diff --git a/salt/idh/defaults/git.defaults.yaml b/salt/idh/defaults/git.defaults.yaml
index e6946465a..d77c4aa1d 100644
--- a/salt/idh/defaults/git.defaults.yaml
+++ b/salt/idh/defaults/git.defaults.yaml
@@ -2,4 +2,4 @@ idh:
 opencanary:
 config:
 git.enabled: true
- git.port: 9418
\ No newline at end of file
+ git.port: 9418
\ No newline at end of file
diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml
index a685062c5..9e6268fc6 100644
--- a/salt/idh/defaults/http.defaults.yaml
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -1,10 +1,10 @@
 idh:
 opencanary:
 config:
- http.banner: Apache/2.2.22 (Ubuntu)
+ http.banner: Apache/2.2.34 (Ubuntu)
 http.enabled: true
 http.port: 80
- http.skin: nasLogin
+ http.skin: basicLogin
 http.skin.list:
 - desc: Plain HTML Login
 name: basicLogin
diff --git a/salt/idh/plays/idh_ftp.yml b/salt/idh/plays/idh_ftp.yml
index c7572e87a..4da18b204 100644
--- a/salt/idh/plays/idh_ftp.yml
+++ b/salt/idh/plays/idh_ftp.yml
@@ -3,11 +3,15 @@ id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
 status: experimental
 description: Detects when the FTP service on a SO IDH node has had a login attempt.
 author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
- product: idh
+ product: opencanary
 detection:
 selection:
- event.code:
+ logtype:
 - 2000
 condition: selection
 falsepositives:
diff --git a/salt/idh/plays/idh_git.yml b/salt/idh/plays/idh_git.yml
new file mode 100644
index 000000000..b972f6fdd
--- /dev/null
+++ b/salt/idh/plays/idh_git.yml
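Review bot: The selection in the idh_ftp.yml hunk now keys on the raw OpenCanary field `logtype` instead of `event.code`, so the play only fires if the ingest pipeline preserves `logtype` on the indexed document; if that field is renamed or normalised during ingest, the rule goes silent with no error to tell anyone. I would pin that assumption in the rule so a later pipeline change is caught, either as an extra `references` entry pointing at the pipeline/field mapping or as a YAML comment above `logtype:` such as `# raw OpenCanary field, not ECS event.code - verify against the idh ingest pipeline`. The same `event.code` to `logtype` switch is repeated in the httpproxy, ssh and tftp hunks, so whatever mapping is confirmed applies to all of them. The rest of idh_ftp.yml (`falsepositives` entries, `fields`, `level`) is outside this hunk.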
@@ -0,0 +1,21 @@
+title: SO IDH - Git Clone Request
+id: 7e48bfa0-8175-4c0f-8f5a-a8b9a005a4c3
+status: experimental
+description: Detects when the Git service on a SO IDH node has had a git clone request.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 16001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_http.yml b/salt/idh/plays/idh_http.yml
new file mode 100644
index 000000000..2dd9377b0
--- /dev/null
+++ b/salt/idh/plays/idh_http.yml
@@ -0,0 +1,22 @@
+title: SO IDH - HTTP Accessed
+id: 34300b04-3350-4f4b-bf8c-9bfbfdc9914f
+status: experimental
+description: Detects when the HTTP service on a SO IDH node has had a Get request (logtype 3000), or a login attempt (logtype 3001).
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 3000 #Get request
+ - 3001 #Login attempt
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_httpproxy.yml b/salt/idh/plays/idh_httpproxy.yml
index 9333be88c..a5af69304 100644
--- a/salt/idh/plays/idh_httpproxy.yml
+++ b/salt/idh/plays/idh_httpproxy.yml
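Review bot: In idh_http.yml, matching `logtype` 3000 (any GET) at `level: critical` while declaring `falsepositives: - None` is the weakest part of the rule: a single sweep by an authorised vulnerability or asset-inventory scanner that touches TCP/80 on the decoy raises a critical alert indistinguishable from an attacker's credential attempt on 3001. I would either split the GET case into its own lower-severity play and keep 3001 at critical, or at minimum record the known benign sources, e.g. `falsepositives:` / `  - Authorised vulnerability or asset scanners that sweep TCP/80`, so an analyst knows what to rule out first. Minor wording: `Get request` in the description should read `GET request` to match the HTTP method name.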
@@ -1,14 +1,18 @@
-title: SO IDH - HTTP Proxy Attempted Proxy
+title: SO IDH - HTTP Proxy Attempted Proxy Login
 id: 6722bba8-5713-4463-b3ab-8432224928c2
 status: experimental
-description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt.
+description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy login attempt.
 author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
- product: idh
+ product: opencanary
 detection:
 selection:
- event.code:
- - 2000
+ logtype:
+ - 7001
 condition: selection
 falsepositives:
 - None
diff --git a/salt/idh/plays/idh_mssql.yml b/salt/idh/plays/idh_mssql.yml
new file mode 100644
index 000000000..728d61b04
--- /dev/null
+++ b/salt/idh/plays/idh_mssql.yml
@@ -0,0 +1,22 @@
+title: SO IDH - MSSQL Attempted Login
+id: 3c36173e-9b56-4b03-b2d4-d420a9a7917f
+status: experimental
+description: Detects when the MS SQL service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 9001 #SQL Auth
+ - 9002 #Windows Auth
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_mysql.yml b/salt/idh/plays/idh_mysql.yml
new file mode 100644
index 000000000..085b2c293
--- /dev/null
+++ b/salt/idh/plays/idh_mysql.yml
@@ -0,0 +1,21 @@
+title: SO IDH - MySQL Attempted Login
+id: fd9bfee4-301c-40e2-8f4e-857088cb3969
+status: experimental
+description: Detects when the MySQL service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 8001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_ntp.yml b/salt/idh/plays/idh_ntp.yml
new file mode 100644
index 000000000..eb9b7d1f9
--- /dev/null
+++ b/salt/idh/plays/idh_ntp.yml
@@ -0,0 +1,21 @@
+title: SO IDH - NTP Service Request
+id: 883202b4-b974-4779-af98-8ecb0b90ba9e
+status: experimental
+description: Detects when the NTP service on a SO IDH node has had a NTP request sent to it.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 11001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_redis.yml b/salt/idh/plays/idh_redis.yml
new file mode 100644
index 000000000..2746c9514
--- /dev/null
+++ b/salt/idh/plays/idh_redis.yml
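Review bot: The idh_ntp.yml description says the play fires on any NTP request sent to the node, but as far as I recall OpenCanary's NTP module only emits a log type for the `monlist` control query, not for ordinary time-sync traffic, so 11001 would be far narrower than "NTP request" suggests; please confirm this against the pinned logger.py line in `references`. If that holds, the title and description should name the actual trigger, e.g. `description: Detects when the NTP service on a SO IDH node has received an NTP monlist request (logtype 11001).`, otherwise an analyst tuning the rule will expect noise that never arrives and may distrust it. The grammar nit `a NTP request` to `an NTP request` can go into the same edit.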
@@ -0,0 +1,21 @@
+title: SO IDH - Redis Accessed
+id: 61bd7f23-90c4-41b0-a70d-9991b863e3f7
+status: experimental
+description: Detects when the Redis service on a SO IDH node has had an action sent to it.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 17001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_sip.yml b/salt/idh/plays/idh_sip.yml
new file mode 100644
index 000000000..1d3c2ea6f
--- /dev/null
+++ b/salt/idh/plays/idh_sip.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SIP Request
+id: c2bd0439-2aac-416d-93f5-adad8aa1131b
+status: experimental
+description: Detects when the SIP service on a SO IDH node has had a SIP request sent to it.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 15001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_smb.yml b/salt/idh/plays/idh_smb.yml
new file mode 100644
index 000000000..5b9e8b8c6
--- /dev/null
+++ b/salt/idh/plays/idh_smb.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SMB Request
+id: 3ef55cde-1edd-414e-b1ba-499db822aef7
+status: experimental
+description: Detects when the SMB service on a SO IDH node has been accessed.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 5000
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_snmp.yml b/salt/idh/plays/idh_snmp.yml
new file mode 100644
index 000000000..4c61b110d
--- /dev/null
+++ b/salt/idh/plays/idh_snmp.yml
@@ -0,0 +1,21 @@
+title: SO IDH - SNMP OID Request
+id: 7be20101-6701-4bfb-a0cd-dbf830e46d85
+status: experimental
+description: Detects when the SNMP service on a SO IDH node has had an OID request sent to it.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 13001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_ssh.yml b/salt/idh/plays/idh_ssh.yml
index 8ed0c26b8..87f1af144 100644
--- a/salt/idh/plays/idh_ssh.yml
+++ b/salt/idh/plays/idh_ssh.yml
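Review bot: In idh_snmp.yml, `falsepositives: - None` is unlikely to hold for logtype 13001: SNMP is the one decoy service where benign broad polling is routine, since any network management or discovery tool that walks the subnet with SNMP GETs will hit the honeypot and raise a `level: critical` alert. I would document that expectation so the analyst checks the source against the monitoring inventory before escalating, e.g. `falsepositives:` / `  - Authorised NMS or discovery tools polling SNMP across the subnet`. The SMB play in the hunk above may have a similar, if weaker, exposure to backup or DLP agents that enumerate shares, but I have not confirmed what 5000 covers beyond "accessed".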
@@ -1,14 +1,18 @@
-title: SO IDH - SSH Login Attempt
+title: SO IDH - SSH Accessed
 id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
 status: experimental
-description: Detects when the SSH service on a SO IDH node has had a login attempt.
+description: Detects when the SSH service on a SO IDH node has had a new connection (logtype 4000) or login attempt (logtype 4002).
 author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
- product: idh
+ product: opencanary
 detection:
 selection:
- event.code:
- - 4000
+ logtype:
+ - 4000
 - 4001
 - 4002
 condition: selection
diff --git a/salt/idh/plays/idh_telnet.yml b/salt/idh/plays/idh_telnet.yml
new file mode 100644
index 000000000..c1f490c72
--- /dev/null
+++ b/salt/idh/plays/idh_telnet.yml
@@ -0,0 +1,21 @@
+title: SO IDH - Telnet Login Attempt
+id: 4f3314c2-41cd-4ace-bdcf-5564beb78def
+status: experimental
+description: Detects when the Telnet service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 6001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
diff --git a/salt/idh/plays/idh_tftp.yml b/salt/idh/plays/idh_tftp.yml
index 8e07a9d53..aa68d6c87 100644
--- a/salt/idh/plays/idh_tftp.yml
+++ b/salt/idh/plays/idh_tftp.yml
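Review bot: The new idh_ssh.yml description lists only logtypes 4000 and 4002, but the selection still matches 4001 as well (the unchanged context line `- 4001` directly under the re-added `- 4000`), so the rule fires on an event the description does not mention. Either drop 4001 from the selection if it is meant to be excluded, or extend the description to cover it; I believe 4001 is the client version-banner event in the referenced logger.py, but that should be confirmed against the pinned line before the wording is chosen. Something like `description: Detects when the SSH service on a SO IDH node has had a new connection (logtype 4000), a client version exchange (logtype 4001) or a login attempt (logtype 4002).` would keep the description and selection in step. The file's `falsepositives`, `fields` and `level` keys are outside this hunk.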
@@ -3,12 +3,16 @@ id: 6722bba8-5713-4463-b3ab-8432224928c2
 status: experimental
 description: Detects when the TFTP service on a SO IDH node has had requests.
 author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 logsource:
- product: idh
+ product: opencanary
 detection:
 selection:
- event.code:
- - 2000
+ logtype:
+ - 10001
 condition: selection
 falsepositives:
 - None
diff --git a/salt/idh/plays/idh_vnc.yml b/salt/idh/plays/idh_vnc.yml
new file mode 100644
index 000000000..e26f3fc8a
--- /dev/null
+++ b/salt/idh/plays/idh_vnc.yml
@@ -0,0 +1,21 @@
+title: SO IDH - VNC Login Attempt
+id: 2d4ec11b-9d7c-464f-a9fa-e555e5cd605a
+status: experimental
+description: Detects when the VNC service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+license: MIT
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+ product: opencanary
+detection:
+ selection:
+ logtype:
+ - 12001
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
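Review bot: The `id: 6722bba8-5713-4463-b3ab-8432224928c2` shown in the idh_tftp.yml hunk header is the same UUID carried by `salt/idh/plays/idh_httpproxy.yml` in its hunk above, so two distinct plays now share one identifier and this commit, which touches both files, leaves the collision in place. Sigma treats `id` as the unique rule identifier and the Security Onion play import presumably keys on it too, so a duplicate risks one play overwriting or shadowing the other on load, or alerts from both being attributed to a single rule. Generate a fresh UUID for one of the two files (this one is the likelier copy-paste, given the otherwise TFTP-specific content) and check whether any existing alert tuning or playbook references depend on the old value.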