From 73776f8d11ac14269bf531cc0c6cefbe548413f3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 27 Aug 2025 12:46:19 -0600
Subject: [PATCH] Cleaning up New ES Indexes
---
 salt/elasticsearch/defaults.yaml | 74 +++++++++++++++++++
 ...ings.json => assistant-chat-mappings.json} | 0
 ...ings.json => assistant-chat-settings.json} | 0
 .../so/assistant-session-mappings.json | 44 +++++++++++
 .../so/assistant-session-settings.json | 7 ++
 5 files changed, 125 insertions(+)
 rename salt/elasticsearch/templates/component/so/{assistant-mappings.json => assistant-chat-mappings.json} (100%)
 rename salt/elasticsearch/templates/component/so/{assistant-settings.json => assistant-chat-settings.json} (100%)
 create mode 100644 salt/elasticsearch/templates/component/so/assistant-session-mappings.json
 create mode 100644 salt/elasticsearch/templates/component/so/assistant-session-settings.json
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 1200701c9..b5031b9b2 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -284,6 +284,80 @@ elasticsearch:
 hot:
 actions: {}
 min_age: 0ms
+ so-assistant-chat:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - assistant-chat-mappings
+ - assistant-chat-settings
+ ignore_missing_component_templates: []
+ index_patterns:
+ - so-assistant-chat*
+ priority: 500
+ template:
+ mappings:
+ date_detection: false
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ lifecycle:
+ name: so-assistant-chat-logs
+ mapping:
+ total_fields:
+ limit: 1500
+ number_of_replicas: 0
+ number_of_shards: 1
+ refresh_interval: 1s
+ sort:
+ field: '@timestamp'
+ order: desc
+ policy:
+ phases:
+ hot:
+ actions: {}
+ min_age: 0ms
+ so-assistant-session:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - assistant-session-mappings
+ - assistant-session-settings
+ ignore_missing_component_templates: []
+ index_patterns:
+ - so-assistant-session*
+ priority: 500
+ template:
+ mappings:
+ date_detection: false
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ lifecycle:
+ name: so-assistant-session-logs
+ mapping:
+ total_fields:
+ limit: 1500
+ number_of_replicas: 0
+ number_of_shards: 1
+ refresh_interval: 1s
+ sort:
+ field: '@timestamp'
+ order: desc
+ policy:
+ phases:
+ hot:
+ actions: {}
+ min_age: 0ms
 so-endgame:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/templates/component/so/assistant-mappings.json b/salt/elasticsearch/templates/component/so/assistant-chat-mappings.json
similarity index 100%
rename from salt/elasticsearch/templates/component/so/assistant-mappings.json
rename to salt/elasticsearch/templates/component/so/assistant-chat-mappings.json
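Review bot: The `policy` added for both `so-assistant-chat` and `so-assistant-session` defines only a `hot` phase with empty `actions`, so nothing visible in this hunk rolls these indices over or ever deletes them. Assistant conversations in a SOC tool can carry alert details, hostnames and analyst notes, so how long they are kept should be an explicit choice; the same empty policy appears in the context lines of the preceding entry, so this may be a project default that is overridden elsewhere, in which case a comment saying where would help. Otherwise consider a `delete` phase under `phases` with `min_age: <RETENTION_PERIOD>` and `actions: {delete: {}}`. A short comment would also help on `index_sorting: false`, which sits next to a `sort` block on `@timestamp`; the hunk does not show which of the two takes effect.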
diff --git a/salt/elasticsearch/templates/component/so/assistant-settings.json b/salt/elasticsearch/templates/component/so/assistant-chat-settings.json
similarity index 100%
rename from salt/elasticsearch/templates/component/so/assistant-settings.json
rename to salt/elasticsearch/templates/component/so/assistant-chat-settings.json
diff --git a/salt/elasticsearch/templates/component/so/assistant-session-mappings.json b/salt/elasticsearch/templates/component/so/assistant-session-mappings.json
new file mode 100644
index 000000000..b72bbb389
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/assistant-session-mappings.json
@@ -0,0 +1,44 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "so_kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "so_session": {
+ "properties": {
+ "title": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sessionId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "createTime": {
+ "type": "date"
+ },
+ "deleteTime": {
+ "type": "date"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "ecs_version": "1.12.2"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/assistant-session-settings.json b/salt/elasticsearch/templates/component/so/assistant-session-settings.json
new file mode 100644
index 000000000..0281fa0e1
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/assistant-session-settings.json
@@ -0,0 +1,7 @@
+{
+ "template": {},
+ "version": 1,
+ "_meta": {
+ "description": "default settings for common Security Onion Assistant indices"
+ }
+}
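Review bot: The `so_session` object in assistant-session-mappings.json does not set `dynamic`, so any field a writer sends beyond the six listed is accepted and, through the `strings_as_keyword` dynamic template that defaults.yaml attaches to `so-assistant-session*`, silently added to the mapping. For an index with a small fixed schema that holds `userId` and session metadata, adding `"dynamic": "strict"` (or `false`) on `so_session` would make unexpected fields fail loudly or stay unindexed instead of growing the mapping; whether additional fields are expected here is not visible from the patch. The `_meta` block carries only `ecs_version`, while the sibling settings template also has `version` and a `description`; adding a `description` such as `"mappings for Security Onion Assistant session documents"` would record the intent.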