diff --git a/salt/common/tools/sbin/so-idh-restart b/salt/common/tools/sbin/so-idh-restart
new file mode 100644
index 000000000..ce6dd9843
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idh $1
diff --git a/salt/common/tools/sbin/so-idh-start b/salt/common/tools/sbin/so-idh-start
new file mode 100644
index 000000000..2f300ba01
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idh $1
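Review bot: The last line of so-idh-restart forwards `$1` unquoted, so an argument containing whitespace is split into several words before it reaches so-restart and a glob character in it is expanded against the current directory; the same line appears in so-idh-start in this diff and in so-idh-stop in the next file. `${1:+"$1"}` keeps the current no-argument behaviour when nothing is passed while forwarding a given argument as a single word: `/usr/sbin/so-restart idh ${1:+"$1"}` (and likewise for so-start and so-stop). A one-line usage comment above that call would also help, because what the optional argument means is only visible inside so-restart.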
diff --git a/salt/common/tools/sbin/so-idh-stop b/salt/common/tools/sbin/so-idh-stop
new file mode 100644
index 000000000..48e974be2
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idh $1
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index fb4298893..e29b1a583 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -273,6 +273,10 @@ filebeat.inputs:
 category: host
 tags: beat-ext
 processors:
+ - decode_json_fields:
+ fields: ["message"]
+ target: ""
+ add_error_key: true
 - rename:
 fields:
 - from: "audience"
@@ -297,6 +301,8 @@ filebeat.inputs:
 fields:
 module: opencanary
 dataset: idh
+ category: host
+ tags: beat-ext
 processors:
 - decode_json_fields:
 fields: ["message"]
@@ -325,6 +331,9 @@ filebeat.inputs:
 ignore_missing: true
 - drop_fields:
 fields: '["prospector", "input", "offset", "beat"]'
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
 {%- endif %}
 {%- if INPUTS %}
diff --git a/setup/so-whiptail b/setup/so-whiptail
index b6db2d9a7..c8d0faf5e 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
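Review bot: The decode_json_fields processor added in the first filebeat.yml hunk (line 273) decodes `message` straight into the event root (`target: ""`) and leaves `overwrite_keys` at its default, so the only thing preventing a JSON log line from replacing fields the input itself sets — the `category` and `tags` values visible just above the processor — is an unstated default. Writing `overwrite_keys: false` next to `add_error_key: true` makes that intent explicit and survives a later upgrade or copy-paste; `max_depth` can be pinned for the same reason. The processors list continues past the end of the hunk, so any later processor that re-keys the decoded fields is not visible here.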
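Review bot: `close_removed: false` and `clean_removed: false` in the third filebeat.yml hunk (line 331) change how the input treats a deleted or rotated log file — the harvester keeps its open descriptor and the registry keeps the entry — and nothing in the hunk records why; the YAML indentation is lost in this rendering, so which input they attach to cannot be confirmed here either. A comment such as `# keep following the honeypot log across deletion/rotation; the deleted file's blocks stay allocated until close_inactive expires` would capture the trade-off for the next reader. `fields_under_root: true` on the line above them also promotes the input's `fields:` entries to the event root, and if this is the opencanary input from the previous hunk that now includes a custom `tags: beat-ext` value, which may collide with the `tags` list Filebeat itself maintains — worth a note on whether that replacement is intended.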
@@ -752,7 +752,7 @@ whiptail_idh_services_custom() {
 "Git" " TCP/9418 " OFF \
 "HTTP" " TCP/80, Additional Configuration Available " OFF \
 "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \
- "MSSQL" " TCP/22 " OFF \
+ "MSSQL" " TCP/1433 " OFF \
 "MySQL" " TCP/3306, Additional Configuration Available " OFF \
 "NTP" " TCP/123 " OFF \
 "REDIS" " TCP/6379 " OFF \
@@ -760,7 +760,7 @@ whiptail_idh_services_custom() {
 "SSH" " TCP/22, Additional Configuration Available " OFF \
 "TELNET" " TCP/23, Additional Configuration Available " OFF \
 "TFTP" " TCP/69 " OFF \
- "VNC" " TCP/22 " OFF 3>&1 1>&2 2>&3 )
+ "VNC" " TCP/5000 " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
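Review bot: The VNC entry in the second hunk now reads `TCP/5000`, which appears to follow the honeypot's own VNC listener port rather than the 5900 a reader associates with VNC, and nothing in the menu text says this is deliberate — a later edit could "correct" it to 5900 just as the MSSQL label was corrected to 1433 in the first hunk. Since these strings are display-only menu labels, the fix is documentation: a comment on the line that opens this whiptail call (it starts before the hunk) such as `# port labels are informational; VNC shows 5000 because that is the honeypot's default listener, not the 5900 VNC convention`. whiptail_idh_services_custom itself begins outside the hunk, and the `)` on the VNC line closes a command substitution opened there.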