diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
new file mode 100644
index 000000000..2780ab59e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
@@ -0,0 +1,19 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+# Set up ILM policies
+echo
+echo "Setting up default Security Onion index lifecycle management policies..."
+
+# Zeek logs
+echo
+echo "Setting up Zeek ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }'
+echo
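Review bot: The first line of the new file, `#/bin/bash`, is missing the `!`, so it is an ordinary comment rather than a shebang; when the file is executed directly the kernel has no interpreter line and whichever shell the caller falls back to may not be bash. Change it to `#!/bin/bash`. The curl PUT to `_ilm/policy/so-zeek-logs` runs with `-s` and its exit status is never checked, so a rejected or unreachable request leaves no output and the script still exits 0; adding `--fail` to the request and `|| { echo "Failed to load so-zeek-logs ILM policy" >&2; exit 1; }` after it would surface the failure. The same request also passes `-k`, which disables certificate verification on a connection that carries the session cookie (`sid=$SESSIONCOOKIE`, presumably set by the sourced so-common); unless `/opt/so/conf/elasticsearch/curl.config` already supplies a trusted CA, prefer `--cacert` with the cluster's certificate over `-k`.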