From 0f16b00563397c4a6b86b3951469f673bc6b6242 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 5 Mar 2025 13:57:47 -0600
Subject: [PATCH] osquery templates

---
 salt/elasticsearch/defaults.yaml | 46 ++++++++++++++++++++---
 salt/elasticsearch/soc_elasticsearch.yaml | 6 ++-
 2 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index a12bb5ac9..6bd46aa27 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2659,7 +2659,25 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
-    so-logs-osquery_manager_x_action_x_responses:
+    so-logs-osquery-manager-action_x_responses:
+      index_sorting: false
+      index_template:
+        _meta:
+          managed: true
+          managed_by: security_onion
+          package:
+            name: elastic_agent
+        composed_of:
+          - logs-osquery_manager.action.responses
+        ignore_missing_component_templates: []
+        index_patterns:
+          - .logs-osquery_manager.action.responses*
+        priority: 501
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+    so-logs-osquery-manager_x_action_x_responses:
       index_sorting: false
       index_template:
         _meta:
@@ -2683,9 +2701,9 @@ elasticsearch:
         priority: 501
         template:
           settings:
+            lifecycle:
+              so-logs-osquery-manager.action.responses-logs
             index:
-              lifecycle:
-                name: so-logs-osquery_manager.action.responses-logs
               number_of_replicas: 0
       policy:
         phases:
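Review bot: The new `so-logs-osquery-manager-action_x_responses` template in the -2659 hunk (and `so-logs-osquery-manager-actions` in the -2711 hunk) carries only `number_of_replicas: 0` under `settings` and no `policy:` block, whereas the neighbouring `_x_action_x_responses` and `_x_result` entries each bind an ILM policy. If nothing else manages the `.logs-osquery_manager.action.responses*` and `.logs-osquery_manager.actions*` indices, they will accumulate with no retention. Either add the same `policy:` stanza with a matching `index.lifecycle.name`, or document the omission above the key, e.g. `# intentionally no ILM policy for these hidden action indices — TODO confirm retention`. The enclosing `index_settings` mapping starts and ends outside the hunk.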
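Review bot: The added `lifecycle:` block in the -2683 hunk drops the `name:` key and sits under `settings` instead of `index`, so the two new lines parse as the plain string value `settings.lifecycle: "so-logs-osquery-manager.action.responses-logs"` rather than `index.lifecycle.name`; Elasticsearch will most likely reject the template, or at best ignore the setting, and the action-response indices would never be bound to their policy. The sibling -2737 hunk keeps the correct shape, so this one should match it: `index:` / `  lifecycle:` / `    name: so-logs-osquery-manager.action.responses-logs` placed above `number_of_replicas: 0`. The template definition starts before the hunk and its `policy:` continues after it.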
@@ -2711,7 +2729,25 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
-    so-logs-osquery_manager_x_result:
+    so-logs-osquery-manager-actions:
+      index_sorting: false
+      index_template:
+        _meta:
+          managed: true
+          managed_by: security_onion
+          package:
+            name: elastic_agent
+        composed_of:
+          - logs-osquery_manager.actions
+        ignore_missing_component_templates: []
+        index_patterns:
+          - .logs-osquery_manager.actions*
+        priority: 501
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+    so-logs-osquery-manager_x_result:
       index_sorting: false
       index_template:
         _meta:
@@ -2737,7 +2773,7 @@ elasticsearch:
           settings:
             index:
               lifecycle:
-                name: so-logs-osquery_manager.result-logs
+                name: so-logs-osquery-manager.result-logs
               number_of_replicas: 0
       policy:
         phases:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index fe6c0c21e..ba85cd7b4 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -368,8 +368,10 @@ elasticsearch:
     so-logs-detections_x_alerts: *indexSettings
     so-logs-http_endpoint_x_generic: *indexSettings
     so-logs-httpjson_x_generic: *indexSettings
-    so-logs-osquery_manager_x_action_x_responses: *indexSettings
-    so-logs-osquery_manager_x_result: *indexSettings
+    so-logs-osquery-manager-actions: *indexSettings
+    so-logs-osquery-manager-action_x_responses: *indexSettings
+    so-logs-osquery-manager_x_action_x_responses: *indexSettings
+    so-logs-osquery-manager_x_result: *indexSettings
     so-logs-elastic_agent_x_apm_server: *indexSettings
     so-logs-elastic_agent_x_auditbeat: *indexSettings
     so-logs-elastic_agent_x_cloudbeat: *indexSettings
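Review bot: Renaming the ILM policy to `so-logs-osquery-manager.result-logs` in the -2737 hunk only affects indices created from the template after this change; indices that already exist keep `index.lifecycle.name` pointing at `so-logs-osquery_manager.result-logs`, and if that policy is no longer created they would report ILM errors and stop rolling over or being deleted. Unless the upgrade path migrates those indices (not visible here), either keep the old policy name or record the caveat beside the rename, e.g. `# policy renamed from so-logs-osquery_manager.result-logs; pre-existing indices keep the old name — TODO confirm migration`. The same rename appears in the -2683 hunk of this file.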