diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 57f51fe9a..e354bcce4 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -202,7 +202,6 @@ case "${operation}" in
 createUser "$email"
 echo "Successfully added new user to SOC"
 check_container thehive && echo $password | so-thehive-user-add "$email"
- check_container cortex && echo $password | so-cortex-user-add "$email"
 check_container fleet && echo $password | so-fleet-user-add "$email"
 ;;
@@ -226,7 +225,6 @@ case "${operation}" in
 updateStatus "$email" 'active'
 echo "Successfully enabled user"
 check_container thehive && so-thehive-user-enable "$email" true
- check_container cortex && so-cortex-user-enable "$email" true
 check_container fleet && so-fleet-user-enable "$email" true
 ;;
@@ -237,7 +235,6 @@ case "${operation}" in
 updateStatus "$email" 'locked'
 echo "Successfully disabled user"
 check_container thehive && so-thehive-user-enable "$email" false
- check_container cortex && so-cortex-user-enable "$email" false
 check_container fleet && so-fleet-user-enable "$email" false
 ;;
@@ -248,7 +245,6 @@ case "${operation}" in
 deleteUser "$email"
 echo "Successfully deleted user"
 check_container thehive && so-thehive-user-enable "$email" false
- check_container cortex && so-cortex-user-enable "$email" false
 check_container fleet && so-fleet-user-enable "$email" false
 ;;
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 81efcb447..f3c103dc4 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
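Review bot: In the so-user branch that calls `createUser`, the surviving lines `echo $password | so-thehive-user-add "$email"` and the matching Fleet line expand the password unquoted, so a password containing runs of spaces or glob characters can be altered by word splitting and pathname expansion before it reaches the helper, and `echo` may treat a value such as `-n` as an option. The TheHive or Fleet account could then end up with a different password from the one stored in SOC. I would change both lines to the form `check_container thehive && printf '%s\n' "$password" | so-thehive-user-add "$email"`. The enclosing `case` branch starts outside the hunk, so how `$password` is read is not visible here.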
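Review bot: With `so-cortex-user-enable "$email" false` removed from the so-user branch that sets the status to `'locked'`, and from the `deleteUser` branch in the following hunk, locking or deleting a SOC user no longer disables a Cortex account that an earlier version of this script created for the same e-mail. If an upgraded deployment still runs the cortex container, such accounts would stay usable after the SOC user has been revoked. Nothing in this diff shows Cortex accounts being handled elsewhere, so this is worth confirming before merge. If they are not, either keep the two `false` calls or leave a comment at both places such as `# Cortex accounts are no longer synced here; revoke them separately`.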
@@ -145,7 +145,8 @@
 "actions": [
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
 { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
- { "name": "", "description": "actionVirtusTotalHelp", "icon": "fa-globe", "link": "https://www.virustotal.com/gui/ip-address/{value}/detection", "fields": [ "source.ip", "destination.ip" ] }
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
 ]
 }
 }
diff --git a/setup/so-whiptail b/setup/so-whiptail
index d760373af..ce8b22011 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -621,8 +621,7 @@ whiptail_nids() {
 [ -n "$TESTING" ] && return
 NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
- "Choose which IDS to run. \n
- Snort 3.0 support will be added once it is out of beta:" 25 75 4 \
+ "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \
 "Suricata" "Suricata" ON \
 "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 )
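Review bot: The two added actions in soc.json drop the `"fields": [ "source.ip", "destination.ip" ]` restriction that the removed VirusTotal entry carried, so the Google and VirusTotal links are presumably offered on every field and send whatever `{value}` holds (internal hostnames, user names, file paths) to an external service on one click. I would scope each action to the indicator types it is meant for, for example by keeping a `"fields"` list on the VirusTotal entry and extending it deliberately rather than removing it. It is also not visible here whether the client URL-encodes `{value}` before substitution; if it does not, a value containing `&` or `#` would change the query in `https://www.google.com/search?q={value}`. The Google entry has an empty `name` and an icon while the VirusTotal entry has a name and an empty `icon`, and the commit description should say which form is intended.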