From 193c9d202eb4005388db7a191a9c284211138c0b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 9 Nov 2023 14:30:00 -0500
Subject: [PATCH 1/2] Remove unneeded datastreams
---
 salt/manager/tools/sbin_jinja/so-elastic-fleet-reset | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
index 558590601..068b3ce8f 100644
--- a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
+++ b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
@@ -59,6 +59,15 @@ do
 done
 done
+status "Deleting Fleet-related Data Streams..."
+DATASTREAMS="logs-suricata-so","logs-kratos-so","logs-soc-so","logs-zeek-so"
+JSON_STRING=$( jq -n \
+ --arg DATASTREAMLIST "$DATASTREAMS" \
+ '{"dataStreams":[$DATASTREAMLIST]}'
+ )
+curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/index_management/delete_data_streams" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+
+
 status "Restarting Kibana..."
 so-kibana-restart --force
From 551f7831decf0d0d73fa2dd9e2814fa37d1fabe0 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 9 Nov 2023 15:01:56 -0500
Subject: [PATCH 2/2] Add more clarity to message
---
 salt/manager/tools/sbin_jinja/so-elastic-fleet-reset | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
index 068b3ce8f..564156af9 100644
--- a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
+++ b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
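Review bot: In the `@@ -59,6 +59,15 @@` hunk of PATCH 1/2, `DATASTREAMS="logs-suricata-so","logs-kratos-so","logs-soc-so","logs-zeek-so"` is one shell word, so after quote removal the variable holds a single comma-joined string and `jq --arg` produces the one-element array `["logs-suricata-so,logs-kratos-so,logs-soc-so,logs-zeek-so"]` rather than the four separate names the `dataStreams` list implies; whether the Kibana endpoint tolerates a comma list inside one element is not visible here, and the shell code should not depend on it. Splitting in jq keeps the intent explicit and the request well-formed: `'{"dataStreams": ($DATASTREAMLIST | split(","))}'`. The curl call's outcome is also unchecked, so a rejected or failed deletion (wrong name, Kibana not yet reachable) goes unnoticed and the script restarts Kibana as if the data had been removed; `curl --fail -sS ... || { echo "Failed to delete Fleet data streams" >&2; exit 1; }` (or the script's own error helper, if so-common provides one) would surface that before continuing.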
@@ -13,7 +13,10 @@ require_manager
 # Inform user we are about to remove Elastic Fleet data
 echo
-echo "This script will remove the current Elastic Fleet install & all of its data and rerun Elastic Fleet setup."
+echo "This script will remove the current Elastic Fleet install and all of its data and then rerun Elastic Fleet setup."
+echo "This includes data previously ingested with Fleet such as Zeek and Suricata logs."
+echo "Deployed Elastic Agents will no longer be enrolled and will need to be reinstalled."
+echo "This script should only be used as a last resort to reinstall Elastic Fleet."
 echo
 echo "If you would like to proceed, type AGREE and hit ENTER."
 echo