From 23e12811a1d76305db5841a191a2f9e49e77c1c3 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 25 Sep 2025 09:51:32 -0500
Subject: [PATCH 1/3] make sure fleet-default-output is not set as either default output policy
---
 salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index 586c68a80..ee74d1056 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -79,7 +79,7 @@ if DEFAULTPOLICY=$(fleet_api "outputs/fleet-default-output"); then
 fleet_default=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default')
 fleet_default_monitoring=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default_monitoring')
 # Check that fleet-default-output isn't configured as a default for anything ( both variables return false )
- if [[ $fleet_default ]] && [[ $fleet_default_monitoring ]]; then
+ if [[ ! $fleet_default ]] && [[ ! $fleet_default_monitoring ]]; then
 echo -e "\nso-manager_elasticsearch is configured as the current default policy..."
 else
 echo -e "\nVerification of so-manager_elasticsearch policy failed... The default 'fleet-default-output' output is still active..."
From d81d9a0722f2dbcc247e6f8882e94ea93a79eda8 Mon Sep 17 00:00:00 2001
From: Matthew Wright
Date: Thu, 25 Sep 2025 14:45:06 -0400
Subject: [PATCH 2/3] small tweak to investigation prompt
---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 58b3a3827..6caeddbe3 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
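Review bot: In the so-elastic-fleet-setup hunk, the new condition `[[ ! $fleet_default ]] && [[ ! $fleet_default_monitoring ]]` tests whether each variable is an empty string, not whether it holds `false`. `jq -r` prints the literal text `true` or `false`, both non-empty, so a correctly configured manager falls through to the "Verification ... failed" branch. The test succeeds only when both variables are empty, i.e. when jq printed nothing, so the check reports success exactly when the values could not be read. Compare the strings explicitly instead: `if [[ "$fleet_default" == "false" ]] && [[ "$fleet_default_monitoring" == "false" ]]; then`. `jq -e` also exits non-zero when the result is `false`, which would matter if the script runs under `set -e` (not visible here); the enclosing `if DEFAULTPOLICY=...` block starts and ends outside the hunk.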
@@ -2545,7 +2545,7 @@ soc:
 level: 'high' # info | low | medium | high | critical
 assistant:
 enabled: false
- investigationPrompt: Investigate Alert ID {socid}
+ investigationPrompt: Investigate Alert ID {socId}
 contextLimitSmall: 200000
 contextLimitLarge: 1000000
 thresholdColorRatioLow: 0.5
From 3a2ceb0b6fb995d7e37d1e320268dbdf7eaf9a28 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 25 Sep 2025 15:40:00 -0400
Subject: [PATCH 3/3] retry kratos pulls since this is the first image to install during setup
---
 salt/kratos/enabled.sls | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls
index 31097ccf4..f0345edec 100644
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -54,6 +54,9 @@ so-kratos:
 - file: kratosconfig
 - file: kratoslogdir
 - file: kratosdir
+ - retry:
+ attempts: 10
+ interval: 10
 delete_so-kratos_so-status.disabled:
 file.uncomment:
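Review bot: The `retry` block added to `so-kratos` in salt/kratos/enabled.sls re-runs the state on any failed result, not only on a failed image pull. A broken config or mount would therefore be retried for ten attempts at a 10-second interval before setup reports the failure. The reason for the retry is recorded only in the commit message; a comment above it such as `# Retry pulls: kratos is the first image installed during setup` would keep the setting from being removed or copied without context. The `so-kratos` state begins outside the hunk and leading whitespace is lost in this view, so the nesting of `- retry:` relative to the preceding `- file:` entries should be confirmed in the file itself.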