diff --git a/.gitignore b/.gitignore
index 07cacdab..a7e0b73c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,8 +5,10 @@ sensoroni
 jobs/
 logs/
 nsm/
+coverage/
 .vscode/
 .DS_Store
+node_modules/
 
 # Pytest output
 __pycache__
diff --git a/config/clientparameters.go b/config/clientparameters.go
index 7856e3ea..0e3604eb 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -16,27 +16,27 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams       HuntingParameters   `json:"hunt"`
-	AlertingParams      HuntingParameters   `json:"alerts"`
-	CasesParams         HuntingParameters   `json:"cases"`
-	CaseParams          CaseParameters      `json:"case"`
-	DashboardsParams    HuntingParameters   `json:"dashboards"`
-	JobParams           HuntingParameters   `json:"job"`
-	DetectionsParams    DetectionParameters `json:"detections"`
-	DetectionParams     DetectionParameters `json:"detection"`
-	DocsUrl             string              `json:"docsUrl"`
-	CheatsheetUrl       string              `json:"cheatsheetUrl"`
-	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`
-	GridParams          GridParameters      `json:"grid"`
-	WebSocketTimeoutMs  int                 `json:"webSocketTimeoutMs"`
-	TipTimeoutMs        int                 `json:"tipTimeoutMs"`
-	ApiTimeoutMs        int                 `json:"apiTimeoutMs"`
-	CacheExpirationMs   int                 `json:"cacheExpirationMs"`
-	InactiveTools       []string            `json:"inactiveTools"`
-	Tools               []ClientTool        `json:"tools"`
-	CasesEnabled        bool                `json:"casesEnabled"`
-	EnableReverseLookup bool                `json:"enableReverseLookup"`
-	DetectionsEnabled   bool                `json:"detectionsEnabled"`
+	HuntingParams       HuntingParameters    `json:"hunt"`
+	AlertingParams      HuntingParameters    `json:"alerts"`
+	CasesParams         HuntingParameters    `json:"cases"`
+	CaseParams          CaseParameters       `json:"case"`
+	DashboardsParams    HuntingParameters    `json:"dashboards"`
+	JobParams           HuntingParameters    `json:"job"`
+	DetectionsParams    DetectionsParameters `json:"detections"`
+	DetectionParams     DetectionParameters  `json:"detection"`
+	DocsUrl             string               `json:"docsUrl"`
+	CheatsheetUrl       string               `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string               `json:"releaseNotesUrl"`
+	GridParams          GridParameters       `json:"grid"`
+	WebSocketTimeoutMs  int                  `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int                  `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int                  `json:"apiTimeoutMs"`
+	CacheExpirationMs   int                  `json:"cacheExpirationMs"`
+	InactiveTools       []string             `json:"inactiveTools"`
+	Tools               []ClientTool         `json:"tools"`
+	CasesEnabled        bool                 `json:"casesEnabled"`
+	EnableReverseLookup bool                 `json:"enableReverseLookup"`
+	DetectionsEnabled   bool                 `json:"detectionsEnabled"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -190,15 +190,23 @@ type GridParameters struct {
 	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }
 
-type DetectionParameters struct {
+type DetectionsParameters struct {
 	HuntingParameters
 	Presets              map[string]PresetParameters `json:"presets"`
+}
+
+type DetectionParameters struct {
+	Presets              map[string]PresetParameters `json:"presets"`
 	SeverityTranslations map[string]string           `json:"severityTranslations"`
+	TemplateDetections   map[string]string           `json:"templateDetections"`
 }
 
-func (params *DetectionParameters) Verify() error {
+func (params *DetectionsParameters) Verify() error {
 	err := params.HuntingParameters.Verify()
 
 	return err
+}
 
+func (params *DetectionParameters) Verify() error {
+	return nil
 }
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index 2289de0f..b9b0e267 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -91,3 +91,10 @@ func TestVerifyCaseParams(tester *testing.T) {
 	assert.Nil(tester, err)
 	assert.Equal(tester, params.MostRecentlyUsedLimit, 0)
 }
+
+func TestVerifyDetectionsParams(t *testing.T) {
+	params := &DetectionsParameters{}
+	err := params.Verify()
+	assert.Nil(t, err)
+	verifyInitialHuntingParams(t, &params.HuntingParameters)
+}
diff --git a/config/serverconfig.go b/config/serverconfig.go
index c1b06b23..6cec2dcb 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -37,6 +37,9 @@ type ServerConfig struct {
 	IdleConnectionTimeoutMs int                    `json:"idleConnectionTimeoutMs"`
 	TimezoneScript          string                 `json:"timezoneScript"`
 	MaxUploadSizeBytes      int                    `json:"maxUploadSizeBytes"`
+	Proxy                   string                 `json:"proxy"`
+	AdditionalCA            string                 `json:"additionalCA"`
+	InsecureSkipVerify      bool                   `json:"insecureSkipVerify"`
 	SrvKey                  string                 `json:"srvKey"`
 	SrvKeyBytes             []byte
 	SrvExpSeconds           int `json:"srvExpSeconds"`
diff --git a/go.mod b/go.mod
index 9406e4c6..d65134af 100644
--- a/go.mod
+++ b/go.mod
@@ -11,31 +11,32 @@ require (
 	github.com/gorilla/websocket v1.5.1
 	github.com/influxdata/influxdb-client-go/v2 v2.13.0
 	github.com/kennygrant/sanitize v1.2.4
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/tidwall/gjson v1.17.0
-	golang.org/x/crypto v0.21.0
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/crypto v0.23.0
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/go-git/go-git/v5 v5.12.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/pierrec/lz4/v4 v4.1.21
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 	go.uber.org/mock v0.3.0
+	golang.org/x/mod v0.17.0
 )
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -49,13 +50,11 @@ require (
 	github.com/oapi-codegen/runtime v1.0.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/tools v0.16.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index bb7cb388..9f7f307d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,10 +1,10 @@
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
+github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
@@ -21,10 +21,11 @@ github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
+github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,8 +39,8 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
+github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -48,8 +49,8 @@ github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
-github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
+github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -117,11 +118,11 @@ github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUz
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
-github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
+github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -131,8 +132,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
 github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
@@ -159,16 +160,16 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -178,14 +179,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -202,15 +201,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -219,15 +218,13 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -240,7 +237,7 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/html/css/app.css b/html/css/app.css
index ac039959..51bb074f 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -534,6 +534,11 @@ td {
   margin-top: 20px;
 }
 
+.detection-source-button-row {
+  margin-top: 6px;
+  margin-bottom: -8px;
+}
+
 .header {
   font-size: 1.3em;
   font-weight: bold;
@@ -628,4 +633,27 @@ td {
 #override-filter-edit-buttons {
   display: flex;
   justify-content: end;
+}
+
+.prism {
+  /* you must provide font-family font-size line-height. Example:*/
+  font-family: Fira code, Fira Mono, Consolas, Menlo, Courier, monospace;
+  font-size: 14px;
+  line-height: 1.5;
+  padding: 5px;
+  border: 1px solid gray;
+  border-radius: 3px;
+}
+
+.prism-editor__container {
+  min-height: 10em;
+}
+
+/* optional class for removing the outline */
+.prism-editor__textarea:focus {
+  outline: none;
+}
+
+code {
+  background-color: unset !important;
 }
\ No newline at end of file
diff --git a/html/css/external/prism-custom-dark-v1.29.0.css b/html/css/external/prism-custom-dark-v1.29.0.css
new file mode 100644
index 00000000..2c7bd1af
--- /dev/null
+++ b/html/css/external/prism-custom-dark-v1.29.0.css
@@ -0,0 +1,3 @@
+/* PrismJS 1.29.0
+http://localhost:8080/download.html#themes=prism-tomorrow&languages=suricata+yaml+yara */
+code[class*=language-],pre[class*=language-]{color:#ccc;background:0 0;font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*=language-],pre[class*=language-]{background:#2d2d2d}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.block-comment,.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#999}.token.punctuation{color:#ccc}.token.attr-name,.token.deleted,.token.namespace,.token.tag{color:#e2777a}.token.function-name{color:#6196cc}.token.boolean,.token.function,.token.number{color:#f08d49}.token.class-name,.token.constant,.token.property,.token.symbol{color:#f8c555}.token.atrule,.token.builtin,.token.important,.token.keyword,.token.selector{color:#cc99cd}.token.attr-value,.token.char,.token.regex,.token.string,.token.variable{color:#7ec699}.token.entity,.token.operator,.token.url{color:#67cdcc}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help}.token.inserted{color:green}
diff --git a/html/css/external/prism-custom-light-v1.29.0.css b/html/css/external/prism-custom-light-v1.29.0.css
new file mode 100644
index 00000000..74180531
--- /dev/null
+++ b/html/css/external/prism-custom-light-v1.29.0.css
@@ -0,0 +1,3 @@
+/* PrismJS 1.29.0
+http://localhost:8080/download.html#themes=prism&languages=markup+css+clike+javascript */
+code[class*=language-],pre[class*=language-]{color:#000;background:0 0;text-shadow:0 1px #fff;font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}code[class*=language-] ::-moz-selection,code[class*=language-]::-moz-selection,pre[class*=language-] ::-moz-selection,pre[class*=language-]::-moz-selection{text-shadow:none;background:#b3d4fc}code[class*=language-] ::selection,code[class*=language-]::selection,pre[class*=language-] ::selection,pre[class*=language-]::selection{text-shadow:none;background:#b3d4fc}@media print{code[class*=language-],pre[class*=language-]{text-shadow:none}}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*=language-],pre[class*=language-]{background:#f5f2f0}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#708090}.token.punctuation{color:#999}.token.namespace{opacity:.7}.token.boolean,.token.constant,.token.deleted,.token.number,.token.property,.token.symbol,.token.tag{color:#905}.token.attr-name,.token.builtin,.token.char,.token.inserted,.token.selector,.token.string{color:#690}.language-css .token.string,.style .token.string,.token.entity,.token.operator,.token.url{color:#9a6e3a;background:hsla(0,0%,100%,.5)}.token.atrule,.token.attr-value,.token.keyword{color:#07a}.token.class-name,.token.function{color:#dd4a68}.token.important,.token.regex,.token.variable{color:#e90}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help}
diff --git a/html/css/external/vue-prism-editor-v1.3.0.min.css b/html/css/external/vue-prism-editor-v1.3.0.min.css
new file mode 100644
index 00000000..0071160f
--- /dev/null
+++ b/html/css/external/vue-prism-editor-v1.3.0.min.css
@@ -0,0 +1 @@
+.prism-editor-wrapper{width:100%;height:100%;display:flex;align-items:flex-start;overflow:auto;-o-tab-size:1.5em;tab-size:1.5em;-moz-tab-size:1.5em}@media (-ms-high-contrast:active),(-ms-high-contrast:none){.prism-editor-wrapper .prism-editor__textarea{color:transparent!important}.prism-editor-wrapper .prism-editor__textarea::-moz-selection{background-color:#accef7!important;color:transparent!important}.prism-editor-wrapper .prism-editor__textarea::selection{background-color:#accef7!important;color:transparent!important}}.prism-editor-wrapper .prism-editor__container{position:relative;text-align:left;box-sizing:border-box;padding:0;overflow:hidden;width:100%}.prism-editor-wrapper .prism-editor__line-numbers{height:100%;overflow:hidden;flex-shrink:0;padding-top:4px;margin-top:0;margin-right:10px}.prism-editor-wrapper .prism-editor__line-number{text-align:right;white-space:nowrap}.prism-editor-wrapper .prism-editor__textarea{position:absolute;top:0;left:0;height:100%;width:100%;resize:none;color:inherit;overflow:hidden;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;-webkit-text-fill-color:transparent}.prism-editor-wrapper .prism-editor__editor,.prism-editor-wrapper .prism-editor__textarea{margin:0;border:0;background:none;box-sizing:inherit;display:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant-ligatures:inherit;font-weight:inherit;letter-spacing:inherit;line-height:inherit;-moz-tab-size:inherit;-o-tab-size:inherit;tab-size:inherit;text-indent:inherit;text-rendering:inherit;text-transform:inherit;white-space:pre-wrap;word-wrap:keep-all;overflow-wrap:break-word;padding:0}.prism-editor-wrapper .prism-editor__textarea--empty{-webkit-text-fill-color:inherit!important}.prism-editor-wrapper .prism-editor__editor{position:relative;pointer-events:none}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index a79737b4..07db1ddc 100644
--- a/html/index.html
+++ b/html/index.html
@@ -18,6 +18,8 @@
     <link rel="stylesheet" href="css/external/vuetify-v2.7.1.min.css">
     <link rel="stylesheet" href="css/external/all-6.5.1.min.css">
     <link rel="stylesheet" href="css/external/daterangepicker-3.14.1.css">
+    <link rel="stylesheet" href="css/external/vue-prism-editor-v1.3.0.min.css" />
+    <link rel="stylesheet" href="css/external/prism-custom-dark-v1.29.0.css" />
     <link rel="stylesheet" href="css/app.css?v=VERSION_PLACEHOLDER">
     <title>Security Onion</title>
     <script src="js/analytics.js?v=VERSION_PLACEHOLDER"></script>
@@ -165,8 +167,12 @@
         <v-spacer></v-spacer>
         <div id="connection-indicator" v-if="!connected || reconnecting">
           <v-icon class="mr-2" color="warning">fa-satellite-dish</v-icon>
-          <span v-if="reconnecting" v-text="i18n.reconnecting"></span>
-          <span v-if="!reconnecting" v-text="i18n.disconnected"></span>
+          <span v-if="reconnecting" v-text="i18n.reconnecting" class="d-none d-md-inline" data-aid="reconnecting_notice"></span>
+          <span v-if="!reconnecting" v-text="i18n.disconnected" class="d-none d-md-inline" data-aid="disconnected_notice"></span>
+        </div>
+        <div id="license-indicator" v-else-if="isLicenseExpiringSoon()">
+          <v-icon class="mr-2" color="warning">fa-key</v-icon>
+          <span v-text="i18n.licenseExpiringSoon" class="d-none d-md-inline" data-aid="license_expiring_notice"></span>
         </div>
         <v-spacer></v-spacer>
         <v-menu bottom left offset-y>
@@ -412,7 +418,7 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
         </v-row>
         <v-row align="start">
           <v-col cols="12" :md="isCategory('detections') ? 10 : 7">
-            <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @change="notifyInputsChanged" class="mx-2" v-model="$data[isAdvanced() ? 'query' : 'queryName']" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="hunt" id="hunt-query-input" :data-aid="'query_input_' + category">
+            <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @input="queryAltered = true" @change="queryModified" class="mx-2" v-model="$data[getDisplayedQueryVar()]" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="submitQuery" id="hunt-query-input" :data-aid="'query_input_' + category">
               <template v-slot:prepend-inner>
                 <v-menu dense bottom three-line offset-y>
                   <template v-slot:activator="{ on: menu }">
@@ -447,6 +453,11 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
                   </v-list>
                 </v-menu>
               </template>
+              <template v-if="isAdvanced()" v-slot:append>
+                <v-btn small icon id="toggle-full-query-button" :title="i18n.toggleFullQueryHelp" @click="showFullQuery = !showFullQuery" :disabled="queryAltered" :data-aid="'toggle_full_query_' + category">
+                  <v-icon>fa-ellipsis</v-icon>
+                </v-btn>
+              </template>
               <template v-if="!isCategory('hunt')" v-slot:append-outer>
                 <v-btn small icon id="switch-to-hunt-button" :title="i18n.huntHelp" @click="switchToHunt()" :data-aid="'nav_hunt_' + category">
                   <v-icon>fa-crosshairs</v-icon>
@@ -1045,6 +1056,20 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
             </v-card-actions>
           </v-card>
         </v-dialog>
+
+        <v-dialog v-model="showBulkDeleteConfirmDialog" persistent max-width="400" data-aid="bulk_delete_confirmation">
+          <v-card>
+            <v-card-title class="text-h5" v-text="i18n.detectionDeleteConfirmationTitle" />
+            <v-card-text>
+              {{ i18n.detectionDeleteConfirmationBody.replace('{count}', (selectAllState === true ? totalEvents : selectedCount).toLocaleString()) }}
+            </v-card-text>
+            <v-card-actions>
+              <v-spacer></v-spacer>
+              <v-btn text id="detections-bulk-confirm" @click="bulkAction(true)" v-text="i18n.yes" data-aid="detection_bulk_action_confirm" />
+              <v-btn text id="detections-bulk-cancel" @click="bulkDeleteDialogCancel()" v-text="i18n.cancel" data-aid="detection_bulk_action_cancel" />
+            </v-card-actions>
+          </v-card>
+        </v-dialog>
       </v-container>
     </script>
 
@@ -1064,15 +1089,20 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                   <div class="header">{{ i18n.add }} {{ i18n.detection }}</div>
                   <!-- Language -->
                   <span data-aid="detection_new_language_select">
-                    <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onDetectionChange"/>
+                    <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onNewDetectionLanguageChange"/>
                   </span>
 
                   <!-- License -->
-                  <v-text-field id="detection-license-create" class="mt-0" v-model="detect.license" persistent-hint :hint="i18n.license" data-aid="detection_license_input" />
+                  <span data-aid="detection_new_license_select">
+                    <v-select id="detection-license-create" v-if="!isPresetCustomEnabled('license')" v-model="detect.license" :items="getPresets('license')" persistent-hint :hint="i18n.license" :rules="[rules.required]"/>
+                    <v-combobox id="detection-license-create" v-if="isPresetCustomEnabled('license')" v-model="detect.license" :items="getPresets('license')" persistent-hint :hint="i18n.license" :rules="[rules.required]"/>
+                  </span>
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea id="signature-source" class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" @input="onDetectionChange()" data-aid="detection_signature_input" />
+                  <span data-aid="detection_signature_input">
+                    <prism-editor class="prism" :highlight="highlighter" v-model="detect.content"></prism-editor>
+                  </span>
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1131,7 +1161,7 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                     </div>
                     <div class="header">{{i18n.detectionLogic}}</div>
                     <div class="extracted-content" data-aid="detection_logic_display">
-                      <pre>{{extractedLogic}}</pre>
+                      <pre><code :class="extractedLogicClass">{{extractedLogic}}</code></pre>
                     </div>
                   </v-col>
                 </v-row>
@@ -1143,7 +1173,7 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                       <v-btn :title="i18n.addCommentHelp" color="primary" @click.stop="prepareForInput('comment-input')" id="add-comment-button" data-aid="detection_comments_new">
                         <v-icon>fa-plus</v-icon>
                       </v-btn>
-                      <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="reloadAssociation(true)" id="refresh-comments-button" data-aid="detection_comments_refresh">
+                      <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="loadComments(true)" id="refresh-comments-button" data-aid="detection_comments_refresh">
                         <v-icon>fa-sync</v-icon>
                       </v-btn>
                     </v-toolbar>
@@ -1260,25 +1290,25 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
               </v-tab-item>
 
               <v-tab-item value="source" data-aid="detection_source">
-                <v-row class="contrast-bg rounded rounded-md pa-4">
-                  <v-col>
-                    <!-- Signature -->
-                    <v-textarea class="config-editor" :readonly="detect.isCommunity" solo flat v-model="detect.content" auto-grow rows="15" data-aid="detection_source_input" />
-                    <div class="d-flex align-center align-self-end justify-end text-body-2">
-                      <div class="d-inline-flex justify-end">
-                        <v-btn v-if="canConvert()" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()" data-aid="detection_source_convert">
-                          {{ i18n.convert }}
-                        </v-btn>
-                        <v-btn id="detection-cancel" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="cancelDetection()" data-aid="detection_source_cancel">
-                          {{ i18n.cancel }}
-                        </v-btn>
-                        <v-btn id="detection-update" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="saveDetection(false, true)" data-aid="detection_source_save">
-                          {{i18n.update}}
-                        </v-btn>
-                      </div>
+                <v-col class="contrast-bg rounded rounded-md pa-4">
+                  <!-- Signature -->
+                  <span data-aid="detection_source_input">
+                    <prism-editor class="prism" :highlight="highlighter" v-model="detect.content" :readonly="detect.isCommunity"></prism-editor>
+                  </span>
+                  <div class="d-flex align-self-end justify-end detection-source-button-row">
+                    <div class="d-inline-flex">
+                      <v-btn v-if="canConvert()" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()" data-aid="detection_source_convert">
+                        {{ i18n.convert }}
+                      </v-btn>
+                      <v-btn id="detection-cancel" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="cancelDetection()" data-aid="detection_source_cancel">
+                        {{ i18n.cancel }}
+                      </v-btn>
+                      <v-btn id="detection-update" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="saveDetection(false, true)" data-aid="detection_source_save">
+                        {{i18n.update}}
+                      </v-btn>
                     </div>
-                  </v-col>
-                </v-row>
+                  </div>
+                </v-col>
               </v-tab-item>
 
               <v-tab-item value="tuning" data-aid="detection_tuning">
@@ -1321,7 +1351,13 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                         <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="getTrackOptions(newOverride.type)" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
                       </span>
                       <!-- ip -->
-                      <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input"></v-text-field>
+                      <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input">
+                        <template v-slot:append-outer>
+                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars', a: '1', e: '1' }}" target="_blank" data-aid="new_override_ip_edit_config_shortcut">
+                            <v-icon>fa fa-gear</v-icon>
+                          </router-link>
+                        </template>
+                      </v-text-field>
                       <!-- count -->
                       <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-count-edit" v-model="newOverride.count" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.count" data-aid="detection_new_override_threshold_count_input"></v-text-field>
                       <!-- seconds -->
@@ -1347,7 +1383,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                     </div>
                   </v-form>
                 </div>
-                <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
+                <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders[detect.engine]"
                   :items="detect.overrides" item-key="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                   <template v-slot:item="{ item, index, expand, isExpanded }">
                     <tr>
@@ -1357,7 +1393,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                           <v-icon v-else :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp" data-aid="detection_overrides_expand">fa-angle-right</v-icon>
                         </v-btn>
                       </td>
-                      <td v-for="field in overrideHeaders" :key="field.value" data-aid="detection_overrides_headers_display">
+                      <td v-for="field in overrideHeaders[detect.engine]" :key="field.value" data-aid="detection_overrides_headers_display">
                         <div class="d-inline-block">
                           <span v-if="!field.format">{{ item[field.value] }}</span>
                           <span v-else v-text="$root.formatLocalTimestamp(item[field.value], zone)"/>
@@ -1426,7 +1462,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                                 {{ i18n.save }}
                               </v-btn>
                             </div>
-                          </span>  
+                          </span>
                         </div>
                         <!-- type (threshold) -->
                         <div v-if="item.type === 'threshold'" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')" :class="{ clicktoedit: !isOverrideEdit('override-threshold-type') }" data-aid="detection_override_threshold_type_select">
@@ -1458,7 +1494,13 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                           </span>
                           <span v-else>
                             <v-text-field id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.cidrFormat]"
-                              persistent-hint :hint="i18n.cidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input"></v-text-field>
+                              persistent-hint :hint="i18n.ipCidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input">
+                            <template v-slot:append-outer>
+                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars', a: '1', e: '1' }}" target="_blank" data-aid="override_ip_edit_config_shortcut">
+                                <v-icon>fa fa-gear</v-icon>
+                              </router-link>
+                            </template>
+                            </v-text-field>
                             <div id="override-ip-edit-buttons">
                               <v-btn @click.stop="stopOverrideEdit(false)" text small class="align-self-end" data-aid="detection_override_ip_cancel">
                                 {{ i18n.cancel }}
@@ -1584,7 +1626,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                   <v-text-field v-model="historyTableOpts.search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details data-aid="detection_history_filter_input"></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="historyTableOpts.sortBy" :sort-desc.sync="historyTableOpts.sortDesc" :items-per-page.sync="historyTableOpts.itemsPerPage"
                     :search="historyTableOpts.search" :footer-props="historyTableOpts.footerProps" must-sort :headers="historyTableOpts.headers"
-                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table">
+                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="{item, index, expand, isExpanded}">
                       <tr>
                         <td class="associated actions">
@@ -2215,7 +2257,7 @@ <h4 v-if="!$root.loading">{{ i18n.usersEnabled }} {{ countUsersEnabled() }} / {{
                         <v-col cols="12" lg="4">
                           <v-card>
                             <v-card-title>{{ i18n.roles }}</v-card-title>
-                            <v-card-text data-aid="'users_details_role_toggle">
+                            <v-card-text data-aid="users_details_role_toggle">
                               <v-checkbox v-for="role in roles" :key="role" :id="'role-checkbox-' + role" dense :input-value="hasRole(item, role)" :label="role" @click.stop="return toggleRole(item, role)">
                             </v-card-text>
                           </v-card>
@@ -3084,7 +3126,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage"
                     :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
-                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table">
+                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="props">
                       <tr>
                         <td class="association actions">
@@ -3433,7 +3475,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details data-aid="case_history_filter_input"></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage"
                     :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
-                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded" class="case-table">
+                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded" class="case-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="props">
                       <tr>
                         <td class="associated actions">
@@ -4672,6 +4714,12 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                     <li>
                       {{i18n.configQLElasticsearchHeader}}
                       <ul>
+                        <li>
+                          <router-link data-aid="config_quicklink_es_warm" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.warm.min_age'}}">{{i18n.configQLElasticsearchWarm}}</router-link>
+                        </li>
+                        <li>
+                          <router-link data-aid="config_quicklink_es_cold" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.cold.min_age'}}">{{i18n.configQLElasticsearchCold}}</router-link>
+                        </li>
                         <li>
                           <router-link data-aid="config_quicklink_es_delete" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.delete.min_age'}}">{{i18n.configQLElasticsearchDelete}}</router-link>
                         </li>
@@ -5123,6 +5171,8 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/external/chartjs-adapter-moment-1.0.0.min.js"></script>
     <script src="js/external/js-yaml.4.1.0.min.js"></script>
     <script src="js/external/lz-string.1.5.0.min.js"></script>
+    <script src="js/external/vue-prism-editor-v1.3.0.umd.production.min.js"></script>
+    <script src="js/external/prism-custom-v1.29.0.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/app.js b/html/js/app.js
index b9503bc0..6ebbf417 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -15,6 +15,8 @@ const LICENSE_STATUS_INVALID = "invalid";
 const LICENSE_STATUS_PENDING = "pending";
 const LICENSE_STATUS_UNPROVISIONED = "unprovisioned";
 
+const LICENSE_EXPIRES_SOON_DAYS = 45;
+
 const UNREALISTIC_AGE = 1700000000; // About 54 years
 
 const USER_PASSWORD_LENGTH_MIN = 8;
@@ -86,6 +88,7 @@ $(document).ready(function() {
       parameterCallback: null,
       parameterSection: null,
       chartsInitialized: false,
+      editorInitialized: false,
       tools: [],
       casesEnabled: false,
       detectionsEnabled: false,
@@ -308,6 +311,16 @@ $(document).ready(function() {
           this.removeSearchParam('r');
         }
       },
+      isLicenseExpiringSoon() {
+        if (this.licenseStatus == LICENSE_STATUS_ACTIVE && this.licenseKey.expiration) {
+          const now = Date.now();
+          const exp = Date.parse(this.licenseKey.expiration);
+          const timeToExpirationMs = exp - now;
+          const minTimeToExpirationMs = LICENSE_EXPIRES_SOON_DAYS * 24 * 60 * 60 * 1000;
+          return timeToExpirationMs < minTimeToExpirationMs;
+        }
+        return false;
+      },
       async loadServerSettings(background) {
         // This version element ensures we're passed the login screen.
         if (document.getElementById("version")) {
@@ -455,7 +468,8 @@ $(document).ready(function() {
       },
       toggleTheme() {
         this.$vuetify.theme.dark = !this.$vuetify.theme.dark
-        this.timestamp=Date.now();
+        this.timestamp = Date.now();
+        this.updateEditorTheme();
       },
       setFavicon() {
         const colorSchemeString = window.matchMedia && window.matchMedia("(prefers-color-scheme: dark)").matches
@@ -687,11 +701,22 @@ $(document).ready(function() {
       loadLocalSettings() {
         if (localStorage['settings.app.dark'] != undefined) {
           this.$vuetify.theme.dark = localStorage['settings.app.dark'] == "true";
+          this.updateEditorTheme();
         }
         if (localStorage['settings.app.navbar'] != undefined) {
           this.toolbar = localStorage['settings.app.navbar'] == "true";
         }
       },
+      updateEditorTheme() {
+        var link = $('link[href^="css/external/prism-custom-"]')[0];
+        if (link) {
+          if (this.$vuetify.theme.dark) {
+            link.href = "css/external/prism-custom-dark-v1.29.0.css";
+          } else {
+            link.href = "css/external/prism-custom-light-v1.29.0.css";
+          }
+        }
+      },
       subscribe(kind, fn) {
         this.ensureConnected();
         var list = this.subscriptions[kind];
@@ -860,6 +885,15 @@ $(document).ready(function() {
 
         this.chartsInitialized = true;
       },
+      registerEditor() {
+        Vue.component('prism-editor', PrismEditor.component);
+      },
+      initializeEditor() {
+        if (this.editorInitialized) return;
+        this.registerEditor();
+
+        this.editorInitialized = true;
+      },
       getColor(colorName, percent = 0) {
         percent = this.$root.$vuetify && this.$root.$vuetify.theme.dark ? percent * -1 : percent;
         var color = colorName;
@@ -1020,7 +1054,7 @@ $(document).ready(function() {
       },
       isDetectionsUpdating() {
         return this.currentStatus != null && this.currentStatus.detections != null &&
-          !this.isDetectionsUnhealthy() && 
+          !this.isDetectionsUnhealthy() &&
           ( this.currentStatus.detections.elastalert.importing === true ||
             this.currentStatus.detections.elastalert.migrating === true ||
             this.currentStatus.detections.elastalert.syncing === true ||
@@ -1142,6 +1176,27 @@ $(document).ready(function() {
 
         return '';
       },
+      dateAwareSort(items, index, isDesc) {
+        items.sort((a, b) => {
+          if (index[0] === 'createTime' || index[0] === 'updateTime') {
+            if (!isDesc[0]) {
+              return new Date(a[index]) - new Date(b[index]);
+            }
+
+            return new Date(b[index]) - new Date(a[index]);
+          }
+
+          if (typeof a[index] !== 'undefined') {
+            if (!isDesc[0]) {
+              return a[index].toLowerCase().localeCompare(b[index].toLowerCase());
+            }
+
+            return b[index].toLowerCase().localeCompare(a[index].toLowerCase());
+          }
+        });
+
+        return items;
+      },
     },
     created() {
       this.log("Initializing application components");
diff --git a/html/js/app.test.js b/html/js/app.test.js
index ad87e4c1..9725b4d7 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -534,7 +534,7 @@ test('isDetectionsUnhealthy', () => {
   verifyEngineFailureStates(false, false, false, false, false, false, true, true, true, true);
   verifyEngineFailureStates(false, false, false, false, false, false, false, true, true, true);
   verifyEngineFailureStates(false, false, false, false, false, false, false, false, true, true);
-  
+
   // Healthy
   verifyEngineFailureStates(false, false, false, false, false, false, false, false, false, false);
 
@@ -658,7 +658,7 @@ test('getDetectionEngineStatus', () => {
 
 test('isAttentionNeeded', () => {
   app.connected =  true;
-  app.currentStatus = { 
+  app.currentStatus = {
     detections: {
       elastalert: {
         integrityFailure: false,
@@ -708,3 +708,61 @@ test('isAttentionNeeded', () => {
   // Back to normal
   expect(app.isAttentionNeeded()).toBe(false);
 })
+
+test('dateAwareSort', () => {
+  let items = [
+    { string: 'May 28, 2024 10:00:00 AM', createTime: 'May 28, 2024 10:00:00 AM', strOrder: 1, dateOrder: 0 },
+    { string: 'May 28, 2024 11:00:00 AM', createTime: 'May 28, 2024 11:00:00 AM', strOrder: 2, dateOrder: 1 },
+    { string: 'May 28, 2024 12:00:00 PM', createTime: 'May 28, 2024 12:00:00 PM', strOrder: 3, dateOrder: 2 },
+    { string: 'May 28, 2024 1:00:00 PM', createTime: 'May 28, 2024 1:00:00 PM', strOrder: 0, dateOrder: 3 },
+    { string: 'May 28, 2024 2:00:00 PM', createTime: 'May 28, 2024 2:00:00 PM', strOrder: 4, dateOrder: 4 },
+  ];
+  let index = ["string"];
+  let isDesc = [false];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].strOrder).toBe(i);
+  }
+
+  // Reverse the sort
+  isDesc = [true];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].strOrder).toBe(items.length - i - 1);
+  }
+
+  // revert order, change sortby
+  index = ["createTime"];
+  isDesc = [false];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].dateOrder).toBe(i);
+  }
+
+  // Reverse the sort
+  isDesc = [true];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].dateOrder).toBe(items.length - i - 1);
+  }
+});
+
+test('licenseExpiringSoon', () => {
+  const date = new Date();
+  app.licenseKey = { expiration: date.toISOString() };
+  expect(app.isLicenseExpiringSoon()).toBe(true);
+  
+  app.licenseKey = { expiration: "2024-01-01T01:01:01Z" };
+  expect(app.isLicenseExpiringSoon()).toBe(true);
+
+  app.licenseKey = { expiration: "2054-01-01T01:01:01Z" };
+  expect(app.isLicenseExpiringSoon()).toBe(false);
+});
\ No newline at end of file
diff --git a/html/js/external/prism-custom-v1.29.0.js b/html/js/external/prism-custom-v1.29.0.js
new file mode 100644
index 00000000..43e9de61
--- /dev/null
+++ b/html/js/external/prism-custom-v1.29.0.js
@@ -0,0 +1,7 @@
+/* PrismJS 1.29.0
+http://127.0.0.1:8080/download.html#themes=prism&languages=suricata+suricata-logic+yaml+yara */
+var _self="undefined"!=typeof window?window:"undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?self:{},Prism=function(e){var n=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,r={},a={manual:e.Prism&&e.Prism.manual,disableWorkerMessageHandler:e.Prism&&e.Prism.disableWorkerMessageHandler,util:{encode:function e(n){return n instanceof i?new i(n.type,e(n.content),n.alias):Array.isArray(n)?n.map(e):n.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(n,t){var r,i;switch(t=t||{},a.util.type(n)){case"Object":if(i=a.util.objId(n),t[i])return t[i];for(var l in r={},t[i]=r,n)n.hasOwnProperty(l)&&(r[l]=e(n[l],t));return r;case"Array":return i=a.util.objId(n),t[i]?t[i]:(r=[],t[i]=r,n.forEach((function(n,a){r[a]=e(n,t)})),r);default:return n}},getLanguage:function(e){for(;e;){var t=n.exec(e.className);if(t)return t[1].toLowerCase();e=e.parentElement}return"none"},setLanguage:function(e,t){e.className=e.className.replace(RegExp(n,"gi"),""),e.classList.add("language-"+t)},currentScript:function(){if("undefined"==typeof document)return null;if("currentScript"in document)return document.currentScript;try{throw new Error}catch(r){var e=(/at [^(\r\n]*\((.*):[^:]+:[^:]+\)$/i.exec(r.stack)||[])[1];if(e){var n=document.getElementsByTagName("script");for(var t in n)if(n[t].src==e)return n[t]}return null}},isActive:function(e,n,t){for(var r="no-"+n;e;){var a=e.classList;if(a.contains(n))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!t}},languages:{plain:r,plaintext:r,text:r,txt:r,extend:function(e,n){var t=a.util.clone(a.languages[e]);for(var r in n)t[r]=n[r];return t},insertBefore:function(e,n,t,r){var i=(r=r||a.languages)[e],l={};for(var o in i)if(i.hasOwnProperty(o)){if(o==n)for(var s in t)t.hasOwnProperty(s)&&(l[s]=t[s]);t.hasOwnProperty(o)||(l[o]=i[o])}var u=r[e];return r[e]=l,a.languages.DFS(a.languages,(function(n,t){t===u&&n!=e&&(this[n]=l)})),l},DFS:function e(n,t,r,i){i=i||{};var l=a.util.objId;for(var o in n)if(n.hasOwnProperty(o)){t.call(n,o,n[o],r||o);var s=n[o],u=a.util.type(s);"Object"!==u||i[l(s)]?"Array"!==u||i[l(s)]||(i[l(s)]=!0,e(s,t,o,i)):(i[l(s)]=!0,e(s,t,null,i))}}},plugins:{},highlightAll:function(e,n){a.highlightAllUnder(document,e,n)},highlightAllUnder:function(e,n,t){var r={callback:t,container:e,selector:'code[class*="language-"], [class*="language-"] code, code[class*="lang-"], [class*="lang-"] code'};a.hooks.run("before-highlightall",r),r.elements=Array.prototype.slice.apply(r.container.querySelectorAll(r.selector)),a.hooks.run("before-all-elements-highlight",r);for(var i,l=0;i=r.elements[l++];)a.highlightElement(i,!0===n,r.callback)},highlightElement:function(n,t,r){var i=a.util.getLanguage(n),l=a.languages[i];a.util.setLanguage(n,i);var o=n.parentElement;o&&"pre"===o.nodeName.toLowerCase()&&a.util.setLanguage(o,i);var s={element:n,language:i,grammar:l,code:n.textContent};function u(e){s.highlightedCode=e,a.hooks.run("before-insert",s),s.element.innerHTML=s.highlightedCode,a.hooks.run("after-highlight",s),a.hooks.run("complete",s),r&&r.call(s.element)}if(a.hooks.run("before-sanity-check",s),(o=s.element.parentElement)&&"pre"===o.nodeName.toLowerCase()&&!o.hasAttribute("tabindex")&&o.setAttribute("tabindex","0"),!s.code)return a.hooks.run("complete",s),void(r&&r.call(s.element));if(a.hooks.run("before-highlight",s),s.grammar)if(t&&e.Worker){var c=new Worker(a.filename);c.onmessage=function(e){u(e.data)},c.postMessage(JSON.stringify({language:s.language,code:s.code,immediateClose:!0}))}else u(a.highlight(s.code,s.grammar,s.language));else u(a.util.encode(s.code))},highlight:function(e,n,t){var r={code:e,grammar:n,language:t};if(a.hooks.run("before-tokenize",r),!r.grammar)throw new Error('The language "'+r.language+'" has no grammar.');return r.tokens=a.tokenize(r.code,r.grammar),a.hooks.run("after-tokenize",r),i.stringify(a.util.encode(r.tokens),r.language)},tokenize:function(e,n){var t=n.rest;if(t){for(var r in t)n[r]=t[r];delete n.rest}var a=new s;return u(a,a.head,e),o(e,a,n,a.head,0),function(e){for(var n=[],t=e.head.next;t!==e.tail;)n.push(t.value),t=t.next;return n}(a)},hooks:{all:{},add:function(e,n){var t=a.hooks.all;t[e]=t[e]||[],t[e].push(n)},run:function(e,n){var t=a.hooks.all[e];if(t&&t.length)for(var r,i=0;r=t[i++];)r(n)}},Token:i};function i(e,n,t,r){this.type=e,this.content=n,this.alias=t,this.length=0|(r||"").length}function l(e,n,t,r){e.lastIndex=n;var a=e.exec(t);if(a&&r&&a[1]){var i=a[1].length;a.index+=i,a[0]=a[0].slice(i)}return a}function o(e,n,t,r,s,g){for(var f in t)if(t.hasOwnProperty(f)&&t[f]){var h=t[f];h=Array.isArray(h)?h:[h];for(var d=0;d<h.length;++d){if(g&&g.cause==f+","+d)return;var v=h[d],p=v.inside,m=!!v.lookbehind,y=!!v.greedy,k=v.alias;if(y&&!v.pattern.global){var x=v.pattern.toString().match(/[imsuy]*$/)[0];v.pattern=RegExp(v.pattern.source,x+"g")}for(var b=v.pattern||v,w=r.next,A=s;w!==n.tail&&!(g&&A>=g.reach);A+=w.value.length,w=w.next){var E=w.value;if(n.length>e.length)return;if(!(E instanceof i)){var P,L=1;if(y){if(!(P=l(b,A,e,m))||P.index>=e.length)break;var S=P.index,O=P.index+P[0].length,j=A;for(j+=w.value.length;S>=j;)j+=(w=w.next).value.length;if(A=j-=w.value.length,w.value instanceof i)continue;for(var C=w;C!==n.tail&&(j<O||"string"==typeof C.value);C=C.next)L++,j+=C.value.length;L--,E=e.slice(A,j),P.index-=A}else if(!(P=l(b,0,E,m)))continue;S=P.index;var N=P[0],_=E.slice(0,S),M=E.slice(S+N.length),W=A+E.length;g&&W>g.reach&&(g.reach=W);var z=w.prev;if(_&&(z=u(n,z,_),A+=_.length),c(n,z,L),w=u(n,z,new i(f,p?a.tokenize(N,p):N,k,N)),M&&u(n,w,M),L>1){var I={cause:f+","+d,reach:W};o(e,n,t,w.prev,A,I),g&&I.reach>g.reach&&(g.reach=I.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},n={value:null,prev:e,next:null};e.next=n,this.head=e,this.tail=n,this.length=0}function u(e,n,t){var r=n.next,a={value:t,prev:n,next:r};return n.next=a,r.prev=a,e.length++,a}function c(e,n,t){for(var r=n.next,a=0;a<t&&r!==e.tail;a++)r=r.next;n.next=r,r.prev=n,e.length-=a}if(e.Prism=a,i.stringify=function e(n,t){if("string"==typeof n)return n;if(Array.isArray(n)){var r="";return n.forEach((function(n){r+=e(n,t)})),r}var i={type:n.type,content:e(n.content,t),tag:"span",classes:["token",n.type],attributes:{},language:t},l=n.alias;l&&(Array.isArray(l)?Array.prototype.push.apply(i.classes,l):i.classes.push(l)),a.hooks.run("wrap",i);var o="";for(var s in i.attributes)o+=" "+s+'="'+(i.attributes[s]||"").replace(/"/g,"&quot;")+'"';return"<"+i.tag+' class="'+i.classes.join(" ")+'"'+o+">"+i.content+"</"+i.tag+">"},!e.document)return e.addEventListener?(a.disableWorkerMessageHandler||e.addEventListener("message",(function(n){var t=JSON.parse(n.data),r=t.language,i=t.code,l=t.immediateClose;e.postMessage(a.highlight(i,a.languages[r],r)),l&&e.close()}),!1),a):a;var g=a.util.currentScript();function f(){a.manual||a.highlightAll()}if(g&&(a.filename=g.src,g.hasAttribute("data-manual")&&(a.manual=!0)),!a.manual){var h=document.readyState;"loading"===h||"interactive"===h&&g&&g.defer?document.addEventListener("DOMContentLoaded",f):window.requestAnimationFrame?window.requestAnimationFrame(f):window.setTimeout(f,16)}return a}(_self);"undefined"!=typeof module&&module.exports&&(module.exports=Prism),"undefined"!=typeof global&&(global.Prism=Prism);
+Prism.languages.suricata={protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,alias:"selector"},action:{pattern:/\b(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)\b/,alias:"namespace"},direction:{pattern:/(->|<>)/,alias:"operator"},options:{pattern:/\(.*\)?/,greedy:!0,alias:"text",inside:{"opening-paren":{pattern:/^\(/,alias:"operator"},"closing-paren":{pattern:/\)$/,alias:"operator"},string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"option-key":{pattern:/\w+:/,alias:"selector"},"flag-option":{pattern:/(noalert|fast_pattern);/,alias:"tag"}}},comment:[{pattern:/#.*/,lookbehind:!0,greedy:!0}]};
+Prism.languages["suricata-logic"]={string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,alias:"selector"},direction:{pattern:/(->|<>)/,alias:"operator"},"flag-option":{pattern:/(noalert|fast_pattern)/,alias:"tag"},"option-key":{pattern:/\w+:/,alias:"selector"}};
+!function(e){var n=/[*&][^\s[\]{},]+/,r=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,t="(?:"+r.source+"(?:[ \t]+"+n.source+")?|"+n.source+"(?:[ \t]+"+r.source+")?)",a="(?:[^\\s\\x00-\\x08\\x0e-\\x1f!\"#%&'*,\\-:>?@[\\]`{|}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*".replace(/<PLAIN>/g,(function(){return"[^\\s\\x00-\\x08\\x0e-\\x1f,[\\]{}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]"})),d="\"(?:[^\"\\\\\r\n]|\\\\.)*\"|'(?:[^'\\\\\r\n]|\\\\.)*'";function o(e,n){n=(n||"").replace(/m/g,"")+"m";var r="([:\\-,[{]\\s*(?:\\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\\]|\\}|(?:[\r\n]\\s*)?#))".replace(/<<prop>>/g,(function(){return t})).replace(/<<value>>/g,(function(){return e}));return RegExp(r,n)}e.languages.yaml={scalar:{pattern:RegExp("([\\-:]\\s*(?:\\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\\S[^\r\n]*(?:\\2[^\r\n]+)*)".replace(/<<prop>>/g,(function(){return t}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp("((?:^|[:\\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\\s*:\\s)".replace(/<<prop>>/g,(function(){return t})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+d+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:o("\\d{4}-\\d\\d?-\\d\\d?(?:[tT]|[ \t]+)\\d\\d?:\\d{2}:\\d{2}(?:\\.\\d*)?(?:[ \t]*(?:Z|[-+]\\d\\d?(?::\\d{2})?))?|\\d{4}-\\d{2}-\\d{2}|\\d\\d?:\\d{2}(?::\\d{2}(?:\\.\\d*)?)?"),lookbehind:!0,alias:"number"},boolean:{pattern:o("false|true","i"),lookbehind:!0,alias:"important"},null:{pattern:o("null|~","i"),lookbehind:!0,alias:"important"},string:{pattern:o(d),lookbehind:!0,greedy:!0},number:{pattern:o("[+-]?(?:0x[\\da-f]+|0o[0-7]+|(?:\\d+(?:\\.\\d*)?|\\.\\d+)(?:e[+-]?\\d+)?|\\.inf|\\.nan)","i"),lookbehind:!0},tag:r,important:n,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(Prism);
+Prism.languages.yara={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/"(?:\\.|[^"\\\r\n])*"/,greedy:!0},"rule-signature":{pattern:/(private\s+)?rule\s*[a-z_][a-z0-9_]{0,127}\s*(:(\s*[a-z_][a-z0-9_]{0,50})+)?/i,alias:"text",inside:{"tag-separator":{pattern:/:/,alias:"operator"},identifier:{pattern:/(rule\s+)[a-z_][a-z0-9_]{0,127}/i,lookbehind:!0,alias:"text"},"private-rule":{pattern:/^(private\s+)?rule\b/i,alias:"keyword"},tag:{pattern:/[a-z_][a-z0-9_]{0,50}/i,alias:"property"}}},"category-header":{pattern:/(\n\s*)\w+:/,lookbehind:!0,alias:"keyword"},"byte-sequence":{pattern:/\{[a-f0-9 \[\]\?]*\}/i,alias:"string"},keyword:{pattern:/\b(all|and|any|ascii|at|base64(wide)?|condition|(i)?contains|(i)?endswith|entrypoint|false|filesize|for|fullword|global|import|in|include|(u)?int16(be)?|(u)?int32(be)?|(u)?int8(be)?|iequals|(i)?startswith|matches|meta|nocase|none|not|of|or|private|rule|strings|them|true|wide|xor|defined)\b/i}},Prism.languages.YARA=Prism.languages.yara;
diff --git a/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js b/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js
new file mode 100644
index 00000000..244a1515
--- /dev/null
+++ b/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js
@@ -0,0 +1,2 @@
+!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("vue")):"function"==typeof define&&define.amd?define(["exports","vue"],e):e((t=t||self).PrismEditor={},t.Vue)}(this,(function(t,e){"use strict";var i=void 0!==typeof self?self:this;function s(){return(s=Object.assign||function(t){for(var e=1;e<arguments.length;e++){var i=arguments[e];for(var s in i)Object.prototype.hasOwnProperty.call(i,s)&&(t[s]=i[s])}return t}).apply(this,arguments)}e=e&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e;var n="undefined"!=typeof window&&navigator&&/Win/i.test(navigator.platform),r="undefined"!=typeof window&&navigator&&/(Mac|iPhone|iPod|iPad)/i.test(navigator.platform),o=e.extend({props:{lineNumbers:{type:Boolean,default:!1},autoStyleLineNumbers:{type:Boolean,default:!0},readonly:{type:Boolean,default:!1},value:{type:String,default:""},highlight:{type:Function,required:!0},tabSize:{type:Number,default:2},insertSpaces:{type:Boolean,default:!0},ignoreTabKey:{type:Boolean,default:!1},placeholder:{type:String,default:""}},data:function(){return{capture:!0,history:{stack:[],offset:-1},lineNumbersHeight:"20px",codeData:""}},watch:{value:{immediate:!0,handler:function(t){this.codeData=t||""}},content:{immediate:!0,handler:function(){var t=this;this.lineNumbers&&this.$nextTick((function(){t.setLineNumbersHeight()}))}},lineNumbers:function(){var t=this;this.$nextTick((function(){t.styleLineNumbers(),t.setLineNumbersHeight()}))}},computed:{isEmpty:function(){return 0===this.codeData.length},content:function(){return this.highlight(this.codeData)+"<br />"},lineNumbersCount:function(){return this.codeData.split(/\r\n|\n/).length}},mounted:function(){this._recordCurrentState(),this.styleLineNumbers()},methods:{setLineNumbersHeight:function(){this.lineNumbersHeight=getComputedStyle(this.$refs.pre).height},styleLineNumbers:function(){if(this.lineNumbers&&this.autoStyleLineNumbers){var t=this.$refs.pre,e=this.$el.querySelector(".prism-editor__line-numbers"),i=window.getComputedStyle(t);this.$nextTick((function(){var s="border-top-left-radius",n="border-bottom-left-radius";e&&(e.style[s]=i[s],e.style[n]=i[n],t.style[s]="0",t.style[n]="0",["background-color","margin-top","padding-top","font-family","font-size","line-height"].forEach((function(t){e.style[t]=i[t]})),e.style["margin-bottom"]="-"+i["padding-top"])}))}},_recordCurrentState:function(){var t=this.$refs.textarea;t&&this._recordChange({value:t.value,selectionStart:t.selectionStart,selectionEnd:t.selectionEnd})},_getLines:function(t,e){return t.substring(0,e).split("\n")},_applyEdits:function(t){var e=this.$refs.textarea,i=this.history.stack[this.history.offset];i&&e&&(this.history.stack[this.history.offset]=s({},i,{selectionStart:e.selectionStart,selectionEnd:e.selectionEnd})),this._recordChange(t),this._updateInput(t)},_recordChange:function(t,e){void 0===e&&(e=!1);var i=this.history,n=i.stack,r=i.offset;if(n.length&&r>-1){this.history.stack=n.slice(0,r+1);var o=this.history.stack.length;if(o>100){var a=o-100;this.history.stack=n.slice(a,o),this.history.offset=Math.max(this.history.offset-a,0)}}var l=Date.now();if(e){var h=this.history.stack[this.history.offset];if(h&&l-h.timestamp<3e3){var u,d,c=/[^a-z0-9]([a-z0-9]+)$/i,f=null===(u=this._getLines(h.value,h.selectionStart).pop())||void 0===u?void 0:u.match(c),p=null===(d=this._getLines(t.value,t.selectionStart).pop())||void 0===d?void 0:d.match(c);if(f&&p&&p[1].startsWith(f[1]))return void(this.history.stack[this.history.offset]=s({},t,{timestamp:l}))}}this.history.stack.push(s({},t,{timestamp:l})),this.history.offset++},_updateInput:function(t){var e=this.$refs.textarea;e&&(e.value=t.value,e.selectionStart=t.selectionStart,e.selectionEnd=t.selectionEnd,this.$emit("input",t.value))},handleChange:function(t){var e=t.target,i=e.value;this._recordChange({value:i,selectionStart:e.selectionStart,selectionEnd:e.selectionEnd},!0),this.$emit("input",i)},_undoEdit:function(){var t=this.history,e=t.offset,i=t.stack[e-1];i&&(this._updateInput(i),this.history.offset=Math.max(e-1,0))},_redoEdit:function(){var t=this.history,e=t.stack,i=t.offset,s=e[i+1];s&&(this._updateInput(s),this.history.offset=Math.min(i+1,e.length-1))},handleKeyDown:function(t){var e=this.tabSize,i=this.insertSpaces,s=this.ignoreTabKey;if(!this.$listeners.keydown||(this.$emit("keydown",t),!t.defaultPrevented)){27===t.keyCode&&(t.target.blur(),this.$emit("blur",t));var o=t.target,a=o.value,l=o.selectionStart,h=o.selectionEnd,u=(i?" ":"\t").repeat(e);if(9===t.keyCode&&!s&&this.capture)if(t.preventDefault(),t.shiftKey){var d=this._getLines(a,l),c=d.length-1,f=this._getLines(a,h).length-1,p=a.split("\n").map((function(t,e){return e>=c&&e<=f&&t.startsWith(u)?t.substring(u.length):t})).join("\n");a!==p&&this._applyEdits({value:p,selectionStart:d[c].startsWith(u)?l-u.length:l,selectionEnd:h-(a.length-p.length)})}else if(l!==h){var y=this._getLines(a,l),m=y.length-1,v=this._getLines(a,h).length-1,g=y[m];this._applyEdits({value:a.split("\n").map((function(t,e){return e>=m&&e<=v?u+t:t})).join("\n"),selectionStart:/\S/.test(g)?l+u.length:l,selectionEnd:h+u.length*(v-m+1)})}else{var b=l+u.length;this._applyEdits({value:a.substring(0,l)+u+a.substring(h),selectionStart:b,selectionEnd:b})}else if(8===t.keyCode){var _=l!==h;if(a.substring(0,l).endsWith(u)&&!_){t.preventDefault();var k=l-u.length;this._applyEdits({value:a.substring(0,l-u.length)+a.substring(h),selectionStart:k,selectionEnd:k})}}else if(13===t.keyCode){if(l===h){var C=this._getLines(a,l).pop(),E=null==C?void 0:C.match(/^\s+/);if(E&&E[0]){t.preventDefault();var S="\n"+E[0],w=l+S.length;this._applyEdits({value:a.substring(0,l)+S+a.substring(h),selectionStart:w,selectionEnd:w})}}}else if(57===t.keyCode||219===t.keyCode||222===t.keyCode||192===t.keyCode){var K;57===t.keyCode&&t.shiftKey?K=["(",")"]:219===t.keyCode?K=t.shiftKey?["{","}"]:["[","]"]:222===t.keyCode?K=t.shiftKey?['"','"']:["'","'"]:192!==t.keyCode||t.shiftKey||(K=["`","`"]),l!==h&&K&&(t.preventDefault(),this._applyEdits({value:a.substring(0,l)+K[0]+a.substring(l,h)+K[1]+a.substring(h),selectionStart:l,selectionEnd:h+2}))}else!(r?t.metaKey&&90===t.keyCode:t.ctrlKey&&90===t.keyCode)||t.shiftKey||t.altKey?(r?t.metaKey&&90===t.keyCode&&t.shiftKey:n?t.ctrlKey&&89===t.keyCode:t.ctrlKey&&90===t.keyCode&&t.shiftKey)&&!t.altKey?(t.preventDefault(),this._redoEdit()):77!==t.keyCode||!t.ctrlKey||r&&!t.shiftKey||(t.preventDefault(),this.capture=!this.capture):(t.preventDefault(),this._undoEdit())}}},render:function(t){var e=this,i=t("div",{attrs:{class:"prism-editor__line-width-calc",style:"height: 0px; visibility: hidden; pointer-events: none;"}},"999"),s=t("div",{staticClass:"prism-editor__line-numbers",style:{"min-height":this.lineNumbersHeight},attrs:{"aria-hidden":"true"}},[i,Array.from(Array(this.lineNumbersCount).keys()).map((function(e,i){return t("div",{attrs:{class:"prism-editor__line-number token comment"}},""+ ++i)}))]),n=t("textarea",{ref:"textarea",on:{input:this.handleChange,keydown:this.handleKeyDown,click:function(t){e.$emit("click",t)},keyup:function(t){e.$emit("keyup",t)},focus:function(t){e.$emit("focus",t)},blur:function(t){e.$emit("blur",t)}},staticClass:"prism-editor__textarea",class:{"prism-editor__textarea--empty":this.isEmpty},attrs:{spellCheck:"false",autocapitalize:"off",autocomplete:"off",autocorrect:"off","data-gramm":"false",placeholder:this.placeholder,"data-testid":"textarea",readonly:this.readonly},domProps:{value:this.codeData}}),r=t("pre",{ref:"pre",staticClass:"prism-editor__editor",attrs:{"data-testid":"preview"},domProps:{innerHTML:this.content}}),o=t("div",{staticClass:"prism-editor__container"},[n,r]);return t("div",{staticClass:"prism-editor-wrapper"},[this.lineNumbers&&s,o])}});t.PrismEditor=o,Object.defineProperty(t,"__esModule",{value:!0});let a=null;"undefined"!=typeof window?a=window.Vue:void 0!==i&&(a=i.Vue),a&&a.component("PrismEditor",o)}));
+//# sourceMappingURL=prismeditor.umd.production.min.js.map
diff --git a/html/js/i18n.js b/html/js/i18n.js
index f4a3dab8..8cfc0d9a 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -36,10 +36,14 @@ const i18n = {
       actionHuntHelp: 'Hunt for this field',
       actionPcap: 'PCAP',
       actionPcapHelp: 'Show PCAP for this event',
+      actionProcessAllInfo: 'Process All Info',
+      actionProcessAllInfoHelp: 'Show all logs that include this process\'s entity_id in any field',
       actionProcessAncestors: 'Process Ancestors',
       actionProcessAncestorsHelp: 'Show all parent processes for this process',
+      actionProcessChildInfo: 'Process and Child Info',
+      actionProcessChildInfoHelp: 'Show all logs that include this process\'s entity_id in either the process.entity_id or process.parent.entity_id fields',
       actionProcessInfo: 'Process Info',
-      actionProcessInfoHelp: 'Show all logs for this process',
+      actionProcessInfoHelp: 'Show all logs that include this process\'s entity_id in the process.entity_id field',
       actionRelatedAlerts: 'Related Alerts',
       actionRelatedAlertsHelp: 'Find alerts related to this detection',
       actionSublime: 'Sublime Platform Email Review',
@@ -120,9 +124,13 @@ const i18n = {
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       betweenOp: 'Between',
       blog: 'Blog',
+      both: 'Both',
       bulkAction: 'Bulk Action:',
+      bulkActionStarted: 'Updating {total} detections. This may take awhile.',
+      bulkActionDeleteStarted: 'Deleting {total} detections. This may take awhile.',
       bulkError: '',
-      bulkSuccess: 'Bulk update successfully updated {modified} of {total} events. ({time})',
+      bulkSuccessUpdate: 'Bulk update successfully updated {modified} of {total} events. ({time})',
+      bulkSuccessDelete: 'Bulk delete successfully deleted {modified} of {total} events. ({time})',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -186,8 +194,10 @@ const i18n = {
       config: 'Configuration',
       configTitle: 'Grid Configuration',
       configQLGridTitle: 'Grid Administration Quick Links',
-      configQLElasticsearchDelete: 'Elasticsearch ILM Deletion',
-      configQLElasticsearchHeader: 'Elasticsearch',
+      configQLElasticsearchCold: 'Cold Phase',
+      configQLElasticsearchDelete: 'Delete Phase',
+      configQLElasticsearchWarm: 'Warm Phase',
+      configQLElasticsearchHeader: 'Elasticsearch Global ILM Policy (applies to all indices)',
       configQLNTP: 'Specify custom Network Time Protocol server(s)',
       configQLNTPHeader: 'NTP',
       configQLFirewallHeader: 'Firewall',
@@ -291,6 +301,8 @@ const i18n = {
       detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
       detectionDefaultDescription: 'Detection description not yet provided',
       detectionDeleteSuccessful: 'Detection deleted. The deleted detection will still appear below until the list is refreshed.',
+      detectionDeleteConfirmationBody: 'Are you sure you want to delete {count} detections?',
+      detectionDeleteConfirmationTitle: 'Delete Detections',
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
       detectionEngineHealthy: 'OK',
@@ -388,6 +400,7 @@ const i18n = {
       extract: 'Extract',
       incomplete: 'Incomplete',
       invalidHours: 'Hours are not valid. Ex: 1.5',
+      ipVar: 'IP/Var',
       failedEvents: 'Failed Events',
       fault: 'Fault',
       featureRequiresAppliance: 'Feature Unavailable',
@@ -432,6 +445,7 @@ const i18n = {
       flags: 'Flags',
       gigabytes: 'GB',
       generate: 'Generate',
+      gmd: 'Guaranteed Message Delivery',
       go: 'GO',
       graphs: 'Graphs',
       grid: 'Grid',
@@ -516,8 +530,8 @@ const i18n = {
       interval24h: "24 hours",
       invalid: 'Invalid',
       ioWait: 'I/O Wait',
-      invalidCidr: 'Invalid CIDR Notation',
-      ipCidr: 'IP - CIDR Notation',
+      invalidCidrOrVar: 'Invalid CIDR Notation or Suricata Variable',
+      ipCidr: 'IP - CIDR Notation or Suricata Variable',
       job: 'Job',
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
@@ -537,6 +551,7 @@ const i18n = {
       licensePending: 'This grid is using a license that has not yet become active. If this is unexpected, contact your Security Onion account manager for assistance. Alternatively, make sure your grid is synchronized to the correct time.',
       licenseEffective: 'Effective',
       licenseExpiration: 'Expiration',
+      licenseExpiringSoon: 'This grid\'s Security Onion Pro license expires soon.',
       licenseId: 'ID',
       licensing: 'Licensing',
       licenseKey: 'License Key',
@@ -544,6 +559,7 @@ const i18n = {
       licenseShort: 'ELv2',
       licenseStatus: 'Status',
       licenseTerms: 'License Terms',
+      limit: 'Limit',
       lks: 'Encr. Disk',
       loadAverage: 'Load Average',
       loadAverageAbbr: 'Load 1m',
@@ -573,6 +589,7 @@ const i18n = {
       minutes: 'minutes',
       missingPublicIdErr: "This detection is missing its public Id. A public Id is required.",
       model: 'Model',
+      modify: 'Modify',
       module: 'Module',
       months: 'months',
       moreColumns: 'Show additional, sensor-related columns',
@@ -798,6 +815,7 @@ const i18n = {
       'so-sensor-keywords': 'Forward, Sensor, Sensoroni, Stenographer',
       'so-standalone': 'Standalone',
       'so-standalone-keywords': 'Elastic, Elasticsearch, Fleet, Forward, Ingest, Manager, Master, Search, Sensor, Sensoroni, Soc, Stenographer, Web',
+      toggleFullQueryHelp: 'Toggles between showing the full query or only the search filter. Disabled if query has been modified.',
       showPieChart: 'Show pie chart',
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
@@ -829,6 +847,7 @@ const i18n = {
       stenoLossAbbr: 'Steno Loss',
       stg: 'Security Tech Impl Guides',
       summary: 'Summary',
+      suppress: 'Suppress',
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
@@ -837,6 +856,7 @@ const i18n = {
       syncFailure: 'Something went wrong attempting to synchronize {engine} community rules. Check SOC logs for details.',
       systemUser: "System",
       tags: 'Tags',
+      threshold: 'Threshold',
       thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
@@ -960,6 +980,7 @@ const i18n = {
       ERROR_SALT_SEND_FILE: 'Unable to send file to minion; ensure that salt is running on the manager node and check salt logs.',
       ERROR_SALT_IMPORT: 'Unable to import file on minion; ensure that salt is running on the manager node and check salt logs.',
       ERROR_SALT_STATE: 'Unable to sync settings. Ensure that salt is running on the manager node and check salt logs.',
+      ERROR_BULK_COMMUNITY: 'Unable to complete bulk delete. Batch contains Community rules. No rules were deleted.',
 
       // correct casing
       cc_elastalert: 'ElastAlert',
diff --git a/html/js/routes/config.js b/html/js/routes/config.js
index 82514420..004310ce 100644
--- a/html/js/routes/config.js
+++ b/html/js/routes/config.js
@@ -63,11 +63,19 @@ routes.push({ path: '/config', name: 'config', component: {
   },
   methods: {
     processRouteParameters() {
+      if (this.$route.query.a == "1") {
+        this.advanced = true;
+      }
       if (this.$route.query.f) {
         this.search = this.$route.query.f;
       }
       if (this.$route.query.e == "1") {
         this.autoExpand = true;
+        if (this.advanced) {
+          this.$nextTick(() => {
+            this.autoExpand = true;
+          });
+        }
       }
       if (this.$route.query.s) {
         this.autoSelect = this.$route.query.s;
@@ -326,7 +334,7 @@ routes.push({ path: '/config', name: 'config', component: {
       }
       this.recomputeAvailableNodes(this.findActiveSetting());
       this.activeBackup = [...this.active];
-      this.showDuplicate = false; 
+      this.showDuplicate = false;
       this.showDefault = false;
       window.scrollTo(0,0);
     },
@@ -507,7 +515,7 @@ routes.push({ path: '/config', name: 'config', component: {
     },
     toggleDuplicate(setting) {
       this.duplicateId = this.suggestDuplicateName(setting);
-      this.showDuplicate = !this.showDuplicate; 
+      this.showDuplicate = !this.showDuplicate;
     },
     suggestDuplicateName(setting) {
       return setting.name + "_dup";
diff --git a/html/js/routes/config.test.js b/html/js/routes/config.test.js
index 160833ce..3405f347 100644
--- a/html/js/routes/config.test.js
+++ b/html/js/routes/config.test.js
@@ -9,11 +9,11 @@ require('./config.js');
 
 global.GridMemberAccepted = "accepted";
 
-const a = { 
-  category: 'general', 
-  id: 'fake.setting.foo', 
-  description: 'Nearby', 
-  title: 'Farout', 
+const a = {
+  category: 'general',
+  id: 'fake.setting.foo',
+  description: 'Nearby',
+  title: 'Farout',
   nodeValues: new Map(),
   regex: "True|False",
   regexFailureMessage: "Wrong!",
@@ -50,7 +50,7 @@ test('loadData', async () => {
   const expectedSettings = [{
       "advanced": undefined,
       "default": null,
-      "defaultAvailable": false, 
+      "defaultAvailable": false,
       "description": "Nearby",
       "duplicates": undefined,
       "file": undefined,
@@ -73,7 +73,7 @@ test('loadData', async () => {
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
+      "defaultAvailable": undefined,
       "description": "NADA",
       "duplicates": undefined,
       "file": undefined,
@@ -96,7 +96,7 @@ test('loadData', async () => {
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
+      "defaultAvailable": undefined,
       "description": "Cocoa",
       "duplicates": undefined,
       "file": undefined,
@@ -125,79 +125,79 @@ test('loadData', async () => {
           "children": [
             {
               "advanced": undefined,
-              "default": null, 
-              "defaultAvailable": false, 
-              "description": "Nearby", 
+              "default": null,
+              "defaultAvailable": false,
+              "description": "Nearby",
               "duplicates": undefined,
               "file": undefined,
-              "global": false, 
+              "global": false,
               "helpLink": undefined,
-              "id": "fake.setting.foo", 
-              "multiline": undefined, 
-              "name": "foo", 
-              "node": undefined, 
-              "nodeValues": m1, 
-              "readonly": undefined, 
+              "id": "fake.setting.foo",
+              "multiline": undefined,
+              "name": "foo",
+              "node": undefined,
+              "nodeValues": m1,
+              "readonly": undefined,
               "readonlyUi": undefined,
               "regex": "True|False",
               "regexFailureMessage": "Wrong!",
-              "sensitive": undefined, 
+              "sensitive": undefined,
               "syntax": undefined,
-              "title": "Farout", 
+              "title": "Farout",
               "value": null
-            }, 
+            },
             {
               "advanced": undefined,
               "default": undefined,
-              "defaultAvailable": undefined, 
-              "description": "Cocoa", 
+              "defaultAvailable": undefined,
+              "description": "Cocoa",
               "duplicates": undefined,
               "file": undefined,
-              "global": undefined, 
+              "global": undefined,
               "helpLink": undefined,
-              "id": "fake.setting.bar", 
-              "multiline": undefined, 
-              "name": "bar", 
-              "node": false, 
-              "nodeValues": new Map(), 
-              "readonly": undefined, 
+              "id": "fake.setting.bar",
+              "multiline": undefined,
+              "name": "bar",
+              "node": false,
+              "nodeValues": new Map(),
+              "readonly": undefined,
               "readonlyUi": undefined,
               "regex": undefined,
               "regexFailureMessage": undefined,
-              "sensitive": undefined, 
+              "sensitive": undefined,
               "syntax": undefined,
-              "title": "Barley", 
+              "title": "Barley",
               "value": undefined
             }
-          ], 
-          "id": "fake.setting", 
+          ],
+          "id": "fake.setting",
           "name": "setting"
         }
-      ], 
-      "id": "fake", 
+      ],
+      "id": "fake",
       "name": "fake"
-    }, 
+    },
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
-      "description": "NADA", 
+      "defaultAvailable": undefined,
+      "description": "NADA",
       "duplicates": undefined,
       "file": undefined,
-      "global": undefined, 
+      "global": undefined,
       "helpLink": undefined,
-      "id": "car", 
-      "multiline": undefined, 
-      "name": "car", 
-      "node": false, 
-      "nodeValues": new Map(), 
-      "readonly": undefined, 
+      "id": "car",
+      "multiline": undefined,
+      "name": "car",
+      "node": false,
+      "nodeValues": new Map(),
+      "readonly": undefined,
       "readonlyUi": undefined,
       "regex": undefined,
       "regexFailureMessage": undefined,
-      "sensitive": undefined, 
+      "sensitive": undefined,
       "syntax": undefined,
-      "title": "CCA", 
+      "title": "CCA",
       "value": undefined
     }
   ];
@@ -258,7 +258,7 @@ test('isPendingSave', () => {
   const values = new Map();
   values.set('bar', '123');
   const setting = { id: 'foo', value: "something", nodeValues: values};
-  
+
   // Form key is null, nothing pending
   var nodeId = null;
   expect(comp.isPendingSave(setting, nodeId)).toBe(false);
@@ -294,7 +294,7 @@ test('reset', () => {
 
 setupSettings = () => {
   comp.cancelDialog = true;
-  comp.nodes = [{id: "n1", status: GridMemberAccepted }, {id: "n1a", status: GridMemberAccepted }, 
+  comp.nodes = [{id: "n1", status: GridMemberAccepted }, {id: "n1a", status: GridMemberAccepted },
                 {id: "n2", name: "node2", role: "standalone", status: "accepted" }, {id:"n3", status: "pending" }];
 
   const nodeValues = new Map();
@@ -555,7 +555,7 @@ test('addNode', () => {
   expect(comp.settings[0].nodeValues.get('n2')).toBe(undefined);
   expect(comp.form.key).toBe("n1");
   expect(comp.form.value).toBe("touched-value");
-  expect(comp.cancelDialog).toBe(true);  
+  expect(comp.cancelDialog).toBe(true);
 });
 
 test('addToNode_Malformed', () => {
@@ -622,4 +622,65 @@ test('isReadOnly', () => {
   expect(comp.isReadOnly(setting)).toBe(true);
   setting.readonly = true;
   expect(comp.isReadOnly(setting)).toBe(true);
-});
\ No newline at end of file
+});
+
+test('processRouteParameters', () => {
+  comp.$route.query = {
+    f: 'search',
+  };
+  comp.$nextTick = jest.fn();
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('search');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(false);
+  expect(comp.searchFilter).toBe('search');
+  expect(comp.advanced).toBe(false);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.search = '';
+  comp.searchFilter = '';
+  comp.$route.query = {
+    e: '1',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(true);
+  expect(comp.searchFilter).toBe('');
+  expect(comp.advanced).toBe(false);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.autoExpand = false;
+  comp.$route.query = {
+    a: '1',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(false);
+  expect(comp.searchFilter).toBe('');
+  expect(comp.advanced).toBe(true);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.advanced = false
+  comp.$route.query = {
+    a: '1',
+    e: '1',
+    f: 'search',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('search');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(true);
+  expect(comp.searchFilter).toBe('search');
+  expect(comp.advanced).toBe(true);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(1);
+});
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 1088f9cc..d10eb51a 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -47,9 +47,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 				fileRequired: value => (value != null) || this.$root.i18n.required,
 				cidrFormat: value => (!value ||
+					/^!?\$[a-z_][a-z0-9_]*$/i.test(value) || // Suricata variable
 					/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
-					/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
-				) || this.i18n.invalidCidr,
+					/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/i.test(value) // IPv6 CIDR
+				) || this.i18n.invalidCidrOrVar,
 			},
 			panel: [0, 1, 2],
 			activeTab: '',
@@ -58,20 +59,30 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			sortBy: 'createdAt',
 			sortDesc: false,
 			expanded: [],
-			overrideHeaders: [
-				{ text: 'Enabled', value: 'isEnabled' },
-				{ text: 'Type', value: 'type' },
-				{ text: 'Track', value: 'track' },
-				{ text: 'Created', value: 'createdAt', format: true },
-				{ text: 'Updated', value: 'updatedAt', format: true },
-			],
+			overrideHeaders: {
+				'elastalert': [
+					{ text: this.$root.i18n.enabled, value: 'isEnabled' },
+					{ text: this.$root.i18n.type, value: 'type' },
+					{ text: this.$root.i18n.track, value: 'track' },
+					{ text: this.$root.i18n.dateCreated, value: 'createdAt', format: true },
+					{ text: this.$root.i18n.dateModified, value: 'updatedAt', format: true },
+				],
+				'strelka': [], // no overrides
+				'suricata': [
+					{ text: this.$root.i18n.enabled, value: 'isEnabled' },
+					{ text: this.$root.i18n.type, value: 'type' },
+					{ text: this.$root.i18n.ipVar, value: 'ip' },
+					{ text: this.$root.i18n.dateCreated, value: 'createdAt', format: true },
+					{ text: this.$root.i18n.dateModified, value: 'updatedAt', format: true },
+				],
+			},
 			zone: moment.tz.guess(),
 			newOverride: null,
 			newOverrideValid: false,
 			thresholdTypes: [
-				{ value: 'threshold', text: 'Threshold' },
-				{ value: 'limit', text: 'Limit' },
-				{ value: 'both', text: 'Both' }
+				{ value: 'threshold', text: this.$root.i18n.threshold },
+				{ value: 'limit', text: this.$root.i18n.limit },
+				{ value: 'both', text: this.$root.i18n.both }
 			],
 			historyTableOpts: {
 				sortBy: 'updateTime',
@@ -93,6 +104,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			extractedSummary: '',
 			extractedReferences: [],
 			extractedLogic: '',
+			extractedLogicClass: '',
 			history: [],
 			extractedCreated: '',
 			extractedUpdated: '',
@@ -121,8 +133,15 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			convertedRule: '',
 			confirmDeleteDialog: false,
 			showDirtySourceDialog: false,
+			ruleTemplates: {},
+			languageToEngine: {
+				'suricata': 'suricata',
+				'sigma': 'elastalert',
+				'yara': 'strelka',
+			},
 	}},
 	created() {
+		this.$root.initializeEditor();
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
 	},
 	watch: {
@@ -135,12 +154,16 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
+	updated() {
+		Prism.highlightAll();
+	},
 	methods: {
 		async initDetection(params) {
 			this.params = params;
 			this.presets = params['presets'];
 			this.renderAbbreviatedCount = params["renderAbbreviatedCount"];
 			this.severityTranslations = params['severityTranslations'];
+			this.ruleTemplates = params['templateDetections'];
 
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
@@ -221,6 +244,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					}
 
 					break;
+				case 'elastalert':
+					const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+					if (yaml.description) {
+						this.extractedSummary = yaml.description;
+						break;
+					}
+					// else fall through
 				default:
 					if (this.detect.description) {
 						this.extractedSummary = this.detect.description;
@@ -304,16 +334,20 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		extractLogic() {
 			this.extractedLogic = '';
+			this.extractedLogicClass = '';
 
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataLogic();
+					this.extractedLogicClass = 'language-suricata-logic';
 					break;
 				case 'strelka':
 					this.extractStrelkaLogic();
+					this.extractedLogicClass = 'language-yara';
 					break;
 				case 'elastalert':
 					this.extractElastAlertLogic();
+					this.extractedLogicClass = 'language-yaml';
 					break;
 			}
 		},
@@ -813,6 +847,27 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			}
 		},
+		async onNewDetectionLanguageChange() {
+			const lang = (this.detect.language || '').toLowerCase();
+			const engine = this.languageToEngine[lang];
+
+			if (engine) {
+				let publicId = '';
+
+				if (engine !== 'strelka') {
+					try {
+						const response = await this.$root.papi.get(`detection/${engine}/genpublicid`);
+						publicId = response.data.publicId;
+					} catch (error) {
+						this.$root.showError(error);
+					}
+				}
+
+				this.detect.content = this.ruleTemplates[engine].replaceAll('[publicId]', publicId);
+			}
+
+			this.onDetectionChange();
+		},
 		onDetectionChange() {
 			if (this.detect.engine) {
 				this.extractPublicID();
@@ -874,13 +929,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			switch (engine) {
 				case 'suricata':
 					return [
-						{ value: 'modify', text: 'Modify' },
-						{ value: 'suppress', text: 'Suppress' },
-						{ value: 'threshold', text: 'Threshold' }
+						{ value: 'modify', text: this.i18n.modify },
+						{ value: 'suppress', text: this.i18n.suppress },
+						{ value: 'threshold', text: this.i18n.threshold }
 					];
 				case 'elastalert':
 					return [
-						{ value: 'customFilter', text: 'Custom Filter' }
+						{ value: 'customFilter', text: this.i18n.customFilter }
 					];
 			}
 
@@ -1022,16 +1077,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			el.scrollIntoView()
 			el.focus();
 		},
-		async reloadComments(showLoadingIndicator = false) {
+		async loadComments(showLoadingIndicator = false) {
 			if (showLoadingIndicator) this.$root.startLoading();
-			this.comments = [];
-			await this.loadComments();
-			if (showLoadingIndicator) this.$root.stopLoading();
-		},
-		async loadComments() {
 			try {
 				const response = await this.$root.papi.get(`detection/${this.detect.id}/comment`);
 				if (response && response.data) {
+					this.comments = [];
 					for (var idx = 0; idx < response.data.length; idx++) {
 						const obj = response.data[idx];
 
@@ -1052,6 +1103,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			} catch (error) {
 				this.$root.showError(error);
+			} finally {
+				if (showLoadingIndicator) this.$root.stopLoading();
 			}
 		},
 		async addComment() {
@@ -1085,7 +1138,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 				if (response && response.data) {
 					if (isUpdate) {
-						this.reloadComments();
+						this.loadComments();
 					} else {
 						await this.$root.populateUserDetails(response.data, "userId", "owner");
 						this.comments.push(response.data);
@@ -1210,5 +1263,28 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			}
 			return true;
 		},
+		highlighter(code) {
+			let grammar = null;
+			let language = null;
+
+			switch ((this.detect.language || '').toLowerCase()) {
+				case 'sigma':
+					grammar = Prism.languages.yaml;
+					language = 'yaml';
+					break;
+				case 'suricata':
+					grammar = Prism.languages.suricata;
+					language = 'suricata';
+					break;
+				case 'yara':
+					grammar = Prism.languages.yara;
+					language = 'yara';
+					break;
+				default:
+					return code;
+			}
+
+			return Prism.highlight(code, grammar, language);
+		},
 	}
 }});
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 8e55af28..df276d3f 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
@@ -10,8 +10,9 @@ require('./detection.js');
 let comp;
 
 beforeEach(() => {
-  comp = getComponent("detection");
+	comp = getComponent("detection");
 	resetPapi();
+	comp.$root.initializeEditor = () => { };
 	comp.created();
 });
 
@@ -33,6 +34,7 @@ test('extract suricata', () => {
 		{ type: 'text', text: 'Research' },
 	]);
 	expect(comp.extractedLogic).toBe('any any <> any any');
+	expect(comp.extractedLogicClass).toBe('language-suricata-logic');
 	expect(comp.extractedCreated).toBe('2020-01-01');
 	expect(comp.extractedUpdated).toBe('2020-01-02');
 });
@@ -56,6 +58,7 @@ test('extract strelka', () => {
 		{ type: 'url', text:'example.com', link: 'http://example.com' },
 	]);
 	expect(comp.extractedLogic).toBe('strings:\n$a = "test"\ncondition:\n$a');
+	expect(comp.extractedLogicClass).toBe('language-yara');
 	expect(comp.extractedCreated).toBe('2020-01-01');
 	expect(comp.extractedUpdated).toBe('');
 });
@@ -73,14 +76,30 @@ test('extract elastalert', () => {
 	comp.extractLogic();
 	comp.extractDetails();
 
-	expect(comp.extractedSummary).toBe('Title');
+	expect(comp.extractedSummary).toBe('Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant');
 	expect(comp.extractedReferences).toEqual([
 		{ type: 'url', text: 'https://twitter.com/DrunkBinary/status/1063075530180886529', link: 'https://twitter.com/DrunkBinary/status/1063075530180886529' },
 		{ type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
 	]);
 	expect(comp.extractedLogic).toBe('logsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - ds7002.lnk\n      - ds7002.pdf\n      - ds7002.zip\n    condition: selection');
+	expect(comp.extractedLogicClass).toBe('language-yaml');
 	expect(comp.extractedCreated).toBe('2018/11/20');
 	expect(comp.extractedUpdated).toBe('2023/02/20');
+
+	// content with no description
+	comp.detect.content = `title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n  - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n    type: derived\nstatus: stable\nreferences:\n  - https://twitter.com/DrunkBinary/status/1063075530180886529\n  - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018/11/20\nmodified: 2023/02/20\ntags:\n  - attack.defense_evasion\n  - attack.t1218.011\n  - detection.emerging_threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - 'ds7002.lnk'\n      - 'ds7002.pdf'\n      - 'ds7002.zip'\n    condition: selection\nfalsepositives:\n  - Unlikely\nlevel: critical`;
+	comp.detect.description = 'Description'
+	comp.extractSummary();
+
+	// fallback first to detection Description...
+	expect(comp.extractedSummary).toBe('Description');
+
+	comp.detect.description = '';
+
+	comp.extractSummary();
+
+	// ... else fallback to title
+	expect(comp.extractedSummary).toBe('Title');
 });
 
 test('fixProtocol', () => {
@@ -327,7 +346,7 @@ test('deleteDetectionCancel', () => {
 	comp.cancelDeleteDetection();
 	expect(comp.confirmDeleteDialog).toBe(false);
 	comp.deleteDetection();
-})
+});
 
 test('deleteDetectionFailure', async () => {
 	resetPapi().mockPapi("delete", null, new Error("something bad"));
@@ -389,17 +408,70 @@ test('revertEnabled', () => {
 	comp.revertEnabled();
 	expect(comp.detect.isEnabled).toBe(false);
 	expect(comp.origDetect.isEnabled).toBe(false);
-})
+});
 
 test('isFieldValid', () => {
 	comp.$refs = {}
 	expect(comp.isFieldValid('foo')).toBe(true)
 
-	comp.$refs = {bar: { valid: false}}
+	comp.$refs = { bar: { valid: false } }
 	expect(comp.isFieldValid('foo')).toBe(true)
 	expect(comp.isFieldValid('bar')).toBe(false)
 
-	comp.$refs = {bar: { valid: true}}
+	comp.$refs = { bar: { valid: true } }
 	expect(comp.isFieldValid('bar')).toBe(true)
+});
 
-})
\ No newline at end of file
+test('onNewDetectionLanguageChange', async () => {
+	comp.ruleTemplates = {
+		"suricata": 'a [publicId]',
+		"strelka": 'b [publicId]',
+		"elastalert": 'c [publicId]',
+	}
+	// no language means no engine means no request means no change
+	comp.detect = { language: '', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('x');
+
+	// yara, no publicId, results in template without publicId
+	comp.detect = { language:'yara', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('b ');
+
+	// suricata, sid, results in template with publicId
+	resetPapi().mockPapi("get", { data: { publicId: 'X' } }, null);
+	comp.detect = { language:'suricata', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('a X');
+
+	// sigma, uuid, results in template with publicId
+	resetPapi().mockPapi("get", { data: { publicId: 'X' } }, null);
+	comp.detect = { language:'sigma', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('c X');
+});
+
+test('cidrFormat', () => {
+	const cidrFormat = comp.rules.cidrFormat;
+
+	expect(cidrFormat('$HOME_NET')).toBe(true);
+	expect(cidrFormat('$Home_Net')).toBe(true);
+	expect(cidrFormat('!$DNS')).toBe(true);
+	expect(cidrFormat('!$_')).toBe(true);
+	expect(cidrFormat('0.0.0.0/16')).toBe(true);
+	expect(cidrFormat('0::0/32')).toBe(true);
+	expect(cidrFormat('2001:DB88:3333:4444:CCCC:DDDD:EEEE:FFFF/64')).toBe(true);
+	expect(cidrFormat('2001:db88:3333:4444:cccc:dddd:eeee:ffff/64')).toBe(true);
+
+	expect(cidrFormat('x')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('#')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('!#')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('#1')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('!#1')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('_')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('1.2.3.4')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('0::0')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('256.256.256.256/32')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('0::0::0/16')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('google.com')).toBe(comp.i18n.invalidCidrOrVar);
+});
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2804ad7a..2827cfb8 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -22,7 +22,10 @@ const huntComponent = {
     params: null,
     category: '',
     advanced: false,
+    queryAltered: false,
     query: '',
+    querySearch: '',
+    queryRemainder: '',
     queries: [],
     queryBaseFilter: "",
     queryName: '',
@@ -99,6 +102,7 @@ const huntComponent = {
     mruCases: [],
 
     autohunt: true,
+    showFullQuery: true,
 
     filterRouteInclude: "",
     filterRouteExclude: "",
@@ -146,10 +150,12 @@ const huntComponent = {
     bulkActions: [
       { text: this.$root.i18n.enable, value: 'enable' },
       { text: this.$root.i18n.disable, value: 'disable' },
+      { text: this.$root.i18n.delete, value: 'delete' },
     ],
     quickActionDetId: null,
     presets: {},
     manualSyncTargetEngine: null,
+    showBulkDeleteConfirmDialog: false,
   }},
   created() {
     this.$root.initializeCharts();
@@ -287,6 +293,19 @@ const huntComponent = {
         return [];
       }
     },
+    reconstructQuery() {
+      if (this.isAdvanced() && !this.showFullQuery) {
+        this.query = this.querySearch + " " + this.queryRemainder;
+      }
+    },
+    submitQuery() {
+      this.reconstructQuery();
+      this.hunt();
+    },
+    queryModified() {
+      this.reconstructQuery();
+      return this.notifyInputsChanged();
+    },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
       this.toggleQuickAction();
@@ -723,8 +742,21 @@ const huntComponent = {
       }
       return item;
     },
+    getDisplayedQueryVar() {
+      if (this.isAdvanced()) {
+        if (this.showFullQuery) {
+          return 'query'
+        } else {
+          return 'querySearch'
+        }
+      }
+      return 'queryName'
+    },
     obtainQueryDetails() {
+      this.queryAltered = false;
       this.queryName = "";
+      this.querySearch = "";
+      this.queryRemainder = "";
       this.queryFilters = [];
       this.queryGroupBys = [];
       this.queryGroupByOptions = [];
@@ -763,7 +795,11 @@ const huntComponent = {
         }
 
         if (segments.length > 0) {
-          var search = segments[0].trim();
+          this.querySearch = segments[0].trim();
+          if (segments.length > 1) {
+            // Used for reconstructing full query from simplified filter-only view
+            this.queryRemainder = this.query.substring(segmentDelimIdx);
+          }
           var matchingQueryName = this.i18n.custom;
           for (var i = 0; i < this.queries.length; i++) {
             if (this.query == this.queries[i].query) {
@@ -771,7 +807,7 @@ const huntComponent = {
             }
           }
           this.queryName = matchingQueryName;
-          search.split(" AND ").forEach(function(item, index) {
+          this.querySearch.split(" AND ").forEach(function(item, index) {
             item = item.trim();
             if (item.length > 0 && item != "*") {
               route.queryFilters.push(item);
@@ -2186,9 +2222,16 @@ const huntComponent = {
 
       this.selectedCount = count;
     },
-    async bulkAction() {
+    async bulkAction(confirmed) {
       let payload = {};
 
+      if (this.selectedAction === 'delete' && !confirmed) {
+        this.showBulkDeleteConfirmDialog = true;
+        return;
+      }
+
+      this.showBulkDeleteConfirmDialog = false;
+
       switch (this.selectAllState) {
         case true:
           payload.query = this.query;
@@ -2206,15 +2249,27 @@ const huntComponent = {
       }
 
       try {
-        await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
-      } catch (e) {
-        this.$root.handleError(e);
-      } finally {
+        const request = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+
+        let msg = this.i18n.bulkActionStarted;
+        if (this.selectedAction === 'delete') {
+          msg = this.i18n.bulkActionDeleteStarted;
+        }
+
+        msg = msg.replace('{total}', request.data.count.toLocaleString());
+
+        this.$root.showTip(msg);
+
         this.selectAllState = false;
         this.selectedCount = 0;
         this.hunt(false);
+      } catch (e) {
+        this.$root.showError(e);
       }
     },
+    bulkDeleteDialogCancel() {
+      this.showBulkDeleteConfirmDialog = false;
+    },
     bulkUpdateReport(stats) {
       if (stats.error > 0) {
         let msg = this.i18n.bulkError;
@@ -2244,7 +2299,8 @@ const huntComponent = {
 
         t += seconds.toFixed(0) + 's';
 
-        let msg = this.i18n.bulkSuccess;
+        let msg = stats.verb === 'delete' ? this.i18n.bulkSuccessDelete : this.i18n.bulkSuccessUpdate;
+
         msg = msg.replaceAll('{modified}', stats.modified.toLocaleString());
         msg = msg.replaceAll('{total}', stats.total.toLocaleString());
         msg = msg.replaceAll('{time}', t);
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index a9412ff6..ce51d5be 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -700,6 +700,8 @@ test('obtainQueryDetails_blank', () => {
   comp.query = ""
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("");
+  expect(comp.querySearch).toBe("");
+  expect(comp.queryRemainder).toBe("");
   expect(comp.queryFilters).toStrictEqual([]);
   expect(comp.queryGroupBys).toStrictEqual([]);
   expect(comp.queryGroupByOptions).toStrictEqual([]);
@@ -710,6 +712,8 @@ test('obtainQueryDetails_queryOnly', () => {
   comp.query = "foo: bar AND x:1"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:1");
+  expect(comp.queryRemainder).toBe("");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:1"]);
   expect(comp.queryGroupBys).toStrictEqual([]);
   expect(comp.queryGroupByOptions).toStrictEqual([]);
@@ -720,6 +724,8 @@ test('obtainQueryDetails_queryGroupedOptionsTableSorted', () => {
   comp.query = "foo: bar AND x:1 | groupby -opt1 z | groupby -optB r^ | sortby y | table x y z"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:1");
+  expect(comp.queryRemainder).toBe("| groupby -opt1 z | groupby -optB r^ | sortby y | table x y z");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:1"]);
   expect(comp.queryGroupBys).toStrictEqual([["z"], ["r^"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([["opt1"], ["optB"]]);
@@ -731,6 +737,8 @@ test('obtainQueryDetails_queryGroupedFilterPipe', () => {
   comp.query = "foo: bar AND x:\"with | this\" | groupby z"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:\"with | this\"");
+  expect(comp.queryRemainder).toBe("| groupby z");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:\"with | this\""]);
   expect(comp.queryGroupBys).toStrictEqual([["z"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([[]]);
@@ -741,6 +749,8 @@ test('obtainQueryDetails_trickyEscapeSequence', () => {
   comp.query = `process.working_directory:"C:\\\\Windows\\\\system32\\\\" | groupby host.name`;
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe(`process.working_directory:"C:\\\\Windows\\\\system32\\\\"`);
+  expect(comp.queryRemainder).toBe("| groupby host.name");
   expect(comp.queryFilters).toStrictEqual([`process.working_directory:"C:\\\\Windows\\\\system32\\\\"`]);
   expect(comp.queryGroupBys).toStrictEqual([["host.name"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([[]]);
@@ -1191,3 +1201,147 @@ test('toggleSelectAll', () => {
   expect(comp.selectedCount).toBe(0);
   expect(comp.isPageSelected()).toBe(false);
 });
+
+test('bulkAction - delete - pre-confirm', async () => {
+  comp.selectedAction = 'delete';
+  comp.selectedCount = 2;
+
+  await comp.bulkAction();
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(true);
+  expect(comp.selectedCount).toBe(2);
+  expect(comp.$root.tip).toBe(false);
+});
+
+test('bulkAction - enable', async () => {
+  comp.selectedAction = 'enable';
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 }, }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/enable', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Updating 2 detections. This may take awhile.');
+});
+
+test('bulkAction - disable', async () => {
+  comp.selectedAction = 'disable';
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 } }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/disable', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Updating 2 detections. This may take awhile.');
+});
+
+test('bulkAction - delete - confirm - success', async () => {
+  comp.selectedAction = 'delete';
+  comp.showBulkDeleteConfirmDialog = true;
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 } }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Deleting 2 detections. This may take awhile.');
+});
+
+test('bulkAction - delete - confirm - failure', async () => {
+  comp.selectedAction = 'delete';
+  comp.showBulkDeleteConfirmDialog = true;
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.$root.showError = jest.fn();
+  const err = { response: { data: "ERROR_BULK_COMMUNITY" } }
+  const mock = resetPapi().mockPapi('post', null, err);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe('indeterminate');
+  expect(comp.selectedCount).toBe(2);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
+  expect(comp.$root.showError).toHaveBeenCalledTimes(1);
+  expect(comp.$root.showError).toHaveBeenCalledWith(err);
+});
+
+test('reconstructQuery', () => {
+  comp.query = "bar: 'hi' | groupby x"
+  comp.obtainQueryDetails();
+  comp.reconstructQuery();
+  comp.querySearch = "foo: 1"
+
+  // Advanced mode and showFullQuery false so should reconstruct query using new custom filter
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  comp.queryModified();
+  expect(comp.query).toBe("foo: 1 | groupby x");
+});
+
+test('queryModified', () => {
+  comp.$root.loading = true; // prevent any notification logic from running
+  comp.query = "bar: 'hi' | groupby x"
+  comp.obtainQueryDetails();
+  comp.querySearch = "foo: 1"
+
+  // Basic mode, should not reconstruct query
+  comp.queryModified();
+  expect(comp.query).toBe("bar: 'hi' | groupby x");
+
+  // Advanced mode, but showFullQuery is true so should not reconstruct query
+  comp.advanced = true;
+  comp.showFullQuery = true;
+  comp.queryModified();
+  expect(comp.query).toBe("bar: 'hi' | groupby x");
+
+  // Advanced mode and showFullQuery false so should reconstruct query using new custom filter
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  comp.queryModified();
+  expect(comp.query).toBe("foo: 1 | groupby x");
+});
+
+test('getDisplayedQueryVar', () => {
+  expect(comp.getDisplayedQueryVar()).toBe('queryName');
+
+  comp.advanced = true;
+  comp.showFullQuery = true;
+  expect(comp.getDisplayedQueryVar()).toBe('query');
+
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  expect(comp.getDisplayedQueryVar()).toBe('querySearch');
+});
\ No newline at end of file
diff --git a/licensing/license_manager.go b/licensing/license_manager.go
index e3a3d7cc..19759542 100644
--- a/licensing/license_manager.go
+++ b/licensing/license_manager.go
@@ -40,10 +40,11 @@ const LICENSE_STATUS_PENDING = "pending"
 const LICENSE_STATUS_UNPROVISIONED = "unprovisioned"
 
 const FEAT_FPS = "fps"
-const FEAT_ODC = "odc"
+const FEAT_GMD = "gmd"
+const FEAT_LKS = "lks"
 const FEAT_NTF = "ntf"
+const FEAT_ODC = "odc"
 const FEAT_STG = "stg"
-const FEAT_LKS = "lks"
 const FEAT_TTR = "ttr"
 
 const PUBLIC_KEY = `
@@ -166,11 +167,12 @@ func verify(key string) (*LicenseKey, error) {
 func CreateAvailableFeatureList() []string {
 	available := make([]string, 0, 0)
 	available = append(available, FEAT_FPS)
+	available = append(available, FEAT_GMD)
 	available = append(available, FEAT_LKS)
+	available = append(available, FEAT_NTF)
 	available = append(available, FEAT_ODC)
 	available = append(available, FEAT_STG)
 	available = append(available, FEAT_TTR)
-	available = append(available, FEAT_NTF)
 	return available
 }
 
diff --git a/licensing/license_manager_test.go b/licensing/license_manager_test.go
index 312f62da..e330bcf9 100644
--- a/licensing/license_manager_test.go
+++ b/licensing/license_manager_test.go
@@ -123,13 +123,14 @@ func TestListAvailableFeatures(tester *testing.T) {
 
 	Init(EXPIRED_KEY)
 	manager.status = LICENSE_STATUS_ACTIVE
-	assert.Len(tester, ListAvailableFeatures(), 6)
+	assert.Len(tester, ListAvailableFeatures(), 7)
 	assert.Equal(tester, ListAvailableFeatures()[0], FEAT_FPS)
-	assert.Equal(tester, ListAvailableFeatures()[1], FEAT_LKS)
-	assert.Equal(tester, ListAvailableFeatures()[2], FEAT_ODC)
-	assert.Equal(tester, ListAvailableFeatures()[3], FEAT_STG)
-	assert.Equal(tester, ListAvailableFeatures()[4], FEAT_TTR)
-	assert.Equal(tester, ListAvailableFeatures()[5], FEAT_NTF)
+	assert.Equal(tester, ListAvailableFeatures()[1], FEAT_GMD)
+	assert.Equal(tester, ListAvailableFeatures()[2], FEAT_LKS)
+	assert.Equal(tester, ListAvailableFeatures()[3], FEAT_NTF)
+	assert.Equal(tester, ListAvailableFeatures()[4], FEAT_ODC)
+	assert.Equal(tester, ListAvailableFeatures()[5], FEAT_STG)
+	assert.Equal(tester, ListAvailableFeatures()[6], FEAT_TTR)
 }
 
 func TestListEnabledFeaturesUnprovisioned(tester *testing.T) {
@@ -139,13 +140,14 @@ func TestListEnabledFeaturesUnprovisioned(tester *testing.T) {
 	assert.Len(tester, ListEnabledFeatures(), 0)
 
 	Init(EXPIRED_KEY)
-	assert.Len(tester, ListEnabledFeatures(), 6)
+	assert.Len(tester, ListEnabledFeatures(), 7)
 	assert.Equal(tester, ListEnabledFeatures()[0], FEAT_FPS)
-	assert.Equal(tester, ListEnabledFeatures()[1], FEAT_LKS)
-	assert.Equal(tester, ListEnabledFeatures()[2], FEAT_ODC)
-	assert.Equal(tester, ListEnabledFeatures()[3], FEAT_STG)
-	assert.Equal(tester, ListEnabledFeatures()[4], FEAT_TTR)
-	assert.Equal(tester, ListEnabledFeatures()[5], FEAT_NTF)
+	assert.Equal(tester, ListEnabledFeatures()[1], FEAT_GMD)
+	assert.Equal(tester, ListEnabledFeatures()[2], FEAT_LKS)
+	assert.Equal(tester, ListEnabledFeatures()[3], FEAT_NTF)
+	assert.Equal(tester, ListEnabledFeatures()[4], FEAT_ODC)
+	assert.Equal(tester, ListEnabledFeatures()[5], FEAT_STG)
+	assert.Equal(tester, ListEnabledFeatures()[6], FEAT_TTR)
 
 	Init(EXPIRED_KEY)
 	manager.licenseKey.Features = append(manager.licenseKey.Features, "foo")
@@ -164,14 +166,14 @@ func TestGetLicenseKey(tester *testing.T) {
 	assert.Equal(tester, key.Nodes, 1)
 	assert.Equal(tester, key.SocUrl, "https://somewhere.invalid")
 	assert.Equal(tester, key.DataUrl, "https://another.place")
-	assert.Len(tester, key.Features, 6)
+	assert.Len(tester, key.Features, 7)
 
 	// Modify the returned object and make sure it doesn't affect the orig object
 	key.Users = 100
 	key.Features = append(key.Features, "foo")
 	assert.Equal(tester, GetLicenseKey().Users, 1)
-	assert.Len(tester, key.Features, 7)
-	assert.Len(tester, GetLicenseKey().Features, 6)
+	assert.Len(tester, key.Features, 8)
+	assert.Len(tester, GetLicenseKey().Features, 7)
 }
 
 func TestGetStatus(tester *testing.T) {
@@ -290,7 +292,8 @@ func TestValidateFeature(tester *testing.T) {
 	assert.Len(tester, manager.limits, 3)
 }
 
-func DisabledDueToJobInstability_TestPillarMonitor(tester *testing.T) {
+/* Disabled licensing tests due to test thread instability (run locally when making changes)
+func TestPillarMonitor(tester *testing.T) {
 	defer setup()()
 
 	Test("stg", 0, 0, "", "")
@@ -307,7 +310,7 @@ features:
 	assert.Contains(tester, string(contents), expected)
 }
 
-func DisabledDueToJobInstability_TestPillarMonitorAllFeatures(tester *testing.T) {
+func TestPillarMonitorAllFeatures(tester *testing.T) {
 	defer setup()()
 
 	Test("", 0, 0, "", "")
@@ -332,7 +335,9 @@ func DisabledDueToJobInstability_TestPillarMonitorAllFeatures(tester *testing.T)
 license_id: test
 features:
 - fps
+- gmd
 - lks
+- ntf
 - odc
 - stg
 - ttr
@@ -340,6 +345,7 @@ features:
 
 	assert.Equal(tester, expected, string(contents))
 }
+*/
 
 func TestPillarMonitor_Fail(tester *testing.T) {
 	defer setup()()
diff --git a/model/custom_ruleset.go b/model/custom_ruleset.go
new file mode 100644
index 00000000..b627e777
--- /dev/null
+++ b/model/custom_ruleset.go
@@ -0,0 +1,102 @@
+package model
+
+import (
+	"fmt"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/apex/log"
+)
+
+type CustomRuleset struct {
+	Community  bool   `json:"community"`
+	License    string `json:"license"`
+	Url        string `json:"url"`
+	TargetFile string `json:"target-file"`
+	File       string `json:"file"`
+	Ruleset    string `json:"ruleset"`
+}
+
+func GetCustomRulesetsDefault(cfg map[string]interface{}, field string, dflt []*CustomRuleset) ([]*CustomRuleset, error) {
+	cfgInter, ok := cfg[field]
+	if !ok || cfgInter == nil {
+		// config doesn't have any customRulesets, no error, return defaults
+		return dflt, nil
+	}
+
+	ruleMaps, ok := cfgInter.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf(`top level config value "%s" is not an array of objects`, field)
+	}
+
+	rulesets := make([]*CustomRuleset, 0, len(ruleMaps))
+
+	for _, item := range ruleMaps {
+		obj, ok := item.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf(`"%s" entry is not an object`, field)
+		}
+
+		file, _ := obj["file"].(string)
+		url, _ := obj["url"].(string)
+		target, _ := obj["target-file"].(string)
+
+		if file == "" && url == "" && target == "" {
+			return nil, fmt.Errorf(`missing "file" or "url"+"target-file" from "%s" entry`, field)
+		}
+
+		if url != "" && target == "" {
+			return nil, fmt.Errorf(`missing "target-file" from "%s" entry`, field)
+		}
+		if target != "" && url == "" {
+			return nil, fmt.Errorf(`missing "url" from "%s" entry`, field)
+		}
+
+		ruleset, ok := obj["ruleset"].(string)
+		if !ok {
+			return nil, fmt.Errorf(`missing "ruleset" from "%s" entry`, field)
+		}
+
+		license, ok := obj["license"].(string)
+		if !ok {
+			return nil, fmt.Errorf(`missing "license" from "%s" entry`, field)
+		}
+
+		isCommunity := false
+
+		community := obj["community"]
+		switch c := community.(type) {
+		case bool:
+			isCommunity = c
+		case int:
+			isCommunity = c != 0
+		case string:
+			var err error
+			isCommunity, err = strconv.ParseBool(c)
+			if err != nil {
+				isCommunity = false
+			}
+		}
+
+		ext := filepath.Ext(file)
+		if strings.ToLower(ext) != ".rules" {
+			log.WithFields(log.Fields{
+				"customRulesetFile": file,
+			}).Warn("customRulesets file should have a .rules extension")
+		}
+
+		r := &CustomRuleset{
+			File:       file,
+			Url:        url,
+			TargetFile: target,
+			License:    license,
+			Community:  isCommunity,
+			Ruleset:    ruleset,
+		}
+
+		rulesets = append(rulesets, r)
+	}
+
+	return rulesets, nil
+}
diff --git a/model/custom_ruleset_test.go b/model/custom_ruleset_test.go
new file mode 100644
index 00000000..5402768e
--- /dev/null
+++ b/model/custom_ruleset_test.go
@@ -0,0 +1,235 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+)
+
+func TestGetCustomRulesetsDefault(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Cfg      map[string]interface{}
+		Default  []*CustomRuleset
+		Expected []*CustomRuleset
+		ExpError string
+	}{
+		{
+			Name: "Missing",
+			Cfg:  map[string]interface{}{},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+		},
+		{
+			Name: "Empty",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{},
+			},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{},
+		},
+		{
+			Name: "Nil",
+			Cfg: map[string]interface{}{
+				"customRulesets": nil,
+			},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+		},
+		{
+			Name: "Valid",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"community":   true,
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"ruleset":     "example",
+						"license":     "MIT",
+					},
+					map[string]interface{}{
+						"community": 1,
+						"file":      "example2.rules",
+						"ruleset":   "example2",
+						"license":   "MIT",
+					},
+					map[string]interface{}{
+						"community":   "T",
+						"url":         "https://example3.com",
+						"target-file": "example3.rules",
+						"ruleset":     "example3",
+						"license":     "MIT",
+					},
+					map[string]interface{}{
+						"community":   "definitely",
+						"url":         "https://example4.com",
+						"target-file": "example4.rules",
+						"ruleset":     "example4",
+						"license":     "DRL",
+					},
+				},
+			},
+			Default: []*CustomRuleset{},
+			Expected: []*CustomRuleset{
+				{
+					Community:  true,
+					Url:        "https://example.com",
+					TargetFile: "example.rules",
+					Ruleset:    "example",
+					License:    "MIT",
+				},
+				{
+					Community: true,
+					File:      "example2.rules",
+					Ruleset:   "example2",
+					License:   "MIT",
+				},
+				{
+					Community:  true,
+					Url:        "https://example3.com",
+					TargetFile: "example3.rules",
+					Ruleset:    "example3",
+					License:    "MIT",
+				},
+				{
+					Community:  false,
+					Url:        "https://example4.com",
+					TargetFile: "example4.rules",
+					Ruleset:    "example4",
+					License:    "DRL",
+				},
+			},
+		},
+		{
+			Name: "Invalid Type",
+			Cfg: map[string]interface{}{
+				"customRulesets": "invalid",
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `top level config value "customRulesets" is not an array of objects`,
+		},
+		{
+			Name: "Invalid Entry",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					"invalid",
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `"customRulesets" entry is not an object`,
+		},
+		{
+			Name: "Invalid Key/Value Pairs",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"wrong": "key/value",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "file" or "url"+"target-file" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing URL",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"target-file": "example.rules",
+						"ruleset":     "example",
+						"license":     "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "url" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing Target",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":     "https://example.com",
+						"ruleset": "example",
+						"license": "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "target-file" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing Ruleset",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"license":     "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "ruleset" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing License",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"ruleset":     "example",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "license" from "customRulesets" entry`,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			out, err := GetCustomRulesetsDefault(test.Cfg, "customRulesets", test.Default)
+			if test.ExpError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), test.ExpError)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.Expected, out)
+		})
+	}
+}
diff --git a/model/detection_options.go b/model/detection_options.go
new file mode 100644
index 00000000..7be55f81
--- /dev/null
+++ b/model/detection_options.go
@@ -0,0 +1,23 @@
+package model
+
+import "fmt"
+
+type GetAllOption func(query string, schemaPrefix string) string
+
+func WithEngine(engine EngineName) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.engine:"%s"`, query, schemaPrefix, engine)
+	}
+}
+
+func WithEnabled(isEnabled bool) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.isEnabled:"%t"`, query, schemaPrefix, isEnabled)
+	}
+}
+
+func WithCommunity(isCommunity bool) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.isCommunity:"%t"`, query, schemaPrefix, isCommunity)
+	}
+}
diff --git a/model/detection_options_test.go b/model/detection_options_test.go
new file mode 100644
index 00000000..90284981
--- /dev/null
+++ b/model/detection_options_test.go
@@ -0,0 +1,45 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWithEngine(t *testing.T) {
+	queryModder := WithEngine(EngineNameElastAlert)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"elastalert"`)
+
+	queryModder = WithEngine(EngineNameStrelka)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"strelka"`)
+
+	queryModder = WithEngine(EngineNameSuricata)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"suricata"`)
+
+	queryModder = WithEngine(EngineName("unknown"))
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"unknown"`)
+}
+
+func TestWithEnabled(t *testing.T) {
+	queryModder := WithEnabled(true)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isEnabled:"true"`)
+
+	queryModder = WithEnabled(false)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isEnabled:"false"`)
+}
+
+func TestWithCommunity(t *testing.T) {
+	queryModder := WithCommunity(true)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isCommunity:"true"`)
+
+	queryModder = WithCommunity(false)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isCommunity:"false"`)
+}
diff --git a/model/node.go b/model/node.go
index 70080c4d..1edaa4ec 100644
--- a/model/node.go
+++ b/model/node.go
@@ -8,6 +8,8 @@ package model
 
 import (
 	"time"
+
+	"github.com/security-onion-solutions/securityonion-soc/json"
 )
 
 const NodeRoleDesktop = "so-desktop"
@@ -69,6 +71,7 @@ type Node struct {
 	DiskUsedElasticGB    float64   `json:"diskUsedElasticGB"`
 	DiskUsedInfluxDbGB   float64   `json:"diskUsedInfluxDbGB"`
 	HighstateAgeSeconds  int       `json:"highstateAgeSeconds"`
+	GmdEnabled           int       `json:"gmdEnabled"`
 	LksEnabled           int       `json:"lksEnabled"`
 	FpsEnabled           int       `json:"fpsEnabled"`
 }
@@ -144,3 +147,28 @@ func (node *Node) UpdateOverallStatus(enhancedStatusEnabled bool) bool {
 	node.MetricsEnabled = enhancedStatusEnabled
 	return oldStatus != node.Status
 }
+
+func (node *Node) IsProcessRunning(match string) bool {
+	nodeStatus := NodeStatus{}
+	err := json.LoadJson([]byte(node.ProcessJson), &nodeStatus)
+	if err != nil {
+		return false
+	}
+	for _, process := range nodeStatus.Containers {
+		if process.Name == match {
+			return process.Status == "running"
+		}
+	}
+	return false
+}
+
+type NodeStatus struct {
+	StatusCode int             `json:"status_code"`
+	Containers []ProcessStatus `json:"containers"`
+}
+
+type ProcessStatus struct {
+	Name    string `json:"Name"`
+	Status  string `json:"Status"`
+	Details string `json:"Details"`
+}
diff --git a/model/node_test.go b/model/node_test.go
index 9fb3bf1d..7c0eb347 100644
--- a/model/node_test.go
+++ b/model/node_test.go
@@ -204,3 +204,14 @@ func TestUpdateNodeStatusPending(tester *testing.T) {
 	testStatus(tester, true, NodeStatusOk, NodeStatusOk, NodeStatusOk, NodeStatusOk, NodeStatusOk, 1, NodeStatusRestart)
 	testStatus(tester, true, NodeStatusPending, NodeStatusFault, NodeStatusOk, NodeStatusOk, NodeStatusOk, 1, NodeStatusFault)
 }
+
+func TestIsProcessRunning(tester *testing.T) {
+	node := NewNode("")
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = "{}"
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = `{"containers":[{"Name":"so-foo", "Status":"running"}]}`
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = `{"containers":[{"Name":"so-test", "Status":"running"}]}`
+	assert.True(tester, node.IsProcessRunning("so-test"))
+}
diff --git a/server/detectionengine.go b/server/detectionengine.go
index a4b88f8f..465a95e4 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -19,6 +19,7 @@ type DetectionEngine interface {
 	InterruptSync(forceFull bool, notify bool)
 	DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error)
 	GetState() *model.EngineState
+	GenerateUnusedPublicId(ctx context.Context) (string, error)
 }
 
 type SyncStatus struct {
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index be09c8e4..e18d215c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -28,6 +28,7 @@ type BulkOp struct {
 	IDs       []string `json:"ids"`
 	Query     *string  `json:"query"`
 	NewStatus bool     `json:"-"`
+	Delete    bool     `json:"-"`
 }
 
 type DetectionHandler struct {
@@ -65,6 +66,8 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
 		r.Post("/sync/{engine}/{type}", h.syncEngineDetections)
+
+		r.Get("/{engine}/genpublicid", h.genPublicId)
 	})
 }
 
@@ -156,6 +159,12 @@ func (h *DetectionHandler) createDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	_, err = engine.ValidateRule(detect.Content)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid rule: %w", err))
+		return
+	}
+
 	err = engine.ExtractDetails(detect)
 	if err != nil {
 		if err.Error() == "rule does not contain a public Id" {
@@ -274,6 +283,12 @@ func (h *DetectionHandler) updateDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	_, err = engine.ValidateRule(detect.Content)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid rule: %w", err))
+		return
+	}
+
 	err = h.PrepareForSave(ctx, detect, engine)
 	if err != nil {
 		if err.Error() == "Object not found" {
@@ -366,9 +381,12 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	newStatus := chi.URLParam(r, "newStatus") // "enable" or "disable"
 
 	var enabled bool
+	var delete bool
 	switch strings.ToLower(newStatus) {
 	case "enable", "disable":
 		enabled = strings.ToLower(newStatus) == "enable"
+	case "delete":
+		delete = true
 	default:
 		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid status; must be 'enable' or 'disable'"))
 		return
@@ -382,6 +400,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	body.NewStatus = enabled
+	body.Delete = delete
 
 	err = h.server.CheckAuthorized(ctx, "write", "detections")
 	if err != nil {
@@ -389,87 +408,155 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
+	IDs := []string{}
+	containsCommunity := false
+
+	if body.Query != nil {
+		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
+
+		var results []interface{}
+
+		results, err = h.server.Detectionstore.Query(ctx, query, -1)
+		if err != nil {
+			return
+		}
+		for _, d := range results {
+			det := d.(*model.Detection)
+			if det.IsCommunity {
+				containsCommunity = true
+				if delete {
+					break
+				}
+			}
+
+			IDs = append(IDs, det.Id)
+		}
+	} else {
+		for _, id := range body.IDs {
+			IDs = append(IDs, id)
+			if body.Delete {
+				det, err := h.server.Detectionstore.GetDetection(ctx, id)
+				if err != nil {
+					web.Respond(w, r, http.StatusInternalServerError, err)
+					return
+				}
+
+				if det.IsCommunity {
+					containsCommunity = true
+					if delete {
+						break
+					}
+				}
+			}
+		}
+	}
+
+	if containsCommunity && body.Delete {
+		web.Respond(w, r, http.StatusBadRequest, "ERROR_BULK_COMMUNITY")
+		return
+	}
+
 	// new context that doesn't contain a timeout or deadline, but does include
 	// the user we're making requests to ES on behalf of.
 	noTimeOutCtx := context.WithValue(context.Background(), web.ContextKeyRequestor, ctx.Value(web.ContextKeyRequestor).(*model.User))
 	noTimeOutCtx = context.WithValue(noTimeOutCtx, web.ContextKeyRequestorId, ctx.Value(web.ContextKeyRequestorId).(string))
 	noTimeOutCtx = web.MarkChangedByUser(noTimeOutCtx, true)
 
-	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body)
+	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body, IDs)
 
-	web.Respond(w, r, http.StatusAccepted, nil)
+	web.Respond(w, r, http.StatusAccepted, map[string]interface{}{
+		"count": len(IDs),
+	})
 }
 
-func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp) {
+// bulkUpdateDetectionAsync is a helper function that performs the bulk update in a separate goroutine.
+// Note that the IdList is SOC Ids, not Public Ids.
+func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp, IdList []string) {
 	var err error
 	var update, sync time.Duration
 	errMap := map[string]string{} // map[id]error
 	IDs := map[string]struct{}{}
 	modified := []*model.Detection{}
+	deleted := []*model.Detection{}
+
+	for _, id := range IdList {
+		IDs[id] = struct{}{}
+	}
 
 	totalTimeStart := time.Now()
 
 	defer func() {
 		totalTime := time.Since(totalTimeStart)
 
-		log.WithFields(log.Fields{
+		withStats := log.WithFields(log.Fields{
 			"error":      len(errMap),
 			"total":      len(IDs),
 			"modified":   len(modified),
+			"deleted":    len(deleted),
 			"updateTime": update.Seconds(),
 			"syncTime":   sync.Seconds(),
 			"totalTime":  totalTime.Seconds(),
-		}).Error("bulk update Detections finished")
+		})
+
+		if len(errMap) != 0 {
+			withStats.Error("bulk action Detections finished")
+		} else {
+			withStats.Info("bulk action Detections finished")
+		}
+
+		verb := "update"
+		if body.Delete {
+			verb = "delete"
+		}
 
 		h.server.Host.Broadcast("detections:bulkUpdate", "detections", map[string]interface{}{
 			"error":    len(errMap),
+			"verb":     verb,
 			"total":    len(IDs),
-			"modified": len(modified),
+			"modified": len(modified) + len(deleted),
 			"time":     totalTime.Seconds(),
 		})
 	}()
 
-	for _, id := range body.IDs {
-		IDs[id] = struct{}{}
-	}
-
-	if body.Query != nil {
-		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
-
-		var results []interface{}
-
-		results, err = h.server.Detectionstore.Query(ctx, query, -1)
-		if err != nil {
-			return
-		}
-		for _, d := range results {
-			det := d.(*model.Detection)
-			id := det.Id
-			IDs[id] = struct{}{}
-		}
-	}
-
 	log.WithField("count", len(IDs)).Info("bulk update ID count")
 
 	modified = make([]*model.Detection, 0, len(IDs))
 
 	start := time.Now()
 
-	for id := range IDs {
-		mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
-		if err != nil {
-			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+	if !body.Delete {
+		for id := range IDs {
+			mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
+			if err != nil {
+				errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 
-			continue
+				continue
+			}
+
+			modified = append(modified, mod)
 		}
+	} else {
+		for id := range IDs {
+			mod, err := h.server.Detectionstore.DeleteDetection(ctx, id)
+			if err != nil {
+				errMap[id] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
+
+				continue
+			}
 
-		modified = append(modified, mod)
+			mod.IsEnabled = false
+			mod.PendingDelete = true
+
+			deleted = append(deleted, mod)
+		}
 	}
 
 	update = time.Since(start)
 	start = time.Now()
 
-	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
+	dirty := append(modified, deleted...)
+
+	addErrMap, err := SyncLocalDetections(ctx, h.server, dirty)
 	if err != nil {
 		return
 	}
@@ -487,7 +574,7 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 	}
 
 	log.WithFields(log.Fields{
-		"modifiedCount": len(modified),
+		"modifiedCount": len(dirty),
 		"errorCount":    len(errMap),
 	}).Info("bulk update detection")
 
@@ -683,6 +770,32 @@ func (h *DetectionHandler) syncEngineDetections(w http.ResponseWriter, r *http.R
 	web.Respond(w, r, http.StatusOK, nil)
 }
 
+func (h *DetectionHandler) genPublicId(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	engine := chi.URLParam(r, "engine")
+
+	eng, ok := h.server.DetectionEngines[model.EngineName(engine)]
+	if !ok {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("unsupported engine"))
+		return
+	}
+
+	id, err := eng.GenerateUnusedPublicId(ctx)
+	if err != nil {
+		if err.Error() == "not implemented" {
+			web.Respond(w, r, http.StatusNotImplemented, nil)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, map[string]string{
+		"publicId": id,
+	})
+}
+
 func (h *DetectionHandler) PrepareForSave(ctx context.Context, detect *model.Detection, e DetectionEngine) error {
 	err := e.ExtractDetails(detect)
 	if err != nil {
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 05dd8150..e8ac11ee 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -19,7 +19,7 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllDetections(ctx context.Context, engine *model.EngineName, isEnabled *bool, isCommunity *bool) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	GetAllDetections(ctx context.Context, opts ...model.GetAllOption) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 	GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error)
 
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 6aa627b6..614d4c9c 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -114,18 +114,23 @@ func (mr *MockDetectionstoreMockRecorder) DoesTemplateExist(arg0, arg1 any) *gom
 }
 
 // GetAllDetections mocks base method.
-func (m *MockDetectionstore) GetAllDetections(arg0 context.Context, arg1 *model.EngineName, arg2, arg3 *bool) (map[string]*model.Detection, error) {
+func (m *MockDetectionstore) GetAllDetections(arg0 context.Context, arg1 ...model.GetAllOption) (map[string]*model.Detection, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAllDetections", arg0, arg1, arg2, arg3)
+	varargs := []any{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetAllDetections", varargs...)
 	ret0, _ := ret[0].(map[string]*model.Detection)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // GetAllDetections indicates an expected call of GetAllDetections.
-func (mr *MockDetectionstoreMockRecorder) GetAllDetections(arg0, arg1, arg2, arg3 any) *gomock.Call {
+func (mr *MockDetectionstoreMockRecorder) GetAllDetections(arg0 any, arg1 ...any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllDetections", reflect.TypeOf((*MockDetectionstore)(nil).GetAllDetections), arg0, arg1, arg2, arg3)
+	varargs := append([]any{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllDetections", reflect.TypeOf((*MockDetectionstore)(nil).GetAllDetections), varargs...)
 }
 
 // GetComment mocks base method.
diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go
index a68f3da7..3a277a37 100644
--- a/server/modules/detections/detengine_helpers.go
+++ b/server/modules/detections/detengine_helpers.go
@@ -13,10 +13,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 
 	"github.com/apex/log"
 	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/transport"
 )
 
 var doubleQuoteEscaper = regexp.MustCompile(`\\([\s\S])|(")`)
@@ -106,13 +108,14 @@ func WriteStateFile(iom IOManager, path string) {
 	}
 }
 
-type DirtyRepo struct {
-	WasModified bool
+type RepoOnDisk struct {
 	Repo        *model.RuleRepo
+	Path        string
+	WasModified bool
 }
 
-func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
-	allRepos = map[string]*DirtyRepo{} // map[repoPath]repo
+func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, cfg *config.ServerConfig) (allRepos []*RepoOnDisk, anythingNew bool, err error) {
+	allRepos = make([]*RepoOnDisk, 0, len(rulesRepos))
 
 	// read existing repos
 	entries, err := os.ReadDir(baseRepoFolder)
@@ -146,13 +149,20 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		_, lastFolder := path.Split(parser.Path)
 		repoPath := filepath.Join(baseRepoFolder, lastFolder)
 
-		dirty := &DirtyRepo{
+		dirty := &RepoOnDisk{
 			Repo: repo,
+			Path: repoPath,
 		}
 
-		allRepos[repoPath] = dirty
+		allRepos = append(allRepos, dirty)
 		reclone := false
 
+		proxyOpts, err := proxyToTransportOptions(cfg.Proxy)
+		if err != nil {
+			log.WithError(err).WithField("proxy", cfg.Proxy).Error("failed to parse proxy URL, not using the proxy")
+			// no return here, not a bug
+		}
+
 		_, ok := existingRepos[lastFolder]
 		if ok {
 			var work *git.Worktree
@@ -187,19 +197,21 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 			}
 
 			ctx, cancel = context.WithTimeout(context.Background(), time.Minute*5)
+			defer cancel()
 
 			err = work.PullContext(ctx, &git.PullOptions{
-				Depth:        1,
-				SingleBranch: true,
+				Depth:           1,
+				SingleBranch:    true,
+				ProxyOptions:    proxyOpts,
+				CABundle:        []byte(cfg.AdditionalCA),
+				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil && err != git.NoErrAlreadyUpToDate {
-				cancel()
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to pull repo, doing nothing with it")
 				reclone = true
 
 				goto skippull
 			}
-			cancel()
 
 			if err == nil {
 				anythingNew = true
@@ -224,9 +236,12 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		if !ok || reclone {
 			// repo does not exist or was just deleted, clone
 			_, err = git.PlainClone(repoPath, false, &git.CloneOptions{
-				Depth:        1,
-				SingleBranch: true,
-				URL:          repo.Repo,
+				Depth:           1,
+				SingleBranch:    true,
+				URL:             repo.Repo,
+				ProxyOptions:    proxyOpts,
+				CABundle:        []byte(cfg.AdditionalCA),
+				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil {
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to clone repo, doing nothing with it")
@@ -252,6 +267,32 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 	return allRepos, anythingNew, nil
 }
 
+func proxyToTransportOptions(proxy string) (transport.ProxyOptions, error) {
+	if proxy == "" {
+		return transport.ProxyOptions{}, nil
+	}
+
+	p, err := url.Parse(proxy)
+	if err != nil {
+		return transport.ProxyOptions{}, err
+	}
+
+	if p.Scheme == "" {
+		p.Scheme = "http"
+	}
+
+	username := p.User.Username()
+	password, _ := p.User.Password()
+
+	p.User = nil
+
+	return transport.ProxyOptions{
+		URL:      p.String(),
+		Username: username,
+		Password: password,
+	}, nil
+}
+
 func CheckWriteNoRead(ctx context.Context, DetStore GetterByPublicId, writeNoRead *string) (shouldFail bool) {
 	if writeNoRead == nil {
 		return false
@@ -312,4 +353,28 @@ func AddUser(previous string, user *model.User, sep string) string {
 
 func EscapeDoubleQuotes(str string) string {
 	return doubleQuoteEscaper.ReplaceAllString(str, "\\$1$2")
-}
\ No newline at end of file
+}
+
+func DeduplicateByPublicId(detects []*model.Detection) []*model.Detection {
+	set := map[string]*model.Detection{}
+	deduped := make([]*model.Detection, 0, len(detects))
+
+	for _, detect := range detects {
+		existing, inSet := set[detect.PublicID]
+		if inSet {
+			log.WithFields(log.Fields{
+				"publicId":         detect.PublicID,
+				"engine":           detect.Engine,
+				"existingRuleset":  existing.Ruleset,
+				"duplicateRuleset": detect.Ruleset,
+				"existingTitle":    existing.Title,
+				"duplicateTitle":   detect.Title,
+			}).Warn("duplicate publicId found, skipping")
+		} else {
+			set[detect.PublicID] = detect
+			deduped = append(deduped, detect)
+		}
+	}
+
+	return deduped
+}
diff --git a/server/modules/detections/detengine_helpers_test.go b/server/modules/detections/detengine_helpers_test.go
index e4d539f5..4a41b75f 100644
--- a/server/modules/detections/detengine_helpers_test.go
+++ b/server/modules/detections/detengine_helpers_test.go
@@ -12,6 +12,8 @@ import (
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/detections/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/tj/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -212,3 +214,122 @@ func TestEscapeDoubleQuotes(t *testing.T) {
 		})
 	}
 }
+
+func TestProxyToTransportOptions(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Proxy    string
+		Opts     transport.ProxyOptions
+		ExpError *string
+	}{
+		{
+			Name:  "Empty",
+			Proxy: "",
+			Opts:  transport.ProxyOptions{},
+		},
+		{
+			Name:  "No Auth",
+			Proxy: "http://localhost:8080",
+			Opts: transport.ProxyOptions{
+				URL: "http://localhost:8080",
+			},
+		},
+		{
+			Name:  "No Port",
+			Proxy: "http://proxyHost",
+			Opts: transport.ProxyOptions{
+				URL: "http://proxyHost",
+			},
+		},
+		{
+			Name:  "With Auth",
+			Proxy: "http://user:pass@proxyHost:3128",
+			Opts: transport.ProxyOptions{
+				URL:      "http://proxyHost:3128",
+				Username: "user",
+				Password: "pass",
+			},
+		},
+		{
+			Name:  "Assume HTTP Schema",
+			Proxy: "proxyHost",
+			Opts: transport.ProxyOptions{
+				URL: "http://proxyHost",
+			},
+		},
+		{
+			Name:     "Invalid URL",
+			Proxy:    "%",
+			ExpError: util.Ptr(`parse "%": invalid URL escape "%"`),
+			Opts:     transport.ProxyOptions{},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			opts, err := proxyToTransportOptions(test.Proxy)
+			if test.ExpError != nil {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpError, err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.Opts, opts)
+		})
+	}
+}
+
+func TestDeduplicateByPublicId(t *testing.T) {
+	tests := []struct {
+		Name      string
+		InputIds  []string
+		ExpOutput []string
+	}{
+		{
+			Name:      "Empty",
+			InputIds:  []string{},
+			ExpOutput: []string{},
+		},
+		{
+			Name:      "No Duplicates",
+			InputIds:  []string{"1", "2", "3"},
+			ExpOutput: []string{"1", "2", "3"},
+		},
+		{
+			Name:      "Only Duplicates",
+			InputIds:  []string{"1", "1", "1", "1", "1", "1", "1", "1", "1", "1"},
+			ExpOutput: []string{"1"},
+		},
+		{
+			Name:      "Mixed",
+			InputIds:  []string{"1", "2", "1", "3", "2", "4", "1", "5", "2", "6"},
+			ExpOutput: []string{"1", "2", "3", "4", "5", "6"},
+		},
+		{
+			Name:      "One Duplicate",
+			InputIds:  []string{"1", "2", "3", "4", "5", "6", "1"},
+			ExpOutput: []string{"1", "2", "3", "4", "5", "6"},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			dets := make([]*model.Detection, 0, len(test.InputIds))
+			for _, id := range test.InputIds {
+				dets = append(dets, &model.Detection{PublicID: id})
+			}
+
+			deduped := DeduplicateByPublicId(dets)
+
+			output := make([]string, 0, len(deduped))
+			for _, det := range deduped {
+				output = append(output, det.PublicID)
+			}
+
+			assert.Equal(t, test.ExpOutput, output)
+		})
+	}
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index f8e49850..108daf38 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -10,6 +10,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -17,6 +19,7 @@ import (
 	"io"
 	"io/fs"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -126,10 +129,14 @@ func checkRulesetEnabled(e *ElastAlertEngine, det *model.Detection) {
 }
 
 func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
-	return &ElastAlertEngine{
-		srv:       srv,
-		IOManager: &ResourceManager{},
+	engine := &ElastAlertEngine{
+		srv: srv,
 	}
+
+	resMan := &ResourceManager{Engine: engine}
+	engine.IOManager = resMan
+
+	return engine
 }
 
 func (e *ElastAlertEngine) PrerequisiteModules() []string {
@@ -572,9 +579,6 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			templateFound = true
 		}
 
-		allRepos := map[string]*model.RuleRepo{}
-		var repoChanges bool
-
 		var zips map[string][]byte
 		var errMap map[string]error
 		var regenNeeded bool
@@ -610,9 +614,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		var dirtyRepos map[string]*detections.DirtyRepo
-
-		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos)
+		dirtyRepos, repoChanges, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break
@@ -630,10 +632,6 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		for k, v := range dirtyRepos {
-			allRepos[k] = v.Repo
-		}
-
 		zipHashes := map[string]string{}
 		for pkg, data := range zips {
 			h := sha256.Sum256(data)
@@ -707,7 +705,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			break
 		}
 
-		repoDets, errMap := e.parseRepoRules(allRepos)
+		repoDets, errMap := e.parseRepoRules(dirtyRepos)
 		if errMap != nil {
 			log.WithField("sigmaParseError", errMap).Error("something went wrong while parsing sigma rule files from repos")
 		}
@@ -718,6 +716,8 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		detects = append(detects, repoDets...)
 
+		detects = detections.DeduplicateByPublicId(detects)
+
 		errMap, err = e.syncCommunityDetections(ctx, detects)
 		if err != nil {
 			if err == errModuleStopped {
@@ -857,11 +857,13 @@ func (e *ElastAlertEngine) parseZipRules(pkgZips map[string][]byte) (detections
 		}
 	}()
 
-	for pkg, zipData := range pkgZips {
+	for _, pkg := range e.sigmaRulePackages {
 		if !e.isRunning {
 			return nil, map[string]error{"module": errModuleStopped}
 		}
 
+		zipData := pkgZips[pkg]
+
 		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
 			errMap[pkg] = err
@@ -918,7 +920,7 @@ func (e *ElastAlertEngine) parseZipRules(pkgZips map[string][]byte) (detections
 	return detections, errMap
 }
 
-func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (detections []*model.Detection, errMap map[string]error) {
+func (e *ElastAlertEngine) parseRepoRules(allRepos []*detections.RepoOnDisk) (detections []*model.Detection, errMap map[string]error) {
 	errMap = map[string]error{} // map[repoName]error
 	defer func() {
 		if len(errMap) == 0 {
@@ -926,14 +928,14 @@ func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (
 		}
 	}()
 
-	for repopath, repo := range allRepos {
+	for _, repo := range allRepos {
 		if !e.isRunning {
 			return nil, map[string]error{"module": errModuleStopped}
 		}
 
-		baseDir := repopath
-		if repo.Folder != nil {
-			baseDir = filepath.Join(baseDir, *repo.Folder)
+		baseDir := repo.Path
+		if repo.Repo.Folder != nil {
+			baseDir = filepath.Join(baseDir, *repo.Repo.Folder)
 		}
 
 		err := e.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
@@ -967,16 +969,16 @@ func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (
 				return nil
 			}
 
-			ruleset := filepath.Base(repopath)
+			ruleset := filepath.Base(repo.Path)
 
-			det := rule.ToDetection(ruleset, repo.License, repo.Community)
+			det := rule.ToDetection(ruleset, repo.Repo.License, repo.Repo.Community)
 
 			detections = append(detections, det)
 
 			return nil
 		})
 		if err != nil {
-			log.WithError(err).WithField("elastAlertRuleRepo", repopath).Error("Failed to walk repo")
+			log.WithError(err).WithField("elastAlertRuleRepo", repo.Path).Error("Failed to walk repo")
 			continue
 		}
 	}
@@ -990,7 +992,7 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detects
 		return nil, err
 	}
 
-	community, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameElastAlert), nil, util.Ptr(true))
+	community, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameElastAlert), model.WithCommunity(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1006,16 +1008,6 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detects
 		}
 	}
 
-	// carry forward existing overrides
-	for i := range detects {
-		det := detects[i]
-
-		comDet, exists := community[det.PublicID]
-		if exists {
-			det.Overrides = comDet.Overrides
-		}
-	}
-
 	results := struct {
 		Added     int
 		Updated   int
@@ -1333,7 +1325,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 	return query, nil
 }
 
-func (e *ElastAlertEngine) generateUnusedPublicId(ctx context.Context) (string, error) {
+func (e *ElastAlertEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
 	id := uuid.New().String()
 
 	i := 0
@@ -1359,7 +1351,7 @@ func (e *ElastAlertEngine) generateUnusedPublicId(ctx context.Context) (string,
 }
 
 func (e *ElastAlertEngine) DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error) {
-	id, err := e.generateUnusedPublicId(ctx)
+	id, err := e.GenerateUnusedPublicId(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -1601,7 +1593,7 @@ func (e *ElastAlertEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameElastAlert), util.Ptr(true), nil)
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameElastAlert), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
@@ -1666,7 +1658,10 @@ func (e *ElastAlertEngine) getDeployedPublicIds() (publicIds []string, err error
 // go install go.uber.org/mock/mockgen@latest
 //go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
 
-type ResourceManager struct{}
+type ResourceManager struct {
+	Engine  *ElastAlertEngine
+	_client *http.Client
+}
 
 func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
 	return os.ReadFile(path)
@@ -1684,8 +1679,47 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 	return os.ReadDir(path)
 }
 
-func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	return http.DefaultClient.Do(req)
+func (resman *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	if resman._client == nil {
+		// cache for reuse, the config values can't change without a server restart
+		resman._client = resman.buildHttpClient()
+	}
+
+	return resman._client.Do(req)
+}
+
+func (resman *ResourceManager) buildHttpClient() *http.Client {
+	transport := &http.Transport{}
+
+	if resman.Engine.srv.Config.Proxy != "" {
+		p, err := url.Parse(resman.Engine.srv.Config.Proxy)
+		if err != nil {
+			log.WithError(err).WithField("proxy", resman.Engine.srv.Config.Proxy).Error("unable to parse proxy URL, not using proxy")
+		} else {
+			transport.Proxy = http.ProxyURL(p)
+		}
+	}
+
+	if resman.Engine.srv.Config.InsecureSkipVerify {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
+	if resman.Engine.srv.Config.AdditionalCA != "" {
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			pool = x509.NewCertPool()
+		}
+
+		pool.AppendCertsFromPEM([]byte(resman.Engine.srv.Config.AdditionalCA))
+
+		transport.TLSClientConfig.RootCAs = pool
+	}
+
+	return &http.Client{Transport: transport}
 }
 
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index e77b29b9..3d328f0a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -22,10 +22,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/detections"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 
@@ -528,7 +530,8 @@ level: high
 	}
 
 	engine := ElastAlertEngine{
-		isRunning: true,
+		isRunning:         true,
+		sigmaRulePackages: []string{"all_rules"},
 	}
 	engine.allowRegex = regexp.MustCompile("00000000-0000-0000-0000-00000000")
 	engine.denyRegex = regexp.MustCompile("deny")
@@ -577,11 +580,14 @@ level: high
 license: Elastic-2.0
 `
 
-	repos := map[string]*model.RuleRepo{
-		"repo-path": {
-			Repo:      "github.com/repo-user/repo-path",
-			License:   "DRL",
-			Community: true,
+	repos := []*detections.RepoOnDisk{
+		{
+			Repo: &model.RuleRepo{
+				Repo:      "github.com/repo-user/repo-path",
+				License:   "DRL",
+				Community: true,
+			},
+			Path: "repo-path",
 		},
 	}
 
@@ -1027,3 +1033,108 @@ func TestGetDeployedPublicIds(t *testing.T) {
 	assert.Contains(t, ids, "00000000-0000-0000-0000-000000000000")
 	assert.Contains(t, ids, "11111111-1111-1111-1111-111111111111")
 }
+
+func TestBuildHttpClient(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		Name                 string
+		Proxy                string
+		RootCA               string
+		InsecureSkipVerify   bool
+		ExpectEmptyTransport bool
+	}{
+		{
+			Name:                 "Empty",
+			ExpectEmptyTransport: true,
+		},
+		{
+			Name:  "Has Proxy",
+			Proxy: "http://myProxy:3128",
+		},
+		{
+			Name:   "Has Root CA",
+			RootCA: "pubkey",
+		},
+		{
+			Name:               "InvalidSkipVerify",
+			InsecureSkipVerify: true,
+		},
+		{
+			Name:   "Proxy + Root CA",
+			Proxy:  "http://myProxy:3128",
+			RootCA: "pubkey",
+		},
+		{
+			Name:               "Proxy + InsecureSkipVerify",
+			Proxy:              "http://myProxy:3128",
+			InsecureSkipVerify: true,
+		},
+		{
+			Name:               "Proxy + Root CA + InsecureSkipVerify",
+			Proxy:              "http://myProxy:3128",
+			RootCA:             "pubkey",
+			InsecureSkipVerify: true,
+		},
+		{
+			Name:                 "Invalid Proxy",
+			Proxy:                "%",
+			ExpectEmptyTransport: true,
+		},
+	}
+
+	proxy := "http://myProxy:3128"
+
+	resman := &ResourceManager{
+		Engine: &ElastAlertEngine{
+			srv: &server.Server{
+				Config: &config.ServerConfig{
+					Proxy: "",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			resman.Engine.srv.Config.Proxy = test.Proxy
+			resman.Engine.srv.Config.AdditionalCA = test.RootCA
+			resman.Engine.srv.Config.InsecureSkipVerify = test.InsecureSkipVerify
+
+			client := resman.buildHttpClient()
+			transport := client.Transport.(*http.Transport)
+
+			if test.ExpectEmptyTransport {
+				assert.Equal(t, &http.Transport{}, transport)
+				return
+			}
+
+			if test.Proxy != "" {
+				assert.NotNil(t, transport)
+				assert.NotNil(t, transport.Proxy)
+
+				proxyURL, err := transport.Proxy(nil)
+				assert.NoError(t, err)
+				assert.Equal(t, proxy, proxyURL.String())
+			}
+
+			if test.RootCA != "" {
+				assert.NotNil(t, transport.TLSClientConfig)
+				assert.NotNil(t, transport.TLSClientConfig.RootCAs)
+			} else {
+				if transport.TLSClientConfig != nil {
+					assert.Nil(t, transport.TLSClientConfig.RootCAs)
+				}
+			}
+
+			if test.InsecureSkipVerify {
+				assert.True(t, transport.TLSClientConfig.InsecureSkipVerify)
+			} else {
+				if transport.TLSClientConfig != nil {
+					assert.False(t, transport.TLSClientConfig.InsecureSkipVerify)
+				}
+			}
+		})
+	}
+}
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
index 89637d2a..5ab12ca9 100644
--- a/server/modules/elastalert/validate_test.go
+++ b/server/modules/elastalert/validate_test.go
@@ -189,7 +189,7 @@ func TestGenerateUnusedPublicId(t *testing.T) {
 		isRunning: true,
 	}
 
-	id, err := eng.generateUnusedPublicId(ctx)
+	id, err := eng.GenerateUnusedPublicId(ctx)
 
 	assert.Empty(t, id)
 	assert.Error(t, err)
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 42ec7f18..77fb7c28 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -68,7 +68,7 @@ func (store *ElasticDetectionstore) validateId(id string, label string) error {
 func (store *ElasticDetectionstore) validatePublicId(id string, label string) error {
 	var err error
 
-	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{5,128}$`).MatchString
+	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{3,128}$`).MatchString
 	if !isValidId(id) {
 		err = fmt.Errorf("invalid ID for %s", label)
 	}
@@ -516,6 +516,12 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 		return nil, err
 	}
 
+	// prepareForSave clears Id creating a side effect for the caller
+	id := detect.Id
+	defer func() {
+		detect.Id = id
+	}()
+
 	results, err := store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
 	if err != nil {
 		return nil, err
@@ -619,19 +625,11 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, id stri
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllDetections(ctx context.Context, engine *model.EngineName, isEnabled *bool, isCommunity *bool) (map[string]*model.Detection, error) {
+func (store *ElasticDetectionstore) GetAllDetections(ctx context.Context, opts ...model.GetAllOption) (map[string]*model.Detection, error) {
 	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection")
 
-	if engine != nil {
-		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
-	}
-
-	if isEnabled != nil {
-		query += fmt.Sprintf(` AND %sdetection.isEnabled:%t`, store.schemaPrefix, *isEnabled)
-	}
-
-	if isCommunity != nil {
-		query += fmt.Sprintf(` AND %sdetection.isCommunity:%t`, store.schemaPrefix, *isCommunity)
+	for _, opt := range opts {
+		query = opt(query, store.schemaPrefix)
 	}
 
 	all, err := store.Query(ctx, query, -1)
diff --git a/server/modules/elastic/elasticdetectionstore_test.go b/server/modules/elastic/elasticdetectionstore_test.go
index 6f51b0dd..506652fd 100644
--- a/server/modules/elastic/elasticdetectionstore_test.go
+++ b/server/modules/elastic/elasticdetectionstore_test.go
@@ -15,6 +15,7 @@ import (
 	modmock "github.com/security-onion-solutions/securityonion-soc/server/modules/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/tidwall/gjson"
 )
@@ -121,6 +122,9 @@ func TestDetectionValidatePublicIdValid(t *testing.T) {
 	err := store.validatePublicId("12345", "test")
 	assert.NoError(t, err)
 
+	err = store.validatePublicId("123", "test")
+	assert.NoError(t, err)
+
 	err = store.validatePublicId("123456", "test")
 	assert.NoError(t, err)
 
@@ -693,6 +697,7 @@ func TestUpdateDetectionValid(t *testing.T) {
 	reqDet.UpdateTime = nil
 	reqDet.Overrides = nil
 	detWithoutId.CreateTime = nil
+	detWithoutId.Id = ""
 	assert.Equal(t, detWithoutId, reqDet)
 
 	body, err := io.ReadAll(reqs[1].Body)
@@ -1091,12 +1096,12 @@ func TestGetAllCommunitySIDs(t *testing.T) {
 
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
-	sids, err := store.GetAllDetections(ctx, nil, nil, nil)
+	sids, err := store.GetAllDetections(ctx)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, len(sids))
 	assert.NotNil(t, sids["ABC123"])
 
-	sids, err = store.GetAllDetections(ctx, util.Ptr(model.EngineName("suricata")), nil, nil)
+	sids, err = store.GetAllDetections(ctx, model.WithEngine(model.EngineNameSuricata))
 	assert.NoError(t, err)
 	assert.Equal(t, 1, len(sids))
 	assert.NotNil(t, sids["ABC123"])
diff --git a/server/modules/influxdb/influxdbmetrics.go b/server/modules/influxdb/influxdbmetrics.go
index 35d35680..2ac247e7 100644
--- a/server/modules/influxdb/influxdbmetrics.go
+++ b/server/modules/influxdb/influxdbmetrics.go
@@ -72,8 +72,8 @@ type InfluxDBMetrics struct {
 	diskUsedElasticGB        map[string]float64
 	diskUsedInfluxDbGB       map[string]float64
 	highstateAgeSeconds      map[string]int
-	lksEnabled               map[string]int
 	fpsEnabled               map[string]int
+	lksEnabled               map[string]int
 }
 
 func NewInfluxDBMetrics(srv *server.Server) *InfluxDBMetrics {
@@ -303,8 +303,8 @@ func (metrics *InfluxDBMetrics) updateOsStatus() {
 		identity := 1.0
 
 		metrics.osNeedsRestart = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("os", "restart", "", ""))
-		metrics.lksEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "lks", "", ""))
 		metrics.fpsEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "fps", "", ""))
+		metrics.lksEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "lks", "", ""))
 		metrics.osUptime = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("system", "uptime", "", ""))
 		metrics.diskTotalRootGB = metrics.convertValuesToFloat64(metrics.fetchLatestValuesByHost("disk", "total", "", "|> filter(fn: (r) => r[\"path\"] == \"/\")"), bytesToGB)
 		metrics.diskUsedRootPct = metrics.convertValuesToFloat64(metrics.fetchLatestValuesByHost("disk", "used_percent", "", "|> filter(fn: (r) => r[\"path\"] == \"/\")"), identity)
@@ -495,13 +495,14 @@ func (metrics *InfluxDBMetrics) UpdateNodeMetrics(ctx context.Context, node *mod
 		node.DiskUsedElasticGB = metrics.diskUsedElasticGB[node.Id]
 		node.DiskUsedInfluxDbGB = metrics.diskUsedInfluxDbGB[node.Id]
 		node.HighstateAgeSeconds = metrics.highstateAgeSeconds[node.Id]
-		node.LksEnabled = metrics.lksEnabled[node.Id]
 		node.FpsEnabled = metrics.fpsEnabled[node.Id]
+		node.LksEnabled = metrics.lksEnabled[node.Id]
 
 		enhancedStatusEnabled := (metrics.client != nil)
 		status = node.UpdateOverallStatus(enhancedStatusEnabled)
 
 		licensing.ValidateFeature(licensing.FEAT_FPS, node.FpsEnabled == 1)
+		licensing.ValidateFeature(licensing.FEAT_GMD, node.IsProcessRunning("so-kafka"))
 		licensing.ValidateFeature(licensing.FEAT_LKS, node.LksEnabled == 1)
 	}
 	return status
diff --git a/server/modules/influxdb/influxdbmetrics_test.go b/server/modules/influxdb/influxdbmetrics_test.go
index eeae84b7..f144d9b0 100644
--- a/server/modules/influxdb/influxdbmetrics_test.go
+++ b/server/modules/influxdb/influxdbmetrics_test.go
@@ -139,16 +139,10 @@ func TestGetOsNeedsRestart(tester *testing.T) {
 	assert.Equal(tester, 0, metrics.getOsNeedsRestart("missing"))
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsLksUnlicensed(tester *testing.T) {
-	licensing.Test("odc", 0, 0, "", "")
+func updateNodeMetricsFeature(tester *testing.T, featureId string, metrics *InfluxDBMetrics, expectedStatus string) {
+	licensing.Test(featureId, 0, 0, "", "")
 	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
 
-	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
-	metrics.lastOsUpdateTime = time.Now()
-	metrics.lksEnabled = make(map[string]int)
-	metrics.lksEnabled["id1"] = 1
-	metrics.lksEnabled["id2"] = 0
-
 	node1 := model.NewNode("id1")
 	node2 := model.NewNode("id2")
 	node3 := model.NewNode("id3")
@@ -158,71 +152,43 @@ func DisabledDueToJobInstability_TestUpdateNodeMetricsLksUnlicensed(tester *test
 	metrics.UpdateNodeMetrics(context.Background(), node2)
 	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
 	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_EXCEEDED, licensing.GetStatus())
+	assert.Equal(tester, expectedStatus, licensing.GetStatus())
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsLksLicensed(tester *testing.T) {
-	licensing.Test("lks", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+/* Disabled licensing tests due to test thread instability (run locally when making changes)
+func TestUpdateNodeMetricsLksFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
 	metrics.lksEnabled = make(map[string]int)
 	metrics.lksEnabled["id1"] = 1
 	metrics.lksEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "lks", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsFpsUnlicensed(tester *testing.T) {
-	licensing.Test("odc", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+func TestUpdateNodeMetricsFpsFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
 	metrics.fpsEnabled = make(map[string]int)
 	metrics.fpsEnabled["id1"] = 1
 	metrics.fpsEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_EXCEEDED, licensing.GetStatus())
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "fps", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsFpsLicensed(tester *testing.T) {
-	licensing.Test("fps", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+func TestUpdateNodeMetricsGmdFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
-	metrics.fpsEnabled = make(map[string]int)
-	metrics.fpsEnabled["id1"] = 1
-	metrics.fpsEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
+	metrics.processJson = make(map[string]string)
+	metrics.processJson["id1"] = `{"containers":[{"Name":"so-kafka", "Status":"running"}]}`
+	metrics.processJson["id2"] = `{"containers":[{"Name":"so-kafka", "Status":"stopped"}]}`
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "gmd", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
+*/
diff --git a/server/modules/strelka/mock/mock_iomanager.go b/server/modules/strelka/mock/mock_iomanager.go
index e30a25b2..bd06aeae 100644
--- a/server/modules/strelka/mock/mock_iomanager.go
+++ b/server/modules/strelka/mock/mock_iomanager.go
@@ -10,7 +10,6 @@ package mock
 
 import (
 	fs "io/fs"
-	http "net/http"
 	exec "os/exec"
 	reflect "reflect"
 	time "time"
@@ -72,21 +71,6 @@ func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
 }
 
-// MakeRequest mocks base method.
-func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MakeRequest", arg0)
-	ret0, _ := ret[0].(*http.Response)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MakeRequest indicates an expected call of MakeRequest.
-func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
-}
-
 // ReadDir mocks base method.
 func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
 	m.ctrl.T.Helper()
@@ -117,6 +101,20 @@ func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
 }
 
+// WalkDir mocks base method.
+func (m *MockIOManager) WalkDir(arg0 string, arg1 fs.WalkDirFunc) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WalkDir", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WalkDir indicates an expected call of WalkDir.
+func (mr *MockIOManagerMockRecorder) WalkDir(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WalkDir", reflect.TypeOf((*MockIOManager)(nil).WalkDir), arg0, arg1)
+}
+
 // WriteFile mocks base method.
 func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
 	m.ctrl.T.Helper()
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index f8ac6e94..51011870 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -14,7 +14,6 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -60,8 +59,8 @@ type IOManager interface {
 	WriteFile(path string, contents []byte, perm fs.FileMode) error
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
-	MakeRequest(*http.Request) (*http.Response, error)
 	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
+	WalkDir(root string, fn fs.WalkDirFunc) error
 }
 
 type StrelkaEngine struct {
@@ -398,9 +397,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			templateFound = true
 		}
 
-		upToDate := map[string]*model.RuleRepo{}
-
-		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos)
+		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break
@@ -439,13 +436,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		for k, v := range allRepos {
-			if v.WasModified || forceSync {
-				upToDate[k] = v.Repo
-			}
-		}
-
-		communityDetections, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameStrelka), nil, util.Ptr(true))
+		communityDetections, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameStrelka), model.WithCommunity(true))
 		if err != nil {
 			log.WithError(err).Error("Failed to get all community SIDs")
 
@@ -465,20 +456,24 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 		}
 
 		et := detections.NewErrorTracker(e.failAfterConsecutiveErrorCount)
-		failSync := false
+		detects := []*model.Detection{}
 
 		// parse *.yar files in repos
-		for repopath, repo := range upToDate {
+		for repopath, repo := range allRepos {
 			if !e.isRunning {
 				return
 			}
 
-			baseDir := repopath
-			if repo.Folder != nil {
-				baseDir = filepath.Join(baseDir, *repo.Folder)
+			if !repo.WasModified && !forceSync {
+				continue
+			}
+
+			baseDir := repo.Path
+			if repo.Repo.Folder != nil {
+				baseDir = filepath.Join(baseDir, *repo.Repo.Folder)
 			}
 
-			err = filepath.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
+			err = e.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
 				if err != nil {
 					log.WithError(err).WithField("repoPath", path).Error("Failed to walk path")
 					return nil
@@ -510,97 +505,108 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 				}
 
 				for _, rule := range parsed {
-					det := rule.ToDetection(repo.License, filepath.Base(repopath), repo.Community)
-					log.WithFields(log.Fields{
-						"rule.uuid": det.PublicID,
-						"rule.name": det.Title,
-					}).Info("Strelka community sync - processing YARA rule")
-
-					comRule, exists := communityDetections[det.PublicID]
-					if exists {
-						if comRule.Content != det.Content || comRule.Ruleset != det.Ruleset || len(det.Overrides) != 0 {
-							// pre-existing detection, update it
-							det.IsEnabled = comRule.IsEnabled
-							det.Id = comRule.Id
-							det.Overrides = comRule.Overrides
-							det.CreateTime = comRule.CreateTime
-
-							log.WithFields(log.Fields{
-								"rule.uuid": det.PublicID,
-								"rule.name": det.Title,
-							}).Info("Updating Yara detection")
-
-							_, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
-							if err != nil && err.Error() == "Object not found" {
-								log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
-
-								writeNoRead = util.Ptr(det.PublicID)
-								failSync = true
-
-								return err
-							}
-
-							eterr := et.AddError(err)
-							if eterr != nil {
-								return eterr
-							}
+					det := rule.ToDetection(repo.Repo.License, filepath.Base(repo.Path), repo.Repo.Community)
+					detects = append(detects, det)
+				}
 
-							if err != nil {
-								log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to update detection")
-								continue
-							}
-						}
+				return nil
+			})
+			if err != nil {
+				log.WithError(err).WithField("strelkaRepo", repopath).Error("failed while walking repo")
 
-						delete(toDelete, det.PublicID)
-					} else {
-						// new detection, create it
-						log.WithFields(log.Fields{
-							"rule.uuid": det.PublicID,
-							"rule.name": det.Title,
-						}).Info("Creating new Yara detection")
+				continue
+			}
+		}
 
-						checkRulesetEnabled(e, det)
+		var eterr error
+		detects = detections.DeduplicateByPublicId(detects)
 
-						_, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
-						if err != nil && err.Error() == "Object not found" {
-							log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
+		for _, det := range detects {
+			log.WithFields(log.Fields{
+				"rule.uuid": det.PublicID,
+				"rule.name": det.Title,
+			}).Info("Strelka community sync - processing YARA rule")
 
-							writeNoRead = util.Ptr(det.PublicID)
-							failSync = true
+			comRule, exists := communityDetections[det.PublicID]
+			if exists {
+				if comRule.Content != det.Content || comRule.Ruleset != det.Ruleset || len(det.Overrides) != 0 {
+					// pre-existing detection, update it
+					det.IsEnabled = comRule.IsEnabled
+					det.Id = comRule.Id
+					det.Overrides = comRule.Overrides
+					det.CreateTime = comRule.CreateTime
 
-							return err
-						}
+					log.WithFields(log.Fields{
+						"rule.uuid": det.PublicID,
+						"rule.name": det.Title,
+					}).Info("Updating Yara detection")
 
-						eterr := et.AddError(err)
-						if eterr != nil {
-							failSync = true
+					_, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
+					if err != nil && err.Error() == "Object not found" {
+						writeNoRead = util.Ptr(det.PublicID)
+						log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
 
-							return eterr
-						}
+						break
+					}
 
-						if err != nil {
-							log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to create detection")
-							continue
-						}
+					eterr = et.AddError(err)
+					if eterr != nil {
+						break
+					}
 
-						delete(toDelete, det.PublicID)
+					if err != nil {
+						log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to update detection")
+						continue
 					}
 				}
 
-				return nil
-			})
-			if err != nil {
-				log.WithError(err).WithField("strelkaRepo", repopath).Error("failed while walking repo")
+				delete(toDelete, det.PublicID)
+			} else {
+				// new detection, create it
+				log.WithFields(log.Fields{
+					"rule.uuid": det.PublicID,
+					"rule.name": det.Title,
+				}).Info("Creating new Yara detection")
+
+				checkRulesetEnabled(e, det)
+
+				_, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
+				if err != nil && err.Error() == "Object not found" {
+					writeNoRead = util.Ptr(det.PublicID)
+					log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
 
-				if failSync {
 					break
 				}
 
-				continue
+				eterr = et.AddError(err)
+				if eterr != nil {
+					break
+				}
+
+				if err != nil {
+					log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to create detection")
+					continue
+				}
+
+				delete(toDelete, det.PublicID)
 			}
 		}
 
-		if failSync {
+		if eterr != nil || writeNoRead != nil {
+			if eterr != nil {
+				log.WithError(eterr).Error("unable to sync YARA community detections")
+			}
+			if writeNoRead != nil {
+				log.Warn("detection was written but not read back, attempting read before continuing")
+			}
+
+			if e.notify {
+				e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+					Engine: model.EngineNameElastAlert,
+					Status: "error",
+				})
+			}
+
 			continue
 		}
 
@@ -902,7 +908,7 @@ func buildImportChecker(pkg string) *regexp.Regexp {
 }
 
 func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]string, err error) {
-	results, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil)
+	results, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameStrelka), model.WithEnabled(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1003,6 +1009,12 @@ func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model
 	return det, nil
 }
 
+func (e *StrelkaEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
+	// PublicIDs for Strelka are the rule name which should correlate with what the rule does.
+	// Cannot generate arbitrary but still useful public IDs
+	return "", fmt.Errorf("not implemented")
+}
+
 func (e *StrelkaEngine) IntegrityCheck(canInterrupt bool) error {
 	// escape
 	if canInterrupt && !e.IntegrityCheckerData.IsRunning {
@@ -1058,7 +1070,7 @@ func (e *StrelkaEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil)
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameStrelka), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
@@ -1167,10 +1179,6 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 	return os.ReadDir(path)
 }
 
-func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	return http.DefaultClient.Do(req)
-}
-
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
 	start := time.Now()
 	output, err = cmd.CombinedOutput()
@@ -1180,3 +1188,7 @@ func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode in
 
 	return output, exitCode, runtime, err
 }
+
+func (_ *ResourceManager) WalkDir(root string, fn fs.WalkDirFunc) error {
+	return filepath.WalkDir(root, fn)
+}
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
index 162d5166..5630145f 100644
--- a/server/modules/strelka/strelka_test.go
+++ b/server/modules/strelka/strelka_test.go
@@ -17,6 +17,7 @@ import (
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
 	"github.com/tj/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -272,14 +273,14 @@ func TestSyncStrelka(t *testing.T) {
 		{
 			Name: "Enable Simple Rules",
 			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
-				mockDetStore.EXPECT().GetAllDetections(gomock.Any(), util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil).Return(map[string]*model.Detection{
-					"1": &model.Detection{
+				mockDetStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{
+					"1": {
 						PublicID:  "1",
 						Engine:    model.EngineNameStrelka,
 						Content:   simpleRule,
 						IsEnabled: true,
 					},
-					"2": &model.Detection{
+					"2": {
 						PublicID:  "2",
 						Engine:    model.EngineNameStrelka,
 						Content:   simpleRule,
diff --git a/server/modules/suricata/migration-2.4.70.go b/server/modules/suricata/migration-2.4.70.go
index 001f5ecd..297c28b7 100644
--- a/server/modules/suricata/migration-2.4.70.go
+++ b/server/modules/suricata/migration-2.4.70.go
@@ -7,9 +7,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
-	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
 	"gopkg.in/yaml.v3"
 )
 
@@ -45,7 +45,7 @@ func (e *SuricataEngine) Migration2470(statePath string) error {
 	dirty := map[string]struct{}{} // map[sid]X
 
 	// retrieve all suricata rules
-	detects, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameSuricata), nil, nil)
+	detects, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata))
 	if err != nil {
 		return err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 60508f38..d595be18 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -47,6 +48,7 @@ var licenseBySource = map[string]string{
 
 const (
 	DEFAULT_COMMUNITY_RULES_FILE                  = "/nsm/rules/suricata/emerging-all.rules"
+	DEFAULT_ALL_RULES_FILE                        = "/opt/sensoroni/nids/all.rules"
 	DEFAULT_RULES_FINGERPRINT_FILE                = "/opt/sensoroni/fingerprints/emerging-all.fingerprint"
 	DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS = 86400
 	DEFAULT_STATE_FILE_PATH                       = "/opt/sensoroni/fingerprints/suricataengine.state"
@@ -55,6 +57,8 @@ const (
 	DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS     = 300
 	DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT    = 10
 	DEFAULT_INTEGRITY_CHECK_FREQUENCY_SECONDS     = 600
+
+	CUSTOM_RULE_LOC = "/nsm/rules/detect-suricata/custom_temp"
 )
 
 type IOManager interface {
@@ -67,6 +71,7 @@ type IOManager interface {
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
+	allRulesFile                         string
 	rulesFingerprintFile                 string
 	communityRulesImportFrequencySeconds int
 	communityRulesImportErrorSeconds     int
@@ -80,6 +85,7 @@ type SuricataEngine struct {
 	notify                               bool
 	stateFilePath                        string
 	migrations                           map[string]func(string) error
+	customRulesets                       []*model.CustomRuleset
 	detections.IntegrityCheckerData
 	model.EngineState
 	IOManager
@@ -113,6 +119,7 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 	e.IntegrityCheckerData.Interrupt = make(chan bool, 1)
 
 	e.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", DEFAULT_COMMUNITY_RULES_FILE)
+	e.allRulesFile = module.GetStringDefault(config, "allRulesFile", DEFAULT_ALL_RULES_FILE)
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", DEFAULT_RULES_FINGERPRINT_FILE)
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS)
 	e.communityRulesImportErrorSeconds = module.GetIntDefault(config, "communityRulesImportErrorSeconds", DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS)
@@ -139,6 +146,10 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 	}
 
 	e.stateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH)
+	e.customRulesets, err = model.GetCustomRulesetsDefault(config, "customRulesets", []*model.CustomRuleset{})
+	if err != nil {
+		return fmt.Errorf("unable to get custom rulesets: %w", err)
+	}
 
 	return nil
 }
@@ -510,6 +521,24 @@ func (e *SuricataEngine) watchCommunityRules() {
 			d.IsCommunity = true
 		}
 
+		dets, err := e.ReadCustomRulesets()
+		if err != nil {
+			if e.notify {
+				e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+					Engine: model.EngineNameSuricata,
+					Status: "error",
+				})
+			}
+
+			log.WithError(err).Error("unable to parse custom rulesets")
+
+			continue
+		}
+
+		commDetections = append(commDetections, dets...)
+
+		commDetections = detections.DeduplicateByPublicId(commDetections)
+
 		errMap, err := e.syncCommunityDetections(ctx, commDetections, true, allSettings)
 		if err != nil {
 			if err == errModuleStopped {
@@ -696,6 +725,15 @@ func readFingerprint(path string) (fingerprint *string, ok bool, err error) {
 }
 
 func (e *SuricataEngine) ValidateRule(rule string) (string, error) {
+	lines := strings.Split(rule, "\n")
+	nonEmpty := lo.Filter(lines, func(line string, _ int) bool {
+		return strings.TrimSpace(line) != ""
+	})
+
+	if len(nonEmpty) != 1 {
+		return "", fmt.Errorf("suricata rules must be a single line")
+	}
+
 	parsed, err := ParseSuricataRule(rule)
 	if err != nil {
 		return rule, err
@@ -1208,7 +1246,7 @@ func (e *SuricataEngine) syncCommunityDetections(ctx context.Context, detects []
 		return nil, err
 	}
 
-	commSIDs, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameSuricata), nil, util.Ptr(true))
+	commSIDs, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameSuricata), model.WithCommunity(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1506,7 +1544,7 @@ func lookupLicense(ruleset string) string {
 	return license
 }
 
-func (e *SuricataEngine) generateUnusedPublicId(ctx context.Context) (string, error) {
+func (e *SuricataEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
 	id := strconv.Itoa(rand.IntN(1000000) + 1000000) // [1000000, 2000000)
 
 	i := 0
@@ -1532,7 +1570,7 @@ func (e *SuricataEngine) generateUnusedPublicId(ctx context.Context) (string, er
 }
 
 func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error) {
-	id, err := e.generateUnusedPublicId(ctx)
+	id, err := e.GenerateUnusedPublicId(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -1576,6 +1614,54 @@ func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *mode
 	return det, nil
 }
 
+func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err error) {
+	detects = []*model.Detection{}
+
+	for _, custom := range e.customRulesets {
+		var content []byte
+
+		if custom.File != "" {
+			content, err = e.ReadFile(custom.File)
+			if err != nil {
+				log.WithError(err).WithField("customRulesetFilePath", custom.File).Error("unable to read custom ruleset File, skipping")
+
+				return nil, err
+			}
+		} else if custom.Url != "" && custom.TargetFile != "" {
+			path := filepath.Join(CUSTOM_RULE_LOC, custom.TargetFile)
+
+			content, err = e.ReadFile(path)
+			if err != nil {
+				log.WithError(err).WithField("customRulesetTargetFilePath", path).Error("unable to read custom ruleset TargetFile, skipping")
+
+				return nil, err
+			}
+		} else {
+			log.WithFields(log.Fields{
+				"rulesetName": custom.Ruleset,
+			}).Error("invalid custom ruleset, skipping")
+
+			return nil, errors.New("invalid custom ruleset")
+		}
+
+		dets, err := e.ParseRules(string(content), custom.Ruleset, false)
+		if err != nil {
+			log.WithError(err).WithField("customRulesetName", custom.Ruleset).Error("unable to parse custom ruleset, skipping")
+
+			return nil, err
+		}
+
+		for _, detect := range dets {
+			detect.IsCommunity = custom.Community
+			detect.License = custom.License
+
+			detects = append(detects, detect)
+		}
+	}
+
+	return detects, nil
+}
+
 func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 	// escape
 	if canInterrupt && !e.IntegrityCheckerData.IsRunning {
@@ -1598,17 +1684,12 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	commRules, err := e.ReadFile(e.communityRulesFile)
+	allRules, err := e.ReadFile(e.allRulesFile)
 	if err != nil {
-		logger.WithError(err).WithField("path", e.communityRulesFile).Error("unable to read community rules file")
+		logger.WithError(err).WithField("path", e.allRulesFile).Error("unable to read all.rules file")
 		return err
 	}
 
-	local := settingByID(allSettings, "idstools.rules.local__rules")
-	if local == nil {
-		return fmt.Errorf("unable to find local rules setting")
-	}
-
 	disabled := settingByID(allSettings, "idstools.sids.disabled")
 	if disabled == nil {
 		return fmt.Errorf("unable to find disabled setting")
@@ -1627,8 +1708,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 	// unpack settings into lines/indices
 	disabledLines := strings.Split(disabled.Value, "\n")
 	modifyLines := strings.Split(modify.Value, "\n")
-	rulesLines := strings.Split(local.Value, "\n")
-	rulesLines = append(rulesLines, strings.Split(string(commRules), "\n")...)
+	rulesLines := strings.Split(string(allRules), "\n")
 
 	disabledIndex := indexEnabled(disabledLines, true)
 	modifyIndex := indexModify(modifyLines, true, true)
@@ -1654,7 +1734,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameSuricata), util.Ptr(true), util.Ptr(true))
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 0cd182b2..973cb7b5 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -7,6 +7,7 @@ package suricata
 
 import (
 	"context"
+	"errors"
 	"regexp"
 	"sort"
 	"strings"
@@ -16,8 +17,10 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -290,7 +293,7 @@ func TestValidate(t *testing.T) {
 	table := []struct {
 		Name        string
 		Input       string
-		ExpectedErr *string
+		ExpectedErr string
 	}{
 		{
 			Name:  "Valid Rule",
@@ -307,17 +310,17 @@ func TestValidate(t *testing.T) {
 		{
 			Name:        "Invalid Direction",
 			Input:       `alert http any any <-> any any (msg:"This rule has an invalid direction";)`,
-			ExpectedErr: util.Ptr("invalid direction, must be '<>' or '->', got <->"),
+			ExpectedErr: "invalid direction, must be '<>' or '->', got <->",
 		},
 		{
 			Name:        "Unexpected Suffix",
 			Input:       SimpleRule + "x",
-			ExpectedErr: util.Ptr("invalid rule, expected end of rule, got 1 more bytes"),
+			ExpectedErr: "invalid rule, expected end of rule, got 1 more bytes",
 		},
 		{
 			Name:        "Unexpected End of Rule",
 			Input:       "x",
-			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
+			ExpectedErr: "invalid rule, unexpected end of rule",
 		},
 		{
 			Name:  "Parentheses in Unquoted Option",
@@ -327,6 +330,29 @@ func TestValidate(t *testing.T) {
 			Name:  "Unescaped Double Quote in PCRE Option",
 			Input: `alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)`,
 		},
+		{
+			Name:  "Accidental Whitespace",
+			Input: SimpleRule + "\n",
+		},
+		{
+			Name:  "Excessive Whitespace",
+			Input: "\n\n" + SimpleRule + "\n\n",
+		},
+		{
+			Name:        "Rule w/ Comment",
+			Input:       "# This rule does X, Y, and Z\n" + SimpleRule,
+			ExpectedErr: "suricata rules must be a single line",
+		},
+		{
+			Name:        "Multiple Rules",
+			Input:       FlowbitsRuleA + "\n" + FlowbitsRuleB,
+			ExpectedErr: "suricata rules must be a single line",
+		},
+		{
+			Name:        "Multiple Rules, One Line",
+			Input:       FlowbitsRuleA + " " + FlowbitsRuleB,
+			ExpectedErr: "invalid rule, expected end of rule, got 126 more bytes",
+		},
 	}
 
 	for _, test := range table {
@@ -337,7 +363,7 @@ func TestValidate(t *testing.T) {
 			mod := NewSuricataEngine(&server.Server{})
 
 			_, err := mod.ValidateRule(test.Input)
-			if test.ExpectedErr == nil {
+			if test.ExpectedErr == "" {
 				assert.NoError(t, err)
 
 				// this rule seems valid, attempt to parse, serialize, re-parse
@@ -347,7 +373,7 @@ func TestValidate(t *testing.T) {
 				_, err = ParseSuricataRule(parsed.String())
 				assert.NoError(t, err)
 			} else {
-				assert.Equal(t, *test.ExpectedErr, err.Error())
+				assert.Equal(t, test.ExpectedErr, err.Error())
 			}
 		})
 	}
@@ -770,6 +796,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
+					Auditable:   model.Auditable{Id: "1"},
 					PublicID:    SimpleRuleSID,
 					Content:     SimpleRule,
 					IsEnabled:   true,
@@ -777,7 +804,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 				},
 			},
 			InitMock: func(detStore *servermock.MockDetectionstore) {
-				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
 				detStore.EXPECT().CreateDetection(gomock.Any(), gomock.Any()).Return(nil, nil)
 			},
 			ExpectedSettings: map[string]string{
@@ -792,6 +819,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
+					Auditable:   model.Auditable{Id: "1"},
 					PublicID:    SimpleRuleSID,
 					Content:     SimpleRule,
 					IsEnabled:   true,
@@ -800,7 +828,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			},
 			ChangedByUser: true,
 			InitMock: func(detStore *servermock.MockDetectionstore) {
-				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
 				detStore.EXPECT().CreateDetection(gomock.Any(), gomock.Any()).Return(nil, nil)
 			},
 			ExpectedSettings: map[string]string{
@@ -810,6 +838,51 @@ func TestSyncCommunitySuricata(t *testing.T) {
 				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
+		{
+			Name: "update existing community rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled"},
+				{Id: "idstools.sids.disabled"},
+				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
+			},
+			Detections: []*model.Detection{
+				{
+					Auditable:   model.Auditable{Id: "1"},
+					PublicID:    SimpleRuleSID,
+					Content:     SimpleRule,
+					IsEnabled:   false,
+					IsCommunity: true,
+				},
+			},
+			ChangedByUser: true,
+			InitMock: func(detStore *servermock.MockDetectionstore) {
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{
+					SimpleRuleSID: {
+						Auditable:   model.Auditable{Id: "1"},
+						PublicID:    SimpleRuleSID,
+						Content:     SimpleRule,
+						IsEnabled:   true,
+						IsCommunity: true,
+					},
+				}, nil)
+				detStore.EXPECT().UpdateDetection(gomock.Any(), gomock.Any()).Return(&model.Detection{
+					Auditable:   model.Auditable{Id: "1"},
+					PublicID:    SimpleRuleSID,
+					Content:     SimpleRule,
+					IsEnabled:   false,
+					IsCommunity: true,
+				}, nil)
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            "",
+				"idstools.sids.disabled":           SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
+			},
+		},
 	}
 
 	ctrl := gomock.NewController(t)
@@ -839,6 +912,10 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
 
+			for _, det := range test.Detections {
+				assert.NotEmpty(t, det.Id)
+			}
+
 			set, err := mCfgStore.GetSettings(ctx)
 			assert.NoError(t, err, "GetSettings should not return an error")
 
@@ -1501,3 +1578,166 @@ func TestRemoveFromIndex(t *testing.T) {
 		"300000": 2,
 	}, localIndex)
 }
+
+func TestReadCustomRulesets(t *testing.T) {
+	tests := []struct {
+		Name          string
+		Rulesets      []*model.CustomRuleset
+		InitMock      func(io *mock.MockIOManager)
+		ExpDetections []*model.Detection
+		ExpError      string
+	}{
+		{
+			Name:          "Empty",
+			Rulesets:      []*model.CustomRuleset{},
+			ExpDetections: []*model.Detection{},
+		},
+		{
+			Name: "Simple File",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("testdata/simple.rules").Return([]byte(SimpleRule), nil)
+			},
+			ExpDetections: []*model.Detection{
+				{
+					PublicID: SimpleRuleSID,
+
+					Title:       "GPL ATTACK_RESPONSE id check returned root",
+					Severity:    model.SeverityUnknown,
+					Author:      "ruleset",
+					Category:    "GPL ATTACK_RESPONSE",
+					Content:     "alert http any any -> any any (msg:\"GPL ATTACK_RESPONSE id check returned root\"; content:\"uid=0|28|root|29|\"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)",
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     "ruleset",
+					License:     "DRL",
+				},
+			},
+		},
+		{
+			Name: "Simple URL",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return([]byte(SimpleRule), nil)
+			},
+			ExpDetections: []*model.Detection{
+				{
+					PublicID: SimpleRuleSID,
+
+					Title:       "GPL ATTACK_RESPONSE id check returned root",
+					Severity:    model.SeverityUnknown,
+					Author:      "ruleset",
+					Category:    "GPL ATTACK_RESPONSE",
+					Content:     "alert http any any -> any any (msg:\"GPL ATTACK_RESPONSE id check returned root\"; content:\"uid=0|28|root|29|\"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)",
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     "ruleset",
+					License:     "DRL",
+				},
+			},
+		},
+		{
+			Name: "Bad File, Good Url",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return([]byte(SimpleRule), nil)
+				io.EXPECT().ReadFile("testdata/simple.rules").Return(nil, errors.New("bad file"))
+			},
+			ExpError: "bad file",
+		},
+		{
+			Name: "Bad Url, Good File",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("testdata/simple.rules").Return([]byte(SimpleRule), nil)
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return(nil, errors.New("bad file"))
+			},
+			ExpError: "bad file",
+		},
+		{
+			Name: "Bad Custom Ruleset",
+			Rulesets: []*model.CustomRuleset{
+				{},
+			},
+			ExpError: "invalid custom ruleset",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			io := mock.NewMockIOManager(ctrl)
+
+			e := &SuricataEngine{
+				customRulesets: test.Rulesets,
+				IOManager:      io,
+				isRunning:      true,
+			}
+
+			if test.InitMock != nil {
+				test.InitMock(io)
+			}
+
+			detects, err := e.ReadCustomRulesets()
+
+			if test.ExpError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), test.ExpError)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.ExpDetections, detects)
+		})
+	}
+}
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index a01baa09..66bd1708 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -7,6 +7,7 @@ package suricata
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 	"unicode"
@@ -45,6 +46,8 @@ const (
 	stateOptions
 )
 
+var unescaper = regexp.MustCompile(`\\(.)`)
+
 func ParseSuricataRule(rule string) (*SuricataRule, error) {
 	rule = strings.TrimSpace(rule)
 	r := strings.NewReader(rule)
@@ -239,9 +242,13 @@ func (rule *SuricataRule) UpdateForDuplication(publicId string) {
 			setPublicId = true
 		} else if strings.EqualFold(opt.Name, "msg") {
 			if opt.Value != nil {
-				*opt.Value = util.Unquote(*opt.Value) + " (copy)"
+				v := util.Unquote(*opt.Value)
+				v += " (copy)"
+				v = strconv.Quote(v)
+				v = unescaper.ReplaceAllString(v, `$1`)
+				*opt.Value = v
 			} else {
-				opt.Value = util.Ptr("(copy)")
+				opt.Value = util.Ptr(`"(copy)"`)
 			}
 
 			setTitle = true
@@ -249,7 +256,7 @@ func (rule *SuricataRule) UpdateForDuplication(publicId string) {
 	}
 
 	if !setTitle {
-		rule.Options = append([]*RuleOption{{Name: "msg", Value: util.Ptr("(copy)")}}, rule.Options...)
+		rule.Options = append([]*RuleOption{{Name: "msg", Value: util.Ptr(`"(copy)"`)}}, rule.Options...)
 	}
 
 	if !setPublicId {
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 74341d65..606f876b 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -215,7 +215,7 @@ func TestGenerateUnusedPublicId(t *testing.T) {
 		isRunning: true,
 	}
 
-	id, err := eng.generateUnusedPublicId(ctx)
+	id, err := eng.GenerateUnusedPublicId(ctx)
 
 	assert.Empty(t, id)
 	assert.Error(t, err)
@@ -234,37 +234,48 @@ func TestUpdateForDuplication(t *testing.T) {
 	}{
 		{
 			Name:          "Normal Options",
-			Input:         `alert any any <> any any (msg:"test"; sid:1; rev:1;)`,
+			Input:         `alert http any any <> any any (msg:"test"; sid:1; rev:1;)`,
 			OptionsBefore: 3,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("test (copy)")},
+				{Name: "msg", Value: util.Ptr(`"test (copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: util.Ptr("1")},
 			},
 		},
 		{
 			Name:          "Present but Empty Options",
-			Input:         `alert any any <> any any (msg; sid; rev;)`,
+			Input:         `alert http any any <> any any (msg; sid; rev;)`,
 			OptionsBefore: 3,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("(copy)")},
+				{Name: "msg", Value: util.Ptr(`"(copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: nil},
 			},
 		},
 		{
 			Name:          "Missing Options",
-			Input:         `alert any any <> any any (rev;)`,
+			Input:         `alert http any any <> any any (rev;)`,
 			OptionsBefore: 1,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("(copy)")},
+				{Name: "msg", Value: util.Ptr(`"(copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: nil},
 			},
 		},
+		{
+			Name:          "Double Quotes in Title",
+			Input:         `alert http any any <> any any (msg:"\"test\""; sid:1; rev:1;)`,
+			OptionsBefore: 3,
+			OptionsAfter:  3,
+			ExpectedOptions: []*RuleOption{
+				{Name: "msg", Value: util.Ptr(`"\"test\" (copy)"`)},
+				{Name: "sid", Value: util.Ptr(publicId)},
+				{Name: "rev", Value: util.Ptr("1")},
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -291,41 +302,4 @@ func TestUpdateForDuplication(t *testing.T) {
 			}
 		})
 	}
-
-	// rule, err = ParseSuricataRule(`alert any any <> any any (rev:1;)`)
-	// assert.NoError(t, err)
-	// assert.NotNil(t, rule)
-	//
-	// assert.Equal(t, len(rule.Options), 1)
-	// rev, ok = rule.GetOption("rev")
-	// assert.True(t, ok)
-	// assert.NotNil(t, rev)
-	// assert.Equal(t, "1", *rev)
-	//
-	// sid, ok = rule.GetOption("sid")
-	// assert.False(t, ok)
-	// assert.Nil(t, sid)
-	//
-	// msg, ok = rule.GetOption("msg")
-	// assert.False(t, ok)
-	// assert.Nil(t, msg)
-	//
-	// rule.UpdateForDuplication("1")
-	//
-	// assert.Equal(t, len(rule.Options), 3)
-	//
-	// sid, ok = rule.GetOption("sid")
-	// assert.True(t, ok)
-	// assert.NotNil(t, sid)
-	// assert.Equal(t, "1", *sid)
-	//
-	// msg, ok = rule.GetOption("msg")
-	// assert.True(t, ok)
-	// assert.NotNil(t, msg)
-	// assert.Equal(t, "(copy)", *msg)
-	//
-	// rev, ok = rule.GetOption("rev")
-	// assert.True(t, ok)
-	// assert.NotNil(t, rev)
-	// assert.Equal(t, "1", *rev)
 }