Wait',
+      invalidCidr: 'Invalid CIDR Notation',
+      ipCidr: 'IP - CIDR Notation',
       job: 'Job',
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
@@ -547,6 +552,7 @@ const i18n = {
       order: 'Order',
       osUptime: 'OS Uptime',
       other: 'Other',
+      overrideExpand: 'Show all override fields',
       owner: 'Owner',
       packages: 'Packages',
       packets: 'Captured Packets',
@@ -592,6 +598,7 @@ const i18n = {
       refreshObservablesHelp: 'Refresh to view all recently added observables for this case.',
       refreshEventsHelp: 'Refresh to view all recently escalated events for this case.',
       refreshHistoryHelp: 'Refresh to view the latest history for this case.',
+      regex: 'Regex',
       reject: 'Reject',
       rejected: 'Rejected',
       related: 'Events',
@@ -619,6 +626,7 @@ const i18n = {
       save: 'Save',
       saveSuccess: 'Save successful!',
       seconds: 'seconds',
+      secondsLabel: 'Seconds',
       security: 'Security',
       securityInstructions: 'You may be prompted to login again when updating your security settings. If submitting a new password, you will need to verify your identity first with the old password. This is a security measure to protect your account.',
       securityInstructionsTotp: 'IMPORTANT: If you changed your password recently you must logout and login again with the new password before attempting to activate TOTP. Failure to relogin will result in the TOTP validation failing. If this occurs you will need to remove the TOTP code from your authenticator app, login to SOC with the new password, and then activate TOTP again.',
@@ -734,6 +742,7 @@ const i18n = {
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
+      thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
       timePickerHelp: 'Choose the timespan to search, or click the calendar icon to switch to relative time',
@@ -769,6 +778,7 @@ const i18n = {
       totpDeactivate: 'Deactivate TOTP',
       totpSecretInstructions: 'If you are unable to scan the QR code, use the secret provided below instead.',
       totpUnlinkInstructions: 'If you no longer have access to your authenticator app, you can deactivate the TOTP.',
+      track: 'Track',
       trafficMonIn: 'Inbound Monitor Traffic',
       trafficMonInAbbr: 'Mon In',
       trafficMonInDrops: 'Dropped Monitor Traffic',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 2b1e93b27..5964fc929 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -3,17 +3,36 @@
 // https://securityonion.net/license; you may not use this file except in compliance with the
 // Elastic License 2.0.
 
+function debounce(fn, wait) {
+	let timer;
+	return (...args) => {
+		if(timer) {
+			clearTimeout(timer); // clear any pre-existing timer
+		}
+
+		const context = this; // get the current context
+		timer = setTimeout(()=>{
+			fn.apply(context, args); // call the function if time expires
+		}, wait);
+	}
+}
+
 routes.push({ path: '/detection/:id', name: 'detection', component: {
   template: '#page-detection',
   data() { return {
 		i18n: this.$root.i18n,
 		presets: {},
+		severityTranslations: {},
 		params: {},
 		detect: null,
 		origDetect: null,
 		curEditTarget: null, // string containing element ID, null if not editing
 		origValue: null,
 		editField: null,
+		curOverrideEditTarget: null,
+		origOverrideValue: null,
+		overrideEditField: null,
+		editOverride: null, // the override we're currently editing
 		editForm: { valid: true },
 		rules: {
 			required: value => (value && value.length > 0) || this.$root.i18n.required,
@@ -22,15 +41,38 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
 			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
 			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+			cidrFormat: value => (!value || /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value)) || this.i18n.invalidCidr,
 			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
 			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 			fileRequired: value => (value != null) || this.$root.i18n.required,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
-		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/,
+		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/, // option
+		severityExtract: /\bsignature_severity ['"]?(.*?)['"]?[,;]/, // metadata
+		authorExtract: /\bauthor: ?['"]?(.*?)['"]?;/, // option
+		authorMetaExtract: /\bauthor ['"]?(.*?)['"]?[,;]/, // metadata
+		sortBy: 'createdAt',
+		sortDesc: false,
+		expanded: [],
+		overrideHeaders: [
+			{ text: 'Enabled', value: 'isEnabled' },
+			{ text: 'Type', value: 'type' },
+			{ text: 'Track', value: 'track' },
+			{ text: 'Created', value: 'createdAt', format: true },
+			{ text: 'Updated', value: 'updatedAt', format: true },
+		],
+		zone: moment.tz.guess(),
+		newOverride: null,
+		thresholdTypes: [
+			{ value: 'threshold', text: 'Threshold' },
+			{ value: 'limit', text: 'Limit' },
+			{ value: 'both', text: 'Both' }
+		],
+		trackOptions: ['by_src', 'by_dst', 'by_both'],
   }},
-  created() {
+	created() {
+		this.onDetectionChange = debounce(this.onDetectionChange, 300);
   },
   watch: {
 	},
@@ -39,13 +81,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
       () => this.$route.params,
       (to, prev) => {
 				this.loadData();
-    	});
+			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
   methods: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
+			this.severityTranslations = params['severityTranslations'];
+
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
 			} else {
@@ -77,8 +121,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.startLoading();
 
 			try {
-					const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
+				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
+				if (this.detect.overrides) {
+					for (let i = 0; i < this.detect.overrides.length; i++) {
+						this.detect.overrides[i].index = i;
+					}
+				}
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -159,25 +208,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			});
 		},
-		extractPublicID() {
-			let pid = '';
-			switch (this.detect.engine) {
-				case 'suricata':
-					try {
-						pid = this.extractSuricataPublicID();
-					} catch (e) {
-						// nothing, clear publicId
-					}
-					break;
-				case 'elastalert':
-					try {
-						pid = this.extractElastAlertPublicID();
-					} catch (e) {}
-					break;
-			}
-
-			this.detect.publicId = pid;
-		},
 		isEdit(target) {
 			return this.curEditTarget === target;
 		},
@@ -186,8 +216,6 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				this.detect[this.editField] = this.origValue;
 			} else if (!this.isNew()) {
 				const response = await this.$root.papi.put('/detection', this.detect);
-
-        console.log('UPDATE', response);
 			}
 
 			this.curEditTarget = null;
@@ -198,7 +226,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			if (this.curEditTarget !== null) this.stopEdit(true);
 
 			if (this.isNew()) {
-				this.$refs['detection'].validate();
+				this.$refs.detection.validate();
 				if (!this.editForm.valid) return;
 			}
 
@@ -220,6 +248,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				return;
 			}
 
+			if (this.detect.overrides) {
+				for (let i = 0; i < this.detect.overrides.length; i++) {
+					this.detect.overrides[i] = this.cleanupOverride(this.detect.engine, this.detect.overrides[i]);
+				}
+			}
+
 			try {
 				let response;
 				if (createNew) {
@@ -232,7 +266,9 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 				this.$root.showTip(this.i18n.saveSuccess);
 
-				this.$router.push({name: 'detection', params: {id: response.data.id}});
+				if (createNew) {
+					this.$router.push({ name: 'detection', params: { id: response.data.id } });
+				}
 			} catch (error) {
 				this.$root.showError(error);
 			}
@@ -269,23 +305,286 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return null;
 		},
+		extractPublicID() {
+			let pid = this.detect.publicId;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						pid = this.extractSuricataPublicID();
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const id = this.extractElastAlertPublicID();
+						if (id) pid = id;
+					} catch {}
+					break;
+			}
+
+			this.detect.publicId = pid;
+		},
+		extractSeverity() {
+			let sev = this.detect.severity;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						sev = this.extractSuricataSeverity();
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const s = this.extractElastAlertSeverity();
+						if (s) sev = s;
+					} catch {}
+					break;
+			}
+
+			this.detect.severity = sev;
+		},
+		extractAuthor() {
+			let author = this.detect.author;
+			switch (this.detect.engine) {
+				case 'suricata':
+					try {
+						const a = this.extractSuricataAuthor();
+						if (a) author = a;
+					} catch {}
+					break;
+				case 'elastalert':
+					try {
+						const a = this.extractElastAlertAuthor();
+						if (a) author = a;
+					} catch {}
+					break;
+			}
+
+			this.detect.author = author;
+		},
 		extractSuricataPublicID() {
 			const results = this.sidExtract.exec(this.detect.content);
+			return results[1];
+		},
+		extractSuricataSeverity() {
+			const results = this.severityExtract.exec(this.detect.content);
 
-			if (!results || results.length < 2) {
-				// sid not present in rule
-				throw this.i18n.sidMissingErr;
-			} else if (results && results.length > 2) {
-				// multiple sids present in rule
-				throw this.i18n.sidMultipleErr;
+			let sev = (results[1] || '').toLowerCase();
+			if (this.severityTranslations[sev]) {
+				sev = this.severityTranslations[sev]
 			}
 
-			return results[1];
+			if (!this.presets['severity'].labels.includes(sev)) {
+				sev = this.getDefaultPreset('severity');
+			}
+
+			return sev;
+		},
+		extractSuricataAuthor() {
+			// do suricata rules even have a place for an author?
+
+			// first look for an option labeled author
+			const author = this.authorExtract.exec(this.detect.content);
+			if (author && author.length >= 2) return author[1];
+
+			// if no option, check metadata for a field labeled author
+			const authorMeta = this.authorMetaExtract.exec(this.detect.content);
+			if (authorMeta && authorMeta.length >= 2) return authorMeta[1];
 		},
 		extractElastAlertPublicID() {
-			const yaml = jsyaml.load(this.detect.content);
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
 			return yaml['id'];
 		},
+		extractElastAlertSeverity() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			const level = yaml['level'];
+
+			for (let lvl in this.presets['severity'].labels) {
+				if (this.presets['severity'].labels[lvl].toUpperCase() === level.toUpperCase()) {
+					return this.presets['severity'].labels[lvl];
+				}
+			}
+		},
+		extractElastAlertAuthor() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			return yaml['author'];
+		},
+		onDetectionChange() {
+			if (this.detect.engine) {
+				this.extractPublicID();
+				this.extractSeverity();
+				this.extractAuthor();
+			}
+		},
+		saveSetting(name, value, defaultValue = null) {
+      var item = 'settings.detection.' + name;
+      if (defaultValue == null || value != defaultValue) {
+        localStorage[item] = value;
+      } else {
+        localStorage.removeItem(item);
+      }
+    },
+    saveLocalSettings() {
+      this.saveSetting('sortDesc', this.sortDesc, true);
+      this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
+      this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
+      this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
+		},
+		sortOverrides(items, index, isDesc) {
+      const route = this;
+      if (index && index.length > 0) {
+        index = index[0];
+      }
+      if (isDesc && isDesc.length > 0) {
+        isDesc = isDesc[0];
+      }
+      items.sort((a, b) => {
+        if (index === "event.severity_label") {
+          return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
+        } else {
+          return route.defaultSort(a[index], b[index], isDesc);
+        }
+      });
+      return items
+		},
+		defaultSort(a, b, isDesc) {
+      if (!isDesc) {
+        return a < b ? -1 : 1;
+      }
+      return b < a ? -1 : 1;
+    },
+		expand(item) {
+      if (this.isExpanded(item)) {
+        this.expanded = [];
+      } else {
+        this.expanded = [item];
+			}
+		},
+		isExpanded(item) {
+      return (this.expanded.length > 0 && this.expanded[0] === item);
+		},
+		createNewOverride() {
+			this.newOverride = {
+				type: null,
+				isEnabled: false,
+				regex: null,
+				value: null,
+				track: null,
+				count: null,
+				seconds: null,
+				customFilter: null,
+			};
+		},
+		getOverrideTypes(engine) {
+			engine = engine || this.detect.engine;
+
+			switch (engine) {
+				case 'suricata':
+					return [
+						{ value: 'modify', text: 'Modify' },
+						{ value: 'suppress', text: 'Suppress' },
+						{ value: 'threshold', text: 'Threshold' }
+					];
+				case 'elastalert':
+					return [
+						{ value: 'custom filter', text: 'Custom Filter' }
+					];
+			}
+
+			return [];
+		},
+		cleanupOverride(engine, o) {
+			// ensures an override about to be saved
+			// only has the fields relevant to the engine
+			// and type selected
+			let out = {
+				type: o.type,
+				isEnabled: o.isEnabled,
+			};
+
+			if (engine === 'elastalert') {
+				out.customFilter = o.customFilter;
+			} else {
+				out.type = o.type
+
+				switch (o.type) {
+					case 'modify':
+						out.regex = o.regex;
+						out.value = o.value;
+						break;
+					case 'threshold':
+						out.thresholdType = o.thresholdType;
+						out.track = o.track;
+						out.count = parseInt(o.count);
+						out.seconds = parseInt(o.seconds);
+						break;
+					case 'suppress':
+						out.track = o.track;
+						out.ip = o.ip;
+						break;
+				}
+			}
+
+			return out;
+		},
+		createOverrideTypeChange() {
+			// reset the form, but we want the selected type to persist
+			const t = this.newOverride.type;
+			this.$refs.OverrideCreate.reset();
+			this.newOverride.type = t;
+		},
+		cancelNewOverride() {
+			this.$refs.OverrideCreate.reset();
+			this.newOverride = null;
+		},
+		addNewOverride() {
+			if (!this.newOverride) return;
+
+			if (!this.detect.overrides) {
+				this.detect.overrides = [];
+			}
+
+			this.detect.overrides.push(this.newOverride);
+
+			this.saveDetection(false);
+			this.newOverride = null;
+		},
+		async startOverrideEdit(target, override, field) {
+			if (this.curOverrideEditTarget === target) return;
+			if (this.curOverrideEditTarget !== null) await this.stopOverrideEdit(false);
+
+			this.curOverrideEditTarget = target;
+			this.origOverrideValue = override[field];
+			this.overrideEditField = field;
+			this.editOverride = override;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(target + '-edit');
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
+		isOverrideEdit(target) {
+			return this.curOverrideEditTarget === target;
+		},
+		async stopOverrideEdit(commit) {
+			if (commit && this.$refs[this.curOverrideEditTarget].hasError) return;
+
+			if (!commit) {
+				this.editOverride[this.overrideEditField] = this.origOverrideValue;
+			} else {
+				this.saveDetection(false);
+			}
+
+			this.curOverrideEditTarget = null;
+			this.origOverrideValue = null;
+			this.overrideEditField = null;
+			this.editOverride = null;
+		},
+		deleteOverride(item) {
+			this.detect.overrides = this.detect.overrides.filter(o => o !== item);
+			this.saveDetection(false);
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 6c7f3496b..321f515ed 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2107,61 +2107,6 @@ const huntComponent = {
 
       window.open(url, target);
     },
-    async CreateDetection() {
-      const response = await this.$root.papi.post('/detection', {
-        publicId: 'ABCDEF',
-        title: 'First!',
-        severity: 'low',
-        author: 'Corey Ogburn',
-        description: 'first try',
-        content: 'rule goes here',
-        isEnabled: true,
-        isReporting: true,
-        Engine: 'suricata'
-      });
-
-      console.log('CREATE', response);
-      this.onionID = response.data.id;
-      console.log('onionID', this.onionID);
-    },
-    async GetDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.get('/detection/' + this.onionID);
-
-        console.log('GET', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
-    async UpdateDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.put('/detection', {
-          id: this.onionID,
-          publicId: 'ABCDEF',
-          title: 'Second!',
-          severity: 'low',
-          author: 'Corey Ogburn',
-          description: 'first try',
-          content: 'rule goes here',
-          isEnabled: true,
-          isReporting: true,
-          Engine: 'suricata'
-        });
-
-        console.log('UPDATE', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
-    async DeleteDetection() {
-      if (this.onionID) {
-        const response = await this.$root.papi.delete('/detection/' + this.onionID);
-
-        console.log('DELETE', response);
-      } else {
-        console.log('No onionID');
-      }
-    },
     print(x) {
       console.log(x);
     }
diff --git a/model/detection.go b/model/detection.go
index 4bb5583bd..bde5a004b 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -8,13 +8,15 @@ package model
 import (
 	"errors"
 	"strings"
+	"time"
 )
 
 type ScanType string
 type SigLanguage string
 type Severity string
 type IDType string
-type EngineName = string
+type EngineName string
+type OverrideType string
 
 const (
 	ScanTypeFiles           ScanType = "files"
@@ -41,6 +43,11 @@ const (
 	EngineNameSuricata   EngineName = "suricata"
 	EngineNameYara       EngineName = "yara"
 	EngineNameElastAlert EngineName = "elastalert"
+
+	OverrideTypeSuppress     OverrideType = "suppress"
+	OverrideTypeThreshold    OverrideType = "threshold"
+	OverrideTypeModify       OverrideType = "modify"
+	OverrideTypeCustomFilter OverrideType = "customFilter"
 )
 
 var (
@@ -77,25 +84,147 @@ type DetectionEngine struct {
 
 type Detection struct {
 	Auditable
-	PublicID    string     `json:"publicId"`
-	Title       string     `json:"title"`
-	Severity    Severity   `json:"severity"`
-	Author      string     `json:"author"`
-	Description string     `json:"description"`
-	Content     string     `json:"content"`
-	IsEnabled   bool       `json:"isEnabled"`
-	IsReporting bool       `json:"isReporting"`
-	IsCommunity bool       `json:"isCommunity"`
-	Note        string     `json:"note"`
-	Engine      EngineName `json:"engine"`
+	PublicID    string      `json:"publicId"`
+	Title       string      `json:"title"`
+	Severity    Severity    `json:"severity"`
+	Author      string      `json:"author"`
+	Description string      `json:"description"`
+	Content     string      `json:"content"`
+	IsEnabled   bool        `json:"isEnabled"`
+	IsReporting bool        `json:"isReporting"`
+	IsCommunity bool        `json:"isCommunity"`
+	Note        string      `json:"note"`
+	Engine      EngineName  `json:"engine"`
+	Overrides   []*Override `json:"overrides"` // Tuning
+}
+
+// Note: JSON tags are used when storing the object in ElasticSearch,
+// YAML tags are used when storing the object in a YAML config file (Suricata).
+
+type Override struct {
+	Type               OverrideType `json:"type" yaml:"type"`
+	IsEnabled          bool         `json:"isEnabled" yaml:"-"`
+	CreatedAt          time.Time    `json:"createdAt" yaml:"-"`
+	UpdatedAt          time.Time    `json:"updatedAt" yaml:"-"`
+	OverrideParameters `yaml:",inline"`
+}
+
+type OverrideParameters struct {
+	// suricata
+	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`                 // modify
+	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`                 // modify
+	GenID         *int    `json:"-" yaml:"genId,omitempty"`                               // suppress, threshold
+	ThresholdType *string `json:"thresholdType,omitempty" yaml:"thresholdType,omitempty"` // threshold
+	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`                 // suppress, threshold
+	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`                       // suppress
+	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`                 // threshold
+	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`             // threshold
+
+	// elastalert
+	CustomFilter *string `json:"customFilter,omitempty" yaml:"customFilter,omitempty"` // modify
+}
+
+func (o Override) MarshalYAML() (interface{}, error) {
+	out := map[string]*OverrideParameters{
+		string(o.Type): &o.OverrideParameters,
+	}
+
+	return out, nil
+}
+
+func (o *Override) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var m map[string]*OverrideParameters
+	if err := unmarshal(&m); err != nil {
+		return err
+	}
+
+	for k, v := range m {
+		o.Type = OverrideType(k)
+		o.IsEnabled = true
+		o.OverrideParameters = *v
+	}
+
+	return nil
 }
 
 func (detect *Detection) Validate() error {
-	detect.Engine = strings.ToLower(detect.Engine)
+	detect.Engine = EngineName(strings.ToLower(string(detect.Engine)))
 	_, engIsSupported := EnginesByName[detect.Engine]
 	if !engIsSupported {
 		return ErrUnsupportedEngine
 	}
 
+	for _, o := range detect.Overrides {
+		if err := o.Validate(detect.Engine); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (o *Override) Validate(engine EngineName) error {
+	if o.Type == "" {
+		return errors.New("override type is required")
+	}
+
+	if engine == EngineNameSuricata {
+		switch o.Type {
+		case OverrideTypeModify:
+			if o.Regex == nil || o.Value == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.Track != nil ||
+				o.Count != nil ||
+				o.Seconds != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		case OverrideTypeSuppress:
+			if o.Value == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		case OverrideTypeThreshold:
+			if o.ThresholdType == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.Value != nil ||
+				o.GenID != nil ||
+				o.CustomFilter != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		}
+
+	} else if engine == EngineNameElastAlert {
+		switch o.Type {
+		case OverrideTypeCustomFilter:
+			if o.CustomFilter == nil {
+				return errors.New("missing required parameter(s)")
+			}
+
+			if o.Regex != nil ||
+				o.Value != nil ||
+				o.GenID != nil ||
+				o.ThresholdType != nil ||
+				o.Track != nil ||
+				o.Count != nil ||
+				o.Seconds != nil {
+				return errors.New("unnecessary fields in override")
+			}
+		}
+	}
+
 	return nil
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b515b05ff..6f881e7ac 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
@@ -78,6 +79,16 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	for _, over := range detect.Overrides {
+		if over.CreatedAt.IsZero() {
+			over.CreatedAt = time.Now()
+		}
+
+		if over.UpdatedAt.IsZero() {
+			over.UpdatedAt = time.Now()
+		}
+	}
+
 	detect, err = h.server.Detectionstore.CreateDetection(ctx, detect)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
@@ -138,6 +149,16 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	for _, over := range detect.Overrides {
+		if over.CreatedAt.IsZero() {
+			over.CreatedAt = time.Now()
+		}
+
+		if over.UpdatedAt.IsZero() {
+			over.UpdatedAt = time.Now()
+		}
+	}
+
 	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
 	if err != nil {
 		web.Respond(w, r, http.StatusInternalServerError, err)
@@ -145,14 +166,15 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 	}
 
 	if old.IsCommunity {
-		// the only editable fields for community rules are IsEnabled, IsReporting, and Note
+		// the only editable fields for community rules are IsEnabled, IsReporting, Note, and Overrides
 		old.IsEnabled = detect.IsEnabled
 		old.IsReporting = detect.IsReporting
 		old.Note = detect.Note
+		old.Overrides = detect.Overrides
 
 		detect = old
 
-		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, and Note", detect.Id)
+		log.Infof("existing detection %s is a community rule, only updating IsEnabled, IsReporting, Note, and Overrides", detect.Id)
 	} else if detect.IsCommunity {
 		web.Respond(w, r, http.StatusBadRequest, errors.New("cannot update an existing non-community detection to make it a community detection"))
 		return
diff --git a/server/infohandler.go b/server/infohandler.go
index 21743094f..3993ce79c 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -86,6 +86,10 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "All",
 				Query: "_id:*",
 			},
+			{
+				Name:  "Local Rules",
+				Query: "* AND so_detection.isCommunity:false",
+			},
 			{
 				Name:  "Enabled",
 				Query: "so_detection.isEnabled:true",
@@ -122,6 +126,12 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Labels:        []string{"suricata", "elastalert"},
 			},
 		}
+
+		detection.SeverityTranslations = map[string]string{
+			// informational and critical already map correctly
+			"minor": "low",
+			"major": "high",
+		}
 	}
 
 	{
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index c6cda090a..e5e39cb92 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -196,7 +196,8 @@ func TestSigmaToElastAlertSunnyDay(t *testing.T) {
 		assert.Equal(t, http.MethodPost, r.Method)
 
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("<eql>"))
+		_, err := w.Write([]byte("<eql>"))
+		assert.NoError(t, err)
 
 		callCount++
 	}))
@@ -248,7 +249,8 @@ func TestSigmaToElastAlertError(t *testing.T) {
 		assert.Equal(t, http.MethodPost, r.Method)
 
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("Error: " + msg))
+		_, err := w.Write([]byte("Error: " + msg))
+		assert.NoError(t, err)
 
 		callCount++
 	}))
diff --git a/server/modules/elastalert/validate.go b/server/modules/elastalert/validate.go
index 6dbb69594..1be0f8972 100644
--- a/server/modules/elastalert/validate.go
+++ b/server/modules/elastalert/validate.go
@@ -47,7 +47,7 @@ type SigmaRule struct {
 	Title          string                 `yaml:"title"`
 	ID             *string                `yaml:"id"`
 	LogSource      LogSource              `yaml:"logsource"`
-	Detection      Detection              `yaml:"detection"`
+	Detection      SigmaDetection              `yaml:"detection"`
 	Status         *SigmaStatus           `yaml:"status"`
 	Description    *string                `yaml:"description"`
 	License        *string                `yaml:"license"`
@@ -69,7 +69,7 @@ type LogSource struct {
 	Definition *string `yaml:"definition"`
 }
 
-type Detection struct {
+type SigmaDetection struct {
 	Condition OneOrMore[string]      `yaml:"condition"`
 	Rest      map[string]interface{} `yaml:",inline"`
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index e8aca634f..0012c20b2 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -16,6 +16,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/json"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 )
 
 func stripSegmentOptions(keys []string) []string {
@@ -409,13 +410,13 @@ func parseTime(fieldmap map[string]interface{}, key string) *time.Time {
 	var t time.Time
 
 	if value, ok := fieldmap[key]; ok {
-		switch value.(type) {
+		switch v := value.(type) {
 		case time.Time:
-			t = value.(time.Time)
+			t = v
 		case *time.Time:
-			t = *(value.(*time.Time))
+			t = *v
 		case string:
-			t, _ = time.Parse(time.RFC3339, value.(string))
+			t, _ = time.Parse(time.RFC3339, v)
 		}
 	}
 
@@ -700,7 +701,10 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 				obj.Note = value.(string)
 			}
 			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
-				obj.Engine = value.(string)
+				obj.Engine = model.EngineName(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.overrides"]; ok && value != nil {
+				obj.Overrides = convertElasticEventToOverride(value.([]interface{}))
 			}
 
 			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detection.createTime")
@@ -710,6 +714,55 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 	return obj, err
 }
 
+func convertElasticEventToOverride(overrides []interface{}) []*model.Override {
+	overs := make([]*model.Override, 0, len(overrides))
+	for _, inter := range overrides {
+		override := inter.(map[string]interface{})
+		over := &model.Override{}
+
+		if value, ok := override["type"]; ok {
+			over.Type = model.OverrideType(value.(string))
+		}
+		if value, ok := override["isEnabled"]; ok {
+			over.IsEnabled = value.(bool)
+		}
+		if value, ok := override["createdAt"]; ok {
+			over.CreatedAt, _ = time.Parse(time.RFC3339, value.(string))
+		}
+		if value, ok := override["updatedAt"]; ok {
+			over.UpdatedAt, _ = time.Parse(time.RFC3339, value.(string))
+		}
+		if value, ok := override["thresholdType"]; ok && value != nil {
+			over.ThresholdType = util.Ptr(value.(string))
+		}
+		if value, ok := override["regex"]; ok && value != nil {
+			over.Regex = util.Ptr(value.(string))
+		}
+		if value, ok := override["value"]; ok && value != nil {
+			over.Value = util.Ptr(value.(string))
+		}
+		if value, ok := override["ip"]; ok && value != nil {
+			over.IP = util.Ptr(value.(string))
+		}
+		if value, ok := override["track"]; ok && value != nil {
+			over.Track = util.Ptr(value.(string))
+		}
+		if value, ok := override["count"]; ok && value != nil {
+			over.Count = util.Ptr(int(value.(float64)))
+		}
+		if value, ok := override["seconds"]; ok && value != nil {
+			over.Seconds = util.Ptr(int(value.(float64)))
+		}
+		if value, ok := override["customFilter"]; ok && value != nil {
+			over.CustomFilter = util.Ptr(value.(string))
+		}
+
+		overs = append(overs, over)
+	}
+
+	return overs
+}
+
 func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string) (interface{}, error) {
 	var obj interface{}
 	var err error
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 3fcefffac..88172d45e 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -18,12 +18,14 @@ import (
 	"sync"
 	"time"
 
-	"github.com/apex/log"
-	"github.com/samber/lo"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
+	"github.com/samber/lo"
+	"gopkg.in/yaml.v3"
 )
 
 var sidExtracter = regexp.MustCompile(`(?i)\bsid: ?['"]?(.*?)['"]?;`)
@@ -316,6 +318,8 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 		return nil, fmt.Errorf("unable to find modify setting")
 	}
 
+	threshold := settingByID(allSettings, "suricata.thresholding.sids__yaml")
+
 	localLines := strings.Split(local.Value, "\n")
 	enabledLines := strings.Split(enabled.Value, "\n")
 	disabledLines := strings.Split(disabled.Value, "\n")
@@ -326,6 +330,11 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	disabledIndex := indexEnabled(disabledLines, false)
 	modifyIndex := indexModify(modifyLines)
 
+	thresholdIndex, err := indexThreshold(threshold.Value)
+	if err != nil {
+		return nil, err
+	}
+
 	errMap = map[string]string{} // map[sid]error
 
 	for _, detect := range detections {
@@ -407,6 +416,34 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 				delete(modifyIndex, sid)
 			}
 		}
+
+		// tuning
+		delete(thresholdIndex, detect.PublicID)
+		detOverrides := lo.Filter(detect.Overrides, func(o *model.Override, _ int) bool {
+			return o.IsEnabled
+		})
+
+		if len(detOverrides) > 0 {
+			// the only place we care about genID, we don't get it from the user except
+			// through the content of the rule. Default to 1 if we can't find it.
+			genID := 1
+
+			gid, ok := parsedRule.GetOption("gid")
+			if ok && gid != nil {
+				id, err := strconv.Atoi(*gid)
+				if err != nil {
+					genID = id
+				}
+			}
+
+			for _, o := range detOverrides {
+				if o.Type == model.OverrideTypeSuppress || o.Type == model.OverrideTypeThreshold {
+					o.GenID = util.Ptr(genID)
+				}
+			}
+
+			thresholdIndex[detect.PublicID] = detOverrides
+		}
 	}
 
 	local.Value = strings.Join(localLines, "\n")
@@ -496,6 +533,7 @@ func (s *SuricataEngine) syncCommunityDetections(ctx context.Context, detections
 		if exists {
 			if orig.Content != detect.Content {
 				detect.Id = orig.Id
+				detect.Overrides = orig.Overrides
 
 				_, err = s.srv.Detectionstore.UpdateDetection(ctx, detect)
 				if err != nil {
@@ -605,3 +643,14 @@ func indexModify(lines []string) map[string]int {
 
 	return index
 }
+
+func indexThreshold(content string) (map[string][]*model.Override, error) {
+	index := map[string][]*model.Override{}
+
+	err := yaml.Unmarshal([]byte(content), &index)
+	if err != nil {
+		return nil, err
+	}
+
+	return index, nil
+}

From b18e835ede4fa036438758fc81b577c423000585 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 27 Nov 2023 09:08:57 -0700
Subject: [PATCH 066/102] WIP: Save Overrides

Overrides can now be enabled/disabled.

When saving a detection, add the saving overlay so multiple edits can't take place at once.

Apply CustomFilter overrides when wrapping.

Save threshold modifications to disk after syncing local detections and their overrides in suricata.
---
 html/index.html                         | 54 +++++++++++++++++++------
 html/js/i18n.js                         |  1 +
 html/js/routes/detection.js             | 52 ++++++++++++++++++++----
 model/detection.go                      | 10 +++++
 server/detectionhandler.go              |  6 +++
 server/modules/elastalert/elastalert.go | 10 ++++-
 server/modules/suricata/suricata.go     | 12 ++++++
 7 files changed, 124 insertions(+), 21 deletions(-)

diff --git a/html/index.html b/html/index.html
index 2d33b6e6d..4b6cf5665 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1127,7 +1127,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab-item> -->
               <v-tab-item value="tuning">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <v-col cols="12" style="padding-left: 0px; padding-right: 0px;">
+                  <v-col v-if="canAddOverride()" cols="12" style="padding-left: 0px; padding-right: 0px;">
                     <v-toolbar class="elevation-0" fixed>
                       <v-btn color="primary" id="add-override-button" style="text-decoration: none; cursor: 'pointer'" @click="createNewOverride()">
                         <v-icon :title="i18n.create">fa-plus</v-icon>
@@ -1182,7 +1182,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </v-col>
                   <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
-                    :items="detect.overrides" :item-key="'index'" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    :items="detect.overrides" item-value="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                     <template v-slot:item="{ item, index }">
                       <tr>
                         <td>
@@ -1212,9 +1212,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             6. Seconds - threshold
                             7. Custom Filter - engine:elastalert
                           -->
+                          <!-- isEnabled -->
+                          <div>
+                            <div class="font-weight-bold mt-4">
+                              {{i18n.enabled}}:
+                            </div>
+                            <span id="override-enabled" v-if="!isOverrideEdit('override-enabled')" @click="startOverrideEdit('override-enabled', item, 'isEnabled')">
+                              {{item.isEnabled}}
+                            </span>
+                            <v-checkbox v-else id="override-enabled-edit" ref="override-enabled" hide-details="auto" outlined v-model="item.isEnabled"
+                              persistent-hint :hint="i18n.enabled" v-on:change="stopOverrideEdit(true)"></v-checkbox>
+                          </div>
                           <!-- regex -->
                           <div v-if="item.type === 'modify'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Regex:
                             </div>
                             <span id="override-regex" v-if="!isOverrideEdit('override-regex')" @click="startOverrideEdit('override-regex', item, 'regex')">
@@ -1225,7 +1236,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- value -->
                           <div v-if="item.type === 'modify'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Value:
                             </div>
                             <span id="override-value" v-if="!isOverrideEdit('override-value')" @click="startOverrideEdit('override-value', item, 'value')">
@@ -1236,7 +1247,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- type (threshold) -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Type:
                             </div>
                             <span id="override-threshold-type" v-if="!isOverrideEdit('override-threshold-type')" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')">
@@ -1246,7 +1257,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- track -->
                           <div v-if="['suppress', 'threshold'].includes(item.type)">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Track:
                             </div>
                             <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
@@ -1256,7 +1267,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- ip -->
                           <div v-if="item.type === 'suppress'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               IP:
                             </div>
                             <span id="override-ip" v-if="!isOverrideEdit('override-ip')" @click="startOverrideEdit('override-ip', item, 'ip')">
@@ -1267,7 +1278,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- count -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Count:
                             </div>
                             <span id="override-count" v-if="!isOverrideEdit('override-count')" @click="startOverrideEdit('override-count', item, 'count')">
@@ -1278,7 +1289,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                           <!-- seconds -->
                           <div v-if="item.type === 'threshold'">
-                            <div class="font-weight-bold mt-2">
+                            <div class="font-weight-bold mt-4">
                               Seconds:
                             </div>
                             <span id="override-seconds" v-if="!isOverrideEdit('override-seconds')" @click="startOverrideEdit('override-seconds', item, 'seconds')">
@@ -1287,9 +1298,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <v-text-field v-else id="override-seconds-edit" ref="override-seconds" hide-details="auto" outlined v-model="item.seconds" :rules="[rules.required, rules.number]"
                               persistent-hint :hint="i18n.secondsLabel" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
                           </div>
-                          <!-- <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!isEdit('detection-title')">{{ detect.title }}</h2>
-                          <v-text-field id="detection-title-edit" v-else hide-details="auto" outlined v-model="detect.title" :rules="[rules.required]" persistent-hint :hint="i18n.detectionTitle" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field> -->
-                          <div class="d-flex justify-end text-body-2 mt-2">
+                          <div class="d-flex justify-end text-body-2 mt-4">
                             <div class="d-inline-flex">
                               <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
                                 {{ i18n.delete }}
@@ -1298,8 +1307,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           </div>
                         </td>
                         <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'elastalert'">
+                          <!-- isEnabled -->
+                          <div>
+                            <div class="font-weight-bold mt-2">
+                              {{i18n.enabled}}:
+                            </div>
+                            <span id="override-enabled" v-if="!isOverrideEdit('override-enabled')" @click="startOverrideEdit('override-enabled', item, 'isEnabled')">
+                              {{item.isEnabled}}
+                            </span>
+                            <v-checkbox v-else id="override-enabled-edit" ref="override-enabled" hide-details="auto" outlined v-model="item.isEnabled"
+                              persistent-hint :hint="i18n.enabled" @change="stopOverrideEdit(true, $event)"></v-checkbox>
+                          </div>
+                          <!-- custom filter -->
                           <div>
-                            <div class="font-weight-bold">
+                            <div class="font-weight-bold mt-2">
                               Custom Filter:
                             </div>
                             <span id="override-custom-filter" v-if="!isOverrideEdit('override-custom-filter')" @click="startOverrideEdit('override-custom-filter', item, 'customFilter')">
@@ -1308,6 +1329,13 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <v-text-field v-else id="override-custom-filter-edit" ref="override-custom-filter" hide-details="auto" outlined v-model="item.customFilter" :rules="[rules.required]"
                               persistent-hint :hint="i18n.customFilter" v-on:keyup.enter="stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)"></v-text-field>
                           </div>
+                          <div class="d-flex justify-end text-body-2 mt-2">
+                            <div class="d-inline-flex">
+                              <v-btn id="override-edit-delete" text small color="red" @click="deleteOverride(item)">
+                                {{ i18n.delete }}
+                              </v-btn>
+                            </div>
+                          </div>
                         </td>
                         <td :colspan="headers.length" class="pa-4" v-else-if="detect.engine === 'yara'"></td>
                       </tr>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 22514505f..5d77a4ef9 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -292,6 +292,7 @@ const i18n = {
       email: 'Email Address',
       emailHelp: 'Specify a valid email address. Contact your administrator for new account creation.',
       emailRequired: 'An email address must be specified.',
+      enabled: 'Enabled',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
       engine: 'Engine',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 5964fc929..b757c8c55 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -123,11 +123,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			try {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
-				if (this.detect.overrides) {
-					for (let i = 0; i < this.detect.overrides.length; i++) {
-						this.detect.overrides[i].index = i;
-					}
-				}
+				this.tagOverrides();
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -214,13 +210,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async stopEdit(commit) {
 			if (!commit) {
 				this.detect[this.editField] = this.origValue;
-			} else if (!this.isNew()) {
-				const response = await this.$root.papi.put('/detection', this.detect);
 			}
 
 			this.curEditTarget = null;
 			this.origValue = null;
 			this.editField = null;
+
+			if (commit && !this.isNew()) {
+				this.saveDetection(false);
+			}
 		},
 		async saveDetection(createNew) {
 			if (this.curEditTarget !== null) this.stopEdit(true);
@@ -256,21 +254,39 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			try {
 				let response;
+				this.$root.startLoading();
+
 				if (createNew) {
 					response = await this.$root.papi.post('/detection', this.detect);
 				} else {
 					response = await this.$root.papi.put('/detection', this.detect);
 				}
 
+				// get any expanded overrides before updating this.detect
+				let index = -1;
+				if (this.expanded && this.expanded.length) {
+					index = this.expanded[0].index;
+				}
+
+				this.detect = response.data;
+				this.tagOverrides();
 				this.origDetect = Object.assign({}, this.detect);
 
+				// reinstate expanded override
+				if (index != -1 && this.detect.overrides && this.detect.overrides.length > index) {
+					this.expand(this.detect.overrides[index]);
+				}
+
 				this.$root.showTip(this.i18n.saveSuccess);
 
 				if (createNew) {
 					this.$router.push({ name: 'detection', params: { id: response.data.id } });
 				}
+
 			} catch (error) {
 				this.$root.showError(error);
+			} finally {
+				this.$root.stopLoading();
 			}
 		},
 		async duplicateDetection() {
@@ -585,6 +601,28 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.detect.overrides = this.detect.overrides.filter(o => o !== item);
 			this.saveDetection(false);
 		},
+		canAddOverride() {
+			if (this.detect.engine === 'elastalert') {
+				if (this.detect.overrides && this.detect.overrides.length > 0) {
+					for (let i = 0; i < this.detect.overrides.length; i++) {
+						if (this.detect.overrides[i].type === 'custom filter') {
+							// elastalert detections that already have a custom filter
+							// cannot have any other custom filter overrides
+							return false;
+						}
+					}
+				}
+			}
+
+			return true;
+		},
+		tagOverrides() {
+			if (this.detect.overrides) {
+				for (let i = 0; i < this.detect.overrides.length; i++) {
+					this.detect.overrides[i].index = i;
+				}
+			}
+		},
 		print(x) {
 			console.log(x);
 		},
diff --git a/model/detection.go b/model/detection.go
index bde5a004b..eb3b2059d 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -154,10 +154,20 @@ func (detect *Detection) Validate() error {
 		return ErrUnsupportedEngine
 	}
 
+	customs := 0
+
 	for _, o := range detect.Overrides {
 		if err := o.Validate(detect.Engine); err != nil {
 			return err
 		}
+
+		if o.Type == OverrideTypeCustomFilter {
+			customs++
+		}
+	}
+
+	if detect.Engine == EngineNameElastAlert && customs > 1 {
+		return errors.New("only one custom filter override is allowed per ElastAlert detection")
 	}
 
 	return nil
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 6f881e7ac..503f7aa47 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -149,6 +149,12 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	err = detect.Validate()
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
 	for _, over := range detect.Overrides {
 		if over.CreatedAt.IsZero() {
 			over.CreatedAt = time.Now()
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 38206d5a7..74dba2c8f 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -602,7 +602,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 		return "", fmt.Errorf("sigconverter returned error: %s", rule)
 	}
 
-	elastRule, err := wrapRule(det, string(rawRule))
+	elastRule, err := wrapRule(det, rule)
 	if err != nil {
 		return "", fmt.Errorf("unable to wrap rule: %w", err)
 	}
@@ -759,6 +759,14 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	sevNum := severities[det.Severity]
 
+	// apply the first (should only have 1) CustomFilter override if any
+	for _, o := range det.Overrides {
+		if o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
+			rule = fmt.Sprintf("(%s) and %s", rule, *o.CustomFilter)
+			break
+		}
+	}
+
 	wrapper := &CustomWrapper{
 		PlayTitle:     det.Title,
 		PlayID:        det.Id,
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 88172d45e..4715a325f 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -451,6 +451,13 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 	disabled.Value = strings.Join(disabledLines, "\n")
 	modify.Value = strings.Join(modifyLines, "\n")
 
+	yamlThreshold, err := yaml.Marshal(thresholdIndex)
+	if err != nil {
+		return errMap, err
+	}
+
+	threshold.Value = string(yamlThreshold)
+
 	err = s.srv.Configstore.UpdateSetting(ctx, local, false)
 	if err != nil {
 		return errMap, err
@@ -471,6 +478,11 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 		return errMap, err
 	}
 
+	err = s.srv.Configstore.UpdateSetting(ctx, threshold, false)
+	if err != nil {
+		return errMap, err
+	}
+
 	return errMap, nil
 }
 

From 3d0b2a64a8b255d4e53bd0829a5d04580bc38b60 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 28 Nov 2023 12:50:31 -0700
Subject: [PATCH 067/102] WIP: Overrides

Expanding one override would expand all the rows. Fixed.

Expanded CIDR checking to include IPv6.

Changed OverrideParameters yaml tags: genId => gen_id, thresholdType => type, and no yaml output for CustomFilter.
---
 html/index.html             |  2 +-
 html/js/routes/detection.js | 15 +++++++++++++--
 model/detection.go          | 23 +++++++++++++----------
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4b6cf5665..79fc6ec22 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1182,7 +1182,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                     </div>
                   </v-col>
                   <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
-                    :items="detect.overrides" item-value="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
+                    :items="detect.overrides" item-key="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                     <template v-slot:item="{ item, index }">
                       <tr>
                         <td>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index b757c8c55..0323155fe 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -41,10 +41,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
 			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
 			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
-			cidrFormat: value => (!value || /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value)) || this.i18n.invalidCidr,
 			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
 			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 			fileRequired: value => (value != null) || this.$root.i18n.required,
+			cidrFormat: value => (!value ||
+				/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
+				/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
+			) || this.i18n.invalidCidr,
 		},
 		panel: [0, 1, 2],
 		activeTab: '',
@@ -69,7 +72,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
-		trackOptions: ['by_src', 'by_dst', 'by_both'],
+		trackOptions: ['by_src', 'by_dst', 'by_either'],
   }},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -516,6 +519,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				isEnabled: o.isEnabled,
 			};
 
+			if (o.createdAt) {
+				out.createdAt = o.createdAt;
+			}
+
+			if (o.updatedAt) {
+				out.updatedAt = o.updatedAt;
+			}
+
 			if (engine === 'elastalert') {
 				out.customFilter = o.customFilter;
 			} else {
diff --git a/model/detection.go b/model/detection.go
index eb3b2059d..0e3eef025 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -111,17 +111,17 @@ type Override struct {
 
 type OverrideParameters struct {
 	// suricata
-	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`                 // modify
-	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`                 // modify
-	GenID         *int    `json:"-" yaml:"genId,omitempty"`                               // suppress, threshold
-	ThresholdType *string `json:"thresholdType,omitempty" yaml:"thresholdType,omitempty"` // threshold
-	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`                 // suppress, threshold
-	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`                       // suppress
-	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`                 // threshold
-	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`             // threshold
+	Regex         *string `json:"regex,omitempty" yaml:"regex,omitempty"`        // modify
+	Value         *string `json:"value,omitempty" yaml:"value,omitempty"`        // modify
+	GenID         *int    `json:"-" yaml:"gen_id,omitempty"`                     // suppress, threshold
+	ThresholdType *string `json:"thresholdType,omitempty" yaml:"type,omitempty"` // threshold
+	Track         *string `json:"track,omitempty" yaml:"track,omitempty"`        // suppress, threshold
+	IP            *string `json:"ip,omitempty" yaml:"ip,omitempty"`              // suppress
+	Count         *int    `json:"count,omitempty" yaml:"count,omitempty"`        // threshold
+	Seconds       *int    `json:"seconds,omitempty" yaml:"seconds,omitempty"`    // threshold
 
 	// elastalert
-	CustomFilter *string `json:"customFilter,omitempty" yaml:"customFilter,omitempty"` // modify
+	CustomFilter *string `json:"customFilter,omitempty" yaml:"-"` // modify
 }
 
 func (o Override) MarshalYAML() (interface{}, error) {
@@ -194,13 +194,16 @@ func (o *Override) Validate(engine EngineName) error {
 				return errors.New("unnecessary fields in override")
 			}
 		case OverrideTypeSuppress:
-			if o.Value == nil || o.Track == nil || o.Count == nil || o.Seconds == nil {
+			if o.IP == nil || o.Track == nil {
 				return errors.New("missing required parameter(s)")
 			}
 
 			if o.Regex != nil ||
+				o.Value != nil ||
 				o.GenID != nil ||
 				o.ThresholdType != nil ||
+				o.Count != nil ||
+				o.Seconds != nil ||
 				o.CustomFilter != nil {
 				return errors.New("unnecessary fields in override")
 			}

From 74301417876740e252d3f7dba5f0e18d386c276a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 28 Nov 2023 16:28:44 -0700
Subject: [PATCH 068/102] WIP: Track Options, Override UpdatedAt

Track is a field for both Suppress and Threshold type overrides but it contains different enum values depending on which of those two types, basically Threshold doesn't have `by_either`.

When saving a detection, update the UpdatedAt field for an override when the old detection doesn't have an override with the exact same values regardless of order.
---
 html/index.html             |   4 +-
 html/js/routes/detection.js | 151 +++++++++++++++++++-----------------
 server/detectionhandler.go  |  34 ++++++--
 3 files changed, 108 insertions(+), 81 deletions(-)

diff --git a/html/index.html b/html/index.html
index 79fc6ec22..cdb0134bc 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1155,7 +1155,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                           <!-- (threshold) type -->
                           <v-select v-if="newOverride.type === 'threshold'" id="new-override-threshold-type-edit" v-model="newOverride.thresholdType" :items="thresholdTypes" :rules="[rules.required]" persistent-hint :hint="i18n.thresholdType"></v-select>
                           <!-- track -->
-                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
+                          <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="getTrackOptions(newOverride.type)" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
                           <!-- ip -->
                           <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr"></v-text-field>
                           <!-- count -->
@@ -1263,7 +1263,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             <span id="override-track" v-if="!isOverrideEdit('override-track')" @click="startOverrideEdit('override-track', item, 'track')">
                               {{item.track}}
                             </span>
-                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="trackOptions" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
+                            <v-select v-else id="override-track-edit" ref="override-track" v-model="item.track" :items="getTrackOptions(item.type)" :rules="[rules.required]" persistent-hint :hint="i18n.type" @change="stopOverrideEdit(true)"></v-select>
                           </div>
                           <!-- ip -->
                           <div v-if="item.type === 'suppress'">
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 0323155fe..47f4d1a7c 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -18,8 +18,8 @@ function debounce(fn, wait) {
 }
 
 routes.push({ path: '/detection/:id', name: 'detection', component: {
-  template: '#page-detection',
-  data() { return {
+	template: '#page-detection',
+	data() { return {
 		i18n: this.$root.i18n,
 		presets: {},
 		severityTranslations: {},
@@ -72,22 +72,21 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
-		trackOptions: ['by_src', 'by_dst', 'by_either'],
-  }},
+	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
-  },
-  watch: {
+	},
+	watch: {
 	},
 	mounted() {
 		this.$watch(
-      () => this.$route.params,
-      (to, prev) => {
+			() => this.$route.params,
+			(to, prev) => {
 				this.loadData();
 			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
-  methods: {
+	methods: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
@@ -127,26 +126,26 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
 				this.tagOverrides();
-      } catch (error) {
-        if (error.response != undefined && error.response.status == 404) {
-          this.$root.showError(this.i18n.notFound);
-        } else {
-          this.$root.showError(error);
-        }
+			} catch (error) {
+				if (error.response != undefined && error.response.status == 404) {
+					this.$root.showError(this.i18n.notFound);
+				} else {
+					this.$root.showError(error);
+				}
 			}
 
-      this.$root.stopLoading();
+			this.$root.stopLoading();
 		},
 		getDefaultPreset(preset) {
-      if (this.presets) {
-        const presets = this.presets[preset];
-        if (presets && presets.labels && presets.labels.length > 0) {
-          return presets.labels[0];
-        }
-      }
-      return "";
-    },
-    getPresets(kind) {
+			if (this.presets) {
+				const presets = this.presets[preset];
+				if (presets && presets.labels && presets.labels.length > 0) {
+					return presets.labels[0];
+				}
+			}
+			return "";
+		},
+		getPresets(kind) {
 			if (this.presets && this.presets[kind]) {
 				switch (kind) {
 					case 'severity':
@@ -155,8 +154,18 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					default:
 						return this.presets[kind].labels;
 				}
-      }
-      return [];
+			}
+			return [];
+		},
+		getTrackOptions(type) {
+			switch (type) {
+				case 'threshold':
+					return ['by_src', 'by_dst'];
+				case 'suppress':
+					return ['by_src', 'by_dst', 'by_either'];
+			}
+
+			return [];
 		},
 		capitalizeOptions(opts) {
 			return opts.map(opt => {
@@ -174,12 +183,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			return rules;
 		},
-    isPresetCustomEnabled(kind) {
-      if (this.presets && this.presets[kind]) {
-        return this.presets[kind].customEnabled == true;
-      }
-      return false;
-    },
+		isPresetCustomEnabled(kind) {
+			if (this.presets && this.presets[kind]) {
+				return this.presets[kind].customEnabled == true;
+			}
+			return false;
+		},
 		isNew() {
 			return this.$route.params.id === 'create';
 		},
@@ -434,51 +443,51 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			}
 		},
 		saveSetting(name, value, defaultValue = null) {
-      var item = 'settings.detection.' + name;
-      if (defaultValue == null || value != defaultValue) {
-        localStorage[item] = value;
-      } else {
-        localStorage.removeItem(item);
-      }
-    },
-    saveLocalSettings() {
-      this.saveSetting('sortDesc', this.sortDesc, true);
-      this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
-      this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
-      this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
+			var item = 'settings.detection.' + name;
+			if (defaultValue == null || value != defaultValue) {
+				localStorage[item] = value;
+			} else {
+				localStorage.removeItem(item);
+			}
+		},
+		saveLocalSettings() {
+			this.saveSetting('sortDesc', this.sortDesc, true);
+			this.saveSetting('itemsPerPage', this.itemsPerPage, this.params['eventItemsPerPage']);
+			this.saveSetting('relativeTimeValue', this.relativeTimeValue, this.params['relativeTimeValue']);
+			this.saveSetting('relativeTimeUnit', this.relativeTimeUnit, this.params['relativeTimeUnit']);
 		},
 		sortOverrides(items, index, isDesc) {
-      const route = this;
-      if (index && index.length > 0) {
-        index = index[0];
-      }
-      if (isDesc && isDesc.length > 0) {
-        isDesc = isDesc[0];
-      }
-      items.sort((a, b) => {
-        if (index === "event.severity_label") {
-          return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
-        } else {
-          return route.defaultSort(a[index], b[index], isDesc);
-        }
-      });
-      return items
+			const route = this;
+			if (index && index.length > 0) {
+				index = index[0];
+			}
+			if (isDesc && isDesc.length > 0) {
+				isDesc = isDesc[0];
+			}
+			items.sort((a, b) => {
+				if (index === "event.severity_label") {
+					return route.defaultSort(route.lookupAlertSeverityScore(a[index]), route.lookupAlertSeverityScore(b[index]), isDesc);
+				} else {
+					return route.defaultSort(a[index], b[index], isDesc);
+				}
+			});
+			return items
 		},
 		defaultSort(a, b, isDesc) {
-      if (!isDesc) {
-        return a < b ? -1 : 1;
-      }
-      return b < a ? -1 : 1;
-    },
+			if (!isDesc) {
+				return a < b ? -1 : 1;
+			}
+			return b < a ? -1 : 1;
+		},
 		expand(item) {
-      if (this.isExpanded(item)) {
-        this.expanded = [];
-      } else {
-        this.expanded = [item];
+			if (this.isExpanded(item)) {
+				this.expanded = [];
+			} else {
+				this.expanded = [item];
 			}
 		},
 		isExpanded(item) {
-      return (this.expanded.length > 0 && this.expanded[0] === item);
+			return (this.expanded.length > 0 && this.expanded[0] === item);
 		},
 		createNewOverride() {
 			this.newOverride = {
@@ -637,5 +646,5 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		print(x) {
 			console.log(x);
 		},
-  }
+	}
 }});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 503f7aa47..b3b837155 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -155,20 +155,38 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	now := time.Now()
+
 	for _, over := range detect.Overrides {
 		if over.CreatedAt.IsZero() {
-			over.CreatedAt = time.Now()
+			over.CreatedAt = now
 		}
 
-		if over.UpdatedAt.IsZero() {
-			over.UpdatedAt = time.Now()
+		update := true
+		for i, oldOver := range old.Overrides {
+			if *over == *oldOver {
+				// Did the old detection contain an override with the EXACT same parameters?
+				// If so, we don't need to update the UpdatedAt field.
+				update = false
+
+				// A match was found, the old override can be removed from the list so it
+				// isn't compared to other overrides. i.e. removing it means it can only
+				// match one override in the new list.
+				old.Overrides = append(old.Overrides[:i], old.Overrides[i+1:]...)
+
+				break
+			}
 		}
-	}
 
-	old, err := h.server.Detectionstore.GetDetection(ctx, detect.Id)
-	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
-		return
+		if over.UpdatedAt.IsZero() || update {
+			over.UpdatedAt = now
+		}
 	}
 
 	if old.IsCommunity {

From 24328d09fc6ff376264b97d88fa07f6101117894 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 30 Nov 2023 15:03:53 -0700
Subject: [PATCH 069/102] WIP: ElastAlert enable new community detections

ElastAlert now enables first seen detections from the community. The infohandler now returns more predetermined search queries.
---
 server/infohandler.go                   | 12 ++++++++++++
 server/modules/elastalert/elastalert.go |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/server/infohandler.go b/server/infohandler.go
index 3993ce79c..2295806e4 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -94,6 +94,10 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "Enabled",
 				Query: "so_detection.isEnabled:true",
 			},
+			{
+				Name:  "Disabled",
+				Query: "so_detection.isEnabled:false",
+			},
 			{
 				Name:  "Suricata",
 				Query: "so_detection.engine:suricata",
@@ -106,10 +110,18 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 				Name:  "Suricata Enabled",
 				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
 			},
+			{
+				Name:  "Suricata Disabled",
+				Query: "so_detection.engine:suricata AND so_detection.isEnabled:false",
+			},
 			{
 				Name:  "ElastAlert Enabled",
 				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
 			},
+			{
+				Name:  "ElastAlert Disabled",
+				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:false",
+			},
 		}
 	}
 
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 74dba2c8f..2b781102a 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -422,6 +422,8 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				results.Unchanged++
 			}
 		} else {
+			det.IsEnabled = true
+
 			_, err = e.srv.Detectionstore.CreateDetection(ctx, det)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to create detection: %s", err)

From 05ddbf1884bd8358d46f2f36b80e16350cd52e71 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 19 Dec 2023 11:56:04 -0700
Subject: [PATCH 070/102] WIP: Post-Rebase go mod tidy

Also updated new chi references to chi/v5
---
 go.mod                     | 13 +------------
 go.sum                     | 33 ---------------------------------
 server/detectionhandler.go |  2 +-
 3 files changed, 2 insertions(+), 46 deletions(-)

diff --git a/go.mod b/go.mod
index 29ef986ef..f3e82605c 100644
--- a/go.mod
+++ b/go.mod
@@ -29,23 +29,12 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/deepmap/oapi-codegen v1.12.4 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
+	github.com/oapi-codegen/runtime v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )
diff --git a/go.sum b/go.sum
index e87a28ca7..21746b7b6 100644
--- a/go.sum
+++ b/go.sum
@@ -13,33 +13,14 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deepmap/oapi-codegen v1.16.2/go.mod h1:rdYoEA2GE+riuZ91DvpmBX9hJbQpuY9wchXpfQ3n+ho=
 github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWION0Bh6d9eCFBriiHo=
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
-github.com/deepmap/oapi-codegen v1.12.4 h1:pPmn6qI9MuOtCz82WY2Xaw46EQjgvxednXXrP7g5Q2s=
-github.com/deepmap/oapi-codegen v1.12.4/go.mod h1:3lgHGMu6myQ2vqbbTXH2H1o4eXFTGnFiDaOaKKl5yas=
-github.com/elastic/elastic-transport-go/v8 v8.2.0 h1:hkK5IIs/15mpSXzd5THWVlWTKJyMw6cbCWM3T/B2S5E=
-github.com/elastic/elastic-transport-go/v8 v8.2.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
-github.com/elastic/go-elasticsearch/v8 v8.7.0 h1:ZvbT1YHppBC0QxGnMmaDUxoDa26clwhRaB3Gp5E3UcY=
-github.com/elastic/go-elasticsearch/v8 v8.7.0/go.mod h1:lVb8SvJV8McVkdswpL8YR5QKIkhlWaoSq60YpHilOLI=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
-github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
-github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -53,12 +34,8 @@ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZH
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0 h1:ioBbLmR5NMbAjP4UVA5r9b5xGjpABD7j65pI8kFphDM=
 github.com/influxdata/influxdb-client-go/v2 v2.13.0/go.mod h1:k+spCbt9hcvqvUiz0sr5D8LolXHqAAOfPw9v/RIRHl4=
-github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 h1:W9WBk7wlPfJLvMCdtV4zPulc4uCPrlywQOmbFOhgQNU=
-github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
@@ -80,8 +57,6 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/oapi-codegen/runtime v1.0.0 h1:P4rqFX5fMFWqRzY9M/3YF9+aPSPPB06IzP2P7oOxrWo=
 github.com/oapi-codegen/runtime v1.0.0/go.mod h1:LmCUMQuPB4M/nLXilQXhHw+BLZdDb18B34OO356yJ/A=
-github.com/oapi-codegen/runtime v1.1.0 h1:rJpoNUawn5XTvekgfkvSZr0RqEnoYpFkyvrzfWeFKWM=
-github.com/oapi-codegen/runtime v1.1.0/go.mod h1:BeSfBkWWWnAnGdyS+S/GnlbmHKzf8/hwkvelJZDeKA8=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -94,8 +69,6 @@ github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
-github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
-github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
@@ -104,12 +77,8 @@ github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
@@ -131,8 +100,6 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17 h1:3MTrJm4PyNL9NBqvYDSj3DHl46qQakyfqfWo4jgfaEM=
-golang.org/x/exp v0.0.0-20220303212507-bbda1eaf7a17/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b3b837155..6d0f85748 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -17,7 +17,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/pkg/errors"
 )
 

From 4029190859763ed95248dfae1e747b62d838fe00 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 20 Dec 2023 15:26:51 -0700
Subject: [PATCH 071/102] WIP: ElastAlertEngine Tests

Refactored the ElastAlertEngine to use a new interface for interacting with external resources (Disk and Network). This allows for mocking these resources in the new tests.

Also updated Suricata's tests to include the new thresholding config value used by overrides.
---
 go.mod                                        |   1 +
 go.sum                                        |   2 +
 server/modules/elastalert/elastalert.go       |  75 ++++-
 server/modules/elastalert/elastalert_test.go  | 294 +++++++++++++++---
 .../modules/elastalert/mock/mock_iomanager.go | 113 +++++++
 server/modules/suricata/suricata_test.go      | 163 ++++++++--
 6 files changed, 555 insertions(+), 93 deletions(-)
 create mode 100644 server/modules/elastalert/mock/mock_iomanager.go

diff --git a/go.mod b/go.mod
index f3e82605c..55f718020 100644
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
 require (
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
+	go.uber.org/mock v0.3.0
 )
 
 require (
diff --git a/go.sum b/go.sum
index 21746b7b6..78e55c5b3 100644
--- a/go.sum
+++ b/go.sum
@@ -95,6 +95,8 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
+go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 2b781102a..bc38fb1b9 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -14,6 +14,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/fs"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -38,6 +39,14 @@ var acceptedExtensions = map[string]bool{
 	".yaml": true,
 }
 
+type IOManager interface {
+	ReadFile(path string) ([]byte, error)
+	WriteFile(path string, contents []byte, perm fs.FileMode) error
+	DeleteFile(path string) error
+	ReadDir(path string) ([]os.DirEntry, error)
+	MakeRequest(*http.Request) (*http.Response, error)
+}
+
 type ElastAlertEngine struct {
 	srv                                  *server.Server
 	communityRulesImportFrequencySeconds int
@@ -49,11 +58,13 @@ type ElastAlertEngine struct {
 	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
+	IOManager
 }
 
 func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
 	return &ElastAlertEngine{
-		srv: srv,
+		srv:       srv,
+		IOManager: &ResourceManager{},
 	}
 }
 
@@ -156,7 +167,7 @@ func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections [
 		}
 	}()
 
-	index, err := e.indexExistingRules()
+	index, err := e.IndexExistingRules()
 	if err != nil {
 		return nil, fmt.Errorf("unable to index existing rules: %w", err)
 	}
@@ -174,14 +185,14 @@ func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections [
 				continue
 			}
 
-			err = os.WriteFile(path, []byte(eaRule), 0644)
+			err = e.WriteFile(path, []byte(eaRule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Sprintf("unable to write enabled detection file: %s", err)
 				continue
 			}
 		} else {
 			// was enabled, no longer is enabled: Disable
-			err = os.Remove(path)
+			err = e.DeleteFile(path)
 			if err != nil && !os.IsNotExist(err) {
 				errMap[det.PublicID] = fmt.Sprintf("unable to remove disabled detection file: %s", err)
 				continue
@@ -221,7 +232,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			zipHashes[pkg] = base64.StdEncoding.EncodeToString(h[:])
 		}
 
-		raw, err := os.ReadFile(e.rulesFingerprintFile)
+		raw, err := e.ReadFile(e.rulesFingerprintFile)
 		if err != nil && !os.IsNotExist(err) {
 			log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to read rules fingerprint file")
 			continue
@@ -273,7 +284,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			if err != nil {
 				log.WithError(err).Error("unable to marshal rules fingerprints")
 			} else {
-				err = os.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
+				err = e.WriteFile(e.rulesFingerprintFile, fingerprints, 0644)
 				if err != nil {
 					log.WithError(err).WithField("path", e.rulesFingerprintFile).Error("unable to write rules fingerprint file")
 				}
@@ -367,7 +378,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 }
 
 func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
-	existing, err := e.indexExistingRules()
+	existing, err := e.IndexExistingRules()
 	if err != nil {
 		return nil, err
 	}
@@ -397,7 +408,6 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 
 	errMap = map[string]error{} // map[publicID]error
 
-	// detections = []*model.Detection{}
 	for _, det := range detections {
 		path, ok := index[det.PublicID]
 		if !ok {
@@ -448,14 +458,14 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
 			}
 
-			err = os.WriteFile(path, []byte(rule), 0644)
+			err = e.WriteFile(path, []byte(rule), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to write enabled detection file: %s", err)
 				continue
 			}
 		} else if path != "" {
 			// detection is disabled but a file exists, remove it
-			err = os.Remove(path)
+			err = e.DeleteFile(path)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Errorf("unable to remove disabled detection file: %s", err)
 				continue
@@ -498,7 +508,13 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 	for _, pkg := range e.sigmaRulePackages {
 		download := fmt.Sprintf(e.sigmaPackageDownloadTemplate, pkg)
 
-		resp, err := http.Get(download)
+		req, err := http.NewRequest(http.MethodGet, download, nil)
+		if err != nil {
+			errMap[pkg] = err
+			continue
+		}
+
+		resp, err := e.MakeRequest(req)
 		if err != nil {
 			errMap[pkg] = err
 			continue
@@ -523,12 +539,12 @@ func (e *ElastAlertEngine) downloadSigmaPackages(ctx context.Context) (zipData m
 	return zipData, errMap
 }
 
-// indexExistingRules maps the publicID of a detection to the path of the rule file.
+// IndexExistingRules maps the publicID of a detection to the path of the rule file.
 // Note that it indexes ALL rules and not just community rules.
-func (e *ElastAlertEngine) indexExistingRules() (index map[string]string, err error) {
+func (e *ElastAlertEngine) IndexExistingRules() (index map[string]string, err error) {
 	index = map[string]string{} // map[id | title]path
 
-	rules, err := os.ReadDir(e.elastAlertRulesFolder)
+	rules, err := e.ReadDir(e.elastAlertRulesFolder)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read elastalert rules directory: %w", err)
 	}
@@ -582,7 +598,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 	req.Header.Add("Content-Type", "application/json")
 
 	// send request
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := e.MakeRequest(req)
 	if err != nil {
 		return "", err
 	}
@@ -763,7 +779,7 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	// apply the first (should only have 1) CustomFilter override if any
 	for _, o := range det.Overrides {
-		if o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
+		if o.IsEnabled && o.Type == model.OverrideTypeCustomFilter && o.CustomFilter != nil {
 			rule = fmt.Sprintf("(%s) and %s", rule, *o.CustomFilter)
 			break
 		}
@@ -775,7 +791,7 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 		EventModule:   "elastalert",
 		EventDataset:  "elastalert.alert",
 		EventSeverity: sevNum,
-		RuleCategory:  "TBD",
+		RuleCategory:  "", // TODO: what should this be?
 		SigmaLevel:    string(det.Severity),
 		Alert:         []string{"modules.so.playbook-es.PlaybookESAlerter"},
 		Index:         ".ds-logs-*",
@@ -799,3 +815,28 @@ func wrapRule(det *model.Detection, rule string) (string, error) {
 
 	return string(rawYaml), nil
 }
+
+// go install go.uber.org/mock/mockgen@latest
+//go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+
+type ResourceManager struct{}
+
+func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
+	return os.ReadFile(path)
+}
+
+func (_ *ResourceManager) WriteFile(path string, contents []byte, perm fs.FileMode) error {
+	return os.WriteFile(path, contents, perm)
+}
+
+func (_ *ResourceManager) DeleteFile(path string) error {
+	return os.Remove(path)
+}
+
+func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
+	return os.ReadDir(path)
+}
+
+func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	return http.DefaultClient.Do(req)
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index e5e39cb92..f304deaed 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -9,17 +9,23 @@ import (
 	"archive/zip"
 	"bytes"
 	"context"
+	"io"
+	"io/fs"
 	"net/http"
-	"net/http/httptest"
 	"sort"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
-	"gopkg.in/yaml.v3"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert/mock"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 
 	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+	"gopkg.in/yaml.v3"
 )
 
 func TestElastAlertModule(t *testing.T) {
@@ -191,21 +197,20 @@ func TestTimeFrame(t *testing.T) {
 }
 
 func TestSigmaToElastAlertSunnyDay(t *testing.T) {
-	callCount := 0
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, http.MethodPost, r.Method)
+	ctrl := gomock.NewController(t)
 
-		w.WriteHeader(http.StatusOK)
-		_, err := w.Write([]byte("<eql>"))
-		assert.NoError(t, err)
-
-		callCount++
-	}))
-	defer srv.Close()
+	mio := mock.NewMockIOManager(ctrl)
+	body := "<eql>"
+	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
+		StatusCode:    http.StatusOK,
+		Body:          io.NopCloser(strings.NewReader(body)),
+		ContentLength: int64(len(body)),
+	}, nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       srv.URL,
+		sigconverterUrl:       "localhost:8000/convert",
 		sigmaConversionTarget: "eql",
+		IOManager:             mio,
 	}
 
 	det := &model.Detection{
@@ -225,7 +230,7 @@ play_id: 00000000-0000-0000-0000-000000000000
 event.module: elastalert
 event.dataset: elastalert.alert
 event.severity: 4
-rule.category: TBD
+rule.category: ""
 sigma_level: high
 alert:
     - modules.so.playbook-es.PlaybookESAlerter
@@ -239,26 +244,24 @@ kibana_pivot: kibana_pivot
 soc_pivot: soc_pivot
 `
 	assert.YAMLEq(t, expected, wrappedRule)
-	assert.Equal(t, 1, callCount)
 }
 
 func TestSigmaToElastAlertError(t *testing.T) {
-	callCount := 0
-	msg := "something went wrong"
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, http.MethodPost, r.Method)
+	ctrl := gomock.NewController(t)
 
-		w.WriteHeader(http.StatusOK)
-		_, err := w.Write([]byte("Error: " + msg))
-		assert.NoError(t, err)
-
-		callCount++
-	}))
-	defer srv.Close()
+	mio := mock.NewMockIOManager(ctrl)
+	msg := "something went wrong"
+	body := "Error: " + msg
+	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
+		StatusCode:    http.StatusOK,
+		Body:          io.NopCloser(strings.NewReader(body)),
+		ContentLength: int64(len(body)),
+	}, nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       srv.URL,
+		sigconverterUrl:       "localhost:3000/convert",
 		sigmaConversionTarget: "eql",
+		IOManager:             mio,
 	}
 
 	det := &model.Detection{
@@ -271,7 +274,7 @@ func TestSigmaToElastAlertError(t *testing.T) {
 	}
 
 	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
-	assert.Equal(t, "", wrappedRule)
+	assert.Empty(t, wrappedRule)
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, msg)
 }
@@ -336,28 +339,31 @@ level: high
 func TestDownloadSigmaPackages(t *testing.T) {
 	t.Parallel()
 
-	callCount := 0
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		callCount++
-
-		if r.RequestURI == "/fake.zip" {
-			w.WriteHeader(http.StatusNotFound)
-			return
-		}
+	ctrl := gomock.NewController(t)
 
-		assert.Equal(t, http.MethodGet, r.Method)
+	mio := mock.NewMockIOManager(ctrl)
+	body := "data"
 
-		w.WriteHeader(http.StatusOK)
-		w.Write([]byte("data"))
+	for i := 0; i < 5; i++ {
+		// can't use mock's Times(x) because the first response's body
+		// closing will result in remaining requests getting 0 data
+		mio.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+			StatusCode:    http.StatusOK,
+			Body:          io.NopCloser(strings.NewReader(body)),
+			ContentLength: int64(len(body)),
+		}, nil)
+	}
 
-	}))
-	defer srv.Close()
+	mio.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+		StatusCode: http.StatusNotFound,
+	}, nil)
 
 	pkgs := []string{"core", "core+", "core++", "emerging_threats_addon", "all_rules", "fake"}
 
 	engine := ElastAlertEngine{
 		sigmaRulePackages:            pkgs,
-		sigmaPackageDownloadTemplate: srv.URL + "/%s.zip",
+		sigmaPackageDownloadTemplate: "localhost:3000/%s.zip",
+		IOManager:                    mio,
 	}
 
 	pkgZips, errMap := engine.downloadSigmaPackages(context.Background())
@@ -366,8 +372,208 @@ func TestDownloadSigmaPackages(t *testing.T) {
 	assert.Len(t, pkgZips, len(pkgs)-1)
 
 	for _, pkg := range pkgs[:len(pkgs)-1] {
-		assert.Equal(t, []byte("data"), pkgZips[pkg])
+		assert.Equal(t, []byte(body), pkgZips[pkg])
 	}
+}
+
+const (
+	SimpleRuleSID = "10000"
+	SimpleRule    = `title: Griffon Malware Attack Pattern
+	id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
+	status: experimental
+	description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+	references:
+			- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
+	author: Nasreddine Bencherchali (Nextron Systems)
+	date: 2023/03/09
+	tags:
+			- attack.execution
+			- detection.emerging_threats
+	logsource:
+			category: process_creation
+			product: windows
+	detection:
+			selection:
+					CommandLine|contains|all:
+							- '\local\temp\'
+							- '//b /e:jscript'
+							- '.txt'
+			condition: selection
+	falsepositives:
+			- Unlikely
+	level: critical`
+)
+
+type MockDirEntry struct {
+	name  string
+	isDir bool
+	typ   fs.FileMode
+}
 
-	assert.Equal(t, len(pkgs), callCount)
+func (mde *MockDirEntry) Name() string {
+	return mde.name
+}
+
+func (mde *MockDirEntry) IsDir() bool {
+	return mde.isDir
+}
+
+func (mde *MockDirEntry) Type() fs.FileMode {
+	return mde.typ
+}
+
+func (mde *MockDirEntry) ModTime() time.Time {
+	return time.Now()
+}
+
+func (mde *MockDirEntry) Mode() fs.FileMode {
+	return mde.typ
+}
+
+func (mde *MockDirEntry) Size() int64 {
+	return 100
+}
+
+func (mde *MockDirEntry) Sys() any {
+	return nil
+}
+
+func (mde *MockDirEntry) Info() (fs.FileInfo, error) {
+	return mde, nil
+}
+
+func TestSyncElastAlert(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name           string
+		Detections     []*model.Detection
+		InitMock       func(*ElastAlertEngine, *mock.MockIOManager)
+		ExpectedErr    error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Enable New Simple Rule",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Title:     "TEST",
+					Auditable: model.Auditable{
+						Id: SimpleRuleSID,
+					},
+					Severity: model.SeverityMedium,
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
+				// sigmaToElastAlert
+				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+					StatusCode: http.StatusOK,
+					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
+				}, nil)
+				// WriteFile when enabling
+				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: '[sigma rule]'\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
+			},
+		},
+		{
+			Name: "Disable Simple Rule",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					IsEnabled: false,
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				filename := SimpleRuleSID + ".yml"
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{
+					&MockDirEntry{
+						name: filename,
+					},
+					&MockDirEntry{
+						name:  "ignored_dir",
+						isDir: true,
+					},
+					&MockDirEntry{
+						name: "ignored.txt",
+					},
+				}, nil)
+				// DeleteFile when disabling
+				m.EXPECT().DeleteFile(filename).Return(nil)
+			},
+		},
+		{
+			Name: "Enable Rule w/Override",
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Title:     "TEST",
+					Auditable: model.Auditable{
+						Id: SimpleRuleSID,
+					},
+					Severity: model.SeverityMedium,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeCustomFilter,
+							IsEnabled: false,
+							OverrideParameters: model.OverrideParameters{
+								CustomFilter: util.Ptr("FALSE"),
+							},
+						},
+						{
+							Type:      model.OverrideTypeCustomFilter,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								CustomFilter: util.Ptr("TRUE"),
+							},
+						},
+					},
+				},
+			},
+			InitMock: func(mod *ElastAlertEngine, m *mock.MockIOManager) {
+				// IndexExistingRules
+				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
+				// sigmaToElastAlert
+				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
+					StatusCode: http.StatusOK,
+					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
+				}, nil)
+				// WriteFile when enabling
+				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: ([sigma rule]) and TRUE\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+
+			mockIO := mock.NewMockIOManager(ctrl)
+
+			mod := NewElastAlertEngine(&server.Server{
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+			})
+
+			mod.IOManager = mockIO
+			mod.srv.DetectionEngines[model.EngineNameElastAlert] = mod
+
+			if test.InitMock != nil {
+				test.InitMock(mod, mockIO)
+			}
+
+			errMap, err := mod.SyncLocalDetections(ctx, test.Detections)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+		})
+	}
 }
diff --git a/server/modules/elastalert/mock/mock_iomanager.go b/server/modules/elastalert/mock/mock_iomanager.go
new file mode 100644
index 000000000..a1508daf0
--- /dev/null
+++ b/server/modules/elastalert/mock/mock_iomanager.go
@@ -0,0 +1,113 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert (interfaces: IOManager)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	fs "io/fs"
+	http "net/http"
+	reflect "reflect"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockIOManager is a mock of IOManager interface.
+type MockIOManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockIOManagerMockRecorder
+}
+
+// MockIOManagerMockRecorder is the mock recorder for MockIOManager.
+type MockIOManagerMockRecorder struct {
+	mock *MockIOManager
+}
+
+// NewMockIOManager creates a new mock instance.
+func NewMockIOManager(ctrl *gomock.Controller) *MockIOManager {
+	mock := &MockIOManager{ctrl: ctrl}
+	mock.recorder = &MockIOManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIOManager) EXPECT() *MockIOManagerMockRecorder {
+	return m.recorder
+}
+
+// DeleteFile mocks base method.
+func (m *MockIOManager) DeleteFile(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteFile", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteFile indicates an expected call of DeleteFile.
+func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
+}
+
+// MakeRequest mocks base method.
+func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MakeRequest", arg0)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MakeRequest indicates an expected call of MakeRequest.
+func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
+}
+
+// ReadDir mocks base method.
+func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadDir", arg0)
+	ret0, _ := ret[0].([]fs.DirEntry)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadDir indicates an expected call of ReadDir.
+func (mr *MockIOManagerMockRecorder) ReadDir(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadDir", reflect.TypeOf((*MockIOManager)(nil).ReadDir), arg0)
+}
+
+// ReadFile mocks base method.
+func (m *MockIOManager) ReadFile(arg0 string) ([]byte, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadFile", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadFile indicates an expected call of ReadFile.
+func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
+}
+
+// WriteFile mocks base method.
+func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WriteFile", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WriteFile indicates an expected call of WriteFile.
+func (mr *MockIOManagerMockRecorder) WriteFile(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteFile", reflect.TypeOf((*MockIOManager)(nil).WriteFile), arg0, arg1, arg2)
+}
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 81110b21f..c1eea1de4 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -32,6 +32,7 @@ func emptySettings() []*model.Setting {
 		{Id: "idstools.sids.enabled"},
 		{Id: "idstools.sids.disabled"},
 		{Id: "idstools.sids.modify"},
+		{Id: "suricata.thresholding.sids__yaml"},
 	}
 }
 
@@ -374,10 +375,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + SimpleRule,
-				"idstools.sids.enabled":       "\n" + SimpleRuleSID,
-				"idstools.sids.disabled":      "\n# " + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -391,10 +393,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + SimpleRule,
-				"idstools.sids.enabled":       "\n# " + SimpleRuleSID,
-				"idstools.sids.disabled":      "\n" + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n# " + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n" + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -404,6 +407,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.disabled", Value: SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -413,10 +417,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": SimpleRule,
-				"idstools.sids.enabled":       SimpleRuleSID,
-				"idstools.sids.disabled":      "# " + SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            SimpleRuleSID,
+				"idstools.sids.disabled":           "# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -426,6 +431,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: SimpleRuleSID},
 				{Id: "idstools.sids.disabled", Value: "# " + SimpleRuleSID},
 				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -435,10 +441,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": SimpleRule,
-				"idstools.sids.enabled":       "# " + SimpleRuleSID,
-				"idstools.sids.disabled":      SimpleRuleSID,
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            "# " + SimpleRuleSID,
+				"idstools.sids.disabled":           SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -452,10 +459,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
-				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":            "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -469,10 +477,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": "\n" + FlowbitsRuleA,
-				"idstools.sids.enabled":       "\n" + FlowbitsRuleASID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules":      "\n" + FlowbitsRuleA,
+				"idstools.sids.enabled":            "\n" + FlowbitsRuleASID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "\n" + FlowbitsRuleASID + ` "flowbits" "noalert; flowbits"`,
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -482,6 +491,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
 				{Id: "idstools.sids.disabled", Value: ""},
 				{Id: "idstools.sids.modify", Value: FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -491,10 +501,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": FlowbitsRuleB,
-				"idstools.sids.enabled":       FlowbitsRuleBSID,
-				"idstools.sids.disabled":      "",
-				"idstools.sids.modify":        "",
+				"idstools.rules.local__rules":      FlowbitsRuleB,
+				"idstools.sids.enabled":            FlowbitsRuleBSID,
+				"idstools.sids.disabled":           "",
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -504,6 +515,7 @@ func TestSyncSuricata(t *testing.T) {
 				{Id: "idstools.sids.enabled", Value: FlowbitsRuleBSID},
 				{Id: "idstools.sids.disabled", Value: "# " + FlowbitsRuleBSID},
 				{Id: "idstools.sids.modify", Value: ""},
+				{Id: "suricata.thresholding.sids__yaml"},
 			},
 			Detections: []*model.Detection{
 				{
@@ -513,10 +525,11 @@ func TestSyncSuricata(t *testing.T) {
 				},
 			},
 			ExpectedSettings: map[string]string{
-				"idstools.rules.local__rules": FlowbitsRuleB,
-				"idstools.sids.enabled":       FlowbitsRuleBSID,
-				"idstools.sids.disabled":      "# " + FlowbitsRuleBSID,
-				"idstools.sids.modify":        "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+				"idstools.rules.local__rules":      FlowbitsRuleB,
+				"idstools.sids.enabled":            FlowbitsRuleBSID,
+				"idstools.sids.disabled":           "# " + FlowbitsRuleBSID,
+				"idstools.sids.modify":             "\n" + FlowbitsRuleBSID + ` "flowbits" "noalert; flowbits"`,
+				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
 		{
@@ -547,6 +560,92 @@ func TestSyncSuricata(t *testing.T) {
 				"0": `rule does not contain a SID; rule=alert http any any -> any any (msg:"This rule doesn't have a SID";)`,
 			},
 		},
+		{
+			Name:            "Thresholding (Modify)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeModify,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								Regex: util.Ptr("rev:7;"),
+								Value: util.Ptr("rev:8;"),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - modify:\n        regex: rev:7;\n        value: rev:8;\n",
+			},
+		},
+		{
+			Name:            "Thresholding (Suppress)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeSuppress,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								Track: util.Ptr("by_src"),
+								IP:    util.Ptr("0.0.0.0"),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - suppress:\n        gen_id: 1\n        track: by_src\n        ip: 0.0.0.0\n",
+			},
+		},
+		{
+			Name:            "Thresholding (Threshold)",
+			InitialSettings: emptySettings(),
+			Detections: []*model.Detection{
+				{
+					PublicID:  SimpleRuleSID,
+					Content:   SimpleRule,
+					IsEnabled: true,
+					Overrides: []*model.Override{
+						{
+							Type:      model.OverrideTypeThreshold,
+							IsEnabled: true,
+							OverrideParameters: model.OverrideParameters{
+								ThresholdType: util.Ptr("limit"),
+								Track:         util.Ptr("by_src"),
+								Count:         util.Ptr(5),
+								Seconds:       util.Ptr(60),
+							},
+						},
+					},
+				},
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      "\n" + SimpleRule,
+				"idstools.sids.enabled":            "\n" + SimpleRuleSID,
+				"idstools.sids.disabled":           "\n# " + SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "\"10000\":\n    - threshold:\n        gen_id: 1\n        type: limit\n        track: by_src\n        count: 5\n        seconds: 60\n",
+			},
+		},
 	}
 
 	ctx := context.Background()

From 38df3b0f0962ef0930034c0673c2a44c8d4dbc33 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 29 Dec 2023 15:00:43 -0700
Subject: [PATCH 072/102] WIP: Yara Parser

To thoroughly test the parser, the process loads all the stored rules from the yara rules folder but does not attempt to sync them to elasticsearch. Also includes tests with hand crafted queries with "features" found in the community rules.

Currently the only error this should run across is a legitimate error in a source rule: https://github.com/Security-Onion-Solutions/securityonion-yara/blob/master/yara/cn_pentestset_webshells.yar#L744
---
 config/config.go                        |   4 +
 model/detection.go                      |   6 +-
 server/modules/modules.go               |   2 +
 server/modules/modules_test.go          |   1 +
 server/modules/strelka/strelka.go       | 174 ++++++++++
 server/modules/strelka/validate.go      | 331 +++++++++++++++++++
 server/modules/strelka/validate_test.go | 414 ++++++++++++++++++++++++
 7 files changed, 929 insertions(+), 3 deletions(-)
 create mode 100644 server/modules/strelka/strelka.go
 create mode 100644 server/modules/strelka/validate.go
 create mode 100644 server/modules/strelka/validate_test.go

diff --git a/config/config.go b/config/config.go
index 21b18350e..d6523bbfc 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,5 +59,9 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		"sigconverterUrl":                      "http://localhost:8000/sigma",
 	}
 
+	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
+		"yaraRulesFolder": "/tmp/socdev/so/conf/strelka/rules",
+	}
+
 	return cfg, err
 }
diff --git a/model/detection.go b/model/detection.go
index 0e3eef025..a72fa445c 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -41,7 +41,7 @@ const (
 	IDTypeSID  IDType = "sid"
 
 	EngineNameSuricata   EngineName = "suricata"
-	EngineNameYara       EngineName = "yara"
+	EngineNameStrelka       EngineName = "strelka"
 	EngineNameElastAlert EngineName = "elastalert"
 
 	OverrideTypeSuppress     OverrideType = "suppress"
@@ -58,8 +58,8 @@ var (
 			ScanType:    ScanTypePackets,
 			SigLanguage: SigLangSuricata,
 		},
-		EngineNameYara: {
-			Name:        string(EngineNameYara),
+		EngineNameStrelka: {
+			Name:        string(EngineNameStrelka),
 			IDType:      IDTypeUUID,
 			ScanType:    ScanTypeFiles,
 			SigLanguage: SigLangYara,
diff --git a/server/modules/modules.go b/server/modules/modules.go
index abb9ca71b..ce07a6892 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -20,6 +20,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/sostatus"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/statickeyauth"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/staticrbac"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/thehive"
 )
@@ -39,6 +40,7 @@ func BuildModuleMap(srv *server.Server) map[string]module.Module {
 	moduleMap["thehive"] = thehive.NewTheHive(srv)
 	moduleMap["suricataengine"] = suricata.NewSuricataEngine(srv)
 	moduleMap["elastalertengine"] = elastalert.NewElastAlertEngine(srv)
+	moduleMap["strelkaengine"] = strelka.NewStrelkaEngine(srv)
 
 	return moduleMap
 }
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index e4880a6f6..8387a0afc 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -27,6 +27,7 @@ func TestBuildModuleMap(t *testing.T) {
 	findModule(t, mm, "thehive")
 	findModule(t, mm, "suricataengine")
 	findModule(t, mm, "elastalertengine")
+	findModule(t, mm, "strelkaengine")
 }
 
 func findModule(t *testing.T, mm map[string]module.Module, module string) {
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
new file mode 100644
index 000000000..b6866957d
--- /dev/null
+++ b/server/modules/strelka/strelka.go
@@ -0,0 +1,174 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"context"
+	"io/fs"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/apex/log"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+)
+
+type IOManager interface {
+	ReadFile(path string) ([]byte, error)
+	WriteFile(path string, contents []byte, perm fs.FileMode) error
+	DeleteFile(path string) error
+	ReadDir(path string) ([]os.DirEntry, error)
+	MakeRequest(*http.Request) (*http.Response, error)
+}
+
+type StrelkaEngine struct {
+	srv             *server.Server
+	isRunning       bool
+	thread          *sync.WaitGroup
+	yaraRulesFolder string
+	IOManager
+}
+
+func NewStrelkaEngine(srv *server.Server) *StrelkaEngine {
+	return &StrelkaEngine{
+		srv:       srv,
+		IOManager: &ResourceManager{},
+	}
+}
+
+func (e *StrelkaEngine) PrerequisiteModules() []string {
+	return nil
+}
+
+func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
+	e.thread = &sync.WaitGroup{}
+
+	e.yaraRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/conf/strelka/rules")
+
+	return nil
+}
+
+func (e *StrelkaEngine) Start() error {
+	e.srv.DetectionEngines[model.EngineNameStrelka] = e
+	e.isRunning = true
+
+	go e.startCommunityRuleImport()
+
+	return nil
+}
+
+func (e *StrelkaEngine) Stop() error {
+	e.isRunning = false
+
+	return nil
+}
+
+func (e *StrelkaEngine) IsRunning() bool {
+	return e.isRunning
+}
+
+func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
+	_, err := ParseYaraRules([]byte(data))
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}
+
+func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
+	return nil, nil
+}
+
+func (e *StrelkaEngine) startCommunityRuleImport() {
+	for e.isRunning {
+		time.Sleep(time.Second * 10)
+		if !e.isRunning {
+			break
+		}
+
+		start := time.Now()
+
+		files, err := e.ReadDir(e.yaraRulesFolder)
+		if err != nil {
+			log.WithError(err).Error("Failed to read yara rules folder")
+			continue
+		}
+
+		rules := []*YaraRule{}
+		errors := 0
+
+		for _, file := range files {
+			ext := filepath.Ext(file.Name())
+			if file.IsDir() || strings.ToLower(ext) != ".yar" {
+				continue
+			}
+
+			filename := e.yaraRulesFolder + "/" + file.Name()
+
+			raw, err := e.ReadFile(filename)
+			if err != nil {
+				log.WithError(err).WithField("file", filename).Error("failed to read yara rule file")
+				errors++
+
+				continue
+			}
+
+			parsed, err := ParseYaraRules(raw)
+			if err != nil {
+				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
+				errors++
+
+				continue
+			}
+
+			rules = append(rules, parsed...)
+		}
+
+		log.WithFields(log.Fields{
+			"files":  len(files),
+			"rules":  len(rules),
+			"errors": errors,
+			"exTime": time.Since(start).Seconds(),
+		}).Info("parsed yara community rules")
+
+		_, _ = e.syncCommunityDetections(context.Background(), nil)
+	}
+}
+
+func (e *StrelkaEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+	return nil, nil
+}
+
+// go install go.uber.org/mock/mockgen@latest
+//go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+
+type ResourceManager struct{}
+
+func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
+	return os.ReadFile(path)
+}
+
+func (_ *ResourceManager) WriteFile(path string, contents []byte, perm fs.FileMode) error {
+	return os.WriteFile(path, contents, perm)
+}
+
+func (_ *ResourceManager) DeleteFile(path string) error {
+	return os.Remove(path)
+}
+
+func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
+	return os.ReadDir(path)
+}
+
+func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	return http.DefaultClient.Do(req)
+}
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
new file mode 100644
index 000000000..e2a0f8b3c
--- /dev/null
+++ b/server/modules/strelka/validate.go
@@ -0,0 +1,331 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+)
+
+type parseState int
+
+const (
+	parseStateImportsID parseState = iota
+	parseStateWatchForHeader
+	parseStateInSection
+)
+
+type YaraRule struct {
+	Imports    []string
+	Identifier string
+	Meta       Metadata
+	Strings    []string
+	Condition  string
+}
+
+type Metadata struct {
+	Author      *string
+	Date        *string
+	Version     *string
+	Reference   *string
+	Description *string
+	Rest        map[string]string
+}
+
+func (md *Metadata) IsEmpty() bool {
+	return md.Author == nil && md.Date == nil && md.Version == nil && md.Reference == nil && md.Description == nil && len(md.Rest) == 0
+}
+
+func (md *Metadata) Set(key, value string) {
+	key = strings.ToLower(key)
+	switch key {
+	case "author":
+		md.Author = util.Ptr(value)
+	case "date":
+		md.Date = util.Ptr(value)
+	case "version":
+		md.Version = util.Ptr(value)
+	case "reference":
+		md.Reference = util.Ptr(value)
+	case "description":
+		md.Description = util.Ptr(value)
+	default:
+		if md.Rest == nil {
+			md.Rest = make(map[string]string)
+		}
+		md.Rest[key] = value
+	}
+}
+
+func ParseYaraRules(data []byte) ([]*YaraRule, error) {
+	rules := []*YaraRule{}
+	rule := &YaraRule{}
+
+	state := parseStateImportsID
+
+	raw := string(data)
+	buffer := bytes.NewBuffer([]byte{})
+	last := ' '
+	curCommentType := ' ' // either '/' or '*' if in a comment, ' ' if not in comment
+	curHeader := ""       // meta, strings, condition, or empty if not yet in a section
+	curQuotes := ' '      // either ' or " if in a string, ' ' if not in a string
+
+	for i, r := range raw {
+		if r == '\r' {
+			continue
+		}
+		if (curCommentType == '*' && last == '*' && r == '/') ||
+			(curCommentType == '/' && r == '\n') {
+			curCommentType = ' '
+
+			if last == '*' {
+				last = r
+				continue
+			}
+		}
+
+		if last == '/' && curQuotes == ' ' && curCommentType == ' ' {
+			if r == '/' {
+				curCommentType = '/'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			} else if r == '*' {
+				curCommentType = '*'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			}
+		}
+
+		if curCommentType != ' ' {
+			// in a comment, skip everything
+			last = r
+			continue
+		}
+
+	reevaluateState:
+		switch state {
+		case parseStateImportsID:
+			switch r {
+			case '\n':
+				// is this an import?
+				buf := buffer.String() // expected: `import "foo"`
+				if strings.HasPrefix(buf, "import ") {
+					buf = strings.TrimSpace(strings.TrimPrefix(buf, "import "))
+					buf = strings.Trim(buf, `"`)
+
+					rule.Imports = append(rule.Imports, buf)
+
+					buffer.Reset()
+				}
+			case '{':
+				buf := strings.TrimSpace(buffer.String()) // expected: `rule foo {` or `rule foo\n{`
+				buf = strings.TrimSpace(strings.TrimPrefix(buf, "rule"))
+
+				if strings.Contains(buf, ":") {
+					// gets rid of inheritance?
+					// rule This : That {...} becomes "This"
+					parts := strings.SplitN(buf, ":", 2)
+					buf = strings.TrimSpace(parts[0])
+				}
+
+				if buf != "" {
+					rule.Identifier = buf
+				} else {
+					return nil, errors.New(fmt.Sprintf("expected rule identifier at %d", i))
+				}
+
+				buffer.Reset()
+
+				state = parseStateWatchForHeader
+			default:
+				buffer.WriteRune(r)
+			}
+		case parseStateWatchForHeader:
+			buf := strings.TrimSpace(buffer.String())
+			if r == '\n' && len(buf) != 0 && buf[len(buf)-1] == ':' {
+				curHeader = strings.ToLower(strings.TrimSpace(strings.TrimSuffix(buf, ":")))
+				buffer.Reset()
+
+				if curHeader != "meta" &&
+					curHeader != "strings" &&
+					curHeader != "condition" {
+					return nil, errors.New(fmt.Sprintf("unexpected header at %d: %s", i, curHeader))
+				}
+
+				state = parseStateInSection
+			} else {
+				buffer.WriteRune(r)
+			}
+		case parseStateInSection:
+			if r == '\n' {
+				buf := strings.TrimSpace(buffer.String())
+				if len(buf) != 0 && buf[len(buf)-1] == ':' && !strings.HasPrefix(buf, "for ") {
+					// found a header, new section
+					state = parseStateWatchForHeader
+					goto reevaluateState
+				} else {
+					if buf != "" {
+						switch curHeader {
+						case "meta":
+							parts := strings.SplitN(buf, "=", 2)
+							if len(parts) != 2 {
+								return nil, errors.New(fmt.Sprintf("invalid meta line at %d: %s", i, buf))
+							}
+
+							key := strings.TrimSpace(parts[0])
+							value := strings.TrimSpace(parts[1])
+
+							rule.Meta.Set(key, value)
+						case "strings":
+							rule.Strings = append(rule.Strings, buf)
+						case "condition":
+							rule.Condition = strings.TrimSpace(rule.Condition + " " + buf)
+						}
+					}
+
+					buffer.Reset()
+				}
+			} else if r == '}' && len(strings.TrimSpace(buffer.String())) == 0 && curQuotes != '}' {
+				// end of rule
+				rules = append(rules, rule)
+				imports := rule.Imports
+				buffer.Reset()
+
+				state = parseStateImportsID
+				curHeader = ""
+				curQuotes = ' '
+				rule = &YaraRule{}
+
+				if len(imports) > 0 {
+					rule.Imports = append([]string{}, imports...)
+				}
+			} else {
+				buffer.WriteRune(r)
+				if (r == '\'' || r == '"' || r == '{') && last != '\\' && curQuotes == ' ' {
+					// starting a string
+					if r == '{' {
+						curQuotes = '}'
+					} else {
+						curQuotes = r
+					}
+				} else if curQuotes != ' ' && r == curQuotes && last != '\\' {
+					// ending a string
+					curQuotes = ' '
+				}
+			}
+		}
+
+		if r == '\\' && last == '\\' && curQuotes != ' ' {
+			// this is an escaped slash in the middle of a string,
+			// so we need to remove the previous slash so it's not
+			// mistaken for an escape character in case this is the
+			// last character in the string
+			last = ' '
+		} else {
+			last = r
+		}
+	}
+
+	if state != parseStateImportsID || len(strings.TrimSpace(buffer.String())) != 0 {
+		return nil, errors.New("unexpected end of rule")
+	}
+
+	return rules, nil
+}
+
+func (r *YaraRule) String() string {
+	buffer := bytes.NewBuffer([]byte{})
+
+	// imports
+	for _, i := range r.Imports {
+		line := fmt.Sprintf("import \"%s\"\n", i)
+		buffer.WriteString(line)
+	}
+
+	if len(r.Imports) > 0 {
+		buffer.WriteString("\n")
+	}
+
+	// identifier
+	buffer.WriteString(fmt.Sprintf("rule %s {\n", r.Identifier))
+
+	// meta
+	if !r.Meta.IsEmpty() {
+		buffer.WriteString("\tmeta:\n")
+
+		if r.Meta.Author != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tauthor = %s\n", *r.Meta.Author))
+		}
+
+		if r.Meta.Date != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tdate = %s\n", *r.Meta.Date))
+		}
+
+		if r.Meta.Version != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tversion = %s\n", *r.Meta.Version))
+		}
+
+		if r.Meta.Reference != nil {
+			buffer.WriteString(fmt.Sprintf("\t\treference = %s\n", *r.Meta.Reference))
+		}
+
+		if r.Meta.Description != nil {
+			buffer.WriteString(fmt.Sprintf("\t\tdescription = %s\n", *r.Meta.Description))
+		}
+
+		keys := []string{}
+		for k := range r.Meta.Rest {
+			keys = append(keys, k)
+		}
+
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			buffer.WriteString(fmt.Sprintf("\t\t%s = %s\n", k, r.Meta.Rest[k]))
+		}
+
+		buffer.WriteString("\n")
+	}
+
+	// strings
+	if len(r.Strings) > 0 {
+		buffer.WriteString("\tstrings:\n")
+
+		for _, s := range r.Strings {
+			buffer.WriteString(fmt.Sprintf("\t\t%s\n", s))
+		}
+	}
+
+	// condition and closing bracket
+	buffer.WriteString(fmt.Sprintf("\n\tcondition:\n\t\t%s\n}", r.Condition))
+
+	return buffer.String()
+}
+
+func (r *YaraRule) Validate() error {
+	missing := []string{}
+
+	if r.Identifier == "" {
+		missing = append(missing, "identifier")
+	}
+
+	if r.Condition == "" {
+		missing = append(missing, "condition")
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("missing required fields: %s", strings.Join(missing, ", "))
+	}
+
+	return nil
+}
diff --git a/server/modules/strelka/validate_test.go b/server/modules/strelka/validate_test.go
new file mode 100644
index 000000000..4439afd4c
--- /dev/null
+++ b/server/modules/strelka/validate_test.go
@@ -0,0 +1,414 @@
+// Copyright 2020-2023 Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+// https://securityonion.net/license; you may not use this file except in compliance with the
+// Elastic License 2.0.
+
+package strelka
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/security-onion-solutions/securityonion-soc/util"
+	"github.com/stretchr/testify/assert"
+)
+
+const BasicRule = `rule ExampleRule
+{
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const BasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		mY_iDeNtIfIeR_2 = 24
+		MY_IDENTIFIER_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NormalizedBasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		my_identifier_2 = 24
+		my_identifier_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const RegexRule = `rule RegExpExample1
+{
+	strings:
+		$re1 = /md5: [0-9a-fA-F]{32}/
+		$re2 = /state: (on|off)/
+
+	condition:
+		$re1 and $re2
+}`
+
+const ImportRule = `import "pe"
+
+rule Test
+{
+    strings:
+        $a = "some string"
+
+    condition:
+        $a and pe.entry_point == 0x1000
+}`
+
+const UnexpectedHeader = `rule ExampleRule
+{
+	extra:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const RuleWithComments = `rule ExampleRule
+{
+	/*
+		Multiline comment
+	*/
+	strings:
+		$my_text_string = "text here"
+		// $my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NoIdentifier = `rule {}`
+
+const BadMeta = `rule ExampleRule
+{
+	meta:
+		copyrighted
+		author = "Some Guy"
+}`
+
+const WeirdRule = `import "pe"
+
+rule ExampleRule : FILE
+{` + "\r\n" + `
+strings:
+$my_text_string = "text here"
+$my_hex_string = { E2 34 A1 C8 23 FB }
+$badslashes = "\\var\\www\\html\\"
+$multilinehex = {
+46 DC EA D3 17 FE 45 D8 09 23
+EB 97 E4 95 64 10 D4 CD B2 C2
+}
+condition : // comment
+$my_text_string or $my_hex_string
+}`
+
+func TestMetaSet(t *testing.T) {
+	t.Parallel()
+
+	meta := Metadata{}
+	assert.True(t, meta.IsEmpty())
+
+	meta.Set("author", "John Doe")
+
+	assert.Equal(t, "John Doe", *meta.Author)
+	assert.False(t, meta.IsEmpty())
+
+	meta.Author = nil
+
+	assert.True(t, meta.IsEmpty())
+
+	meta.Set("date", "2023-12-27")
+	meta.Set("version", "1.0")
+	meta.Set("reference", "http://somewhere.invalid")
+	meta.Set("description", "Example Rule")
+	meta.Set("my_identifier_1", "Some string data")
+
+	assert.Nil(t, meta.Author)
+	assert.Equal(t, "2023-12-27", *meta.Date)
+	assert.Equal(t, "1.0", *meta.Version)
+	assert.Equal(t, "http://somewhere.invalid", *meta.Reference)
+	assert.Equal(t, "Example Rule", *meta.Description)
+	assert.Equal(t, "Some string data", meta.Rest["my_identifier_1"])
+	assert.False(t, meta.IsEmpty())
+}
+
+func TestParseRule(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name          string
+		Input         string
+		ExpectedRules []*YaraRule
+		ExpectedError *string
+	}{
+		{
+			Name:  "Basic Rule",
+			Input: BasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Basic Rule With Metadata",
+			Input: BasicRuleWMeta,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "MetadataExample",
+					Meta: Metadata{
+						Author:      util.Ptr(`"John Doe"`),
+						Date:        util.Ptr(`"2023-12-27"`),
+						Version:     util.Ptr(`"1.0"`),
+						Reference:   util.Ptr(`"http://somewhere.invalid"`),
+						Description: util.Ptr(`"Example Rule"`),
+						Rest: map[string]string{
+							"my_identifier_1": "\"Some string data\"",
+							"my_identifier_2": "24",
+							"my_identifier_3": "true",
+						},
+					},
+					Strings: []string{
+						"$my_text_string = \"text here\"",
+						"$my_hex_string = { E2 34 A1 C8 23 FB }",
+					},
+					Condition: "$my_text_string or $my_hex_string",
+				},
+			},
+		},
+		{
+			Name:  "Rule With Regex",
+			Input: RegexRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "RegExpExample1",
+					Strings: []string{
+						"$re1 = /md5: [0-9a-fA-F]{32}/",
+						"$re2 = /state: (on|off)/",
+					},
+					Condition: "$re1 and $re2",
+				},
+			},
+		},
+		{
+			Name:  "Rule With Import",
+			Input: ImportRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "Test",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+				},
+			},
+		},
+		{
+			Name:          "Rule With Unexpected Header",
+			Input:         UnexpectedHeader,
+			ExpectedError: util.Ptr(`unexpected header at 26: extra`),
+		},
+		{
+			Name:  "Basic Rule With Comments",
+			Input: RuleWithComments,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Multiple Rules",
+			Input: ImportRule + "\n\n" + BasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "Test",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+				},
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:  "Rule With Oddities",
+			Input: WeirdRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+						`$badslashes = "\\var\\www\\html\\"`,
+						`$multilinehex = {`,
+						`46 DC EA D3 17 FE 45 D8 09 23`,
+						`EB 97 E4 95 64 10 D4 CD B2 C2`,
+						`}`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+				},
+			},
+		},
+		{
+			Name:          "Missing Identifier",
+			Input:         NoIdentifier,
+			ExpectedError: util.Ptr("expected rule identifier at 5"),
+		},
+		{
+			Name:          "Invalid Metadata",
+			Input:         BadMeta,
+			ExpectedError: util.Ptr("invalid meta line at 39: copyrighted"),
+		},
+		{
+			Name:          "Unexpected End Of Rule",
+			Input:         BasicRule[:len(BasicRule)-1],
+			ExpectedError: util.Ptr("unexpected end of rule"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			rules, err := ParseYaraRules([]byte(test.Input))
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+				assert.NotNil(t, rules)
+
+				assert.Equal(t, test.ExpectedRules, rules)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpectedError, err.Error())
+
+				assert.Empty(t, rules)
+			}
+		})
+	}
+}
+
+func TestRuleString(t *testing.T) {
+	rules, err := ParseYaraRules([]byte(BasicRuleWMeta))
+	assert.NoError(t, err)
+	assert.NotEmpty(t, rules)
+
+	raw := rules[0].String()
+	fmt.Println(raw)
+	assert.Equal(t, NormalizedBasicRuleWMeta, raw)
+}
+
+func TestValidate(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name string
+		Rule *YaraRule
+		Err  *string
+	}{
+		{
+			Name: "Minimally Valid Rule",
+			Rule: &YaraRule{
+				Identifier: "ExampleRule",
+				Condition:  "false",
+			},
+		},
+		{
+			Name: "Missing Identifier",
+			Rule: &YaraRule{
+				Condition: "false",
+			},
+			Err: util.Ptr("missing required fields: identifier"),
+		},
+		{
+			Name: "Missing Condition",
+			Rule: &YaraRule{
+				Identifier: "ExampleRule",
+			},
+			Err: util.Ptr("missing required fields: condition"),
+		},
+		{
+			Name: "Missing Multiple Fields",
+			Rule: &YaraRule{},
+			Err:  util.Ptr("missing required fields: identifier, condition"),
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			err := test.Rule.Validate()
+			if test.Err == nil {
+				assert.NoError(t, err)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.Err, err.Error())
+			}
+		})
+	}
+}

From 67a9bfadac03790dab91243c13ffbef6d5584663 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 11 Jan 2024 15:22:18 -0700
Subject: [PATCH 073/102] WIP: Bulk Actions, Removal of Date Range from
 Detections Search

Detections can now be selected for bulk actions. The Select All checkbox toggles between selecting the entire current page and clearing all selection. If the current page is selected, a prompt to select ALL of the results becomes available. Currently the only actions that can be taken are the enabling or disabling of selected detections.

If picking individual IDs, then those IDs are sent up to the API to be modified. If ALL are selected, then the query is sent and detections matching the query will be modified.

A few component tests were added to hunt.test.js testing the SelectAll logic. Cypress tests will be added later.

UpdateDetectionField has been updated to update a detection field (i.e. without having the entire object) faster. Also should no longer be limited to one field although the functionality is not tested or implemented.

The ElasticDetectionstore now gets an ElasticSearch client passed into it so actions don't have to be run against Eventstore.

An error was fixed in the suricata parser. Better care is taken around modifying settings files that may be empty.

Settings' validator that used to check for Jinja now checks for opening AND closing jinja tags to prevent accidental false positives such as the suricata rule that contained `{%` in a URL.
---
 html/css/app.css                              |  34 +++++
 html/index.html                               |  50 +++++--
 html/js/i18n.js                               |   6 +
 html/js/routes/hunt.js                        | 141 +++++++++++++++++-
 html/js/routes/hunt.test.js                   |  98 ++++++++++++
 server/detectionhandler.go                    | 108 ++++++++++----
 server/detectionstore.go                      |   3 +-
 server/modules/elastic/elastic.go             |   2 +-
 .../modules/elastic/elasticdetectionstore.go  |  87 +++++++----
 server/modules/strelka/strelka.go             |   4 +-
 server/modules/suricata/suricata.go           |   9 +-
 server/modules/suricata/validate.go           |   1 -
 syntax/validator.go                           |   4 +-
 13 files changed, 471 insertions(+), 76 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 7531b1125..c246c1192 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -499,3 +499,37 @@ td {
 .theme--light .resolved-host {
   color: rgba(0, 0, 0, 0.5);
 }
+
+.multiselect-container {
+  width: 100%;
+  position: relative;
+  display: flex;
+  justify-content: flex-start;
+}
+
+#multiselect-checkbox {
+  display: inline-block;
+  position: absolute;
+  left: 50%;
+  transform: translateX(-50%);
+}
+
+.detection-selection {
+  display: inline-block;
+  vertical-align: sub;
+}
+
+.selection-counter {
+  margin-left: auto;
+  padding-right: 12px;
+}
+
+.bulk-actions {
+  display: inline-block;
+  max-width: 100px;
+  margin: 0 4px;
+}
+
+.detection-hunt-btn {
+  margin-top: 20px;
+}
diff --git a/html/index.html b/html/index.html
index cdb0134bc..da5fdb76e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -379,7 +379,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
           </v-col>
         </v-row>
         <v-row align="start">
-          <v-col cols="12" md="7">
+          <v-col cols="12" :md="isCategory('detections') ? 10 : 7">
             <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @change="notifyInputsChanged" class="mx-2" v-model="$data[isAdvanced() ? 'query' : 'queryName']" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="hunt" id="hunt-query-input">
               <template v-slot:prepend-inner>
                 <v-menu dense bottom three-line offset-y>
@@ -422,8 +422,8 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
               </template>
             </v-textarea>
           </v-col>
-          <v-col cols="12" md="5" class="d-flex flex-nowrap align-center">
-            <v-text-field :disabled="loading()" v-if="relativeTimeEnabled" id="huntrelativetimevalue" @change="notifyInputsChanged" class="mx-2"
+          <v-col cols="12" :md="isCategory('detections') ? 2 : 5" class="d-flex flex-nowrap align-center">
+            <v-text-field :disabled="loading()" v-if="relativeTimeEnabled && !isCategory('detections')" id="huntrelativetimevalue" @change="notifyInputsChanged" class="mx-2"
                 v-model="relativeTimeValue" :hint="i18n.relativeTimeHelp" persistent-hint="true" type="number">
               <template v-slot:prepend>
                 <v-btn v-if="relativeTimeEnabled" icon x-small @click="showAbsoluteTime" id="show-absolute-time">
@@ -438,7 +438,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                   v-model="relativeTimeUnit" :items="relativeTimeUnits"></v-select>
               </template>
             </v-text-field>
-            <v-text-field :disabled="loading()" v-if="!relativeTimeEnabled" id="huntdaterange" @change="notifyInputsChanged" class="mx-2"
+            <v-text-field :disabled="loading()" v-if="!relativeTimeEnabled && !isCategory('detections')" id="huntdaterange" @change="notifyInputsChanged" class="mx-2"
               v-model="dateRange" :hint="i18n.timePickerHelp" persistent-hint="true"
               prepend-inner-icon="fa-angle-down" @click:prepend-inner="showDateRangePicker">
               <template v-slot:prepend>
@@ -447,7 +447,7 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                 </v-btn>
               </template>
             </v-text-field>
-            <v-btn id="hunt" :disabled="loading()" :color="huntPending ? 'light-green accent-4' : (autoRefreshInterval ? 'secondary' : 'primary')" @click.stop="hunt">
+            <v-btn id="hunt" :class="isCategory('detections') ? 'detection-hunt-btn' : ''" :disabled="loading()" :color="huntPending ? 'light-green accent-4' : (autoRefreshInterval ? 'secondary' : 'primary')" @click.stop="hunt">
               <span v-if="isCategory('hunt')" class="d-sm-none d-lg-inline pr-2" v-text="i18n.hunt"></span>
               <span v-if="!isCategory('hunt')" class="d-sm-none d-lg-inline pr-2" v-text="i18n.refresh"></span>
               <v-icon v-if="isCategory('hunt') && !autoRefreshInterval">fa-crosshairs</v-icon>
@@ -631,10 +631,10 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
           <v-expand-transition>
             <v-row v-if="isExpandedSection('hunt-events')">
               <v-col cols="12">
-                <v-data-table :search="eventFilter" :sort-by.sync="sortBy" item-key="soc_id" :expanded.sync="expanded" :sort-desc.sync="sortDesc" :footer-props="footerProps"
-                  :items-per-page.sync="itemsPerPage" must-sort :headers="eventHeaders" :items="eventData" show-expand :page.sync="eventPage" :custom-sort="sortEvents">
-                  <template v-slot:top v-if="isAdvanced()">
-                    <v-container fluid>
+                <v-data-table ref="eventTable" :search="eventFilter" :sort-by.sync="sortBy" item-key="soc_id" :expanded.sync="expanded" :sort-desc.sync="sortDesc" :footer-props="footerProps"
+                  :items-per-page.sync="itemsPerPage" must-sort :headers="eventHeaders" :items="eventData" :page.sync="eventPage" show-select :custom-sort="sortEvents">
+                  <template v-slot:top>
+                    <v-container v-if="isAdvanced()" fluid>
                       <v-row>
                         <v-col cols="4"></v-col>
                         <v-col cols="2">
@@ -645,6 +645,36 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                         </v-col>
                       </v-row>
                     </v-container>
+                    <v-container v-if="isCategory('detections') && selectAllState !== false">
+                      <div>
+                          {{ i18n.selected }} {{ (selectAllState === true ? totalEvents : selectedCount).toLocaleString() }}
+                        <span class="ml-2" v-if="selectAllState === 'indeterminate' && isPageSelected() && totalEvents >= itemsPerPage">
+                          {{ i18n.selectAll.replaceAll('[[count]]', totalEvents.toLocaleString()) }}
+                          <v-btn @click="selectAllEvents(true, true)">
+                            {{ i18n.yes }}
+                          </v-btn>
+                        </span>
+                      </div>
+
+                      <span>
+                        {{ i18n.bulkAction }}
+                        <v-select class="bulk-actions" :disabled="loading()" v-model="selectedAction" :items="bulkActions"></v-select>
+                        <v-btn :disabled="selectAllState === false" @click="bulkAction()">{{ i18n.go }}</v-btn>
+                      </span>
+                    </v-container>
+
+                  </template>
+                  <template v-if="isMultiSelect()" v-slot:header.data-table-select="{ on, props }">
+                    <div class="multiselect-container">
+                      <v-simple-checkbox id="multiselect-checkbox"
+                        color="blue"
+                        v-bind="props"
+                        v-on="on"
+                        :indeterminate="selectAllState === 'indeterminate'"
+                        :value="selectAllState"
+                        @click="toggleSelectAll()"
+                      ></v-simple-checkbox>
+                    </div>
                   </template>
                   <template v-for="(header, headerIdx) in eventHeaders" v-slot:["header." + header.value]="{ props }">
                     <span :id="'col_' + header.value">
@@ -683,6 +713,8 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
+                        <v-checkbox class="detection-selection" @change="updateBulkSelector(item)" v-if="isMultiSelect()" v-model="item._isSelected">
+                        </v-checkbox>
                         <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled && category === 'cases'">
                           <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
                         </router-link>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 5d77a4ef9..8ab6365f8 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -114,6 +114,7 @@ const i18n = {
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       betweenOp: 'Between',
       blog: 'Blog',
+      bulkAction: 'Bulk Action:',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -269,6 +270,7 @@ const i18n = {
       detectionEnabled: 'Enabled',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
+      disable: 'Disable',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -292,6 +294,7 @@ const i18n = {
       email: 'Email Address',
       emailHelp: 'Specify a valid email address. Contact your administrator for new account creation.',
       emailRequired: 'An email address must be specified.',
+      enable: 'Enable',
       enabled: 'Enabled',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
@@ -367,6 +370,7 @@ const i18n = {
       flags: 'Flags',
       gigabytes: 'GB',
       generate: 'Generate',
+      go: 'GO',
       graphs: 'Graphs',
       grid: 'Grid',
       gridEps: 'Grid EPS:',
@@ -631,6 +635,8 @@ const i18n = {
       security: 'Security',
       securityInstructions: 'You may be prompted to login again when updating your security settings. If submitting a new password, you will need to verify your identity first with the old password. This is a security measure to protect your account.',
       securityInstructionsTotp: 'IMPORTANT: If you changed your password recently you must logout and login again with the new password before attempting to activate TOTP. Failure to relogin will result in the TOTP validation failing. If this occurs you will need to remove the TOTP code from your authenticator app, login to SOC with the new password, and then activate TOTP again.',
+      selected: 'Selected: ',
+      selectAll: 'Would you like to select all [[count]] events?',
       sensor: 'Sensor',
       sensorId: 'Sensor ID',
       sensorIdRequired: 'The Sensor ID must be entered before adding a new job.',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 321f515ed..76d8b9f07 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -140,6 +140,13 @@ const huntComponent = {
     mruCases: [],
     selectedMruCase: null,
     disableRouteLoad: false,
+    selectAllState: false,
+    selectedCount: 0,
+    selectedAction: 'enable',
+    bulkActions: [
+      { text: this.$root.i18n.enable, value: 'enable' },
+      { text: this.$root.i18n.disable, value: 'disable' },
+    ],
   }},
   created() {
     this.$root.initializeCharts();
@@ -1305,6 +1312,7 @@ const huntComponent = {
       if (events != null && events.length > 0) {
         let batch = [];
 
+        const multiSelect = this.isMultiSelect();
         events.forEach(function(event, index) {
           var record = event.payload;
           record.soc_id = event.id;
@@ -1313,6 +1321,11 @@ const huntComponent = {
           record.soc_timestamp = event.timestamp;
           record.soc_source = event.source;
           route.lookupSocIds(record);
+
+          if (multiSelect) {
+            record._isSelected = false;
+          }
+
           records.push(record);
 
           for (const key in record) {
@@ -1428,13 +1441,13 @@ const huntComponent = {
     removeColumnHeader(field) {
       this.populateQueryTableFields();
       this.queryTableFields = this.queryTableFields.filter(item => item != field);
-      
+
       // do not revert back to the predefined headers if this was the last column that was just removed. Otherwise
       // users would get frustrated if they're trying to remove all the columns to then add their own.
       this.repopulateEventHeaders(); // no defaults fields provided
     },
     isColumnHeader(field) {
-      return this.eventHeaders.find((item) => { 
+      return this.eventHeaders.find((item) => {
         if (item.value == field) {
           return true;
         }
@@ -1563,11 +1576,19 @@ const huntComponent = {
     isExpanded(item) {
       return (this.expanded.length > 0 && this.expanded[0] == item);
     },
+    isMultiSelect() {
+      return this.isCategory('detections');
+    },
     getExpandedData() {
       var records = []
       if (this.expanded.length > 0) {
         var data = this.expanded[0];
         for (key in data) {
+          if (key === '_isSelected') {
+            // Should we exclude all fields beginning with an underscore?
+            continue;
+          }
+
           var record = {};
           record.key = key;
           record.value = data[key];
@@ -2107,8 +2128,120 @@ const huntComponent = {
 
       window.open(url, target);
     },
-    print(x) {
-      console.log(x);
+    updateBulkSelector(item) {
+      if (item._isSelected) {
+        this.selectedCount = Math.min(this.selectedCount + 1, this.totalEvents);
+      } else {
+        this.selectedCount = Math.max(this.selectedCount - 1, 0);
+      }
+
+      switch (this.selectedCount) {
+        case 0:
+          this.selectAllState = false;
+          break;
+        case this.totalEvents:
+          this.selectAllState = true;
+          break;
+        default:
+          this.selectAllState = 'indeterminate';
+          break;
+      }
+    },
+    toggleSelectAll() {
+      switch (this.selectAllState) {
+        case 'indeterminate':
+          this.selectAllState = false;
+          this.selectAllEvents(false);
+          this.selectedCount = 0;
+          break;
+        case false:
+          this.selectAllState = 'indeterminate';
+          this.selectCurrentPage(true);
+          break;
+        case true:
+          this.selectAllState = false;
+          this.selectAllEvents(false);
+          break;
+      }
+    },
+    selectAllEvents(selection = true, ALL = false) {
+      for (let i = 0; i < this.eventData.length; i++) {
+        if (this.eventData[i]._isSelected !== selection) {
+          this.eventData[i]._isSelected = selection;
+          if (selection) {
+            this.selectedCount++;
+          } else {
+            this.selectedCount--;
+          }
+        }
+      }
+
+      this.selectedCount = Math.max(Math.min(this.selectedCount, this.totalEvents), 0);
+
+      if (ALL && selection) {
+        this.selectAllState = true;
+      }
+    },
+    selectCurrentPage(selection = true) {
+      this.$refs.eventTable._data.internalCurrentItems.forEach((item) => {
+        if (item._isSelected !== selection) {
+          item._isSelected = selection;
+          if (selection) {
+            this.selectedCount++;
+          } else {
+            this.selectedCount--;
+          }
+        }
+      });
+
+      this.selectedCount = Math.max(Math.min(this.selectedCount, this.totalEvents), 0);
+    },
+    isPageSelected() {
+      return this.$refs.eventTable._data.internalCurrentItems.every((item) => item._isSelected);
+    },
+    countSelected() {
+      let count = 0;
+      for (let i = 0; i < this.eventData.length; i++) {
+        if (this.eventData[i]._isSelected) {
+          count++;
+        }
+      }
+
+      this.selectedCount = count;
+    },
+    async bulkAction() {
+      this.$root.startLoading();
+
+      let payload = {};
+
+      switch (this.selectAllState) {
+        case true:
+          payload.query = this.query;
+          break;
+        case 'indeterminate':
+          let ids = [];
+          for (let i = 0; i < this.eventData.length; i++) {
+            if (this.eventData[i]._isSelected) {
+              ids.push(this.eventData[i].soc_id);
+            }
+          }
+
+          payload.ids = ids;
+          break;
+      }
+
+      try {
+        const response = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+
+        this.selectAllState = false;
+        this.selectedCount = 0;
+
+        this.hunt(false);
+      } catch (e) {
+        this.$root.handleError(e);
+      }
+
+      this.$root.stopLoading();
     }
   }
 };
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 1028639e1..a9412ff6f 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1093,3 +1093,101 @@ test('moveColumnHeader', () => {
   // double check that repopulateEventHeaders was invoked
   expect(comp.eventHeaders).toStrictEqual([{"text":"x", "value":"x"},{"text":"y", "value":"y"},{"text":"z", "value": "z"}]);
 });
+
+test('updateBulkSelector', () => {
+  const selected = { _isSelected: true };
+  const unselected = { _isSelected: false };
+
+  comp.totalEvents = 2;
+
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.selectAllState).toBe(false);
+
+  comp.updateBulkSelector(selected);
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.selectAllState).toBe('indeterminate');
+
+  comp.updateBulkSelector(selected);
+
+  expect(comp.selectedCount).toBe(2);
+  expect(comp.selectAllState).toBe(true);
+
+  comp.updateBulkSelector(unselected);
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.selectAllState).toBe('indeterminate');
+
+  comp.updateBulkSelector(unselected);
+
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.selectAllState).toBe(false);
+});
+
+test('toggleSelectAll', () => {
+  comp.totalEvents = 11;
+  comp.eventData = [];
+  comp.$refs = {
+    eventTable: {
+      _data: {
+        internalCurrentItems: []
+      }
+    }
+  };
+
+  for (let i = 0; i < comp.totalEvents; i++) {
+    let obj = { _isSelected: i === 0 };
+    comp.eventData.push(obj);
+    if (comp.$refs.eventTable._data.internalCurrentItems.length < 10) {
+      comp.$refs.eventTable._data.internalCurrentItems.push(obj);
+    }
+  }
+
+  comp.selectAllState = 'indeterminate';
+  comp.countSelected();
+
+  expect(comp.selectedCount).toBe(1);
+  expect(comp.isPageSelected()).toBe(false);
+
+  // the comp has 11 eventData, the first 10 are in the eventTable's internalCurrentItems
+  // eventData[0] is the only one selected
+
+  // some selected => none selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.eventData[0]._isSelected).toBe(false);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.isPageSelected()).toBe(false);
+
+  // none selected => page selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe('indeterminate');
+  expect(comp.selectedCount).toBe(10);
+  expect(comp.eventData[10]._isSelected).toBe(false);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(10);
+  expect(comp.isPageSelected()).toBe(true);
+
+  // page selected => all selected
+  comp.selectAllEvents(true, true);
+
+  expect(comp.selectAllState).toBe(true);
+  expect(comp.selectedCount).toBe(11);
+  expect(comp.eventData[10]._isSelected).toBe(true);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(11);
+  expect(comp.isPageSelected()).toBe(true);
+
+  // all selected => none selected
+  comp.toggleSelectAll();
+
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  comp.countSelected();
+  expect(comp.selectedCount).toBe(0);
+  expect(comp.isPageSelected()).toBe(false);
+});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 6d0f85748..45212232a 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/apex/log"
@@ -258,8 +259,13 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	body := []string{}
-	err := web.ReadJson(r, body)
+	type BulkOp struct {
+		IDs   []string `json:"ids"`
+		Query *string  `json:"query"`
+	}
+
+	body := BulkOp{}
+	err := web.ReadJson(r, &body)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
@@ -267,43 +273,95 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 	IDs := map[string]struct{}{}
 
-	for _, id := range body {
+	for _, id := range body.IDs {
 		IDs[id] = struct{}{}
 	}
 
-	errMap := map[string]string{} // map[id]error
-	modified := []*model.Detection{}
+	if body.Query != nil {
+		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
 
-	for id := range IDs {
-		det, mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, "IsEnabled", enabled)
+		results, err := h.server.Detectionstore.Query(ctx, query, -1)
 		if err != nil {
-			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
-			continue
+			web.Respond(w, r, http.StatusInternalServerError, err)
+			return
 		}
-
-		if mod {
-			modified = append(modified, det)
+		for _, d := range results {
+			det := d.(*model.Detection)
+			id := det.Id
+			IDs[id] = struct{}{}
 		}
 	}
 
-	if len(modified) != 0 {
-		addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
-		if err != nil {
-			web.Respond(w, r, http.StatusInternalServerError, err)
-			return
-		}
+	log.WithField("count", len(IDs)).Info("bulk update ID count")
+
+	errMap := map[string]string{} // map[id]error
+	modified := make([]*model.Detection, 0, len(IDs))
+
+	start := time.Now()
+
+	c := make(chan string, 100)
+	mMod := &sync.Mutex{}
+	mErr := &sync.Mutex{}
+	wg := sync.WaitGroup{}
+
+	for i := 0; i < 2; i++ {
+		wg.Add(1)
+
+		go func() {
+			for id := range c {
+				mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": enabled})
+				if err != nil {
+					mErr.Lock()
+					errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+					mErr.Unlock()
 
-		// merge error maps
-		for k, v := range addErrMap {
-			origK, hasK := errMap[k]
-			if hasK {
-				errMap[k] = fmt.Sprintf("%s; %s", origK, v)
-			} else {
-				errMap[k] = v
+					continue
+				}
+
+				mMod.Lock()
+				modified = append(modified, mod)
+				mMod.Unlock()
 			}
+
+			wg.Done()
+		}()
+	}
+
+	for id := range IDs {
+		c <- id
+	}
+	close(c)
+
+	wg.Wait()
+
+	update := time.Since(start)
+	start = time.Now()
+
+	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	sync := time.Since(start)
+
+	// merge error maps
+	for k, v := range addErrMap {
+		origK, hasK := errMap[k]
+		if hasK {
+			errMap[k] = fmt.Sprintf("%s; %s", origK, v)
+		} else {
+			errMap[k] = v
 		}
 	}
 
+	log.WithFields(log.Fields{
+		"updateTime":    update.Seconds(),
+		"syncTime":      sync.Seconds(),
+		"modifiedCount": len(modified),
+		"errorCount":    len(errMap),
+	}).Info("bulk update detection")
+
 	web.Respond(w, r, http.StatusOK, errMap)
 }
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 92f1c0533..ad168a3a5 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -16,7 +16,8 @@ type Detectionstore interface {
 	CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	GetDetection(ctx context.Context, detectId string) (*model.Detection, error)
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
-	UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error)
+	UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 }
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index e017bdbf0..abc5766e3 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -101,7 +101,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
 				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
-				detstore := NewElasticDetectionstore(elastic.server)
+				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient)
 
 				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
 				if err == nil {
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index c59044b35..67ce910a3 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -7,6 +7,7 @@ package elastic
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"regexp"
@@ -15,6 +16,8 @@ import (
 	"time"
 
 	"github.com/apex/log"
+	"github.com/elastic/go-elasticsearch/v8"
+	"github.com/elastic/go-elasticsearch/v8/esapi"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -22,15 +25,17 @@ import (
 
 type ElasticDetectionstore struct {
 	server          *server.Server
+	esClient        *elasticsearch.Client
 	index           string
 	auditIndex      string
 	maxAssociations int
 	schemaPrefix    string
 }
 
-func NewElasticDetectionstore(srv *server.Server) *ElasticDetectionstore {
+func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client) *ElasticDetectionstore {
 	return &ElasticDetectionstore{
-		server: srv,
+		server:   srv,
+		esClient: client,
 	}
 }
 
@@ -174,7 +179,7 @@ func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{},
 func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
 	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
 
-	objects, err := store.getAll(ctx, query, 1)
+	objects, err := store.Query(ctx, query, 1)
 	if err == nil {
 		if len(objects) > 0 {
 			return objects[0], err
@@ -186,7 +191,7 @@ func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind str
 	return nil, err
 }
 
-func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max int) ([]interface{}, error) {
 	var err error
 	var objects []interface{}
 
@@ -348,43 +353,65 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 	return store.GetDetection(ctx, results.DocumentId)
 }
 
-func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, field string, value any) (*model.Detection, bool, error) {
-	var modified bool
-
-	detect, err := store.GetDetection(ctx, id)
-	if err != nil {
-		return nil, false, err
+func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error) {
+	if len(fields) == 0 {
+		return nil, errors.New("no fields to update")
 	}
 
-	switch strings.ToLower(field) {
-	case "isenabled":
-		bVal, ok := value.(bool)
-		if !ok {
-			return nil, false, fmt.Errorf("invalid value for field isEnabled (expected bool): %[1]v (%[1]T)", value)
-		}
+	unQtemplate := `ctx._source.%s=%v`
+	Qtemplate := `ctx._source.%s='%v'`
 
-		if detect.IsEnabled != bVal {
-			detect.IsEnabled = bVal
-			modified = true
+	lines := make([]string, 0, len(fields)+1)
+
+	for field, value := range fields {
+		switch strings.ToLower(field) {
+		case "isenabled":
+			newField := store.schemaPrefix + "detection.isEnabled"
+			lines = append(lines, fmt.Sprintf(unQtemplate, newField, value))
+		default:
+			return nil, fmt.Errorf("unsupported field: %s", field)
 		}
 	}
 
-	err = store.validateDetection(detect)
+	lines = append(lines, fmt.Sprintf(Qtemplate, store.schemaPrefix+"detection.userId", ctx.Value(web.ContextKeyRequestorId).(string)))
+
+	opts := []func(*esapi.UpdateRequest){
+		store.esClient.Update.WithContext(ctx),
+		store.esClient.Update.WithSource("true"),
+	}
+
+	script := strings.Join(lines, "; ")
+
+	res, err := store.esClient.Update("so-detection", id, strings.NewReader(fmt.Sprintf(`{"script": "%s"}`, script)), opts...)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
 
-	if modified {
-		var results *model.EventIndexResults
+	if res.IsError() {
+		return nil, fmt.Errorf("update error: %s", res.String())
+	}
 
-		results, err = store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
-		if err == nil {
-			// Read object back to get new modify date, etc
-			detect, err = store.GetDetection(ctx, results.DocumentId)
-		}
+	type DetectionExtractor struct {
+		Result string `json:"result"`
+		Get    struct {
+			Source struct {
+				Detection *model.Detection `json:"so_detection"`
+			} `json:"_source"`
+		} `json:"get"`
+	}
+
+	ex := DetectionExtractor{}
+
+	err = json.NewDecoder(res.Body).Decode(&ex)
+	if err != nil {
+		return nil, err
+	}
+
+	if ex.Result != "updated" {
+		log.Debug("problem")
 	}
 
-	return detect, modified, err
+	return ex.Get.Source.Detection, nil
 }
 
 func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
@@ -404,7 +431,7 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
 	}
 
-	all, err := store.getAll(ctx, query, -1)
+	all, err := store.Query(ctx, query, -1)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index b6866957d..e174e0f6f 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -90,7 +90,7 @@ func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*m
 
 func (e *StrelkaEngine) startCommunityRuleImport() {
 	for e.isRunning {
-		time.Sleep(time.Second * 10)
+		time.Sleep(time.Second * 600)
 		if !e.isRunning {
 			break
 		}
@@ -126,8 +126,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			if err != nil {
 				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
 				errors++
-
-				continue
 			}
 
 			rules = append(rules, parsed...)
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 4715a325f..281a1cd03 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -412,7 +412,14 @@ func (s *SuricataEngine) SyncLocalDetections(ctx context.Context, detections []*
 				modifyIndex[sid] = lineNum
 			} else if inModify && detect.IsEnabled {
 				// in modify, but shouldn't be
-				modifyLines = append(modifyLines[:lineNum], modifyLines[lineNum+1:]...)
+				var after []string
+				before := modifyLines[:lineNum]
+
+				if lineNum+1 < len(modifyLines) {
+					after = modifyLines[lineNum+1:]
+				}
+
+				modifyLines = append(before, after...)
 				delete(modifyIndex, sid)
 			}
 		}
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index daa3bd07e..33ddf0b09 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -56,7 +56,6 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 	}
 
 	for r.Len() != 0 {
-		// TODO: Parse Source and Destination into Address and Ports
 		ch, _, _ := r.ReadRune()
 
 		switch curState {
diff --git a/syntax/validator.go b/syntax/validator.go
index 97fd0f405..6ab2b3231 100644
--- a/syntax/validator.go
+++ b/syntax/validator.go
@@ -14,7 +14,9 @@ import (
 func Validate(value string, syntax string) error {
 	var err error
 
-	if strings.Contains(value, "{#") || strings.Contains(value, "{{") || strings.Contains(value, "{%") {
+	if (strings.Contains(value, "{#") && strings.Contains(value, "#}")) ||
+		(strings.Contains(value, "{{") && strings.Contains(value, "}}")) ||
+		(strings.Contains(value, "{%") && strings.Contains(value, "%}")) {
 		err = errors.New("ERROR_JINJA_NOT_SUPPORTED")
 	} else {
 		switch strings.ToLower(syntax) {

From fea0d27d1efbd8bda680225db6bdcf4bbd850870 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 11 Jan 2024 15:50:19 -0700
Subject: [PATCH 074/102] WIP: Fix for removed Date Range from Detections

When hunting, the daterange for detections will always be from the unix epoch to now. This helps us treat detections like a traditional model instead of a timescale DB entry.
---
 html/js/routes/hunt.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 76d8b9f07..930da4011 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -527,10 +527,14 @@ const huntComponent = {
           };
           response.data.totalEvents = response.data.events.length;
         } else {
+          let range = this.dateRange;
+          if (this.isCategory('detections')) {
+            range = moment(0).format(this.i18n.timePickerFormat) + " - " + moment().format(this.i18n.timePickerFormat);
+          }
           response = await this.$root.papi.get('events/', {
             params: {
               query: await this.getQuery(),
-              range: this.dateRange,
+              range: range,
               format: this.i18n.timePickerSample,
               zone: this.zone,
               metricLimit: this.groupByLimit,

From 36b6d284398bbf900854432516047d9654d8dc0f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 17 Jan 2024 13:08:06 -0700
Subject: [PATCH 075/102] WIP: Async Bulk Operations

Submitting a bulk operation against detections now results in a 202 (Accepted) and the work is done in a goroutine. At the end, the results are broadcast back to the client.
---
 html/js/i18n.js                               |   4 +
 html/js/routes/hunt.js                        |  58 ++++++--
 server/detectionhandler.go                    | 122 ++++++++++-------
 server/modules/elastic/elastic.go             |   2 +-
 .../modules/elastic/elasticdetectionstore.go  | 128 ++++++++++++++++--
 5 files changed, 240 insertions(+), 74 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 8ab6365f8..b1c5109cc 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -115,6 +115,8 @@ const i18n = {
       betweenOp: 'Between',
       blog: 'Blog',
       bulkAction: 'Bulk Action:',
+      bulkError: '',
+      bulkSuccess: 'Bulk update successfully updated {modified} of {total} events. ({time})',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -303,6 +305,8 @@ const i18n = {
       epsProduction: 'Production EPS:',
       epsConsumption: 'Consumption EPS:',
       error: 'Error',
+      errorSingular: 'error',
+      errorPlural: 'errors',
       errorHelp: 'See the Help section of the Security Onion documentation for additional troubleshooting guidance.',
       escalate: 'Escalate',
       escalationInvalid: 'Invalid alert - cannot escalate to a case due to insufficient alert information',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 930da4011..f63bf4ea9 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -181,11 +181,16 @@ const huntComponent = {
   beforeDestroy() {
     this.$root.setSubtitle("");
     this.stopRefreshTimer();
+    this.$root.unsubscribe('detections:bulkUpdate', this.bulkUpdateReport);
   },
   mounted() {
     this.$root.startLoading();
     this.category = this.$route.path.replace("/", "");
     this.$root.loadParameters(this.category, this.initHunt);
+
+    if (this.isCategory('detections')) {
+      this.$root.subscribe('detections:bulkUpdate', this.bulkUpdateReport);
+    }
   },
   watch: {
     '$route': 'loadData',
@@ -323,6 +328,9 @@ const huntComponent = {
       }
       this.resetRefreshTimer();
 
+      this.selectAllState = false;
+      this.selectedCount = 0;
+
       if (document.activeElement) {
         // Release focus to avoid clicking away causing a second hunt
         document.activeElement.blur();
@@ -2214,8 +2222,6 @@ const huntComponent = {
       this.selectedCount = count;
     },
     async bulkAction() {
-      this.$root.startLoading();
-
       let payload = {};
 
       switch (this.selectAllState) {
@@ -2235,18 +2241,52 @@ const huntComponent = {
       }
 
       try {
-        const response = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
-
+        await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+      } catch (e) {
+        this.$root.handleError(e);
+      } finally {
         this.selectAllState = false;
         this.selectedCount = 0;
-
         this.hunt(false);
-      } catch (e) {
-        this.$root.handleError(e);
       }
+    },
+    bulkUpdateReport(stats) {
+      if (stats.error > 0) {
+        let msg = this.i18n.bulkError;
+        msg += ' ' + stats.error.toLocaleString() + ' ' + (stats.error == 1 ? this.i18n.errorSingular : this.i18n.errorPlural) + '.';
 
-      this.$root.stopLoading();
-    }
+        this.$root.showError(msg);
+      } else {
+        let seconds = Math.floor(stats.time);
+        let hours = Math.floor(seconds / 3600);
+        seconds %= 3600;
+        let minutes = Math.floor(seconds / 60);
+        seconds = Math.floor(seconds % 60);
+
+        let t = '';
+
+        if (hours > 0) {
+          t += hours + 'h ';
+        }
+
+        if (minutes > 0 || t.length > 0) {
+          if (t.length > 0) {
+            minutes = `0${minutes}`;
+          }
+
+          t += minutes + 'm ';
+        }
+
+        t += seconds.toFixed(0) + 's';
+
+        let msg = this.i18n.bulkSuccess;
+        msg = msg.replaceAll('{modified}', stats.modified.toLocaleString());
+        msg = msg.replaceAll('{total}', stats.total.toLocaleString());
+        msg = msg.replaceAll('{time}', t);
+
+        this.$root.showInfo(msg);
+      }
+    },
   }
 };
 
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 45212232a..e3c530ded 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-	"sync"
 	"time"
 
 	"github.com/apex/log"
@@ -22,6 +21,12 @@ import (
 	"github.com/pkg/errors"
 )
 
+type BulkOp struct {
+	IDs       []string `json:"ids"`
+	Query     *string  `json:"query"`
+	NewStatus bool     `json:"-"`
+}
+
 type DetectionHandler struct {
 	server *Server
 }
@@ -259,19 +264,55 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	type BulkOp struct {
-		IDs   []string `json:"ids"`
-		Query *string  `json:"query"`
-	}
-
-	body := BulkOp{}
-	err := web.ReadJson(r, &body)
+	body := &BulkOp{}
+	err := web.ReadJson(r, body)
 	if err != nil {
 		web.Respond(w, r, http.StatusBadRequest, err)
 		return
 	}
 
+	body.NewStatus = enabled
+
+	// TODO: Check any permissions needing to be checked, we can't return a 4XX after this point
+
+	// new context that doesn't contain a timeout or deadline, but does include
+	// the user we're making requests to ES on behalf of.
+	noTimeOutCtx := context.WithValue(context.Background(), web.ContextKeyRequestor, ctx.Value(web.ContextKeyRequestor).(*model.User))
+	noTimeOutCtx = context.WithValue(noTimeOutCtx, web.ContextKeyRequestorId, ctx.Value(web.ContextKeyRequestorId).(string))
+
+	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body)
+
+	web.Respond(w, r, http.StatusAccepted, nil)
+}
+
+func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp) {
+	var err error
+	var update, sync time.Duration
+	errMap := map[string]string{} // map[id]error
 	IDs := map[string]struct{}{}
+	modified := []*model.Detection{}
+
+	totalTimeStart := time.Now()
+
+	defer func() {
+		totalTime := time.Since(totalTimeStart)
+
+		log.WithFields(log.Fields{
+			"error":      len(errMap),
+			"total":      len(IDs),
+			"modified":   len(modified),
+			"updateTime": update.Seconds(),
+			"syncTime":   sync.Seconds(),
+			"totalTime":  totalTime.Seconds(),
+		}).Error("bulk update Detections finished")
+
+		h.server.Host.Broadcast("detections:bulkUpdate", "detection", map[string]interface{}{
+			"error":    len(errMap),
+			"total":    len(IDs),
+			"modified": len(modified),
+			"time":     totalTime.Seconds(),
+		})
+	}()
 
 	for _, id := range body.IDs {
 		IDs[id] = struct{}{}
@@ -280,9 +321,10 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	if body.Query != nil {
 		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
 
-		results, err := h.server.Detectionstore.Query(ctx, query, -1)
+		var results []interface{}
+
+		results, err = h.server.Detectionstore.Query(ctx, query, -1)
 		if err != nil {
-			web.Respond(w, r, http.StatusInternalServerError, err)
 			return
 		}
 		for _, d := range results {
@@ -294,56 +336,30 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 	log.WithField("count", len(IDs)).Info("bulk update ID count")
 
-	errMap := map[string]string{} // map[id]error
-	modified := make([]*model.Detection, 0, len(IDs))
+	modified = make([]*model.Detection, 0, len(IDs))
 
 	start := time.Now()
 
-	c := make(chan string, 100)
-	mMod := &sync.Mutex{}
-	mErr := &sync.Mutex{}
-	wg := sync.WaitGroup{}
-
-	for i := 0; i < 2; i++ {
-		wg.Add(1)
-
-		go func() {
-			for id := range c {
-				mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": enabled})
-				if err != nil {
-					mErr.Lock()
-					errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
-					mErr.Unlock()
-
-					continue
-				}
-
-				mMod.Lock()
-				modified = append(modified, mod)
-				mMod.Unlock()
-			}
+	for id := range IDs {
+		mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
+		if err != nil {
+			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 
-			wg.Done()
-		}()
-	}
+			continue
+		}
 
-	for id := range IDs {
-		c <- id
+		modified = append(modified, mod)
 	}
-	close(c)
 
-	wg.Wait()
-
-	update := time.Since(start)
+	update = time.Since(start)
 	start = time.Now()
 
 	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
 	if err != nil {
-		web.Respond(w, r, http.StatusInternalServerError, err)
 		return
 	}
 
-	sync := time.Since(start)
+	sync = time.Since(start)
 
 	// merge error maps
 	for k, v := range addErrMap {
@@ -356,13 +372,21 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	log.WithFields(log.Fields{
-		"updateTime":    update.Seconds(),
-		"syncTime":      sync.Seconds(),
 		"modifiedCount": len(modified),
 		"errorCount":    len(errMap),
 	}).Info("bulk update detection")
 
-	web.Respond(w, r, http.StatusOK, errMap)
+	if len(errMap) != 0 {
+		fields := log.Fields{}
+		for k, v := range errMap {
+			fields[k] = v
+			if len(fields) == 10 {
+				break
+			}
+		}
+
+		log.WithFields(fields).Error("sample of bulk update detection errors")
+	}
 }
 
 func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.Detection) (errMap map[string]string, err error) {
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index abc5766e3..f28b8726f 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -101,7 +101,7 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
 				detAuditIndex := module.GetStringDefault(cfg, "detectionAuditIndex", DEFAULT_DETECTION_AUDIT_INDEX)
 				maxDetAssociations := module.GetIntDefault(cfg, "maxDetectionAssociations", DEFAULT_DETECTION_ASSOCIATIONS_MAX)
 				schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_DETECTION_SCHEMA_PREFIX)
-				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient)
+				detstore := NewElasticDetectionstore(elastic.server, elastic.store.esClient, maxLogLength)
 
 				err = detstore.Init(detIndex, detAuditIndex, maxDetAssociations, schemaPrefix)
 				if err == nil {
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 67ce910a3..842514c42 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -6,10 +6,12 @@
 package elastic
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"regexp"
 	"strconv"
 	"strings"
@@ -21,6 +23,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+	"github.com/tidwall/gjson"
 )
 
 type ElasticDetectionstore struct {
@@ -30,12 +33,14 @@ type ElasticDetectionstore struct {
 	auditIndex      string
 	maxAssociations int
 	schemaPrefix    string
+	maxLogLength    int
 }
 
-func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client) *ElasticDetectionstore {
+func NewElasticDetectionstore(srv *server.Server, client *elasticsearch.Client, maxLogLength int) *ElasticDetectionstore {
 	return &ElasticDetectionstore{
-		server:   srv,
-		esClient: client,
+		server:       srv,
+		esClient:     client,
+		maxLogLength: maxLogLength,
 	}
 }
 
@@ -391,27 +396,34 @@ func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id
 		return nil, fmt.Errorf("update error: %s", res.String())
 	}
 
-	type DetectionExtractor struct {
-		Result string `json:"result"`
-		Get    struct {
-			Source struct {
-				Detection *model.Detection `json:"so_detection"`
-			} `json:"_source"`
-		} `json:"get"`
+	raw, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
 	}
 
-	ex := DetectionExtractor{}
+	det := &model.Detection{}
+
+	rawDet := gjson.Get(string(raw), "get._source.so_detection").Raw
 
-	err = json.NewDecoder(res.Body).Decode(&ex)
+	err = json.Unmarshal([]byte(rawDet), det)
 	if err != nil {
 		return nil, err
 	}
 
-	if ex.Result != "updated" {
-		log.Debug("problem")
+	document := convertObjectToDocumentMap("detection", json.RawMessage(rawDet), store.schemaPrefix)
+	document[store.schemaPrefix+AUDIT_DOC_ID] = id
+	document[store.schemaPrefix+"kind"] = "detection"
+	document[store.schemaPrefix+"operation"] = "update"
+
+	err = store.audit(ctx, document, id)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"documentId": id,
+			"kind":       "detection",
+		}).WithError(err).Error("Detection updated successfully however audit record failed to index")
 	}
 
-	return ex.Get.Source.Detection, nil
+	return det, nil
 }
 
 func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, onionID string) (*model.Detection, error) {
@@ -444,3 +456,89 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 
 	return sids, nil
 }
+
+func (store *ElasticDetectionstore) audit(ctx context.Context, document map[string]interface{}, id string) error {
+	var err error
+
+	// TODO: Rethink permissions here
+	// if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
+	// store.refreshCache(ctx)
+
+	var request string
+	request, err = convertToElasticIndexRequest(nil, document)
+	if err == nil {
+		log.Debug("Sending index request to primary Elasticsearch client")
+		_, err = store.indexDocument(ctx, store.disableCrossClusterIndex(store.auditIndex), request, id)
+		if err != nil {
+			log.WithError(err).Error("Encountered error while indexing document into elasticsearch")
+		}
+	}
+	// }
+	return err
+}
+
+func (store *ElasticDetectionstore) indexDocument(ctx context.Context, index string, document string, id string) (string, error) {
+	log.WithFields(log.Fields{
+		"index":     index,
+		"id":        id,
+		"document":  store.truncate(document),
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Adding document to Elasticsearch")
+
+	res, err := store.esClient.Index(index,
+		strings.NewReader(document),
+		store.esClient.Index.WithRefresh("true"),
+		store.esClient.Index.WithDocumentID(id),
+		store.esClient.Index.WithContext(ctx),
+	)
+
+	if err != nil {
+		log.WithError(err).Error("Unable to index document into Elasticsearch")
+		return "", err
+	}
+	defer res.Body.Close()
+	json, err := store.readJsonFromResponse(res)
+
+	log.WithFields(log.Fields{
+		"response":  store.truncate(json),
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Index new document finished")
+	return json, err
+}
+
+func (store *ElasticDetectionstore) truncate(input string) string {
+	if len(input) > store.maxLogLength {
+		return input[:store.maxLogLength] + "..."
+	}
+	return input
+}
+
+func (store *ElasticDetectionstore) disableCrossClusterIndex(index string) string {
+	pieces := strings.SplitN(index, ":", 2)
+	if len(pieces) == 2 {
+		index = pieces[1]
+	}
+	return index
+}
+
+func (store *ElasticDetectionstore) readErrorFromJson(json string) error {
+	errorType := gjson.Get(json, "error.type").String()
+	errorReason := gjson.Get(json, "error.reason").String()
+	errorDetails := json
+	if len(json) > MAX_ERROR_LENGTH {
+		errorDetails = json[0:MAX_ERROR_LENGTH]
+	}
+	err := errors.New(errorType + ": " + errorReason + " -> " + errorDetails)
+	return err
+}
+
+func (store *ElasticDetectionstore) readJsonFromResponse(res *esapi.Response) (string, error) {
+	var err error
+	var b bytes.Buffer
+	b.ReadFrom(res.Body)
+	json := b.String()
+	if res.IsError() {
+		err = store.readErrorFromJson(json)
+	}
+	return json, err
+}

From d37e91ed4a3247b4fc2284cdfa8e2c949d1009f4 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 29 Jan 2024 16:00:08 -0700
Subject: [PATCH 076/102] WIP: Strelka/Yara Community Rule Import, ElastAlert
 now translates with SigmaCLI

There's some side effects because the default `yaraRulesFolder` is still being used to store non-compiled rules by salt.

Updated tests around the new ExecCommand added to IOManagers.

This also includes ElastAlert switching to using the sigma cli instead of the sigconverter.io container. All references to the container have been removed.
---
 config/config.go                              |   5 +-
 go.mod                                        |  23 +-
 go.sum                                        | 111 ++++++-
 model/event.go                                |   2 +-
 server/detectionstore.go                      |   2 +
 server/mock/mock_detectionstore.go            | 145 +++++++++
 server/modules/elastalert/elastalert.go       |  74 ++---
 server/modules/elastalert/elastalert_test.go  |  74 +++--
 .../modules/elastalert/mock/mock_iomanager.go |  19 ++
 server/modules/strelka/mock/mock_iomanager.go | 132 ++++++++
 server/modules/strelka/strelka.go             | 297 ++++++++++++++++--
 server/modules/strelka/strelka_test.go        | 130 ++++++++
 server/modules/strelka/validate.go            |  22 ++
 server/modules/suricata/suricata.go           |   2 +-
 14 files changed, 921 insertions(+), 117 deletions(-)
 create mode 100644 server/mock/mock_detectionstore.go
 create mode 100644 server/modules/strelka/mock/mock_iomanager.go
 create mode 100644 server/modules/strelka/strelka_test.go

diff --git a/config/config.go b/config/config.go
index d6523bbfc..07d29a383 100644
--- a/config/config.go
+++ b/config/config.go
@@ -60,7 +60,10 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 	}
 
 	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
-		"yaraRulesFolder": "/tmp/socdev/so/conf/strelka/rules",
+		"yaraRulesFolder":             "/tmp/socdev/so/conf/strelka/rules",
+		"reposFolder":                 "/tmp/socdev/so/conf/strelka/repos",
+		"rulesRepos":                  []interface{}{"https://github.com/Security-Onion-Solutions/securityonion-yara"},
+		"compileYaraPythonScriptPath": "/tmp/socdev/so/conf/strelka/compile_yara.py",
 	}
 
 	return cfg, err
diff --git a/go.mod b/go.mod
index 55f718020..55f842da8 100644
--- a/go.mod
+++ b/go.mod
@@ -20,22 +20,39 @@ require (
 )
 
 require (
+	github.com/go-git/go-git/v5 v5.11.0
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
+	github.com/tj/assert v0.0.3
 	go.uber.org/mock v0.3.0
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/oapi-codegen/runtime v1.0.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index 78e55c5b3..f0ee841c5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,13 @@
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
@@ -6,10 +15,16 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,13 +32,31 @@ github.com/elastic/elastic-transport-go/v8 v8.3.0 h1:DJGxovyQLXGr62e9nDMPSxRyWIO
 github.com/elastic/elastic-transport-go/v8 v8.3.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI=
 github.com/elastic/go-elasticsearch/v8 v8.11.1 h1:1VgTgUTbpqQZ4uE+cPjkOvy/8aw1ZvKcU0ZUE5Cn1mc=
 github.com/elastic/go-elasticsearch/v8 v8.11.1/go.mod h1:GU1BJHO7WeamP7UhuElYwzzHtvf9SDmeVpSSy9+o6Qg=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -36,14 +69,18 @@ github.com/influxdata/influxdb-client-go/v2 v2.13.0 h1:ioBbLmR5NMbAjP4UVA5r9b5xG
 github.com/influxdata/influxdb-client-go/v2 v2.13.0/go.mod h1:k+spCbt9hcvqvUiz0sr5D8LolXHqAAOfPw9v/RIRHl4=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kennygrant/sanitize v1.2.4 h1:gN25/otpP5vAsO2djbMhF/LQX6R7+O1TB4yv8NzpJ3o=
 github.com/kennygrant/sanitize v1.2.4/go.mod h1:LGsjYYtgxbetdg5owWB2mpgUL6e2nfw2eObZ0u0qvak=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -59,25 +96,34 @@ github.com/oapi-codegen/runtime v1.0.0 h1:P4rqFX5fMFWqRzY9M/3YF9+aPSPPB06IzP2P7o
 github.com/oapi-codegen/runtime v1.0.0/go.mod h1:LmCUMQuPB4M/nLXilQXhHw+BLZdDb18B34OO356yJ/A=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@@ -95,34 +141,88 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
 go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -130,8 +230,11 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/model/event.go b/model/event.go
index 73f410725..e93dad44d 100644
--- a/model/event.go
+++ b/model/event.go
@@ -145,7 +145,7 @@ func (criteria *EventSearchCriteria) DeterminePermissions(hintVerb string, hintN
 	kind = strings.ToLower(strings.TrimSpace(kind))
 
 	switch index {
-	case "so-detection":
+	case "so-detection", "*:so-detection":
 		return hintVerb, "detection"
 	}
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index ad168a3a5..af5184dc7 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -21,3 +21,5 @@ type Detectionstore interface {
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 }
+
+//go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
new file mode 100644
index 000000000..1d30b4a46
--- /dev/null
+++ b/server/mock/mock_detectionstore.go
@@ -0,0 +1,145 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server (interfaces: Detectionstore)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	reflect "reflect"
+
+	model "github.com/security-onion-solutions/securityonion-soc/model"
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockDetectionstore is a mock of Detectionstore interface.
+type MockDetectionstore struct {
+	ctrl     *gomock.Controller
+	recorder *MockDetectionstoreMockRecorder
+}
+
+// MockDetectionstoreMockRecorder is the mock recorder for MockDetectionstore.
+type MockDetectionstoreMockRecorder struct {
+	mock *MockDetectionstore
+}
+
+// NewMockDetectionstore creates a new mock instance.
+func NewMockDetectionstore(ctrl *gomock.Controller) *MockDetectionstore {
+	mock := &MockDetectionstore{ctrl: ctrl}
+	mock.recorder = &MockDetectionstoreMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockDetectionstore) EXPECT() *MockDetectionstoreMockRecorder {
+	return m.recorder
+}
+
+// CreateDetection mocks base method.
+func (m *MockDetectionstore) CreateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateDetection indicates an expected call of CreateDetection.
+func (mr *MockDetectionstoreMockRecorder) CreateDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateDetection", reflect.TypeOf((*MockDetectionstore)(nil).CreateDetection), arg0, arg1)
+}
+
+// DeleteDetection mocks base method.
+func (m *MockDetectionstore) DeleteDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DeleteDetection indicates an expected call of DeleteDetection.
+func (mr *MockDetectionstoreMockRecorder) DeleteDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteDetection", reflect.TypeOf((*MockDetectionstore)(nil).DeleteDetection), arg0, arg1)
+}
+
+// GetAllCommunitySIDs mocks base method.
+func (m *MockDetectionstore) GetAllCommunitySIDs(arg0 context.Context, arg1 *model.EngineName) (map[string]*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAllCommunitySIDs", arg0, arg1)
+	ret0, _ := ret[0].(map[string]*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetAllCommunitySIDs indicates an expected call of GetAllCommunitySIDs.
+func (mr *MockDetectionstoreMockRecorder) GetAllCommunitySIDs(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllCommunitySIDs", reflect.TypeOf((*MockDetectionstore)(nil).GetAllCommunitySIDs), arg0, arg1)
+}
+
+// GetDetection mocks base method.
+func (m *MockDetectionstore) GetDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetDetection indicates an expected call of GetDetection.
+func (mr *MockDetectionstoreMockRecorder) GetDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetection", reflect.TypeOf((*MockDetectionstore)(nil).GetDetection), arg0, arg1)
+}
+
+// Query mocks base method.
+func (m *MockDetectionstore) Query(arg0 context.Context, arg1 string, arg2 int) ([]any, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Query", arg0, arg1, arg2)
+	ret0, _ := ret[0].([]any)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Query indicates an expected call of Query.
+func (mr *MockDetectionstoreMockRecorder) Query(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Query", reflect.TypeOf((*MockDetectionstore)(nil).Query), arg0, arg1, arg2)
+}
+
+// UpdateDetection mocks base method.
+func (m *MockDetectionstore) UpdateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateDetection", arg0, arg1)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateDetection indicates an expected call of UpdateDetection.
+func (mr *MockDetectionstoreMockRecorder) UpdateDetection(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDetection", reflect.TypeOf((*MockDetectionstore)(nil).UpdateDetection), arg0, arg1)
+}
+
+// UpdateDetectionField mocks base method.
+func (m *MockDetectionstore) UpdateDetectionField(arg0 context.Context, arg1 string, arg2 map[string]any) (*model.Detection, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateDetectionField", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*model.Detection)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateDetectionField indicates an expected call of UpdateDetectionField.
+func (mr *MockDetectionstoreMockRecorder) UpdateDetectionField(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDetectionField", reflect.TypeOf((*MockDetectionstore)(nil).UpdateDetectionField), arg0, arg1, arg2)
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index bc38fb1b9..59f14c63c 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -17,6 +17,7 @@ import (
 	"io/fs"
 	"net/http"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
 	"strings"
@@ -45,6 +46,7 @@ type IOManager interface {
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
 	MakeRequest(*http.Request) (*http.Response, error)
+	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
 }
 
 type ElastAlertEngine struct {
@@ -53,9 +55,7 @@ type ElastAlertEngine struct {
 	sigmaPackageDownloadTemplate         string
 	elastAlertRulesFolder                string
 	rulesFingerprintFile                 string
-	sigconverterUrl                      string
 	sigmaRulePackages                    []string
-	sigmaConversionTarget                string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
 	IOManager
@@ -79,8 +79,6 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	e.sigmaPackageDownloadTemplate = module.GetStringDefault(config, "sigmaPackageDownloadTemplate", "https://github.com/SigmaHQ/sigma/releases/latest/download/sigma_%s.zip")
 	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
-	e.sigconverterUrl = module.GetStringDefault(config, "sigconverterUrl", "http://manager:8000/sigma")
-	e.sigmaConversionTarget = module.GetStringDefault(config, "sigmaConversionTarget", "eql")
 
 	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
 	e.parseSigmaPackages(pkgs)
@@ -570,57 +568,35 @@ func (e *ElastAlertEngine) IndexExistingRules() (index map[string]string, err er
 }
 
 func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Detection) (string, error) {
-	// wrapper for the payload
-	ruleWrapper := struct {
-		Rule     string   `json:"rule"`
-		Pipeline []string `json:"pipeline"`
-		Target   string   `json:"target"`
-		Format   string   `json:"format"`
-	}{
-		Rule:     base64.StdEncoding.EncodeToString([]byte(det.Content)),
-		Pipeline: []string{},
-		Target:   e.sigmaConversionTarget,
-		Format:   "default",
-	}
+	args := []string{"convert", "-t", "eql", "-p", "windows-logsources", "-p", "ecs_windows", "/dev/stdin"}
 
-	payload, err := json.Marshal(ruleWrapper)
-	if err != nil {
-		return "", err
-	}
+	cmd := exec.CommandContext(ctx, "sigma", args...)
+	cmd.Stdin = strings.NewReader(det.Content)
 
-	// build request
-	req, err := http.NewRequest(http.MethodPost, e.sigconverterUrl, bytes.NewReader(payload))
-	if err != nil {
-		return "", err
-	}
+	raw, code, runtime, err := e.ExecCommand(cmd)
 
-	req = req.WithContext(ctx)
-	req.Header.Add("Content-Type", "application/json")
+	log.WithFields(log.Fields{
+		"code":     code,
+		"output":   string(raw),
+		"command":  cmd.String(),
+		"execTime": runtime.Seconds(),
+		"error":    err,
+	}).Info("executing sigma cli")
 
-	// send request
-	resp, err := e.MakeRequest(req)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("problem with sigma cli: %w", err)
 	}
-	defer resp.Body.Close()
 
-	rawRule, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
+	query := string(raw)
 
-	if resp.StatusCode < 200 || resp.StatusCode > 299 {
-		return "", fmt.Errorf("sigconverter returned non-200 status code: %d", resp.StatusCode)
+	firstLine := strings.Index(string(raw), "\n")
+	if firstLine != -1 {
+		query = query[firstLine+1:]
 	}
 
-	rule := string(rawRule)
-
-	if strings.HasPrefix(rule, "Error:") {
-		rule = strings.TrimSpace(strings.TrimPrefix(rule, "Error:"))
-		return "", fmt.Errorf("sigconverter returned error: %s", rule)
-	}
+	query = strings.TrimSpace(query)
 
-	elastRule, err := wrapRule(det, rule)
+	elastRule, err := wrapRule(det, query)
 	if err != nil {
 		return "", fmt.Errorf("unable to wrap rule: %w", err)
 	}
@@ -840,3 +816,13 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
 	return http.DefaultClient.Do(req)
 }
+
+func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
+	start := time.Now()
+	output, err = cmd.CombinedOutput()
+	runtime = time.Since(start)
+
+	exitCode = cmd.ProcessState.ExitCode()
+
+	return output, exitCode, runtime, err
+}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index f304deaed..4940475e7 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -9,9 +9,12 @@ import (
 	"archive/zip"
 	"bytes"
 	"context"
+	"errors"
 	"io"
 	"io/fs"
 	"net/http"
+	"os/exec"
+	"slices"
 	"sort"
 	"strings"
 	"testing"
@@ -198,19 +201,28 @@ func TestTimeFrame(t *testing.T) {
 
 func TestSigmaToElastAlertSunnyDay(t *testing.T) {
 	ctrl := gomock.NewController(t)
-
 	mio := mock.NewMockIOManager(ctrl)
-	body := "<eql>"
-	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
-		StatusCode:    http.StatusOK,
-		Body:          io.NopCloser(strings.NewReader(body)),
-		ContentLength: int64(len(body)),
-	}, nil)
+
+	mio.EXPECT().ExecCommand(gomock.Cond(func(x any) bool {
+		cmd := x.(*exec.Cmd)
+
+		if !strings.HasSuffix(cmd.Path, "sigma") {
+			return false
+		}
+
+		if !slices.Contains(cmd.Args, "convert") {
+			return false
+		}
+
+		if cmd.Stdin == nil {
+			return false
+		}
+
+		return true
+	})).Return([]byte("<eql>"), 0, time.Duration(0), nil)
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       "localhost:8000/convert",
-		sigmaConversionTarget: "eql",
-		IOManager:             mio,
+		IOManager: mio,
 	}
 
 	det := &model.Detection{
@@ -248,20 +260,28 @@ soc_pivot: soc_pivot
 
 func TestSigmaToElastAlertError(t *testing.T) {
 	ctrl := gomock.NewController(t)
-
 	mio := mock.NewMockIOManager(ctrl)
-	msg := "something went wrong"
-	body := "Error: " + msg
-	mio.EXPECT().MakeRequest(gomock.Any()).Times(1).Return(&http.Response{
-		StatusCode:    http.StatusOK,
-		Body:          io.NopCloser(strings.NewReader(body)),
-		ContentLength: int64(len(body)),
-	}, nil)
+
+	mio.EXPECT().ExecCommand(gomock.Cond(func(x any) bool {
+		cmd := x.(*exec.Cmd)
+
+		if !strings.HasSuffix(cmd.Path, "sigma") {
+			return false
+		}
+
+		if !slices.Contains(cmd.Args, "convert") {
+			return false
+		}
+
+		if cmd.Stdin == nil {
+			return false
+		}
+
+		return true
+	})).Return([]byte("Error: something went wrong"), 1, time.Duration(0), errors.New("non-zero return"))
 
 	engine := ElastAlertEngine{
-		sigconverterUrl:       "localhost:3000/convert",
-		sigmaConversionTarget: "eql",
-		IOManager:             mio,
+		IOManager: mio,
 	}
 
 	det := &model.Detection{
@@ -276,7 +296,7 @@ func TestSigmaToElastAlertError(t *testing.T) {
 	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
 	assert.Empty(t, wrappedRule)
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, msg)
+	assert.ErrorContains(t, err, "problem with sigma cli")
 }
 
 func TestParseRules(t *testing.T) {
@@ -470,10 +490,7 @@ func TestSyncElastAlert(t *testing.T) {
 				// IndexExistingRules
 				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
 				// sigmaToElastAlert
-				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
-					StatusCode: http.StatusOK,
-					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
-				}, nil)
+				m.EXPECT().ExecCommand(gomock.Any()).Return([]byte("[sigma rule]"), 0, time.Duration(0), nil)
 				// WriteFile when enabling
 				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: '[sigma rule]'\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
 			},
@@ -539,10 +556,7 @@ func TestSyncElastAlert(t *testing.T) {
 				// IndexExistingRules
 				m.EXPECT().ReadDir(mod.elastAlertRulesFolder).Return([]fs.DirEntry{}, nil)
 				// sigmaToElastAlert
-				m.EXPECT().MakeRequest(gomock.Any()).Return(&http.Response{
-					StatusCode: http.StatusOK,
-					Body:       io.NopCloser(strings.NewReader("[sigma rule]")),
-				}, nil)
+				m.EXPECT().ExecCommand(gomock.Any()).Return([]byte("[sigma rule]"), 0, time.Duration(0), nil)
 				// WriteFile when enabling
 				m.EXPECT().WriteFile("10000.yml", []byte("play_title: TEST\nplay_id: \"10000\"\nevent.module: elastalert\nevent.dataset: elastalert.alert\nevent.severity: 3\nrule.category: \"\"\nsigma_level: medium\nalert:\n    - modules.so.playbook-es.PlaybookESAlerter\nindex: .ds-logs-*\nname: TEST - 10000\ntype: any\nfilter:\n    - eql: ([sigma rule]) and TRUE\nplay_url: play_url\nkibana_pivot: kibana_pivot\nsoc_pivot: soc_pivot\n"), fs.FileMode(0644)).Return(nil)
 			},
diff --git a/server/modules/elastalert/mock/mock_iomanager.go b/server/modules/elastalert/mock/mock_iomanager.go
index a1508daf0..30e22c3cb 100644
--- a/server/modules/elastalert/mock/mock_iomanager.go
+++ b/server/modules/elastalert/mock/mock_iomanager.go
@@ -11,7 +11,9 @@ package mock
 import (
 	fs "io/fs"
 	http "net/http"
+	exec "os/exec"
 	reflect "reflect"
+	time "time"
 
 	gomock "go.uber.org/mock/gomock"
 )
@@ -53,6 +55,23 @@ func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
 }
 
+// ExecCommand mocks base method.
+func (m *MockIOManager) ExecCommand(arg0 *exec.Cmd) ([]byte, int, time.Duration, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ExecCommand", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(int)
+	ret2, _ := ret[2].(time.Duration)
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// ExecCommand indicates an expected call of ExecCommand.
+func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
+}
+
 // MakeRequest mocks base method.
 func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/strelka/mock/mock_iomanager.go b/server/modules/strelka/mock/mock_iomanager.go
new file mode 100644
index 000000000..e30a25b2d
--- /dev/null
+++ b/server/modules/strelka/mock/mock_iomanager.go
@@ -0,0 +1,132 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/security-onion-solutions/securityonion-soc/server/modules/strelka (interfaces: IOManager)
+//
+// Generated by this command:
+//
+//	mockgen -destination mock/mock_iomanager.go -package mock . IOManager
+//
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	fs "io/fs"
+	http "net/http"
+	exec "os/exec"
+	reflect "reflect"
+	time "time"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockIOManager is a mock of IOManager interface.
+type MockIOManager struct {
+	ctrl     *gomock.Controller
+	recorder *MockIOManagerMockRecorder
+}
+
+// MockIOManagerMockRecorder is the mock recorder for MockIOManager.
+type MockIOManagerMockRecorder struct {
+	mock *MockIOManager
+}
+
+// NewMockIOManager creates a new mock instance.
+func NewMockIOManager(ctrl *gomock.Controller) *MockIOManager {
+	mock := &MockIOManager{ctrl: ctrl}
+	mock.recorder = &MockIOManagerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIOManager) EXPECT() *MockIOManagerMockRecorder {
+	return m.recorder
+}
+
+// DeleteFile mocks base method.
+func (m *MockIOManager) DeleteFile(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteFile", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteFile indicates an expected call of DeleteFile.
+func (mr *MockIOManagerMockRecorder) DeleteFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteFile", reflect.TypeOf((*MockIOManager)(nil).DeleteFile), arg0)
+}
+
+// ExecCommand mocks base method.
+func (m *MockIOManager) ExecCommand(arg0 *exec.Cmd) ([]byte, int, time.Duration, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ExecCommand", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(int)
+	ret2, _ := ret[2].(time.Duration)
+	ret3, _ := ret[3].(error)
+	return ret0, ret1, ret2, ret3
+}
+
+// ExecCommand indicates an expected call of ExecCommand.
+func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
+}
+
+// MakeRequest mocks base method.
+func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MakeRequest", arg0)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MakeRequest indicates an expected call of MakeRequest.
+func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
+}
+
+// ReadDir mocks base method.
+func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadDir", arg0)
+	ret0, _ := ret[0].([]fs.DirEntry)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadDir indicates an expected call of ReadDir.
+func (mr *MockIOManagerMockRecorder) ReadDir(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadDir", reflect.TypeOf((*MockIOManager)(nil).ReadDir), arg0)
+}
+
+// ReadFile mocks base method.
+func (m *MockIOManager) ReadFile(arg0 string) ([]byte, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadFile", arg0)
+	ret0, _ := ret[0].([]byte)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadFile indicates an expected call of ReadFile.
+func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
+}
+
+// WriteFile mocks base method.
+func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WriteFile", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WriteFile indicates an expected call of WriteFile.
+func (mr *MockIOManagerMockRecorder) WriteFile(arg0, arg1, arg2 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteFile", reflect.TypeOf((*MockIOManager)(nil).WriteFile), arg0, arg1, arg2)
+}
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index e174e0f6f..fb60f9b9b 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -6,19 +6,27 @@
 package strelka
 
 import (
+	"bytes"
 	"context"
 	"io/fs"
 	"net/http"
+	"net/url"
 	"os"
+	"os/exec"
+	"path"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
+	"github.com/go-git/go-git/v5"
 )
 
 type IOManager interface {
@@ -27,13 +35,18 @@ type IOManager interface {
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
 	MakeRequest(*http.Request) (*http.Response, error)
+	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
 }
 
 type StrelkaEngine struct {
-	srv             *server.Server
-	isRunning       bool
-	thread          *sync.WaitGroup
-	yaraRulesFolder string
+	srv                                  *server.Server
+	isRunning                            bool
+	thread                               *sync.WaitGroup
+	communityRulesImportFrequencySeconds int
+	yaraRulesFolder                      string
+	reposFolder                          string
+	rulesRepos                           []string
+	compileYaraPythonScriptPath          string
 	IOManager
 }
 
@@ -51,7 +64,11 @@ func (e *StrelkaEngine) PrerequisiteModules() []string {
 func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
 	e.thread = &sync.WaitGroup{}
 
-	e.yaraRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/conf/strelka/rules")
+	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 600)
+	e.yaraRulesFolder = module.GetStringDefault(config, "yaraRulesFolder", "/opt/so/conf/strelka/rules")
+	e.reposFolder = module.GetStringDefault(config, "reposFolder", "/opt/so/conf/strelka/repos")
+	e.rulesRepos = module.GetStringArrayDefault(config, "rulesRepos", []string{"github.com/Security-Onion-Solutions/securityonion-yara"})
+	e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", "/opt/so/conf/strelka/compile_yara.py")
 
 	return nil
 }
@@ -84,65 +101,269 @@ func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
-func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error) {
-	return nil, nil
+func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, _ []*model.Detection) (errMap map[string]string, err error) {
+	return e.syncDetections(ctx)
 }
 
 func (e *StrelkaEngine) startCommunityRuleImport() {
 	for e.isRunning {
-		time.Sleep(time.Second * 600)
+		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
 		if !e.isRunning {
 			break
 		}
 
 		start := time.Now()
 
-		files, err := e.ReadDir(e.yaraRulesFolder)
+		// read existing repos
+		entries, err := os.ReadDir(e.reposFolder)
 		if err != nil {
-			log.WithError(err).Error("Failed to read yara rules folder")
+			log.WithError(err).Error("Failed to read yara repos folder")
 			continue
 		}
 
-		rules := []*YaraRule{}
-		errors := 0
+		existingRepos := map[string]struct{}{}
 
-		for _, file := range files {
-			ext := filepath.Ext(file.Name())
-			if file.IsDir() || strings.ToLower(ext) != ".yar" {
+		for _, entry := range entries {
+			if !entry.IsDir() {
 				continue
 			}
 
-			filename := e.yaraRulesFolder + "/" + file.Name()
+			existingRepos[entry.Name()] = struct{}{}
+		}
 
-			raw, err := e.ReadFile(filename)
-			if err != nil {
-				log.WithError(err).WithField("file", filename).Error("failed to read yara rule file")
-				errors++
+		upToDate := map[string]struct{}{}
 
+		// pull or clone repos
+		for _, repo := range e.rulesRepos {
+			parser, err := url.Parse(repo)
+			if err != nil {
+				log.WithError(err).WithField("repo", repo).Error("Failed to parse repo URL, doing nothing with it")
 				continue
 			}
 
-			parsed, err := ParseYaraRules(raw)
+			_, lastFolder := path.Split(parser.Path)
+			repoPath := filepath.Join(e.reposFolder, lastFolder)
+
+			if _, ok := existingRepos[lastFolder]; ok {
+				// repo already exists, pull
+				repo, err := git.PlainOpen(repoPath)
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to open repo, doing nothing with it")
+					continue
+				}
+
+				work, err := repo.Worktree()
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to get worktree, doing nothing with it")
+					continue
+				}
+
+				ctx, cancel := context.WithTimeout(e.srv.Context, time.Minute*5)
+
+				err = work.PullContext(ctx, &git.PullOptions{
+					Depth:        1,
+					SingleBranch: true,
+				})
+				if err != nil && err != git.NoErrAlreadyUpToDate {
+					cancel()
+					log.WithError(err).WithField("repo", repo).Error("Failed to pull repo, doing nothing with it")
+					continue
+				}
+				cancel()
+
+				if err == nil {
+					upToDate[repoPath] = struct{}{}
+				}
+			} else {
+				// repo does not exist, clone
+				_, err = git.PlainClone(repoPath, false, &git.CloneOptions{
+					Depth:        1,
+					SingleBranch: true,
+					URL:          repo,
+				})
+				if err != nil {
+					log.WithError(err).WithField("repo", repo).Error("Failed to clone repo, doing nothing with it")
+					continue
+				}
+
+				upToDate[repoPath] = struct{}{}
+			}
+		}
+
+		if len(upToDate) == 0 {
+			// no updates, skip
+			log.Info("All repos are up to date, ending import")
+			continue
+		}
+
+		communityDetections, err := e.srv.Detectionstore.GetAllCommunitySIDs(e.srv.Context, util.Ptr(model.EngineNameStrelka))
+		if err != nil {
+			log.WithError(err).Error("Failed to get all community SIDs")
+			continue
+		}
+
+		// parse *.yar files in repos
+		for repo := range upToDate {
+			err = filepath.WalkDir(repo, func(path string, d fs.DirEntry, err error) error {
+				if err != nil {
+					log.WithError(err).WithField("path", path).Error("Failed to walk path")
+					return nil
+				}
+
+				if d.IsDir() {
+					return nil
+				}
+
+				ext := filepath.Ext(d.Name())
+				if strings.ToLower(ext) != ".yar" {
+					return nil
+				}
+
+				raw, err := e.ReadFile(path)
+				if err != nil {
+					log.WithError(err).WithField("file", path).Error("failed to read yara rule file")
+					return nil
+				}
+
+				parsed, err := ParseYaraRules(raw)
+				if err != nil {
+					log.WithError(err).WithField("file", path).Error("failed to parse yara rule file")
+					return nil
+				}
+
+				for _, rule := range parsed {
+					sev := model.SeverityUnknown
+
+					metaSev, err := strconv.Atoi(rule.Meta.Rest["severity"])
+					if err == nil {
+						metaSev = 0
+					}
+
+					switch {
+					case metaSev >= 1 && metaSev < 20:
+						sev = model.SeverityInformational
+					case metaSev >= 20 && metaSev < 40:
+						sev = model.SeverityLow
+					case metaSev >= 40 && metaSev < 60:
+						sev = model.SeverityMedium
+					case metaSev >= 60 && metaSev < 80:
+						sev = model.SeverityHigh
+					case metaSev >= 80:
+						sev = model.SeverityCritical
+					}
+
+					det := &model.Detection{
+						Engine:      model.EngineNameStrelka,
+						PublicID:    rule.GetID(),
+						Title:       rule.Identifier,
+						Severity:    sev,
+						Content:     rule.String(),
+						IsCommunity: true,
+					}
+
+					comRule, exists := communityDetections[det.PublicID]
+					if exists {
+						det.Id = comRule.Id
+						det.Note = comRule.Note
+						det.IsEnabled = comRule.IsEnabled
+					}
+
+					if rule.Meta.Author != nil {
+						det.Author = *rule.Meta.Author
+					}
+
+					if rule.Meta.Description != nil {
+						det.Description = *rule.Meta.Description
+					}
+
+					if exists {
+						// pre-existing detection, update it
+						det, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
+						if err != nil {
+							log.WithError(err).WithField("det", det).Error("Failed to update detection")
+							continue
+						}
+					} else {
+						// new detection, create it
+						det, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
+						if err != nil {
+							log.WithError(err).WithField("det", det).Error("Failed to create detection")
+							continue
+						}
+					}
+				}
+
+				return nil
+			})
 			if err != nil {
-				log.WithError(err).WithField("file", filename).Error("failed to parse yara rule file")
-				errors++
+				log.WithError(err).WithField("repo", repo).Error("Failed to walk repo")
+				continue
 			}
+		}
 
-			rules = append(rules, parsed...)
+		errMap, err := e.syncDetections(e.srv.Context)
+		if err != nil {
+			log.WithError(err).Error("Failed to sync community detections")
 		}
 
 		log.WithFields(log.Fields{
-			"files":  len(files),
-			"rules":  len(rules),
-			"errors": errors,
-			"exTime": time.Since(start).Seconds(),
-		}).Info("parsed yara community rules")
-
-		_, _ = e.syncCommunityDetections(context.Background(), nil)
+			"errMap": errMap,
+			"time":   time.Since(start).Seconds(),
+		}).Info("synced community detections")
 	}
 }
 
-func (e *StrelkaEngine) syncCommunityDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]error, err error) {
+func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]string, err error) {
+	results, err := e.srv.Detectionstore.Query(ctx, `so_detection.engine:strelka AND so_detection.isEnabled:true AND _index:"*:so-detection"`, -1)
+	if err != nil {
+		return nil, err
+	}
+
+	enabledDetections := map[string]*model.Detection{}
+	for _, det := range results {
+		d := det.(*model.Detection)
+		enabledDetections[d.PublicID] = d
+	}
+
+	filename := filepath.Join(e.yaraRulesFolder, "enabled_rules.yar")
+
+	if len(enabledDetections) == 0 {
+		err = e.DeleteFile(filename)
+		if err != nil && !os.IsNotExist(err) {
+			return nil, err
+		}
+
+		return nil, nil
+	}
+
+	buf := bytes.Buffer{}
+
+	for _, det := range enabledDetections {
+		buf.WriteString(det.Content + "\n")
+	}
+
+	err = e.WriteFile(filename, buf.Bytes(), 0644)
+	if err != nil {
+		return nil, err
+	}
+
+	// compile yara rules
+	cmd := exec.CommandContext(ctx, "python3", e.compileYaraPythonScriptPath, e.yaraRulesFolder)
+
+	raw, code, dur, err := e.ExecCommand(cmd)
+
+	log.WithFields(log.Fields{
+		"command":  cmd.String(),
+		"output":   string(raw),
+		"code":     code,
+		"execTime": dur.Seconds(),
+		"error":    err,
+	}).Info("yara compilation results")
+
+	if err != nil {
+		return nil, err
+	}
+
 	return nil, nil
 }
 
@@ -170,3 +391,13 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
 	return http.DefaultClient.Do(req)
 }
+
+func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
+	start := time.Now()
+	output, err = cmd.CombinedOutput()
+	runtime = time.Since(start)
+
+	exitCode = cmd.ProcessState.ExitCode()
+
+	return output, exitCode, runtime, err
+}
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
new file mode 100644
index 000000000..cdc26a1b3
--- /dev/null
+++ b/server/modules/strelka/strelka_test.go
@@ -0,0 +1,130 @@
+package strelka
+
+import (
+	"context"
+	"io/fs"
+	"os/exec"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka/mock"
+	"github.com/tj/assert"
+	"go.uber.org/mock/gomock"
+)
+
+const simpleRule = `rule dummy {
+	condition:
+	  false
+}`
+
+func TestStrelkaModule(t *testing.T) {
+	srv := &server.Server{
+		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+	}
+	mod := NewStrelkaEngine(srv)
+
+	assert.Implements(t, (*module.Module)(nil), mod)
+	assert.Implements(t, (*server.DetectionEngine)(nil), mod)
+
+	err := mod.Init(nil)
+	assert.NoError(t, err)
+
+	err = mod.Start()
+	assert.NoError(t, err)
+
+	assert.True(t, mod.IsRunning())
+
+	err = mod.Stop()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(srv.DetectionEngines))
+	assert.Same(t, mod, srv.DetectionEngines[model.EngineNameStrelka])
+}
+
+func TestSyncSuricata(t *testing.T) {
+	table := []struct {
+		Name           string
+		InitMock       func(*servermock.MockDetectionstore, *mock.MockIOManager)
+		ExpectedErr    error
+		ExpectedErrMap map[string]string
+	}{
+		{
+			Name: "Enable Simple Rules",
+			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
+				mockDetStore.EXPECT().Query(gomock.Any(), gomock.Any(), gomock.Any()).Return([]interface{}{
+					&model.Detection{
+						PublicID:  "1",
+						Engine:    model.EngineNameStrelka,
+						Content:   simpleRule,
+						IsEnabled: true,
+					},
+					&model.Detection{
+						PublicID:  "2",
+						Engine:    model.EngineNameStrelka,
+						Content:   simpleRule,
+						IsEnabled: true,
+					},
+				}, nil)
+
+				mio.EXPECT().WriteFile(gomock.Any(), []byte(simpleRule+"\n"+simpleRule+"\n"), fs.FileMode(0644)).Return(nil)
+
+				mio.EXPECT().ExecCommand(gomock.Cond(func(c any) bool {
+					cmd := c.(*exec.Cmd)
+
+					if !strings.HasSuffix(cmd.Path, "python3") {
+						return false
+					}
+
+					if slices.Equal(cmd.Args, []string{"compileYaraPythonScriptPath", "yaraRulesFolder"}) {
+						return false
+					}
+
+					return true
+				})).Return([]byte{}, 0, time.Duration(0), nil)
+			},
+		},
+		{
+			Name: "No Enabled Rules",
+			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
+				mockDetStore.EXPECT().Query(gomock.Any(), gomock.Any(), gomock.Any()).Return([]interface{}{}, nil)
+				mio.EXPECT().DeleteFile("yaraRulesFolder/enabled_rules.yar").Return(nil)
+			},
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			ctrl := gomock.NewController(t)
+			mockDetStore := servermock.NewMockDetectionstore(ctrl)
+			mio := mock.NewMockIOManager(ctrl)
+
+			mod := NewStrelkaEngine(&server.Server{
+				DetectionEngines: map[model.EngineName]server.DetectionEngine{},
+				Detectionstore:   mockDetStore,
+			})
+			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
+			mod.IOManager = mio
+
+			mod.compileYaraPythonScriptPath = "compileYaraPythonScriptPath"
+			mod.yaraRulesFolder = "yaraRulesFolder"
+
+			test.InitMock(mockDetStore, mio)
+
+			errMap, err := mod.SyncLocalDetections(ctx, nil)
+
+			assert.Equal(t, test.ExpectedErr, err)
+			assert.Equal(t, test.ExpectedErrMap, errMap)
+		})
+	}
+}
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index e2a0f8b3c..fc6663286 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -7,6 +7,7 @@ package strelka
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"sort"
@@ -32,6 +33,7 @@ type YaraRule struct {
 }
 
 type Metadata struct {
+	ID          *string
 	Author      *string
 	Date        *string
 	Version     *string
@@ -47,6 +49,8 @@ func (md *Metadata) IsEmpty() bool {
 func (md *Metadata) Set(key, value string) {
 	key = strings.ToLower(key)
 	switch key {
+	case "id":
+		md.ID = util.Ptr(value)
 	case "author":
 		md.Author = util.Ptr(value)
 	case "date":
@@ -65,6 +69,24 @@ func (md *Metadata) Set(key, value string) {
 	}
 }
 
+func (rule *YaraRule) GetID() string {
+	if rule.Meta.Rest["id"] != "" {
+		return *rule.Meta.ID
+	}
+
+	hash := sha256.Sum256([]byte(rule.Identifier))
+
+	hash[6] = 0x40 | (hash[6] & 0x0f)
+	hash[8] = 0x80 | (hash[8] & 0x3f)
+	id := fmt.Sprintf("%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+		hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8],
+		hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15])
+
+	rule.Meta.ID = util.Ptr(id)
+
+	return id
+}
+
 func ParseYaraRules(data []byte) ([]*YaraRule, error) {
 	rules := []*YaraRule{}
 	rule := &YaraRule{}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 281a1cd03..207a62798 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -92,7 +92,7 @@ func (s *SuricataEngine) watchCommunityRules() {
 	ctx := s.srv.Context
 
 	for s.isRunning {
-		time.Sleep(time.Second * time.Duration(s.communityRulesImportFrequencySeconds))
+		time.Sleep(time.Duration(s.communityRulesImportFrequencySeconds) * time.Second)
 		if !s.isRunning {
 			break
 		}

From 43f134fb34b19788e008cb682b84e1d259bb112c Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 30 Jan 2024 13:14:58 -0700
Subject: [PATCH 077/102] WIP: Fix Suricata Parser Bug

Fixed a bug where 2 slashes before ending a string resulted in the parser not recognizing that the string terminated.

Updated "Parentheses in Unquoted Option" test to also test this case.
---
 server/modules/suricata/suricata_test.go | 2 +-
 server/modules/suricata/validate.go      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index c1eea1de4..a3d8a6bc5 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -263,7 +263,7 @@ func TestValidate(t *testing.T) {
 		},
 		{
 			Name:  "Parentheses in Unquoted Option",
-			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
+			Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)\\"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
 		},
 		{
 			Name:  "Unescaped Double Quote in PCRE Option",
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 33ddf0b09..fcb16a752 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -142,7 +142,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 						inQuotes = !inQuotes
 					}
 				}
-			} else if ch == '\\' {
+			} else if ch == '\\' && !isEscaping {
 				isEscaping = true
 				buf.WriteRune(ch)
 			} else {

From 95b3deee47c2228da0bcba38ae106f2bafb014f6 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 31 Jan 2024 10:43:44 -0700
Subject: [PATCH 078/102] WIP: Cleanup

At one point detections was piggy backing off of CaseStore and some functions were added to fill out the interface's changes. Since then, detections have their own store and these filler functions are no longer needed.
---
 .../modules/elasticcases/elasticcasestore.go  | 20 -------------------
 server/modules/generichttp/httpcasestore.go   | 20 -------------------
 server/modules/thehive/thehivecasestore.go    | 20 -------------------
 3 files changed, 60 deletions(-)

diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index f41d09181..4250e0a6c 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -144,23 +144,3 @@ func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *ElasticCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *ElasticCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 1fac51103..69c256901 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -149,23 +149,3 @@ func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (*
 func (store *HttpCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *HttpCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *HttpCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 99ad5041f..44a5cf3a5 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -141,23 +141,3 @@ func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string)
 func (store *TheHiveCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
 	return errors.New("Unsupported operation by this module")
 }
-
-func (store *TheHiveCasestore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) GetDetection(ctx context.Context, detectId string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) UpdateDetectionField(context.Context, string, string, any) (*model.Detection, bool, error) {
-	return nil, false, errors.New("Unsupported operation by this module")
-}
-
-func (store *TheHiveCasestore) DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error) {
-	return nil, errors.New("Unsupported operation by this module")
-}

From b9efd279c5750176f55c5e140192cc2a0cdde606 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 31 Jan 2024 15:31:16 -0700
Subject: [PATCH 079/102] WIP: First pass at including sigma-cli in the
 dockerfile

---
 Dockerfile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2b1408e12..34d5a538d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@
 
 FROM ghcr.io/security-onion-solutions/golang:1.21.5-alpine as builder
 ARG VERSION=0.0.0
-RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv
+RUN apk update && apk add libpcap-dev bash git musl-dev gcc npm python3 py3-pip py3-virtualenv python3-dev openssl-dev linux-headers
 COPY . /build
 WORKDIR /build
 RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
@@ -22,6 +22,8 @@ RUN if [ "$VERSION" != "0.0.0" ]; then mkdir gitdocs && cd gitdocs && \
 RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
+RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
 ARG UID=939
@@ -30,7 +32,7 @@ ARG VERSION=0.0.0
 ARG ELASTIC_VERSION=0.0.0
 ARG WAZUH_VERSION=0.0.0
 
-RUN apt update -y 
+RUN apt update -y
 RUN apt install -y bash tzdata ca-certificates wget curl tcpdump unzip tshark
 RUN update-ca-certificates
 RUN addgroup --gid "$GID" socore
@@ -46,6 +48,8 @@ COPY --from=builder /build/LICENSE .
 COPY --from=builder /build/README.md .
 COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
+COPY --from=builder /usr/bin/sigma /usr/bin/sigma
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*
 RUN chown 939:939 scripts/*

From 9c6dd15caa397284268415ae83b56b1a6d91334a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 1 Feb 2024 09:46:40 -0700
Subject: [PATCH 080/102] WIP: Remove Custom Config, Suricata Community Rules
 Start Disabled

Was overloading config values for easier development. Removed for a cleaner install to Kilo.

Suricata community rules seen for the first time are now disabled by default. Updated test to notice this change.
---
 config/config.go                         | 21 ---------------------
 server/modules/suricata/suricata.go      |  1 -
 server/modules/suricata/suricata_test.go |  2 --
 3 files changed, 24 deletions(-)

diff --git a/config/config.go b/config/config.go
index 07d29a383..9a740d85a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,26 +45,5 @@ func LoadConfig(filename string, version string, buildTime time.Time) (*Config,
 		}
 	}
 
-	// TODO: remove when put in config file
-	cfg.Server.Modules["suricataengine"] = map[string]interface{}{
-		"communityRulesFile":   "/nsm/rules/suricata/emerging-all.rules",
-		"rulesFingerprintFile": "/tmp/socdev/so/conf/soc/emerging-all.fingerprint", // "/opt/so/conf/soc/emerging-all.fingerprint",
-	}
-
-	cfg.Server.Modules["elastalertengine"] = map[string]interface{}{
-		"communityRulesImportFrequencySeconds": float64(61), // not a recommended value, I'm impatient
-		"elastAlertRulesFolder":                "/tmp/socdev/so/rules/elastalert",
-		"rulesFingerprintFile":                 "/tmp/socdev/so/conf/soc/sigma.fingerprint",
-		"sigmaRulePackages":                    "all",
-		"sigconverterUrl":                      "http://localhost:8000/sigma",
-	}
-
-	cfg.Server.Modules["strelkaengine"] = map[string]interface{}{
-		"yaraRulesFolder":             "/tmp/socdev/so/conf/strelka/rules",
-		"reposFolder":                 "/tmp/socdev/so/conf/strelka/repos",
-		"rulesRepos":                  []interface{}{"https://github.com/Security-Onion-Solutions/securityonion-yara"},
-		"compileYaraPythonScriptPath": "/tmp/socdev/so/conf/strelka/compile_yara.py",
-	}
-
 	return cfg, err
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 207a62798..fe0860aa4 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -277,7 +277,6 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 			Title:       title,
 			Severity:    severity,
 			Content:     line,
-			IsEnabled:   true, // is this true?
 			IsCommunity: true,
 			Engine:      model.EngineNameSuricata,
 		})
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index a3d8a6bc5..1d11c507f 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -317,7 +317,6 @@ func TestParse(t *testing.T) {
 					Title:       `GPL ATTACK_RESPONSE id check returned root`,
 					Severity:    model.SeverityUnknown,
 					Content:     SimpleRule,
-					IsEnabled:   true,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
 				},
@@ -326,7 +325,6 @@ func TestParse(t *testing.T) {
 					Title:       `a "tricky";\ msg`,
 					Severity:    model.SeverityInformational,
 					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
-					IsEnabled:   true,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
 				},

From 159ff6407af68f3a09af5b2393f8d6f8e9a5b938 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 1 Feb 2024 14:39:37 -0700
Subject: [PATCH 081/102] WIP: Fix Sigma Shebang, Copy Site-Packages to New
 Location

This should help fix issues with soc running sigma.
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 34d5a538d..e19d4aff3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,7 @@ RUN npm install jest jest-environment-jsdom --global
 RUN ./build.sh "$VERSION"
 
 RUN pip3 install sigma-cli pysigma-backend-elasticsearch pysigma-pipeline-windows yara-python --break-system-packages
+RUN sed -i 's/#!\/usr\/bin\/python3/#!\/usr\/bin\/env python/g' /usr/bin/sigma
 
 FROM ghcr.io/security-onion-solutions/python:3-slim
 
@@ -48,7 +49,7 @@ COPY --from=builder /build/LICENSE .
 COPY --from=builder /build/README.md .
 COPY --from=builder /build/sensoroni.json .
 COPY --from=builder /build/gitdocs/_build/html ./html/docs
-COPY --from=builder /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
+COPY --from=builder /usr/lib/python3.11/site-packages /usr/local/lib/python3.9/site-packages
 COPY --from=builder /usr/bin/sigma /usr/bin/sigma
 RUN find html/js -name "*test*.js" -delete
 RUN chmod u+x scripts/*

From 0f203442f11439805f7311d506e6a4996a0c32a8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 2 Feb 2024 11:42:26 -0700
Subject: [PATCH 082/102] WIP: Removed Hardcoded Config Values

Moved hardcoded config values to the config in securityonion.
---
 server/infohandler.go | 109 ------------------------------------------
 1 file changed, 109 deletions(-)

diff --git a/server/infohandler.go b/server/infohandler.go
index 2295806e4..783c41e81 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -11,7 +11,6 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/web"
@@ -62,113 +61,5 @@ func (h *InfoHandler) getInfo(w http.ResponseWriter, r *http.Request) {
 		SrvToken:       srvToken,
 	}
 
-	{
-		detections := &info.Parameters.DetectionsParams
-
-		detections.ViewEnabled = true
-		detections.CreateLink = "/detection/create"
-		detections.EventFetchLimit = 500
-		detections.EventItemsPerPage = 50
-		detections.GroupFetchLimit = 50
-		detections.MostRecentlyUsedLimit = 5
-		detections.SafeStringMaxLength = 100
-		detections.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:detection"
-		detections.EventFields = map[string][]string{
-			"default": {
-				"so_detection.title",
-				"so_detection.isEnabled",
-				"so_detection.engine",
-				"@timestamp",
-			},
-		}
-		detections.Queries = []*config.HuntingQuery{
-			{
-				Name:  "All",
-				Query: "_id:*",
-			},
-			{
-				Name:  "Local Rules",
-				Query: "* AND so_detection.isCommunity:false",
-			},
-			{
-				Name:  "Enabled",
-				Query: "so_detection.isEnabled:true",
-			},
-			{
-				Name:  "Disabled",
-				Query: "so_detection.isEnabled:false",
-			},
-			{
-				Name:  "Suricata",
-				Query: "so_detection.engine:suricata",
-			},
-			{
-				Name:  "ElastAlert",
-				Query: "so_detection.engine:elastalert",
-			},
-			{
-				Name:  "Suricata Enabled",
-				Query: "so_detection.engine:suricata AND so_detection.isEnabled:true",
-			},
-			{
-				Name:  "Suricata Disabled",
-				Query: "so_detection.engine:suricata AND so_detection.isEnabled:false",
-			},
-			{
-				Name:  "ElastAlert Enabled",
-				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:true",
-			},
-			{
-				Name:  "ElastAlert Disabled",
-				Query: "so_detection.engine:elastalert AND so_detection.isEnabled:false",
-			},
-		}
-	}
-
-	{
-		detection := &info.Parameters.DetectionParams
-
-		detection.Presets = map[string]config.PresetParameters{
-			"severity": {
-				CustomEnabled: false,
-				Labels:        []string{"unknown", "informational", "low", "medium", "high", "critical"},
-			},
-			"engine": {
-				CustomEnabled: false,
-				Labels:        []string{"suricata", "elastalert"},
-			},
-		}
-
-		detection.SeverityTranslations = map[string]string{
-			// informational and critical already map correctly
-			"minor": "low",
-			"major": "high",
-		}
-	}
-
-	{
-		playbooks := &info.Parameters.PlaybooksParams
-
-		playbooks.ViewEnabled = true
-		playbooks.CreateLink = "/playbook/create"
-		playbooks.EventFetchLimit = 500
-		playbooks.EventItemsPerPage = 50
-		playbooks.GroupFetchLimit = 50
-		playbooks.MostRecentlyUsedLimit = 5
-		playbooks.QueryBaseFilter = "_index:\"*:so-detection\" AND so_kind:playbook"
-		playbooks.SafeStringMaxLength = 100
-		playbooks.Queries = []*config.HuntingQuery{
-			{Query: "*"},
-		}
-		playbooks.EventFields = map[string][]string{
-			"default": {
-				"soc_timestamp",
-				"so_playbook.title",
-				"so_playbook.publicId",
-				"so_playbook.mechanism",
-			},
-		}
-	}
-
 	web.Respond(w, r, http.StatusOK, info)
 }

From ac389ef3c20123819cbd6bf8899c5faa41d0da68 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 2 Feb 2024 12:16:01 -0700
Subject: [PATCH 083/102] WIP: Detection History

Previous versions of a Detection's history are now presented in the History tab. With Refresh, Sort, Search, and Details.
---
 html/index.html                               | 172 +++++++++++++++++-
 html/js/i18n.js                               |   7 +-
 html/js/routes/detection.js                   |  55 +++++-
 server/detectionhandler.go                    |  19 ++
 server/detectionstore.go                      |   1 +
 server/mock/mock_detectionstore.go            |  15 ++
 .../modules/elastic/elasticdetectionstore.go  |   7 +
 7 files changed, 269 insertions(+), 7 deletions(-)

diff --git a/html/index.html b/html/index.html
index da5fdb76e..8c725b65e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1376,9 +1376,173 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 </div>
               </v-tab-item>
               <v-tab-item value="history">
-                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  Coming Soon!
-                </div>
+                <v-row>
+                  <v-col>
+                    <v-toolbar class="elevation-0" fixed>
+                      <v-btn :title="i18n.refreshDetectionHistoryHelp" color="secondary" @click.stop="loadHistory()" id="refresh-history-button">
+                        <v-icon>fa-sync</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                  </v-col>
+                </v-row>
+                <!-- <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;"> -->
+                  <v-text-field v-model="historyTableOpts.search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="historyTable" :sort-by.sync="historyTableOpts.sortBy" :sort-desc.sync="historyTableOpts.sortDesc" :items-per-page.sync="historyTableOpts.itemsPerPage"
+                    :search="historyTableOpts.search" :footer-props="historyTableOpts.footerProps" must-sort :headers="historyTableOpts.headers"
+                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table">
+                    <template v-slot:item="props">
+                      <tr>
+                        <td class="associated actions">
+                          <v-btn :id="`history-${props.index}-expand`" icon small @click="expandRow(props.item)">
+                            <v-icon v-if="isExpanded(props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded(props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>
+                        <td class="associated">
+                          <v-avatar color="primary" class="mr-2 white--text" size="28">
+                            <div class="font-weight-bold" :title="props.item.owner">
+                              {{ $root.getAvatar(props.item.owner) }}
+                            </div>
+                          </v-avatar>
+                          {{ props.item.owner }}
+                        </td>
+                        <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="associated">
+                          <v-icon>fa-magnifying-glass</v-icon>
+                          <span class="rounded ml-2">{{ props.item.kind }}</span>
+                        </td>
+                        <td class="associated">
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.create.toLowerCase()">fa-plus</v-icon>
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.delete.toLowerCase()">fa-circle-xmark</v-icon>
+                          <v-icon v-if="props.item.operation.toLowerCase() == i18n.update.toLowerCase()">fa-pencil-alt</v-icon>
+                          <span class="rounded ml-2">{{ props.item.operation }}</span>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td colspan="5" class="case">
+                          <div class="mt-2">
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.id }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.id }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.kind }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.kind }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.operation }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.operation }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateCreated }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.createTime | formatDateTime }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateModified }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.updateTime | formatDateTime }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.title }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.title }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.description }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.author }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.author }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.enabled }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isEnabled ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.community }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isCommunity ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.reporting }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.isReporting ? 'True' : 'False' }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.severity }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.severity }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.engine }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.engine }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.content }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.content }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.note }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.note }}</span></v-col>
+                            </v-row>
+                          </div>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
+                            <div class="mr-1">
+                              {{ props.item.owner }}
+                            </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
+                            </div>
+                            <div>
+                              {{ props.item.updateTime | formatDateTime }}
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadHistory()"></v-btn>
+                  </div>
+                <!-- </div> -->
               </v-tab-item>
             </v-tabs>
           </div>
@@ -3096,7 +3260,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-row>
                     <v-col>
                       <v-toolbar class="elevation-0" fixed>
-                        <v-btn :title="i18n.refreshHistoryHelp" color="secondary" @click.stop="reloadAssociation('history', true)" id="refresh-history-button">
+                        <v-btn :title="i18n.refreshCaseHistoryHelp" color="secondary" @click.stop="reloadAssociation('history', true)" id="refresh-history-button">
                           <v-icon>fa-sync</v-icon>
                         </v-btn>
                       </v-toolbar>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index b1c5109cc..27f90e37e 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -173,6 +173,7 @@ const i18n = {
       commentHours: 'Work Hours',
       commentHoursHelp: 'Hours spent working on this update (leave blank for 0 hours)',
       commentRequired: 'Comments cannot be empty.',
+      community: 'Community',
       completed: 'Completed',
       config: 'Configuration',
       configTitle: 'Grid Configuration',
@@ -211,6 +212,7 @@ const i18n = {
       configQLZeekThreads: 'Change number of Zeek workers (threads)',
       container: 'Container',
       containerStatus: 'Container Status',
+      content: 'Content',
       continue: 'Would you like to continue?',
       contributors: 'Contributors',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
@@ -298,6 +300,7 @@ const i18n = {
       emailRequired: 'An email address must be specified.',
       enable: 'Enable',
       enabled: 'Enabled',
+      enabledLabel: 'Enabled:',
       endTime: 'Filter End',
       endTimeHelp: 'Filter end time in RFC 3339 format (Ex: 2020-10-16 15:30:00.230-04:00). Unused for imported PCAPs.',
       engine: 'Engine',
@@ -603,10 +606,11 @@ const i18n = {
       redisQueueSize: 'Redis Queue Size',
       refresh: 'Refresh',
       refreshAttachmentsHelp: 'Refresh to view all recently added attachments for this case.',
+      refreshCaseHistoryHelp: 'Refresh to view the latest history for this case.',
+      refreshDetectionHistoryHelp: 'Refresh to view the latest history for this detection.',
       refreshCommentsHelp: 'Refresh to view all recently added comments for this case.',
       refreshObservablesHelp: 'Refresh to view all recently added observables for this case.',
       refreshEventsHelp: 'Refresh to view all recently escalated events for this case.',
-      refreshHistoryHelp: 'Refresh to view the latest history for this case.',
       regex: 'Regex',
       reject: 'Reject',
       rejected: 'Rejected',
@@ -763,6 +767,7 @@ const i18n = {
       timestampFormat: 'YYYY-MM-DD HH:mm:ss.SSS Z',
       timezone: 'Time Zone:',
       timezoneHelp: 'Time Zone',
+      title: 'Title',
       toggleLegend: 'Toggle Legend',
       toolCyberchef: 'CyberChef',
       toolCyberchefHelp: 'Data decoding and transformation tools',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 47f4d1a7c..7178ec8e1 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -72,6 +72,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			{ value: 'limit', text: 'Limit' },
 			{ value: 'both', text: 'Both' }
 		],
+		historyTableOpts: {
+			sortBy: 'updateTime',
+			sortDesc: false,
+			search: '',
+			headers: [
+				{ text: this.$root.i18n.actions, width: '10.0em' },
+				{ text: this.$root.i18n.username, value: 'owner' },
+				{ text: this.$root.i18n.time, value: 'updateTime' },
+				{ text: this.$root.i18n.kind, value: 'kind' },
+				{ text: this.$root.i18n.operation, value: 'operation' },
+			],
+			itemsPerPage: 10,
+			footerProps: { 'items-per-page-options': [10,50,250,1000] },
+			count: 500,
+			expanded: [],
+			loading: false,
+		},
+		history: [],
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -126,6 +144,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.$route.params.id));
 				this.detect = response.data;
 				this.tagOverrides();
+				this.loadAssociations();
 			} catch (error) {
 				if (error.response != undefined && error.response.status == 404) {
 					this.$root.showError(this.i18n.notFound);
@@ -136,6 +155,17 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.$root.stopLoading();
 		},
+		loadAssociations() {
+			this.loadHistory();
+		},
+		async loadHistory() {
+			const route = this;
+			const id = route.$route.params.id;
+			const response = await this.$root.papi.get(`detection/${id}/history`);
+			if (response && response.data) {
+				this.history = response.data;
+			}
+		},
 		getDefaultPreset(preset) {
 			if (this.presets) {
 				const presets = this.presets[preset];
@@ -632,6 +662,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 						}
 					}
 				}
+			} else if (this.detect.engine === 'strelka') {
+				return false;
 			}
 
 			return true;
@@ -641,10 +673,29 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				for (let i = 0; i < this.detect.overrides.length; i++) {
 					this.detect.overrides[i].index = i;
 				}
+			} else {
+				this.detect.overrides = [];
 			}
 		},
-		print(x) {
-			console.log(x);
+		isExpanded(row) {
+			const expanded = this.historyTableOpts.expanded;
+			for (var i = 0; i < expanded.length; i++) {
+				if (expanded[i].id == row.id) {
+					return true;
+				}
+			}
+			return false;
 		},
+		async expandRow(row) {
+			const expanded = this.historyTableOpts.expanded;
+			for (var i = 0; i < expanded.length; i++) {
+				if (expanded[i].id == row.id) {
+					expanded.splice(i, 1);
+					return;
+				}
+			}
+
+			expanded.push(row);
+		}
 	}
 }});
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index e3c530ded..c38d73f71 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -42,6 +42,8 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Post("/", h.postDetection)
 		r.Post("/{id}/duplicate", h.duplicateDetection)
 
+		r.Get("/{id}/history", h.getDetectionHistory)
+
 		r.Put("/", h.putDetection)
 
 		r.Delete("/{id}", h.deleteDetection)
@@ -115,6 +117,23 @@ func (h *DetectionHandler) postDetection(w http.ResponseWriter, r *http.Request)
 	web.Respond(w, r, http.StatusOK, detect)
 }
 
+func (h *DetectionHandler) getDetectionHistory(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	id := chi.URLParam(r, "id")
+	if id == "" {
+		id = r.URL.Query().Get("id")
+	}
+
+	obj, err := h.server.Detectionstore.GetDetectionHistory(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
+
 func (h *DetectionHandler) duplicateDetection(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
diff --git a/server/detectionstore.go b/server/detectionstore.go
index af5184dc7..c73416b7e 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -20,6 +20,7 @@ type Detectionstore interface {
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
+	GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error)
 }
 
 //go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 1d30b4a46..60cf76910 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -99,6 +99,21 @@ func (mr *MockDetectionstoreMockRecorder) GetDetection(arg0, arg1 any) *gomock.C
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetection", reflect.TypeOf((*MockDetectionstore)(nil).GetDetection), arg0, arg1)
 }
 
+// GetDetectionHistory mocks base method.
+func (m *MockDetectionstore) GetDetectionHistory(arg0 context.Context, arg1 string) ([]any, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDetectionHistory", arg0, arg1)
+	ret0, _ := ret[0].([]any)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetDetectionHistory indicates an expected call of GetDetectionHistory.
+func (mr *MockDetectionstoreMockRecorder) GetDetectionHistory(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDetectionHistory", reflect.TypeOf((*MockDetectionstore)(nil).GetDetectionHistory), arg0, arg1)
+}
+
 // Query mocks base method.
 func (m *MockDetectionstore) Query(arg0 context.Context, arg1 string, arg2 int) ([]any, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 842514c42..6cde993f5 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -457,6 +457,13 @@ func (store *ElasticDetectionstore) GetAllCommunitySIDs(ctx context.Context, eng
 	return sids, nil
 }
 
+func (store *ElasticDetectionstore) GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error) {
+	query := fmt.Sprintf(`_index:"%s" AND %s%s:"%s" | sortby @timestamp^`, store.auditIndex, store.schemaPrefix, AUDIT_DOC_ID, detectID)
+	history, err := store.Query(ctx, query, store.maxAssociations)
+
+	return history, err
+}
+
 func (store *ElasticDetectionstore) audit(ctx context.Context, document map[string]interface{}, id string) error {
 	var err error
 

From 21fef2ba2632aee05c5dcb6dbadf0616536d8408 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 6 Feb 2024 13:33:31 -0700
Subject: [PATCH 084/102] WIP: UI Changes

Updated the Detection Overview tab.

Fixed an issue where some strelka metadata was coming through quoted. Added tests for new approach.

Next step: add some missing data to the model, conversion process, and validation process so we can finish the Overview tab.
---
 html/css/app.css                   |  61 ++++++++++
 html/index.html                    | 174 +++++++++++++++++++++--------
 html/js/routes/detection.js        | 131 +++++++++++++++++++++-
 server/modules/strelka/strelka.go  |   6 +-
 server/modules/strelka/validate.go |   1 +
 util/strings.go                    |  13 +++
 util/strings_test.go               |  67 +++++++++++
 7 files changed, 402 insertions(+), 51 deletions(-)
 create mode 100644 util/strings.go
 create mode 100644 util/strings_test.go

diff --git a/html/css/app.css b/html/css/app.css
index c246c1192..8703f0bb3 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -533,3 +533,64 @@ td {
 .detection-hunt-btn {
   margin-top: 20px;
 }
+
+.summary-backdrop {
+  background-color: rgb(53, 53, 53);
+  border-radius: 4px;
+}
+
+.summary-backdrop > div {
+  background-color: #2a2a2a;
+  border-radius: 4px;
+  padding: 16px;
+}
+
+.header {
+  font-size: 1.3em;
+  font-weight: bold;
+}
+
+.header:not(:first-child) {
+  margin-top: 16px;
+}
+
+.extracted-content {
+  background-color: #404040;
+  border-radius: 4px;
+  padding: 8px;
+}
+
+.extracted-content > pre {
+  text-wrap: wrap;
+}
+
+.detect-reference {
+  font-size: small;
+  display: table;
+  width: 100%;
+}
+
+.detect-reference > div {
+  display: table-row;
+}
+
+.detect-reference > div > div {
+  display: table-cell;
+  padding: 0 4px;
+}
+
+.detect-reference .key {
+  font-weight: bold;
+  text-align: right;
+}
+
+.ops-header {
+  font-weight: bold;
+  margin-top: 16px;
+}
+
+.ops-value > .v-input--selection-controls {
+  margin-top: 0 !important;
+  padding-top: 0 !important;
+  height: 24px !important;
+}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index 8c725b65e..cfd2d4340 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1047,23 +1047,23 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
             <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
-                <v-icon left>fa-clipboard</v-icon>
-                <div class="d-none d-lg-block">Summary</div>
-              </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
-                <v-icon left>fa-signature</v-icon>
-                <div class="d-none d-lg-block">Signature</div>
+                <v-icon left>fa-comments</v-icon>
+                <div class="d-none d-lg-block">Overview</div>
               </v-tab>
               <v-tab id="detection_notesTab" href="#notes">
-                <v-icon left>fa-pencil</v-icon>
-                <div class="d-none d-lg-block">Notes</div>
+                <v-icon left>fa-paperclip</v-icon>
+                <div class="d-none d-lg-block">Operational Notes</div>
+              </v-tab>
+              <v-tab id="detection_signatureTab" href="#signature">
+                <v-icon left>fa-eye</v-icon>
+                <div class="d-none d-lg-block">Detection Source</div>
               </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
                 <div class="d-none d-lg-block">Investigative Playbook</div>
               </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
-                <v-icon left>fa-wrench</v-icon>
+                <v-icon left>fa-link</v-icon>
                 <div class="d-none d-lg-block">Tuning</div>
               </v-tab>
               <v-tab id="detection_historyTab" href="#history">
@@ -1072,22 +1072,39 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab>
 
               <v-tab-item value="summary">
-                <div class="col pt-5" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
+                <div class="col pt-5 summary-backdrop">
                   <div>
-                    <!-- Description -->
+                    <div class="header">Summary</div>
+                    <div v-if="detect.description">
+                      {{detect.description}}
+                    </div>
+                    <div v-else>
+                      {{detect.title}}
+                    </div>
+                    <div class="header">References</div>
+                    <div>
+                      <div v-for="r in extractedReferences">
+                        <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
+                        <span v-else>{{r.value}}</span>
+                      </div>
+                    </div>
+                    <div class="header">Signature</div>
+                    <div class="extracted-content">
+                      <pre>{{extractedLogic}}</pre>
+                    </div>
+                  </div>
+                  <!-- <div>
                     <span class="font-weight-bold">{{i18n.description}}:</span><br/>
                     <span id="detection-description" @click="startEdit('detection-description', 'description')" v-if="!isEdit('detection-description')">{{ detect.description }}</span>
                     <v-textarea id="detection-description-edit" v-else hide-details="auto" outlined v-model="detect.description" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.detectionDescription" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)" auto-grow rows="5"></v-textarea>
                   </div>
-                  <!-- Engine -->
                   <v-select id="detection-engine-edit" v-model="detect.engine" :readonly="detect.isCommunity" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
-                  <!-- Author -->
                   <v-text-field id="detection-author-edit" v-model="detect.author" :readonly="detect.isCommunity" :rules="requestRules([rules.required])" persistent-hint :hint="i18n.author" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"></v-text-field>
-                  <!-- Severity -->
+
                   <v-select id="detection-severity-edit" class="text-capitalize" :readonly="detect.isCommunity" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.severity" @change="stopEdit(true)" v-on:keyup.esc="stopEdit(false)"/>
-                  <!-- Enabled -->
+
                   <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/>
-                  <!-- Reporting -->
+
                   <v-checkbox id="detection-reporting-edit" v-model="detect.isReporting" @change="stopEdit(true)" :label="i18n.reporting"/>
                 </div>
                 <div class="d-flex justify-end text-body-2 mt-2">
@@ -1099,41 +1116,41 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                       {{i18n.delete}}
                     </v-btn>
                   </div>
-                </div>
+                </div> -->
               </v-tab-item>
-              <v-tab-item value="signature">
+              <v-tab-item value="notes">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
-                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
-                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
-                    </template>
-                  </v-text-field>
-                  <!-- Signature -->
-                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
+                  <!-- Notes -->
+                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
                 </div>
               </v-tab-item>
-              <v-tab-item value="notes">
+              <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- Notes -->
-                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
+                  <!-- PublicID -->
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                    <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
+                      <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
+                    </template>
+                  </v-text-field>
+                  <!-- Signature -->
+                  <v-textarea class="config-editor mt-2" :readonly="detect.isCommunity" outlined v-model="detect.content" auto-grow rows="15" />
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
                     <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
+                    <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
                       {{i18n.update}}
                     </v-btn>
                   </div>
@@ -1550,33 +1567,96 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-expansion-panels focusable multiple v-model="panel">
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Cases</h3>
+                  <h3>Operations</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  Related Cases:
-                  <ul>
-                    <li>123</li>
-                    <li>456</li>
-                    <li>ABC</li>
-                    <li>XYZ</li>
-                  </ul>
+                  <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
+                  <div class="ops-header">
+                    Enabled:
+                  </div>
+                  <div class="ops-value">
+                    <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
+                      {{detect.isEnabled ? 'True' : 'False'}}
+                    </span>
+                    <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
+                  </div>
+                  <div class="ops-header">
+                    DetectionType:
+                  </div>
+                  <div class="ops-value">
+                    {{detect.engine}}
+                  </div>
+                  <div class="ops-header">
+                    Severity:
+                  </div>
+                  <div class="ops-value">
+                    {{detect.severity}}
+                  </div>
+                  <div class="ops-header">
+                    Ruleset:
+                  </div>
+                  <div class="ops-value">
+                    TODO
+                  </div>
+                  <!-- <div class="ops-header">
+                    Related-Playbooks:
+                  </div>
+                  <div class="ops-value">
+                    TODO
+                  </div> -->
+                  <div class="ops-header">
+                    Tags:
+                  </div>
+                  <div class="ops-value">
+                    <div>
+                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                    </div>
+                  </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Alerts</h3>
+                  <h3>Details</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  Recent Alerts:
-                  <ul>
-                    <li>123</li>
-                    <li>456</li>
-                    <li>ABC</li>
-                    <li>XYZ</li>
-                  </ul>
+                  [detail stuff goes here]
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
+            <div class="detect-reference">
+              <div>
+                <div class="key">
+                  Detection Id:
+                </div>
+                <div class="value">
+                  {{ detect.id }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Author:
+                </div>
+                <div class="value">
+                  {{ detect.author }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Created:
+                </div>
+                <div class="value">
+                  {{ detect.createTime | formatDateTime}}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  Updated:
+                </div>
+                <div class="value">
+                  {{ detect.updateTime | formatDateTime }}
+                </div>
+              </div>
+            </div>
           </div>
         </div>
       </v-container>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 7178ec8e1..a2bc579df 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -90,6 +90,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			loading: false,
 		},
 		history: [],
+		extractedReferences: [],
+		extractedLogic: '',
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -156,8 +158,135 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.stopLoading();
 		},
 		loadAssociations() {
+			this.extractReferences();
+			this.extractLogic();
 			this.loadHistory();
 		},
+		extractReferences() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataReferences();
+					break;
+				case 'strelka':
+					this.extractStrelkaReferences();
+					break;
+				case 'elastalert':
+					this.extractElastAlertReferences();
+					break;
+			}
+		},
+		extractSuricataReferences() {
+			const refFinder = /reference:([^;]*),([^;]*);/ig;
+			const matches = [...this.detect.content.matchAll(refFinder)];
+
+			this.extractedReferences = [];
+			for (let i = 0; i < matches.length; i++) {
+				this.extractedReferences.push({ type: matches[i][1], value: matches[i][2] });
+			}
+		},
+		extractStrelkaReferences() {
+			const refFinder = /reference\d*\s*=\s*['"]([^'"]*)['"]/ig;
+			const matches = [...this.detect.content.matchAll(refFinder)];
+
+			this.extractedReferences = [];
+			for (let i = 0; i < matches.length; i++) {
+				this.extractedReferences.push({ type: "url", value: matches[i][1] });
+			}
+		},
+		extractElastAlertReferences() {
+			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
+			if (yaml['references']) {
+				this.extractedReferences = yaml['references'].map(r => {
+					return { type: "url", value: r };
+				});
+			}
+		},
+		extractLogic() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataLogic();
+					break;
+				case 'strelka':
+					this.extractStrelkaLogic();
+					break;
+				case 'elastalert':
+					this.extractElastAlertLogic();
+					break;
+			}
+		},
+		extractSuricataLogic() {
+			const suricataParser = /^\w+\s+(.*?)\((.*)\)$/gi;
+			const matches = suricataParser.exec(this.detect.content.trim());
+
+			const head = matches[1];
+
+			let meta = matches[2].split(';').filter(opt => {
+				opt = opt.trim();
+				if (!opt) return false;
+
+				const key = opt.split(':', 2)[0].trim().toLowerCase();
+				return ['msg', 'reference', 'metadata', 'sid', 'rev'].indexOf(key) === -1;
+			}).map(opt => opt.trim());
+
+			this.extractedLogic = [head, ...meta].join('\n\n');
+		},
+		extractStrelkaLogic() {
+			// from strings to the end of the rule
+			let stringsStart = this.detect.content.indexOf('strings:');
+			let ruleStop = this.detect.content.lastIndexOf('}');
+
+			// back up to the beginning of the strings line
+			while (this.detect.content[stringsStart] !== '\n') {
+				stringsStart--;
+			}
+			stringsStart++;
+
+			// cut out the part we want
+			const dump = this.detect.content.substring(stringsStart, ruleStop);
+
+			// begin unindenting
+			let lines = dump.split('\n');
+
+			// check if the first line begins with whitespace
+			const ws = dump[0];
+			if (ws !== ' ' && ws !== '\t') {
+				// does not begin with whitespace, no indentation to remove
+				return dump
+			}
+
+			// find the line with the least whitespace, don't count blank lines
+			let min = 1000000;
+			for (let i = 0; i < lines.length; i++) {
+				if (lines[i].length === 0) continue;
+				let linemin = 0;
+				for (let j = 0; j < lines[i].length; j++) {
+					if (lines[i][j] === ws) {
+						linemin++;
+					} else {
+						break;
+					}
+				}
+
+				if (linemin < min) {
+					min = linemin;
+				}
+			}
+
+			if (min === 0) {
+				// the line with the least amount of whitespace is already 0
+				return dump;
+			}
+
+			// remove the minimum amount of whitespace from each line
+			this.extractedLogic = lines.map(l => l.length >= min ? l.substring(min) : l).join('\n');
+		},
+		extractElastAlertLogic() {
+			const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+			const logSource = yaml['logsource'];
+			const detection = yaml['detection'];
+
+			this.extractedLogic = jsyaml.dump({ logsource: logSource, detection: detection });
+		},
 		async loadHistory() {
 			const route = this;
 			const id = route.$route.params.id;
@@ -232,7 +361,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async startEdit(target, field) {
 			if (this.curEditTarget === target) return;
 			if (this.curEditTarget !== null) await this.stopEdit(false);
-			if (this.detect.isCommunity) return;
+			if (this.detect.isCommunity && field !== 'isEnabled') return;
 
 			this.curEditTarget = target;
 			this.origValue = this.detect[field];
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index fb60f9b9b..f6794fa21 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -264,16 +264,16 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 					comRule, exists := communityDetections[det.PublicID]
 					if exists {
 						det.Id = comRule.Id
-						det.Note = comRule.Note
 						det.IsEnabled = comRule.IsEnabled
 					}
 
 					if rule.Meta.Author != nil {
-						det.Author = *rule.Meta.Author
+						det.Author = util.Unquote(*rule.Meta.Author)
+
 					}
 
 					if rule.Meta.Description != nil {
-						det.Description = *rule.Meta.Description
+						det.Description = util.Unquote(*rule.Meta.Description)
 					}
 
 					if exists {
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index fc6663286..8920c5b55 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -48,6 +48,7 @@ func (md *Metadata) IsEmpty() bool {
 
 func (md *Metadata) Set(key, value string) {
 	key = strings.ToLower(key)
+
 	switch key {
 	case "id":
 		md.ID = util.Ptr(value)
diff --git a/util/strings.go b/util/strings.go
new file mode 100644
index 000000000..5749b44c0
--- /dev/null
+++ b/util/strings.go
@@ -0,0 +1,13 @@
+package util
+
+import "strings"
+
+func Unquote(value string) string {
+	if strings.HasPrefix(value, `"`) && strings.HasSuffix(value, `"`) {
+		value = strings.TrimSuffix(strings.TrimPrefix(value, `"`), `"`)
+	} else if strings.HasPrefix(value, "'") && strings.HasSuffix(value, "'") {
+		value = strings.TrimSuffix(strings.TrimPrefix(value, "'"), "'")
+	}
+
+	return value
+}
diff --git a/util/strings_test.go b/util/strings_test.go
new file mode 100644
index 000000000..c4c08ab1f
--- /dev/null
+++ b/util/strings_test.go
@@ -0,0 +1,67 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+)
+
+func TestUnquote(t *testing.T) {
+	table := []struct {
+		Name     string
+		Input    string
+		Expected string
+	}{
+		{
+			Name:     "Empty",
+			Input:    "",
+			Expected: "",
+		}, {
+			Name:     "Unquoted",
+			Input:    "foo",
+			Expected: "foo",
+		}, {
+			Name:     "DoubleQuoted",
+			Input:    `"foo"`,
+			Expected: "foo",
+		}, {
+			Name:     "SingleQuoted",
+			Input:    "'foo'",
+			Expected: "foo",
+		}, {
+			Name:     "Double DoubleQuoted",
+			Input:    `""foo""`,
+			Expected: `"foo"`,
+		}, {
+			Name:     "Double SingleQuoted",
+			Input:    `''foo''`,
+			Expected: `'foo'`,
+		}, {
+			Name:     "Lopsided Quotes A",
+			Input:    `"foo'`,
+			Expected: `"foo'`,
+		}, {
+			Name:     "Lopsided Quotes B",
+			Input:    `'foo"`,
+			Expected: `'foo"`,
+		}, {
+			Name:     "Intermingled Quotes A",
+			Input:    `"foo'"bar"`,
+			Expected: `foo'"bar`,
+		}, {
+			Name:     "Intermingled Quotes B",
+			Input:    `'foo'"bar'`,
+			Expected: `foo'"bar`,
+		},
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			actual := Unquote(test.Input)
+
+			assert.Equal(t, test.Expected, actual)
+		})
+	}
+}

From 914e24074bf3b53a7ada1903565daa91ad688920 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 6 Feb 2024 16:34:41 -0700
Subject: [PATCH 085/102] WIP: Detection Tags, Ruleset, and Language

Detections now have tags, a ruleset, and a language.

Suricata's ruleset is looked up from the config and should either be ETOPEN, ETPRO, or emerging_rules.

Strelka's ruleset is named after the repo the rule was downloaded from.

ElastAlert's ruleset is the zip pkg we downloaded the rule from (core, core+, all_rules, etc).

Queries, converters, and tests have been updated to include the new fields.

TODO: Change how detections are created to ask for language (and tags) instead of engine. Also show language instead of engine in search result columns.
---
 html/index.html                               |  7 +++---
 model/detection.go                            | 18 ++++++++++-----
 server/detectionhandler.go                    |  1 -
 server/modules/elastalert/elastalert.go       |  2 ++
 server/modules/elastalert/elastalert_test.go  |  4 ++++
 server/modules/elastic/converter.go           | 15 +++++++++++--
 .../modules/elastic/elasticdetectionstore.go  | 22 ++++++++++++++++---
 server/modules/strelka/strelka.go             |  5 ++++-
 server/modules/suricata/suricata.go           | 14 ++++++++++--
 server/modules/suricata/suricata_test.go      |  8 ++++++-
 10 files changed, 77 insertions(+), 19 deletions(-)

diff --git a/html/index.html b/html/index.html
index cfd2d4340..396f73dd4 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1592,11 +1592,11 @@ <h3>Operations</h3>
                   <div class="ops-value">
                     {{detect.severity}}
                   </div>
-                  <div class="ops-header">
+                  <div class="ops-header" v-if="detect.isCommunity">
                     Ruleset:
                   </div>
-                  <div class="ops-value">
-                    TODO
+                  <div class="ops-value" v-if="detect.isCommunity">
+                    {{detect.ruleset}}
                   </div>
                   <!-- <div class="ops-header">
                     Related-Playbooks:
@@ -1610,6 +1610,7 @@ <h3>Operations</h3>
                   <div class="ops-value">
                     <div>
                       <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
                     </div>
                   </div>
                 </v-expansion-panel-content>
diff --git a/model/detection.go b/model/detection.go
index a72fa445c..65d959ec2 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -24,11 +24,9 @@ const (
 	ScanTypePacketsAndFiles ScanType = "files,packets"
 	ScanTypeElastic         ScanType = "elastic"
 
-	SigLangElastic  SigLanguage = "elastic"  // yaml
 	SigLangSigma    SigLanguage = "sigma"    // yaml
 	SigLangSuricata SigLanguage = "suricata" // action, header, options
-	SigLangYara     SigLanguage = "yara"
-	SigLangZeek     SigLanguage = "zeek"
+	SigLangYara     SigLanguage = "yara"     // meta, strings, condition
 
 	SeverityUnknown       Severity = "unknown"
 	SeverityInformational Severity = "informational"
@@ -41,7 +39,7 @@ const (
 	IDTypeSID  IDType = "sid"
 
 	EngineNameSuricata   EngineName = "suricata"
-	EngineNameStrelka       EngineName = "strelka"
+	EngineNameStrelka    EngineName = "strelka"
 	EngineNameElastAlert EngineName = "elastalert"
 
 	OverrideTypeSuppress     OverrideType = "suppress"
@@ -68,10 +66,16 @@ var (
 			Name:        string(EngineNameElastAlert),
 			IDType:      IDTypeUUID,
 			ScanType:    ScanTypeElastic,
-			SigLanguage: SigLangElastic,
+			SigLanguage: SigLangSigma,
 		},
 	}
 
+	SupportedLanguages = map[SigLanguage]struct{}{
+		SigLangSigma:    {},
+		SigLangSuricata: {},
+		SigLangYara:     {},
+	}
+
 	ErrUnsupportedEngine = errors.New("unsupported engine")
 )
 
@@ -93,9 +97,11 @@ type Detection struct {
 	IsEnabled   bool        `json:"isEnabled"`
 	IsReporting bool        `json:"isReporting"`
 	IsCommunity bool        `json:"isCommunity"`
-	Note        string      `json:"note"`
 	Engine      EngineName  `json:"engine"`
+	Language    SigLanguage `json:"language"`
 	Overrides   []*Override `json:"overrides"` // Tuning
+	Tags        []string    `json:"tags"`
+	Ruleset     *string     `json:"ruleset"`
 }
 
 // Note: JSON tags are used when storing the object in ElasticSearch,
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index c38d73f71..0654d0543 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -218,7 +218,6 @@ func (h *DetectionHandler) putDetection(w http.ResponseWriter, r *http.Request)
 		// the only editable fields for community rules are IsEnabled, IsReporting, Note, and Overrides
 		old.IsEnabled = detect.IsEnabled
 		old.IsReporting = detect.IsReporting
-		old.Note = detect.Note
 		old.Overrides = detect.Overrides
 
 		detect = old
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 59f14c63c..f24b1076a 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -368,6 +368,8 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 				Content:     string(data),
 				IsCommunity: true,
 				Engine:      model.EngineNameElastAlert,
+				Language:    model.SigLangSigma,
+				Ruleset:     util.Ptr(pkg),
 			})
 		}
 	}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 4940475e7..a3ab7417a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -300,6 +300,8 @@ func TestSigmaToElastAlertError(t *testing.T) {
 }
 
 func TestParseRules(t *testing.T) {
+	t.Parallel()
+
 	data := `title: Always Alert
 id: 00000000-0000-0000-0000-00000000
 status: experimental
@@ -347,6 +349,8 @@ level: high
 		Content:     data,
 		IsCommunity: true,
 		Engine:      model.EngineNameElastAlert,
+		Language:    model.SigLangSigma,
+		Ruleset:     util.Ptr("all_rules"),
 	}
 
 	dets, errMap := engine.parseRules(pkgZips)
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 0012c20b2..753098f69 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -697,12 +697,23 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.isCommunity"]; ok {
 				obj.IsCommunity = value.(bool)
 			}
-			if value, ok := event.Payload[schemaPrefix+"detection.note"]; ok {
-				obj.Note = value.(string)
+			if value, ok := event.Payload[schemaPrefix+"detection.ruleset"]; ok {
+				obj.Ruleset = util.Ptr(value.(string))
 			}
 			if value, ok := event.Payload[schemaPrefix+"detection.engine"]; ok {
 				obj.Engine = model.EngineName(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.language"]; ok {
+				obj.Language = model.SigLanguage(value.(string))
+			}
+			if value, ok := event.Payload[schemaPrefix+"detection.tags"]; ok && value != nil {
+				arr := value.([]interface{})
+				obj.Tags = make([]string, 0, len(arr))
+
+				for _, tag := range arr {
+					obj.Tags = append(obj.Tags, tag.(string))
+				}
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.overrides"]; ok && value != nil {
 				obj.Overrides = convertElasticEventToOverride(value.([]interface{}))
 			}
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 6cde993f5..5ae53b1a5 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -85,7 +85,7 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 	var err error
 
 	if err == nil && detect.Id != "" {
-		err = store.validateId(detect.Id, "onionId")
+		err = store.validateId(detect.Id, "Id")
 	}
 
 	if err == nil && detect.PublicID != "" {
@@ -112,8 +112,17 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 		err = store.validateString(detect.Content, LONG_STRING_MAX, "content")
 	}
 
-	if err == nil && detect.Note != "" {
-		err = store.validateString(detect.Note, LONG_STRING_MAX, "note")
+	if err == nil && detect.IsCommunity && detect.Ruleset == nil {
+		err = store.validateStringRequired(*detect.Ruleset, 0, SHORT_STRING_MAX, "ruleset")
+	}
+
+	if err == nil && len(detect.Tags) > 0 {
+		for _, tag := range detect.Tags {
+			err = store.validateString(tag, SHORT_STRING_MAX, "tag")
+			if err != nil {
+				break
+			}
+		}
 	}
 
 	if err == nil {
@@ -123,6 +132,13 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 		}
 	}
 
+	if err == nil {
+		_, okLang := model.SupportedLanguages[model.SigLanguage(detect.Language)]
+		if !okLang {
+			err = errors.New("invalid language")
+		}
+	}
+
 	return err
 }
 
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index f6794fa21..78d3402f4 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -252,6 +252,8 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 						sev = model.SeverityCritical
 					}
 
+					ruleset := filepath.Base(repo)
+
 					det := &model.Detection{
 						Engine:      model.EngineNameStrelka,
 						PublicID:    rule.GetID(),
@@ -259,6 +261,8 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 						Severity:    sev,
 						Content:     rule.String(),
 						IsCommunity: true,
+						Language:    model.SigLangYara,
+						Ruleset:     util.Ptr(ruleset),
 					}
 
 					comRule, exists := communityDetections[det.PublicID]
@@ -269,7 +273,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 					if rule.Meta.Author != nil {
 						det.Author = util.Unquote(*rule.Meta.Author)
-
 					}
 
 					if rule.Meta.Description != nil {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index fe0860aa4..eecb8a859 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -116,7 +116,15 @@ func (s *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
-		commDetections, err := s.parseRules(rules)
+		allSettings, err := s.srv.Configstore.GetSettings(ctx)
+		if err != nil {
+			log.WithError(err).Error("unable to get settings")
+			continue
+		}
+
+		ruleset := settingByID(allSettings, "idstools.config.ruleset")
+
+		commDetections, err := s.parseRules(rules, ruleset.Value)
 		if err != nil {
 			log.WithError(err).Error("unable to parse community rules")
 			continue
@@ -201,7 +209,7 @@ func (s *SuricataEngine) ValidateRule(rule string) (string, error) {
 	return parsed.String(), nil
 }
 
-func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error) {
+func (s *SuricataEngine) parseRules(content string, ruleset string) ([]*model.Detection, error) {
 	// expecting one rule per line
 	lines := strings.Split(content, "\n")
 	dets := []*model.Detection{}
@@ -279,6 +287,8 @@ func (s *SuricataEngine) parseRules(content string) ([]*model.Detection, error)
 			Content:     line,
 			IsCommunity: true,
 			Engine:      model.EngineNameSuricata,
+			Language:    model.SigLangSuricata,
+			Ruleset:     util.Ptr(ruleset),
 		})
 	}
 
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 1d11c507f..dbb7fe836 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -296,6 +296,8 @@ func TestValidate(t *testing.T) {
 }
 
 func TestParse(t *testing.T) {
+	ruleset := util.Ptr("ruleset")
+
 	table := []struct {
 		Name               string
 		Lines              []string
@@ -319,6 +321,8 @@ func TestParse(t *testing.T) {
 					Content:     SimpleRule,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     ruleset,
 				},
 				{
 					PublicID:    "20000",
@@ -327,6 +331,8 @@ func TestParse(t *testing.T) {
 					Content:     `alert http any any <> any any (metadata:signature_severity Informational; sid:"20000"; msg:"a \"tricky\"\;\\ msg";)`,
 					IsCommunity: true,
 					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     ruleset,
 				},
 			},
 		},
@@ -341,7 +347,7 @@ func TestParse(t *testing.T) {
 
 			data := strings.Join(test.Lines, "\n")
 
-			detections, err := mod.parseRules(data)
+			detections, err := mod.parseRules(data, *ruleset)
 			if test.ExpectedError == nil {
 				assert.NoError(t, err)
 				assert.Equal(t, test.ExpectedDetections, detections)

From 9914a52c2ae3e3ce2b4161f4786809bc2387e049 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 8 Feb 2024 09:48:06 -0700
Subject: [PATCH 086/102] WIP: Reworked UI

New Operations and Details panels implemented in Detections view.

Small consistency change to how YaraRule's check if they already have an ID before generating one.
---
 html/index.html                    | 69 +++++++++++++++---------------
 html/js/i18n.js                    |  7 +++
 server/modules/strelka/validate.go |  2 +-
 3 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/html/index.html b/html/index.html
index 396f73dd4..bddff6388 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1022,8 +1022,8 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <!-- Severity -->
                   <v-select id="detection-severity-create" v-model="detect.severity" :items="getPresets('severity')" persistent-hint :hint="i18n.detectionSeverity"/>
 
-                  <!-- Engine -->
-                  <v-select id="detection-engine-create" v-model="detect.engine" :items="getPresets('engine')" persistent-hint :hint="i18n.engine" :rules="[rules.required]" v-on:change="onDetectionChange"/>
+                  <!-- Language -->
+                  <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onDetectionChange"/>
 
                   <!-- Reporting -->
                   <v-checkbox id="detection-reporting-create" class="mt-5" v-model="detect.isReporting" :label="i18n.reporting"/>
@@ -1074,21 +1074,21 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="summary">
                 <div class="col pt-5 summary-backdrop">
                   <div>
-                    <div class="header">Summary</div>
+                    <div class="header">{{i18n.summary}}</div>
                     <div v-if="detect.description">
                       {{detect.description}}
                     </div>
                     <div v-else>
                       {{detect.title}}
                     </div>
-                    <div class="header">References</div>
+                    <div class="header">{{i18n.references}}</div>
                     <div>
                       <div v-for="r in extractedReferences">
                         <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
                         <span v-else>{{r.value}}</span>
                       </div>
                     </div>
-                    <div class="header">Signature</div>
+                    <div class="header">{{i18n.signature}}</div>
                     <div class="extracted-content">
                       <pre>{{extractedLogic}}</pre>
                     </div>
@@ -1567,45 +1567,27 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-expansion-panels focusable multiple v-model="panel">
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Operations</h3>
+                  <h3>{{ i18n.operations }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
                   <div class="ops-header">
-                    Enabled:
+                    {{ i18n.enabled }}:
                   </div>
                   <div class="ops-value">
                     <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
-                      {{detect.isEnabled ? 'True' : 'False'}}
+                      {{ detect.isEnabled ? 'True' : 'False' }}
                     </span>
                     <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
                   </div>
-                  <div class="ops-header">
-                    DetectionType:
-                  </div>
-                  <div class="ops-value">
-                    {{detect.engine}}
-                  </div>
-                  <div class="ops-header">
-                    Severity:
-                  </div>
-                  <div class="ops-value">
-                    {{detect.severity}}
-                  </div>
-                  <div class="ops-header" v-if="detect.isCommunity">
-                    Ruleset:
-                  </div>
-                  <div class="ops-value" v-if="detect.isCommunity">
-                    {{detect.ruleset}}
-                  </div>
                   <!-- <div class="ops-header">
-                    Related-Playbooks:
+                    Related Playbooks:
                   </div>
                   <div class="ops-value">
                     TODO
                   </div> -->
                   <div class="ops-header">
-                    Tags:
+                    {{ i18n.tags }}:
                   </div>
                   <div class="ops-value">
                     <div>
@@ -1617,17 +1599,34 @@ <h3>Operations</h3>
               </v-expansion-panel>
               <v-expansion-panel v-if="!isNew()">
                 <v-expansion-panel-header id="detection-related-playbooks">
-                  <h3>Details</h3>
+                  <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
-                  [detail stuff goes here]
+                  <div class="ops-header">
+                    {{ i18n.detectionType }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.engine }}
+                  </div>
+                  <div class="ops-header">
+                    {{ i18n.severity }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.severity }}
+                  </div>
+                  <div class="ops-header" v-if="detect.isCommunity">
+                    {{ i18n.ruleset }}:
+                  </div>
+                  <div class="ops-value" v-if="detect.isCommunity">
+                    {{ detect.ruleset }}
+                  </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
-            <div class="detect-reference">
+            <div class="detect-reference" v-if="!isNew()">
               <div>
                 <div class="key">
-                  Detection Id:
+                  {{i18n.detectionId}}:
                 </div>
                 <div class="value">
                   {{ detect.id }}
@@ -1635,7 +1634,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Author:
+                  {{ i18n.author }}:
                 </div>
                 <div class="value">
                   {{ detect.author }}
@@ -1643,7 +1642,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Created:
+                  {{ i18n.dateCreated }}:
                 </div>
                 <div class="value">
                   {{ detect.createTime | formatDateTime}}
@@ -1651,7 +1650,7 @@ <h3>Details</h3>
               </div>
               <div>
                 <div class="key">
-                  Updated:
+                  {{ i18n.dateModified }}:
                 </div>
                 <div class="value">
                   {{ detect.updateTime | formatDateTime }}
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 27f90e37e..4caa18e88 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -272,8 +272,10 @@ const i18n = {
       detectionDefaultDescription: 'Detection description not yet provided',
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
+      detectionId: 'Detection Id',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
+      detectionType: 'Detection Type',
       disable: 'Disable',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
@@ -468,6 +470,7 @@ const i18n = {
       jobs: 'PCAP',
       keywords: 'Filter Keywords',
       kind: 'Kind',
+      language: 'Language',
       last: 'Last',
       lastHighstate: 'Last Synchronized',
       lastName: 'Last Name',
@@ -560,6 +563,7 @@ const i18n = {
       offline: 'Offline',
       online: 'Online',
       operation: 'Operation',
+      operations: 'Operations',
       options: 'Options',
       order: 'Order',
       osUptime: 'OS Uptime',
@@ -604,6 +608,7 @@ const i18n = {
       reason: 'Reason',
       reconnecting: 'Attempting to connect to manager',
       redisQueueSize: 'Redis Queue Size',
+      references: 'References',
       refresh: 'Refresh',
       refreshAttachmentsHelp: 'Refresh to view all recently added attachments for this case.',
       refreshCaseHistoryHelp: 'Refresh to view the latest history for this case.',
@@ -636,6 +641,7 @@ const i18n = {
       ruleMinLen: 'The provided value is too short',
       ruleMaxLen: 'The provided value is too long',
       rulePassBadChars: 'The password must not contain the following characters: " \' $ & !',
+      ruleset: 'Ruleset',
       save: 'Save',
       saveSuccess: 'Save successful!',
       seconds: 'seconds',
@@ -757,6 +763,7 @@ const i18n = {
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
+      tags: 'Tags',
       thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index 8920c5b55..f40d5ac8e 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -71,7 +71,7 @@ func (md *Metadata) Set(key, value string) {
 }
 
 func (rule *YaraRule) GetID() string {
-	if rule.Meta.Rest["id"] != "" {
+	if rule.Meta.ID != nil {
 		return *rule.Meta.ID
 	}
 

From 88fd8a19849c3fcdfb914e32b376c51c01f674a9 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 8 Feb 2024 15:49:15 -0700
Subject: [PATCH 087/102] WIP: UI Updates

Hidden tags. Hard wrap on detection logic. Suricata classtype for Summary, fallback to title. Reference links get a protocol if they're missing one. "None" when no references. "Signature" => "Detection Logic" on Overview tab. Remove classtype from Detection Logic. "Enable" => "Status". Duplicate and Delete buttons under the Status. Delete is disabled if looking at community rule. "Detection Type" => "Type". Public Id added above SOC Id. Use "Id" over "ID". Author changes for suricata rules. Bottom metadata spacing fixed.

TODO: License, rule-specific dates, buttons on "Detection Source" tab.
---
 html/css/app.css            | 13 ++++++-
 html/index.html             | 69 ++++++++++++++++++++++++-------------
 html/js/i18n.js             |  5 ++-
 html/js/routes/detection.js | 34 ++++++++++++++++--
 4 files changed, 93 insertions(+), 28 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 8703f0bb3..9759260f5 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -562,12 +562,14 @@ td {
 
 .extracted-content > pre {
   text-wrap: wrap;
+  word-break: break-word;
 }
 
 .detect-reference {
   font-size: small;
   display: table;
   width: 100%;
+  margin-top: 12px;
 }
 
 .detect-reference > div {
@@ -593,4 +595,13 @@ td {
   margin-top: 0 !important;
   padding-top: 0 !important;
   height: 24px !important;
-}
\ No newline at end of file
+}
+
+#ops-buttons {
+  margin-top: 12px;
+  display: grid;
+  grid-auto-flow: column;
+  justify-items: stretch;
+  grid-template-columns: 50% 50%;
+  grid-gap: 12px;
+}
diff --git a/html/index.html b/html/index.html
index bddff6388..90081b729 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1010,7 +1010,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <v-textarea id="detection-description-create" hide-details="auto" outlined v-model="detect.description" :rules="[rules.required]" persistent-hint :hint="i18n.detectionDescription" auto-grow rows="5"></v-textarea>
 
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicID">
+                  <v-text-field id="detection-publicId-create" class="mt-0" v-model="detect.publicId" :rules="[rules.required, rules.minLength(5)]" persistent-hint :hint="i18n.publicId">
                     <template v-slot:append v-if="!detect.publicId">
                       <v-btn id="gen-public-id-create" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
@@ -1075,20 +1075,20 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <div class="col pt-5 summary-backdrop">
                   <div>
                     <div class="header">{{i18n.summary}}</div>
-                    <div v-if="detect.description">
-                      {{detect.description}}
-                    </div>
-                    <div v-else>
-                      {{detect.title}}
+                    <div>
+                      {{ detectionSummary }}
                     </div>
                     <div class="header">{{i18n.references}}</div>
                     <div>
                       <div v-for="r in extractedReferences">
-                        <a :href="r.value" v-if="r.type==='url'" target="_blank">{{r.value}}</a>
-                        <span v-else>{{r.value}}</span>
+                        <a :href="r.link" v-if="r.type==='url'" target="_blank">{{r.text}}</a>
+                        <span v-else>{{r.text}}</span>
                       </div>
+                      <span v-if="extractedReferences === null || extractedReferences.length === 0">
+                        {{ i18n.none }}
+                      </span>
                     </div>
-                    <div class="header">{{i18n.signature}}</div>
+                    <div class="header">{{i18n.detectionLogic}}</div>
                     <div class="extracted-content">
                       <pre>{{extractedLogic}}</pre>
                     </div>
@@ -1137,7 +1137,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicId" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!detect.publicId && !detect.isCommunity">
                       <v-btn id="gen-public-id" text small color="primary" @click="extractPublicID()">{{i18n.extract}}</v-btn>
                     </template>
@@ -1572,11 +1572,11 @@ <h3>{{ i18n.operations }}</h3>
                 <v-expansion-panel-content>
                   <!-- <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" @change="stopEdit(true)" :label="i18n.detectionEnabled"/> -->
                   <div class="ops-header">
-                    {{ i18n.enabled }}:
+                    {{ i18n.status }}:
                   </div>
                   <div class="ops-value">
                     <span @click="startEdit('detection-enabled', 'isEnabled')" v-if="!isEdit('detection-enabled')">
-                      {{ detect.isEnabled ? 'True' : 'False' }}
+                      {{ detect.isEnabled ? i18n.enabled : i18n.disabled }}
                     </span>
                     <v-checkbox id="detection-enabled-edit" v-model="detect.isEnabled" v-else @change="stopEdit(true)" />
                   </div>
@@ -1586,14 +1586,13 @@ <h3>{{ i18n.operations }}</h3>
                   <div class="ops-value">
                     TODO
                   </div> -->
-                  <div class="ops-header">
-                    {{ i18n.tags }}:
-                  </div>
-                  <div class="ops-value">
-                    <div>
-                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
-                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
-                    </div>
+                  <div id="ops-buttons">
+                    <v-btn id="detection-duplicate" color="primary" @click="duplicateDetection()">
+                      {{i18n.duplicate}}
+                    </v-btn>
+                    <v-btn :disabled="detect.isCommunity" id="detection-delete" color="error" @click="deleteDetection()">
+                      {{i18n.delete}}
+                    </v-btn>
                   </div>
                 </v-expansion-panel-content>
               </v-expansion-panel>
@@ -1603,7 +1602,7 @@ <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <div class="ops-header">
-                    {{ i18n.detectionType }}:
+                    {{ i18n.type }}:
                   </div>
                   <div class="ops-value">
                     {{ detect.engine }}
@@ -1620,13 +1619,30 @@ <h3>{{ i18n.details }}</h3>
                   <div class="ops-value" v-if="detect.isCommunity">
                     {{ detect.ruleset }}
                   </div>
+                  <!-- <div class="ops-header">
+                    {{ i18n.tags }}:
+                  </div>
+                  <div class="ops-value">
+                    <div>
+                      <v-chip class="mx-1" v-for="tag in detect.tags" color="primary">{{ tag }}</v-chip>
+                      <span v-if="detect.tags === null || detect.tags.length === 0">None</span>
+                    </div>
+                  </div> -->
                 </v-expansion-panel-content>
               </v-expansion-panel>
             </v-expansion-panels>
             <div class="detect-reference" v-if="!isNew()">
               <div>
                 <div class="key">
-                  {{i18n.detectionId}}:
+                  {{ i18n.publicId }}:
+                </div>
+                <div class="value">
+                  {{ detect.publicId }}
+                </div>
+              </div>
+              <div>
+                <div class="key">
+                  {{i18n.socId}}:
                 </div>
                 <div class="value">
                   {{ detect.id }}
@@ -1637,7 +1653,12 @@ <h3>{{ i18n.details }}</h3>
                   {{ i18n.author }}:
                 </div>
                 <div class="value">
-                  {{ detect.author }}
+                  <span v-if="detect.language !== 'suricata'">
+                    {{ detect.author }}
+                  </span>
+                  <span v-else>
+                    {{ detect.ruleset }}
+                  </span>
                 </div>
               </div>
               <div>
@@ -1699,7 +1720,7 @@ <h2 id="playbook-title" @click="startEdit('playbook-title', 'title')" v-if="!isE
               <v-tab-item value="notes">
                 <div class="col pt-0" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
-                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicID" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
+                  <v-text-field id="playbook-publicId-edit" v-model="playbook.publicId" :rules="[rules.required]" persistent-hint :hint="i18n.publicId" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
                     <template v-slot:append v-if="!playbook.publicId">
                       <v-btn id="gen-public-id" text small color="primary" @click="generatePublicID()">Generate</v-btn>
                     </template>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 4caa18e88..e95e43c6d 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -273,10 +273,12 @@ const i18n = {
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
       detectionId: 'Detection Id',
+      detectionLogic: 'Detection Logic',
       detectionSeverity: 'Severity',
       detectionTitle: 'Detection Title',
       detectionType: 'Detection Type',
       disable: 'Disable',
+      disabled: 'Disabled',
       disconnected: 'Disconnected from manager',
       diskUsageElastic: 'Elastic Storage Used',
       diskUsageInfluxDb: 'InfluxDB Storage Used',
@@ -600,7 +602,7 @@ const i18n = {
       profile: 'Profile',
       protocol: 'Protocol',
       protocolHelp: 'Optional protocol, such as "icmp" or "tcp".',
-      publicID: 'Public ID',
+      publicId: 'Public Id',
       queriesHelp: 'Choose from several pre-defined queries',
       queryHelp: 'Specify a query in Onion Query Language (OQL)',
       quickActions: 'Actions',
@@ -741,6 +743,7 @@ const i18n = {
       sidMultipleErr: 'Suricata rules can only specify one SID.',
       sidMismatchErr: "The SID in this suricata rule must match the detection's Public ID.",
       signature: 'Signature',
+      socId: 'SOC Id',
       socUrl: 'SOC Url',
       socExcludeToggle: 'Exclude SOC logs',
       sortedBy: 'Sort:',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index a2bc579df..1ea5890cf 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -89,6 +89,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			expanded: [],
 			loading: false,
 		},
+		detectionSummary: '',
 		history: [],
 		extractedReferences: [],
 		extractedLogic: '',
@@ -158,10 +159,33 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.$root.stopLoading();
 		},
 		loadAssociations() {
+			this.extractSummary();
 			this.extractReferences();
 			this.extractLogic();
 			this.loadHistory();
 		},
+		extractSummary() {
+			switch (this.detect.engine) {
+				case 'suricata':
+					const classTypeMatcher = /classtype:([^;]+);/i;
+					const match = this.detect.content.match(classTypeMatcher);
+
+					if (match) {
+						this.detectionSummary = match[1];
+					} else {
+						this.detectionSummary = this.detect.title;
+					}
+
+					break;
+				default:
+					if (this.detect.description) {
+						this.detectionSummary = this.detect.description;
+					} else {
+						this.detectionSummary = this.detect.title;
+					}
+					break;
+			}
+		},
 		extractReferences() {
 			switch (this.detect.engine) {
 				case 'suricata':
@@ -180,8 +204,14 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const matches = [...this.detect.content.matchAll(refFinder)];
 
 			this.extractedReferences = [];
+			// ensure the value has a protocol
 			for (let i = 0; i < matches.length; i++) {
-				this.extractedReferences.push({ type: matches[i][1], value: matches[i][2] });
+				let url = matches[i][2];
+				if (!url.startsWith('http://') && !url.startsWith('https://')) {
+					url = 'http://' + url;
+				}
+
+				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: url });
 			}
 		},
 		extractStrelkaReferences() {
@@ -225,7 +255,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				if (!opt) return false;
 
 				const key = opt.split(':', 2)[0].trim().toLowerCase();
-				return ['msg', 'reference', 'metadata', 'sid', 'rev'].indexOf(key) === -1;
+				return ['msg', 'reference', 'metadata', 'sid', 'rev', 'classtype'].indexOf(key) === -1;
 			}).map(opt => opt.trim());
 
 			this.extractedLogic = [head, ...meta].join('\n\n');

From 0230529242adeb528b90ae1934fbf7c1db0a692b Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 9 Feb 2024 10:45:28 -0700
Subject: [PATCH 088/102] WIP: Fix References

All references now have their protocols fixed instead of just suricata.
---
 html/js/routes/detection.js | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 1ea5890cf..864a3df4d 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -206,12 +206,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.extractedReferences = [];
 			// ensure the value has a protocol
 			for (let i = 0; i < matches.length; i++) {
-				let url = matches[i][2];
-				if (!url.startsWith('http://') && !url.startsWith('https://')) {
-					url = 'http://' + url;
-				}
-
-				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: url });
+				this.extractedReferences.push({ type: matches[i][1], text: matches[i][2], link: this.fixProtocol(matches[i][2]) });
 			}
 		},
 		extractStrelkaReferences() {
@@ -220,17 +215,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.extractedReferences = [];
 			for (let i = 0; i < matches.length; i++) {
-				this.extractedReferences.push({ type: "url", value: matches[i][1] });
+				this.extractedReferences.push({ type: "url", text: matches[i][1], link: this.fixProtocol(matches[i][1]) });
 			}
 		},
 		extractElastAlertReferences() {
 			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
 			if (yaml['references']) {
 				this.extractedReferences = yaml['references'].map(r => {
-					return { type: "url", value: r };
+					return { type: "url", text: r, link: this.fixProtocol(r) };
 				});
 			}
 		},
+		fixProtocol(url) {
+			if (!url.startsWith('http://') && !url.startsWith('https://')) {
+				url = 'http://' + url;
+			}
+
+			return url;
+		},
 		extractLogic() {
 			switch (this.detect.engine) {
 				case 'suricata':

From d375e950c918e9aa72b04dfe0b2c5695687fcc7f Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 9 Feb 2024 14:18:37 -0700
Subject: [PATCH 089/102] WIP: License, Rule Extracted Data

Finished up the right hand column of the detections view by including License and several pieces of data extracted from the rule.

Updated the backend to add licenses in places we know them. Except for Yara, community rules are tagged with appropriate licenses as they're imported.
---
 html/css/app.css                        |   4 +
 html/index.html                         |  44 +++++++---
 html/js/routes/detection.js             | 106 +++++++++++++++++++++---
 model/detection.go                      |   5 ++
 server/modules/elastalert/elastalert.go |   1 +
 server/modules/elastic/converter.go     |   3 +
 server/modules/suricata/suricata.go     |  15 ++++
 7 files changed, 157 insertions(+), 21 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 9759260f5..72641cd57 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -605,3 +605,7 @@ td {
   grid-template-columns: 50% 50%;
   grid-gap: 12px;
 }
+
+.case-title {
+  text-transform: capitalize;
+}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index 90081b729..c5d0cfe45 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1076,7 +1076,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   <div>
                     <div class="header">{{i18n.summary}}</div>
                     <div>
-                      {{ detectionSummary }}
+                      {{ extractedSummary }}
                     </div>
                     <div class="header">{{i18n.references}}</div>
                     <div>
@@ -1602,15 +1602,21 @@ <h3>{{ i18n.details }}</h3>
                 </v-expansion-panel-header>
                 <v-expansion-panel-content>
                   <div class="ops-header">
-                    {{ i18n.type }}:
+                    {{ i18n.publicId }}:
                   </div>
                   <div class="ops-value">
+                    {{ detect.publicId }}
+                  </div>
+                  <div class="ops-header">
+                    {{ i18n.type }}:
+                  </div>
+                  <div class="ops-value case-title">
                     {{ detect.engine }}
                   </div>
                   <div class="ops-header">
                     {{ i18n.severity }}:
                   </div>
-                  <div class="ops-value">
+                  <div class="ops-value case-title">
                     {{ detect.severity }}
                   </div>
                   <div class="ops-header" v-if="detect.isCommunity">
@@ -1619,6 +1625,30 @@ <h3>{{ i18n.details }}</h3>
                   <div class="ops-value" v-if="detect.isCommunity">
                     {{ detect.ruleset }}
                   </div>
+                  <div class="ops-header">
+                    {{ i18n.license }}:
+                  </div>
+                  <div class="ops-value">
+                    {{ detect.license }}
+                  </div>
+                  <div class="ops-header" v-if="extractedCreated">
+                    {{ i18n.dateCreated }}:
+                  </div>
+                  <div class="ops-value" v-if="extractedCreated">
+                    {{ extractedCreated }}
+                  </div>
+                  <div class="ops-header" v-if="extractedUpdated">
+                    {{ i18n.dateModified }}:
+                  </div>
+                  <div class="ops-value"  v-if="extractedUpdated">
+                    {{ extractedUpdated }}
+                  </div>
+                  <div class="ops-header" v-if="extractedAuthor">
+                    {{ i18n.author }}:
+                  </div>
+                  <div class="ops-value"  v-if="extractedAuthor">
+                    {{ extractedAuthor }}
+                  </div>
                   <!-- <div class="ops-header">
                     {{ i18n.tags }}:
                   </div>
@@ -1632,14 +1662,6 @@ <h3>{{ i18n.details }}</h3>
               </v-expansion-panel>
             </v-expansion-panels>
             <div class="detect-reference" v-if="!isNew()">
-              <div>
-                <div class="key">
-                  {{ i18n.publicId }}:
-                </div>
-                <div class="value">
-                  {{ detect.publicId }}
-                </div>
-              </div>
               <div>
                 <div class="key">
                   {{i18n.socId}}:
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 864a3df4d..0142432ad 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -89,10 +89,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			expanded: [],
 			loading: false,
 		},
-		detectionSummary: '',
-		history: [],
+		extractedSummary: '',
 		extractedReferences: [],
 		extractedLogic: '',
+		history: [],
+		extractedCreated: '',
+		extractedUpdated: '',
+		extractedAuthor: '',
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -162,6 +165,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.extractSummary();
 			this.extractReferences();
 			this.extractLogic();
+			this.extractDetails();
 			this.loadHistory();
 		},
 		extractSummary() {
@@ -171,22 +175,24 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					const match = this.detect.content.match(classTypeMatcher);
 
 					if (match) {
-						this.detectionSummary = match[1];
+						this.extractedSummary = match[1];
 					} else {
-						this.detectionSummary = this.detect.title;
+						this.extractedSummary = this.detect.title;
 					}
 
 					break;
 				default:
 					if (this.detect.description) {
-						this.detectionSummary = this.detect.description;
+						this.extractedSummary = this.detect.description;
 					} else {
-						this.detectionSummary = this.detect.title;
+						this.extractedSummary = this.detect.title;
 					}
 					break;
 			}
 		},
 		extractReferences() {
+			this.extractedReferences = [];
+
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataReferences();
@@ -220,11 +226,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		extractElastAlertReferences() {
 			const yaml = jsyaml.load(this.detect.content, {schema: jsyaml.FAILSAFE_SCHEMA});
-			if (yaml['references']) {
-				this.extractedReferences = yaml['references'].map(r => {
-					return { type: "url", text: r, link: this.fixProtocol(r) };
-				});
+			if (!yaml['references']) {
+				return;
 			}
+
+			this.extractedReferences = yaml['references'].map(r => {
+				return { type: "url", text: r, link: this.fixProtocol(r) };
+			});
 		},
 		fixProtocol(url) {
 			if (!url.startsWith('http://') && !url.startsWith('https://')) {
@@ -234,6 +242,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			return url;
 		},
 		extractLogic() {
+			this.extractedLogic = '';
+
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataLogic();
@@ -250,6 +260,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			const suricataParser = /^\w+\s+(.*?)\((.*)\)$/gi;
 			const matches = suricataParser.exec(this.detect.content.trim());
 
+			if (!matches) {
+				return;
+			}
+
 			const head = matches[1];
 
 			let meta = matches[2].split(';').filter(opt => {
@@ -319,6 +333,78 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 			this.extractedLogic = jsyaml.dump({ logsource: logSource, detection: detection });
 		},
+		extractDetails() {
+			this.extractedAuthor = this.extractedCreated = this.extractedUpdated = '';
+
+			switch (this.detect.engine) {
+				case 'suricata':
+					this.extractSuricataDetails();
+					break;
+				case 'strelka':
+					this.extractStrelkaDetails();
+					break;
+				case 'elastalert':
+					this.extractElastAlertDetails();
+					break;
+			}
+		},
+		extractSuricataDetails() {
+			const metadataExtractor = /metadata:([^;]+);/i;
+			const match = this.detect.content.match(metadataExtractor);
+
+			if (!match) {
+				return;
+			}
+
+			const metadata = match[1].split(',').map(opt => opt.trim());
+			const ymd = /\d{4}[-_]\d{1,2}[-_]\d{1,2}/;
+			const leading0 = /^0/;
+
+			for (let i = 0; i < metadata.length; i++) {
+				let md = metadata[i];
+
+				if (md.indexOf('created_at') > -1) {
+					let date = md.match(ymd);
+					if (date) {
+						this.extractedCreated = date[0];
+					}
+				}
+
+				if (md.indexOf('updated_at') > -1) {
+					let date = md.match(ymd);
+					if (date) {
+						this.extractedUpdated = date[0];
+					}
+				}
+
+				if (md.indexOf('author') > -1) {
+					this.extractedAuthor = md.replace('author', '').trim();
+				}
+			}
+		},
+		extractStrelkaDetails() {
+			const authorExtractor = /^\s*author\s*=\s*"(.*)"/im;
+			const dateExtractor = /^\s*date\s*=\s*"(.*)"/im;
+
+			const authorMatch = authorExtractor.exec(this.detect.content);
+
+			if (authorMatch) {
+				this.extractedAuthor = authorMatch[1];
+			}
+
+			const dateMatch = dateExtractor.exec(this.detect.content);
+
+			if (dateMatch) {
+				this.extractedCreated = dateMatch[1];
+			}
+		},
+		extractElastAlertDetails() {
+			const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+
+			this.extractedAuthor = yaml['author'];
+			this.extractedCreated = yaml['date'];
+			this.extractedUpdated = yaml['modified'];
+		},
 		async loadHistory() {
 			const route = this;
 			const id = route.$route.params.id;
diff --git a/model/detection.go b/model/detection.go
index 65d959ec2..d99605c73 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -46,6 +46,10 @@ const (
 	OverrideTypeThreshold    OverrideType = "threshold"
 	OverrideTypeModify       OverrideType = "modify"
 	OverrideTypeCustomFilter OverrideType = "customFilter"
+
+	LicenseDRL = "DRL"
+	LicenseCommercial = "Commercial"
+	LicenseBSD = "BSD"
 )
 
 var (
@@ -102,6 +106,7 @@ type Detection struct {
 	Overrides   []*Override `json:"overrides"` // Tuning
 	Tags        []string    `json:"tags"`
 	Ruleset     *string     `json:"ruleset"`
+	License     string      `json:"license"`
 }
 
 // Note: JSON tags are used when storing the object in ElasticSearch,
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index f24b1076a..97d38c841 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -370,6 +370,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 				Engine:      model.EngineNameElastAlert,
 				Language:    model.SigLangSigma,
 				Ruleset:     util.Ptr(pkg),
+				License:     model.LicenseDRL,
 			})
 		}
 	}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 753098f69..2d626e68a 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -706,6 +706,9 @@ func convertElasticEventToDetection(event *model.EventRecord, schemaPrefix strin
 			if value, ok := event.Payload[schemaPrefix+"detection.language"]; ok {
 				obj.Language = model.SigLanguage(value.(string))
 			}
+			if value, ok := event.Payload[schemaPrefix+"detection.license"]; ok {
+				obj.License = value.(string)
+			}
 			if value, ok := event.Payload[schemaPrefix+"detection.tags"]; ok && value != nil {
 				arr := value.([]interface{})
 				obj.Tags = make([]string, 0, len(arr))
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index eecb8a859..204fda68d 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -34,6 +34,11 @@ const modifyFromTo = `"flowbits" "noalert; flowbits"`
 
 var errModuleStopped = fmt.Errorf("module has stopped running")
 
+var licenseBySource = map[string]string{
+	"etopen": model.LicenseBSD,
+	"etpro":  model.LicenseCommercial,
+}
+
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
@@ -289,6 +294,7 @@ func (s *SuricataEngine) parseRules(content string, ruleset string) ([]*model.De
 			Engine:      model.EngineNameSuricata,
 			Language:    model.SigLangSuricata,
 			Ruleset:     util.Ptr(ruleset),
+			License:     lookupLicense(ruleset),
 		})
 	}
 
@@ -682,3 +688,12 @@ func indexThreshold(content string) (map[string][]*model.Override, error) {
 
 	return index, nil
 }
+
+func lookupLicense(ruleset string) string {
+	license, ok := licenseBySource[strings.ToLower(ruleset)]
+	if !ok {
+		license = "Unknown"
+	}
+
+	return license
+}

From 4a05909c96a252610ad36b17d50052ff56fe4bf9 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 12 Feb 2024 14:20:55 -0700
Subject: [PATCH 090/102] WIP: Updated Tests to Include License Checks

---
 server/modules/elastalert/elastalert_test.go | 1 +
 server/modules/suricata/suricata_test.go     | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index a3ab7417a..072b583f5 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -351,6 +351,7 @@ level: high
 		Engine:      model.EngineNameElastAlert,
 		Language:    model.SigLangSigma,
 		Ruleset:     util.Ptr("all_rules"),
+		License:     model.LicenseDRL,
 	}
 
 	dets, errMap := engine.parseRules(pkgZips)
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index dbb7fe836..600f7b3d4 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -305,7 +305,7 @@ func TestParse(t *testing.T) {
 		ExpectedError      *string
 	}{
 		{
-			Name: "Sunny Day Path w/ Edge Cases",
+			Name: "Sunny Day Path with Edge Cases",
 			Lines: []string{
 				"# Comment",
 				SimpleRule,
@@ -323,6 +323,7 @@ func TestParse(t *testing.T) {
 					Engine:      model.EngineNameSuricata,
 					Language:    model.SigLangSuricata,
 					Ruleset:     ruleset,
+					License:     "Unknown",
 				},
 				{
 					PublicID:    "20000",
@@ -333,6 +334,7 @@ func TestParse(t *testing.T) {
 					Engine:      model.EngineNameSuricata,
 					Language:    model.SigLangSuricata,
 					Ruleset:     ruleset,
+					License:     "Unknown",
 				},
 			},
 		},

From a6810b2322a0e1c6f7c80dc2cf385fd1931ab48a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 13 Feb 2024 12:46:20 -0700
Subject: [PATCH 091/102] WIP: Comments, Permissions

Detections no longer have a Note field. Instead they have comments that work like case comments.

Detections now check read/write permissions before contacting ElasticSearch.
---
 html/index.html                               | 136 ++++++-
 html/js/i18n.js                               |   1 +
 html/js/routes/detection.js                   | 347 ++++++++++++++----
 model/detection.go                            |  10 +-
 server/detectionhandler.go                    |  98 +++++
 server/detectionstore.go                      |   6 +
 server/mock/mock_detectionstore.go            |  74 ++++
 server/modules/elastic/converter.go           |  26 ++
 .../modules/elastic/elasticdetectionstore.go  | 226 ++++++++++--
 9 files changed, 808 insertions(+), 116 deletions(-)

diff --git a/html/index.html b/html/index.html
index c5d0cfe45..6367c38bd 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1050,9 +1050,9 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <v-icon left>fa-comments</v-icon>
                 <div class="d-none d-lg-block">Overview</div>
               </v-tab>
-              <v-tab id="detection_notesTab" href="#notes">
+              <v-tab id="detection_commentsTab" href="#comments">
                 <v-icon left>fa-paperclip</v-icon>
-                <div class="d-none d-lg-block">Operational Notes</div>
+                <div class="d-none d-lg-block">Comments</div>
               </v-tab>
               <v-tab id="detection_signatureTab" href="#signature">
                 <v-icon left>fa-eye</v-icon>
@@ -1118,21 +1118,127 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                   </div>
                 </div> -->
               </v-tab-item>
-              <v-tab-item value="notes">
-                <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
-                  <!-- Notes -->
-                  <v-textarea class="config-editor" outlined v-model="detect.note" auto-grow rows="15" />
-                </div>
-                <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
-                  <div class="d-inline-flex justify-end">
-                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
-                      {{ i18n.cancel }}
-                    </v-btn>
-                    <v-btn id="detection-update" text small color="primary" class="align-self-end" @click="saveDetection(false)">
-                      {{i18n.update}}
-                    </v-btn>
+              <v-tab-item value="comments">
+                <v-row>
+                  <v-col>
+                    <v-toolbar class="elevation-0" fixed>
+                      <v-btn :title="i18n.addCommentHelp" color="primary" @click.stop="prepareForInput('comment-input')" id="add-comment-button">
+                        <v-icon>fa-plus</v-icon>
+                      </v-btn>
+                      <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="reloadAssociation(true)" id="refresh-comments-button">
+                        <v-icon>fa-sync</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                  </v-col>
+                </v-row>
+                <div id="comment-list">
+                  <div v-for="(comment, index) in comments" class="mb-8" v-if="shouldRenderComment(comment, index)">
+                    <div class="d-flex flex-column align-start my-4">
+                      <v-col class="d-flex flex-column align-start pt-2 pt-md-0">
+                        <div class="mt-1 mt-md-3 pt-1 pb-2 px-2 contrast-bg rounded rounded-md" style="width: 100%;">
+                          <div class="d-flex flex-column align-start">
+                            <div v-if="!isEdit(`comment-${index}`)" class="case d-block comment-body mt-2">
+                              <div class="mb-2">
+                                <div :id="`comment-${index}`" class="markdown-body" :inner-html.prop="comment.value | formatMarkdown"></div>
+                              </div>
+                            </div>
+                            <div v-else class="d-flex flex-column" style="width: 100%;">
+                              <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
+                                <a class="case markdown-icon" href="https://www.markdownguide.org/cheat-sheet/" :target="$root.target('_blank')" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                              </div>
+                              <div class="mb-3">
+                                <v-form v-model="editForm.valid" @submit.prevent>
+                                  <v-textarea id="comment-value-input" solo flat hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
+                                </v-form>
+                                <div class="d-inline-flex justify-end">
+                                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                    {{ i18n.cancel }}
+                                  </v-btn>
+                                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                    {{ i18n.update }}
+                                  </v-btn>
+                                </div>
+                              </div>
+                            </div>
+
+                            <div class="d-flex flex-column flex-sm-row align-self-end text-body-2">
+                              <div class="d-inline-flex align-center mr-1">
+                                <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                                  <div class="case avatar-font" :title="comment.owner">
+                                    {{ $root.getAvatar(comment.owner) }}
+                                  </div>
+                                </v-avatar>
+                                <div >
+                                  {{ comment.owner }}
+                                </div>
+                              </div>
+                              <div class="mt-1 mr-1 d-none d-sm-block">
+                                &bull;
+                              </div>
+                              <div class="mt-1">
+                                {{ comment.createTime | formatDateTime }}
+                              </div>
+                              <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-sm-2">
+                                {{ i18n.edited }}
+                              </div>
+                              <div class="ml-1 d-flex mt-1 mt-sm-0">
+                                <v-btn text small icon color="primary" v-if="!isEdit(`comment-${index}`)" @click="startCommentEdit(`comment-${index}`, 'comment-input', comment)"
+                                  @keypress.space.prevent="startCommentEdit(`comment-${index}`, 'comment-input', comment)">
+                                  <v-icon class="tiny-icon">fa-edit</v-icon>
+                                </v-btn>
+                                <v-btn text small color="red" @click="deleteComment(comment)" icon><v-icon class="tiny-icon">fa-circle-xmark</v-icon></v-btn>
+                              </div>
+                            </div>
+                          </div>
+                        </div>
+                      </v-col>
+                    </div>
+                    <div v-if="shouldRenderShowAll(index)" class="d-flex-block justify-center my-4 show-all">
+                      <div class="d-flex justify-center">
+                        <div>{{ getUnrenderedCount('comments') }} {{ i18n.hidden }} {{ i18n.comments }}</div>
+                      </div>
+                      <div class="d-flex justify-center">
+                        <v-btn @click="renderAllComments()">{{ i18n.showAll }}</v-btn>
+                      </div>
+                    </div>
                   </div>
                 </div>
+                <div class="d-flex flex-column align-start my-4">
+                  <v-col id="new-comment" class="d-flex flex-column align-start pt-2 pt-md-0">
+                    <div class="mt-1 mt-md-3 pb-3 pt-1 contrast-bg rounded rounded-md" style="width: 100%;">
+                      <div class="d-flex flex-column align-start">
+                        <div class="d-inline-flex align-center mt-3 mx-2 mb-4">
+                          <v-avatar color="primary" size="28" class="mr-2 white--text">
+                            <div class="font-weight-bold" :title="$root.username">
+                            {{ $root.getAvatar($root.username) }}
+                            </div>
+                          </v-avatar>
+                          <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
+                        </div>
+                        <div class="d-flex flex-column" style="width: 100%;">
+                          <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-3">
+                            <a class="case markdown-icon" href="https://www.markdownguide.org/cheat-sheet/" :target="$root.target('_blank')" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                          </div>
+                          <div class="mx-2">
+                            <v-form ref="detection-comment" v-model="commentsForm.valid" @submit.prevent>
+                              <v-textarea id="comment-input" solo flat hide-details="auto" rows="5" color="text--black" :value="commentsForm.value" @change="val => commentsForm.value = val" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionDetectionHelp"/>
+                            </v-form>
+                          </div>
+                        </div>
+                      </div>
+                    </div>
+                    <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                      <div class="d-inline-flex justify-end">
+                        <v-btn text small color="primary" class="align-self-end" @click="resetForm()">
+                        {{ i18n.cancel }}
+                        </v-btn>
+                        <v-btn :disabled="!commentsForm.valid" text small color="primary" class="align-self-end" @click="addComment()">
+                        {{ origComment ? i18n.update : i18n.add }}
+                        </v-btn>
+                      </div>
+                    </div>
+                  </v-col>
+                </div>
               </v-tab-item>
               <v-tab-item value="signature">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index e95e43c6d..9e595c51c 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -170,6 +170,7 @@ const i18n = {
       commentAdd: 'Add Comment',
       commentDescription: 'Comment',
       commentDescriptionHelp: 'Provide follow-up information to this case',
+      commentDescriptionDetectionHelp: 'Provide follow-up information to this detection',
       commentHours: 'Work Hours',
       commentHoursHelp: 'Hours spent working on this update (leave blank for 0 hours)',
       commentRequired: 'Comments cannot be empty.',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 0142432ad..ca1c5192f 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -19,83 +19,106 @@ function debounce(fn, wait) {
 
 routes.push({ path: '/detection/:id', name: 'detection', component: {
 	template: '#page-detection',
-	data() { return {
-		i18n: this.$root.i18n,
-		presets: {},
-		severityTranslations: {},
-		params: {},
-		detect: null,
-		origDetect: null,
-		curEditTarget: null, // string containing element ID, null if not editing
-		origValue: null,
-		editField: null,
-		curOverrideEditTarget: null,
-		origOverrideValue: null,
-		overrideEditField: null,
-		editOverride: null, // the override we're currently editing
-		editForm: { valid: true },
-		rules: {
-			required: value => (value && value.length > 0) || this.$root.i18n.required,
-			number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
-			hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
-			minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
-			shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
-			longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
-			fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
-			fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
-			fileRequired: value => (value != null) || this.$root.i18n.required,
-			cidrFormat: value => (!value ||
-				/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
-				/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
-			) || this.i18n.invalidCidr,
-		},
-		panel: [0, 1, 2],
-		activeTab: '',
-		sidExtract: /\bsid: ?['"]?(.*?)['"]?;/, // option
-		severityExtract: /\bsignature_severity ['"]?(.*?)['"]?[,;]/, // metadata
-		authorExtract: /\bauthor: ?['"]?(.*?)['"]?;/, // option
-		authorMetaExtract: /\bauthor ['"]?(.*?)['"]?[,;]/, // metadata
-		sortBy: 'createdAt',
-		sortDesc: false,
-		expanded: [],
-		overrideHeaders: [
-			{ text: 'Enabled', value: 'isEnabled' },
-			{ text: 'Type', value: 'type' },
-			{ text: 'Track', value: 'track' },
-			{ text: 'Created', value: 'createdAt', format: true },
-			{ text: 'Updated', value: 'updatedAt', format: true },
-		],
-		zone: moment.tz.guess(),
-		newOverride: null,
-		thresholdTypes: [
-			{ value: 'threshold', text: 'Threshold' },
-			{ value: 'limit', text: 'Limit' },
-			{ value: 'both', text: 'Both' }
-		],
-		historyTableOpts: {
-			sortBy: 'updateTime',
+	data() {
+		return {
+			i18n: this.$root.i18n,
+			presets: {},
+			severityTranslations: {},
+			params: {},
+			detect: null,
+			origDetect: null,
+			curEditTarget: null, // string containing element ID, null if not editing
+			origValue: null,
+			editField: null,
+			curOverrideEditTarget: null,
+			origOverrideValue: null,
+			overrideEditField: null,
+			editOverride: null, // the override we're currently editing
+			editForm: { valid: true },
+			commentsForm: { valid: true, value: '' },
+			rules: {
+				required: value => (value && value.length > 0) || this.$root.i18n.required,
+				number: value => (!isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+				hours: value => (!value || /^\d{1,4}(\.\d{1,4})?$/.test(value)) || this.$root.i18n.invalidHours,
+				minLength: limit => value => (value && value.length >= limit) || this.$root.i18n.ruleMinLen,
+				shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+				longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+				fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+				fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+				fileRequired: value => (value != null) || this.$root.i18n.required,
+				cidrFormat: value => (!value ||
+					/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
+					/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
+				) || this.i18n.invalidCidr,
+			},
+			panel: [0, 1, 2],
+			activeTab: '',
+			sidExtract: /\bsid: ?['"]?(.*?)['"]?;/, // option
+			severityExtract: /\bsignature_severity ['"]?(.*?)['"]?[,;]/, // metadata
+			authorExtract: /\bauthor: ?['"]?(.*?)['"]?;/, // option
+			authorMetaExtract: /\bauthor ['"]?(.*?)['"]?[,;]/, // metadata
+			sortBy: 'createdAt',
 			sortDesc: false,
-			search: '',
-			headers: [
-				{ text: this.$root.i18n.actions, width: '10.0em' },
-				{ text: this.$root.i18n.username, value: 'owner' },
-				{ text: this.$root.i18n.time, value: 'updateTime' },
-				{ text: this.$root.i18n.kind, value: 'kind' },
-				{ text: this.$root.i18n.operation, value: 'operation' },
-			],
-			itemsPerPage: 10,
-			footerProps: { 'items-per-page-options': [10,50,250,1000] },
-			count: 500,
 			expanded: [],
-			loading: false,
-		},
-		extractedSummary: '',
-		extractedReferences: [],
-		extractedLogic: '',
-		history: [],
-		extractedCreated: '',
-		extractedUpdated: '',
-		extractedAuthor: '',
+			overrideHeaders: [
+				{ text: 'Enabled', value: 'isEnabled' },
+				{ text: 'Type', value: 'type' },
+				{ text: 'Track', value: 'track' },
+				{ text: 'Created', value: 'createdAt', format: true },
+				{ text: 'Updated', value: 'updatedAt', format: true },
+			],
+			zone: moment.tz.guess(),
+			newOverride: null,
+			thresholdTypes: [
+				{ value: 'threshold', text: 'Threshold' },
+				{ value: 'limit', text: 'Limit' },
+				{ value: 'both', text: 'Both' }
+			],
+			historyTableOpts: {
+				sortBy: 'updateTime',
+				sortDesc: false,
+				search: '',
+				headers: [
+					{ text: this.$root.i18n.actions, width: '10.0em' },
+					{ text: this.$root.i18n.username, value: 'owner' },
+					{ text: this.$root.i18n.time, value: 'updateTime' },
+					{ text: this.$root.i18n.kind, value: 'kind' },
+					{ text: this.$root.i18n.operation, value: 'operation' },
+				],
+				itemsPerPage: 10,
+				footerProps: { 'items-per-page-options': [10, 50, 250, 1000] },
+				count: 500,
+				expanded: [],
+				loading: false,
+			},
+			extractedSummary: '',
+			extractedReferences: [],
+			extractedLogic: '',
+			history: [],
+			extractedCreated: '',
+			extractedUpdated: '',
+			extractedAuthor: '',
+			comments: [],
+			commentsTable: {
+				showAll: false,
+				sortBy: 'createTime',
+				sortDesc: false,
+				search: '',
+				headers: [
+					{ text: this.$root.i18n.username, value: 'owner' },
+					{ text: this.$root.i18n.dateCreated, value: 'createTime' },
+					{ text: this.$root.i18n.dateModified, value: 'updateTime' },
+					{ text: this.$root.i18n.commentDescription, value: 'description' },
+				],
+				itemsPerPage: 10,
+				footerProps: { 'items-per-page-options': [10, 50, 250, 1000] },
+				count: 500,
+				expanded: [],
+				loading: false,
+			},
+			renderAbbreviatedCount: 30,
+			curCommentEditTarget: null,
+			origComment: null,
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -114,6 +137,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
+			this.renderAbbreviatedCount = params["renderAbbreviatedCount"];
 			this.severityTranslations = params['severityTranslations'];
 
 			if (this.$route.params.id === 'create') {
@@ -167,6 +191,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.extractLogic();
 			this.extractDetails();
 			this.loadHistory();
+			this.loadComments();
 		},
 		extractSummary() {
 			switch (this.detect.engine) {
@@ -493,6 +518,22 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			});
 		},
+		async startCommentEdit(target, focusId, comment) {
+			if (this.curCommentEditTarget === target) return;
+			if (this.curCommentEditTarget !== null) this.resetForm();
+
+			this.commentsForm.value = comment.value;
+			this.curCommentEditTarget = target;
+			this.origComment = comment;
+
+			this.$nextTick(() => {
+				const el = document.getElementById(focusId);
+				if (el) {
+					el.focus();
+					el.select();
+				}
+			});
+		},
 		isEdit(target) {
 			return this.curEditTarget === target;
 		},
@@ -943,6 +984,160 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			}
 
 			expanded.push(row);
-		}
+		},
+		prepareForInput(id) {
+			const el = document.getElementById(id)
+			el.scrollIntoView()
+			el.focus();
+		},
+		async reloadComments(showLoadingIndicator = false) {
+			if (showLoadingIndicator) this.$root.startLoading();
+			this.comments = [];
+			await this.loadComments();
+			if (showLoadingIndicator) this.$root.stopLoading();
+		},
+		async loadComments() {
+			try {
+				const response = await this.$root.papi.get(`detection/${this.detect.id}/comment`);
+				if (response && response.data) {
+					for (var idx = 0; idx < response.data.length; idx++) {
+						const obj = response.data[idx];
+
+						// Don't await the user details -- takes too long for the task scheduler to
+						// complete all these futures when looping across hundreds of records. Let
+						// the UI update as they finish, for a better user experience.
+						this.$root.populateUserDetails(obj, "userId", "owner");
+						if (obj.assigneeId) {
+							this.$root.populateUserDetails(obj, "assigneeId", "assignee");
+						}
+
+						obj.operation = this.$root.localizeMessage(obj.operation);
+
+						this.comments.push(obj);
+					}
+
+					this.resetForm();
+				}
+			} catch (error) {
+				this.$root.showError(error);
+			}
+		},
+		async addComment() {
+			if (this.$refs && this.$refs['detection-comment'] && !this.$refs['detection-comment'].validate()) {
+				return;
+			}
+
+			this.$root.startLoading();
+			try {
+				let isUpdate = false;
+				const form = this.commentsForm;
+				form.detectionId = this.detect.id;
+				form.id = '';
+				if (this.origComment) {
+					form.id = this.origComment.id;
+					isUpdate = true;
+				}
+				if (form.value) {
+					form.value = form.value.trim();
+				}
+
+				let data = JSON.stringify(form);
+				delete data.valid;
+
+				let response;
+				if (isUpdate) {
+					response = await this.$root.papi.put(`detection/comment/${form.id}`, data);
+				} else {
+					response = await this.$root.papi.post(`detection/${this.detect.id}/comment`, data);
+				}
+
+				if (response && response.data) {
+					if (isUpdate) {
+						this.reloadComments();
+					} else {
+						await this.$root.populateUserDetails(response.data, "userId", "owner");
+						this.comments.push(response.data);
+					}
+
+					this.resetForm();
+				}
+
+				this.$root.showTip(this.i18n.saveSuccess);
+			} catch (error) {
+				this.$root.showError(error);
+			}
+
+			this.$root.stopLoading();
+		},
+		resetForm() {
+			this.origComment = null;
+			if (this.$refs && this.$refs['detection-comment']) this.$refs['detection-comment'].reset();
+			this.commentsForm  = { valid: true, value: '' };
+		},
+		shouldRenderComment(obj, index) {
+			var render = true;
+			if (!this.commentsTable.showAll && this.renderAbbreviatedCount) {
+				const count = this.comments ? this.comments.length : 0;
+				const lowerCutoff = Math.floor(this.renderAbbreviatedCount / 2);
+				if (count - this.renderAbbreviatedCount > lowerCutoff) {
+					const upperCutoff = count - lowerCutoff;
+					if (index >= lowerCutoff && index < upperCutoff) {
+						render = false;
+					}
+				}
+			}
+
+			return render;
+		},
+		isEdited(obj) {
+			const createTime = Date.parse(obj.createTime);
+			const updateTime = Date.parse(obj.updateTime);
+			return Math.abs(updateTime - createTime) >= 1000;
+		},
+		shouldRenderShowAll(index) {
+			var render = false;
+			if (!this.commentsTable.showAll && this.renderAbbreviatedCount) {
+				const count = this.comments ? this.comments.length : 0;
+				const lowerCutoff = Math.floor(this.renderAbbreviatedCount / 2);
+				if (count - this.renderAbbreviatedCount > lowerCutoff) {
+					if (index == lowerCutoff-1) {
+						render = true;
+					}
+				}
+			}
+
+			return render;
+		},
+		getUnrenderedCount() {
+			var hiddenCount = 0;
+			if (!this.commentsTable.showAll && this.renderAbbreviatedCount) {
+				const count = this.comments ? this.comments.length : 0;
+				if (count > this.renderAbbreviatedCount) {
+					hiddenCount = count - this.renderAbbreviatedCount;
+				}
+			}
+
+			return hiddenCount;
+		},
+		renderAllComments() {
+			this.commentsTable.showAll = true;
+		},
+		async deleteComment(obj) {
+			const idx = this.comments.indexOf(obj);
+			if (idx > -1) {
+				this.$root.startLoading();
+				try {
+					await this.$root.papi.delete(`detection/comment/${obj.id}`);
+					this.comments.splice(idx, 1);
+				} catch (error) {
+					if (error.response != undefined && error.response.status == 404) {
+						this.$root.showError(this.i18n.notFound);
+					} else {
+						this.$root.showError(error);
+					}
+				}
+				this.$root.stopLoading();
+			}
+		},
 	}
 }});
diff --git a/model/detection.go b/model/detection.go
index d99605c73..27de817e7 100644
--- a/model/detection.go
+++ b/model/detection.go
@@ -47,9 +47,9 @@ const (
 	OverrideTypeModify       OverrideType = "modify"
 	OverrideTypeCustomFilter OverrideType = "customFilter"
 
-	LicenseDRL = "DRL"
+	LicenseDRL        = "DRL"
 	LicenseCommercial = "Commercial"
-	LicenseBSD = "BSD"
+	LicenseBSD        = "BSD"
 )
 
 var (
@@ -109,6 +109,12 @@ type Detection struct {
 	License     string      `json:"license"`
 }
 
+type DetectionComment struct {
+	Auditable
+	DetectionId string `json:"detectionId"`
+	Value       string `json:"value"`
+}
+
 // Note: JSON tags are used when storing the object in ElasticSearch,
 // YAML tags are used when storing the object in a YAML config file (Suricata).
 
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 0654d0543..cb161143f 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -42,6 +42,12 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Post("/", h.postDetection)
 		r.Post("/{id}/duplicate", h.duplicateDetection)
 
+		r.Post("/{id}/comment", h.createComment)
+		r.Get("/comment/{id}", h.getDetectionComment)
+		r.Put("/comment/{id}", h.updateComment)
+		r.Delete("/comment/{id}", h.deleteComment)
+		r.Get("/{id}/comment", h.getDetectionComments)
+
 		r.Get("/{id}/history", h.getDetectionHistory)
 
 		r.Put("/", h.putDetection)
@@ -434,3 +440,95 @@ func SyncLocalDetections(ctx context.Context, srv *Server, detections []*model.D
 
 	return errMap, nil
 }
+
+func (h *DetectionHandler) createComment(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	detectId := chi.URLParam(r, "id")
+
+	body := &model.DetectionComment{}
+
+	err := web.ReadJson(r, &body)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	body.DetectionId = detectId
+
+	obj, err := h.server.Detectionstore.CreateComment(ctx, body)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
+
+func (h *DetectionHandler) getDetectionComment(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	id := chi.URLParam(r, "id")
+
+	obj, err := h.server.Detectionstore.GetComment(ctx, id)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
+
+func (h *DetectionHandler) updateComment(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	commentId := chi.URLParam(r, "id")
+
+	body := &model.DetectionComment{}
+
+	err := web.ReadJson(r, &body)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, err)
+		return
+	}
+
+	body.Id = commentId
+
+	obj, err := h.server.Detectionstore.UpdateComment(ctx, body)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
+
+func (h *DetectionHandler) deleteComment(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	commentId := chi.URLParam(r, "id")
+
+	err := h.server.Detectionstore.DeleteComment(ctx, commentId)
+	if err != nil {
+		web.Respond(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, nil)
+}
+
+func (h *DetectionHandler) getDetectionComments(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	detectId := chi.URLParam(r, "id")
+
+	obj, err := h.server.Detectionstore.GetComments(ctx, detectId)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			web.Respond(w, r, http.StatusNotFound, err)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, obj)
+}
diff --git a/server/detectionstore.go b/server/detectionstore.go
index c73416b7e..38203c834 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -21,6 +21,12 @@ type Detectionstore interface {
 	GetAllCommunitySIDs(ctx context.Context, engine *model.EngineName) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 	GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error)
+
+	CreateComment(ctx context.Context, newComment *model.DetectionComment) (*model.DetectionComment, error)
+	GetComment(ctx context.Context, commentId string) (*model.DetectionComment, error)
+	GetComments(ctx context.Context, detectionId string) ([]*model.DetectionComment, error)
+	UpdateComment(ctx context.Context, comment *model.DetectionComment) (*model.DetectionComment, error)
+	DeleteComment(ctx context.Context, id string) error
 }
 
 //go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 60cf76910..4ad9246ad 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -39,6 +39,21 @@ func (m *MockDetectionstore) EXPECT() *MockDetectionstoreMockRecorder {
 	return m.recorder
 }
 
+// CreateComment mocks base method.
+func (m *MockDetectionstore) CreateComment(arg0 context.Context, arg1 *model.DetectionComment) (*model.DetectionComment, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateComment", arg0, arg1)
+	ret0, _ := ret[0].(*model.DetectionComment)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateComment indicates an expected call of CreateComment.
+func (mr *MockDetectionstoreMockRecorder) CreateComment(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateComment", reflect.TypeOf((*MockDetectionstore)(nil).CreateComment), arg0, arg1)
+}
+
 // CreateDetection mocks base method.
 func (m *MockDetectionstore) CreateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
 	m.ctrl.T.Helper()
@@ -54,6 +69,20 @@ func (mr *MockDetectionstoreMockRecorder) CreateDetection(arg0, arg1 any) *gomoc
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateDetection", reflect.TypeOf((*MockDetectionstore)(nil).CreateDetection), arg0, arg1)
 }
 
+// DeleteComment mocks base method.
+func (m *MockDetectionstore) DeleteComment(arg0 context.Context, arg1 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteComment", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteComment indicates an expected call of DeleteComment.
+func (mr *MockDetectionstoreMockRecorder) DeleteComment(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteComment", reflect.TypeOf((*MockDetectionstore)(nil).DeleteComment), arg0, arg1)
+}
+
 // DeleteDetection mocks base method.
 func (m *MockDetectionstore) DeleteDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
 	m.ctrl.T.Helper()
@@ -84,6 +113,36 @@ func (mr *MockDetectionstoreMockRecorder) GetAllCommunitySIDs(arg0, arg1 any) *g
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllCommunitySIDs", reflect.TypeOf((*MockDetectionstore)(nil).GetAllCommunitySIDs), arg0, arg1)
 }
 
+// GetComment mocks base method.
+func (m *MockDetectionstore) GetComment(arg0 context.Context, arg1 string) (*model.DetectionComment, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetComment", arg0, arg1)
+	ret0, _ := ret[0].(*model.DetectionComment)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetComment indicates an expected call of GetComment.
+func (mr *MockDetectionstoreMockRecorder) GetComment(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetComment", reflect.TypeOf((*MockDetectionstore)(nil).GetComment), arg0, arg1)
+}
+
+// GetComments mocks base method.
+func (m *MockDetectionstore) GetComments(arg0 context.Context, arg1 string) ([]*model.DetectionComment, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetComments", arg0, arg1)
+	ret0, _ := ret[0].([]*model.DetectionComment)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetComments indicates an expected call of GetComments.
+func (mr *MockDetectionstoreMockRecorder) GetComments(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetComments", reflect.TypeOf((*MockDetectionstore)(nil).GetComments), arg0, arg1)
+}
+
 // GetDetection mocks base method.
 func (m *MockDetectionstore) GetDetection(arg0 context.Context, arg1 string) (*model.Detection, error) {
 	m.ctrl.T.Helper()
@@ -129,6 +188,21 @@ func (mr *MockDetectionstoreMockRecorder) Query(arg0, arg1, arg2 any) *gomock.Ca
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Query", reflect.TypeOf((*MockDetectionstore)(nil).Query), arg0, arg1, arg2)
 }
 
+// UpdateComment mocks base method.
+func (m *MockDetectionstore) UpdateComment(arg0 context.Context, arg1 *model.DetectionComment) (*model.DetectionComment, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateComment", arg0, arg1)
+	ret0, _ := ret[0].(*model.DetectionComment)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateComment indicates an expected call of UpdateComment.
+func (mr *MockDetectionstoreMockRecorder) UpdateComment(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateComment", reflect.TypeOf((*MockDetectionstore)(nil).UpdateComment), arg0, arg1)
+}
+
 // UpdateDetection mocks base method.
 func (m *MockDetectionstore) UpdateDetection(arg0 context.Context, arg1 *model.Detection) (*model.Detection, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 2d626e68a..251499329 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -543,6 +543,30 @@ func convertElasticEventToComment(event *model.EventRecord, schemaPrefix string)
 	return obj, err
 }
 
+func convertElasticEventToDetectionComment(event *model.EventRecord, schemaPrefix string) (*model.DetectionComment, error) {
+	var err error
+	var obj *model.DetectionComment
+
+	if event != nil {
+		obj = &model.DetectionComment{}
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
+		if err == nil {
+			if value, ok := event.Payload[schemaPrefix+"detectioncomment.value"]; ok {
+				obj.Value = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detectioncomment.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload[schemaPrefix+"detectioncomment.detectionId"]; ok {
+				obj.DetectionId = value.(string)
+			}
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"detectioncomment.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToRelatedEvent(event *model.EventRecord, schemaPrefix string) (*model.RelatedEvent, error) {
 	var err error
 	var obj *model.RelatedEvent
@@ -787,6 +811,8 @@ func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string)
 			obj, err = convertElasticEventToCase(event, schemaPrefix)
 		case "comment":
 			obj, err = convertElasticEventToComment(event, schemaPrefix)
+		case "detectioncomment":
+			obj, err = convertElasticEventToDetectionComment(event, schemaPrefix)
 		case "related":
 			obj, err = convertElasticEventToRelatedEvent(event, schemaPrefix)
 		case "artifact":
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 5ae53b1a5..64aa53275 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -22,6 +22,7 @@ import (
 	"github.com/elastic/go-elasticsearch/v8/esapi"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 	"github.com/tidwall/gjson"
 )
@@ -143,14 +144,14 @@ func (store *ElasticDetectionstore) validateDetection(detect *model.Detection) e
 }
 
 func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, kind string, id string) (*model.EventIndexResults, error) {
-	var results *model.EventIndexResults
-	var err error
+	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+		return nil, err
+	}
 
-	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
 	document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
 	document[store.schemaPrefix+"kind"] = kind
 
-	results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+	results, err := store.server.Eventstore.Index(ctx, store.index, document, id)
 	if err == nil {
 		document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
 
@@ -168,16 +169,16 @@ func (store *ElasticDetectionstore) save(ctx context.Context, obj interface{}, k
 			}).WithError(err).Error("Object indexed successfully however audit record failed to index")
 		}
 	}
-	// }
 
 	return results, err
 }
 
 func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
-	var err error
+	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+		return err
+	}
 
-	// if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-	err = store.server.Eventstore.Delete(ctx, store.index, id)
+	err := store.server.Eventstore.Delete(ctx, store.index, id)
 	if err == nil {
 		document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
 		document[store.schemaPrefix+AUDIT_DOC_ID] = id
@@ -192,12 +193,15 @@ func (store *ElasticDetectionstore) delete(ctx context.Context, obj interface{},
 			}).WithError(err).Error("Object deleted successfully however audit record failed to index")
 		}
 	}
-	// }
 
 	return err
 }
 
 func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind string) (interface{}, error) {
+	if err := store.server.CheckAuthorized(ctx, "read", "detection"); err != nil {
+		return nil, err
+	}
+
 	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
 
 	objects, err := store.Query(ctx, query, 1)
@@ -212,11 +216,58 @@ func (store *ElasticDetectionstore) get(ctx context.Context, id string, kind str
 	return nil, err
 }
 
+func (store *ElasticDetectionstore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+	if err := store.server.CheckAuthorized(ctx, "read", "detection"); err != nil {
+		return nil, err
+	}
+
+	criteria := model.NewEventSearchCriteria()
+	format := "2006-01-02 3:04:05 PM"
+
+	var zeroTime time.Time
+	zeroTimeStr := zeroTime.Format(format)
+	now := time.Now()
+	endTime := now.Format(format)
+	zone := now.Location().String()
+
+	err := criteria.Populate(query,
+		zeroTimeStr+" - "+endTime, // timeframe range
+		format,                    // timeframe format
+		zone,                      // timezone
+		"0",                       // no metrics
+		strconv.Itoa(max))
+	if err != nil {
+		return nil, err
+	}
+
+	results, err := store.server.Eventstore.Search(ctx, criteria)
+	if err != nil {
+		return nil, err
+	}
+
+	objects := make([]interface{}, 0, len(results.Events))
+
+	for _, event := range results.Events {
+		obj, err := convertElasticEventToObject(event, store.schemaPrefix)
+		if err != nil {
+			log.WithField("event", event).WithError(err).Error("Unable to convert detection object")
+			continue
+		}
+
+		objects = append(objects, obj)
+	}
+
+	return objects, err
+}
+
 func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max int) ([]interface{}, error) {
 	var err error
 	var objects []interface{}
 
-	// if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+	if err = store.server.CheckAuthorized(ctx, "read", "detection"); err != nil {
+		return nil, err
+	}
+
 	criteria := model.NewEventSearchCriteria()
 	format := "2006-01-02 3:04:05 PM"
 
@@ -286,8 +337,6 @@ func (store *ElasticDetectionstore) Query(ctx context.Context, query string, max
 		sort = results.Events[len(results.Events)-1].Sort
 	}
 
-	// }
-
 	return objects, err
 }
 
@@ -303,9 +352,7 @@ func (store *ElasticDetectionstore) prepareForSave(ctx context.Context, obj *mod
 }
 
 func (store *ElasticDetectionstore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
-	var err error
-
-	err = store.validateDetection(detect)
+	err := store.validateDetection(detect)
 	if err != nil {
 		return nil, err
 	}
@@ -375,6 +422,10 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 }
 
 func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error) {
+	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+		return nil, err
+	}
+
 	if len(fields) == 0 {
 		return nil, errors.New("no fields to update")
 	}
@@ -481,14 +532,11 @@ func (store *ElasticDetectionstore) GetDetectionHistory(ctx context.Context, det
 }
 
 func (store *ElasticDetectionstore) audit(ctx context.Context, document map[string]interface{}, id string) error {
-	var err error
-
-	// TODO: Rethink permissions here
-	// if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
-	// store.refreshCache(ctx)
+	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+		return err
+	}
 
-	var request string
-	request, err = convertToElasticIndexRequest(nil, document)
+	request, err := convertToElasticIndexRequest(nil, document)
 	if err == nil {
 		log.Debug("Sending index request to primary Elasticsearch client")
 		_, err = store.indexDocument(ctx, store.disableCrossClusterIndex(store.auditIndex), request, id)
@@ -496,11 +544,15 @@ func (store *ElasticDetectionstore) audit(ctx context.Context, document map[stri
 			log.WithError(err).Error("Encountered error while indexing document into elasticsearch")
 		}
 	}
-	// }
+
 	return err
 }
 
 func (store *ElasticDetectionstore) indexDocument(ctx context.Context, index string, document string, id string) (string, error) {
+	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
+		return "", err
+	}
+
 	log.WithFields(log.Fields{
 		"index":     index,
 		"id":        id,
@@ -565,3 +617,131 @@ func (store *ElasticDetectionstore) readJsonFromResponse(res *esapi.Response) (s
 	}
 	return json, err
 }
+
+func (store *ElasticDetectionstore) validateComment(comment *model.DetectionComment) error {
+	var err error
+
+	if err == nil && comment.Id != "" {
+		err = store.validateId(comment.Id, "commentId")
+	}
+	if err == nil && comment.DetectionId != "" {
+		err = store.validateId(comment.DetectionId, "detectionId")
+	}
+	if err == nil && comment.UserId != "" {
+		err = store.validateId(comment.UserId, "userId")
+	}
+	if err == nil && len(comment.Kind) > 0 {
+		err = errors.New("Field 'Kind' must not be specified")
+	}
+	if err == nil && len(comment.Operation) > 0 {
+		err = errors.New("Field 'Operation' must not be specified")
+	}
+	if err == nil {
+		err = store.validateStringRequired(comment.Value, 1, LONG_STRING_MAX, "value")
+	}
+	return err
+}
+
+func (store *ElasticDetectionstore) CreateComment(ctx context.Context, comment *model.DetectionComment) (*model.DetectionComment, error) {
+	err := store.validateComment(comment)
+	if err != nil {
+		return nil, err
+	}
+
+	if comment.Id != "" {
+		return nil, errors.New("Unexpected ID found in new comment")
+	}
+
+	if comment.DetectionId == "" {
+		return nil, errors.New("Missing Detection ID in new comment")
+	}
+
+	_, err = store.GetDetection(ctx, comment.DetectionId)
+	if err != nil {
+		return nil, err
+	}
+
+	now := time.Now()
+	comment.CreateTime = util.Ptr(now)
+
+	results, err := store.save(ctx, comment, "detectioncomment", store.prepareForSave(ctx, &comment.Auditable))
+	if err != nil {
+		return nil, err
+	}
+
+	// Read object back to get new modify date, etc
+	return store.GetComment(ctx, results.DocumentId)
+}
+
+func (store *ElasticDetectionstore) GetComment(ctx context.Context, commentId string) (*model.DetectionComment, error) {
+	var comment *model.DetectionComment
+
+	err := store.validateId(commentId, "commentId")
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := store.get(ctx, commentId, "detectioncomment")
+	if err == nil {
+		comment = obj.(*model.DetectionComment)
+	}
+
+	return comment, err
+}
+
+func (store *ElasticDetectionstore) GetComments(ctx context.Context, detectionId string) ([]*model.DetectionComment, error) {
+	err := store.validateId(detectionId, "detectionId")
+	if err != nil {
+		return nil, err
+	}
+
+	comments := []*model.DetectionComment{}
+	query := fmt.Sprintf(`_index:"%s" AND %skind:"detectioncomment" AND %sdetectioncomment.detectionId:"%s" | sortby %sdetectioncomment.createTime^`, store.index, store.schemaPrefix, store.schemaPrefix, detectionId, store.schemaPrefix)
+
+	objects, err := store.getAll(ctx, query, store.maxAssociations)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, obj := range objects {
+		comments = append(comments, obj.(*model.DetectionComment))
+	}
+
+	return comments, err
+}
+
+func (store *ElasticDetectionstore) UpdateComment(ctx context.Context, comment *model.DetectionComment) (*model.DetectionComment, error) {
+	err := store.validateComment(comment)
+	if err != nil {
+		return nil, err
+	}
+
+	if comment.Id == "" {
+		return nil, errors.New("Missing comment ID")
+	}
+
+	old, err := store.GetComment(ctx, comment.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	// Preserve read-only fields
+	comment.CreateTime = old.CreateTime
+
+	results, err := store.save(ctx, comment, "detectioncomment", store.prepareForSave(ctx, &comment.Auditable))
+	if err != nil {
+		return nil, err
+	}
+
+	// Read object back to get new modify date, etc
+	return store.GetComment(ctx, results.DocumentId)
+}
+
+func (store *ElasticDetectionstore) DeleteComment(ctx context.Context, id string) error {
+	comment, err := store.GetComment(ctx, id)
+	if err != nil {
+		return err
+	}
+
+	return store.delete(ctx, comment, "detectioncomment", store.prepareForSave(ctx, &comment.Auditable))
+}

From a603daf7e8888fbbafdf9cd6c6d721c43aae4f78 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 14 Feb 2024 09:53:41 -0700
Subject: [PATCH 092/102] Query parameter can select ActiveTab

`/detection/{id}?tab=[summary|comments|source|tuning|history]`

Also added the tab names to i18n.
---
 html/index.html             | 14 +++++++-------
 html/js/i18n.js             |  3 +++
 html/js/routes/detection.js |  6 +++++-
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4e3fae7bd..519e98bc0 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1048,15 +1048,15 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
                 <v-icon left>fa-comments</v-icon>
-                <div class="d-none d-lg-block">Overview</div>
+                <div class="d-none d-lg-block">{{ i18n.overview }}</div>
               </v-tab>
               <v-tab id="detection_commentsTab" href="#comments">
                 <v-icon left>fa-paperclip</v-icon>
-                <div class="d-none d-lg-block">Comments</div>
+                <div class="d-none d-lg-block">{{ i18n.comments }}</div>
               </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
+              <v-tab id="detection_signatureTab" href="#source">
                 <v-icon left>fa-eye</v-icon>
-                <div class="d-none d-lg-block">Detection Source</div>
+                <div class="d-none d-lg-block">{{ i18n.detectionSource }}</div>
               </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
@@ -1064,11 +1064,11 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
                 <v-icon left>fa-link</v-icon>
-                <div class="d-none d-lg-block">Tuning</div>
+                <div class="d-none d-lg-block">{{ i18n.tuning }}</div>
               </v-tab>
               <v-tab id="detection_historyTab" href="#history">
                 <v-icon left>fa-history</v-icon>
-                <div class="d-none d-lg-block">History</div>
+                <div class="d-none d-lg-block">{{ i18n.history }}</div>
               </v-tab>
 
               <v-tab-item value="summary">
@@ -4767,7 +4767,7 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                     <li>
                       {{i18n.configQLSigmaHeader}}
                       <ul>
-                        <li>                               
+                        <li>
                           <router-link :to="{name: 'config', query: {s: 'soc.config.server.modules.elastalertengine.sigmaRulePackages'}}">{{i18n.configQLSigmaRuleset}}</router-link>
                         </li>
                       </ul>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index fce7cf2c4..c6e58da20 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -276,6 +276,7 @@ const i18n = {
       detectionId: 'Detection Id',
       detectionLogic: 'Detection Logic',
       detectionSeverity: 'Severity',
+      detectionSource: 'Detection Source',
       detectionTitle: 'Detection Title',
       detectionType: 'Detection Type',
       disable: 'Disable',
@@ -575,6 +576,7 @@ const i18n = {
       osUptime: 'OS Uptime',
       other: 'Other',
       overrideExpand: 'Show all override fields',
+      overview: 'Overview',
       owner: 'Owner',
       packages: 'Packages',
       packets: 'Captured Packets',
@@ -819,6 +821,7 @@ const i18n = {
       trafficManOutAbbr: 'Mgmt Out',
       transcriptCyberChefHelp: 'Send the transcript to CyberChef',
       ttr: 'Time Tracking',
+      tuning: 'Tuning',
       type: 'Type',
       unaccepted: 'Pending',
       unassigned: 'unassigned',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index ca1c5192f..19369f752 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -151,7 +151,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.loadUrlParameters();
 		},
 		loadUrlParameters() {
-
+			this.$nextTick(() => {
+				if (this.$route.query.tab) {
+					this.activeTab = this.$route.query.tab;
+				}
+			});
 		},
 		newDetection() {
 			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');

From 0c262a83dddb572074c99c3cdcc9dc664fae274a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 14 Feb 2024 09:53:41 -0700
Subject: [PATCH 093/102] Query parameter can select ActiveTab

`/detection/{id}?tab=[summary|comments|source|tuning|history]`

Also added the tab names to i18n.
---
 html/index.html             | 16 ++++++++--------
 html/js/i18n.js             |  3 +++
 html/js/routes/detection.js |  6 +++++-
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4e3fae7bd..3875c3d0b 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1048,15 +1048,15 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
             <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
                 <v-icon left>fa-comments</v-icon>
-                <div class="d-none d-lg-block">Overview</div>
+                <div class="d-none d-lg-block">{{ i18n.overview }}</div>
               </v-tab>
               <v-tab id="detection_commentsTab" href="#comments">
                 <v-icon left>fa-paperclip</v-icon>
-                <div class="d-none d-lg-block">Comments</div>
+                <div class="d-none d-lg-block">{{ i18n.comments }}</div>
               </v-tab>
-              <v-tab id="detection_signatureTab" href="#signature">
+              <v-tab id="detection_signatureTab" href="#source">
                 <v-icon left>fa-eye</v-icon>
-                <div class="d-none d-lg-block">Detection Source</div>
+                <div class="d-none d-lg-block">{{ i18n.detectionSource }}</div>
               </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
                 <v-icon left>fa-book-bookmark</v-icon>
@@ -1064,11 +1064,11 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
               </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
                 <v-icon left>fa-link</v-icon>
-                <div class="d-none d-lg-block">Tuning</div>
+                <div class="d-none d-lg-block">{{ i18n.tuning }}</div>
               </v-tab>
               <v-tab id="detection_historyTab" href="#history">
                 <v-icon left>fa-history</v-icon>
-                <div class="d-none d-lg-block">History</div>
+                <div class="d-none d-lg-block">{{ i18n.history }}</div>
               </v-tab>
 
               <v-tab-item value="summary">
@@ -1240,7 +1240,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   </v-col>
                 </div>
               </v-tab-item>
-              <v-tab-item value="signature">
+              <v-tab-item value="source">
                 <div class="col" style="background-color: rgb(53, 53, 53); border-radius: 4px;">
                   <!-- PublicID -->
                   <v-text-field id="detection-publicId-edit" v-model="detect.publicId" :readonly="detect.isCommunity" :rules="requestRules([rules.required, rules.minLength(5)])" persistent-hint :hint="i18n.publicId" v-on:keyup.enter="stopEdit(true)" v-on:keyup.esc="stopEdit(false)">
@@ -4767,7 +4767,7 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                     <li>
                       {{i18n.configQLSigmaHeader}}
                       <ul>
-                        <li>                               
+                        <li>
                           <router-link :to="{name: 'config', query: {s: 'soc.config.server.modules.elastalertengine.sigmaRulePackages'}}">{{i18n.configQLSigmaRuleset}}</router-link>
                         </li>
                       </ul>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index fce7cf2c4..c6e58da20 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -276,6 +276,7 @@ const i18n = {
       detectionId: 'Detection Id',
       detectionLogic: 'Detection Logic',
       detectionSeverity: 'Severity',
+      detectionSource: 'Detection Source',
       detectionTitle: 'Detection Title',
       detectionType: 'Detection Type',
       disable: 'Disable',
@@ -575,6 +576,7 @@ const i18n = {
       osUptime: 'OS Uptime',
       other: 'Other',
       overrideExpand: 'Show all override fields',
+      overview: 'Overview',
       owner: 'Owner',
       packages: 'Packages',
       packets: 'Captured Packets',
@@ -819,6 +821,7 @@ const i18n = {
       trafficManOutAbbr: 'Mgmt Out',
       transcriptCyberChefHelp: 'Send the transcript to CyberChef',
       ttr: 'Time Tracking',
+      tuning: 'Tuning',
       type: 'Type',
       unaccepted: 'Pending',
       unassigned: 'unassigned',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index ca1c5192f..19369f752 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -151,7 +151,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.loadUrlParameters();
 		},
 		loadUrlParameters() {
-
+			this.$nextTick(() => {
+				if (this.$route.query.tab) {
+					this.activeTab = this.$route.query.tab;
+				}
+			});
 		},
 		newDetection() {
 			let author = [this.$root.user.firstName, this.$root.user.lastName].filter(x => x).join(' ');

From 6f3c59264fd40f3d24acde7ad9fe307fa604713d Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 14 Feb 2024 15:56:35 -0700
Subject: [PATCH 094/102] Convert and Test ElastAlert Sigma

ElastAlert's Sigma rules can now be converted, viewed, and tested in Kibana.
---
 html/css/app.css                             | 17 ++++++++++
 html/index.html                              | 27 +++++++++++++++-
 html/js/external/lz-string.min.js            |  1 +
 html/js/i18n.js                              |  3 ++
 html/js/routes/detection.js                  | 34 ++++++++++++++++++++
 server/detectionengine.go                    |  1 +
 server/detectionhandler.go                   | 32 ++++++++++++++++++
 server/modules/elastalert/elastalert.go      | 23 +++++++++----
 server/modules/elastalert/elastalert_test.go |  9 ++++--
 server/modules/strelka/strelka.go            |  5 +++
 server/modules/suricata/suricata.go          |  4 +++
 11 files changed, 145 insertions(+), 11 deletions(-)
 create mode 100644 html/js/external/lz-string.min.js

diff --git a/html/css/app.css b/html/css/app.css
index 72641cd57..dfb4894cf 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -608,4 +608,21 @@ td {
 
 .case-title {
   text-transform: capitalize;
+}
+
+.sigma-dialog-body {
+  background-color: #404040;
+  margin: 12px;
+  padding: 12px;
+}
+
+#convert-button-container {
+  display: flex;
+  flex-direction: row;
+  justify-content: end;
+  padding: 24px;
+}
+
+#convert-button-container > * {
+  margin-left: 12px;
 }
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index 3875c3d0b..0b75a4e3f 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1253,7 +1253,10 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                 </div>
                 <div class="d-flex align-center align-self-end justify-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
-                    <v-btn id="detection-cancel" text small color="primary" class="align-self-end" @click="cancelDetection()">
+                    <v-btn v-if="detect.engine === 'elastalert'" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()">
+                      {{ i18n.convert }}
+                    </v-btn>
+                    <v-btn id="detection-cancel" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="cancelDetection()">
                       {{ i18n.cancel }}
                     </v-btn>
                     <v-btn id="detection-update" v-if="!detect.isCommunity" text small color="primary" class="align-self-end" @click="saveDetection(false)">
@@ -1668,6 +1671,27 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                 <!-- </div> -->
               </v-tab-item>
             </v-tabs>
+            <v-dialog v-model="showSigmaDialog" persistent width="800px">
+              <v-card>
+                <v-card-title class="lighten-4 py-4 title">{{ i18n.convertToElasticsearch }}</v-card-title>
+                <v-container>
+                  <div class="sigma-dialog-body">
+                    {{ convertedRule }}
+                  </div>
+                </v-container>
+                <div id="convert-button-container">
+                  <v-btn outlined color="primary" @click="cancelConvert()">
+                    {{ i18n.cancel }}
+                  </v-btn>
+                  <v-btn outlined color="primary" @click="copyConvertToClipboard()">
+                    {{ i18n.copyToClipboard }}
+                  </v-btn>
+                  <v-btn outlined color="primary" @click="runQueryInDiscover()">
+                    {{ i18n.viewInDiscover }}
+                  </v-btn>
+                </div>
+              </v-card>
+            </v-dialog>
           </div>
           <div class="col-md-3 order-md-2 col-12 order-1">
             <v-expansion-panels focusable multiple v-model="panel">
@@ -5142,6 +5166,7 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/external/chartjs-chart-sankey-0.12.0.min.js"></script>
     <script src="js/external/chartjs-adapter-moment-1.0.0.min.js"></script>
     <script src="js/external/js-yaml.min.js"></script>
+    <script src="js/external/lz-string.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/external/lz-string.min.js b/html/js/external/lz-string.min.js
new file mode 100644
index 000000000..f7c26ae2b
--- /dev/null
+++ b/html/js/external/lz-string.min.js
@@ -0,0 +1 @@
+var LZString=function(){var r=String.fromCharCode,o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",n="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-$",e={};function t(r,o){if(!e[r]){e[r]={};for(var n=0;n<r.length;n++)e[r][r.charAt(n)]=n}return e[r][o]}var i={compressToBase64:function(r){if(null==r)return"";var n=i._compress(r,6,function(r){return o.charAt(r)});switch(n.length%4){default:case 0:return n;case 1:return n+"===";case 2:return n+"==";case 3:return n+"="}},decompressFromBase64:function(r){return null==r?"":""==r?null:i._decompress(r.length,32,function(n){return t(o,r.charAt(n))})},compressToUTF16:function(o){return null==o?"":i._compress(o,15,function(o){return r(o+32)})+" "},decompressFromUTF16:function(r){return null==r?"":""==r?null:i._decompress(r.length,16384,function(o){return r.charCodeAt(o)-32})},compressToUint8Array:function(r){for(var o=i.compress(r),n=new Uint8Array(2*o.length),e=0,t=o.length;e<t;e++){var s=o.charCodeAt(e);n[2*e]=s>>>8,n[2*e+1]=s%256}return n},decompressFromUint8Array:function(o){if(null==o)return i.decompress(o);for(var n=new Array(o.length/2),e=0,t=n.length;e<t;e++)n[e]=256*o[2*e]+o[2*e+1];var s=[];return n.forEach(function(o){s.push(r(o))}),i.decompress(s.join(""))},compressToEncodedURIComponent:function(r){return null==r?"":i._compress(r,6,function(r){return n.charAt(r)})},decompressFromEncodedURIComponent:function(r){return null==r?"":""==r?null:(r=r.replace(/ /g,"+"),i._decompress(r.length,32,function(o){return t(n,r.charAt(o))}))},compress:function(o){return i._compress(o,16,function(o){return r(o)})},_compress:function(r,o,n){if(null==r)return"";var e,t,i,s={},u={},a="",p="",c="",l=2,f=3,h=2,d=[],m=0,v=0;for(i=0;i<r.length;i+=1)if(a=r.charAt(i),Object.prototype.hasOwnProperty.call(s,a)||(s[a]=f++,u[a]=!0),p=c+a,Object.prototype.hasOwnProperty.call(s,p))c=p;else{if(Object.prototype.hasOwnProperty.call(u,c)){if(c.charCodeAt(0)<256){for(e=0;e<h;e++)m<<=1,v==o-1?(v=0,d.push(n(m)),m=0):v++;for(t=c.charCodeAt(0),e=0;e<8;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1}else{for(t=1,e=0;e<h;e++)m=m<<1|t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t=0;for(t=c.charCodeAt(0),e=0;e<16;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1}0==--l&&(l=Math.pow(2,h),h++),delete u[c]}else for(t=s[c],e=0;e<h;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1;0==--l&&(l=Math.pow(2,h),h++),s[p]=f++,c=String(a)}if(""!==c){if(Object.prototype.hasOwnProperty.call(u,c)){if(c.charCodeAt(0)<256){for(e=0;e<h;e++)m<<=1,v==o-1?(v=0,d.push(n(m)),m=0):v++;for(t=c.charCodeAt(0),e=0;e<8;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1}else{for(t=1,e=0;e<h;e++)m=m<<1|t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t=0;for(t=c.charCodeAt(0),e=0;e<16;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1}0==--l&&(l=Math.pow(2,h),h++),delete u[c]}else for(t=s[c],e=0;e<h;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1;0==--l&&(l=Math.pow(2,h),h++)}for(t=2,e=0;e<h;e++)m=m<<1|1&t,v==o-1?(v=0,d.push(n(m)),m=0):v++,t>>=1;for(;;){if(m<<=1,v==o-1){d.push(n(m));break}v++}return d.join("")},decompress:function(r){return null==r?"":""==r?null:i._decompress(r.length,32768,function(o){return r.charCodeAt(o)})},_decompress:function(o,n,e){var t,i,s,u,a,p,c,l=[],f=4,h=4,d=3,m="",v=[],g={val:e(0),position:n,index:1};for(t=0;t<3;t+=1)l[t]=t;for(s=0,a=Math.pow(2,2),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;switch(s){case 0:for(s=0,a=Math.pow(2,8),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;c=r(s);break;case 1:for(s=0,a=Math.pow(2,16),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;c=r(s);break;case 2:return""}for(l[3]=c,i=c,v.push(c);;){if(g.index>o)return"";for(s=0,a=Math.pow(2,d),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;switch(c=s){case 0:for(s=0,a=Math.pow(2,8),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;l[h++]=r(s),c=h-1,f--;break;case 1:for(s=0,a=Math.pow(2,16),p=1;p!=a;)u=g.val&g.position,g.position>>=1,0==g.position&&(g.position=n,g.val=e(g.index++)),s|=(u>0?1:0)*p,p<<=1;l[h++]=r(s),c=h-1,f--;break;case 2:return v.join("")}if(0==f&&(f=Math.pow(2,d),d++),l[c])m=l[c];else{if(c!==h)return null;m=i+i.charAt(0)}v.push(m),l[h++]=i+m.charAt(0),i=m,0==--f&&(f=Math.pow(2,d),d++)}}};return i}();"function"==typeof define&&define.amd?define(function(){return LZString}):"undefined"!=typeof module&&null!=module?module.exports=LZString:"undefined"!=typeof angular&&null!=angular&&angular.module("LZString",[]).factory("LZString",function(){return LZString});
\ No newline at end of file
diff --git a/html/js/i18n.js b/html/js/i18n.js
index c6e58da20..486824336 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -216,6 +216,8 @@ const i18n = {
       content: 'Content',
       continue: 'Would you like to continue?',
       contributors: 'Contributors',
+      convert: 'Convert',
+      convertToElasticsearch: 'Convert to Elasticsearch',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
       copyEventToClipboardAsKvp: 'Copy full event as field:value pairs',
       copyFieldToClipboard: 'Copy this value only',
@@ -859,6 +861,7 @@ const i18n = {
       version: 'Version',
       view: 'View',
       viewCase: 'Case Details',
+      viewInDiscover: 'View in Discover',
       viewResults: 'View Results',
       webauthn: 'Security Keys (WebAuthn / PassKey)',
       webauthnActive: 'Webauthn / Security Keys Active',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 19369f752..d951c764b 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -119,6 +119,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			renderAbbreviatedCount: 30,
 			curCommentEditTarget: null,
 			origComment: null,
+			showSigmaDialog: false,
+			convertedRule: '',
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -1143,5 +1145,37 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				this.$root.stopLoading();
 			}
 		},
+		async convertDetection() {
+			this.$root.startLoading();
+			try {
+				const response = await this.$root.papi.get('detection/' + encodeURIComponent(this.detect.id) + '/convert');
+				if (response && response.data) {
+					this.convertedRule = response.data.query;
+					this.showSigmaDialog = true;
+				}
+			} catch (error) {
+				this.$root.showError(error);
+			} finally {
+				this.$root.stopLoading();
+			}
+		},
+		cancelConvert() {
+			this.convertedRule = '';
+			this.showSigmaDialog = false;
+		},
+		copyConvertToClipboard() {
+			this.$root.copyToClipboard(this.convertedRule);
+		},
+		runQueryInDiscover() {
+			let query = `GET /so-*/_eql/search
+{
+	"query": """
+	${this.convertedRule}
+	"""
+}`;
+			const compress = LZString.compressToEncodedURIComponent(query);
+			const url = `/kibana/app/dev_tools#/console?load_from=data:text/plain,${compress}`;
+			window.open(url, '_blank');
+		}
 	}
 }});
diff --git a/server/detectionengine.go b/server/detectionengine.go
index 97868c885..7509afd14 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -14,4 +14,5 @@ import (
 type DetectionEngine interface {
 	ValidateRule(rule string) (string, error)
 	SyncLocalDetections(ctx context.Context, detections []*model.Detection) (errMap map[string]string, err error)
+	ConvertRule(ctx context.Context, detect *model.Detection) (string, error)
 }
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index cb161143f..41b4e09af 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -49,6 +49,7 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 		r.Get("/{id}/comment", h.getDetectionComments)
 
 		r.Get("/{id}/history", h.getDetectionHistory)
+		r.Get("/{id}/convert", h.convertDetection)
 
 		r.Put("/", h.putDetection)
 
@@ -532,3 +533,34 @@ func (h *DetectionHandler) getDetectionComments(w http.ResponseWriter, r *http.R
 
 	web.Respond(w, r, http.StatusOK, obj)
 }
+
+func (h *DetectionHandler) convertDetection(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	id := chi.URLParam(r, "id")
+
+	detect, err := h.server.Detectionstore.GetDetection(ctx, id)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			web.Respond(w, r, http.StatusNotFound, err)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+
+		return
+	}
+
+	if detect.Engine != model.EngineNameElastAlert {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("currently only ElastAlert detections support conversion"))
+		return
+	}
+
+	eaQuery, err := h.server.DetectionEngines[model.EngineNameElastAlert].ConvertRule(ctx, detect)
+	if err != nil {
+		web.Respond(w, r, http.StatusInternalServerError, err)
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, map[string]string{
+		"query": eaQuery,
+	})
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 2101e949d..2557906ae 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -114,6 +114,10 @@ func (e *ElastAlertEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
+func (s *ElastAlertEngine) ConvertRule(ctx context.Context, detect *model.Detection) (string, error) {
+	return s.sigmaToElastAlert(ctx, detect)
+}
+
 func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
 	pkgs := strings.Split(strings.ToLower(cfg), "\n")
 	set := map[string]struct{}{}
@@ -183,7 +187,12 @@ func (e *ElastAlertEngine) SyncLocalDetections(ctx context.Context, detections [
 				continue
 			}
 
-			err = e.WriteFile(path, []byte(eaRule), 0644)
+			wrapped, err := wrapRule(det, eaRule)
+			if err != nil {
+				continue
+			}
+
+			err = e.WriteFile(path, []byte(wrapped), 0644)
 			if err != nil {
 				errMap[det.PublicID] = fmt.Sprintf("unable to write enabled detection file: %s", err)
 				continue
@@ -454,6 +463,11 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detectio
 				continue
 			}
 
+			rule, err = wrapRule(det, rule)
+			if err != nil {
+				continue
+			}
+
 			// 3. put query in /opt/so/rules/sigma for salt to pick up
 			if path == "" {
 				path = filepath.Join(e.elastAlertRulesFolder, fmt.Sprintf("%s.yml", det.PublicID))
@@ -599,12 +613,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 
 	query = strings.TrimSpace(query)
 
-	elastRule, err := wrapRule(det, query)
-	if err != nil {
-		return "", fmt.Errorf("unable to wrap rule: %w", err)
-	}
-
-	return elastRule, nil
+	return query, nil
 }
 
 type CustomWrapper struct {
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 072b583f5..602e20d1e 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -234,7 +234,10 @@ func TestSigmaToElastAlertSunnyDay(t *testing.T) {
 		Severity: model.SeverityHigh,
 	}
 
-	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
+	query, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.NoError(t, err)
+
+	wrappedRule, err := wrapRule(det, query)
 	assert.NoError(t, err)
 
 	expected := `play_title: Test Detection
@@ -293,8 +296,8 @@ func TestSigmaToElastAlertError(t *testing.T) {
 		Severity: model.SeverityHigh,
 	}
 
-	wrappedRule, err := engine.sigmaToElastAlert(context.Background(), det)
-	assert.Empty(t, wrappedRule)
+	query, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.Empty(t, query)
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, "problem with sigma cli")
 }
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 78d3402f4..819f81580 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -8,6 +8,7 @@ package strelka
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"io/fs"
 	"net/http"
 	"net/url"
@@ -101,6 +102,10 @@ func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
 	return string(data), nil
 }
 
+func (s *StrelkaEngine) ConvertRule(ctx context.Context, detect *model.Detection) (string, error) {
+	return "", fmt.Errorf("not implemented")
+}
+
 func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, _ []*model.Detection) (errMap map[string]string, err error) {
 	return e.syncDetections(ctx)
 }
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 204fda68d..a3c640748 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -88,6 +88,10 @@ func (s *SuricataEngine) IsRunning() bool {
 	return s.isRunning
 }
 
+func (s *SuricataEngine) ConvertRule(ctx context.Context, detect *model.Detection) (string, error) {
+	return "", fmt.Errorf("not implemented")
+}
+
 func (s *SuricataEngine) watchCommunityRules() {
 	defer func() {
 		s.thread.Done()

From 5e806f5f768b5b907672e503ddcd2e5a1ec4b082 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 15 Feb 2024 10:36:15 -0700
Subject: [PATCH 095/102] sigmaRulePackages is a string array in the config

Having a string value that needs to be parsed into an array is not the better choice over the config just using an array.
---
 server/modules/elastalert/elastalert.go      |  9 ++++-----
 server/modules/elastalert/elastalert_test.go | 14 +++++++-------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 2557906ae..bc8df2312 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -80,7 +80,7 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	e.elastAlertRulesFolder = module.GetStringDefault(config, "elastAlertRulesFolder", "/opt/so/rules/elastalert")
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/sigma.fingerprint")
 
-	pkgs := module.GetStringDefault(config, "sigmaRulePackages", "core")
+	pkgs := module.GetStringArrayDefault(config, "sigmaRulePackages", []string{"core"})
 	e.parseSigmaPackages(pkgs)
 
 	return nil
@@ -118,18 +118,17 @@ func (s *ElastAlertEngine) ConvertRule(ctx context.Context, detect *model.Detect
 	return s.sigmaToElastAlert(ctx, detect)
 }
 
-func (e *ElastAlertEngine) parseSigmaPackages(cfg string) {
-	pkgs := strings.Split(strings.ToLower(cfg), "\n")
+func (e *ElastAlertEngine) parseSigmaPackages(pkgs []string) {
 	set := map[string]struct{}{}
 
 	for _, pkg := range pkgs {
-		pkg = strings.TrimSpace(pkg)
+		pkg = strings.ToLower(strings.TrimSpace(pkg))
 		switch pkg {
 		case "all":
 			set["all_rules"] = struct{}{}
 		case "emerging_threats":
 			set["emerging_threats_addon"] = struct{}{}
-		default:
+		case "core++", "core+", "core", "emerging_threats_addon", "all_rules":
 			if pkg != "" {
 				set[pkg] = struct{}{}
 			}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 602e20d1e..22f2419e8 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -60,37 +60,37 @@ func TestParseSigmaPackages(t *testing.T) {
 
 	table := []struct {
 		Name     string
-		Input    string
+		Input    []string
 		Expected []string
 	}{
 		{
 			Name:     "Simple Sunny Day Path",
-			Input:    "core",
+			Input:    []string{"core"},
 			Expected: []string{"core"},
 		},
 		{
 			Name:     "Multiple Packages",
-			Input:    "core+\nemerging_threats",
+			Input:    []string{"core+", "emerging_threats"},
 			Expected: []string{"core+", "emerging_threats_addon"},
 		},
 		{
 			Name:     "Rename (all => all_rules)",
-			Input:    "all",
+			Input:    []string{"all"},
 			Expected: []string{"all_rules"},
 		},
 		{
 			Name:     "Rename (emerging_threats_addon => emerging_threats)",
-			Input:    "emerging_threats",
+			Input:    []string{"emerging_threats"},
 			Expected: []string{"emerging_threats_addon"},
 		},
 		{
 			Name:     "Normalize",
-			Input:    "CoRe++\n",
+			Input:    []string{"CoRe++"},
 			Expected: []string{"core++"},
 		},
 		{
 			Name:     "Account For Nesting Packages",
-			Input:    "core\ncore+\ncore++\nall_rules\nemerging_threats",
+			Input:    []string{"core", "core+", "core++", "all_rules", "emerging_threats"},
 			Expected: []string{"all_rules"},
 		},
 	}

From 4e9c34e6b2b925aa353c1242583e229d5d04a52b Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Fri, 16 Feb 2024 08:48:37 -0500
Subject: [PATCH 096/102] Tweak Wording

---
 html/index.html | 10 +++++-----
 html/js/i18n.js |  8 +++++---
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/html/index.html b/html/index.html
index 0b75a4e3f..d1f1bcc82 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1047,15 +1047,15 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
 
             <v-tabs grow v-model="activeTab" v-else>
               <v-tab id="detection_summaryTab" href="#summary">
-                <v-icon left>fa-comments</v-icon>
+                <v-icon left>fa-circle-nodes</v-icon>
                 <div class="d-none d-lg-block">{{ i18n.overview }}</div>
               </v-tab>
               <v-tab id="detection_commentsTab" href="#comments">
                 <v-icon left>fa-paperclip</v-icon>
-                <div class="d-none d-lg-block">{{ i18n.comments }}</div>
+                <div class="d-none d-lg-block">{{ i18n.detectionComments }}</div>
               </v-tab>
               <v-tab id="detection_signatureTab" href="#source">
-                <v-icon left>fa-eye</v-icon>
+                <v-icon left>fa-code</v-icon>
                 <div class="d-none d-lg-block">{{ i18n.detectionSource }}</div>
               </v-tab>
               <!-- <v-tab id="detection_playbookTab" href="#playbook">
@@ -1063,7 +1063,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                 <div class="d-none d-lg-block">Investigative Playbook</div>
               </v-tab> -->
               <v-tab id="detection_tuningTab" href="#tuning">
-                <v-icon left>fa-link</v-icon>
+                <v-icon left>fa-wrench</v-icon>
                 <div class="d-none d-lg-block">{{ i18n.tuning }}</div>
               </v-tab>
               <v-tab id="detection_historyTab" href="#history">
@@ -1213,7 +1213,7 @@ <h2 id="detection-title" @click="startEdit('detection-title', 'title')" v-if="!i
                             {{ $root.getAvatar($root.username) }}
                             </div>
                           </v-avatar>
-                          <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
+                          <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                         </div>
                         <div class="d-flex flex-column" style="width: 100%;">
                           <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-3">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 486824336..de257783c 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -168,9 +168,10 @@ const i18n = {
       comment: 'Comments',
       comments: 'Comments',
       commentAdd: 'Add Comment',
+      commentAddDetection: 'Add Note',
       commentDescription: 'Comment',
       commentDescriptionHelp: 'Provide follow-up information to this case',
-      commentDescriptionDetectionHelp: 'Provide follow-up information to this detection',
+      commentDescriptionDetectionHelp: 'Operational notes for this detection',
       commentHours: 'Work Hours',
       commentHoursHelp: 'Hours spent working on this update (leave blank for 0 hours)',
       commentRequired: 'Comments cannot be empty.',
@@ -217,7 +218,7 @@ const i18n = {
       continue: 'Would you like to continue?',
       contributors: 'Contributors',
       convert: 'Convert',
-      convertToElasticsearch: 'Convert to Elasticsearch',
+      convertToElasticsearch: 'Convert to EQL',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
       copyEventToClipboardAsKvp: 'Copy full event as field:value pairs',
       copyFieldToClipboard: 'Copy this value only',
@@ -271,6 +272,7 @@ const i18n = {
       destination: 'Destination',
       details: 'Details',
       detections: 'Detections',
+      detectionComments: 'Operational Notes',
       detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
       detectionDefaultDescription: 'Detection description not yet provided',
       detectionDescription: 'Detection Description',
@@ -861,7 +863,7 @@ const i18n = {
       version: 'Version',
       view: 'View',
       viewCase: 'Case Details',
-      viewInDiscover: 'View in Discover',
+      viewInDiscover: 'Test in Kibana',
       viewResults: 'View Results',
       webauthn: 'Security Keys (WebAuthn / PassKey)',
       webauthnActive: 'Webauthn / Security Keys Active',

From d8f14141ddd8c1ce302a0c443dc9ba78d727377f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Fri, 16 Feb 2024 09:56:02 -0500
Subject: [PATCH 097/102] Switch to Language

---
 html/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/index.html b/html/index.html
index d1f1bcc82..1dfe1ff8a 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1741,7 +1741,7 @@ <h3>{{ i18n.details }}</h3>
                     {{ i18n.type }}:
                   </div>
                   <div class="ops-value case-title">
-                    {{ detect.engine }}
+                    {{ detect.language }}
                   </div>
                   <div class="ops-header">
                     {{ i18n.severity }}:

From d2979e19cc92ee83231ed83641f496bd7afbe079 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 16 Feb 2024 15:44:37 -0700
Subject: [PATCH 098/102] Allow and Deny Regexes per Detection Engine

(Also includes CSS fixes for Detection DB details being better centered below the detail boxes.)

ElastAlert, Suricata, and Strelka now support `allowRegex` and `denyRegex` config options. These regexes are applied to community rules during the import process. The regex is applied to the entire rule body, one rule at a time. The rules are optional and case sensitive.

ElastAlert and Suricata regexes are applied before parsing the rules. Since Yara files tend to contain multiple rules, the rules must be parsed first and then filtered.

If an allowRegex is specified, the rule must match to be included. If a denyRegex is specified, the rule must NOT match to be included. If both regexes are specified and match, the rule will be denied. If both regexes are specified but do not match, the rule will be denied. Rules filtered out will not be stored in ElasticSearch or SOC.

Yara imports now are only including for the immediate following rule body and not all remaining rules in the file. Yara imports are considered part of the rule body when testing the regexes.

Changing any regex for any engine will not have an impact on already imported rules. However, existing rules may have their updates denied by these regexes. Due to the regexes being defined in soc.json, changing their values requires restarting the SOC service.

Updated tests.
---
 html/css/app.css                             |   2 +-
 server/modules/elastalert/elastalert.go      |  33 ++
 server/modules/elastalert/elastalert_test.go |  21 ++
 server/modules/strelka/strelka.go            | 224 +++++++++++-
 server/modules/strelka/strelka_test.go       | 362 +++++++++++++++++++
 server/modules/strelka/validate.go           | 180 +--------
 server/modules/strelka/validate_test.go      | 319 ----------------
 server/modules/suricata/suricata.go          |  31 ++
 server/modules/suricata/suricata_test.go     |   9 +-
 9 files changed, 678 insertions(+), 503 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index dfb4894cf..a7523c250 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -568,8 +568,8 @@ td {
 .detect-reference {
   font-size: small;
   display: table;
-  width: 100%;
   margin-top: 12px;
+  margin-left: 12px;
 }
 
 .detect-reference > div {
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index bc8df2312..ebd00981c 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -20,6 +20,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"reflect"
+	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -58,6 +59,8 @@ type ElastAlertEngine struct {
 	sigmaRulePackages                    []string
 	isRunning                            bool
 	thread                               *sync.WaitGroup
+	allowRegex                           *regexp.Regexp
+	denyRegex                            *regexp.Regexp
 	IOManager
 }
 
@@ -83,6 +86,25 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) error {
 	pkgs := module.GetStringArrayDefault(config, "sigmaRulePackages", []string{"core"})
 	e.parseSigmaPackages(pkgs)
 
+	allow := module.GetStringDefault(config, "allowRegex", "")
+	deny := module.GetStringDefault(config, "denyRegex", "")
+
+	if allow != "" {
+		var err error
+		e.allowRegex, err = regexp.Compile(allow)
+		if err != nil {
+			return fmt.Errorf("unable to compile ElastAlert's allowRegex: %w", err)
+		}
+	}
+
+	if deny != "" {
+		var err error
+		e.denyRegex, err = regexp.Compile(deny)
+		if err != nil {
+			return fmt.Errorf("unable to compile ElastAlert's denyRegex: %w", err)
+		}
+	}
+
 	return nil
 }
 
@@ -335,6 +357,7 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 			if err != nil {
 				f.Close()
 				errMap[file.Name] = err
+
 				continue
 			}
 
@@ -346,6 +369,16 @@ func (e *ElastAlertEngine) parseRules(pkgZips map[string][]byte) (detections []*
 				continue
 			}
 
+			if e.denyRegex != nil && e.denyRegex.MatchString(string(data)) {
+				log.WithField("file", file.Name).Info("content matched ElastAlert's denyRegex")
+				continue
+			}
+
+			if e.allowRegex != nil && !e.allowRegex.MatchString(string(data)) {
+				log.WithField("file", file.Name).Info("content didn't match ElastAlert's allowRegex")
+				continue
+			}
+
 			id := rule.Title
 
 			if rule.ID != nil {
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 22f2419e8..349a1bd8b 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -14,6 +14,7 @@ import (
 	"io/fs"
 	"net/http"
 	"os/exec"
+	"regexp"
 	"slices"
 	"sort"
 	"strings"
@@ -336,6 +337,24 @@ level: high
 	_, err = bad.Write([]byte("bad data"))
 	assert.NoError(t, err)
 
+	denied, err := writer.Create("rules/deny.yml")
+	assert.NoError(t, err)
+
+	_, err = denied.Write([]byte("deny"))
+	assert.NoError(t, err)
+
+	allowThenDeny, err := writer.Create("rules/eventually_deny.yml")
+	assert.NoError(t, err)
+
+	_, err = allowThenDeny.Write([]byte("00000000-0000-0000-0000-00000000 deny"))
+	assert.NoError(t, err)
+
+	matchesNeither, err := writer.Create("rules/not_allowed.yml")
+	assert.NoError(t, err)
+
+	_, err = matchesNeither.Write([]byte("123"))
+	assert.NoError(t, err)
+
 	err = writer.Close()
 	assert.NoError(t, err)
 
@@ -344,6 +363,8 @@ level: high
 	}
 
 	engine := ElastAlertEngine{}
+	engine.allowRegex = regexp.MustCompile("00000000-0000-0000-0000-00000000")
+	engine.denyRegex = regexp.MustCompile("deny")
 
 	expected := &model.Detection{
 		PublicID:    "00000000-0000-0000-0000-00000000",
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 819f81580..c7c358634 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -8,6 +8,7 @@ package strelka
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io/fs"
 	"net/http"
@@ -16,6 +17,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync"
@@ -48,6 +50,8 @@ type StrelkaEngine struct {
 	reposFolder                          string
 	rulesRepos                           []string
 	compileYaraPythonScriptPath          string
+	allowRegex                           *regexp.Regexp
+	denyRegex                            *regexp.Regexp
 	IOManager
 }
 
@@ -71,6 +75,25 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
 	e.rulesRepos = module.GetStringArrayDefault(config, "rulesRepos", []string{"github.com/Security-Onion-Solutions/securityonion-yara"})
 	e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", "/opt/so/conf/strelka/compile_yara.py")
 
+	allow := module.GetStringDefault(config, "allowRegex", "")
+	deny := module.GetStringDefault(config, "denyRegex", "")
+
+	if allow != "" {
+		var err error
+		e.allowRegex, err = regexp.Compile(allow)
+		if err != nil {
+			return fmt.Errorf("unable to compile Strelka's allowRegex: %w", err)
+		}
+	}
+
+	if deny != "" {
+		var err error
+		e.denyRegex, err = regexp.Compile(deny)
+		if err != nil {
+			return fmt.Errorf("unable to compile Strelka's denyRegex: %w", err)
+		}
+	}
+
 	return nil
 }
 
@@ -94,7 +117,7 @@ func (e *StrelkaEngine) IsRunning() bool {
 }
 
 func (e *StrelkaEngine) ValidateRule(data string) (string, error) {
-	_, err := ParseYaraRules([]byte(data))
+	_, err := e.parseYaraRules([]byte(data), false)
 	if err != nil {
 		return "", err
 	}
@@ -230,7 +253,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 					return nil
 				}
 
-				parsed, err := ParseYaraRules(raw)
+				parsed, err := e.parseYaraRules(raw, true)
 				if err != nil {
 					log.WithError(err).WithField("file", path).Error("failed to parse yara rule file")
 					return nil
@@ -321,6 +344,203 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 	}
 }
 
+func (e *StrelkaEngine) parseYaraRules(data []byte, filter bool) ([]*YaraRule, error) {
+	rules := []*YaraRule{}
+	rule := &YaraRule{}
+
+	state := parseStateImportsID
+
+	raw := string(data)
+	buffer := bytes.NewBuffer([]byte{})
+	last := ' '
+	curCommentType := ' ' // either '/' or '*' if in a comment, ' ' if not in comment
+	curHeader := ""       // meta, strings, condition, or empty if not yet in a section
+	curQuotes := ' '      // either ' or " if in a string, ' ' if not in a string
+
+	for i, r := range raw {
+		rule.Src += string(r)
+
+		if r == '\r' {
+			continue
+		}
+
+		if (curCommentType == '*' && last == '*' && r == '/') ||
+			(curCommentType == '/' && r == '\n') {
+			curCommentType = ' '
+
+			if last == '*' {
+				last = r
+				continue
+			}
+		}
+
+		if last == '/' && curQuotes == ' ' && curCommentType == ' ' {
+			if r == '/' {
+				curCommentType = '/'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			} else if r == '*' {
+				curCommentType = '*'
+				if buffer.Len() != 0 {
+					buffer.Truncate(buffer.Len() - 1)
+				}
+			}
+		}
+
+		if curCommentType != ' ' {
+			// in a comment, skip everything
+			last = r
+			continue
+		}
+
+	reevaluateState:
+		switch state {
+		case parseStateImportsID:
+			switch r {
+			case '\n':
+				// is this an import?
+				buf := buffer.String() // expected: `import "foo"`
+				if strings.HasPrefix(buf, "import ") {
+					buf = strings.TrimSpace(strings.TrimPrefix(buf, "import "))
+					buf = strings.Trim(buf, `"`)
+
+					rule.Imports = append(rule.Imports, buf)
+
+					buffer.Reset()
+				}
+			case '{':
+				buf := strings.TrimSpace(buffer.String()) // expected: `rule foo {` or `rule foo\n{`
+				buf = strings.TrimSpace(strings.TrimPrefix(buf, "rule"))
+
+				if strings.Contains(buf, ":") {
+					// gets rid of inheritance?
+					// rule This : That {...} becomes "This"
+					parts := strings.SplitN(buf, ":", 2)
+					buf = strings.TrimSpace(parts[0])
+				}
+
+				if buf != "" {
+					rule.Identifier = buf
+				} else {
+					return nil, errors.New(fmt.Sprintf("expected rule identifier at %d", i))
+				}
+
+				buffer.Reset()
+
+				state = parseStateWatchForHeader
+			default:
+				buffer.WriteRune(r)
+			}
+		case parseStateWatchForHeader:
+			buf := strings.TrimSpace(buffer.String())
+			if r == '\n' && len(buf) != 0 && buf[len(buf)-1] == ':' {
+				curHeader = strings.ToLower(strings.TrimSpace(strings.TrimSuffix(buf, ":")))
+				buffer.Reset()
+
+				if curHeader != "meta" &&
+					curHeader != "strings" &&
+					curHeader != "condition" {
+					return nil, errors.New(fmt.Sprintf("unexpected header at %d: %s", i, curHeader))
+				}
+
+				state = parseStateInSection
+			} else {
+				buffer.WriteRune(r)
+			}
+		case parseStateInSection:
+			if r == '\n' {
+				buf := strings.TrimSpace(buffer.String())
+				if len(buf) != 0 && buf[len(buf)-1] == ':' && !strings.HasPrefix(buf, "for ") {
+					// found a header, new section
+					state = parseStateWatchForHeader
+					goto reevaluateState
+				} else {
+					if buf != "" {
+						switch curHeader {
+						case "meta":
+							parts := strings.SplitN(buf, "=", 2)
+							if len(parts) != 2 {
+								return nil, errors.New(fmt.Sprintf("invalid meta line at %d: %s", i, buf))
+							}
+
+							key := strings.TrimSpace(parts[0])
+							value := strings.TrimSpace(parts[1])
+
+							rule.Meta.Set(key, value)
+						case "strings":
+							rule.Strings = append(rule.Strings, buf)
+						case "condition":
+							rule.Condition = strings.TrimSpace(rule.Condition + " " + buf)
+						}
+					}
+
+					buffer.Reset()
+				}
+			} else if r == '}' && len(strings.TrimSpace(buffer.String())) == 0 && curQuotes != '}' {
+				// end of rule
+				rule.Src = strings.TrimSpace(rule.Src)
+				keep := true
+
+				if filter && e.denyRegex != nil && e.denyRegex.MatchString(rule.Src) {
+					log.WithField("id", rule.Identifier).Info("content matched Strelka's denyRegex")
+					keep = false
+				}
+
+				if filter && e.allowRegex != nil && !e.allowRegex.MatchString(rule.Src) {
+					log.WithField("id", rule.Identifier).Info("content didn't match Strelka's allowRegex")
+					keep = false
+				}
+
+				if keep {
+					rules = append(rules, rule)
+				}
+
+				imports := []string{}
+				buffer.Reset()
+
+				state = parseStateImportsID
+				curHeader = ""
+				curQuotes = ' '
+				rule = &YaraRule{}
+
+				if len(imports) > 0 {
+					rule.Imports = append([]string{}, imports...)
+				}
+			} else {
+				buffer.WriteRune(r)
+				if (r == '\'' || r == '"' || r == '{') && last != '\\' && curQuotes == ' ' {
+					// starting a string
+					if r == '{' {
+						curQuotes = '}'
+					} else {
+						curQuotes = r
+					}
+				} else if curQuotes != ' ' && r == curQuotes && last != '\\' {
+					// ending a string
+					curQuotes = ' '
+				}
+			}
+		}
+
+		if r == '\\' && last == '\\' && curQuotes != ' ' {
+			// this is an escaped slash in the middle of a string,
+			// so we need to remove the previous slash so it's not
+			// mistaken for an escape character in case this is the
+			// last character in the string
+			last = ' '
+		} else {
+			last = r
+		}
+	}
+
+	if state != parseStateImportsID || len(strings.TrimSpace(buffer.String())) != 0 {
+		return nil, errors.New("unexpected end of rule")
+	}
+
+	return rules, nil
+}
+
 func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]string, err error) {
 	results, err := e.srv.Detectionstore.Query(ctx, `so_detection.engine:strelka AND so_detection.isEnabled:true AND _index:"*:so-detection"`, -1)
 	if err != nil {
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
index cdc26a1b3..4aafff71d 100644
--- a/server/modules/strelka/strelka_test.go
+++ b/server/modules/strelka/strelka_test.go
@@ -2,8 +2,10 @@ package strelka
 
 import (
 	"context"
+	"fmt"
 	"io/fs"
 	"os/exec"
+	"regexp"
 	"slices"
 	"strings"
 	"testing"
@@ -14,6 +16,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka/mock"
+	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/tj/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -23,6 +26,147 @@ const simpleRule = `rule dummy {
 	  false
 }`
 
+const MyBasicRule = `rule ExampleRule
+{
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const BasicRule = `rule ExampleRule
+{
+	strings:
+		$text_string = "text here"
+		$hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$text_string or $hex_string
+}`
+
+const DeniedRule = `rule DenyRule
+{
+	strings:
+		$text_string = "text here"
+		$hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$text_string or $hex_string
+}`
+
+const BasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		mY_iDeNtIfIeR_2 = 24
+		MY_IDENTIFIER_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NormalizedBasicRuleWMeta = `import "pe"
+
+rule MetadataExample {
+	meta:
+		author = "John Doe"
+		date = "2023-12-27"
+		version = "1.0"
+		reference = "http://somewhere.invalid"
+		description = "Example Rule"
+		my_identifier_1 = "Some string data"
+		my_identifier_2 = 24
+		my_identifier_3 = true
+
+	strings:
+		$my_text_string = "text here"
+		$my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const RegexRule = `rule RegExpExample1
+{
+	strings:
+		$my_re1 = /md5: [0-9a-fA-F]{32}/
+		$my_re2 = /state: (on|off)/
+
+	condition:
+		$my_re1 and $my_re2
+}`
+
+const ImportRule = `import "pe"
+
+rule myTest
+{
+    strings:
+        $a = "some string"
+
+    condition:
+        $a and pe.entry_point == 0x1000
+}`
+
+const UnexpectedHeader = `rule ExampleRule
+{
+	extra:
+		$text_string = "text here"
+		$hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$text_string or $hex_string
+}`
+
+const RuleWithComments = `rule ExampleRule
+{
+	/*
+		Multiline comment
+	*/
+	strings:
+		$my_text_string = "text here"
+		// $my_hex_string = { E2 34 A1 C8 23 FB }
+
+	condition:
+		$my_text_string or $my_hex_string
+}`
+
+const NoIdentifier = `rule {}`
+
+const BadMeta = `rule ExampleRule
+{
+	meta:
+		copyrighted
+		author = "Some Guy"
+}`
+
+const WeirdRule = `import "pe"
+
+rule ExampleRule : FILE
+{` + "\r\n" + `
+strings:
+$my_text_string = "text here"
+$my_hex_string = { E2 34 A1 C8 23 FB }
+$badslashes = "\\var\\www\\html\\"
+$multilinehex = {
+46 DC EA D3 17 FE 45 D8 09 23
+EB 97 E4 95 64 10 D4 CD B2 C2
+}
+condition : // comment
+$my_text_string or $my_hex_string
+}`
+
 func TestStrelkaModule(t *testing.T) {
 	srv := &server.Server{
 		DetectionEngines: map[model.EngineName]server.DetectionEngine{},
@@ -128,3 +272,221 @@ func TestSyncSuricata(t *testing.T) {
 		})
 	}
 }
+
+func TestParseRule(t *testing.T) {
+	t.Parallel()
+
+	table := []struct {
+		Name          string
+		Input         string
+		ExpectedRules []*YaraRule
+		ExpectedError *string
+	}{
+		{
+			Name:  "Basic Rule",
+			Input: MyBasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+					Src:       MyBasicRule,
+				},
+			},
+		},
+		{
+			Name:  "Basic Rule With Metadata",
+			Input: BasicRuleWMeta,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "MetadataExample",
+					Meta: Metadata{
+						Author:      util.Ptr(`"John Doe"`),
+						Date:        util.Ptr(`"2023-12-27"`),
+						Version:     util.Ptr(`"1.0"`),
+						Reference:   util.Ptr(`"http://somewhere.invalid"`),
+						Description: util.Ptr(`"Example Rule"`),
+						Rest: map[string]string{
+							"my_identifier_1": "\"Some string data\"",
+							"my_identifier_2": "24",
+							"my_identifier_3": "true",
+						},
+					},
+					Strings: []string{
+						"$my_text_string = \"text here\"",
+						"$my_hex_string = { E2 34 A1 C8 23 FB }",
+					},
+					Condition: "$my_text_string or $my_hex_string",
+					Src:       BasicRuleWMeta,
+				},
+			},
+		},
+		{
+			Name:  "Rule With Regex",
+			Input: RegexRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "RegExpExample1",
+					Strings: []string{
+						"$my_re1 = /md5: [0-9a-fA-F]{32}/",
+						"$my_re2 = /state: (on|off)/",
+					},
+					Condition: "$my_re1 and $my_re2",
+					Src:       RegexRule,
+				},
+			},
+		},
+		{
+			Name:  "Rule With Import",
+			Input: ImportRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "myTest",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+					Src:       ImportRule,
+				},
+			},
+		},
+		{
+			Name:          "Rule With Unexpected Header",
+			Input:         UnexpectedHeader,
+			ExpectedError: util.Ptr(`unexpected header at 26: extra`),
+		},
+		{
+			Name:  "Basic Rule With Comments",
+			Input: RuleWithComments,
+			ExpectedRules: []*YaraRule{
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+					Src:       RuleWithComments,
+				},
+			},
+		},
+		{
+			Name:  "Multiple Rules",
+			Input: ImportRule + "\n\n" + MyBasicRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "myTest",
+					Strings: []string{
+						`$a = "some string"`,
+					},
+					Condition: `$a and pe.entry_point == 0x1000`,
+					Src:       ImportRule,
+				},
+				{
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+					Src:       MyBasicRule,
+				},
+			},
+		},
+		{
+			Name:  "Rule With Oddities",
+			Input: WeirdRule,
+			ExpectedRules: []*YaraRule{
+				{
+					Imports: []string{
+						"pe",
+					},
+					Identifier: "ExampleRule",
+					Strings: []string{
+						`$my_text_string = "text here"`,
+						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
+						`$badslashes = "\\var\\www\\html\\"`,
+						`$multilinehex = {`,
+						`46 DC EA D3 17 FE 45 D8 09 23`,
+						`EB 97 E4 95 64 10 D4 CD B2 C2`,
+						`}`,
+					},
+					Condition: `$my_text_string or $my_hex_string`,
+					Src:       WeirdRule,
+				},
+			},
+		},
+		{
+			Name:          "Missing Identifier",
+			Input:         NoIdentifier,
+			ExpectedError: util.Ptr("expected rule identifier at 5"),
+		},
+		{
+			Name:          "Invalid Metadata",
+			Input:         BadMeta,
+			ExpectedError: util.Ptr("invalid meta line at 39: copyrighted"),
+		},
+		{
+			Name:          "Unexpected End Of Rule",
+			Input:         MyBasicRule[:len(MyBasicRule)-1],
+			ExpectedError: util.Ptr("unexpected end of rule"),
+		},
+		{
+			Name: "Filter Out",
+			// BasicRule doesn't match either filter and will be left out,
+			// DeniedRule will be filtered out by the denyRegex.
+			Input:         BasicRule + "\n\n" + DeniedRule,
+			ExpectedRules: []*YaraRule{},
+		},
+	}
+
+	e := &StrelkaEngine{
+		allowRegex: regexp.MustCompile("my"),
+		denyRegex:  regexp.MustCompile("Deny"), // case sensitive
+	}
+
+	for _, test := range table {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			rules, err := e.parseYaraRules([]byte(test.Input), true)
+			if test.ExpectedError == nil {
+				assert.NoError(t, err)
+				assert.NotNil(t, rules)
+
+				assert.Equal(t, test.ExpectedRules, rules)
+			} else {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpectedError, err.Error())
+
+				assert.Empty(t, rules)
+			}
+		})
+	}
+}
+
+func TestRuleString(t *testing.T) {
+	e := &StrelkaEngine{}
+	e.allowRegex = regexp.MustCompile("thing not in rule")
+	e.denyRegex = regexp.MustCompile("Metadata Example")
+
+	rules, err := e.parseYaraRules([]byte(BasicRuleWMeta), false)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, rules)
+
+	raw := rules[0].String()
+	fmt.Println(raw)
+	assert.Equal(t, NormalizedBasicRuleWMeta, raw)
+}
diff --git a/server/modules/strelka/validate.go b/server/modules/strelka/validate.go
index f40d5ac8e..10e0f2bdb 100644
--- a/server/modules/strelka/validate.go
+++ b/server/modules/strelka/validate.go
@@ -8,7 +8,6 @@ package strelka
 import (
 	"bytes"
 	"crypto/sha256"
-	"errors"
 	"fmt"
 	"sort"
 	"strings"
@@ -30,6 +29,7 @@ type YaraRule struct {
 	Meta       Metadata
 	Strings    []string
 	Condition  string
+	Src        string
 }
 
 type Metadata struct {
@@ -88,184 +88,6 @@ func (rule *YaraRule) GetID() string {
 	return id
 }
 
-func ParseYaraRules(data []byte) ([]*YaraRule, error) {
-	rules := []*YaraRule{}
-	rule := &YaraRule{}
-
-	state := parseStateImportsID
-
-	raw := string(data)
-	buffer := bytes.NewBuffer([]byte{})
-	last := ' '
-	curCommentType := ' ' // either '/' or '*' if in a comment, ' ' if not in comment
-	curHeader := ""       // meta, strings, condition, or empty if not yet in a section
-	curQuotes := ' '      // either ' or " if in a string, ' ' if not in a string
-
-	for i, r := range raw {
-		if r == '\r' {
-			continue
-		}
-		if (curCommentType == '*' && last == '*' && r == '/') ||
-			(curCommentType == '/' && r == '\n') {
-			curCommentType = ' '
-
-			if last == '*' {
-				last = r
-				continue
-			}
-		}
-
-		if last == '/' && curQuotes == ' ' && curCommentType == ' ' {
-			if r == '/' {
-				curCommentType = '/'
-				if buffer.Len() != 0 {
-					buffer.Truncate(buffer.Len() - 1)
-				}
-			} else if r == '*' {
-				curCommentType = '*'
-				if buffer.Len() != 0 {
-					buffer.Truncate(buffer.Len() - 1)
-				}
-			}
-		}
-
-		if curCommentType != ' ' {
-			// in a comment, skip everything
-			last = r
-			continue
-		}
-
-	reevaluateState:
-		switch state {
-		case parseStateImportsID:
-			switch r {
-			case '\n':
-				// is this an import?
-				buf := buffer.String() // expected: `import "foo"`
-				if strings.HasPrefix(buf, "import ") {
-					buf = strings.TrimSpace(strings.TrimPrefix(buf, "import "))
-					buf = strings.Trim(buf, `"`)
-
-					rule.Imports = append(rule.Imports, buf)
-
-					buffer.Reset()
-				}
-			case '{':
-				buf := strings.TrimSpace(buffer.String()) // expected: `rule foo {` or `rule foo\n{`
-				buf = strings.TrimSpace(strings.TrimPrefix(buf, "rule"))
-
-				if strings.Contains(buf, ":") {
-					// gets rid of inheritance?
-					// rule This : That {...} becomes "This"
-					parts := strings.SplitN(buf, ":", 2)
-					buf = strings.TrimSpace(parts[0])
-				}
-
-				if buf != "" {
-					rule.Identifier = buf
-				} else {
-					return nil, errors.New(fmt.Sprintf("expected rule identifier at %d", i))
-				}
-
-				buffer.Reset()
-
-				state = parseStateWatchForHeader
-			default:
-				buffer.WriteRune(r)
-			}
-		case parseStateWatchForHeader:
-			buf := strings.TrimSpace(buffer.String())
-			if r == '\n' && len(buf) != 0 && buf[len(buf)-1] == ':' {
-				curHeader = strings.ToLower(strings.TrimSpace(strings.TrimSuffix(buf, ":")))
-				buffer.Reset()
-
-				if curHeader != "meta" &&
-					curHeader != "strings" &&
-					curHeader != "condition" {
-					return nil, errors.New(fmt.Sprintf("unexpected header at %d: %s", i, curHeader))
-				}
-
-				state = parseStateInSection
-			} else {
-				buffer.WriteRune(r)
-			}
-		case parseStateInSection:
-			if r == '\n' {
-				buf := strings.TrimSpace(buffer.String())
-				if len(buf) != 0 && buf[len(buf)-1] == ':' && !strings.HasPrefix(buf, "for ") {
-					// found a header, new section
-					state = parseStateWatchForHeader
-					goto reevaluateState
-				} else {
-					if buf != "" {
-						switch curHeader {
-						case "meta":
-							parts := strings.SplitN(buf, "=", 2)
-							if len(parts) != 2 {
-								return nil, errors.New(fmt.Sprintf("invalid meta line at %d: %s", i, buf))
-							}
-
-							key := strings.TrimSpace(parts[0])
-							value := strings.TrimSpace(parts[1])
-
-							rule.Meta.Set(key, value)
-						case "strings":
-							rule.Strings = append(rule.Strings, buf)
-						case "condition":
-							rule.Condition = strings.TrimSpace(rule.Condition + " " + buf)
-						}
-					}
-
-					buffer.Reset()
-				}
-			} else if r == '}' && len(strings.TrimSpace(buffer.String())) == 0 && curQuotes != '}' {
-				// end of rule
-				rules = append(rules, rule)
-				imports := rule.Imports
-				buffer.Reset()
-
-				state = parseStateImportsID
-				curHeader = ""
-				curQuotes = ' '
-				rule = &YaraRule{}
-
-				if len(imports) > 0 {
-					rule.Imports = append([]string{}, imports...)
-				}
-			} else {
-				buffer.WriteRune(r)
-				if (r == '\'' || r == '"' || r == '{') && last != '\\' && curQuotes == ' ' {
-					// starting a string
-					if r == '{' {
-						curQuotes = '}'
-					} else {
-						curQuotes = r
-					}
-				} else if curQuotes != ' ' && r == curQuotes && last != '\\' {
-					// ending a string
-					curQuotes = ' '
-				}
-			}
-		}
-
-		if r == '\\' && last == '\\' && curQuotes != ' ' {
-			// this is an escaped slash in the middle of a string,
-			// so we need to remove the previous slash so it's not
-			// mistaken for an escape character in case this is the
-			// last character in the string
-			last = ' '
-		} else {
-			last = r
-		}
-	}
-
-	if state != parseStateImportsID || len(strings.TrimSpace(buffer.String())) != 0 {
-		return nil, errors.New("unexpected end of rule")
-	}
-
-	return rules, nil
-}
-
 func (r *YaraRule) String() string {
 	buffer := bytes.NewBuffer([]byte{})
 
diff --git a/server/modules/strelka/validate_test.go b/server/modules/strelka/validate_test.go
index 4439afd4c..82fe1773b 100644
--- a/server/modules/strelka/validate_test.go
+++ b/server/modules/strelka/validate_test.go
@@ -6,134 +6,12 @@
 package strelka
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/stretchr/testify/assert"
 )
 
-const BasicRule = `rule ExampleRule
-{
-	strings:
-		$my_text_string = "text here"
-		$my_hex_string = { E2 34 A1 C8 23 FB }
-
-	condition:
-		$my_text_string or $my_hex_string
-}`
-
-const BasicRuleWMeta = `import "pe"
-
-rule MetadataExample {
-	meta:
-		author = "John Doe"
-		date = "2023-12-27"
-		version = "1.0"
-		reference = "http://somewhere.invalid"
-		description = "Example Rule"
-		my_identifier_1 = "Some string data"
-		mY_iDeNtIfIeR_2 = 24
-		MY_IDENTIFIER_3 = true
-
-	strings:
-		$my_text_string = "text here"
-		$my_hex_string = { E2 34 A1 C8 23 FB }
-
-	condition:
-		$my_text_string or $my_hex_string
-}`
-
-const NormalizedBasicRuleWMeta = `import "pe"
-
-rule MetadataExample {
-	meta:
-		author = "John Doe"
-		date = "2023-12-27"
-		version = "1.0"
-		reference = "http://somewhere.invalid"
-		description = "Example Rule"
-		my_identifier_1 = "Some string data"
-		my_identifier_2 = 24
-		my_identifier_3 = true
-
-	strings:
-		$my_text_string = "text here"
-		$my_hex_string = { E2 34 A1 C8 23 FB }
-
-	condition:
-		$my_text_string or $my_hex_string
-}`
-
-const RegexRule = `rule RegExpExample1
-{
-	strings:
-		$re1 = /md5: [0-9a-fA-F]{32}/
-		$re2 = /state: (on|off)/
-
-	condition:
-		$re1 and $re2
-}`
-
-const ImportRule = `import "pe"
-
-rule Test
-{
-    strings:
-        $a = "some string"
-
-    condition:
-        $a and pe.entry_point == 0x1000
-}`
-
-const UnexpectedHeader = `rule ExampleRule
-{
-	extra:
-		$my_text_string = "text here"
-		$my_hex_string = { E2 34 A1 C8 23 FB }
-
-	condition:
-		$my_text_string or $my_hex_string
-}`
-
-const RuleWithComments = `rule ExampleRule
-{
-	/*
-		Multiline comment
-	*/
-	strings:
-		$my_text_string = "text here"
-		// $my_hex_string = { E2 34 A1 C8 23 FB }
-
-	condition:
-		$my_text_string or $my_hex_string
-}`
-
-const NoIdentifier = `rule {}`
-
-const BadMeta = `rule ExampleRule
-{
-	meta:
-		copyrighted
-		author = "Some Guy"
-}`
-
-const WeirdRule = `import "pe"
-
-rule ExampleRule : FILE
-{` + "\r\n" + `
-strings:
-$my_text_string = "text here"
-$my_hex_string = { E2 34 A1 C8 23 FB }
-$badslashes = "\\var\\www\\html\\"
-$multilinehex = {
-46 DC EA D3 17 FE 45 D8 09 23
-EB 97 E4 95 64 10 D4 CD B2 C2
-}
-condition : // comment
-$my_text_string or $my_hex_string
-}`
-
 func TestMetaSet(t *testing.T) {
 	t.Parallel()
 
@@ -164,203 +42,6 @@ func TestMetaSet(t *testing.T) {
 	assert.False(t, meta.IsEmpty())
 }
 
-func TestParseRule(t *testing.T) {
-	t.Parallel()
-
-	table := []struct {
-		Name          string
-		Input         string
-		ExpectedRules []*YaraRule
-		ExpectedError *string
-	}{
-		{
-			Name:  "Basic Rule",
-			Input: BasicRule,
-			ExpectedRules: []*YaraRule{
-				{
-					Identifier: "ExampleRule",
-					Strings: []string{
-						`$my_text_string = "text here"`,
-						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
-					},
-					Condition: `$my_text_string or $my_hex_string`,
-				},
-			},
-		},
-		{
-			Name:  "Basic Rule With Metadata",
-			Input: BasicRuleWMeta,
-			ExpectedRules: []*YaraRule{
-				{
-					Imports: []string{
-						"pe",
-					},
-					Identifier: "MetadataExample",
-					Meta: Metadata{
-						Author:      util.Ptr(`"John Doe"`),
-						Date:        util.Ptr(`"2023-12-27"`),
-						Version:     util.Ptr(`"1.0"`),
-						Reference:   util.Ptr(`"http://somewhere.invalid"`),
-						Description: util.Ptr(`"Example Rule"`),
-						Rest: map[string]string{
-							"my_identifier_1": "\"Some string data\"",
-							"my_identifier_2": "24",
-							"my_identifier_3": "true",
-						},
-					},
-					Strings: []string{
-						"$my_text_string = \"text here\"",
-						"$my_hex_string = { E2 34 A1 C8 23 FB }",
-					},
-					Condition: "$my_text_string or $my_hex_string",
-				},
-			},
-		},
-		{
-			Name:  "Rule With Regex",
-			Input: RegexRule,
-			ExpectedRules: []*YaraRule{
-				{
-					Identifier: "RegExpExample1",
-					Strings: []string{
-						"$re1 = /md5: [0-9a-fA-F]{32}/",
-						"$re2 = /state: (on|off)/",
-					},
-					Condition: "$re1 and $re2",
-				},
-			},
-		},
-		{
-			Name:  "Rule With Import",
-			Input: ImportRule,
-			ExpectedRules: []*YaraRule{
-				{
-					Imports: []string{
-						"pe",
-					},
-					Identifier: "Test",
-					Strings: []string{
-						`$a = "some string"`,
-					},
-					Condition: `$a and pe.entry_point == 0x1000`,
-				},
-			},
-		},
-		{
-			Name:          "Rule With Unexpected Header",
-			Input:         UnexpectedHeader,
-			ExpectedError: util.Ptr(`unexpected header at 26: extra`),
-		},
-		{
-			Name:  "Basic Rule With Comments",
-			Input: RuleWithComments,
-			ExpectedRules: []*YaraRule{
-				{
-					Identifier: "ExampleRule",
-					Strings: []string{
-						`$my_text_string = "text here"`,
-					},
-					Condition: `$my_text_string or $my_hex_string`,
-				},
-			},
-		},
-		{
-			Name:  "Multiple Rules",
-			Input: ImportRule + "\n\n" + BasicRule,
-			ExpectedRules: []*YaraRule{
-				{
-					Imports: []string{
-						"pe",
-					},
-					Identifier: "Test",
-					Strings: []string{
-						`$a = "some string"`,
-					},
-					Condition: `$a and pe.entry_point == 0x1000`,
-				},
-				{
-					Imports: []string{
-						"pe",
-					},
-					Identifier: "ExampleRule",
-					Strings: []string{
-						`$my_text_string = "text here"`,
-						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
-					},
-					Condition: `$my_text_string or $my_hex_string`,
-				},
-			},
-		},
-		{
-			Name:  "Rule With Oddities",
-			Input: WeirdRule,
-			ExpectedRules: []*YaraRule{
-				{
-					Imports: []string{
-						"pe",
-					},
-					Identifier: "ExampleRule",
-					Strings: []string{
-						`$my_text_string = "text here"`,
-						`$my_hex_string = { E2 34 A1 C8 23 FB }`,
-						`$badslashes = "\\var\\www\\html\\"`,
-						`$multilinehex = {`,
-						`46 DC EA D3 17 FE 45 D8 09 23`,
-						`EB 97 E4 95 64 10 D4 CD B2 C2`,
-						`}`,
-					},
-					Condition: `$my_text_string or $my_hex_string`,
-				},
-			},
-		},
-		{
-			Name:          "Missing Identifier",
-			Input:         NoIdentifier,
-			ExpectedError: util.Ptr("expected rule identifier at 5"),
-		},
-		{
-			Name:          "Invalid Metadata",
-			Input:         BadMeta,
-			ExpectedError: util.Ptr("invalid meta line at 39: copyrighted"),
-		},
-		{
-			Name:          "Unexpected End Of Rule",
-			Input:         BasicRule[:len(BasicRule)-1],
-			ExpectedError: util.Ptr("unexpected end of rule"),
-		},
-	}
-
-	for _, test := range table {
-		test := test
-		t.Run(test.Name, func(t *testing.T) {
-			t.Parallel()
-
-			rules, err := ParseYaraRules([]byte(test.Input))
-			if test.ExpectedError == nil {
-				assert.NoError(t, err)
-				assert.NotNil(t, rules)
-
-				assert.Equal(t, test.ExpectedRules, rules)
-			} else {
-				assert.Error(t, err)
-				assert.Equal(t, *test.ExpectedError, err.Error())
-
-				assert.Empty(t, rules)
-			}
-		})
-	}
-}
-
-func TestRuleString(t *testing.T) {
-	rules, err := ParseYaraRules([]byte(BasicRuleWMeta))
-	assert.NoError(t, err)
-	assert.NotEmpty(t, rules)
-
-	raw := rules[0].String()
-	fmt.Println(raw)
-	assert.Equal(t, NormalizedBasicRuleWMeta, raw)
-}
-
 func TestValidate(t *testing.T) {
 	t.Parallel()
 
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index a3c640748..dc5968f2c 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -46,6 +46,8 @@ type SuricataEngine struct {
 	communityRulesImportFrequencySeconds int
 	isRunning                            bool
 	thread                               *sync.WaitGroup
+	allowRegex                           *regexp.Regexp
+	denyRegex                            *regexp.Regexp
 }
 
 func NewSuricataEngine(srv *server.Server) *SuricataEngine {
@@ -63,6 +65,25 @@ func (s *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 	s.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", "/opt/so/conf/soc/emerging-all.fingerprint")
 	s.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", 5)
 
+	allow := module.GetStringDefault(config, "allowRegex", "")
+	deny := module.GetStringDefault(config, "denyRegex", "")
+
+	if allow != "" {
+		var err error
+		s.allowRegex, err = regexp.Compile(allow)
+		if err != nil {
+			return fmt.Errorf("unable to compile Suricata's allowRegex: %w", err)
+		}
+	}
+
+	if deny != "" {
+		var err error
+		s.denyRegex, err = regexp.Compile(deny)
+		if err != nil {
+			return fmt.Errorf("unable to compile Suricata's denyRegex: %w", err)
+		}
+	}
+
 	return nil
 }
 
@@ -230,6 +251,16 @@ func (s *SuricataEngine) parseRules(content string, ruleset string) ([]*model.De
 			continue
 		}
 
+		if s.denyRegex != nil && s.denyRegex.MatchString(line) {
+			log.WithField("rule", line).Info("content matched Suricata's denyRegex")
+			continue
+		}
+
+		if s.allowRegex != nil && !s.allowRegex.MatchString(line) {
+			log.WithField("rule", line).Info("content didn't match Suricata's allowRegex")
+			continue
+		}
+
 		line, err := s.ValidateRule(line)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse line %d: %w", i+1, err)
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 600f7b3d4..907e00cf4 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -7,6 +7,7 @@ package suricata
 
 import (
 	"context"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -308,10 +309,12 @@ func TestParse(t *testing.T) {
 			Name: "Sunny Day Path with Edge Cases",
 			Lines: []string{
 				"# Comment",
-				SimpleRule,
+				SimpleRule, // allowRegex has the SID, should allow
 				"",
-				` alert  http any any  <>   any any (metadata:signature_severity   Informational; sid: "20000"; msg:"a \"tricky\"\;\\ msg";)`,
+				` alert  http any any  <>   any any (metadata:signature_severity   Informational; sid: "20000"; msg:"a \"tricky\"\;\\ msg";)`, // allowRegex has the SID, should allow
 				" # " + FlowbitsRuleA,
+				FlowbitsRuleB, // denyRegex will prevent this from being parsed
+				"alert http any any -> any any (msg:\"This rule doesn't have a SID\";)", // doesn't match either regex, will be left out
 			},
 			ExpectedDetections: []*model.Detection{
 				{
@@ -341,6 +344,8 @@ func TestParse(t *testing.T) {
 	}
 
 	mod := NewSuricataEngine(&server.Server{})
+	mod.allowRegex = regexp.MustCompile("[12]0000")
+	mod.denyRegex = regexp.MustCompile("flowbits")
 
 	for _, test := range table {
 		test := test

From 0909ad0aa1054d0ac2ba8863c1bc7dd6c92e9e37 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 20 Feb 2024 13:14:32 -0700
Subject: [PATCH 099/102] Strelka rules are compiled by default but can be
 disabled

A new config option allows strelka to leave yara rules uncompiled.
---
 server/modules/strelka/strelka.go      | 28 +++++++++++++++-----------
 server/modules/strelka/strelka_test.go |  1 +
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index c7c358634..347629e7a 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -52,6 +52,7 @@ type StrelkaEngine struct {
 	compileYaraPythonScriptPath          string
 	allowRegex                           *regexp.Regexp
 	denyRegex                            *regexp.Regexp
+	compileRules                         bool
 	IOManager
 }
 
@@ -74,6 +75,7 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) error {
 	e.reposFolder = module.GetStringDefault(config, "reposFolder", "/opt/so/conf/strelka/repos")
 	e.rulesRepos = module.GetStringArrayDefault(config, "rulesRepos", []string{"github.com/Security-Onion-Solutions/securityonion-yara"})
 	e.compileYaraPythonScriptPath = module.GetStringDefault(config, "compileYaraPythonScriptPath", "/opt/so/conf/strelka/compile_yara.py")
+	e.compileRules = module.GetBoolDefault(config, "compileRules", true)
 
 	allow := module.GetStringDefault(config, "allowRegex", "")
 	deny := module.GetStringDefault(config, "denyRegex", "")
@@ -575,21 +577,23 @@ func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]s
 		return nil, err
 	}
 
-	// compile yara rules
-	cmd := exec.CommandContext(ctx, "python3", e.compileYaraPythonScriptPath, e.yaraRulesFolder)
+	if e.compileRules {
+		// compile yara rules
+		cmd := exec.CommandContext(ctx, "python3", e.compileYaraPythonScriptPath, e.yaraRulesFolder)
 
-	raw, code, dur, err := e.ExecCommand(cmd)
+		raw, code, dur, err := e.ExecCommand(cmd)
 
-	log.WithFields(log.Fields{
-		"command":  cmd.String(),
-		"output":   string(raw),
-		"code":     code,
-		"execTime": dur.Seconds(),
-		"error":    err,
-	}).Info("yara compilation results")
+		log.WithFields(log.Fields{
+			"command":  cmd.String(),
+			"output":   string(raw),
+			"code":     code,
+			"execTime": dur.Seconds(),
+			"error":    err,
+		}).Info("yara compilation results")
 
-	if err != nil {
-		return nil, err
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return nil, nil
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
index 4aafff71d..b8984de97 100644
--- a/server/modules/strelka/strelka_test.go
+++ b/server/modules/strelka/strelka_test.go
@@ -259,6 +259,7 @@ func TestSyncSuricata(t *testing.T) {
 			})
 			mod.srv.DetectionEngines[model.EngineNameSuricata] = mod
 			mod.IOManager = mio
+			mod.compileRules = true
 
 			mod.compileYaraPythonScriptPath = "compileYaraPythonScriptPath"
 			mod.yaraRulesFolder = "yaraRulesFolder"

From 4df7617eeedd177ae5d7d3c42d60b2ec7dbc7878 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 20 Feb 2024 14:07:33 -0700
Subject: [PATCH 100/102] Hide MultiSelect Checkbox unless in Detections

Apparently v-if on a v-slot doesn't make it conditional. Moved the v-if to the internal element achieves the intended results.
---
 html/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/index.html b/html/index.html
index 1dfe1ff8a..6823e3099 100644
--- a/html/index.html
+++ b/html/index.html
@@ -664,8 +664,8 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                     </v-container>
 
                   </template>
-                  <template v-if="isMultiSelect()" v-slot:header.data-table-select="{ on, props }">
-                    <div class="multiselect-container">
+                  <template v-slot:header.data-table-select="{ on, props }">
+                    <div v-if="isMultiSelect()" class="multiselect-container">
                       <v-simple-checkbox id="multiselect-checkbox"
                         color="blue"
                         v-bind="props"

From 0942c43ed12443e7dc1d2b263fb298dd75d00072 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 20 Feb 2024 16:11:34 -0700
Subject: [PATCH 101/102] Check for the existence of a template before starting
 community rule import

---
 server/detectionstore.go                        |  2 ++
 server/mock/mock_detectionstore.go              | 15 +++++++++++++++
 server/modules/elastalert/elastalert.go         | 11 +++++++++++
 server/modules/elastic/elasticdetectionstore.go | 17 ++++++++++++++---
 server/modules/strelka/strelka.go               | 11 +++++++++++
 server/modules/suricata/suricata.go             | 11 +++++++++++
 6 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/server/detectionstore.go b/server/detectionstore.go
index 38203c834..9d1af97de 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -27,6 +27,8 @@ type Detectionstore interface {
 	GetComments(ctx context.Context, detectionId string) ([]*model.DetectionComment, error)
 	UpdateComment(ctx context.Context, comment *model.DetectionComment) (*model.DetectionComment, error)
 	DeleteComment(ctx context.Context, id string) error
+
+	DoesTemplateExist(ctx context.Context, tmpl string) (bool, error)
 }
 
 //go:generate mockgen -destination mock/mock_detectionstore.go -package mock . Detectionstore
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 4ad9246ad..d547ef0c3 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -98,6 +98,21 @@ func (mr *MockDetectionstoreMockRecorder) DeleteDetection(arg0, arg1 any) *gomoc
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteDetection", reflect.TypeOf((*MockDetectionstore)(nil).DeleteDetection), arg0, arg1)
 }
 
+// DoesTemplateExist mocks base method.
+func (m *MockDetectionstore) DoesTemplateExist(arg0 context.Context, arg1 string) (bool, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DoesTemplateExist", arg0, arg1)
+	ret0, _ := ret[0].(bool)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DoesTemplateExist indicates an expected call of DoesTemplateExist.
+func (mr *MockDetectionstoreMockRecorder) DoesTemplateExist(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DoesTemplateExist", reflect.TypeOf((*MockDetectionstore)(nil).DoesTemplateExist), arg0, arg1)
+}
+
 // GetAllCommunitySIDs mocks base method.
 func (m *MockDetectionstore) GetAllCommunitySIDs(arg0 context.Context, arg1 *model.EngineName) (map[string]*model.Detection, error) {
 	m.ctrl.T.Helper()
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index ebd00981c..3aaa579b9 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -248,6 +248,17 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		start := time.Now()
 
+		exists, err := e.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
+		if err != nil {
+			log.WithError(err).Error("unable to check for detection index template")
+			continue
+		}
+
+		if !exists {
+			log.Warn("detection index template does not exist, skipping import")
+			continue
+		}
+
 		zips, errMap := e.downloadSigmaPackages(ctx)
 		if len(errMap) != 0 {
 			log.WithField("errorMap", errMap).Error("something went wrong downloading sigma packages")
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index ea4447ff6..9bb163be3 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -350,6 +350,17 @@ func (store *ElasticDetectionstore) prepareForSave(ctx context.Context, obj *mod
 	return id
 }
 
+func (store *ElasticDetectionstore) DoesTemplateExist(ctx context.Context, tmpl string) (bool, error) {
+	response, err := store.esClient.Indices.GetIndexTemplate(
+		store.esClient.Indices.GetIndexTemplate.WithName(tmpl),
+	)
+	if err != nil {
+		return false, err
+	}
+
+	return response.StatusCode == 200, nil
+}
+
 func (store *ElasticDetectionstore) CreateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error) {
 	err := store.validateDetection(detect)
 	if err != nil {
@@ -424,7 +435,7 @@ func (store *ElasticDetectionstore) UpdateDetectionField(ctx context.Context, id
 	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
 		return nil, err
 	}
-  
+
 	if len(fields) == 0 {
 		return nil, errors.New("no fields to update")
 	}
@@ -543,7 +554,7 @@ func (store *ElasticDetectionstore) audit(ctx context.Context, document map[stri
 			log.WithError(err).Error("Encountered error while indexing document into elasticsearch")
 		}
 	}
-  
+
 	return err
 }
 
@@ -551,7 +562,7 @@ func (store *ElasticDetectionstore) indexDocument(ctx context.Context, index str
 	if err := store.server.CheckAuthorized(ctx, "write", "detection"); err != nil {
 		return "", err
 	}
-  
+
 	log.WithFields(log.Fields{
 		"index":     index,
 		"id":        id,
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 347629e7a..4327bb315 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -144,6 +144,17 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 		start := time.Now()
 
+		exists, err := e.srv.Detectionstore.DoesTemplateExist(e.srv.Context, "so-detection")
+		if err != nil {
+			log.WithError(err).Error("unable to check for detection index template")
+			continue
+		}
+
+		if !exists {
+			log.Warn("detection index template does not exist, skipping import")
+			continue
+		}
+
 		// read existing repos
 		entries, err := os.ReadDir(e.reposFolder)
 		if err != nil {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index dc5968f2c..692efc273 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -129,6 +129,17 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		start := time.Now()
 
+		exists, err := s.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
+		if err != nil {
+			log.WithError(err).Error("unable to check for detection index template")
+			continue
+		}
+
+		if !exists {
+			log.Warn("detection index template does not exist, skipping import")
+			continue
+		}
+
 		rules, hash, err := readAndHash(s.communityRulesFile)
 		if err != nil {
 			log.WithError(err).Error("unable to read community rules file")

From 23ef5da83e08e0c44b091c13f13f9ea313444309 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 21 Feb 2024 09:19:13 -0700
Subject: [PATCH 102/102] Improvements

Once a template is found, stop checking.
---
 server/modules/elastalert/elastalert.go | 21 +++++++++++++--------
 server/modules/strelka/strelka.go       | 22 ++++++++++++++--------
 server/modules/suricata/suricata.go     | 22 ++++++++++++++--------
 3 files changed, 41 insertions(+), 24 deletions(-)

diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 3aaa579b9..64d403177 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -239,6 +239,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 	}()
 
 	ctx := e.srv.Context
+	templateFound := false
 
 	for e.isRunning {
 		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
@@ -248,15 +249,19 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		start := time.Now()
 
-		exists, err := e.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
-		if err != nil {
-			log.WithError(err).Error("unable to check for detection index template")
-			continue
-		}
+		if !templateFound {
+			exists, err := e.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
+			if err != nil {
+				log.WithError(err).Error("unable to check for detection index template")
+				continue
+			}
 
-		if !exists {
-			log.Warn("detection index template does not exist, skipping import")
-			continue
+			if !exists {
+				log.Warn("detection index template does not exist, skipping import")
+				continue
+			}
+
+			templateFound = true
 		}
 
 		zips, errMap := e.downloadSigmaPackages(ctx)
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 4327bb315..684925c4a 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -136,6 +136,8 @@ func (e *StrelkaEngine) SyncLocalDetections(ctx context.Context, _ []*model.Dete
 }
 
 func (e *StrelkaEngine) startCommunityRuleImport() {
+	templateFound := false
+
 	for e.isRunning {
 		time.Sleep(time.Duration(e.communityRulesImportFrequencySeconds) * time.Second)
 		if !e.isRunning {
@@ -144,15 +146,19 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 		start := time.Now()
 
-		exists, err := e.srv.Detectionstore.DoesTemplateExist(e.srv.Context, "so-detection")
-		if err != nil {
-			log.WithError(err).Error("unable to check for detection index template")
-			continue
-		}
+		if !templateFound {
+			exists, err := e.srv.Detectionstore.DoesTemplateExist(e.srv.Context, "so-detection")
+			if err != nil {
+				log.WithError(err).Error("unable to check for detection index template")
+				continue
+			}
 
-		if !exists {
-			log.Warn("detection index template does not exist, skipping import")
-			continue
+			if !exists {
+				log.Warn("detection index template does not exist, skipping import")
+				continue
+			}
+
+			templateFound = true
 		}
 
 		// read existing repos
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 692efc273..c0391f1c0 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -121,6 +121,8 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 	ctx := s.srv.Context
 
+	templateFound := false
+
 	for s.isRunning {
 		time.Sleep(time.Duration(s.communityRulesImportFrequencySeconds) * time.Second)
 		if !s.isRunning {
@@ -129,15 +131,19 @@ func (s *SuricataEngine) watchCommunityRules() {
 
 		start := time.Now()
 
-		exists, err := s.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
-		if err != nil {
-			log.WithError(err).Error("unable to check for detection index template")
-			continue
-		}
+		if !templateFound {
+			exists, err := s.srv.Detectionstore.DoesTemplateExist(ctx, "so-detection")
+			if err != nil {
+				log.WithError(err).Error("unable to check for detection index template")
+				continue
+			}
 
-		if !exists {
-			log.Warn("detection index template does not exist, skipping import")
-			continue
+			if !exists {
+				log.Warn("detection index template does not exist, skipping import")
+				continue
+			}
+
+			templateFound = true
 		}
 
 		rules, hash, err := readAndHash(s.communityRulesFile)