diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index c4098e08c..d47125972 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -84,6 +84,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -108,9 +111,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.auditbeat:
       index_sorting: False
       index_template:
@@ -138,6 +138,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -162,9 +165,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.cloudbeat:
       index_sorting: False
       index_template:
@@ -216,9 +216,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false    
     so-logs-elastic_agent.endpoint_security:
       index_sorting: False
       index_template:
@@ -246,6 +243,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -270,9 +270,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.filebeat:
       index_sorting: False
       index_template:
@@ -324,9 +321,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.fleet_server:
       index_sorting: False
       index_template:
@@ -354,6 +348,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -378,9 +375,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.heartbeat:
       index_sorting: False
       index_template:
@@ -432,9 +426,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent:
       index_sorting: False
       index_template:
@@ -462,6 +453,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -486,9 +480,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.metricbeat:
       index_sorting: False
       index_template:
@@ -516,6 +507,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -540,9 +534,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.osquerybeat:
       index_sorting: False
       index_template:
@@ -570,6 +561,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -594,9 +588,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-logs-elastic_agent.packetbeat:
       index_sorting: False
       index_template:
@@ -624,6 +615,9 @@ elasticsearch:
           - "so-fleet_globals-1"
           - "so-fleet_agent_id_verification-1"
         priority: 200
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
       policy:
         phases:
           hot:
@@ -648,9 +642,6 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-        data_stream:
-          hidden: false
-          allow_custom_routing: false
     so-aws:
       warm: 7
       close: 30