diff --git a/salt/elasticsearch/addsearchnode.sls b/salt/elasticsearch/addsearchnode.sls
new file mode 100644
index 000000000..c5b40df4a
--- /dev/null
+++ b/salt/elasticsearch/addsearchnode.sls
@@ -0,0 +1,29 @@
+so-soc container extrahosts
+seed_hosts elasticsearch.yaml
+so-elasticsearch container extrahosts
+so-logstash container extrahosts
+
+ ID: elasticfleet_sbin_jinja
+ Function: file.recurse
+ Name: /usr/sbin
+ Result: True
+ Comment: Recursively updated /usr/sbin
+ Started: 19:56:53.468894
+ Duration: 951.706 ms
+ Changes:
+ ----------
+ /usr/sbin/so-elastic-fleet-artifacts-url-update:
+ ----------
+ diff:
+ ---
+ +++
+ @@ -26,7 +26,7 @@
+ }
+
+ # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
+ -LOGSTASHNODES='{"manager": {"jpp70man1": {"ip": "10.66.166.231"}}, "searchnode": {"jpp70sea1": {"ip": "10.66.166.232"}, "jpp70sea2": {"ip": "10.66.166.142"}}}'
+ +LOGSTASHNODES='{"manager": {"jpp70man1": {"ip": "10.66.166.231"}}, "searchnode": {"jpp70sea1": {"ip": "10.66.166.232"}}}'
+
+ # Initialize an array for new hosts from Fleet Nodes
+ declare -a NEW_LIST=()
+
diff --git a/salt/elasticsearch/download.sls b/salt/elasticsearch/download.sls
new file mode 100644
index 000000000..f74c7059a
--- /dev/null
+++ b/salt/elasticsearch/download.sls
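Review bot: The new `salt/elasticsearch/addsearchnode.sls` does not look like a Salt state: its 29 lines are working notes followed by pasted state-run output for `elasticfleet_sbin_jinja`, including an embedded diff of `/usr/sbin/so-elastic-fleet-artifacts-url-update`. That output carries what appear to be a test grid's hostnames and internal addresses in the two `LOGSTASHNODES=` lines, which should not ship with the repository. As committed, the file is also not a valid state document, so it would presumably fail to render if `elasticsearch.addsearchnode` were ever applied or included. I would drop the file from this commit and keep the notes in the pull-request description with the hostnames and addresses redacted.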
@@ -0,0 +1,20 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+so-elasticsearch_image:
+ docker_image.present:
+ - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/logstash/download.sls b/salt/logstash/download.sls
new file mode 100644
index 000000000..cf1c6176c
--- /dev/null
+++ b/salt/logstash/download.sls
@@ -0,0 +1,20 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+so-logstash_image:
+ docker_image.present:
+ - name: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 79eea59fe..e0e892c3d 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
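Review bot: Both new download states, `so-elasticsearch_image` in `salt/elasticsearch/download.sls` and `so-logstash_image` in `salt/logstash/download.sls`, lack a comment saying that they only pre-pull the image and are meant to be driven by `orch.container_download`. I would add above each ID something like `# Pre-pull only: fetches the image ahead of the node's full deploy; does not start the container.` The image is referenced by the `{{ GLOBALS.so_version }}` tag on `{{ GLOBALS.registry_host }}:5000`, so what gets pulled is whatever that registry serves under the tag. How the registry connection is authenticated is not visible in this diff and is worth confirming, since this state now runs on a node before the rest of its deployment. The two files differ only in the image name, so a shared Jinja macro would keep them from drifting apart.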
@@ -604,6 +604,10 @@ function updateMineAndApplyStates() { #checkMine "network.ip_addrs" # calls so-common and set_minionid sets MINIONID to local minion id set_minionid + # if this is a searchnode or heavynode, start downloading logstash and elasticsearch containers while the manager prepares for the new node + if [[ "$NODETYPE" == "SEARCHNODE" || "$NODETYPE" == "HEAVYNODE" ]]; then + salt-run state.orch orch.container_download pillar="{'setup': {'newnode': $MINION_ID }}" > /dev/null 2>&1 & + fi # $MINIONID is the minion id of the manager and $MINION_ID is the target node or the node being configured salt-run state.orch orch.deploy_newnode pillar="{'setup': {'manager': $MINIONID, 'newnode': $MINION_ID }}" > /dev/null 2>&1 & } diff --git a/salt/orch/container_download.sls b/salt/orch/container_download.sls new file mode 100644 index 000000000..c4aedaaba --- /dev/null +++ b/salt/orch/container_download.sls @@ -0,0 +1,10 @@ +{% set NEWNODE = salt['pillar.get']('setup:newnode') %} + +{% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %} +{{NEWNODE}}_download_logstash_elasticsearch: + salt.state: + - tgt: {{ NEWNODE }} + - sls: + - logstash.download + - elasticsearch.download +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index d4852aa4d..2510356c4 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -143,13 +143,13 @@ base: '*_searchnode and G@saltversion:{{saltversion}}': - match: compound + - firewall - ssl + - elasticsearch + - logstash - sensoroni - telegraf - nginx - - firewall - - elasticsearch - - logstash - elasticfleet.install_agent_grid - stig
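Review bot: The added `salt-run state.orch orch.container_download` line interpolates `$MINION_ID` unquoted into the pillar literal, so an ID containing a quote, comma or brace would change the structure of the pillar the runner parses; quoting the value, `pillar="{'setup': {'newnode': '$MINION_ID'}}"`, keeps it a single string. Where `MINION_ID` is validated is not visible in this hunk, and the existing `orch.deploy_newnode` call just below has the same pattern. Both orchestrations now run in the background with `> /dev/null 2>&1`, so if the download's state run on the new node collides with one started by the deploy, the failure leaves no trace. Adding `- queue: True` to the `salt.state` block in `salt/orch/container_download.sls` and redirecting the output to a log file instead of `/dev/null` would make that diagnosable. The body of `updateMineAndApplyStates` starts outside the hunk.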
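Review bot: `tgt: {{ NEWNODE }}` in `salt/orch/container_download.sls` is matched as a glob by default, and the only check on the pillar value is that its last `_`-separated part is `searchnode` or `heavynode`, so a value containing a wildcard would pass the check and apply the download states to every matching minion. Adding `- tgt_type: list` under `salt.state` restricts the target to the exact minion ID. `NEWNODE` is also rendered unquoted into the state ID and `tgt`, so rejecting values outside the expected minion-ID character set before the `{% if %}` would keep odd input from producing broken or unintended YAML. If `setup:newnode` is absent, the file appears to render to nothing, which may hide a caller mistake; a `test.fail_without_changes` branch, as the download states use, would surface it.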
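Review bot: The reorder in the `'*_searchnode and G@saltversion:{{saltversion}}'` block of `salt/top.sls` moves `firewall`, `elasticsearch` and `logstash` ahead of `sensoroni`, `telegraf` and `nginx` without recording why. A short comment above the list, for example `# order matters: firewall, then elasticsearch/logstash, before the remaining states`, with the actual reason supplied by the author, would stop a later cleanup from undoing it. `so-minion` in this commit starts the early image download for `HEAVYNODE` as well, but no heavynode block is changed in the visible hunk, so it is worth checking whether that block needs the same order.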