diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
index 372bd2210..72d86bf73 100644
--- a/Dockerfiles/dashboards-helper.Dockerfile
+++ b/Dockerfiles/dashboards-helper.Dockerfile
@@ -47,10 +47,10 @@ ENV DASHBOARDS_URL $DASHBOARDS_URL
 ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE
 ENV PATH="/data:${PATH}"
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest"
diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index 566f90885..1ccbca95a 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -1,77 +1,4 @@ -# build #################################################################### -FROM amazonlinux:2 AS build - -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. - -# set up build environment for dashboard plugins built from source - -ARG DEFAULT_UID=1000 -ARG DEFAULT_GID=1000 -ENV DEFAULT_UID $DEFAULT_UID -ENV DEFAULT_GID $DEFAULT_GID -ENV PUSER "dashboarder" -ENV PGROUP "dashboarder" - -ENV TERM xterm - -ARG OPENSEARCH_VERSION="2.8.0" -ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION - -ARG OPENSEARCH_DASHBOARDS_VERSION="2.8.0" -ENV OPENSEARCH_DASHBOARDS_VERSION $OPENSEARCH_DASHBOARDS_VERSION - -# base system dependencies for checking out and building plugins - -USER root - -RUN amazon-linux-extras install -y epel && \ - yum upgrade -y && \ - yum install -y curl patch procps psmisc tar zip unzip gcc-c++ make moreutils jq git && \ - amazon-linux-extras install -y python3.8 && \ - ln -s -r -f /usr/bin/python3.8 /usr/bin/python3 && \ - ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3 && \ - groupadd -g ${DEFAULT_GID} ${PGROUP} && \ - adduser -u ${DEFAULT_UID} -d /home/${PUSER} -s /bin/bash -G ${PGROUP} -g ${PUSER} ${PUSER} && \ - mkdir -p /usr/share && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch "${OPENSEARCH_VERSION}" https://github.com/opensearch-project/OpenSearch /usr/share/opensearch && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch "${OPENSEARCH_DASHBOARDS_VERSION}" https://github.com/opensearch-project/OpenSearch-Dashboards /usr/share/opensearch-dashboards && \ - chown -R ${DEFAULT_UID}:${DEFAULT_GID} /usr/share/opensearch-dashboards /usr/share/opensearch - -# build plugins as non-root - -USER ${PUSER} - -# use nodenv (https://github.com/nodenv/nodenv) to manage nodejs/yarn - -ENV PATH "/home/${PUSER}/.nodenv/bin:${PATH}" - -RUN git clone --single-branch --depth=1 --recurse-submodules --shallow-submodules https://github.com/nodenv/nodenv.git 
/home/${PUSER}/.nodenv && \ - cd /home/${PUSER}/.nodenv && \ - ./src/configure && \ - make -C src && \ - cd /tmp && \ - eval "$(nodenv init -)" && \ - mkdir -p "$(nodenv root)"/plugins && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/nodenv/node-build.git "$(nodenv root)"/plugins/node-build && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/nodenv/nodenv-update.git "$(nodenv root)"/plugins/nodenv-update && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch https://github.com/pine/nodenv-yarn-install.git "$(nodenv root)"/plugins/nodenv-yarn-install && \ - nodenv install "$(cat /usr/share/opensearch-dashboards/.node-version)" && \ - nodenv global "$(cat /usr/share/opensearch-dashboards/.node-version)" - -# check out and build plugins - -RUN eval "$(nodenv init -)" && \ - mkdir -p /usr/share/opensearch-dashboards/plugins && \ - git clone --depth 1 --recurse-submodules --shallow-submodules --single-branch --branch opensearch-v2-dashboards-compatibility https://github.com/mmguero-dev/osd_sankey_vis.git /usr/share/opensearch-dashboards/plugins/sankey_vis && \ - cd /usr/share/opensearch-dashboards/plugins/sankey_vis && \ - yarn osd bootstrap && \ - yarn install && \ - yarn build --opensearch-dashboards-version "${OPENSEARCH_DASHBOARDS_VERSION}" && \ - mv ./build/kbnSankeyVis-"${OPENSEARCH_DASHBOARDS_VERSION}".zip ./build/kbnSankeyVis.zip - -# runtime ################################################################## - -FROM opensearchproject/opensearch-dashboards:2.8.0 +FROM opensearchproject/opensearch-dashboards:2.11.1 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' 
@@ -93,7 +20,7 @@ ENV PUSER_PRIV_DROP true
 ENV TERM xterm
 ENV TINI_VERSION v0.19.0
-ENV OSD_TRANSFORM_VIS_VERSION 2.8.0
+ENV OSD_TRANSFORM_VIS_VERSION 2.11.0
 ARG OPENSEARCH_URL="http://opensearch:9200"
 ARG OPENSEARCH_PRIMARY="opensearch-local"
@@ -115,22 +42,20 @@ ENV NODE_OPTIONS $NODE_OPTIONS USER root -COPY --from=build /usr/share/opensearch-dashboards/plugins/sankey_vis/build/kbnSankeyVis.zip /tmp/kbnSankeyVis.zip ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/bin/tini ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSFORM_VIS_VERSION/transformVis-$OSD_TRANSFORM_VIS_VERSION.zip /tmp/transformVis.zip RUN yum upgrade -y && \ - yum install -y curl psmisc util-linux openssl rsync python3 zip unzip && \ + yum install -y curl-minimal psmisc findutils util-linux openssl rsync python3 zip unzip && \ + yum remove -y vim-* && \ usermod -a -G tty ${PUSER} && \ # Malcolm manages authentication and encryption via NGINX reverse proxy /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \ - cd /usr/share/opensearch-dashboards/plugins && \ - /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/kbnSankeyVis.zip --allow-root && \ cd /tmp && \ - # unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ - # sed -i "s/2\.9\.0/2\.9\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \ - # sed -i "s/2\.9\.0/2\.9\.0/g" opensearch-dashboards/transformVis/package.json && \ - # zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ + unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ + sed -i "s/2\.11\.0/2\.11\.1/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \ + sed -i "s/2\.11\.0/2\.11\.1/g" opensearch-dashboards/transformVis/package.json && \ + zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \ cd 
/usr/share/opensearch-dashboards/plugins && \ /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/transformVis.zip --allow-root && \ rm -rf /tmp/transformVis /tmp/opensearch-dashboards && \ 
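Review bot: The new `unzip`/`sed`/`zip` steps rewrite the transformVis plugin's `opensearch_dashboards.json` and `package.json` to declare 2.11.1 compatibility, but the archive they patch still arrives through the context line `ADD https://github.com/lguillaud/osd_transform_vis/... /tmp/transformVis.zip` with no integrity check, so whatever that URL serves at build time is patched and installed with `--allow-root`. The supercronic downloads touched elsewhere in this commit carry a `SUPERCRONIC_SHA1SUM`; this fetch deserves the equivalent, e.g. `ADD --checksum=sha256:<transformVis-zip-sha256> ... /tmp/transformVis.zip` (needs the `# syntax=docker/dockerfile:1.6` directive) or a `sha256sum -c` step before the `unzip`. Separately, `sed -i "s/2\.11\.0/2\.11\.1/g"` exits 0 when the pattern is absent, so an upstream change to the version string would leave the plugin silently declaring the wrong version; a `grep -q '2\.11\.1' opensearch-dashboards/transformVis/package.json` right after the two `sed` lines would fail the build instead. The `RUN` these lines belong to continues past the end of the hunk.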
@@ -150,15 +75,32 @@ ADD scripts/malcolm_utils.py /usr/local/bin/ # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the # internal opensearch code validating them AND the web browser retrieving them. So we're going scorched earth instead. -ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo.svg -ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo_dark_mode.svg -ADD docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_logo_default_mode.svg -ADD docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_mark_dark_mode.svg -ADD docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/default_branding/opensearch_mark_default_mode.svg -ADD docs/images/favicon/favicon.ico /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon.ico -ADD docs/images/favicon/favicon16.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-16x16.png -ADD docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-32x32.png -ADD docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png + +COPY --chmod=644 docs/images/favicon/favicon192.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-192x192.png +COPY --chmod=644 docs/images/favicon/favicon512.png 
/usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/android-chrome-512x512.png +COPY --chmod=644 docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png +COPY --chmod=644 docs/images/favicon/favicon16.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-16x16.png +COPY --chmod=644 docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon-32x32.png +COPY --chmod=644 docs/images/favicon/favicon.ico /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/favicon.ico +COPY --chmod=644 docs/images/favicon/favicon144.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-144x144.png +COPY --chmod=644 docs/images/favicon/favicon150.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-150x150.png +COPY --chmod=644 docs/images/favicon/favicon310.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-310x310.png +COPY --chmod=644 docs/images/favicon/favicon70.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/mstile-70x70.png +COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark_on_dark.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_center_mark_on_light.svg +COPY --chmod=644 docs/images/logo/Malcolm.svg 
/usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards.svg +COPY --chmod=644 docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards_on_dark.svg +COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_dashboards_on_light.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark_on_dark.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_mark_on_light.svg +COPY --chmod=644 docs/images/logo/malcolm_logo.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_on_dark.svg +COPY --chmod=644 docs/images/logo/Malcolm.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_on_light.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner_on_dark.svg +COPY --chmod=644 docs/images/icon/malcolm_mark_dashboards.svg /usr/share/opensearch-dashboards/src/core/server/core_app/assets/logos/opensearch_spinner_on_light.svg ENTRYPOINT ["/usr/bin/tini", \ diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 7a3c48efe..6bfd6b86e 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile 
@@ -93,10 +93,10 @@ ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT
 ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY
 ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index b64cc998e..35175bc9a 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -49,10 +49,10 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH
 ARG STALE_UPLOAD_DELETE_MIN=360
 ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 COPY --from=npmget /usr/local/lib/node_modules/filepond /var/www/upload/filepond
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index 38fed5933..b8c4fcdbc 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:8.10.4
+FROM docker.elastic.co/beats/filebeat-oss:8.11.1
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -61,10 +61,10 @@ ARG FILEBEAT_TCP_PARSE_TARGET_FIELD=""
 ARG FILEBEAT_TCP_PARSE_DROP_FIELD=""
 ARG FILEBEAT_TCP_TAG="_malcolm_beats"
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 ENV TINI_VERSION v0.19.0
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 80a7fb50a..ef0777b55 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.10.4
+FROM docker.elastic.co/logstash/logstash-oss:8.11.1
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -32,6 +32,8 @@ ARG LOGSTASH_NETBOX_ENRICHMENT=false
 ARG LOGSTASH_NETBOX_ENRICHMENT_VERBOSE=false
 ARG LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE=true
 ARG LOGSTASH_NETBOX_AUTO_POPULATE=false
+ARG LOGSTASH_NETBOX_CACHE_SIZE=1000
+ARG LOGSTASH_NETBOX_CACHE_TTL=30
 ENV LOGSTASH_ENRICHMENT_PIPELINE $LOGSTASH_ENRICHMENT_PIPELINE
 ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES $LOGSTASH_PARSE_PIPELINE_ADDRESSES
@@ -42,6 +44,8 @@ ENV LOGSTASH_NETBOX_ENRICHMENT $LOGSTASH_NETBOX_ENRICHMENT
 ENV LOGSTASH_NETBOX_ENRICHMENT_VERBOSE $LOGSTASH_NETBOX_ENRICHMENT_VERBOSE
 ENV LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE $LOGSTASH_NETBOX_ENRICHMENT_LOOKUP_SERVICE
 ENV LOGSTASH_NETBOX_AUTO_POPULATE $LOGSTASH_NETBOX_AUTO_POPULATE
+ENV LOGSTASH_NETBOX_CACHE_SIZE $LOGSTASH_NETBOX_CACHE_SIZE
+ENV LOGSTASH_NETBOX_CACHE_TTL $LOGSTASH_NETBOX_CACHE_TTL
 USER root
@@ -63,11 +67,12 @@ RUN set -x && \
 pip3 install ipaddress supervisor manuf pyyaml && \
 export JAVA_HOME=/usr/share/logstash/jdk && \
 /usr/share/logstash/vendor/jruby/bin/jruby -S gem install bundler && \
- echo "gem 'lru_cache'" >> /usr/share/logstash/Gemfile && \
+ echo "gem 'concurrent-ruby'" >> /usr/share/logstash/Gemfile && \
 echo "gem 'deep_merge'" >> /usr/share/logstash/Gemfile && \
 echo "gem 'fuzzy-string-match'" >> /usr/share/logstash/Gemfile && \
- echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \
+ echo "gem 'lru_redux'" >> /usr/share/logstash/Gemfile && \
 echo "gem 'psych'" >> /usr/share/logstash/Gemfile && \
+ echo "gem 'stringex'" >> /usr/share/logstash/Gemfile && \
 /usr/share/logstash/bin/ruby -S bundle install && \
 logstash-plugin install --preserve logstash-filter-translate logstash-filter-cidr logstash-filter-dns \
 logstash-filter-json logstash-filter-prune logstash-filter-http \
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 8fbb0a628..c075c03a2 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,4 +1,4 @@
-FROM netboxcommunity/netbox:v3.6.4
+FROM netboxcommunity/netbox:v3.6.6
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -24,10 +24,10 @@ ENV PUSER "ubuntu"
 ENV PGROUP "ubuntu"
 ENV PUSER_PRIV_DROP true
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 ENV YQ_VERSION "4.33.3"
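Review bot: The Gemfile entries added here, `gem 'concurrent-ruby'` and `gem 'lru_redux'`, carry no version constraint (neither do the existing ones), so `bundle install` resolves whatever is current at build time and two builds of the same Dockerfile can ship different gem versions. Pin them the way the Python requirements in this commit are pinned, e.g. `echo "gem 'lru_redux', '= <pinned-version>'" >> /usr/share/logstash/Gemfile`, and the `pip3 install ipaddress supervisor manuf pyyaml` line at the top of the hunk has the same gap. The enclosing `RUN set -x && \` starts and ends outside the hunk.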
@@ -39,6 +39,7 @@ ARG NETBOX_DEVICETYPE_LIBRARY_PATH="/opt/netbox-devicetype-library"
 ARG NETBOX_DEFAULT_SITE=Malcolm
 ARG NETBOX_CRON=true
 ARG NETBOX_PRELOAD_PATH="/opt/netbox-preload"
+ARG NETBOX_PRELOAD_PREFIXES=false
 ENV NETBOX_PATH /opt/netbox
 ENV BASE_PATH netbox
@@ -46,6 +47,7 @@ ENV NETBOX_DEVICETYPE_LIBRARY_PATH $NETBOX_DEVICETYPE_LIBRARY_PATH
 ENV NETBOX_DEFAULT_SITE $NETBOX_DEFAULT_SITE
 ENV NETBOX_CRON $NETBOX_CRON
 ENV NETBOX_PRELOAD_PATH $NETBOX_PRELOAD_PATH
+ENV NETBOX_PRELOAD_PREFIXES $NETBOX_PRELOAD_PREFIXES
 ADD netbox/patch/* /tmp/netbox-patches/
@@ -53,11 +55,15 @@ RUN apt-get -q update && \
 apt-get -y -q --no-install-recommends upgrade && \
 apt-get install -q -y --no-install-recommends \
 gcc \
+ file \
 git \
 jq \
+ libmagic-dev \
+ libmagic1 \
 libpq-dev \
 libpq5 \
 patch \
+ postgresql-client \
 procps \
 psmisc \
 python3-dev \
@@ -68,6 +74,7 @@ RUN apt-get -q update && \
 'git+https://github.com/tobiasge/netbox-initializers' \
 psycopg2 \
 pynetbox \
+ python-magic \
 python-slugify \
 randomcolor && \
 cd "${NETBOX_PATH}" && \
diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
index 12a43a9b8..5765943bd 100644
--- a/Dockerfiles/nginx.Dockerfile
+++ b/Dockerfiles/nginx.Dockerfile
@@ -117,8 +115,6 @@ RUN set -x ; \
 --with-http_addition_module \
 --with-http_sub_module \
 --with-http_dav_module \
- --with-http_flv_module \
- --with-http_mp4_module \
 --with-http_gunzip_module \
 --with-http_gzip_static_module \
 --with-http_random_index_module \
@@ -126,7 +124,6 @@ RUN set -x ; \
 --with-http_stub_status_module \
 --with-http_auth_request_module \
 --with-http_xslt_module=dynamic \
- --with-http_image_filter_module=dynamic \
 --with-http_geoip_module=dynamic \
 --with-http_perl_module=dynamic \
 --with-threads \
@@ -154,7 +151,6 @@ RUN set -x ; \
 chown ${PUSER}:${PGROUP} /var/cache/nginx ; \
 apk add --no-cache --virtual .nginx-build-deps \
 gcc \
- gd-dev \
 geoip-dev \
 gnupg \
 libc-dev \
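Review bot: `libmagic-dev` in the new apt list is a compile-time header package, and the `python-magic` package added in the hunk at `-68` binds `libmagic` through ctypes rather than compiling against it as far as I can tell, so only `libmagic1` should be needed at runtime. Unless the remainder of this `RUN` (it continues past the hunk) purges it together with `gcc` and `python3-dev`, `libmagic-dev` stays in the final image for no benefit; drop it, or add it to whatever `apt-get purge` list removes the build dependencies. The new `file`, `libmagic1` and `postgresql-client` entries are also unpinned, which hadolint reports as DL3008; `<package>=<version>` keeps the image reproducible across rebuilds.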
@@ -178,7 +174,6 @@ RUN set -x ; \
 make -j$(getconf _NPROCESSORS_ONLN) ; \
 mv objs/nginx objs/nginx-debug ; \
 mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so ; \
- mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so ; \
 mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so ; \
 mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so ; \
 mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so ; \
@@ -191,7 +186,6 @@ RUN set -x ; \
 install -m644 html/50x.html /usr/share/nginx/html/ ; \
 install -m755 objs/nginx-debug /usr/sbin/nginx-debug ; \
 install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so ; \
- install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so ; \
 install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so ; \
 install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so ; \
 install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so ; \
@@ -214,7 +208,7 @@ RUN set -x ; \
 | xargs -r apk info --installed \
 | sort -u \
 )" ; \
- apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap stunnel supervisor tini tzdata; \
+ apk add --no-cache --virtual .nginx-rundeps $runDeps ca-certificates bash wget openssl apache2-utils openldap shadow stunnel supervisor tini tzdata; \
 update-ca-certificates; \
 apk del .nginx-build-deps ; \
 apk del .gettext ; \
diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
index 41845556a..95ea31bff 100644
--- a/Dockerfiles/opensearch.Dockerfile
+++ b/Dockerfiles/opensearch.Dockerfile
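Review bot: `shadow` added to the `.nginx-rundeps` set installs the whole shadow login suite into the runtime image, and on Alpine that suite, as far as I know, includes setuid-root helpers such as `passwd`, `chage` and `gpasswd` that nginx never calls; confirm with `apk info -L shadow`. If the package is only there for `useradd`/`usermod`, clear the setuid bits on those helpers in this same `RUN` (for example `chmod u-s` on the files that listing shows with a 4xxx mode) so the addition does not enlarge the local-privilege surface of an image that otherwise appears built to run as `${PUSER}`. The enclosing `RUN set -x ; \` starts and ends outside the hunk.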
@@ -1,4 +1,4 @@
-FROM opensearchproject/opensearch:2.8.0
+FROM opensearchproject/opensearch:2.11.1
 # Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
@@ -42,8 +42,9 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/
 # Remove the opensearch-security plugin - Malcolm manages authentication and encryption via NGINX reverse proxy
 # Remove the performance-analyzer plugin - Reduce resources in docker image
-RUN yum install -y openssl util-linux procps rsync && \
- yum upgrade -y && \
+RUN yum upgrade -y && \
+ yum install -y openssl util-linux procps rsync findutils && \
+ yum remove -y vim-* && \
 /usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \
 /usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \
 echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true\nhttp.cors.enabled: true\nhttp.cors.allow-origin: "*"\nhttp.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\nhttp.cors.allow-headers: "kbn-version, Origin, X-Requested-With, Content-Type, Accept, Engaged-Auth-Token Authorization"' > /usr/share/opensearch/config/opensearch.yml && \
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index 34c846a1e..ae4539970 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -30,10 +30,10 @@ ENV PGROUP "suricata"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
-ENV SUPERCRONIC_VERSION "0.2.27"
+ENV SUPERCRONIC_VERSION "0.2.28"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64"
 ENV SUPERCRONIC "supercronic-linux-amd64"
-ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63"
+ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd"
 ENV SUPERCRONIC_CRONTAB "/etc/crontab"
 ENV YQ_VERSION "4.33.3"
@@ -42,6 +42,7 @@ ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_
 ENV SURICATA_CONFIG_DIR /etc/suricata
 ENV SURICATA_CONFIG_FILE "$SURICATA_CONFIG_DIR"/suricata.yaml
 ENV SURICATA_CUSTOM_RULES_DIR /opt/suricata/rules
+ENV SURICATA_CUSTOM_CONFIG_DIR /opt/suricata/include-configs
 ENV SURICATA_LOG_DIR /var/log/suricata
 ENV SURICATA_MANAGED_DIR /var/lib/suricata
 ENV SURICATA_MANAGED_RULES_DIR "$SURICATA_MANAGED_DIR/rules"
@@ -51,6 +52,8 @@ ENV SURICATA_UPDATE_DIR "$SURICATA_MANAGED_DIR/update"
 ENV SURICATA_UPDATE_SOURCES_DIR "$SURICATA_UPDATE_DIR/sources"
 ENV SURICATA_UPDATE_CACHE_DIR "$SURICATA_UPDATE_DIR/cache"
+COPY --chmod=644 suricata/default-rules/ /tmp/default-rules/
+
 RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \
 apt-get -q update && \
 apt-get -y -q --no-install-recommends upgrade && \
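Review bot: `COPY --chmod=644 suricata/default-rules/ /tmp/default-rules/` sits immediately before the `RUN sed -i ... apt-get` step, so any edit to a default rule file now invalidates the whole package-install layer, even though that `RUN` (which continues past the hunk) only reads `/tmp/default-rules/` near its end according to the hunk at `-114`. If the rule copy can be separated from package installation, putting this `COPY` and the `find ... cp` step into their own `RUN` after the apt work keeps the expensive layer cached. The `.gitignore` that the later `find -not -path` has to skip would be better excluded through `.dockerignore` so it never enters the build context.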
@@ -114,10 +117,11 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour
 usermod -a -G tty ${PUSER} && \
 ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_suricata_processor.py && \
 (echo "*/5 * * * * /usr/local/bin/eve-clean-logs.sh\n0 */6 * * * /bin/bash /usr/local/bin/suricata-update-rules.sh\n" > ${SUPERCRONIC_CRONTAB}) && \
- mkdir -p "$SURICATA_CUSTOM_RULES_DIR" && \
- chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" && \
+ mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
+ chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
 cp "$(dpkg -L suricata-update | grep 'update\.yaml$' | head -n 1)" \
 "$SURICATA_UPDATE_CONFIG_FILE" && \
+ find /tmp/default-rules/ -not -path '*/.gitignore' -type f -exec cp "{}" "$SURICATA_CONFIG_DIR"/rules/ \; && \
 suricata-update update-sources --verbose --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \
 suricata-update update --fail --verbose --etopen --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \
 chown root:${PGROUP} /sbin/ethtool /usr/bin/suricata && \
@@ -180,6 +184,7 @@ ENV PUSER_CHOWN "$SURICATA_CONFIG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_LOG_DIR;$S
 VOLUME ["$SURICATA_CONFIG_DIR"]
 VOLUME ["$SURICATA_CUSTOM_RULES_DIR"]
+VOLUME ["$SURICATA_CUSTOM_CONFIG_DIR"]
 VOLUME ["$SURICATA_LOG_DIR"]
 VOLUME ["$SURICATA_MANAGED_DIR"]
 VOLUME ["$SURICATA_RUN_DIR"]
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 0dbad75e9..6c5c0cfc4 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -4,7 +4,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
 # for build
-ARG ZEEK_VERSION=6.0.1
+ARG ZEEK_VERSION=6.1.0
 ENV ZEEK_VERSION $ZEEK_VERSION
 ARG ZEEK_DBG=0
 ENV ZEEK_DBG $ZEEK_DBG
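Review bot: The new `find /tmp/default-rules/ ... -exec cp "{}" "$SURICATA_CONFIG_DIR"/rules/ \;` puts the default rules into the image twice: once in the `COPY` layer from the hunk at `-51` and again under `rules/`, and nothing in this hunk cleans up the staging directory (the `RUN` continues past the hunk, so it may happen later, but a later `rm -rf /tmp/default-rules` only hides the files from the final filesystem without removing them from the `COPY` layer). A `RUN --mount=type=bind,source=suricata/default-rules,target=/tmp/default-rules` on this step would make the staging copy build-time only. As a minor style point, `-exec cp -t "$SURICATA_CONFIG_DIR"/rules/ '{}' +` copies every file in one invocation instead of spawning one `cp` per rule file.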
@@ -94,14 +94,14 @@ ENV PGROUP "zeeker" ENV PUSER_PRIV_DROP false ENV PUSER_RLIMIT_UNLOCK true -ENV SUPERCRONIC_VERSION "0.2.27" +ENV SUPERCRONIC_VERSION "0.2.28" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "7dadd4ac827e7bd60b386414dfefc898ae5b6c63" +ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" ENV SUPERCRONIC_CRONTAB "/etc/crontab" # for download and install -ARG ZEEK_VERSION=6.0.0 +ARG ZEEK_VERSION=6.1.0 ENV ZEEK_VERSION $ZEEK_VERSION # put Zeek and Spicy in PATH @@ -200,7 +200,9 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ ( find "${ZEEK_DIR}"/lib/zeek/plugins/packages -type f -name "*.hlto" -exec chmod 755 "{}" \; || true ) && \ mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/STIX && \ mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/MISP && \ + mkdir -p "${ZEEK_DIR}"/share/zeek/site/custom && \ touch "${ZEEK_DIR}"/share/zeek/site/intel/__load__.zeek && \ + touch "${ZEEK_DIR}"/share/zeek/site/custom/__load__.zeek && \ cd /usr/lib/locale && \ ( ls | grep -Piv "^(en|en_US|en_US\.utf-?8|C\.utf-?8)$" | xargs -l -r rm -rf ) && \ cd /tmp && \ 
@@ -226,8 +228,8 @@ ADD shared/bin/nic-capture-setup.sh /usr/local/bin/ # sanity checks to make sure the plugins installed and copied over correctly # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh -ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 23 -ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|ANALYZER_SPICY_SYNCHROPHASOR_TCP|ANALYZER_SPICY_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)" +ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22 +ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)" ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 25 ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)" 
@@ -309,6 +311,7 @@ ARG ZEEK_DISABLE_SPICY_HTTP=true
 ARG ZEEK_DISABLE_SPICY_IPSEC=
 ARG ZEEK_DISABLE_SPICY_LDAP=
 ARG ZEEK_DISABLE_SPICY_OPENVPN=
+ARG ZEEK_DISABLE_SPICY_QUIC=true
 ARG ZEEK_DISABLE_SPICY_STUN=
 ARG ZEEK_DISABLE_SPICY_TAILSCALE=
 ARG ZEEK_DISABLE_SPICY_TFTP=
@@ -327,6 +330,7 @@ ENV ZEEK_DISABLE_SPICY_HTTP $ZEEK_DISABLE_SPICY_HTTP
 ENV ZEEK_DISABLE_SPICY_IPSEC $ZEEK_DISABLE_SPICY_IPSEC
 ENV ZEEK_DISABLE_SPICY_LDAP $ZEEK_DISABLE_SPICY_LDAP
 ENV ZEEK_DISABLE_SPICY_OPENVPN $ZEEK_DISABLE_SPICY_OPENVPN
+ENV ZEEK_DISABLE_SPICY_QUIC $ZEEK_DISABLE_SPICY_QUIC
 ENV ZEEK_DISABLE_SPICY_STUN $ZEEK_DISABLE_SPICY_STUN
 ENV ZEEK_DISABLE_SPICY_TAILSCALE $ZEEK_DISABLE_SPICY_TAILSCALE
 ENV ZEEK_DISABLE_SPICY_TFTP $ZEEK_DISABLE_SPICY_TFTP
diff --git a/api/requirements.txt b/api/requirements.txt
index a2e4a9eb2..19243e4ca 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -1,9 +1,9 @@
 pytz==2021.3
 Flask==2.3.2
 gunicorn==20.1.0
-opensearch-py==2.3.2
+opensearch-py==2.4.2
 requests==2.31.0
 regex==2022.3.2
 dateparser==1.1.1
-elasticsearch==8.10.1
-elasticsearch-dsl==8.9.0
\ No newline at end of file
+elasticsearch==8.11.0
+elasticsearch-dsl==8.11.0
\ No newline at end of file
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 1175de8b5..3caf5a270 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
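Review bot: `ARG ZEEK_DISABLE_SPICY_QUIC=true` is the only new toggle in this group whose default disables the analyzer, and nothing in the file says why (the pre-existing `ZEEK_DISABLE_SPICY_HTTP=true` in the hunk header has the same gap). Presumably it is because the Zeek 6.1.0 this commit moves to ships its own QUIC analyzer, so loading the Spicy one as well would parse the same traffic twice; if that is the reason, a comment above the `ARG` such as `# off by default: overlaps with the QUIC analyzer bundled in this Zeek release (re-check when ZEEK_VERSION changes)` would save the next maintainer from guessing. The matching `ENV` in the hunk at `-327` needs no change.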
@@ -675,6 +675,7 @@ zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;
 zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Unit/Server ID;help:Unit/Server ID
 zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Transaction ID;help:Transaction ID
 zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:PDU Type;help:Request or Response
+zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:modbus;kind:termfield;friendly:MEI Type;help:MEI Type
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
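Review bot: The added `zeek.modbus.mei_type` line uses `group:modbus` and omits `viewerOnly:true`, while every sibling `zeek.modbus.*` field in the hunk is declared as `group:zeek_modbus;kind:...;viewerOnly:true`, so this one field would be filed under a different Arkime field group from the rest of the modbus log and exposed differently. Unless the divergence is deliberate, the line should read `zeek.modbus.mei_type=db:zeek.modbus.mei_type;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:MEI Type;help:MEI Type`.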
@@ -687,6 +688,15 @@ zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kin zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register +# modbus_read_device_identification.log +# https://github.com/cisagov/icsnpp-modbus +zeek.modbus_read_device_identification.conformity_level_code=db:zeek.modbus_read_device_identification.conformity_level_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level Code;help:Conformity Level Code +zeek.modbus_read_device_identification.conformity_level=db:zeek.modbus_read_device_identification.conformity_level;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Conformity Level;help:Conformity Level +zeek.modbus_read_device_identification.device_id_code=db:zeek.modbus_read_device_identification.device_id_code;group:zeek_modbus_read_device_identification;kind:integer;friendly:Device ID Code;help:Device ID Code +zeek.modbus_read_device_identification.object_id_code=db:zeek.modbus_read_device_identification.object_id_code;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID Code;help:Object ID Code +zeek.modbus_read_device_identification.object_id=db:zeek.modbus_read_device_identification.object_id;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object ID;help:Object ID +zeek.modbus_read_device_identification.object_value=db:zeek.modbus_read_device_identification.object_value;group:zeek_modbus_read_device_identification;kind:termfield;friendly:Object Value;help:Object Value + # 
modbus_read_write_multiple_registers.log # https://github.com/cisagov/ICSNPP zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;viewerOnly:true;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to 
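Review bot: The new `zeek.modbus_read_device_identification.*` entries use `group:zeek_modbus_read_device_identification`, whereas the other modbus_* logs in this file (`modbus_detailed`, `modbus_mask_write_register`, `modbus_read_write_multiple_registers`) keep their fields under `group:zeek_modbus`; if the separate group is intentional that is fine, otherwise `group:zeek_modbus` keeps these fields together with the rest in Arkime's field picker. Every `help:` value here simply repeats `friendly:`, so it adds nothing — `conformity_level_code` and `object_id_code` in particular would benefit from one clause on what the code denotes, or a pointer to the upstream README already linked in the comment line. The sibling entries also set `viewerOnly:true`, which these omit; worth confirming that is intended.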
@@ -2600,9 +2610,10 @@ o_zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;f o_zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument o_zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message o_zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success -o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception +o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception,zeek.modbus.mei_type, o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values o_zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask +o_zeek_modbus_read_device_identification=require:zeek.modbus_read_device_identification;title:Zeek 
modbus_read_device_identification.log;fields:zeek.modbus_read_device_identification.conformity_level_code,zeek.modbus_read_device_identification.conformity_level,zeek.modbus_read_device_identification.device_id_code,zeek.modbus_read_device_identification.object_id_code,zeek.modbus_read_device_identification.object_id,zeek.modbus_read_device_identification.object_value o_zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers o_zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload o_zeek_mqtt_publish=require:zeek.mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek.mqtt_publish.from_client,zeek.mqtt_publish.retain,zeek.mqtt_publish.qos,zeek.mqtt_publish.status,zeek.mqtt_publish.topic,zeek.mqtt_publish.payload,zeek.mqtt_publish.payload_len,zeek.mqtt_publish.payload_dict.messageType diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh index 16a1ca30a..a7b2fe542 100755 --- a/arkime/scripts/docker_entrypoint.sh +++ b/arkime/scripts/docker_entrypoint.sh @@ -10,6 +10,7 @@ function urlencodeall() { ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"} ARKIME_PASSWORD_SECRET=${ARKIME_PASSWORD_SECRET:-"Malcolm"} +ARKIME_FREESPACEG=${ARKIME_FREESPACEG:-"10%"} MALCOLM_PROFILE=${MALCOLM_PROFILE:-"malcolm"} OPENSEARCH_URL_FINAL=${OPENSEARCH_URL:-"http://opensearch:9200"} 
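Review bot: The rewritten `o_zeek_modbus` line ends its `fields:` list with a trailing comma (`...,zeek.modbus.exception,zeek.modbus.mei_type,`), which no other `o_zeek_*` line in this hunk does; depending on how Arkime splits the list this yields an empty trailing field name, so the comma should be dropped: `...zeek.modbus.exception,zeek.modbus.mei_type`. The new `o_zeek_modbus_read_device_identification` line is consistent with its neighbours.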
@@ -48,6 +49,7 @@ if [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then cp "${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_DIR}"/etc/config.ini sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_DIR}"/etc/config.ini sed -i "s/^\(passwordSecret=\).*/\1"${ARKIME_PASSWORD_SECRET}"/" "${ARKIME_DIR}"/etc/config.ini + sed -i "s/^\(freeSpaceG=\).*/\1"${ARKIME_FREESPACEG}"/" "${ARKIME_DIR}"/etc/config.ini if [[ "$MALCOLM_PROFILE" == "hedgehog" ]]; then sed -i "s/^\(userNameHeader=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini sed -i "s/^\(userAuthIps=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index ecdfd3412..ddd1b0e1c 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js @@ -1116,11 +1116,18 @@ class MalcolmSource extends WISESource { "zeek.modbus.network_direction", "zeek.modbus.trans_id", "zeek.modbus.unit_id", + "zeek.modbus.mei_type", "zeek.modbus_detailed.address", "zeek.modbus_detailed.quantity", "zeek.modbus_detailed.values", "zeek.modbus_mask_write_register.and_mask", "zeek.modbus_mask_write_register.or_mask", + "zeek.modbus_read_device_identification.conformity_level_code", + "zeek.modbus_read_device_identification.conformity_level", + "zeek.modbus_read_device_identification.device_id_code", + "zeek.modbus_read_device_identification.object_id_code", + "zeek.modbus_read_device_identification.object_id", + "zeek.modbus_read_device_identification.object_value", "zeek.modbus_read_write_multiple_registers.read_quantity", "zeek.modbus_read_write_multiple_registers.read_registers", "zeek.modbus_read_write_multiple_registers.read_start_address", diff --git a/config/arkime.env.example b/config/arkime.env.example index 183e970e3..8248a636d 100644 --- a/config/arkime.env.example +++ b/config/arkime.env.example 
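Review bot: In the added `sed -i "s/^\(freeSpaceG=\).*/\1"${ARKIME_FREESPACEG}"/"` the expansion sits outside the double quotes (matching the passwordSecret line above it), so a value containing whitespace, `/`, `&` or `\` would either split into extra sed arguments or corrupt the substitution, and when sed fails the config.ini line silently keeps the template value. The value is operator-supplied environment (default `10%` set in the preceding hunk), so this is a robustness issue rather than an injection one, but `sed -i "s|^\(freeSpaceG=\).*|\1${ARKIME_FREESPACEG}|" "${ARKIME_DIR}"/etc/config.ini` — the `|` delimiter the elasticsearch line already uses, with the expansion inside the quotes — costs nothing. The enclosing `if [[ -r ... ]]` block starts and ends outside the hunk.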
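Review bot: `"zeek.modbus.mei_type"` is inserted after `"zeek.modbus.unit_id"`, but the surrounding entries appear to be kept in alphabetical order (network_direction, trans_id, unit_id), so it belongs before `"zeek.modbus.network_direction"`. The six read_device_identification entries likewise place `conformity_level_code` before `conformity_level` and `object_id_code` before `object_id`; harmless, but a sorted list is easier to check against the config.ini field definitions in the same commit. This is a style point only; the enclosing array starts and ends outside the hunk.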
@@ -1,6 +1,7 @@ # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see # https://arkime.com/faq#pcap-deletion) MANAGE_PCAP_FILES=false +ARKIME_FREESPACEG=10% # The number of Arkime capture processes allowed to run concurrently ARKIME_ANALYZE_PCAP_THREADS=1 diff --git a/config/logstash.env.example b/config/logstash.env.example index 6370a05c1..b5e6f7e56 100644 --- a/config/logstash.env.example +++ b/config/logstash.env.example @@ -13,5 +13,8 @@ LOGSTASH_REVERSE_DNS=false LOGSTASH_NETBOX_ENRICHMENT=false # Whether or not unobserved network entities in Logstash data will be used to populate NetBox LOGSTASH_NETBOX_AUTO_POPULATE=false +# Caching parameters for NetBox's LogStash lookups +LOGSTASH_NETBOX_CACHE_SIZE=1000 +LOGSTASH_NETBOX_CACHE_TTL=30 # Logstash memory allowance and other Java options LS_JAVA_OPTS=-server -Xms2500m -Xmx2500m -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true \ No newline at end of file diff --git a/config/netbox-common.env.example b/config/netbox-common.env.example index 882cc64ae..000500b0c 100644 --- a/config/netbox-common.env.example +++ b/config/netbox-common.env.example @@ -3,6 +3,8 @@ # The name of the default "site" to be created upon NetBox initialization, and to be queried # for enrichment (see LOGSTASH_NETBOX_ENRICHMENT) NETBOX_DEFAULT_SITE=Malcolm +# Whether or not to create catch-all IP Prefixes for private IP space +NETBOX_PRELOAD_PREFIXES=false # Whether to disable Malcolm's NetBox instance ('true') or not ('false') NETBOX_DISABLED=true NETBOX_POSTGRES_DISABLED=true diff --git a/config/zeek-live.env.example b/config/zeek-live.env.example index ec6316eb8..3659dacac 100644 --- a/config/zeek-live.env.example +++ b/config/zeek-live.env.example 
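Review bot: `ARKIME_FREESPACEG=10%` is added without a comment, while the other settings in this file each get one; presumably it feeds Arkime's freeSpaceG setting (the entrypoint's sed in this commit suggests so), which is part of the PCAP-deletion behaviour the existing comment above `MANAGE_PCAP_FILES` links to. Something like `# Free-space threshold (gigabytes, or a percentage) that drives PCAP deletion; see the FAQ link above` would tell an operator what the value means and which formats are accepted.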
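Review bot: The new comment for `LOGSTASH_NETBOX_CACHE_SIZE` and `LOGSTASH_NETBOX_CACHE_TTL` does not say what the TTL's unit is (seconds? minutes?) nor what the size counts, so an operator tuning these has to read the Logstash filter code. Spell it out, e.g. `# NetBox lookup cache: maximum number of entries, and entry lifetime in <unit — confirm from the filter>`. The comment also writes `LogStash` where the neighbouring lines use `Logstash`.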
@@ -6,4 +6,5 @@ ZEEK_PCAP_PROCESSOR=false
 ZEEK_CRON=true
 ZEEK_LOG_PATH=/zeek/live
 ZEEK_INTEL_PATH=/opt/zeek/share/zeek/site/intel
+ZEEK_CUSTOM_PATH=/opt/zeek/share/zeek/site/custom
 EXTRACT_FILES_PATH=/zeek/extract_files
\ No newline at end of file
diff --git a/config/zeek.env.example b/config/zeek.env.example
index e676366df..ca0c9d6c0 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -1,3 +1,8 @@
+# Specifies a comma-separated list of the networks that Zeek considers "local",
+# for Site::local_nets and networks.cfg. e.g., 1.2.3.0/24,5.6.7.0/24.
+# Note that by default, Zeek considers IANA-registered private address space
+# such as 10/8 and 192.168/16 site-local.
+ZEEK_LOCAL_NETS=
 # Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
 ZEEK_INTEL_ITEM_EXPIRATION=-1min
 # When querying a TAXII or MISP feed, only process threat indicators that have
@@ -56,6 +61,7 @@ ZEEK_DISABLE_SPICY_HTTP=true
 ZEEK_DISABLE_SPICY_IPSEC=
 ZEEK_DISABLE_SPICY_LDAP=
 ZEEK_DISABLE_SPICY_OPENVPN=
+ZEEK_DISABLE_SPICY_QUIC=true
 ZEEK_DISABLE_SPICY_STUN=
 ZEEK_DISABLE_SPICY_TAILSCALE=
 ZEEK_DISABLE_SPICY_TFTP=
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index adcd93ba0..ce98e6a07 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:38:35.641Z", - "version": "Wzk0OSwxXQ==", + "updated_at": "2023-11-10T19:05:19.809Z", + "version": "Wzk1NywxXQ==", "attributes": { "title": "Modbus", "hits": 0, "description": "Dashboard for the Modbus Protocol", - "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":84,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864
-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":43,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":43,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":17,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":102,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":125,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89dee
fc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":140,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]", + "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":85,\"w\":48,\"h\":18,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":8,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":40,\"y\":23,\"w\":8,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":23,\"w\":11,\"h\":18,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":8,\"h\":11,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"table\":null,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":23,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\"},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":23,\"i\":\"218010cf-a0d9-
4864-815b-f562bb67949d\"},\"panelIndex\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":19,\"y\":23,\"w\":13,\"h\":18,\"i\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\"},\"panelIndex\":\"5fd617f5-e213-4c2b-ae10-7a1643e739a7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":41,\"w\":16,\"h\":26,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\"},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":41,\"w\":16,\"h\":26,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\"},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":32,\"y\":41,\"w\":16,\"h\":26,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\"},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":16,\"h\":18,\"i\":\"a3049ec4-3c48-4a43-9899-99c018670773\"},\"panelIndex\":\"a3049ec4-3c48-4a43-9899-99c018670773\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":67,\"w\":32,\"h\":18,\"i\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\"},\"panelIndex\":\"7efb9ae4-4913-4ae3-a945-0d83e27377d3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":103,\"w\":48,\"h\":23,\"i\":\"1d1b2b12-
c510-4b9e-9fbe-b65a2946fe13\"},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":126,\"w\":48,\"h\":15,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\"},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":141,\"w\":48,\"h\":15,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\"},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":156,\"w\":48,\"h\":19,\"i\":\"3711221b-ce64-447a-886b-6ad2c50322f9\"},\"panelIndex\":\"3711221b-ce64-447a-886b-6ad2c50322f9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -89,18 +89,28 @@ }, { "name": "panel_13", + "type": "visualization", + "id": "f6d09e10-7ffb-11ee-9964-dd538601517e" + }, + { + "name": "panel_14", "type": "search", "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681" }, { - "name": "panel_14", + "name": "panel_15", "type": "search", "id": "10e72aa0-0816-11eb-987d-c591a71f172b" }, { - "name": "panel_15", + "name": "panel_16", "type": "search", "id": "3ac0f900-0816-11eb-987d-c591a71f172b" + }, + { + "name": "panel_17", + "type": "search", + "id": "624a1d80-7ffa-11ee-9964-dd538601517e" } ], "migrationVersion": { @@ -113,7 +123,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:21:19.884Z", + "updated_at": "2023-11-10T18:35:25.331Z", "version": "Wzg1NywxXQ==", "attributes": { "title": "Network Logs", @@ -136,7 +146,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNCwxXQ==", "attributes": { "title": "Modbus - Logs", 
@@ -181,7 +191,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNSwxXQ==", "attributes": { "title": "Modbus - Source IP", @@ -211,7 +221,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNiwxXQ==", "attributes": { "title": "Modbus - Destination IP", @@ -241,7 +251,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzNywxXQ==", "attributes": { "title": "Modbus - Observed Clients and Servers", @@ -271,7 +281,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzOCwxXQ==", "attributes": { "title": "Modbus - Observed Client/Server Ratio", @@ -301,7 +311,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzEzOSwxXQ==", "attributes": { "title": "Modbus - Log Count", @@ -330,7 +340,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzE0MCwxXQ==", "attributes": { "title": "Modbus - Logs Over Time", @@ -359,7 +369,7 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", + "updated_at": "2023-11-10T18:34:22.366Z", "version": "WzE0MSwxXQ==", "attributes": { "title": "Modbus - Functions and Exceptions", 
@@ -389,8 +399,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", - "version": "WzE0NSwxXQ==", + "updated_at": "2023-11-10T18:34:22.366Z", + "version": "WzE0MiwxXQ==", "attributes": { "title": "Modbus Detailed - Request and Response", "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus.network_direction: 
Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", 
@@ -419,11 +429,11 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:36:30.972Z", - "version": "Wzk0NywxXQ==", + "updated_at": "2023-11-10T18:56:50.612Z", + "version": "Wzk1NCwxXQ==", "attributes": { "title": "Modbus - Reads", - "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log", "version": 1, 
@@ -449,11 +459,11 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:37:28.218Z", - "version": "Wzk0OCwxXQ==", + "updated_at": "2023-11-10T19:01:32.686Z", + "version": "Wzk1NSwxXQ==", "attributes": { "title": "Modbus - Writes", - "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":30,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Modbus - 
Writes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"ac
cessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus write register and write coil overview from modbus_detailed.log", "version": 1, @@ -479,8 +489,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-07-19T23:20:16.971Z", - "version": "WzE0MywxXQ==", + "updated_at": "2023-11-10T18:34:22.366Z", + "version": "WzE0NSwxXQ==", "attributes": { "title": "Modbus - Transport", "visState": "{\"title\":\"Modbus - Transport\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", 
@@ -503,13 +513,43 @@ "visualization": "7.10.0" } }, + { + "id": "f6d09e10-7ffb-11ee-9964-dd538601517e", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-10T19:04:24.945Z", + "version": "Wzk1NiwxXQ==", + "attributes": { + "title": "Modbus - Device Identification Objects", + "visState": "{\"title\":\"Modbus - Device Identification Objects\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.device_id_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device ID\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object ID\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.modbus_read_device_identification.object_value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Value\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": 
"search_0",
+ "type": "search",
+ "id": "624a1d80-7ffa-11ee-9964-dd538601517e"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
 {
 "id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681",
 "type": "search",
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0NiwxXQ==",
 "attributes": {
 "title": "Modbus - Detailed",
@@ -553,7 +593,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0NywxXQ==",
 "attributes": {
 "title": "Modbus - Mask Write",
@@ -597,7 +637,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0OCwxXQ==",
 "attributes": {
 "title": "Modbus - Read Write Multiple",
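Review bot: The new "Modbus - Device Identification Objects" visualization ships with `"description": ""`, while the neighbouring "Modbus - Writes" object documents where its data comes from ("... from modbus_detailed.log"). A one-line description naming the dataset the table is built on helps operators browsing the saved-object list, e.g. `"description": "Modbus device identification objects (event.dataset:modbus_read_device_identification)",`. The saved search added in the next hunk ("Modbus - Read Device Identification") has the same empty description and could carry the same sentence. The hunk that adds the visualization begins on the previous line of the page.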
@@ -636,13 +676,61 @@
 "search": "7.9.3"
 }
 },
+ {
+ "id": "624a1d80-7ffa-11ee-9964-dd538601517e",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2023-11-10T18:55:03.788Z",
+ "version": "Wzk1MiwxXQ==",
+ "attributes": {
+ "title": "Modbus - Read Device Identification",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "source.ip",
+ "destination.ip",
+ "zeek.modbus.network_direction",
+ "event.action",
+ "event.result",
+ "zeek.modbus.unit_id",
+ "zeek.modbus.trans_id",
+ "zeek.modbus_read_device_identification.device_id_code",
+ "zeek.modbus_read_device_identification.conformity_level",
+ "zeek.modbus_read_device_identification.object_id",
+ "zeek.modbus_read_device_identification.object_value",
+ "event.id"
+ ],
+ "sort": [
+ [
+ "firstPacket",
+ "desc"
+ ]
+ ],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:modbus_read_device_identification\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "arkime_sessions3-*"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ },
 {
 "id": "da7d99a0-ef74-11e9-91bd-23d686ac8389",
 "type": "search",
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE0OSwxXQ==",
 "attributes": {
 "title": "Modbus - Known Clients and Servers Logs",
@@ -681,7 +769,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:20:16.971Z",
+ "updated_at": "2023-11-10T18:34:22.366Z",
 "version": "WzE1MCwxXQ==",
 "attributes": {
 "title": "Modbus - All Logs",
@@ -721,7 +809,7 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-07-19T23:21:16.791Z",
+ "updated_at": "2023-11-10T18:35:22.307Z",
 "version": "WzgzMiwxXQ==",
 "attributes": {
 "title": "Connections - Logs",
diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
index 441802ccc..a3db7ce3f 100644
--- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
+++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
@@ -1,5 +1,5 @@
 {
- "version": "2.1.0",
+ "version": "2.8.0",
 "objects": [
 {
 "id": "37041ee1-79c0-4684-a436-3173b0e89876",
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T20:29:05.468Z", - "version": "Wzg5NiwxXQ==", + "updated_at": "2023-11-14T19:40:46.803Z", + "version": "Wzk1NCwxXQ==", "attributes": { "title": "HTTP", "hits": 0, "description": "", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":14,\"x\":20,\"y\":48},\"panelIndex\":\"5\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":34,\"y\":48},\"panelIndex\":\"6\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":117},\"panelIndex\":\"8\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":10,\"x\":10,\"y\":48},\"panelIndex\":\"14\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":48},\"panelIndex\":\"15\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"d
esc\"}}}},\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":99},\"panelIndex\":\"16\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":117},\"panelIndex\":\"17\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"20\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"21\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":7,\"i\":\"23\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"23\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"24\",\"w\":16,\"x\":32,\"y\":19},\"panelIndex\":\"24\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"w\":8,\"x\":8,\"y\":7},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"w\":24,\"x\":8,\"y\":19},\"panelIndex\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"w\":8,\"x\":0,\"y\":30},\"panelIndex\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_15\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"w\":48,\"x\":0,\"y\":86},\"pane
lIndex\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_16\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"w\":48,\"x\":0,\"y\":135},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"version\":\"2.1.0\",\"panelRefName\":\"panel_17\"}]", + "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":14,\"x\":20,\"y\":48},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":34,\"y\":48},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":117},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":10,\"x\":10,\"y\":48},\"panelIndex\":\"14\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":48},\"panelIndex\":\"15\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\"
,\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":99},\"panelIndex\":\"16\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":117},\"panelIndex\":\"17\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":7,\"i\":\"23\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":29,\"i\":\"24\",\"w\":16,\"x\":32,\"y\":19},\"panelIndex\":\"24\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"w\":8,\"x\":8,\"y\":7},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"w\":8,\"x\":0,\"y\":30},\"panelIndex\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":13,\"i\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"w\":48,\"x\":0,\"y\":135},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_16\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":19,\"w\":24,\"h\":29,\"i\":\"42a27d88-4f13-4d7d-b267-0ffd2a39ca3f\"},\"panelIndex\":\"42a27d88-4f13-4d7d-b267-0ffd2a39ca3f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, 
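Review bot: The rewritten panelsJSON drops panel `e2ba3677-11c6-4cd9-87f3-fb3473718d10` and puts a new panel `42a27d88-4f13-4d7d-b267-0ffd2a39ca3f` in the same grid slot (x 8, y 19, w 24, h 29), and the references hunk that follows repoints `panel_17` to visualization `9cfed8c0-8325-11ee-a28c-7361f03cd201` while the previously referenced `db357c20-760d-11eb-8496-3528afc64ddb` no longer appears in the list. None of the visible hunks of this file add an object with id `9cfed8c0-8325-11ee-a28c-7361f03cd201`; if it is not defined further down in the `objects` array (beyond what this page shows), the import will produce a panel with a missing reference. Conversely, if `db357c20-…` is still exported in this file it becomes an orphan object nobody references; it is worth confirming both ends of the swap in the full diff. The reference changes for panel_14 through panel_16 look like a pure renumbering after the removal and need no change.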
@@ -95,22 +95,22 @@
 {
 "name": "panel_14",
 "type": "visualization",
- "id": "db357c20-760d-11eb-8496-3528afc64ddb"
+ "id": "6efd67a0-760f-11eb-8496-3528afc64ddb"
 },
 {
 "name": "panel_15",
 "type": "visualization",
- "id": "6efd67a0-760f-11eb-8496-3528afc64ddb"
+ "id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a"
 },
 {
 "name": "panel_16",
- "type": "visualization",
- "id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a"
+ "type": "search",
+ "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
 },
 {
 "name": "panel_17",
- "type": "search",
- "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
+ "type": "visualization",
+ "id": "9cfed8c0-8325-11ee-a28c-7361f03cd201"
 }
 ],
 "migrationVersion": {
@@ -123,8 +123,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:51:04.273Z", - "version": "WzgwNSwxXQ==", + "updated_at": "2023-11-14T19:19:25.240Z", + "version": "Wzg1OSwxXQ==", "attributes": { "title": "Network Logs", "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● 
[Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA 
Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -146,8 +146,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI1NSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI3NywxXQ==", "attributes": { "title": "HTTP - Status Over Time", "visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status Code\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 
days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Status Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]}}", 
@@ -176,8 +176,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI1NiwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI3OCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", "description": "", @@ -206,8 +206,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T20:28:57.331Z", - "version": "Wzg5NSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI3OSwxXQ==", "attributes": { "title": "HTTP - Sites Hosting EXEs", "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", 
@@ -235,8 +235,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI1OCwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4MCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", "description": "", @@ -265,8 +265,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI1OSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4MSwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", 
@@ -295,8 +295,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2MCwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4MiwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -325,8 +325,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2MSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4MywxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", "description": "", 
@@ -355,8 +355,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2MiwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4NCwxXQ==", "attributes": { "visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", 
@@ -385,8 +385,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2MywxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4NSwxXQ==", "attributes": { "title": "HTTP - Destination Port", "visState": "{\"title\":\"HTTP - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":2
0,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}", 
@@ -415,8 +415,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2NCwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4NiwxXQ==", "attributes": { "title": "HTTP - Destination Country", "visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\"
,\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}", @@ -445,8 +445,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2NSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4NywxXQ==", "attributes": { "title": "HTTP - Log Count", "visState": "{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 
@@ -475,8 +475,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2NiwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4OCwxXQ==", "attributes": { "title": "HTTP - Status and Method", "visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", 
@@ -505,8 +505,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2NywxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI4OSwxXQ==", "attributes": { "title": "HTTP - Unique Usernames and Passwords", "visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}", 
@@ -529,44 +529,14 @@ "visualization": "7.10.0" } }, - { - "id": "db357c20-760d-11eb-8496-3528afc64ddb", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2OCwxXQ==", - "attributes": { - "title": "HTTP - Method and Status", - "visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": 
"search", - "id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, { "id": "6efd67a0-760f-11eb-8496-3528afc64ddb", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI2OSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI5MSwxXQ==", "attributes": { "title": "HTTP - Version", "visState": "{\"title\":\"HTTP - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HTTP Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100}}}", @@ -595,8 +565,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI3MCwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI5MiwxXQ==", "attributes": { "title": "HTTP - File Type", "visState": "{\"title\":\"HTTP - File Type\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}", 
@@ -625,8 +595,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-07-08T19:50:26.471Z", - "version": "WzI3MSwxXQ==", + "updated_at": "2023-11-14T19:18:33.654Z", + "version": "WzI5MywxXQ==", "attributes": { "title": "HTTP - Logs", "description": "", 
@@ -661,6 +631,29 @@ "migrationVersion": { "search": "7.9.3" } + }, + { + "id": "9cfed8c0-8325-11ee-a28c-7361f03cd201", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:40:06.603Z", + "version": "Wzk1MywxXQ==", + "attributes": { + "title": "HTTP - Method and Status", + "visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n // thanks to:\\n // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: firstPacket\\n index: arkime_sessions3-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"event.action\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"event.result\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -> stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a value is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one 
for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The values stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate percentage for this value using \\\"y\\\" scale\\n // domain upper bound, which 
represents the total\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all values\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Method\\\", \\\"Status\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing contributors\\n // from just one value, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector && groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all data, and hovering over a value,\\n // highlight the contributors for that value\\n strokeOpacity: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 
0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight data to/from the same value\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected value\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } } ] } \ No newline at end of file diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json index 7be4c3e46..8bae2a4b5 100644 --- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json 
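Review bot: The added Vega visualization reads `arkime_sessions3-*` directly (in `url.index` and in both `opensearchDashboardsAddFilter` calls) with `%context%: true`, so its scoping comes from whatever the context injection supplies; please confirm that the vis-level `searchSourceJSON` query `event.dataset:http` is actually part of that injected context, because if only the dashboard time range and filter bar are applied, this panel will aggregate every session in the index instead of HTTP sessions like the removed sankey did through its `savedSearchRefName: search_0` saved search. If it is not applied, put the restriction into the request body itself next to `size: 0`, e.g. `query: {bool: {filter: [{term: {"event.dataset": "http"}}]}}`, so the panel does not depend on a behaviour of the Vega plugin that can change between releases. Hardcoding the index together with `references: []` also means the saved-object import no longer validates that the backing index pattern exists, which is worth a short comment in the spec (`// index is hardcoded; keep in sync with the arkime_sessions3-* index pattern`). On the positive side, the click handler passes `datum.grpId` (a value taken from indexed log content) as a structured `match_phrase` object rather than a KQL string, so log-controlled method/status strings cannot inject query syntax; the composite `size: 10000` silently truncates method×status combinations beyond that count, which is probably acceptable but deserves a comment as well.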
@@ -1,5 +1,5 @@ { - "version": "7.10.2", + "version": "2.8.0", "objects": [ { "id": "4e5f106e-c60a-4226-8f64-d534abb912ab", 
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-23T19:22:09.074Z", - "version": "WzExNzEsMV0=", + "updated_at": "2023-11-14T19:36:48.975Z", + "version": "Wzk1MiwxXQ==", "attributes": { "title": "SNMP", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":33,\"w\":10,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":10,\"y\":33,\"w\":12,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":20,\"y\":14,\"w\":9,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":14,\"w\":12,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":29,\"y\":14,\"w\":19,\"h\":19,\"i\":\"21d58bff-8812-458a-9c96-ad6bff972ead\"},\"panelIndex\":\"21d58bff-8812-458a-9c96-ad6bff972ead\",\"embeddableConfig\":{},\
"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":22,\"y\":33,\"w\":26,\"h\":19,\"i\":\"71465d94-06a3-4a70-8cb8-ad4036300379\"},\"panelIndex\":\"71465d94-06a3-4a70-8cb8-ad4036300379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":32,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":33,\"w\":10,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":10,\"y\":33,\"w\":12,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":20,\"y\":14,\"w\":9,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":14,\"w\":12,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\
"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":29,\"y\":14,\"w\":19,\"h\":19,\"i\":\"21d58bff-8812-458a-9c96-ad6bff972ead\"},\"panelIndex\":\"21d58bff-8812-458a-9c96-ad6bff972ead\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":32,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":22,\"y\":33,\"w\":26,\"h\":19,\"i\":\"c79c7ba6-abe8-41c6-af4a-809a8b405971\"},\"panelIndex\":\"c79c7ba6-abe8-41c6-af4a-809a8b405971\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -64,13 +64,13 @@ }, { "name": "panel_8", - "type": "visualization", - "id": "f0bd55b0-760b-11eb-8496-3528afc64ddb" + "type": "search", + "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" }, { "name": "panel_9", - "type": "search", - "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" + "type": "visualization", + "id": "11c1b480-8325-11ee-a28c-7361f03cd201" } ], "migrationVersion": { 
@@ -83,8 +83,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-23T18:47:06.069Z", - "version": "Wzg3NCwxXQ==", + "updated_at": "2023-11-14T19:19:25.240Z", + "version": "Wzg1OSwxXQ==", "attributes": { "title": "Network Logs", "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● 
[Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA 
Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -106,8 +106,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2MywxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1NCwxXQ==",
 "attributes": {
 "visState": "{\"title\":\"SNMP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"}}],\"listeners\":{}}",
 "description": "",
@@ -136,8 +136,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2NCwxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1NSwxXQ==",
 "attributes": {
 "visState": "{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
 "description": "",
@@ -166,8 +166,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2NSwxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1NiwxXQ==",
 "attributes": {
 "title": "SNMP - Destination IP Address",
 "visState": "{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
@@ -196,8 +196,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2NiwxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1NywxXQ==",
 "attributes": {
 "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}",
 "description": "",
@@ -226,8 +226,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2NywxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1OCwxXQ==",
 "attributes": {
 "title": "SNMP - Log Count",
 "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}",
@@ -256,8 +256,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2021-02-23T18:46:26.687Z",
- "version": "WzQ2OCwxXQ==",
+ "updated_at": "2023-11-14T19:18:39.742Z",
+ "version": "WzM1OSwxXQ==",
 "attributes": {
 "title": "SNMP - Community String",
 "visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}",
@@ -286,8 +286,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-23T18:46:26.687Z", - "version": "WzQ2OSwxXQ==", + "updated_at": "2023-11-14T19:18:39.742Z", + "version": "WzM2MCwxXQ==", "attributes": { "title": "SNMP - PDU Type", "visState": "{\"title\":\"SNMP - PDU Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"
width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true,\"orderBucketsBySum\":false}}", 
@@ -310,44 +310,14 @@ "visualization": "7.10.0" } }, - { - "id": "f0bd55b0-760b-11eb-8496-3528afc64ddb", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2021-02-23T19:18:42.059Z", - "version": "WzEwOTcsMV0=", - "attributes": { - "title": "SNMP - Version and PDU Type", - "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - 
"name": "search_0", - "type": "search", - "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, { "id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8", "type": "search", "namespaces": [ "default" ], - "updated_at": "2021-02-23T18:46:26.687Z", - "version": "WzQ3MCwxXQ==", + "updated_at": "2023-11-14T19:18:39.742Z", + "version": "WzM2MiwxXQ==", "attributes": { "title": "SNMP - Logs", "description": "", 
@@ -382,6 +352,29 @@ "migrationVersion": { "search": "7.9.3" } + }, + { + "id": "11c1b480-8325-11ee-a28c-7361f03cd201", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:36:13.000Z", + "version": "Wzk1MSwxXQ==", + "attributes": { + "title": "SNMP - Version and PDU Type", + "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n // thanks to:\\n // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: firstPacket\\n index: arkime_sessions3-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"network.protocol_version\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"event.action\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -> stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a value is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new 
rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The values stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate percentage for this value using \\\"y\\\" scale\\n // domain upper 
bound, which represents the total\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all values\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"SNMP Version\\\", \\\"Action\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing contributors\\n // from just one value, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector && groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all data, and hovering over a value,\\n // highlight the contributors for that value\\n strokeOpacity: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 
0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight data to/from the same value\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected value\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol_version\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:snmp\",\"language\":\"kuery\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } } ] } \ No newline at end of file diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json index 2fd7ec062..9de0cd9c9 100644 --- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json +++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json 
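Review bot: The new Vega visualization is scoped to SNMP only through the saved object's kuery `event.dataset:snmp` in `searchSourceJSON`, while the request body relies on `%context%: true`; as far as I know the Vega request handler injects only the dashboard-level query and filters there, not the visualization's own saved query, so embedded in a dashboard the composite aggregation over `network.protocol_version`/`event.action` would run across every dataset in `arkime_sessions3-*` (the removed kbn_sankey vis avoided this by referencing the `SNMP - Logs` saved search via `savedSearchRefName`). It would be safer to pin the dataset inside the spec with an explicit bool query plus the dashboard-context placeholders, as sketched below, so correctness does not depend on how the embeddable forwards the saved query. Separately, `$schema` points at Vega v3.0 while the dashboards bundle Vega 5; bumping it to `https://vega.github.io/schema/vega/v5.json` avoids the runtime's version-mismatch warning. The index pattern `arkime_sessions3-*` is hard-coded three times (the data `url` and both `opensearchDashboardsAddFilter` calls), which deserves a comment if that pattern is configurable elsewhere in the project.
```hjson
// … unchanged: header comments …
$schema: https://vega.github.io/schema/vega/v5.json
data: [
  {
    name: rawData
    url: {
      index: arkime_sessions3-*
      body: {
        size: 0
        query: {
          bool: {
            must: [
              "%dashboard_context-must_clause%"
              {range: {firstPacket: {"%timefilter%": true}}}
              {match_phrase: {"event.dataset": "snmp"}}
            ]
            must_not: ["%dashboard_context-must_not_clause%"]
            filter: ["%dashboard_context-filter_clause%"]
          }
        }
        // … unchanged: composite aggs on network.protocol_version / event.action …
      }
    }
    // … unchanged: format and transform …
  }
  // … unchanged: nodes, groups, destinationNodes, edges …
]
// … unchanged: scales, axes, marks, signals …
```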
@@ -1,5 +1,5 @@
 {
- "version": "2.4.1",
+ "version": "2.8.0",
 "objects": [
 {
 "id": "677ee170-809e-11ed-8d5b-07069f823b6f",
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:22:02.745Z", - "version": "WzkzOCwxXQ==", + "updated_at": "2023-11-14T20:55:46.977Z", + "version": "Wzk1MSwxXQ==", "attributes": { "title": "Asset Interaction Analysis", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":36,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":12,\"h\":18,\"i\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\"},\"panelIndex\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":18,\"i\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\"},\"panelIndex\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":8,\"y\":18,\"w\":12,\"h\":18,\"i\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\"},\"panelIndex\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":20,\"y\":18,\"w\":14,\"h\":37,\"i\":\"618fe049-9298-49e7-adf6-31da64a796ad\"},\"panelIndex\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":34,\"y\":18,\"w\":14,\"h\":37,\"i\":\"707927bd-fd2e-48cd-a045-4db49fb90159\"},\"panelIndex\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":36,\"w\":20,\"h\":19,\"i\":\"447d6058-5433-4076-b0cc-60fb7f7b4c70\"},\"panelIndex\":\"447d6058-5433-4076-b0cc-60fb7f7b4c70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":55,\"w\":11,\"h\":18,\"i\
":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\"},\"panelIndex\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":11,\"y\":55,\"w\":20,\"h\":18,\"i\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\"},\"panelIndex\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":31,\"y\":55,\"w\":17,\"h\":18,\"i\":\"64f0e91b-4263-4400-812d-c378cd6d8565\"},\"panelIndex\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":73,\"w\":24,\"h\":22,\"i\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\"},\"panelIndex\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":24,\"y\":73,\"w\":24,\"h\":22,\"i\":\"fe600b29-f6af-4d33-b226-26743ced5290\"},\"panelIndex\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":95,\"w\":24,\"h\":18,\"i\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\"},\"panelIndex\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":24,\"y\":95,\"w\":24,\"h\":18,\"i\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\"},\"panelIndex\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":113,\"w\":48,\"h\":33,\"i\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\"},\"panelIndex\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.4.1\",\"gridData\":{\"x\":0,\"y\":146,\"w\":48,\"h\":31,\"i\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\"},\"panelIndex\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_
15\"}]", + "panelsJSON": "[{\"version\":\"2.8.0\",\"gridData\":{\"h\":36,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"w\":12,\"x\":8,\"y\":0},\"panelIndex\":\"2fe74242-3865-4c2e-87b4-ec2580f467eb\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"w\":28,\"x\":20,\"y\":0},\"panelIndex\":\"a3985c0b-155d-4dbd-ae17-b620c23bcffd\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"w\":12,\"x\":8,\"y\":18},\"panelIndex\":\"c1614a06-d5e7-4bba-93cc-e8fa63205e11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":0,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":37,\"i\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"w\":14,\"x\":20,\"y\":18},\"panelIndex\":\"618fe049-9298-49e7-adf6-31da64a796ad\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":37,\"i\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"w\":14,\"x\":34,\"y\":18},\"panelIndex\":\"707927bd-fd2e-48cd-a045-4db49fb90159\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"w\":11,\"x\":0,\"y\":55},\"panelIndex\":\"6d7baf85-fc04-49be-942e-e61f1fd7f0d0\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"d
esc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"w\":20,\"x\":11,\"y\":55},\"panelIndex\":\"d7a5cbcd-1907-4d98-8def-0e6ed61cfe51\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"w\":17,\"x\":31,\"y\":55},\"panelIndex\":\"64f0e91b-4263-4400-812d-c378cd6d8565\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":22,\"i\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"w\":24,\"x\":0,\"y\":73},\"panelIndex\":\"3c3e26f4-2485-4f09-a000-2ac61759bbc9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_9\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":22,\"i\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"w\":24,\"x\":24,\"y\":73},\"panelIndex\":\"fe600b29-f6af-4d33-b226-26743ced5290\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"2abbd1dd-532b-4204-a44d-c2914f47a6fe\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":18,\"i\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"w\":24,\"x
\":24,\"y\":95},\"panelIndex\":\"9b1cb1de-e704-4de8-9db5-253492ab5557\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_12\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":33,\"i\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"w\":48,\"x\":0,\"y\":113},\"panelIndex\":\"e85559bf-0ca0-4218-ac74-cad3c4b2d1c6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":31,\"i\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"w\":48,\"x\":0,\"y\":146},\"panelIndex\":\"aba4ed3d-64e5-435d-8b4d-80614ac32fca\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"2.8.0\",\"gridData\":{\"h\":19,\"i\":\"3b28bc9b-393b-4cf2-b31c-3510b0994281\",\"w\":20,\"x\":0,\"y\":36},\"panelIndex\":\"3b28bc9b-393b-4cf2-b31c-3510b0994281\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, 
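Review bot: Several panels in the rewritten `panelsJSON` carry two disagreeing sort states under `embeddableConfig.vis`: the panels with indices `2fe74242-…` and `c1614a06-…` have `params.sort` set to `{columnIndex: 3, direction: desc}` but `sortColumn` set to `{colIndex: 0, direction: asc}`, `a3985c0b-…` has `columnIndex: 6` against `colIndex: 4`, and `64f0e91b-…` has `columnIndex: 4` against `colIndex: 3`. If the table visualization in OSD 2.8.0 reads only one of these keys (I would expect `sortColumn` for the newer table implementation, but have not confirmed), the other is stale editor-export noise and the default sort shown on the dashboard may differ from what the author sees. Aligning each pair, or dropping the key that is not consumed, would make the intended sort unambiguous; the rest of the layout change (the `3b28bc9b-…` panel at x 0, y 36 now bound to `panel_15`) looks internally consistent.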
@@ -55,52 +55,52 @@
 {
 "name": "panel_6",
 "type": "visualization",
- "id": "5e7be470-8183-11ed-8ccb-af218b39580f"
+ "id": "34fb58a0-9787-11ed-a26e-595ac55a6057"
 },
 {
 "name": "panel_7",
 "type": "visualization",
- "id": "34fb58a0-9787-11ed-a26e-595ac55a6057"
+ "id": "b8d19d20-8246-11ed-978d-3910915d0e0c"
 },
 {
 "name": "panel_8",
 "type": "visualization",
- "id": "b8d19d20-8246-11ed-978d-3910915d0e0c"
+ "id": "1d4da4b0-8247-11ed-978d-3910915d0e0c"
 },
 {
 "name": "panel_9",
 "type": "visualization",
- "id": "1d4da4b0-8247-11ed-978d-3910915d0e0c"
+ "id": "e40049c0-821d-11ed-9877-cfe49c9ac04f"
 },
 {
 "name": "panel_10",
 "type": "visualization",
- "id": "e40049c0-821d-11ed-9877-cfe49c9ac04f"
+ "id": "f0167720-821d-11ed-9877-cfe49c9ac04f"
 },
 {
 "name": "panel_11",
 "type": "visualization",
- "id": "f0167720-821d-11ed-9877-cfe49c9ac04f"
+ "id": "20a4ad80-8acf-11ed-95fa-1ba69c999d66"
 },
 {
 "name": "panel_12",
 "type": "visualization",
- "id": "20a4ad80-8acf-11ed-95fa-1ba69c999d66"
+ "id": "5e0b84f0-8acf-11ed-95fa-1ba69c999d66"
 },
 {
 "name": "panel_13",
- "type": "visualization",
- "id": "5e0b84f0-8acf-11ed-95fa-1ba69c999d66"
+ "type": "search",
+ "id": "2e27c5e0-809e-11ed-8d5b-07069f823b6f"
 },
 {
 "name": "panel_14",
 "type": "search",
- "id": "2e27c5e0-809e-11ed-8d5b-07069f823b6f"
+ "id": "8d302e10-9b74-11ed-a51c-3fd00aab0ddc"
 },
 {
 "name": "panel_15",
- "type": "search",
- "id": "8d302e10-9b74-11ed-a51c-3fd00aab0ddc"
+ "type": "visualization",
+ "id": "3d477aa0-8324-11ee-a28c-7361f03cd201"
 }
 ],
 "migrationVersion": {
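Review bot: Dropping the `5e7be470-8183-11ed-8ccb-af218b39580f` reference shifts every following `panel_N` by one, so each name now resolves to the visualization that used to belong to `panel_N-1`, and any per-panel state in `panelsJSON` keyed by those names has to move with it. In the visible `panelsJSON` the `panel_8` entry carries `sort.columnIndex` 4 but `sortColumn.colIndex` 3, which looks like one of the two was not re-aligned after the shift; it is worth checking each `embeddableConfig` sort against the column layout of its new target table, since a stale index silently sorts a different column rather than failing. The `panelsJSON` hunk this depends on begins before this view.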
@@ -113,8 +113,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:09:17.633Z", - "version": "WzgzNywxXQ==", + "updated_at": "2023-11-14T20:35:24.930Z", + "version": "Wzg2MCwxXQ==", "attributes": { "title": "Network Logs", "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● 
[Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA 
Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", @@ -136,8 +136,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzM5NiwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQxNywxXQ==", "attributes": { "title": "Source Device Type", "visState": "{\"title\":\"Source Device Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -166,8 +166,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzM5NywxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQxOCwxXQ==", "attributes": { "title": "Traffic by Network Segment", "visState": "{\"title\":\"Traffic by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Direction\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Segment\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.packets\",\"customLabel\":\"Total Packets\"},\"schema\":\"metric\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.bytes\",\"customLabel\":\"Total 
Bytes\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", @@ -196,8 +196,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzM5OCwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQxOSwxXQ==", "attributes": { "title": "Destination Device Type", "visState": "{\"title\":\"Destination Device Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -226,8 +226,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzM5OSwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyMCwxXQ==", "attributes": { "title": "Source Device Role", "visState": "{\"title\":\"Source Device Role\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Role\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":false}}", 
@@ -256,8 +256,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwMCwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyMSwxXQ==", "attributes": { "title": "Destination Device Role", "visState": "{\"title\":\"Destination Device Role\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Role\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":false}}", 
@@ -280,48 +280,18 @@ "visualization": "7.10.0" } }, - { - "id": "5e7be470-8183-11ed-8ccb-af218b39580f", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwMSwxXQ==", - "attributes": { - "title": "Cross Segment Traffic", - "visState": "{\"title\":\"Cross Segment Traffic\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"tags:cross_segment\",\"language\":\"lucene\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - 
"references": [ - { - "name": "search_0", - "type": "search", - "id": "b1645e70-8182-11ed-8ccb-af218b39580f" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, { "id": "34fb58a0-9787-11ed-a26e-595ac55a6057", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwMiwxXQ==", + "updated_at": "2023-11-14T20:51:17.788Z", + "version": "Wzk0OSwxXQ==", "attributes": { "title": "Protocol by Network Segment", - "visState": "{\"title\":\"Protocol by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Family\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},
\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", + "visState": "{\"title\":\"Protocol by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Family\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":150,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}},\"sortColumn\":{\"colIndex\":4,\"direction\":\"desc\"}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { 
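Review bot: The "Protocol by Network Segment" `visState` also flips `missingBucket` from `true` to `false` on the `network.name` terms aggregation, so documents with no network segment are now dropped from the table instead of being grouped under the `-` bucket; that is a behavior change unrelated to replacing the sankey visualization and is not called out. For a dashboard whose purpose is spotting traffic that is not mapped to an inventoried segment, the unsegmented rows are often the ones an analyst most wants to see, so if the change is intentional the commit message should say why. The removed `kbn_sankey` object was the only visible consumer of saved search `b1645e70-8182-11ed-8ccb-af218b39580f` via `search_0`; if nothing else in the export references it, that object is now orphaned and should go too, though that cannot be confirmed from this hunk.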
@@ -346,8 +316,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwMywxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyMywxXQ==", "attributes": { "title": "Notice, Alert and Signature by Network Segment", "visState": "{\"title\":\"Notice, Alert and Signature by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Provider\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network 
Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -376,8 +346,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwNCwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyNCwxXQ==", "attributes": { "title": "Event Severity by Network Segment", "visState": "{\"title\":\"Event Severity by Network Segment\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Segment\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.severity_tags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity Tag\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -406,8 +376,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwNSwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyNSwxXQ==", "attributes": { "title": "Source Device Log Counts", "visState": "{\"title\":\"Source Device Log Counts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.device.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -436,8 +406,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwNiwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyNiwxXQ==", "attributes": { "title": "Destination Device Log Counts", "visState": "{\"title\":\"Destination Device Log Counts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.manufacturer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Manufacturer\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Type\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.role\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Role\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.device.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -466,8 +436,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwNywxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyNywxXQ==", "attributes": { "title": "Uninventoried Internal Source IPs", "visState": "{\"title\":\"Uninventoried Internal Source IPs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -496,8 +466,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwOCwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyOCwxXQ==", "attributes": { "title": "Uninventoried Internal Destination IPs", "visState": "{\"title\":\"Uninventoried Internal Destination IPs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.site\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Site\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.segment.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Segment\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", @@ -526,8 +496,8 @@ "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQwOSwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQyOSwxXQ==", "attributes": { "title": "Uninventoried Internal Assets - Logs", "description": "", 
@@ -568,8 +538,8 @@
 "namespaces": [
 "default"
 ],
- "updated_at": "2023-01-23T23:20:40.561Z",
- "version": "WzkzNywxXQ==",
+ "updated_at": "2023-11-14T20:34:46.347Z",
+ "version": "WzQzMCwxXQ==",
 "attributes": {
 "title": "Uninventoried Observed Services - Logs",
 "description": "",
@@ -603,14 +573,37 @@ "search": "7.9.3" } }, + { + "id": "3d477aa0-8324-11ee-a28c-7361f03cd201", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQzMSwxXQ==", + "attributes": { + "title": "Cross Segment Traffic", + "visState": "{\"title\":\"Cross Segment Traffic\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n // thanks to:\\n // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: firstPacket\\n index: arkime_sessions3-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"source.segment.name\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"destination.segment.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -> stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a value is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the 
source (stack=stk1) and one for destination node (stack=stk2).\\n // The values stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate percentage for this value using \\\"y\\\" scale\\n // domain upper bound, which represents 
the total\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all values\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source Segment\\\", \\\"Destination Segment\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing contributors\\n // from just one value, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector && groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", 
field: \\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all data, and hovering over a value,\\n // highlight the contributors for that value\\n strokeOpacity: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 
0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight data to/from the same value\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected value\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"source.segment.name\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"destination.segment.name\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"tags:cross_segment\",\"language\":\"kuery\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, { "id": "b1645e70-8182-11ed-8ccb-af218b39580f", "type": "search", "namespaces": [ "default" ], - "updated_at": "2023-01-23T23:08:39.281Z", - "version": "WzQxMCwxXQ==", + "updated_at": "2023-11-14T20:34:46.347Z", + "version": "WzQzMiwxXQ==", "attributes": { "title": "NetBox Enrichment - Candidate Logs", "description": "", 
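Review bot: The comment `// draw stack groups (countries)` inside the new `Cross Segment Traffic` visState is carried over from the Elastic Sankey example credited at the top of the spec and no longer describes the data, which is `source.segment.name`/`destination.segment.name` buckets; I would change it to `// draw stack groups (one rect per segment name on each side)`. The composite aggregation asks for `size: 10000` with no `after` paging, so source/destination segment pairs beyond the first 10000 composite buckets are silently left out of the chart and nothing in the spec says so; a comment on that line such as `// hard cap: pairs past 10000 composite buckets are dropped (no after-key paging)` would make the limit visible. The `$schema` still points at `vega/v3.0.json` while the signals call `opensearchDashboardsAddFilter`, which presumably exists only in the OpenSearch Dashboards Vega runtime; if the v3 schema reference is deliberate rather than inherited from the example, a one-line comment saying so would help the next maintainer.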
diff --git a/dashboards/dashboards/Vega.Sankey.txt b/dashboards/dashboards/Vega.Sankey.txt
new file mode 100644
index 000000000..7b710e97e
--- /dev/null
+++ b/dashboards/dashboards/Vega.Sankey.txt
@@ -0,0 +1,423 @@ +{ + // thanks to: + // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana + // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/ + $schema: https://vega.github.io/schema/vega/v3.0.json + data: [ + { + // query ES based on the currently selected time range and filter string + name: rawData + url: { + %context%: true + %timefield%: firstPacket + index: arkime_sessions3-* + body: { + size: 0 + aggs: { + table: { + composite: { + size: 10000 + sources: [ + { + stk1: { + terms: {field: "source.ip"} + } + } + { + stk2: { + terms: {field: "destination.ip"} + } + } + ] + } + } + } + } + } + // From the result, take just the data we are interested in + format: {property: "aggregations.table.buckets"} + // Convert key.stk1 -> stk1 for simpler access below + transform: [ + {type: "formula", expr: "datum.key.stk1", as: "stk1"} + {type: "formula", expr: "datum.key.stk2", as: "stk2"} + {type: "formula", expr: "datum.doc_count", as: "size"} + ] + } + { + name: nodes + source: rawData + transform: [ + // when a value is selected, filter out unrelated data + { + type: filter + expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2 + } + // Set new key for later lookups - identifies each node + {type: "formula", expr: "datum.stk1+datum.stk2", as: "key"} + // instead of each table row, create two new rows, + // one for the source (stack=stk1) and one for destination node (stack=stk2). + // The values stored in stk1 and stk2 fields is placed into grpId field. + { + type: fold + fields: ["stk1", "stk2"] + as: ["stack", "grpId"] + } + // Create a sortkey, different for stk1 and stk2 stacks. + // Space separator ensures proper sort order in some corner cases. + { + type: formula + expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1 + as: sortField + } + // Calculate y0 and y1 positions for stacking nodes one on top of the other, + // independently for each stack, and ensuring they are in the proper order, + // alphabetical from the top (reversed on the y axis) + { + type: stack + groupby: ["stack"] + sort: {field: "sortField", order: "descending"} + field: size + } + // calculate vertical center point for each node, used to draw edges + {type: "formula", expr: "(datum.y0+datum.y1)/2", as: "yc"} + ] + } + { + name: groups + source: nodes + transform: [ + // combine all nodes into groups, summing up the doc counts + { + type: aggregate + groupby: ["stack", "grpId"] + fields: ["size"] + ops: ["sum"] + as: ["total"] + } + // re-calculate the stacking y0,y1 values + { + type: stack + groupby: ["stack"] + sort: {field: "grpId", order: "descending"} + field: total + } + // project y0 and y1 values to screen coordinates + // doing it once here instead of doing it several times in marks + {type: "formula", expr: "scale('y', datum.y0)", as: "scaledY0"} + {type: "formula", expr: "scale('y', datum.y1)", as: "scaledY1"} + // boolean flag if the label should be on the right of the stack + {type: "formula", expr: "datum.stack == 'stk1'", as: "rightLabel"} + // Calculate percentage for this value using "y" scale + // domain upper bound, which represents the total + { + type: formula + expr: datum.total/domain('y')[1] + as: percentage + } + ] + } + { + // This is a temp lookup table with all the 'stk2' stack nodes + name: destinationNodes + source: nodes + transform: [ + {type: "filter", expr: "datum.stack == 'stk2'"} + ] + } + { + name: edges + source: nodes + transform: [ + // we only want nodes from the left stack + {type: "filter", expr: "datum.stack == 'stk1'"} + // find corresponding node from the right stack, keep it as "target" + { + type: lookup + from: destinationNodes + key: key + fields: ["key"] + as: ["target"] + } + // calculate SVG link path 
between stk1 and stk2 stacks for the node pair + { + type: linkpath + orient: horizontal + shape: diagonal + sourceY: {expr: "scale('y', datum.yc)"} + sourceX: {expr: "scale('x', 'stk1') + bandwidth('x')"} + targetY: {expr: "scale('y', datum.target.yc)"} + targetX: {expr: "scale('x', 'stk2')"} + } + // A little trick to calculate the thickness of the line. + // The value needs to be the same as the hight of the node, but scaling + // size to screen's height gives inversed value because screen's Y + // coordinate goes from the top to the bottom, whereas the graph's Y=0 + // is at the bottom. So subtracting scaled doc count from screen height + // (which is the "lower" bound of the "y" scale) gives us the right value + { + type: formula + expr: range('y')[0]-scale('y', datum.size) + as: strokeWidth + } + // Tooltip needs individual link's percentage of all values + { + type: formula + expr: datum.size/domain('y')[1] + as: percentage + } + ] + } + ] + scales: [ + { + // calculates horizontal stack positioning + name: x + type: band + range: width + domain: ["stk1", "stk2"] + paddingOuter: 0.05 + paddingInner: 0.95 + } + { + // this scale goes up as high as the highest y1 value of all nodes + name: y + type: linear + range: height + domain: {data: "nodes", field: "y1"} + } + { + // use rawData to ensure the colors stay the same when clicking. 
+ name: color + type: ordinal + range: category + domain: {data: "rawData", fields: ["stk1", "stk2"]} + } + { + // this scale is used to map internal ids (stk1, stk2) to stack names + name: stackNames + type: ordinal + range: ["Source IP", "Destination IP"] + domain: ["stk1", "stk2"] + } + ] + axes: [ + { + // x axis should use custom label formatting to print proper stack names + orient: bottom + scale: x + encode: { + labels: { + update: { + text: {scale: "stackNames", field: "value"} + } + } + } + } + {orient: "left", scale: "y"} + ] + marks: [ + { + // draw the connecting line between stacks + type: path + name: edgeMark + from: {data: "edges"} + // this prevents some autosizing issues with large strokeWidth for paths + clip: true + encode: { + update: { + // By default use color of the left node, except when showing contributors + // from just one value, in which case use destination color. + stroke: [ + { + test: groupSelector && groupSelector.stack=='stk1' + scale: color + field: stk2 + } + {scale: "color", field: "stk1"} + ] + strokeWidth: {field: "strokeWidth"} + path: {field: "path"} + // when showing all data, and hovering over a value, + // highlight the contributors for that value + strokeOpacity: { + signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3 + } + // Ensure that the hover-selected edges show on top + zindex: { + signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 
1 : 0 + } + // format tooltip string + tooltip: { + signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')' + } + } + // Simple mouseover highlighting of a single line + hover: { + strokeOpacity: {value: 1} + } + } + } + { + // draw stack groups (countries) + type: rect + name: groupMark + from: {data: "groups"} + encode: { + enter: { + fill: {scale: "color", field: "grpId"} + width: {scale: "x", band: 1} + } + update: { + x: {scale: "x", field: "stack"} + y: {field: "scaledY0"} + y2: {field: "scaledY1"} + fillOpacity: {value: 0.6} + tooltip: { + signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')' + } + } + hover: { + fillOpacity: {value: 1} + } + } + } + { + // draw labels on the inner side of the stack + type: text + from: {data: "groups"} + // don't process events for the labels - otherwise line mouseover is unclean + interactive: false + encode: { + update: { + // depending on which stack it is, position x with some padding + x: { + signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8) + } + // middle of the group + yc: {signal: "(datum.scaledY0 + datum.scaledY1)/2"} + align: {signal: "datum.rightLabel ? 'left' : 'right'"} + baseline: {value: "middle"} + fontWeight: {value: "bold"} + // only show text label if the group's height is large enough + text: {signal: "abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''"} + } + } + } + { + // Create a "show all" button. Shown only when a value is selected. + type: group + data: [ + // We need to make the button show only when groupSelector signal is true. + // Each mark is drawn as many times as there are elements in the backing data. + // Which means that if values list is empty, it will not be drawn. + // Here I create a data source with one empty object, and filter that list + // based on the signal value. This can only be done in a group. 
+ { + name: dataForShowAll + values: [{}] + transform: [{type: "filter", expr: "groupSelector"}] + } + ] + // Set button size and positioning + encode: { + enter: { + xc: {signal: "width/2"} + y: {value: 30} + width: {value: 80} + height: {value: 30} + } + } + marks: [ + { + // This group is shown as a button with rounded corners. + type: group + // mark name allows signal capturing + name: groupReset + // Only shows button if dataForShowAll has values. + from: {data: "dataForShowAll"} + encode: { + enter: { + cornerRadius: {value: 6} + fill: {value: "#f5f5f5"} + stroke: {value: "#c1c1c1"} + strokeWidth: {value: 2} + // use parent group's size + height: { + field: {group: "height"} + } + width: { + field: {group: "width"} + } + } + update: { + // groups are transparent by default + opacity: {value: 1} + } + hover: { + opacity: {value: 0.7} + } + } + marks: [ + { + type: text + // if true, it will prevent clicking on the button when over text. + interactive: false + encode: { + enter: { + // center text in the paren group + xc: { + field: {group: "width"} + mult: 0.5 + } + yc: { + field: {group: "height"} + mult: 0.5 + offset: 2 + } + align: {value: "center"} + baseline: {value: "middle"} + fontWeight: {value: "bold"} + text: {value: "Show All"} + } + } + } + ] + } + ] + } + ] + signals: [ + { + // used to highlight data to/from the same value + name: groupHover + value: {} + on: [ + { + events: @groupMark:mouseover + update: "{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}" + } + {events: "mouseout", update: "{}"} + ] + } + // used to filter only the data related to the selected value + { + name: groupSelector + value: false + on: [ + { + // Clicking groupMark sets this signal to the filter values + events: @groupMark:click! + update: "datum.stack=='stk1' ? 
opensearchDashboardsAddFilter({\"match_phrase\": { \"source.ip\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\"match_phrase\": { \"destination.ip\": datum.grpId } }, 'arkime_sessions3-*')" + } + { + // Clicking "show all" button, or double-clicking anywhere resets it + events: [ + {type: "click", markname: "groupReset"} + {type: "dblclick"} + ] + update: "false" + } + ] + } + ] +} \ No newline at end of file diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json index e60bda9b0..a00e4c84a 100644 --- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json +++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json 
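Review bot: Nothing in Vega.Sankey.txt says what this copy is for or how it relates to the Sankey spec embedded in the dashboards JSON; it looks like a reusable template keyed on `source.ip`/`destination.ip` instead of segment names, but that is inferred rather than stated. A header comment above the `// thanks to:` credits along the lines of `// Reusable Vega Sankey template: paste into a Vega visualization and change the two composite terms fields, the stackNames range and the two opensearchDashboardsAddFilter field names together` would state the contract. With IP addresses as the two composite sources the number of distinct pairs is far larger than with segment names, so the `size: 10000` composite cap with no `after` paging is much more likely to truncate silently here, and the browser is asked to render up to 10000 edges; that cap deserves a comment and possibly a smaller default. The `// draw stack groups (countries)` comment is leftover from the credited Elastic example and should describe what the rects are here, e.g. `// draw stack groups (one rect per IP on each side)`.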
@@ -1,314 +1,336 @@ -{ - "version": "1.3.1", - "objects": [ - { - "id": "a33e0a50-afcd-11ea-993f-b7d8522a8bed", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUxNiwxXQ==", - "attributes": { - "title": "Actions and Results", - "hits": 0, - "description": "", - "panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":46,\"i\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\"},\"panelIndex\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":7,\"i\":\"12265d8d-1385-4adb-8974-941feadbc9a4\"},\"panelIndex\":\"12265d8d-1385-4adb-8974-941feadbc9a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":15,\"i\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\"},\"panelIndex\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":13,\"h\":8,\"i\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\"},\"panelIndex\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":15,\"w\":40,\"h\":31,\"i\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\"},\"panelIndex\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":18,\"i\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\"},\"panelIndex\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":18,\"i\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\"},\"panelIndex\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x
\":0,\"y\":64,\"w\":48,\"h\":31,\"i\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\"},\"panelIndex\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]", - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" - } - }, - "references": [ - { - "name": "panel_0", - "type": "visualization", - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" - }, - { - "name": "panel_1", - "type": "visualization", - "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed" - }, - { - "name": "panel_2", - "type": "visualization", - "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed" - }, - { - "name": "panel_3", - "type": "visualization", - "id": "AWDGyaGxxQT5EBNmq3K9" - }, - { - "name": "panel_4", - "type": "visualization", - "id": "1c4354d0-7609-11eb-8496-3528afc64ddb" - }, - { - "name": "panel_5", - "type": "visualization", - "id": "77bd1870-46ce-11ea-91c3-61991161aaaf" - }, - { - "name": "panel_6", - "type": "visualization", - "id": "767e3d90-afce-11ea-993f-b7d8522a8bed" - }, - { - "name": "panel_7", - "type": "search", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" - } - ], - "migrationVersion": { - "dashboard": "7.9.3" - } - }, - { - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:11:16.155Z", - "version": "Wzc4NSwxXQ==", - "attributes": { - "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) 
\\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● 
[SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "references": [], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": 
"c9bbbcc0-afca-11ea-993f-b7d8522a8bed", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUxOCwxXQ==", - "attributes": { - "title": "Filter by Application Protocol", - "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - } - }, - "references": [ - { - "name": "control_0_index_pattern", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUxOSwxXQ==", - "attributes": { - "title": "Total Log Count Over Time by Application Protocol", - "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" 
\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "AWDGyaGxxQT5EBNmq3K9", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:18:09.590Z", - "version": "WzEwNTEsMV0=", - "attributes": { - "title": "Total Number of Logs", - "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Logs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Data Source\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"colorSchema\":\"Green to Red\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"},\"metricColorMode\":\"None\"}}}", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "1c4354d0-7609-11eb-8496-3528afc64ddb", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUyMSwxXQ==", - "attributes": { - "title": "Top Actions and Results by Service", - "visState": "{\"title\":\"Top Actions and Results by Service\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWith
Total\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND (event.action:* OR event.result:*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "77bd1870-46ce-11ea-91c3-61991161aaaf", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUyMiwxXQ==", - "attributes": { - "title": "Actions", - "visState": 
"{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - 
"migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "767e3d90-afce-11ea-993f-b7d8522a8bed", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:10:51.772Z", - "version": "WzUyMywxXQ==", - "attributes": { - "title": "Results", - "visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "c97bc964-5319-41e7-ad22-db28156a2ac1", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-04-29T13:11:16.155Z", - "version": "Wzc5OCwxXQ==", - "attributes": { - "title": "All Logs", - "description": "", - "hits": 0, - "columns": [ - "event.provider", - "event.dataset", - "network.protocol", - "event.action", - "event.result", - "source.ip", - "destination.ip", - "destination.port", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] - ], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - } - ] +{ + "version": "2.8.0", + "objects": [ + { + "id": "a33e0a50-afcd-11ea-993f-b7d8522a8bed", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T20:25:52.249Z", + "version": "Wzk2MSwxXQ==", + "attributes": { + "title": "Actions and Results", + "hits": 0, + "description": "", + "panelsJSON": 
"[{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":46,\"i\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\"},\"panelIndex\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":7,\"i\":\"12265d8d-1385-4adb-8974-941feadbc9a4\"},\"panelIndex\":\"12265d8d-1385-4adb-8974-941feadbc9a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":15,\"i\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\"},\"panelIndex\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":7,\"w\":13,\"h\":8,\"i\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\"},\"panelIndex\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":8,\"y\":15,\"w\":20,\"h\":31,\"i\":\"505be51b-94ef-4386-a3be-aeeab4c7af74\"},\"panelIndex\":\"505be51b-94ef-4386-a3be-aeeab4c7af74\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":28,\"y\":15,\"w\":20,\"h\":31,\"i\":\"5f043fd6-3bfb-4203-b069-76557d93a035\"},\"panelIndex\":\"5f043fd6-3bfb-4203-b069-76557d93a035\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":18,\"i\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\"},\"panelIndex\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":18,\"i\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\"},\"panelIndex\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.8.0\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":31,\"i\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\"},\"panelIndex\":\"fcff266b-64f1-48fa-ade1-3
e7ef4399fa1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "AWDGyaGxxQT5EBNmq3K9" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "a9a46620-832b-11ee-a28c-7361f03cd201" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "ddf69060-832b-11ee-a28c-7361f03cd201" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "77bd1870-46ce-11ea-91c3-61991161aaaf" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "767e3d90-afce-11ea-993f-b7d8522a8bed" + }, + { + "name": "panel_8", + "type": "search", + "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:25.240Z", + "version": "Wzg1OSwxXQ==", + "attributes": { + "title": "Network Logs", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and 
Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● 
[SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": 
"c9bbbcc0-afca-11ea-993f-b7d8522a8bed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:00.972Z", + "version": "WzU5MywxXQ==", + "attributes": { + "title": "Filter by Application Protocol", + "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + } + }, + "references": [ + { + "name": "control_0_index_pattern", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:00.972Z", + "version": "WzU5NCwxXQ==", + "attributes": { + "title": "Total Log Count Over Time by Application Protocol", + "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" 
\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c97bc964-5319-41e7-ad22-db28156a2ac1" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "AWDGyaGxxQT5EBNmq3K9", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:00.972Z", + "version": "WzU5NSwxXQ==", + "attributes": { + "title": "Total Number of Logs", + "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Logs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.provider\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Data Source\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"colorSchema\":\"Green to Red\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"},\"metricColorMode\":\"None\"}}}", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "a9a46620-832b-11ee-a28c-7361f03cd201", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T20:23:24.802Z", + "version": "Wzk1OSwxXQ==", + "attributes": { + "title": "Top Actions by Service", + "visState": "{\"title\":\"Top Actions by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n // thanks to:\\n // - https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: firstPacket\\n index: arkime_sessions3-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"event.action\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"network.protocol\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -> stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a value is selected, filter out unrelated data\\n {\\n type: 
filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The values stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", 
expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate percentage for this value using \\\"y\\\" scale\\n // domain upper bound, which represents the total\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all values\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Action\\\", \\\"Protocol\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing contributors\\n // from just one value, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector && groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all data, and hovering over a value,\\n // highlight the contributors for that value\\n strokeOpacity: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a value is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 
0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight data to/from the same value\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected value\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.action\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND event.action:*\",\"language\":\"kuery\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "ddf69060-832b-11ee-a28c-7361f03cd201", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T20:24:52.582Z", + "version": "Wzk2MCwxXQ==", + "attributes": { + "title": "Top Results by Service", + "visState": "{\"title\":\"Top Results by Service\",\"type\":\"vega\",\"aggs\":[],\"params\":{\"spec\":\"{\\n // thanks to:\\n // - 
https://www.elastic.co/blog/sankey-visualization-with-vega-in-kibana\\n // - https://blog.davidvassallo.me/2023/09/08/adding-opensearch-dashboards-kibana-filters-to-vega-visuals/\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: firstPacket\\n index: arkime_sessions3-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"network.protocol\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"event.result\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -> stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a value is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The values stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate percentage for this value using \\\"y\\\" scale\\n // domain upper bound, which represents the total\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", 
expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all values\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Protocol\\\", 
\\\"Result\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"right\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing contributors\\n // from just one value, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector && groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all data, and hovering over a value,\\n // highlight the contributors for that value\\n strokeOpacity: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector && (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 
1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. 
Shown only when a value is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight data to/from the same value\\n name: groupHover\\n value: {}\\n 
on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' && datum.grpId, stk2:datum.stack=='stk2' && datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected value\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"datum.stack=='stk1' ? opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"network.protocol\\\\\\\": datum.grpId } }, 'arkime_sessions3-*') : opensearchDashboardsAddFilter({\\\\\\\"match_phrase\\\\\\\": { \\\\\\\"event.result\\\\\\\": datum.grpId } }, 'arkime_sessions3-*')\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:* AND event.result:*\",\"language\":\"kuery\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "77bd1870-46ce-11ea-91c3-61991161aaaf", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:00.972Z", + "version": "WzU5NywxXQ==", + "attributes": { + "title": "Actions", + "visState": 
"{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + 
"migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "767e3d90-afce-11ea-993f-b7d8522a8bed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:00.972Z", + "version": "WzU5OCwxXQ==", + "attributes": { + "title": "Results", + "visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "c97bc964-5319-41e7-ad22-db28156a2ac1", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-14T19:19:25.240Z", + "version": "Wzg3MiwxXQ==", + "attributes": { + "title": "All Logs", + "description": "", + "hits": 0, + "columns": [ + "event.provider", + "event.dataset", + "network.protocol", + "event.action", + "event.result", + "source.ip", + "destination.ip", + "destination.port", + "event.id" + ], + "sort": [ + [ + "firstPacket", + "desc" + ] + ], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + } + ] } \ No newline at end of file diff --git a/dashboards/opensearch_dashboards.yml b/dashboards/opensearch_dashboards.yml index d562229fe..67d9f4f65 100644 --- a/dashboards/opensearch_dashboards.yml +++ b/dashboards/opensearch_dashboards.yml 
@@ -16,6 +16,22 @@ data_source.enabled: false opensearchDashboards.branding: applicationTitle: "Malcolm Dashboards" + useExpandedHeader: false + # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way + # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the + # internal opensearch code validating them AND the web browser retrieving them. So we're going scorched earth instead + # by just overwriting the originals in our Dockerconfig. + # + # logo: + # defaultUrl: "http://dashboards:5601/dashboards/ui/assets/Malcolm.svg" + # darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/malcolm_logo.svg" + # mark: + # defaultUrl: "http://dashboards:5601/dashboards/ui/assets/icon.png" + # darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/icon_dark.png" + # loadingLogo: + # defaultUrl: "http://dashboards:5601/dashboards/ui/assets/icon.png" + # darkModeUrl: "http://dashboards:5601/dashboards/ui/assets/icon_dark.png" + # faviconUrl: "http://dashboards:5601/dashboards/ui/assets/favicon.ico" map.regionmap: includeOpenSearchMapsService: false diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh index 0355d25b6..c839d0fd9 100755 --- a/dashboards/scripts/create-arkime-sessions-index.sh +++ b/dashboards/scripts/create-arkime-sessions-index.sh 
@@ -194,9 +194,18 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then echo "Importing $DATASTORE_TYPE Dashboards saved objects..." # install default dashboards - for i in /opt/dashboards/*.json; do + DASHBOARDS_IMPORT_DIR="$(mktemp -d -t dashboards-XXXXXX)" + cp /opt/dashboards/*.json "${DASHBOARDS_IMPORT_DIR}"/ + for i in "${DASHBOARDS_IMPORT_DIR}"/*.json; do + if [[ "$DATASTORE_TYPE" == "elasticsearch" ]]; then + # strip out Arkime and NetBox links from dashboards' navigation pane when doing Kibana import (idaholab/Malcolm#286) + sed -i 's/ \\\\n\[↪ NetBox\](\/netbox\/) \\\\n\[↪ Arkime\](\/sessions)//' "$i" + # take care of a few other substitutions + sed -i 's/opensearchDashboardsAddFilter/kibanaAddFilter/g' "$i" + fi curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/$DASHBOARDS_URI_PATH/dashboards/import?force=true" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "@$i" done + rm -rf "${DASHBOARDS_IMPORT_DIR}" # beats will no longer import its dashbaords into OpenSearch # (see opensearch-project/OpenSearch-Dashboards#656 and diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index 6a1870503..2ed2174ef 100644 --- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json 
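Review bot: The `rm -rf "${DASHBOARDS_IMPORT_DIR}"` after the loop only runs on the success path, so if one of the `curl` or `sed -i` calls fails under `set -e` (not visible in this hunk) or the script is interrupted, the copied saved-object JSON is left behind in the temp directory; registering the cleanup right after `mktemp` with `trap 'rm -rf "${DASHBOARDS_IMPORT_DIR}"' EXIT` covers every exit path (assuming no other EXIT trap is already set). A failed `mktemp` also leaves the variable empty, and `"${DASHBOARDS_IMPORT_DIR}"/` then expands to `/`, so the `cp` would scatter the JSON into the filesystem root and the loop would `sed -i` and import `/*.json`; guard the copy and loop with `[[ -d "${DASHBOARDS_IMPORT_DIR}" ]]` or append `|| exit 1` to the assignment. The surrounding `if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]]` block begins and ends outside the hunk.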
@@ -201,12 +201,19 @@
 "zeek.modbus.network_direction": { "type": "keyword" },
 "zeek.modbus.trans_id": { "type": "integer" },
 "zeek.modbus.unit_id": { "type": "integer" },
+ "zeek.modbus.mei_type": { "type": "keyword" },
 "zeek.modbus_detailed.address": { "type": "integer" },
 "zeek.modbus_detailed.quantity": { "type": "integer" },
 "zeek.modbus_detailed.values": { "type": "keyword" },
 "zeek.modbus_mask_write_register.address": { "type": "integer" },
 "zeek.modbus_mask_write_register.and_mask": { "type": "integer" },
 "zeek.modbus_mask_write_register.or_mask": { "type": "integer" },
+ "zeek.modbus_read_device_identification.conformity_level_code": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.conformity_level": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.device_id_code": { "type": "long" },
+ "zeek.modbus_read_device_identification.object_id_code": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.object_id": { "type": "keyword" },
+ "zeek.modbus_read_device_identification.object_value": { "type": "keyword" },
 "zeek.modbus_read_write_multiple_registers.read_quantity": { "type": "integer" },
 "zeek.modbus_read_write_multiple_registers.read_registers": { "type": "keyword" },
 "zeek.modbus_read_write_multiple_registers.read_start_address": { "type": "integer" },
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 87aa7e02b..1963a0f74 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -2,14 +2,23 @@ version: '3.7' +x-logging: + &default-logging + driver: local + options: + max-size: 200m + max-file: 2 + compress: "false" + services: opensearch: - image: ghcr.io/idaholab/malcolm/opensearch:23.10.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.12.0 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to # satisfy some other containers' depends_on. profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -42,8 +51,9 @@ services: retries: 3 start_period: 180s dashboards-helper: - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.10.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -71,8 +81,9 @@ services: retries: 3 start_period: 30s dashboards: - image: ghcr.io/idaholab/malcolm/dashboards:23.10.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -98,8 +109,9 @@ services: retries: 3 start_period: 210s logstash: - image: ghcr.io/idaholab/malcolm/logstash-oss:23.10.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -141,8 +153,9 @@ services: retries: 3 start_period: 600s filebeat: - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.10.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true 
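Review bot: The new `x-logging` anchor caps every container's stdout/stderr at two 200m files with `compress: "false"`, but nothing records why compression is switched off (the `local` driver's documented default is to compress rotated files) or that roughly 400 MB per service is all that `docker logs` will retain for after-the-fact triage. A one-line comment above `&default-logging` would stop the next editor from "fixing" it, e.g. `# keep ~400 MB of uncompressed stdout/stderr per container; compression is off so the rotated file stays readable in place` — adjust the stated reason to the real one. The same anchor is attached via `logging: *default-logging` in each following service hunk, so one comment at the definition is enough. The `services:` block continues outside the hunk.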
@@ -175,9 +188,9 @@ services: retries: 3 start_period: 60s arkime: - image: ghcr.io/idaholab/malcolm/arkime:23.10.0 - # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?) + image: ghcr.io/idaholab/malcolm/arkime:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -215,8 +228,9 @@ services: retries: 3 start_period: 210s zeek: - image: ghcr.io/idaholab/malcolm/zeek:23.10.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -247,6 +261,7 @@ services: - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro healthcheck: test: ["CMD", "supervisorctl", "status", "pcap-zeek"] interval: 30s @@ -254,8 +269,9 @@ services: retries: 3 start_period: 60s zeek-live: - image: ghcr.io/idaholab/malcolm/zeek:23.10.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -282,9 +298,11 @@ services: - ./zeek-logs/live:/zeek/live - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro suricata: - image: ghcr.io/idaholab/malcolm/suricata:23.10.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -311,6 +329,7 @@ services: - ./suricata-logs:/var/log/suricata - ./pcap:/data/pcap - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro healthcheck: test: ["CMD", "supervisorctl", "status", "pcap-suricata"] interval: 30s 
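Review bot: The new `./zeek/custom` and `./suricata/include-configs` bind mounts are correctly read-only inside the container, but the compose file says nothing about the other side of that boundary: the documentation added in this same diff describes those host directories as the place Zeek scripts and additional Suricata configuration files are picked up from, so write access to them on the host is equivalent to deciding what the sensors run. A comment on each new volume line would make that explicit, e.g. `# host-managed analyzer customizations: keep host write access limited to operators`. If the two directories are not shipped in the repository (I cannot see that from here), Docker creates a missing bind-mount source as a root-owned directory on first start, which would get in the way of the documented drop-in workflow; a placeholder file in each directory avoids that. The same mounts are added to `docker-compose.yml` in the later hunks.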
@@ -318,8 +337,9 @@ services: retries: 3 start_period: 120s suricata-live: - image: ghcr.io/idaholab/malcolm/suricata:23.10.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -344,9 +364,11 @@ services: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro file-monitor: - image: ghcr.io/idaholab/malcolm/file-monitor:23.10.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -372,8 +394,9 @@ services: retries: 3 start_period: 60s pcap-capture: - image: ghcr.io/idaholab/malcolm/pcap-capture:23.10.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -395,8 +418,9 @@ services: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap pcap-monitor: - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.10.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -422,8 +446,9 @@ services: retries: 3 start_period: 90s upload: - image: ghcr.io/idaholab/malcolm/file-upload:23.10.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -448,8 +473,9 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:23.10.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true 
@@ -474,8 +500,9 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:23.10.0 + image: ghcr.io/idaholab/malcolm/freq:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -497,8 +524,9 @@ services: retries: 3 start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:23.10.0 + image: ghcr.io/idaholab/malcolm/netbox:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -530,8 +558,9 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:23.10.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -555,8 +584,9 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:23.10.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -584,8 +614,9 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:23.10.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -612,8 +643,9 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:23.10.0 + image: ghcr.io/idaholab/malcolm/api:23.12.0 profiles: ["malcolm"] + logging: *default-logging command: gunicorn --bind 0:5000 manage:app restart: "no" stdin_open: false @@ -638,8 +670,9 @@ services: retries: 3 start_period: 60s nginx-proxy: - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.10.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true diff --git a/docker-compose.yml b/docker-compose.yml index cdfa5f761..85958b908 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml @@ -2,17 +2,26 @@ version: '3.7' +x-logging: + &default-logging + driver: local + options: + max-size: 200m + max-file: 2 + compress: "false" + services: opensearch: build: context: . dockerfile: Dockerfiles/opensearch.Dockerfile - image: ghcr.io/idaholab/malcolm/opensearch:23.10.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.12.0 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to # satisfy some other containers' depends_on. profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -48,8 +57,9 @@ services: build: context: . dockerfile: Dockerfiles/dashboards-helper.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.10.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -80,8 +90,9 @@ services: build: context: . dockerfile: Dockerfiles/dashboards.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards:23.10.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -110,8 +121,9 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: ghcr.io/idaholab/malcolm/logstash-oss:23.10.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -160,8 +172,9 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.10.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true 
@@ -197,9 +210,9 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: ghcr.io/idaholab/malcolm/arkime:23.10.0 - # todo: viewer/wise in hedgehog profile (and what about nginx reaching back?) + image: ghcr.io/idaholab/malcolm/arkime:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -243,8 +256,9 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.10.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -276,6 +290,7 @@ services: - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro healthcheck: test: ["CMD", "supervisorctl", "status", "pcap-zeek"] interval: 30s @@ -286,8 +301,9 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.10.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -315,12 +331,14 @@ services: - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro suricata: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.10.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true 
@@ -347,6 +365,7 @@ services: - ./suricata-logs:/var/log/suricata - ./pcap:/data/pcap - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro healthcheck: test: ["CMD", "supervisorctl", "status", "pcap-suricata"] interval: 30s @@ -357,8 +376,9 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.10.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -383,12 +403,14 @@ services: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro file-monitor: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/file-monitor:23.10.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -417,8 +439,9 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-capture:23.10.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -443,8 +466,9 @@ services: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.10.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0 profiles: ["malcolm", "hedgehog"] + logging: *default-logging restart: "no" stdin_open: false tty: true @@ -473,8 +497,9 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: ghcr.io/idaholab/malcolm/file-upload:23.10.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true 
@@ -499,8 +524,9 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:23.10.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -528,8 +554,9 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:23.10.0 + image: ghcr.io/idaholab/malcolm/freq:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/freq.Dockerfile @@ -554,8 +581,9 @@ services: retries: 3 start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:23.10.0 + image: ghcr.io/idaholab/malcolm/netbox:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/netbox.Dockerfile @@ -590,8 +618,9 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:23.10.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/postgresql.Dockerfile @@ -618,8 +647,9 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:23.10.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/redis.Dockerfile @@ -650,8 +680,9 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:23.10.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/redis.Dockerfile @@ -681,8 +712,9 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:23.10.0 + image: ghcr.io/idaholab/malcolm/api:23.12.0 profiles: ["malcolm"] + logging: *default-logging build: context: . dockerfile: Dockerfiles/api.Dockerfile 
@@ -713,8 +745,9 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.10.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0 profiles: ["malcolm"] + logging: *default-logging restart: "no" stdin_open: false tty: true diff --git a/docs/README.md b/docs/README.md index d3aa19fd2..a1f428dc0 100644 --- a/docs/README.md +++ b/docs/README.md @@ -13,6 +13,7 @@ This enriched data is stored in an [OpenSearch](https://opensearch.org/) documen Malcolm can also easily be deployed locally on an ordinary consumer workstation or laptop for smaller networks, use at home, or in the field incident response engagements. Malcolm can process local artifacts such as locally generated Zeek logs, locally captured PCAP files, and PCAP files collected offline without the use of a dedicated sensor appliance. + * [Quick start](quickstart.md#QuickStart) - [Getting Malcolm](quickstart.md#GetMalcolm) - [User interface](quickstart.md#UserInterfaceURLs) @@ -72,6 +73,11 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation * [Screenshots](dashboards.md#NewVisualizationsGallery) * [Search Queries in Arkime and OpenSearch Dashboards](queries-cheat-sheet.md#SearchCheatSheet) * Other Malcolm features + - [Custom Rules and Scripts](custom-rules.md#CustomRulesAndScripts) + + [Suricata](custom-rules.md#Suricata) + + [Zeek](custom-rules.md#Zeek) + + [YARA](custom-rules.md#YARA) + + [Other Customizations](custom-rules.md#Other) - [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) - [OpenSearch index management](index-management.md#IndexManagement) - [Event severity scoring](severity.md#Severity) diff --git a/docs/asset-interaction-analysis.md b/docs/asset-interaction-analysis.md index dced1e2ce..c3e0fc678 100644 --- a/docs/asset-interaction-analysis.md +++ b/docs/asset-interaction-analysis.md 
@@ -31,11 +31,11 @@ As Zeek logs and Suricata alerts are parsed and enriched (if the `LOGSTASH_NETBO - `destination.device.site` (`/dcim/sites/`) - `destination.device.url` (`/dcim/devices/`) - `destination.device.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars)) - - `destination.segment.id` (`/ipam/vrfs/{id}`) - - `destination.segment.name` (`/ipam/vrfs/`) + - `destination.segment.id` (`/ipam/prefixes/{id}`) + - `destination.segment.name` (`/ipam/prefixes/{description}`) - `destination.segment.site` (`/dcim/sites/`) - `destination.segment.tenant` (`/tenancy/tenants/`) - - `destination.segment.url` (`/ipam/vrfs/`) + - `destination.segment.url` (`/ipam/prefixes/`) - `destination.segment.details` (full JSON object, [only with `LOGSTASH_NETBOX_ENRICHMENT_VERBOSE: 'true'`](malcolm-config.md#MalcolmConfigEnvVars)) * `source.…` same as `destination.…` * collected as `related` fields (the [same approach](https://www.elastic.co/guide/en/ecs/current/ecs-related.html) used in ECS) @@ -78,7 +78,6 @@ The [Populating Data](https://docs.netbox.dev/en/stable/getting-started/populati The following elements of the NetBox data model are used by Malcolm for Asset Interaction Analysis. * Network segments - - [Virtual Routing and Forwarding (VRF)](https://docs.netbox.dev/en/stable/models/ipam/vrf/) - [Prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/) * Network Hosts - [Devices](https://docs.netbox.dev/en/stable/models/dcim/device/) 
@@ -99,7 +98,7 @@ However, careful consideration should be made before enabling this feature: the Devices created using this autopopulate method will have their `status` field set to `staged`. It is recommended that users periodically review automatically-created devices for correctness and to fill in known details that couldn't be determined from network traffic. For example, the `manufacturer` field for automatically-created devices will be set based on the organizational unique identifier (OUI) determined from the first three bytes of the observed MAC address, which may not be accurate if the device's traffic was observed across a router. If possible, observed hostnames will be used in the naming of the automatically-created devices, falling back to the device manufacturer otherwise (e.g., `MYHOSTNAME @ 10.10.0.123` vs. `Schweitzer Engineering @ 10.10.0.123`). -Since device autocreation is based on IP address, information about network segments (including [virtual routing and forwarding (VRF)](https://docs.netbox.dev/en/stable/models/ipam/vrf/) and [prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/)) must be first [manually specified](#NetBoxPopManual) in NetBox in order for devices to be automatically populated. +Since device autocreation is based on IP address, information about network segments (IP [prefixes](https://docs.netbox.dev/en/stable/models/ipam/prefix/)) must be first [manually specified](#NetBoxPopManual) in NetBox in order for devices to be automatically populated. Users should populate the `description` field in the NetBox IPAM Prefixes data model to specify a name to be used for NetBox network segment autopopulation and enrichment, otherwise the IP prefix itself will be used. Although network devices can be automatically created using this method, [services](https://demo.netbox.dev/static/docs/core-functionality/services/#service-templates) should inventoried manually. 
The **Uninventoried Observed Services** visualization in the [**Zeek Known Summary** dashboard](dashboards.md#DashboardsVisualizations) can help users review network services to be created in NetBox. 
@@ -128,11 +127,13 @@ $ ./scripts/netbox-backup NetBox configuration database saved to ('malcolm_netbox_backup_20230110-133855.gz', 'malcolm_netbox_backup_20230110-133855.media.tar.gz') ``` -To clear the existing NetBox database and restore a previous backup, run the following command (substituting the filename of the `netbox_….gz` you wish to restore) from within the Malcolm installation directory while Malcolm is running: +To clear the existing NetBox database and restore a previous backup, run the following command (substituting the filename of the `netbox_….gz` to be restored) from within the Malcolm installation directory while Malcolm is running: ``` ./scripts/netbox-restore --netbox-restore ./malcolm_netbox_backup_20230110-125756.gz ``` -Note that some of the data in the NetBox database is cryptographically signed with the value of the `SECRET_KEY` environment variable in the `./netbox/env/netbox-secret.env` environment file. A restored NetBox backup **will not work** if this value is different from when it was created. +Users with a prior NetBox database backup (created with `netbox-backup` as described above) that they wish to be automatically restored on startup, that `.gz` file may be manually copied to the [`./netbox/preload`](#NetBoxPreload) directory. Upon startup that file will be extracted and used to populate the NetBox database, taking priority over the other preload files. This process does not remove the `.gz` file from the directory upon restoring it; it will be restored again on subsequent restarts unless manually removed. + +Note that [network log enrichment](#NetBoxEnrichment) will fail while a restore is in progress (indicated with `HTTP/1.1 403` messages in the output of the `netbox` container in the Malcolm debug logs), but should resume once the restore process has completed. diff --git a/docs/authsetup.md b/docs/authsetup.md index 4fb27eba8..49b707643 100644 --- a/docs/authsetup.md +++ b/docs/authsetup.md 
@@ -71,7 +71,7 @@ The contents of `nginx_ldap.conf` will vary depending on how the LDAP server is * **`group_attribute_is_dn`** - whether or not to search for the user's full distinguished name as the value in the group's member attribute * **`require`** and **`satisfy`** - `require user`, `require group` and `require valid_user` can be used in conjunction with `satisfy any` or `satisfy all` to limit the users that are allowed to access the Malcolm instance -Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs` (or `docker-compose logs nginx`) and examining the output of the `nginx` container. +Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics of your LDAP server and directory tree structure. Using a LDAP search tool such as [`ldapsearch`](https://www.openldap.org/software/man.cgi?query=ldapsearch) in Linux or [`dsquery`](https://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx) in Windows may be of help as you formulate the configuration. Your changes should be made within the curly braces of the `ldap_server ad_server { … }` section. You can troubleshoot configuration file syntax errors and LDAP connection or credentials issues by running `./scripts/logs` (or `docker compose logs nginx`) and examining the output of the `nginx` container. 
The **Malcolm User Management** page described above is not available when using LDAP authentication. @@ -119,7 +119,7 @@ options: -v [DEBUG], --verbose [DEBUG] Verbose output -f , --file - docker-compose or kubeconfig YML file + Docker compose or kubeconfig YML file -e , --environment-dir Directory containing Malcolm's .env files diff --git a/docs/components.md b/docs/components.md index df2895402..5a2b52538 100644 --- a/docs/components.md +++ b/docs/components.md @@ -25,6 +25,7 @@ Malcolm leverages the following excellent open source tools, among others. * [Mark Baggett](https://github.com/MarkBaggett)'s [freq](https://github.com/MarkBaggett/freq) - a tool for calculating entropy of strings * [Florian Roth](https://github.com/Neo23x0)'s [Signature-Base](https://github.com/Neo23x0/signature-base) Yara ruleset * [Bart Blaze](https://github.com/bartblaze)'s [Yara ruleset](https://github.com/bartblaze/Yara-rules) +* [ReversingLabs'](https://github.com/reversinglabs) [Yara ruleset](https://github.com/reversinglabs/reversinglabs-yara-rules) * These Zeek plugins: * some of Amazon.com, Inc.'s [ICS protocol](https://github.com/amzn?q=zeek) analyzers * Andrew Klaus's [Sniffpass](https://github.com/cybera/zeek-sniffpass) plugin for detecting cleartext passwords in HTTP POST requests diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md index 5cb37c561..dd0f36701 100644 --- a/docs/contributing-dashboards.md +++ b/docs/contributing-dashboards.md @@ -10,7 +10,7 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa 1. Export the dashboard with that ID and save it in the `./dashboards./dashboards/` directory with the following command: ``` export DASHID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx && \ - docker-compose exec dashboards curl -XGET \ + docker compose exec dashboards curl -XGET \ "http://localhost:5601/dashboards/api/opensearch-dashboards/dashboards/export?dashboard=$DASHID" > \ ./dashboards/dashboards/$DASHID.json ``` 
@@ -37,5 +37,3 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa ## OpenSearch Dashboards plugins The [dashboards.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/dashboards.Dockerfile) installs the OpenSearch Dashboards plugins used by Malcolm (search for `opensearch-dashboards-plugin install` in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `dashboards` Docker image. - -Third-party or community plugins developed for Kibana will not install into OpenSearch dashboards without source code modification. Depending on the plugin, this could range from very smiple to very complex. As an illustrative example, the changes required to port the Sankey diagram visualization plugin from Kibana to OpenSearch Dashboards compatibility can be [viewed on GitHub](https://github.com/mmguero-dev/osd_sankey_vis/compare/edacf6b...main). diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md index 47b984eeb..0b3cb4cee 100644 --- a/docs/contributing-guide.md +++ b/docs/contributing-guide.md @@ -2,6 +2,8 @@ The purpose of this document is to provide some direction for those willing to modify Malcolm, whether for local customization or for contribution to the Malcolm project. +It is recommended before reviewing this guide to read the documentation on [custom rules and scripts](custom-rules.md#CustomRulesAndScripts), which outlines customizations that can be made to the behavior of Suricata, Zeek, and YARA. + * [Local modifications](contributing-local-modifications.md#LocalMods) + [Docker bind mounts](contributing-local-modifications.md#Bind) diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md index f449a9c11..53e32eddf 100644 --- a/docs/contributing-local-modifications.md +++ b/docs/contributing-local-modifications.md 
@@ -50,20 +50,24 @@ zeek: - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro zeek-live: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/live:/zeek/live - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel + - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro suricata: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./pcap:/data/pcap - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro suricata-live: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro + - ./suricata/include-configs:/opt/suricata/include-configs:ro file-monitor: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/extract_files:/zeek/extract_files diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index c4ce70767..d8f0edd61 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md 
@@ -1,6 +1,6 @@ # PCAP processors -When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.10.0 release]({{ site.github.repository_url }}/releases/tag/v23.10.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: +When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.12.0 release]({{ site.github.repository_url }}/releases/tag/v23.12.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: 1. 
Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory diff --git a/docs/custom-rules.md b/docs/custom-rules.md new file mode 100644 index 000000000..2a69b77f0 --- /dev/null +++ b/docs/custom-rules.md 
@@ -0,0 +1,84 @@ +# Custom Rules and Scripts + +* [Suricata](#Suricata) +* [Zeek](#Zeek) +* [YARA](#YARA) +* [Other Customizations](#Other) + +Much of Malcolm's behavior can be adjusted through [environment variable files](malcolm-config.md#MalcolmConfigEnvVars). However, some components allow further customization through the use of custom scripts, configuration files, and rules. + +## Suricata + +### Rules + +In addition to the [default Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and [Emerging Threads Open ruleset](https://rules.emergingthreats.net/open/), users may provide custom rules files for use by Suricata in Malcolm. + +Suricata rules files (with the `*.rules` extension) may be placed in the `./suricata/rules/` subdirectory in the Malcolm installation directory. These new rules files will be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) will be applied by either restarting Malcolm or when the [automatic rule update process](https://suricata-update.readthedocs.io/en/latest/) runs (if automatic rule updates are enabled). This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory: + +``` +docker compose exec supervisorctl suricata-live restart live-suricata +``` + +If the `SURICATA_CUSTOM_RULES_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Suricata rulesets and use only the user-defined rules. + +### Configuration + +Suricata uses the [YAML format for configuration](https://docs.suricata.io/en/latest/configuration/suricata-yaml.html), and the main `suricata.yaml` file is generated by Malcolm [dynamically at runtime]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py). 
+ +The contents of the `suricata.yaml` file can be adjusted via [environment variables](malcolm-config.md#MalcolmConfigEnvVars) found in [`suricata.env`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/suricata.env.example). + +For more control of the Suricata configuration, Suricata allows other configuration YAML files to be [included](https://docs.suricata.io/en/latest/configuration/includes.html), allowing the configuration to be broken into multiple files. + +Malcolm users may place additional Suricata configuration files (with the `.yaml` file extension) in the `./suricata/include-configs/` subdirectory in the Malcolm installation directory. When Malcolm creates the `suricata.yaml` file these additional files will be added at the end in an `include:` section. + +To apply new `.yaml` files immediately without restarting Malcolm's Suricata containers, users may run the following commands from the Malcolm installation directory: + +``` +docker compose exec suricata /usr/local/bin/docker_entrypoint.sh true +``` + +``` +docker compose exec suricata-live /usr/local/bin/docker_entrypoint.sh true +``` + +``` +docker compose exec suricata-live supervisorctl restart live-suricata +``` + +## Zeek + +Some aspects of Malcolm's instance of Zeek's [local site policy]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) can be adjusted via [environment variables](malcolm-config.md#MalcolmConfigEnvVars) found in [`zeek.env`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/zeek.env.example). + +For more control of Zeek's behavior, Malcolm's users may place Zeek files in the `./zeek/custom/` subdirectory in the Malcolm installation directory. 
The organization of this directory is left entirely up to the user: in other words, users placing files there will also need to create a `__load__.zeek` file there to [tell Zeek](https://docs.zeek.org/en/master/quickstart.html#telling-zeek-which-scripts-to-load) what to load from that directory. + +These new files should be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) they will take effect upon restarting Malcolm, or without restarting Malcolm by running the following command from the Malcolm installation directory: + +``` +docker compose exec supervisorctl zeek-live restart live-zeek +``` + +## YARA + +[Custom rules](https://yara.readthedocs.io/en/stable/writingrules.html) files for [YARA](https://github.com/VirusTotal/yara) (with either the `*.yara` or `*.yar` file extension) may be placed in the `./yara/rules/` subdirectory in the Malcolm installation directory. + +New rules files will take effect by either restarting Malcolm (specifically the `file-monitor` container) or when the automatic rule update runs (if automatic rule updates are enabled). This can also be done manually without restarting Malcolm by running the following commands from the Malcolm installation directory: + +``` +docker compose exec file-monitor /usr/local/bin/yara_rules_setup.sh +``` + +``` +docker compose exec file-monitor supervisorctl restart yara +``` + +If the `EXTRACTED_FILE_YARA_CUSTOM_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`. 
+ +## Other Customizations + +There are other areas of Malcolm that can be modified and customized to fit users' needs. Please see these other sections of the documentation for more information. + +* [Building your own visualizations and dashboards](dashboards.md#BuildDashboard) +* [Customizing event severity scoring](severity.md#SeverityConfig) +* [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) +* Populating the NetBox inventory [Manually](asset-interaction-analysis.md#NetBoxPopManual) or through [Preloading](asset-interaction-analysis.md#NetBoxPreload) +* [Modifying or Contributing to Malcolm](contributing-guide.md#Contributing) diff --git a/docs/development.md b/docs/development.md index 37da486d6..8207e3582 100644 --- a/docs/development.md +++ b/docs/development.md @@ -38,7 +38,7 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{ and the following files of special note: -* `docker-compose.yml` - the configuration file used by `docker-compose` to build, start, and stop an instance of the Malcolm appliance +* `docker-compose.yml` - the configuration file used by `docker compose` to build, start, and stop an instance of the Malcolm appliance * `docker-compose-standalone.yml` - similar to `docker-compose.yml`, only used for the ["packaged"](#Packager) installation of Malcolm ## Building from source diff --git a/docs/download.md b/docs/download.md index 933dc8fb7..1aca19bca 100644 --- a/docs/download.md +++ b/docs/download.md @@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [malcolm-23.10.0.iso](/iso/malcolm-23.10.0.iso) (5.4GiB) | [`021103f8d8a4ac8a4c467dd4dc18e59fbb57f1b57c3927de702ef465953b0cf0`](/iso/malcolm-23.10.0.iso.sha256.txt) | +| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.1GiB) | [`3e836d09cd79a4e3f54c6fc365b032385312ad885b8483a0df156b59175d4909`](/iso/malcolm-23.12.0.iso.sha256.txt) | ## Hedgehog Linux 
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [hedgehog-23.10.0.iso](/iso/hedgehog-23.10.0.iso) (2.6GiB) | [`65f3d15c102ab3b518965eb87fec8f4b61ee10e1aa366654576105265cb2a9c8`](/iso/hedgehog-23.10.0.iso.sha256.txt) | +| [hedgehog-23.12.0.iso](/iso/hedgehog-23.12.0.iso) (2.4GiB) | [`835160cc0d2e3608754736989088d912c17372c49764244742e0572af9295d4b`](/iso/hedgehog-23.12.0.iso.sha256.txt) | ## Warning diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index 466656a72..eb05c0ccb 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-23.10.0.iso" +Finished, created "/sensor-build/hedgehog-23.12.0.iso" … ``` diff --git a/docs/host-config-linux.md b/docs/host-config-linux.md index 7bea01eb6..57350c335 100644 --- a/docs/host-config-linux.md +++ b/docs/host-config-linux.md @@ -21,9 +21,9 @@ Docker starts automatically on DEB-based distributions. On RPM-based distributio You can test Docker by running `docker info`, or (assuming you have internet access), `docker run --rm hello-world`. -## Installing docker-compose +## Installing docker compose -Please follow [this link](https://docs.docker.com/compose/install/) on docker.com for instructions on installing `docker-compose`. +Please follow [this link](https://docs.docker.com/compose/install/) on docker.com for instructions on installing the Docker Compose plugin. ## Operating system configuration diff --git a/docs/host-config-macos.md b/docs/host-config-macos.md index 9ab66480e..200b7c485 100644 --- a/docs/host-config-macos.md +++ b/docs/host-config-macos.md 
@@ -14,27 +14,36 @@ $ brew install cask $ brew tap homebrew/cask-versions ``` -## Install docker-edge +## Install docker ``` -$ brew install --cask docker-edge +$ brew install --cask docker ``` This will install the latest version of `docker`. It can be upgraded later using `brew` as well: ``` -$ brew upgrade --cask --no-quarantine docker-edge +$ brew upgrade --cask --no-quarantine docker ``` You can now run Docker from the Applications folder. -## Install docker-compose +## Install docker compose ``` $ brew install docker-compose ``` -This will install the latest version of the `docker-compose` plugin. It can be upgraded later using `brew` as well: + +This will install the latest version of the Docker Compose plugin. It can be upgraded later using [`brew`] as well: + ``` $ brew upgrade --no-quarantine docker-compose ``` -You can now run `docker-compose` (at `/usr/local/opt/docker-compose/bin/docker-compose`) from the command-line + +The [brew formula for docker-compose notes](https://formulae.brew.sh/formula/docker-compose) has the following note about needing to symlink for Docker to find the compose plugin: + +``` +Compose is now a Docker plugin. For Docker to find this plugin, symlink it: + mkdir -p ~/.docker/cli-plugins + ln -sfn $HOMEBREW_PREFIX/opt/docker-compose/bin/docker-compose ~/.docker/cli-plugins/docker-compose +``` ## Configure docker daemon option diff --git a/docs/images/favicon/favicon144.png b/docs/images/favicon/favicon144.png new file mode 100644 index 000000000..e481f65eb Binary files /dev/null and b/docs/images/favicon/favicon144.png differ diff --git a/docs/images/favicon/favicon150.png b/docs/images/favicon/favicon150.png new file mode 100644 index 000000000..29eb9771e Binary files /dev/null and b/docs/images/favicon/favicon150.png differ diff --git a/docs/images/favicon/favicon192.png b/docs/images/favicon/favicon192.png new file mode 100644 index 000000000..921aaa86a Binary files /dev/null and b/docs/images/favicon/favicon192.png differ 
diff --git a/docs/images/favicon/favicon310.png b/docs/images/favicon/favicon310.png
new file mode 100644
index 000000000..d598696e0
Binary files /dev/null and b/docs/images/favicon/favicon310.png differ
diff --git a/docs/images/favicon/favicon512.png b/docs/images/favicon/favicon512.png
new file mode 100644
index 000000000..2f8c02ad4
Binary files /dev/null and b/docs/images/favicon/favicon512.png differ
diff --git a/docs/images/favicon/favicon70.png b/docs/images/favicon/favicon70.png
new file mode 100644
index 000000000..6d343b05d
Binary files /dev/null and b/docs/images/favicon/favicon70.png differ
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index 82b7ec983..da570cb96 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -219,7 +219,7 @@ Settings that likely need to be changed in the underlying host running Kubernete The steps to configure and tune Malcolm for a Kubernetes deployment are [very similar](malcolm-config.md#ConfigAndTuning) to those for a Docker-based deployment. Both methods use [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) for Malcolm's runtime configuration. -Malcolm's configuration and runtime scripts (e.g., `./scripts/configure`, `./scripts/auth_setup`, `./scripts/start`, etc.) are used for both Docker- and Kubernetes-based deployments. In order to indicate to these scripts that Kubernetes is being used rather than `docker-compose`, users can provide the script with the [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) used to communicate with the API server of the Kubernetes cluster (e.g., `./scripts/configure -f k3s.yaml` or `./scripts/start -f kubeconfig.yaml`, etc.). The scripts will detect whether the YAML file specified is a kubeconfig file or a Docker compose file and act accordingly. +Malcolm's configuration and runtime scripts (e.g., `./scripts/configure`, `./scripts/auth_setup`, `./scripts/start`, etc.) are used for both Docker- and Kubernetes-based deployments. In order to indicate to these scripts that Kubernetes is being used rather than `docker compose`, users can provide the script with the [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) used to communicate with the API server of the Kubernetes cluster (e.g., `./scripts/configure -f k3s.yaml` or `./scripts/start -f kubeconfig.yaml`, etc.). The scripts will detect whether the YAML file specified is a kubeconfig file or a Docker compose file and act accordingly. Run `./scripts/configure` and answer the questions to configure Malcolm. 
For an in-depth treatment of these configuration questions, see the **Configuration** section in **[End-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig)**. Users will need to run [`./scripts/auth_setup`](authsetup.md#AuthSetup) to configure authentication. 
@@ -272,28 +272,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.10.0 | -file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.10.0 | -zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.10.0 | -dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.10.0 | -upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.10.0 | -filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.10.0 | -zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.10.0 | -logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.10.0 | -netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.10.0 | -suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.10.0 | -dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.10.0 | 
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.10.0 | -suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.10.0 | -freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.10.0 | -arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.10.0 | -pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.10.0 | -pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.10.0 | -netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.10.0 | -htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.10.0 | -netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.10.0 | -nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.10.0 | -opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.10.0 | +api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.12.0 | +file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.0 | +zeek-live-deployment-64b69d4b6f-947vr | Running | 
10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.12.0 | +dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.12.0 | +upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.12.0 | +filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.12.0 | +zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.12.0 | +logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.12.0 | +netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.12.0 | +suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.12.0 | +dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.12.0 | +netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.12.0 | +suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.12.0 | +freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.12.0 | +arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.12.0 | +pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi 
| pcap-monitor-container:0 | pcap-monitor:23.12.0 | +pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.12.0 | +netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.12.0 | +htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.12.0 | +netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.12.0 | +nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.12.0 | +opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.12.0 | ``` The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes. @@ -379,6 +379,8 @@ Determine oldest indices by name (instead of creation time)? (Y / n): y Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y / N): y +Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.): 10% + Automatically analyze all PCAP files with Suricata? (Y / n): y Download updated Suricata signatures periodically? (y / N): y 
@@ -430,6 +432,8 @@ Should Malcolm automatically populate NetBox inventory based on observed network Specify default NetBox site name: Malcolm +Should Malcolm create "catch-all" prefixes for private IP address space? (y / N): n + Enable dark mode for OpenSearch Dashboards? (Y / n): y Malcolm has been installed to /home/user/Malcolm. See README.md for more information. 
@@ -553,28 +557,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.10.0 | -netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.10.0 | -dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.10.0 | -freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.10.0 | -pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.10.0 | -nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.10.0 | -htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.10.0 | -opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.10.0 | -zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.10.0 | -dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.10.0 | -arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.10.0 | -api-deployment-6f4686cf59-xt9md | 
Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.10.0 | -netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.10.0 | -pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.10.0 | -suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.10.0 | -suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.10.0 | -netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.10.0 | -zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.10.0 | -filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.10.0 | -file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.10.0 | -upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.10.0 | -logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.10.0 | +netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.12.0 | +netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.12.0 | +dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | 
ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.12.0 | +freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.12.0 | +pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.12.0 | +nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.12.0 | +htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.12.0 | +opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.12.0 | +zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.12.0 | +dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.12.0 | +arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.12.0 | +api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.12.0 | +netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.12.0 | +pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.12.0 | +suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.12.0 | +suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | 
suricata-live-container:0 | suricata:23.12.0 | +netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.12.0 | +zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.12.0 | +filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.12.0 | +file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.0 | +upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.12.0 | +logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.12.0 | ``` View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`): diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 1883172c2..fc2fe24c2 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -65,7 +65,7 @@ Although the configuration script automates many of the following configuration * **`suricata.env`**, **`suricata-live.env`** and **`suricata-offline.env`** - settings for [Suricata](https://suricata.io/) - `SURICATA_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Suricata, and the resulting logs will also be imported (default `false`) - `SURICATA_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Suricata logs (default `1`) - - `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only user-defined rules (`./suricata/rules/*.rules`). + - `SURICATA_CUSTOM_RULES_ONLY` – if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only [user-defined rules](custom-rules.md#Suricata) (`./suricata/rules/*.rules`). - `SURICATA_UPDATE_RULES` – if set to `true`, Suricata signatures will periodically be updated (default `false`) - `SURICATA_LIVE_CAPTURE` - if set to `true`, Suricata will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` - `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Suricata will see duplicate traffic 
@@ -86,7 +86,7 @@ Although the configuration script automates many of the following configuration - `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/` directory will be ignored on startup rather than scanned - `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) - `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`) - - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base) and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules` + - `EXTRACTED_FILE_YARA_CUSTOM_ONLY` – if set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only [user-defined rules](custom-rules.md#YARA) in `./yara/rules` - `VTOT_API2_KEY` – used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) to VirusTotal - `ZEEK_AUTO_ANALYZE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) - `ZEEK_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Malcolm for analyzing Zeek logs (default `1`) 
@@ -99,6 +99,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic ## Command-line arguments diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index 492d8fe1f..a537f9f65 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -179,6 +179,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices. - **Should Arkime delete PCAP files based on available storage?** - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion). + - **Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)** + - If [Arkime PCAP-deletion](https://arkime.com/faq#pcap-deletion) is enabled, Arkime will delete PCAP files when **free space** is lower than this value, specified as integer gigabytes (e.g., `500`) or a percentage (e.g., `10%`) * **Automatically analyze all PCAP files with Suricata?** - This option is used to enable [Suricata](https://suricata.io/) (an IDS and threat detection engine) to analyze PCAP files uploaded to Malcolm via its upload web interface. * **Download updated Suricata signatures periodically?** 
@@ -255,6 +257,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Answer **Y** to [populate the NetBox inventory](asset-interaction-analysis.md#NetBoxPopPassive) based on observed network traffic. Autopopulation is **not** recommended: [manual inventory population](asset-interaction-analysis.md#NetBoxPopManual) is the preferred method to create an accurate representation of the intended network design. * **Specify default NetBox site name** - NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/); this default site name will be used as a query parameter for these enrichment lookups. +* **Should Malcolm create "catch-all" prefixes for private IP address space?** + - Answer **Y** to automatically create "catch-all" NetBox prefixes for private IP address space (i.e., one each for `10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0/16`, respectively). This is not recommended for networks with more than one subnet. * **Should Malcolm capture live network traffic?** - Malcolm itself can perform [live analysis](live-analysis.md#LocalPCAP) of traffic it sees on another network interface (ideally not the same one used for its management). Answer **no** to this question in installations where Hedgehog Linux will be handling all network traffic capture. If users want Malcolm to observe and capture traffic instead of, or in addition to, a sensor running Hedgehog Linux, they should answer **yes** enable life traffic analysis using default settings, or select **customize** to proceed to answer the following related questions individually. - **Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?** diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md index a6db45fdd..309c48309 100644 --- a/docs/malcolm-iso.md +++ b/docs/malcolm-iso.md 
@@ -41,11 +41,11 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui ``` … -Finished, created "/malcolm-build/malcolm-iso/malcolm-23.10.0.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-23.12.0.iso" … ``` -By default, Malcolm's Docker images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker-compose pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this: +By default, Malcolm's Docker images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker compose --profile malcolm pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this: ``` $ ./malcolm-iso/build_via_vagrant.sh -f -d malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz 
@@ -83,6 +83,6 @@ Following these prompts, the installer will reboot and the Malcolm base operatin When the system boots for the first time, the Malcolm Docker images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup. -Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO does not include pre-packaged Malcolm images, or to retrieve the latest updates, run `docker-compose pull`. Finalize the configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig). +Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO does not include pre-packaged Malcolm images, or to retrieve the latest updates, run `docker compose --profile malcolm pull`. Finalize the configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig). Once Malcolm is configured, users can [start Malcolm](running.md#Starting) via the command line or by clicking the circular yellow Malcolm icon in the menu bar. \ No newline at end of file diff --git a/docs/malcolm-upgrade.md b/docs/malcolm-upgrade.md index db4bcda1b..284ad1359 100644 
--- a/docs/malcolm-upgrade.md +++ b/docs/malcolm-upgrade.md @@ -20,7 +20,7 @@ Here are the basic steps to perform an upgrade if Malcolm was checked with a `gi 1. pull changes from GitHub repository * `git pull --rebase` 1. pull new Docker images (this will take a while) - * `docker-compose pull` + * `docker compose --profile malcolm pull` 1. apply saved configuration change stashed earlier * `git stash pop` 1. if `Merge conflict` messages appear, resolve the [conflicts](https://git-scm.com/book/en/v2/Git-Branching-Basic-Branching-and-Merging#_basic_merge_conflicts) with a text editor @@ -51,7 +51,7 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r + using a file comparison tool (e.g., `diff`, `meld`, `Beyond Compare`, etc.), compare `docker-compose.yml` and the `docker-compare.yml` file backed up in Step 3, and manually migrate over any customizations in file + compare the contents of each `.env` file Malcolm's `./config/` directory with its corresponding `.env.example` file 1. pull the new docker images (this will take a while) - * `docker-compose pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker-compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm docker images is available + * `docker compose --profile malcolm pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm docker images is available 1. start Malcolm * `./scripts/start` 1. users may be prompted to [configure authentication](authsetup.md#AuthSetup) if there are new authentication-related files that need to be generated 
@@ -63,7 +63,7 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r Technically minded users may wish to follow the debug output provided by `./scripts/start` (use `./scripts/logs` to re-open the log stream after it's been closed), although there is a lot there and it may be hard to distinguish whether or not something is okay. -Running `docker-compose ps -a` should provide a good indication that all Malcolm's Docker containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not. +Running `docker compose ps -a` should provide a good indication that all Malcolm's Docker containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not. After upgrading following one of the previous outlines, give Malcolm several minutes to get started. Once things are up and running, open one of Malcolm's [web interfaces](quickstart.md#UserInterfaceURLs) to verify that things are working. diff --git a/docs/quickstart.md b/docs/quickstart.md index 73aebc4b1..0a6accdb5 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md 
@@ -26,9 +26,9 @@ You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's D ### Pull Malcolm's Docker images -Malcolm's Docker images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker-compose pull` like this: +Malcolm's Docker images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker compose --profile malcolm pull` like this: ``` -$ docker-compose pull +$ docker compose --profile malcolm pull Pulling api ... done Pulling arkime ... done Pulling dashboards ... done 
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.10.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.10.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.10.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.10.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.10.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.10.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.10.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.10.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.10.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.10.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.10.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.10.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.10.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.10.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.10.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.10.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.10.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.12.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.12.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.12.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.12.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.12.0 xxxxxxxxxxxx 
3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.12.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.12.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.12.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.12.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.12.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.12.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.12.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.12.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.12.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.12.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.12.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.12.0 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/running.md b/docs/running.md index 48b633446..832be809f 100644 --- a/docs/running.md +++ b/docs/running.md @@ -37,13 +37,13 @@ To temporarily set the Malcolm user interfaces into read-only configuration, run First, to configure [Nginx](https://nginx.org/) to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than `GET` and `POST`: ``` -docker-compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload" +docker compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload" ``` Second, to set the existing OpenSearch data store to read-only: ``` -docker-compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster +docker compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster ``` These commands must be re-run every time Malcolm is restarted. 
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index b7bddc17d..9278935e1 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -47,10 +47,10 @@ Enter user account: user Add another non-root user to the "docker" group?: n -"docker-compose version" failed, attempt to install docker-compose? (Y / n): y +"docker compose version" failed, attempt to install docker compose? (Y / n): y -Install docker-compose directly from docker github? (Y / n): y -Download and installation of docker-compose apparently succeeded +Install docker compose directly from docker github? (Y / n): y +Download and installation of docker compose apparently succeeded fs.file-max increases allowed maximum for file handles fs.file-max= appears to be missing from /etc/sysctl.conf, append it? (Y / n): y @@ -227,7 +227,7 @@ As an alternative to manually copying the files to the sensor, Malcolm can facil In this example, rather than [building Malcolm from scratch](development.md#Build), images may be pulled from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm): ``` -user@host:~/Malcolm$ docker-compose pull +user@host:~/Malcolm$ docker compose pull Pulling api ... done Pulling arkime ... done Pulling dashboards ... done 
@@ -250,25 +250,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.10.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.10.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.10.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.10.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.10.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.10.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.10.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.10.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.10.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.10.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.10.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.10.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.10.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.10.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.10.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.10.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.10.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.12.0 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.12.0 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.12.0 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.12.0 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.12.0 xxxxxxxxxxxx 3 days ago 259MB 
+ghcr.io/idaholab/malcolm/filebeat-oss 23.12.0 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.12.0 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.12.0 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.12.0 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.12.0 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.12.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.12.0 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.12.0 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.12.0 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.12.0 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.12.0 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.12.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/docs/zeek-intel.md b/docs/zeek-intel.md index 065b7e701..20cd52427 100644 --- a/docs/zeek-intel.md +++ b/docs/zeek-intel.md 
@@ -13,7 +13,7 @@ Note that Malcolm does not manage updates for these intelligence files. You shou Adding and deleting intelligence files under this directory will take effect upon [restarting Malcolm](running.md#StopAndRestart). Alternately, you can use the `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` environment variable containing a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) to specify the interval at which the intel files should be refreshed. This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory: ``` -docker-compose exec --user $(id -u) zeek /usr/local/bin/entrypoint.sh true +docker compose exec --user $(id -u) zeek /usr/local/bin/entrypoint.sh true ``` For a public example of Zeek intelligence files, see Critical Path Security's [repository](https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds), which aggregates data from various other threat feeds into Zeek's format. diff --git a/file-upload/site/index.html b/file-upload/site/index.html index fa4377939..a44a049d4 100644 --- a/file-upload/site/index.html +++ b/file-upload/site/index.html @@ -74,7 +74,6 @@

Network Traffic Artifact Upload

-