Create custom threshold and define in global.sls

[dadam01]

I have a source scanner that is generating a lot of false positives. I created a custom mythreshold.conf file and added the proper syntax to suppress the src IP address.

Question, how do I define this new custom conf file in the global.sls? the https://docs.securityonion.net/en/2.3/managing-alerts.html?highlight=home_net#threshold doesn't show how to add the line to point to this new configuration file.

thank you.

[dougburks]

Rather than creating a separate mythreshold.conf file, have you tried adding the entries directly to /opt/so/saltstack/local/pillar/global.sls or /opt/so/saltstack/local/pillar/minions/<MINION_ID>.sls as explained at https://docs.securityonion.net/en/2.3/managing-alerts.html#threshold?

[dadam01]

I'm having trouble understanding what the doc is trying to tell me.
The doc says to "You can manage threshold.conf for Suricata using Salt pillars."

My mind went to adding a reference to a threshold conf File in to the global.sls, similar to how you would define a Logstash config:
logstash:
pipelines:
manager:
config:
- so/9000_output_zeek.conf.jinja.

But now it sounds like we don't have to create a separate file for the Threshold, instead I would just create a new line in the global.sls
thresholding:
sids:
2101777:
- suppress:
gen_id: 1
track: by_src
ip: 10.10.10.10

Hopefully I'm interpreting what you are telling me correctly.
Thank you.

[dougburks]

I've changed the documentation from You can manage threshold.conf to You can manage threshold entries and we just published a Youtube video that might help:
https://youtu.be/GQObGTcFl-4

[dadam01]

fantastic view, I wish I saw this earlier. it also help to answer a lot of my questions.
Thank you very much for the assistance.