diff --git a/salt/common/init.sls b/salt/common/init.sls
index 0004bbc7e..3cd4dce19 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -117,13 +117,13 @@ nginxtmp: # Start the core docker so-coreimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.2 + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3 so-core: docker_container.running: - require: - so-coreimage - - image: docker.io/soshybridhunter/so-core:HH1.1.2 + - image: docker.io/soshybridhunter/so-core:HH1.1.3 - hostname: so-core - user: socore - binds:
diff --git a/salt/logstash/files/dynamic/9997_output_helix.conf b/salt/logstash/files/dynamic/9997_output_helix.conf
index 6168bfb07..320648de5 100644
--- a/salt/logstash/files/dynamic/9997_output_helix.conf
+++ b/salt/logstash/files/dynamic/9997_output_helix.conf
@@ -1,7 +1,7 @@ {% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} filter { - if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { + if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { grok { match => [ "source_ip", "^%{IPV4:srcipv4}$",
@@ -72,7 +72,8 @@ filter { if "bro_dhcp" in [class] { mutate{ #add_field = { "metaclass" => "dhcp"} - rename => { "ips" => "ip" } + rename => { "message_types" => "direction" } + rename => { "lease_time" => "duration" } } } if "bro_files" in [class] {
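Review bot: The extended test `if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/` anchors only the first and last alternatives, because `|` binds looser than `^` and `$`, so the five middle names match as a substring of any type value; group the alternation as `if [type] =~ /^(bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509)$/ {`. The `[event_type]` test in the new `output` block of the @@ -109 hunk has the same shape and needs the same grouping. In the @@ -72 hunk the bro_dhcp mutate now carries two separate `rename =>` settings; whether the config compiler merges repeated settings of one plugin or keeps only the last one depends on the Logstash version, so a single `rename => { "message_types" => "direction" "lease_time" => "duration" }` hash is the unambiguous form.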
@@ -109,25 +110,35 @@ filter { rename => { "request_body_len" => "sentbodybytes" } } } - } -} - -#output { -# if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { -# http { -# url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" -# http_method => post -# http_compression => true -# socket_timeout => 60 -# headers => ["Authorization","{{ HELIX_API_KEY }}"] -# format => json_batch -# } -# } -#} -output { - if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl$/ { - file { - path => "/var/log/logstash/output.json" + if "bro_weird" in [class] { + mutate{ + #add_field = { "metaclass" => "dns"} + rename => { "name" => "eventname" } + } + } + if "bro_x509" in [class] { + mutate{ + #add_field = { "metaclass" => "dns"} + rename => { "certificate_common_name" => "certname" } + rename => { "certificate_subject" => "certsubject" } + rename => { "issuer_common_name" => "issuer" } + reanme => { "certificate_issuer" => "issuersubject" } + rename => { "certificate_not_valid_before" => "issuetime" } + rename => { "certificate_key_type" => "cert_type" } + } + } + } +} + +output { + if [event_type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ { + http { + url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" + http_method => post + http_compression => true + socket_timeout => 60 + headers => ["Authorization","{{ HELIX_API_KEY }}"] + format => json_batch } } }
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index d4286f913..b5a06dfe4 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
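Review bot: `reanme => { "certificate_issuer" => "issuersubject" }` in the new bro_x509 mutate block misspells the setting; Logstash validates plugin settings when it compiles the pipeline and rejects an unknown setting for mutate, so the whole pipeline fails to start rather than just skipping that rename; change it to `rename => { "certificate_issuer" => "issuersubject" }`. The `#add_field = { "metaclass" => "dns"}` comment copied into both the bro_weird and bro_x509 blocks looks like a leftover from the dns block and should name weird/x509 or be dropped. On the output side, `HELIX_API_KEY` comes from `salt['pillar.get']('fireeye:helix:api_key', '')` with an empty default, so an unconfigured pillar still enables the http output and posts the Zeek logs to the external endpoint with an empty Authorization header; wrapping the `output { ... }` stanza in `{% if HELIX_API_KEY %} ... {% endif %}` keeps data from being sent when no credential is configured.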
@@ -71,13 +71,13 @@ if (whiptail_you_sure) ; then # Set management nic whiptail_management_nic - whiptail_create_socore_user - SCMATCH=no - while [ $SCMATCH != yes ]; do - whiptail_create_socore_user_password1 - whiptail_create_socore_user_password2 - check_socore_pass - done +# whiptail_create_socore_user +# SCMATCH=no +# while [ $SCMATCH != yes ]; do +# whiptail_create_socore_user_password1 +# whiptail_create_socore_user_password2 +# check_socore_pass +# done else
@@ -166,7 +166,10 @@ if (whiptail_you_sure) ; then get_filesystem_root get_filesystem_nsm get_main_ip - add_socore_user_master + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi + #add_socore_user_master # Install salt and dependencies { sleep 0.5
@@ -285,6 +288,15 @@ if (whiptail_you_sure) ; then fi fi + # Get a password for the socore user + whiptail_create_socore_user + SCMATCH=no + while [ $SCMATCH != yes ]; do + whiptail_create_socore_user_password1 + whiptail_create_socore_user_password2 + check_socore_pass + done + # Last Chance to back out whiptail_make_changes set_hostname
@@ -300,6 +312,9 @@ if (whiptail_you_sure) ; then # Figure out the main IP address get_main_ip + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi # Add the user so we can sit back and relax #echo ""
@@ -441,6 +456,9 @@ if (whiptail_you_sure) ; then mkdir -p /nsm get_filesystem_root get_filesystem_nsm + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi copy_ssh_key >> $SETUPLOG 2>&1 { sleep 0.5
@@ -525,6 +543,15 @@ if (whiptail_you_sure) ; then BROVERSION=ZEEK CURCLOSEDAYS=30 process_components + # Get a password for the socore user + whiptail_create_socore_user + SCMATCH=no + while [ $SCMATCH != yes ]; do + whiptail_create_socore_user_password1 + whiptail_create_socore_user_password2 + check_socore_pass + done + whiptail_make_changes set_hostname generate_passwords
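Review bot: The new guard `if [ $INSTALLMETHOD == iso ]; then` in the @@ -166 hunk leaves `$INSTALLMETHOD` unquoted, so if the variable is unset or empty the test collapses to `[ == iso ]`, `[` prints a "unary operator expected" error and evaluates false, and `disable_onion_user` is silently skipped, leaving the default account enabled; write it as `if [ "$INSTALLMETHOD" = "iso" ]; then` (`==` is also a bash-only extension of `[`). The same three lines are added verbatim in the @@ -300, @@ -441, @@ -535 and @@ -688 hunks, so either fix all five or fold the check into one helper called from each install path. This hunk also comments out `add_socore_user_master` while the @@ -285 hunk adds the socore password prompt to the same path; unless the user is created somewhere outside the visible hunks, that path now collects a password that nothing consumes. Commented-out code here and in the @@ -71 hunk is better deleted, since the history is in version control; the enclosing `if (whiptail_you_sure)` body starts and ends outside every hunk.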
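Review bot: The nine-line socore password loop added in the @@ -525 hunk repeats, line for line, the block added in the @@ -285 hunk; extracting it into a function such as `prompt_socore_password()` wrapping `whiptail_create_socore_user` through `done`, and calling it from both install paths, keeps the two copies from drifting. As written, `while [ $SCMATCH != yes ]; do` presumably relies on `check_socore_pass` setting `SCMATCH` to a non-empty value; quoting it as `while [ "$SCMATCH" != "yes" ]; do` keeps the loop well-formed if that assignment is ever empty. The enclosing `if (whiptail_you_sure)` body starts and ends outside the hunk.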
@@ -535,6 +562,9 @@ if (whiptail_you_sure) ; then get_filesystem_nsm get_log_size_limit get_main_ip + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi # Add the user so we can sit back and relax add_socore_user_master {
@@ -688,6 +718,9 @@ if (whiptail_you_sure) ; then mkdir -p /nsm get_filesystem_root get_filesystem_nsm + if [ $INSTALLMETHOD == iso ]; then + disable_onion_user + fi copy_ssh_key >> $SETUPLOG 2>&1 { sleep 0.5