ja4plus nest enabled under ja4plus key for defaults

ja4plus cleanup
2026-03-24 05:22:38 +01:00 · 2026-03-19 12:39:37 -04:00 · 2026-03-19 11:12:24 -04:00 · 2026-03-19 11:01:40 -04:00 · 2026-03-19 09:46:33 -04:00 · 2026-03-19 09:42:39 -04:00
114 changed files with 1545 additions and 2409 deletions
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -1,24 +1,14 @@
 from os import path
 import subprocess
 def check():
  osfam = __grains__['os_family']
  retval = 'False'
-  if osfam == 'Debian':
+  cmd = 'needs-restarting -r > /dev/null 2>&1'
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
-  elif osfam == 'RedHat':
+  try:
-    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    needs_restarting = subprocess.check_call(cmd, shell=True)
-    
+  except subprocess.CalledProcessError:
-    try:
+    retval = 'True'
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      retval = 'True'
  else:
    retval = 'Unsupported OS: %s' % os
  return retval
--- a/salt/backup/soc_backup.yaml
+++ b/salt/backup/soc_backup.yaml
@@ -1,10 +1,10 @@
 backup:
  locations:
    description: List of locations to back up to the destination.
-    helpLink: backup.html
+    helpLink: backup
    global: True
  destination:
    description: Directory to store the configuration backups in.
-    helpLink: backup.html
+    helpLink: backup
    global: True
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -3,14 +3,14 @@ bpf:
    description: List of BPF filters to apply to the PCAP engine.
    multiline: True
    forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf
  suricata:
    description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
    multiline: True
    forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf
  zeek:
    description: List of BPF filters to apply to Zeek.
    multiline: True
    forcedType: "[]string"
-    helpLink: bpf.html
+    helpLink: bpf
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - docker
@@ -18,9 +16,3 @@ trusttheca:
    - show_changes: False
    - makedirs: True
 {% if GLOBALS.os_family == 'Debian' %}
 symlinkca:
  file.symlink:
    - target: /etc/pki/tls/certs/intca.crt
    - name: /etc/ssl/certs/intca.crt
 {% endif %}
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,19 +0,0 @@
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ],
  "default-ulimits": {
      "nofile": {
        "Name": "nofile",
        "Soft": 1048576,
        "Hard": 1048576
      }
  }
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -20,11 +20,6 @@ kernel.printk:
  sysctl.present:
    - value: "3 4 1 3"
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
  file.absent:
    - name: /tmp/variables.txt
 # Add socore Group
 socoregroup:
  group.present:
@@ -149,28 +144,6 @@ common_sbin_jinja:
      - so-import-pcap
 {% endif %}
 {% if GLOBALS.role == 'so-heavynode' %}
 remove_so-pcap-import_heavynode:
  file.absent:
    - name: /usr/sbin/so-pcap-import
 remove_so-import-pcap_heavynode:
  file.absent:
    - name: /usr/sbin/so-import-pcap
 {% endif %}
 {% if not GLOBALS.is_manager%}
 # prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
 # these two states remove the scripts from non manager nodes
 remove_soup:
  file.absent:
    - name: /usr/sbin/soup
 remove_so-firewall:
  file.absent:
    - name: /usr/sbin/so-firewall
 {% endif %}
 so-status_script:
  file.managed:
    - name: /usr/sbin/so-status
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,52 +1,5 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
 {% if grains.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - apache2-utils
      - wget
      - ntpdate
      - jq
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat-openbsd
      - sqlite3
      - libssl-dev
      - procps
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-lxml
      - git
      - rsync
      - vim
      - tar
      - unzip
      - bc
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
 {%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
 python-rich:
  pip.installed:
    - name: rich
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
 {%     endif %}
 {% endif %}
 {% if grains.os_family == 'RedHat' %}
 remove_mariadb:
  pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
      - unzip
      - wget
      - yum-utils
 {% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -11,14 +11,6 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 remove_common_soup:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
 remove_common_so-firewall:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -349,21 +349,16 @@ get_random_value() {
 }
 gpg_rpm_import() {
-	if [[ $is_oracle ]]; then
+	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	else
-	    else
+		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
 		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	elif [[ $is_rpm ]]; then
 		echo "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
 	done
 }
 header() {
@@ -550,6 +545,22 @@ retry() {
        return $exitcode
 }
 rollover_index() {
  idx=$1
  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
  if [[ $exists -eq 200 ]]; then
    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
    if [[ $rollover -eq 200 ]]; then
      echo "Successfully triggered rollover for $idx..."
    else
      echo "Could not trigger rollover for $idx..."
    fi
  else
    echo "Could not find index $idx..."
  fi
 }
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
@@ -615,69 +626,19 @@ salt_minion_count() {
 }
 set_os() {
-	if [ -f /etc/redhat-release ]; then
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+		OS=oracle
-			OS=rocky
+		OSVER=9
-			OSVER=9
+		is_oracle=true
-			is_rocky=true
+		is_rpm=true
 			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 			is_rpm=true
 		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
 			OS=alma
 			OSVER=9
 			is_alma=true
 			is_rpm=true
 		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
 			if [ -f /etc/oracle-release ]; then
 				OS=oracle
 				OSVER=9
 				is_oracle=true
 				is_rpm=true
 			else
 				OS=rhel
 				OSVER=9
 				is_rhel=true
 				is_rpm=true
 			fi
 		fi
 		cron_service_name="crond"
 	elif [ -f /etc/os-release ]; then
 		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
 			OSVER=focal
 			UBVER=20.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
 			OSVER=jammy
 			UBVER=22.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
 			OSVER=bookworm
 			DEBVER=12
 			is_debian=true
 			OS=debian
 			is_deb=true
 		fi
 		cron_service_name="cron"
 	fi
 	cron_service_name="crond"
 }
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 set_palette() {
 	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
 set_version() {
 	CURRENTVERSION=0.0.0
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -131,6 +131,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -1,34 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
    - identifier: so-curator-cluster-close
 so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
 delete_curator_configuration:
  file.absent:
    - name: /opt/so/conf/curator
    - recurse: True
 {% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
 {% if files|length > 0 %}
 delete_curator_scripts:
  file.absent:
    - names: {{files|yaml}}
 {% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@
 docker:
  range: '172.17.1.0/24'
  gateway: '172.17.1.1'
  ulimits:
    - name: nofile
      soft: 1048576
      hard: 1048576
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -9,6 +13,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet':
      final_octet: 21
      port_bindings:
@@ -16,6 +21,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elasticsearch':
      final_octet: 22
      port_bindings:
@@ -24,6 +30,16 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: memlock
          soft: -1
          hard: -1
        - name: nofile
          soft: 65536
          hard: 65536
        - name: nproc
          soft: 4096
          hard: 4096
    'so-influxdb':
      final_octet: 26
      port_bindings:
@@ -31,6 +47,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kibana':
      final_octet: 27
      port_bindings:
@@ -38,6 +55,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kratos':
      final_octet: 28
      port_bindings:
@@ -46,6 +64,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-hydra':
      final_octet: 30
      port_bindings:
@@ -54,6 +73,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-logstash':
      final_octet: 29
      port_bindings:
@@ -70,6 +90,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx':
      final_octet: 31
      port_bindings:
@@ -81,6 +102,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx-fleet-node':
      final_octet: 31
      port_bindings:
@@ -88,6 +110,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-redis':
      final_octet: 33
      port_bindings:
@@ -96,11 +119,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-sensoroni':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-soc':
      final_octet: 34
      port_bindings:
@@ -108,16 +133,19 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-backend':
      final_octet: 36
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-filestream':
      final_octet: 37
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-frontend':
      final_octet: 38
      port_bindings:
@@ -125,11 +153,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-manager':
      final_octet: 39
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-gatekeeper':
      final_octet: 40
      port_bindings:
@@ -137,6 +167,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-coordinator':
      final_octet: 41
      port_bindings:
@@ -144,11 +175,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastalert':
      final_octet: 42
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
@@ -156,11 +189,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-idh':
      final_octet: 45
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
@@ -169,23 +204,28 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-suricata':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits:
+      ulimits: []
        - memlock=524288000
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: core
          soft: 0
          hard: 0
    'so-kafka':
      final_octet: 88
      port_bindings:
@@ -196,3 +236,4 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.range.split('.') %}
+{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
-{% for container, vals in DOCKER.containers.items() %}
+{% for container, vals in DOCKERMERGED.containers.items() %}
-{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
 {% endfor %}
--- a/salt/docker/files/daemon.json.jinja
+++ b/salt/docker/files/daemon.json.jinja
@@ -0,0 +1,24 @@
 {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
 {%- if DOCKERMERGED.ulimits %},
  "default-ulimits": {
 {%-   for ULIMIT in DOCKERMERGED.ulimits %}
      "{{ ULIMIT.name }}": {
        "Name": "{{ ULIMIT.name }}",
        "Soft": {{ ULIMIT.soft }},
        "Hard": {{ ULIMIT.hard }}
      }{{ "," if not loop.last else "" }}
 {%-   endfor %}
  }
 {%- endif %}
 }
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # docker service requires the ca.crt
@@ -15,39 +15,6 @@ dockergroup:
    - name: docker
    - gid: 920
 {% if GLOBALS.os_family == 'Debian' %}
 {%    if grains.oscodename == 'bookworm' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~debian.12~bookworm
      - docker-ce: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
    - hold: True
    - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
    - hold: True
    - update_holds: True
 {%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.7.21-1
      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
    - hold: True
    - update_holds: True
 {%   endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 29.2.1-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
 #disable docker from managing iptables
 iptables_disabled:
@@ -75,10 +41,9 @@ dockeretc:
  file.directory:
    - name: /etc/docker
 # Manager daemon.json
 docker_daemon:
  file.managed:
-    - source: salt://common/files/daemon.json
+    - source: salt://docker/files/daemon.json.jinja
    - name: /etc/docker/daemon.json
    - template: jinja 
@@ -109,8 +74,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.range }}
+    - subnet: {{ DOCKERMERGED.range }}
-    - gateway: {{ DOCKER.gateway }}
+    - gateway: {{ DOCKERMERGED.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -1,44 +1,82 @@
 docker:
  gateway:
    description: Gateway for the default docker interface.
-    helpLink: docker.html
+    helpLink: docker
    advanced: True
  range:
    description: Default docker IP range for containers.
-    helpLink: docker.html
+    helpLink: docker
    advanced: True
  ulimits:
    description: |
      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
    forcedType: "[]{}"
    syntax: json
    advanced: True
    helpLink: docker.html
    uiElements:
    - field: name
      label: Resource Name
      required: True
      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
    - field: soft
      label: Soft Limit
      forcedType: int
    - field: hard
      label: Hard Limit
      forcedType: int
  containers:
    so-dockerregistry: &dockerOptions
      final_octet:
        description: Last octet of the container IP address.
-        helpLink: docker.html
+        helpLink: docker
        readonly: True
        advanced: True
        global: True
      port_bindings:
        description: List of port bindings for the container.
-        helpLink: docker.html
+        helpLink: docker
        advanced: True
        multiline: True
        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
-        helpLink: docker.html
+        helpLink: docker
        multiline: True
        forcedType: "[]string"
      extra_hosts:
        description: List of additional host entries for the container.
        advanced: True
-        helpLink: docker.html
+        helpLink: docker
        multiline: True
        forcedType: "[]string"
      extra_env:
        description: List of additional ENV entries for the container.
        advanced: True
-        helpLink: docker.html
+        helpLink: docker
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: |
          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
        advanced: True
        helpLink: docker.html
        forcedType: "[]{}"
        syntax: json
        uiElements:
        - field: name
          label: Resource Name
          required: True
          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
        - field: soft
          label: Soft Limit
          forcedType: int
        - field: hard
          label: Hard Limit
          forcedType: int
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-influxdb: *dockerOptions
@@ -62,42 +100,6 @@ docker:
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
-    so-suricata:
+    so-suricata: *dockerOptions
      final_octet:
        description: Last octet of the container IP address.
        helpLink: docker.html
        readonly: True
        advanced: True
        global: True
      port_bindings:
        description: List of port bindings for the container.
        helpLink: docker.html
        advanced: True
        multiline: True
        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_hosts:
        description: List of additional host entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_env:
        description: List of additional ENV entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: Ulimits for the container, in bytes.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
    so-zeek: *dockerOptions
    so-kafka: *dockerOptions
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
    - user: so-elastalert
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,24 +33,30 @@ so-elastalert:
      - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
      - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elastalert'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
--- a/salt/elasticfleet/files/certs/placeholder
+++ b/salt/elasticfleet/files/certs/placeholder
--- a/salt/elastalert/files/custom/placeholder
+++ b/salt/elastalert/files/custom/placeholder
@@ -1 +0,0 @@
 THIS IS A PLACEHOLDER FILE
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -1,47 +1,47 @@
 elastalert:
  enabled:
    description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
-    helpLink: elastalert.html
+    helpLink: elastalert
  alerter_parameters:
    title: Custom Configuration Parameters
    description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key.
    global: True
    multiline: True
    syntax: yaml
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  jira_api_key:
    title: Jira API Key
    description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  jira_pass:
    title: Jira Password
    description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  jira_user:
    title: Jira Username
    description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
    global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  smtp_pass:
    title: SMTP Password
    description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
    sensitive: True
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  smtp_user:
    title: SMTP Username
    description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
    forcedType: string
  files:
    custom:
@@ -49,91 +49,91 @@ elastalert:
        description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      gelf_ca__crt:
        description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      http_post_ca__crt:
        description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      http_post2_ca__crt:
        description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      ms_teams_ca__crt:
        description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      pagerduty_ca__crt:
        description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      rocket_chat_ca__crt:
        description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      smtp__crt:
        description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      smtp__key:
        description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      slack_ca__crt:
        description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
-        helpLink: elastalert.html
+        helpLink: elastalert
  config:
    disable_rules_on_error:
      description: Disable rules on failure.
      global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
    run_every:
      minutes:
        description: Amount of time in minutes between searches.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
    buffer_time:
      minutes:
        description: Amount of time in minutes to look through.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
    old_query_limit:
      minutes:
        description: Amount of time in minutes between queries to start at the most recently run query.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
    es_conn_timeout:
      description: Timeout in seconds for connecting to and reading from Elasticsearch.
      global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
    max_query_size:
      description: The maximum number of documents that will be returned from Elasticsearch in a single query.
      global: True
-      helpLink: elastalert.html
+      helpLink: elastalert
    alert_time_limit:
      days:
        description: The retry window for failed alerts.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
    index_settings:
      shards:
        description: The number of shards for elastalert indices.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
      replicas:
        description: The number of replicas for elastalert indices.
        global: True
-        helpLink: elastalert.html
+        helpLink: elastalert
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - elastic-fleet-package-registry.config
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
    - user: 948
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
    - binds:
-        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
    - user: 949
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -41,19 +41,25 @@ so-elastic-agent:
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
-     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - file: create-elastic-agent-config
      - file: trusttheca
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
    - user: 947
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
@@ -128,11 +128,17 @@ so-elastic-fleet:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - x509: etc_elasticfleet_key
--- a/salt/elasticfleet/files/certs/.gitkeep
+++ b/salt/elasticfleet/files/certs/.gitkeep
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -2,13 +2,13 @@ elasticfleet:
  enabled:
    description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
    advanced: True
-    helpLink: elastic-fleet.html
+    helpLink: elastic-fleet
  enable_manager_output:
    description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
    advanced: True
    global: True
    forcedType: bool
-    helpLink: elastic-fleet.html
+    helpLink: elastic-fleet
  files:
    soc:
      elastic-defend-disabled-filters__yaml:
@@ -17,7 +17,7 @@ elasticfleet:
        syntax: yaml
        file: True
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
      elastic-defend-custom-filters__yaml:
        title: Custom Elastic Defend filters
@@ -25,31 +25,31 @@ elasticfleet:
        syntax: yaml
        file: True
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
  logging:
    zeek:
      excluded:
        description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
        forcedType: "[]string"
-        helpLink: zeek.html
+        helpLink: zeek
  config:
    defend_filters:
      enable_auto_configuration:
        description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
    subscription_integrations:
      description: Enable the installation of integrations that require an Elastic license.
      global: True
      forcedType: bool
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
    auto_upgrade_integrations:
      description: Enables or disables automatically upgrading Elastic Agent integrations.
      global: True
      forcedType: bool
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
    outputs:
      logstash:
        bulk_max_size:
@@ -57,67 +57,67 @@ elasticfleet:
          global: True
          forcedType: int
          advanced: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
        worker:
          description: The number of workers per configured host publishing events.
          global: True
          forcedType: int
          advanced: true
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
        queue_mem_events:
          title: queued events
          description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
          global: True
          forcedType: int
          advanced: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
        timeout:
          description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
          regex: ^[0-9]+s$
          advanced: True
          global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
        loadbalance:
          description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
          forcedType: bool
          advanced: True
          global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
        compression_level:
          description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
          regex: ^[1-9]$
          forcedType: int
          advanced: True
          global: True
-          helpLink: elastic-fleet.html
+          helpLink: elastic-fleet
    server:
      custom_fqdn:
        description: Custom FQDN for Agents to connect to. One per line.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: "[]string"
      enable_auto_configuration:
        description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
      endpoints_enrollment:
        description: Endpoint enrollment key.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        sensitive: True
        advanced: True
      es_token:
        description: Elastic auth token.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        sensitive: True
        advanced: True
      grid_enrollment:
        description: Grid enrollment key.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        sensitive: True
        advanced: True
  optional_integrations:
@@ -125,57 +125,57 @@ elasticfleet:
      enabled_nodes:
        description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: "[]string"
      api_key:
        description: API key for Sublime Platform.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
        sensitive: True
      base_url:
        description: Base URL for Sublime Platform.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
      poll_interval:
        description: Poll interval for alerts from Sublime Platform.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
      limit:
        description: The maximum number of message groups to return from Sublime Platform.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: int
    kismet:
      base_url:
        description: Base URL for Kismet.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
      poll_interval:
        description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
      api_key:
        description: API key for Kismet.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: string
        sensitive: True
      enabled_nodes:
        description: Fleet nodes with the Kismet integration enabled. Enter one per line.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        advanced: True
        forcedType: "[]string"
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -6,8 +6,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -36,14 +34,8 @@
      {% endfor %}
    {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
  {% if HIGHLANDER %}
        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
  {% endif %}
  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
 {% if HIGHLANDER %}
      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
 {% endif %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -10,7 +10,7 @@
 vm.max_map_count:
  sysctl.present:
-    - value: 262144
+    - value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
 # Add ES Group
 elasticsearchgroup:
@@ -98,10 +98,6 @@ esrolesdir:
    - group: 939
    - makedirs: True
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -119,11 +115,6 @@ esingestconf:
    - group: 939
    - show_changes: False
 # Remove .fleet_final_pipeline-1 because we are using global@custom now
 so-fleet-final-pipeline-remove:
  file.absent:
    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2,6 +2,8 @@ elasticsearch:
  enabled: false
  version: 9.0.8
  index_clean: true
  vm:
    max_map_count: 1048576
  config:
    action:
      destructive_requires_name: true
@@ -117,7 +119,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-case*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -129,8 +131,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -141,14 +141,7 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    so-common:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -212,7 +205,9 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - winlog-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-*-so*
@@ -272,7 +267,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-detection*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -284,8 +279,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-detection-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -296,11 +289,6 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    sos-backup:
      index_sorting: false
      index_template:
@@ -460,7 +448,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - endgame*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -508,8 +496,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-idh:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -564,10 +550,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
-        - so-idh-*
+        - logs-idh-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -677,11 +666,13 @@ elasticsearch:
        - common-dynamic-mappings
        - winlog-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-import-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -736,7 +727,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-ip*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -751,19 +742,12 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
              lifecycle:
                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
@@ -772,7 +756,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .items-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -851,8 +835,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-kratos:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -873,7 +855,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-kratos-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -921,8 +903,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-hydra:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -983,7 +963,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-hydra-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1038,7 +1018,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .lists-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1524,6 +1504,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.cloudbeat@custom
        index_patterns:
@@ -1759,6 +1742,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.heartbeat@custom
        index_patterns:
@@ -3018,8 +3004,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-logs-soc:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -3074,11 +3058,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-soc-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3668,10 +3654,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-logstash-default*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3969,10 +3958,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
-        - logs-redis-default*
+        - logs-redis.log*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4083,11 +4075,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-strelka-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4197,11 +4191,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4311,11 +4307,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4425,11 +4423,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-syslog-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4541,11 +4541,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-zeek-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
    - user: elasticsearch
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
    - extra_hosts:
    {% for node in ELASTICSEARCH_NODES %}
    {%   for hostname, ip in node.items() %}
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -45,17 +45,19 @@ so-elasticsearch:
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      ulimits:
+      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
-      - memlock=-1:-1
+        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
      - nofile=65536:65536
      - nproc=4096
      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -75,8 +77,8 @@ so-elasticsearch:
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
--- a/salt/elasticsearch/files/ingest-dynamic/.gitkeep
+++ b/salt/elasticsearch/files/ingest-dynamic/.gitkeep
--- a/salt/elasticsearch/files/ingest-dynamic/common
+++ b/salt/elasticsearch/files/ingest-dynamic/common
@@ -1,5 +1,3 @@
 {%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
 {%- raw -%}
 {
  "description" : "common",
  "processors" : [
@@ -67,19 +65,7 @@
    { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
    { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
    { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
 {%- endraw %}
 {%- if HIGHLANDER %}
    ,
    {
      "pipeline": {
        "name": "ecs"
      }
    }
 {%- endif %}
 {%- raw %}
    ,
    { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
  ]
 }
 {% endraw %}
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -2,7 +2,7 @@ elasticsearch:
  enabled:
    description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
    advanced: True
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
  version:
    description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
    readonly: True
@@ -10,15 +10,20 @@ elasticsearch:
    advanced: True
  esheap:
    description: Specify the memory heap size in (m)egabytes for Elasticsearch.
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
  index_clean:
    description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
    forcedType: bool
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
  vm:
    max_map_count:
      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
      forcedType: int
      helpLink: elasticsearch
  retention: 
    retention_pct:
      decription: Total percentage of space used by Elasticsearch for multi node clusters
-      helpLink: elasticsearch.html
+      helpLink: elasticsearch
      global: True
  config:
    cluster:
@@ -26,55 +31,55 @@ elasticsearch:
        description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
        readonly: True
        global: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
      logsdb:
        enabled:
          description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
          forcedType: bool
          global: True
          advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
      routing:
        allocation:
          disk:
            threshold_enabled: 
              description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            watermark:
              low: 
                description: The lower percentage of used disk space representing a healthy node.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              high: 
                description: The higher percentage of used disk space representing an unhealthy node.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              flood_stage: 
                description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
    script:
      max_compilations_rate: 
        description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
        global: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
    indices:
      query:
        bool:
          max_clause_count: 
            description: Max number of boolean clauses per query.
            global: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
  pipelines:
    custom001: &pipelines
      description:
        description: Description of the ingest node pipeline
        global: True
        advanced: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
      processors:
        description: Processors for the ingest node pipeline
        global: True
        advanced: True
        multiline: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
    custom002: *pipelines
    custom003: *pipelines
    custom004: *pipelines
@@ -94,24 +99,24 @@ elasticsearch:
                description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
                forcedType: int
                global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              refresh_interval: 
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              number_of_shards: 
                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                order:
                  description: The order to sort by. Must set index_sorting to True.
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
      policy:
        phases:
          hot:
@@ -121,16 +126,16 @@ elasticsearch:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -178,13 +183,13 @@ elasticsearch:
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -197,14 +202,14 @@ elasticsearch:
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -257,13 +262,13 @@ elasticsearch:
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
    so-logs: &indexSettings
      index_sorting: 
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        global: True
        advanced: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
@@ -271,7 +276,7 @@ elasticsearch:
          multiline: True
          global: True
          advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        template:
          settings:
            index:
@@ -280,35 +285,35 @@ elasticsearch:
                forcedType: int
                global: True
                advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              mapping:
                total_fields:
                  limit:
                    description: Max number of fields that can exist on a single index. Larger values will consume more resources.
                    global: True
                    advanced: True
-                    helpLink: elasticsearch.html
+                    helpLink: elasticsearch
              refresh_interval: 
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                global: True
                advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              number_of_shards: 
                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                advanced: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                order:
                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
          mappings:
            _meta:
              package:
@@ -316,43 +321,43 @@ elasticsearch:
                  description: Meta settings for the mapping.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              managed_by:
                  description: Meta settings for the mapping.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              managed:
                  description: Meta settings for the mapping.
                  forcedType: bool
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
        composed_of:
          description: The index template is composed of these component templates.
          forcedType: "[]string"
          global: True
          advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        priority:
          description: The priority of the index template.
          forcedType: int
          global: True
          advanced: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        data_stream:
          hidden:
            description: Hide the data stream.
            forcedType: bool
            global: True
            advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            forcedType: bool
            global: True
            advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
      policy:
        phases:
          hot:
@@ -360,7 +365,7 @@ elasticsearch:
              description: Minimum age of index. This determines when the index should be moved to the hot tier.
              global: True
              advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
@@ -368,18 +373,18 @@ elasticsearch:
                  forcedType: int
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -428,7 +433,7 @@ elasticsearch:
              forcedType: string
              global: True
              advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
@@ -436,18 +441,18 @@ elasticsearch:
                  forcedType: int
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -501,7 +506,7 @@ elasticsearch:
              forcedType: string
              global: True
              advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
@@ -509,7 +514,7 @@ elasticsearch:
                  forcedType: int
                  global: True
                  advanced: True
-                  helpLink: elasticsearch.html
+                  helpLink: elasticsearch
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -523,25 +528,25 @@ elasticsearch:
              forcedType: string
              global: True
              advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
        _meta:
          package:
            name:
              description: Meta settings for the mapping.
              global: True
              advanced: True
-              helpLink: elasticsearch.html
+              helpLink: elasticsearch
          managed_by:
            description: Meta settings for the mapping.
            global: True
            advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
          managed:
            description: Meta settings for the mapping.
            forcedType: bool
            global: True
            advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
    so-logs-system_x_auth: *indexSettings
    so-logs-system_x_syslog: *indexSettings
    so-logs-system_x_system: *indexSettings
@@ -606,18 +611,18 @@ elasticsearch:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        advanced: True
        readonly: True
-        helpLink: elasticsearch.html
+        helpLink: elasticsearch
      index_template:
        ignore_missing_component_templates:
          description: Ignore component templates if they aren't in Elasticsearch.
          advanced: True
          readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          advanced: True
          readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        template:
          settings:
            index:
@@ -625,33 +630,33 @@ elasticsearch:
                description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
                advanced: True
                readonly: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
              number_of_replicas:
                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                advanced: True
                readonly: True
-                helpLink: elasticsearch.html
+                helpLink: elasticsearch
        composed_of:
          description: The index template is composed of these component templates.
          advanced: True
          readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        priority:
          description: The priority of the index template.
          advanced: True
          readonly: True
-          helpLink: elasticsearch.html
+          helpLink: elasticsearch
        data_stream:
          hidden:
            description: Hide the data stream.
            advanced: True
            readonly: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            advanced: True
            readonly: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
    so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
  so_roles:
    so-manager: &soroleSettings
@@ -662,7 +667,7 @@ elasticsearch:
            forcedType: "[]string"
            global: False
            advanced: True
-            helpLink: elasticsearch.html
+            helpLink: elasticsearch
    so-managersearch: *soroleSettings
    so-standalone: *soroleSettings
    so-searchnode: *soroleSettings
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -27,14 +27,12 @@ iptables_config:
    - source: salt://firewall/iptables.jinja
    - template: jinja
 {%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
  service.dead:
    - name: firewalld
    - enable: False
    - require:
      - file: iptables_config
 {%   endif %}
 iptables_restore:
  cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
    - onlyif:
      - iptables-restore --test {{ iptmap.configfile }}
 {%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
  service.running:
    - name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
    - onfail:
      - file: iptables_config
      - cmd: iptables_restore
 {%   endif %}
 {% else %}
--- a/salt/firewall/ipt.map.jinja
+++ b/salt/firewall/ipt.map.jinja
@@ -1,14 +1,6 @@
-{% set iptmap = salt['grains.filter_by']({
+{% set iptmap = {
-    'Debian': {
+    'service': 'iptables',
-        'service': 'netfilter-persistent',
+    'iptpkg': 'iptables-nft',
-        'iptpkg': 'iptables',
+    'persistpkg': 'iptables-nft-services',
-        'persistpkg': 'iptables-persistent',
+    'configfile': '/etc/sysconfig/iptables'
-        'configfile': '/etc/iptables/rules.v4'
+} %}
    },
    'RedHat': {
        'service': 'iptables',
        'iptpkg': 'iptables-nft',
        'persistpkg': 'iptables-nft-services',
        'configfile': '/etc/sysconfig/iptables'
    },
 }) %}
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKER.containers[container].ip %}
+{%-   set IP = DOCKERMERGED.containers[container].ip %}
-{%-   if DOCKER.containers[container].port_bindings is defined %}
+{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKER.containers[container].port_bindings %}
+{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -3,7 +3,7 @@ firewall:
    analyst: &hostgroupsettings
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
      multiline: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
      regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -11,7 +11,7 @@ firewall:
    anywhere: &hostgroupsettingsadv
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
      multiline: True
      advanced: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -22,7 +22,7 @@ firewall:
    dockernet: &ROhostgroupsettingsadv
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
      multiline: True
      advanced: True
      readonly: True
@@ -53,7 +53,7 @@ firewall:
    customhostgroup0: &customhostgroupsettings
      description: List of IP or CIDR blocks to allow to this hostgroup.
      forcedType: "[]string"
-      helpLink: firewall.html
+      helpLink: firewall
      advanced: True
      multiline: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
@@ -73,14 +73,14 @@ firewall:
      tcp: &tcpsettings
        description: List of TCP ports for this port group.
        forcedType: "[]string"
-        helpLink: firewall.html
+        helpLink: firewall
        advanced: True
        multiline: True
        duplicates: True
      udp: &udpsettings
        description: List of UDP ports for this port group.
        forcedType: "[]string"
-        helpLink: firewall.html
+        helpLink: firewall
        advanced: True
        multiline: True
        duplicates: True
@@ -206,7 +206,7 @@ firewall:
                advanced: True
                multiline: True
                forcedType: "[]string"
-                helpLink: firewall.html
+                helpLink: firewall
                duplicates: True
            sensor:
              portgroups: *portgroupsdocker
@@ -262,7 +262,7 @@ firewall:
                advanced: True
                multiline: True
                forcedType: "[]string"
-                helpLink: firewall.html
+                helpLink: firewall
                duplicates: True
            dockernet: 
              portgroups: *portgroupshost
--- a/salt/host/soc_host.yaml
+++ b/salt/host/soc_host.yaml
@@ -1,7 +1,7 @@
 host:
  mainint:
    description: Main interface of the grid host.
-    helpLink: host.html    
+    helpLink: ip-address
  mainip:
    description: Main IP address of the grid host.
-    helpLink: host.html
+    helpLink: ip-address
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}
@@ -26,32 +26,38 @@ so-hydra:
    - name: so-hydra
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
    - binds:
      - /opt/so/conf/hydra/:/hydra-conf:ro
      - /opt/so/log/hydra/:/hydra-log:rw
      - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-hydra'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-hydra'].extra_env %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: hydraconfig
--- a/salt/hydra/soc_hydra.yaml
+++ b/salt/hydra/soc_hydra.yaml
@@ -1,7 +1,7 @@
 hydra:
  enabled:
    description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. 
-    helpLink: connect.html
+    helpLink: connect-api
    global: True
  config:
    ttl:
@@ -9,16 +9,16 @@ hydra:
        description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours.
        global: True
        forcedType: string
-        helpLink: connect.html
+        helpLink: connect-api
    log:
      level: 
        description: Log level to use for Kratos logs.
        global: True
-        helpLink: connect.html
+        helpLink: connect-api
      format: 
        description: Log output format for Kratos logs.
        global: True
-        helpLink: connect.html
+        helpLink: connect-api
    secrets:
      system: 
        description: Secrets used for token generation. Generated during installation.
@@ -26,4 +26,4 @@ hydra:
        sensitive: True
        advanced: True
        forcedType: "[]string"
-        helpLink: connect.html
+        helpLink: connect-api
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - idh.config
@@ -22,23 +22,29 @@ so-idh:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_env %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: opencanary_config
    - require:
--- a/salt/idh/openssh/config.sls
+++ b/salt/idh/openssh/config.sls
@@ -3,7 +3,6 @@
 include:
  - idh.openssh
 {% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
  selinux.port_policy_present:
    - port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
      - file: openssh_config
    - require:
      - pkg: python_selinux_mgmt_tools
 {% endif %}
 openssh_config:
  file.replace:
--- a/salt/idh/openssh/init.sls
+++ b/salt/idh/openssh/init.sls
@@ -16,8 +16,6 @@ openssh:
    - name: {{ openssh_map.service }}
  {% endif %}
 {% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
  pkg.installed:
    - name: policycoreutils-python-utils
 {% endif %}
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -1,7 +1,7 @@
 idh:
  enabled:
    description: Enables or disables the Intrusion Detection Honeypot (IDH) process. 
-    helpLink: idh.html
+    helpLink: idh
  opencanary:
    config:
      logger:
@@ -10,7 +10,7 @@ idh:
          readonly: True
          advanced: True
          global: True
-          helpLink: idh.html
+          helpLink: idh
        kwargs:
            formatters:
              plain:
@@ -24,53 +24,53 @@ idh:
                  filename: *loggingOptions
      portscan_x_enabled: &serviceOptions
        description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
-        helpLink: idh.html
+        helpLink: idh
      portscan_x_logfile: *loggingOptions
      portscan_x_synrate:
        description: Portscan - syn rate limiting
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      portscan_x_nmaposrate:
        description: Portscan - nmap OS rate limiting
        advanced: True
-        helpLink: idh.html  
+        helpLink: idh  
      portscan_x_lorate: 
        description: Portscan - lo rate limiting
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      tcpbanner_x_maxnum:
        description:  Portscan - maxnum
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      tcpbanner_x_enabled: *serviceOptions
      tcpbanner_1_x_enabled: *serviceOptions
      tcpbanner_1_x_port: &portOptions
        description: Port the service should listen on.
        advanced: True
-        helpLink: idh.html
+        helpLink: idh
      tcpbanner_1_x_datareceivedbanner: &bannerOptions
        description: Data Received Banner
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      tcpbanner_1_x_initbanner: *bannerOptions
      tcpbanner_1_x_alertstring_x_enabled: *serviceOptions
      tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions
      tcpbanner_1_x_keep_alive_secret:
        description: Keep Alive Secret
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      tcpbanner_1_x_keep_alive_probes:
        description: Keep Alive Probes
        advanced: True
-        helpLink: idh.html  
+        helpLink: idh  
      tcpbanner_1_x_keep_alive_interval:
        description: Keep Alive Interval
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      tcpbanner_1_x_keep_alive_idle:
        description: Keep Alive Idle
        advanced: True
-        helpLink: idh.html 
+        helpLink: idh 
      ftp_x_enabled: *serviceOptions
      ftp_x_port: *portOptions
      ftp_x_banner: *bannerOptions
@@ -82,11 +82,11 @@ idh:
      http_x_skin: &skinOptions
        description: HTTP skin
        advanced: True
-        helpLink: idh.html
+        helpLink: idh
      http_x_skinlist: &skinlistOptions
        description: List of skins to use for the service.
        advanced: True
-        helpLink: idh.html
+        helpLink: idh
      httpproxy_x_enabled: *serviceOptions
      httpproxy_x_port: *portOptions
      httpproxy_x_skin: *skinOptions
@@ -95,7 +95,7 @@ idh:
      mssql_x_version: &versionOptions
        description: Specify the version the service should present.
        advanced: True
-        helpLink: idh.html
+        helpLink: idh
      mssql_x_port: *portOptions
      mysql_x_enabled: *serviceOptions
      mysql_x_port: *portOptions
@@ -119,7 +119,7 @@ idh:
      telnet_x_honeycreds:
        description: Credentials list for the telnet service.
        advanced: True
-        helpLink: idh.html
+        helpLink: idh
      tftp_x_enabled: *serviceOptions
      tftp_x_port: *portOptions
      vnc_x_enabled: *serviceOptions
@@ -127,8 +127,8 @@ idh:
  openssh:
    enable: 
      description: This is the real SSH service for the host machine.
-      helpLink: idh.html
+      helpLink: idh
    config:
      port:
        description: Port that the real SSH service will listen on and will only be accessible from the manager.
-        helpLink: idh.html
+        helpLink: idh
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
    - hostname: influxdb
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf/config.yaml
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKER.containers['so-influxdb'].extra_env %}
+      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -43,21 +43,27 @@ so-influxdb:
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -1,358 +1,358 @@
 influxdb:
  enabled:
    description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
-    helpLink: influxdb.html
+    helpLink: influxdb
  config:
    assets-path:
      description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    bolt-path:
      description: Path to the bolt DB file located inside the so-influxdb container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    engine-path:
      description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    feature-flags:
      description: List of key=value flags to enable.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    flux-log-enabled:
      description: Controls whether detailed flux query logging is enabled.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    hardening-enabled:
      description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    http-bind-address:
      description: The URL and port on which InfluxDB will listen for new connections.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    http-idle-timeout:
      description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    http-read-header-timeout:
      description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    http-read-timeout:
      description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    http-write-timeout:
      description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    influxql-max-select-buckets:
      description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    influxql-max-select-point:
      description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    influxql-max-select-series:
      description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    instance-id:
      description: Unique instance ID for this server, to avoid collisions in a replicated cluster.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    log-level:
      description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
      global: True
      advanced: false
      regex: ^(info|debug|error)$
-      helpLink: influxdb.html
+      helpLink: influxdb
    metrics-disabled:
      description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    no-tasks:
      description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    pprof-disabled:
      description: If true, the profiling data HTTP endpoint will be inaccessible.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    query-concurrency:
      description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    query-initial-memory-bytes:
      description: The initial number of bytes of memory to allocate for a new query.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    query-max-memory-bytes:
      description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    query-memory-bytes:
      description: Maximum number of bytes of memory to allocate to a query.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    query-queue-size:
      description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    reporting-disabled:
      description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    secret-store:
      description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
      global: True
      advanced: True
      regex: ^(bolt|vault)$
-      helpLink: influxdb.html
+      helpLink: influxdb
    session-length:
      description: Number of minutes that a user login session can remain authenticated. 
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    session-renew-disabled:
      description: If true, user login sessions will renew after each request.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    sqlite-path:
      description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-cache-max-memory-size:
      description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-cache-snapshot-memory-size:
      description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-cache-snapshot-write-cold-duration:
      description: Duration between snapshot writes to disk when the shard data hasn't been modified.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-compact-full-write-cold-duration:
      description: Duration between shard compactions when the shard data hasn't been modified.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-compact-throughput-burst:
      description: Maximum throughput (number of bytes per second) that compactions be written to disk.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-max-concurrent-compactions:
      description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-max-index-log-file-size:
      description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-no-validate-field-size:
      description: If true, incoming requests will skip the field size validation.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-retention-check-interval:
      description: Interval between reviewing each bucket's retention policy and the age of the associated data.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-series-file-max-concurrent-snapshot-compactions:
      description: Maximum number of concurrent snapshot compactions across all database partitions.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-series-id-set-cache-size:
      description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-shard-precreator-advance-period:
      description: The duration before a successor shard group is created after the end-time has been reached. 
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-shard-precreator-check-interval:
      description: Interval between checking if new shards should be created.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-tsm-use-madv-willneed:
      description: If true, InfluxDB will manage TSM memory paging.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-validate-keys:
      description: If true, validates incoming requests for supported characters.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-wal-fsync-delay:
      description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-wal-max-concurrent-writes:
      description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-wal-max-write-delay:
      description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    storage-write-timeout:
      description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    store:
      description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
      global: True
      advanced: True
      regex: ^(disk|memory)$
-      helpLink: influxdb.html
+      helpLink: influxdb
    tls-cert: 
      description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    tls-key: 
      description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    tls-min-version: 
      description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    tls-strict-ciphers:
      description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    tracing-type: 
      description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    ui-disabled: 
      description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-addr: 
      description: Vault server address.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-cacert: 
      description: Path to the Vault's single certificate authority certificate file within the container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-capath: 
      description: Path to the Vault's certificate authority directory within the container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-client-cert: 
      description: Vault client certificate path within the container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-client-key: 
      description: Vault client certificate key path within the container.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-client-timeout: 
      description: Duration to wait for a response from the Vault server before aborting.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-max-retries:
      description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-skip-verify: 
      description: Skip certification validation of the Vault server.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-tls-server-name: 
      description: SNI host to specify when using TLS to connect to the Vault server.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    vault-token:   
      description: Vault token used for authentication.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
  buckets:
    so_short_term:
      duration:
        description: Amount of time (in seconds) to keep short term data.
        global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
      shard_duration:
        description: Amount of the time (in seconds) range covered by the shard group.
        global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
    so_long_term:
      duration:
        description: Amount of time (in seconds) to keep long term downsampled data.
        global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
      shard_duration:
        description: Amount of the time (in seconds) range covered by the shard group.
        global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
  downsample:
    so_long_term:
      resolution:
        description: Amount of time to turn into a single data point.
        global: True
-        helpLink: influxdb.html
+        helpLink: influxdb
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
    - name: so-kafka
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
    - user: kafka
    - environment:
        KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
    - extra_hosts:
      {% for node in KAFKANODES %}
      - {{ node }}:{{ KAFKANODES[node].ip }}
      {% endfor %}
-      {% if DOCKER.containers['so-kafka'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
      - {{ XTRAHOST }}
      {%   endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -60,6 +60,12 @@ so-kafka:
      {% if KAFKA_EXTERNAL_ACCESS %}
      - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
      {% endif %}
    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      {% for sc in ['server', 'client'] %}
      - file: kafka_kraft_{{sc}}_properties
--- a/salt/kafka/soc_kafka.yaml
+++ b/salt/kafka/soc_kafka.yaml
@@ -1,257 +1,257 @@
 kafka:
  enabled:
    description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key.
-    helpLink: kafka.html
+    helpLink: kafka
  cluster_id:
    description: The ID of the Kafka cluster.
    readonly: True
    advanced: True
    sensitive: True
-    helpLink: kafka.html
+    helpLink: kafka
  controllers:
    description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss.
    forcedType: string
-    helpLink: kafka.html
+    helpLink: kafka
  reset:
    description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed.
    advanced: True
-    helpLink: kafka.html
+    helpLink: kafka
  logstash:
    description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka.
    forcedType: "[]string"
    multiline: True
    advanced: True
-    helpLink: kafka.html
+    helpLink: kafka
  config:
    password:
      description: The password used for the Kafka certificates.
      readonly: True
      sensitive: True
-      helpLink: kafka.html
+      helpLink: kafka
    trustpass:
      description: The password used for the Kafka truststore.
      readonly: True
      sensitive: True
-      helpLink: kafka.html
+      helpLink: kafka
    broker:
      auto_x_create_x_topics_x_enable:
        description: Enable the auto creation of topics.
        title: auto.create.topics.enable
        forcedType: bool
-        helpLink: kafka.html
+        helpLink: kafka
      default_x_replication_x_factor:
        description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count.
        title: default.replication.factor
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      inter_x_broker_x_listener_x_name:
        description: The name of the listener used for inter-broker communication.
        title: inter.broker.listener.name
-        helpLink: kafka.html
+        helpLink: kafka
      listeners:
        description: Set of URIs that is listened on and the listener names in a comma-seperated list.
-        helpLink: kafka.html
+        helpLink: kafka
      listener_x_security_x_protocol_x_map:
        description: Comma-seperated mapping of listener name and security protocols.
        title: listener.security.protocol.map
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_dirs:
        description: Where Kafka logs are stored within the Docker container.
        title: log.dirs
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_retention_x_check_x_interval_x_ms:
        description: Frequency at which log files are checked if they are qualified for deletion.
        title: log.retention.check.interval.ms
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_retention_x_hours:
        description: How long, in hours, a log file is kept.
        title: log.retention.hours
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_segment_x_bytes:
        description: The maximum allowable size for a log file.
        title: log.segment.bytes
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      num_x_io_x_threads:
        description: The number of threads used by Kafka.
        title: num.io.threads
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      num_x_network_x_threads:
        description: The number of threads used for network communication.
        title: num.network.threads
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      num_x_partitions:
        description: The number of log partitions assigned per topic.
        title: num.partitions
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      num_x_recovery_x_threads_x_per_x_data_x_dir:
        description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory.
        title: num.recovery.threads.per.data.dir
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      offsets_x_topic_x_replication_x_factor:
        description: The offsets topic replication factor.
        title: offsets.topic.replication.factor
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      process_x_roles:
        description: The role performed by Kafka brokers.
        title: process.roles
        readonly: True
-        helpLink: kafka.html
+        helpLink: kafka
      socket_x_receive_x_buffer_x_bytes:
        description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default.
        title: socket.receive.buffer.bytes
        #forcedType: int - soc needs to allow -1 as an int before we can use this
-        helpLink: kafka.html
+        helpLink: kafka
      socket_x_request_x_max_x_bytes:
        description: The maximum bytes allowed for a request to the socket.
        title: socket.request.max.bytes
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      socket_x_send_x_buffer_x_bytes:
        description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default.
        title: socket.send.buffer.byte
        #forcedType: int - soc needs to allow -1 as an int before we can use this
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_location:
        description: The key store file location within the Docker container.
        title: ssl.keystore.location
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_password:
        description: The key store file password. Invalid for PEM format.
        title: ssl.keystore.password
        sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_type: 
        description: The key store file format.
        title: ssl.keystore.type
        regex: ^(JKS|PKCS12|PEM)$
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_location:
        description: The trust store file location within the Docker container.
        title: ssl.truststore.location
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_type:
        description: The trust store file format.
        title: ssl.truststore.type
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_password:
        description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
        title: ssl.truststore.password
        sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
      transaction_x_state_x_log_x_min_x_isr:
        description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write.
        title: transaction.state.log.min.isr
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      transaction_x_state_x_log_x_replication_x_factor:
        description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite.
        title: transaction.state.log.replication.factor
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
    client:
      security_x_protocol:
        description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
        title: security.protocol
        regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_location:
        description: The key store file location within the Docker container.
        title: ssl.keystore.location
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_password:
        description: The key store file password. Invalid for PEM format.
        title: ssl.keystore.password
        sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_keystore_x_type:
        description: The key store file format.
        title: ssl.keystore.type
        regex: ^(JKS|PKCS12|PEM)$
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_location:
        description: The trust store file location within the Docker container.
        title: ssl.truststore.location
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_type:
        description: The trust store file format.
        title: ssl.truststore.type
-        helpLink: kafka.html
+        helpLink: kafka
      ssl_x_truststore_x_password:
        description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format.
        title: ssl.truststore.password
        sensitive: True
-        helpLink: kafka.html
+        helpLink: kafka
    controller:
      controller_x_listener_x_names:
        description: Set listeners used by the controller in a comma-seperated list.
        title: controller.listener.names
-        helpLink: kafka.html
+        helpLink: kafka
      listeners:
        description: Set of URIs that is listened on and the listener names in a comma-seperated list.
-        helpLink: kafka.html
+        helpLink: kafka
      listener_x_security_x_protocol_x_map:
        description: Comma-seperated mapping of listener name and security protocols.
        title: listener.security.protocol.map
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_dirs:
        description: Where Kafka logs are stored within the Docker container.
        title: log.dirs
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_retention_x_check_x_interval_x_ms:
        description: Frequency at which log files are checked if they are qualified for deletion.
        title: log.retention.check.interval.ms
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_retention_x_hours:
        description: How long, in hours, a log file is kept.
        title: log.retention.hours
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      log_x_segment_x_bytes:
        description: The maximum allowable size for a log file.
        title: log.segment.bytes
        forcedType: int
-        helpLink: kafka.html
+        helpLink: kafka
      process_x_roles:
        description: The role performed by controller node.
        title: process.roles
        readonly: True
-        helpLink: kafka.html
+        helpLink: kafka
    external_access:
      enabled:
        description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client.
        forcedType: bool
-        helpLink: kafka.html
+        helpLink: kafka
      listeners:
        description: Set of URIs that is listened on and the listener names in a comma-seperated list.
        title: listeners
        readonly: True
        advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
      listener_x_security_x_protocol_x_map:
        description: External listener name and mapped security protocol.
        title: listener.security.protocol.map
        readonly: True
        advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
      sasl_x_enabled_x_mechanisms:
        description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication.
        title: sasl.enabled.mechanisms
        readonly: True
        advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
      sasl_x_mechanism_x_inter_x_broker_x_protocol:
        description: SASL mechanism used for inter-broker communication
        title: sasl.mechanism.inter.broker.protocol
        readonly: True
        advanced: True
-        helpLink: kafka.html
+        helpLink: kafka
      remote_users:
        user01: &remote_user
          username:
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -20,20 +20,20 @@ so-kibana:
    - user: kibana
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKER.containers['so-kibana'].extra_env %}
+      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-kibana'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -42,15 +42,21 @@ so-kibana:
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: kibanaconfig
--- a/salt/kibana/map.jinja
+++ b/salt/kibana/map.jinja
@@ -5,7 +5,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -3,7 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
  - kibana.enabled
@@ -29,27 +28,3 @@ so-kibana-dashboard-load:
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template
 {%- if HIGHLANDER %}
 dashboard_saved_objects_template_hl:
  file.managed:
    - name: /opt/so/conf/kibana/hl.ndjson.template
    - source: salt://kibana/files/hl.ndjson
    - user: 932
    - group: 939
    - show_changes: False
 dashboard_saved_objects_hl_changes:
  file.absent:
    - names:
      - /opt/so/state/kibana_hl.txt
    - onchanges:
      - file: dashboard_saved_objects_template_hl
 so-kibana-dashboard-load_hl:
  cmd.run:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
    - cwd: /opt/so
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template_hl
 {%- endif %}
--- a/salt/kibana/soc_kibana.yaml
+++ b/salt/kibana/soc_kibana.yaml
@@ -1,10 +1,10 @@
 kibana:
  enabled: 
    description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results.
-    helpLink: kibana.html
+    helpLink: kibana
  config:
    elasticsearch:
      requestTimeout:
        description: The length of time before the request reaches timeout.
        global: True
-        helpLink: kibana.html
+        helpLink: kibana
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -1,6 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
@@ -9,10 +8,6 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Space:"
+echo "Setting up default Kibana Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -19,32 +19,38 @@ so-kratos:
    - name: so-kratos
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/:/kratos-conf:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-kratos'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-kratos'].extra_env %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -2,79 +2,79 @@ kratos:
  enabled:
    description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
    advanced: True
-    helpLink: kratos.html
+    helpLink: kratos
  oidc:
    enabled: 
      description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
      global: True
-      helpLink: oidc.html
+      helpLink: oidc
    config:
      id: 
        description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      provider:
        description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
        global: True
        forcedType: string
        regex: "auth0|generic|github|google|microsoft"
        regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
-        helpLink: oidc.html
+        helpLink: oidc
      client_id: 
        description: Specify the client ID, also referenced as the application ID. Required.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      client_secret: 
        description: Specify the client secret. Required.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      microsoft_tenant:
        description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      subject_source: 
        description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
        global: True
        forcedType: string
        regex: me|userinfo
        regexFailureMessage: "Valid values are: me, userinfo"
-        helpLink: oidc.html
+        helpLink: oidc
      auth_url: 
        description: Provider's auth URL. Required when provider is 'generic'.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      issuer_url: 
        description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      mapper_url: 
        description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
        advanced: True
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      token_url: 
        description: Provider's token URL. Required when provider is 'generic'.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      scope: 
        description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'.
        global: True
        forcedType: "[]string"
-        helpLink: oidc.html
+        helpLink: oidc
      pkce:
        description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
        global: True
        forcedType: string
-        helpLink: oidc.html
+        helpLink: oidc
      requested_claims: 
        id_token:
          email:
@@ -82,7 +82,7 @@ kratos:
              description: Specifies whether the email claim is necessary. Typically leave this value set to true.
              advanced: True
              global: True
-              helpLink: oidc.html
+              helpLink: oidc
  files:
    oidc__jsonnet:
      title: OIDC Claims Mapping
@@ -90,20 +90,20 @@ kratos:
      advanced: True
      file: True
      global: True
-      helpLink: oidc.html
+      helpLink: oidc
  config:
    session:
      lifespan: 
        description: Defines the length of a login session.
        global: True
-        helpLink: kratos.html
+        helpLink: kratos
      whoami:
        required_aal: 
          description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
          global: True
          advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
    selfservice:
      methods:
        password:
@@ -111,143 +111,143 @@ kratos:
            description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
            global: True
            advanced: True
-            helpLink: oidc.html
+            helpLink: oidc
          config:
            haveibeenpwned_enabled:
              description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
              global: True
-              helpLink: kratos.html
+              helpLink: kratos
        totp:
          enabled: 
            description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
            global: True
-            helpLink: kratos.html
+            helpLink: kratos
          config:
            issuer: 
              description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
              global: True
-              helpLink: kratos.html
+              helpLink: kratos
        webauthn:
          enabled:
            description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
            global: True
-            helpLink: kratos.html
+            helpLink: kratos
          config:
            passwordless: 
              description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
              global: True
-              helpLink: kratos.html
+              helpLink: kratos
            rp:
              id: 
                description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
              origin: 
                description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
              display_name: 
                description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
                global: True
                advanced: True
-                helpLink: kratos.html
+                helpLink: kratos
      flows:
        settings:
          privileged_session_max_age:
            description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
            global: True
-            helpLink: kratos.html
+            helpLink: kratos
          ui_url: 
            description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
          required_aal:
            description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
        verification:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
        login:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
          lifespan: 
            description: Defines the duration that a login form will remain valid.
            global: True
-            helpLink: kratos.html
+            helpLink: kratos
        error:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
        registration:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
-            helpLink: kratos.html
+            helpLink: kratos
      default_browser_return_url:
        description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
      allowed_return_urls:
        description: Internal redirect URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
    log:
      level: 
        description: Log level to use for Kratos logs.
        global: True
-        helpLink: kratos.html
+        helpLink: kratos
      format: 
        description: Log output format for Kratos logs.
        global: True
-        helpLink: kratos.html
+        helpLink: kratos
    secrets:
      default: 
        description: Secret key used for protecting session cookie data. Generated during installation.
        global: True
        sensitive: True
        advanced: True
-        helpLink: kratos.html
+        helpLink: kratos
    serve:
      public:
        base_url: 
          description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
          global: True
          advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
      admin:
        base_url: 
          description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
          global: True
          advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
    hashers:
      bcrypt:
        cost: 
          description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
          global: True
          advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
    courier:
      smtp:
        connection_uri: 
          description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
          global: True
          advanced: True
-          helpLink: kratos.html
+          helpLink: kratos
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -36,10 +36,6 @@ logstash:
    - gid: 931
    - home: /opt/so/conf/logstash
 lslibdir:
  file.absent:
    - name: /opt/so/conf/logstash/lib
 logstash_sbin:
  file.recurse:
    - name: /usr/sbin
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
    - name: so-logstash
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts:
    {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-logstash'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKER.containers['so-logstash'].extra_env %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -91,11 +91,17 @@ so-logstash:
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
-      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: lsetcsync
      - file: trusttheca
--- a/salt/logstash/soc_logstash.yaml
+++ b/salt/logstash/soc_logstash.yaml
@@ -1,13 +1,13 @@
 logstash:
  enabled: 
    description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
-    helpLink: logstash.html
+    helpLink: logstash
  assigned_pipelines:
    roles:
      standalone: &assigned_pipelines
        description: List of defined pipelines to add to this role.
        advanced: True
-        helpLink: logstash.html
+        helpLink: logstash
        multiline: True
        forcedType: "[]string"
        duplicates: True
@@ -21,7 +21,7 @@ logstash:
    receiver: &defined_pipelines
      description: List of pipeline configurations assign to this group.
      advanced: True
-      helpLink: logstash.html
+      helpLink: logstash
      multiline: True
      forcedType: "[]string" 
      duplicates: True
@@ -39,7 +39,7 @@ logstash:
      advanced: True
      multiline: True
      forcedType: string
-      helpLink: logstash.html
+      helpLink: logstash
      duplicates: True
    custom002: *pipeline_config
    custom003: *pipeline_config
@@ -53,35 +53,35 @@ logstash:
  settings:
    lsheap: 
      description: Heap size to use for logstash
-      helpLink: logstash.html
+      helpLink: logstash
      global: False
  config:
    api_x_http_x_host:
      description: Host interface to listen to connections.
-      helpLink: logstash.html
+      helpLink: logstash
      readonly: True
      advanced: True
    path_x_logs: 
      description: Path inside the container to wrote logs.
-      helpLink: logstash.html
+      helpLink: logstash
      readonly: True
      advanced: True
    pipeline_x_workers: 
      description: Number of worker threads to process events in logstash.
-      helpLink: logstash.html
+      helpLink: logstash
      global: False
    pipeline_x_batch_x_size: 
      description: Logstash batch size.
-      helpLink: logstash.html
+      helpLink: logstash
      global: False
    pipeline_x_ecs_compatibility: 
      description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
-      helpLink: logstash.html
+      helpLink: logstash
      readonly: True
      advanced: True
  dmz_nodes:
    description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents."
-    helpLink: logstash.html
+    helpLink: logstash
    multiline: True
    advanced: True
    forcedType: "[]string"
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -63,11 +63,9 @@ yara_log_dir:
      - user
      - group
 {% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
  pkg.installed:
    - name: createrepo_c
 {% endif %}
 repo_conf_dir:
  file.directory:
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -3,80 +3,80 @@ manager:
    enabled:
      description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
      global: True
-      helpLink: soup.html
+      helpLink: soup
    hour:
      description: The hour of the day in which the repo sync takes place.
      global: True
-      helpLink: soup.html
+      helpLink: soup
    minute:
      description: The minute within the hour to run the repo sync.
      global: True
-      helpLink: soup.html
+      helpLink: soup
  elastalert:
    description: Enable elastalert 1=enabled 0=disabled.
    global: True
-    helpLink: elastalert.html
+    helpLink: elastalert
  no_proxy:
    description: String of hosts to ignore the proxy settings for.
    global: True
-    helpLink: proxy.html
+    helpLink: proxy
  proxy:
    description: Proxy server to use for updates.
    global: True
-    helpLink: proxy.html
+    helpLink: proxy
  additionalCA:
    description: Additional CA certificates to trust in PEM format.
    global: True
    advanced: True
    multiline: True
    forcedType: string
-    helpLink: proxy.html
+    helpLink: proxy
  insecureSkipVerify:
    description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
    advanced: True
    forcedType: bool
    global: True
-    helpLink: proxy.html
+    helpLink: proxy
  agent_monitoring:
    enabled:
      description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold.
      global: True
-      helpLink: elastic-fleet.html
+      helpLink: elastic-fleet
      forcedType: bool
    config:
      critical_agents:
        description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold.
        global: True
        multiline: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: "[]string"
      custom_kquery:
        description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA'
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: string
        advanced: True
      offline_threshold:
        description: The maximum allowed time in hours a 'critical' agent has been offline before being logged.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: int
      realert_threshold:
        description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: int
      page_size:
        description: The amount of agents that can be processed per API request to fleet.
        global: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: int
        advanced: True
      run_interval:
        description: The time in minutes between checking fleet agent statuses.
        global: True
        advanced: True
-        helpLink: elastic-fleet.html
+        helpLink: elastic-fleet
        forcedType: int
  managed_integrations:
    description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
@@ -84,4 +84,4 @@ manager:
    multiline: True
    global: True
    advanced: True
-    helpLink: elasticsearch.html
+    helpLink: elasticsearch
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -403,7 +403,15 @@ migrate_pcap_to_suricata() {
 }
 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
    rollover_index "$idx"
  done
  # Remove ILM for so-case and so-detection indices
  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
    so-elasticsearch-query $idx/_ilm/remove -XPOST
  done
  POSTVERSION=3.0.0
 }
@@ -576,78 +584,46 @@ upgrade_check_salt() {
 upgrade_salt() {
  echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
  echo ""
-  # If rhel family
+  # Check if salt-cloud is installed
-  if [[ $is_rpm ]]; then
+  if rpm -q salt-cloud &>/dev/null; then
-    # Check if salt-cloud is installed
+    SALT_CLOUD_INSTALLED=true
-    if rpm -q salt-cloud &>/dev/null; then
+  fi
-      SALT_CLOUD_INSTALLED=true
+  # Check if salt-cloud is configured
-    fi
+  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-    # Check if salt-cloud is configured
+    SALT_CLOUD_CONFIGURED=true
-    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+  fi
      SALT_CLOUD_CONFIGURED=true
    fi
-    echo "Removing yum versionlock for Salt."
+  echo "Removing yum versionlock for Salt."
-    echo ""
+  echo ""
-    yum versionlock delete "salt"
+  yum versionlock delete "salt"
-    yum versionlock delete "salt-minion"
+  yum versionlock delete "salt-minion"
-    yum versionlock delete "salt-master"
+  yum versionlock delete "salt-master"
-    # Remove salt-cloud versionlock if installed
+  # Remove salt-cloud versionlock if installed
-    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-      yum versionlock delete "salt-cloud"
+    yum versionlock delete "salt-cloud"
-    fi
+  fi
-    echo "Updating Salt packages."
+  echo "Updating Salt packages."
-    echo ""
+  echo ""
-    set +e
+  set +e
-    # if oracle run with -r to ignore repos set by bootstrap
+  # Run with -r to ignore repos set by bootstrap
-    if [[ $OS == 'oracle' ]]; then
+  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
      # Add -L flag only if salt-cloud is already installed
      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      else
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      fi
    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
    else
      run_check_net_err \
      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
      "Could not update salt, please check $SOUP_LOG for details."
    fi
    set -e
    echo "Applying yum versionlock for Salt."
    echo ""
    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
    # Add salt-cloud versionlock if installed
    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
    fi
  # Else do Ubuntu things
  elif [[ $is_deb ]]; then
    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
    echo "Removing apt hold for Salt."
    echo ""
    apt-mark unhold "salt-common"
    apt-mark unhold "salt-master"
    apt-mark unhold "salt-minion"
    echo "Updating Salt packages."
    echo ""
    set +e
    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
    "Could not update salt, please check $SOUP_LOG for details."
-    set -e
+  else
-    echo "Applying apt hold for Salt."
+    run_check_net_err \
-    echo ""
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
-    apt-mark hold "salt-common"
+    "Could not update salt, please check $SOUP_LOG for details."
-    apt-mark hold "salt-master"
+  fi
-    apt-mark hold "salt-minion"
+  set -e
  echo "Applying yum versionlock for Salt."
  echo ""
  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
  # Add salt-cloud versionlock if installed
  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
  fi
  echo "Checking if Salt was upgraded."
@@ -1084,6 +1060,10 @@ main() {
  echo ""
  set_os
  if [[ ! $is_oracle ]]; then
    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
  fi
  check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
  echo "Checking to see if this is a manager."
@@ -1193,14 +1173,6 @@ main() {
      echo "Upgrading Salt"
      # Update the repo files so it can actually upgrade
      upgrade_salt
      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
      # *  WARN: Not starting daemons on Debian based distributions
      #    is not working mostly because starting them is the default behaviour.
      if [[ $is_deb ]]; then
        stop_salt_minion
        stop_salt_master
      fi
    fi
    preupgrade_changes
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
 include:
@@ -37,11 +37,11 @@ so-nginx:
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers[container_config].extra_hosts %}
+    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -64,20 +64,26 @@ so-nginx:
      - /opt/so/rules/nids/suri:/surirules:ro
      {%   endif %}
      {% endif %}
-      {% if DOCKER.containers[container_config].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers[container_config].extra_env %}
+    {% if DOCKERMERGED.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers[container_config].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -2,11 +2,11 @@ nginx:
  enabled: 
    description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
    advanced: True
-    helpLink: nginx.html
+    helpLink: nginx
  external_suricata:
    description: Enable this to allow external access to Suricata Rulesets managed by Detections.
    advanced: True
-    helplink: nginx.html
+    helpLink: nginx
    forcedType: bool
  ssl:
    replace_cert:
@@ -15,33 +15,33 @@ nginx:
      advanced: True
      forcedType: bool
      title: Replace Default Cert
-      helpLink: nginx.html
+      helpLink: nginx
    ssl__key:
      description: If you enabled the replace_cert option, paste the contents of your .key file here.
      file: True
      title: SSL/TLS Key File
      advanced: True
      global: True
-      helpLink: nginx.html
+      helpLink: nginx
    ssl__crt:
      description: If you enabled the replace_cert option, paste the contents of your .crt file here.
      file: True
      title: SSL/TLS Cert File
      advanced: True
      global: True
-      helpLink: nginx.html
+      helpLink: nginx
    alt_names:
      description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
      global: True
      forcedType: '[]string'
      multiline: True
-      helpLink: nginx.html
+      helpLink: nginx
  config:
    throttle_login_burst:
      description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
      global: True
-      helpLink: nginx.html
+      helpLink: nginx
    throttle_login_rate:
      description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
      global: True
-      helpLink: nginx.html
+      helpLink: nginx
--- a/salt/ntp/init.sls
+++ b/salt/ntp/init.sls
@@ -2,7 +2,6 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
    - defaults:
        NTPCONFIG: {{ NTPCONFIG }}
 {% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
 {% else %}
 chrony:
 {% endif %}
  service.running:
    - enable: True
    - watch: 
--- a/salt/ntp/soc_ntp.yaml
+++ b/salt/ntp/soc_ntp.yaml
@@ -3,4 +3,4 @@ ntp:
    servers:
      description: NTP Server List
      title: NTP Servers
-      helpLink: ntp.html
+      helpLink: ntp
--- a/salt/patch/soc_patch.yaml
+++ b/salt/patch/soc_patch.yaml
@@ -2,19 +2,19 @@ patch:
  os:
    enabled:
      description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
-      helpLink: soup.html
+      helpLink: soup
    schedule_to_run: 
      description: Currently running schedule for updates.
-      helpLink: soup.html
+      helpLink: soup
    schedules:
      auto:
        splay: &splayOptions
          description: Seconds to splay updates.
-          helpLink: soup.html 
+          helpLink: soup 
        schedule:
          hours: 
            description: Run the OS updates every X hours. 
-            helpLink: soup.html
+            helpLink: soup
      monday:
        splay: *splayOptions
        schedule: 
@@ -51,7 +51,7 @@ patch:
          Monday: &dailyOptions
            description: List of times to apply OS patches daily.
            multiline: True
-            helpLink: soup.html
+            helpLink: soup
          Tuesday: *dailyOptions
          Wednesday: *dailyOptions
          Thursday: *dailyOptions
@@ -64,7 +64,7 @@ patch:
          Monday: &weekdayOptions
            description: List of times for weekdays.
            multiline: True
-            helpLink: soup.html
+            helpLink: soup
          Tuesday: *weekdayOptions
          Wednesday: *weekdayOptions
          Thursday: *weekdayOptions
@@ -75,5 +75,5 @@ patch:
          Saturday: &weekendOptions
            description: List of times for weekend days.
            multiline: true
-            helpLink: soup.html
+            helpLink: soup
          Sunday: *weekendOptions
--- a/salt/podman/files/podman.service
+++ b/salt/podman/files/podman.service
@@ -1,17 +0,0 @@
 [Unit]
 Description=Podman API Service
 Requires=podman.socket
 After=podman.socket
 Documentation=man:podman-api(1)
 StartLimitIntervalSec=0
 [Service]
 Type=oneshot
 Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
 ExecStart=/usr/bin/podman system service
 TimeoutStopSec=30
 KillMode=process
 [Install]
 WantedBy=multi-user.target
 Also=podman.socket
--- a/salt/podman/files/podman.socket
+++ b/salt/podman/files/podman.socket
@@ -1,10 +0,0 @@
 [Unit]
 Description=Podman API Socket
 Documentation=man:podman-api(1)
 [Socket]
 ListenStream=%t/podman/podman.sock
 SocketMode=0660
 [Install]
 WantedBy=sockets.target
--- a/salt/podman/files/sobridge.conflist
+++ b/salt/podman/files/sobridge.conflist
@@ -1,48 +0,0 @@
 {
   "args": {
      "podman_options": {
         "isolate": "true",
         "mtu": "1500"
      }
   },
   "cniVersion": "0.4.0",
   "name": "sobridge",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "sobridge",
         "isGateway": true,
         "ipMasq": false,
         "mtu": 1500,
         "hairpinMode": false,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "172.17.1.0/24",
                     "gateway": "172.17.1.1"
                  }
               ]
            ]
         },
         "capabilities": {
            "ips": true
         }
      },
      {
         "type": "portmap",
         "capabilities": {
            "portMappings": false
         }
      },
      {
         "type": "tuning"
      }
   ]
 }
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -1,56 +0,0 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 Podman pkg:
  pkg.installed:
    - name: podman
 cnipkg:
  pkg.installed:
    - name: containernetworking-plugins
 {#
 Podman service:
  file.managed:
    - name: /usr/lib/systemd/system/podman.service
    - source: salt://podman/podman.service
 #}
 sobridgeconf:
  file.managed:
    - name: /etc/cni/net.d/sobridge.conflist
    - source: salt://podman/files/sobridge.conflist
 Podman_socket_service:
  service.running:
    - name: podman.socket
    - enable: true
 Podman_service:
  service.running:
    - name: podman.service
    - enable: true
 Docker socket:
  file.symlink:
    - name: /var/run/docker.sock
    - target: /var/run/podman/podman.sock
 podman_docker_symlink:
  file.symlink:
    - name: /usr/bin/docker
    - target: /usr/bin/podman
 {#
 sos_docker_net:
  docker_network.present:
    - name: sobridge
    - subnet: {{ DOCKER.range }}
    - gateway: {{ DOCKER.bip }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
        com.docker.network.bridge.enable_ip_masquerade: 'true'
        com.docker.network.bridge.enable_icc: 'true'
        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
    - unless: 'docker network ls | grep sobridge'
 #}
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -21,9 +21,9 @@ so-redis:
    - user: socore
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -34,23 +34,29 @@ so-redis:
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_env %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: trusttheca
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -1,18 +1,18 @@
 redis:
  enabled: 
    description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
-    helpLink: redis.html
+    helpLink: redis
  config:
    bind:
      description: The IP address to bind to.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    protected-mode:
      description: Force authentication to access redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    requirepass:
      description: Password for accessing Redis.
      global: True
@@ -21,262 +21,262 @@ redis:
      description: TLS cert file location.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-key-file: 
      description: TLS key file location.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-ca-cert-file:
      description: TLS CA file location.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-port: 
      description: Port to use TLS encryption on.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-auth-clients: 
      description: Force TLS authentication.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    port: 
      description: Non TLS port for Redis access.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tcp-backlog: 
      description: Set the TCP backlog value. This is normally increasd in high request environments.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    timeout: 
      description: Time in seconds to close an idle connection. 0 to disable.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    tcp-keepalive: 
      description: Time in seconds to send a keepalive.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    tls-replication:
      description: Enable TLS replication links.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-protocols:
      description: List of acceptable TLS protocols separated by spaces.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-prefer-server-ciphers: 
      description: Prefer the server side ciphers.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-session-caching:
      description: Enable TLS session caching.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    tls-session-cache-size: 
      description: The number of TLS sessions to cache.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    tls-session-cache-timeout: 
      description: Timeout in seconds to cache TLS sessions.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    loglevel:
      description: Log verbosity level.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    logfile:
      description: Log file name.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    syslog-enabled: 
      description: Enable syslog output.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    syslog-ident:
      description: Set the syslog identity.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    syslog-facility:
      description: Set the syslog facility.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    databases:
      description: Total amount of databases.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    always-show-logo:
      description: The amount of time that a write will wait before fsyncing.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    save:
      '900':
        description: Set the amount of keys that need to change to save after 15 minutes.
        global: True
-        helpLink: redis.html
+        helpLink: redis
      '300': 
        description: Set the amount of keys that need to change to save after 5 minutes.
        global: True
-        helpLink: redis.html
+        helpLink: redis
      '60': 
        description: Set the amount of keys that need to change to save after 1 minute
        global: True
-        helpLink: redis.html
+        helpLink: redis
    stop-writes-on-bgsave-error: 
      description: Stop writes to redis is there is an error with the save.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    rdbcompression:
      description: Compress string objects with LZF.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    rdbchecksum:
      description: Enable checksum of rdb files.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    dbfilename:
      description: Filename of the rdb saves.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    acllog-max-len:
      description: Maximum length of the ACL log.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    maxmemory:
      description: Maximum memory for storing redis objects.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    maxmemory-policy:
      description: The policy to use when maxmemory is reached.
      global: True
-      helpLink: redis.html
+      helpLink: redis
    maxmemory-samples:
      description: maxmemory sample size.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    lua-time-limit:
      description: Maximum execution time of LUA scripts.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    slowlog-log-slower-than:
      description: Time in microseconds to write to the slow log.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    slowlog-max-len:
      description: Maximum size of the slow log.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    hash-max-ziplist-entries:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    hash-max-ziplist-value:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    list-max-ziplist-size:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    list-compress-depth:
      description: Depth for list compression.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    set-max-intset-entries:
      description: Sets the limit on the size of the set in order to use the special memory saving encoding.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    zset-max-ziplist-entries:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    zset-max-ziplist-value:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    hll-sparse-max-bytes:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    stream-node-max-bytes:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    stream-node-max-entries:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    activerehashing:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    client-output-buffer-limit:
      normal: 
        description: Used for advanced performance tuning of Redis.
        global: True
        advanced: True
-        helpLink: redis.html
+        helpLink: redis
      replica:
        description: Used for advanced performance tuning of Redis.
        global: True
        advanced: True
-        helpLink: redis.html
+        helpLink: redis
      pubsub: 
        description: Used for advanced performance tuning of Redis.
        global: True
        advanced: True
-        helpLink: redis.html
+        helpLink: redis
    hz: 
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    dynamic-hz:
      description: Used for advanced performance tuning of Redis.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    rdb-save-incremental-fsync: 
      description: fsync redis data.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
    jemalloc-bg-thread:
      description: Jemalloc background thread for purging.
      global: True
      advanced: True
-      helpLink: redis.html
+      helpLink: redis
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
    - hostname: so-registry
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
    - restart_policy: always
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -32,25 +32,31 @@ so-dockerregistry:
      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    - client_timeout: 180
    - environment:
      - HOME=/root
-      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - retry:
        attempts: 5
        interval: 30
--- a/salt/repo/client/map.jinja
+++ b/salt/repo/client/map.jinja
@@ -1,43 +1,29 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% set REPOPATH = '/etc/yum.repos.d/' %}
-
+{% set ABSENTFILES = [
-{% if GLOBALS.os_family == 'RedHat' %}
+       'centos-addons.repo',
-  {% set REPOPATH = '/etc/yum.repos.d/' %}
+       'centos-devel.repo',
-{%     if GLOBALS.os == 'OEL' %}
+       'centos-extras.repo',
-  {% set ABSENTFILES = [
+       'centos.repo',
-         'centos-addons.repo',
+       'docker-ce.repo',
-         'centos-devel.repo',
+       'epel.repo',
-         'centos-extras.repo',
+       'epel-testing.repo',
-         'centos.repo',
+       'saltstack.repo',
-         'docker-ce.repo',
+       'salt-latest.repo',
-         'epel.repo',
+       'wazuh.repo'
-         'epel-testing.repo',
+       'Rocky-Base.repo',
-         'saltstack.repo',
+       'Rocky-CR.repo',
-         'salt-latest.repo',
+       'Rocky-Debuginfo.repo',
-         'wazuh.repo'
+       'Rocky-fasttrack.repo',
-         'Rocky-Base.repo',
+       'Rocky-Media.repo',
-         'Rocky-CR.repo',
+       'Rocky-Sources.repo',
-         'Rocky-Debuginfo.repo',
+       'Rocky-Vault.repo',
-         'Rocky-fasttrack.repo',
+       'Rocky-x86_64-kernel.repo',
-         'Rocky-Media.repo',
+       'rocky-addons.repo',
-         'Rocky-Sources.repo',
+       'rocky-devel.repo',
-         'Rocky-Vault.repo',
+       'rocky-extras.repo',
-         'Rocky-x86_64-kernel.repo',
+       'rocky.repo',
-         'rocky-addons.repo',
+       'oracle-linux-ol9.repo',
-         'rocky-devel.repo',
+       'uek-ol9.repo',
-         'rocky-extras.repo',
+       'virt-ol9.repo'
-         'rocky.repo',
+     ]
-         'oracle-linux-ol9.repo',
+%}
         'uek-ol9.repo',
         'virt-ol9.repo'
       ]
  %}
 {%     else %}
  {% set ABSENTFILES = [] %}
 {%    endif %}
 {% else %}
  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
  {% set ABSENTFILES = [] %}
 {% endif %}
--- a/salt/salt/init.sls
+++ b/salt/salt/init.sls
@@ -1,10 +1,3 @@
 {% if grains.oscodename == 'focal' %}
 saltpymodules:
  pkg.installed:
    - pkgs:
      - python3-docker
 {% endif %}
 # distribute to minions for salt upgrades
 salt_bootstrap:
  file.managed:
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -17,22 +17,12 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
-{% if grains.os_family == 'Debian' %}
+{% set SPLITCHAR = '-' %}
-  {% set SPLITCHAR = '+' %}
+{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% if grains.os_family|lower == 'redhat' %}
+  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
  {% elif grains.os_family|lower == 'debian' %}
    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -23,15 +23,6 @@ sync_runners:
    - name: saltutil.sync_runners
 {% endif %}
 # prior to 2.4.30 this engine ran on the manager with salt-minion
 # this has changed to running with the salt-master in 2.4.30
 remove_engines_config:
  file.absent:
    - name: /etc/salt/minion.d/engines.conf
    - source: salt://salt/files/engines.conf
    - watch_in:
      - service: salt_minion_service
 checkmine_engine:
  file.managed:
    - name: /etc/salt/engines/checkmine.py
--- a/salt/sensor/soc_sensor.yaml
+++ b/salt/sensor/soc_sensor.yaml
@@ -1,15 +1,15 @@
 sensor:
  interface:
    description: Main sensor monitoring interface.
-    helpLink: network.html
+    helpLink: network-visibility
    readonly: True
  mtu:
    description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
-    helpLink: network.html
+    helpLink: network-visibility
    readonly: True
  channels:
    description: Set the size of the nic channels. This is rarely changed from 1 
-    helpLink: network.html
+    helpLink: network-visibility
    forcedType: int
    node: True
    advanced: True
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
@@ -23,23 +23,29 @@ so-sensoroni:
      - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_env %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -2,79 +2,79 @@ sensoroni:
  enabled:
    description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
    advanced: True
-    helpLink: grid.html
+    helpLink: grid
  config:
    analyze:
      enabled:
        description: Enable or disable the analyzer.
        advanced: True
-        helpLink: cases.html
+        helpLink: cases
      timeout_ms:
        description: Timeout period for the analyzer.
        advanced: True
-        helpLink: cases.html
+        helpLink: cases
      parallel_limit:
        description: Parallel limit for the analyzer.
        advanced: True
-        helpLink: cases.html
+        helpLink: cases
    export:
      timeout_ms:
        description: Timeout period for the exporter to finish export-related tasks.
        advanced: True
-        helpLink: reports.html
+        helpLink: reports
      cache_refresh_interval_ms:
        description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
        advanced: True
-        helpLink: reports.html
+        helpLink: reports
      export_metric_limit:
        description: Maximum number of metric values to include in each metric aggregation group.
        advanced: True
-        helpLink: reports.html
+        helpLink: reports
      export_event_limit:
        description: Maximum number of events to include per event list.
        advanced: True
-        helpLink: reports.html
+        helpLink: reports
      csv_separator:
        description: Separator character to use for CSV exports.
        advanced: False
-        helpLink: reports.html
+        helpLink: reports
    node_checkin_interval_ms:
      description: Interval in ms to checkin to the soc_host.
      advanced: True
-      helpLink: grid.html
+      helpLink: grid
    node_description:
      description: Description of the specific node.
-      helpLink: grid.html
+      helpLink: grid
      node: True
      forcedType: string
    sensoronikey:
      description: Shared key for sensoroni authentication.
-      helpLink: grid.html
+      helpLink: grid
      global: True
      sensitive: True
      advanced: True
    soc_host:
      description: Host for sensoroni agents to connect to.
-      helpLink: grid.html
+      helpLink: grid
      global: True
      advanced: True
    suripcap:
      pcapMaxCount:
        description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
-        helpLink: sensoroni.html
+        helpLink: pcap
        advanced: True
  analyzers:
    echotrail:
      api_key:
        description: API key for the Echotrail analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: False
        forcedType: string
      base_url:
        description: Base URL for the Echotrail analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
@@ -82,70 +82,70 @@ sensoroni:
    elasticsearch:
      api_key:
        description: API key for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Connection URL for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
        forcedType: string
      auth_user:
        description: Username for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
        forcedType: string
      auth_pwd:
        description: User password for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: False
        forcedType: string
      num_results:
        description: Number of documents to return for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      index:
        description: Search index for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
        forcedType: string
      time_delta_minutes:
        description: Time (in minutes) to search back for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: True
        forcedType: int
      timestamp_field_name:
        description: Specified name for a documents' timestamp field for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      map:
        description: Map between observable types and search field for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
        forcedType: string
      cert_path:
        description: Path to a TLS certificate for the Elasticsearch analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: False
        advanced: False
@@ -153,14 +153,14 @@ sensoroni:
    emailrep:
      api_key:
        description: API key for the EmailRep analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the EmailRep analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -168,21 +168,21 @@ sensoroni:
    greynoise:
      api_key:
        description: API key for the GreyNoise analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      api_version:
        description: API version for the GreyNoise analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the GreyNoise analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -190,7 +190,7 @@ sensoroni:
    localfile:
      file_path:
        description: File path for the LocalFile analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -198,7 +198,7 @@ sensoroni:
    malwarebazaar:
      api_key:
        description: API key for the malwarebazaar analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: False
@@ -206,14 +206,14 @@ sensoroni:
    otx:
      api_key:
        description: API key for the OTX analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the OTX analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -221,14 +221,14 @@ sensoroni:
    pulsedive:
      api_key:
        description: API key for the Pulsedive analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the Pulsedive analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -236,14 +236,14 @@ sensoroni:
    spamhaus:
      lookup_host:
        description: Host to use for lookups.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      nameservers:
        description: Nameservers used for queries.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        multiline: True
@@ -252,35 +252,35 @@ sensoroni:
    sublime_platform:
      api_key:
        description: API key for the Sublime Platform analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the Sublime Platform analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      live_flow:
        description: Determines if live flow analysis is used.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: bool
      mailbox_email_address:
        description: Source mailbox address used for live flow analysis.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      message_source_id:
        description: ID of the message source used for live flow analysis.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -288,7 +288,7 @@ sensoroni:
    threatfox:
      api_key:
        description: API key for the threatfox analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: False
@@ -296,35 +296,35 @@ sensoroni:
    urlscan:
      api_key:
        description: API key for the Urlscan analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the Urlscan analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      enabled:
        description: Analyzer enabled
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: bool
      timeout:
        description: Timeout for the Urlscan analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
        forcedType: int
      visibility:
        description: Type of visibility.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -332,7 +332,7 @@ sensoroni:
    urlhaus:
      api_key:
        description: API key for the urlhaus analyzer.
-        helpLink: sensoroni.html
+        helpLink: cases#configuring-analyzers
        global: False
        sensitive: True
        advanced: False
@@ -340,14 +340,14 @@ sensoroni:
    virustotal:
      api_key:
        description: API key for the VirusTotal analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the VirusTotal analyzer.
-        helpLink: cases.html
+        helpLink: cases
        global: False
        sensitive: False
        advanced: True
@@ -362,21 +362,21 @@ sensoroni:
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          productivity_report__md:
            title: Productivity Report Template
            description: The template used when generating a comprehensive productivity report. Supports markdown format.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          assistant_session_report__md:
            title: Assistant Session Report Template
            description: The template used when generating an assistant session report. Supports markdown format.
            file: True
            global: True
            syntax: md
-            helplink: reports.html
+            helpLink: reports
        custom:
          generic_report1__md:
            title: Custom Report 1
@@ -384,63 +384,63 @@ sensoroni:
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report2__md:
            title: Custom Report 2
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report3__md:
            title: Custom Report 3
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report4__md:
            title: Custom Report 4
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report5__md:
            title: Custom Report 5
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report6__md:
            title: Custom Report 6
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report7__md:
            title: Custom Report 7
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report8__md:
            title: Custom Report 8
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          generic_report9__md:
            title: Custom Report 9
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
-            helpLink: reports.html
+            helpLink: reports
          addl_generic_report__md:
            title: Additional Custom Report
            description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
@@ -449,4 +449,4 @@ sensoroni:
            global: True
            syntax: md
            duplicates: True
-            helpLink: reports.html
+            helpLink: reports
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -5,7 +5,7 @@
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER -%}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
 {%   endif %}
 {% endfor %}
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1679,8 +1679,8 @@ soc:
      client:
        docsUrl: /docs/
        cheatsheetUrl: /docs/cheatsheet.pdf
-        releaseNotesUrl: /docs/release-notes.html
+        releaseNotesUrl: /docs/release-notes
-        apiTimeoutMs: 300000
+        apiTimeoutMs: 
        webSocketTimeoutMs: 15000
        tipTimeoutMs: 6000
        cacheExpirationMs: 300000
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
    - name: so-soc
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
    - binds:
      - /nsm/rules:/nsm/rules:rw
      - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,21 +63,27 @@ so-soc:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-    {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+    {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
      - {{ BINDING }}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_env %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_env %}
    - environment:
-    {%   for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-soc'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - file: /opt/so/conf/soc/*
--- a/salt/soc/files/soc/motd.md
+++ b/salt/soc/files/soc/motd.md
@@ -18,7 +18,7 @@ For more coverage of your enterprise, you can deploy the Elastic Agent to endpoi
 ## What's New 
-To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
+To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes) link.
 ## Security Onion Pro
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -6,7 +6,7 @@ soc:
    title: SOC Telemetry
    description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting.
    global: True
-    helpLink: telemetry.html
+    helpLink: telemetry
  files:
    soc:
      banner__md:
@@ -15,28 +15,28 @@ soc:
        file: True
        global: True
        syntax: md
-        helpLink: soc-customization.html
+        helpLink: security-onion-console-customization
      motd__md:
        title: Overview Page
        description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
        file: True
        global: True
        syntax: md
-        helpLink: soc-customization.html
+        helpLink: security-onion-console-customization
      custom__js:
        title: Custom Javascript
        description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
        file: True
        global: True
        advanced: True
-        helpLink: soc-customization.html
+        helpLink: security-onion-console-customization
      custom_roles:
        title: Custom Roles
        description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
        file: True
        global: True
        advanced: True
-        helpLink: soc-customization.html
+        helpLink: security-onion-console-customization
      sigma_final_pipeline__yaml:
        title: Final Sigma Pipeline
        description: Final Processing Pipeline for Sigma Rules.
@@ -44,7 +44,7 @@ soc:
        file: True
        global: True
        advanced: True
-        helpLink: soc-customization.html
+        helpLink: security-onion-console-customization
  config:
    licenseKey:
      title: License Key
@@ -183,7 +183,7 @@ soc:
      enableReverseLookup:
        description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state."
        global: True
-        helpLink: soc-customization.html#reverse-dns
+        helpLink: security-onion-console-customization#reverse-dns
      modules:
        elastalertengine:
          aiRepoUrl:
@@ -205,7 +205,7 @@ soc:
            title: "Notifications: Sev 0/Default Alerters"
            description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev0AlertersParams:
@@ -214,14 +214,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalSev1Alerters:
            title: "Notifications: Sev 1/Informational Alerters"
            description: "Specify specific alerters to use when alerting at the info severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev1AlertersParams:
@@ -230,14 +230,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalSev2Alerters:
            title: "Notifications: Sev 2/Low Alerters"
            description: "Specify specific alerters to use when alerting at the low severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev2AlertersParams:
@@ -246,14 +246,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalSev3Alerters:
            title: "Notifications: Sev 3/Medium Alerters"
            description: "Specify specific alerters to use when alerting at the medium severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev3AlertersParams:
@@ -262,14 +262,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalSev4Alerters:
            title: "Notifications: Sev 4/High Alerters"
            description: "Specify specific alerters to use when alerting at the high severity level or critical severity level. These alerters will be used unless overridden by critical severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev4AlertersParams:
@@ -278,14 +278,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalSev5Alerters:
            title: "Notifications: Sev 5/Critical Alerters"
            description: "Specify specific alerters to use when alerting at the critical severity level. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
            global: True
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: "[]string"
            multiline: True
          additionalSev5AlertersParams:
@@ -294,14 +294,14 @@ soc:
            global: True
            multiline: True
            syntax: yaml
-            helpLink: notifications.html
+            helpLink: notifications
            forcedType: string
            jinjaEscaped: True
          additionalUserDefinedNotifications:
            customAlerters:
              description: "Specify custom notification alerters to use when the Sigma rule contains the following tag: so.alerters.customAlerters. This setting can be duplicated to create new custom alerter configurations. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key."
              global: True
-              helpLink: notifications.html
+              helpLink: notifications
              forcedType: "[]string"
              duplicates: True
              multiline: True
@@ -310,7 +310,7 @@ soc:
              global: True
              multiline: True
              syntax: yaml
-              helpLink: notifications.html
+              helpLink: notifications
              duplicates: True
              forcedType: string
              jinjaEscaped: True
@@ -318,7 +318,7 @@ soc:
            default: &enabledSigmaRules
              description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
              global: True
-              helpLink: sigma.html
+              helpLink: sigma
              multiline: True
              syntax: yaml
              forcedType: string
@@ -330,7 +330,7 @@ soc:
              description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.'
              global: True
              advanced: True
-              helpLink: sigma.html
+              helpLink: sigma
            so-eval: *autoEnabledSigmaRules
            so-import: *autoEnabledSigmaRules
          autoUpdateEnabled:
@@ -341,7 +341,7 @@ soc:
            description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
            global: True
            advanced: True
-            helpLink: sigma.html
+            helpLink: sigma
          integrityCheckFrequencySeconds:
            description: 'How often the ElastAlert integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
            global: True
@@ -352,7 +352,7 @@ soc:
              global: True
              advanced: True
              forcedType: "[]{}"
-              helpLink: sigma.html
+              helpLink: sigma
              syntax: json
              uiElements:
              - field: rulesetName
@@ -375,7 +375,7 @@ soc:
            description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
            global: True
            advanced: False
-            helpLink: sigma.html
+            helpLink: sigma
        elastic:
          index:
            description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -484,12 +484,12 @@ soc:
            description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
            global: True
            advanced: True
-            helpLink: sigma.html
+            helpLink: sigma
          communityRulesImportFrequencySeconds:
            description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
            global: True
            advanced: True
-            helpLink: yara.html
+            helpLink: yara
          integrityCheckFrequencySeconds:
            description: 'How often the Strelka integrity checker runs (in seconds). This verifies the integrity of deployed rules.'
            global: True
@@ -500,7 +500,7 @@ soc:
              global: True
              advanced: True
              forcedType: "[]{}"
-              helpLink: yara.html
+              helpLink: yara
              syntax: json
              uiElements:
              - field: rulesetName
@@ -543,7 +543,7 @@ soc:
            description: 'How often to check for new Suricata rules (in seconds).'
            global: True
            advanced: True
-            helpLink: suricata.html
+            helpLink: suricata
          disableRegex:
            description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content.
            global: True
@@ -562,20 +562,20 @@ soc:
            advanced: True
            forcedType: "[]{}"
            readonly: True
-            helpLink: suricata.html
+            helpLink: suricata
          ignoredSidRanges:
            description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
            global: True
            advanced: True
            forcedType: "[]string"
-            helpLink: detections.html#rule-engine-status
+            helpLink: detections#rule-engine-status
          rulesetSources:
            default: &serulesetSources
              description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting."
              global: True
              advanced: False
              forcedType: "[]{}"
-              helpLink: suricata.html
+              helpLink: suricata
              syntax: json
              uiElements:
              - field: name
@@ -631,11 +631,11 @@ soc:
          intervalMinutes:
            description: How often to generate the Navigator Layers. (minutes)
            global: True
-            helpLink: attack-navigator.html
+            helpLink: attack-navigator
          lookbackDays:
            description: How far back to search for ATT&CK-tagged alerts. (days)
            global: True
-            helpLink: attack-navigator.html
+            helpLink: attack-navigator
        playbook:
          playbookRepos:
            default: &pbRepos
@@ -670,7 +670,7 @@ soc:
            global: True
            advanced: True
            forcedType: "[]{}"
-            helpLink: assistant.html
+            helpLink: onion-ai
            syntax: json
            uiElements:
            - field: name
@@ -735,7 +735,7 @@ soc:
            global: True
            advanced: True
            forcedType: "[]{}"
-            helpLink: assistant.html
+            helpLink: onion-ai
            syntax: json
            uiElements:
            - field: id
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,29 +18,35 @@ strelka_backend:
    - binds:
      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
      - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
-      {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-backend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
    - command: strelka-backend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-backend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: on-failure
    - watch:
      - file: strelkasensorcompiledrules
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,32 +18,38 @@ strelka_coordinator:
    - name: so-strelka-coordinator
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
    - entrypoint: redis-server --save "" --appendonly no
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-  {% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
+  {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    - binds:
      - /nsm/strelka/coord-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -47,12 +47,6 @@ filestream_config:
        FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
 # Filecheck Section
 {% if GLOBALS.os_family == 'Debian' %}
 install_watchdog:
  pkg.installed:
    - name: python3-watchdog
 {% elif GLOBALS.os_family == 'RedHat' %}
 remove_old_watchdog:
  pkg.removed:
    - name: python3-watchdog
@@ -60,7 +54,6 @@ remove_old_watchdog:
 install_watchdog:
  pkg.installed:
    - name: securityonion-python39-watchdog
 {% endif %}
 filecheck_logdir:
  file.directory:
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,29 +18,35 @@ strelka_filestream:
    - binds:
      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
      - /nsm/strelka:/nsm/strelka
-      {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-filestream
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
    - command: strelka-filestream
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-filestream'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: filestream_config
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,8 +18,8 @@ strelka_frontend:
    - binds:
      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
      - /nsm/strelka/log/:/var/log/strelka/:rw
-      {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
@@ -27,25 +27,31 @@ strelka_frontend:
    - name: so-strelka-frontend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
    - command: strelka-frontend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: frontend_config
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
    - name: so-strelka-gatekeeper
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
    - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /nsm/strelka/gk-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-strelka-gatekeeper_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -17,29 +17,35 @@ strelka_manager:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
    - binds:
      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
-      {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-manager
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
    - command: strelka-manager
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-   {% if DOCKER.containers['so-strelka-manager'].extra_env %}
+   {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: manager_config
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -2,73 +2,73 @@ strelka:
  backend:
    enabled: 
      description: Enables or disables the Strelka file analysis process.
-      helpLink: strelka.html
+      helpLink: strelka
    config:
      backend:
        logging_cfg:
          description: Path to the Python logging configuration.
          readonly: True
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        limits:
          max_files:
            description: Number of files the backend will process before shutting down.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
          time_to_live: 
            description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable).
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
          max_depth: 
            description: Maximum depth that extracted files will be processed by the backend.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
          distribution: 
            description: Amount of time (in seconds) that a single file can be distributed to all scanners.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
          scanner: 
            description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner).
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
        coordinator:
          addr:
            description: Network address of the coordinator.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
          db:
            description: Redis database of the coordinator.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
        tasting:
          mime_db:
            description: Location of the MIME database used to taste files.
            readonly: True
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
          yara_rules:
            description: Location of the directory of YARA files that contains rules used to taste files.
            readonly: True
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
        scanners:
          'ScanBase64PE': &scannerOptions
            description: Configuration options for this scanner.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
            forcedType: "[]{}"
            syntax: json
@@ -139,7 +139,7 @@ strelka:
          description: This is an advanced option for Strelka logging.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        formatters:
          simple:
@@ -147,13 +147,13 @@ strelka:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
            datefmt:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
        handlers:
          console:
@@ -161,32 +161,32 @@ strelka:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
            formatter:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
            stream:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
        root:
          level:
            description: This is an advanced option for Strelka logging.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
          handlers:
            description: This is an advanced option for Strelka logging.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
        loggers:
          OpenSSL:
@@ -194,425 +194,425 @@ strelka:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          bs4:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          bz2:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          chardet:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          docx:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          elftools:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          email:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          entropy:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          esprima:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          gzip:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          hashlib:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          json:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          libarchive:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          lxml:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          lzma:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          macholibre:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          olefile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          oletools:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          pdfminer:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          pefile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          pgpdump:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          pygments:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          pylzma:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          rarfile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          requests:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          rpmfile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          ssdeep:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          tarfile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          tnefparse:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          yara:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          zipfile:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
          zlib:
            propagate:
              description: This is an advanced option for Strelka logging.
              readonly: False
              global: False
-              helpLink: strelka.html
+              helpLink: strelka
              advanced: True
      passwords:
        description: Passwords that will be stored in the password_file used in scanner options.
        readonly: False
        global: False
-        helpLink: strelka.html
+        helpLink: strelka
        multiline: True
  filestream:
    enabled: 
      description: You can enable or disable Strelka filestream.
-      helpLink: strelka.html
+      helpLink: strelka
    config:
      conn:
        server: 
          description: Network address of the frontend server.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        cert:
          description: Local path to the frontend SSL server certificate.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        timeout:
          dial:
            description: Amount of time to wait for the client to dial the server.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
          file:
            description: Amount of time to wait for an individual file to complete a scan.
            readonly: False
            global: False
-            helpLink: strelka.html
+            helpLink: strelka
            advanced: True
      throughput:
        concurrency:
          description: Number of concurrent requests to make.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        chunk:
          description: Size of file chunks that will be sent to the frontend server.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        delay:
          description: Artificial sleep between the submission of each chunk.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
      files:
        patterns:
          description: List of glob patterns that determine which files will be sent for scanning.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        delete:
          description: Boolean that determines if files should be deleted after being sent for scanning.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        gatekeeper:
          description: Boolean that determines if events should be pulled from the temporary event cache.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        processed:
          description: Directory where files will be moved after being submitted for scanning.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
      response:
        report:
          description: Frequency at which the frontend reports the number of files processed.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
      delta:
        description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning.
        readonly: False
        global: False
-        helpLink: strelka.html
+        helpLink: strelka
        advanced: True
      staging:
        description: Directory where files are staged before being sent to the cluster.
        readonly: False
        global: False
-        helpLink: strelka.html
+        helpLink: strelka
        advanced: True
  frontend:
    enabled: 
      description: You can enable or disable Strelka frontend.
-      helpLink: strelka.html
+      helpLink: strelka
    config:
      server:
        description: Network address of the frontend server.
        readonly: False
        global: False
-        helpLink: strelka.html
+        helpLink: strelka
        advanced: True
      coordinator:
        addr:
          description: Network address of the coordinator.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        db:
          description: Redis database of the coordinator.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
      gatekeeper:
        addr:
          description: Network address of the gatekeeper.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        db:
          description: Redis database of the gatekeeper.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        ttl:
          description: Time-to-live for events added to the gatekeeper.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
      response:
        log:
          description: Location where worker scan results are logged to.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
  manager:
    enabled: 
      description: You can enable or disable Strelka manager.
-      helpLink: strelka.html
+      helpLink: strelka
    config:
      coordinator:
        addr:
          description: Network address of the coordinator.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
        db:
          description: Redis database of the coordinator.
          readonly: False
          global: False
-          helpLink: strelka.html
+          helpLink: strelka
          advanced: True
  coordinator:
    enabled: 
      description: You can enable or disable Strelka coordinator.
-      helpLink: strelka.html
+      helpLink: strelka
  gatekeeper:
    enabled: 
      description: You can enable or disable Strelka gatekeeper.
-      helpLink: strelka.html
+      helpLink: strelka
  rules:
    enabled:
      description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
      readonly: False
      global: False
-      helpLink: strelka.html
+      helpLink: strelka
      advanced: False
  filecheck:
    historypath:
      description: The path for previously scanned files.
      readonly: True
      global: False
-      helpLink: strelka.html
+      helpLink: strelka
      advanced: True
    strelkapath:
      description: The path for unprocessed files.
      readonly: True
      global: False
-      helpLink: strelka.html
+      helpLink: strelka
      advanced: True
    logfile:
      description: The path for the filecheck log.
      readonly: False
      global: False
-      helpLink: strelka.html
+      helpLink: strelka
      advanced: True
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,16 +20,15 @@ so-suricata:
    - privileged: True
    - environment:
      - INTERFACE={{ GLOBALS.sensor.interface }}
-      {% if DOCKER.containers['so-suricata'].extra_env %}
+      {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
+    {% if DOCKERMERGED.containers['so-suricata'].ulimits %}
    {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
+    {%   for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
-      - {{ ULIMIT }}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - binds:
@@ -42,15 +41,15 @@ so-suricata:
      - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - network_mode: host
-    {% if DOCKER.containers['so-suricata'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
--- a/salt/suricata/rules/.gitkeep
+++ b/salt/suricata/rules/.gitkeep
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -1,7 +1,7 @@
 suricata:
  enabled: 
    description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
-    helpLink: suricata.html
+    helpLink: suricata
  thresholding:
    sids__yaml:
      description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules.
@@ -10,7 +10,7 @@ suricata:
      global: True
      multiline: True
      title: SIDS
-      helpLink: suricata.html
+      helpLink: suricata
      readonlyUi: True
      advanced: True
  classification:
@@ -20,64 +20,64 @@ suricata:
      global: True
      multiline: True
      title: Classifications
-      helpLink: suricata.html
+      helpLink: suricata
  pcap:
    enabled:
      description: Enables or disables the Suricata packet recording process.
      forcedType: bool
-      helpLink: suricata.html
+      helpLink: suricata
    filesize: 
      description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
      advanced: True
-      helpLink: suricata.html 
+      helpLink: suricata 
    maxsize:
      description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
-      helpLink: suricata.html
+      helpLink: suricata
    compression: 
      description: Enable compression of Suricata PCAP files.
      advanced: True
-      helpLink: suricata.html
+      helpLink: suricata
    lz4-checksum: 
      description: Enable PCAP lz4 checksum.
      advanced: True
-      helpLink: suricata.html
+      helpLink: suricata
    lz4-level: 
      description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
      advanced: True
-      helpLink: suricata.html
+      helpLink: suricata
    filename:
      description: Filename output for Suricata PCAP files.
      advanced: True
      readonly: True
-      helpLink: suricata.html
+      helpLink: suricata
    mode: 
      description: Suricata PCAP mode. Currently only multi is supported.
      advanced: True
      readonly: True
-      helpLink: suricata.html
+      helpLink: suricata
    use-stream-depth: 
      description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
      advanced: True
      regex: ^(yes|no)$
      regexFailureMessage: You must enter either yes or no.
-      helpLink: suricata.html
+      helpLink: suricata
    conditional: 
      description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
      regex: ^(all|alerts|tag)$
      regexFailureMessage: You must enter either all, alert or tag.
-      helpLink: suricata.html
+      helpLink: suricata
    dir:
      description: Parent directory to store PCAP.
      advanced: True
      readonly: True
-      helpLink: suricata.html
+      helpLink: suricata
  config:
    af-packet:
      interface:
        description: The network interface that Suricata will monitor. This is set under sensor > interface.
        advanced: True
        readonly: True
-        helpLink: suricata.html
+        helpLink: suricata
      cluster-id:
        advanced: True
      cluster-type:
@@ -93,10 +93,10 @@ suricata:
        description: Prevent swapping by locking the memory map.
        advanced: True
        regex: ^(yes|no)$
-        helpLink: suricata.html
+        helpLink: suricata
      threads:
        description: The amount of worker threads.
-        helpLink: suricata.html
+        helpLink: suricata
        forcedType: int
      tpacket-v3:
        advanced: True
@@ -104,54 +104,54 @@ suricata:
      ring-size:
        description: Buffer size for packets per thread.
        forcedType: int
-        helpLink: suricata.html
+        helpLink: suricata
      block-size:
        description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size.
        advanced: True
        forcedType: int
-        helpLink: suricata.html
+        helpLink: suricata
      block-timeout:
        description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace.
        advanced: True
        forcedType: int
-        helpLink: suricata.html
+        helpLink: suricata
      use-emergency-flush:
        description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected.
        advanced: True
        regex: ^(yes|no)$
-        helpLink: suricata.html
+        helpLink: suricata
      buffer-size:
        description: Increasing the value of the receive buffer may improve performance.
        advanced: True
        forcedType: int
-        helpLink: suricata.html
+        helpLink: suricata
      disable-promisc:
        description: Promiscuous mode can be disabled by setting this to "yes".
        advanced: True
        regex: ^(yes|no)$
-        helpLink: suricata.html
+        helpLink: suricata
      checksum-checks:
        description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading."
        advanced: True
        regex: ^(kernel|yes|no|auto)$
-        helpLink: suricata.html
+        helpLink: suricata
    threading:
      set-cpu-affinity:
        description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
        regex: ^(yes|no)$
        regexFailureMessage: You must enter either yes or no.
-        helpLink: suricata.html
+        helpLink: suricata
      cpu-affinity:
        management-cpu-set:
          cpu:
            description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
            forcedType: "[]string"
-            helpLink: suricata.html
+            helpLink: suricata
        worker-cpu-set:
          cpu:
            description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
            forcedType: "[]string"
-            helpLink: suricata.html
+            helpLink: suricata
    vars:
      address-groups:
        HOME_NET: 
@@ -160,12 +160,12 @@ suricata:
          regexFailureMessage: You must enter a valid IP address or CIDR.
          forcedType: "[]string"
          duplicates: True
-          helpLink: suricata.html
+          helpLink: suricata
        EXTERNAL_NET: &suriaddressgroup
          description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
          forcedType: "[]string"
          duplicates: True
-          helpLink: suricata.html
+          helpLink: suricata
        HTTP_SERVERS: *suriaddressgroup
        SMTP_SERVERS: *suriaddressgroup
        SQL_SERVERS: *suriaddressgroup
@@ -184,7 +184,7 @@ suricata:
          description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
          forcedType: "[]string"
          duplicates: True
-          helpLink: suricata.html
+          helpLink: suricata
        SHELLCODE_PORTS: *suriportgroup
        ORACLE_PORTS: *suriportgroup
        SSH_PORTS: *suriportgroup
@@ -203,104 +203,104 @@ suricata:
            xff:
              enabled:
                description: Enable X-Forward-For support.
-                helpLink: suricata.html
+                helpLink: suricata
              mode:
                description: Operation mode. This should always be extra-data if you use PCAP.
-                helpLink: suricata.html
+                helpLink: suricata
              deployment:
                description: forward would use the first IP address and reverse would use the last.
-                helpLink: suricata.html
+                helpLink: suricata
              header:
                description: Header name where the actual IP address will be reported.
-                helpLink: suricata.html
+                helpLink: suricata
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
-      helpLink: suricata.html
+      helpLink: suricata
    max-pending-packets:
      description: Number of packets preallocated per thread.
-      helpLink: suricata.html
+      helpLink: suricata
    default-packet-size:
      description: Preallocated size for each packet.
-      helpLink: suricata.html
+      helpLink: suricata
    pcre:
      match-limit:
        description: Match limit for PCRE.
-        helpLink: suricata.html
+        helpLink: suricata
      match-limit-recursion:
        description: Recursion limit for PCRE.
-        helpLink: suricata.html
+        helpLink: suricata
    defrag:
      memcap: 
        description: Max memory to use for defrag. You should only change this if you know what you are doing.
-        helpLink: suricata.html
+        helpLink: suricata
      hash-size: 
        description: Hash size
-        helpLink: suricata.html
+        helpLink: suricata
      trackers: 
        description: Number of defragmented flows to follow.
-        helpLink: suricata.html
+        helpLink: suricata
      max-frags: 
        description: Max number of fragments to keep
-        helpLink: suricata.html
+        helpLink: suricata
      prealloc: 
        description: Preallocate memory.
-        helpLink: suricata.html
+        helpLink: suricata
      timeout:    
        description: Timeout value.
-        helpLink: suricata.html
+        helpLink: suricata
    flow:
      memcap: 
        description: Reserverd memory for flows.
-        helpLink: suricata.html
+        helpLink: suricata
      hash-size: 
        description: Determines the size of the hash used to identify flows inside the engine.
-        helpLink: suricata.html
+        helpLink: suricata
      prealloc: 
        description: Number of preallocated flows.
-        helpLink: suricata.html
+        helpLink: suricata
    stream:
      memcap: 
        description: Can be specified in kb,mb,gb.
-        helpLink: suricata.html
+        helpLink: suricata
      checksum-validation:
        description: Validate checksum of packets.
-        helpLink: suricata.html
+        helpLink: suricata
      reassembly:
        memcap:
          description: Can be specified in kb,mb,gb.
-          helpLink: suricata.html
+          helpLink: suricata
        depth:
          description: Controls how far into a stream that reassembly is done.  
-          helpLink: suricata.html
+          helpLink: suricata
    host:
      hash-size:
        description: Hash size in bytes.
-        helpLink: suricata.html
+        helpLink: suricata
      prealloc:
        description: How many streams to preallocate.
-        helpLink: suricata.html
+        helpLink: suricata
      memcap:
        description: Memory settings for host.
-        helpLink: suricata.html
+        helpLink: suricata
    decoder:
      teredo:
        enabled:
          description: Enable TEREDO capabilities
-          helpLink: suricata.html
+          helpLink: suricata
        ports:
          description: Ports to listen for. This should be a variable.
-          helpLink: suricata.html
+          helpLink: suricata
      vxlan:
        enabled:
          description: Enable VXLAN capabilities.
-          helpLink: suricata.html
+          helpLink: suricata
        ports: 
          description: Ports to listen for. This should be a variable.    
-          helpLink: suricata.html
+          helpLink: suricata
      geneve:
        enabled:
          description: Enable VXLAN capabilities.
-          helpLink: suricata.html
+          helpLink: suricata
        ports: 
          description: Ports to listen for. This should be a variable.    
-          helpLink: suricata.html
+          helpLink: suricata
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 include:
@@ -25,8 +25,8 @@ so-telegraf:
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
      - GODEBUG=x509ignoreCN=0
-      {% if DOCKER.containers['so-telegraf'].extra_env %}
+      {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -55,17 +55,23 @@ so-telegraf:
      {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
      - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
      {% endif %}
-      {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-telegraf'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - x509: telegraf_crt
--- a/salt/telegraf/soc_telegraf.yaml
+++ b/salt/telegraf/soc_telegraf.yaml
@@ -2,54 +2,54 @@ telegraf:
  enabled: 
    description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
    advanced: True
-    helpLink: influxdb.html
+    helpLink: influxdb
  config:
    interval:
      description: Data collection interval.
      global: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    metric_batch_size: 
      description: Data collection batch size.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    metric_buffer_limit:
      description: Data collection buffer size.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    collection_jitter: 
      description: Jitter of the flush interval.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    flush_interval:
      description: Flush interval for all outputs.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    flush_jitter: 
      description: Jitter the flush interval.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    debug: 
      description: Data collection interval.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    quiet: 
      description: Data collection interval.
      global: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
  scripts:
    eval: &telegrafscripts
      description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
      forcedType: "[]string"
      multiline: True
      advanced: True
-      helpLink: influxdb.html
+      helpLink: influxdb
    standalone: *telegrafscripts
    manager: *telegrafscripts
    managersearch: *telegrafscripts
--- a/salt/telegraf/ssl.sls
+++ b/salt/telegraf/ssl.sls
@@ -46,17 +46,6 @@ telegraf_key_perms:
    - mode: 640
    - group: 939
 {%   if not GLOBALS.is_manager %}
 {# Prior to 2.4.210, minions used influxdb.crt and key for telegraf #}
 remove_influxdb.crt:
  file.absent:
    - name: /etc/pki/influxdb.crt
 remove_influxdb.key:
  file.absent:
    - name: /etc/pki/influxdb.key
 {%   endif %}
 {% else %}
 {{sls}}_state_not_allowed:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mike Reeves	d3938b61d2	ja4plus nest enabled under ja4plus key for defaults	2026-03-19 12:39:37 -04:00
Mike Reeves	83b7fecbbc	ja4plus cleanup	2026-03-19 11:12:24 -04:00
Mike Reeves	d227cf71c8	ja4plus cleanup	2026-03-19 11:01:40 -04:00
Josh Patterson	020b9db610	Merge pull request #15641 from Security-Onion-Solutions/delta Support docker ulimit customization	2026-03-19 09:46:33 -04:00
Josh Patterson	cceaebe350	remove restriction of mmap locked on suricata ulimits	2026-03-19 09:42:39 -04:00
Josh Patterson	a982056363	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 15:45:15 -04:00
Josh Patterson	db81834e06	fix indentation to match prior indentation	2026-03-18 15:44:49 -04:00
Jason Ertel	318e4ec54b	Merge pull request #15643 from Security-Onion-Solutions/jertel/wip fix casing to match annotation docs	2026-03-18 15:36:47 -04:00
Jorge Reyes	20bf05e9f3	Merge pull request #15644 from Security-Onion-Solutions/reyesj2-361 fix so-idh and so-redis datastream config	2026-03-18 14:36:17 -05:00
Josh Patterson	4254769e68	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 15:32:52 -04:00
reyesj2	c16ff2bd99	so-idh and so-redis datastream config	2026-03-18 14:31:23 -05:00
Jason Ertel	0c88b32fc2	fix casing to match annotation docs	2026-03-18 15:31:19 -04:00
Josh Patterson	0814f34f0e	don't define zeek nofile, already uses docker default	2026-03-18 13:13:06 -04:00
Jason Ertel	b6366e52ba	Merge pull request #15642 from Security-Onion-Solutions/jertel/wip more doc updates	2026-03-18 13:09:36 -04:00
Jason Ertel	825f377d2d	more doc updates	2026-03-18 13:05:36 -04:00
Josh Patterson	74ad2990a7	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 13:05:02 -04:00
Josh Patterson	738ce62d35	Merge pull request #15640 from Security-Onion-Solutions/customulimit ensure valid ulimit names	2026-03-18 12:51:15 -04:00
Josh Patterson	057ec6f0f1	ensure valid ulimit names	2026-03-18 12:49:46 -04:00
Jorge Reyes	20c4da50b1	Merge pull request #15632 from Security-Onion-Solutions/reyesj2-15601 fix global override settings affecting non-data stream indices	2026-03-18 10:51:17 -05:00
Jason Ertel	5fb396fc09	Merge pull request #15637 from Security-Onion-Solutions/jertel/wip ignore redis restart warning in logstash log	2026-03-18 11:13:00 -04:00
Josh Patterson	a0b1e31717	Merge pull request #15638 from Security-Onion-Solutions/customulimit remove .jinja from daemon.json	2026-03-18 11:09:41 -04:00
Josh Patterson	cacae12ba3	remove .jinja from daemon.json	2026-03-18 11:08:33 -04:00
Jason Ertel	83bd8a025c	ignore redis restart warning in logstash log	2026-03-18 10:59:20 -04:00
Josh Patterson	2a271b950b	Merge pull request #15636 from Security-Onion-Solutions/customulimit Customulimit	2026-03-18 10:42:19 -04:00
Josh Patterson	e19e83bebb	allow user defined ulimits	2026-03-18 10:38:15 -04:00
Doug Burks	066918e27d	Merge pull request #15634 from Security-Onion-Solutions/dougburks-3dev update helpLink references for new documentation	2026-03-18 10:01:43 -04:00
Doug Burks	930985b770	update helpLink references for new documentation	2026-03-18 09:46:45 -04:00
Jorge Reyes	346dc446de	Merge pull request #15630 from Security-Onion-Solutions/reyesj2-449 use elasticsearch recommended vm.max_map_count	2026-03-17 15:36:06 -05:00
reyesj2	7e7b8dc8a8	vm.max_map_count allow for minion specific values	2026-03-17 15:23:46 -05:00
Josh Patterson	341471d38e	DOCKER to DOCKERMERGED	2026-03-17 16:19:36 -04:00
Josh Patterson	2349750e13	DOCKER to DOCKERMERGED	2026-03-17 16:19:02 -04:00
reyesj2	2c6c502067	use elasticsearch recommended vm.max_map_count	2026-03-17 15:12:29 -05:00
Josh Patterson	00986dc2fd	Merge remote-tracking branch 'origin/delta' into customulimit	2026-03-17 16:04:09 -04:00
Josh Patterson	d60bef1371	add spft/hard ulimits	2026-03-17 16:00:09 -04:00
Josh Patterson	5806a85214	Merge pull request #15629 from Security-Onion-Solutions/ulimits Add customizable ulimit settings for all Docker containers	2026-03-17 15:14:31 -04:00
Mike Reeves	2d97dfc8a1	Add customizable ulimit settings for all Docker containers Add ulimits as a configurable advanced setting for every container, allowing customization through the web UI. Move hardcoded ulimits from elasticsearch and zeek into defaults.yaml and fix elasticsearch ulimits that were incorrectly nested under the environment key. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 15:10:42 -04:00
Josh Patterson	d6263812a6	move daemon.json to docker/files	2026-03-17 15:09:09 -04:00
Josh Patterson	ef7d1771ab	DOCKER TO DOCKERMERGED	2026-03-17 15:08:10 -04:00
Josh Patterson	4dc377c99f	DOCKER to DOCKERMERGED	2026-03-17 15:06:06 -04:00
reyesj2	a52e5d0474	update index template priorities + explicity add datastream config options	2026-03-17 13:50:15 -05:00
reyesj2	1a943aefc5	rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices	2026-03-17 13:49:20 -05:00
Mike Reeves	4bb61d999d	Merge pull request #15628 from Security-Onion-Solutions/zeekload Add salt states for custom Zeek package loading	2026-03-17 13:40:14 -04:00
Josh Patterson	d2d2f0cb5f	Merge pull request #15627 from Security-Onion-Solutions/delta old code cleanup. add ja4 toggle in soc.	2026-03-17 13:24:59 -04:00
Josh Patterson	7bf63b822d	replace placeholder files with .gitkeep to keep empty directories	2026-03-17 11:40:49 -04:00
Josh Patterson	1a7d72c630	ensure empty directory tracked by git	2026-03-17 11:11:02 -04:00
Josh Patterson	4224713cc6	Merge pull request #15624 from Security-Onion-Solutions/moreja Add SOC UI toggle for JA4+ fingerprinting	2026-03-17 09:44:04 -04:00
Mike Reeves	b452e70419	Keep JA4S_raw and JA4H_raw hardcoded to disabled	2026-03-17 09:37:37 -04:00
Mike Reeves	6809497730	Add SOC UI toggle for JA4+ fingerprinting in Zeek JA4 (BSD licensed) remains always enabled, but JA4+ variants (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X) require a FoxIO license and are now toggleable via the SOC UI. The toggle includes a license agreement warning and defaults to disabled.	2026-03-17 09:35:31 -04:00
reyesj2	eaf3f10adc	remove unused close/delete configs on datastream index templates	2026-03-16 17:26:45 -05:00
reyesj2	84f4e460f6	update index patterns	2026-03-16 16:53:22 -05:00
reyesj2	88841c9814	remove ilm configs from non-datastream indices	2026-03-16 16:52:42 -05:00
Josh Patterson	744d8fdd5e	Merge pull request #15620 from Security-Onion-Solutions/mreeves/remove-non-oracle9-salt Remove non-Oracle Linux 9 support from salt states	2026-03-16 17:10:24 -04:00
Josh Patterson	6feb06e623	cleanup preflight	2026-03-16 17:02:36 -04:00
Mike Reeves	afc14ec29d	Remove non-Oracle Linux 9 support from salt states Simplifies salt states, map files, and modules to only support Oracle Linux 9, removing all Debian/Ubuntu/CentOS/Rocky/AlmaLinux/RHEL conditional branches.	2026-03-16 16:58:39 -04:00
Josh Patterson	59134c65d0	Merge pull request #15619 from Security-Onion-Solutions/mreeves/remove-non-oracle9-support Remove support for non-Oracle Linux 9 operating systems	2026-03-16 16:55:59 -04:00
Josh Patterson	614537998a	remove curator.disabled from top	2026-03-16 16:44:11 -04:00
Mike Reeves	d2cee468a0	Remove support for non-Oracle Linux 9 operating systems Security Onion now exclusively supports Oracle Linux 9. This removes detection, setup, and update logic for Ubuntu, Debian, CentOS, Rocky, AlmaLinux, and RHEL.	2026-03-16 16:44:07 -04:00
Josh Patterson	94f454c311	cleanup file.absent	2026-03-16 15:57:15 -04:00
Josh Patterson	17881c9a36	cleanup highlander	2026-03-16 15:56:16 -04:00