From 2c8a930d897652091ecf03009ffd27ef6a39557f Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 29 Nov 2021 09:49:05 -0500
Subject: [PATCH 01/98] Initial CM

---
 config/clientparameters.go                    |   5 +
 config/clientparameters_test.go               |  29 +-
 html/css/app.css                              |  14 +
 html/index.html                               | 210 +++++++++++-
 html/js/app.js                                |  11 +-
 html/js/app.test.js                           |  22 ++
 html/js/i18n.js                               |  47 ++-
 html/js/routes/case.js                        | 265 +++++++++++++++
 html/js/routes/case.test.js                   | 314 ++++++++++++++++++
 html/js/routes/hunt.js                        |  39 ++-
 html/js/routes/hunt.test.js                   |  50 +++
 html/js/routes/job.js                         |   4 +-
 html/js/routes/jobs.js                        |   6 +-
 html/js/test_common.js                        |  41 +++
 model/case.go                                 |  48 ++-
 model/event.go                                |  19 +-
 model/query.go                                |  76 ++++-
 model/query_test.go                           |  22 ++
 server/casehandler.go                         | 115 ++++++-
 server/casestore.go                           |   9 +
 server/eventstore.go                          |   6 +-
 server/eventstore_fake.go                     |  78 +++++
 server/modules/elastic/converter.go           | 240 +++++++++++--
 server/modules/elastic/converter_test.go      | 164 ++++++++-
 server/modules/elastic/elastic.go             |  19 ++
 server/modules/elastic/elastic_test.go        |  42 ++-
 server/modules/elastic/elasticcasestore.go    | 284 ++++++++++++++++
 .../modules/elastic/elasticcasestore_test.go  | 300 +++++++++++++++++
 server/modules/elastic/elasticeventstore.go   |  85 ++++-
 .../elasticcases/elasticcaseconverter.go      |   6 +-
 .../elasticcases/elasticcaseconverter_test.go |   8 +-
 .../modules/elasticcases/elasticcasestore.go  |  33 ++
 .../generichttp/generichttpreader_test.go     |   8 +-
 server/modules/generichttp/httpcasestore.go   |  32 ++
 server/modules/thehive/thehivecasestore.go    |  33 ++
 server/modules/thehive/thehiveconverter.go    |  13 +-
 server/queryhandler.go                        |   3 +
 server/server.go                              |   2 +-
 38 files changed, 2582 insertions(+), 120 deletions(-)
 create mode 100644 html/js/routes/case.js
 create mode 100644 html/js/routes/case.test.js
 create mode 100644 server/eventstore_fake.go
 create mode 100644 server/modules/elastic/elasticcasestore.go
 create mode 100644 server/modules/elastic/elasticcasestore_test.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 0fcc73c1..dc8351ae 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -19,6 +19,7 @@ const DEFAULT_MOST_RECENTLY_USED_LIMIT = 5
 type ClientParameters struct {
 	HuntingParams      HuntingParameters `json:"hunt"`
 	AlertingParams     HuntingParameters `json:"alerts"`
+	CasesParams        HuntingParameters `json:"cases"`
 	JobParams          HuntingParameters `json:"job"`
 	DocsUrl            string            `json:"docsUrl"`
 	CheatsheetUrl      string            `json:"cheatsheetUrl"`
@@ -39,6 +40,9 @@ func (config *ClientParameters) Verify() error {
 	if err := config.AlertingParams.Verify(); err != nil {
 		return err
 	}
+	if err := config.CasesParams.Verify(); err != nil {
+		return err
+	}
 	return config.JobParams.Verify()
 }
 
@@ -97,6 +101,7 @@ type HuntingParameters struct {
 	Advanced              bool                `json:"advanced"`
 	AckEnabled            bool                `json:"ackEnabled"`
 	EscalateEnabled       bool                `json:"escalateEnabled"`
+	ViewEnabled           bool                `json:"viewEnabled"`
 }
 
 type GridParameters struct {
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index bf88961e..db839e07 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -19,23 +19,28 @@ import (
 func TestVerifyClientParameters(tester *testing.T) {
 	params := &ClientParameters{}
 	err := params.Verify()
-	if assert.Nil(tester, err) {
-		assert.Zero(tester, params.WebSocketTimeoutMs)
-		assert.Zero(tester, params.TipTimeoutMs)
-		assert.Zero(tester, params.ApiTimeoutMs)
-		assert.Zero(tester, params.CacheExpirationMs)
-	}
+	assert.Nil(tester, err)
+	assert.Zero(tester, params.WebSocketTimeoutMs)
+	assert.Zero(tester, params.TipTimeoutMs)
+	assert.Zero(tester, params.ApiTimeoutMs)
+	assert.Zero(tester, params.CacheExpirationMs)
+	verifyInitialHuntingParams(tester, &params.HuntingParams)
+	verifyInitialHuntingParams(tester, &params.AlertingParams)
+	verifyInitialHuntingParams(tester, &params.CasesParams)
 }
 
 func TestVerifyHuntingParams(tester *testing.T) {
 	params := &HuntingParameters{}
 	err := params.Verify()
-	if assert.Nil(tester, err) {
-		assert.Equal(tester, DEFAULT_GROUP_FETCH_LIMIT, params.GroupFetchLimit)
-		assert.Equal(tester, DEFAULT_EVENT_FETCH_LIMIT, params.EventFetchLimit)
-		assert.Equal(tester, DEFAULT_RELATIVE_TIME_VALUE, params.RelativeTimeValue)
-		assert.Equal(tester, DEFAULT_RELATIVE_TIME_UNIT, params.RelativeTimeUnit)
-	}
+	assert.Nil(tester, err)
+	verifyInitialHuntingParams(tester, params)
+}
+
+func verifyInitialHuntingParams(tester *testing.T, params *HuntingParameters) {
+	assert.Equal(tester, DEFAULT_GROUP_FETCH_LIMIT, params.GroupFetchLimit)
+	assert.Equal(tester, DEFAULT_EVENT_FETCH_LIMIT, params.EventFetchLimit)
+	assert.Equal(tester, DEFAULT_RELATIVE_TIME_VALUE, params.RelativeTimeValue)
+	assert.Equal(tester, DEFAULT_RELATIVE_TIME_UNIT, params.RelativeTimeUnit)
 }
 
 func TestCombineEmptyDeprecatedLinkIntoEmptyLinks(tester *testing.T) {
diff --git a/html/css/app.css b/html/css/app.css
index 54b34a2e..3694a2c3 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -164,6 +164,20 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   white-space: nowrap;
 }
 
+.case.label {
+  display: inline-block;
+  padding-right: 10px;
+  width: 15%;
+  text-align: right;
+  white-space: nowrap;
+}
+
+.case.value {
+  text-align: left;
+  font-weight: bold;
+  white-space: wrap;
+}
+
 td {
   white-space: nowrap;
 }
diff --git a/html/index.html b/html/index.html
index eaa1c053..e6a26b91 100644
--- a/html/index.html
+++ b/html/index.html
@@ -56,6 +56,14 @@
               <v-list-item-title v-text="i18n.hunt"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
+          <v-list-item @click="" to="/cases">
+            <v-list-item-action>
+              <v-icon>fa-briefcase</v-icon>
+            </v-list-item-action>
+            <v-list-item-content>
+              <v-list-item-title v-text="i18n.cases"></v-list-item-title>
+            </v-list-item-content>
+          </v-list-item>
           <v-list-item @click="" to="/jobs">
             <v-list-item-action>
               <v-icon>fa-stream</v-icon>
@@ -391,7 +399,7 @@ <h5>
             </v-btn>
           </v-col>
         </v-row>
-        <v-row v-if="loaded && (queryFilters.length > 0 || queryGroupBys.length > 0)">
+        <v-row v-if="loaded && (queryFilters.length > 0 || queryGroupBys.length > 0 || querySortBys.length > 0)">
           <v-col cols="12">
             <span v-for="filter in queryFilters" :key="filter">
               <v-chip class="filter mx-1 my-1" color="primary" close @click:close="removeFilter(filter)">{{ filter }}</v-chip>
@@ -399,6 +407,9 @@ <h5>
             <span v-for="groupBy in queryGroupBys" :key="groupBy">
               <v-chip class="groupBy mx-1 my-1" color="accent" close @click:close="removeGroupBy(groupBy)">{{ i18n.groupedBy }} {{ groupBy }}</v-chip>
             </span>
+            <span v-for="sortBy in querySortBys" :key="sortBy">
+              <v-chip class="sortBy mx-1 my-1" color="secondary" close @click:close="removeSortBy(sortBy)">{{ i18n.sortedBy }} {{ sortBy }}</v-chip>
+            </span>
           </v-col>
         </v-row>
         <v-col  id="graphs" v-if="loaded && isAdvanced()">
@@ -547,6 +558,9 @@ <h5>
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
+                        <router-link :to="{ name: 'case', params: {id: item.soc_id}}" style="text-decoration: none; cursor: 'pointer'" v-if="viewEnabled">
+                          <v-icon class="mr-2" :title="i18n.view">fa-binoculars</v-icon>
+                        </router-link>
                       </td>
                       <td v-for="field in eventHeaders" :key="field.value">
                         <div class="quick-action-trigger d-inline-block" v-text="item[field.value]" @click="toggleQuickAction($event, item, field.value, item[field.value])"></div>
@@ -839,7 +853,7 @@ <h2 v-text="i18n.users"></h2>
             </v-data-table>
             <v-dialog v-model="dialog" width="800px">
               <v-card>
-                <v-card-title class="lighten-4 py-4 title" v-text="i18n.addUser"></v-card-title>
+                <v-card-title class="lighten-4 py-4 title">{{ i18n.add }} {{ i18n.user }}</v-card-title>
                 <v-form v-model="form.valid">
                   <v-container grid-list-sm class="pa-4">
                     <v-row>
@@ -859,7 +873,7 @@ <h2 v-text="i18n.users"></h2>
                   <v-card-actions>
                     <v-spacer></v-spacer>
                     <v-btn text @click="dialog = false">Cancel</v-btn>
-                    <v-btn :disabled="!form.valid" text color="primary" @click="submitAddUser" v-text="i18n.addUser"></v-btn>
+                    <v-btn :disabled="!form.valid" text color="primary" @click="submitAddUser" v-text="i18n.add"></v-btn>
                   </v-card-actions>
                 </v-form>
               </v-card>
@@ -908,7 +922,7 @@ <h2 v-text="i18n.jobs"></h2>
             </v-data-table>
             <v-dialog v-model="dialog" width="800px">
               <v-card id="pcap-job-dialog">
-                <v-card-title class="lighten-4 py-4 title" v-text="i18n.addJob"></v-card-title>
+                <v-card-title class="lighten-4 py-4 title">{{ i18n.add }} {{ i18n.job }}</v-card-title>
                 <v-form v-model="form.valid">
                   <v-container grid-list-sm class="pa-4">
                     <v-row>
@@ -928,7 +942,7 @@ <h2 v-text="i18n.jobs"></h2>
                     <v-spacer></v-spacer>
                     <v-btn text @click="clearAddJobForm()" v-text="i18n.clear"></v-btn>
                     <v-btn text @click="dialog = false" v-text="i18n.cancel"></v-btn>
-                    <v-btn :disabled="!form.valid" text color="primary" @click="submitAddJob" v-text="i18n.addJob"></v-btn>
+                    <v-btn :disabled="!form.valid" text color="primary" @click="submitAddJob" v-text="i18n.add"></v-btn>
                   </v-card-actions>
                 </v-form>
               </v-card>
@@ -1156,6 +1170,191 @@ <h2>{{ i18n.viewJob }}</h2>
       </v-container>
     </script>
 
+    <script type="text/x-template" id="page-case">
+      <v-container fluid>
+        <v-row>
+          <v-col>
+            <h2>{{ i18n.viewCase }}</h2>
+          </v-col>
+        </v-row>
+        <v-row>
+          <v-col>
+            <v-form v-model="form.valid">
+              <div>
+                <span class="case label">{{ i18n.caseId }}:</span>
+                <span class="case value">{{ caseObj.id }}</span>
+              </div>
+              <div>
+                <span class="case label">{{ i18n.dateCreated }}:</span>
+                <span class="case value">{{ caseObj.createTime | formatDateTime}}</span>
+              </div>
+              <div>
+                <span class="case label">{{ i18n.dateModified }}:</span>
+                <span class="case value">{{ caseObj.updateTime | formatDateTime}}</span>
+              </div>
+              <div>
+                <span class="case label">{{ i18n.dateClosed }}:</span>
+                <span class="case value">{{ caseObj.completeTime | formatDateTime}}</span>
+              </div>
+              <div>
+                <span class="case label">{{ i18n.author }}:</span>
+                <span class="case value">{{ caseObj.owner }}</span>
+              </div>
+              <div>
+                <span class="case label">{{ i18n.caseAssignee }}:</span>
+                <span class="case value">{{ caseObj.assignee }}</span>
+              </div>
+              <div>
+                <v-text-field v-model="form.title" :placeholder="i18n.caseTitle" persistent-hint :hint="i18n.caseTitleHelp" :rules="[rules.required]"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
+              </div>              
+              <div>
+                <v-text-field v-model="form.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
+              </div>
+              <div>
+                <v-text-field v-model="form.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
+              </div>
+              <div class="my-4">
+                <v-btn :disabled="!form.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
+              <div>
+            </form>
+          </v-col>
+        </v-row>
+        <v-row>
+            <v-tabs>
+
+              <v-tab id="case_commentsTab">
+                <v-icon left>fa-comments</v-icon>
+                {{ i18n.comments }}
+              </v-tab>
+              <v-tab id="case_historyTab">
+                <v-icon left>fa-history</v-icon>
+                {{ i18n.history }}
+              </v-tab>
+
+              <v-tab-item>
+                <v-card v-for="comment in associations.comments" elevation="2" class="my-2">
+                  <div>
+                    <span class="case label">{{ i18n.dateCreated }}:</span>
+                    <span class="case value">{{ comment.createTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.dateModified }}:</span>
+                    <span class="case value">{{ comment.updateTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.author }}:</span>
+                    <span class="case value">{{ comment.owner }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">authorId:</span>
+                    <span class="case value">{{ comment.userId }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.commentDescription }}:</span>
+                    <span class="case value">{{ comment.description }}</span>
+                  </div>
+                  <div class="my-4">
+                    <v-btn text colror="secondary" @click="editComment(comment)" icon><v-icon>fa-edit</v-icon></v-btn>
+                    <v-btn text colror="secondary" @click="deleteAssociation('comments', comment)" icon><v-icon>fa-trash</v-icon></v-btn>
+                  <div>                      
+                </v-card>
+                <div class="mx-12 my-12">
+                  <v-form v-model="associatedForms['comments'].valid">
+                    <v-text-field v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-text-field>
+                    <v-text-field v-model="associatedForms['comments'].id" class="d-none"></v-text-field>
+                    <div class="my-4">
+                      <v-btn v-if="associatedForms['comments'].id == ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="addAssociation('comments')" v-text="i18n.add"></v-btn>
+                      <v-btn v-if="associatedForms['comments'].id != ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="modifyAssociation('comments')" v-text="i18n.update"></v-btn>
+                      <v-btn text color="secondary" @click="cancelComment()" v-text="i18n.cancel"></v-btn>
+                    <div>                      
+                  </form>
+                </div>
+              </v-tab-item>
+
+              <v-tab-item>
+                <v-card v-for="event in associations.history" elevation="2" class="my-2">
+                  <div>
+                    <span class="case label">{{ i18n.event }}:</span>
+                    <span class="case value">{{ event.kind }} - {{ event.operation }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.dateCreated }}:</span>
+                    <span class="case value">{{ event.createTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.dateModified }}:</span>
+                    <span class="case value">{{ event.updateTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.dateClosed }}:</span>
+                    <span class="case value">{{ event.completeTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.author }}:</span>
+                    <span class="case value">{{ event.owner }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">authorId:</span>
+                    <span class="case value">{{ event.userId }}</span>
+                  </div>
+                  <div v-if="event.kind == 'case'">
+                    <div>
+                      <span class="case label">{{ i18n.caseTitle}}:</span>
+                      <span class="case value">{{ event.title }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.caseDescription }}:</span>
+                      <span class="case value">{{ event.description }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.caseStatus }}:</span>
+                      <span class="case value">{{ event.status }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.caseSeverity }}:</span>
+                      <span class="case value">{{ event.severity }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.casePriority }}:</span>
+                      <span class="case value">{{ event.priority }}</span>
+                    </div>
+                  </div>
+                  <div v-if="event.kind == 'comment'">
+                    <div>
+                      <span class="case label">{{ i18n.commentDescription }}:</span>
+                      <span class="case value">{{ event.description }}</span>
+                    </div>
+                  </div>
+                </v-card>
+              </v-tab-item>
+
+            <v-tabs>
+        </v-row>
+      </v-container>
+    </script>
+
+
     <script type="text/x-template" id="page-grid">
       <v-container fluid>
         <v-row>
@@ -1341,6 +1540,7 @@ <h2 v-text="i18n.settingsTitle"></h2>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
+    <script src="js/routes/case.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/downloads.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/home.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/routes/hunt.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/app.js b/html/js/app.js
index a0af1565..e4d0647e 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -467,6 +467,9 @@ $(document).ready(function() {
       showError(msg) {
         this.error = true;
         this.errorMessage = this.localizeMessage(msg);
+        if (this.debug) {
+          console.log(msg.stack);
+        }
       },
       showWarning(msg) {
         this.warning = true;
@@ -706,11 +709,11 @@ $(document).ready(function() {
         }
         return null;
       },
-      async populateJobDetails(job) {
-        if (job.userId && job.userId.length > 0) {
-          const user = await this.$root.getUserById(job.userId);
+      async populateUserDetails(obj, idField, outputField) {
+        if (obj[idField] && obj[idField].length > 0) {
+          const user = await this.$root.getUserById(obj[idField]);
           if (user) {
-            job.owner = user.email;
+            obj[outputField] = user.email;
           }
         }
       },
diff --git a/html/js/app.test.js b/html/js/app.test.js
index 93583930..d33033bd 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -66,4 +66,26 @@ test('generateDatePickerPreselects', () => {
   expect(preselects[app.i18n.datePreselect4dToNow].length).toBe(2);
   expect(preselects[app.i18n.datePreselect7dToNow].length).toBe(2);
   expect(preselects[app.i18n.datePreselect30dToNow].length).toBe(2);
+});
+
+test('populateUserDetailsEmpty', async () => {
+  const obj = {};
+  await app.populateUserDetails(obj, "userId", "owner")
+  expect(obj.owner).toBe(undefined);
+});
+
+test('populateUserDetailsNonEmptyNoUser', async () => {
+  const obj = {userId:'123'}
+  app.users = [{id:'111',email:'hi@there.net'}];
+  app.usersLoadedTime = new Date().time;
+  await app.populateUserDetails(obj, "userId", "owner")
+  expect(obj.owner).toBe(undefined);
+});
+
+test('populateUserDetails', async () => {
+  const obj = {userId:'123'};
+  app.users = [{id:'123',email:'hi@there.net'}];
+  app.usersLoadedTime = new Date().time;
+  await app.populateUserDetails(obj, "userId", "owner")
+  expect(obj.owner).toBe('hi@there.net');
 });
\ No newline at end of file
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 181222ed..63851138 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -35,21 +35,44 @@ const i18n = {
       actionSuccess: 'Action completed: ',
       actionVirusTotal: 'VirusTotal',
       actionVirusTotalHelp: 'Analyze this field at virustotal.com',
+      add: 'Add',
       address: 'Address',
-      addJob: 'Add Job',
-      addUser: 'Add User',
       admin: 'Administration',
       alertAcknowledge: 'Acknowledge',
       alertEscalated: 'This alert has already been escalated',
       alertUndoAcknowledge: 'Undo Acknowledge',
       alerts: 'Alerts',
       attempt: 'Attempt',
+      author: 'Author',
       autohunt: 'Automatically Hunt after changing filters, groupings, and date-ranges',
       autoRefresh: 'Automatic refresh interval',
       beginTime: 'Filter Begin',
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       blog: 'Blog',
       cancel: 'Cancel',
+      cases: 'Cases',
+      caseAssignee: 'Assigned To',
+      caseAssigneeHelp: 'Designate the assignee for this case',
+      caseCategory: 'Category',
+      caseCategoryHelp: 'Category used for organizing and grouping similar cases',
+      caseDescription: 'Description',
+      caseDescriptionHelp: 'Detailed description of the case',
+      caseId: 'Case Id',
+      casePap: 'PAP',
+      casePapHelp: 'Permissible Actions Protocol',
+      casePriority: 'Priority',
+      casePriorityHelp: 'The numeric priority level of this case. Lower values typically indicate increasing importance.',
+      caseSeverity: 'Severity',
+      caseSeverityHelp: 'The severity classification for this case',
+      caseStatus: 'Status',
+      caseStatusHelp: 'Indicates the state of the case',
+      caseTags: 'Tags',
+      caseTagsHelp: 'Separate multiple tags by comma (tbd)',
+      caseTitle: 'Title',
+      caseTitleHelp: 'Brief summary of the case',
+      caseTlp: 'TLP',
+      caseTlpHelp: 'Traffic Light Protocol',
+
       chartTitleBottom: 'Fewest Occurrences',
       chartTitleTimeline: 'Timeline',
       chartTitleTop: 'Most Occurrences',
@@ -57,6 +80,9 @@ const i18n = {
       clear: 'Clear',
       collapse: 'Collapse',
       collapseHelp: 'Collapse all packet data',
+      comments: 'Comments',
+      commentDescription: 'Comment',
+      commentDescriptionHelp: 'Provide follow-up information to this case',
       completed: 'Completed',
       continue: 'Would you like to continue?',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
@@ -66,9 +92,12 @@ const i18n = {
       copyToClipboard: 'Copy to clipboard',
       custom: 'Custom',
       darkMode: 'Dark Mode',
-      dateDataEpoch: 'Earliest PCAP',
+      dateClosed: 'Date Closed',
       dateCompleted: 'Date Completed',
+      dateCreated: 'Date Created',
+      dateDataEpoch: 'Earliest PCAP',
       dateFailed: 'Date Failed',
+      dateModified: 'Date Modified',
       dateOnline: 'Online Since:',
       dateQueued: 'Date Queued',
       datePreselectToday: 'Today',
@@ -123,6 +152,7 @@ const i18n = {
       escalatedEventTip: 'Escalated event(s) to a new case.',
       escalatedMultipleTip: 'Escalating groups of alerts may take a while and will continue in the background.',
       escalatedSingleTip: 'Escalated alert and removed from view.',
+      event: 'Event',
       events: 'Events',
       eventCaseTitle: 'Event Escalation from SOC',
       eventExpandHelp: 'Show all event fields',
@@ -138,6 +168,10 @@ const i18n = {
       fault: 'Fault',
       fetchLimit: 'Fetch Limit',
       
+      'field_case.createTime': 'Create Date',
+      'field_case.severity': 'Severity',
+      'field_case.status': 'Status',
+      'field_case.title': 'Title',
       field_count: 'Count',
       field_soc_id: 'Event ID',
       field_soc_timestamp: 'Timestamp',
@@ -163,6 +197,7 @@ const i18n = {
       help: 'Help',
       hex: 'HEX',
       hexHelp: 'Include hexadecimal representation of packet data',
+      history: 'History',
       home: 'Overview',
       hours: 'hours',
       hunt: 'Hunt',
@@ -190,7 +225,6 @@ const i18n = {
       job: 'Job',
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
-      jobNotFound: 'The selected job no longer exists',
       jobs: 'PCAP',
       last: 'Last',
       lastName: 'Last Name',
@@ -222,6 +256,7 @@ const i18n = {
       nodeStatusRaid: 'Raid Status:',
       noSearchResults: 'No search results were found.',
       note: 'Note',
+      notFound: 'The selected item no longer exists',
       number: 'Num',
       ok: 'OK',
       offline: 'Offline',
@@ -294,6 +329,9 @@ const i18n = {
       'so-sensor-keywords': 'Forward, Sensor, Sensoroni, Stenographer',
       'so-standalone': 'Standalone',
       'so-standalone-keywords': 'Elastic, Elasticsearch, Fleet, Forward, Ingest, Manager, Master, Search, Sensor, Sensoroni, Soc, Stenographer, Web',
+      sortedBy: 'Sort:',
+      sortInclude: "Sort By",
+      sortIncludeHelp: "Add as a sort-by field",
       sponsorsIntro: 'Brought to you by:',
       srcIp: 'Source IP',
       srcIpHelp: 'Optional source IP address to include in this job filter',
@@ -337,6 +375,7 @@ const i18n = {
       users: 'Users',
       version: 'Version',
       view: 'View',
+      viewCase: 'Case Details',
       weeks: 'weeks',
       whatsnew: 'What\'s New',
 
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
new file mode 100644
index 00000000..c319837e
--- /dev/null
+++ b/html/js/routes/case.js
@@ -0,0 +1,265 @@
+// Copyright 2019 Jason Ertel (jertel). All rights reserved.
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+routes.push({ path: '/case/:id', name: 'case', component: {
+  template: '#page-case',
+  data() { return {
+    i18n: this.$root.i18n,
+    caseObj: {},
+    associationsLoading: false,
+    search: '',
+    associations: {
+      comments: [],
+      artifacts: [],
+      events: [],
+      tasks: [],
+      history: []
+    },
+    headers: {
+      comments: [],
+      artifacts: [],
+      events: [],
+      tasks: [],
+      history: []
+    },
+    sortBy: 'number',
+    sortDesc: false,
+    itemsPerPage: 10,
+    footerProps: { 'items-per-page-options': [10,50,250,1000] },
+    count: 500,
+    form: {
+      valid: false,
+      id: null,
+      title: null,
+      description: null,
+      status: null,
+      severity: null,
+      priority: null,
+      assigneeId: null,
+      tags: null,
+      tlp: null,
+      pap: null,
+      category: null
+    },
+    associatedForms: {
+      comments: {
+        id: "",
+        caseId: "",
+        description: "",
+        valid: false
+      },
+      tasks: {
+        id: "",
+        caseId: "",
+        description: "",
+        status: "",
+        valid: false
+      },
+      artifacts: {
+        id: "",
+        caseId: "",
+        description: "",
+        valid: false
+      }
+    },
+    rules: {
+      required: value => (!!value) || this.$root.i18n.required,
+    },
+  }},
+  created() {
+  },
+  mounted() {
+    this.loadData();
+    this.$root.loadParameters('case', this.initActions);
+  },
+  destroyed() {
+    this.$root.unsubscribe("case", this.updateCase);
+  },
+  watch: {
+    '$route': 'loadData',
+  },
+  methods: {
+    initActions(params) {
+      this.params = params;
+    },
+    async loadAssociations() {
+      this.associationsLoading = true;
+
+      this.associations["comments"] = [];
+      this.associatedForms["comments"].caseId = this.caseObj.id;
+      this.loadAssociation('comments');
+
+      this.associations["tasks"] = [];
+      this.associatedForms["tasks"].caseId = this.caseObj.id;
+      this.loadAssociation('tasks');
+
+      this.associations["artifacts"] = [];
+      this.associatedForms["artifacts"].caseId = this.caseObj.id;
+      this.loadAssociation('artifacts');
+
+      this.associations["events"] = [];
+      this.loadAssociation('events');
+
+      this.associations["history"] = [];
+      this.loadAssociation('history');
+
+      this.associationsLoading = false;
+    },
+    async loadAssociation(dataType) {
+      try {
+        const response = await this.$root.papi.get('case/' + dataType, { params: {
+          id: this.$route.params.id,
+          offset: this.associations[dataType].length,
+          count: this.count,
+        }});
+        if (response && response.data) {
+          for (var idx = 0; idx < response.data.length; idx++) {
+            const obj = response.data[idx];
+            await this.$root.populateUserDetails(obj, "userId", "owner");
+            this.associations[dataType].push(obj);
+          }
+        }
+      } catch (error) {
+        this.$root.showError(error);
+      }
+    },
+    async loadData() {
+      this.$root.startLoading();
+
+      try {
+        const response = await this.$root.papi.get('case/', { params: {
+            id: this.$route.params.id
+        }});
+        this.updateCaseDetails(response.data);
+        this.loadAssociations();
+      } catch (error) {
+        if (error.response != undefined && error.response.status == 404) {
+          this.$root.showError(this.i18n.notFound);
+        } else {
+          this.$root.showError(error);
+        }
+      }
+      this.$root.stopLoading();
+      this.$root.subscribe("case", this.updateCase);
+    },
+    updateCaseDetails(caseObj) {
+      this.form.id = caseObj.id;
+      this.form.title = caseObj.title;
+      this.form.description = caseObj.description;
+      this.form.severity = caseObj.severity;
+      this.form.priority = caseObj.priority;
+      this.form.status = caseObj.status;
+      this.form.tags = caseObj.tags ? caseObj.tags.join(", ") : "";
+      this.form.tlp = caseObj.tlp;
+      this.form.pap = caseObj.pap;
+      this.form.category = caseObj.category;
+      this.form.assigneeId = caseObj.assigneeId;
+      this.$root.populateUserDetails(caseObj, "userId", "owner");
+      this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
+      this.caseObj = caseObj;
+    },    
+    async modifyCase() {
+      this.$root.startLoading();
+      try {
+        // Convert priority and severity to ints
+        this.form.severity = parseInt(this.form.severity, 10);
+        this.form.priority = parseInt(this.form.priority, 10);
+        const formattedTags = this.form.tags;
+        if (this.form.tags) {
+          this.form.tags = this.form.tags.split(",").map(tag => {
+            return tag.trim();
+          });
+        }
+        const json = JSON.stringify(this.form);
+        this.form.tags = formattedTags;
+        const response = await this.$root.papi.put('case/', json);
+        this.updateCaseDetails(response.data);
+      } catch (error) {
+        if (error.response != undefined && error.response.status == 404) {
+          this.$root.showError(this.i18n.notFound);
+        } else {
+          this.$root.showError(error);
+        }
+      }
+      this.$root.stopLoading();
+    },
+    async addAssociation(association) {
+      this.$root.startLoading();
+      try {
+        const response = await this.$root.papi.post('case/' + association, JSON.stringify(this.associatedForms[association]));
+        this.$root.populateUserDetails(response.data, "userId", "owner");
+        this.associations[association].push(response.data);
+      } catch (error) {
+        this.$root.showError(error);
+      }
+      this.$root.stopLoading();
+    },
+    async modifyAssociation(association) {
+      var idx = -1;
+      for (var i = 0; i < this.associations[association].length; i++) {
+        if (this.associations[association][i].id == this.associatedForms[association].id) {
+          idx = i;
+          break;
+        }
+      }
+      if (idx > -1) {
+        this.$root.startLoading();
+        try {
+          const response = await this.$root.papi.put('case/' + association, JSON.stringify(this.associatedForms[association]));
+          this.$root.populateUserDetails(response.data, "userId", "owner");
+          Vue.set(this.associations[association], idx, response.data);
+        } catch (error) {
+          if (error.response != undefined && error.response.status == 404) {
+            this.$root.showError(this.i18n.notFound);
+          } else {
+            this.$root.showError(error);
+          }
+        }
+        this.$root.stopLoading();
+      }
+    },
+    async deleteAssociation(association, obj) {
+      const idx = this.associations[association].indexOf(obj);
+      if (idx > -1) {
+        this.$root.startLoading();
+        try {
+          const response = await this.$root.papi.delete('case/' + association, { params: {
+            id: obj.id
+          }});
+          this.associations[association].splice(idx, 1);
+        } catch (error) {
+          if (error.response != undefined && error.response.status == 404) {
+            this.$root.showError(this.i18n.notFound);
+          } else {
+            this.$root.showError(error);
+          }
+        }
+        this.$root.stopLoading();
+      }
+    },    
+    editComment(comment) {
+      this.associatedForms['comments'].id = comment.id;
+      this.associatedForms['comments'].description = comment.description;
+    },
+    cancelComment() {
+      this.associatedForms['comments'].id = "";
+      this.associatedForms['comments'].description = "";
+    },
+    updateCase(caseObj) {
+      // No-op until we can detect if the user has made any changes to the form. We don't
+      // want to wipe out a long description they might be working on typing.
+
+      // if (!caseObj || caseObj.id != this.caseObj.id) return;
+      // this.updateCaseDetails(caseObj)
+      // this.loadAssociations();
+    },
+  }
+}});
+
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
new file mode 100644
index 00000000..db84e7aa
--- /dev/null
+++ b/html/js/routes/case.test.js
@@ -0,0 +1,314 @@
+// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+require('../test_common.js');
+require('./case.js');
+
+const fakePriority = 33;
+const fakeSeverity = 31;
+const fakeEmail = 'my@email.invalid';
+const fakeAssigneeEmail = 'assignee@email.invalid';
+const fakeCase = {
+  userId: 'myUserId',
+  id: 'myCaseId',
+  title: 'myTitle',
+  description: 'myDescription',
+  severity: fakeSeverity,
+  priority: fakePriority,
+  tlp: 'myTlp',
+  pap: 'myPap',
+  category: 'myCategory',
+  tags: ['tag1', 'tag2'],
+  assigneeId: 'myAssigneeId',
+  status: 'open',
+};
+const fakeUsers = [
+  {'id': 'myUserId', 'email': fakeEmail},
+  {'id': 'myAssigneeId', 'email': fakeAssigneeEmail}
+  ];
+const fakeComment = {
+  userId: 'myUserId',
+  id: 'myCommentId',
+  description: 'myDescription',
+};
+
+var comp;
+
+beforeEach(() => {
+  comp = getComponent("case");
+  resetPapi();
+});
+
+test('initParams', () => {
+  comp.initActions({"foo":"bar"});
+  expect(comp.params.foo).toBe("bar");
+});
+
+test('loadAssociations', () => {
+  comp.caseObj = {id: 'myCaseId'};
+  comp.loadAssociation = jest.fn();
+  comp.loadAssociations();
+  expect(comp.loadAssociation).toHaveBeenCalledWith('comments');
+  expect(comp.associatedForms["comments"].caseId).toBe('myCaseId')
+  expect(comp.loadAssociation).toHaveBeenCalledWith('tasks');
+  expect(comp.associatedForms["tasks"].caseId).toBe('myCaseId')
+  expect(comp.loadAssociation).toHaveBeenCalledWith('artifacts');
+  expect(comp.associatedForms["artifacts"].caseId).toBe('myCaseId')
+  expect(comp.loadAssociation).toHaveBeenCalledWith('events');
+  expect(comp.loadAssociation).toHaveBeenCalledWith('history');
+  expect(comp.associationsLoading).toBe(false);
+});
+
+test('loadAssociation', async () => {
+  const params = { params: {
+          id: 'myUserId',
+          offset: 0,
+          count: comp.count,
+        }};
+
+  resetPapi();
+  // API call #1 is to get the comment list
+  mockPapi("get", {'data':[fakeComment]});
+  // API call #2 is to get the user list
+  mock = mockPapi("get", {'data':fakeUsers});
+
+  comp.$route.params.id = 'myUserId';
+  const showErrorMock = mockShowError();
+
+  await comp.loadAssociation('comments');
+
+  expect(mock).toHaveBeenCalledWith('case/comments', params);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.associations['comments'].length).toBe(1);
+  expect(comp.associations['comments'][0].owner).toBe(fakeEmail);
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('loadAssociationError', async () => {
+  const showErrorMock = mockShowError();
+  resetPapi().mockPapi("get", null, new Error("something bad"));
+  await comp.loadAssociation('comments');
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+expectCaseDetails = () => {
+  expect(comp.form.id).toBe(fakeCase.id);
+  expect(comp.form.title).toBe(fakeCase.title);
+  expect(comp.form.description).toBe(fakeCase.description);
+  expect(comp.form.severity).toBe(fakeCase.severity);
+  expect(comp.form.priority).toBe(fakeCase.priority);
+  expect(comp.form.status).toBe(fakeCase.status);
+  expect(comp.form.tlp).toBe(fakeCase.tlp);
+  expect(comp.form.pap).toBe(fakeCase.pap);
+  expect(comp.form.category).toBe(fakeCase.category);
+  expect(comp.form.tags).toBe(fakeCase.tags.join(", "));
+  expect(comp.caseObj).toBe(fakeCase);
+  expect(comp.caseObj.owner).toBe(fakeEmail);
+  expect(comp.caseObj.assignee).toBe(fakeAssigneeEmail);
+}
+
+test('loadData', async () => {
+  const params = { params: {
+          id: 'myCaseId'
+        }};
+
+  // API call #1 is to get the comment list
+  mockPapi("get", {'data':fakeCase});
+  // API call #2 is to get the user list
+  mock = mockPapi("get", {'data':fakeUsers});
+
+  comp.$route.params.id = 'myCaseId';
+  const showErrorMock = mockShowError();
+  comp.loadAssociations = jest.fn();
+
+  await comp.loadData();
+
+  expect(mock).toHaveBeenCalledWith('case/', params);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.loadAssociations).toHaveBeenCalledTimes(1);
+  expectCaseDetails();
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('loadDataNotFound', async () => {
+  const showErrorMock = mockShowError();
+  const error = new Error("not found")
+  error.response = { status: 404 };
+  mockPapi("get", null, error);
+  await comp.loadData();
+  expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
+});
+
+test('loadDataError', async () => {
+  const showErrorMock = mockShowError();
+  mockPapi("get", null, new Error("something bad"));
+  await comp.loadData();
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+test('modifyCase', async () => {
+  // API call #1 is to get the comment list
+  const putMock = mockPapi("put", {'data':fakeCase});
+  // API call #2 is to get the user list
+  const getMock = mockPapi("get", {'data':fakeUsers});
+
+  comp.form.priority = '' + fakePriority;
+  comp.form.severity = '' + fakeSeverity;
+  comp.form.id = 'myCaseId';
+  comp.form.title = 'myTitle';
+  comp.form.description = 'myDescription';
+  comp.form.status = 'open';
+  comp.form.tlp = 'myTlp';
+  comp.form.pap = 'myPap';
+  comp.form.category = 'myCategory';
+  comp.form.tags = 'tag1,tag2';
+  comp.form.assigneeId = 'myAssigneeId';
+  const showErrorMock = mockShowError(true);
+
+  await comp.modifyCase();
+
+  const body =  "{\"valid\":false,\"id\":\"myCaseId\",\"title\":\"myTitle\",\"description\":\"myDescription\",\"status\":\"open\",\"severity\":31,\"priority\":33,\"assigneeId\":\"myAssigneeId\",\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}";
+  expect(putMock).toHaveBeenCalledWith('case/', body);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expectCaseDetails();
+  expect(comp.associations['history'].length).toBe(0);
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('modifyCaseNotFound', async () => {
+  const showErrorMock = mockShowError();
+  const error = new Error("not found")
+  error.response = { status: 404 };
+  mockPapi("put", null, error);
+  await comp.modifyCase();
+  expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
+});
+
+test('modifyCaseError', async () => {
+  const showErrorMock = mockShowError();
+  mockPapi("put", null, new Error("something bad"));
+  await comp.modifyCase();
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+test('addAssociation', async () => {
+  const mock = mockPapi("post", {'data':fakeComment});
+
+  comp.associatedForms['comments'].id = 'myCommentId';
+  comp.associatedForms['comments'].description = 'myDescription';
+  const showErrorMock = mockShowError();
+  expect(comp.associations['comments'].length).toBe(0);
+
+  await comp.addAssociation('comments');
+
+  const body =  "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription\",\"valid\":false}";
+  expect(mock).toHaveBeenCalledWith('case/comments', body);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.associations['comments'].length).toBe(1);
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('addAssociationError', async () => {
+  const showErrorMock = mockShowError();
+  mockPapi("post", null, new Error("something bad"));
+  await comp.addAssociation('comments');
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+test('modifyAssociation', async () => {
+  const fakeComment2 = {
+    id: fakeComment.id,
+    description: 'myDescription2',
+    caseId: fakeCase.id,
+    userId: 'myUserId',
+  }
+  const mock = mockPapi("put", {'data':fakeComment2});
+  const showErrorMock = mockShowError();
+
+  comp.associatedForms['comments'].id = fakeComment.id;
+  comp.associatedForms['comments'].description = 'myDescription2';
+  comp.associations['comments'] = [fakeComment];
+  await comp.modifyAssociation('comments');
+
+  const body =  "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription2\",\"valid\":false}";
+  expect(mock).toHaveBeenCalledWith('case/comments', body);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.associations['comments'].length).toBe(1);
+  expect(comp.associations['comments'][0].description).toBe('myDescription2');
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('modifyAssociationNotFound', async () => {
+  const showErrorMock = mockShowError();
+  const error = new Error("not found")
+  error.response = { status: 404 };
+  mockPapi("put", null, error);
+  comp.associatedForms['comments'].id = fakeComment.id;
+  comp.associations['comments'] = [fakeComment];
+  await comp.modifyAssociation('comments');
+  expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
+});
+
+test('modifyAssociationError', async () => {
+  const showErrorMock = mockShowError();
+  mockPapi("put", null, new Error("something bad"));
+  comp.associatedForms['comments'].id = fakeComment.id;
+  comp.associations['comments'] = [fakeComment];
+  await comp.modifyAssociation('comments');
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+test('deleteAssociation', async () => {
+  const params = {
+    params: {
+      id: 'myCommentId'
+    }
+  };
+  const mock = mockPapi("delete");
+
+  const showErrorMock = mockShowError();
+
+  comp.associations['comments'] = [fakeComment];
+  await comp.deleteAssociation('comments', fakeComment);
+
+  expect(mock).toHaveBeenCalledWith('case/comments', params);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.associations['comments'].length).toBe(0);
+  expect(comp.$root.loading).toBe(false);
+});
+
+test('deleteAssociationNotFound', async () => {
+  const showErrorMock = mockShowError();
+  const error = new Error("not found")
+  error.response = { status: 404 };
+  mockPapi("delete", null, error);
+  comp.associations['comments'] = [fakeComment];
+  await comp.deleteAssociation('comments', fakeComment);
+  expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
+});
+
+test('deleteAssociationError', async () => {
+  const showErrorMock = mockShowError();
+  mockPapi("delete", null, new Error("something bad"));
+  comp.associations['comments'] = [fakeComment];
+  await comp.deleteAssociation('comments', fakeComment);
+  expect(showErrorMock).toHaveBeenCalledTimes(1);
+});
+
+test('editComment', () => {
+  comp.editComment(fakeComment);
+  expect(comp.associatedForms['comments'].id).toBe(fakeComment.id);
+  expect(comp.associatedForms['comments'].description).toBe(fakeComment.description);
+});
+
+test('cancelComment', () => {
+  comp.cancelComment(fakeComment);
+  expect(comp.associatedForms['comments'].id).toBe("");
+  expect(comp.associatedForms['comments'].description).toBe("");
+});
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index b7f09331..abd1698b 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -30,6 +30,7 @@ const huntComponent = {
     queryName: '',
     queryFilters: [],
     queryGroupBys: [],
+    querySortBys: [],
     eventFields: {},
     dateRange: '',
     relativeTimeEnabled: true,
@@ -46,6 +47,7 @@ const huntComponent = {
     huntPending: false,
     ackEnabled: false,
     escalateEnabled: false,
+    viewEnabled: false,
     collapsedSections: [],
 
     filterToggles: [],
@@ -190,6 +192,7 @@ const huntComponent = {
       this.advanced = params["advanced"];
       this.ackEnabled = params["ackEnabled"];
       this.escalateEnabled = params["escalateEnabled"];
+      this.viewEnabled = params["viewEnabled"];
       if (this.queries != null && this.queries.length > 0) {
         this.query = this.queries[0].query;
       }
@@ -447,7 +450,7 @@ const huntComponent = {
 
           var template = 'rule.case_template' in item ? item['rule.case_template'] : '';
 
-          const response = await this.$root.papi.post('case', {
+          const response = await this.$root.papi.post('case/', {
             title: title,
             description: description,
             severity: severity,
@@ -536,6 +539,7 @@ const huntComponent = {
       this.queryName = "";
       this.queryFilters = [];
       this.queryGroupBys = [];
+      this.querySortBys = [];
       var route = this;
       if (this.query) {
         var segments = this.query.split("|");
@@ -564,7 +568,13 @@ const huntComponent = {
                   route.queryGroupBys.push(item);
                 }
               });
-              break;
+            }
+            if (segment.indexOf("sortby") == 0) {
+              segment.split(" ").forEach(function(item, index) {
+                if (index > 0 && item.trim().length > 0) {
+                  route.querySortBys.push(item);
+                }
+              });
             }
           }
         }
@@ -601,7 +611,27 @@ const huntComponent = {
           }
         }
         if (segments[i].length > 0) {
-          newQuery = newQuery.trim() + " | " + segments[i];
+          newQuery = newQuery.trim() + " | " + segments[i].trim();
+        }
+      }
+      this.query = newQuery.trim();
+      if (!this.notifyInputsChanged()) {
+        this.obtainQueryDetails();
+      }        
+    },
+    removeSortBy(sortBy) {
+      var segments = this.query.split("|");
+      var newQuery = segments[0];
+      for (var i = 1; i < segments.length; i++) {
+        if (segments[i].trim().indexOf("sortby") == 0) {
+          segments[i].replace(/,/g, ' ');
+          segments[i] = segments[i].replace(" " + sortBy, "");
+          if (segments[i].trim() == "sortby") {
+            segments[i] = "";
+          }
+        }
+        if (segments[i].length > 0) {
+          newQuery = newQuery.trim() + " | " + segments[i].trim();
         }
       }
       this.query = newQuery.trim();
@@ -1113,3 +1143,6 @@ routes.push({ path: '/hunt', name: 'hunt', component: huntComponent});
 
 const alertsComponent = Object.assign({}, huntComponent);
 routes.push({ path: '/alerts', name: 'alerts', component: alertsComponent});
+
+const casesComponent = Object.assign({}, huntComponent);
+routes.push({ path: '/cases', name: 'cases', component: casesComponent});
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index e2b43256..a2e7b41a 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -124,4 +124,54 @@ test('saveTimezone', () => {
   comp.zone = "Test";
   comp.loadLocalSettings();
   expect(comp.zone).toBe("Foo/Bar");
+});
+
+test('removeFilter', () => {
+  comp.query = "abc def | groupby foo bar*"; 
+  comp.removeFilter('def')
+  expect(comp.query).toBe("abc  | groupby foo bar*");
+
+  comp.removeFilter('abc')
+  expect(comp.query).toBe("* | groupby foo bar*");
+
+  // no-op
+  comp.removeFilter('*')
+  expect(comp.query).toBe("* | groupby foo bar*");
+});
+
+test('removeGroupBy', () => {
+  comp.query = "abc | groupby foo bar*"; 
+  comp.removeGroupBy('foo')
+  expect(comp.query).toBe("abc | groupby bar*");
+
+  comp.removeGroupBy('bar*')
+  expect(comp.query).toBe("abc");
+
+  // no-op
+  comp.removeGroupBy('bar*')
+  expect(comp.query).toBe("abc");
+});
+
+test('removeSortBy', () => {
+  comp.query = "abc | sortby foo bar^"; 
+  comp.removeSortBy('foo')
+  expect(comp.query).toBe("abc | sortby bar^");
+
+  comp.removeSortBy('bar^')
+  expect(comp.query).toBe("abc");
+
+  // no-op
+  comp.removeSortBy('bar^')
+  expect(comp.query).toBe("abc");
+
+  comp.query = "abc | sortby foo bar^ | groupby xyz"; 
+  comp.removeSortBy('foo')
+  expect(comp.query).toBe("abc | sortby bar^ | groupby xyz");
+
+  comp.removeSortBy('bar^')
+  expect(comp.query).toBe("abc | groupby xyz");
+
+  // no-op
+  comp.removeSortBy('bar^')
+  expect(comp.query).toBe("abc | groupby xyz");
 });
\ No newline at end of file
diff --git a/html/js/routes/job.js b/html/js/routes/job.js
index 15cb4328..688714da 100644
--- a/html/js/routes/job.js
+++ b/html/js/routes/job.js
@@ -230,11 +230,11 @@ routes.push({ path: '/job/:jobId', name: 'job', component: {
             jobId: this.$route.params.jobId
         }});
         this.job = response.data;
-        this.$root.populateJobDetails(this.job);
+        this.$root.populateUserDetails(this.job, "userId", "owner");
         this.loadPackets(this.isOptionEnabled('unwrap'));
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
-          this.$root.showError(this.i18n.jobNotFound);
+          this.$root.showError(this.i18n.notFound);
         } else {
           this.$root.showError(error);
         }
diff --git a/html/js/routes/jobs.js b/html/js/routes/jobs.js
index 722b5fe8..f8574e60 100644
--- a/html/js/routes/jobs.js
+++ b/html/js/routes/jobs.js
@@ -73,7 +73,7 @@ routes.push({ path: '/jobs', name: 'jobs', component: {
     },
     loadUserDetails() {
       for (var i = 0; i < this.jobs.length; i++) {
-        this.$root.populateJobDetails(this.jobs[i]);
+        this.$root.populateUserDetails(this.jobs[i], "userId", "owner");
       }
     },
     saveLocalSettings() {
@@ -102,7 +102,7 @@ routes.push({ path: '/jobs', name: 'jobs', component: {
           if (job.status == JobStatusDeleted) {
             this.jobs.splice(i, 1);
           } else {
-            this.$root.populateJobDetails(job);
+            this.$root.populateUserDetails(job, "userId", "owner");
             this.$set(this.jobs, i, job);
           }
           break;
@@ -161,7 +161,7 @@ routes.push({ path: '/jobs', name: 'jobs', component: {
               endTime: endDate
             }
           });
-          this.$root.populateJobDetails(response.data);
+          this.$root.populateUserDetails(response.data, "userId", "owner");
           this.jobs.push(response.data);
         }
       } catch (error) {
diff --git a/html/js/test_common.js b/html/js/test_common.js
index 008662fa..2f5abaed 100644
--- a/html/js/test_common.js
+++ b/html/js/test_common.js
@@ -22,11 +22,17 @@ global.document.ready = function(fn) { fn(); };
 var app = null;
 global.Vue = function(obj) {
 	app = this;
+	app.$root = this;
+	app.debug = true;
 	Object.assign(app, obj.data, obj.methods);
+	this.ensureConnected = jest.fn();
 };
 global.Vue.delete = function(data, i) {
 	data.splice(i, 1);
 };
+global.Vue.set = function(array, idx, value) {
+	array[idx] = value;
+};
 global.Vuetify = function(obj) {};
 global.VueRouter = function(obj) {};
 
@@ -49,14 +55,49 @@ global.getComponent = function(name) {
 			break;
 		}
 	}
+
 	comp.$root = app;
 
+	// Setup route mock data
+	comp.$route = { params: {}};
+	comp.$router = [];
+
 	const data = global.initComponentData(comp);
 	Object.assign(comp, data, comp.methods);
 
 	return comp;
 }
 
+////////////////////////////////////
+// Mock API calls
+////////////////////////////////////
+global.resetPapi = function() {
+	app.papi = {};
+	return global;
+}
+
+global.mockPapi = function(method, mockedResponse, error) {
+	mock = app.papi[method];
+	if (!mock) {
+		mock = jest.fn();
+		app.papi[method] = mock;
+	}
+	if (error) {
+		mock.mockImplementation(() => {
+			throw error;
+		});
+	} else {
+		mock.mockReturnValueOnce(mockedResponse);
+	}
+	return mock
+}
+
+global.mockShowError = function(logError = false) {
+	const mock = jest.fn().mockImplementation(err => { if (logError) console.log(err.stack) });
+	app.showError = mock;
+	return mock;
+}
+
 ////////////////////////////////////
 // Import SO app modules
 ////////////////////////////////////
diff --git a/model/case.go b/model/case.go
index 854b4332..7fc9c41d 100644
--- a/model/case.go
+++ b/model/case.go
@@ -13,20 +13,46 @@ import (
   "time"
 )
 
+const CASE_STATUS_NEW = "new"
+
+type Auditable struct {
+  Id         string     `json:"id,omitempty"`
+  CreateTime *time.Time `json:"createTime"`
+  UpdateTime *time.Time `json:"updateTime,omitempty"`
+  UserId     string     `json:"userId"`
+  Kind       string     `json:"kind,omitempty"`
+  Operation  string     `json:"operation,omitempty"`
+}
+
 type Case struct {
-  Id              string      `json:"id"`
-  CreateTime      time.Time   `json:"createTime"`
-  StartTime       time.Time   `json:"startTime"`
-  CompleteTime    time.Time   `json:"completeTime"`
-  Title           string      `json:"title"`
-  Description     string      `json:"description"`
-  Priority        int         `json:"priority"`
-  Severity        int         `json:"severity"`
-  Status          string      `json:"status"`
-  Template        string      `json:"template"`
+  Auditable
+  StartTime    *time.Time `json:"startTime"`
+  CompleteTime *time.Time `json:"completeTime"`
+  Title        string     `json:"title"`
+  Description  string     `json:"description"`
+  Priority     int        `json:"priority"`
+  Severity     int        `json:"severity"`
+  Status       string     `json:"status"`
+  Template     string     `json:"template"`
+  Tlp          string     `json:"tlp"`
+  Pap          string     `json:"pap"`
+  Category     string     `json:"category"`
+  AssigneeId   string     `json:"assigneeId"`
+  Tags         []string   `json:"tags"`
 }
 
 func NewCase() *Case {
   newCase := &Case{}
   return newCase
-}
\ No newline at end of file
+}
+
+type Comment struct {
+  Auditable
+  CaseId      string `json:"caseId"`
+  Description string `json:"description"`
+}
+
+func NewComment() *Comment {
+  newComment := &Comment{}
+  return newComment
+}
diff --git a/model/event.go b/model/event.go
index 30d6451d..b5a400ff 100644
--- a/model/event.go
+++ b/model/event.go
@@ -50,6 +50,11 @@ func NewEventSearchResults() *EventSearchResults {
 	return results
 }
 
+type SortCriteria struct {
+	Field string
+	Order string
+}
+
 type EventSearchCriteria struct {
 	RawQuery    string `json:"query"`
 	DateRange   string `json:"dateRange"`
@@ -59,6 +64,7 @@ type EventSearchCriteria struct {
 	EndTime     time.Time
 	CreateTime  time.Time
 	ParsedQuery *Query
+	SortFields  []*SortCriteria
 }
 
 func (criteria *EventSearchCriteria) initSearchCriteria() {
@@ -118,7 +124,8 @@ type EventMetric struct {
 }
 
 type EventRecord struct {
-	Source    string                 `json:"source"`
+	Source    string `json:"source"`
+	Time      time.Time
 	Timestamp string                 `json:"timestamp"`
 	Id        string                 `json:"id"`
 	Type      string                 `json:"type"`
@@ -174,3 +181,13 @@ type EventAckCriteria struct {
 func NewEventAckCriteria() *EventAckCriteria {
 	return &EventAckCriteria{}
 }
+
+type EventIndexResults struct {
+	Success    bool   `json:"success"`
+	DocumentId string `json:"id"`
+}
+
+func NewEventIndexResults() *EventIndexResults {
+	results := &EventIndexResults{}
+	return results
+}
diff --git a/model/query.go b/model/query.go
index 67287858..16cb9ca1 100644
--- a/model/query.go
+++ b/model/query.go
@@ -85,6 +85,7 @@ func (segment *BaseSegment) Terms() []*QueryTerm {
 
 const SegmentKind_Search = "search"
 const SegmentKind_GroupBy = "groupby"
+const SegmentKind_SortBy = "sortby"
 
 func NewSegment(kind string, terms []*QueryTerm) (QuerySegment, error) {
   switch kind {
@@ -92,6 +93,8 @@ func NewSegment(kind string, terms []*QueryTerm) (QuerySegment, error) {
     return NewSearchSegment(terms)
   case SegmentKind_GroupBy:
     return NewGroupBySegment(terms)
+  case SegmentKind_SortBy:
+    return NewSortBySegment(terms)
   }
   return nil, errors.New("QUERY_INVALID__SEGMENT_UNSUPPORTED")
 }
@@ -168,7 +171,7 @@ func (segment *SearchSegment) escape(value string) string {
 func (segment *SearchSegment) AddFilter(field string, value string, scalar bool, inclusive bool) error {
   // This flag can be adjust to true once the query parser is more robust and better able to determine
   // when an inclusive filter already exists in a query, so that two inclusive filters are not allowed
-  // to exist in a query together. For example, the following filters will prevent any matches: 
+  // to exist in a query together. For example, the following filters will prevent any matches:
   // Ex: foo:1 AND foo:2
   alreadyFiltered := false
 
@@ -264,6 +267,63 @@ func (segment *GroupBySegment) AddGrouping(group string) error {
   return err
 }
 
+type SortBySegment struct {
+  *BaseSegment
+}
+
+func NewSortBySegmentEmpty() *SortBySegment {
+  return &SortBySegment{
+    &BaseSegment{
+      terms: make([]*QueryTerm, 0, 0),
+    },
+  }
+}
+
+func NewSortBySegment(terms []*QueryTerm) (*SortBySegment, error) {
+  if terms == nil || len(terms) == 0 {
+    return nil, errors.New("QUERY_INVALID__SORTBY_TERMS_MISSING")
+  }
+
+  segment := NewSortBySegmentEmpty()
+  segment.terms = terms
+
+  return segment, nil
+}
+
+func (segment *SortBySegment) Kind() string {
+  return SegmentKind_SortBy
+}
+
+func (segment *SortBySegment) String() string {
+  return segment.Kind() + " " + segment.TermsAsString()
+}
+
+func (segment *SortBySegment) Fields() []string {
+  fields := make([]string, 0, 0)
+  for _, field := range segment.terms {
+    fields = append(fields, field.String())
+  }
+  return fields
+}
+
+func (segment *SortBySegment) AddSortField(sortField string) error {
+  fields := segment.Fields()
+  alreadySorted := false
+  for _, field := range fields {
+    if field == sortField {
+      alreadySorted = true
+    }
+  }
+  var err error
+  if !alreadySorted {
+    term, err := NewQueryTerm(sortField)
+    if err == nil {
+      segment.terms = append(segment.terms, term)
+    }
+  }
+  return err
+}
+
 type Query struct {
   Segments []QuerySegment
 }
@@ -480,3 +540,17 @@ func (query *Query) Group(field string) (string, error) {
 
   return query.String(), err
 }
+
+func (query *Query) Sort(field string) (string, error) {
+  var err error
+
+  segment := query.NamedSegment(SegmentKind_SortBy)
+  if segment == nil {
+    segment = NewSortBySegmentEmpty()
+    query.AddSegment(segment)
+  }
+  sortBySegment := segment.(*SortBySegment)
+  err = sortBySegment.AddSortField(field)
+
+  return query.String(), err
+}
diff --git a/model/query_test.go b/model/query_test.go
index c166d9ea..a26f6a18 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -72,6 +72,12 @@ func TestQueries(tester *testing.T) {
 
 	validateQuery(tester, "abcA|groupby", "QUERY_INVALID__GROUPBY_TERMS_MISSING")
 	validateQuery(tester, "abcA|groupby ", "QUERY_INVALID__GROUPBY_TERMS_MISSING")
+
+	validateQuery(tester, "abcA|sortby\njjj, lll", "abcA | sortby jjj lll")
+	validateQuery(tester, "abcA|\nsortby\tjjj", "abcA | sortby jjj")
+
+	validateQuery(tester, "abcA|sortby", "QUERY_INVALID__SORTBY_TERMS_MISSING")
+	validateQuery(tester, "abcA|sortby ", "QUERY_INVALID__SORTBY_TERMS_MISSING")
 }
 
 func validateGroup(tester *testing.T, orig string, group string, expected string) {
@@ -90,6 +96,22 @@ func TestGroup(tester *testing.T) {
 	validateGroup(tester, "a|groupby b", "b", "a | groupby b")
 }
 
+func validateSort(tester *testing.T, orig string, sort string, expected string) {
+	query := NewQuery()
+	query.Parse(orig)
+	actual, err := query.Sort(sort)
+	if err != nil {
+		actual = err.Error()
+	}
+	assert.Equal(tester, expected, actual)
+}
+
+func TestSort(tester *testing.T) {
+	validateSort(tester, "a", "b", "a | sortby b")
+	validateSort(tester, "a|sortby b", "c", "a | sortby b c")
+	validateSort(tester, "a|sortby b", "b", "a | sortby b")
+}
+
 func validateFilter(tester *testing.T, orig string, key string, value string, scalar bool, mode string, expected string) {
 	query := NewQuery()
 	query.Parse(orig)
diff --git a/server/casehandler.go b/server/casehandler.go
index 0edba00c..e1b314a6 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -40,24 +40,121 @@ func (caseHandler *CaseHandler) HandleNow(ctx context.Context, writer http.Respo
     switch request.Method {
     case http.MethodPost:
       return caseHandler.create(ctx, writer, request)
+    case http.MethodPut:
+      return caseHandler.update(ctx, writer, request)
+    case http.MethodGet:
+      return caseHandler.get(ctx, writer, request)
+    case http.MethodDelete:
+      return caseHandler.delete(ctx, writer, request)
     }
   }
   return http.StatusMethodNotAllowed, nil, errors.New("Method not supported")
 }
 
 func (caseHandler *CaseHandler) create(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
+  var err error
+  var obj interface{}
   statusCode := http.StatusBadRequest
-  var outputCase *model.Case
-
-  inputCase := model.NewCase()
-  err := json.NewDecoder(request.Body).Decode(&inputCase)
+  subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
+  switch subpath {
+  case "events":
+  case "comments":
+    inputComment := model.NewComment()
+    err = json.NewDecoder(request.Body).Decode(&inputComment)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.CreateComment(ctx, inputComment)
+    }
+  case "tasks":
+  case "artifacts":
+  default:
+    inputCase := model.NewCase()
+    err = json.NewDecoder(request.Body).Decode(&inputCase)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.Create(ctx, inputCase)
+    }
+  }
   if err == nil {
-    outputCase, err = caseHandler.server.Casestore.Create(ctx, inputCase)
+    statusCode = http.StatusOK
+  } else {
+    statusCode = http.StatusBadRequest
+  }
+  return statusCode, obj, err
+}
+
+func (caseHandler *CaseHandler) update(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
+  var err error
+  var obj interface{}
+  statusCode := http.StatusBadRequest
+  subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
+  switch subpath {
+  case "comments":
+    inputComment := model.NewComment()
+    err = json.NewDecoder(request.Body).Decode(&inputComment)
     if err == nil {
-      statusCode = http.StatusOK
-    } else {
-      statusCode = http.StatusBadRequest
+      obj, err = caseHandler.server.Casestore.UpdateComment(ctx, inputComment)
     }
+  case "tasks":
+  case "artifacts":
+  default:
+    inputCase := model.NewCase()
+    err = json.NewDecoder(request.Body).Decode(&inputCase)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.Update(ctx, inputCase)
+    }
+  }
+
+  if err == nil {
+    statusCode = http.StatusOK
+  } else {
+    statusCode = http.StatusBadRequest
+  }
+  return statusCode, obj, err
+}
+
+func (caseHandler *CaseHandler) delete(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
+  var err error
+  var obj interface{}
+  statusCode := http.StatusBadRequest
+  id := request.URL.Query().Get("id")
+  subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
+  switch subpath {
+  case "comments":
+    err = caseHandler.server.Casestore.DeleteComment(ctx, id)
+  case "tasks":
+  case "artifacts":
+  default:
+    err = errors.New("Delete not supported")
+  }
+
+  if err == nil {
+    statusCode = http.StatusOK
+  } else {
+    statusCode = http.StatusBadRequest
+  }
+  return statusCode, obj, err
+}
+
+func (caseHandler *CaseHandler) get(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
+  statusCode := http.StatusBadRequest
+  id := request.URL.Query().Get("id")
+  var err error
+  var obj interface{}
+  subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
+  switch subpath {
+  case "events":
+  case "comments":
+    obj, err = caseHandler.server.Casestore.GetComments(ctx, id)
+  case "tasks":
+  case "artifacts":
+  case "history":
+    obj, err = caseHandler.server.Casestore.GetCaseHistory(ctx, id)
+  default:
+    obj, err = caseHandler.server.Casestore.GetCase(ctx, id)
+  }
+  if obj != nil {
+    statusCode = http.StatusOK
+  } else {
+    statusCode = http.StatusNotFound
   }
-  return statusCode, outputCase, err
+  return statusCode, obj, err
 }
diff --git a/server/casestore.go b/server/casestore.go
index b3c0e416..bfd9f2ad 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -16,4 +16,13 @@ import (
 
 type Casestore interface {
 	Create(ctx context.Context, newCase *model.Case) (*model.Case, error)
+	Update(ctx context.Context, socCase *model.Case) (*model.Case, error)
+	GetCase(ctx context.Context, caseId string) (*model.Case, error)
+	GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error)
+
+	CreateComment(ctx context.Context, newComment *model.Comment) (*model.Comment, error)
+	GetComment(ctx context.Context, commentId string) (*model.Comment, error)
+	GetComments(ctx context.Context, caseId string) ([]*model.Comment, error)
+	UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)
+	DeleteComment(ctx context.Context, id string) error
 }
diff --git a/server/eventstore.go b/server/eventstore.go
index ade4dfdf..9b5514b1 100644
--- a/server/eventstore.go
+++ b/server/eventstore.go
@@ -12,11 +12,13 @@ package server
 
 import (
 	"context"
-  "github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type Eventstore interface {
 	Search(context context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error)
+	Index(ctx context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error)
 	Update(context context.Context, criteria *model.EventUpdateCriteria) (*model.EventUpdateResults, error)
+	Delete(context context.Context, index string, id string) error
 	Acknowledge(context context.Context, criteria *model.EventAckCriteria) (*model.EventUpdateResults, error)
-}
\ No newline at end of file
+}
diff --git a/server/eventstore_fake.go b/server/eventstore_fake.go
new file mode 100644
index 00000000..e0f7dd92
--- /dev/null
+++ b/server/eventstore_fake.go
@@ -0,0 +1,78 @@
+// Copyright 2019 Jason Ertel (jertel). All rights reserved.
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package server
+
+import (
+	"context"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+)
+
+type FakeEventstore struct {
+	InputDocuments       []map[string]interface{}
+	InputContexts        []context.Context
+	InputIndexes         []string
+	InputIds             []string
+	InputSearchCriterias []*model.EventSearchCriteria
+	InputUpdateCriterias []*model.EventUpdateCriteria
+	InputAckCriterias    []*model.EventAckCriteria
+	Err                  error
+	SearchResults        *model.EventSearchResults
+	IndexResults         *model.EventIndexResults
+	UpdateResults        *model.EventUpdateResults
+}
+
+func NewFakeEventstore() *FakeEventstore {
+	store := &FakeEventstore{}
+	store.InputDocuments = make([]map[string]interface{}, 0)
+	store.InputContexts = make([]context.Context, 0)
+	store.InputIndexes = make([]string, 0)
+	store.InputIds = make([]string, 0)
+	store.InputSearchCriterias = make([]*model.EventSearchCriteria, 0)
+	store.InputUpdateCriterias = make([]*model.EventUpdateCriteria, 0)
+	store.InputAckCriterias = make([]*model.EventAckCriteria, 0)
+	store.SearchResults = model.NewEventSearchResults()
+	store.IndexResults = model.NewEventIndexResults()
+	store.UpdateResults = model.NewEventUpdateResults()
+	return store
+}
+
+func (store *FakeEventstore) Search(context context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error) {
+	store.InputContexts = append(store.InputContexts, context)
+	store.InputSearchCriterias = append(store.InputSearchCriterias, criteria)
+	return store.SearchResults, store.Err
+}
+
+func (store *FakeEventstore) Index(context context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error) {
+	store.InputContexts = append(store.InputContexts, context)
+	store.InputIndexes = append(store.InputIndexes, index)
+	store.InputDocuments = append(store.InputDocuments, document)
+	store.InputIds = append(store.InputIds, id)
+	return store.IndexResults, store.Err
+}
+
+func (store *FakeEventstore) Update(context context.Context, criteria *model.EventUpdateCriteria) (*model.EventUpdateResults, error) {
+	store.InputContexts = append(store.InputContexts, context)
+	store.InputUpdateCriterias = append(store.InputUpdateCriterias, criteria)
+	return store.UpdateResults, store.Err
+}
+
+func (store *FakeEventstore) Delete(context context.Context, index string, id string) error {
+	store.InputContexts = append(store.InputContexts, context)
+	store.InputIndexes = append(store.InputIndexes, index)
+	store.InputIds = append(store.InputIds, id)
+	return store.Err
+}
+
+func (store *FakeEventstore) Acknowledge(context context.Context, criteria *model.EventAckCriteria) (*model.EventUpdateResults, error) {
+	store.InputContexts = append(store.InputContexts, context)
+	store.InputAckCriterias = append(store.InputAckCriterias, criteria)
+	return store.UpdateResults, store.Err
+}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 3c690371..467bfe8c 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -93,21 +93,22 @@ func makeQuery(store *ElasticEventstore, parsedQuery *model.Query, beginTime tim
 
 	query := make(map[string]interface{})
 	query["query_string"] = queryDetails
+	must := make([]interface{}, 0, 0)
+	must = append(must, query)
 
-	timestampDetails := make(map[string]interface{})
-	timestampDetails["gte"] = beginTime.Format(time.RFC3339)
-	timestampDetails["lte"] = endTime.Format(time.RFC3339)
-	timestampDetails["format"] = "strict_date_optional_time"
-
-	timerangeDetails := make(map[string]interface{})
-	timerangeDetails["@timestamp"] = timestampDetails
+	if !endTime.IsZero() {
+		timestampDetails := make(map[string]interface{})
+		timestampDetails["gte"] = beginTime.Format(time.RFC3339)
+		timestampDetails["lte"] = endTime.Format(time.RFC3339)
+		timestampDetails["format"] = "strict_date_optional_time"
 
-	timerange := make(map[string]interface{})
-	timerange["range"] = timerangeDetails
+		timerangeDetails := make(map[string]interface{})
+		timerangeDetails["@timestamp"] = timestampDetails
 
-	must := make([]interface{}, 0, 0)
-	must = append(must, query)
-	must = append(must, timerange)
+		timerange := make(map[string]interface{})
+		timerange["range"] = timerangeDetails
+		must = append(must, timerange)
+	}
 
 	terms := make(map[string]interface{})
 	terms["must"] = must
@@ -186,17 +187,44 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 	esMap["query"] = makeQuery(store, criteria.ParsedQuery, criteria.BeginTime, criteria.EndTime)
 
 	aggregations := make(map[string]interface{})
-	esMap["aggs"] = aggregations
-	aggregations["timeline"] = makeTimeline(calcTimelineInterval(store.intervals, criteria.BeginTime, criteria.EndTime))
 
-	segment := criteria.ParsedQuery.NamedSegment(model.SegmentKind_GroupBy)
+	if criteria.MetricLimit > 0 {
+		if !criteria.EndTime.IsZero() {
+			aggregations["timeline"] = makeTimeline(calcTimelineInterval(store.intervals, criteria.BeginTime, criteria.EndTime))
+		}
+		segment := criteria.ParsedQuery.NamedSegment(model.SegmentKind_GroupBy)
+		if segment != nil {
+			groupBySegment := segment.(*model.GroupBySegment)
+			fields := groupBySegment.Fields()
+			if len(fields) > 0 {
+				agg, name := makeAggregation(store, "groupby", fields, criteria.MetricLimit, false)
+				aggregations[name] = agg
+				aggregations["bottom"], _ = makeAggregation(store, "", fields[0:1], criteria.MetricLimit, true)
+			}
+		}
+	}
+
+	if len(aggregations) > 0 {
+		esMap["aggs"] = aggregations
+	}
+
+	segment := criteria.ParsedQuery.NamedSegment(model.SegmentKind_SortBy)
 	if segment != nil {
-		groupBySegment := segment.(*model.GroupBySegment)
-		fields := groupBySegment.Fields()
+		sortBySegment := segment.(*model.SortBySegment)
+		fields := sortBySegment.Fields()
 		if len(fields) > 0 {
-			agg, name := makeAggregation(store, "groupby", fields, criteria.MetricLimit, false)
-			aggregations[name] = agg
-			aggregations["bottom"], _ = makeAggregation(store, "", fields[0:1], criteria.MetricLimit, true)
+			sorting := make([]map[string]string, 0, 0)
+			for _, field := range fields {
+				newSort := make(map[string]string)
+				order := "desc"
+				if strings.HasSuffix(field, "^") {
+					field = strings.TrimSuffix(field, "^")
+					order = "asc"
+				}
+				newSort[field] = order
+				sorting = append(sorting, newSort)
+			}
+			esMap["sort"] = sorting
 		}
 	}
 
@@ -290,15 +318,17 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 		event.Source = esRecord["_index"].(string)
 		event.Id = esRecord["_id"].(string)
 		event.Type = esRecord["_type"].(string)
-		event.Score = esRecord["_score"].(float64)
+		if esRecord["_score"] != nil {
+			event.Score = esRecord["_score"].(float64)
+		}
 		event.Payload = flatten(store, esRecord["_source"].(map[string]interface{}))
-		var ts time.Time
+
 		if event.Payload["@timestamp"] != nil {
-			ts, _ = time.Parse(time.RFC3339, event.Payload["@timestamp"].(string))
+			event.Time, _ = time.Parse(time.RFC3339, event.Payload["@timestamp"].(string))
 		} else if event.Payload["timestamp"] != nil {
-			ts, _ = time.Parse(time.RFC3339, event.Payload["timestamp"].(string))
+			event.Time, _ = time.Parse(time.RFC3339, event.Payload["timestamp"].(string))
 		}
-		event.Timestamp = ts.Format("2006-01-02T15:04:05.000Z")
+		event.Timestamp = event.Time.Format("2006-01-02T15:04:05.000Z")
 		results.Events = append(results.Events, event)
 	}
 
@@ -313,6 +343,136 @@ func convertFromElasticResults(store *ElasticEventstore, esJson string, results
 	return err
 }
 
+func parseTime(fieldmap map[string]interface{}, key string) *time.Time {
+	var t time.Time
+
+	if value, ok := fieldmap[key]; ok {
+		switch value.(type) {
+		case time.Time:
+			t = value.(time.Time)
+		case *time.Time:
+			t = *(value.(*time.Time))
+		case string:
+			t, _ = time.Parse(time.RFC3339, value.(string))
+		}
+	}
+
+	return &t
+}
+
+func convertElasticEventToAuditable(event *model.EventRecord, auditable *model.Auditable) error {
+	auditable.Id = event.Id
+	auditable.UpdateTime = &event.Time
+	if value, ok := event.Payload["kind"]; ok {
+		auditable.Kind = value.(string)
+	}
+	if value, ok := event.Payload["operation"]; ok {
+		auditable.Operation = value.(string)
+	}
+	return nil
+}
+
+func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
+	var err error
+	var obj *model.Case
+
+	if event != nil {
+		obj = model.NewCase()
+		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		if err == nil {
+			if value, ok := event.Payload["case.title"]; ok {
+				obj.Title = value.(string)
+			}
+			if value, ok := event.Payload["case.description"]; ok {
+				obj.Description = value.(string)
+			}
+			if value, ok := event.Payload["case.priority"]; ok {
+				obj.Priority = int(value.(float64))
+			}
+			if value, ok := event.Payload["case.severity"]; ok {
+				obj.Severity = int(value.(float64))
+			}
+			if value, ok := event.Payload["case.status"]; ok {
+				obj.Status = value.(string)
+			}
+			if value, ok := event.Payload["case.template"]; ok {
+				obj.Template = value.(string)
+			}
+			if value, ok := event.Payload["case.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload["case.assigneeId"]; ok {
+				obj.AssigneeId = value.(string)
+			}
+			if value, ok := event.Payload["case.tlp"]; ok {
+				obj.Tlp = value.(string)
+			}
+			if value, ok := event.Payload["case.category"]; ok {
+				obj.Category = value.(string)
+			}
+			if value, ok := event.Payload["case.pap"]; ok {
+				obj.Pap = value.(string)
+			}
+			if value, ok := event.Payload["case.tags"]; ok {
+				obj.Tags = convertToStringArray(value.([]interface{}))
+			}
+			obj.CreateTime = parseTime(event.Payload, "case.createTime")
+			obj.StartTime = parseTime(event.Payload, "case.startTime")
+			obj.CompleteTime = parseTime(event.Payload, "case.completeTime")
+		}
+	}
+	return obj, err
+}
+
+func convertToStringArray(input []interface{}) []string {
+	out := make([]string, len(input), len(input))
+	for idx, value := range input {
+		out[idx] = value.(string)
+	}
+	return out
+}
+
+func convertElasticEventToComment(event *model.EventRecord) (*model.Comment, error) {
+	var err error
+	var obj *model.Comment
+
+	if event != nil {
+		obj = model.NewComment()
+		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		if err == nil {
+			if value, ok := event.Payload["comment.description"]; ok {
+				obj.Description = value.(string)
+			}
+			if value, ok := event.Payload["comment.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload["comment.caseId"]; ok {
+				obj.CaseId = value.(string)
+			}
+			obj.CreateTime = parseTime(event.Payload, "comment.createTime")
+		}
+	}
+
+	return obj, err
+}
+
+func convertElasticEventToObject(event *model.EventRecord) (interface{}, error) {
+	var obj interface{}
+	var err error
+
+	if value, ok := event.Payload["kind"]; ok {
+		switch value.(string) {
+		case "case":
+			obj, err = convertElasticEventToCase(event)
+		case "comment":
+			obj, err = convertElasticEventToComment(event)
+		}
+	} else {
+		err = errors.New("Unknown object kind; id=" + event.Id)
+	}
+	return obj, err
+}
+
 func convertToElasticUpdateRequest(store *ElasticEventstore, criteria *model.EventUpdateCriteria) (string, error) {
 	var err error
 	var esJson string
@@ -350,3 +510,33 @@ func convertFromElasticUpdateResults(store *ElasticEventstore, esJson string, re
 
 	return err
 }
+
+func convertObjectToDocumentMap(name string, obj interface{}) map[string]interface{} {
+	doc := make(map[string]interface{})
+	doc[name] = obj
+	doc["@timestamp"] = time.Now()
+	return doc
+}
+
+func convertToElasticIndexRequest(store *ElasticEventstore, event map[string]interface{}) (string, error) {
+	var err error
+	var esJson string
+
+	bytes, err := json.WriteJson(event)
+	if err == nil {
+		esJson = string(bytes)
+	}
+
+	return esJson, err
+}
+
+func convertFromElasticIndexResults(store *ElasticEventstore, esJson string, results *model.EventIndexResults) error {
+	esResults := make(map[string]interface{})
+	err := json.LoadJson([]byte(esJson), &esResults)
+
+	results.DocumentId = esResults["_id"].(string)
+	result := esResults["result"].(string)
+	results.Success = result == "created" || result == "updated"
+
+	return err
+}
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 1ea78c22..dfbd184c 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -86,10 +86,11 @@ func TestCalcTimelineInterval(tester *testing.T) {
 
 func TestConvertToElasticRequestEmptyCriteria(tester *testing.T) {
 	criteria := model.NewEventSearchCriteria()
+	criteria.MetricLimit = 0
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
 	assert.Nil(tester, err)
 
-	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1s","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"0001-01-01T00:00:00Z","lte":"0001-01-01T00:00:00Z"}}}],"must_not":[],"should":[]}},"size":25}`
+	expectedJson := `{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"*"}}],"must_not":[],"should":[]}},"size":25}`
 	assert.Equal(tester, expectedJson, actualJson)
 }
 
@@ -103,6 +104,26 @@ func TestConvertToElasticRequestGroupByCriteria(tester *testing.T) {
 	assert.Equal(tester, expectedJson, actualJson)
 }
 
+func TestConvertToElasticRequestSortByCriteria(tester *testing.T) {
+	criteria := model.NewEventSearchCriteria()
+	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
+	assert.Nil(tester, err)
+
+	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":"desc"},{"jkl":"asc"}]}`
+	assert.Equal(tester, expectedJson, actualJson)
+}
+
+func TestConvertToElasticRequestGroupBySortByCriteria(tester *testing.T) {
+	criteria := model.NewEventSearchCriteria()
+	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl* | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
+	assert.Nil(tester, err)
+
+	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby|ghi":{"aggs":{"groupby|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":"desc"},{"jkl":"asc"}]}`
+	assert.Equal(tester, expectedJson, actualJson)
+}
+
 func TestConvertFromElasticResultsSuccess(tester *testing.T) {
 	esData, err := ioutil.ReadFile("converter_response.json")
 	assert.Nil(tester, err)
@@ -228,3 +249,144 @@ func TestMapSearch(tester *testing.T) {
 	validateMappedQuery(tester, "barfoo: \"bar\"", "barfoo: \"bar\"")
 	validateMappedQuery(tester, "barfoo: \"foo: bar\"", "barfoo: \"foo: bar\"")
 }
+
+func TestConvertObjectToDocumentMap(tester *testing.T) {
+	caseObj := model.NewCase()
+	actual := convertObjectToDocumentMap("test", caseObj)
+	assert.NotNil(tester, actual)
+	assert.Equal(tester, caseObj, actual["test"])
+	assert.NotNil(tester, actual["@timestamp"])
+}
+
+func TestConvertToElasticIndexRequest(tester *testing.T) {
+	store := NewTestStore()
+	event := make(map[string]interface{})
+	event["foo"] = "bar"
+	expected := `{"foo":"bar"}`
+
+	actual, err := convertToElasticIndexRequest(store, event)
+	assert.NoError(tester, err)
+	assert.Equal(tester, expected, actual)
+}
+
+func TestConvertFromElasticIndexResults(tester *testing.T) {
+	store := NewTestStore()
+	results := model.NewEventIndexResults()
+	json := `{"_version":1, "_id":"123abc", "result": "successful"}`
+
+	err := convertFromElasticIndexResults(store, json, results)
+	assert.NoError(tester, err)
+}
+
+func TestConvertElasticEventToCaseNil(tester *testing.T) {
+	caseObj, err := convertElasticEventToCase(nil)
+	assert.NoError(tester, err)
+	assert.Nil(tester, caseObj)
+}
+
+func TestConvertElasticEventToCase(tester *testing.T) {
+	myTime := time.Now()
+	myCreateTime := myTime.Add(time.Hour * -1)
+	myCompleteTime := myTime.Add(time.Hour * -2)
+	myStartTime := myTime.Add(time.Hour * -3)
+
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "case"
+	event.Payload["operation"] = "update"
+	event.Payload["case.title"] = "myTitle"
+	event.Payload["case.description"] = "myDesc"
+	event.Payload["case.priority"] = float64(123)
+	event.Payload["case.severity"] = float64(456)
+	event.Payload["case.status"] = "myStatus"
+	event.Payload["case.template"] = "myTemplate"
+	event.Payload["case.userId"] = "myUserId"
+	event.Payload["case.assigneeId"] = "myAssigneeId"
+	event.Payload["case.tlp"] = "myTlp"
+	event.Payload["case.pap"] = "myPap"
+	event.Payload["case.category"] = "myCategory"
+	tags := make([]interface{}, 2, 2)
+	tags[0] = "tag1"
+	tags[1] = "tag2"
+	event.Payload["case.tags"] = tags
+	event.Time = myTime
+	event.Payload["case.createTime"] = myCreateTime
+	event.Payload["case.completeTime"] = myCompleteTime
+	event.Payload["case.startTime"] = myStartTime
+	caseObj, err := convertElasticEventToCase(event)
+	assert.NoError(tester, err)
+	assert.Equal(tester, "case", caseObj.Kind)
+	assert.Equal(tester, "update", caseObj.Operation)
+	assert.Equal(tester, "myTitle", caseObj.Title)
+	assert.Equal(tester, "myDesc", caseObj.Description)
+	assert.Equal(tester, 123, caseObj.Priority)
+	assert.Equal(tester, 456, caseObj.Severity)
+	assert.Equal(tester, "myStatus", caseObj.Status)
+	assert.Equal(tester, "myTemplate", caseObj.Template)
+	assert.Equal(tester, "myUserId", caseObj.UserId)
+	assert.Equal(tester, "myAssigneeId", caseObj.AssigneeId)
+	assert.Equal(tester, "myPap", caseObj.Pap)
+	assert.Equal(tester, "myTlp", caseObj.Tlp)
+	assert.Equal(tester, "myCategory", caseObj.Category)
+	assert.Equal(tester, tags[0], "tag1")
+	assert.Equal(tester, tags[1], "tag2")
+	assert.Equal(tester, &myTime, caseObj.UpdateTime)
+	assert.Equal(tester, &myCreateTime, caseObj.CreateTime)
+	assert.Equal(tester, &myCompleteTime, caseObj.CompleteTime)
+	assert.Equal(tester, &myStartTime, caseObj.StartTime)
+}
+
+func TestParseTime(tester *testing.T) {
+	m := make(map[string]interface{})
+
+	format := "2006-01-02 03:04pm"
+	t, _ := time.Parse(format, "2021-12-20 12:43pm")
+	m["obj"] = t
+	m["ptr"] = &t
+	m["str"] = "2021-12-20T12:43:00Z"
+	m["bad"] = 12
+
+	expected := "2021-12-20 12:43pm"
+
+	actual := parseTime(m, "obj").Format(format)
+	assert.Equal(tester, expected, actual)
+
+	actual = parseTime(m, "ptr").Format(format)
+	assert.Equal(tester, expected, actual)
+
+	actual = parseTime(m, "str").Format(format)
+	assert.Equal(tester, expected, actual)
+
+	actualObj := parseTime(m, "bad")
+	assert.True(tester, actualObj.IsZero())
+}
+
+func TestConvertElasticEventToCommentNil(tester *testing.T) {
+	obj, err := convertElasticEventToComment(nil)
+	assert.NoError(tester, err)
+	assert.Nil(tester, obj)
+}
+
+func TestConvertElasticEventToComment(tester *testing.T) {
+	myTime := time.Now()
+	myCreateTime := myTime.Add(time.Hour * -1)
+
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "comment"
+	event.Payload["operation"] = "create"
+	event.Payload["comment.description"] = "myDesc"
+	event.Payload["comment.userId"] = "myUserId"
+	event.Payload["comment.caseId"] = "myCaseId"
+	event.Time = myTime
+	event.Payload["comment.createTime"] = myCreateTime
+	obj, err := convertElasticEventToComment(event)
+	assert.NoError(tester, err)
+	assert.Equal(tester, "comment", obj.Kind)
+	assert.Equal(tester, "create", obj.Operation)
+	assert.Equal(tester, "myDesc", obj.Description)
+	assert.Equal(tester, "myUserId", obj.UserId)
+	assert.Equal(tester, "myCaseId", obj.CaseId)
+	assert.Equal(tester, &myTime, obj.UpdateTime)
+	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+}
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index f2f707a1..5a825529 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -11,10 +11,14 @@
 package elastic
 
 import (
+  "errors"
   "github.com/security-onion-solutions/securityonion-soc/module"
   "github.com/security-onion-solutions/securityonion-soc/server"
 )
 
+const DEFAULT_CASE_INDEX = "so-case"
+const DEFAULT_CASE_AUDIT_INDEX = "so-case-events"
+const DEFAULT_CASE_ASSOCIATIONS_MAX = 1000
 const DEFAULT_TIME_SHIFT_MS = 120000
 const DEFAULT_DURATION_MS = 1800000
 const DEFAULT_ES_SEARCH_OFFSET_MS = 1800000
@@ -59,9 +63,24 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
   index := module.GetStringDefault(cfg, "index", DEFAULT_INDEX)
   asyncThreshold := module.GetIntDefault(cfg, "asyncThreshold", DEFAULT_ASYNC_THRESHOLD)
   intervals := module.GetIntDefault(cfg, "intervals", DEFAULT_INTERVALS)
+  casesEnabled := module.GetBoolDefault(cfg, "casesEnabled", true)
   err := elastic.store.Init(host, remoteHosts, username, password, verifyCert, timeShiftMs, defaultDurationMs, esSearchOffsetMs, timeoutMs, cacheMs, index, asyncThreshold, intervals)
   if err == nil && elastic.server != nil {
     elastic.server.Eventstore = elastic.store
+    if casesEnabled {
+      if elastic.server.Casestore != nil {
+        err = errors.New("Multiple case modules cannot be enabled concurrently")
+      } else {
+        caseIndex := module.GetStringDefault(cfg, "caseIndex", DEFAULT_CASE_INDEX)
+        auditIndex := module.GetStringDefault(cfg, "auditIndex", DEFAULT_CASE_AUDIT_INDEX)
+        maxCaseAssociations := module.GetIntDefault(cfg, "maxCaseAssociations", DEFAULT_CASE_ASSOCIATIONS_MAX)
+        casestore := NewElasticCasestore(elastic.server)
+        err = casestore.Init(caseIndex, auditIndex, maxCaseAssociations)
+        if err == nil {
+          elastic.server.Casestore = casestore
+        }
+      }
+    }
   }
   return err
 }
diff --git a/server/modules/elastic/elastic_test.go b/server/modules/elastic/elastic_test.go
index b88171ba..1be16925 100644
--- a/server/modules/elastic/elastic_test.go
+++ b/server/modules/elastic/elastic_test.go
@@ -15,27 +15,35 @@ import (
 	"time"
 
 	"github.com/security-onion-solutions/securityonion-soc/module"
+	"github.com/security-onion-solutions/securityonion-soc/server"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestElasticInit(tester *testing.T) {
-	elastic := NewElastic(nil)
+	srv := server.NewFakeUnauthorizedServer()
+	elastic := NewElastic(srv)
 	cfg := make(module.ModuleConfig)
 	err := elastic.Init(cfg)
-	if assert.Nil(tester, err) {
-		if assert.Len(tester, elastic.store.hostUrls, 1) {
-			assert.Equal(tester, "elasticsearch", elastic.store.hostUrls[0])
-		}
-		assert.Len(tester, elastic.store.esRemoteClients, 0)
-		assert.Len(tester, elastic.store.esAllClients, 1)
-		assert.Equal(tester, DEFAULT_TIME_SHIFT_MS, elastic.store.timeShiftMs)
-		assert.Equal(tester, DEFAULT_DURATION_MS, elastic.store.defaultDurationMs)
-		assert.Equal(tester, DEFAULT_ES_SEARCH_OFFSET_MS, elastic.store.esSearchOffsetMs)
-		expectedTimeout := time.Duration(DEFAULT_TIMEOUT_MS) * time.Millisecond
-		assert.Equal(tester, expectedTimeout, elastic.store.timeoutMs)
-		expectedCache := time.Duration(DEFAULT_CACHE_MS) * time.Millisecond
-		assert.Equal(tester, expectedCache, elastic.store.cacheMs)
-		assert.Equal(tester, DEFAULT_INDEX, elastic.store.index)
-		assert.Equal(tester, DEFAULT_INTERVALS, elastic.store.intervals)
-	}
+	assert.Nil(tester, err)
+	assert.NotNil(tester, srv.Eventstore)
+	assert.Len(tester, elastic.store.hostUrls, 1)
+	assert.Equal(tester, "elasticsearch", elastic.store.hostUrls[0])
+	assert.Len(tester, elastic.store.esRemoteClients, 0)
+	assert.Len(tester, elastic.store.esAllClients, 1)
+	assert.Equal(tester, DEFAULT_TIME_SHIFT_MS, elastic.store.timeShiftMs)
+	assert.Equal(tester, DEFAULT_DURATION_MS, elastic.store.defaultDurationMs)
+	assert.Equal(tester, DEFAULT_ES_SEARCH_OFFSET_MS, elastic.store.esSearchOffsetMs)
+	expectedTimeout := time.Duration(DEFAULT_TIMEOUT_MS) * time.Millisecond
+	assert.Equal(tester, expectedTimeout, elastic.store.timeoutMs)
+	expectedCache := time.Duration(DEFAULT_CACHE_MS) * time.Millisecond
+	assert.Equal(tester, expectedCache, elastic.store.cacheMs)
+	assert.Equal(tester, DEFAULT_INDEX, elastic.store.index)
+	assert.Equal(tester, DEFAULT_INTERVALS, elastic.store.intervals)
+
+	// Ensure casestore has been setup
+	assert.NotNil(tester, srv.Casestore)
+
+	// Ensure failure it attempting to init when a casestore is already setup
+	err = elastic.Init(cfg)
+	assert.Error(tester, err)
 }
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
new file mode 100644
index 00000000..08135f49
--- /dev/null
+++ b/server/modules/elastic/elasticcasestore.go
@@ -0,0 +1,284 @@
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package elastic
+
+import (
+  "context"
+  "errors"
+  "fmt"
+  "github.com/apex/log"
+  "github.com/security-onion-solutions/securityonion-soc/model"
+  "github.com/security-onion-solutions/securityonion-soc/server"
+  "github.com/security-onion-solutions/securityonion-soc/web"
+  "strconv"
+  "time"
+)
+
+const AUDIT_DOC_ID = "so_audit_doc_id"
+
+type ElasticCasestore struct {
+  server          *server.Server
+  index           string
+  auditIndex      string
+  maxAssociations int
+}
+
+func NewElasticCasestore(srv *server.Server) *ElasticCasestore {
+  return &ElasticCasestore{
+    server: srv,
+  }
+}
+
+func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociations int) error {
+  store.index = index
+  store.auditIndex = auditIndex
+  store.maxAssociations = maxAssociations
+  return nil
+}
+
+func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
+  obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
+
+  // Don't waste space by saving the these values which are already part of ES documents
+  id := obj.Id
+  obj.Id = ""
+  obj.UpdateTime = nil
+
+  return id
+}
+
+func (store *ElasticCasestore) save(ctx context.Context, obj interface{}, kind string, id string) (*model.EventIndexResults, error) {
+  var results *model.EventIndexResults
+  var err error
+
+  if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+    document := convertObjectToDocumentMap(kind, obj)
+    document["kind"] = kind
+    results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
+    if err == nil {
+      document[AUDIT_DOC_ID] = results.DocumentId
+      if id == "" {
+        document["operation"] = "create"
+      } else {
+        document["operation"] = "update"
+      }
+      _, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+      if err != nil {
+        log.WithFields(log.Fields{
+          "documentId": results.DocumentId,
+          "kind":       kind,
+        }).WithError(err).Error("Object indexed successfully however audit record failed to index")
+      }
+    }
+  }
+
+  return results, err
+}
+
+func (store *ElasticCasestore) delete(ctx context.Context, obj interface{}, kind string, id string) error {
+  var err error
+
+  if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
+    err = store.server.Eventstore.Delete(ctx, store.index, id)
+    if err == nil {
+      document := convertObjectToDocumentMap(kind, obj)
+      document[AUDIT_DOC_ID] = id
+      document["kind"] = kind
+      document["operation"] = "delete"
+      _, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
+      if err != nil {
+        log.WithFields(log.Fields{
+          "documentId": id,
+          "kind":       kind,
+        }).WithError(err).Error("Object deleted successfully however audit record failed to index")
+      }
+    }
+  }
+
+  return err
+}
+
+func (store *ElasticCasestore) get(ctx context.Context, id string, kind string) (interface{}, error) {
+  query := fmt.Sprintf(`_index:"%s" AND kind:"%s" AND _id:"%s"`, store.index, kind, id)
+  objects, err := store.getAll(ctx, query, 1)
+  if err == nil && len(objects) > 0 {
+    return objects[0], err
+  }
+  return nil, err
+}
+
+func (store *ElasticCasestore) getAll(ctx context.Context, query string, max int) ([]interface{}, error) {
+  var err error
+  var objects []interface{}
+
+  if err = store.server.CheckAuthorized(ctx, "read", "cases"); err == nil {
+    criteria := model.NewEventSearchCriteria()
+    format := "2006-01-02 3:04:05 PM"
+    var zeroTime time.Time
+    zeroTimeStr := zeroTime.Format(format)
+    now := time.Now()
+    endTime := now.Format(format)
+    zone := now.Location().String()
+    err = criteria.Populate(query,
+      zeroTimeStr+" - "+endTime, // timeframe range
+      format,                    // timeframe format
+      zone,                      // timezone
+      "0",                       // no metrics
+      strconv.Itoa(max))
+
+    if err == nil {
+      var results *model.EventSearchResults
+      results, err = store.server.Eventstore.Search(ctx, criteria)
+      if err == nil {
+        for _, event := range results.Events {
+          var obj interface{}
+          obj, err = convertElasticEventToObject(event)
+          if err == nil {
+            objects = append(objects, obj)
+          } else {
+            log.WithField("event", event).WithError(err).Error("Unable to convert case object")
+          }
+        }
+      }
+    }
+  }
+
+  return objects, err
+}
+
+func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case) (*model.Case, error) {
+  var err error
+
+  if socCase.Id != "" {
+    err = errors.New("Unexpected ID found in new case")
+  } else {
+    socCase.Status = model.CASE_STATUS_NEW
+    now := time.Now()
+    socCase.CreateTime = &now
+    var results *model.EventIndexResults
+    results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
+    if err == nil {
+      // Read object back to get new modify date, etc
+      socCase, err = store.GetCase(ctx, results.DocumentId)
+    }
+  }
+  return socCase, err
+}
+
+func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error) {
+  var err error
+
+  if socCase.Id == "" {
+    err = errors.New("Missing case ID")
+  } else {
+    var oldCase *model.Case
+    oldCase, err = store.GetCase(ctx, socCase.Id)
+    if err == nil {
+      // Preserve read-only fields
+      socCase.CreateTime = oldCase.CreateTime
+      socCase.CompleteTime = oldCase.CompleteTime
+      socCase.StartTime = oldCase.StartTime
+      var results *model.EventIndexResults
+      results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
+      if err == nil {
+        // Read object back to get new modify date, etc
+        socCase, err = store.GetCase(ctx, results.DocumentId)
+      }
+    }
+  }
+  return socCase, err
+}
+
+func (store *ElasticCasestore) GetCase(ctx context.Context, id string) (*model.Case, error) {
+  obj, err := store.get(ctx, id, "case")
+  if err == nil {
+    return obj.(*model.Case), nil
+  }
+  return nil, err
+}
+
+func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error) {
+  query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId)
+  return store.getAll(ctx, query, store.maxAssociations)
+}
+
+func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  var err error
+
+  if comment.Id != "" {
+    return nil, errors.New("Unexpected ID found in new comment")
+  } else if comment.CaseId == "" {
+    return nil, errors.New("Missing Case ID in new comment")
+  } else {
+    now := time.Now()
+    comment.CreateTime = &now
+    var results *model.EventIndexResults
+    results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+    if err == nil {
+      // Read object back to get new modify date, etc
+      comment, err = store.GetComment(ctx, results.DocumentId)
+    }
+  }
+  return comment, err
+}
+
+func (store *ElasticCasestore) GetComment(ctx context.Context, id string) (*model.Comment, error) {
+  obj, err := store.get(ctx, id, "comment")
+  if err == nil {
+    return obj.(*model.Comment), nil
+  }
+  return nil, err
+}
+
+func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) ([]*model.Comment, error) {
+  comments := make([]*model.Comment, 0)
+  query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
+  objects, err := store.getAll(ctx, query, store.maxAssociations)
+  if err == nil {
+    for _, obj := range objects {
+      comments = append(comments, obj.(*model.Comment))
+    }
+  }
+  return comments, err
+}
+
+func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  var err error
+
+  if comment.Id == "" {
+    err = errors.New("Missing comment ID")
+  } else {
+    var old *model.Comment
+    old, err = store.GetComment(ctx, comment.Id)
+    if err == nil {
+      // Preserve read-only fields
+      comment.CreateTime = old.CreateTime
+      var results *model.EventIndexResults
+      results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+      if err == nil {
+        // Read object back to get new modify date, etc
+        comment, err = store.GetComment(ctx, results.DocumentId)
+      }
+    }
+  }
+  return comment, err
+}
+
+func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) error {
+  var err error
+
+  var comment *model.Comment
+  comment, err = store.GetComment(ctx, id)
+  if err == nil {
+    err = store.delete(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+  }
+
+  return err
+}
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
new file mode 100644
index 00000000..9ef57ea9
--- /dev/null
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -0,0 +1,300 @@
+// Copyright 2019 Jason Ertel (jertel). All rights reserved.
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package elastic
+
+import (
+	"context"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestInit(tester *testing.T) {
+	store := NewElasticCasestore(nil)
+	store.Init("myIndex", "myAuditIndex", 45)
+	assert.Equal(tester, "myIndex", store.index)
+	assert.Equal(tester, "myAuditIndex", store.auditIndex)
+	assert.Equal(tester, 45, store.maxAssociations)
+}
+
+func TestPrepareForSave(tester *testing.T) {
+	store := NewElasticCasestore(nil)
+	obj := &model.Auditable{
+		Id: "myId",
+	}
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	actualId := store.prepareForSave(ctx, obj)
+	assert.Equal(tester, "myId", actualId)
+	assert.Equal(tester, "myRequestorId", obj.UserId)
+	assert.Equal(tester, "", obj.Id)
+	assert.Nil(tester, obj.UpdateTime)
+}
+
+func TestSaveCreate(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	obj := model.NewCase()
+	results, err := store.save(ctx, obj, "case", "")
+	assert.NoError(tester, err)
+	assert.Equal(tester, 2, len(fakeEventStore.InputIds))
+	assert.Equal(tester, "", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
+	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
+	assert.Equal(tester, 2, len(fakeEventStore.InputDocuments))
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
+	assert.Equal(tester, "create", fakeEventStore.InputDocuments[1]["operation"])
+	assert.NotNil(tester, results)
+}
+
+func TestSaveUpdate(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	obj := model.NewCase()
+	results, err := store.save(ctx, obj, "case", "myCaseId")
+	assert.NoError(tester, err)
+	assert.Equal(tester, 2, len(fakeEventStore.InputIds))
+	assert.Equal(tester, "myCaseId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
+	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
+	assert.Equal(tester, 2, len(fakeEventStore.InputDocuments))
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
+	assert.Equal(tester, "update", fakeEventStore.InputDocuments[1]["operation"])
+	assert.NotNil(tester, results)
+}
+
+func TestDelete(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	obj := model.NewCase()
+	err := store.delete(ctx, obj, "case", "myCaseId")
+	assert.NoError(tester, err)
+	assert.Equal(tester, 2, len(fakeEventStore.InputIds))
+	assert.Equal(tester, "myCaseId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
+	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
+	assert.Equal(tester, 1, len(fakeEventStore.InputDocuments))
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
+	assert.Equal(tester, "delete", fakeEventStore.InputDocuments[0]["operation"])
+}
+
+func TestGetAll(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := "some query"
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+	}
+
+	commentPayload := make(map[string]interface{})
+	commentPayload["kind"] = "comment"
+	commentEvent := &model.EventRecord{
+		Payload: commentPayload,
+	}
+
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	results, err := store.getAll(ctx, query, 123)
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, results, 2)
+}
+
+func TestGet(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"case" AND _id:"myCaseId"`
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	obj, err := store.get(ctx, "myCaseId", "case")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestCreateError(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	myCase := model.NewCase()
+	myCase.Id = "123"
+	newCase, err := store.Create(ctx, myCase)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Unexpected ID found in new case", err.Error())
+	assert.NotNil(tester, newCase)
+}
+
+func TestUpdateError(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	myCase := model.NewCase()
+	myCase.Id = ""
+	newCase, err := store.Update(ctx, myCase)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing case ID", err.Error())
+	assert.NotNil(tester, newCase)
+}
+
+func TestGetCase(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"case" AND _id:"myCaseId"`
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	obj, err := store.GetCase(ctx, "myCaseId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetCaseHistory(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId")`
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	results, err := store.GetCaseHistory(ctx, "myCaseId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, results, 1)
+}
+
+func TestCreateCommentUnexpectedId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	comment := model.NewComment()
+	comment.Id = "123"
+	_, err := store.CreateComment(ctx, comment)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Unexpected ID found in new comment", err.Error())
+}
+
+func TestCreateCommentMissingCaseId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	comment := model.NewComment()
+	_, err := store.CreateComment(ctx, comment)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing Case ID in new comment", err.Error())
+}
+
+func TestGetComment(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"comment" AND _id:"myCommentId"`
+	commentPayload := make(map[string]interface{})
+	commentPayload["kind"] = "comment"
+	commentEvent := &model.EventRecord{
+		Payload: commentPayload,
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	obj, err := store.GetComment(ctx, "myCommentId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetComments(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby comment.createTime^`
+	commentPayload := make(map[string]interface{})
+	commentPayload["kind"] = "comment"
+	commentEvent := &model.EventRecord{
+		Payload: commentPayload,
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	obj, err := store.GetComments(ctx, "myCaseId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestUpdateComment(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	comment := model.NewComment()
+	_, err := store.UpdateComment(ctx, comment)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing comment ID", err.Error())
+}
+
+func TestDeleteComment(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"comment" AND _id:"myCommentId"`
+	commentPayload := make(map[string]interface{})
+	commentPayload["kind"] = "comment"
+	commentEvent := &model.EventRecord{
+		Payload: commentPayload,
+		Id:      "myCommentId",
+	}
+	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	err := store.DeleteComment(ctx, "myCommentId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1) // Search to ensure it exists first
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, fakeEventStore.InputIds, 2) // Delete and Index (for audit)
+	assert.Equal(tester, "myCommentId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index a2f16814..6d5e523a 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -242,6 +242,51 @@ func (store *ElasticEventstore) Update(ctx context.Context, criteria *model.Even
 	return results, err
 }
 
+func (store *ElasticEventstore) Index(ctx context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error) {
+	var err error
+	results := model.NewEventIndexResults()
+	if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
+		store.refreshCache(ctx)
+
+		var request string
+		request, err = convertToElasticIndexRequest(store, document)
+		if err == nil {
+			var response string
+
+			log.Debug("Sending index request to primary Elasticsearch client")
+			response, err = store.indexDocument(ctx, index, request, id)
+			if err == nil {
+				err = convertFromElasticIndexResults(store, response, results)
+				if err != nil {
+					log.WithError(err).Error("Encountered error while converting document index results")
+				}
+			} else {
+				log.WithError(err).Error("Encountered error while indexing document into elasticsearch")
+			}
+		}
+	}
+	return results, err
+}
+
+func (store *ElasticEventstore) Delete(ctx context.Context, index string, id string) error {
+	var err error
+	results := model.NewEventIndexResults()
+	if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
+		var response string
+		log.Debug("Sending delete request to primary Elasticsearch client")
+		response, err = store.deleteDocument(ctx, index, id)
+		if err == nil {
+			err = convertFromElasticIndexResults(store, response, results)
+			if err != nil {
+				log.WithError(err).Error("Encountered error while converting document index results")
+			}
+		} else {
+			log.WithError(err).Error("Encountered error while deleting document from elasticsearch")
+		}
+	}
+	return err
+}
+
 func (store *ElasticEventstore) luceneSearch(ctx context.Context, query string) (string, error) {
 	return store.indexSearch(ctx, query, strings.Split(store.index, ","))
 }
@@ -298,16 +343,21 @@ func (store *ElasticEventstore) indexSearch(ctx context.Context, query string, i
 	return json, err
 }
 
-func (store *ElasticEventstore) indexDocument(ctx context.Context, document string, index string) (string, error) {
+func (store *ElasticEventstore) indexDocument(ctx context.Context, index string, document string, id string) (string, error) {
 	log.WithFields(log.Fields{
+		"index":     index,
+		"id":        id,
 		"document":  document,
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Adding document to Elasticsearch")
 
-	res, err := store.esClient.Index(store.transformIndex(index), strings.NewReader(document), store.esClient.Index.WithRefresh("true"))
+	res, err := store.esClient.Index(store.transformIndex(index),
+		strings.NewReader(document),
+		store.esClient.Index.WithRefresh("true"),
+		store.esClient.Index.WithDocumentID(id))
 
 	if err != nil {
-		log.WithError(err).Error("Unable to index acknowledgement into Elasticsearch")
+		log.WithError(err).Error("Unable to index document into Elasticsearch")
 		return "", err
 	}
 	defer res.Body.Close()
@@ -320,6 +370,35 @@ func (store *ElasticEventstore) indexDocument(ctx context.Context, document stri
 	return json, err
 }
 
+func (store *ElasticEventstore) deleteDocument(ctx context.Context, index string, id string) (string, error) {
+	log.WithFields(log.Fields{
+		"index":     index,
+		"id":        id,
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Deleting document from Elasticsearch")
+
+	res, err := store.esClient.Delete(store.transformIndex(index), id)
+
+	if err != nil {
+		log.WithFields(log.Fields{
+			"index":     index,
+			"id":        id,
+			"requestId": ctx.Value(web.ContextKeyRequestId),
+		}).WithError(err).Error("Unable to delete document from Elasticsearch")
+		return "", err
+	}
+	defer res.Body.Close()
+	json, err := store.readJsonFromResponse(res)
+
+	log.WithFields(log.Fields{
+		"index":     index,
+		"id":        id,
+		"response":  json,
+		"requestId": ctx.Value(web.ContextKeyRequestId),
+	}).Debug("Delete document finished")
+	return json, err
+}
+
 func (store *ElasticEventstore) updateDocuments(ctx context.Context, client *elasticsearch.Client, query string, indexes []string, waitForCompletion bool) (string, error) {
 	log.WithFields(log.Fields{
 		"query":     query,
diff --git a/server/modules/elasticcases/elasticcaseconverter.go b/server/modules/elasticcases/elasticcaseconverter.go
index 2a1d6dae..ee373fc1 100644
--- a/server/modules/elasticcases/elasticcaseconverter.go
+++ b/server/modules/elasticcases/elasticcaseconverter.go
@@ -39,13 +39,13 @@ func convertFromElasticCase(inputCase *ElasticCase) (*model.Case, error) {
 	outputCase.Id = inputCase.Id
 	outputCase.Status = inputCase.Status
 	if inputCase.CreatedDate != nil {
-		outputCase.CreateTime = *inputCase.CreatedDate
+		outputCase.CreateTime = inputCase.CreatedDate
 	}
 	if inputCase.ModifiedDate != nil {
-		outputCase.StartTime = *inputCase.ModifiedDate
+		outputCase.UpdateTime = inputCase.ModifiedDate
 	}
 	if inputCase.ClosedDate != nil {
-		outputCase.CompleteTime = *inputCase.ClosedDate
+		outputCase.CompleteTime = inputCase.ClosedDate
 	}
 	return outputCase, nil
 }
diff --git a/server/modules/elasticcases/elasticcaseconverter_test.go b/server/modules/elasticcases/elasticcaseconverter_test.go
index 48c3645c..1ad86138 100644
--- a/server/modules/elasticcases/elasticcaseconverter_test.go
+++ b/server/modules/elasticcases/elasticcaseconverter_test.go
@@ -19,8 +19,6 @@ import (
 )
 
 func TestConvertFromElasticCase(tester *testing.T) {
-	var emptyTime time.Time
-
 	elasticCase := NewElasticCase()
 	elasticCase.Title = "my title"
 	elasticCase.Description = "my description.\nline 2.\n"
@@ -35,9 +33,9 @@ func TestConvertFromElasticCase(tester *testing.T) {
 	assert.Equal(tester, elasticCase.Title, socCase.Title)
 	assert.Equal(tester, elasticCase.Description, socCase.Description)
 	assert.Equal(tester, elasticCase.Id, socCase.Id)
-	assert.Equal(tester, tm, socCase.CreateTime)
-	assert.Equal(tester, emptyTime, socCase.StartTime)
-	assert.Equal(tester, emptyTime, socCase.CompleteTime)
+	assert.Equal(tester, &tm, socCase.CreateTime)
+	assert.Nil(tester, socCase.StartTime)
+	assert.Nil(tester, socCase.CompleteTime)
 }
 
 func TestConvertToElasticCase(tester *testing.T) {
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index be8015c1..ee5c2e40 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -12,6 +12,7 @@ package elasticcases
 import (
   "context"
   "encoding/base64"
+  "errors"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
@@ -65,3 +66,35 @@ func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case)
   }
   return newCase, err
 }
+
+func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetCase(ctx context.Context, caseId string) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetComment(ctx context.Context, commentId string) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetComments(ctx context.Context, commentId string) ([]*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/generichttp/generichttpreader_test.go b/server/modules/generichttp/generichttpreader_test.go
index 4a0d8526..679c71a2 100644
--- a/server/modules/generichttp/generichttpreader_test.go
+++ b/server/modules/generichttp/generichttpreader_test.go
@@ -10,16 +10,18 @@
 package generichttp
 
 import (
-  "io"
-  "testing"
-
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/stretchr/testify/assert"
+  "io"
+  "testing"
+  "time"
 )
 
 func TestConvertCaseToReader(tester *testing.T) {
   socCase := model.NewCase()
   socCase.Id = "123"
+  tm, _ := time.Parse("2006-01-03 13:04 PM", "2006-01-03 13:04 PM")
+  socCase.CreateTime = &tm
   socCase.Title = "MyTitle"
   socCase.Description = "My \"Description\" is this."
   socCase.Severity = 44
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 3cc30d1f..357dc74a 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -71,3 +71,35 @@ func (store *HttpCasestore) Create(ctx context.Context, socCase *model.Case) (*m
   }
   return nil, err
 }
+
+func (store *HttpCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetCase(ctx context.Context, caseId string) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetComment(ctx context.Context, commentId string) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetComments(ctx context.Context, commentId string) ([]*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteComment(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 68254fb5..d19a25f7 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -12,6 +12,7 @@ package thehive
 
 import (
   "context"
+  "errors"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
@@ -63,3 +64,35 @@ func (store *TheHiveCasestore) Create(ctx context.Context, socCase *model.Case)
   }
   return newCase, err
 }
+
+func (store *TheHiveCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetCase(ctx context.Context, caseId string) (*model.Case, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetComment(ctx context.Context, commentId string) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetComments(ctx context.Context, commentId string) ([]*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteComment(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehiveconverter.go b/server/modules/thehive/thehiveconverter.go
index 6226559e..15ffc9e6 100644
--- a/server/modules/thehive/thehiveconverter.go
+++ b/server/modules/thehive/thehiveconverter.go
@@ -11,9 +11,9 @@
 package thehive
 
 import (
+	"github.com/security-onion-solutions/securityonion-soc/model"
 	"strconv"
 	"time"
-	"github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 func convertToTheHiveCase(inputCase *model.Case) (*TheHiveCase, error) {
@@ -39,8 +39,11 @@ func convertFromTheHiveCase(inputCase *TheHiveCase) (*model.Case, error) {
 	outputCase.Description = inputCase.Description
 	outputCase.Id = strconv.Itoa(inputCase.Id)
 	outputCase.Status = inputCase.Status
-	outputCase.CreateTime = time.Unix(inputCase.CreateDate / 1000, 0)
-	outputCase.StartTime = time.Unix(inputCase.StartDate / 1000, 0)
-	outputCase.CompleteTime = time.Unix(inputCase.EndDate / 1000, 0)
+	createTime := time.Unix(inputCase.CreateDate/1000, 0)
+	outputCase.CreateTime = &createTime
+	startTime := time.Unix(inputCase.StartDate/1000, 0)
+	outputCase.StartTime = &startTime
+	completeTime := time.Unix(inputCase.EndDate/1000, 0)
+	outputCase.CompleteTime = &completeTime
 	return outputCase, nil
-}
\ No newline at end of file
+}
diff --git a/server/queryhandler.go b/server/queryhandler.go
index 5bed7ec6..9724769d 100644
--- a/server/queryhandler.go
+++ b/server/queryhandler.go
@@ -83,6 +83,9 @@ func (queryHandler *QueryHandler) get(ctx context.Context, writer http.ResponseW
 	case "grouped":
 		field := request.Form.Get("field")
 		alteredQuery, err = query.Group(field)
+	case "sorted":
+		field := request.Form.Get("field")
+		alteredQuery, err = query.Sort(field)
 	default:
 		return http.StatusBadRequest, nil, errors.New("Unsupported query operation")
 	}
diff --git a/server/server.go b/server/server.go
index 5d99e951..2893637d 100644
--- a/server/server.go
+++ b/server/server.go
@@ -64,7 +64,7 @@ func (server *Server) Start() {
   } else {
     log.Info("Starting server")
 
-    server.Host.Register("/api/case", NewCaseHandler(server))
+    server.Host.Register("/api/case/", NewCaseHandler(server))
     server.Host.Register("/api/events/", NewEventHandler(server))
     server.Host.Register("/api/info", NewInfoHandler(server))
     server.Host.Register("/api/job/", NewJobHandler(server))

From 411c9e32b592cbe5264139cc41363ee03f3700c3 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 30 Nov 2021 09:03:00 -0500
Subject: [PATCH 02/98] Add case perms and roles to RBAC

---
 rbac/permissions | 2 ++
 rbac/roles       | 1 +
 2 files changed, 3 insertions(+)

diff --git a/rbac/permissions b/rbac/permissions
index 6c9817a6..b32a576a 100644
--- a/rbac/permissions
+++ b/rbac/permissions
@@ -2,6 +2,7 @@
 # Syntax      => permX: roleY roleZ
 # Explanation => roleY and roleZ are granted permission permX
 
+cases/read:       case-monitor
 cases/write:      case-admin
 events/read:      event-monitor
 events/write:     event-admin
@@ -24,6 +25,7 @@ users/delete:     user-admin
 # Syntax      => roleB: roleA
 # Explanation => roleA inherits all of roleA's permissions
 
+case-monitor:     case-admin
 event-monitor:    event-admin
 job-monitor:      job-admin
 job-user:         job-admin
diff --git a/rbac/roles b/rbac/roles
index 70deae11..1b6744c9 100644
--- a/rbac/roles
+++ b/rbac/roles
@@ -2,6 +2,7 @@
 # Syntax      => roleX: roleY roleZ
 # Explanation => roleY and roleZ are granted permissions of roleX
 
+case-monitor:     auditor limited-auditor
 case-admin:       analyst limited-analyst superuser
 event-admin:      analyst limited-analyst superuser
 event-monitor:    auditor limited-auditor

From 7a3a78707e7bdf209f44daa0ea130f6a68dfc3fe Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 2 Dec 2021 19:50:05 -0500
Subject: [PATCH 03/98] Add input validation

---
 server/modules/elastic/elasticcasestore.go    | 285 ++++++++++++++----
 .../modules/elastic/elasticcasestore_test.go  | 264 +++++++++++++++-
 2 files changed, 483 insertions(+), 66 deletions(-)

diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 08135f49..f0732f00 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -17,11 +17,15 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "regexp"
   "strconv"
   "time"
 )
 
 const AUDIT_DOC_ID = "so_audit_doc_id"
+const SHORT_STRING_MAX = 100
+const LONG_STRING_MAX = 1000000
+const MAX_ARRAY_ELEMENTS = 50
 
 type ElasticCasestore struct {
   server          *server.Server
@@ -43,6 +47,116 @@ func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociat
   return nil
 }
 
+func (store *ElasticCasestore) validateId(id string, label string) error {
+  var err error
+
+  isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{5,50}$`).MatchString
+  if !isValidId(id) {
+    err = errors.New(fmt.Sprintf("invalid ID for %s", label))
+  }
+  return err
+}
+
+func (store *ElasticCasestore) validateString(str string, max int, label string) error {
+  var err error
+  length := len(str)
+  if length > max {
+    err = errors.New(fmt.Sprintf("%s is too long (%d/%d)", label, length, max))
+  }
+  return err
+}
+
+func (store *ElasticCasestore) validateStringArray(array []string, maxLen int, maxElements int, label string) error {
+  var err error
+  length := len(array)
+  if length > maxElements {
+    err = errors.New(fmt.Sprintf("Field 'Tags' contains excessive elements (%d/%d)", length, maxElements))
+  } else {
+    for idx, tag := range array {
+      err = store.validateString(tag, maxLen, fmt.Sprintf("tag[%d]", idx))
+      if err != nil {
+        break
+      }
+    }
+  }
+  return err
+}
+
+func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
+  var err error
+
+  if err == nil && socCase.Id != "" {
+    err = store.validateId(socCase.Id, "caseId")
+  }
+  if err == nil && socCase.UserId != "" {
+    err = store.validateId(socCase.UserId, "userId")
+  }
+  if err == nil && socCase.AssigneeId != "" {
+    err = store.validateId(socCase.AssigneeId, "assigneeId")
+  }
+  if err == nil && socCase.Priority < 0 {
+    err = errors.New("Invalid priority")
+  }
+  if err == nil && socCase.Severity < 0 {
+    err = errors.New("Invalid severity")
+  }
+  if err == nil && len(socCase.Kind) > 0 {
+    err = errors.New("Field 'Kind' must not be specified")
+  }
+  if err == nil && len(socCase.Operation) > 0 {
+    err = errors.New("Field 'Operation' must not be specified")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Title, SHORT_STRING_MAX, "title")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Category, SHORT_STRING_MAX, "category")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Status, SHORT_STRING_MAX, "status")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Template, SHORT_STRING_MAX, "template")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Tlp, SHORT_STRING_MAX, "tlp")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Pap, SHORT_STRING_MAX, "pap")
+  }
+  if err == nil {
+    err = store.validateString(socCase.Description, LONG_STRING_MAX, "description")
+  }
+  if err == nil {
+    err = store.validateStringArray(socCase.Tags, SHORT_STRING_MAX, MAX_ARRAY_ELEMENTS, "tags")
+  }
+  return err
+}
+
+func (store *ElasticCasestore) validateComment(comment *model.Comment) error {
+  var err error
+
+  if err == nil && comment.Id != "" {
+    err = store.validateId(comment.Id, "commentId")
+  }
+  if err == nil && comment.CaseId != "" {
+    err = store.validateId(comment.CaseId, "caseId")
+  }
+  if err == nil && comment.UserId != "" {
+    err = store.validateId(comment.UserId, "userId")
+  }
+  if err == nil && len(comment.Kind) > 0 {
+    err = errors.New("Field 'Kind' must not be specified")
+  }
+  if err == nil && len(comment.Operation) > 0 {
+    err = errors.New("Field 'Operation' must not be specified")
+  }
+  if err == nil {
+    err = store.validateString(comment.Description, LONG_STRING_MAX, "description")
+  }
+  return err
+}
+
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
   obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -156,17 +270,20 @@ func (store *ElasticCasestore) getAll(ctx context.Context, query string, max int
 func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case) (*model.Case, error) {
   var err error
 
-  if socCase.Id != "" {
-    err = errors.New("Unexpected ID found in new case")
-  } else {
-    socCase.Status = model.CASE_STATUS_NEW
-    now := time.Now()
-    socCase.CreateTime = &now
-    var results *model.EventIndexResults
-    results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
-    if err == nil {
-      // Read object back to get new modify date, etc
-      socCase, err = store.GetCase(ctx, results.DocumentId)
+  err = store.validateCase(socCase)
+  if err == nil {
+    if socCase.Id != "" {
+      err = errors.New("Unexpected ID found in new case")
+    } else {
+      socCase.Status = model.CASE_STATUS_NEW
+      now := time.Now()
+      socCase.CreateTime = &now
+      var results *model.EventIndexResults
+      results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
+      if err == nil {
+        // Read object back to get new modify date, etc
+        socCase, err = store.GetCase(ctx, results.DocumentId)
+      }
     }
   }
   return socCase, err
@@ -175,21 +292,24 @@ func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case)
 func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error) {
   var err error
 
-  if socCase.Id == "" {
-    err = errors.New("Missing case ID")
-  } else {
-    var oldCase *model.Case
-    oldCase, err = store.GetCase(ctx, socCase.Id)
-    if err == nil {
-      // Preserve read-only fields
-      socCase.CreateTime = oldCase.CreateTime
-      socCase.CompleteTime = oldCase.CompleteTime
-      socCase.StartTime = oldCase.StartTime
-      var results *model.EventIndexResults
-      results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
+  err = store.validateCase(socCase)
+  if err == nil {
+    if socCase.Id == "" {
+      err = errors.New("Missing case ID")
+    } else {
+      var oldCase *model.Case
+      oldCase, err = store.GetCase(ctx, socCase.Id)
       if err == nil {
-        // Read object back to get new modify date, etc
-        socCase, err = store.GetCase(ctx, results.DocumentId)
+        // Preserve read-only fields
+        socCase.CreateTime = oldCase.CreateTime
+        socCase.CompleteTime = oldCase.CompleteTime
+        socCase.StartTime = oldCase.StartTime
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          socCase, err = store.GetCase(ctx, results.DocumentId)
+        }
       }
     }
   }
@@ -197,53 +317,84 @@ func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case)
 }
 
 func (store *ElasticCasestore) GetCase(ctx context.Context, id string) (*model.Case, error) {
-  obj, err := store.get(ctx, id, "case")
+  var err error
+  var socCase *model.Case
+
+  err = store.validateId(id, "caseId")
   if err == nil {
-    return obj.(*model.Case), nil
+    var obj interface{}
+    obj, err = store.get(ctx, id, "case")
+    if err == nil {
+      socCase = obj.(*model.Case)
+    }
   }
-  return nil, err
+  return socCase, err
 }
 
 func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error) {
-  query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId)
-  return store.getAll(ctx, query, store.maxAssociations)
+  var err error
+  var history []interface{}
+
+  err = store.validateId(caseId, "caseId")
+  if err == nil {
+    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId)
+    history, err = store.getAll(ctx, query, store.maxAssociations)
+  }
+  return history, err
 }
 
 func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
   var err error
 
-  if comment.Id != "" {
-    return nil, errors.New("Unexpected ID found in new comment")
-  } else if comment.CaseId == "" {
-    return nil, errors.New("Missing Case ID in new comment")
-  } else {
-    now := time.Now()
-    comment.CreateTime = &now
-    var results *model.EventIndexResults
-    results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
-    if err == nil {
-      // Read object back to get new modify date, etc
-      comment, err = store.GetComment(ctx, results.DocumentId)
+  err = store.validateComment(comment)
+  if err == nil {
+    if comment.Id != "" {
+      return nil, errors.New("Unexpected ID found in new comment")
+    } else if comment.CaseId == "" {
+      return nil, errors.New("Missing Case ID in new comment")
+    } else {
+      now := time.Now()
+      comment.CreateTime = &now
+      var results *model.EventIndexResults
+      results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+      if err == nil {
+        // Read object back to get new modify date, etc
+        comment, err = store.GetComment(ctx, results.DocumentId)
+      }
     }
   }
   return comment, err
 }
 
 func (store *ElasticCasestore) GetComment(ctx context.Context, id string) (*model.Comment, error) {
-  obj, err := store.get(ctx, id, "comment")
+  var err error
+  var comment *model.Comment
+
+  err = store.validateId(id, "commentId")
   if err == nil {
-    return obj.(*model.Comment), nil
+    var obj interface{}
+    obj, err = store.get(ctx, id, "comment")
+    if err == nil {
+      comment = obj.(*model.Comment)
+    }
   }
-  return nil, err
+  return comment, err
 }
 
 func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) ([]*model.Comment, error) {
-  comments := make([]*model.Comment, 0)
-  query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
-  objects, err := store.getAll(ctx, query, store.maxAssociations)
+  var err error
+  var comments []*model.Comment
+
+  err = store.validateId(caseId, "caseId")
   if err == nil {
-    for _, obj := range objects {
-      comments = append(comments, obj.(*model.Comment))
+    comments = make([]*model.Comment, 0)
+    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
+    var objects []interface{}
+    objects, err = store.getAll(ctx, query, store.maxAssociations)
+    if err == nil {
+      for _, obj := range objects {
+        comments = append(comments, obj.(*model.Comment))
+      }
     }
   }
   return comments, err
@@ -252,19 +403,22 @@ func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) (
 func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
   var err error
 
-  if comment.Id == "" {
-    err = errors.New("Missing comment ID")
-  } else {
-    var old *model.Comment
-    old, err = store.GetComment(ctx, comment.Id)
-    if err == nil {
-      // Preserve read-only fields
-      comment.CreateTime = old.CreateTime
-      var results *model.EventIndexResults
-      results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+  err = store.validateComment(comment)
+  if err == nil {
+    if comment.Id == "" {
+      err = errors.New("Missing comment ID")
+    } else {
+      var old *model.Comment
+      old, err = store.GetComment(ctx, comment.Id)
       if err == nil {
-        // Read object back to get new modify date, etc
-        comment, err = store.GetComment(ctx, results.DocumentId)
+        // Preserve read-only fields
+        comment.CreateTime = old.CreateTime
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          comment, err = store.GetComment(ctx, results.DocumentId)
+        }
       }
     }
   }
@@ -275,9 +429,12 @@ func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) err
   var err error
 
   var comment *model.Comment
-  comment, err = store.GetComment(ctx, id)
+  err = store.validateId(id, "id")
   if err == nil {
-    err = store.delete(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+    comment, err = store.GetComment(ctx, id)
+    if err == nil {
+      err = store.delete(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+    }
   }
 
   return err
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 9ef57ea9..16a23c68 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -40,6 +40,266 @@ func TestPrepareForSave(tester *testing.T) {
 	assert.Nil(tester, obj.UpdateTime)
 }
 
+func TestValidateIdInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	err = store.validateId("", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("1", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("a", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("this is invalid since it has spaces", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("'quotes'", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("\"dblquotes\"", "test")
+	assert.Error(tester, err)
+
+	err = store.validateId("123456789012345678901234567890123456789012345678901", "test")
+	assert.Error(tester, err)
+}
+
+func TestValidateIdValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	err = store.validateId("12345", "test")
+	assert.NoError(tester, err)
+
+	err = store.validateId("123456", "test")
+	assert.NoError(tester, err)
+
+	err = store.validateId("1-2-A-b", "test")
+	assert.NoError(tester, err)
+
+	err = store.validateId("1-2-a-b_2klj", "test")
+	assert.NoError(tester, err)
+
+	err = store.validateId("12345678901234567890123456789012345678901234567890", "test")
+	assert.NoError(tester, err)
+}
+
+func TestValidateStringInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	err = store.validateString("1234567", 6, "test")
+	assert.Error(tester, err)
+
+	err = store.validateString("12345678", 6, "test")
+	assert.Error(tester, err)
+}
+
+func TestValidateStringValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	err = store.validateString("12345", 6, "test")
+	assert.NoError(tester, err)
+
+	err = store.validateString("123456", 6, "test")
+	assert.NoError(tester, err)
+
+	err = store.validateString("", 6, "test")
+	assert.NoError(tester, err)
+}
+
+func TestValidateCaseInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	socCase := model.NewCase()
+
+	socCase.Id = "this is an invalid id"
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "invalid ID for caseId")
+	socCase.Id = ""
+
+	socCase.UserId = "this is an invalid id"
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "invalid ID for userId")
+	socCase.UserId = ""
+
+	socCase.AssigneeId = "this is an invalid id"
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "invalid ID for assigneeId")
+	socCase.AssigneeId = ""
+
+	for x := 1; x < 5; x++ {
+		socCase.Title += "this is my unreasonably long title\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "title is too long (140/100)")
+	socCase.Title = "myTitle"
+
+	for x := 1; x < 30000; x++ {
+		socCase.Description += "this is my unreasonably long description\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "description is too long (1229959/1000000)")
+	socCase.Description = "myDescription"
+
+	socCase.Priority = -12
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "Invalid priority")
+	socCase.Priority = 12
+
+	socCase.Severity = -12
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "Invalid severity")
+	socCase.Severity = 12
+
+	for x := 1; x < 5; x++ {
+		socCase.Tlp += "this is my unreasonably long tlp\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "tlp is too long (132/100)")
+	socCase.Tlp = "myTlp"
+
+	for x := 1; x < 5; x++ {
+		socCase.Pap += "this is my unreasonably long pap\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "pap is too long (132/100)")
+	socCase.Pap = "myPap"
+
+	for x := 1; x < 5; x++ {
+		socCase.Category += "this is my unreasonably long category\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "category is too long (152/100)")
+	socCase.Category = "myCategory"
+
+	for x := 1; x < 5; x++ {
+		socCase.Template += "this is my unreasonably long template\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "template is too long (152/100)")
+	socCase.Template = "myTemplate"
+
+	for x := 1; x < 5; x++ {
+		socCase.Status += "this is my unreasonably long status\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "status is too long (144/100)")
+	socCase.Status = "myStatus"
+
+	socCase.Kind = "myKind"
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "Field 'Kind' must not be specified")
+	socCase.Kind = ""
+
+	socCase.Operation = "myOperation"
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "Field 'Operation' must not be specified")
+	socCase.Operation = ""
+
+	tag := ""
+	for x := 1; x < 5; x++ {
+		tag += "this is my unreasonably long tag\n"
+	}
+	socCase.Tags = append(socCase.Tags, tag)
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "tag[0] is too long (132/100)")
+	socCase.Tags = nil
+
+	for x := 1; x < 500; x++ {
+		socCase.Tags = append(socCase.Tags, "myTag")
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "Field 'Tags' contains excessive elements (499/50)")
+	socCase.Tags = nil
+}
+
+func TestValidateCaseValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	socCase := model.NewCase() // empty cases are valid cases
+	err = store.validateCase(socCase)
+	assert.NoError(tester, err)
+
+	socCase.Id = "123456"
+	socCase.Title = "this is my reasonable long title - nothing excessive, just a normal title"
+	for x := 1; x < 500; x++ {
+		socCase.Description += "this is my reasonably long description\n"
+	}
+	socCase.Priority = 123
+	socCase.Severity = 1
+	socCase.Tags = append(socCase.Tags, "tag1")
+	socCase.Tags = append(socCase.Tags, "tag2")
+	socCase.Tlp = "amber"
+	socCase.Pap = "check"
+	socCase.Category = "confirmed"
+	socCase.Status = "in progress"
+	socCase.Template = "tbd"
+	socCase.UserId = "myUserId"
+	socCase.AssigneeId = "myAssigneeId"
+	err = store.validateCase(socCase)
+	assert.NoError(tester, err)
+}
+
+func TestValidateCommentInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	comment := model.NewComment()
+
+	comment.Id = "this is an invalid id"
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "invalid ID for commentId")
+	comment.Id = ""
+
+	comment.CaseId = "this is an invalid id"
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "invalid ID for caseId")
+	comment.CaseId = ""
+
+	comment.UserId = "this is an invalid id"
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "invalid ID for userId")
+	comment.UserId = ""
+
+	for x := 1; x < 30000; x++ {
+		comment.Description += "this is my unreasonably long description\n"
+	}
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "description is too long (1229959/1000000)")
+	comment.Description = "myDescription"
+}
+
+func TestValidateCommentValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	comment := model.NewComment() // empty comments are valid comments
+	err = store.validateComment(comment)
+	assert.NoError(tester, err)
+
+	comment.Id = "123456"
+	comment.UserId = "myUserId"
+	for x := 1; x < 500; x++ {
+		comment.Description += "this is my reasonably long description\n"
+	}
+	err = store.validateComment(comment)
+	assert.NoError(tester, err)
+}
+
 func TestSaveCreate(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	store.Init("myIndex", "myAuditIndex", 45)
@@ -153,7 +413,7 @@ func TestCreateError(tester *testing.T) {
 	myCase.Id = "123"
 	newCase, err := store.Create(ctx, myCase)
 	assert.Error(tester, err)
-	assert.Equal(tester, "Unexpected ID found in new case", err.Error())
+	assert.Equal(tester, "invalid ID for caseId", err.Error())
 	assert.NotNil(tester, newCase)
 }
 
@@ -212,7 +472,7 @@ func TestCreateCommentUnexpectedId(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	comment := model.NewComment()
-	comment.Id = "123"
+	comment.Id = "123444"
 	_, err := store.CreateComment(ctx, comment)
 	assert.Error(tester, err)
 	assert.Equal(tester, "Unexpected ID found in new comment", err.Error())

From b679c6e3abe7a31050d40ebc121051884c3ac638 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 6 Dec 2021 12:15:26 -0500
Subject: [PATCH 04/98] Correct tag conversion when no tags exist

---
 server/modules/elastic/converter.go      |  2 +-
 server/modules/elastic/converter_test.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 467bfe8c..49ef065c 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -413,7 +413,7 @@ func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
 			if value, ok := event.Payload["case.pap"]; ok {
 				obj.Pap = value.(string)
 			}
-			if value, ok := event.Payload["case.tags"]; ok {
+			if value, ok := event.Payload["case.tags"]; ok && value != nil {
 				obj.Tags = convertToStringArray(value.([]interface{}))
 			}
 			obj.CreateTime = parseTime(event.Payload, "case.createTime")
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index dfbd184c..6b495f62 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -284,6 +284,17 @@ func TestConvertElasticEventToCaseNil(tester *testing.T) {
 	assert.Nil(tester, caseObj)
 }
 
+func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "case"
+	event.Payload["operation"] = "create"
+	event.Payload["case.tags"] = nil
+
+	_, err := convertElasticEventToCase(event)
+	assert.NoError(tester, err)
+}
+
 func TestConvertElasticEventToCase(tester *testing.T) {
 	myTime := time.Now()
 	myCreateTime := myTime.Add(time.Hour * -1)

From 565956410b423145504edc20773f6e57a49afb11 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 6 Dec 2021 17:17:12 -0500
Subject: [PATCH 05/98] [wip] First case ui changes

---
 html/css/app.css       |   7 ++-
 html/index.html        |  72 ++++++++++++++++++++--------
 html/js/i18n.js        |   4 +-
 html/js/routes/case.js | 106 ++++++++++++++++++++++++++++-------------
 4 files changed, 132 insertions(+), 57 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 3694a2c3..fd5286cf 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -178,6 +178,11 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   white-space: wrap;
 }
 
+.case.title.v-text-field input {
+  font-size: 1.2em;
+  margin-bottom: 0.15em;
+}
+
 td {
   white-space: nowrap;
 }
@@ -203,4 +208,4 @@ td {
 
 #connection-indicator {
   color: white;
-}
\ No newline at end of file
+}
diff --git a/html/index.html b/html/index.html
index e6a26b91..a87038ff 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1172,15 +1172,48 @@ <h2>{{ i18n.viewJob }}</h2>
 
     <script type="text/x-template" id="page-case">
       <v-container fluid>
-        <v-row>
-          <v-col>
-            <h2>{{ i18n.viewCase }}</h2>
-          </v-col>
-        </v-row>
-        <v-row>
+        <v-form v-model="mainForms.info.valid">
+          <v-row class="mb-1">
+            <v-col>
+              <v-input hide-details="auto">
+                <v-text-field hide-details="auto" class="case title" v-model="mainForms.info.title"/>
+              </v-input>
+            </v-col>
+          </v-row>
+          <div class="align-center d-inline-flex mr-4">
+            <div class="mr-2">{{i18n.caseAssignee}}: </div>
+            <v-select dense outlined hide-details :items="userList" v-model="mainForms.info.assigneeId" item-text="email" item-value="id"></v-select>
+          </div>
+          <div class="align-center d-inline-flex">
+            <div class="mr-2">{{i18n.status}}: </div>
+            <v-select dense outlined hide-details :items="statusList" v-model="mainForms.info.status" item-text="text" item-value="value"></v-select>
+          </div>
+          <!-- <v-row dense class="ml-1 my-4">
+            <v-col class="col-12 col-md-7">
+              <v-row align="center">
+                <v-col class="d-flex flex-column justify-center align-end col-3 col-sm-2 col-md-3">
+                  <div class="text-center">{{i18n.caseAssignee}}: </div>
+                </v-col>
+                <v-col class="col-9 col-sm-7 col-md-9">
+                  <v-select dense outlined hide-details :items="userList" v-model="mainForms.info.assigneeId" item-text="email" item-value="id"></v-select>
+                </v-col>
+              </v-row>
+            </v-col>
+            <v-col class="col-12 col-md-4">
+              <v-row align="center">
+                <v-col class="d-flex flex-column align-end col-3 col-sm-2 col-md-3">
+                  <div class="text-center">{{i18n.status}}: </div>
+                </v-col>
+                <v-col class="col-7 col-sm-4 col-md-7">
+                  <v-select dense outlined hide-details :items="statusList" v-model="mainForms.info.status" item-text="text" item-value="value"></v-select>
+                </v-col>
+              </v-row>
+            </v-col>
+          </v-row> -->
+        </v-form>
+        <v-row class="mt-2">
           <v-col>
-            <v-form v-model="form.valid">
-              <div>
+            <v-form v-model="mainForms.details.valid">
                 <span class="case label">{{ i18n.caseId }}:</span>
                 <span class="case value">{{ caseObj.id }}</span>
               </div>
@@ -1205,37 +1238,34 @@ <h2>{{ i18n.viewCase }}</h2>
                 <span class="case value">{{ caseObj.assignee }}</span>
               </div>
               <div>
-                <v-text-field v-model="form.title" :placeholder="i18n.caseTitle" persistent-hint :hint="i18n.caseTitleHelp" :rules="[rules.required]"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="form.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
+                <v-text-field v-model="mainForms.details.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForms.info.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForms.details.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForms.details.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
+                <v-text-field v-model="mainForms.details.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
               </div>              
               <div>
-                <v-text-field v-model="form.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
+                <v-text-field v-model="mainForms.details.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
+                <v-text-field v-model="mainForms.details.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
+                <v-text-field v-model="mainForms.details.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="form.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
+                <v-text-field v-model="mainForms.info.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
               </div>
               <div class="my-4">
-                <v-btn :disabled="!form.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
+                <v-btn :disabled="!mainForms.details.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
               <div>
             </form>
           </v-col>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 63851138..1942ea5b 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -51,7 +51,7 @@ const i18n = {
       blog: 'Blog',
       cancel: 'Cancel',
       cases: 'Cases',
-      caseAssignee: 'Assigned To',
+      caseAssignee: 'Assignee',
       caseAssigneeHelp: 'Designate the assignee for this case',
       caseCategory: 'Category',
       caseCategoryHelp: 'Category used for organizing and grouping similar cases',
@@ -94,7 +94,7 @@ const i18n = {
       darkMode: 'Dark Mode',
       dateClosed: 'Date Closed',
       dateCompleted: 'Date Completed',
-      dateCreated: 'Date Created',
+      dateCreated: 'Created',
       dateDataEpoch: 'Earliest PCAP',
       dateFailed: 'Date Failed',
       dateModified: 'Date Modified',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index c319837e..6cb91eab 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -34,19 +34,25 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     itemsPerPage: 10,
     footerProps: { 'items-per-page-options': [10,50,250,1000] },
     count: 500,
-    form: {
-      valid: false,
-      id: null,
-      title: null,
-      description: null,
-      status: null,
-      severity: null,
-      priority: null,
-      assigneeId: null,
-      tags: null,
-      tlp: null,
-      pap: null,
-      category: null
+    userList: [],
+    mainForms: {
+      info: {
+        valid: false,
+        title: null,
+        assigneeId: null,
+        status: null
+      },
+      details: {
+        valid: false,
+        id: null,
+        description: null,
+        severity: null,
+        priority: null,
+        tags: null,
+        tlp: null,
+        pap: null,
+        category: null
+      }
     },
     associatedForms: {
       comments: {
@@ -73,6 +79,34 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       required: value => (!!value) || this.$root.i18n.required,
     },
   }},
+  computed: {
+    severityList() {
+      return [
+        { text: 'High', value: 0 },
+        { text: 'Medium', value: 1 },
+        { text: 'Low', value: 2 },
+        { text: 'Extra Low', value: 3}
+      ]
+    },
+    severityString() {
+      return typeof(this.mainForms.details.severity) == Number
+        ? this.severityList.find(el => el.value == this.mainForms.details.severity).text
+        : this.mainForms.details.severity
+    }, 
+    statusList() {
+      const statuses = [
+        'new',
+        'in progress',
+        'closed'
+      ]
+      return statuses.map((value) => {
+        return {
+          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
+          value: value
+        }
+      })
+    }
+  },
   created() {
   },
   mounted() {
@@ -137,6 +171,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         const response = await this.$root.papi.get('case/', { params: {
             id: this.$route.params.id
         }});
+        this.userList = await this.$root.getUsers();
         this.updateCaseDetails(response.data);
         this.loadAssociations();
       } catch (error) {
@@ -150,35 +185,40 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$root.subscribe("case", this.updateCase);
     },
     updateCaseDetails(caseObj) {
-      this.form.id = caseObj.id;
-      this.form.title = caseObj.title;
-      this.form.description = caseObj.description;
-      this.form.severity = caseObj.severity;
-      this.form.priority = caseObj.priority;
-      this.form.status = caseObj.status;
-      this.form.tags = caseObj.tags ? caseObj.tags.join(", ") : "";
-      this.form.tlp = caseObj.tlp;
-      this.form.pap = caseObj.pap;
-      this.form.category = caseObj.category;
-      this.form.assigneeId = caseObj.assigneeId;
+      this.mainForms.details.id = caseObj.id;
+      this.mainForms.info.title = caseObj.title;
+      this.mainForms.details.description = caseObj.description;
+      this.mainForms.details.severity = caseObj.severity;
+      this.mainForms.details.priority = caseObj.priority;
+      this.mainForms.info.status = caseObj.status;
+      this.mainForms.details.tags = caseObj.tags ? caseObj.tags.join(", ") : "";
+      this.mainForms.details.tlp = caseObj.tlp;
+      this.mainForms.details.pap = caseObj.pap;
+      this.mainForms.details.category = caseObj.category;
+      this.mainForms.info.assigneeId = caseObj.assigneeId;
       this.$root.populateUserDetails(caseObj, "userId", "owner");
       this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
       this.caseObj = caseObj;
-    },    
+    },
     async modifyCase() {
       this.$root.startLoading();
       try {
         // Convert priority and severity to ints
-        this.form.severity = parseInt(this.form.severity, 10);
-        this.form.priority = parseInt(this.form.priority, 10);
-        const formattedTags = this.form.tags;
-        if (this.form.tags) {
-          this.form.tags = this.form.tags.split(",").map(tag => {
+        this.mainForms.details.severity = parseInt(this.mainForms.details.severity, 10);
+        this.mainForms.details.severity = this.severityString;
+        this.mainForms.details.priority = parseInt(this.mainForms.details.priority, 10);
+        const formattedTags = this.mainForms.details.tags;
+        if (this.mainForms.details.tags) {
+          this.mainForms.details.tags = this.mainForms.details.tags.split(",").map(tag => {
             return tag.trim();
           });
-        }
-        const json = JSON.stringify(this.form);
-        this.form.tags = formattedTags;
+        } else { this.mainForms.details.tags = []; }
+        const caseInfo = {
+          ...this.mainForms.info,
+          ...this.mainForms.details
+        };
+        const json = JSON.stringify(caseInfo);
+        this.mainForms.details.tags = formattedTags;
         const response = await this.$root.papi.put('case/', json);
         this.updateCaseDetails(response.data);
       } catch (error) {

From f2523af12d884028464ebcb7d37ef7def3c7d683 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 10:14:49 -0500
Subject: [PATCH 06/98] Add support for linking hunt events/alerts to cases

---
 config/clientparameters.go                    |  33 ++--
 config/clientparameters_test.go               |   2 +
 html/index.html                               |  56 +++++-
 html/js/i18n.js                               |   7 +-
 html/js/routes/case.js                        |  49 ++++-
 html/js/routes/case.test.js                   |  65 +++++-
 html/js/routes/hunt.js                        | 107 +++++++---
 html/js/routes/hunt.test.js                   |  29 ++-
 model/case.go                                 |  14 ++
 model/case_test.go                            |  22 +++
 server/casehandler.go                         |   8 +
 server/casestore.go                           |   5 +
 server/eventstore_fake.go                     |  46 ++++-
 server/modules/elastic/converter.go           |  35 +++-
 server/modules/elastic/converter_test.go      |  31 ++-
 server/modules/elastic/elastic.go             |   2 +-
 server/modules/elastic/elasticcasestore.go    | 124 +++++++++++-
 .../modules/elastic/elasticcasestore_test.go  | 187 +++++++++++++++++-
 .../modules/elasticcases/elasticcasestore.go  |  16 ++
 server/modules/generichttp/httpcasestore.go   |  16 ++
 server/modules/thehive/thehivecasestore.go    |  16 ++
 21 files changed, 774 insertions(+), 96 deletions(-)
 create mode 100644 model/case_test.go

diff --git a/config/clientparameters.go b/config/clientparameters.go
index dc8351ae..107438e1 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -86,22 +86,23 @@ type ToggleFilter struct {
 }
 
 type HuntingParameters struct {
-	GroupItemsPerPage     int                 `json:"groupItemsPerPage"`
-	GroupFetchLimit       int                 `json:"groupFetchLimit"`
-	EventItemsPerPage     int                 `json:"eventItemsPerPage"`
-	EventFetchLimit       int                 `json:"eventFetchLimit"`
-	RelativeTimeValue     int                 `json:"relativeTimeValue"`
-	RelativeTimeUnit      int                 `json:"relativeTimeUnit"`
-	MostRecentlyUsedLimit int                 `json:"mostRecentlyUsedLimit"`
-	EventFields           map[string][]string `json:"eventFields"`
-	QueryBaseFilter       string              `json:"queryBaseFilter"`
-	QueryToggleFilters    []*ToggleFilter     `json:"queryToggleFilters"`
-	Queries               []*HuntingQuery     `json:"queries"`
-	Actions               []*HuntingAction    `json:"actions"`
-	Advanced              bool                `json:"advanced"`
-	AckEnabled            bool                `json:"ackEnabled"`
-	EscalateEnabled       bool                `json:"escalateEnabled"`
-	ViewEnabled           bool                `json:"viewEnabled"`
+	GroupItemsPerPage            int                 `json:"groupItemsPerPage"`
+	GroupFetchLimit              int                 `json:"groupFetchLimit"`
+	EventItemsPerPage            int                 `json:"eventItemsPerPage"`
+	EventFetchLimit              int                 `json:"eventFetchLimit"`
+	RelativeTimeValue            int                 `json:"relativeTimeValue"`
+	RelativeTimeUnit             int                 `json:"relativeTimeUnit"`
+	MostRecentlyUsedLimit        int                 `json:"mostRecentlyUsedLimit"`
+	EventFields                  map[string][]string `json:"eventFields"`
+	QueryBaseFilter              string              `json:"queryBaseFilter"`
+	QueryToggleFilters           []*ToggleFilter     `json:"queryToggleFilters"`
+	Queries                      []*HuntingQuery     `json:"queries"`
+	Actions                      []*HuntingAction    `json:"actions"`
+	Advanced                     bool                `json:"advanced"`
+	AckEnabled                   bool                `json:"ackEnabled"`
+	EscalateEnabled              bool                `json:"escalateEnabled"`
+	EscalateRelatedEventsEnabled bool                `json:"escalateRelatedEventsEnabled"`
+	ViewEnabled                  bool                `json:"viewEnabled"`
 }
 
 type GridParameters struct {
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index db839e07..ebec53c8 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -41,6 +41,8 @@ func verifyInitialHuntingParams(tester *testing.T, params *HuntingParameters) {
 	assert.Equal(tester, DEFAULT_EVENT_FETCH_LIMIT, params.EventFetchLimit)
 	assert.Equal(tester, DEFAULT_RELATIVE_TIME_VALUE, params.RelativeTimeValue)
 	assert.Equal(tester, DEFAULT_RELATIVE_TIME_UNIT, params.RelativeTimeUnit)
+	assert.Equal(tester, false, params.EscalateRelatedEventsEnabled)
+	assert.Equal(tester, false, params.EscalateEnabled)
 }
 
 func TestCombineEmptyDeprecatedLinkIntoEmptyLinks(tester *testing.T) {
diff --git a/html/index.html b/html/index.html
index e6a26b91..3ac5814c 100644
--- a/html/index.html
+++ b/html/index.html
@@ -484,7 +484,7 @@ <h5>
                           <v-icon :title="isFilterToggleEnabled('acknowledged') ? i18n.alertUndoAcknowledge : i18n.alertAcknowledge">fa-bell</v-icon>
                         </v-btn>
                         <v-btn id="escalateButton" v-if="escalateEnabled" class="mx-2" icon x-small
-                          @click="ack($event, item, index, true, true)"
+                          @click="toggleEscalationMenu($event, item)"
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
@@ -554,7 +554,7 @@ <h5>
                           <v-icon :title="isFilterToggleEnabled('acknowledged') ? i18n.alertUndoAcknowledge : i18n.alertAcknowledge">fa-bell</v-icon>
                         </v-btn>
                         <v-btn id="escalateButton" v-if="escalateEnabled" class="mx-2" icon x-small
-                          @click="ack($event, item, index, true, true)"
+                          @click="toggleEscalationMenu($event, item)"
                           :color="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? 'secondary' : 'primary'">
                           <v-icon :title="isFilterToggleEnabled('escalated') || item['event.escalated'] == true ? i18n.alertEscalated : i18n.escalate">fa-exclamation-triangle</v-icon>
                         </v-btn>
@@ -705,6 +705,30 @@ <h5>
             </v-list-group>
           </v-list>
         </v-menu>
+
+        <v-menu v-model="escalationMenuVisible" :position-x="escalationMenuX" :position-y="escalationMenuY" absolute>
+          <v-list id="hunt-escalate-menu" color="secondary">
+            <v-list-item id="escalateNewMenuItem" dense @click="ack($event, escalationItem, 0, true, true)" :title="i18n.escalateNewCaseHelp">
+              <v-list-item-icon>
+                <v-icon :alt="i18n.escalateNewCase" color="white">fa-plus</v-icon>
+              </v-list-item-icon>
+              <v-list-item-title class="white--text">
+                {{ i18n.escalateNewCase }}
+              </v-list-item-title>
+            </v-list-item>
+            <v-divider></v-divider>
+            <v-subheader>{{ i18n.escalateExistingCase }}</v-subheader>
+            <v-list-item dense v-for="socCase in mruCases" :title="i18n.escalateExistingCaseHelp" @click="ack($event, escalationItem, 0, true, true, socCase.id)">
+              <v-list-item-icon>
+                <v-icon :alt="i18n.escalateExistingCase" color="white">fa-link</v-icon>
+              </v-list-item-icon>
+              <v-list-item-title class="white--text">
+                {{ formatCaseSummary(socCase) }}
+              </v-list-item-title>
+            </v-list-item>
+          </v-list>
+        </v-menu>
+
       </v-container>
     </script>
 
@@ -1247,6 +1271,10 @@ <h2>{{ i18n.viewCase }}</h2>
                 <v-icon left>fa-comments</v-icon>
                 {{ i18n.comments }}
               </v-tab>
+              <v-tab id="case_eventsTab">
+                <v-icon left>fa-link</v-icon>
+                {{ i18n.events }}
+              </v-tab>
               <v-tab id="case_historyTab">
                 <v-icon left>fa-history</v-icon>
                 {{ i18n.history }}
@@ -1292,6 +1320,30 @@ <h2>{{ i18n.viewCase }}</h2>
                 </div>
               </v-tab-item>
 
+              <v-tab-item>
+                <v-card v-for="event in associations.events" elevation="2" class="my-2">
+                  <div>
+                    <span class="case label">{{ i18n.dateCreated }}:</span>
+                    <span class="case value">{{ event.createTime | formatDateTime }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">{{ i18n.author }}:</span>
+                    <span class="case value">{{ event.owner }}</span>
+                  </div>
+                  <div>
+                    <span class="case label">authorId:</span>
+                    <span class="case value">{{ event.userId }}</span>
+                  </div>
+                  <div v-for="value, key in event.fields">
+                    <span class="case label">{{ key }}:</span>
+                    <span class="case value">{{ value }}</span>
+                  </div>
+                  <div class="my-4">
+                    <v-btn text colror="secondary" @click="deleteAssociation('events', event)" icon><v-icon>fa-trash</v-icon></v-btn>
+                  <div>                                        
+                </v-card>
+              </v-tab-item>
+
               <v-tab-item>
                 <v-card v-for="event in associations.history" elevation="2" class="my-2">
                   <div>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 63851138..32ff7235 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -147,9 +147,12 @@ const i18n = {
       error: 'Error',
       escalate: 'Escalate',
       escalationInvalid: 'Invalid alert - cannot escalate to a case due to insufficient alert information',
-      escalateHelp: 'Escalate alert to a case',
+      escalateExistingCase: 'Attach event to a recently viewed case:',
+      escalateExistingCaseHelp: 'Attach event to this existing case',
+      escalateNewCase: 'Escalate to new case',
+      escalateNewCaseHelp: 'Escalate this event to a new case (a new case will be created)',
       escalated: 'Escalated',
-      escalatedEventTip: 'Escalated event(s) to a new case.',
+      escalatedEventTip: 'Escalated event(s).',
       escalatedMultipleTip: 'Escalating groups of alerts may take a while and will continue in the background.',
       escalatedSingleTip: 'Escalated alert and removed from view.',
       event: 'Event',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index c319837e..832b7e25 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -69,6 +69,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         valid: false
       }
     },
+    mruCaseLimit: 5,
+    mruCases: [],
     rules: {
       required: value => (!!value) || this.$root.i18n.required,
     },
@@ -77,7 +79,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   },
   mounted() {
     this.loadData();
-    this.$root.loadParameters('case', this.initActions);
+    this.$root.loadParameters('cases', this.initCase);
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -86,8 +88,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     '$route': 'loadData',
   },
   methods: {
-    initActions(params) {
+    initCase(params) {
       this.params = params;
+      this.mruCaseLimit = params["mostRecentlyUsedLimit"];
+      this.loadLocalSettings();
     },
     async loadAssociations() {
       this.associationsLoading = true;
@@ -130,6 +134,22 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.showError(error);
       }
     },
+    addMRUCaseObj(caseObj) {
+      if (caseObj) {
+        for (var idx = 0; idx < this.mruCases.length; idx++) {
+          const cur = this.mruCases[idx];
+          if (cur.id == caseObj.id) {
+            this.mruCases.splice(idx, 1);
+            break;
+          }
+        }
+        this.mruCases.unshift(caseObj);
+        while (this.mruCases.length > this.mruCaseLimit) {
+          this.mruCases.pop();
+        }
+        this.saveLocalSettings();
+      }
+    },
     async loadData() {
       this.$root.startLoading();
 
@@ -163,6 +183,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.form.assigneeId = caseObj.assigneeId;
       this.$root.populateUserDetails(caseObj, "userId", "owner");
       this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
+      this.addMRUCaseObj(caseObj);
       this.caseObj = caseObj;
     },    
     async modifyCase() {
@@ -176,11 +197,15 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           this.form.tags = this.form.tags.split(",").map(tag => {
             return tag.trim();
           });
+        } else {
+          this.form.tags = [];
         }
         const json = JSON.stringify(this.form);
         this.form.tags = formattedTags;
         const response = await this.$root.papi.put('case/', json);
-        this.updateCaseDetails(response.data);
+        if (response.data) {
+          this.updateCaseDetails(response.data);
+        }
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -194,8 +219,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$root.startLoading();
       try {
         const response = await this.$root.papi.post('case/' + association, JSON.stringify(this.associatedForms[association]));
-        this.$root.populateUserDetails(response.data, "userId", "owner");
-        this.associations[association].push(response.data);
+        if (response.data) {
+          this.$root.populateUserDetails(response.data, "userId", "owner");
+          this.associations[association].push(response.data);
+        }
       } catch (error) {
         this.$root.showError(error);
       }
@@ -213,8 +240,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.startLoading();
         try {
           const response = await this.$root.papi.put('case/' + association, JSON.stringify(this.associatedForms[association]));
-          this.$root.populateUserDetails(response.data, "userId", "owner");
-          Vue.set(this.associations[association], idx, response.data);
+          if (response.data) {
+            this.$root.populateUserDetails(response.data, "userId", "owner");
+            Vue.set(this.associations[association], idx, response.data);
+          }
         } catch (error) {
           if (error.response != undefined && error.response.status == 404) {
             this.$root.showError(this.i18n.notFound);
@@ -260,6 +289,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.updateCaseDetails(caseObj)
       // this.loadAssociations();
     },
+    saveLocalSettings() {
+      localStorage['settings.case.mruCases'] = JSON.stringify(this.mruCases);
+    },
+    loadLocalSettings() {
+      if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
+    },
   }
 }});
 
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index db84e7aa..2109cbea 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -46,8 +46,68 @@ beforeEach(() => {
 });
 
 test('initParams', () => {
-  comp.initActions({"foo":"bar"});
+  comp.mruCases.push({id:"123"});
+  comp.saveLocalSettings()
+  comp.mruCases = [];
+  comp.initCase({"foo":"bar", "mostRecentlyUsedLimit": 23});
   expect(comp.params.foo).toBe("bar");
+  expect(comp.mruCaseLimit).toBe(23);
+  expect(comp.mruCases.length).toBe(1)
+});
+
+test('addMRUCaseObj', () => {
+  const case1 = {id:'1'};
+  const case2 = {id:'2'};
+  const case3 = {id:'3'};
+  const case4 = {id:'4'};
+  const case5 = {id:'5'};
+  const case6 = {id:'6'};
+  expect(comp.mruCases.length).toBe(0);
+  comp.addMRUCaseObj(case1);
+  expect(comp.mruCases.length).toBe(1);
+  comp.addMRUCaseObj(case1);
+  expect(comp.mruCases.length).toBe(1); // still one
+  expect(comp.mruCases[0]).toBe(case1);
+
+  comp.addMRUCaseObj(case2);
+  expect(comp.mruCases.length).toBe(2);
+  expect(comp.mruCases[0]).toBe(case2);
+  expect(comp.mruCases[1]).toBe(case1);
+
+  comp.addMRUCaseObj(case3);
+  expect(comp.mruCases.length).toBe(3);
+  expect(comp.mruCases[0]).toBe(case3);
+  expect(comp.mruCases[1]).toBe(case2);
+  expect(comp.mruCases[2]).toBe(case1);
+
+  comp.addMRUCaseObj(case2);
+  expect(comp.mruCases.length).toBe(3);
+  expect(comp.mruCases[0]).toBe(case2); // back on top
+  expect(comp.mruCases[1]).toBe(case3);
+  expect(comp.mruCases[2]).toBe(case1);
+
+  comp.addMRUCaseObj(case4);
+  expect(comp.mruCases.length).toBe(4);
+  expect(comp.mruCases[0]).toBe(case4);
+  expect(comp.mruCases[1]).toBe(case2);
+  expect(comp.mruCases[2]).toBe(case3);
+  expect(comp.mruCases[3]).toBe(case1);
+
+  comp.addMRUCaseObj(case5);
+  expect(comp.mruCases.length).toBe(5);
+  expect(comp.mruCases[0]).toBe(case5);
+  expect(comp.mruCases[1]).toBe(case4);
+  expect(comp.mruCases[2]).toBe(case2);
+  expect(comp.mruCases[3]).toBe(case3);
+  expect(comp.mruCases[4]).toBe(case1);
+
+  comp.addMRUCaseObj(case6);
+  expect(comp.mruCases.length).toBe(5);
+  expect(comp.mruCases[0]).toBe(case6);
+  expect(comp.mruCases[1]).toBe(case5);
+  expect(comp.mruCases[2]).toBe(case4);
+  expect(comp.mruCases[3]).toBe(case2);
+  expect(comp.mruCases[4]).toBe(case3);
 });
 
 test('loadAssociations', () => {
@@ -171,6 +231,8 @@ test('modifyCase', async () => {
   comp.form.assigneeId = 'myAssigneeId';
   const showErrorMock = mockShowError(true);
 
+  expect(comp.mruCases.length).toBe(0);
+
   await comp.modifyCase();
 
   const body =  "{\"valid\":false,\"id\":\"myCaseId\",\"title\":\"myTitle\",\"description\":\"myDescription\",\"status\":\"open\",\"severity\":31,\"priority\":33,\"assigneeId\":\"myAssigneeId\",\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}";
@@ -179,6 +241,7 @@ test('modifyCase', async () => {
   expectCaseDetails();
   expect(comp.associations['history'].length).toBe(0);
   expect(comp.$root.loading).toBe(false);
+  expect(comp.mruCases.length).toBe(1);
 });
 
 test('modifyCaseNotFound', async () => {
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index abd1698b..723b7062 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -93,6 +93,7 @@ const huntComponent = {
     fetchTimeSecs: 0,
     roundTripTimeSecs: 0,
     mruQueries: [],
+    mruCases: [],
 
     autohunt: true,
 
@@ -107,6 +108,11 @@ const huntComponent = {
     quickActionEvent: null,
     quickActionField: "",
     quickActionValue: "",
+    escalationMenuVisible: false,
+    escalationMenuX: 0,
+    escalationMenuY: 0,
+    escalationItem: null,
+    escalateRelatedEventsEnabled: false,
     actions: [],
   }},
   created() {
@@ -192,6 +198,7 @@ const huntComponent = {
       this.advanced = params["advanced"];
       this.ackEnabled = params["ackEnabled"];
       this.escalateEnabled = params["escalateEnabled"];
+      this.escalateRelatedEventsEnabled = params["escalateRelatedEventsEnabled"];
       this.viewEnabled = params["viewEnabled"];
       if (this.queries != null && this.queries.length > 0) {
         this.query = this.queries[0].query;
@@ -407,7 +414,7 @@ const huntComponent = {
         this.$root.showError(error);
       }
     },  
-    async ack(event, item, idx, acknowledge, escalate = false) {
+    async ack(event, item, idx, acknowledge, escalate = false, caseId = null) {
       this.$root.startLoading();
       try {
         var docEvent = item;
@@ -417,45 +424,59 @@ const huntComponent = {
         }
         var isAlert = ('rule.name' in item || 'event.severity_label' in item);
         if (escalate) {
-          var title = item['rule.name'];
-          if (!title) {
-            title = this.i18n.eventCaseTitle;
-            if (item['event.module'] || item['event.dataset']) {
-              title = title + ": ";
-              if (item['event.module']) {
-                title = title + item['event.module'];
+          if (!caseId || !this.escalateRelatedEventsEnabled) {
+            // Add to new case
+            var title = item['rule.name'];
+            if (!title) {
+              title = this.i18n.eventCaseTitle;
+              if (item['event.module'] || item['event.dataset']) {
+                title = title + ": ";
+                if (item['event.module']) {
+                  title = title + item['event.module'];
+                  if (item['event.dataset']) {
+                    title = title + " - ";
+                  }
+                }
                 if (item['event.dataset']) {
-                  title = title + " - ";
+                  title = title + item['event.dataset'];
                 }
               }
-              if (item['event.dataset']) {
-                title = title + item['event.dataset'];
+            }
+
+            var description = item['message'];
+            if (!description) description = JSON.stringify(item);
+
+            var severity = item['event.severity'];
+            if (!severity || isNaN(severity)) {
+              switch (item['event.severity_label']) {
+              case 'low': severity = 1; break;
+              case 'medium': severity = 2; break;
+              case 'high': severity = 3; break;
+              case 'critical': severity = 4; break;
+              default: severity = 3;
               }
             }
-          }
 
-          var description = item['message'];
-          if (!description) description = JSON.stringify(item);
+            var template = 'rule.case_template' in item ? item['rule.case_template'] : '';
 
-          var severity = item['event.severity'];
-          if (!severity || isNaN(severity)) {
-            switch (item['event.severity_label']) {
-            case 'low': severity = 1; break;
-            case 'medium': severity = 2; break;
-            case 'high': severity = 3; break;
-            case 'critical': severity = 4; break;
-            default: severity = 3;
+            const response = await this.$root.papi.post('case/', {
+              title: title,
+              description: description,
+              severity: severity,
+              template: template,
+            });
+            if (response && response.data) {
+              caseId = response.data.id;
             }
           }
 
-          var template = 'rule.case_template' in item ? item['rule.case_template'] : '';
-
-          const response = await this.$root.papi.post('case/', {
-            title: title,
-            description: description,
-            severity: severity,
-            template: template,
-          });
+          // Attach the event to the case
+          if (caseId && this.escalateRelatedEventsEnabled) {
+            const response = await this.$root.papi.post('case/events', {
+              fields: item,
+              caseId: caseId,
+            });
+          }
         }
         if (isAlert) {
           const response = await this.$root.papi.post('events/ack', {
@@ -660,9 +681,28 @@ const huntComponent = {
         this.$router.push(this.filterRouteDrilldown);
       }
     },
+    toggleEscalationMenu(domEvent, event) {
+      if (!this.escalateRelatedEventsEnabled) {
+        this.ack(domEvent, event, 0, true, true);
+        return;
+      }
+
+      if (!domEvent || this.quickActionVisible || this.escalationMenuVisible) {
+        this.quickActionVisible = false;
+        this.escalationMenuVisible = false;
+        return;
+      }
+      this.escalationMenuX = domEvent.clientX;
+      this.escalationMenuY = domEvent.clientY;
+      this.escalationItem = event;
+      this.$nextTick(() => { 
+        this.escalationMenuVisible = true; 
+      });      
+    },
     toggleQuickAction(domEvent, event, field, value) {
-      if (!domEvent || this.quickActionVisible) {
+      if (!domEvent || this.quickActionVisible || this.escalationMenuVisible) {
         this.quickActionVisible = false;
+        this.escalationMenuVisible = false;
         return;
       }
 
@@ -1090,6 +1130,9 @@ const huntComponent = {
         localStorage.removeItem(item);
       }
     },
+    formatCaseSummary(socCase) {
+      return socCase.title;
+    },
     saveTimezone() {
       localStorage['timezone'] = this.zone;
     },
@@ -1125,6 +1168,8 @@ const huntComponent = {
       if (localStorage[prefix + '.relativeTimeValue']) this.relativeTimeValue = parseInt(localStorage[prefix + '.relativeTimeValue']);
       if (localStorage[prefix + '.relativeTimeUnit']) this.relativeTimeUnit = parseInt(localStorage[prefix + '.relativeTimeUnit']);
       if (localStorage[prefix + '.autohunt']) this.autohunt = localStorage[prefix + '.autohunt'] == 'true';
+
+      if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
     },
     toggleShowSection(item) {
       if (this.isExpandedSection(item)) {
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index a2e7b41a..597221ca 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -174,4 +174,31 @@ test('removeSortBy', () => {
   // no-op
   comp.removeSortBy('bar^')
   expect(comp.query).toBe("abc | groupby xyz");
-});
\ No newline at end of file
+});
+
+test('formatCaseSummary', () => {
+  const caseObj = {id:"12", title:"This is a case title"};
+  const summary = comp.formatCaseSummary(caseObj);
+  expect(summary).toBe('This is a case title');
+});
+
+test('toggleEscalationMenu', () => {
+  comp.escalateRelatedEventsEnabled = true;
+  const domEvent = {clientX: 12, clientY: 34};
+  const event = {id:"33",foo:"bar"};
+  comp.$nextTick = function(fn) { fn(); };
+  comp.toggleEscalationMenu(domEvent, event);
+  expect(comp.escalationMenuX).toBe(12);
+  expect(comp.escalationMenuY).toBe(34);
+  expect(comp.escalationItem).toBe(event);
+  expect(comp.escalationMenuVisible).toBe(true);
+});
+
+test('toggleEscalationMenuAlreadyOpen', () => {
+  comp.escalateRelatedEventsEnabled = true;
+  comp.quickActionVisible = true;
+  comp.escalationMenuVisible = true;
+  comp.toggleEscalationMenu();
+  expect(comp.quickActionVisible).toBe(false);
+  expect(comp.escalationMenuVisible).toBe(false);
+});
diff --git a/model/case.go b/model/case.go
index 7fc9c41d..f3d07f2a 100644
--- a/model/case.go
+++ b/model/case.go
@@ -56,3 +56,17 @@ func NewComment() *Comment {
   newComment := &Comment{}
   return newComment
 }
+
+type RelatedEvent struct {
+  Auditable
+  CaseId string                 `json:"caseId"`
+  Fields map[string]interface{} `json:"fields"`
+}
+
+func NewRelatedEvent() *RelatedEvent {
+  newRelatedEvent := &RelatedEvent{}
+  now := time.Now()
+  newRelatedEvent.CreateTime = &now
+  newRelatedEvent.Fields = make(map[string]interface{})
+  return newRelatedEvent
+}
diff --git a/model/case_test.go b/model/case_test.go
new file mode 100644
index 00000000..4bcff27f
--- /dev/null
+++ b/model/case_test.go
@@ -0,0 +1,22 @@
+// Copyright 2019 Jason Ertel (jertel). All rights reserved.
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewRelatedEvent(tester *testing.T) {
+	event := NewRelatedEvent()
+	assert.NotZero(tester, event.CreateTime)
+}
diff --git a/server/casehandler.go b/server/casehandler.go
index e1b314a6..e998334e 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -58,6 +58,11 @@ func (caseHandler *CaseHandler) create(ctx context.Context, writer http.Response
   subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
   switch subpath {
   case "events":
+    inputEvent := model.NewRelatedEvent()
+    err = json.NewDecoder(request.Body).Decode(&inputEvent)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.CreateRelatedEvent(ctx, inputEvent)
+    }
   case "comments":
     inputComment := model.NewComment()
     err = json.NewDecoder(request.Body).Decode(&inputComment)
@@ -120,6 +125,8 @@ func (caseHandler *CaseHandler) delete(ctx context.Context, writer http.Response
   switch subpath {
   case "comments":
     err = caseHandler.server.Casestore.DeleteComment(ctx, id)
+  case "events":
+    err = caseHandler.server.Casestore.DeleteRelatedEvent(ctx, id)
   case "tasks":
   case "artifacts":
   default:
@@ -142,6 +149,7 @@ func (caseHandler *CaseHandler) get(ctx context.Context, writer http.ResponseWri
   subpath := caseHandler.GetPathParameter(request.URL.Path, 2)
   switch subpath {
   case "events":
+    obj, err = caseHandler.server.Casestore.GetRelatedEvents(ctx, id)
   case "comments":
     obj, err = caseHandler.server.Casestore.GetComments(ctx, id)
   case "tasks":
diff --git a/server/casestore.go b/server/casestore.go
index bfd9f2ad..f1a06217 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -25,4 +25,9 @@ type Casestore interface {
 	GetComments(ctx context.Context, caseId string) ([]*model.Comment, error)
 	UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)
 	DeleteComment(ctx context.Context, id string) error
+
+	CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error)
+	GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error)
+	GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error)
+	DeleteRelatedEvent(ctx context.Context, id string) error
 }
diff --git a/server/eventstore_fake.go b/server/eventstore_fake.go
index e0f7dd92..64b6ebb9 100644
--- a/server/eventstore_fake.go
+++ b/server/eventstore_fake.go
@@ -24,9 +24,12 @@ type FakeEventstore struct {
 	InputUpdateCriterias []*model.EventUpdateCriteria
 	InputAckCriterias    []*model.EventAckCriteria
 	Err                  error
-	SearchResults        *model.EventSearchResults
-	IndexResults         *model.EventIndexResults
-	UpdateResults        *model.EventUpdateResults
+	SearchResults        []*model.EventSearchResults
+	IndexResults         []*model.EventIndexResults
+	UpdateResults        []*model.EventUpdateResults
+	searchCount          int
+	indexCount           int
+	updateCount          int
 }
 
 func NewFakeEventstore() *FakeEventstore {
@@ -38,16 +41,24 @@ func NewFakeEventstore() *FakeEventstore {
 	store.InputSearchCriterias = make([]*model.EventSearchCriteria, 0)
 	store.InputUpdateCriterias = make([]*model.EventUpdateCriteria, 0)
 	store.InputAckCriterias = make([]*model.EventAckCriteria, 0)
-	store.SearchResults = model.NewEventSearchResults()
-	store.IndexResults = model.NewEventIndexResults()
-	store.UpdateResults = model.NewEventUpdateResults()
+	store.SearchResults = make([]*model.EventSearchResults, 0, 0)
+	store.SearchResults = append(store.SearchResults, model.NewEventSearchResults())
+	store.IndexResults = make([]*model.EventIndexResults, 0, 0)
+	store.IndexResults = append(store.IndexResults, model.NewEventIndexResults())
+	store.UpdateResults = make([]*model.EventUpdateResults, 0, 0)
+	store.UpdateResults = append(store.UpdateResults, model.NewEventUpdateResults())
 	return store
 }
 
 func (store *FakeEventstore) Search(context context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error) {
 	store.InputContexts = append(store.InputContexts, context)
 	store.InputSearchCriterias = append(store.InputSearchCriterias, criteria)
-	return store.SearchResults, store.Err
+	if store.searchCount >= len(store.SearchResults) {
+		store.searchCount = len(store.SearchResults) - 1
+	}
+	result := store.SearchResults[store.searchCount]
+	store.searchCount += 1
+	return result, store.Err
 }
 
 func (store *FakeEventstore) Index(context context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error) {
@@ -55,13 +66,23 @@ func (store *FakeEventstore) Index(context context.Context, index string, docume
 	store.InputIndexes = append(store.InputIndexes, index)
 	store.InputDocuments = append(store.InputDocuments, document)
 	store.InputIds = append(store.InputIds, id)
-	return store.IndexResults, store.Err
+	if store.indexCount >= len(store.IndexResults) {
+		store.indexCount = len(store.IndexResults) - 1
+	}
+	result := store.IndexResults[store.indexCount]
+	store.indexCount += 1
+	return result, store.Err
 }
 
 func (store *FakeEventstore) Update(context context.Context, criteria *model.EventUpdateCriteria) (*model.EventUpdateResults, error) {
 	store.InputContexts = append(store.InputContexts, context)
 	store.InputUpdateCriterias = append(store.InputUpdateCriterias, criteria)
-	return store.UpdateResults, store.Err
+	if store.updateCount >= len(store.UpdateResults) {
+		store.updateCount = len(store.UpdateResults) - 1
+	}
+	result := store.UpdateResults[store.updateCount]
+	store.updateCount += 1
+	return result, store.Err
 }
 
 func (store *FakeEventstore) Delete(context context.Context, index string, id string) error {
@@ -74,5 +95,10 @@ func (store *FakeEventstore) Delete(context context.Context, index string, id st
 func (store *FakeEventstore) Acknowledge(context context.Context, criteria *model.EventAckCriteria) (*model.EventUpdateResults, error) {
 	store.InputContexts = append(store.InputContexts, context)
 	store.InputAckCriterias = append(store.InputAckCriterias, criteria)
-	return store.UpdateResults, store.Err
+	if store.updateCount >= len(store.UpdateResults) {
+		store.updateCount = len(store.UpdateResults) - 1
+	}
+	result := store.UpdateResults[store.updateCount]
+	store.updateCount += 1
+	return result, store.Err
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 49ef065c..172a79fc 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -11,11 +11,10 @@ package elastic
 
 import (
 	"errors"
-	"strings"
-	"time"
-
 	"github.com/security-onion-solutions/securityonion-soc/json"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"strings"
+	"time"
 )
 
 func makeAggregation(store *ElasticEventstore, prefix string, keys []string, count int, ascending bool) (map[string]interface{}, string) {
@@ -456,6 +455,34 @@ func convertElasticEventToComment(event *model.EventRecord) (*model.Comment, err
 	return obj, err
 }
 
+func convertElasticEventToRelatedEvent(event *model.EventRecord) (*model.RelatedEvent, error) {
+	var err error
+	var obj *model.RelatedEvent
+
+	if event != nil {
+		obj = model.NewRelatedEvent()
+		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		if err == nil {
+			obj.Fields = make(map[string]interface{})
+			for key, value := range event.Payload {
+				if strings.HasPrefix(key, "related.fields.") {
+					key = strings.TrimPrefix(key, "related.fields.")
+					obj.Fields[key] = value
+				}
+			}
+			if value, ok := event.Payload["related.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload["related.caseId"]; ok {
+				obj.CaseId = value.(string)
+			}
+			obj.CreateTime = parseTime(event.Payload, "related.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToObject(event *model.EventRecord) (interface{}, error) {
 	var obj interface{}
 	var err error
@@ -466,6 +493,8 @@ func convertElasticEventToObject(event *model.EventRecord) (interface{}, error)
 			obj, err = convertElasticEventToCase(event)
 		case "comment":
 			obj, err = convertElasticEventToComment(event)
+		case "related":
+			obj, err = convertElasticEventToRelatedEvent(event)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 6b495f62..150e6b16 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -324,8 +324,9 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["case.createTime"] = myCreateTime
 	event.Payload["case.completeTime"] = myCompleteTime
 	event.Payload["case.startTime"] = myStartTime
-	caseObj, err := convertElasticEventToCase(event)
+	interf, err := convertElasticEventToObject(event)
 	assert.NoError(tester, err)
+	caseObj := interf.(*model.Case)
 	assert.Equal(tester, "case", caseObj.Kind)
 	assert.Equal(tester, "update", caseObj.Operation)
 	assert.Equal(tester, "myTitle", caseObj.Title)
@@ -391,8 +392,9 @@ func TestConvertElasticEventToComment(tester *testing.T) {
 	event.Payload["comment.caseId"] = "myCaseId"
 	event.Time = myTime
 	event.Payload["comment.createTime"] = myCreateTime
-	obj, err := convertElasticEventToComment(event)
+	interf, err := convertElasticEventToObject(event)
 	assert.NoError(tester, err)
+	obj := interf.(*model.Comment)
 	assert.Equal(tester, "comment", obj.Kind)
 	assert.Equal(tester, "create", obj.Operation)
 	assert.Equal(tester, "myDesc", obj.Description)
@@ -401,3 +403,28 @@ func TestConvertElasticEventToComment(tester *testing.T) {
 	assert.Equal(tester, &myTime, obj.UpdateTime)
 	assert.Equal(tester, &myCreateTime, obj.CreateTime)
 }
+
+func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
+	myTime := time.Now()
+	myCreateTime := myTime.Add(time.Hour * -1)
+
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "related"
+	event.Payload["operation"] = "create"
+	event.Payload["related.fields.foo"] = "bar"
+	event.Payload["related.userId"] = "myUserId"
+	event.Payload["related.caseId"] = "myCaseId"
+	event.Time = myTime
+	event.Payload["related.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event)
+	assert.NoError(tester, err)
+	obj := interf.(*model.RelatedEvent)
+	assert.Equal(tester, "related", obj.Kind)
+	assert.Equal(tester, "create", obj.Operation)
+	assert.Equal(tester, "myUserId", obj.UserId)
+	assert.Equal(tester, "myCaseId", obj.CaseId)
+	assert.Equal(tester, &myTime, obj.UpdateTime)
+	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+	assert.Equal(tester, "bar", obj.Fields["foo"])
+}
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 5a825529..66486ad5 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -17,7 +17,7 @@ import (
 )
 
 const DEFAULT_CASE_INDEX = "so-case"
-const DEFAULT_CASE_AUDIT_INDEX = "so-case-events"
+const DEFAULT_CASE_AUDIT_INDEX = "so-casehistory"
 const DEFAULT_CASE_ASSOCIATIONS_MAX = 1000
 const DEFAULT_TIME_SHIFT_MS = 120000
 const DEFAULT_DURATION_MS = 1800000
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index f0732f00..88802671 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -133,6 +133,30 @@ func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
   return err
 }
 
+func (store *ElasticCasestore) validateRelatedEvent(event *model.RelatedEvent) error {
+  var err error
+
+  if err == nil && event.Id != "" {
+    err = store.validateId(event.Id, "relatedEventId")
+  }
+  if err == nil && event.CaseId != "" {
+    err = store.validateId(event.CaseId, "caseId")
+  }
+  if err == nil && event.UserId != "" {
+    err = store.validateId(event.UserId, "userId")
+  }
+  if err == nil && len(event.Kind) > 0 {
+    err = errors.New("Field 'Kind' must not be specified")
+  }
+  if err == nil && len(event.Operation) > 0 {
+    err = errors.New("Field 'Operation' must not be specified")
+  }
+  if err == nil && len(event.Fields) == 0 {
+    err = errors.New("Related event fields cannot not be empty")
+  }
+  return err
+}
+
 func (store *ElasticCasestore) validateComment(comment *model.Comment) error {
   var err error
 
@@ -222,8 +246,11 @@ func (store *ElasticCasestore) delete(ctx context.Context, obj interface{}, kind
 func (store *ElasticCasestore) get(ctx context.Context, id string, kind string) (interface{}, error) {
   query := fmt.Sprintf(`_index:"%s" AND kind:"%s" AND _id:"%s"`, store.index, kind, id)
   objects, err := store.getAll(ctx, query, 1)
-  if err == nil && len(objects) > 0 {
-    return objects[0], err
+  if err == nil {
+    if len(objects) > 0 {
+      return objects[0], err
+    }
+    err = errors.New("Object not found")
   }
   return nil, err
 }
@@ -337,12 +364,86 @@ func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string
 
   err = store.validateId(caseId, "caseId")
   if err == nil {
-    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId)
     history, err = store.getAll(ctx, query, store.maxAssociations)
   }
   return history, err
 }
 
+func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error) {
+  var err error
+
+  err = store.validateRelatedEvent(event)
+  if err == nil {
+    if event.Id != "" {
+      return nil, errors.New("Unexpected ID found in new related event")
+    } else if event.CaseId == "" {
+      return nil, errors.New("Missing Case ID in new related event")
+    } else {
+      _, err = store.GetCase(ctx, event.CaseId)
+      if err == nil {
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, event, "related", store.prepareForSave(ctx, &event.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          event, err = store.GetRelatedEvent(ctx, results.DocumentId)
+        }
+      }
+    }
+  }
+
+  return event, err
+}
+
+func (store *ElasticCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error) {
+  var err error
+  var event *model.RelatedEvent
+
+  err = store.validateId(id, "id")
+  if err == nil {
+    var obj interface{}
+    obj, err = store.get(ctx, id, "related")
+    if err == nil {
+      event = obj.(*model.RelatedEvent)
+    }
+  }
+  return event, err
+}
+
+func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error) {
+  var err error
+  var events []*model.RelatedEvent
+
+  err = store.validateId(caseId, "caseId")
+  if err == nil {
+    events = make([]*model.RelatedEvent, 0)
+    query := fmt.Sprintf(`_index:"%s" AND kind:"related" AND related.caseId:"%s" | sortby related.fields.timestamp^`, store.index, caseId)
+    var objects []interface{}
+    objects, err = store.getAll(ctx, query, store.maxAssociations)
+    if err == nil {
+      for _, obj := range objects {
+        events = append(events, obj.(*model.RelatedEvent))
+      }
+    }
+  }
+  return events, err
+}
+
+func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
+  var err error
+
+  var event *model.RelatedEvent
+  err = store.validateId(id, "id")
+  if err == nil {
+    event, err = store.GetRelatedEvent(ctx, id)
+    if err == nil {
+      err = store.delete(ctx, event, "related", store.prepareForSave(ctx, &event.Auditable))
+    }
+  }
+
+  return err
+}
+
 func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error) {
   var err error
 
@@ -353,13 +454,16 @@ func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model
     } else if comment.CaseId == "" {
       return nil, errors.New("Missing Case ID in new comment")
     } else {
-      now := time.Now()
-      comment.CreateTime = &now
-      var results *model.EventIndexResults
-      results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+      _, err = store.GetCase(ctx, comment.CaseId)
       if err == nil {
-        // Read object back to get new modify date, etc
-        comment, err = store.GetComment(ctx, results.DocumentId)
+        now := time.Now()
+        comment.CreateTime = &now
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          comment, err = store.GetComment(ctx, results.DocumentId)
+        }
       }
     }
   }
@@ -388,7 +492,7 @@ func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) (
   err = store.validateId(caseId, "caseId")
   if err == nil {
     comments = make([]*model.Comment, 0)
-    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby @timestamp^`, store.index, caseId)
     var objects []interface{}
     objects, err = store.getAll(ctx, query, store.maxAssociations)
     if err == nil {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 16a23c68..510131e7 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -377,8 +377,8 @@ func TestGetAll(tester *testing.T) {
 		Payload: commentPayload,
 	}
 
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, commentEvent)
 	results, err := store.getAll(ctx, query, 123)
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -398,7 +398,7 @@ func TestGet(tester *testing.T) {
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
 	obj, err := store.get(ctx, "myCaseId", "case")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -406,6 +406,16 @@ func TestGet(tester *testing.T) {
 	assert.NotNil(tester, obj)
 }
 
+func TestGetNotFound(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	_, err := store.get(ctx, "myCaseId", "case")
+	assert.EqualError(tester, err, "Object not found")
+}
+
 func TestCreateError(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -440,7 +450,7 @@ func TestGetCase(tester *testing.T) {
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
 	obj, err := store.GetCase(ctx, "myCaseId")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -454,13 +464,13 @@ func TestGetCaseHistory(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId")`
+	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId")`
 	casePayload := make(map[string]interface{})
 	casePayload["kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, caseEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
 	results, err := store.GetCaseHistory(ctx, "myCaseId")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -487,6 +497,38 @@ func TestCreateCommentMissingCaseId(tester *testing.T) {
 	assert.Equal(tester, "Missing Case ID in new comment", err.Error())
 }
 
+func TestCreateComment(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+		Id:      "123444",
+	}
+	commentPayload := make(map[string]interface{})
+	commentPayload["kind"] = "comment"
+	commentEvent := &model.EventRecord{
+		Payload: commentPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+	fakeEventStore.IndexResults[0].Success = true
+	fakeEventStore.IndexResults[0].DocumentId = "myCaseId"
+	commentSearchResults := model.NewEventSearchResults()
+	commentSearchResults.Events = append(commentSearchResults.Events, commentEvent)
+	fakeEventStore.SearchResults = append(fakeEventStore.SearchResults, commentSearchResults)
+	comment := model.NewComment()
+	comment.CaseId = "123444"
+	comment.Description = "Foo Bar"
+	newComment, err := store.CreateComment(ctx, comment)
+	assert.NoError(tester, err)
+	assert.NotNil(tester, newComment)
+}
+
 func TestGetComment(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	store.Init("myIndex", "myAuditIndex", 45)
@@ -499,7 +541,7 @@ func TestGetComment(tester *testing.T) {
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, commentEvent)
 	obj, err := store.GetComment(ctx, "myCommentId")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -513,13 +555,13 @@ func TestGetComments(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby comment.createTime^`
+	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby @timestamp^`
 	commentPayload := make(map[string]interface{})
 	commentPayload["kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, commentEvent)
 	obj, err := store.GetComments(ctx, "myCaseId")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
@@ -549,7 +591,7 @@ func TestDeleteComment(tester *testing.T) {
 		Payload: commentPayload,
 		Id:      "myCommentId",
 	}
-	fakeEventStore.SearchResults.Events = append(fakeEventStore.SearchResults.Events, commentEvent)
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, commentEvent)
 	err := store.DeleteComment(ctx, "myCommentId")
 	assert.NoError(tester, err)
 	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1) // Search to ensure it exists first
@@ -558,3 +600,128 @@ func TestDeleteComment(tester *testing.T) {
 	assert.Equal(tester, "myCommentId", fakeEventStore.InputIds[0])
 	assert.Equal(tester, "", fakeEventStore.InputIds[1])
 }
+
+func TestCreateRelatedEventUnexpectedId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	event := model.NewRelatedEvent()
+	event.Id = "123444"
+	event.Fields["foo"] = "bar"
+	_, err := store.CreateRelatedEvent(ctx, event)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Unexpected ID found in new related event", err.Error())
+}
+
+func TestCreateRelatedEventMissingCaseId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	event := model.NewRelatedEvent()
+	event.Fields["foo"] = "bar"
+	_, err := store.CreateRelatedEvent(ctx, event)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing Case ID in new related event", err.Error())
+}
+
+func TestCreateRelatedEventMissingFields(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	event := model.NewRelatedEvent()
+	_, err := store.CreateRelatedEvent(ctx, event)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Related event fields cannot not be empty", err.Error())
+}
+
+func TestCreateRelatedEvent(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+		Id:      "123444",
+	}
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "related"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+	fakeEventStore.IndexResults[0].Success = true
+	fakeEventStore.IndexResults[0].DocumentId = "myCaseId"
+	eventSearchResults := model.NewEventSearchResults()
+	eventSearchResults.Events = append(eventSearchResults.Events, elasticEvent)
+	fakeEventStore.SearchResults = append(fakeEventStore.SearchResults, eventSearchResults)
+	event := model.NewRelatedEvent()
+	event.CaseId = "123444"
+	event.Fields["foo"] = "bar"
+	newEvent, err := store.CreateRelatedEvent(ctx, event)
+	assert.NoError(tester, err)
+	assert.NotNil(tester, newEvent)
+}
+
+func TestGetRelatedEvent(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"related" AND _id:"myEventId"`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "related"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetRelatedEvent(ctx, "myEventId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetRelatedEvents(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"related" AND related.caseId:"myCaseId" | sortby related.fields.timestamp^`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "related"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetRelatedEvents(ctx, "myCaseId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestDeleteRelatedEvent(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"related" AND _id:"myEventId"`
+	elasticPayload := make(map[string]interface{})
+	elasticPayload["kind"] = "related"
+	elasticEvent := &model.EventRecord{
+		Payload: elasticPayload,
+		Id:      "myEventId",
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	err := store.DeleteRelatedEvent(ctx, "myEventId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1) // Search to ensure it exists first
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, fakeEventStore.InputIds, 2) // Delete and Index (for audit)
+	assert.Equal(tester, "myEventId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+}
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index ee5c2e40..e69e6588 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -98,3 +98,19 @@ func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model
 func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 357dc74a..375c5c90 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -103,3 +103,19 @@ func (store *HttpCasestore) UpdateComment(ctx context.Context, comment *model.Co
 func (store *HttpCasestore) DeleteComment(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *HttpCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index d19a25f7..4967bab7 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -96,3 +96,19 @@ func (store *TheHiveCasestore) UpdateComment(ctx context.Context, comment *model
 func (store *TheHiveCasestore) DeleteComment(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *TheHiveCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}

From 987e78c85024f379e4b5fd4286431c0feb085e54 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 11:24:41 -0500
Subject: [PATCH 07/98] [wip] Testing imp to edit fields individually

---
 html/index.html        | 35 ++++++++++++++++++++++++++++-------
 html/js/routes/case.js | 12 ++++++++++++
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/html/index.html b/html/index.html
index a87038ff..bbea4971 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1173,20 +1173,41 @@ <h2>{{ i18n.viewJob }}</h2>
     <script type="text/x-template" id="page-case">
       <v-container fluid>
         <v-form v-model="mainForms.info.valid">
-          <v-row class="mb-1">
-            <v-col>
-              <v-input hide-details="auto">
-                <v-text-field hide-details="auto" class="case title" v-model="mainForms.info.title"/>
-              </v-input>
+          <v-row class="mb-1" align="center">
+            <v-col id="case-title">
+              <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="mainForms.info.title"/>
+              <h2 v-else class="py-1">{{ mainForms.info.title }}</h2>
+            </v-col>
+            <v-col class="flex-shrink-1 flex-grow-0">
+              <v-btn v-if="isEdit('case-title')" @click="toggleEdit('case-title')">Save</v-btn>
+              <v-btn v-else @click="toggleEdit('case-title')">Edit</v-btn>
             </v-col>
           </v-row>
           <div class="align-center d-inline-flex mr-4">
             <div class="mr-2">{{i18n.caseAssignee}}: </div>
-            <v-select dense outlined hide-details :items="userList" v-model="mainForms.info.assigneeId" item-text="email" item-value="id"></v-select>
+            <v-select
+              dense
+              outlined
+              hide-details
+              v-model="mainForms.info.assigneeId"
+              :items="userList"
+              item-text="email"
+              item-value="id"
+              v-on:change="modifyCase()"
+            />
           </div>
           <div class="align-center d-inline-flex">
             <div class="mr-2">{{i18n.status}}: </div>
-            <v-select dense outlined hide-details :items="statusList" v-model="mainForms.info.status" item-text="text" item-value="value"></v-select>
+            <v-select
+              dense
+              outlined
+              hide-details
+              v-model="mainForms.info.status"
+              :items="statusList"
+              item-text="text"
+              item-value="value"
+              v-on:change="modifyCase()"
+            />
           </div>
           <!-- <v-row dense class="ml-1 my-4">
             <v-col class="col-12 col-md-7">
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 6cb91eab..b9be9dff 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -75,6 +75,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         valid: false
       }
     },
+    editFields: [],
     rules: {
       required: value => (!!value) || this.$root.i18n.required,
     },
@@ -300,6 +301,17 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.updateCaseDetails(caseObj)
       // this.loadAssociations();
     },
+    isEdit(id) {
+      return this.editFields.find(item => item == id) != null
+    },
+    async toggleEdit(id) {
+      if (this.editFields.find(item => item == id) == null) {
+        this.editFields.push(id)
+      } else {
+        this.editFields = this.editFields.filter(item => item != id)
+        await this.modifyCase()
+      }
+    }
   }
 }});
 

From 76c5cc18c4231f49457be6ce733a50a2db07a4a3 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 12:25:38 -0500
Subject: [PATCH 08/98] Hide new Cases menu option if not using internal SOC
 cases

---
 config/clientparameters.go      |  1 +
 config/clientparameters_test.go |  1 +
 html/index.html                 |  2 +-
 html/js/app.js                  |  3 +++
 html/js/app.test.js             | 43 +++++++++++++++++++++++++++++++++
 5 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 107438e1..a494fa2f 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -31,6 +31,7 @@ type ClientParameters struct {
 	CacheExpirationMs  int               `json:"cacheExpirationMs"`
 	InactiveTools      []string          `json:"inactiveTools"`
 	Tools              []ClientTool      `json:"tools"`
+	CasesEnabled       bool              `json:"casesEnabled"`
 }
 
 func (config *ClientParameters) Verify() error {
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index ebec53c8..9d89a3c0 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -24,6 +24,7 @@ func TestVerifyClientParameters(tester *testing.T) {
 	assert.Zero(tester, params.TipTimeoutMs)
 	assert.Zero(tester, params.ApiTimeoutMs)
 	assert.Zero(tester, params.CacheExpirationMs)
+	assert.False(tester, params.CasesEnabled)
 	verifyInitialHuntingParams(tester, &params.HuntingParams)
 	verifyInitialHuntingParams(tester, &params.AlertingParams)
 	verifyInitialHuntingParams(tester, &params.CasesParams)
diff --git a/html/index.html b/html/index.html
index 3ac5814c..a9512b68 100644
--- a/html/index.html
+++ b/html/index.html
@@ -56,7 +56,7 @@
               <v-list-item-title v-text="i18n.hunt"></v-list-item-title>
             </v-list-item-content>
           </v-list-item>
-          <v-list-item @click="" to="/cases">
+          <v-list-item @click="" to="/cases" v-if="casesEnabled">
             <v-list-item-action>
               <v-icon>fa-briefcase</v-icon>
             </v-list-item-action>
diff --git a/html/js/app.js b/html/js/app.js
index e4d0647e..d04ac600 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -72,6 +72,7 @@ $(document).ready(function() {
       parameterSection: null,
       chartsInitialized: false,
       tools: [],
+      casesEnabled: false,
       subtitle: '',
       currentStatus: null,
       connected: false,
@@ -304,6 +305,8 @@ $(document).ready(function() {
                     }
                   }
                 }
+                this.casesEnabled = this.parameters.casesEnabled;
+
                 this.subscribe("status", this.updateStatus);
               }
             } catch (error) {
diff --git a/html/js/app.test.js b/html/js/app.test.js
index d33033bd..e9d14087 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -88,4 +88,47 @@ test('populateUserDetails', async () => {
   app.usersLoadedTime = new Date().time;
   await app.populateUserDetails(obj, "userId", "owner")
   expect(obj.owner).toBe('hi@there.net');
+});
+
+test('loadServerSettings', async () => {
+  const fakeInfo = {
+    version: 'myVersion',
+    license: 'myLicense',
+    parameters: {
+      webSocketTimeoutMs: 456,
+      apiTimeoutMs: 123,
+      cacheExpirationMs: 789,
+      tipTimeoutMs: 222,
+      tools: [{"name": "tool1"},{"name": "tool2"}],
+      inactiveTools: ['tool2'],
+      casesEnabled: true
+    },
+    elasticVersion: 'myElasticVersion',
+    wazuhVersion: 'myWazuhVersion',
+    timezones: ['UTC'],
+    userId: 'myUserId'
+  };
+
+  expect(app.casesEnabled).toBe(false);
+  const getElementByIdMock = global.document.getElementById = jest.fn().mockReturnValueOnce(true);
+  resetPapi();
+  const mock = mockPapi("get", {data: fakeInfo});
+  const showErrorMock = mockShowError();
+  await app.loadServerSettings();
+  expect(mock).toHaveBeenCalledWith('info');
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(app.version).toBe('myVersion');
+  expect(app.license).toBe('myLicense');
+  expect(app.elasticVersion).toBe('myElasticVersion');
+  expect(app.wazuhVersion).toBe('myWazuhVersion');
+  expect(app.timezones[0]).toBe('UTC');
+  expect(app.wsConnectionTimeout).toBe(456);
+  expect(app.connectionTimeout).toBe(123);
+  expect(app.cacheRefreshIntervalMs).toBe(789);
+  expect(app.tipTimeout).toBe(222);
+  expect(app.tools[0].name).toBe('tool1');
+  expect(app.tools[0].enabled).toBe(true);
+  expect(app.tools[1].name).toBe('tool2');
+  expect(app.tools[1].enabled).toBe(false);
+  expect(app.casesEnabled).toBe(true);
 });
\ No newline at end of file

From 28cc9deb81f42d03287ea9238cfcc13c9f87d0cb Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 12:29:02 -0500
Subject: [PATCH 09/98] [wip] Restore functions lost in git merge

---
 html/js/routes/case.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 9309870c..c078a144 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -328,6 +328,17 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.updateCaseDetails(caseObj)
       // this.loadAssociations();
     },
+    isEdit(id) {
+      return this.editFields.find(item => item == id) != null
+    },
+    async toggleEdit(id) {
+      if (this.editFields.find(item => item == id) == null) {
+        this.editFields.push(id)
+      } else {
+        this.editFields = this.editFields.filter(item => item != id)
+        await this.modifyCase()
+      }
+    },
     saveLocalSettings() {
       localStorage['settings.case.mruCases'] = JSON.stringify(this.mruCases);
     },

From ecbbbcb73cd5e683d04f8b5a3622a163ff3aeb9e Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 13:08:10 -0500
Subject: [PATCH 10/98] Ensure case history is sorted

---
 server/modules/elastic/elasticcasestore.go      | 2 +-
 server/modules/elastic/elasticcasestore_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 88802671..6ff93c23 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -364,7 +364,7 @@ func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string
 
   err = store.validateId(caseId, "caseId")
   if err == nil {
-    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s")`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s") | sortby @timestamp^`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId)
     history, err = store.getAll(ctx, query, store.maxAssociations)
   }
   return history, err
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 510131e7..69c88547 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -464,7 +464,7 @@ func TestGetCaseHistory(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId")`
+	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId") | sortby @timestamp^`
 	casePayload := make(map[string]interface{})
 	casePayload["kind"] = "case"
 	caseEvent := &model.EventRecord{

From d8b98e709065d85f0d45c6935057b623df7bf537 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 13:40:51 -0500
Subject: [PATCH 11/98] [wip] Initial formatting of details/info pane

---
 html/index.html | 75 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 49 insertions(+), 26 deletions(-)

diff --git a/html/index.html b/html/index.html
index 5e8a2a92..aba6b124 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1207,32 +1207,55 @@ <h2 v-else class="py-1">{{ mainForms.info.title }}</h2>
               <v-btn v-else @click="toggleEdit('case-title')">Edit</v-btn>
             </v-col>
           </v-row>
-          <div class="align-center d-inline-flex mr-4">
-            <div class="mr-2">{{i18n.caseAssignee}}: </div>
-            <v-select
-              dense
-              outlined
-              hide-details
-              v-model="mainForms.info.assigneeId"
-              :items="userList"
-              item-text="email"
-              item-value="id"
-              v-on:change="modifyCase()"
-            />
-          </div>
-          <div class="align-center d-inline-flex">
-            <div class="mr-2">{{i18n.status}}: </div>
-            <v-select
-              dense
-              outlined
-              hide-details
-              v-model="mainForms.info.status"
-              :items="statusList"
-              item-text="text"
-              item-value="value"
-              v-on:change="modifyCase()"
-            />
-          </div>
+          <v-row>
+            
+            <v-col class="d-flex flex-column justify-center">
+              <v-card
+                class="mx-auto"
+                max-width="600"
+                outlined
+              >
+                <h3 class="mx-3 my-2">Info</h3>
+                <v-divider/>
+                <div class="mx-6 my-8">
+                  <div class="align-center d-inline-flex mb-2">
+                    <div class="mr-2">{{i18n.caseAssignee}}: </div>
+                    <v-select
+                      dense
+                      outlined
+                      hide-details
+                      v-model="mainForms.info.assigneeId"
+                      :items="userList"
+                      item-text="email"
+                      item-value="id"
+                      v-on:change="modifyCase()"
+                      class="flex-shrink-1 flex-grow-0"
+                    />
+                  </div>
+                  <div class="align-center d-inline-flex">
+                    <div class="mr-2">{{i18n.status}}: </div>
+                    <v-select
+                      dense
+                      outlined
+                      hide-details
+                      v-model="mainForms.info.status"
+                      :items="statusList"
+                      item-text="text"
+                      item-value="value"
+                      v-on:change="modifyCase()"
+                      class="flex-shrink-1 flex-grow-0"
+                    />
+                  </div>
+                </div>
+                <v-divider/>
+                <h3 class="mx-3 my-2">Details</h3>
+                <v-divider/>
+                <div class="mx-6 my-8">
+                  test
+                </div>
+              </v-card>
+            </v-col>
+          </v-row>
           <!-- <v-row dense class="ml-1 my-4">
             <v-col class="col-12 col-md-7">
               <v-row align="center">

From a02d95e3758022036bea06422b8dffe914be73c0 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 16:04:09 -0500
Subject: [PATCH 12/98] Prevent attaching the same event multiple times to a
 case

---
 server/modules/elastic/elasticcasestore.go    | 32 +++++++++++++----
 .../modules/elastic/elasticcasestore_test.go  | 34 +++++++++++++++++++
 2 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 6ff93c23..070c4e92 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -302,6 +302,7 @@ func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case)
     if socCase.Id != "" {
       err = errors.New("Unexpected ID found in new case")
     } else {
+      socCase = store.applyTemplate(ctx, socCase)
       socCase.Status = model.CASE_STATUS_NEW
       now := time.Now()
       socCase.CreateTime = &now
@@ -382,11 +383,28 @@ func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *mo
     } else {
       _, err = store.GetCase(ctx, event.CaseId)
       if err == nil {
-        var results *model.EventIndexResults
-        results, err = store.save(ctx, event, "related", store.prepareForSave(ctx, &event.Auditable))
+        var newId string
+        if value, ok := event.Fields["soc_id"]; ok {
+          newId = value.(string)
+          var existingEvents []*model.RelatedEvent
+          existingEvents, err = store.GetRelatedEvents(ctx, event.CaseId)
+          for _, existingEvent := range existingEvents {
+            if value, ok := existingEvent.Fields["soc_id"]; ok {
+              existingId := value.(string)
+              if existingId == newId {
+                err = errors.New(fmt.Sprintf("Event ID '%s' has already been attached to this case", existingId))
+                break
+              }
+            }
+          }
+        }
         if err == nil {
-          // Read object back to get new modify date, etc
-          event, err = store.GetRelatedEvent(ctx, results.DocumentId)
+          var results *model.EventIndexResults
+          results, err = store.save(ctx, event, "related", store.prepareForSave(ctx, &event.Auditable))
+          if err == nil {
+            // Read object back to get new modify date, etc
+            event, err = store.GetRelatedEvent(ctx, results.DocumentId)
+          }
         }
       }
     }
@@ -399,7 +417,7 @@ func (store *ElasticCasestore) GetRelatedEvent(ctx context.Context, id string) (
   var err error
   var event *model.RelatedEvent
 
-  err = store.validateId(id, "id")
+  err = store.validateId(id, "relatedEventId")
   if err == nil {
     var obj interface{}
     obj, err = store.get(ctx, id, "related")
@@ -433,7 +451,7 @@ func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string
   var err error
 
   var event *model.RelatedEvent
-  err = store.validateId(id, "id")
+  err = store.validateId(id, "relatedEventId")
   if err == nil {
     event, err = store.GetRelatedEvent(ctx, id)
     if err == nil {
@@ -533,7 +551,7 @@ func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) err
   var err error
 
   var comment *model.Comment
-  err = store.validateId(id, "id")
+  err = store.validateId(id, "commentId")
   if err == nil {
     comment, err = store.GetComment(ctx, id)
     if err == nil {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 69c88547..8a9ebb4c 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -663,6 +663,40 @@ func TestCreateRelatedEvent(tester *testing.T) {
 	assert.NotNil(tester, newEvent)
 }
 
+func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	// Mock the search for case cll
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+		Id:      "123444",
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+
+	// Mock the search for existing related events call
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "related"
+	eventPayload["related.fields.soc_id"] = "myEventId"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	getRelatedEventsResults := model.NewEventSearchResults()
+	getRelatedEventsResults.Events = append(getRelatedEventsResults.Events, elasticEvent)
+	fakeEventStore.SearchResults = append(fakeEventStore.SearchResults, getRelatedEventsResults)
+
+	event := model.NewRelatedEvent()
+	event.CaseId = "123444"
+	event.Fields["soc_id"] = "myEventId"
+	_, err := store.CreateRelatedEvent(ctx, event)
+	assert.EqualError(tester, err, "Event ID 'myEventId' has already been attached to this case")
+}
+
 func TestGetRelatedEvent(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	store.Init("myIndex", "myAuditIndex", 45)

From 81a20abcb1093e35ecd0f9466241a52be5ae1c14 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 7 Dec 2021 16:17:14 -0500
Subject: [PATCH 13/98] Initial case template support

---
 server/modules/elastic/template.go      | 39 ++++++++++++++++++++
 server/modules/elastic/template_test.go | 49 +++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 server/modules/elastic/template.go
 create mode 100644 server/modules/elastic/template_test.go

diff --git a/server/modules/elastic/template.go b/server/modules/elastic/template.go
new file mode 100644
index 00000000..306fe14d
--- /dev/null
+++ b/server/modules/elastic/template.go
@@ -0,0 +1,39 @@
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package elastic
+
+import (
+  "context"
+  "github.com/apex/log"
+  "github.com/security-onion-solutions/securityonion-soc/model"
+  "strings"
+)
+
+func (store *ElasticCasestore) applyTemplate(ctx context.Context, socCase *model.Case) *model.Case {
+  var err error
+  if socCase.Template != "" {
+    err = store.validateId(socCase.Template, "templateId")
+    if err == nil {
+      var templateCase *model.Case
+      log.WithField("templateId", socCase.Template).Info("Creating case from template case")
+      templateCase, err = store.GetCase(ctx, socCase.Template)
+      if err == nil {
+        templateCase.Title = strings.Replace(templateCase.Title, "{}", socCase.Title, 1)
+        templateCase.Description = strings.Replace(templateCase.Description, "{}", socCase.Description, 1)
+        socCase = templateCase
+      } else {
+        log.WithField("templateId", socCase.Template).Warn("Template case ID not found; Creating blank case instead")
+      }
+    } else {
+      log.WithField("templateId", socCase.Template).Warn("Invalid template case ID; Creating blank case instead")
+    }
+  }
+  return socCase
+}
diff --git a/server/modules/elastic/template_test.go b/server/modules/elastic/template_test.go
new file mode 100644
index 00000000..bb7be63f
--- /dev/null
+++ b/server/modules/elastic/template_test.go
@@ -0,0 +1,49 @@
+// Copyright 2019 Jason Ertel (jertel). All rights reserved.
+// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+//
+// This program is distributed under the terms of version 2 of the
+// GNU General Public License.  See LICENSE for further details.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+package elastic
+
+import (
+	"context"
+	"github.com/security-onion-solutions/securityonion-soc/model"
+	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/web"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestApplyTemplate(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"case" AND _id:"myTemplateId"`
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	casePayload["case.title"] = "myTemplateTitle {}"
+	casePayload["case.description"] = "myTemplateDescription {}"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+
+	socCase := model.NewCase()
+	socCase.Template = "myTemplateId"
+	socCase.Title = "extraTitle"
+	socCase.Description = "extraDesc"
+
+	obj := store.applyTemplate(ctx, socCase)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+	assert.Equal(tester, "myTemplateTitle extraTitle", obj.Title)
+	assert.Equal(tester, "myTemplateDescription extraDesc", obj.Description)
+}

From 41098569314686e30196e539748d816a04b49e61 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 8 Dec 2021 17:14:06 -0500
Subject: [PATCH 14/98] Add case presets

---
 config/clientparameters.go      | 25 +++++++++++++++++++---
 config/clientparameters_test.go |  8 +++++++
 html/js/routes/case.js          | 16 +++++++++++++-
 html/js/routes/case.test.js     | 37 +++++++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index a494fa2f..0493faf5 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -20,6 +20,7 @@ type ClientParameters struct {
 	HuntingParams      HuntingParameters `json:"hunt"`
 	AlertingParams     HuntingParameters `json:"alerts"`
 	CasesParams        HuntingParameters `json:"cases"`
+	CaseParams         CaseParameters    `json:"case"`
 	JobParams          HuntingParameters `json:"job"`
 	DocsUrl            string            `json:"docsUrl"`
 	CheatsheetUrl      string            `json:"cheatsheetUrl"`
@@ -106,9 +107,6 @@ type HuntingParameters struct {
 	ViewEnabled                  bool                `json:"viewEnabled"`
 }
 
-type GridParameters struct {
-}
-
 func (params *HuntingParameters) Verify() error {
 	var err error
 	if params.GroupFetchLimit <= 0 {
@@ -138,3 +136,24 @@ func (params *HuntingParameters) combineDeprecatedLinkIntoLinks() {
 		}
 	}
 }
+
+type PresetParameters struct {
+	Labels        []string `json:"labels"`
+	CustomEnabled bool     `json:"customEnabled"`
+}
+
+type CaseParameters struct {
+	MostRecentlyUsedLimit int                         `json:"mostRecentlyUsedLimit"`
+	Presets               map[string]PresetParameters `json:"presets"`
+}
+
+func (params *CaseParameters) Verify() error {
+	var err error
+	if params.MostRecentlyUsedLimit < 0 {
+		params.MostRecentlyUsedLimit = 0
+	}
+	return err
+}
+
+type GridParameters struct {
+}
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index 9d89a3c0..f888d1e4 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -79,3 +79,11 @@ func TestCombineDeprecatedLinkIntoNonEmptyLinks(tester *testing.T) {
 	assert.Len(tester, action.Links, 2)
 	assert.Len(tester, action.Link, 0)
 }
+
+func TestVerifyCaseParams(tester *testing.T) {
+	params := &CaseParameters{}
+	params.MostRecentlyUsedLimit = -1
+	err := params.Verify()
+	assert.Nil(tester, err)
+	assert.Equal(tester, params.MostRecentlyUsedLimit, 0)
+}
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 832b7e25..5b4d214b 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -71,6 +71,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     mruCaseLimit: 5,
     mruCases: [],
+    presets: {},
     rules: {
       required: value => (!!value) || this.$root.i18n.required,
     },
@@ -79,7 +80,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   },
   mounted() {
     this.loadData();
-    this.$root.loadParameters('cases', this.initCase);
+    this.$root.loadParameters('case', this.initCase);
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -91,6 +92,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     initCase(params) {
       this.params = params;
       this.mruCaseLimit = params["mostRecentlyUsedLimit"];
+      this.presets = params["presets"];
       this.loadLocalSettings();
     },
     async loadAssociations() {
@@ -134,6 +136,18 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.showError(error);
       }
     },
+    getPresets(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].labels;
+      }
+      return [];
+    },
+    isPresetCustomEnabled(kind) {
+      if (this.presets && this.presets[kind]) {
+        return this.presets[kind].customEnabled == true;
+      }
+      return false;
+    },
     addMRUCaseObj(caseObj) {
       if (caseObj) {
         for (var idx = 0; idx < this.mruCases.length; idx++) {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 2109cbea..dc904aae 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -375,3 +375,40 @@ test('cancelComment', () => {
   expect(comp.associatedForms['comments'].id).toBe("");
   expect(comp.associatedForms['comments'].description).toBe("");
 });
+
+test('presets', () => {
+  expect(comp.isPresetCustomEnabled('foo')).toBe(false); // Presets not loaded
+  expect(comp.getPresets('foo').length).toBe(0);
+
+  comp.presets = {
+    "category": {
+      "labels": [
+        "catLabel2",
+        "catLabel1"
+      ],
+      "customEnabled": true
+    },
+    "tag": {
+      "labels": [
+        "tagLabel1"
+      ]
+    },
+    "severity": {
+      "labels": [
+      ],
+      "customEnabled": false
+    }
+  };
+  expect(comp.isPresetCustomEnabled('foo')).toBe(false); // Doesn't exist
+  expect(comp.getPresets('foo').length).toBe(0);
+
+  expect(comp.isPresetCustomEnabled('category')).toBe(true);
+  expect(comp.getPresets('category')[0]).toBe('catLabel2'); // order is preserved as admin has defined them (do not sort!)
+  expect(comp.getPresets('category')[1]).toBe('catLabel1');
+
+  expect(comp.isPresetCustomEnabled('tag')).toBe(false);  // missing, assume false
+  expect(comp.getPresets('tag')[0]).toBe('tagLabel1');
+
+  expect(comp.isPresetCustomEnabled('severity')).toBe(false);
+  expect(comp.getPresets('severity').length).toBe(0);   // none defined
+});
\ No newline at end of file

From 3b1f6e1a676c4ed07c6ec9bbd383729305a68ba9 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 9 Dec 2021 13:49:34 -0500
Subject: [PATCH 15/98] [wip] Further styling for case page

---
 html/css/app.css       |  20 +-
 html/index.html        | 634 ++++++++++++++++++++++++++---------------
 html/js/i18n.js        |   4 +-
 html/js/routes/case.js | 178 +++++++-----
 4 files changed, 546 insertions(+), 290 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index fd5286cf..e44f5483 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -170,12 +170,14 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   width: 15%;
   text-align: right;
   white-space: nowrap;
+  font-weight: bold;
+  font-size: 13px;
 }
 
 .case.value {
   text-align: left;
-  font-weight: bold;
   white-space: wrap;
+  font-size: 13px;
 }
 
 .case.title.v-text-field input {
@@ -183,6 +185,22 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   margin-bottom: 0.15em;
 }
 
+.case-detail-field {
+  cursor: pointer;
+  border-radius: .25em;
+}
+
+.case-detail-field:hover {
+  background-color: #3d3d3d !important;
+}
+
+.case-detail-field:hover > .v-icon { 
+  /* transition: none !important; */
+  color: var(--v-primary-lighten1);
+}
+
+.v-text-field {}
+
 td {
   white-space: nowrap;
 }
diff --git a/html/index.html b/html/index.html
index 76d85966..b9db1cfd 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1196,92 +1196,418 @@ <h2>{{ i18n.viewJob }}</h2>
 
     <script type="text/x-template" id="page-case">
       <v-container fluid>
-        <v-form v-model="mainForms.info.valid">
-          <v-row class="mb-1" align="center">
+        
+        <v-form model="mainForm.valid" class="mx-sm-12 mx-lg-6 mt-2 mb-6">
+          <!-- <v-row align="center">
             <v-col id="case-title">
-              <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="mainForms.info.title"/>
-              <h2 v-else class="py-1">{{ mainForms.info.title }}</h2>
+              <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="mainForm.title"/>
+              <h2 v-else class="py-1">{{ mainForm.title }}</h2>
             </v-col>
             <v-col class="flex-shrink-1 flex-grow-0">
               <v-btn v-if="isEdit('case-title')" @click="toggleEdit('case-title')">Save</v-btn>
               <v-btn v-else @click="toggleEdit('case-title')">Edit</v-btn>
             </v-col>
-          </v-row>
-          <v-row>
-            
-            <v-col class="d-flex flex-column justify-center">
-              <v-card
-                class="mx-auto"
-                max-width="600"
-                outlined
-              >
-                <h3 class="mx-3 my-2">Info</h3>
-                <v-divider/>
-                <div class="mx-6 my-8">
-                  <div class="align-center d-inline-flex mb-2">
-                    <div class="mr-2">{{i18n.caseAssignee}}: </div>
-                    <v-select
-                      dense
-                      outlined
-                      hide-details
-                      v-model="mainForms.info.assigneeId"
-                      :items="userList"
-                      item-text="email"
-                      item-value="id"
-                      v-on:change="modifyCase()"
-                      class="flex-shrink-1 flex-grow-0"
-                    />
-                  </div>
-                  <div class="align-center d-inline-flex">
-                    <div class="mr-2">{{i18n.status}}: </div>
-                    <v-select
-                      dense
-                      outlined
-                      hide-details
-                      v-model="mainForms.info.status"
-                      :items="statusList"
-                      item-text="text"
-                      item-value="value"
-                      v-on:change="modifyCase()"
-                      class="flex-shrink-1 flex-grow-0"
-                    />
+          </v-row> -->
+          <div>
+            <div class="case-detail-field d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit(mainForm.title, 'case-title')">
+              <h2 class="rounded">{{ mainForm.title }}</div>
+            </div>
+            <div class="d-flex flex-column" v-if="isEdit('case-title')">
+              <div class="mb-2">
+                <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="editField.val"/>
+              </div>
+              <div class="d-inline-flex justify-end">
+                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                  Cancel
+                </v-btn>
+                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('title')">
+                  Save
+                </v-btn>
+              </div>
+            </div>
+          </div>
+          <div class="mt-1">
+            <div class="case-detail-field d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit(mainForm.description, 'case-description')">
+              <div class="rounded">{{ mainForm.description }}</div>
+            </div>
+            <div class="d-flex flex-column" v-if="isEdit('case-description')">
+              <div class="mb-2">
+                <v-textarea outlined hide-details rows="3" dense no-resize v-model="editField.val"/>
+              </div>
+              <div class="d-inline-flex justify-end">
+                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                  Cancel
+                </v-btn>
+                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('description')">
+                  Save
+                </v-btn>
+              </div>
+            </div>
+          </div>
+        </v-form>
+        <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <v-col cols="12" md="9" class="px-sm-4 mx-4 mx-sm-0 case main" order="2" order-md="1">
+            <v-row>
+              <v-tabs grow>
+                <v-tab id="case_commentsTab">
+                  <v-icon left>fa-comments</v-icon>
+                  {{ i18n.comments }}
+                </v-tab>
+                <v-tab id="case_eventsTab">
+                  <v-icon left>fa-link</v-icon>
+                  {{ i18n.events }}
+                </v-tab>
+                <v-tab id="case_historyTab">
+                  <v-icon left>fa-history</v-icon>
+                  {{ i18n.history }}
+                </v-tab>
+  
+                <v-tab-item>
+                  <v-card v-for="comment in associations.comments" elevation="2" class="my-2">
+                    <div>
+                      <span class="case label">{{ i18n.dateCreated }}:</span>
+                      <span class="case value">{{ comment.createTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateModified }}:</span>
+                      <span class="case value">{{ comment.updateTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.author }}:</span>
+                      <span class="case value">{{ comment.owner }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">authorId:</span>
+                      <span class="case value">{{ comment.userId }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.commentDescription }}:</span>
+                      <span class="case value">{{ comment.description }}</span>
+                    </div>
+                    <div class="my-4">
+                      <v-btn text color="secondary" @click="editComment(comment)" icon><v-icon>fa-edit</v-icon></v-btn>
+                      <v-btn text color="secondary" @click="deleteAssociation('comments', comment)" icon><v-icon>fa-trash</v-icon></v-btn>
+                    <div>                      
+                  </v-card>
+                  <div class="mx-12 my-12">
+                    <v-form v-model="associatedForms['comments'].valid">
+                      <v-text-field v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-text-field>
+                      <v-text-field v-model="associatedForms['comments'].id" class="d-none"></v-text-field>
+                      <div class="my-4">
+                        <v-btn v-if="associatedForms['comments'].id == ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="addAssociation('comments')" v-text="i18n.add"></v-btn>
+                        <v-btn v-if="associatedForms['comments'].id != ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="modifyAssociation('comments')" v-text="i18n.update"></v-btn>
+                        <v-btn text color="secondary" @click="cancelComment()" v-text="i18n.cancel"></v-btn>
+                      <div>                      
+                    </form>
                   </div>
-                </div>
-                <v-divider/>
-                <h3 class="mx-3 my-2">Details</h3>
-                <v-divider/>
-                <div class="mx-6 my-8">
-                  test
-                </div>
-              </v-card>
-            </v-col>
+                </v-tab-item>
+  
+                <v-tab-item>
+                  <v-card v-for="event in associations.events" elevation="2" class="my-2">
+                    <div>
+                      <span class="case label">{{ i18n.dateCreated }}:</span>
+                      <span class="case value">{{ event.createTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.author }}:</span>
+                      <span class="case value">{{ event.owner }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">authorId:</span>
+                      <span class="case value">{{ event.userId }}</span>
+                    </div>
+                    <div v-for="value, key in event.fields">
+                      <span class="case label">{{ key }}:</span>
+                      <span class="case value">{{ value }}</span>
+                    </div>
+                    <div class="my-4">
+                      <v-btn text colror="secondary" @click="deleteAssociation('events', event)" icon><v-icon>fa-trash</v-icon></v-btn>
+                    <div>                                        
+                  </v-card>
+                </v-tab-item>
+  
+                <v-tab-item>
+                  <v-card v-for="event in associations.history" elevation="2" class="my-2">
+                    <div>
+                      <span class="case label">{{ i18n.event }}:</span>
+                      <span class="case value">{{ event.kind }} - {{ event.operation }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateCreated }}:</span>
+                      <span class="case value">{{ event.createTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateModified }}:</span>
+                      <span class="case value">{{ event.updateTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateClosed }}:</span>
+                      <span class="case value">{{ event.completeTime | formatDateTime }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.author }}:</span>
+                      <span class="case value">{{ event.owner }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">authorId:</span>
+                      <span class="case value">{{ event.userId }}</span>
+                    </div>
+                    <div v-if="event.kind == 'case'">
+                      <div>
+                        <span class="case label">{{ i18n.caseTitle}}:</span>
+                        <span class="case value">{{ event.title }}</span>
+                      </div>
+                      <div>
+                        <span class="case label">{{ i18n.caseDescription }}:</span>
+                        <span class="case value">{{ event.description }}</span>
+                      </div>
+                      <div>
+                        <span class="case label">{{ i18n.caseStatus }}:</span>
+                        <span class="case value">{{ event.status }}</span>
+                      </div>
+                      <div>
+                        <span class="case label">{{ i18n.caseSeverity }}:</span>
+                        <span class="case value">{{ event.severity }}</span>
+                      </div>
+                      <div>
+                        <span class="case label">{{ i18n.casePriority }}:</span>
+                        <span class="case value">{{ event.priority }}</span>
+                      </div>
+                    </div>
+                    <div v-if="event.kind == 'comment'">
+                      <div>
+                        <span class="case label">{{ i18n.commentDescription }}:</span>
+                        <span class="case value">{{ event.description }}</span>
+                      </div>
+                    </div>
+                  </v-card>
+                </v-tab-item>
+  
+              <v-tabs>
           </v-row>
-          <!-- <v-row dense class="ml-1 my-4">
-            <v-col class="col-12 col-md-7">
-              <v-row align="center">
-                <v-col class="d-flex flex-column justify-center align-end col-3 col-sm-2 col-md-3">
-                  <div class="text-center">{{i18n.caseAssignee}}: </div>
-                </v-col>
-                <v-col class="col-9 col-sm-7 col-md-9">
-                  <v-select dense outlined hide-details :items="userList" v-model="mainForms.info.assigneeId" item-text="email" item-value="id"></v-select>
-                </v-col>
-              </v-row>
-            </v-col>
-            <v-col class="col-12 col-md-4">
-              <v-row align="center">
-                <v-col class="d-flex flex-column align-end col-3 col-sm-2 col-md-3">
-                  <div class="text-center">{{i18n.status}}: </div>
-                </v-col>
-                <v-col class="col-7 col-sm-4 col-md-7">
-                  <v-select dense outlined hide-details :items="statusList" v-model="mainForms.info.status" item-text="text" item-value="value"></v-select>
+          </v-col>
+          <v-col cols="12" md="3" order="1" order-md="2">
+            <v-form v-model="mainForm.valid">
+              <v-row class="mb-12" no-gutters>
+                <v-col class="d-flex flex-column justify-center">
+                  <v-card
+                    class="mx-2 overflow-hidden"
+                  >
+                    <v-toolbar dense flat>
+                      <v-toolbar-title>Info</v-toolbar-title>
+                    </v-toolbar>
+                    <!-- <div class="secondary py-1">
+                      <h3 class="mx-3 my-1">Info</h3>
+                    </div> -->
+                    <div class="mx-4 my-8">
+                      <v-row no-gutters class="align-start d-inline-flex mb-3 flex-column" style="width: 100%">
+                        <v-col cols="12" class="mr-n2 mb-2 font-weight-bold">{{i18n.caseAssignee}}: </v-col>
+                        <v-col cols="12" class="ml-2 pr-2">
+                          <v-select
+                            dense
+                            eager
+                            flat
+                            solo
+                            hide-details
+                            v-model="mainForm.assigneeId"
+                            :items="userList"
+                            item-text="email"
+                            item-value="id"
+                            v-on:change="modifyCase()"
+                            class="case-select"
+                          />
+                        </v-col>
+                      </v-row>
+                      <v-row no-gutters class="align-start d-inline-flex flex-column" style="width: 100%">
+                        <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.status}}: </v-col>
+                        <v-col cols="12" class="ml-2 pr-2">
+                          <v-select
+                            dense
+                            eager
+                            flat
+                            solo
+                            hide-details
+                            v-model="mainForm.status"
+                            :items="statusList"
+                            item-text="text"
+                            item-value="value"
+                            v-on:change="modifyCase()"
+                            class="case-select"
+                          />
+                        </v-col>
+                      </v-row>
+                    </div>
+                    <v-toolbar dense flat>
+                      <v-toolbar-title>Details</v-toolbar-title>
+                      <v-spacer />
+                      <v-btn plain icon small class="mr-1" @click="toggleShowSection('case-details')">
+                        <v-icon style="font-size: 12px !important;" v-if="!isExpandedSection('case-details')">fa-plus</v-icon>
+                        <v-icon style="font-size: 12px !important;" v-if="isExpandedSection('case-details')">fa-minus</v-icon>
+                      </v-btn>
+                    </v-toolbar>
+                    <!-- <v-row no-gutters align="center" class="mr-2">
+                      <v-col>
+                        <div class="secondary py-1">
+                          <h3 class="mx-3 my-1">Details</h3>
+                        </div>
+                      </v-col>
+                      <v-col>
+                        <div class="secondary py-2 pr-2 mr-n2 d-flex align-center justify-end">
+                          <v-btn plain icon small @click="toggleShowSection('case-details')">
+                            <v-icon style="font-size: 12px !important;" v-if="!isExpandedSection('case-details')">fa-plus</v-icon>
+                            <v-icon style="font-size: 12px !important;" v-if="isExpandedSection('case-details')">fa-minus</v-icon>
+                          </v-btn>
+                        </div>
+                      </v-col>
+                    </v-row> -->
+                    <v-expand-transition>
+                      <v-form v-show="isExpandedSection('case-details')" v-model="mainForm.valid" class="mb-n4">
+                        <div class="mx-4 my-8 d-flex flex-column">
+                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseSeverity}}: </v-col>
+                            <v-col cols="12" id="case-severity" class="ml-2 pr-2">
+                              <v-select
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-model="mainForm.severity"
+                                :items="severityList"
+                                item-text="text"
+                                item-value="value"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                            </v-col>
+                          </v-row>
+                          <v-row no-gutters class="align-start d-inline-flex flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.casePriority}}: </v-col>
+                            <v-col id="case-priority" cols="12" class="ml-2 pr-2">
+                              <div class="d-flex align-start pa-2 mb-4 case-detail-field" v-if="!isEdit('case-priority')" @click="startEdit(mainForm.priority, 'case-priority')">
+                                <div class="mr-2">{{ mainForm.priority }}</div>
+                              </div>
+                              <div class="d-flex flex-column mb-n5" v-if="isEdit('case-priority')">
+                                <div class="mb-2">
+                                  <v-text-field outlined solo hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
+                                </div>
+                                <div class="d-inline-flex justify-end">
+                                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                                    Cancel
+                                  </v-btn>
+                                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('priority')">
+                                    Save
+                                  </v-btn>
+                                </div>
+                              </div>
+                            </v-col>
+                          </v-row>
+                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTlp}}: </v-col>
+                            <v-col cols="12" id="case-tlp" class="ml-2 pr-2">
+                              <v-select
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-model="mainForm.tlp"
+                                :items="tlpList"
+                                item-text="text"
+                                item-value="value"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                            </v-col>
+                          </v-row>
+                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.casePap}}: </v-col>
+                            <v-col cols="12" id="case-pap" class="ml-2 pr-2">
+                              <v-select
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-model="mainForm.pap"
+                                :items="papList"
+                                item-text="text"
+                                item-value="value"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                            </v-col>
+                          </v-row>
+                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseCategory}}: </v-col>
+                            <v-col cols="12" id="case-category" class="ml-2 pr-2">
+                              <v-combobox
+                                dense
+                                eager
+                                chips
+                                flat
+                                solo
+                                hide-details
+                                v-model="mainForm.category"
+                                :items="categoryList"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                            </v-col>
+                          </v-row>
+                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
+                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTags}}: </v-col>
+                            <v-col cols="12" id="case-tags" class="ml-2 pr-2">
+                              <v-combobox
+                                dense
+                                eager
+                                multiple
+                                chips
+                                flat
+                                solo
+                                hide-details
+                                v-model="mainForm.tags"
+                                :items="tagList"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                            </v-col>
+                          </v-row>
+                        </div>
+                      </div>
+                    </v-expand-transition>
+                  </v-card>
+                  <div class="ml-2 mt-2">
+                    <div>
+                      <span class="case label">{{ i18n.caseId }}:</span>
+                      <span class="case value">{{ caseObj.id }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.author }}:</span>
+                      <span class="case value">{{ caseObj.owner }}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateCreated }}:</span>
+                      <span class="case value">{{ caseObj.createTime | formatDateTime}}</span>
+                    </div>
+                    <div>
+                      <span class="case label">{{ i18n.dateModified }}:</span>
+                      <span class="case value">{{ caseObj.updateTime | formatDateTime}}</span>
+                    </div>
+                    <div v-if="$root.formatDateTime(caseObj.completeTime) !== ''">
+                      <span class="case label">{{ i18n.dateClosed }}:</span>
+                      <span class="case value">{{ caseObj.completeTime | formatDateTime}}</span>
+                    </div>
+                  </div>
                 </v-col>
               </v-row>
-            </v-col>
-          </v-row> -->
-        </v-form>
+            </v-form>
+          </v-col>
+        </v-row>
         <v-row class="mt-2">
           <v-col>
-            <v-form v-model="mainForms.details.valid">
+            <v-form v-model="mainForm.valid">
+              <div>
                 <span class="case label">{{ i18n.caseId }}:</span>
                 <span class="case value">{{ caseObj.id }}</span>
               </div>
@@ -1306,177 +1632,39 @@ <h3 class="mx-3 my-2">Details</h3>
                 <span class="case value">{{ caseObj.assignee }}</span>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
+                <v-text-field v-model="mainForm.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.info.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForm.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForm.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
+                <v-text-field v-model="mainForm.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
+                <v-text-field v-model="mainForm.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
               </div>              
               <div>
-                <v-text-field v-model="mainForms.details.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
+                <v-text-field v-model="mainForm.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
+                <v-text-field v-model="mainForm.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.details.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
+                <v-text-field v-model="mainForm.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
               </div>
               <div>
-                <v-text-field v-model="mainForms.info.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
+                <v-text-field v-model="mainForm.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
               </div>
               <div class="my-4">
-                <v-btn :disabled="!mainForms.details.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
+                <v-btn :disabled="!mainForm.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
               <div>
             </form>
           </v-col>
         </v-row>
-        <v-row>
-            <v-tabs>
-
-              <v-tab id="case_commentsTab">
-                <v-icon left>fa-comments</v-icon>
-                {{ i18n.comments }}
-              </v-tab>
-              <v-tab id="case_eventsTab">
-                <v-icon left>fa-link</v-icon>
-                {{ i18n.events }}
-              </v-tab>
-              <v-tab id="case_historyTab">
-                <v-icon left>fa-history</v-icon>
-                {{ i18n.history }}
-              </v-tab>
-
-              <v-tab-item>
-                <v-card v-for="comment in associations.comments" elevation="2" class="my-2">
-                  <div>
-                    <span class="case label">{{ i18n.dateCreated }}:</span>
-                    <span class="case value">{{ comment.createTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.dateModified }}:</span>
-                    <span class="case value">{{ comment.updateTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.author }}:</span>
-                    <span class="case value">{{ comment.owner }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">authorId:</span>
-                    <span class="case value">{{ comment.userId }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.commentDescription }}:</span>
-                    <span class="case value">{{ comment.description }}</span>
-                  </div>
-                  <div class="my-4">
-                    <v-btn text colror="secondary" @click="editComment(comment)" icon><v-icon>fa-edit</v-icon></v-btn>
-                    <v-btn text colror="secondary" @click="deleteAssociation('comments', comment)" icon><v-icon>fa-trash</v-icon></v-btn>
-                  <div>                      
-                </v-card>
-                <div class="mx-12 my-12">
-                  <v-form v-model="associatedForms['comments'].valid">
-                    <v-text-field v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-text-field>
-                    <v-text-field v-model="associatedForms['comments'].id" class="d-none"></v-text-field>
-                    <div class="my-4">
-                      <v-btn v-if="associatedForms['comments'].id == ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="addAssociation('comments')" v-text="i18n.add"></v-btn>
-                      <v-btn v-if="associatedForms['comments'].id != ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="modifyAssociation('comments')" v-text="i18n.update"></v-btn>
-                      <v-btn text color="secondary" @click="cancelComment()" v-text="i18n.cancel"></v-btn>
-                    <div>                      
-                  </form>
-                </div>
-              </v-tab-item>
-
-              <v-tab-item>
-                <v-card v-for="event in associations.events" elevation="2" class="my-2">
-                  <div>
-                    <span class="case label">{{ i18n.dateCreated }}:</span>
-                    <span class="case value">{{ event.createTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.author }}:</span>
-                    <span class="case value">{{ event.owner }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">authorId:</span>
-                    <span class="case value">{{ event.userId }}</span>
-                  </div>
-                  <div v-for="value, key in event.fields">
-                    <span class="case label">{{ key }}:</span>
-                    <span class="case value">{{ value }}</span>
-                  </div>
-                  <div class="my-4">
-                    <v-btn text colror="secondary" @click="deleteAssociation('events', event)" icon><v-icon>fa-trash</v-icon></v-btn>
-                  <div>                                        
-                </v-card>
-              </v-tab-item>
-
-              <v-tab-item>
-                <v-card v-for="event in associations.history" elevation="2" class="my-2">
-                  <div>
-                    <span class="case label">{{ i18n.event }}:</span>
-                    <span class="case value">{{ event.kind }} - {{ event.operation }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.dateCreated }}:</span>
-                    <span class="case value">{{ event.createTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.dateModified }}:</span>
-                    <span class="case value">{{ event.updateTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.dateClosed }}:</span>
-                    <span class="case value">{{ event.completeTime | formatDateTime }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">{{ i18n.author }}:</span>
-                    <span class="case value">{{ event.owner }}</span>
-                  </div>
-                  <div>
-                    <span class="case label">authorId:</span>
-                    <span class="case value">{{ event.userId }}</span>
-                  </div>
-                  <div v-if="event.kind == 'case'">
-                    <div>
-                      <span class="case label">{{ i18n.caseTitle}}:</span>
-                      <span class="case value">{{ event.title }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.caseDescription }}:</span>
-                      <span class="case value">{{ event.description }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.caseStatus }}:</span>
-                      <span class="case value">{{ event.status }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.caseSeverity }}:</span>
-                      <span class="case value">{{ event.severity }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.casePriority }}:</span>
-                      <span class="case value">{{ event.priority }}</span>
-                    </div>
-                  </div>
-                  <div v-if="event.kind == 'comment'">
-                    <div>
-                      <span class="case label">{{ i18n.commentDescription }}:</span>
-                      <span class="case value">{{ event.description }}</span>
-                    </div>
-                  </div>
-                </v-card>
-              </v-tab-item>
-
-            <v-tabs>
-        </v-row>
+        
       </v-container>
     </script>
 
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 2d47229b..bc6d4cde 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -92,12 +92,12 @@ const i18n = {
       copyToClipboard: 'Copy to clipboard',
       custom: 'Custom',
       darkMode: 'Dark Mode',
-      dateClosed: 'Date Closed',
+      dateClosed: 'Closed',
       dateCompleted: 'Date Completed',
       dateCreated: 'Created',
       dateDataEpoch: 'Earliest PCAP',
       dateFailed: 'Date Failed',
-      dateModified: 'Date Modified',
+      dateModified: 'Updated',
       dateOnline: 'Online Since:',
       dateQueued: 'Date Queued',
       datePreselectToday: 'Today',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index f635d863..1be3b8ee 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -35,24 +35,20 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     footerProps: { 'items-per-page-options': [10,50,250,1000] },
     count: 500,
     userList: [],
-    mainForms: {
-      info: {
-        valid: false,
-        title: null,
-        assigneeId: null,
-        status: null
-      },
-      details: {
-        valid: false,
-        id: null,
-        description: null,
-        severity: null,
-        priority: null,
-        tags: null,
-        tlp: null,
-        pap: null,
-        category: null
-      }
+    collapsedSections: [],
+    mainForm: {
+      valid: false,
+      title: null,
+      assigneeId: null,
+      status: null,
+      id: null,
+      description: null,
+      severity: null,
+      priority: null,
+      tags: [],
+      tlp: null,
+      pap: null,
+      category: null
     },
     associatedForms: {
       comments: {
@@ -75,28 +71,66 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         valid: false
       }
     },
-    editFields: [],
+    editField: "",
     mruCaseLimit: 5,
     mruCases: [],
     presets: {},
     rules: {
-      required: value => (!!value) || this.$root.i18n.required,
+      required: value => (value != [] && value != "") || this.$root.i18n.required,
+      number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
     },
   }},
   computed: {
     severityList() {
-      return [
-        { text: 'High', value: 0 },
-        { text: 'Medium', value: 1 },
-        { text: 'Low', value: 2 },
-        { text: 'Extra Low', value: 3}
-      ]
+      const sevPresets = this.getPresets('severity');
+      if (sevPresets != []) {
+        let formattedSevList = [];
+        for (let index = 0; index < sevPresets.length; index++) {
+          formattedSevList.push({
+            text: sevPresets[index],
+            value: index+1
+          });
+        }
+        return formattedSevList;
+      } else {
+        return [
+          { text: 'Critical', value: 1 },
+          { text: 'High', value: 2 },
+          { text: 'Medium', value: 3 },
+          { text: 'Low', value: 4}
+        ];
+      }
+    },
+    tagList() {
+      const tagPresets = this.getPresets('tags');
+      return tagPresets.concat(this.mainForm.tags);
+    },
+    categoryList() {
+      const catPresets = this.getPresets('category')
+      if (this.mainForm.category !== null) {
+        return catPresets.concat(this.mainForm.category)
+      } else {
+        return catPresets
+      }
+    },
+    tlpList() {
+      const tlpPresets = this.getPresets('tlp')
+      return tlpPresets.map((value) => {
+        return {
+          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
+          value: value
+        }
+      })
+    },
+    papList() {
+      const papPresets = this.getPresets('pap')
+      return papPresets.map((value) => {
+        return {
+          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
+          value: value
+        }
+      })
     },
-    severityString() {
-      return typeof(this.mainForms.details.severity) == Number
-        ? this.severityList.find(el => el.value == this.mainForms.details.severity).text
-        : this.mainForms.details.severity
-    }, 
     statusList() {
       const statuses = [
         'new',
@@ -207,6 +241,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             id: this.$route.params.id
         }});
         this.userList = await this.$root.getUsers();
+        console.log(response.data)
         this.updateCaseDetails(response.data);
         this.loadAssociations();
       } catch (error) {
@@ -220,43 +255,40 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$root.subscribe("case", this.updateCase);
     },
     updateCaseDetails(caseObj) {
-      this.mainForms.details.id = caseObj.id;
-      this.mainForms.info.title = caseObj.title;
-      this.mainForms.details.description = caseObj.description;
-      this.mainForms.details.severity = caseObj.severity;
-      this.mainForms.details.priority = caseObj.priority;
-      this.mainForms.info.status = caseObj.status;
-      this.mainForms.details.tags = caseObj.tags ? caseObj.tags.join(", ") : "";
-      this.mainForms.details.tlp = caseObj.tlp;
-      this.mainForms.details.pap = caseObj.pap;
-      this.mainForms.details.category = caseObj.category;
-      this.mainForms.info.assigneeId = caseObj.assigneeId;
+      
+      this.mainForm.id = caseObj.id;
+      this.mainForm.title = caseObj.title;
+      this.mainForm.description = caseObj.description;
+      this.mainForm.severity = caseObj.severity;
+      this.mainForm.priority = caseObj.priority;
+      this.mainForm.status = caseObj.status;
+      this.mainForm.tags = caseObj.tags;
+      this.mainForm.tlp = caseObj.tlp;
+      this.mainForm.pap = caseObj.pap;
+      this.mainForm.category = caseObj.category;
+      this.mainForm.assigneeId = caseObj.assigneeId;
       this.$root.populateUserDetails(caseObj, "userId", "owner");
       this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
       this.addMRUCaseObj(caseObj);
       this.caseObj = caseObj;
     },
-    async modifyCase() {
+    async modifyCase(keyStr = null) {
       this.$root.startLoading();
       try {
+        let jsonObj = {...this.mainForm };
+        if (keyStr !== null) {
+          jsonObj[keyStr] = this.editField.val;
+        }
         // Convert priority and severity to ints
-        this.mainForms.details.severity = parseInt(this.mainForms.details.severity, 10);
-        this.mainForms.details.severity = this.severityString;
-        this.mainForms.details.priority = parseInt(this.mainForms.details.priority, 10);
-        const formattedTags = this.mainForms.details.tags;
-        if (this.mainForms.details.tags) {
-          this.mainForms.details.tags = this.mainForms.details.tags.split(",").map(tag => {
-            return tag.trim();
-          });
-        } else { this.mainForms.details.tags = []; }
-        const caseInfo = {
-          ...this.mainForms.info,
-          ...this.mainForms.details
-        };
-        const json = JSON.stringify(caseInfo);
-        this.mainForms.details.tags = formattedTags;
+        jsonObj.severity = parseInt(jsonObj.severity, 10);
+        jsonObj.priority = parseInt(jsonObj.priority, 10);
+        // if (jsonObj.tags) {
+        //   jsonObj.tags = jsonObj.tags.split(",").map(tag => tag.trim());
+        // } else { jsonObj.tags = []; }
+        const json = JSON.stringify(jsonObj);
         const response = await this.$root.papi.put('case/', json);
         if (response.data) {
+          this.stopEdit();
           this.updateCaseDetails(response.data);
         }
       } catch (error) {
@@ -343,14 +375,22 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.loadAssociations();
     },
     isEdit(id) {
-      return this.editFields.find(item => item == id) != null
+      return this.editField !== {} && this.editField.id === id;
+    },
+    startEdit(val, id) {
+      this.editField = {
+        val,
+        id
+      };
     },
-    async toggleEdit(id) {
-      if (this.editFields.find(item => item == id) == null) {
-        this.editFields.push(id)
+    stopEdit() {
+      this.editField = {}
+    },
+    async saveEdit(keyStr) {
+      if (this.mainForm[keyStr] === this.editField.val) {
+        this.stopEdit();
       } else {
-        this.editFields = this.editFields.filter(item => item != id)
-        await this.modifyCase()
+        await this.modifyCase(keyStr);
       }
     },
     saveLocalSettings() {
@@ -359,6 +399,16 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     loadLocalSettings() {
       if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
     },
+    toggleShowSection(item) {
+      if (this.isExpandedSection(item)) {
+        this.collapsedSections.push(item);
+      } else {
+        this.collapsedSections.splice(this.collapsedSections.indexOf(item), 1);
+      }
+    },
+    isExpandedSection(item) {
+      return (this.collapsedSections.indexOf(item) == -1);
+    }
   }
 }});
 

From a0a65c1e99d3ce4630e1ae0cd957ab4b48e12547 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 13 Dec 2021 12:42:59 -0500
Subject: [PATCH 16/98] await populateUserDetails to ensure the value is always
 rendered

---
 html/js/routes/case.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 1be3b8ee..326b3937 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -254,8 +254,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$root.stopLoading();
       this.$root.subscribe("case", this.updateCase);
     },
-    updateCaseDetails(caseObj) {
-      
+    async updateCaseDetails(caseObj) {
       this.mainForm.id = caseObj.id;
       this.mainForm.title = caseObj.title;
       this.mainForm.description = caseObj.description;
@@ -267,8 +266,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.mainForm.pap = caseObj.pap;
       this.mainForm.category = caseObj.category;
       this.mainForm.assigneeId = caseObj.assigneeId;
-      this.$root.populateUserDetails(caseObj, "userId", "owner");
-      this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
+      await this.$root.populateUserDetails(caseObj, "userId", "owner");
+      await this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
       this.addMRUCaseObj(caseObj);
       this.caseObj = caseObj;
     },

From 5ace5d28e1bdf8ac9a51745ef109f1df6ee20f0d Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 13 Dec 2021 12:44:41 -0500
Subject: [PATCH 17/98] Add further awaits

---
 html/js/routes/case.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 326b3937..d5c758fb 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -304,7 +304,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       try {
         const response = await this.$root.papi.post('case/' + association, JSON.stringify(this.associatedForms[association]));
         if (response.data) {
-          this.$root.populateUserDetails(response.data, "userId", "owner");
+          await this.$root.populateUserDetails(response.data, "userId", "owner");
           this.associations[association].push(response.data);
         }
       } catch (error) {
@@ -325,7 +325,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         try {
           const response = await this.$root.papi.put('case/' + association, JSON.stringify(this.associatedForms[association]));
           if (response.data) {
-            this.$root.populateUserDetails(response.data, "userId", "owner");
+            await this.$root.populateUserDetails(response.data, "userId", "owner");
             Vue.set(this.associations[association], idx, response.data);
           }
         } catch (error) {

From 7136134312c574d2d8b7f51ebb40763037bcc373 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 13 Dec 2021 12:45:11 -0500
Subject: [PATCH 18/98] Fix sizing and remove hardcoded color

---
 html/css/app.css | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index e44f5483..db7bfa46 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -171,13 +171,15 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   text-align: right;
   white-space: nowrap;
   font-weight: bold;
+}
+
+.case.details {
   font-size: 13px;
 }
 
 .case.value {
   text-align: left;
   white-space: wrap;
-  font-size: 13px;
 }
 
 .case.title.v-text-field input {
@@ -191,12 +193,12 @@ a#title, a#title:visited, a#title:active, a#title:hover {
 }
 
 .case-detail-field:hover {
-  background-color: #3d3d3d !important;
+  background-color: var(--v-drawer_background-base) !important;
 }
 
 .case-detail-field:hover > .v-icon { 
   /* transition: none !important; */
-  color: var(--v-primary-lighten1);
+  color: var(--v-secondary-lighten1);
 }
 
 .v-text-field {}

From 0091d42eb07d8dc4891a793352ab7171b4210c6f Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 13 Dec 2021 12:45:44 -0500
Subject: [PATCH 19/98] Further changes to details sidebar

---
 html/index.html | 134 +++++++++---------------------------------------
 1 file changed, 24 insertions(+), 110 deletions(-)

diff --git a/html/index.html b/html/index.html
index b9db1cfd..53b423dd 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1198,16 +1198,6 @@ <h2>{{ i18n.viewJob }}</h2>
       <v-container fluid>
         
         <v-form model="mainForm.valid" class="mx-sm-12 mx-lg-6 mt-2 mb-6">
-          <!-- <v-row align="center">
-            <v-col id="case-title">
-              <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="mainForm.title"/>
-              <h2 v-else class="py-1">{{ mainForm.title }}</h2>
-            </v-col>
-            <v-col class="flex-shrink-1 flex-grow-0">
-              <v-btn v-if="isEdit('case-title')" @click="toggleEdit('case-title')">Save</v-btn>
-              <v-btn v-else @click="toggleEdit('case-title')">Edit</v-btn>
-            </v-col>
-          </v-row> -->
           <div>
             <div class="case-detail-field d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit(mainForm.title, 'case-title')">
               <h2 class="rounded">{{ mainForm.title }}</div>
@@ -1396,9 +1386,6 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                     <v-toolbar dense flat>
                       <v-toolbar-title>Info</v-toolbar-title>
                     </v-toolbar>
-                    <!-- <div class="secondary py-1">
-                      <h3 class="mx-3 my-1">Info</h3>
-                    </div> -->
                     <div class="mx-4 my-8">
                       <v-row no-gutters class="align-start d-inline-flex mb-3 flex-column" style="width: 100%">
                         <v-col cols="12" class="mr-n2 mb-2 font-weight-bold">{{i18n.caseAssignee}}: </v-col>
@@ -1407,7 +1394,7 @@ <h3 class="mx-3 my-1">Info</h3>
                             dense
                             eager
                             flat
-                            solo
+                            solo-inverted
                             hide-details
                             v-model="mainForm.assigneeId"
                             :items="userList"
@@ -1425,7 +1412,7 @@ <h3 class="mx-3 my-1">Info</h3>
                             dense
                             eager
                             flat
-                            solo
+                            solo-inverted
                             hide-details
                             v-model="mainForm.status"
                             :items="statusList"
@@ -1445,21 +1432,6 @@ <h3 class="mx-3 my-1">Info</h3>
                         <v-icon style="font-size: 12px !important;" v-if="isExpandedSection('case-details')">fa-minus</v-icon>
                       </v-btn>
                     </v-toolbar>
-                    <!-- <v-row no-gutters align="center" class="mr-2">
-                      <v-col>
-                        <div class="secondary py-1">
-                          <h3 class="mx-3 my-1">Details</h3>
-                        </div>
-                      </v-col>
-                      <v-col>
-                        <div class="secondary py-2 pr-2 mr-n2 d-flex align-center justify-end">
-                          <v-btn plain icon small @click="toggleShowSection('case-details')">
-                            <v-icon style="font-size: 12px !important;" v-if="!isExpandedSection('case-details')">fa-plus</v-icon>
-                            <v-icon style="font-size: 12px !important;" v-if="isExpandedSection('case-details')">fa-minus</v-icon>
-                          </v-btn>
-                        </div>
-                      </v-col>
-                    </v-row> -->
                     <v-expand-transition>
                       <v-form v-show="isExpandedSection('case-details')" v-model="mainForm.valid" class="mb-n4">
                         <div class="mx-4 my-8 d-flex flex-column">
@@ -1470,7 +1442,7 @@ <h3 class="mx-3 my-1">Details</h3>
                                 dense
                                 eager
                                 flat
-                                solo
+                                solo-inverted
                                 hide-details
                                 v-model="mainForm.severity"
                                 :items="severityList"
@@ -1489,7 +1461,7 @@ <h3 class="mx-3 my-1">Details</h3>
                               </div>
                               <div class="d-flex flex-column mb-n5" v-if="isEdit('case-priority')">
                                 <div class="mb-2">
-                                  <v-text-field outlined solo hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
+                                  <v-text-field solo-inverted flat hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
                                 </div>
                                 <div class="d-inline-flex justify-end">
                                   <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
@@ -1509,7 +1481,7 @@ <h3 class="mx-3 my-1">Details</h3>
                                 dense
                                 eager
                                 flat
-                                solo
+                                solo-inverted
                                 hide-details
                                 v-model="mainForm.tlp"
                                 :items="tlpList"
@@ -1517,7 +1489,8 @@ <h3 class="mx-3 my-1">Details</h3>
                                 item-value="value"
                                 v-on:change="modifyCase()"
                                 class="case-select"
-                              />
+                                />
+                              </v-select>
                             </v-col>
                           </v-row>
                           <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
@@ -1527,7 +1500,7 @@ <h3 class="mx-3 my-1">Details</h3>
                                 dense
                                 eager
                                 flat
-                                solo
+                                solo-inverted
                                 hide-details
                                 v-model="mainForm.pap"
                                 :items="papList"
@@ -1544,9 +1517,8 @@ <h3 class="mx-3 my-1">Details</h3>
                               <v-combobox
                                 dense
                                 eager
-                                chips
                                 flat
-                                solo
+                                solo-inverted
                                 hide-details
                                 v-model="mainForm.category"
                                 :items="categoryList"
@@ -1559,7 +1531,6 @@ <h3 class="mx-3 my-1">Details</h3>
                             <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTags}}: </v-col>
                             <v-col cols="12" id="case-tags" class="ml-2 pr-2">
                               <v-combobox
-                                dense
                                 eager
                                 multiple
                                 chips
@@ -1570,7 +1541,11 @@ <h3 class="mx-3 my-1">Details</h3>
                                 :items="tagList"
                                 v-on:change="modifyCase()"
                                 class="case-select"
-                              />
+                              >
+                                <template #selection="{ item }">
+                                  <v-chip color="primary">{{item}}</v-chip>
+                                </template>
+                              </v-combobox>
                             </v-col>
                           </v-row>
                         </div>
@@ -1579,24 +1554,24 @@ <h3 class="mx-3 my-1">Details</h3>
                   </v-card>
                   <div class="ml-2 mt-2">
                     <div>
-                      <span class="case label">{{ i18n.caseId }}:</span>
-                      <span class="case value">{{ caseObj.id }}</span>
+                      <span class="case label details">{{ i18n.caseId }}:</span>
+                      <span class="case value details">{{ caseObj.id }}</span>
                     </div>
                     <div>
-                      <span class="case label">{{ i18n.author }}:</span>
-                      <span class="case value">{{ caseObj.owner }}</span>
+                      <span class="case label details">{{ i18n.author }}:</span>
+                      <span class="case value details">{{ caseObj.owner }}</span>
                     </div>
                     <div>
-                      <span class="case label">{{ i18n.dateCreated }}:</span>
-                      <span class="case value">{{ caseObj.createTime | formatDateTime}}</span>
+                      <span class="case label details">{{ i18n.dateCreated }}:</span>
+                      <span class="case value details">{{ caseObj.createTime | formatDateTime}}</span>
                     </div>
                     <div>
-                      <span class="case label">{{ i18n.dateModified }}:</span>
-                      <span class="case value">{{ caseObj.updateTime | formatDateTime}}</span>
+                      <span class="case label details">{{ i18n.dateModified }}:</span>
+                      <span class="case value details">{{ caseObj.updateTime | formatDateTime}}</span>
                     </div>
                     <div v-if="$root.formatDateTime(caseObj.completeTime) !== ''">
-                      <span class="case label">{{ i18n.dateClosed }}:</span>
-                      <span class="case value">{{ caseObj.completeTime | formatDateTime}}</span>
+                      <span class="case label details">{{ i18n.dateClosed }}:</span>
+                      <span class="case value details">{{ caseObj.completeTime | formatDateTime}}</span>
                     </div>
                   </div>
                 </v-col>
@@ -1604,67 +1579,6 @@ <h3 class="mx-3 my-1">Details</h3>
             </v-form>
           </v-col>
         </v-row>
-        <v-row class="mt-2">
-          <v-col>
-            <v-form v-model="mainForm.valid">
-              <div>
-                <span class="case label">{{ i18n.caseId }}:</span>
-                <span class="case value">{{ caseObj.id }}</span>
-              </div>
-              <div>
-                <span class="case label">{{ i18n.dateCreated }}:</span>
-                <span class="case value">{{ caseObj.createTime | formatDateTime}}</span>
-              </div>
-              <div>
-                <span class="case label">{{ i18n.dateModified }}:</span>
-                <span class="case value">{{ caseObj.updateTime | formatDateTime}}</span>
-              </div>
-              <div>
-                <span class="case label">{{ i18n.dateClosed }}:</span>
-                <span class="case value">{{ caseObj.completeTime | formatDateTime}}</span>
-              </div>
-              <div>
-                <span class="case label">{{ i18n.author }}:</span>
-                <span class="case value">{{ caseObj.owner }}</span>
-              </div>
-              <div>
-                <span class="case label">{{ i18n.caseAssignee }}:</span>
-                <span class="case value">{{ caseObj.assignee }}</span>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.description" :placeholder="i18n.caseDescription" persistent-hint :hint="i18n.caseDescriptionHelp"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.status" :placeholder="i18n.caseStatus" persistent-hint :hint="i18n.caseStatusHelp" :rules="[rules.required]"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.severity" :placeholder="i18n.caseSeverity" persistent-hint :hint="i18n.caseSeverityHelp" :rules="[rules.required]"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.priority" :placeholder="i18n.casePriority" persistent-hint :hint="i18n.casePriorityHelp" :rules="[rules.required]"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.tags" :placeholder="i18n.caseTags" persistent-hint :hint="i18n.caseTagsHelp"></v-text-field>
-              </div>              
-              <div>
-                <v-text-field v-model="mainForm.tlp" :placeholder="i18n.caseTlp" persistent-hint :hint="i18n.caseTlpHelp"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.pap" :placeholder="i18n.casePap" persistent-hint :hint="i18n.casePapHelp"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.category" :placeholder="i18n.caseCategory" persistent-hint :hint="i18n.caseCategoryHelp"></v-text-field>
-              </div>
-              <div>
-                <v-text-field v-model="mainForm.assigneeId" :placeholder="i18n.caseAssignee" persistent-hint :hint="i18n.caseAssigneeHelp"></v-text-field>
-              </div>
-              <div class="my-4">
-                <v-btn :disabled="!mainForm.valid" text color="primary" @click="modifyCase" v-text="i18n.update"></v-btn>
-              <div>
-            </form>
-          </v-col>
-        </v-row>
-        
       </v-container>
     </script>
 

From ec7588cd3c043d465da963fc203660c80e93d33a Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 10:29:58 -0500
Subject: [PATCH 20/98] Wait during mounted for the async loadData function

---
 html/js/routes/case.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index d5c758fb..d8a8336c 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -147,8 +147,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   },
   created() {
   },
-  mounted() {
-    this.loadData();
+  async mounted() {
+    await this.loadData();
     this.$root.loadParameters('case', this.initCase);
   },
   destroyed() {

From 7cec1e98435ade7bd93f6cf3a4616aae37f21e8c Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 10:36:37 -0500
Subject: [PATCH 21/98] Remove unnecessary console log

---
 html/js/routes/case.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index d8a8336c..fde53409 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -241,7 +241,6 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             id: this.$route.params.id
         }});
         this.userList = await this.$root.getUsers();
-        console.log(response.data)
         this.updateCaseDetails(response.data);
         this.loadAssociations();
       } catch (error) {

From 94e01863a51259a67437290534131d2bc31a9279 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 10:37:14 -0500
Subject: [PATCH 22/98] Match collapse icons in hunt to case details

---
 html/index.html | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/html/index.html b/html/index.html
index 53b423dd..164e35a3 100644
--- a/html/index.html
+++ b/html/index.html
@@ -417,7 +417,10 @@ <h5>
             <v-toolbar-title>{{ i18n.graphs }}</v-toolbar-title>
             <v-spacer />
             <v-btn
-              text
+              plain
+              icon
+              small
+              class="mr-1"
               @click="toggleShowSection('hunt-graphs')"
             >
               <v-icon v-if="!isExpandedSection('hunt-graphs')">fa-angle-down</v-icon>
@@ -450,7 +453,10 @@ <h5>
             <v-toolbar-title>{{ i18n.groups }}</v-toolbar-title>
             <v-spacer />
             <v-btn
-              text
+              plain
+              icon
+              small
+              class="mr-1"
               @click="toggleShowSection('hunt-groups')"
             >
               <v-icon v-if="!isExpandedSection('hunt-groups')">fa-angle-down</v-icon>
@@ -516,7 +522,10 @@ <h5>
             <v-toolbar-title>{{ i18n.events }}</v-toolbar-title>
             <v-spacer />
             <v-btn
-              text
+              plain
+              icon
+              small
+              class="mr-1"
               @click="toggleShowSection('hunt-events')"
             >
               <v-icon v-if="!isExpandedSection('hunt-events')">fa-angle-down</v-icon>

From d52e0b02523b402cd36e5d8457e4ce99e8e0c4ee Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 10:38:53 -0500
Subject: [PATCH 23/98] Make case details collapsible + styling changes

* Return selects + comboboxes to solo
* Make highlight on hover of editable fields change text color to blue
* Move case details to left column above main content
---
 html/css/app.css       | 25 +++++++++-----
 html/index.html        | 78 +++++++++++++++++++++++-------------------
 html/js/routes/case.js | 45 +++++++++++++++++++-----
 3 files changed, 97 insertions(+), 51 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index db7bfa46..9d9e4f26 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -187,21 +187,30 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   margin-bottom: 0.15em;
 }
 
-.case-detail-field {
-  cursor: pointer;
+.case.detail-field {
+  padding-left: .75em;
   border-radius: .25em;
+  overflow: hidden;
+  white-space: pre-wrap;
+  word-wrap: break-word;
 }
 
-.case-detail-field:hover {
-  background-color: var(--v-drawer_background-base) !important;
+.case.detail-field:hover {
+  cursor: pointer;
+  color: var(--v-primary-lighten1) !important;
 }
 
-.case-detail-field:hover > .v-icon { 
-  /* transition: none !important; */
-  color: var(--v-secondary-lighten1);
+.case.collapse-field {
+  max-height: 7.5em;
+  overflow: hidden;
+  white-space: pre-wrap;
+  word-wrap: break-word;
 }
 
-.v-text-field {}
+.case.collapse-text:hover {
+  cursor: pointer;
+  color: var(--v-primary-lighten2) !important;
+}
 
 td {
   white-space: nowrap;
diff --git a/html/index.html b/html/index.html
index 164e35a3..4b9c6369 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1205,11 +1205,10 @@ <h2>{{ i18n.viewJob }}</h2>
 
     <script type="text/x-template" id="page-case">
       <v-container fluid>
-        
-        <v-form model="mainForm.valid" class="mx-sm-12 mx-lg-6 mt-2 mb-6">
+        <v-form model="mainForm.valid" class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
           <div>
-            <div class="case-detail-field d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit(mainForm.title, 'case-title')">
-              <h2 class="rounded">{{ mainForm.title }}</div>
+            <div class="case detail-field d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit(mainForm.title, 'case-title')">
+              <h2 class="rounded">{{ mainForm.title }}</h2>
             </div>
             <div class="d-flex flex-column" v-if="isEdit('case-title')">
               <div class="mb-2">
@@ -1225,27 +1224,36 @@ <h2 class="rounded">{{ mainForm.title }}</div>
               </div>
             </div>
           </div>
-          <div class="mt-1">
-            <div class="case-detail-field d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit(mainForm.description, 'case-description')">
-              <div class="rounded">{{ mainForm.description }}</div>
+        </v-form>
+        <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
+          <v-col cols="12" md="9" class="px-sm-4 mx-4 mx-sm-0 case main" order="2" order-md="1">
+            <div class="d-block d-md-none">
+              <h2>Description</h2>
             </div>
-            <div class="d-flex flex-column" v-if="isEdit('case-description')">
-              <div class="mb-2">
-                <v-textarea outlined hide-details rows="3" dense no-resize v-model="editField.val"/>
+            <div class="mb-6 mb-md-3">
+              <div class="case detail-field d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit(mainForm.description, 'case-description')">
+                <div class="d-block">
+                  <div id="case-description" class="rounded" :class="[ !isCollapsed('case-description') ? 'case collapse-field' : '' ]">{{ mainForm.description }}</div>
+                </div>
               </div>
-              <div class="d-inline-flex justify-end">
-                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                  Cancel
-                </v-btn>
-                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('description')">
-                  Save
-                </v-btn>
+              <div v-if="isCollapsible('case-description') && !isEdit('case-description')" class="pl-2 text-body-2 blue--text case collapse-text" @click="toggleCollapse('case-description')">
+                <div v-if="!isCollapsed('case-description')">See more</div>
+                <div v-if="isCollapsed('case-description')">See less</div>
+              </div>
+              <div class="d-flex flex-column" v-if="isEdit('case-description')">
+                <div class="mb-2">
+                  <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
+                </div>
+                <div class="d-inline-flex justify-end">
+                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                    Cancel
+                  </v-btn>
+                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('description')">
+                    Save
+                  </v-btn>
+                </div>
               </div>
             </div>
-          </div>
-        </v-form>
-        <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
-          <v-col cols="12" md="9" class="px-sm-4 mx-4 mx-sm-0 case main" order="2" order-md="1">
             <v-row>
               <v-tabs grow>
                 <v-tab id="case_commentsTab">
@@ -1387,7 +1395,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
           </v-col>
           <v-col cols="12" md="3" order="1" order-md="2">
             <v-form v-model="mainForm.valid">
-              <v-row class="mb-12" no-gutters>
+              <v-row no-gutters>
                 <v-col class="d-flex flex-column justify-center">
                   <v-card
                     class="mx-2 overflow-hidden"
@@ -1403,7 +1411,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                             dense
                             eager
                             flat
-                            solo-inverted
+                            solo
                             hide-details
                             v-model="mainForm.assigneeId"
                             :items="userList"
@@ -1421,7 +1429,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                             dense
                             eager
                             flat
-                            solo-inverted
+                            solo
                             hide-details
                             v-model="mainForm.status"
                             :items="statusList"
@@ -1436,13 +1444,13 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                     <v-toolbar dense flat>
                       <v-toolbar-title>Details</v-toolbar-title>
                       <v-spacer />
-                      <v-btn plain icon small class="mr-1" @click="toggleShowSection('case-details')">
-                        <v-icon style="font-size: 12px !important;" v-if="!isExpandedSection('case-details')">fa-plus</v-icon>
-                        <v-icon style="font-size: 12px !important;" v-if="isExpandedSection('case-details')">fa-minus</v-icon>
+                      <v-btn plain icon small class="mr-1" @click="toggleCollapse('case-details')">
+                        <v-icon style="font-size: 12px !important;" v-if="isCollapsed('case-details')">fa-angle-down</v-icon>
+                        <v-icon style="font-size: 12px !important;" v-if="!isCollapsed('case-details')">fa-angle-up</v-icon>
                       </v-btn>
                     </v-toolbar>
-                    <v-expand-transition>
-                      <v-form v-show="isExpandedSection('case-details')" v-model="mainForm.valid" class="mb-n4">
+                    <v-expand-transition mode="in-out">
+                      <v-form v-show="!isCollapsed('case-details')" v-model="mainForm.valid" class="mb-n4">
                         <div class="mx-4 my-8 d-flex flex-column">
                           <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
                             <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseSeverity}}: </v-col>
@@ -1451,7 +1459,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                                 dense
                                 eager
                                 flat
-                                solo-inverted
+                                solo
                                 hide-details
                                 v-model="mainForm.severity"
                                 :items="severityList"
@@ -1465,12 +1473,12 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                           <v-row no-gutters class="align-start d-inline-flex flex-column" style="width: 100%">
                             <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.casePriority}}: </v-col>
                             <v-col id="case-priority" cols="12" class="ml-2 pr-2">
-                              <div class="d-flex align-start pa-2 mb-4 case-detail-field" v-if="!isEdit('case-priority')" @click="startEdit(mainForm.priority, 'case-priority')">
+                              <div class="d-flex align-start px-3 py-2 mb-4 case detail-field" v-if="!isEdit('case-priority')" @click="startEdit(mainForm.priority, 'case-priority')">
                                 <div class="mr-2">{{ mainForm.priority }}</div>
                               </div>
                               <div class="d-flex flex-column mb-n5" v-if="isEdit('case-priority')">
                                 <div class="mb-2">
-                                  <v-text-field solo-inverted flat hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
+                                  <v-text-field outlined hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
                                 </div>
                                 <div class="d-inline-flex justify-end">
                                   <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
@@ -1490,7 +1498,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                                 dense
                                 eager
                                 flat
-                                solo-inverted
+                                solo
                                 hide-details
                                 v-model="mainForm.tlp"
                                 :items="tlpList"
@@ -1509,7 +1517,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                                 dense
                                 eager
                                 flat
-                                solo-inverted
+                                solo
                                 hide-details
                                 v-model="mainForm.pap"
                                 :items="papList"
@@ -1527,7 +1535,7 @@ <h2 class="rounded">{{ mainForm.title }}</div>
                                 dense
                                 eager
                                 flat
-                                solo-inverted
+                                solo
                                 hide-details
                                 v-model="mainForm.category"
                                 :items="categoryList"
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index fde53409..a39fa145 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -35,7 +35,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     footerProps: { 'items-per-page-options': [10,50,250,1000] },
     count: 500,
     userList: [],
-    collapsedSections: [],
+    collapsed: [
+      'case-details'
+    ],
+    collapsible: [],
     mainForm: {
       valid: false,
       title: null,
@@ -78,6 +81,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     rules: {
       required: value => (value != [] && value != "") || this.$root.i18n.required,
       number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
+      shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
+      longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
     },
   }},
   computed: {
@@ -143,13 +148,15 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           value: value
         }
       })
-    }
+    },
   },
   created() {
   },
   async mounted() {
     await this.loadData();
     this.$root.loadParameters('case', this.initCase);
+    this.updateCollapsible('case-description')
+
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -296,6 +303,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           this.$root.showError(error);
         }
       }
+      // Also update description collapsible bool when the description has been changed
+      if (keyStr === 'description') {
+        this.updateCollapsible('case-description');
+      }
       this.$root.stopLoading();
     },
     async addAssociation(association) {
@@ -397,15 +408,33 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     loadLocalSettings() {
       if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
     },
-    toggleShowSection(item) {
-      if (this.isExpandedSection(item)) {
-        this.collapsedSections.push(item);
+    updateCollapsible(id) {
+      this.$nextTick(() => {
+        let element = document.getElementById(id);
+        let retVal = element.offsetHeight < element.scrollHeight || element.offsetWidth < element.scrollWidth;
+        if (retVal) {
+          if (! this.collapsible.includes(id)) {
+            this.collapsible.push(id);
+          }
+        } else {
+          if (this.collapsible.includes(id)) {
+            this.collapsible.splice(this.collapsible.indexOf(id), 1);
+          }
+        }
+      })
+    },
+    isCollapsible(item) {
+      return (this.collapsible.indexOf(item) !== -1)
+    },
+    toggleCollapse(item) {
+      if (!this.isCollapsed(item)) {
+        this.collapsed.push(item);
       } else {
-        this.collapsedSections.splice(this.collapsedSections.indexOf(item), 1);
+        this.collapsed.splice(this.collapsed.indexOf(item), 1);
       }
     },
-    isExpandedSection(item) {
-      return (this.collapsedSections.indexOf(item) == -1);
+    isCollapsed(item) {
+      return (this.collapsed.indexOf(item) !== -1);
     }
   }
 }});

From b836ef872a3531fcc9c40e2873be222bcb608d98 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 10:42:08 -0500
Subject: [PATCH 24/98] Use presets in status list as well

---
 html/js/routes/case.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index a39fa145..8028be6d 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -137,11 +137,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       })
     },
     statusList() {
-      const statuses = [
-        'new',
-        'in progress',
-        'closed'
-      ]
+      const statuses = this.getPresets('status')
       return statuses.map((value) => {
         return {
           text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),

From c422246e22af2505fa4cfe6af24b7446bb34bfbb Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 11:11:01 -0500
Subject: [PATCH 25/98] Wait for async functions to complete during loading

---
 html/js/routes/case.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 8028be6d..13467fb0 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -244,8 +244,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             id: this.$route.params.id
         }});
         this.userList = await this.$root.getUsers();
-        this.updateCaseDetails(response.data);
-        this.loadAssociations();
+        await this.updateCaseDetails(response.data);
+        await this.loadAssociations();
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);

From bc7dcf55ad935825c3b821df36b0075428a07cae Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 14 Dec 2021 12:00:22 -0500
Subject: [PATCH 26/98] Fix unit tests

---
 html/js/routes/case.js      |  2 +-
 html/js/routes/case.test.js | 46 ++++++++++++++++++-------------------
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 13467fb0..4a764e71 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -290,7 +290,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         const response = await this.$root.papi.put('case/', json);
         if (response.data) {
           this.stopEdit();
-          this.updateCaseDetails(response.data);
+          await this.updateCaseDetails(response.data);
         }
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index dc904aae..4ef6487b 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -158,16 +158,16 @@ test('loadAssociationError', async () => {
 });
 
 expectCaseDetails = () => {
-  expect(comp.form.id).toBe(fakeCase.id);
-  expect(comp.form.title).toBe(fakeCase.title);
-  expect(comp.form.description).toBe(fakeCase.description);
-  expect(comp.form.severity).toBe(fakeCase.severity);
-  expect(comp.form.priority).toBe(fakeCase.priority);
-  expect(comp.form.status).toBe(fakeCase.status);
-  expect(comp.form.tlp).toBe(fakeCase.tlp);
-  expect(comp.form.pap).toBe(fakeCase.pap);
-  expect(comp.form.category).toBe(fakeCase.category);
-  expect(comp.form.tags).toBe(fakeCase.tags.join(", "));
+  expect(comp.mainForm.id).toBe(fakeCase.id);
+  expect(comp.mainForm.title).toBe(fakeCase.title);
+  expect(comp.mainForm.description).toBe(fakeCase.description);
+  expect(comp.mainForm.severity).toBe(fakeCase.severity);
+  expect(comp.mainForm.priority).toBe(fakeCase.priority);
+  expect(comp.mainForm.status).toBe(fakeCase.status);
+  expect(comp.mainForm.tlp).toBe(fakeCase.tlp);
+  expect(comp.mainForm.pap).toBe(fakeCase.pap);
+  expect(comp.mainForm.category).toBe(fakeCase.category);
+  expect(comp.mainForm.tags).toBe(fakeCase.tags);
   expect(comp.caseObj).toBe(fakeCase);
   expect(comp.caseObj.owner).toBe(fakeEmail);
   expect(comp.caseObj.assignee).toBe(fakeAssigneeEmail);
@@ -218,24 +218,24 @@ test('modifyCase', async () => {
   // API call #2 is to get the user list
   const getMock = mockPapi("get", {'data':fakeUsers});
 
-  comp.form.priority = '' + fakePriority;
-  comp.form.severity = '' + fakeSeverity;
-  comp.form.id = 'myCaseId';
-  comp.form.title = 'myTitle';
-  comp.form.description = 'myDescription';
-  comp.form.status = 'open';
-  comp.form.tlp = 'myTlp';
-  comp.form.pap = 'myPap';
-  comp.form.category = 'myCategory';
-  comp.form.tags = 'tag1,tag2';
-  comp.form.assigneeId = 'myAssigneeId';
+  comp.mainForm.priority = '' + fakePriority;
+  comp.mainForm.severity = '' + fakeSeverity;
+  comp.mainForm.id = 'myCaseId';
+  comp.mainForm.title = 'myTitle';
+  comp.mainForm.description = 'myDescription';
+  comp.mainForm.status = 'open';
+  comp.mainForm.tlp = 'myTlp';
+  comp.mainForm.pap = 'myPap';
+  comp.mainForm.category = 'myCategory';
+  comp.mainForm.tags = ['tag1', 'tag2'];
+  comp.mainForm.assigneeId = 'myAssigneeId';
   const showErrorMock = mockShowError(true);
 
   expect(comp.mruCases.length).toBe(0);
 
   await comp.modifyCase();
 
-  const body =  "{\"valid\":false,\"id\":\"myCaseId\",\"title\":\"myTitle\",\"description\":\"myDescription\",\"status\":\"open\",\"severity\":31,\"priority\":33,\"assigneeId\":\"myAssigneeId\",\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}";
+  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":31,\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}"
   expect(putMock).toHaveBeenCalledWith('case/', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expectCaseDetails();
@@ -411,4 +411,4 @@ test('presets', () => {
 
   expect(comp.isPresetCustomEnabled('severity')).toBe(false);
   expect(comp.getPresets('severity').length).toBe(0);   // none defined
-});
\ No newline at end of file
+});

From 008bffd06d0b67a4c0e1648b18363409cc6444ba Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 15 Dec 2021 12:27:33 -0500
Subject: [PATCH 27/98] Added new translations for the new Receiver node type

---
 html/js/i18n.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index bc6d4cde..6d54cc6b 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -326,6 +326,8 @@ const i18n = {
       'so-manager-keywords': 'Manager, Master, Soc',
       'so-node': 'Search',
       'so-node-keywords': 'Elastic, Elasticsearch, Ingest, Search',
+      'so-receiver': 'Receiver',
+      'so-receiver-keywords': 'Receiver',
       'so-search': 'Search',
       'so-search-keywords': 'Elastic, Elasticsearch, Ingest, Search',
       'so-sensor': 'Forward',

From 570b0e4deb8c8106acb9c151f63fa3617177ea3a Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 15 Dec 2021 20:15:36 -0500
Subject: [PATCH 28/98] Correct modifyCase test to reflect new data type + make
 test names more clear

---
 html/js/routes/case.test.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 4ef6487b..2b8ccb00 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -11,7 +11,7 @@ require('../test_common.js');
 require('./case.js');
 
 const fakePriority = 33;
-const fakeSeverity = 31;
+const fakeSeverity = 'High';
 const fakeEmail = 'my@email.invalid';
 const fakeAssigneeEmail = 'assignee@email.invalid';
 const fakeCase = {
@@ -38,7 +38,7 @@ const fakeComment = {
   description: 'myDescription',
 };
 
-var comp;
+let comp;
 
 beforeEach(() => {
   comp = getComponent("case");
@@ -125,7 +125,7 @@ test('loadAssociations', () => {
   expect(comp.associationsLoading).toBe(false);
 });
 
-test('loadAssociation', async () => {
+test('loadSingleAssociation', async () => {
   const params = { params: {
           id: 'myUserId',
           offset: 0,
@@ -150,7 +150,7 @@ test('loadAssociation', async () => {
   expect(comp.$root.loading).toBe(false);
 });
 
-test('loadAssociationError', async () => {
+test('loadSignleAssociationError', async () => {
   const showErrorMock = mockShowError();
   resetPapi().mockPapi("get", null, new Error("something bad"));
   await comp.loadAssociation('comments');
@@ -235,7 +235,7 @@ test('modifyCase', async () => {
 
   await comp.modifyCase();
 
-  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":31,\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}"
+  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":\"High\",\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}";
   expect(putMock).toHaveBeenCalledWith('case/', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expectCaseDetails();
@@ -299,7 +299,7 @@ test('modifyAssociation', async () => {
   comp.associations['comments'] = [fakeComment];
   await comp.modifyAssociation('comments');
 
-  const body =  "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription2\",\"valid\":false}";
+  const body = "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription2\",\"valid\":false}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);

From b7c4d8da0cc24d6d2920aa26c772801d54d4fe6c Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 15 Dec 2021 20:16:46 -0500
Subject: [PATCH 29/98] Add unit tests for new case.js functions & rework
 computed values into single function

---
 html/index.html             |  20 +---
 html/js/routes/case.js      |  79 ++-----------
 html/js/routes/case.test.js | 220 ++++++++++++++++++++++++++++++++++++
 html/js/test_common.js      |   5 +-
 4 files changed, 242 insertions(+), 82 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4b9c6369..1f617eb3 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1432,9 +1432,7 @@ <h2>Description</h2>
                             solo
                             hide-details
                             v-model="mainForm.status"
-                            :items="statusList"
-                            item-text="text"
-                            item-value="value"
+                            :items="selectList('status')"
                             v-on:change="modifyCase()"
                             class="case-select"
                           />
@@ -1462,9 +1460,7 @@ <h2>Description</h2>
                                 solo
                                 hide-details
                                 v-model="mainForm.severity"
-                                :items="severityList"
-                                item-text="text"
-                                item-value="value"
+                                :items="selectList('severity')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                               />
@@ -1501,9 +1497,7 @@ <h2>Description</h2>
                                 solo
                                 hide-details
                                 v-model="mainForm.tlp"
-                                :items="tlpList"
-                                item-text="text"
-                                item-value="value"
+                                :items="selectList('tlp')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                                 />
@@ -1520,9 +1514,7 @@ <h2>Description</h2>
                                 solo
                                 hide-details
                                 v-model="mainForm.pap"
-                                :items="papList"
-                                item-text="text"
-                                item-value="value"
+                                :items="selectList('pap')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                               />
@@ -1538,7 +1530,7 @@ <h2>Description</h2>
                                 solo
                                 hide-details
                                 v-model="mainForm.category"
-                                :items="categoryList"
+                                :items="selectList('category')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                               />
@@ -1555,7 +1547,7 @@ <h2>Description</h2>
                                 solo
                                 hide-details
                                 v-model="mainForm.tags"
-                                :items="tagList"
+                                :items="selectList('tags')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                               >
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 4a764e71..14a0e2ff 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -48,7 +48,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       description: null,
       severity: null,
       priority: null,
-      tags: [],
+      tags: null,
       tlp: null,
       pap: null,
       category: null
@@ -74,7 +74,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         valid: false
       }
     },
-    editField: "",
+    editField: {},
     mruCaseLimit: 5,
     mruCases: [],
     presets: {},
@@ -86,73 +86,13 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
   }},
   computed: {
-    severityList() {
-      const sevPresets = this.getPresets('severity');
-      if (sevPresets != []) {
-        let formattedSevList = [];
-        for (let index = 0; index < sevPresets.length; index++) {
-          formattedSevList.push({
-            text: sevPresets[index],
-            value: index+1
-          });
-        }
-        return formattedSevList;
-      } else {
-        return [
-          { text: 'Critical', value: 1 },
-          { text: 'High', value: 2 },
-          { text: 'Medium', value: 3 },
-          { text: 'Low', value: 4}
-        ];
-      }
-    },
-    tagList() {
-      const tagPresets = this.getPresets('tags');
-      return tagPresets.concat(this.mainForm.tags);
-    },
-    categoryList() {
-      const catPresets = this.getPresets('category')
-      if (this.mainForm.category !== null) {
-        return catPresets.concat(this.mainForm.category)
-      } else {
-        return catPresets
-      }
-    },
-    tlpList() {
-      const tlpPresets = this.getPresets('tlp')
-      return tlpPresets.map((value) => {
-        return {
-          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
-          value: value
-        }
-      })
-    },
-    papList() {
-      const papPresets = this.getPresets('pap')
-      return papPresets.map((value) => {
-        return {
-          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
-          value: value
-        }
-      })
-    },
-    statusList() {
-      const statuses = this.getPresets('status')
-      return statuses.map((value) => {
-        return {
-          text: value.split(' ').map(word => word.charAt(0).toLocaleUpperCase() + word.substring(1)).join(' '),
-          value: value
-        }
-      })
-    },
   },
   created() {
   },
   async mounted() {
     await this.loadData();
     this.$root.loadParameters('case', this.initCase);
-    this.updateCollapsible('case-description')
-
+    this.updateCollapsible('case-description');
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -161,6 +101,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     '$route': 'loadData',
   },
   methods: {
+    selectList(field) {
+      const presets = this.getPresets(field)
+      return this.isPresetCustomEnabled(field) && this.mainForm[field] !== null 
+        ? presets.concat(this.mainForm[field]) 
+        : presets
+    },
     initCase(params) {
       this.params = params;
       this.mruCaseLimit = params["mostRecentlyUsedLimit"];
@@ -280,8 +226,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         if (keyStr !== null) {
           jsonObj[keyStr] = this.editField.val;
         }
-        // Convert priority and severity to ints
-        jsonObj.severity = parseInt(jsonObj.severity, 10);
+        // Convert priority to int
         jsonObj.priority = parseInt(jsonObj.priority, 10);
         // if (jsonObj.tags) {
         //   jsonObj.tags = jsonObj.tags.split(",").map(tag => tag.trim());
@@ -349,7 +294,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       if (idx > -1) {
         this.$root.startLoading();
         try {
-          const response = await this.$root.papi.delete('case/' + association, { params: {
+          await this.$root.papi.delete('case/' + association, { params: {
             id: obj.id
           }});
           this.associations[association].splice(idx, 1);
@@ -380,7 +325,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.loadAssociations();
     },
     isEdit(id) {
-      return this.editField !== {} && this.editField.id === id;
+      return this.editField.id === id;
     },
     startEdit(val, id) {
       this.editField = {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 2b8ccb00..c1007fbe 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -37,6 +37,13 @@ const fakeComment = {
   id: 'myCommentId',
   description: 'myDescription',
 };
+const fakeFormKeyStr = 'description';
+const fakeEditVal = 'fakeVal';
+const fakeId = 'fakeId';
+const fakeEditFieldObj = {
+  val: fakeEditVal,
+  id: fakeId
+};
 
 let comp;
 
@@ -412,3 +419,216 @@ test('presets', () => {
   expect(comp.isPresetCustomEnabled('severity')).toBe(false);
   expect(comp.getPresets('severity').length).toBe(0);   // none defined
 });
+
+test('isEdit', () => {
+  comp.editField = fakeEditFieldObj;
+  expect(comp.isEdit('fakeId')).toBe(true);
+})
+
+test('isEdit_False', () => {
+  comp.editField = fakeEditFieldObj;
+
+  expect(comp.isEdit('otherFakeId')).toBe(false);
+})
+
+test('startEdit', () => {
+
+  comp.startEdit(fakeEditVal, fakeId);
+
+  const expectedObj = { val: 'fakeVal', id: 'fakeId' };
+  expect(comp.editField).toStrictEqual(expectedObj);
+})
+
+test('stopEdit', () => {
+  comp.editField = fakeEditFieldObj;
+
+  comp.stopEdit();
+
+  expect(comp.editField).toStrictEqual({})
+})
+
+test('saveEdit', async () => {
+  comp.mainForm[fakeFormKeyStr] = 'fakeValOld';
+  comp.editField.val = fakeEditVal;
+
+  comp.stopEdit = jest.fn();
+  comp.modifyCase = jest.fn();
+
+  await comp.saveEdit('description')
+
+  expect(comp.stopEdit).toHaveBeenCalledTimes(0);
+  expect(comp.modifyCase).toHaveBeenCalledTimes(1);
+  expect(comp.modifyCase).toHaveBeenCalledWith('description');
+})
+
+test('saveEdit_NoChanges', async () => {
+  comp.mainForm[fakeFormKeyStr] = fakeEditVal;
+  comp.editField.val = fakeEditVal;
+  comp.stopEdit = jest.fn();
+  comp.modifyCase = jest.fn();
+
+  await comp.saveEdit('description');
+
+  expect(comp.stopEdit).toHaveBeenCalledTimes(1);
+  expect(comp.modifyCase).toHaveBeenCalledTimes(0);
+})
+
+test('updateCollapsible_HeightOverflow', () => {
+  const fakeElement = {
+    offsetHeight: 10,
+    scrollHeight: 11
+  };
+  document.getElementById = jest.fn(_ => fakeElement);
+  comp.updateCollapsible(fakeId);
+
+  expect(comp.collapsible).toStrictEqual(['fakeId']);
+})
+
+test('updateCollapsible_WidthOverflow', () => {
+  const fakeElement = {
+    offsetWidth: 10,
+    scrollWidth: 11
+  };
+  document.getElementById = jest.fn(_ => fakeElement);
+  comp.updateCollapsible(fakeId);
+
+  expect(comp.collapsible).toStrictEqual(['fakeId']);
+})
+
+test('updateCollapsible_NoOverflow', () => {
+  const fakeElement = {
+    offsetHeight: 10,
+    scrollHeight: 10
+  };
+  document.getElementById = jest.fn(_ => fakeElement);
+  comp.updateCollapsible(fakeId);
+
+  expect(comp.collapsible).toStrictEqual([]);
+})
+
+test('updateCollapsible_RemoveId', () => {
+  const fakeElement = {
+    offsetHeight: 10,
+    scrollHeight: 10
+  };
+  comp.collapsible = [fakeId]
+
+  document.getElementById = jest.fn(_ => fakeElement);
+  comp.updateCollapsible(fakeId);
+
+  expect(comp.collapsible).toStrictEqual([]);
+})
+
+test('updateCollapsible_StillCollapsible', () => {
+  const fakeElement = {
+    offsetHeight: 10,
+    scrollHeight: 11
+  };
+  comp.collapsible = [fakeId]
+
+  document.getElementById = jest.fn(_ => fakeElement);
+  comp.updateCollapsible(fakeId);
+
+  expect(comp.collapsible).toStrictEqual(['fakeId']);
+})
+
+test('isCollapsible', () => {
+  comp.collapsible = [ fakeId ];
+
+  expect(comp.isCollapsible('fakeId')).toBe(true);
+})
+
+test('isCollapsible_False', () => {
+  comp.collapsible =  [];
+
+  expect(comp.isCollapsible('fakeId')).toBe(false);
+})
+
+test('isCollapsed', () => {
+  comp.collapsed = [ fakeId ];
+
+  expect(comp.isCollapsed('fakeId')).toBe(true);
+})
+
+test('isCollapsed_False', () => {
+  comp.collapsed =  [];
+
+  expect(comp.isCollapsed('fakeId')).toBe(false);
+})
+
+
+test('toggleCollapse_Add', () => {
+  comp.collapsed = [];
+  
+  comp.toggleCollapse(fakeId);
+
+  expect(comp.collapsed).toStrictEqual(['fakeId']);
+})
+
+test('toggleCollapse_Remove', () => {
+  comp.collapsed = [fakeId];
+  
+  comp.toggleCollapse('fakeId');
+
+  expect(comp.collapsed).toStrictEqual([]);
+})
+
+test('selectList', () => {
+  comp.presets = {
+    'severity': {
+      'labels': [
+        'presetSeverity1',
+        'presetSeverity2'
+      ],
+      'customEnabled': false
+    },
+  }
+  
+  const expectedList = [
+    'presetSeverity1',
+    'presetSeverity2'
+  ]
+
+  expect(comp.selectList('severity')).toStrictEqual(expectedList)
+})
+
+test('selectList_CustomEnabledNoCustomVal', () => {
+  comp.presets = {
+    'severity': {
+      'labels': [
+        'presetSeverity1',
+        'presetSeverity2'
+      ],
+      'customEnabled': true
+    },
+  }
+  
+  const expectedList = [
+    'presetSeverity1',
+    'presetSeverity2',
+  ]
+
+  expect(comp.selectList('severity')).toStrictEqual(expectedList)
+})
+
+test('selectList_CustomEnabledAndCustomVal', () => {
+  comp.presets = {
+    'severity': {
+      'labels': [
+        'presetSeverity1',
+        'presetSeverity2'
+      ],
+      'customEnabled': true
+    },
+  }
+
+  comp.mainForm['severity'] = 'customSeverity1'
+  
+  const expectedList = [
+    'presetSeverity1',
+    'presetSeverity2',
+    'customSeverity1'
+  ]
+
+  expect(comp.selectList('severity')).toStrictEqual(expectedList)
+})
diff --git a/html/js/test_common.js b/html/js/test_common.js
index 2f5abaed..890a2bb9 100644
--- a/html/js/test_common.js
+++ b/html/js/test_common.js
@@ -58,12 +58,15 @@ global.getComponent = function(name) {
 
 	comp.$root = app;
 
+	// Run callback function passed to nextTick
+	comp.$nextTick = (fun) => { fun(); }
+
 	// Setup route mock data
 	comp.$route = { params: {}};
 	comp.$router = [];
 
 	const data = global.initComponentData(comp);
-	Object.assign(comp, data, comp.methods);
+	Object.assign(comp, data, comp.methods, comp.computed);
 
 	return comp;
 }

From 56daf3fe9000d85f27f22075db5046033f3f5fd2 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 15 Dec 2021 20:45:58 -0500
Subject: [PATCH 30/98] Initial artifact API support; convert severity from int
 to string

---
 html/js/routes/case.js                        |   9 +-
 html/js/routes/case.test.js                   |   8 +-
 html/js/routes/hunt.js                        |  10 -
 model/case.go                                 |  24 ++-
 model/case_test.go                            |   5 +
 server/casehandler.go                         |  44 +++-
 server/casestore.go                           |   7 +
 server/modules/elastic/converter.go           |  55 ++++-
 server/modules/elastic/converter_test.go      |  66 +++++-
 server/modules/elastic/elasticcasestore.go    | 151 ++++++++++++-
 .../modules/elastic/elasticcasestore_test.go  | 204 +++++++++++++++++-
 .../modules/elasticcases/elasticcasestore.go  |  21 ++
 .../generichttp/generichttpreader_test.go     |   4 +-
 server/modules/generichttp/httpcasestore.go   |  21 ++
 server/modules/thehive/thehivecasestore.go    |  21 ++
 server/modules/thehive/thehiveconverter.go    |  30 ++-
 .../modules/thehive/thehiveconverter_test.go  |  19 +-
 17 files changed, 654 insertions(+), 45 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 4a764e71..9e50130e 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -180,7 +180,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
 
       this.associations["artifacts"] = [];
       this.associatedForms["artifacts"].caseId = this.caseObj.id;
-      this.loadAssociation('artifacts');
+      this.loadAssociation('artifacts', "/evidence");
 
       this.associations["events"] = [];
       this.loadAssociation('events');
@@ -190,9 +190,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
 
       this.associationsLoading = false;
     },
-    async loadAssociation(dataType) {
+    async loadAssociation(dataType, extraPath = "") {
       try {
-        const response = await this.$root.papi.get('case/' + dataType, { params: {
+        const response = await this.$root.papi.get('case/' + dataType + extraPath, { params: {
           id: this.$route.params.id,
           offset: this.associations[dataType].length,
           count: this.count,
@@ -280,8 +280,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         if (keyStr !== null) {
           jsonObj[keyStr] = this.editField.val;
         }
-        // Convert priority and severity to ints
-        jsonObj.severity = parseInt(jsonObj.severity, 10);
+        // Convert priority to int
         jsonObj.priority = parseInt(jsonObj.priority, 10);
         // if (jsonObj.tags) {
         //   jsonObj.tags = jsonObj.tags.split(",").map(tag => tag.trim());
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 4ef6487b..002ce1be 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -11,7 +11,7 @@ require('../test_common.js');
 require('./case.js');
 
 const fakePriority = 33;
-const fakeSeverity = 31;
+const fakeSeverity = 'medium';
 const fakeEmail = 'my@email.invalid';
 const fakeAssigneeEmail = 'assignee@email.invalid';
 const fakeCase = {
@@ -118,7 +118,7 @@ test('loadAssociations', () => {
   expect(comp.associatedForms["comments"].caseId).toBe('myCaseId')
   expect(comp.loadAssociation).toHaveBeenCalledWith('tasks');
   expect(comp.associatedForms["tasks"].caseId).toBe('myCaseId')
-  expect(comp.loadAssociation).toHaveBeenCalledWith('artifacts');
+  expect(comp.loadAssociation).toHaveBeenCalledWith('artifacts', '/evidence');
   expect(comp.associatedForms["artifacts"].caseId).toBe('myCaseId')
   expect(comp.loadAssociation).toHaveBeenCalledWith('events');
   expect(comp.loadAssociation).toHaveBeenCalledWith('history');
@@ -219,7 +219,7 @@ test('modifyCase', async () => {
   const getMock = mockPapi("get", {'data':fakeUsers});
 
   comp.mainForm.priority = '' + fakePriority;
-  comp.mainForm.severity = '' + fakeSeverity;
+  comp.mainForm.severity = fakeSeverity;
   comp.mainForm.id = 'myCaseId';
   comp.mainForm.title = 'myTitle';
   comp.mainForm.description = 'myDescription';
@@ -235,7 +235,7 @@ test('modifyCase', async () => {
 
   await comp.modifyCase();
 
-  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":31,\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}"
+  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":\"medium\",\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}"
   expect(putMock).toHaveBeenCalledWith('case/', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expectCaseDetails();
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 723b7062..3180be5d 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -447,16 +447,6 @@ const huntComponent = {
             if (!description) description = JSON.stringify(item);
 
             var severity = item['event.severity'];
-            if (!severity || isNaN(severity)) {
-              switch (item['event.severity_label']) {
-              case 'low': severity = 1; break;
-              case 'medium': severity = 2; break;
-              case 'high': severity = 3; break;
-              case 'critical': severity = 4; break;
-              default: severity = 3;
-              }
-            }
-
             var template = 'rule.case_template' in item ? item['rule.case_template'] : '';
 
             const response = await this.$root.papi.post('case/', {
diff --git a/model/case.go b/model/case.go
index f3d07f2a..8599ab81 100644
--- a/model/case.go
+++ b/model/case.go
@@ -31,7 +31,7 @@ type Case struct {
   Title        string     `json:"title"`
   Description  string     `json:"description"`
   Priority     int        `json:"priority"`
-  Severity     int        `json:"severity"`
+  Severity     string     `json:"severity"`
   Status       string     `json:"status"`
   Template     string     `json:"template"`
   Tlp          string     `json:"tlp"`
@@ -70,3 +70,25 @@ func NewRelatedEvent() *RelatedEvent {
   newRelatedEvent.Fields = make(map[string]interface{})
   return newRelatedEvent
 }
+
+type Artifact struct {
+  Auditable
+  CaseId       string   `json:"caseId"`
+  GroupType    string   `json:"groupType"`
+  GroupId      string   `json:"groupId"`
+  ArtifactType string   `json:"artifactType"`
+  Value        string   `json:"value"`
+  MimeType     string   `json:"mimeType"`
+  StreamLen    int      `json:"streamLength"`
+  Tlp          string   `json:"tlp"`
+  Tags         []string `json:"tags"`
+  Description  string   `json:"description"`
+  Ioc          bool     `json:"ioc"`
+}
+
+func NewArtifact() *Artifact {
+  newArtifact := &Artifact{}
+  now := time.Now()
+  newArtifact.CreateTime = &now
+  return newArtifact
+}
diff --git a/model/case_test.go b/model/case_test.go
index 4bcff27f..db66c447 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -20,3 +20,8 @@ func TestNewRelatedEvent(tester *testing.T) {
 	event := NewRelatedEvent()
 	assert.NotZero(tester, event.CreateTime)
 }
+
+func TestNewArtifact(tester *testing.T) {
+	event := NewArtifact()
+	assert.NotZero(tester, event.CreateTime)
+}
diff --git a/server/casehandler.go b/server/casehandler.go
index e998334e..a1dfbbf1 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -13,9 +13,12 @@ import (
   "context"
   "encoding/json"
   "errors"
+  "github.com/apex/log"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "io"
   "net/http"
+  "strconv"
 )
 
 type CaseHandler struct {
@@ -71,6 +74,11 @@ func (caseHandler *CaseHandler) create(ctx context.Context, writer http.Response
     }
   case "tasks":
   case "artifacts":
+    inputArtifact := model.NewArtifact()
+    err = json.NewDecoder(request.Body).Decode(&inputArtifact)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.CreateArtifact(ctx, inputArtifact)
+    }
   default:
     inputCase := model.NewCase()
     err = json.NewDecoder(request.Body).Decode(&inputCase)
@@ -153,16 +161,50 @@ func (caseHandler *CaseHandler) get(ctx context.Context, writer http.ResponseWri
   case "comments":
     obj, err = caseHandler.server.Casestore.GetComments(ctx, id)
   case "tasks":
+  case "artifactstream":
+    err = caseHandler.copyArtifactStream(ctx, writer, id)
   case "artifacts":
+    groupType := caseHandler.GetPathParameter(request.URL.Path, 3)
+    groupId := caseHandler.GetPathParameter(request.URL.Path, 4)
+    obj, err = caseHandler.server.Casestore.GetArtifacts(ctx, id, groupType, groupId)
   case "history":
     obj, err = caseHandler.server.Casestore.GetCaseHistory(ctx, id)
   default:
     obj, err = caseHandler.server.Casestore.GetCase(ctx, id)
   }
-  if obj != nil {
+  if err == nil {
     statusCode = http.StatusOK
   } else {
     statusCode = http.StatusNotFound
   }
   return statusCode, obj, err
 }
+
+func (caseHandler *CaseHandler) copyArtifactStream(ctx context.Context, writer http.ResponseWriter, artifactId string) error {
+  artifact, err := caseHandler.server.Casestore.GetArtifact(ctx, artifactId)
+  if err == nil {
+    var reader io.ReadCloser
+    reader, err = caseHandler.server.Casestore.GetArtifactStream(ctx, artifactId)
+    if err == nil {
+      defer reader.Close()
+      writer.Header().Set("Content-Type", artifact.MimeType)
+      writer.Header().Set("Content-Length", strconv.FormatInt(int64(artifact.StreamLen), 10))
+      writer.Header().Set("Content-Disposition", "inline; filename=\""+artifact.Value+"\"")
+      writer.Header().Set("Content-Transfer-Encoding", "binary")
+      written, err := io.Copy(writer, reader)
+      if err != nil {
+        log.WithError(err).WithFields(log.Fields{
+          "name":       artifact.Value,
+          "artifactId": artifactId,
+        }).Error("Failed to copy artifact stream")
+      } else {
+        log.WithFields(log.Fields{
+          "name":       artifact.Value,
+          "size":       written,
+          "artifactId": artifactId,
+        }).Info("Copied artifact stream to response")
+      }
+    }
+  }
+  return err
+}
diff --git a/server/casestore.go b/server/casestore.go
index f1a06217..84ce168a 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -12,6 +12,7 @@ package server
 import (
 	"context"
 	"github.com/security-onion-solutions/securityonion-soc/model"
+	"io"
 )
 
 type Casestore interface {
@@ -30,4 +31,10 @@ type Casestore interface {
 	GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error)
 	GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error)
 	DeleteRelatedEvent(ctx context.Context, id string) error
+
+	CreateArtifact(ctx context.Context, attachment *model.Artifact) (*model.Artifact, error)
+	GetArtifact(ctx context.Context, id string) (*model.Artifact, error)
+	GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error)
+	GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error)
+	DeleteArtifact(ctx context.Context, id string) error
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 172a79fc..e81118ba 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -389,7 +389,7 @@ func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
 				obj.Priority = int(value.(float64))
 			}
 			if value, ok := event.Payload["case.severity"]; ok {
-				obj.Severity = int(value.(float64))
+				obj.Severity = value.(string)
 			}
 			if value, ok := event.Payload["case.status"]; ok {
 				obj.Status = value.(string)
@@ -483,6 +483,57 @@ func convertElasticEventToRelatedEvent(event *model.EventRecord) (*model.Related
 	return obj, err
 }
 
+func convertElasticEventToArtifact(event *model.EventRecord) (*model.Artifact, error) {
+	var err error
+	var obj *model.Artifact
+
+	if event != nil {
+		obj = model.NewArtifact()
+		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		if err == nil {
+			if value, ok := event.Payload["artifact.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload["artifact.caseId"]; ok {
+				obj.CaseId = value.(string)
+			}
+			if value, ok := event.Payload["artifact.groupType"]; ok {
+				obj.GroupType = value.(string)
+			}
+			if value, ok := event.Payload["artifact.groupId"]; ok {
+				obj.GroupId = value.(string)
+			}
+			if value, ok := event.Payload["artifact.description"]; ok {
+				obj.Description = value.(string)
+			}
+			if value, ok := event.Payload["artifact.artifactType"]; ok {
+				obj.ArtifactType = value.(string)
+			}
+			if value, ok := event.Payload["artifact.streamLength"]; ok {
+				obj.StreamLen = int(value.(float64))
+			}
+			if value, ok := event.Payload["artifact.mimeType"]; ok {
+				obj.MimeType = value.(string)
+			}
+			if value, ok := event.Payload["artifact.value"]; ok {
+				obj.Value = value.(string)
+			}
+			if value, ok := event.Payload["artifact.tlp"]; ok {
+				obj.Tlp = value.(string)
+			}
+			if value, ok := event.Payload["artifact.tags"]; ok && value != nil {
+				obj.Tags = convertToStringArray(value.([]interface{}))
+			}
+			if value, ok := event.Payload["artifact.ioc"]; ok {
+				obj.Ioc = value.(bool)
+			}
+			obj.CreateTime = parseTime(event.Payload, "artifact.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToObject(event *model.EventRecord) (interface{}, error) {
 	var obj interface{}
 	var err error
@@ -495,6 +546,8 @@ func convertElasticEventToObject(event *model.EventRecord) (interface{}, error)
 			obj, err = convertElasticEventToComment(event)
 		case "related":
 			obj, err = convertElasticEventToRelatedEvent(event)
+		case "artifact":
+			obj, err = convertElasticEventToArtifact(event)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 150e6b16..2d07f233 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -308,7 +308,7 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	event.Payload["case.title"] = "myTitle"
 	event.Payload["case.description"] = "myDesc"
 	event.Payload["case.priority"] = float64(123)
-	event.Payload["case.severity"] = float64(456)
+	event.Payload["case.severity"] = "medium"
 	event.Payload["case.status"] = "myStatus"
 	event.Payload["case.template"] = "myTemplate"
 	event.Payload["case.userId"] = "myUserId"
@@ -332,7 +332,7 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	assert.Equal(tester, "myTitle", caseObj.Title)
 	assert.Equal(tester, "myDesc", caseObj.Description)
 	assert.Equal(tester, 123, caseObj.Priority)
-	assert.Equal(tester, 456, caseObj.Severity)
+	assert.Equal(tester, "medium", caseObj.Severity)
 	assert.Equal(tester, "myStatus", caseObj.Status)
 	assert.Equal(tester, "myTemplate", caseObj.Template)
 	assert.Equal(tester, "myUserId", caseObj.UserId)
@@ -348,6 +348,68 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 	assert.Equal(tester, &myStartTime, caseObj.StartTime)
 }
 
+func TestConvertElasticEventToArtifactNil(tester *testing.T) {
+	artifactObj, err := convertElasticEventToArtifact(nil)
+	assert.NoError(tester, err)
+	assert.Nil(tester, artifactObj)
+}
+
+func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "artifact"
+	event.Payload["operation"] = "create"
+	event.Payload["case.tags"] = nil
+
+	_, err := convertElasticEventToCase(event)
+	assert.NoError(tester, err)
+}
+
+func TestConvertElasticEventToArtifact(tester *testing.T) {
+	myTime := time.Now()
+	myCreateTime := myTime.Add(time.Hour * -1)
+
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "artifact"
+	event.Payload["operation"] = "update"
+	event.Payload["artifact.value"] = "myValue"
+	event.Payload["artifact.description"] = "myDesc"
+	event.Payload["artifact.streamLength"] = float64(123)
+	event.Payload["artifact.groupType"] = "myGroupType"
+	event.Payload["artifact.groupId"] = "myGroupId"
+	event.Payload["artifact.userId"] = "myUserId"
+	event.Payload["artifact.artifactType"] = "myArtifactType"
+	event.Payload["artifact.tlp"] = "myTlp"
+	event.Payload["artifact.mimeType"] = "myMimeType"
+	event.Payload["artifact.ioc"] = true
+	tags := make([]interface{}, 2, 2)
+	tags[0] = "tag1"
+	tags[1] = "tag2"
+	event.Payload["artifact.tags"] = tags
+	event.Time = myTime
+	event.Payload["artifact.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event)
+	assert.NoError(tester, err)
+	artifactObj := interf.(*model.Artifact)
+	assert.Equal(tester, "artifact", artifactObj.Kind)
+	assert.Equal(tester, "update", artifactObj.Operation)
+	assert.Equal(tester, "myValue", artifactObj.Value)
+	assert.Equal(tester, "myDesc", artifactObj.Description)
+	assert.Equal(tester, 123, artifactObj.StreamLen)
+	assert.Equal(tester, "myGroupType", artifactObj.GroupType)
+	assert.Equal(tester, "myGroupId", artifactObj.GroupId)
+	assert.Equal(tester, "myUserId", artifactObj.UserId)
+	assert.Equal(tester, "myArtifactType", artifactObj.ArtifactType)
+	assert.Equal(tester, "myTlp", artifactObj.Tlp)
+	assert.Equal(tester, "myMimeType", artifactObj.MimeType)
+	assert.Equal(tester, true, artifactObj.Ioc)
+	assert.Equal(tester, tags[0], "tag1")
+	assert.Equal(tester, tags[1], "tag2")
+	assert.Equal(tester, &myTime, artifactObj.UpdateTime)
+	assert.Equal(tester, &myCreateTime, artifactObj.CreateTime)
+}
+
 func TestParseTime(tester *testing.T) {
 	m := make(map[string]interface{})
 
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 070c4e92..4c950a43 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -17,6 +17,7 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "io"
   "regexp"
   "strconv"
   "time"
@@ -97,8 +98,8 @@ func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
   if err == nil && socCase.Priority < 0 {
     err = errors.New("Invalid priority")
   }
-  if err == nil && socCase.Severity < 0 {
-    err = errors.New("Invalid severity")
+  if err == nil {
+    err = store.validateString(socCase.Severity, SHORT_STRING_MAX, "severity")
   }
   if err == nil && len(socCase.Kind) > 0 {
     err = errors.New("Field 'Kind' must not be specified")
@@ -181,6 +182,54 @@ func (store *ElasticCasestore) validateComment(comment *model.Comment) error {
   return err
 }
 
+func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error {
+  var err error
+
+  if err == nil && artifact.Id != "" {
+    err = store.validateId(artifact.Id, "artifactId")
+  }
+  if err == nil && artifact.UserId != "" {
+    err = store.validateId(artifact.UserId, "userId")
+  }
+  if err == nil && artifact.CaseId != "" {
+    err = store.validateId(artifact.CaseId, "caseId")
+  }
+  if err == nil && artifact.StreamLen != 0 {
+    err = errors.New("Invalid streamLength")
+  }
+  if err == nil && len(artifact.Kind) > 0 {
+    err = errors.New("Field 'Kind' must not be specified")
+  }
+  if err == nil && len(artifact.Operation) > 0 {
+    err = errors.New("Field 'Operation' must not be specified")
+  }
+  if err == nil {
+    err = store.validateString(artifact.Value, LONG_STRING_MAX, "value")
+  }
+  if err == nil {
+    err = store.validateId(artifact.GroupType, "groupType")
+  }
+  if err == nil && len(artifact.GroupId) > 0 {
+    err = store.validateId(artifact.GroupId, "groupId")
+  }
+  if err == nil {
+    err = store.validateString(artifact.ArtifactType, SHORT_STRING_MAX, "artifactType")
+  }
+  if err == nil {
+    err = store.validateString(artifact.Tlp, SHORT_STRING_MAX, "tlp")
+  }
+  if err == nil {
+    err = store.validateString(artifact.MimeType, SHORT_STRING_MAX, "mimeType")
+  }
+  if err == nil {
+    err = store.validateString(artifact.Description, LONG_STRING_MAX, "description")
+  }
+  if err == nil {
+    err = store.validateStringArray(artifact.Tags, SHORT_STRING_MAX, MAX_ARRAY_ELEMENTS, "tags")
+  }
+  return err
+}
+
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
   obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -551,13 +600,105 @@ func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) err
   var err error
 
   var comment *model.Comment
-  err = store.validateId(id, "commentId")
+  comment, err = store.GetComment(ctx, id)
+  if err == nil {
+    err = store.delete(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+  }
+
+  return err
+}
+
+func (store *ElasticCasestore) CreateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error) {
+  var err error
+
+  err = store.validateArtifact(artifact)
+  if err == nil {
+    if artifact.Id != "" {
+      return nil, errors.New("Unexpected ID found in new artifact")
+    } else if artifact.CaseId == "" {
+      return nil, errors.New("Missing Case ID in new artifact")
+    } else if artifact.GroupType == "" {
+      return nil, errors.New("Missing GroupType in new artifact")
+    } else if artifact.ArtifactType == "" {
+      return nil, errors.New("Missing ArtifactType in new artifact")
+    } else if artifact.Value == "" {
+      return nil, errors.New("Missing Value in new artifact")
+    } else {
+      _, err = store.GetCase(ctx, artifact.CaseId)
+      if err == nil {
+        now := time.Now()
+        artifact.CreateTime = &now
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, artifact, "artifact", store.prepareForSave(ctx, &artifact.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          artifact, err = store.GetArtifact(ctx, results.DocumentId)
+        }
+      }
+    }
+  }
+  return artifact, err
+}
+
+func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error) {
+  var err error
+  var artifact *model.Artifact
+
+  err = store.validateId(id, "artifactId")
   if err == nil {
-    comment, err = store.GetComment(ctx, id)
+    var obj interface{}
+    obj, err = store.get(ctx, id, "artifact")
     if err == nil {
-      err = store.delete(ctx, comment, "comment", store.prepareForSave(ctx, &comment.Auditable))
+      artifact = obj.(*model.Artifact)
     }
   }
+  return artifact, err
+}
+
+func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+  var err error
+  var artifacts []*model.Artifact
+
+  err = store.validateId(caseId, "caseId")
+  if err == nil {
+    err = store.validateId(groupType, "groupType") // It's not technically an ID but the possible values confirm to an ID, so let's validate it as an ID.
+    if err == nil {
+      if len(groupId) > 0 {
+        // groupId is optional, since some group won't have multiple groups per case.
+        err = store.validateId(groupId, "groupId")
+      }
+      if err == nil {
+        artifacts = make([]*model.Artifact, 0)
+        var groupIdTerm string
+        if len(groupId) > 0 {
+          groupIdTerm = fmt.Sprintf(`AND artifact.groupId:"%s" `, groupId)
+        }
+        query := fmt.Sprintf(`_index:"%s" AND kind:"artifact" AND artifact.caseId:"%s" AND artifact.groupType:"%s" %s| sortby @timestamp^`, store.index, caseId, groupType, groupIdTerm)
+        var objects []interface{}
+        objects, err = store.getAll(ctx, query, store.maxAssociations)
+        if err == nil {
+          for _, obj := range objects {
+            artifacts = append(artifacts, obj.(*model.Artifact))
+          }
+        }
+      }
+    }
+  }
+  return artifacts, err
+}
+
+func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  var err error
+
+  var artifact *model.Artifact
+  artifact, err = store.GetArtifact(ctx, id)
+  if err == nil {
+    err = store.delete(ctx, artifact, "artifact", store.prepareForSave(ctx, &artifact.Auditable))
+  }
 
   return err
 }
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 8a9ebb4c..ec8bfbe4 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -156,10 +156,12 @@ func TestValidateCaseInvalid(tester *testing.T) {
 	assert.EqualError(tester, err, "Invalid priority")
 	socCase.Priority = 12
 
-	socCase.Severity = -12
+	for x := 1; x < 5; x++ {
+		socCase.Severity += "this is my unreasonably long severity\n"
+	}
 	err = store.validateCase(socCase)
-	assert.EqualError(tester, err, "Invalid severity")
-	socCase.Severity = 12
+	assert.EqualError(tester, err, "severity is too long (152/100)")
+	socCase.Severity = "medium"
 
 	for x := 1; x < 5; x++ {
 		socCase.Tlp += "this is my unreasonably long tlp\n"
@@ -238,7 +240,7 @@ func TestValidateCaseValid(tester *testing.T) {
 		socCase.Description += "this is my reasonably long description\n"
 	}
 	socCase.Priority = 123
-	socCase.Severity = 1
+	socCase.Severity = "medium"
 	socCase.Tags = append(socCase.Tags, "tag1")
 	socCase.Tags = append(socCase.Tags, "tag2")
 	socCase.Tlp = "amber"
@@ -759,3 +761,197 @@ func TestDeleteRelatedEvent(tester *testing.T) {
 	assert.Equal(tester, "myEventId", fakeEventStore.InputIds[0])
 	assert.Equal(tester, "", fakeEventStore.InputIds[1])
 }
+
+func TestCreateArtifactUnexpectedId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifact := model.NewArtifact()
+	artifact.Id = "123444"
+	artifact.GroupType = "myGroupType"
+	artifact.ArtifactType = "myArtifactType"
+	artifact.Value = "Value"
+	_, err := store.CreateArtifact(ctx, artifact)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Unexpected ID found in new artifact", err.Error())
+}
+
+func TestCreateArtifactMissingCaseId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifact := model.NewArtifact()
+	artifact.GroupType = "myGroupType"
+	artifact.ArtifactType = "myArtifactType"
+	artifact.Value = "Value"
+	_, err := store.CreateArtifact(ctx, artifact)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing Case ID in new artifact", err.Error())
+}
+
+func TestCreateArtifactMissingGroupType(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifact := model.NewArtifact()
+	_, err := store.CreateArtifact(ctx, artifact)
+	assert.Error(tester, err)
+	assert.Equal(tester, "invalid ID for groupType", err.Error())
+}
+
+func TestCreateArtifactMissingArtifactType(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifact := model.NewArtifact()
+	artifact.GroupType = "myGroupType"
+	artifact.CaseId = "12345"
+	_, err := store.CreateArtifact(ctx, artifact)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing ArtifactType in new artifact", err.Error())
+}
+
+func TestCreateArtifactMissingValue(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifact := model.NewArtifact()
+	artifact.GroupType = "myGroupType"
+	artifact.ArtifactType = "myArtifactType"
+	artifact.CaseId = "12345"
+	_, err := store.CreateArtifact(ctx, artifact)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing Value in new artifact", err.Error())
+}
+
+func TestCreateArtifact(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "case"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+		Id:      "123444",
+	}
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifact"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+	fakeEventStore.IndexResults[0].Success = true
+	fakeEventStore.IndexResults[0].DocumentId = "myCaseId"
+	eventSearchResults := model.NewEventSearchResults()
+	eventSearchResults.Events = append(eventSearchResults.Events, elasticEvent)
+	fakeEventStore.SearchResults = append(fakeEventStore.SearchResults, eventSearchResults)
+	artifact := model.NewArtifact()
+	artifact.CaseId = "123444"
+	artifact.GroupType = "myGroupType"
+	artifact.ArtifactType = "myArtifactType"
+	artifact.Value = "Value"
+	newEvent, err := store.CreateArtifact(ctx, artifact)
+	assert.NoError(tester, err)
+	assert.NotNil(tester, newEvent)
+}
+
+func TestGetArtifact(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifact"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetArtifact(ctx, "myArtifactId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetArtifactsBadGroupType(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	_, err := store.GetArtifacts(ctx, "myCaseId", "myGroupType is invalid", "myGroupId")
+	assert.EqualError(tester, err, "invalid ID for groupType")
+}
+
+func TestGetArtifactsBadGroupId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	_, err := store.GetArtifacts(ctx, "myCaseId", "myGroupType", "myGroupId is invalid")
+	assert.EqualError(tester, err, "invalid ID for groupId")
+}
+
+func TestGetArtifactsNoGroupId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" | sortby @timestamp^`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifact"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetArtifacts(ctx, "myCaseId", "myGroupType", "")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetArtifacts(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" AND artifact.groupId:"myGroupId" | sortby @timestamp^`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifact"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetArtifacts(ctx, "myCaseId", "myGroupType", "myGroupId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestDeleteArtifact(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	elasticPayload := make(map[string]interface{})
+	elasticPayload["kind"] = "artifact"
+	elasticEvent := &model.EventRecord{
+		Payload: elasticPayload,
+		Id:      "myArtifactId",
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	err := store.DeleteArtifact(ctx, "myArtifactId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1) // Search to ensure it exists first
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, fakeEventStore.InputIds, 2) // Delete and Index (for audit)
+	assert.Equal(tester, "myArtifactId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+}
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index e69e6588..e151eaa7 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -16,6 +16,7 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "io"
   "net/http"
 )
 
@@ -114,3 +115,23 @@ func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId stri
 func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *ElasticCasestore) CreateArtifact(ctx context.Context, attachment *model.Artifact) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/generichttp/generichttpreader_test.go b/server/modules/generichttp/generichttpreader_test.go
index 679c71a2..54ff3662 100644
--- a/server/modules/generichttp/generichttpreader_test.go
+++ b/server/modules/generichttp/generichttpreader_test.go
@@ -24,7 +24,7 @@ func TestConvertCaseToReader(tester *testing.T) {
   socCase.CreateTime = &tm
   socCase.Title = "MyTitle"
   socCase.Description = "My \"Description\" is this."
-  socCase.Severity = 44
+  socCase.Severity = "medium"
 
   source := `ID: {{ .Id }}; Title: {{ .Title }}; Desc: {{ .Description | js }}; Sev: {{ .Severity }}; Time: {{ .CreateTime.Format "15:04" }}`
 
@@ -35,5 +35,5 @@ func TestConvertCaseToReader(tester *testing.T) {
   assert.NoError(tester, err2)
 
   converted := string(bytes)
-  assert.Equal(tester, "ID: 123; Title: MyTitle; Desc: My \\\"Description\\\" is this.; Sev: 44; Time: 00:00", converted)
+  assert.Equal(tester, "ID: 123; Title: MyTitle; Desc: My \\\"Description\\\" is this.; Sev: medium; Time: 00:00", converted)
 }
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 375c5c90..3b532552 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -15,6 +15,7 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "io"
   "net/http"
   "strconv"
   "strings"
@@ -119,3 +120,23 @@ func (store *HttpCasestore) GetRelatedEvents(ctx context.Context, caseId string)
 func (store *HttpCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *HttpCasestore) CreateArtifact(ctx context.Context, attachment *model.Artifact) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 4967bab7..dc6d6fdb 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -16,6 +16,7 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "io"
   "net/http"
 )
 
@@ -112,3 +113,23 @@ func (store *TheHiveCasestore) GetRelatedEvents(ctx context.Context, caseId stri
 func (store *TheHiveCasestore) DeleteRelatedEvent(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
+
+func (store *TheHiveCasestore) CreateArtifact(ctx context.Context, attachment *model.Artifact) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
diff --git a/server/modules/thehive/thehiveconverter.go b/server/modules/thehive/thehiveconverter.go
index 15ffc9e6..4d5fb7be 100644
--- a/server/modules/thehive/thehiveconverter.go
+++ b/server/modules/thehive/thehiveconverter.go
@@ -13,17 +13,33 @@ package thehive
 import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"strconv"
+	"strings"
 	"time"
 )
 
+func convertSeverity(sev string) int {
+	severity := 3
+
+	if len(sev) != 0 {
+		switch strings.ToLower(sev) {
+		case "low":
+			severity = 1
+		case "medium":
+			severity = 2
+		case "high":
+			severity = 3
+		case "critical":
+			severity = 4
+		default:
+			severity = 3
+		}
+	}
+	return severity
+}
+
 func convertToTheHiveCase(inputCase *model.Case) (*TheHiveCase, error) {
 	outputCase := NewTheHiveCase()
-	outputCase.Severity = inputCase.Severity
-	if outputCase.Severity > CASE_SEVERITY_HIGH {
-		outputCase.Severity = CASE_SEVERITY_HIGH
-	} else if outputCase.Severity < CASE_SEVERITY_LOW {
-		outputCase.Severity = CASE_SEVERITY_LOW
-	}
+	outputCase.Severity = convertSeverity(inputCase.Severity)
 	outputCase.Title = inputCase.Title
 	outputCase.Description = inputCase.Description
 	outputCase.Tags = append(outputCase.Tags, "SecurityOnion")
@@ -34,7 +50,7 @@ func convertToTheHiveCase(inputCase *model.Case) (*TheHiveCase, error) {
 
 func convertFromTheHiveCase(inputCase *TheHiveCase) (*model.Case, error) {
 	outputCase := model.NewCase()
-	outputCase.Severity = inputCase.Severity
+	outputCase.Severity = strconv.Itoa(inputCase.Severity)
 	outputCase.Title = inputCase.Title
 	outputCase.Description = inputCase.Description
 	outputCase.Id = strconv.Itoa(inputCase.Id)
diff --git a/server/modules/thehive/thehiveconverter_test.go b/server/modules/thehive/thehiveconverter_test.go
index 558bbf09..a57c02c0 100644
--- a/server/modules/thehive/thehiveconverter_test.go
+++ b/server/modules/thehive/thehiveconverter_test.go
@@ -33,7 +33,7 @@ func TestConvertFromTheHiveCase(tester *testing.T) {
 	assert.Nil(tester, err)
 	assert.Equal(tester, thehiveCase.Title, socCase.Title)
 	assert.Equal(tester, thehiveCase.Description, socCase.Description)
-	assert.Equal(tester, thehiveCase.Severity, socCase.Severity)
+	assert.Equal(tester, "3", socCase.Severity)
 	assert.Equal(tester, strconv.Itoa(thehiveCase.Id), socCase.Id)
 
 	tm := socCase.CreateTime.Format(time.RFC3339)
@@ -50,7 +50,7 @@ func TestConvertToTheHiveCase(tester *testing.T) {
 	socCase := model.NewCase()
 	socCase.Title = "my title"
 	socCase.Description = "my description.\nline 2.\n"
-	socCase.Severity = 3
+	socCase.Severity = "low"
 	socCase.Id = "my id"
 	socCase.Template = "someTemplate"
 
@@ -59,7 +59,20 @@ func TestConvertToTheHiveCase(tester *testing.T) {
 
 	assert.Equal(tester, thehiveCase.Title, socCase.Title)
 	assert.Equal(tester, thehiveCase.Description, socCase.Description)
-	assert.Equal(tester, thehiveCase.Severity, socCase.Severity)
+	assert.Equal(tester, thehiveCase.Severity, 1)
 	assert.Len(tester, thehiveCase.Tags, 1)
 	assert.Equal(tester, thehiveCase.Template, socCase.Template)
 }
+
+func TestConvertSeverity(tester *testing.T) {
+	assert.Equal(tester, 3, convertSeverity(""))
+	assert.Equal(tester, 3, convertSeverity("unknown"))
+	assert.Equal(tester, 1, convertSeverity("low"))
+	assert.Equal(tester, 1, convertSeverity("Low"))
+	assert.Equal(tester, 2, convertSeverity("medium"))
+	assert.Equal(tester, 2, convertSeverity("Medium"))
+	assert.Equal(tester, 3, convertSeverity("high"))
+	assert.Equal(tester, 3, convertSeverity("High"))
+	assert.Equal(tester, 4, convertSeverity("critical"))
+	assert.Equal(tester, 4, convertSeverity("Critical"))
+}

From bb9360ec4286a5a8b30ee2c8569729372cc5a5da Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 16 Dec 2021 09:33:03 -0500
Subject: [PATCH 31/98] Support unmapped types in sorts

---
 server/modules/elastic/converter.go             | 10 +++++++---
 server/modules/elastic/converter_test.go        |  4 ++--
 server/modules/elastic/elasticcasestore.go      |  2 +-
 server/modules/elastic/elasticcasestore_test.go |  2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index e81118ba..dbfb556c 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -212,15 +212,19 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 		sortBySegment := segment.(*model.SortBySegment)
 		fields := sortBySegment.Fields()
 		if len(fields) > 0 {
-			sorting := make([]map[string]string, 0, 0)
+			sorting := make([]map[string]map[string]string, 0, 0)
 			for _, field := range fields {
-				newSort := make(map[string]string)
+				newSort := make(map[string]map[string]string)
 				order := "desc"
 				if strings.HasSuffix(field, "^") {
 					field = strings.TrimSuffix(field, "^")
 					order = "asc"
 				}
-				newSort[field] = order
+				sortParams := make(map[string]string)
+				sortParams["order"] = order
+				sortParams["missing"] = "_last"
+				sortParams["unmapped_type"] = "date"
+				newSort[field] = sortParams
 				sorting = append(sorting, newSort)
 			}
 			esMap["sort"] = sorting
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 2d07f233..d41b9027 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -110,7 +110,7 @@ func TestConvertToElasticRequestSortByCriteria(tester *testing.T) {
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
 	assert.Nil(tester, err)
 
-	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":"desc"},{"jkl":"asc"}]}`
+	expectedJson := `{"aggs":{"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
 	assert.Equal(tester, expectedJson, actualJson)
 }
 
@@ -120,7 +120,7 @@ func TestConvertToElasticRequestGroupBySortByCriteria(tester *testing.T) {
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
 	assert.Nil(tester, err)
 
-	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby|ghi":{"aggs":{"groupby|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":"desc"},{"jkl":"asc"}]}`
+	expectedJson := `{"aggs":{"bottom":{"terms":{"field":"ghi","order":{"_count":"asc"},"size":10}},"groupby|ghi":{"aggs":{"groupby|ghi|jkl":{"terms":{"field":"jkl","missing":"__missing__","order":{"_count":"desc"},"size":10}}},"terms":{"field":"ghi","order":{"_count":"desc"},"size":10}},"timeline":{"date_histogram":{"field":"@timestamp","fixed_interval":"1m","min_doc_count":1}}},"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"*","query":"abc AND def AND q: \"\\\\\\\\file\\\\path\""}},{"range":{"@timestamp":{"format":"strict_date_optional_time","gte":"2020-01-02T12:13:14Z","lte":"2020-01-02T13:13:14Z"}}}],"must_not":[],"should":[]}},"size":25,"sort":[{"ghi":{"missing":"_last","order":"desc","unmapped_type":"date"}},{"jkl":{"missing":"_last","order":"asc","unmapped_type":"date"}}]}`
 	assert.Equal(tester, expectedJson, actualJson)
 }
 
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 4c950a43..fc7167f4 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -559,7 +559,7 @@ func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) (
   err = store.validateId(caseId, "caseId")
   if err == nil {
     comments = make([]*model.Comment, 0)
-    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby @timestamp^`, store.index, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
     var objects []interface{}
     objects, err = store.getAll(ctx, query, store.maxAssociations)
     if err == nil {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index ec8bfbe4..248c4494 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -557,7 +557,7 @@ func TestGetComments(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby @timestamp^`
+	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby comment.createTime^`
 	commentPayload := make(map[string]interface{})
 	commentPayload["kind"] = "comment"
 	commentEvent := &model.EventRecord{

From 46176a7cdac2fa71fd1066c16b6fe59a4ea147d6 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 16 Dec 2021 09:36:33 -0500
Subject: [PATCH 32/98] [wip] Initial work on comment ui changes

---
 html/css/app.css       |   7 ++-
 html/index.html        | 140 ++++++++++++++++++++++++++++++++++-------
 html/js/routes/case.js |  23 +++----
 3 files changed, 135 insertions(+), 35 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 9d9e4f26..bbdeadf4 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -188,7 +188,6 @@ a#title, a#title:visited, a#title:active, a#title:hover {
 }
 
 .case.detail-field {
-  padding-left: .75em;
   border-radius: .25em;
   overflow: hidden;
   white-space: pre-wrap;
@@ -212,6 +211,12 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   color: var(--v-primary-lighten2) !important;
 }
 
+.case.comment {
+  overflow: hidden;
+  white-space: pre-wrap;
+  word-wrap: break-word;
+}
+
 td {
   white-space: nowrap;
 }
diff --git a/html/index.html b/html/index.html
index 1f617eb3..7070c272 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1270,27 +1270,38 @@ <h2>Description</h2>
                 </v-tab>
   
                 <v-tab-item>
-                  <v-card v-for="comment in associations.comments" elevation="2" class="my-2">
-                    <div>
-                      <span class="case label">{{ i18n.dateCreated }}:</span>
-                      <span class="case value">{{ comment.createTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.dateModified }}:</span>
-                      <span class="case value">{{ comment.updateTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.author }}:</span>
-                      <span class="case value">{{ comment.owner }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">authorId:</span>
-                      <span class="case value">{{ comment.userId }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.commentDescription }}:</span>
-                      <span class="case value">{{ comment.description }}</span>
-                    </div>
+                  <v-card v-for="(comment, index) in associations.comments" elevation="2" class="my-2">
+                    <v-row align="start" class="ma-4" style="width: 100%">
+                      <v-avatar
+                        color="primary"
+                        size="36"
+                      >
+                        <div class="font-weight-bold">
+                          {{ comment.owner.charAt(0) }}
+                        </div>
+                      </v-avatar>
+                      <div class="ml-3 py-3 px-4 rounded secondary rounded-md" style="width: 90%;">
+                        <div class="d-flex flex-column align-start">
+                          <div class="case d-flex align-start">
+                            <div class="d-block mb-10">
+                              <div :id="`comment-${index}`" class="case comment" :class="[ !isCollapsed(`comment-${index}`) ? 'case collapse-field' : '' ]">{{ comment.description }}</div>
+                              <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
+                                <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
+                                <div v-if="isCollapsed(`comment-${index}`)">See less</div>
+                              </div>
+                            </div>
+                          </div>
+                          <div class="d-flex flex-column" v-if="isEdit('case-description')">
+                            <div class="mb-2">
+                              <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
+                            </div>
+                          </div>
+                          <div class="align-self-end text-body-2 text--secondary">
+                            {{ comment.owner }} &bull; {{ comment.updateTime | formatDateTime }}
+                          </div>
+                        </div>
+                      </div>
+                    </v-row>
                     <div class="my-4">
                       <v-btn text color="secondary" @click="editComment(comment)" icon><v-icon>fa-edit</v-icon></v-btn>
                       <v-btn text color="secondary" @click="deleteAssociation('comments', comment)" icon><v-icon>fa-trash</v-icon></v-btn>
@@ -1298,8 +1309,8 @@ <h2>Description</h2>
                   </v-card>
                   <div class="mx-12 my-12">
                     <v-form v-model="associatedForms['comments'].valid">
-                      <v-text-field v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-text-field>
-                      <v-text-field v-model="associatedForms['comments'].id" class="d-none"></v-text-field>
+                      <v-textarea solo flat no-resize v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-textarea>
+                      <v-textarea solo flat no-resize v-model="associatedForms['comments'].id" class="d-none"></v-textarea>
                       <div class="my-4">
                         <v-btn v-if="associatedForms['comments'].id == ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="addAssociation('comments')" v-text="i18n.add"></v-btn>
                         <v-btn v-if="associatedForms['comments'].id != ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="modifyAssociation('comments')" v-text="i18n.update"></v-btn>
@@ -1431,6 +1442,19 @@ <h2>Description</h2>
                             flat
                             solo
                             hide-details
+                            v-if="!isPresetCustomEnabled('status')"
+                            v-model="mainForm.status"
+                            :items="selectList('status')"
+                            v-on:change="modifyCase()"
+                            class="case-select"
+                          />
+                          <v-combobox
+                            dense
+                            eager
+                            flat
+                            solo
+                            hide-details
+                            v-if="isPresetCustomEnabled('status')"
                             v-model="mainForm.status"
                             :items="selectList('status')"
                             v-on:change="modifyCase()"
@@ -1459,6 +1483,19 @@ <h2>Description</h2>
                                 flat
                                 solo
                                 hide-details
+                                v-if="!isPresetCustomEnabled('severity')"
+                                v-model="mainForm.severity"
+                                :items="selectList('severity')"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                              <v-combobox
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-if="isPresetCustomEnabled('severity')"
                                 v-model="mainForm.severity"
                                 :items="selectList('severity')"
                                 v-on:change="modifyCase()"
@@ -1496,11 +1533,24 @@ <h2>Description</h2>
                                 flat
                                 solo
                                 hide-details
+                                v-if="!isPresetCustomEnabled('tlp')"
                                 v-model="mainForm.tlp"
                                 :items="selectList('tlp')"
                                 v-on:change="modifyCase()"
                                 class="case-select"
                                 />
+                                <v-combobox
+                                  dense
+                                  eager
+                                  flat
+                                  solo
+                                  hide-details
+                                  v-if="isPresetCustomEnabled('tlp')"
+                                  v-model="mainForm.tlp"
+                                  :items="selectList('tlp')"
+                                  v-on:change="modifyCase()"
+                                  class="case-select"
+                                />
                               </v-select>
                             </v-col>
                           </v-row>
@@ -1513,6 +1563,19 @@ <h2>Description</h2>
                                 flat
                                 solo
                                 hide-details
+                                v-if="!isPresetCustomEnabled('pap')"
+                                v-model="mainForm.pap"
+                                :items="selectList('pap')"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
+                              <v-combobox
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-if="isPresetCustomEnabled('pap')"
                                 v-model="mainForm.pap"
                                 :items="selectList('pap')"
                                 v-on:change="modifyCase()"
@@ -1523,12 +1586,25 @@ <h2>Description</h2>
                           <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
                             <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseCategory}}: </v-col>
                             <v-col cols="12" id="case-category" class="ml-2 pr-2">
+                              <v-select
+                                dense
+                                eager
+                                flat
+                                solo
+                                hide-details
+                                v-if="!isPresetCustomEnabled('category')"
+                                v-model="mainForm.category"
+                                :items="selectList('category')"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              />
                               <v-combobox
                                 dense
                                 eager
                                 flat
                                 solo
                                 hide-details
+                                v-if="isPresetCustomEnabled('category')"
                                 v-model="mainForm.category"
                                 :items="selectList('category')"
                                 v-on:change="modifyCase()"
@@ -1539,6 +1615,23 @@ <h2>Description</h2>
                           <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
                             <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTags}}: </v-col>
                             <v-col cols="12" id="case-tags" class="ml-2 pr-2">
+                              <v-select
+                                dense
+                                eager
+                                multiple
+                                flat
+                                solo
+                                hide-details
+                                v-if="!isPresetCustomEnabled('tags')"
+                                v-model="mainForm.tags"
+                                :items="selectList('tags')"
+                                v-on:change="modifyCase()"
+                                class="case-select"
+                              >
+                                <template #selection="{ item }">
+                                  <v-chip color="primary">{{item}}</v-chip>
+                                </template>
+                              </v-select>
                               <v-combobox
                                 eager
                                 multiple
@@ -1546,6 +1639,7 @@ <h2>Description</h2>
                                 flat
                                 solo
                                 hide-details
+                                v-if="isPresetCustomEnabled('tags')"
                                 v-model="mainForm.tags"
                                 :items="selectList('tags')"
                                 v-on:change="modifyCase()"
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 14a0e2ff..e8d7ede2 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -38,7 +38,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     collapsed: [
       'case-details'
     ],
-    collapsible: [],
+    collapsible: {},
     mainForm: {
       valid: false,
       title: null,
@@ -92,7 +92,6 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   async mounted() {
     await this.loadData();
     this.$root.loadParameters('case', this.initCase);
-    this.updateCollapsible('case-description');
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -350,22 +349,24 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
     },
     updateCollapsible(id) {
+      if (! Object.keys(this.collapsible).includes(id)) {
+        this.collapsible[id] = false
+      }
       this.$nextTick(() => {
         let element = document.getElementById(id);
         let retVal = element.offsetHeight < element.scrollHeight || element.offsetWidth < element.scrollWidth;
-        if (retVal) {
-          if (! this.collapsible.includes(id)) {
-            this.collapsible.push(id);
-          }
-        } else {
-          if (this.collapsible.includes(id)) {
-            this.collapsible.splice(this.collapsible.indexOf(id), 1);
-          }
+        if (retVal && this.isCollapsed[id] === false) {
+          this.collapsible[id] = true
+        } else if (!retVal && this.collapsed[id] === true) {
+          this.collapsible[id] = false
         }
       })
     },
     isCollapsible(item) {
-      return (this.collapsible.indexOf(item) !== -1)
+      if ((Object.keys(this.collapsible).indexOf(item) !== -1)) {
+        this.updateCollapsible(item)
+      }
+      return (this.collapsible[item] !== false)
     },
     toggleCollapse(item) {
       if (!this.isCollapsed(item)) {

From b80a71535206c6200fbda1605f7b047d2912d6b7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 16 Dec 2021 15:16:04 -0500
Subject: [PATCH 33/98] Make changes to collapsible imp. to support collapsing
 comments

Also update unit tests to reflect changed methods
---
 html/css/app.css            |  2 ++
 html/index.html             | 71 ++++++++++++++++++++++---------------
 html/js/routes/case.js      |  9 ++---
 html/js/routes/case.test.js | 18 +++++-----
 4 files changed, 59 insertions(+), 41 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index bbdeadf4..741bf44a 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -171,6 +171,7 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   text-align: right;
   white-space: nowrap;
   font-weight: bold;
+  opacity: 70%;
 }
 
 .case.details {
@@ -180,6 +181,7 @@ a#title, a#title:visited, a#title:active, a#title:hover {
 .case.value {
   text-align: left;
   white-space: wrap;
+  opacity: 70%;
 }
 
 .case.title.v-text-field input {
diff --git a/html/index.html b/html/index.html
index 7070c272..73c35789 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1226,7 +1226,7 @@ <h2 class="rounded">{{ mainForm.title }}</h2>
           </div>
         </v-form>
         <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
-          <v-col cols="12" md="9" class="px-sm-4 mx-4 mx-sm-0 case main" order="2" order-md="1">
+          <v-col cols="12" md="9" class="case main" order="2" order-md="1">
             <div class="d-block d-md-none">
               <h2>Description</h2>
             </div>
@@ -1258,55 +1258,70 @@ <h2>Description</h2>
               <v-tabs grow>
                 <v-tab id="case_commentsTab">
                   <v-icon left>fa-comments</v-icon>
-                  {{ i18n.comments }}
+                  <div class="d-none d-sm-block">{{ i18n.comments }}</div>
                 </v-tab>
                 <v-tab id="case_eventsTab">
                   <v-icon left>fa-link</v-icon>
-                  {{ i18n.events }}
+                  <div class="d-none d-sm-block">{{ i18n.events }}</div>
                 </v-tab>
                 <v-tab id="case_historyTab">
                   <v-icon left>fa-history</v-icon>
-                  {{ i18n.history }}
+                  <div class="d-none d-sm-block">{{ i18n.history }}</div>
                 </v-tab>
   
                 <v-tab-item>
-                  <v-card v-for="(comment, index) in associations.comments" elevation="2" class="my-2">
-                    <v-row align="start" class="ma-4" style="width: 100%">
+                  <div v-for="(comment, index) in associations.comments" class="my-2">
+                    <div class="d-flex flex-column flex-md-row align-start ma-4">
                       <v-avatar
                         color="primary"
-                        size="36"
+                        size="32"
                       >
                         <div class="font-weight-bold">
                           {{ comment.owner.charAt(0) }}
                         </div>
                       </v-avatar>
-                      <div class="ml-3 py-3 px-4 rounded secondary rounded-md" style="width: 90%;">
-                        <div class="d-flex flex-column align-start">
-                          <div class="case d-flex align-start">
-                            <div class="d-block mb-10">
-                              <div :id="`comment-${index}`" class="case comment" :class="[ !isCollapsed(`comment-${index}`) ? 'case collapse-field' : '' ]">{{ comment.description }}</div>
-                              <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
-                                <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
-                                <div v-if="isCollapsed(`comment-${index}`)">See less</div>
+                      <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
+                        <div class="ml-1 ml-md-3 py-3 px-4 secondary rounded rounded-md" style="width: 100%;">
+                          <div class="d-flex flex-column align-start">
+                            <div class="case d-flex align-start">
+                              <div class="d-block mb-10">
+                                <div :id="`comment-${index}`" class="case comment" :class="[ !isCollapsed(`comment-${index}`) ? 'case collapse-field' : '' ]">{{ comment.description }}</div>
+                                <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
+                                  <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
+                                  <div v-if="isCollapsed(`comment-${index}`)">See less</div>
+                                </div>
                               </div>
                             </div>
-                          </div>
-                          <div class="d-flex flex-column" v-if="isEdit('case-description')">
-                            <div class="mb-2">
-                              <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
+                            <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)">
+                              <div class="mb-2">
+                                <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
+                              </div>
+                            </div>
+                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2 text--secondary">
+                              <div class="mr-1">
+                                {{ comment.owner }}
+                              </div>
+                              <div class="mr-1 d-none d-sm-block">
+                                &bull;
+                              </div>
+                              <div :class="[$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)] ? 'mr-1' : ''">
+                                {{ comment.createTime | formatDateTime }}
+                              </div>
                             </div>
                           </div>
-                          <div class="align-self-end text-body-2 text--secondary">
-                            {{ comment.owner }} &bull; {{ comment.updateTime | formatDateTime }}
+                        </div>
+                        <div class="d-flex align-center align-self-end text-body-2 text--secondary mt-1">
+                          <div v-if="$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)" class="mr-1">
+                            edited {{ comment.updateTime | formatDateTime }}
+                          </div>
+                          <div class="ml-3 d-flex">
+                            <v-btn text small color="primary" @click="editComment(comment)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                            <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                           </div>
                         </div>
-                      </div>
-                    </v-row>
-                    <div class="my-4">
-                      <v-btn text color="secondary" @click="editComment(comment)" icon><v-icon>fa-edit</v-icon></v-btn>
-                      <v-btn text color="secondary" @click="deleteAssociation('comments', comment)" icon><v-icon>fa-trash</v-icon></v-btn>
-                    <div>                      
-                  </v-card>
+                      </v-col> 
+                    </div>           
+                  </div>
                   <div class="mx-12 my-12">
                     <v-form v-model="associatedForms['comments'].valid">
                       <v-textarea solo flat no-resize v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-textarea>
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 31b14324..85d2f427 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -92,6 +92,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   async mounted() {
     await this.loadData();
     this.$root.loadParameters('case', this.initCase);
+    this.updateCollapsible('case-description'); // Update collapsible state for description manually
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -355,18 +356,18 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$nextTick(() => {
         let element = document.getElementById(id);
         let retVal = element.offsetHeight < element.scrollHeight || element.offsetWidth < element.scrollWidth;
-        if (retVal && this.isCollapsed[id] === false) {
+        if (retVal && !this.collapsible[id]) {
           this.collapsible[id] = true
-        } else if (!retVal && this.collapsed[id] === true) {
+        } else if (!retVal && this.collapsible[id]) {
           this.collapsible[id] = false
         }
       })
     },
     isCollapsible(item) {
-      if ((Object.keys(this.collapsible).indexOf(item) !== -1)) {
+      if ((Object.keys(this.collapsible).indexOf(item) === -1)) {
         this.updateCollapsible(item)
       }
-      return (this.collapsible[item] !== false)
+      return (this.collapsible[item] === true)
     },
     toggleCollapse(item) {
       if (!this.isCollapsed(item)) {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 22a6eb5f..d1905aaf 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -481,7 +481,7 @@ test('updateCollapsible_HeightOverflow', () => {
   document.getElementById = jest.fn(_ => fakeElement);
   comp.updateCollapsible(fakeId);
 
-  expect(comp.collapsible).toStrictEqual(['fakeId']);
+  expect(comp.collapsible).toStrictEqual({'fakeId': true});
 })
 
 test('updateCollapsible_WidthOverflow', () => {
@@ -492,7 +492,7 @@ test('updateCollapsible_WidthOverflow', () => {
   document.getElementById = jest.fn(_ => fakeElement);
   comp.updateCollapsible(fakeId);
 
-  expect(comp.collapsible).toStrictEqual(['fakeId']);
+  expect(comp.collapsible).toStrictEqual({'fakeId': true});
 })
 
 test('updateCollapsible_NoOverflow', () => {
@@ -503,7 +503,7 @@ test('updateCollapsible_NoOverflow', () => {
   document.getElementById = jest.fn(_ => fakeElement);
   comp.updateCollapsible(fakeId);
 
-  expect(comp.collapsible).toStrictEqual([]);
+  expect(comp.collapsible).toStrictEqual({'fakeId': false});
 })
 
 test('updateCollapsible_RemoveId', () => {
@@ -511,12 +511,12 @@ test('updateCollapsible_RemoveId', () => {
     offsetHeight: 10,
     scrollHeight: 10
   };
-  comp.collapsible = [fakeId]
+  comp.collapsible = {fakeId: true}
 
   document.getElementById = jest.fn(_ => fakeElement);
   comp.updateCollapsible(fakeId);
 
-  expect(comp.collapsible).toStrictEqual([]);
+  expect(comp.collapsible).toStrictEqual({'fakeId': false});
 })
 
 test('updateCollapsible_StillCollapsible', () => {
@@ -524,22 +524,22 @@ test('updateCollapsible_StillCollapsible', () => {
     offsetHeight: 10,
     scrollHeight: 11
   };
-  comp.collapsible = [fakeId]
+  comp.collapsible = {fakeId: true}
 
   document.getElementById = jest.fn(_ => fakeElement);
   comp.updateCollapsible(fakeId);
 
-  expect(comp.collapsible).toStrictEqual(['fakeId']);
+  expect(comp.collapsible).toStrictEqual({'fakeId': true});
 })
 
 test('isCollapsible', () => {
-  comp.collapsible = [ fakeId ];
+  comp.collapsible = {fakeId: true};
 
   expect(comp.isCollapsible('fakeId')).toBe(true);
 })
 
 test('isCollapsible_False', () => {
-  comp.collapsible =  [];
+  comp.collapsible =  {fakeId: false};
 
   expect(comp.isCollapsible('fakeId')).toBe(false);
 })

From 046748e9166ead8b1bc30881c5e8eef5c9d2a2c7 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 16 Dec 2021 16:28:33 -0500
Subject: [PATCH 34/98] Change how collapsible css works + add lighter
 secondary color in light mode

---
 html/css/app.css | 11 ++++++++++-
 html/index.html  |  6 +++---
 html/js/app.js   |  2 ++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 741bf44a..57328d12 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -201,7 +201,16 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   color: var(--v-primary-lighten1) !important;
 }
 
-.case.collapse-field {
+.case.collapsible {
+  transition: max-height 0.8s;
+}
+
+.case.collapsible.expanded {
+  max-height: max-content;
+
+}
+
+.case.collapsible.collapsed {
   max-height: 7.5em;
   overflow: hidden;
   white-space: pre-wrap;
diff --git a/html/index.html b/html/index.html
index 73c35789..47d5a8de 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1233,7 +1233,7 @@ <h2>Description</h2>
             <div class="mb-6 mb-md-3">
               <div class="case detail-field d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit(mainForm.description, 'case-description')">
                 <div class="d-block">
-                  <div id="case-description" class="rounded" :class="[ !isCollapsed('case-description') ? 'case collapse-field' : '' ]">{{ mainForm.description }}</div>
+                  <div id="case-description" class="rounded case collapsible" :class="[ !isCollapsed('case-description') ? 'collapsed' : 'expanded' ]">{{ mainForm.description }}</div>
                 </div>
               </div>
               <div v-if="isCollapsible('case-description') && !isEdit('case-description')" class="pl-2 text-body-2 blue--text case collapse-text" @click="toggleCollapse('case-description')">
@@ -1276,7 +1276,7 @@ <h2>Description</h2>
                         color="primary"
                         size="32"
                       >
-                        <div class="font-weight-bold">
+                        <div class="font-weight-bold white--text">
                           {{ comment.owner.charAt(0) }}
                         </div>
                       </v-avatar>
@@ -1285,7 +1285,7 @@ <h2>Description</h2>
                           <div class="d-flex flex-column align-start">
                             <div class="case d-flex align-start">
                               <div class="d-block mb-10">
-                                <div :id="`comment-${index}`" class="case comment" :class="[ !isCollapsed(`comment-${index}`) ? 'case collapse-field' : '' ]">{{ comment.description }}</div>
+                                <div :id="`comment-${index}`" class="case comment collapsible" :class="[ !isCollapsed(`comment-${index}`) ? 'collapsed' : 'expanded' ]">{{ comment.description }}</div>
                                 <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
                                   <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
                                   <div v-if="isCollapsed(`comment-${index}`)">See less</div>
diff --git a/html/js/app.js b/html/js/app.js
index d04ac600..f2581f95 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -29,12 +29,14 @@ $(document).ready(function() {
             nav: '#ffffff',
             drawer_background: '#f4f4f4',
             background: '#ffffff',
+            secondary: '#f5f5f5'
           },
           dark: {
             nav_background: '#12110d',
             nav: '#ffffff',
             drawer_background: '#353535',
             background: '#1e1e1e',
+            secondary: '#424242'
           },
         },
       },

From 64abfda3d4acbfce9a8f404b542fe7c3c46f8326 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 16 Dec 2021 16:45:46 -0500
Subject: [PATCH 35/98] Enable inline editing of case comments

---
 html/css/app.css       |  5 +++++
 html/index.html        | 22 ++++++++++++++++------
 html/js/routes/case.js |  5 ++++-
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 57328d12..550d0ceb 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -205,6 +205,11 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   transition: max-height 0.8s;
 }
 
+.case.comment-input>.v-input__control>.v-input__slot:before {
+  border: none;
+}
+
+
 .case.collapsible.expanded {
   max-height: max-content;
 
diff --git a/html/index.html b/html/index.html
index 47d5a8de..875c6d1d 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1283,8 +1283,8 @@ <h2>Description</h2>
                       <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
                         <div class="ml-1 ml-md-3 py-3 px-4 secondary rounded rounded-md" style="width: 100%;">
                           <div class="d-flex flex-column align-start">
-                            <div class="case d-flex align-start">
-                              <div class="d-block mb-10">
+                            <div class="case d-flex align-start" v-if="!isEdit(`comment-${index}`)">
+                              <div class="d-block mb-8">
                                 <div :id="`comment-${index}`" class="case comment collapsible" :class="[ !isCollapsed(`comment-${index}`) ? 'collapsed' : 'expanded' ]">{{ comment.description }}</div>
                                 <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
                                   <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
@@ -1292,9 +1292,19 @@ <h2>Description</h2>
                                 </div>
                               </div>
                             </div>
-                            <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)">
+                            <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
                               <div class="mb-2">
-                                <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
+                                <v-form v-model="associatedForms['comments'].valid">
+                                  <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val" class="mb-1"/>
+                                  <div class="d-inline-flex justify-end">
+                                    <v-btn :disabled="!associatedForms['comments'].valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                                      Cancel
+                                    </v-btn>
+                                    <v-btn :disabled="!associatedForms['comments'].valid" text small color="primary" class="align-self-end" @click="modifyAssociation('comments')">
+                                      Save
+                                    </v-btn>
+                                  </div>
+                                </v-form>
                               </div>
                             </div>
                             <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2 text--secondary">
@@ -1315,14 +1325,14 @@ <h2>Description</h2>
                             edited {{ comment.updateTime | formatDateTime }}
                           </div>
                           <div class="ml-3 d-flex">
-                            <v-btn text small color="primary" @click="editComment(comment)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                            <v-btn text small color="primary" @click="editComment(comment, `comment-${index}`)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
                             <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                           </div>
                         </div>
                       </v-col> 
                     </div>           
                   </div>
-                  <div class="mx-12 my-12">
+                  <div class="mx-12 my-12 d-none">
                     <v-form v-model="associatedForms['comments'].valid">
                       <v-textarea solo flat no-resize v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-textarea>
                       <v-textarea solo flat no-resize v-model="associatedForms['comments'].id" class="d-none"></v-textarea>
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 85d2f427..5d7a7951 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -274,6 +274,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       if (idx > -1) {
         this.$root.startLoading();
         try {
+          this.associatedForms[association].description = this.editField.val
           const response = await this.$root.papi.put('case/' + association, JSON.stringify(this.associatedForms[association]));
           if (response.data) {
             await this.$root.populateUserDetails(response.data, "userId", "owner");
@@ -286,6 +287,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             this.$root.showError(error);
           }
         }
+        this.stopEdit();
         this.$root.stopLoading();
       }
     },
@@ -308,9 +310,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.stopLoading();
       }
     },    
-    editComment(comment) {
+    editComment(comment, htmlId) {
       this.associatedForms['comments'].id = comment.id;
       this.associatedForms['comments'].description = comment.description;
+      this.startEdit(comment.description, htmlId)
     },
     cancelComment() {
       this.associatedForms['comments'].id = "";

From a60bd5cdba8e5d5321535eef0528754bc2dc4d93 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 17 Dec 2021 13:35:11 -0500
Subject: [PATCH 36/98] [wip] Association rework + ui changes

* Rework handling of adding + modifying associations
* Add new comment element
* Slightly modify comment + right info box ui
---
 html/index.html             | 106 ++++++++++++++++++++----------------
 html/js/routes/case.js      |  61 +++++++++------------
 html/js/routes/case.test.js |  33 +++++------
 3 files changed, 104 insertions(+), 96 deletions(-)

diff --git a/html/index.html b/html/index.html
index 875c6d1d..b11ef6e5 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1270,7 +1270,7 @@ <h2>Description</h2>
                 </v-tab>
   
                 <v-tab-item>
-                  <div v-for="(comment, index) in associations.comments" class="my-2">
+                  <div v-for="(comment, index) in associations.comments" class="mb-8">
                     <div class="d-flex flex-column flex-md-row align-start ma-4">
                       <v-avatar
                         color="primary"
@@ -1294,14 +1294,14 @@ <h2>Description</h2>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
                               <div class="mb-2">
-                                <v-form v-model="associatedForms['comments'].valid">
+                                <v-form v-model="associatedForm.valid">
                                   <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val" class="mb-1"/>
                                   <div class="d-inline-flex justify-end">
-                                    <v-btn :disabled="!associatedForms['comments'].valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                                      Cancel
+                                    <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                                      {{ i18n.cancel }}
                                     </v-btn>
-                                    <v-btn :disabled="!associatedForms['comments'].valid" text small color="primary" class="align-self-end" @click="modifyAssociation('comments')">
-                                      Save
+                                    <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="modifyAssociation('comments', comment, `comment-${index}`)">
+                                      {{ i18n.update }}
                                     </v-btn>
                                   </div>
                                 </v-form>
@@ -1317,6 +1317,10 @@ <h2>Description</h2>
                               <div :class="[$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)] ? 'mr-1' : ''">
                                 {{ comment.createTime | formatDateTime }}
                               </div>
+                              <div class="ml-1 d-flex">
+                                <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="editComment(comment, `comment-${index}`)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                                <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                              </div>
                             </div>
                           </div>
                         </div>
@@ -1324,24 +1328,47 @@ <h2>Description</h2>
                           <div v-if="$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)" class="mr-1">
                             edited {{ comment.updateTime | formatDateTime }}
                           </div>
-                          <div class="ml-3 d-flex">
-                            <v-btn text small color="primary" @click="editComment(comment, `comment-${index}`)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
-                            <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
-                          </div>
                         </div>
                       </v-col> 
                     </div>           
                   </div>
-                  <div class="mx-12 my-12 d-none">
-                    <v-form v-model="associatedForms['comments'].valid">
-                      <v-textarea solo flat no-resize v-model="associatedForms['comments'].description" :placeholder="i18n.commentDescription" persistent-hint :hint="i18n.commentDescriptionHelp" :rules="[rules.required]"></v-textarea>
-                      <v-textarea solo flat no-resize v-model="associatedForms['comments'].id" class="d-none"></v-textarea>
-                      <div class="my-4">
-                        <v-btn v-if="associatedForms['comments'].id == ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="addAssociation('comments')" v-text="i18n.add"></v-btn>
-                        <v-btn v-if="associatedForms['comments'].id != ''" :disabled="!associatedForms['comments'].valid" text color="primary" @click="modifyAssociation('comments')" v-text="i18n.update"></v-btn>
-                        <v-btn text color="secondary" @click="cancelComment()" v-text="i18n.cancel"></v-btn>
-                      <div>                      
-                    </form>
+                  <div class="d-flex flex-column flex-md-row align-start ma-4">
+                    <v-avatar
+                        color="primary"
+                        size="32"
+                    >
+                        <div class="font-weight-bold white--text">
+                        {{ $root.username.charAt(0).toLocaleUpperCase() }}
+                        </div>
+                    </v-avatar>
+                    <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
+                        <div class="ml-1 ml-md-3 py-3 px-4 secondary rounded rounded-md" style="width: 100%;">
+                        <div class="d-flex flex-column align-start">
+                            <div class="d-flex flex-column" style="width: 100%;">
+                            <div class="mb-2">
+                                <v-form v-model="associatedForm.valid">
+                                <v-textarea solo flat hide-details rows="5" dense no-resize color="text--black" v-model="associatedForm.description" :rules="[rules.required]" class="mb-1"/>
+                                </v-form>
+                            </div>
+                            </div>
+                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2 text--secondary">
+                            <div class="mr-1">
+                                {{ $root.username }}
+                            </div>
+                            </div>
+                        </div>
+                        </div>
+                        <div class="d-flex align-center align-self-end text-body-2 text--secondary mt-2">
+                        <div class="d-inline-flex justify-end">
+                            <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                            {{ i18n.cancel }}
+                            </v-btn>
+                            <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="addAssociation('comments')">
+                            {{ i18n.add }}
+                            </v-btn>
+                        </div>
+                        </div>
+                    </v-col> 
                   </div>
                 </v-tab-item>
   
@@ -1446,8 +1473,7 @@ <h2>Description</h2>
                           <v-select
                             dense
                             eager
-                            flat
-                            solo
+                            outlined
                             hide-details
                             v-model="mainForm.assigneeId"
                             :items="userList"
@@ -1464,8 +1490,7 @@ <h2>Description</h2>
                           <v-select
                             dense
                             eager
-                            flat
-                            solo
+                            outlined
                             hide-details
                             v-if="!isPresetCustomEnabled('status')"
                             v-model="mainForm.status"
@@ -1476,8 +1501,7 @@ <h2>Description</h2>
                           <v-combobox
                             dense
                             eager
-                            flat
-                            solo
+                            outlined
                             hide-details
                             v-if="isPresetCustomEnabled('status')"
                             v-model="mainForm.status"
@@ -1505,8 +1529,7 @@ <h2>Description</h2>
                               <v-select
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="!isPresetCustomEnabled('severity')"
                                 v-model="mainForm.severity"
@@ -1517,8 +1540,7 @@ <h2>Description</h2>
                               <v-combobox
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="isPresetCustomEnabled('severity')"
                                 v-model="mainForm.severity"
@@ -1555,8 +1577,7 @@ <h2>Description</h2>
                               <v-select
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="!isPresetCustomEnabled('tlp')"
                                 v-model="mainForm.tlp"
@@ -1567,8 +1588,7 @@ <h2>Description</h2>
                                 <v-combobox
                                   dense
                                   eager
-                                  flat
-                                  solo
+                                  outlined
                                   hide-details
                                   v-if="isPresetCustomEnabled('tlp')"
                                   v-model="mainForm.tlp"
@@ -1585,8 +1605,7 @@ <h2>Description</h2>
                               <v-select
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="!isPresetCustomEnabled('pap')"
                                 v-model="mainForm.pap"
@@ -1597,8 +1616,7 @@ <h2>Description</h2>
                               <v-combobox
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="isPresetCustomEnabled('pap')"
                                 v-model="mainForm.pap"
@@ -1614,8 +1632,7 @@ <h2>Description</h2>
                               <v-select
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="!isPresetCustomEnabled('category')"
                                 v-model="mainForm.category"
@@ -1626,8 +1643,7 @@ <h2>Description</h2>
                               <v-combobox
                                 dense
                                 eager
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="isPresetCustomEnabled('category')"
                                 v-model="mainForm.category"
@@ -1644,8 +1660,7 @@ <h2>Description</h2>
                                 dense
                                 eager
                                 multiple
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="!isPresetCustomEnabled('tags')"
                                 v-model="mainForm.tags"
@@ -1661,8 +1676,7 @@ <h2>Description</h2>
                                 eager
                                 multiple
                                 chips
-                                flat
-                                solo
+                                outlined
                                 hide-details
                                 v-if="isPresetCustomEnabled('tags')"
                                 v-model="mainForm.tags"
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 5d7a7951..51b9d6d9 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -53,25 +53,20 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       pap: null,
       category: null
     },
+    associatedForm: {
+      description: '',
+      valid: false
+    },
     associatedForms: {
       comments: {
-        id: "",
-        caseId: "",
-        description: "",
-        valid: false
+        id: ""
       },
       tasks: {
         id: "",
-        caseId: "",
-        description: "",
-        status: "",
-        valid: false
+        status: ""
       },
       artifacts: {
-        id: "",
-        caseId: "",
-        description: "",
-        valid: false
+        id: ""
       }
     },
     editField: {},
@@ -117,15 +112,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.associationsLoading = true;
 
       this.associations["comments"] = [];
-      this.associatedForms["comments"].caseId = this.caseObj.id;
       this.loadAssociation('comments');
 
       this.associations["tasks"] = [];
-      this.associatedForms["tasks"].caseId = this.caseObj.id;
       this.loadAssociation('tasks');
 
       this.associations["artifacts"] = [];
-      this.associatedForms["artifacts"].caseId = this.caseObj.id;
       this.loadAssociation('artifacts', "/evidence");
 
       this.associations["events"] = [];
@@ -253,33 +245,38 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     async addAssociation(association) {
       this.$root.startLoading();
       try {
-        const response = await this.$root.papi.post('case/' + association, JSON.stringify(this.associatedForms[association]));
+        const req = {
+          id: '',
+          caseId: this.caseObj.id,
+          description: this.associatedForm.description
+        }
+        const response = await this.$root.papi.post('case/' + association, JSON.stringify(req));
         if (response.data) {
           await this.$root.populateUserDetails(response.data, "userId", "owner");
           this.associations[association].push(response.data);
         }
+        this.associatedForm.description = ''
       } catch (error) {
         this.$root.showError(error);
       }
       this.$root.stopLoading();
     },
-    async modifyAssociation(association) {
-      var idx = -1;
-      for (var i = 0; i < this.associations[association].length; i++) {
-        if (this.associations[association][i].id == this.associatedForms[association].id) {
-          idx = i;
-          break;
-        }
-      }
+    async modifyAssociation(association, obj, htmlId = null) {
+      let idx = this.associations[association].findIndex((x) =>  x.id === obj.id)
       if (idx > -1) {
         this.$root.startLoading();
         try {
-          this.associatedForms[association].description = this.editField.val
-          const response = await this.$root.papi.put('case/' + association, JSON.stringify(this.associatedForms[association]));
+          const req = {
+            id: obj.id,
+            caseId: this.caseObj.id,
+            description: this.editField.val
+          }
+          const response = await this.$root.papi.put('case/' + association, JSON.stringify(req));
           if (response.data) {
             await this.$root.populateUserDetails(response.data, "userId", "owner");
             Vue.set(this.associations[association], idx, response.data);
           }
+          if (htmlId !== null ) this.updateCollapsible(htmlId);
         } catch (error) {
           if (error.response != undefined && error.response.status == 404) {
             this.$root.showError(this.i18n.notFound);
@@ -312,12 +309,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },    
     editComment(comment, htmlId) {
       this.associatedForms['comments'].id = comment.id;
-      this.associatedForms['comments'].description = comment.description;
       this.startEdit(comment.description, htmlId)
     },
     cancelComment() {
       this.associatedForms['comments'].id = "";
-      this.associatedForms['comments'].description = "";
     },
     updateCase(caseObj) {
       // No-op until we can detect if the user has made any changes to the form. We don't
@@ -337,7 +332,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       };
     },
     stopEdit() {
+      // Clear all edit values
       this.editField = {}
+      this.associatedForm.description = ''
     },
     async saveEdit(keyStr) {
       if (this.mainForm[keyStr] === this.editField.val) {
@@ -354,16 +351,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     updateCollapsible(id) {
       if (! Object.keys(this.collapsible).includes(id)) {
-        this.collapsible[id] = false
+        this.collapsible[id] = false;
       }
       this.$nextTick(() => {
         let element = document.getElementById(id);
         let retVal = element.offsetHeight < element.scrollHeight || element.offsetWidth < element.scrollWidth;
-        if (retVal && !this.collapsible[id]) {
-          this.collapsible[id] = true
-        } else if (!retVal && this.collapsible[id]) {
-          this.collapsible[id] = false
-        }
+        this.collapsible[id] = retVal;
       })
     },
     isCollapsible(item) {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index d1905aaf..3a885226 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -121,12 +121,10 @@ test('loadAssociations', () => {
   comp.caseObj = {id: 'myCaseId'};
   comp.loadAssociation = jest.fn();
   comp.loadAssociations();
+  
   expect(comp.loadAssociation).toHaveBeenCalledWith('comments');
-  expect(comp.associatedForms["comments"].caseId).toBe('myCaseId')
   expect(comp.loadAssociation).toHaveBeenCalledWith('tasks');
-  expect(comp.associatedForms["tasks"].caseId).toBe('myCaseId')
   expect(comp.loadAssociation).toHaveBeenCalledWith('artifacts', '/evidence');
-  expect(comp.associatedForms["artifacts"].caseId).toBe('myCaseId')
   expect(comp.loadAssociation).toHaveBeenCalledWith('events');
   expect(comp.loadAssociation).toHaveBeenCalledWith('history');
   expect(comp.associationsLoading).toBe(false);
@@ -270,14 +268,14 @@ test('modifyCaseError', async () => {
 test('addAssociation', async () => {
   const mock = mockPapi("post", {'data':fakeComment});
 
-  comp.associatedForms['comments'].id = 'myCommentId';
-  comp.associatedForms['comments'].description = 'myDescription';
+  comp.associatedForm.description = 'myDescription';
+  comp.caseObj.id = 'myCaseId';
   const showErrorMock = mockShowError();
   expect(comp.associations['comments'].length).toBe(0);
 
   await comp.addAssociation('comments');
 
-  const body =  "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription\",\"valid\":false}";
+  const body =  "{\"id\":\"\",\"caseId\":\"myCaseId\",\"description\":\"myDescription\"}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
@@ -301,16 +299,19 @@ test('modifyAssociation', async () => {
   const mock = mockPapi("put", {'data':fakeComment2});
   const showErrorMock = mockShowError();
 
-  comp.associatedForms['comments'].id = fakeComment.id;
-  comp.associatedForms['comments'].description = 'myDescription2';
+  comp.caseObj.id = 'myCaseId';
+  comp.editField.val = 'myDescription2';
   comp.associations['comments'] = [fakeComment];
-  await comp.modifyAssociation('comments');
+  comp.updateCollapsible = jest.fn();
+  await comp.modifyAssociation('comments', fakeComment, fakeId);
 
-  const body = "{\"id\":\"myCommentId\",\"caseId\":\"\",\"description\":\"myDescription2\",\"valid\":false}";
+  const body = "{\"id\":\"myCommentId\",\"caseId\":\"myCaseId\",\"description\":\"myDescription2\"}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
   expect(comp.associations['comments'][0].description).toBe('myDescription2');
+  expect(comp.updateCollapsible).toHaveBeenCalledTimes(1)
+  expect(comp.updateCollapsible).toHaveBeenCalledWith(fakeId);
   expect(comp.$root.loading).toBe(false);
 });
 
@@ -319,18 +320,18 @@ test('modifyAssociationNotFound', async () => {
   const error = new Error("not found")
   error.response = { status: 404 };
   mockPapi("put", null, error);
-  comp.associatedForms['comments'].id = fakeComment.id;
+  comp.associatedForm.id = fakeComment.id;
   comp.associations['comments'] = [fakeComment];
-  await comp.modifyAssociation('comments');
+  await comp.modifyAssociation('comments', fakeComment, fakeId);
   expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
 });
 
 test('modifyAssociationError', async () => {
   const showErrorMock = mockShowError();
   mockPapi("put", null, new Error("something bad"));
-  comp.associatedForms['comments'].id = fakeComment.id;
+  comp.associatedForm.id = fakeComment.id;
   comp.associations['comments'] = [fakeComment];
-  await comp.modifyAssociation('comments');
+  await comp.modifyAssociation('comments', fakeComment, fakeId);
   expect(showErrorMock).toHaveBeenCalledTimes(1);
 });
 
@@ -374,13 +375,13 @@ test('deleteAssociationError', async () => {
 test('editComment', () => {
   comp.editComment(fakeComment);
   expect(comp.associatedForms['comments'].id).toBe(fakeComment.id);
-  expect(comp.associatedForms['comments'].description).toBe(fakeComment.description);
+  expect(comp.editField.val).toBe(fakeComment.description);
 });
 
 test('cancelComment', () => {
   comp.cancelComment(fakeComment);
   expect(comp.associatedForms['comments'].id).toBe("");
-  expect(comp.associatedForms['comments'].description).toBe("");
+  expect(comp.associatedForm.description).toBe("");
 });
 
 test('presets', () => {

From 4b1eb8d0258285966941a4a29a1420b020d174ff Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 08:58:16 -0500
Subject: [PATCH 37/98] Initial artifact support

---
 config/serverconfig.go                        |    5 +
 config/serverconfig_test.go                   |    1 +
 html/css/app.css                              |   64 +-
 html/index.html                               | 1074 ++++++++++-------
 html/js/app.js                                |    8 +-
 html/js/i18n.js                               |   42 +-
 html/js/routes/case.js                        |  435 ++++---
 html/js/routes/case.test.js                   |  292 ++---
 model/case.go                                 |   41 +
 model/case_test.go                            |   21 +-
 server/casehandler.go                         |   70 +-
 server/casestore.go                           |    9 +-
 server/modules/elastic/converter.go           |   26 +
 server/modules/elastic/converter_test.go      |   31 +
 server/modules/elastic/elastic.go             |    5 +-
 server/modules/elastic/elastic_test.go        |    1 +
 server/modules/elastic/elasticcasestore.go    |  144 ++-
 .../modules/elastic/elasticcasestore_test.go  |  410 ++++++-
 server/modules/elastic/elasticeventstore.go   |   72 +-
 .../modules/elasticcases/elasticcasestore.go  |   19 +-
 server/modules/generichttp/httpcasestore.go   |   19 +-
 server/modules/thehive/thehivecasestore.go    |   19 +-
 web/basehandler.go                            |   42 +-
 23 files changed, 1948 insertions(+), 902 deletions(-)

diff --git a/config/serverconfig.go b/config/serverconfig.go
index dfcfeb3b..1dff8922 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -18,6 +18,7 @@ import (
 
 const DEFAULT_MAX_PACKET_COUNT = 5000
 const DEFAULT_IDLE_CONNECTION_TIMEOUT_MS = 300000
+const DEFAULT_MAX_UPLOAD_SIZE_BYTES = 26214400
 
 type ServerConfig struct {
   AirgapEnabled           bool                   `json:"airgapEnabled"`
@@ -31,6 +32,7 @@ type ServerConfig struct {
   ClientParams            ClientParameters       `json:"client"`
   IdleConnectionTimeoutMs int                    `json:"idleConnectionTimeoutMs"`
   TimezoneScript          string                 `json:"timezoneScript"`
+  MaxUploadSizeBytes      int                    `json:"maxUploadSizeBytes"`
 }
 
 func (config *ServerConfig) Verify() error {
@@ -56,5 +58,8 @@ func (config *ServerConfig) Verify() error {
   if len(config.TimezoneScript) == 0 {
     config.TimezoneScript = "/opt/sensoroni/scripts/timezones.sh"
   }
+  if config.MaxUploadSizeBytes == 0 {
+    config.MaxUploadSizeBytes = DEFAULT_MAX_UPLOAD_SIZE_BYTES
+  }
   return err
 }
diff --git a/config/serverconfig_test.go b/config/serverconfig_test.go
index 5d5163a8..d35231a3 100644
--- a/config/serverconfig_test.go
+++ b/config/serverconfig_test.go
@@ -22,6 +22,7 @@ func TestVerifyServer(tester *testing.T) {
 	if assert.Error(tester, err) {
 		assert.Equal(tester, DEFAULT_MAX_PACKET_COUNT, cfg.MaxPacketCount)
 		assert.Equal(tester, DEFAULT_IDLE_CONNECTION_TIMEOUT_MS, cfg.IdleConnectionTimeoutMs)
+		assert.Equal(tester, DEFAULT_MAX_UPLOAD_SIZE_BYTES, cfg.MaxUploadSizeBytes)
 		assert.False(tester, cfg.DeveloperEnabled)
 	}
 
diff --git a/html/css/app.css b/html/css/app.css
index 550d0ceb..380aa2ac 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -62,6 +62,10 @@
   margin-right: 6px;
 }
 
+.contrast-bg {
+  background-color: var(--v-drawer_background-base) !important;
+}
+
 /* animations */
 .waggle {
   animation-name: waggle;
@@ -164,73 +168,51 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   white-space: nowrap;
 }
 
+.case.summary {
+  overflow-x: hidden;
+  white-space: nowrap;
+  opacity: 60%;
+  font-size: 75%;
+}
+
 .case.label {
   display: inline-block;
-  padding-right: 10px;
   width: 15%;
+  min-width: 6.0em;
+  padding-right: 10px;
   text-align: right;
-  white-space: nowrap;
   font-weight: bold;
-  opacity: 70%;
-}
-
-.case.details {
-  font-size: 13px;
 }
 
 .case.value {
   text-align: left;
-  white-space: wrap;
-  opacity: 70%;
 }
 
-.case.title.v-text-field input {
-  font-size: 1.2em;
-  margin-bottom: 0.15em;
+.case.raw {
+  overflow-x: hidden;
 }
 
 .case.detail-field {
   border-radius: .25em;
-  overflow: hidden;
   white-space: pre-wrap;
   word-wrap: break-word;
 }
 
-.case.detail-field:hover {
-  cursor: pointer;
-  color: var(--v-primary-lighten1) !important;
-}
-
-.case.collapsible {
-  transition: max-height 0.8s;
-}
-
-.case.comment-input>.v-input__control>.v-input__slot:before {
-  border: none;
-}
-
-
-.case.collapsible.expanded {
-  max-height: max-content;
-
+.no-underline {
+  text-decoration: none;
 }
 
-.case.collapsible.collapsed {
-  max-height: 7.5em;
-  overflow: hidden;
-  white-space: pre-wrap;
-  word-wrap: break-word;
+.clicktoedit:hover {
+  cursor: pointer;
+  color: var(--v-primary-lighten1) !important;
 }
 
-.case.collapse-text:hover {
+tr.expandable:hover {
   cursor: pointer;
-  color: var(--v-primary-lighten2) !important;
 }
 
-.case.comment {
-  overflow: hidden;
-  white-space: pre-wrap;
-  word-wrap: break-word;
+td.case {
+  white-space: normal !important;
 }
 
 td {
diff --git a/html/index.html b/html/index.html
index b11ef6e5..05dbec94 100644
--- a/html/index.html
+++ b/html/index.html
@@ -224,20 +224,29 @@
         <textarea id="clipboardBuffer"></textarea>
       </v-main>
       <v-footer app>
-        <span id="version" class="overline text-no-wrap">
+        <span id="version" class="text-no-wrap">
           {{ i18n.version }}: {{ version }}
         </span>
         <v-spacer></v-spacer>
-        <span class="overline text-no-wrap">
+        <span class="text-no-wrap d-none d-md-flex">
           &copy; {{ new Date().getFullYear() }} 
-          <a class="footer" target="sos" href="https://securityonionsolutions.com/">
+          <a class="footer mx-1" target="sos" href="https://securityonionsolutions.com/">
             Security Onion Solutions, LLC
           </a>
         </span>
+        <span class="text-no-wrap d-md-none">
+          &copy; {{ new Date().getFullYear() }} 
+          <a class="footer mx-1" target="sos" href="https://securityonionsolutions.com/">
+            SOS
+          </a>
+        </span>
         <v-spacer></v-spacer>
-        <span class="overline text-no-wrap">
+        <span class="text-no-wrap d-none d-lg-flex">
           <router-link id="termsLink" to="/terms" class="footer">{{ i18n.terms }}</router-link>
         </span>
+        <span class="text-no-wrap d-lg-none">
+          <router-link id="termsLink" to="/terms" class="footer">{{ i18n.tcs }}</router-link>
+        </span>
       </v-footer>
     </v-app>
 
@@ -726,7 +735,7 @@ <h5>
               </v-list-item-title>
             </v-list-item>
             <v-divider></v-divider>
-            <v-subheader>{{ i18n.escalateExistingCase }}</v-subheader>
+            <v-subheader class="white--text">{{ i18n.escalateExistingCase }}</v-subheader>
             <v-list-item dense v-for="socCase in mruCases" :title="i18n.escalateExistingCaseHelp" @click="ack($event, escalationItem, 0, true, true, socCase.id)">
               <v-list-item-icon>
                 <v-icon :alt="i18n.escalateExistingCase" color="white">fa-link</v-icon>
@@ -905,7 +914,7 @@ <h2 v-text="i18n.users"></h2>
                   </v-container>
                   <v-card-actions>
                     <v-spacer></v-spacer>
-                    <v-btn text @click="dialog = false">Cancel</v-btn>
+                    <v-btn text @click="dialog = false">{{ i18n.cancel }}</v-btn>
                     <v-btn :disabled="!form.valid" text color="primary" @click="submitAddUser" v-text="i18n.add"></v-btn>
                   </v-card-actions>
                 </v-form>
@@ -1205,53 +1214,51 @@ <h2>{{ i18n.viewJob }}</h2>
 
     <script type="text/x-template" id="page-case">
       <v-container fluid>
-        <v-form model="mainForm.valid" class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
-          <div>
-            <div class="case detail-field d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit(mainForm.title, 'case-title')">
-              <h2 class="rounded">{{ mainForm.title }}</h2>
-            </div>
-            <div class="d-flex flex-column" v-if="isEdit('case-title')">
+        <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
+          <div class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit('case-title-input', caseObj.title, 'case-title', 'title', modifyCase)">
+            <h2 id="case-title" class="rounded">{{ caseObj.title }}</h2>
+          </div>
+          <div class="d-flex flex-column" v-if="isEdit('case-title')">
+            <v-form v-model="editForm.valid">
               <div class="mb-2">
-                <v-text-field v-if="isEdit('case-title')" hide-details="auto" outlined class="case title" v-model="editField.val"/>
+                <v-text-field id="case-title-input" hide-details="auto" outlined v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseTitleHelp"/>
               </div>
               <div class="d-inline-flex justify-end">
-                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                  Cancel
+                <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                  {{ i18n.cancel }}
                 </v-btn>
-                <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('title')">
-                  Save
+                <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                  {{ i18n.save }}
                 </v-btn>
               </div>
-            </div>
+            </v-form>
           </div>
-        </v-form>
+        </div>
         <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <v-col cols="12" md="9" class="case main" order="2" order-md="1">
             <div class="d-block d-md-none">
               <h2>Description</h2>
             </div>
             <div class="mb-6 mb-md-3">
-              <div class="case detail-field d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit(mainForm.description, 'case-description')">
+              <div class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
                 <div class="d-block">
-                  <div id="case-description" class="rounded case collapsible" :class="[ !isCollapsed('case-description') ? 'collapsed' : 'expanded' ]">{{ mainForm.description }}</div>
+                  <div id="case-description" class="rounded case">{{ caseObj.description }}</div>
                 </div>
               </div>
-              <div v-if="isCollapsible('case-description') && !isEdit('case-description')" class="pl-2 text-body-2 blue--text case collapse-text" @click="toggleCollapse('case-description')">
-                <div v-if="!isCollapsed('case-description')">See more</div>
-                <div v-if="isCollapsed('case-description')">See less</div>
-              </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
-                <div class="mb-2">
-                  <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val"/>
-                </div>
-                <div class="d-inline-flex justify-end">
-                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                    Cancel
-                  </v-btn>
-                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('description')">
-                    Save
-                  </v-btn>
-                </div>
+                <v-form v-model="editForm.valid">
+                  <div class="mb-2">
+                    <v-textarea id="case-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseDescriptionHelp"/>
+                  </div>
+                  <div class="d-inline-flex justify-end">
+                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                      {{ i18n.cancel }}
+                    </v-btn>
+                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                      {{ i18n.save }}
+                    </v-btn>
+                  </div>
+                </form>
               </div>
             </div>
             <v-row>
@@ -1260,6 +1267,10 @@ <h2>Description</h2>
                   <v-icon left>fa-comments</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.comments }}</div>
                 </v-tab>
+                <v-tab id="case_evidenceTab">
+                  <v-icon left>fa-eye</v-icon>
+                  <div class="d-none d-sm-block">{{ i18n.evidence }}</div>
+                </v-tab>
                 <v-tab id="case_eventsTab">
                   <v-icon left>fa-link</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.events }}</div>
@@ -1272,453 +1283,690 @@ <h2>Description</h2>
                 <v-tab-item>
                   <div v-for="(comment, index) in associations.comments" class="mb-8">
                     <div class="d-flex flex-column flex-md-row align-start ma-4">
-                      <v-avatar
-                        color="primary"
-                        size="32"
-                      >
-                        <div class="font-weight-bold white--text">
-                          {{ comment.owner.charAt(0) }}
+                      <v-avatar color="primary" size="32">
+                        <div class="font-weight-bold" :title="comment.owner">
+                          {{ $root.getAvatar(comment.owner) }}
                         </div>
                       </v-avatar>
                       <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
-                        <div class="ml-1 ml-md-3 py-3 px-4 secondary rounded rounded-md" style="width: 100%;">
+                        <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                           <div class="d-flex flex-column align-start">
                             <div class="case d-flex align-start" v-if="!isEdit(`comment-${index}`)">
                               <div class="d-block mb-8">
-                                <div :id="`comment-${index}`" class="case comment collapsible" :class="[ !isCollapsed(`comment-${index}`) ? 'collapsed' : 'expanded' ]">{{ comment.description }}</div>
-                                <div v-if="isCollapsible(`comment-${index}`) && !isEdit(`comment-${index}`)" class="pt-1 text-body-2 blue--text case collapse-text" @click="toggleCollapse(`comment-${index}`)">
-                                  <div v-if="!isCollapsed(`comment-${index}`)">See more</div>
-                                  <div v-if="isCollapsed(`comment-${index}`)">See less</div>
-                                </div>
+                                <div :id="`comment-${index}`" class="case detail-field">{{ comment.description }}</div>
                               </div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
                               <div class="mb-2">
-                                <v-form v-model="associatedForm.valid">
-                                  <v-textarea outlined hide-details rows="5" dense no-resize color="text--black" v-model="editField.val" class="mb-1"/>
+                                <v-form v-model="editForm.valid">
+                                  <v-textarea id="comment-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
                                   <div class="d-inline-flex justify-end">
-                                    <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
+                                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
                                       {{ i18n.cancel }}
                                     </v-btn>
-                                    <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="modifyAssociation('comments', comment, `comment-${index}`)">
+                                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
                                       {{ i18n.update }}
                                     </v-btn>
                                   </div>
                                 </v-form>
                               </div>
                             </div>
-                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2 text--secondary">
+                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
                               <div class="mr-1">
                                 {{ comment.owner }}
                               </div>
                               <div class="mr-1 d-none d-sm-block">
                                 &bull;
                               </div>
-                              <div :class="[$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)] ? 'mr-1' : ''">
+                              <div>
                                 {{ comment.createTime | formatDateTime }}
                               </div>
+                              <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-2">
+                                {{ i18n.edited }}
+                              </div>
                               <div class="ml-1 d-flex">
-                                <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="editComment(comment, `comment-${index}`)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                                <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
                                 <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                               </div>
                             </div>
                           </div>
                         </div>
-                        <div class="d-flex align-center align-self-end text-body-2 text--secondary mt-1">
-                          <div v-if="$root.formatDateTime(comment.createTime) !== $root.formatDateTime(comment.updateTime)" class="mr-1">
-                            edited {{ comment.updateTime | formatDateTime }}
-                          </div>
-                        </div>
                       </v-col> 
                     </div>           
                   </div>
                   <div class="d-flex flex-column flex-md-row align-start ma-4">
-                    <v-avatar
-                        color="primary"
-                        size="32"
-                    >
-                        <div class="font-weight-bold white--text">
-                        {{ $root.username.charAt(0).toLocaleUpperCase() }}
-                        </div>
+                    <v-avatar color="primary" size="32">
+                      <div class="font-weight-bold" :title="$root.username">
+                      {{ $root.getAvatar($root.username) }}
+                      </div>
                     </v-avatar>
                     <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
-                        <div class="ml-1 ml-md-3 py-3 px-4 secondary rounded rounded-md" style="width: 100%;">
-                        <div class="d-flex flex-column align-start">
-                            <div class="d-flex flex-column" style="width: 100%;">
-                            <div class="mb-2">
-                                <v-form v-model="associatedForm.valid">
-                                <v-textarea solo flat hide-details rows="5" dense no-resize color="text--black" v-model="associatedForm.description" :rules="[rules.required]" class="mb-1"/>
-                                </v-form>
+                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                      <div class="d-flex flex-column align-start">
+                        <div class="d-flex flex-column" style="width: 100%;">
+                          <div class="mb-2">
+                            <a name="add"><h3>{{ i18n.commentAdd }}</h3></a>
+                            <v-form ref="comments" v-model="associatedForms['comments'].valid">
+                            <v-textarea solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
+                            </v-form>
+                          </div>
+                        </div>
+                      </div>
+                      </div>
+                      <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                        <div class="d-inline-flex justify-end">
+                          <v-btn text small color="primary" class="align-self-end" @click="resetForm('comments')">
+                          {{ i18n.cancel }}
+                          </v-btn>
+                          <v-btn :disabled="!associatedForms['comments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('comments')">
+                          {{ i18n.add }}
+                          </v-btn>
+                        </div>
+                      </div>
+                    </v-col> 
+                  </div>
+                </v-tab-item>
+
+                <v-tab-item>
+                  <v-text-field v-model="associatedTable['artifacts'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="artifactsTable" :sort-by.sync="associatedTable['artifacts'].sortBy" :sort-desc.sync="associatedTable['artifacts'].sortDesc" :items-per-page.sync="associatedTable['artifacts'].itemsPerPage" 
+                    :search="associatedTable['artifacts'].search" :footer-props="associatedTable['artifacts'].footerProps" must-sort :headers="associatedTable['artifacts'].headers"
+                    :items="associations['artifacts']" item-key="id" :loading="associatedTable['artifacts'].loading" :expanded="associatedTable['artifacts'].expanded">
+                    <template v-slot:item="props">
+                      <tr @click="expandRow('artifacts', props.item)" class="expandable">
+                        <td>{{ props.item.createTime | formatDateTime }}</td>
+                        <td>{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.artifactType }}</div>
+                        </td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.value }}</div>
+                        </td>                  
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td :colspan="4" class="case">
+                          <v-container fluid class="my-2" v-if="props.item.artifactType == 'file'">
+                            <a target="soc-download" :href="`/api/case/artifactstream?id=${props.item.id}`" class="no-underline">
+                              <v-icon>fa-download</v-icon>
+                              {{ props.item.value }}
+                              ({{ props.item.streamLength | formatCount }} 
+                              {{ i18n.bytes }})
+                            </a>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-description-input`, props.item.description, `artifact-${props.index}-description`, 'description', modifyAssociation, ['artifacts', props.item], true)">
+                              <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
+                              <div id="`artifact-${props.index}-description`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-description`)">{{ withDefault(props.item.description) }}</div>
+                            </div>
+                            <div class="d-flex flex-column" v-if="isEdit(`artifact-${props.index}-description`)">
+                              <v-form v-model="editForm.valid">
+                                <div class="mb-2">
+                                  <v-textarea full-width rows="3" multiline :id="`artifact-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                                </div>
+                                <div class="d-inline-flex justify-end">
+                                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                    {{ i18n.cancel }}
+                                  </v-btn>
+                                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                    {{ i18n.save }}
+                                  </v-btn>
+                                </div>
+                              </v-form>
+                            </div>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-ioc-input`, props.item.ioc, `artifact-${props.index}-ioc`, 'ioc', modifyAssociation, ['artifacts', props.item])">
+                              <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
+                              <div id="`artifact-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
+                            </div>
+                            <v-checkbox :id="`artifact-${props.index}-ioc-input`" v-if="isEdit(`artifact-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-tlp-input`, props.item.tlp, `artifact-${props.index}-tlp`, 'tlp', modifyAssociation, ['artifacts', props.item])">
+                              <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
+                              <div id="`artifact-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
                             </div>
+                            <v-select :id="`artifact-${props.index}-tlp-input`" v-if="isEdit(`artifact-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
+                              dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tlp', props.item.tlp)"
+                              v-on:change="stopEdit(true)"
+                              />
+                              <v-combobox :id="`artifact-${props.index}-tlp-input`" v-if="isEdit(`artifact-${props.index}-tlp`) && isPresetCustomEnabled('tlp')"
+                                dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                                v-model="editForm.val"
+                                :items="selectList('tlp', props.item.tlp)"
+                                v-on:change="stopEdit(true)"
+                              />
+                            </v-select>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-tags-input`, props.item.tags, `artifact-${props.index}-tags`, 'tags', modifyAssociation, ['artifacts', props.item])">
+                              <div class="font-weight-bold">{{i18n.caseTags}}: </div>
+                              <div id="`artifact-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-tags`)">
+                                <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
+                              </div>
                             </div>
-                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2 text--secondary">
+                            <v-select :id="`artifact-${props.index}-tags-input`" v-if="isEdit(`artifact-${props.index}-tags`) && !isPresetCustomEnabled('tags')"
+                              dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tags', props.item.tags)"
+                              v-on:change="stopEdit(true)">
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-select>
+                            <v-combobox :id="`artifact-${props.index}-tags-input`" v-if="isEdit(`artifact-${props.index}-tags`) && isPresetCustomEnabled('tags')"
+                              dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tags', props.item.tags)"
+                              v-on:change="stopEdit(true)">
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-combobox>
+                          </v-container>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
                             <div class="mr-1">
-                                {{ $root.username }}
+                              {{ props.item.owner }}
                             </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
                             </div>
+                            <div>
+                              {{ props.item.createTime | formatDateTime }}
+                            </div>
+                            <div v-if="isEdited(props.item)" :title="$root.formatDateTime(props.item.updateTime)" class="mx-2">
+                              {{ i18n.edited }}
+                            </div>
+                            <div class="ml-1 d-flex">
+                              <v-btn text small color="red" @click="deleteAssociation('artifacts', props.item)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('artifacts', '/evidence')"></v-btn>
+                  </div>
+                  <v-row>
+                    <v-col>
+                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                      <div class="d-flex flex-column align-start">
+                        <div class="d-flex flex-column" style="width: 100%;">
+                        <div class="mb-2">
+                          <a name="add"><h3>{{ i18n.evidenceAdd }}</h3></a>
+                          <v-form ref="artifacts" v-model="associatedForms['artifacts'].valid">
+                            <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['artifacts'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['artifacts'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-file-input v-if="associatedForms['artifacts'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-textarea v-if="associatedForms['artifacts'].artifactType != 'file'" rows="2" v-model="associatedForms['artifacts'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
+                            <v-textarea rows="2" v-model="associatedForms['artifacts'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-checkbox v-model="associatedForms['artifacts'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['artifacts'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['artifacts'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['artifacts'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-select>
+                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['artifacts'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-combobox>                              
+                          </v-form>
                         </div>
                         </div>
-                        <div class="d-flex align-center align-self-end text-body-2 text--secondary mt-2">
-                        <div class="d-inline-flex justify-end">
-                            <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                            {{ i18n.cancel }}
-                            </v-btn>
-                            <v-btn :disabled="!associatedForm.valid" text small color="primary" class="align-self-end" @click="addAssociation('comments')">
-                            {{ i18n.add }}
-                            </v-btn>
-                        </div>
-                        </div>
-                    </v-col> 
-                  </div>
+                      </div>
+                      </div>
+                      <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                      <div class="d-inline-flex justify-end">
+                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('artifacts')">
+                        {{ i18n.cancel }}
+                        </v-btn>
+                        <v-btn :disabled="!associatedForms['artifacts'].valid" text small color="primary" class="align-self-end" @click="addAssociation('artifacts', {'groupType': 'evidence'})">
+                        {{ i18n.add }}
+                        </v-btn>
+                      </div>
+                      </div>
+                    </v-col>
+                  </v-row>                  
                 </v-tab-item>
-  
+
                 <v-tab-item>
-                  <v-card v-for="event in associations.events" elevation="2" class="my-2">
-                    <div>
-                      <span class="case label">{{ i18n.dateCreated }}:</span>
-                      <span class="case value">{{ event.createTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.author }}:</span>
-                      <span class="case value">{{ event.owner }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">authorId:</span>
-                      <span class="case value">{{ event.userId }}</span>
-                    </div>
-                    <div v-for="value, key in event.fields">
-                      <span class="case label">{{ key }}:</span>
-                      <span class="case value">{{ value }}</span>
-                    </div>
-                    <div class="my-4">
-                      <v-btn text colror="secondary" @click="deleteAssociation('events', event)" icon><v-icon>fa-trash</v-icon></v-btn>
-                    <div>                                        
-                  </v-card>
+                  <v-text-field v-model="associatedTable['events'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="eventsTable" :sort-by.sync="associatedTable['events'].sortBy" :sort-desc.sync="associatedTable['events'].sortDesc" :items-per-page.sync="associatedTable['events'].itemsPerPage" 
+                    :search="associatedTable['events'].search" :footer-props="associatedTable['events'].footerProps" must-sort :headers="associatedTable['events'].headers"
+                    :items="associations['events']" item-key="id" :loading="associatedTable['events'].loading" :expanded="associatedTable['events'].expanded">
+                    <template v-slot:item="props">
+                      <tr @click="expandRow('events', props.item)" class="expandable">
+                        <td>
+                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.id}`}}" :title="i18n.huntForEvent"><v-icon>fa-crosshairs</v-icon></router-link>
+                        </td>
+                        <td>{{ props.item.fields.timestamp | formatTimestamp }}</td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.fields['event.category'] }}</div>
+                        </td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.fields['event.dataset'] }}</div>
+                        </td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.fields.message }}</div>
+                        </td>                        
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td :colspan="5" class="case">
+                          <div class="mt-2">
+                            <div v-for="value, key in props.item.fields">
+                              <span class="case label">{{ key }}:</span>
+                              <span class="case value">{{ value }}</span>
+                            </div>
+                          </div>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
+                            <div class="mr-1">
+                              {{ props.item.owner }}
+                            </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
+                            </div>
+                            <div>
+                              {{ props.item.createTime | formatDateTime }}
+                            </div>
+                            <div class="ml-1 d-flex">
+                              <v-btn text small color="red" @click="deleteAssociation('events', props.item)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('events')"></v-btn>
+                  </div>
                 </v-tab-item>
   
                 <v-tab-item>
-                  <v-card v-for="event in associations.history" elevation="2" class="my-2">
-                    <div>
-                      <span class="case label">{{ i18n.event }}:</span>
-                      <span class="case value">{{ event.kind }} - {{ event.operation }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.dateCreated }}:</span>
-                      <span class="case value">{{ event.createTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.dateModified }}:</span>
-                      <span class="case value">{{ event.updateTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.dateClosed }}:</span>
-                      <span class="case value">{{ event.completeTime | formatDateTime }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">{{ i18n.author }}:</span>
-                      <span class="case value">{{ event.owner }}</span>
-                    </div>
-                    <div>
-                      <span class="case label">authorId:</span>
-                      <span class="case value">{{ event.userId }}</span>
-                    </div>
-                    <div v-if="event.kind == 'case'">
-                      <div>
-                        <span class="case label">{{ i18n.caseTitle}}:</span>
-                        <span class="case value">{{ event.title }}</span>
-                      </div>
-                      <div>
-                        <span class="case label">{{ i18n.caseDescription }}:</span>
-                        <span class="case value">{{ event.description }}</span>
-                      </div>
-                      <div>
-                        <span class="case label">{{ i18n.caseStatus }}:</span>
-                        <span class="case value">{{ event.status }}</span>
-                      </div>
-                      <div>
-                        <span class="case label">{{ i18n.caseSeverity }}:</span>
-                        <span class="case value">{{ event.severity }}</span>
-                      </div>
-                      <div>
-                        <span class="case label">{{ i18n.casePriority }}:</span>
-                        <span class="case value">{{ event.priority }}</span>
-                      </div>
-                    </div>
-                    <div v-if="event.kind == 'comment'">
-                      <div>
-                        <span class="case label">{{ i18n.commentDescription }}:</span>
-                        <span class="case value">{{ event.description }}</span>
-                      </div>
-                    </div>
-                  </v-card>
+                  <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage" 
+                    :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
+                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded">
+                    <template v-slot:item="props">
+                      <tr @click="expandRow('history', props.item)" class="expandable">
+                        <td>
+                          <v-avatar color="primary" size="32">
+                            <div class="font-weight-bold" :title="props.item.owner">
+                              {{ $root.getAvatar(props.item.owner) }}
+                            </div>
+                          </v-avatar>
+                        </td>
+                        <td>{{ props.item.updateTime | formatDateTime }}</td>
+                        <td>
+                          <v-icon v-if="props.item.kind == 'case'">fa-briefcase</v-icon>
+                          <v-icon v-if="props.item.kind == 'comment'">fa-comments</v-icon>
+                          <v-icon v-if="props.item.kind == 'artifact'">fa-eye</v-icon>
+                          <v-icon v-if="props.item.kind == 'related'">fa-link</v-icon>
+                          <span class="rounded ml-2">{{ props.item.kind }}</span>
+                        </td>
+                        <td>
+                          <span class="rounded mr-2">{{ props.item.operation }}</span>
+                          <v-icon v-if="props.item.operation == 'update'">fa-pencil-alt</v-icon>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td :colspan="4" class="case">
+                          <div class="mt-2">
+                            <span class="case label">{{ i18n.kind }}:</span>
+                            <span class="case value">{{ props.item.kind }}</span>
+                          </div>
+                          <div>
+                            <span class="case label">{{ i18n.operation }}:</span>
+                            <span class="case value">{{ props.item.operation }}</span>
+                          </div>
+                          <div>
+                            <span class="case label">{{ i18n.dateCreated }}:</span>
+                            <span class="case value">{{ props.item.createTime | formatDateTime }}</span>
+                          </div>
+                          <div>
+                            <span class="case label">{{ i18n.dateModified }}:</span>
+                            <span class="case value">{{ props.item.updateTime | formatDateTime }}</span>
+                          </div>
+                          <div v-if="props.item.kind == 'case'">
+                            <div>
+                              <span class="case label">{{ i18n.caseTitle}}:</span>
+                              <span class="case value">{{ props.item.title }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseDescription }}:</span>
+                              <span class="case value">{{ props.item.description }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseStatus }}:</span>
+                              <span class="case value">{{ props.item.status }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseSeverity }}:</span>
+                              <span class="case value">{{ props.item.severity }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.casePriority }}:</span>
+                              <span class="case value">{{ props.item.priority }}</span>
+                            </div>
+                          </div>
+                          <div v-if="props.item.kind == 'comment'">
+                            <div>
+                              <span class="case label">{{ i18n.commentDescription }}:</span>
+                              <span class="case value">{{ props.item.description }}</span>
+                            </div>
+                          </div>
+                          <div v-if="props.item.kind == 'related'">
+                            <div>
+                              <span class="case label">{{ i18n.relatedEventId }}:</span>
+                              <span class="case value">
+                                <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.fields.soc_id}`}}">
+                                  {{ props.item.fields.soc_id }}
+                                </router-link>
+                              </span>
+                            </div>
+                          </div>
+                          <div v-if="props.item.kind == 'artifact'">
+                            <div>
+                              <span class="case label">{{ i18n.artifactGroupType }}:</span>
+                              <span class="case value">{{ props.item.groupType }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.artifactGroupId }}:</span>
+                              <span class="case value">{{ props.item.groupId }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.artifactType }}:</span>
+                              <span class="case value">{{ props.item.artifactType }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.value }}:</span>
+                              <span class="case value">{{ props.item.value }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.description }}:</span>
+                              <span class="case value">{{ props.item.description }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseTlp }}:</span>
+                              <span class="case value">{{ props.item.tlp }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.artifactIoc }}:</span>
+                              <span class="case value">{{ props.item.ioc }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseTags }}:</span>
+                              <span class="case value">{{ props.item.tags }}</span>
+                            </div>
+                          </div>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
+                            <div class="mr-1">
+                              {{ props.item.owner }}
+                            </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
+                            </div>
+                            <div>
+                              {{ props.item.updateTime | formatDateTime }}
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('history')"></v-btn>
+                  </div>
                 </v-tab-item>
   
               <v-tabs>
-          </v-row>
+            </v-row>
           </v-col>
           <v-col cols="12" md="3" order="1" order-md="2">
-            <v-form v-model="mainForm.valid">
               <v-row no-gutters>
-                <v-col class="d-flex flex-column justify-center">
-                  <v-card
-                    class="mx-2 overflow-hidden"
-                  >
-                    <v-toolbar dense flat>
-                      <v-toolbar-title>Info</v-toolbar-title>
-                    </v-toolbar>
-                    <div class="mx-4 my-8">
-                      <v-row no-gutters class="align-start d-inline-flex mb-3 flex-column" style="width: 100%">
-                        <v-col cols="12" class="mr-n2 mb-2 font-weight-bold">{{i18n.caseAssignee}}: </v-col>
-                        <v-col cols="12" class="ml-2 pr-2">
-                          <v-select
-                            dense
-                            eager
-                            outlined
-                            hide-details
-                            v-model="mainForm.assigneeId"
-                            :items="userList"
-                            item-text="email"
-                            item-value="id"
-                            v-on:change="modifyCase()"
-                            class="case-select"
-                          />
-                        </v-col>
-                      </v-row>
-                      <v-row no-gutters class="align-start d-inline-flex flex-column" style="width: 100%">
-                        <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.status}}: </v-col>
-                        <v-col cols="12" class="ml-2 pr-2">
-                          <v-select
-                            dense
-                            eager
-                            outlined
-                            hide-details
-                            v-if="!isPresetCustomEnabled('status')"
-                            v-model="mainForm.status"
-                            :items="selectList('status')"
-                            v-on:change="modifyCase()"
-                            class="case-select"
-                          />
-                          <v-combobox
-                            dense
-                            eager
-                            outlined
-                            hide-details
-                            v-if="isPresetCustomEnabled('status')"
-                            v-model="mainForm.status"
-                            :items="selectList('status')"
-                            v-on:change="modifyCase()"
-                            class="case-select"
-                          />
-                        </v-col>
-                      </v-row>
-                    </div>
-                    <v-toolbar dense flat>
-                      <v-toolbar-title>Details</v-toolbar-title>
-                      <v-spacer />
-                      <v-btn plain icon small class="mr-1" @click="toggleCollapse('case-details')">
-                        <v-icon style="font-size: 12px !important;" v-if="isCollapsed('case-details')">fa-angle-down</v-icon>
-                        <v-icon style="font-size: 12px !important;" v-if="!isCollapsed('case-details')">fa-angle-up</v-icon>
-                      </v-btn>
-                    </v-toolbar>
-                    <v-expand-transition mode="in-out">
-                      <v-form v-show="!isCollapsed('case-details')" v-model="mainForm.valid" class="mb-n4">
-                        <div class="mx-4 my-8 d-flex flex-column">
-                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseSeverity}}: </v-col>
-                            <v-col cols="12" id="case-severity" class="ml-2 pr-2">
-                              <v-select
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="!isPresetCustomEnabled('severity')"
-                                v-model="mainForm.severity"
-                                :items="selectList('severity')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                              <v-combobox
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="isPresetCustomEnabled('severity')"
-                                v-model="mainForm.severity"
-                                :items="selectList('severity')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                            </v-col>
-                          </v-row>
-                          <v-row no-gutters class="align-start d-inline-flex flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.casePriority}}: </v-col>
-                            <v-col id="case-priority" cols="12" class="ml-2 pr-2">
-                              <div class="d-flex align-start px-3 py-2 mb-4 case detail-field" v-if="!isEdit('case-priority')" @click="startEdit(mainForm.priority, 'case-priority')">
-                                <div class="mr-2">{{ mainForm.priority }}</div>
-                              </div>
-                              <div class="d-flex flex-column mb-n5" v-if="isEdit('case-priority')">
-                                <div class="mb-2">
-                                  <v-text-field outlined hide-details rows="3" dense no-resize v-model="editField.val" :rules="[rules.number]"/>
+                <v-col class="d-flex flex-column justify-center text-truncate">
+
+                    <v-expansion-panels multiple focusable v-model="expanded">
+                      <v-expansion-panel>
+                        <v-expansion-panel-header>
+                          <h3>{{ i18n.summary }}</h3>
+                        </v-expansion-panel-header>
+                        <v-expansion-panel-content class="my-2">
+                            <v-row class="clicktoedit" @click="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)">
+                              <v-col cols="12">
+                                <div class="font-weight-bold">{{i18n.caseAssignee}}: </div>
+                                <div id='case-assignee' class="case detail-field" v-if="!isEdit('case-assignee')">{{ withDefault(caseObj.assignee, i18n.unassigned) }}</div>
+                                <v-select id='case-assignee-input' v-if="isEdit('case-assignee')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseAssigneeHelp"
+                                  v-model="editForm.val"
+                                  :items="userList"
+                                  item-text="email"
+                                  item-value="id"
+                                  v-on:change="stopEdit(true)"
+                                />
+                              </v-col>
+                            </v-row>
+                            <v-row class="clicktoedit" @click="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)">
+                              <v-col cols="12">
+                                <div class="font-weight-bold">{{i18n.status}}: </div>
+                                <div id="case-status" class="case detail-field" v-if="!isEdit('case-status')">{{ withDefault(caseObj.status, i18n.unknown) }}</div>
+                                <v-select id="case-status-input" v-if="isEdit('case-status') && !isPresetCustomEnabled('status')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('status', caseObj.status)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                                <v-combobox id="case-status-input" v-if="isEdit('case-status') && isPresetCustomEnabled('status')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('status', caseObj.status)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                              </v-col>
+                            </v-row>
+                        </v-expansion-panel-content>
+                      </v-expansion-panel>
+
+                      <v-expansion-panel>
+                        <v-expansion-panel-header>
+                          <h3>{{ i18n.details }}</h3>
+                        </v-expansion-panel-header>
+                        <v-expansion-panel-content class="my-2">
+
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-severity-input', caseObj.severity, 'case-severity', 'severity', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.caseSeverity}}: </div>
+                                  <div id="case-severity" class="case detail-field" v-if="!isEdit('case-severity')">{{ withDefault(caseObj.severity, i18n.unknown) }}</div>
                                 </div>
-                                <div class="d-inline-flex justify-end">
-                                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="stopEdit()">
-                                    Cancel
-                                  </v-btn>
-                                  <v-btn :disabled="!mainForm.valid" text small color="primary" class="align-self-end" @click="saveEdit('priority')">
-                                    Save
-                                  </v-btn>
+                                <v-select id="case-severity-input" v-if="isEdit('case-severity') && !isPresetCustomEnabled('severity')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseSeverityHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('severity', caseObj.severity)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                                <v-combobox id="case-severity-input" v-if="isEdit('case-severity') && isPresetCustomEnabled('severity')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseSeverityHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('severity', caseObj.severity)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                              </v-col>
+                            </v-row>
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-priority-input', caseObj.priority, 'case-priority', 'priority', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.casePriority}}: </div>
+                                  <div id="case-priority" class="case detail-field" v-if="!isEdit('case-priority')">{{ caseObj.priority }}</div>
                                 </div>
-                              </div>
-                            </v-col>
-                          </v-row>
-                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTlp}}: </v-col>
-                            <v-col cols="12" id="case-tlp" class="ml-2 pr-2">
-                              <v-select
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="!isPresetCustomEnabled('tlp')"
-                                v-model="mainForm.tlp"
-                                :items="selectList('tlp')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
+                                <div v-if="isEdit('case-priority')">
+                                  <v-form v-model="editForm.valid">
+                                    <div class="mb-2">
+                                      <v-text-field id="case-priority-input" outlined hide-details="auto" rows="3" dense no-resize v-model="editForm.val" :rules="[rules.number]" persistent-hint :hint="i18n.casePriorityHelp"/>
+                                    </div>
+                                    <div class="d-inline-flex justify-end">
+                                      <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                        {{ i18n.cancel }}
+                                      </v-btn>
+                                      <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                        {{ i18n.save }}
+                                      </v-btn>
+                                    </div>
+                                  </form>
+                                </div>
+                              </v-col>
+                            </v-row>
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
+                                  <div id="case-tlp" class="case detail-field" v-if="!isEdit('case-tlp')">{{ withDefault(caseObj.tlp, i18n.unknown) }}</div>
+                                </div>
+                                <v-select id="case-tlp-input" v-if="isEdit('case-tlp') && !isPresetCustomEnabled('tlp')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('tlp', caseObj.tlp)"
+                                  v-on:change="stopEdit(true)"
+                                  />
+                                  <v-combobox id="case-tlp-input" v-if="isEdit('case-tlp') && isPresetCustomEnabled('tlp')"
+                                    dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                                    v-model="editForm.val"
+                                    :items="selectList('tlp', caseObj.tlp)"
+                                    v-on:change="stopEdit(true)"
+                                  />
+                                </v-select>
+                              </v-col>
+                            </v-row>
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.casePap}}: </div>
+                                  <div id="case-pap" class="case detail-field" v-if="!isEdit('case-pap')">{{ withDefault(caseObj.pap, i18n.unknown) }}</div>
+                                </div>
+                                <v-select id="case-pap-input" v-if="isEdit('case-pap') && !isPresetCustomEnabled('pap')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.casePapHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('pap', caseObj.pap)"
+                                  v-on:change="stopEdit(true)"
                                 />
-                                <v-combobox
-                                  dense
-                                  eager
-                                  outlined
-                                  hide-details
-                                  v-if="isPresetCustomEnabled('tlp')"
-                                  v-model="mainForm.tlp"
-                                  :items="selectList('tlp')"
-                                  v-on:change="modifyCase()"
-                                  class="case-select"
+                                <v-combobox id="case-pap-input" v-if="isEdit('case-pap') && isPresetCustomEnabled('pap')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.casePapHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('pap', caseObj.pap)"
+                                  v-on:change="stopEdit(true)"
                                 />
-                              </v-select>
-                            </v-col>
-                          </v-row>
-                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.casePap}}: </v-col>
-                            <v-col cols="12" id="case-pap" class="ml-2 pr-2">
-                              <v-select
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="!isPresetCustomEnabled('pap')"
-                                v-model="mainForm.pap"
-                                :items="selectList('pap')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                              <v-combobox
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="isPresetCustomEnabled('pap')"
-                                v-model="mainForm.pap"
-                                :items="selectList('pap')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                            </v-col>
-                          </v-row>
-                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseCategory}}: </v-col>
-                            <v-col cols="12" id="case-category" class="ml-2 pr-2">
-                              <v-select
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="!isPresetCustomEnabled('category')"
-                                v-model="mainForm.category"
-                                :items="selectList('category')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                              <v-combobox
-                                dense
-                                eager
-                                outlined
-                                hide-details
-                                v-if="isPresetCustomEnabled('category')"
-                                v-model="mainForm.category"
-                                :items="selectList('category')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              />
-                            </v-col>
-                          </v-row>
-                          <v-row no-gutters class="align-start d-inline-flex mb-4 flex-column" style="width: 100%">
-                            <v-col cols="12" class="mb-2 font-weight-bold">{{i18n.caseTags}}: </v-col>
-                            <v-col cols="12" id="case-tags" class="ml-2 pr-2">
-                              <v-select
-                                dense
-                                eager
-                                multiple
-                                outlined
-                                hide-details
-                                v-if="!isPresetCustomEnabled('tags')"
-                                v-model="mainForm.tags"
-                                :items="selectList('tags')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              >
-                                <template #selection="{ item }">
-                                  <v-chip color="primary">{{item}}</v-chip>
-                                </template>
-                              </v-select>
-                              <v-combobox
-                                eager
-                                multiple
-                                chips
-                                outlined
-                                hide-details
-                                v-if="isPresetCustomEnabled('tags')"
-                                v-model="mainForm.tags"
-                                :items="selectList('tags')"
-                                v-on:change="modifyCase()"
-                                class="case-select"
-                              >
-                                <template #selection="{ item }">
-                                  <v-chip color="primary">{{item}}</v-chip>
-                                </template>
-                              </v-combobox>
-                            </v-col>
-                          </v-row>
-                        </div>
-                      </div>
-                    </v-expand-transition>
-                  </v-card>
+                              </v-col>
+                            </v-row>
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-category-input', caseObj.category, 'case-category', 'category', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.caseCategory}}: </div>
+                                  <div id="case-category" class="case detail-field" v-if="!isEdit('case-category')">{{ withDefault(caseObj.category, i18n.unknown) }}</div>
+                                </div>
+                                <v-select id="case-category-input" v-if="isEdit('case-category') && !isPresetCustomEnabled('category')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseCategoryHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('category', caseObj.category)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                                <v-combobox id="case-category-input" v-if="isEdit('case-category') && isPresetCustomEnabled('category')"
+                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseCategoryHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('category', caseObj.category)"
+                                  v-on:change="stopEdit(true)"
+                                />
+                              </v-col>
+                            </v-row>
+                            <v-row>
+                              <v-col cols="12">
+                                <div class="clicktoedit" @click="startEdit('case-tags-input', caseObj.tags, 'case-tags', 'tags', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.caseTags}}: </div>
+                                  <div id="case-tags" class="case detail-field" v-if="!isEdit('case-tags')">
+                                    <v-chip class="mx-1" v-for="tag in caseObj.tags" color="primary">{{ tag }}</v-chip>
+                                  </div>
+                                </div>
+                                <v-select id="case-tags-input" v-if="isEdit('case-tags') && !isPresetCustomEnabled('tags')"
+                                  dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('tags', caseObj.tags)"
+                                  v-on:change="stopEdit(true)"
+                                >
+                                  <template #selection="{ item }">
+                                    <v-chip color="primary">{{item}}</v-chip>
+                                  </template>
+                                </v-select>
+                                <v-combobox id="case-tags-input" v-if="isEdit('case-tags') && isPresetCustomEnabled('tags')"
+                                  dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                                  v-model="editForm.val"
+                                  :items="selectList('tags', caseObj.tags)"
+                                  v-on:change="stopEdit(true)"
+                                >
+                                  <template #selection="{ item }">
+                                    <v-chip color="primary">{{item}}</v-chip>
+                                  </template>
+                                </v-combobox>
+                              </v-col>
+                            </v-row>
+                        </v-expansion-panel-content>
+                      </v-expansion-panel>
+                    </v-expansion-panels>
+
                   <div class="ml-2 mt-2">
-                    <div>
-                      <span class="case label details">{{ i18n.caseId }}:</span>
-                      <span class="case value details">{{ caseObj.id }}</span>
+                    <div class="case summary">
+                      <span class="case label">{{ i18n.caseId }}:</span>
+                      <span class="case value">{{ caseObj.id }}</span>
                     </div>
-                    <div>
-                      <span class="case label details">{{ i18n.author }}:</span>
-                      <span class="case value details">{{ caseObj.owner }}</span>
+                    <div class="case summary">
+                      <span class="case label">{{ i18n.author }}:</span>
+                      <span class="case value">{{ caseObj.owner }}</span>
                     </div>
-                    <div>
-                      <span class="case label details">{{ i18n.dateCreated }}:</span>
-                      <span class="case value details">{{ caseObj.createTime | formatDateTime}}</span>
+                    <div class="case summary">
+                      <span class="case label">{{ i18n.dateCreated }}:</span>
+                      <span class="case value">{{ caseObj.createTime | formatDateTime}}</span>
                     </div>
-                    <div>
-                      <span class="case label details">{{ i18n.dateModified }}:</span>
-                      <span class="case value details">{{ caseObj.updateTime | formatDateTime}}</span>
+                    <div class="case summary">
+                      <span class="case label">{{ i18n.dateModified }}:</span>
+                      <span class="case value">{{ caseObj.updateTime | formatDateTime}}</span>
                     </div>
-                    <div v-if="$root.formatDateTime(caseObj.completeTime) !== ''">
-                      <span class="case label details">{{ i18n.dateClosed }}:</span>
-                      <span class="case value details">{{ caseObj.completeTime | formatDateTime}}</span>
+                    <div class="case summary" v-if="$root.formatDateTime(caseObj.completeTime) !== ''">
+                      <span class="case label">{{ i18n.dateClosed }}:</span>
+                      <span class="case value">{{ caseObj.completeTime | formatDateTime}}</span>
                     </div>
                   </div>
                 </v-col>
               </v-row>
-            </v-form>
           </v-col>
         </v-row>
       </v-container>
diff --git a/html/js/app.js b/html/js/app.js
index f2581f95..4eefc032 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -29,14 +29,12 @@ $(document).ready(function() {
             nav: '#ffffff',
             drawer_background: '#f4f4f4',
             background: '#ffffff',
-            secondary: '#f5f5f5'
           },
           dark: {
             nav_background: '#12110d',
             nav: '#ffffff',
             drawer_background: '#353535',
             background: '#1e1e1e',
-            secondary: '#424242'
           },
         },
       },
@@ -691,6 +689,12 @@ $(document).ready(function() {
         
         return "#"+RR+GG+BB;
       },
+      getAvatar(user) {
+        if (user && user.length > 0) {
+          return user.charAt(0).toLocaleUpperCase();
+        }
+        return this.i18n.na;
+      },
       async getUsers() {
         try {
           const response = await this.papi.get('users/');
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 6d54cc6b..84c30725 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -42,6 +42,18 @@ const i18n = {
       alertEscalated: 'This alert has already been escalated',
       alertUndoAcknowledge: 'Undo Acknowledge',
       alerts: 'Alerts',
+      artifactDescription: 'Description',
+      artifactDescriptionHelp: 'Provide an optional description',
+      artifactIoc: 'IOC',
+      artifactIocHelp: 'Enable this field if this is an Indicator of Compromise',
+      artifactGroupType: 'Group Type',
+      artifactGroupId: 'Group ID',
+      artifactDescription: 'Description',
+      artifactType: 'Type',
+      artifactTypeHelp: 'Select a type for classification purposes (Note: choose "file" type to upload a file)',
+      artifactValue: 'Value (hash, filename, etc.)',
+      artifactValueHelp: 'Specify the observed value',
+      attachmentHelp: 'Click to attach a file to upload. (Note: max upload size is {maxUploadSizeBytes} bytes)',
       attempt: 'Attempt',
       author: 'Author',
       autohunt: 'Automatically Hunt after changing filters, groupings, and date-ranges',
@@ -49,6 +61,7 @@ const i18n = {
       beginTime: 'Filter Begin',
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       blog: 'Blog',
+      bytes: 'Bytes',
       cancel: 'Cancel',
       cases: 'Cases',
       caseAssignee: 'Assignee',
@@ -61,17 +74,18 @@ const i18n = {
       casePap: 'PAP',
       casePapHelp: 'Permissible Actions Protocol',
       casePriority: 'Priority',
-      casePriorityHelp: 'The numeric priority level of this case. Lower values typically indicate increasing importance.',
+      casePriorityHelp: 'Lower values typically indicate increasing importance.',
       caseSeverity: 'Severity',
       caseSeverityHelp: 'The severity classification for this case',
       caseStatus: 'Status',
       caseStatusHelp: 'Indicates the state of the case',
       caseTags: 'Tags',
-      caseTagsHelp: 'Separate multiple tags by comma (tbd)',
+      caseTagsHelp: 'Annotate with multiple, optional tags',
       caseTitle: 'Title',
       caseTitleHelp: 'Brief summary of the case',
       caseTlp: 'TLP',
       caseTlpHelp: 'Traffic Light Protocol',
+      category: 'Category',
 
       chartTitleBottom: 'Fewest Occurrences',
       chartTitleTimeline: 'Timeline',
@@ -81,6 +95,7 @@ const i18n = {
       collapse: 'Collapse',
       collapseHelp: 'Collapse all packet data',
       comments: 'Comments',
+      commentAdd: 'Add Comment',
       commentDescription: 'Comment',
       commentDescriptionHelp: 'Provide follow-up information to this case',
       completed: 'Completed',
@@ -92,6 +107,7 @@ const i18n = {
       copyToClipboard: 'Copy to clipboard',
       custom: 'Custom',
       darkMode: 'Dark Mode',
+      dataset: 'Dataset',
       dateClosed: 'Closed',
       dateCompleted: 'Date Completed',
       dateCreated: 'Created',
@@ -123,6 +139,7 @@ const i18n = {
       deleteUserTitle: 'Delete User',
       deleteUserConfirm: 'You are about to permanently delete this user:',
       description: 'Description',
+      details: 'Details',
       disconnected: 'Disconnected from manager',
       downloads: 'Downloads',
       downloadsFirewallTip: 'When installing packages such as osquery or beats onto remote systems be sure to run <code>so-allow</code> on the Security Onion Manager node to allow network access through the firewall.',
@@ -136,6 +153,7 @@ const i18n = {
       dstPort: 'Destination Port',
       dstPortHelp: 'Optional destination TCP port to include in this job filter',
       edit: 'Edit',
+      edited: '(edited)',
       email: 'Email Address',
       emailHelp: 'Specify a valid email address. Contact your administrator for new account creation.',
       emailRequired: 'An email address must be specified.',
@@ -164,6 +182,9 @@ const i18n = {
       eventLookupFailed: 'The event lookup could not be completed.',
       eventRoundTripTook: 'The total round trip took ',
       eventTotal: 'Total Found: ',
+      evidence: 'Observables',
+      evidenceAdd: 'Add Observable',
+      evidenceHelp: 'Important data relevant to this case',
       expand: 'Expand',
       expandHelp: 'Expand all packet data',
       incomplete: 'Incomplete',
@@ -179,6 +200,9 @@ const i18n = {
       field_soc_id: 'Event ID',
       field_soc_timestamp: 'Timestamp',
 
+      fileTooLarge: 'The chosen file is too large to upload; max file size is {maxUploadSizeBytes} bytes',
+      fileEmpty: 'The chosen file appears to have no content; consider using a "filename" artifact instead',
+
       filterDrilldown: 'Drilldown',
       filterDrilldownHelp: 'Drilldown into this value',
       filterExact: 'Only',
@@ -204,6 +228,7 @@ const i18n = {
       home: 'Overview',
       hours: 'hours',
       hunt: 'Hunt',
+      huntForEvent: 'Hunt for this event',
       huntHelp: 'Start a new hunt based on the current filters',
       id: 'ID',
       importId: 'Import ID',
@@ -229,6 +254,7 @@ const i18n = {
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
       jobs: 'PCAP',
+      kind: 'Kind',
       last: 'Last',
       lastName: 'Last Name',
       length: 'Length',
@@ -244,12 +270,14 @@ const i18n = {
       loginTitle: 'Login to Security Onion',
       logout: 'Logout',
       logoutFailure: 'Unable to initiate logout. Ensure server is accessible.',
+      message: 'Message',
       minutes: 'minutes',
       model: 'Model',
       months: 'months',
       mruQuery: 'Recently Used',
       mruQueryHelp: 'This query is a user-defined query and is only available on this browser.',
       na: 'N/A',
+      no: 'No',
       noData: 'No information is currently available.',
       nodeExpandHelp: 'Show node details',
       nodeExpand: 'Expand',
@@ -264,7 +292,9 @@ const i18n = {
       ok: 'OK',
       offline: 'Offline',
       online: 'Online',
+      operation: 'Operation',
       options: 'Options',
+      order: 'Order',
       owner: 'Owner',
       packages: 'Packages',
       packets: 'Captured Packets',
@@ -288,6 +318,7 @@ const i18n = {
       reason: 'Reason',
       reconnecting: 'Attempting to connect to manager',
       refresh: 'Refresh',
+      relatedEventId: 'Related Event ID',
       relativeTimeHelp: 'Click the clock icon to change to absolute time',
       required: 'Required.',
       resetDefaults: 'Reset Defaults',
@@ -343,8 +374,11 @@ const i18n = {
       srcPort: 'Source Port',
       srcPortHelp: 'Optional source TCP port to include in this job filter',
       status: 'Status',
+      summary: 'Summary',
+      tcs: 'T&C\'s',
       terms: 'Terms and Conditions',
       termDetails: '<h3>Disclaimer of Warranty</h3>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM .AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.<p><h3>Limitation of Liability</h3>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.',
+      time: 'Time',
       timePickerHelp: 'Choose the timespan to search, or click the calendar icon to switch to relative time',
       timePickerFormat: 'YYYY/MM/DD hh:mm:ss A',
       timePickerSample: '2006/01/02 3:04:05 PM',
@@ -368,6 +402,7 @@ const i18n = {
       toolTheHiveHelp: 'Case Management',
       transcriptCyberChefHelp: 'Send the transcript to CyberChef',
       type: 'Type',
+      unassigned: 'Unassigned',
       unknown: 'Unknown',
       unwrapHelp: 'Unwrap packets from encapsulation (Ex: VXLAN)',
       update: 'Update',
@@ -377,12 +412,15 @@ const i18n = {
       updateSuccessful: 'Update successful',
       uptime: 'Uptime',
       user: 'User Details',
+      username: 'User',
       users: 'Users',
+      value: 'Value',
       version: 'Version',
       view: 'View',
       viewCase: 'Case Details',
       weeks: 'weeks',
       whatsnew: 'What\'s New',
+      yes: 'Yes',
 
       CASE_MODULE_NOT_ENABLED: 'A case module has not been configured for this installation. Unable to proceed with request.',
       QUERY_INVALID__GROUP_EMPTY: 'The search query has an empty group.',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 51b9d6d9..1d14ca20 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -8,13 +8,14 @@
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
+const MAX_TIMEOUT_ATTEMPTS=20;
+
 routes.push({ path: '/case/:id', name: 'case', component: {
   template: '#page-case',
   data() { return {
     i18n: this.$root.i18n,
     caseObj: {},
     associationsLoading: false,
-    search: '',
     associations: {
       comments: [],
       artifacts: [],
@@ -22,72 +23,115 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       tasks: [],
       history: []
     },
-    headers: {
-      comments: [],
-      artifacts: [],
-      events: [],
-      tasks: [],
-      history: []
-    },
-    sortBy: 'number',
-    sortDesc: false,
-    itemsPerPage: 10,
-    footerProps: { 'items-per-page-options': [10,50,250,1000] },
-    count: 500,
-    userList: [],
-    collapsed: [
-      'case-details'
-    ],
-    collapsible: {},
-    mainForm: {
-      valid: false,
-      title: null,
-      assigneeId: null,
-      status: null,
-      id: null,
-      description: null,
-      severity: null,
-      priority: null,
-      tags: null,
-      tlp: null,
-      pap: null,
-      category: null
-    },
-    associatedForm: {
-      description: '',
-      valid: false
-    },
-    associatedForms: {
+    associatedTable: {
       comments: {
-        id: ""
+        sortBy: 'createTime',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.username, value: 'owner' },
+          { text: this.$root.i18n.dateCreated, value: 'createTime' },
+          { text: this.$root.i18n.dateModified, value: 'updateTime' },
+          { text: this.$root.i18n.commentDescription, value: 'description' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
+      },
+      artifacts: {
+        sortBy: 'createTime',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.dateCreated, value: 'createTime' },
+          { text: this.$root.i18n.dateModified, value: 'updateTime' },
+          { text: this.$root.i18n.artifactType, value: 'artifactType' },
+          { text: this.$root.i18n.value, value: 'value' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
+      },
+      events: {
+        sortBy: 'fields.timestamp',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.actions },
+          { text: this.$root.i18n.timestamp, value: 'fields.timestamp' },
+          { text: this.$root.i18n.category, value: 'fields["event.category"]' },
+          { text: this.$root.i18n.dataset, value: 'fields["event.dataset"]' },
+          { text: this.$root.i18n.message, value: 'fields.message' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
       },
       tasks: {
-        id: "",
-        status: ""
+        sortBy: 'order',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.order, value: 'order' },
+          { text: this.$root.i18n.summary, value: 'summary' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
+      },
+      history: {
+        sortBy: 'updateTime',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.username, value: 'owner' },
+          { text: this.$root.i18n.time, value: 'updateTime' },
+          { text: this.$root.i18n.kind, value: 'kind' },
+          { text: this.$root.i18n.operation, value: 'operation' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
       },
-      artifacts: {
-        id: ""
-      }
     },
-    editField: {},
+    userList: [],
+    expanded: [0, 1],
+    associatedForms: {
+      comments: {},
+      artifacts: {},
+    },
+    editForm: {},
     mruCaseLimit: 5,
     mruCases: [],
     presets: {},
     rules: {
-      required: value => (value != [] && value != "") || this.$root.i18n.required,
+      required: value => (value && value.length > 0) || this.$root.i18n.required,
       number: value => (! isNaN(+value) && Number.isInteger(parseFloat(value))) || this.$root.i18n.required,
       shortLengthLimit: value => (value.length < 100) || this.$root.i18n.required,
       longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
+      fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
+      fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
     },
+    attachment: null,
+    maxUploadSizeBytes: 26214400,
   }},
   computed: {
   },
-  created() {
+  created() {   
   },
   async mounted() {
-    await this.loadData();
     this.$root.loadParameters('case', this.initCase);
-    this.updateCollapsible('case-description'); // Update collapsible state for description manually
+    await this.loadData();
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -96,17 +140,28 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     '$route': 'loadData',
   },
   methods: {
-    selectList(field) {
-      const presets = this.getPresets(field)
-      return this.isPresetCustomEnabled(field) && this.mainForm[field] !== null 
-        ? presets.concat(this.mainForm[field]) 
-        : presets
-    },
     initCase(params) {
       this.params = params;
       this.mruCaseLimit = params["mostRecentlyUsedLimit"];
       this.presets = params["presets"];
+      if (params["maxUploadSizeBytes"]) {
+        this.maxUploadSizeBytes = params.maxUploadSizeBytes;
+      }
       this.loadLocalSettings();
+      this.resetForm('artifacts');
+      this.resetForm('comments');
+    },
+    getAttachmentHelp() {
+      return this.i18n.attachmentHelp.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes));
+    },
+    getDefaultPreset(preset) {
+      if (this.presets) {
+        const presets = this.presets[preset];
+        if (presets && presets.labels && presets.labels.length > 0) {
+          return presets.labels[0];
+        }
+      }
+      return "";
     },
     async loadAssociations() {
       this.associationsLoading = true;
@@ -130,10 +185,11 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     async loadAssociation(dataType, extraPath = "") {
       try {
+        const route = this;
         const response = await this.$root.papi.get('case/' + dataType + extraPath, { params: {
-          id: this.$route.params.id,
-          offset: this.associations[dataType].length,
-          count: this.count,
+          id: route.$route.params.id,
+          offset: route.associations[dataType].length,
+          count: route.associatedTable[dataType].count,
         }});
         if (response && response.data) {
           for (var idx = 0; idx < response.data.length; idx++) {
@@ -146,6 +202,28 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.showError(error);
       }
     },
+    expandRow(association, row) {
+      const expanded = this.associatedTable[association].expanded;
+      for (var i = 0; i < expanded.length; i++) {
+        if (expanded[i].id == row.id) {
+          expanded.splice(i, 1);
+          return;
+        }
+      }
+      expanded.push(row);
+    },    
+    withDefault(value, deflt) {
+      if (value == null || value == undefined || value == "") {
+        value = deflt;
+      }
+      return value;
+    },
+    selectList(field, value) {
+      const presets = this.getPresets(field);
+      return this.isPresetCustomEnabled(field) && value
+        ? presets.concat(value)
+        : presets
+    },
     getPresets(kind) {
       if (this.presets && this.presets[kind]) {
         return this.presets[kind].labels;
@@ -195,39 +273,42 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.$root.subscribe("case", this.updateCase);
     },
     async updateCaseDetails(caseObj) {
-      this.mainForm.id = caseObj.id;
-      this.mainForm.title = caseObj.title;
-      this.mainForm.description = caseObj.description;
-      this.mainForm.severity = caseObj.severity;
-      this.mainForm.priority = caseObj.priority;
-      this.mainForm.status = caseObj.status;
-      this.mainForm.tags = caseObj.tags;
-      this.mainForm.tlp = caseObj.tlp;
-      this.mainForm.pap = caseObj.pap;
-      this.mainForm.category = caseObj.category;
-      this.mainForm.assigneeId = caseObj.assigneeId;
-      await this.$root.populateUserDetails(caseObj, "userId", "owner");
-      await this.$root.populateUserDetails(caseObj, "assigneeId", "assignee");
+      await this.$root.populateUserDetails(caseObj, "userId", "owner", this.i18n.unknown);
+      await this.$root.populateUserDetails(caseObj, "assigneeId", "assignee", this.i18n.unassigned);
       this.addMRUCaseObj(caseObj);
       this.caseObj = caseObj;
     },
-    async modifyCase(keyStr = null) {
+
+    prepareModifyForm(obj) {
+      const form = {...obj};
+      let val = this.editForm.val;
+      if (typeof this.editForm.orig == 'number' &&
+          typeof val == 'string') {
+        val = parseInt(val, 10);
+      }
+      
+      if (form[this.editForm.field] == val) return false;
+
+      form[this.editForm.field] = val;
+      delete form.kind;
+      delete form.operation;
+      return form;
+    },
+
+    async modifyCase() {
+      let success = false;
       this.$root.startLoading();
       try {
-        let jsonObj = {...this.mainForm };
-        if (keyStr !== null) {
-          jsonObj[keyStr] = this.editField.val;
-        }
-        // Convert priority to int
-        jsonObj.priority = parseInt(jsonObj.priority, 10);
-        // if (jsonObj.tags) {
-        //   jsonObj.tags = jsonObj.tags.split(",").map(tag => tag.trim());
-        // } else { jsonObj.tags = []; }
-        const json = JSON.stringify(jsonObj);
-        const response = await this.$root.papi.put('case/', json);
-        if (response.data) {
-          this.stopEdit();
-          await this.updateCaseDetails(response.data);
+        const form = this.prepareModifyForm(this.caseObj);
+        if (form) {
+          const response = await this.$root.papi.put('case/', JSON.stringify(form));
+          if (response.data) {
+            this.stopEdit();
+            await this.updateCaseDetails(response.data);
+            success = true;
+          }
+        } else {
+          success = true; // no change detected, allow edit mode to exit
         }
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
@@ -236,47 +317,63 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           this.$root.showError(error);
         }
       }
-      // Also update description collapsible bool when the description has been changed
-      if (keyStr === 'description') {
-        this.updateCollapsible('case-description');
-      }
       this.$root.stopLoading();
+      return success;
     },
-    async addAssociation(association) {
+    async addAssociation(association, additionalProps) {
+      if (this.$refs && this.$refs[association] && !this.$refs[association].validate()) {
+        return;
+      }
       this.$root.startLoading();
       try {
-        const req = {
-          id: '',
-          caseId: this.caseObj.id,
-          description: this.associatedForm.description
+        const form = this.associatedForms[association];
+        if (additionalProps) {
+          Object.assign(form, additionalProps);
         }
-        const response = await this.$root.papi.post('case/' + association, JSON.stringify(req));
+        form.caseId = this.caseObj.id;
+        form.id = '';
+
+        let config = undefined;
+        let data = JSON.stringify(form);
+        if (this.attachment) {
+          let jsonData = data;
+          data = new FormData();
+          data.append("json", jsonData);
+          data.append("attachment", this.attachment);
+          headers = { 'Content-Type': 'multipart/form-data; boundary=' + data._boundary }
+          config = { 'headers': headers };
+        }
+        const response = await this.$root.papi.post('case/' + association, data, config);
         if (response.data) {
           await this.$root.populateUserDetails(response.data, "userId", "owner");
           this.associations[association].push(response.data);
+          this.resetForm(association);
         }
-        this.associatedForm.description = ''
       } catch (error) {
         this.$root.showError(error);
       }
+      // always clear file, even if failure. Otherwise there's a risk that the file could be sent on 
+      // all subsequent artifacts.
+      this.attachment = null;
       this.$root.stopLoading();
     },
-    async modifyAssociation(association, obj, htmlId = null) {
+    async modifyAssociation(association, obj) {
+      let success = false;
       let idx = this.associations[association].findIndex((x) =>  x.id === obj.id)
       if (idx > -1) {
         this.$root.startLoading();
         try {
-          const req = {
-            id: obj.id,
-            caseId: this.caseObj.id,
-            description: this.editField.val
-          }
-          const response = await this.$root.papi.put('case/' + association, JSON.stringify(req));
-          if (response.data) {
-            await this.$root.populateUserDetails(response.data, "userId", "owner");
-            Vue.set(this.associations[association], idx, response.data);
+          const form = this.prepareModifyForm(obj);
+          if (form) {
+            const response = await this.$root.papi.put('case/' + association, JSON.stringify(form));
+            if (response.data) {
+              await this.$root.populateUserDetails(response.data, "userId", "owner");
+              Vue.set(this.associations[association], idx, response.data);
+              success = true;
+            }
+          } else {
+            success = true; // no change detected, allow edit mode to exit
           }
-          if (htmlId !== null ) this.updateCollapsible(htmlId);
         } catch (error) {
           if (error.response != undefined && error.response.status == 404) {
             this.$root.showError(this.i18n.notFound);
@@ -284,9 +381,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             this.$root.showError(error);
           }
         }
-        this.stopEdit();
         this.$root.stopLoading();
       }
+      return success;
     },
     async deleteAssociation(association, obj) {
       const idx = this.associations[association].indexOf(obj);
@@ -306,14 +403,76 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         }
         this.$root.stopLoading();
       }
-    },    
-    editComment(comment, htmlId) {
-      this.associatedForms['comments'].id = comment.id;
-      this.startEdit(comment.description, htmlId)
     },
-    cancelComment() {
-      this.associatedForms['comments'].id = "";
+
+    isEdit(roId) {
+      return this.editForm.roId == roId;
+    },
+    startEdit(focusId, val, roId, field, callback, callbackArgs, isMultiline) {
+      if (this.editForm.focusId == focusId) {
+        // We're already editing this field.
+        return;
+      }
+      if (this.stopEdit(true)) {
+        this.editForm.focusId = focusId;
+        this.editForm.orig = val;
+        this.editForm.val = val;
+        this.editForm.roId = roId;
+        this.editForm.field = field;
+        this.editForm.callback = callback;
+        this.editForm.callbackArgs = callbackArgs;
+        this.editForm.isMultiline = isMultiline;
+        window.addEventListener("keyup", this.onEditKeyUp);
+        const route = this;
+        this.$nextTick(() => {
+          let element = document.getElementById(this.editForm.focusId);
+          if (element) {
+            element.focus();
+          }
+        });
+      }
     },
+    async stopEdit(save = false) {
+      let okToClear = true;
+      if (save && this.editForm && this.editForm.callback) {
+        if (this.editForm.valid) {
+          if (this.editForm.callbackArgs) {
+            okToClear = await this.editForm.callback(...this.editForm.callbackArgs);
+          } else {
+            okToClear = await this.editForm.callback();
+          }
+        } else {
+          okToClear = false;
+        }
+      }
+      if (okToClear) {
+        this.editForm = { valid: true };
+        window.removeEventListener("keyup", this.onEditKeyUp);
+      }
+      return okToClear;
+    },
+    onEditKeyUp(event) {
+      switch (event.which) {
+        case 27: this.stopEdit(); break;
+        case 13: if (!this.editForm.isMultiline) this.stopEdit(true); break;
+      }
+    },
+    resetForm(ref) {
+      const form = { valid: false };
+      switch (ref) {
+        case "artifacts": 
+          form.tlp = this.getDefaultPreset('tlp');
+          form.artifactType = this.getDefaultPreset('artifactType');
+          break;
+      }
+      Vue.set(this.associatedForms, ref, form)
+    },
+    isEdited(association) {
+      const createTime = Date.parse(association.createTime);
+      const updateTime = Date.parse(association.updateTime);
+      return Math.abs(updateTime - createTime) >= 1000;
+    },
+     
     updateCase(caseObj) {
       // No-op until we can detect if the user has made any changes to the form. We don't
       // want to wipe out a long description they might be working on typing.
@@ -322,59 +481,13 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.updateCaseDetails(caseObj)
       // this.loadAssociations();
     },
-    isEdit(id) {
-      return this.editField.id === id;
-    },
-    startEdit(val, id) {
-      this.editField = {
-        val,
-        id
-      };
-    },
-    stopEdit() {
-      // Clear all edit values
-      this.editField = {}
-      this.associatedForm.description = ''
-    },
-    async saveEdit(keyStr) {
-      if (this.mainForm[keyStr] === this.editField.val) {
-        this.stopEdit();
-      } else {
-        await this.modifyCase(keyStr);
-      }
-    },
+
     saveLocalSettings() {
       localStorage['settings.case.mruCases'] = JSON.stringify(this.mruCases);
     },
     loadLocalSettings() {
       if (localStorage['settings.case.mruCases']) this.mruCases = JSON.parse(localStorage['settings.case.mruCases']);
     },
-    updateCollapsible(id) {
-      if (! Object.keys(this.collapsible).includes(id)) {
-        this.collapsible[id] = false;
-      }
-      this.$nextTick(() => {
-        let element = document.getElementById(id);
-        let retVal = element.offsetHeight < element.scrollHeight || element.offsetWidth < element.scrollWidth;
-        this.collapsible[id] = retVal;
-      })
-    },
-    isCollapsible(item) {
-      if ((Object.keys(this.collapsible).indexOf(item) === -1)) {
-        this.updateCollapsible(item)
-      }
-      return (this.collapsible[item] === true)
-    },
-    toggleCollapse(item) {
-      if (!this.isCollapsed(item)) {
-        this.collapsed.push(item);
-      } else {
-        this.collapsed.splice(this.collapsed.indexOf(item), 1);
-      }
-    },
-    isCollapsed(item) {
-      return (this.collapsed.indexOf(item) !== -1);
-    }
   }
 }});
 
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 3a885226..17ad4c26 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -37,12 +37,17 @@ const fakeComment = {
   id: 'myCommentId',
   description: 'myDescription',
 };
+const fakeComment2 = {
+  userId: 'myUserId2',
+  id: 'myCommentId2',
+  description: 'myDescription2',
+};
 const fakeFormKeyStr = 'description';
 const fakeEditVal = 'fakeVal';
 const fakeId = 'fakeId';
 const fakeEditFieldObj = {
   val: fakeEditVal,
-  id: fakeId
+  field: fakeId
 };
 
 let comp;
@@ -134,7 +139,7 @@ test('loadSingleAssociation', async () => {
   const params = { params: {
           id: 'myUserId',
           offset: 0,
-          count: comp.count,
+          count: 500,
         }};
 
   resetPapi();
@@ -163,16 +168,6 @@ test('loadSignleAssociationError', async () => {
 });
 
 expectCaseDetails = () => {
-  expect(comp.mainForm.id).toBe(fakeCase.id);
-  expect(comp.mainForm.title).toBe(fakeCase.title);
-  expect(comp.mainForm.description).toBe(fakeCase.description);
-  expect(comp.mainForm.severity).toBe(fakeCase.severity);
-  expect(comp.mainForm.priority).toBe(fakeCase.priority);
-  expect(comp.mainForm.status).toBe(fakeCase.status);
-  expect(comp.mainForm.tlp).toBe(fakeCase.tlp);
-  expect(comp.mainForm.pap).toBe(fakeCase.pap);
-  expect(comp.mainForm.category).toBe(fakeCase.category);
-  expect(comp.mainForm.tags).toBe(fakeCase.tags);
   expect(comp.caseObj).toBe(fakeCase);
   expect(comp.caseObj.owner).toBe(fakeEmail);
   expect(comp.caseObj.assignee).toBe(fakeAssigneeEmail);
@@ -223,24 +218,26 @@ test('modifyCase', async () => {
   // API call #2 is to get the user list
   const getMock = mockPapi("get", {'data':fakeUsers});
 
-  comp.mainForm.priority = '' + fakePriority;
-  comp.mainForm.severity = fakeSeverity;
-  comp.mainForm.id = 'myCaseId';
-  comp.mainForm.title = 'myTitle';
-  comp.mainForm.description = 'myDescription';
-  comp.mainForm.status = 'open';
-  comp.mainForm.tlp = 'myTlp';
-  comp.mainForm.pap = 'myPap';
-  comp.mainForm.category = 'myCategory';
-  comp.mainForm.tags = ['tag1', 'tag2'];
-  comp.mainForm.assigneeId = 'myAssigneeId';
+  comp.caseObj.priority = '' + fakePriority;
+  comp.caseObj.severity = fakeSeverity;
+  comp.caseObj.id = 'myCaseId';
+  comp.caseObj.title = 'myTitle';
+  comp.caseObj.description = 'myDescription';
+  comp.caseObj.status = 'open';
+  comp.caseObj.tlp = 'myTlp';
+  comp.caseObj.pap = 'myPap';
+  comp.caseObj.category = 'myCategory';
+  comp.caseObj.tags = ['tag1', 'tag2'];
+  comp.caseObj.assigneeId = 'myAssigneeId';
+  comp.editForm.val = "myNewDescription";
+  comp.editForm.field = "description"
   const showErrorMock = mockShowError(true);
 
   expect(comp.mruCases.length).toBe(0);
 
   await comp.modifyCase();
 
-  const body =  "{\"valid\":false,\"title\":\"myTitle\",\"assigneeId\":\"myAssigneeId\",\"status\":\"open\",\"id\":\"myCaseId\",\"description\":\"myDescription\",\"severity\":\"High\",\"priority\":33,\"tags\":[\"tag1\",\"tag2\"],\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\"}";
+  const body =  "{\"priority\":\"33\",\"severity\":\"High\",\"id\":\"myCaseId\",\"title\":\"myTitle\",\"description\":\"myNewDescription\",\"status\":\"open\",\"tlp\":\"myTlp\",\"pap\":\"myPap\",\"category\":\"myCategory\",\"tags\":[\"tag1\",\"tag2\"],\"assigneeId\":\"myAssigneeId\"}";
   expect(putMock).toHaveBeenCalledWith('case/', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expectCaseDetails();
@@ -254,6 +251,11 @@ test('modifyCaseNotFound', async () => {
   const error = new Error("not found")
   error.response = { status: 404 };
   mockPapi("put", null, error);
+
+  comp.caseObj.description = 'myDescription';
+  comp.editForm.val = "myNewDescription";
+  comp.editForm.field = "description"
+
   await comp.modifyCase();
   expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
 });
@@ -261,6 +263,11 @@ test('modifyCaseNotFound', async () => {
 test('modifyCaseError', async () => {
   const showErrorMock = mockShowError();
   mockPapi("put", null, new Error("something bad"));
+
+  comp.caseObj.description = 'myDescription';
+  comp.editForm.val = "myNewDescription";
+  comp.editForm.field = "description"
+
   await comp.modifyCase();
   expect(showErrorMock).toHaveBeenCalledTimes(1);
 });
@@ -268,15 +275,15 @@ test('modifyCaseError', async () => {
 test('addAssociation', async () => {
   const mock = mockPapi("post", {'data':fakeComment});
 
-  comp.associatedForm.description = 'myDescription';
+  comp.associatedForms['comments'].description = 'myDescription';
   comp.caseObj.id = 'myCaseId';
   const showErrorMock = mockShowError();
   expect(comp.associations['comments'].length).toBe(0);
 
   await comp.addAssociation('comments');
 
-  const body =  "{\"id\":\"\",\"caseId\":\"myCaseId\",\"description\":\"myDescription\"}";
-  expect(mock).toHaveBeenCalledWith('case/comments', body);
+  const body =  "{\"description\":\"myDescription\",\"caseId\":\"myCaseId\",\"id\":\"\"}";
+  expect(mock).toHaveBeenCalledWith('case/comments', body, undefined);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
   expect(comp.$root.loading).toBe(false);
@@ -300,18 +307,16 @@ test('modifyAssociation', async () => {
   const showErrorMock = mockShowError();
 
   comp.caseObj.id = 'myCaseId';
-  comp.editField.val = 'myDescription2';
+  comp.editForm.val = 'myDescription2';
+  comp.editForm.field = 'description';
   comp.associations['comments'] = [fakeComment];
-  comp.updateCollapsible = jest.fn();
-  await comp.modifyAssociation('comments', fakeComment, fakeId);
+  await comp.modifyAssociation('comments', fakeComment);
 
-  const body = "{\"id\":\"myCommentId\",\"caseId\":\"myCaseId\",\"description\":\"myDescription2\"}";
+  const body = "{\"userId\":\"myUserId\",\"id\":\"myCommentId\",\"description\":\"myDescription2\",\"owner\":\"my@email.invalid\"}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
   expect(comp.associations['comments'][0].description).toBe('myDescription2');
-  expect(comp.updateCollapsible).toHaveBeenCalledTimes(1)
-  expect(comp.updateCollapsible).toHaveBeenCalledWith(fakeId);
   expect(comp.$root.loading).toBe(false);
 });
 
@@ -320,7 +325,7 @@ test('modifyAssociationNotFound', async () => {
   const error = new Error("not found")
   error.response = { status: 404 };
   mockPapi("put", null, error);
-  comp.associatedForm.id = fakeComment.id;
+  comp.editForm.val = fakeComment.id;
   comp.associations['comments'] = [fakeComment];
   await comp.modifyAssociation('comments', fakeComment, fakeId);
   expect(showErrorMock).toHaveBeenCalledWith(comp.i18n.notFound);
@@ -329,7 +334,8 @@ test('modifyAssociationNotFound', async () => {
 test('modifyAssociationError', async () => {
   const showErrorMock = mockShowError();
   mockPapi("put", null, new Error("something bad"));
-  comp.associatedForm.id = fakeComment.id;
+  comp.editForm.val = "new desc";
+  comp.editForm.field = "description";
   comp.associations['comments'] = [fakeComment];
   await comp.modifyAssociation('comments', fakeComment, fakeId);
   expect(showErrorMock).toHaveBeenCalledTimes(1);
@@ -372,16 +378,16 @@ test('deleteAssociationError', async () => {
   expect(showErrorMock).toHaveBeenCalledTimes(1);
 });
 
-test('editComment', () => {
-  comp.editComment(fakeComment);
-  expect(comp.associatedForms['comments'].id).toBe(fakeComment.id);
-  expect(comp.editField.val).toBe(fakeComment.description);
+test('resetFormComments', () => {
+  comp.associatedForms['comments'].description = "something";
+  comp.resetForm('comments');
+  expect(comp.associatedForms['comments'].description).toBe(undefined);
 });
 
-test('cancelComment', () => {
-  comp.cancelComment(fakeComment);
-  expect(comp.associatedForms['comments'].id).toBe("");
-  expect(comp.associatedForm.description).toBe("");
+test('resetFormArtifacts', () => {
+  comp.associatedForms['artifacts'].description = "something";
+  comp.resetForm('artifacts');
+  expect(comp.associatedForms['artifacts'].description).toBe(undefined);
 });
 
 test('presets', () => {
@@ -422,156 +428,67 @@ test('presets', () => {
 });
 
 test('isEdit', () => {
-  comp.editField = fakeEditFieldObj;
+  comp.editForm.roId = "fakeId";
   expect(comp.isEdit('fakeId')).toBe(true);
 })
 
 test('isEdit_False', () => {
-  comp.editField = fakeEditFieldObj;
+  comp.editForm = fakeEditFieldObj;
 
   expect(comp.isEdit('otherFakeId')).toBe(false);
 })
 
 test('startEdit', () => {
-
-  comp.startEdit(fakeEditVal, fakeId);
-
-  const expectedObj = { val: 'fakeVal', id: 'fakeId' };
-  expect(comp.editField).toStrictEqual(expectedObj);
+  const fn = jest.fn();
+
+  comp.startEdit('myFid', 'myVal', 'myRoId', 'myField', fn, ['foo'], true);
+
+  const expectedObj = { 
+    callback: fn,
+    callbackArgs: ['foo'],
+    field: 'myField',
+    focusId: 'myFid',
+    isMultiline: true,
+    orig: 'myVal',
+    roId: 'myRoId',
+    val: 'myVal',
+    valid: true,    
+  };
+  expect(comp.editForm).toStrictEqual(expectedObj);
 })
 
 test('stopEdit', () => {
-  comp.editField = fakeEditFieldObj;
+  comp.editForm = fakeEditFieldObj;
 
   comp.stopEdit();
 
-  expect(comp.editField).toStrictEqual({})
+  expect(comp.editForm).toStrictEqual({valid:true})
 })
 
-test('saveEdit', async () => {
-  comp.mainForm[fakeFormKeyStr] = 'fakeValOld';
-  comp.editField.val = fakeEditVal;
-
-  comp.stopEdit = jest.fn();
+test('stopEditSave', async () => {
+  const fn = jest.fn();
+  comp.editForm.field = 'fakeValOld';
+  comp.editForm.val = 'fakeEditVal';
+  comp.editForm.valid = true
+  comp.editForm.callback = fn;
   comp.modifyCase = jest.fn();
 
-  await comp.saveEdit('description')
+  await comp.stopEdit(true)
 
-  expect(comp.stopEdit).toHaveBeenCalledTimes(0);
-  expect(comp.modifyCase).toHaveBeenCalledTimes(1);
-  expect(comp.modifyCase).toHaveBeenCalledWith('description');
+  expect(fn).toHaveBeenCalledTimes(1);
 })
 
-test('saveEdit_NoChanges', async () => {
-  comp.mainForm[fakeFormKeyStr] = fakeEditVal;
-  comp.editField.val = fakeEditVal;
-  comp.stopEdit = jest.fn();
+test('saveEditInvalidForm', async () => {
+  const fn = jest.fn();
+  comp.editForm.field = 'fakeValOld';
+  comp.editForm.val = 'fakeEditVal';
+  comp.editForm.valid = false
+  comp.editForm.callback = fn;
   comp.modifyCase = jest.fn();
 
-  await comp.saveEdit('description');
-
-  expect(comp.stopEdit).toHaveBeenCalledTimes(1);
-  expect(comp.modifyCase).toHaveBeenCalledTimes(0);
-})
-
-test('updateCollapsible_HeightOverflow', () => {
-  const fakeElement = {
-    offsetHeight: 10,
-    scrollHeight: 11
-  };
-  document.getElementById = jest.fn(_ => fakeElement);
-  comp.updateCollapsible(fakeId);
-
-  expect(comp.collapsible).toStrictEqual({'fakeId': true});
-})
-
-test('updateCollapsible_WidthOverflow', () => {
-  const fakeElement = {
-    offsetWidth: 10,
-    scrollWidth: 11
-  };
-  document.getElementById = jest.fn(_ => fakeElement);
-  comp.updateCollapsible(fakeId);
-
-  expect(comp.collapsible).toStrictEqual({'fakeId': true});
-})
-
-test('updateCollapsible_NoOverflow', () => {
-  const fakeElement = {
-    offsetHeight: 10,
-    scrollHeight: 10
-  };
-  document.getElementById = jest.fn(_ => fakeElement);
-  comp.updateCollapsible(fakeId);
-
-  expect(comp.collapsible).toStrictEqual({'fakeId': false});
-})
-
-test('updateCollapsible_RemoveId', () => {
-  const fakeElement = {
-    offsetHeight: 10,
-    scrollHeight: 10
-  };
-  comp.collapsible = {fakeId: true}
-
-  document.getElementById = jest.fn(_ => fakeElement);
-  comp.updateCollapsible(fakeId);
-
-  expect(comp.collapsible).toStrictEqual({'fakeId': false});
-})
-
-test('updateCollapsible_StillCollapsible', () => {
-  const fakeElement = {
-    offsetHeight: 10,
-    scrollHeight: 11
-  };
-  comp.collapsible = {fakeId: true}
-
-  document.getElementById = jest.fn(_ => fakeElement);
-  comp.updateCollapsible(fakeId);
+  await comp.stopEdit(true)
 
-  expect(comp.collapsible).toStrictEqual({'fakeId': true});
-})
-
-test('isCollapsible', () => {
-  comp.collapsible = {fakeId: true};
-
-  expect(comp.isCollapsible('fakeId')).toBe(true);
-})
-
-test('isCollapsible_False', () => {
-  comp.collapsible =  {fakeId: false};
-
-  expect(comp.isCollapsible('fakeId')).toBe(false);
-})
-
-test('isCollapsed', () => {
-  comp.collapsed = [ fakeId ];
-
-  expect(comp.isCollapsed('fakeId')).toBe(true);
-})
-
-test('isCollapsed_False', () => {
-  comp.collapsed =  [];
-
-  expect(comp.isCollapsed('fakeId')).toBe(false);
-})
-
-
-test('toggleCollapse_Add', () => {
-  comp.collapsed = [];
-  
-  comp.toggleCollapse(fakeId);
-
-  expect(comp.collapsed).toStrictEqual(['fakeId']);
-})
-
-test('toggleCollapse_Remove', () => {
-  comp.collapsed = [fakeId];
-  
-  comp.toggleCollapse('fakeId');
-
-  expect(comp.collapsed).toStrictEqual([]);
+  expect(fn).toHaveBeenCalledTimes(0);
 })
 
 test('selectList', () => {
@@ -623,13 +540,44 @@ test('selectList_CustomEnabledAndCustomVal', () => {
     },
   }
 
-  comp.mainForm['severity'] = 'customSeverity1'
-  
   const expectedList = [
     'presetSeverity1',
     'presetSeverity2',
-    'customSeverity1'
+    'new value'
   ]
 
-  expect(comp.selectList('severity')).toStrictEqual(expectedList)
+  expect(comp.selectList('severity', 'new value')).toStrictEqual(expectedList)
+})
+
+test('expandRow', () => {
+  comp.expandRow('comments', fakeComment);
+  expect(comp.associatedTable['comments'].expanded.length).toBe(1);
+  comp.expandRow('comments', fakeComment2);
+  expect(comp.associatedTable['comments'].expanded.length).toBe(2);
+  comp.expandRow('comments', fakeComment);
+  expect(comp.associatedTable['comments'].expanded.length).toBe(1);
+})
+
+test('withDefault', () => {
+  expect(comp.withDefault('foo', 'bar')).toBe('foo');
+  expect(comp.withDefault('', 'bar')).toBe('bar');
+  expect(comp.withDefault(null, 'bar')).toBe('bar');
+  expect(comp.withDefault(undefined, 'bar')).toBe('bar');
 })
+
+test('getAttachmentHelp', () => {
+  expect(comp.getAttachmentHelp()).toBe('Click to attach a file to upload. (Note: max upload size is 26,214,400 bytes)');
+});
+
+test('isEdited', () => {
+  const fakeArtifact1 = {
+    createTime: "12/25/2021, 6:01:21 PM",
+    updateTime: "12/25/2021, 6:01:20 PM",
+  };
+  const fakeArtifact2 = {
+    createTime: "12/25/2021, 6:01:21 PM",
+    updateTime: "12/25/2021, 6:01:21 PM",
+  };
+  expect(comp.isEdited(fakeArtifact1)).toBe(true);
+  expect(comp.isEdited(fakeArtifact2)).toBe(false);
+});
\ No newline at end of file
diff --git a/model/case.go b/model/case.go
index 8599ab81..194328be 100644
--- a/model/case.go
+++ b/model/case.go
@@ -10,6 +10,13 @@
 package model
 
 import (
+  "bytes"
+  "encoding/base64"
+  "fmt"
+  "io"
+  "math"
+  "net/http"
+  "strings"
   "time"
 )
 
@@ -80,6 +87,7 @@ type Artifact struct {
   Value        string   `json:"value"`
   MimeType     string   `json:"mimeType"`
   StreamLen    int      `json:"streamLength"`
+  StreamId     string   `json:"streamId"`
   Tlp          string   `json:"tlp"`
   Tags         []string `json:"tags"`
   Description  string   `json:"description"`
@@ -92,3 +100,36 @@ func NewArtifact() *Artifact {
   newArtifact.CreateTime = &now
   return newArtifact
 }
+
+type ArtifactStream struct {
+  Auditable
+  Content string `json:"content"`
+}
+
+func NewArtifactStream() *ArtifactStream {
+  newStream := &ArtifactStream{}
+  now := time.Now()
+  newStream.CreateTime = &now
+  return newStream
+}
+
+func (stream *ArtifactStream) Write(reader io.Reader) (int, string, error) {
+  var buffer bytes.Buffer
+  var mimeType string
+  b64 := base64.NewEncoder(base64.StdEncoding, &buffer)
+  copyLen, err := io.Copy(b64, reader)
+
+  if err == nil {
+    b64.Close()
+    stream.Content = buffer.String()
+    preview := stream.Content[:int64(math.Min(1024, float64(copyLen)))]
+    previewDecoded, _ := base64.StdEncoding.DecodeString(preview)
+    mimeType = http.DetectContentType(previewDecoded)
+  }
+  return int(copyLen), mimeType, err
+}
+
+func (stream *ArtifactStream) Read() io.Reader {
+  fmt.Printf("streamLen = %d", len(stream.Content))
+  return base64.NewDecoder(base64.StdEncoding, strings.NewReader(stream.Content))
+}
diff --git a/model/case_test.go b/model/case_test.go
index db66c447..6e373a7d 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -11,9 +11,10 @@
 package model
 
 import (
-	"testing"
-
+	"bytes"
 	"github.com/stretchr/testify/assert"
+	"strings"
+	"testing"
 )
 
 func TestNewRelatedEvent(tester *testing.T) {
@@ -25,3 +26,19 @@ func TestNewArtifact(tester *testing.T) {
 	event := NewArtifact()
 	assert.NotZero(tester, event.CreateTime)
 }
+
+func TestNewArtifactStream(tester *testing.T) {
+	event := NewArtifactStream()
+	assert.NotZero(tester, event.CreateTime)
+	reader := strings.NewReader("hello world")
+	len, mimeType, err := event.Write(reader)
+	assert.NoError(tester, err)
+	assert.Equal(tester, 11, len)
+	assert.Equal(tester, "text/plain; charset=utf-8", mimeType)
+	assert.Equal(tester, "aGVsbG8gd29ybGQ=", event.Content)
+
+	var buffer bytes.Buffer
+	_, err = buffer.ReadFrom(event.Read())
+	assert.NoError(tester, err)
+	assert.Equal(tester, "hello world", buffer.String())
+}
diff --git a/server/casehandler.go b/server/casehandler.go
index a1dfbbf1..a40379f7 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -19,6 +19,7 @@ import (
   "io"
   "net/http"
   "strconv"
+  "strings"
 )
 
 type CaseHandler struct {
@@ -75,7 +76,61 @@ func (caseHandler *CaseHandler) create(ctx context.Context, writer http.Response
   case "tasks":
   case "artifacts":
     inputArtifact := model.NewArtifact()
-    err = json.NewDecoder(request.Body).Decode(&inputArtifact)
+    if contentType, ok := request.Header["Content-Type"]; !ok || !strings.Contains(contentType[0], "multipart") {
+      // Fallback to plain JSON
+      log.WithField("contentType", contentType).Debug("Multipart content type not found")
+      err = json.NewDecoder(request.Body).Decode(&inputArtifact)
+    } else {
+      err = request.ParseMultipartForm(int64(caseHandler.server.Config.MaxUploadSizeBytes))
+      if err == nil {
+        jsonData := request.FormValue("json")
+        err = json.NewDecoder(strings.NewReader(jsonData)).Decode(&inputArtifact)
+        if err == nil {
+          log.Debug("Successfully parsed multipart form")
+
+          // Try pulling an attachment file
+          file, handler, err := request.FormFile("attachment")
+          if err == nil && file != nil {
+            log.Debug("Found attachment")
+            defer file.Close()
+
+            if len(inputArtifact.Value) > 0 {
+              err = errors.New("Attachment artifacts must be provided without a value")
+            } else {
+              inputArtifact.Value = handler.Filename
+              inputArtifact.ArtifactType = "file"
+
+              artifactStream := model.NewArtifactStream()
+              inputArtifact.StreamLen, inputArtifact.MimeType, err = artifactStream.Write(file)
+              if err == nil {
+                if inputArtifact.StreamLen != int(handler.Size) {
+                  log.WithFields(log.Fields{
+                    "requestId": ctx.Value(web.ContextKeyRequestId),
+                    "mimeType":  inputArtifact.MimeType,
+                    "formLen":   handler.Size,
+                    "copyLen":   inputArtifact.StreamLen,
+                  }).Warn("Mismatch of stream size detected")
+                } else {
+                  log.WithFields(log.Fields{
+                    "requestId":   ctx.Value(web.ContextKeyRequestId),
+                    "formFileLen": handler.Size,
+                    "streamLen":   inputArtifact.StreamLen,
+                    "mimeType":    inputArtifact.MimeType,
+                  }).Info("Successfully copied attachment bytes into new artifact stream object")
+                }
+
+                var artifactStreamId string
+                artifactStreamId, err = caseHandler.server.Casestore.CreateArtifactStream(ctx, artifactStream)
+                if err == nil {
+                  inputArtifact.StreamId = artifactStreamId
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
     if err == nil {
       obj, err = caseHandler.server.Casestore.CreateArtifact(ctx, inputArtifact)
     }
@@ -108,6 +163,11 @@ func (caseHandler *CaseHandler) update(ctx context.Context, writer http.Response
     }
   case "tasks":
   case "artifacts":
+    inputArtifact := model.NewArtifact()
+    err = json.NewDecoder(request.Body).Decode(&inputArtifact)
+    if err == nil {
+      obj, err = caseHandler.server.Casestore.UpdateArtifact(ctx, inputArtifact)
+    }
   default:
     inputCase := model.NewCase()
     err = json.NewDecoder(request.Body).Decode(&inputCase)
@@ -137,6 +197,7 @@ func (caseHandler *CaseHandler) delete(ctx context.Context, writer http.Response
     err = caseHandler.server.Casestore.DeleteRelatedEvent(ctx, id)
   case "tasks":
   case "artifacts":
+    err = caseHandler.server.Casestore.DeleteArtifact(ctx, id)
   default:
     err = errors.New("Delete not supported")
   }
@@ -183,15 +244,14 @@ func (caseHandler *CaseHandler) get(ctx context.Context, writer http.ResponseWri
 func (caseHandler *CaseHandler) copyArtifactStream(ctx context.Context, writer http.ResponseWriter, artifactId string) error {
   artifact, err := caseHandler.server.Casestore.GetArtifact(ctx, artifactId)
   if err == nil {
-    var reader io.ReadCloser
-    reader, err = caseHandler.server.Casestore.GetArtifactStream(ctx, artifactId)
+    var stream *model.ArtifactStream
+    stream, err = caseHandler.server.Casestore.GetArtifactStream(ctx, artifact.StreamId)
     if err == nil {
-      defer reader.Close()
       writer.Header().Set("Content-Type", artifact.MimeType)
       writer.Header().Set("Content-Length", strconv.FormatInt(int64(artifact.StreamLen), 10))
       writer.Header().Set("Content-Disposition", "inline; filename=\""+artifact.Value+"\"")
       writer.Header().Set("Content-Transfer-Encoding", "binary")
-      written, err := io.Copy(writer, reader)
+      written, err := io.Copy(writer, stream.Read())
       if err != nil {
         log.WithError(err).WithFields(log.Fields{
           "name":       artifact.Value,
diff --git a/server/casestore.go b/server/casestore.go
index 84ce168a..a76a61f2 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -12,7 +12,6 @@ package server
 import (
 	"context"
 	"github.com/security-onion-solutions/securityonion-soc/model"
-	"io"
 )
 
 type Casestore interface {
@@ -32,9 +31,13 @@ type Casestore interface {
 	GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error)
 	DeleteRelatedEvent(ctx context.Context, id string) error
 
-	CreateArtifact(ctx context.Context, attachment *model.Artifact) (*model.Artifact, error)
+	CreateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)
 	GetArtifact(ctx context.Context, id string) (*model.Artifact, error)
-	GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error)
 	GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error)
 	DeleteArtifact(ctx context.Context, id string) error
+	UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)
+
+	CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)
+	GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)
+	DeleteArtifactStream(ctx context.Context, id string) error
 }
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index dbfb556c..5a016c92 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -516,6 +516,9 @@ func convertElasticEventToArtifact(event *model.EventRecord) (*model.Artifact, e
 			if value, ok := event.Payload["artifact.streamLength"]; ok {
 				obj.StreamLen = int(value.(float64))
 			}
+			if value, ok := event.Payload["artifact.streamId"]; ok {
+				obj.StreamId = value.(string)
+			}
 			if value, ok := event.Payload["artifact.mimeType"]; ok {
 				obj.MimeType = value.(string)
 			}
@@ -538,6 +541,27 @@ func convertElasticEventToArtifact(event *model.EventRecord) (*model.Artifact, e
 	return obj, err
 }
 
+func convertElasticEventToArtifactStream(event *model.EventRecord) (*model.ArtifactStream, error) {
+	var err error
+	var obj *model.ArtifactStream
+
+	if event != nil {
+		obj = model.NewArtifactStream()
+		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		if err == nil {
+			if value, ok := event.Payload["artifactstream.userId"]; ok {
+				obj.UserId = value.(string)
+			}
+			if value, ok := event.Payload["artifactstream.content"]; ok {
+				obj.Content = value.(string)
+			}
+			obj.CreateTime = parseTime(event.Payload, "artifactstream.createTime")
+		}
+	}
+
+	return obj, err
+}
+
 func convertElasticEventToObject(event *model.EventRecord) (interface{}, error) {
 	var obj interface{}
 	var err error
@@ -552,6 +576,8 @@ func convertElasticEventToObject(event *model.EventRecord) (interface{}, error)
 			obj, err = convertElasticEventToRelatedEvent(event)
 		case "artifact":
 			obj, err = convertElasticEventToArtifact(event)
+		case "artifactstream":
+			obj, err = convertElasticEventToArtifactStream(event)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index d41b9027..93daf8cf 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -376,6 +376,7 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	event.Payload["artifact.value"] = "myValue"
 	event.Payload["artifact.description"] = "myDesc"
 	event.Payload["artifact.streamLength"] = float64(123)
+	event.Payload["artifact.streamId"] = "myStreamId"
 	event.Payload["artifact.groupType"] = "myGroupType"
 	event.Payload["artifact.groupId"] = "myGroupId"
 	event.Payload["artifact.userId"] = "myUserId"
@@ -397,6 +398,7 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	assert.Equal(tester, "myValue", artifactObj.Value)
 	assert.Equal(tester, "myDesc", artifactObj.Description)
 	assert.Equal(tester, 123, artifactObj.StreamLen)
+	assert.Equal(tester, "myStreamId", artifactObj.StreamId)
 	assert.Equal(tester, "myGroupType", artifactObj.GroupType)
 	assert.Equal(tester, "myGroupId", artifactObj.GroupId)
 	assert.Equal(tester, "myUserId", artifactObj.UserId)
@@ -410,6 +412,35 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	assert.Equal(tester, &myCreateTime, artifactObj.CreateTime)
 }
 
+func TestConvertElasticEventToArtifactStreamNil(tester *testing.T) {
+	artifactObj, err := convertElasticEventToArtifactStream(nil)
+	assert.NoError(tester, err)
+	assert.Nil(tester, artifactObj)
+}
+
+func TestConvertElasticEventToArtifactStream(tester *testing.T) {
+	myTime := time.Now()
+	myCreateTime := myTime.Add(time.Hour * -1)
+
+	event := &model.EventRecord{}
+	event.Payload = make(map[string]interface{})
+	event.Payload["kind"] = "artifactstream"
+	event.Payload["operation"] = "create"
+	event.Payload["artifactstream.content"] = "myValue"
+	event.Payload["artifactstream.userId"] = "myUserId"
+	event.Time = myTime
+	event.Payload["artifactstream.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event)
+	assert.NoError(tester, err)
+	obj := interf.(*model.ArtifactStream)
+	assert.Equal(tester, "artifactstream", obj.Kind)
+	assert.Equal(tester, "create", obj.Operation)
+	assert.Equal(tester, "myUserId", obj.UserId)
+	assert.Equal(tester, &myTime, obj.UpdateTime)
+	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+	assert.Equal(tester, "myValue", obj.Content)
+}
+
 func TestParseTime(tester *testing.T) {
 	m := make(map[string]interface{})
 
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 66486ad5..e432795d 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -27,6 +27,7 @@ const DEFAULT_CACHE_MS = 86400000
 const DEFAULT_INDEX = "*:so-*"
 const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
+const DEFAULT_MAX_LOG_LENGTH = 1024
 
 type Elastic struct {
   config module.ModuleConfig
@@ -63,8 +64,10 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
   index := module.GetStringDefault(cfg, "index", DEFAULT_INDEX)
   asyncThreshold := module.GetIntDefault(cfg, "asyncThreshold", DEFAULT_ASYNC_THRESHOLD)
   intervals := module.GetIntDefault(cfg, "intervals", DEFAULT_INTERVALS)
+  maxLogLength := module.GetIntDefault(cfg, "maxLogLength", DEFAULT_MAX_LOG_LENGTH)
   casesEnabled := module.GetBoolDefault(cfg, "casesEnabled", true)
-  err := elastic.store.Init(host, remoteHosts, username, password, verifyCert, timeShiftMs, defaultDurationMs, esSearchOffsetMs, timeoutMs, cacheMs, index, asyncThreshold, intervals)
+  err := elastic.store.Init(host, remoteHosts, username, password, verifyCert, timeShiftMs, defaultDurationMs,
+    esSearchOffsetMs, timeoutMs, cacheMs, index, asyncThreshold, intervals, maxLogLength)
   if err == nil && elastic.server != nil {
     elastic.server.Eventstore = elastic.store
     if casesEnabled {
diff --git a/server/modules/elastic/elastic_test.go b/server/modules/elastic/elastic_test.go
index 1be16925..f732d104 100644
--- a/server/modules/elastic/elastic_test.go
+++ b/server/modules/elastic/elastic_test.go
@@ -39,6 +39,7 @@ func TestElasticInit(tester *testing.T) {
 	assert.Equal(tester, expectedCache, elastic.store.cacheMs)
 	assert.Equal(tester, DEFAULT_INDEX, elastic.store.index)
 	assert.Equal(tester, DEFAULT_INTERVALS, elastic.store.intervals)
+	assert.Equal(tester, DEFAULT_MAX_LOG_LENGTH, elastic.store.maxLogLength)
 
 	// Ensure casestore has been setup
 	assert.NotNil(tester, srv.Casestore)
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index fc7167f4..89aed3a6 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -17,7 +17,6 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
-  "io"
   "regexp"
   "strconv"
   "time"
@@ -59,10 +58,16 @@ func (store *ElasticCasestore) validateId(id string, label string) error {
 }
 
 func (store *ElasticCasestore) validateString(str string, max int, label string) error {
+  return store.validateStringRequired(str, 0, max, label)
+}
+
+func (store *ElasticCasestore) validateStringRequired(str string, min int, max int, label string) error {
   var err error
   length := len(str)
   if length > max {
     err = errors.New(fmt.Sprintf("%s is too long (%d/%d)", label, length, max))
+  } else if length < min {
+    err = errors.New(fmt.Sprintf("%s is too short (%d/%d)", label, length, min))
   }
   return err
 }
@@ -108,13 +113,13 @@ func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
     err = errors.New("Field 'Operation' must not be specified")
   }
   if err == nil {
-    err = store.validateString(socCase.Title, SHORT_STRING_MAX, "title")
+    err = store.validateStringRequired(socCase.Title, 1, SHORT_STRING_MAX, "title")
   }
   if err == nil {
     err = store.validateString(socCase.Category, SHORT_STRING_MAX, "category")
   }
   if err == nil {
-    err = store.validateString(socCase.Status, SHORT_STRING_MAX, "status")
+    err = store.validateStringRequired(socCase.Status, 1, SHORT_STRING_MAX, "status")
   }
   if err == nil {
     err = store.validateString(socCase.Template, SHORT_STRING_MAX, "template")
@@ -126,7 +131,7 @@ func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
     err = store.validateString(socCase.Pap, SHORT_STRING_MAX, "pap")
   }
   if err == nil {
-    err = store.validateString(socCase.Description, LONG_STRING_MAX, "description")
+    err = store.validateStringRequired(socCase.Description, 1, LONG_STRING_MAX, "description")
   }
   if err == nil {
     err = store.validateStringArray(socCase.Tags, SHORT_STRING_MAX, MAX_ARRAY_ELEMENTS, "tags")
@@ -177,7 +182,7 @@ func (store *ElasticCasestore) validateComment(comment *model.Comment) error {
     err = errors.New("Field 'Operation' must not be specified")
   }
   if err == nil {
-    err = store.validateString(comment.Description, LONG_STRING_MAX, "description")
+    err = store.validateStringRequired(comment.Description, 1, LONG_STRING_MAX, "description")
   }
   return err
 }
@@ -194,7 +199,7 @@ func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error
   if err == nil && artifact.CaseId != "" {
     err = store.validateId(artifact.CaseId, "caseId")
   }
-  if err == nil && artifact.StreamLen != 0 {
+  if err == nil && artifact.StreamLen != 0 && artifact.ArtifactType != "file" {
     err = errors.New("Invalid streamLength")
   }
   if err == nil && len(artifact.Kind) > 0 {
@@ -204,7 +209,7 @@ func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error
     err = errors.New("Field 'Operation' must not be specified")
   }
   if err == nil {
-    err = store.validateString(artifact.Value, LONG_STRING_MAX, "value")
+    err = store.validateStringRequired(artifact.Value, 1, LONG_STRING_MAX, "value")
   }
   if err == nil {
     err = store.validateId(artifact.GroupType, "groupType")
@@ -213,7 +218,7 @@ func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error
     err = store.validateId(artifact.GroupId, "groupId")
   }
   if err == nil {
-    err = store.validateString(artifact.ArtifactType, SHORT_STRING_MAX, "artifactType")
+    err = store.validateStringRequired(artifact.ArtifactType, 1, SHORT_STRING_MAX, "artifactType")
   }
   if err == nil {
     err = store.validateString(artifact.Tlp, SHORT_STRING_MAX, "tlp")
@@ -230,6 +235,27 @@ func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error
   return err
 }
 
+func (store *ElasticCasestore) validateArtifactStream(artifactstream *model.ArtifactStream) error {
+  var err error
+
+  if err == nil && artifactstream.Id != "" {
+    err = store.validateId(artifactstream.Id, "artifactStreamId")
+  }
+  if err == nil && artifactstream.UserId != "" {
+    err = store.validateId(artifactstream.UserId, "userId")
+  }
+  if err == nil && len(artifactstream.Content) == 0 {
+    err = errors.New("Missing stream content")
+  }
+  if err == nil && len(artifactstream.Kind) > 0 {
+    err = errors.New("Field 'Kind' must not be specified")
+  }
+  if err == nil && len(artifactstream.Operation) > 0 {
+    err = errors.New("Field 'Operation' must not be specified")
+  }
+  return err
+}
+
 func (store *ElasticCasestore) prepareForSave(ctx context.Context, obj *model.Auditable) string {
   obj.UserId = ctx.Value(web.ContextKeyRequestorId).(string)
 
@@ -346,13 +372,13 @@ func (store *ElasticCasestore) getAll(ctx context.Context, query string, max int
 func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case) (*model.Case, error) {
   var err error
 
+  socCase.Status = model.CASE_STATUS_NEW
   err = store.validateCase(socCase)
   if err == nil {
     if socCase.Id != "" {
       err = errors.New("Unexpected ID found in new case")
     } else {
       socCase = store.applyTemplate(ctx, socCase)
-      socCase.Status = model.CASE_STATUS_NEW
       now := time.Now()
       socCase.CreateTime = &now
       var results *model.EventIndexResults
@@ -414,7 +440,8 @@ func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string
 
   err = store.validateId(caseId, "caseId")
   if err == nil {
-    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s") | sortby @timestamp^`, store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s" OR artifact.caseId:"%s") | sortby @timestamp^`,
+      store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId, caseId)
     history, err = store.getAll(ctx, query, store.maxAssociations)
   }
   return history, err
@@ -619,10 +646,6 @@ func (store *ElasticCasestore) CreateArtifact(ctx context.Context, artifact *mod
       return nil, errors.New("Missing Case ID in new artifact")
     } else if artifact.GroupType == "" {
       return nil, errors.New("Missing GroupType in new artifact")
-    } else if artifact.ArtifactType == "" {
-      return nil, errors.New("Missing ArtifactType in new artifact")
-    } else if artifact.Value == "" {
-      return nil, errors.New("Missing Value in new artifact")
     } else {
       _, err = store.GetCase(ctx, artifact.CaseId)
       if err == nil {
@@ -655,10 +678,6 @@ func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*mod
   return artifact, err
 }
 
-func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
-  return nil, errors.New("Unsupported operation by this module")
-}
-
 func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
   var err error
   var artifacts []*model.Artifact
@@ -677,7 +696,7 @@ func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string,
         if len(groupId) > 0 {
           groupIdTerm = fmt.Sprintf(`AND artifact.groupId:"%s" `, groupId)
         }
-        query := fmt.Sprintf(`_index:"%s" AND kind:"artifact" AND artifact.caseId:"%s" AND artifact.groupType:"%s" %s| sortby @timestamp^`, store.index, caseId, groupType, groupIdTerm)
+        query := fmt.Sprintf(`_index:"%s" AND kind:"artifact" AND artifact.caseId:"%s" AND artifact.groupType:"%s" %s| sortby artifact.createTime^`, store.index, caseId, groupType, groupIdTerm)
         var objects []interface{}
         objects, err = store.getAll(ctx, query, store.maxAssociations)
         if err == nil {
@@ -691,14 +710,95 @@ func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string,
   return artifacts, err
 }
 
-func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+func (store *ElasticCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error) {
   var err error
 
-  var artifact *model.Artifact
-  artifact, err = store.GetArtifact(ctx, id)
+  err = store.validateArtifact(artifact)
   if err == nil {
+    if artifact.Id == "" {
+      err = errors.New("Missing artifact ID")
+    } else {
+      var old *model.Artifact
+      old, err = store.GetArtifact(ctx, artifact.Id)
+      if err == nil {
+        // Preserve read-only fields
+        artifact.CreateTime = old.CreateTime
+        artifact.ArtifactType = old.ArtifactType
+        artifact.Value = old.Value
+        artifact.GroupType = old.GroupType
+        artifact.GroupId = old.GroupId
+        artifact.StreamLen = old.StreamLen
+        artifact.MimeType = old.MimeType
+        artifact.StreamId = old.StreamId
+        var results *model.EventIndexResults
+        results, err = store.save(ctx, artifact, "artifact", store.prepareForSave(ctx, &artifact.Auditable))
+        if err == nil {
+          // Read object back to get new modify date, etc
+          artifact, err = store.GetArtifact(ctx, results.DocumentId)
+        }
+      }
+    }
+  }
+  return artifact, err
+}
+
+func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  artifact, err := store.GetArtifact(ctx, id)
+  if err == nil {
+    if len(artifact.StreamId) > 0 {
+      err = store.DeleteArtifactStream(ctx, artifact.StreamId)
+      if err != nil {
+        log.WithFields(log.Fields{
+          "artifactStreamId": artifact.StreamId,
+          "artifactId":       artifact.Id,
+        }).Error("Unable to delete artifact stream; proceeding with artifact deletion anyway")
+      }
+    }
     err = store.delete(ctx, artifact, "artifact", store.prepareForSave(ctx, &artifact.Auditable))
   }
 
   return err
 }
+
+func (store *ElasticCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error) {
+  var id string
+  err := store.validateArtifactStream(artifactstream)
+  if err == nil {
+    if artifactstream.Id != "" {
+      return "", errors.New("Unexpected ID found in new artifactstream")
+    } else {
+      now := time.Now()
+      artifactstream.CreateTime = &now
+      var results *model.EventIndexResults
+      results, err = store.save(ctx, artifactstream, "artifactstream", store.prepareForSave(ctx, &artifactstream.Auditable))
+      if err == nil {
+        id = results.DocumentId
+      }
+    }
+  }
+  return id, err
+}
+
+func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error) {
+  var err error
+  var artifactstream *model.ArtifactStream
+
+  err = store.validateId(id, "artifactStreamId")
+  if err == nil {
+    var obj interface{}
+    obj, err = store.get(ctx, id, "artifactstream")
+    if err == nil {
+      artifactstream = obj.(*model.ArtifactStream)
+    }
+  }
+  return artifactstream, err
+}
+
+func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
+  artifactstream, err := store.GetArtifactStream(ctx, id)
+  if err == nil {
+    err = store.delete(ctx, artifactstream, "artifactstream", store.prepareForSave(ctx, &artifactstream.Auditable))
+  }
+
+  return err
+}
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 248c4494..aeb20ef6 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -144,6 +144,13 @@ func TestValidateCaseInvalid(tester *testing.T) {
 	assert.EqualError(tester, err, "title is too long (140/100)")
 	socCase.Title = "myTitle"
 
+	for x := 1; x < 5; x++ {
+		socCase.Status += "this is my unreasonably long status\n"
+	}
+	err = store.validateCase(socCase)
+	assert.EqualError(tester, err, "status is too long (144/100)")
+	socCase.Status = "myStatus"
+
 	for x := 1; x < 30000; x++ {
 		socCase.Description += "this is my unreasonably long description\n"
 	}
@@ -191,13 +198,6 @@ func TestValidateCaseInvalid(tester *testing.T) {
 	assert.EqualError(tester, err, "template is too long (152/100)")
 	socCase.Template = "myTemplate"
 
-	for x := 1; x < 5; x++ {
-		socCase.Status += "this is my unreasonably long status\n"
-	}
-	err = store.validateCase(socCase)
-	assert.EqualError(tester, err, "status is too long (144/100)")
-	socCase.Status = "myStatus"
-
 	socCase.Kind = "myKind"
 	err = store.validateCase(socCase)
 	assert.EqualError(tester, err, "Field 'Kind' must not be specified")
@@ -230,7 +230,10 @@ func TestValidateCaseValid(tester *testing.T) {
 	store.Init("myIndex", "myAuditIndex", 45)
 
 	var err error
-	socCase := model.NewCase() // empty cases are valid cases
+	socCase := model.NewCase()
+	socCase.Title = "myTitle"
+	socCase.Description = "myDescription"
+	socCase.Status = "new"
 	err = store.validateCase(socCase)
 	assert.NoError(tester, err)
 
@@ -254,6 +257,53 @@ func TestValidateCaseValid(tester *testing.T) {
 	assert.NoError(tester, err)
 }
 
+func TestValidateRelatedEventInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	event := model.NewRelatedEvent()
+
+	event.Id = "this is an invalid id"
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "invalid ID for relatedEventId")
+	event.Id = "myEventId"
+
+	event.CaseId = "this is an invalid id"
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "invalid ID for caseId")
+	event.CaseId = "myCaseId"
+
+	event.UserId = "this is an invalid id"
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "invalid ID for userId")
+	event.UserId = "myUserId"
+
+	event.Kind = "myKind"
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "Field 'Kind' must not be specified")
+	event.Kind = ""
+
+	event.Operation = "myOperation"
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "Field 'Operation' must not be specified")
+	event.Operation = ""
+
+	err = store.validateRelatedEvent(event)
+	assert.EqualError(tester, err, "Related event fields cannot not be empty")
+}
+
+func TestValidateRelatedEventValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	event := model.NewRelatedEvent()
+	event.Fields["foo"] = "bar"
+	err = store.validateRelatedEvent(event)
+	assert.NoError(tester, err)
+}
+
 func TestValidateCommentInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	store.Init("myIndex", "myAuditIndex", 45)
@@ -276,6 +326,16 @@ func TestValidateCommentInvalid(tester *testing.T) {
 	assert.EqualError(tester, err, "invalid ID for userId")
 	comment.UserId = ""
 
+	comment.Kind = "myKind"
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "Field 'Kind' must not be specified")
+	comment.Kind = ""
+
+	comment.Operation = "myOperation"
+	err = store.validateComment(comment)
+	assert.EqualError(tester, err, "Field 'Operation' must not be specified")
+	comment.Operation = ""
+
 	for x := 1; x < 30000; x++ {
 		comment.Description += "this is my unreasonably long description\n"
 	}
@@ -289,7 +349,8 @@ func TestValidateCommentValid(tester *testing.T) {
 	store.Init("myIndex", "myAuditIndex", 45)
 
 	var err error
-	comment := model.NewComment() // empty comments are valid comments
+	comment := model.NewComment()
+	comment.Description = "myDesc"
 	err = store.validateComment(comment)
 	assert.NoError(tester, err)
 
@@ -302,6 +363,157 @@ func TestValidateCommentValid(tester *testing.T) {
 	assert.NoError(tester, err)
 }
 
+func TestValidateArtifactInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	artifact := model.NewArtifact()
+
+	for x := 1; x < 30000; x++ {
+		artifact.Value += "this is my unreasonably long value\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "value is too long (1049965/1000000)")
+	artifact.Value = "myValue"
+
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "invalid ID for groupType")
+	artifact.GroupType = "myGroupType"
+
+	artifact.Id = "this is an invalid id"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "invalid ID for artifactId")
+	artifact.Id = "myArtifactId"
+
+	artifact.UserId = "this is an invalid id"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "invalid ID for userId")
+	artifact.UserId = "myUserId"
+
+	artifact.GroupId = "this is an invalid id"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "invalid ID for groupId")
+	artifact.GroupId = "myGroupId"
+
+	artifact.CaseId = "this is an invalid id"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "invalid ID for caseId")
+	artifact.CaseId = "myCaseId"
+
+	for x := 1; x < 5; x++ {
+		artifact.ArtifactType += "this is my unreasonably long artifactType\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "artifactType is too long (168/100)")
+	artifact.ArtifactType = "myArtifactType"
+
+	for x := 1; x < 30000; x++ {
+		artifact.Description += "this is my unreasonably long description\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "description is too long (1229959/1000000)")
+	artifact.Description = "myDescription"
+
+	artifact.StreamLen = 123
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "Invalid streamLength")
+	artifact.StreamLen = 0
+
+	for x := 1; x < 5; x++ {
+		artifact.MimeType += "this is my unreasonably long severity\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "mimeType is too long (152/100)")
+	artifact.MimeType = "image/jpg"
+
+	for x := 1; x < 5; x++ {
+		artifact.Tlp += "this is my unreasonably long tlp\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "tlp is too long (132/100)")
+	artifact.Tlp = "myTlp"
+
+	artifact.Kind = "myKind"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "Field 'Kind' must not be specified")
+	artifact.Kind = ""
+
+	artifact.Operation = "myOperation"
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "Field 'Operation' must not be specified")
+	artifact.Operation = ""
+
+	tag := ""
+	for x := 1; x < 5; x++ {
+		tag += "this is my unreasonably long tag\n"
+	}
+	artifact.Tags = append(artifact.Tags, tag)
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "tag[0] is too long (132/100)")
+	artifact.Tags = nil
+
+	for x := 1; x < 500; x++ {
+		artifact.Tags = append(artifact.Tags, "myTag")
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "Field 'Tags' contains excessive elements (499/50)")
+	artifact.Tags = nil
+}
+
+func TestValidateArtifactValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	artifact := model.NewArtifact()
+	artifact.Id = "123456"
+	artifact.UserId = "myUserId"
+	artifact.GroupType = "myGroupType"
+	artifact.ArtifactType = "myArtifactType"
+	for x := 1; x < 500; x++ {
+		artifact.Value += "this is my reasonably long description\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.NoError(tester, err)
+}
+
+func TestValidateArtifactStreamInvalid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	artifactstream := model.NewArtifactStream()
+
+	artifactstream.Id = "this is an invalid id"
+	err = store.validateArtifactStream(artifactstream)
+	assert.EqualError(tester, err, "invalid ID for artifactStreamId")
+	artifactstream.Id = ""
+
+	artifactstream.UserId = "this is an invalid id"
+	err = store.validateArtifactStream(artifactstream)
+	assert.EqualError(tester, err, "invalid ID for userId")
+	artifactstream.UserId = ""
+
+	err = store.validateArtifactStream(artifactstream)
+	assert.EqualError(tester, err, "Missing stream content")
+}
+
+func TestValidateArtifactStreamValid(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+
+	var err error
+	artifactstream := model.NewArtifactStream()
+	artifactstream.Id = "123456"
+	artifactstream.UserId = "myUserId"
+	for x := 1; x < 500; x++ {
+		artifactstream.Content += "this is my reasonably long description\n"
+	}
+	err = store.validateArtifactStream(artifactstream)
+	assert.NoError(tester, err)
+}
+
 func TestSaveCreate(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	store.Init("myIndex", "myAuditIndex", 45)
@@ -434,6 +646,9 @@ func TestUpdateError(tester *testing.T) {
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	myCase := model.NewCase()
 	myCase.Id = ""
+	myCase.Title = "myTitle"
+	myCase.Description = "myDesc"
+	myCase.Status = "myStatus"
 	newCase, err := store.Update(ctx, myCase)
 	assert.Error(tester, err)
 	assert.Equal(tester, "Missing case ID", err.Error())
@@ -466,7 +681,7 @@ func TestGetCaseHistory(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId") | sortby @timestamp^`
+	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId" OR artifact.caseId:"myCaseId") | sortby @timestamp^`
 	casePayload := make(map[string]interface{})
 	casePayload["kind"] = "case"
 	caseEvent := &model.EventRecord{
@@ -485,6 +700,7 @@ func TestCreateCommentUnexpectedId(tester *testing.T) {
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	comment := model.NewComment()
 	comment.Id = "123444"
+	comment.Description = "myDesc"
 	_, err := store.CreateComment(ctx, comment)
 	assert.Error(tester, err)
 	assert.Equal(tester, "Unexpected ID found in new comment", err.Error())
@@ -494,6 +710,7 @@ func TestCreateCommentMissingCaseId(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	comment := model.NewComment()
+	comment.Description = "myDesc"
 	_, err := store.CreateComment(ctx, comment)
 	assert.Error(tester, err)
 	assert.Equal(tester, "Missing Case ID in new comment", err.Error())
@@ -575,6 +792,7 @@ func TestUpdateComment(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	comment := model.NewComment()
+	comment.Description = "myDesc"
 	_, err := store.UpdateComment(ctx, comment)
 	assert.Error(tester, err)
 	assert.Equal(tester, "Missing comment ID", err.Error())
@@ -791,6 +1009,7 @@ func TestCreateArtifactMissingGroupType(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	artifact := model.NewArtifact()
+	artifact.Value = "myValue"
 	_, err := store.CreateArtifact(ctx, artifact)
 	assert.Error(tester, err)
 	assert.Equal(tester, "invalid ID for groupType", err.Error())
@@ -802,9 +1021,10 @@ func TestCreateArtifactMissingArtifactType(tester *testing.T) {
 	artifact := model.NewArtifact()
 	artifact.GroupType = "myGroupType"
 	artifact.CaseId = "12345"
+	artifact.Value = "myValue"
 	_, err := store.CreateArtifact(ctx, artifact)
 	assert.Error(tester, err)
-	assert.Equal(tester, "Missing ArtifactType in new artifact", err.Error())
+	assert.Equal(tester, "artifactType is too short (0/1)", err.Error())
 }
 
 func TestCreateArtifactMissingValue(tester *testing.T) {
@@ -816,7 +1036,7 @@ func TestCreateArtifactMissingValue(tester *testing.T) {
 	artifact.CaseId = "12345"
 	_, err := store.CreateArtifact(ctx, artifact)
 	assert.Error(tester, err)
-	assert.Equal(tester, "Missing Value in new artifact", err.Error())
+	assert.Equal(tester, "value is too short (0/1)", err.Error())
 }
 
 func TestCreateArtifact(tester *testing.T) {
@@ -899,7 +1119,7 @@ func TestGetArtifactsNoGroupId(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" | sortby @timestamp^`
+	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" | sortby artifact.createTime^`
 	eventPayload := make(map[string]interface{})
 	eventPayload["kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
@@ -919,7 +1139,7 @@ func TestGetArtifacts(tester *testing.T) {
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" AND artifact.groupId:"myGroupId" | sortby @timestamp^`
+	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" AND artifact.groupId:"myGroupId" | sortby artifact.createTime^`
 	eventPayload := make(map[string]interface{})
 	eventPayload["kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
@@ -955,3 +1175,165 @@ func TestDeleteArtifact(tester *testing.T) {
 	assert.Equal(tester, "myArtifactId", fakeEventStore.InputIds[0])
 	assert.Equal(tester, "", fakeEventStore.InputIds[1])
 }
+
+func TestCreateArtifactStreamUnexpectedId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifactstream := model.NewArtifactStream()
+	artifactstream.Id = "123444"
+	artifactstream.Content = "Value"
+	_, err := store.CreateArtifactStream(ctx, artifactstream)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Unexpected ID found in new artifactstream", err.Error())
+}
+
+func TestCreateArtifactStreamMissingValue(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	artifactstream := model.NewArtifactStream()
+	artifactstream.Id = "123444"
+	_, err := store.CreateArtifactStream(ctx, artifactstream)
+	assert.Error(tester, err)
+	assert.Equal(tester, "Missing stream content", err.Error())
+}
+
+func TestCreateArtifactStream(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	casePayload := make(map[string]interface{})
+	casePayload["kind"] = "artifactstream"
+	caseEvent := &model.EventRecord{
+		Payload: casePayload,
+		Id:      "123444",
+	}
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifactstream"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, caseEvent)
+	fakeEventStore.IndexResults[0].Success = true
+	fakeEventStore.IndexResults[0].DocumentId = "myArtifactStreamId"
+	eventSearchResults := model.NewEventSearchResults()
+	eventSearchResults.Events = append(eventSearchResults.Events, elasticEvent)
+	fakeEventStore.SearchResults = append(fakeEventStore.SearchResults, eventSearchResults)
+	artifact := model.NewArtifactStream()
+	artifact.Content = "Content"
+	newEvent, err := store.CreateArtifactStream(ctx, artifact)
+	assert.NoError(tester, err)
+	assert.NotNil(tester, newEvent)
+}
+
+func TestGetArtifactStream(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifactstream" AND _id:"myArtifactStreamId"`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifactstream"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	obj, err := store.GetArtifactStream(ctx, "myArtifactStreamId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.NotNil(tester, obj)
+}
+
+func TestGetArtifactStreamBadId(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	_, err := store.GetArtifactStream(ctx, "stream id is invalid")
+	assert.EqualError(tester, err, "invalid ID for artifactStreamId")
+}
+
+func TestDeleteArtifactStream(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+	query := `_index:"myIndex" AND kind:"artifactstream" AND _id:"myArtifactStreamId"`
+	elasticPayload := make(map[string]interface{})
+	elasticPayload["kind"] = "artifactstream"
+	elasticEvent := &model.EventRecord{
+		Payload: elasticPayload,
+		Id:      "myArtifactStreamId",
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	err := store.DeleteArtifactStream(ctx, "myArtifactStreamId")
+	assert.NoError(tester, err)
+	assert.Len(tester, fakeEventStore.InputSearchCriterias, 1) // Search to ensure it exists first
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Len(tester, fakeEventStore.InputIds, 2) // Delete and Index (for audit)
+	assert.Equal(tester, "myArtifactStreamId", fakeEventStore.InputIds[0])
+	assert.Equal(tester, "", fakeEventStore.InputIds[1])
+}
+
+func TestUpdateArtifact(tester *testing.T) {
+	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45)
+	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
+
+	fakeEventStore := server.NewFakeEventstore()
+	store.server.Eventstore = fakeEventStore
+	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	eventPayload := make(map[string]interface{})
+	eventPayload["kind"] = "artifact"
+	eventPayload["artifact.artifactType"] = "myArtifactType"
+	eventPayload["artifact.groupType"] = "myGroupType"
+	eventPayload["artifact.groupId"] = "myGroupId"
+	eventPayload["artifact.value"] = "myValue"
+	eventPayload["artifact.streamLength"] = 123.0
+	eventPayload["artifact.mimeType"] = "myMimeType"
+	eventPayload["artifact.streamId"] = "myStreamId"
+	eventPayload["artifact.description"] = "myDesc"
+	elasticEvent := &model.EventRecord{
+		Payload: eventPayload,
+	}
+	fakeEventStore.SearchResults[0].Events = append(fakeEventStore.SearchResults[0].Events, elasticEvent)
+	fakeEventStore.IndexResults[0].DocumentId = "myArtifactId"
+
+	artifact := model.NewArtifact()
+	artifact.Value = "myNewValue"
+	artifact.GroupType = "myNewGroupType"
+	artifact.GroupId = "myNewGroupId"
+	artifact.ArtifactType = "file"
+	artifact.GroupId = "myNewGroupId"
+	artifact.MimeType = "myNewMimeType"
+	artifact.StreamId = "myNewStreamId"
+	artifact.StreamLen = 456
+	artifact.Description = "myNewDesc"
+
+	_, err := store.UpdateArtifact(ctx, artifact)
+	assert.Equal(tester, "Missing artifact ID", err.Error())
+
+	artifact.Id = "myArtifactId"
+	_, err = store.UpdateArtifact(ctx, artifact)
+	assert.NoError(tester, err)
+	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
+	assert.Equal(tester, "update", fakeEventStore.InputDocuments[0]["operation"])
+
+	newArtifact := fakeEventStore.InputDocuments[0]["artifact"].(*model.Artifact)
+	assert.Equal(tester, "myNewDesc", newArtifact.Description)
+
+	// Should have preserved read-only props
+	assert.Equal(tester, "myArtifactType", newArtifact.ArtifactType)
+	assert.Equal(tester, "myGroupType", newArtifact.GroupType)
+	assert.Equal(tester, "myGroupId", newArtifact.GroupId)
+	assert.Equal(tester, "myStreamId", newArtifact.StreamId)
+	assert.Equal(tester, "myMimeType", newArtifact.MimeType)
+	assert.Equal(tester, "myValue", newArtifact.Value)
+	assert.Equal(tester, 123, newArtifact.StreamLen)
+}
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 6d5e523a..3199534e 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -57,6 +57,7 @@ type ElasticEventstore struct {
 	fieldDefs         map[string]*FieldDefinition
 	intervals         int
 	asyncThreshold    int
+	maxLogLength      int
 }
 
 func NewElasticEventstore(srv *server.Server) *ElasticEventstore {
@@ -80,7 +81,8 @@ func (store *ElasticEventstore) Init(hostUrl string,
 	cacheMs int,
 	index string,
 	asyncThreshold int,
-	intervals int) error {
+	intervals int,
+	maxLogLength int) error {
 	store.timeShiftMs = timeShiftMs
 	store.defaultDurationMs = defaultDurationMs
 	store.esSearchOffsetMs = esSearchOffsetMs
@@ -89,6 +91,7 @@ func (store *ElasticEventstore) Init(hostUrl string,
 	store.timeoutMs = time.Duration(timeoutMs) * time.Millisecond
 	store.cacheMs = time.Duration(cacheMs) * time.Millisecond
 	store.intervals = intervals
+	store.maxLogLength = maxLogLength
 
 	var err error
 	store.esClient, err = store.makeEsClient(hostUrl, user, pass, verifyCert)
@@ -109,6 +112,13 @@ func (store *ElasticEventstore) Init(hostUrl string,
 	return err
 }
 
+func (store *ElasticEventstore) truncate(input string) string {
+	if len(input) > store.maxLogLength {
+		return input[:store.maxLogLength] + "..."
+	}
+	return input
+}
+
 func (store *ElasticEventstore) makeEsClient(host string, user string, pass string, verifyCert bool) (*elasticsearch.Client, error) {
 	var esClient *elasticsearch.Client
 
@@ -321,7 +331,7 @@ func (store *ElasticEventstore) readJsonFromResponse(res *esapi.Response) (strin
 
 func (store *ElasticEventstore) indexSearch(ctx context.Context, query string, indexes []string) (string, error) {
 	log.WithFields(log.Fields{
-		"query":     query,
+		"query":     store.truncate(query),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Info("Searching Elasticsearch")
 	var json string
@@ -337,7 +347,7 @@ func (store *ElasticEventstore) indexSearch(ctx context.Context, query string, i
 		json, err = store.readJsonFromResponse(res)
 	}
 	log.WithFields(log.Fields{
-		"response":  json,
+		"response":  store.truncate(json),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Search finished")
 	return json, err
@@ -347,7 +357,7 @@ func (store *ElasticEventstore) indexDocument(ctx context.Context, index string,
 	log.WithFields(log.Fields{
 		"index":     index,
 		"id":        id,
-		"document":  document,
+		"document":  store.truncate(document),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Adding document to Elasticsearch")
 
@@ -364,7 +374,7 @@ func (store *ElasticEventstore) indexDocument(ctx context.Context, index string,
 	json, err := store.readJsonFromResponse(res)
 
 	log.WithFields(log.Fields{
-		"response":  json,
+		"response":  store.truncate(json),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Index new document finished")
 	return json, err
@@ -393,7 +403,7 @@ func (store *ElasticEventstore) deleteDocument(ctx context.Context, index string
 	log.WithFields(log.Fields{
 		"index":     index,
 		"id":        id,
-		"response":  json,
+		"response":  store.truncate(json),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Delete document finished")
 	return json, err
@@ -401,7 +411,7 @@ func (store *ElasticEventstore) deleteDocument(ctx context.Context, index string
 
 func (store *ElasticEventstore) updateDocuments(ctx context.Context, client *elasticsearch.Client, query string, indexes []string, waitForCompletion bool) (string, error) {
 	log.WithFields(log.Fields{
-		"query":     query,
+		"query":     store.truncate(query),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Updating documents in Elasticsearch")
 	var json string
@@ -419,7 +429,7 @@ func (store *ElasticEventstore) updateDocuments(ctx context.Context, client *ela
 		json, err = store.readJsonFromResponse(res)
 	}
 	log.WithFields(log.Fields{
-		"response":  json,
+		"response":  store.truncate(json),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Update finished")
 	return json, err
@@ -449,7 +459,7 @@ func (store *ElasticEventstore) refreshCacheFromFieldCaps(ctx context.Context) e
 	if err == nil {
 		defer res.Body.Close()
 		json, err = store.readJsonFromResponse(res)
-		log.WithFields(log.Fields{"response": json}).Debug("Fetch finished")
+		log.WithFields(log.Fields{"response": store.truncate(json)}).Debug("Fetch finished")
 		store.cacheFieldsFromJson(json)
 	} else {
 		log.WithError(err).Error("Failed to refresh cache from index patterns")
@@ -520,7 +530,7 @@ func (store *ElasticEventstore) clusterState(ctx context.Context) (string, error
 			err = errors.New(errorType + ": " + errorReason + " -> " + errorDetails)
 		}
 	}
-	log.WithFields(log.Fields{"response": json}).Debug("Refresh Finished")
+	log.WithFields(log.Fields{"response": store.truncate(json)}).Debug("Refresh Finished")
 	return json, err
 }
 
@@ -579,18 +589,18 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 	filter := model.NewFilter()
 	json, err := store.luceneSearch(ctx, query)
 	log.WithFields(log.Fields{
-		"query":     query,
-		"response":  json,
+		"query":     store.truncate(query),
+		"response":  store.truncate(json),
 		"requestId": ctx.Value(web.ContextKeyRequestId),
 	}).Debug("Elasticsearch primary search finished")
 	if err != nil {
-		log.WithField("query", query).WithError(err).Error("Unable to lookup initial document record")
+		log.WithField("query", store.truncate(query)).WithError(err).Error("Unable to lookup initial document record")
 		return err
 	}
 
 	hits := gjson.Get(json, "hits.total.value").Int()
 	if hits == 0 {
-		log.WithField("query", query).Error("Pivoted document record was not found")
+		log.WithField("query", store.truncate(query)).Error("Pivoted document record was not found")
 		return errors.New("Unable to locate document record")
 	}
 
@@ -621,16 +631,16 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 
 		json, err = store.luceneSearch(ctx, query)
 		log.WithFields(log.Fields{
-			"query":    query,
-			"response": json,
+			"query":    store.truncate(query),
+			"response": store.truncate(json),
 		}).Debug("Elasticsearch tunnel search finished")
 		if err != nil {
-			log.WithField("query", query).WithError(err).Error("Unable to lookup tunnel record")
+			log.WithField("query", store.truncate(query)).WithError(err).Error("Unable to lookup tunnel record")
 			return err
 		}
 		hits := gjson.Get(json, "hits.total.value").Int()
 		if hits == 0 {
-			log.WithField("query", query).Error("Tunnel record was not found")
+			log.WithField("query", store.truncate(query)).Error("Tunnel record was not found")
 			return errors.New("Unable to locate encapsulating tunnel record")
 		}
 	}
@@ -661,15 +671,15 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 					zeekFileQuery, rangeFilter)
 				json, err = store.luceneSearch(ctx, query)
 				log.WithFields(log.Fields{
-					"query":     query,
-					"response":  json,
+					"query":     store.truncate(query),
+					"response":  store.truncate(json),
 					"requestId": ctx.Value(web.ContextKeyRequestId),
 				}).Debug("Elasticsearch Zeek File search finished")
 
 				if err != nil {
 					log.WithFields(log.Fields{
-						"query":         query,
-						"zeekFileQuery": zeekFileQuery,
+						"query":         store.truncate(query),
+						"zeekFileQuery": store.truncate(zeekFileQuery),
 						"requestId":     ctx.Value(web.ContextKeyRequestId),
 					}).WithError(err).Error("Unable to lookup Zeek File record")
 					return err
@@ -678,8 +688,8 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 				hits = gjson.Get(json, "hits.total.value").Int()
 				if hits == 0 {
 					log.WithFields(log.Fields{
-						"query":         query,
-						"zeekFileQuery": zeekFileQuery,
+						"query":         store.truncate(query),
+						"zeekFileQuery": store.truncate(zeekFileQuery),
 						"requestId":     ctx.Value(web.ContextKeyRequestId),
 					}).Error("Zeek File record was not found")
 					return errors.New("Unable to locate Zeek File record")
@@ -690,8 +700,8 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 
 			if len(uid) == 0 {
 				log.WithFields(log.Fields{
-					"query":         query,
-					"zeekFileQuery": zeekFileQuery,
+					"query":         store.truncate(query),
+					"zeekFileQuery": store.truncate(zeekFileQuery),
 					"requestId":     ctx.Value(web.ContextKeyRequestId),
 				}).Warn("Zeek File record is missing a UID")
 				return errors.New("No valid Zeek connection ID found")
@@ -703,14 +713,14 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 			uid, rangeFilter)
 		json, err = store.luceneSearch(ctx, query)
 		log.WithFields(log.Fields{
-			"query":     query,
-			"response":  json,
+			"query":     store.truncate(query),
+			"response":  store.truncate(json),
 			"requestId": ctx.Value(web.ContextKeyRequestId),
 		}).Debug("Elasticsearch Zeek search finished")
 
 		if err != nil {
 			log.WithFields(log.Fields{
-				"query":     query,
+				"query":     store.truncate(query),
 				"uid":       uid,
 				"requestId": ctx.Value(web.ContextKeyRequestId),
 			}).WithError(err).Error("Unable to lookup Zeek record")
@@ -720,7 +730,7 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 		hits = gjson.Get(json, "hits.total.value").Int()
 		if hits == 0 {
 			log.WithFields(log.Fields{
-				"query":     query,
+				"query":     store.truncate(query),
 				"uid":       uid,
 				"requestId": ctx.Value(web.ContextKeyRequestId),
 			}).Error("Zeek record was not found")
@@ -771,7 +781,7 @@ func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idF
 
 	if len(filter.SrcIp) == 0 || len(filter.DstIp) == 0 || filter.SrcPort == 0 || filter.DstPort == 0 {
 		log.WithFields(log.Fields{
-			"query":     query,
+			"query":     store.truncate(query),
 			"uid":       uid,
 			"requestId": ctx.Value(web.ContextKeyRequestId),
 		}).Warn("Unable to lookup PCAP due to missing TCP/UDP parameters")
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index e151eaa7..ccd85a39 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -16,7 +16,6 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
-  "io"
   "net/http"
 )
 
@@ -124,14 +123,26 @@ func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*mod
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error {
+func (store *ElasticCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error) {
+  return "", errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 3b532552..879df107 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -15,7 +15,6 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
-  "io"
   "net/http"
   "strconv"
   "strings"
@@ -129,14 +128,26 @@ func (store *HttpCasestore) GetArtifact(ctx context.Context, id string) (*model.
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+func (store *HttpCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *HttpCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+func (store *HttpCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *HttpCasestore) DeleteArtifact(ctx context.Context, id string) error {
+func (store *HttpCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error) {
+  return "", errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *HttpCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index dc6d6fdb..1e4143cb 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -16,7 +16,6 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/server"
   "github.com/security-onion-solutions/securityonion-soc/web"
-  "io"
   "net/http"
 )
 
@@ -122,14 +121,26 @@ func (store *TheHiveCasestore) GetArtifact(ctx context.Context, id string) (*mod
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string) (io.ReadCloser, error) {
+func (store *TheHiveCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *TheHiveCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error) {
+func (store *TheHiveCasestore) DeleteArtifact(ctx context.Context, id string) error {
+  return errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error) {
   return nil, errors.New("Unsupported operation by this module")
 }
 
-func (store *TheHiveCasestore) DeleteArtifact(ctx context.Context, id string) error {
+func (store *TheHiveCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error) {
+  return "", errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error) {
+  return nil, errors.New("Unsupported operation by this module")
+}
+
+func (store *TheHiveCasestore) DeleteArtifactStream(ctx context.Context, id string) error {
   return errors.New("Unsupported operation by this module")
 }
diff --git a/web/basehandler.go b/web/basehandler.go
index 2e0c3be5..40758973 100644
--- a/web/basehandler.go
+++ b/web/basehandler.go
@@ -16,12 +16,12 @@ import (
   "context"
   "encoding/json"
   "errors"
+  "github.com/apex/log"
+  "github.com/security-onion-solutions/securityonion-soc/model"
   "net/http"
   "reflect"
   "strings"
   "time"
-  "github.com/apex/log"
-  "github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type HandlerImpl interface {
@@ -29,13 +29,13 @@ type HandlerImpl interface {
 }
 
 type BaseHandler struct {
-  Host					*Host
-  Impl					HandlerImpl
+  Host *Host
+  Impl HandlerImpl
 }
 
 func (handler *BaseHandler) Handle(responseWriter http.ResponseWriter, request *http.Request) {
   var statusCode, contentLength int
- 	var err error
+  var err error
 
   defer request.Body.Close()
   start := time.Now()
@@ -55,10 +55,10 @@ func (handler *BaseHandler) Handle(responseWriter http.ResponseWriter, request *
 
   if err != nil {
     log.WithError(err).WithFields(log.Fields{
-	    "requestId": context.Value(ContextKeyRequestId),
-	    "requestor": context.Value(ContextKeyRequestor),
+      "requestId": context.Value(ContextKeyRequestId),
+      "requestor": context.Value(ContextKeyRequestor),
     }).Warn("Request did not complete successfully")
-  
+
     var unauthorizedError *model.Unauthorized
     if errors.As(err, &unauthorizedError) {
       statusCode = http.StatusUnauthorized
@@ -71,17 +71,17 @@ func (handler *BaseHandler) Handle(responseWriter http.ResponseWriter, request *
     responseWriter.Write(bytes)
   }
   log.WithFields(log.Fields{
-    "remoteAddr": request.RemoteAddr,
-    "sourceIp": handler.Host.GetSourceIp(request),
-    "path": request.URL.Path,
-    "query": request.URL.Query(),
-    "impl": reflect.TypeOf(handler.Impl),
-    "statusCode": statusCode,
+    "remoteAddr":    request.RemoteAddr,
+    "sourceIp":      handler.Host.GetSourceIp(request),
+    "path":          request.URL.Path,
+    "query":         request.URL.Query(),
+    "impl":          reflect.TypeOf(handler.Impl),
+    "statusCode":    statusCode,
     "contentLength": contentLength,
-    "method": request.Method,
-    "elapsedMs": elapsed,
-    "requestId": context.Value(ContextKeyRequestId),
-    "requestor": context.Value(ContextKeyRequestor),
+    "method":        request.Method,
+    "elapsedMs":     elapsed,
+    "requestId":     context.Value(ContextKeyRequestId),
+    "requestor":     context.Value(ContextKeyRequestor),
   }).Info("Handled request")
 }
 
@@ -115,9 +115,9 @@ func (handler *BaseHandler) ReadJson(request *http.Request, obj interface{}) err
 
 func (handler *BaseHandler) GetPathParameter(path string, paramIndex int) string {
   p := strings.Split(path, "/")
-  if paramIndex < 0 || paramIndex + 1 >= len(p) {
+  if paramIndex < 0 || paramIndex+1 >= len(p) {
     return ""
   } else {
-    return p[paramIndex + 1]
+    return p[paramIndex+1]
   }
-}
\ No newline at end of file
+}

From bef14225733faf1d5bb42c8f67994c3330ee7700 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 10:09:12 -0500
Subject: [PATCH 38/98] Add markdown support for case desc, comment desc,
 observable desc; sanitize markdown html

---
 html/index.html                      | 9 +++++----
 html/js/app.js                       | 9 +++++++++
 html/js/external/purify-2.3.4.min.js | 2 ++
 html/js/routes/home.js               | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 html/js/external/purify-2.3.4.min.js

diff --git a/html/index.html b/html/index.html
index 05dbec94..01d04554 100644
--- a/html/index.html
+++ b/html/index.html
@@ -259,7 +259,7 @@ <h2 v-text="i18n.home"></h2>
         </v-row>
         <v-row>
           <v-col class="mx-auto px-12">
-            <div id="motd" v-html="motd"></div>
+            <div id="motd" :inner-html.prop="motd | formatMarkdown"></div>
           </v-col>
           <v-col class="mx-auto text-center">
             <div v-html="i18n.sponsorsIntro" class="mb-6"></div>
@@ -1242,7 +1242,7 @@ <h2>Description</h2>
             <div class="mb-6 mb-md-3">
               <div class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
                 <div class="d-block">
-                  <div id="case-description" class="rounded case">{{ caseObj.description }}</div>
+                  <div id="case-description" class="rounded case" :inner-html.prop="caseObj.description | formatMarkdown"></div>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
@@ -1293,7 +1293,7 @@ <h2>Description</h2>
                           <div class="d-flex flex-column align-start">
                             <div class="case d-flex align-start" v-if="!isEdit(`comment-${index}`)">
                               <div class="d-block mb-8">
-                                <div :id="`comment-${index}`" class="case detail-field">{{ comment.description }}</div>
+                                <div :id="`comment-${index}`" class="case detail-field" :inner-html.prop="comment.description | formatMarkdown"></div>
                               </div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
@@ -1398,7 +1398,7 @@ <h2>Description</h2>
                           <v-container fluid class="my-2">
                             <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-description-input`, props.item.description, `artifact-${props.index}-description`, 'description', modifyAssociation, ['artifacts', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`artifact-${props.index}-description`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-description`)">{{ withDefault(props.item.description) }}</div>
+                              <div id="`artifact-${props.index}-description`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`artifact-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
@@ -2155,6 +2155,7 @@ <h2 v-text="i18n.settingsTitle"></h2>
     <script src="js/external/vue-chartjs-3.5.1.min.js"></script>
     <script src="js/external/daterangepicker-3.1.0.min.js"></script>
     <script src="js/external/marked-2.1.3.min.js"></script>
+    <script src="js/external/purify-2.3.4.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/app.js b/html/js/app.js
index 4eefc032..ff087449 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -429,6 +429,14 @@ $(document).ready(function() {
         }
         return "";
       },
+      formatMarkdown(str) {
+        var md = str;
+        if (str) {
+          md = marked(str);
+          md = DOMPurify.sanitize(md);
+        }
+        return md;
+      },
       generateDatePickerPreselects() {
         var preselects = {};
         preselects[this.i18n.datePreselectToday] = [moment().startOf('day'), moment().endOf('day')];
@@ -755,6 +763,7 @@ $(document).ready(function() {
       Vue.filter('formatDateTime', this.formatDateTime);
       Vue.filter('formatDuration', this.formatDuration);
       Vue.filter('formatCount', this.formatCount);
+      Vue.filter('formatMarkdown', this.formatMarkdown);
       Vue.filter('formatTimestamp', this.formatTimestamp);
       $('#app')[0].style.display = "block";
       this.log("Initialization complete");
diff --git a/html/js/external/purify-2.3.4.min.js b/html/js/external/purify-2.3.4.min.js
new file mode 100644
index 00000000..de5624ae
--- /dev/null
+++ b/html/js/external/purify-2.3.4.min.js
@@ -0,0 +1,2 @@
+/*! @license DOMPurify 2.3.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.4/LICENSE */
+!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e=e||self).DOMPurify=t()}(this,(function(){"use strict";var e=Object.hasOwnProperty,t=Object.setPrototypeOf,n=Object.isFrozen,r=Object.getPrototypeOf,o=Object.getOwnPropertyDescriptor,i=Object.freeze,a=Object.seal,l=Object.create,c="undefined"!=typeof Reflect&&Reflect,s=c.apply,u=c.construct;s||(s=function(e,t,n){return e.apply(t,n)}),i||(i=function(e){return e}),a||(a=function(e){return e}),u||(u=function(e,t){return new(Function.prototype.bind.apply(e,[null].concat(function(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}(t))))});var m,f=A(Array.prototype.forEach),d=A(Array.prototype.pop),p=A(Array.prototype.push),h=A(String.prototype.toLowerCase),g=A(String.prototype.match),y=A(String.prototype.replace),v=A(String.prototype.indexOf),b=A(String.prototype.trim),T=A(RegExp.prototype.test),N=(m=TypeError,function(){for(var e=arguments.length,t=Array(e),n=0;n<e;n++)t[n]=arguments[n];return u(m,t)});function A(e){return function(t){for(var n=arguments.length,r=Array(n>1?n-1:0),o=1;o<n;o++)r[o-1]=arguments[o];return s(e,t,r)}}function E(e,r){t&&t(e,null);for(var o=r.length;o--;){var i=r[o];if("string"==typeof i){var a=h(i);a!==i&&(n(r)||(r[o]=a),i=a)}e[i]=!0}return e}function x(t){var n=l(null),r=void 0;for(r in t)s(e,t,[r])&&(n[r]=t[r]);return n}function k(e,t){for(;null!==e;){var n=o(e,t);if(n){if(n.get)return A(n.get);if("function"==typeof n.value)return A(n.value)}e=r(e)}return function(e){return console.warn("fallback value for",e),null}}var S=i(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dialog","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),w=i(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","view","vkern"]),_=i(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),O=i(["animate","color-profile","cursor","discard","fedropshadow","font-face","font-face-format","font-face-name","font-face-src","font-face-uri","foreignobject","hatch","hatchpath","mesh","meshgradient","meshpatch","meshrow","missing-glyph","script","set","solidcolor","unknown","use"]),D=i(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),M=i(["maction","maligngroup","malignmark","mlongdiv","mscarries","mscarry","msgroup","mstack","msline","msrow","semantics","annotation","annotation-xml","mprescripts","none"]),C=i(["#text"]),L=i(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpicture","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","nonce","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns","slot"]),R=i(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),I=i(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),F=i(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),H=a(/\{\{[\s\S]*|[\s\S]*\}\}/gm),U=a(/<%[\s\S]*|[\s\S]*%>/gm),z=a(/^data-[\-\w.\u00B7-\uFFFF]/),B=a(/^aria-[\-\w]+$/),j=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),P=a(/^(?:\w+script|data):/i),G=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),W="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e};function q(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}var Y=function(){return"undefined"==typeof window?null:window},K=function(e,t){if("object"!==(void 0===e?"undefined":W(e))||"function"!=typeof e.createPolicy)return null;var n=null,r="data-tt-policy-suffix";t.currentScript&&t.currentScript.hasAttribute(r)&&(n=t.currentScript.getAttribute(r));var o="dompurify"+(n?"#"+n:"");try{return e.createPolicy(o,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+o+" could not be created."),null}};return function e(){var t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:Y(),n=function(t){return e(t)};if(n.version="2.3.4",n.removed=[],!t||!t.document||9!==t.document.nodeType)return n.isSupported=!1,n;var r=t.document,o=t.document,a=t.DocumentFragment,l=t.HTMLTemplateElement,c=t.Node,s=t.Element,u=t.NodeFilter,m=t.NamedNodeMap,A=void 0===m?t.NamedNodeMap||t.MozNamedAttrMap:m,V=t.HTMLFormElement,X=t.DOMParser,$=t.trustedTypes,Z=s.prototype,J=k(Z,"cloneNode"),Q=k(Z,"nextSibling"),ee=k(Z,"childNodes"),te=k(Z,"parentNode");if("function"==typeof l){var ne=o.createElement("template");ne.content&&ne.content.ownerDocument&&(o=ne.content.ownerDocument)}var re=K($,r),oe=re&&Fe?re.createHTML(""):"",ie=o,ae=ie.implementation,le=ie.createNodeIterator,ce=ie.createDocumentFragment,se=ie.getElementsByTagName,ue=r.importNode,me={};try{me=x(o).documentMode?o.documentMode:{}}catch(e){}var fe={};n.isSupported="function"==typeof te&&ae&&void 0!==ae.createHTMLDocument&&9!==me;var de=H,pe=U,he=z,ge=B,ye=P,ve=G,be=j,Te=null,Ne=E({},[].concat(q(S),q(w),q(_),q(D),q(C))),Ae=null,Ee=E({},[].concat(q(L),q(R),q(I),q(F))),xe=Object.seal(Object.create(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),ke=null,Se=null,we=!0,_e=!0,Oe=!1,De=!1,Me=!1,Ce=!1,Le=!1,Re=!1,Ie=!1,Fe=!1,He=!0,Ue=!0,ze=!1,Be={},je=null,Pe=E({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]),Ge=null,We=E({},["audio","video","img","source","image","track"]),qe=null,Ye=E({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),Ke="http://www.w3.org/1998/Math/MathML",Ve="http://www.w3.org/2000/svg",Xe="http://www.w3.org/1999/xhtml",$e=Xe,Ze=!1,Je=void 0,Qe=["application/xhtml+xml","text/html"],et="text/html",tt=void 0,nt=null,rt=o.createElement("form"),ot=function(e){return e instanceof RegExp||e instanceof Function},it=function(e){nt&&nt===e||(e&&"object"===(void 0===e?"undefined":W(e))||(e={}),e=x(e),Te="ALLOWED_TAGS"in e?E({},e.ALLOWED_TAGS):Ne,Ae="ALLOWED_ATTR"in e?E({},e.ALLOWED_ATTR):Ee,qe="ADD_URI_SAFE_ATTR"in e?E(x(Ye),e.ADD_URI_SAFE_ATTR):Ye,Ge="ADD_DATA_URI_TAGS"in e?E(x(We),e.ADD_DATA_URI_TAGS):We,je="FORBID_CONTENTS"in e?E({},e.FORBID_CONTENTS):Pe,ke="FORBID_TAGS"in e?E({},e.FORBID_TAGS):{},Se="FORBID_ATTR"in e?E({},e.FORBID_ATTR):{},Be="USE_PROFILES"in e&&e.USE_PROFILES,we=!1!==e.ALLOW_ARIA_ATTR,_e=!1!==e.ALLOW_DATA_ATTR,Oe=e.ALLOW_UNKNOWN_PROTOCOLS||!1,De=e.SAFE_FOR_TEMPLATES||!1,Me=e.WHOLE_DOCUMENT||!1,Re=e.RETURN_DOM||!1,Ie=e.RETURN_DOM_FRAGMENT||!1,Fe=e.RETURN_TRUSTED_TYPE||!1,Le=e.FORCE_BODY||!1,He=!1!==e.SANITIZE_DOM,Ue=!1!==e.KEEP_CONTENT,ze=e.IN_PLACE||!1,be=e.ALLOWED_URI_REGEXP||be,$e=e.NAMESPACE||Xe,e.CUSTOM_ELEMENT_HANDLING&&ot(e.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(xe.tagNameCheck=e.CUSTOM_ELEMENT_HANDLING.tagNameCheck),e.CUSTOM_ELEMENT_HANDLING&&ot(e.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(xe.attributeNameCheck=e.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),e.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof e.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(xe.allowCustomizedBuiltInElements=e.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),Je=Je=-1===Qe.indexOf(e.PARSER_MEDIA_TYPE)?et:e.PARSER_MEDIA_TYPE,tt="application/xhtml+xml"===Je?function(e){return e}:h,De&&(_e=!1),Ie&&(Re=!0),Be&&(Te=E({},[].concat(q(C))),Ae=[],!0===Be.html&&(E(Te,S),E(Ae,L)),!0===Be.svg&&(E(Te,w),E(Ae,R),E(Ae,F)),!0===Be.svgFilters&&(E(Te,_),E(Ae,R),E(Ae,F)),!0===Be.mathMl&&(E(Te,D),E(Ae,I),E(Ae,F))),e.ADD_TAGS&&(Te===Ne&&(Te=x(Te)),E(Te,e.ADD_TAGS)),e.ADD_ATTR&&(Ae===Ee&&(Ae=x(Ae)),E(Ae,e.ADD_ATTR)),e.ADD_URI_SAFE_ATTR&&E(qe,e.ADD_URI_SAFE_ATTR),e.FORBID_CONTENTS&&(je===Pe&&(je=x(je)),E(je,e.FORBID_CONTENTS)),Ue&&(Te["#text"]=!0),Me&&E(Te,["html","head","body"]),Te.table&&(E(Te,["tbody"]),delete ke.tbody),i&&i(e),nt=e)},at=E({},["mi","mo","mn","ms","mtext"]),lt=E({},["foreignobject","desc","title","annotation-xml"]),ct=E({},w);E(ct,_),E(ct,O);var st=E({},D);E(st,M);var ut=function(e){var t=te(e);t&&t.tagName||(t={namespaceURI:Xe,tagName:"template"});var n=h(e.tagName),r=h(t.tagName);if(e.namespaceURI===Ve)return t.namespaceURI===Xe?"svg"===n:t.namespaceURI===Ke?"svg"===n&&("annotation-xml"===r||at[r]):Boolean(ct[n]);if(e.namespaceURI===Ke)return t.namespaceURI===Xe?"math"===n:t.namespaceURI===Ve?"math"===n&&lt[r]:Boolean(st[n]);if(e.namespaceURI===Xe){if(t.namespaceURI===Ve&&!lt[r])return!1;if(t.namespaceURI===Ke&&!at[r])return!1;var o=E({},["title","style","font","a","script"]);return!st[n]&&(o[n]||!ct[n])}return!1},mt=function(e){p(n.removed,{element:e});try{e.parentNode.removeChild(e)}catch(t){try{e.outerHTML=oe}catch(t){e.remove()}}},ft=function(e,t){try{p(n.removed,{attribute:t.getAttributeNode(e),from:t})}catch(e){p(n.removed,{attribute:null,from:t})}if(t.removeAttribute(e),"is"===e&&!Ae[e])if(Re||Ie)try{mt(t)}catch(e){}else try{t.setAttribute(e,"")}catch(e){}},dt=function(e){var t=void 0,n=void 0;if(Le)e="<remove></remove>"+e;else{var r=g(e,/^[\r\n\t ]+/);n=r&&r[0]}"application/xhtml+xml"===Je&&(e='<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>'+e+"</body></html>");var i=re?re.createHTML(e):e;if($e===Xe)try{t=(new X).parseFromString(i,Je)}catch(e){}if(!t||!t.documentElement){t=ae.createDocument($e,"template",null);try{t.documentElement.innerHTML=Ze?"":i}catch(e){}}var a=t.body||t.documentElement;return e&&n&&a.insertBefore(o.createTextNode(n),a.childNodes[0]||null),$e===Xe?se.call(t,Me?"html":"body")[0]:Me?t.documentElement:a},pt=function(e){return le.call(e.ownerDocument||e,e,u.SHOW_ELEMENT|u.SHOW_COMMENT|u.SHOW_TEXT,null,!1)},ht=function(e){return e instanceof V&&("string"!=typeof e.nodeName||"string"!=typeof e.textContent||"function"!=typeof e.removeChild||!(e.attributes instanceof A)||"function"!=typeof e.removeAttribute||"function"!=typeof e.setAttribute||"string"!=typeof e.namespaceURI||"function"!=typeof e.insertBefore)},gt=function(e){return"object"===(void 0===c?"undefined":W(c))?e instanceof c:e&&"object"===(void 0===e?"undefined":W(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},yt=function(e,t,r){fe[e]&&f(fe[e],(function(e){e.call(n,t,r,nt)}))},vt=function(e){var t=void 0;if(yt("beforeSanitizeElements",e,null),ht(e))return mt(e),!0;if(g(e.nodeName,/[\u0080-\uFFFF]/))return mt(e),!0;var r=tt(e.nodeName);if(yt("uponSanitizeElement",e,{tagName:r,allowedTags:Te}),!gt(e.firstElementChild)&&(!gt(e.content)||!gt(e.content.firstElementChild))&&T(/<[/\w]/g,e.innerHTML)&&T(/<[/\w]/g,e.textContent))return mt(e),!0;if("select"===r&&T(/<template/i,e.innerHTML))return mt(e),!0;if(!Te[r]||ke[r]){if(Ue&&!je[r]){var o=te(e)||e.parentNode,i=ee(e)||e.childNodes;if(i&&o)for(var a=i.length-1;a>=0;--a)o.insertBefore(J(i[a],!0),Q(e))}if(!ke[r]&&Tt(r)){if(xe.tagNameCheck instanceof RegExp&&T(xe.tagNameCheck,r))return!1;if(xe.tagNameCheck instanceof Function&&xe.tagNameCheck(r))return!1}return mt(e),!0}return e instanceof s&&!ut(e)?(mt(e),!0):"noscript"!==r&&"noembed"!==r||!T(/<\/no(script|embed)/i,e.innerHTML)?(De&&3===e.nodeType&&(t=e.textContent,t=y(t,de," "),t=y(t,pe," "),e.textContent!==t&&(p(n.removed,{element:e.cloneNode()}),e.textContent=t)),yt("afterSanitizeElements",e,null),!1):(mt(e),!0)},bt=function(e,t,n){if(He&&("id"===t||"name"===t)&&(n in o||n in rt))return!1;if(_e&&!Se[t]&&T(he,t));else if(we&&T(ge,t));else if(!Ae[t]||Se[t]){if(!(Tt(e)&&(xe.tagNameCheck instanceof RegExp&&T(xe.tagNameCheck,e)||xe.tagNameCheck instanceof Function&&xe.tagNameCheck(e))&&(xe.attributeNameCheck instanceof RegExp&&T(xe.attributeNameCheck,t)||xe.attributeNameCheck instanceof Function&&xe.attributeNameCheck(t))||"is"===t&&xe.allowCustomizedBuiltInElements&&(xe.tagNameCheck instanceof RegExp&&T(xe.tagNameCheck,n)||xe.tagNameCheck instanceof Function&&xe.tagNameCheck(n))))return!1}else if(qe[t]);else if(T(be,y(n,ve,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==v(n,"data:")||!Ge[e]){if(Oe&&!T(ye,y(n,ve,"")));else if(n)return!1}else;return!0},Tt=function(e){return e.indexOf("-")>0},Nt=function(e){var t=void 0,r=void 0,o=void 0,i=void 0;yt("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Ae};for(i=a.length;i--;){var c=t=a[i],s=c.name,u=c.namespaceURI;if(r=b(t.value),o=tt(s),l.attrName=o,l.attrValue=r,l.keepAttr=!0,l.forceKeepAttr=void 0,yt("uponSanitizeAttribute",e,l),r=l.attrValue,!l.forceKeepAttr&&(ft(s,e),l.keepAttr))if(T(/\/>/i,r))ft(s,e);else{De&&(r=y(r,de," "),r=y(r,pe," "));var m=tt(e.nodeName);if(bt(m,o,r))try{u?e.setAttributeNS(u,s,r):e.setAttribute(s,r),d(n.removed)}catch(e){}}}yt("afterSanitizeAttributes",e,null)}},At=function e(t){var n=void 0,r=pt(t);for(yt("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)yt("uponSanitizeShadowNode",n,null),vt(n)||(n.content instanceof a&&e(n.content),Nt(n));yt("afterSanitizeShadowDOM",t,null)};return n.sanitize=function(e,o){var i=void 0,l=void 0,s=void 0,u=void 0,m=void 0;if((Ze=!e)&&(e="\x3c!--\x3e"),"string"!=typeof e&&!gt(e)){if("function"!=typeof e.toString)throw N("toString is not a function");if("string"!=typeof(e=e.toString()))throw N("dirty is not a string, aborting")}if(!n.isSupported){if("object"===W(t.toStaticHTML)||"function"==typeof t.toStaticHTML){if("string"==typeof e)return t.toStaticHTML(e);if(gt(e))return t.toStaticHTML(e.outerHTML)}return e}if(Ce||it(o),n.removed=[],"string"==typeof e&&(ze=!1),ze);else if(e instanceof c)1===(l=(i=dt("\x3c!----\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===l.nodeName||"HTML"===l.nodeName?i=l:i.appendChild(l);else{if(!Re&&!De&&!Me&&-1===e.indexOf("<"))return re&&Fe?re.createHTML(e):e;if(!(i=dt(e)))return Re?null:oe}i&&Le&&mt(i.firstChild);for(var f=pt(ze?e:i);s=f.nextNode();)3===s.nodeType&&s===u||vt(s)||(s.content instanceof a&&At(s.content),Nt(s),u=s);if(u=null,ze)return e;if(Re){if(Ie)for(m=ce.call(i.ownerDocument);i.firstChild;)m.appendChild(i.firstChild);else m=i;return Ae.shadowroot&&(m=ue.call(r,m,!0)),m}var d=Me?i.outerHTML:i.innerHTML;return De&&(d=y(d,de," "),d=y(d,pe," ")),re&&Fe?re.createHTML(d):d},n.setConfig=function(e){it(e),Ce=!0},n.clearConfig=function(){nt=null,Ce=!1},n.isValidAttribute=function(e,t,n){nt||it({});var r=tt(e),o=tt(t);return bt(r,o,n)},n.addHook=function(e,t){"function"==typeof t&&(fe[e]=fe[e]||[],p(fe[e],t))},n.removeHook=function(e){fe[e]&&d(fe[e])},n.removeHooks=function(e){fe[e]&&(fe[e]=[])},n.removeAllHooks=function(){fe={}},n}()}));
diff --git a/html/js/routes/home.js b/html/js/routes/home.js
index 4a5526f7..a369db9f 100644
--- a/html/js/routes/home.js
+++ b/html/js/routes/home.js
@@ -24,7 +24,7 @@ routes.push({ path: '/', name: 'home', component: {
       try {
         const response = await this.$root.createApi().get('motd.md?v=' + Date.now());
         if (response.data) {
-          this.motd = marked(response.data);
+          this.motd = response.data;
         }
       } catch (error) {
         this.$root.showError(error);

From 86272ea7f0056b364ae9cc5c2ab34266b86e40c0 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 10:16:41 -0500
Subject: [PATCH 39/98] Add unit test for md

---
 html/js/app.test.js    | 5 +++++
 html/js/test_common.js | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/html/js/app.test.js b/html/js/app.test.js
index e9d14087..547bac35 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -43,6 +43,11 @@ test('base64encode', () => {
   expect(app.base64encode('hello')).toBe('aGVsbG8=');
 });
 
+test('formatMarkdown', () => {
+  expect(app.formatMarkdown('```code```')).toBe('<p><code>code</code></p>\n');
+  expect(app.formatMarkdown('<scripts src="https://somebad.place"></script>bad')).toBe('<p>bad</p>\n');
+});
+
 test('formatStringArray', () => {
   expect(app.formatStringArray(['hi','there','foo'])).toBe('hi, there, foo');
   expect(app.formatStringArray(['hi','there'])).toBe('hi, there');
diff --git a/html/js/test_common.js b/html/js/test_common.js
index 890a2bb9..c3ef7a9f 100644
--- a/html/js/test_common.js
+++ b/html/js/test_common.js
@@ -111,3 +111,5 @@ require('./app.js');
 // Import external dependencies
 ////////////////////////////////////
 global.moment = require('./external/moment-2.29.1.min.js');
+global.marked = require('./external/marked-2.1.3.min.js');
+global.DOMPurify = require('./external/purify-2.3.4.min.js');

From 8b2d7bef2a88a1f45382e282b981dd24baa81a97 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 14:23:01 -0500
Subject: [PATCH 40/98] refactor for additional artifact groups

---
 html/index.html             | 74 ++++++++++++++++++-------------------
 html/js/i18n.js             |  2 +
 html/js/routes/case.js      | 40 +++++++++++++-------
 html/js/routes/case.test.js | 10 ++---
 4 files changed, 70 insertions(+), 56 deletions(-)

diff --git a/html/index.html b/html/index.html
index 01d04554..368d4ffb 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1368,12 +1368,12 @@ <h2>Description</h2>
                 </v-tab-item>
 
                 <v-tab-item>
-                  <v-text-field v-model="associatedTable['artifacts'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
-                  <v-data-table ref="artifactsTable" :sort-by.sync="associatedTable['artifacts'].sortBy" :sort-desc.sync="associatedTable['artifacts'].sortDesc" :items-per-page.sync="associatedTable['artifacts'].itemsPerPage" 
-                    :search="associatedTable['artifacts'].search" :footer-props="associatedTable['artifacts'].footerProps" must-sort :headers="associatedTable['artifacts'].headers"
-                    :items="associations['artifacts']" item-key="id" :loading="associatedTable['artifacts'].loading" :expanded="associatedTable['artifacts'].expanded">
+                  <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage" 
+                    :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
+                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded">
                     <template v-slot:item="props">
-                      <tr @click="expandRow('artifacts', props.item)" class="expandable">
+                      <tr @click="expandRow('evidence', props.item)" class="expandable">
                         <td>{{ props.item.createTime | formatDateTime }}</td>
                         <td>{{ props.item.updateTime | formatDateTime }}</td>
                         <td class="case">
@@ -1396,14 +1396,14 @@ <h2>Description</h2>
                             </a>
                           </v-container>
                           <v-container fluid class="my-2">
-                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-description-input`, props.item.description, `artifact-${props.index}-description`, 'description', modifyAssociation, ['artifacts', props.item], true)">
+                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`artifact-${props.index}-description`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                              <div id="`evidence-${props.index}-description`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
-                            <div class="d-flex flex-column" v-if="isEdit(`artifact-${props.index}-description`)">
+                            <div class="d-flex flex-column" v-if="isEdit(`evidence-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
                                 <div class="mb-2">
-                                  <v-textarea full-width rows="3" multiline :id="`artifact-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                                  <v-textarea full-width rows="3" multiline :id="`evidence-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                                 </div>
                                 <div class="d-inline-flex justify-end">
                                   <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
@@ -1417,24 +1417,24 @@ <h2>Description</h2>
                             </div>
                           </v-container>
                           <v-container fluid class="my-2">
-                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-ioc-input`, props.item.ioc, `artifact-${props.index}-ioc`, 'ioc', modifyAssociation, ['artifacts', props.item])">
+                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
-                              <div id="`artifact-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
+                              <div id="`evidence-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
                             </div>
-                            <v-checkbox :id="`artifact-${props.index}-ioc-input`" v-if="isEdit(`artifact-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
+                            <v-checkbox :id="`evidence-${props.index}-ioc-input`" v-if="isEdit(`evidence-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
                           </v-container>
                           <v-container fluid class="my-2">
-                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-tlp-input`, props.item.tlp, `artifact-${props.index}-tlp`, 'tlp', modifyAssociation, ['artifacts', props.item])">
+                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
-                              <div id="`artifact-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
+                              <div id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
                             </div>
-                            <v-select :id="`artifact-${props.index}-tlp-input`" v-if="isEdit(`artifact-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
+                            <v-select :id="`evidence-${props.index}-tlp-input`" v-if="isEdit(`evidence-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
                               dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
                               v-model="editForm.val"
                               :items="selectList('tlp', props.item.tlp)"
                               v-on:change="stopEdit(true)"
                               />
-                              <v-combobox :id="`artifact-${props.index}-tlp-input`" v-if="isEdit(`artifact-${props.index}-tlp`) && isPresetCustomEnabled('tlp')"
+                              <v-combobox :id="`evidence-${props.index}-tlp-input`" v-if="isEdit(`evidence-${props.index}-tlp`) && isPresetCustomEnabled('tlp')"
                                 dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
                                 v-model="editForm.val"
                                 :items="selectList('tlp', props.item.tlp)"
@@ -1443,13 +1443,13 @@ <h2>Description</h2>
                             </v-select>
                           </v-container>
                           <v-container fluid class="my-2">
-                            <div class="clicktoedit" @click="startEdit(`artifact-${props.index}-tags-input`, props.item.tags, `artifact-${props.index}-tags`, 'tags', modifyAssociation, ['artifacts', props.item])">
+                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                              <div id="`artifact-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`artifact-${props.index}-tags`)">
+                              <div id="`evidence-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
                               </div>
                             </div>
-                            <v-select :id="`artifact-${props.index}-tags-input`" v-if="isEdit(`artifact-${props.index}-tags`) && !isPresetCustomEnabled('tags')"
+                            <v-select :id="`evidence-${props.index}-tags-input`" v-if="isEdit(`evidence-${props.index}-tags`) && !isPresetCustomEnabled('tags')"
                               dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
                               v-model="editForm.val"
                               :items="selectList('tags', props.item.tags)"
@@ -1458,7 +1458,7 @@ <h2>Description</h2>
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
                             </v-select>
-                            <v-combobox :id="`artifact-${props.index}-tags-input`" v-if="isEdit(`artifact-${props.index}-tags`) && isPresetCustomEnabled('tags')"
+                            <v-combobox :id="`evidence-${props.index}-tags-input`" v-if="isEdit(`evidence-${props.index}-tags`) && isPresetCustomEnabled('tags')"
                               dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
                               v-model="editForm.val"
                               :items="selectList('tags', props.item.tags)"
@@ -1484,7 +1484,7 @@ <h2>Description</h2>
                               {{ i18n.edited }}
                             </div>
                             <div class="ml-1 d-flex">
-                              <v-btn text small color="red" @click="deleteAssociation('artifacts', props.item)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                              <v-btn text small color="red" @click="deleteAssociation('evidence', props.item)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                             </div>
                           </div>
                         </td>
@@ -1497,7 +1497,7 @@ <h2>Description</h2>
                     </template>
                   </v-data-table>
                   <div class="text-xs-center pt-2 d-none">
-                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('artifacts', '/evidence')"></v-btn>
+                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('evidence')"></v-btn>
                   </div>
                   <v-row>
                     <v-col>
@@ -1506,21 +1506,21 @@ <h2>Description</h2>
                         <div class="d-flex flex-column" style="width: 100%;">
                         <div class="mb-2">
                           <a name="add"><h3>{{ i18n.evidenceAdd }}</h3></a>
-                          <v-form ref="artifacts" v-model="associatedForms['artifacts'].valid">
-                            <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['artifacts'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['artifacts'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-file-input v-if="associatedForms['artifacts'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
-                            <v-textarea v-if="associatedForms['artifacts'].artifactType != 'file'" rows="2" v-model="associatedForms['artifacts'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
-                            <v-textarea rows="2" v-model="associatedForms['artifacts'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
-                            <v-checkbox v-model="associatedForms['artifacts'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['artifacts'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['artifacts'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['artifacts'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                          <v-form ref="evidence" v-model="associatedForms['evidence'].valid">
+                            <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-file-input v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-textarea v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
+                            <v-textarea rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-checkbox v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
                             </v-select>
-                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['artifacts'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
@@ -1532,10 +1532,10 @@ <h2>Description</h2>
                       </div>
                       <div class="d-flex align-center align-self-end text-body-2 mt-2">
                       <div class="d-inline-flex justify-end">
-                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('artifacts')">
+                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('evidence')">
                         {{ i18n.cancel }}
                         </v-btn>
-                        <v-btn :disabled="!associatedForms['artifacts'].valid" text small color="primary" class="align-self-end" @click="addAssociation('artifacts', {'groupType': 'evidence'})">
+                        <v-btn :disabled="!associatedForms['evidence'].valid" text small color="primary" class="align-self-end" @click="addAssociation('evidence', {'groupType': 'evidence'})">
                         {{ i18n.add }}
                         </v-btn>
                       </div>
@@ -1623,7 +1623,7 @@ <h2>Description</h2>
                         <td>
                           <v-icon v-if="props.item.kind == 'case'">fa-briefcase</v-icon>
                           <v-icon v-if="props.item.kind == 'comment'">fa-comments</v-icon>
-                          <v-icon v-if="props.item.kind == 'artifact'">fa-eye</v-icon>
+                          <v-icon v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">fa-eye</v-icon>
                           <v-icon v-if="props.item.kind == 'related'">fa-link</v-icon>
                           <span class="rounded ml-2">{{ props.item.kind }}</span>
                         </td>
@@ -1690,7 +1690,7 @@ <h2>Description</h2>
                               </span>
                             </div>
                           </div>
-                          <div v-if="props.item.kind == 'artifact'">
+                          <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">
                             <div>
                               <span class="case label">{{ i18n.artifactGroupType }}:</span>
                               <span class="case value">{{ props.item.groupType }}</span>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 84c30725..76b85592 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -53,6 +53,7 @@ const i18n = {
       artifactTypeHelp: 'Select a type for classification purposes (Note: choose "file" type to upload a file)',
       artifactValue: 'Value (hash, filename, etc.)',
       artifactValueHelp: 'Specify the observed value',
+      attachments: 'Attachments',
       attachmentHelp: 'Click to attach a file to upload. (Note: max upload size is {maxUploadSizeBytes} bytes)',
       attempt: 'Attempt',
       author: 'Author',
@@ -200,6 +201,7 @@ const i18n = {
       field_soc_id: 'Event ID',
       field_soc_timestamp: 'Timestamp',
 
+      filename: 'Filename',
       fileTooLarge: 'The chosen file is too large to upload; max file size is {maxUploadSizeBytes} bytes',
       fileEmpty: 'The chosen file appears to have no content; consider using a "filename" artifact instead',
 
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 1d14ca20..7d4470e0 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -18,7 +18,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     associationsLoading: false,
     associations: {
       comments: [],
-      artifacts: [],
+      evidence: [],
       events: [],
       tasks: [],
       history: []
@@ -40,7 +40,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         expanded: [],
         loading: false,
       },
-      artifacts: {
+      evidence: {
         sortBy: 'createTime',
         sortDesc: false,
         search: '',
@@ -108,7 +108,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     expanded: [0, 1],
     associatedForms: {
       comments: {},
-      artifacts: {},
+      evidence: {},
     },
     editForm: {},
     mruCaseLimit: 5,
@@ -148,7 +148,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.maxUploadSizeBytes = params.maxUploadSizeBytes;
       }
       this.loadLocalSettings();
-      this.resetForm('artifacts');
+      this.resetForm('evidence');
       this.resetForm('comments');
     },
     getAttachmentHelp() {
@@ -163,6 +163,18 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       }
       return "";
     },
+    mapAssociatedPath(association, concatPath = false) {
+      var path = association;
+      switch (association) {
+        case 'evidence':
+          path = "artifacts";
+          if (concatPath) {
+            path += "/" + association
+          }
+          break;
+      }
+      return path;
+    },
     async loadAssociations() {
       this.associationsLoading = true;
 
@@ -172,8 +184,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.associations["tasks"] = [];
       this.loadAssociation('tasks');
 
-      this.associations["artifacts"] = [];
-      this.loadAssociation('artifacts', "/evidence");
+      this.associations["evidence"] = [];
+      this.loadAssociation('evidence');
 
       this.associations["events"] = [];
       this.loadAssociation('events');
@@ -183,19 +195,19 @@ routes.push({ path: '/case/:id', name: 'case', component: {
 
       this.associationsLoading = false;
     },
-    async loadAssociation(dataType, extraPath = "") {
+    async loadAssociation(association) {
       try {
         const route = this;
-        const response = await this.$root.papi.get('case/' + dataType + extraPath, { params: {
+        const response = await this.$root.papi.get('case/' + this.mapAssociatedPath(association, true), { params: {
           id: route.$route.params.id,
-          offset: route.associations[dataType].length,
-          count: route.associatedTable[dataType].count,
+          offset: route.associations[association].length,
+          count: route.associatedTable[association].count,
         }});
         if (response && response.data) {
           for (var idx = 0; idx < response.data.length; idx++) {
             const obj = response.data[idx];
             await this.$root.populateUserDetails(obj, "userId", "owner");
-            this.associations[dataType].push(obj);
+            this.associations[association].push(obj);
           }
         }
       } catch (error) {
@@ -343,7 +355,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           headers = { 'Content-Type': 'multipart/form-data; boundary=' + data._boundary }
           config = { 'headers': headers };
         }
-        const response = await this.$root.papi.post('case/' + association, data, config);
+        const response = await this.$root.papi.post('case/' + this.mapAssociatedPath(association), data, config);
         if (response.data) {
           await this.$root.populateUserDetails(response.data, "userId", "owner");
           this.associations[association].push(response.data);
@@ -365,7 +377,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         try {
           const form = this.prepareModifyForm(obj);
           if (form) {
-            const response = await this.$root.papi.put('case/' + association, JSON.stringify(form));
+            const response = await this.$root.papi.put('case/' + this.mapAssociatedPath(association), JSON.stringify(form));
             if (response.data) {
               await this.$root.populateUserDetails(response.data, "userId", "owner");
               Vue.set(this.associations[association], idx, response.data);
@@ -460,7 +472,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     resetForm(ref) {
       const form = { valid: false };
       switch (ref) {
-        case "artifacts": 
+        case "evidence": 
           form.tlp = this.getDefaultPreset('tlp');
           form.artifactType = this.getDefaultPreset('artifactType');
           break;
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 17ad4c26..8ce0bf10 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -129,7 +129,7 @@ test('loadAssociations', () => {
   
   expect(comp.loadAssociation).toHaveBeenCalledWith('comments');
   expect(comp.loadAssociation).toHaveBeenCalledWith('tasks');
-  expect(comp.loadAssociation).toHaveBeenCalledWith('artifacts', '/evidence');
+  expect(comp.loadAssociation).toHaveBeenCalledWith('evidence');
   expect(comp.loadAssociation).toHaveBeenCalledWith('events');
   expect(comp.loadAssociation).toHaveBeenCalledWith('history');
   expect(comp.associationsLoading).toBe(false);
@@ -384,10 +384,10 @@ test('resetFormComments', () => {
   expect(comp.associatedForms['comments'].description).toBe(undefined);
 });
 
-test('resetFormArtifacts', () => {
-  comp.associatedForms['artifacts'].description = "something";
-  comp.resetForm('artifacts');
-  expect(comp.associatedForms['artifacts'].description).toBe(undefined);
+test('resetFormEvidence', () => {
+  comp.associatedForms['evidence'].description = "something";
+  comp.resetForm('evidence');
+  expect(comp.associatedForms['evidence'].description).toBe(undefined);
 });
 
 test('presets', () => {

From 3e8fbdda7df17716a8c94837ce9e423b8526a577 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 14:24:57 -0500
Subject: [PATCH 41/98] refactor for additional artifact groups

---
 html/js/routes/case.test.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 8ce0bf10..d5832d6e 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -580,4 +580,11 @@ test('isEdited', () => {
   };
   expect(comp.isEdited(fakeArtifact1)).toBe(true);
   expect(comp.isEdited(fakeArtifact2)).toBe(false);
+});
+
+test('mapAssociatedPath', () => {
+  expect(comp.mapAssociatedPath('comments')).teBe('comments');
+  expect(comp.mapAssociatedPath('comments', true)).teBe('comments');
+  expect(comp.mapAssociatedPath('evidence')).teBe('artifacts');
+  expect(comp.mapAssociatedPath('evidence', true)).teBe('artifacts/evidence');
 });
\ No newline at end of file

From 81a88c053df59036f6d5212106d09aa199b0ea47 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 15:27:10 -0500
Subject: [PATCH 42/98] Add attachments

---
 html/index.html             | 202 +++++++++++++++++++++++++++++++++++-
 html/js/app.js              |   1 +
 html/js/app.test.js         |   5 +
 html/js/i18n.js             |   5 +
 html/js/routes/case.js      |  49 ++++++++-
 html/js/routes/case.test.js |  12 ++-
 6 files changed, 264 insertions(+), 10 deletions(-)

diff --git a/html/index.html b/html/index.html
index 368d4ffb..3e7c46b9 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1267,6 +1267,10 @@ <h2>Description</h2>
                   <v-icon left>fa-comments</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.comments }}</div>
                 </v-tab>
+                <v-tab id="case_attachmentTab">
+                  <v-icon left>fa-paperclip</v-icon>
+                  <div class="d-none d-sm-block">{{ i18n.attachments }}</div>
+                </v-tab>
                 <v-tab id="case_evidenceTab">
                   <v-icon left>fa-eye</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.evidence }}</div>
@@ -1367,6 +1371,169 @@ <h2>Description</h2>
                   </div>
                 </v-tab-item>
 
+                <v-tab-item>
+                  <v-text-field v-model="associatedTable['attachments'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
+                  <v-data-table ref="attachmentsTable" :sort-by.sync="associatedTable['attachments'].sortBy" :sort-desc.sync="associatedTable['attachments'].sortDesc" :items-per-page.sync="associatedTable['attachments'].itemsPerPage" 
+                    :search="associatedTable['attachments'].search" :footer-props="associatedTable['attachments'].footerProps" must-sort :headers="associatedTable['attachments'].headers"
+                    :items="associations['attachments']" item-key="id" :loading="associatedTable['attachments'].loading" :expanded="associatedTable['attachments'].expanded">
+                    <template v-slot:item="props">
+                      <tr @click="expandRow('attachments', props.item)" class="expandable">
+                        <td>{{ props.item.createTime | formatDateTime }}</td>
+                        <td>{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="case">
+                          <div class="rounded">{{ props.item.value }}</div>
+                        </td>                  
+                      </tr>
+                    </template>
+                    <template v-slot:expanded-item="props">
+                      <tr>
+                        <td :colspan="3" class="case">
+                          <v-container fluid class="my-2">
+                            <a target="soc-download" :href="`/api/case/artifactstream?id=${props.item.id}`" class="no-underline">
+                              <v-icon>fa-download</v-icon>
+                              {{ props.item.value }}
+                              ({{ props.item.streamLength | formatCount }} 
+                              {{ i18n.bytes }})
+                            </a>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
+                              <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
+                              <div id="`attachments-${props.index}-description`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                            </div>
+                            <div class="d-flex flex-column" v-if="isEdit(`attachments-${props.index}-description`)">
+                              <v-form v-model="editForm.valid">
+                                <div class="mb-2">
+                                  <v-textarea full-width rows="3" multiline :id="`attachments-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                                </div>
+                                <div class="d-inline-flex justify-end">
+                                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                    {{ i18n.cancel }}
+                                  </v-btn>
+                                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                    {{ i18n.save }}
+                                  </v-btn>
+                                </div>
+                              </v-form>
+                            </div>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
+                              <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
+                              <div id="`attachments-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
+                            </div>
+                            <v-select :id="`attachments-${props.index}-tlp-input`" v-if="isEdit(`attachments-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
+                              dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tlp', props.item.tlp)"
+                              v-on:change="stopEdit(true)"
+                              />
+                              <v-combobox :id="`attachments-${props.index}-tlp-input`" v-if="isEdit(`attachments-${props.index}-tlp`) && isPresetCustomEnabled('tlp')"
+                                dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
+                                v-model="editForm.val"
+                                :items="selectList('tlp', props.item.tlp)"
+                                v-on:change="stopEdit(true)"
+                              />
+                            </v-select>
+                          </v-container>
+                          <v-container fluid class="my-2">
+                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
+                              <div class="font-weight-bold">{{i18n.caseTags}}: </div>
+                              <div id="`attachments-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tags`)">
+                                <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
+                              </div>
+                            </div>
+                            <v-select :id="`attachments-${props.index}-tags-input`" v-if="isEdit(`attachments-${props.index}-tags`) && !isPresetCustomEnabled('tags')"
+                              dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tags', props.item.tags)"
+                              v-on:change="stopEdit(true)">
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-select>
+                            <v-combobox :id="`attachments-${props.index}-tags-input`" v-if="isEdit(`attachments-${props.index}-tags`) && isPresetCustomEnabled('tags')"
+                              dense eager outlined hide-details="auto" class="case-select" multiple persistent-hint :hint="i18n.caseTagsHelp"
+                              v-model="editForm.val"
+                              :items="selectList('tags', props.item.tags)"
+                              v-on:change="stopEdit(true)">
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-combobox>
+                          </v-container>
+
+                          <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
+                            <v-spacer/>
+                            <div class="mr-1">
+                              {{ props.item.owner }}
+                            </div>
+                            <div class="mr-1 d-none d-sm-block">
+                              &bull;
+                            </div>
+                            <div>
+                              {{ props.item.createTime | formatDateTime }}
+                            </div>
+                            <div v-if="isEdited(props.item)" :title="$root.formatDateTime(props.item.updateTime)" class="mx-2">
+                              {{ i18n.edited }}
+                            </div>
+                            <div class="ml-1 d-flex">
+                              <v-btn text small color="red" @click="deleteAssociation('attachments', props.item)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                            </div>
+                          </div>
+                        </td>
+                      </tr>
+                    </template>
+                    <template v-slot:no-results>
+                      <v-alert :value="true" color="info" icon="fa-info">
+                        {{ i18n.noSearchResults }}
+                      </v-alert>
+                    </template>
+                  </v-data-table>
+                  <div class="text-xs-center pt-2 d-none">
+                      <v-btn v-text="i18n.loadMore" @click="loadAssociation('attachments')"></v-btn>
+                  </div>
+                  <v-row>
+                    <v-col>
+                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                      <div class="d-flex flex-column align-start">
+                        <div class="d-flex flex-column" style="width: 100%;">
+                        <div class="mb-2">
+                          <a name="add"><h3>{{ i18n.attachmentAdd }}</h3></a>
+                          <v-form ref="attachments" v-model="associatedForms['attachments'].valid">
+                            <v-file-input show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-textarea rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-select>
+                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-combobox>                              
+                          </v-form>
+                        </div>
+                        </div>
+                      </div>
+                      </div>
+                      <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                      <div class="d-inline-flex justify-end">
+                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('attachments')">
+                        {{ i18n.cancel }}
+                        </v-btn>
+                        <v-btn :disabled="!associatedForms['attachments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('attachments', {'groupType': 'attachments', 'artifactType':'file'})">
+                        {{ i18n.add }}
+                        </v-btn>
+                      </div>
+                      </div>
+                    </v-col>
+                  </v-row>                  
+                </v-tab-item>
+
                 <v-tab-item>
                   <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage" 
@@ -1623,12 +1790,13 @@ <h2>Description</h2>
                         <td>
                           <v-icon v-if="props.item.kind == 'case'">fa-briefcase</v-icon>
                           <v-icon v-if="props.item.kind == 'comment'">fa-comments</v-icon>
+                          <v-icon v-if="props.item.kind == 'artifact' && props.item.groupType == 'attachments'">fa-paperclip</v-icon>
                           <v-icon v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">fa-eye</v-icon>
                           <v-icon v-if="props.item.kind == 'related'">fa-link</v-icon>
-                          <span class="rounded ml-2">{{ props.item.kind }}</span>
+                          <span class="rounded ml-2">{{ props.item.kindLocalized }}</span>
                         </td>
                         <td>
-                          <span class="rounded mr-2">{{ props.item.operation }}</span>
+                          <span class="rounded mr-2">{{ props.item.operationLocalized }}</span>
                           <v-icon v-if="props.item.operation == 'update'">fa-pencil-alt</v-icon>
                         </td>
                       </tr>
@@ -1638,11 +1806,11 @@ <h2>Description</h2>
                         <td :colspan="4" class="case">
                           <div class="mt-2">
                             <span class="case label">{{ i18n.kind }}:</span>
-                            <span class="case value">{{ props.item.kind }}</span>
+                            <span class="case value">{{ props.item.kindLocalized }}</span>
                           </div>
                           <div>
                             <span class="case label">{{ i18n.operation }}:</span>
-                            <span class="case value">{{ props.item.operation }}</span>
+                            <span class="case value">{{ props.item.operationLocalized }}</span>
                           </div>
                           <div>
                             <span class="case label">{{ i18n.dateCreated }}:</span>
@@ -1690,6 +1858,32 @@ <h2>Description</h2>
                               </span>
                             </div>
                           </div>
+                          <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'attachments'">
+                            <div>
+                              <span class="case label">{{ i18n.artifactGroupType }}:</span>
+                              <span class="case value">{{ props.item.groupType }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.artifactGroupId }}:</span>
+                              <span class="case value">{{ props.item.groupId }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.filename }}:</span>
+                              <span class="case value">{{ props.item.value }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.description }}:</span>
+                              <span class="case value">{{ props.item.description }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseTlp }}:</span>
+                              <span class="case value">{{ props.item.tlp }}</span>
+                            </div>
+                            <div>
+                              <span class="case label">{{ i18n.caseTags }}:</span>
+                              <span class="case value">{{ props.item.tags }}</span>
+                            </div>
+                          </div>
                           <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">
                             <div>
                               <span class="case label">{{ i18n.artifactGroupType }}:</span>
diff --git a/html/js/app.js b/html/js/app.js
index ff087449..75ee0479 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -456,6 +456,7 @@ $(document).ready(function() {
         return preselects;
       },
       localizeMessage(origMsg) {
+        if (!origMsg) return "";
         var msg = origMsg;
         if (msg.response && msg.response.data) {
           msg = msg.response.data;
diff --git a/html/js/app.test.js b/html/js/app.test.js
index 547bac35..7f872a75 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -136,4 +136,9 @@ test('loadServerSettings', async () => {
   expect(app.tools[1].name).toBe('tool2');
   expect(app.tools[1].enabled).toBe(false);
   expect(app.casesEnabled).toBe(true);
+});
+
+test('localizeMessage', () => {
+  expect(app.localizeMessage(null)).toBe("");
+  expect(app.localizeMessage('create')).toBe("Create");
 });
\ No newline at end of file
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 76b85592..567f1e67 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -54,6 +54,7 @@ const i18n = {
       artifactValue: 'Value (hash, filename, etc.)',
       artifactValueHelp: 'Specify the observed value',
       attachments: 'Attachments',
+      attachmentAdd: 'Add Attachment',
       attachmentHelp: 'Click to attach a file to upload. (Note: max upload size is {maxUploadSizeBytes} bytes)',
       attempt: 'Attempt',
       author: 'Author',
@@ -64,6 +65,7 @@ const i18n = {
       blog: 'Blog',
       bytes: 'Bytes',
       cancel: 'Cancel',
+      case: 'Case',
       cases: 'Cases',
       caseAssignee: 'Assignee',
       caseAssigneeHelp: 'Designate the assignee for this case',
@@ -95,6 +97,7 @@ const i18n = {
       clear: 'Clear',
       collapse: 'Collapse',
       collapseHelp: 'Collapse all packet data',
+      comment: 'Comments',
       comments: 'Comments',
       commentAdd: 'Add Comment',
       commentDescription: 'Comment',
@@ -106,6 +109,7 @@ const i18n = {
       copyFieldToClipboard: 'Copy this value only',
       copyFieldValueToClipboard: 'Copy as field:value',
       copyToClipboard: 'Copy to clipboard',
+      create: 'Create',
       custom: 'Custom',
       darkMode: 'Dark Mode',
       dataset: 'Dataset',
@@ -320,6 +324,7 @@ const i18n = {
       reason: 'Reason',
       reconnecting: 'Attempting to connect to manager',
       refresh: 'Refresh',
+      related: 'Events',
       relatedEventId: 'Related Event ID',
       relativeTimeHelp: 'Click the clock icon to change to absolute time',
       required: 'Required.',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 7d4470e0..a8346130 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -18,6 +18,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     associationsLoading: false,
     associations: {
       comments: [],
+      attachments: [],
       evidence: [],
       events: [],
       tasks: [],
@@ -40,6 +41,21 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         expanded: [],
         loading: false,
       },
+      attachments: {
+        sortBy: 'createTime',
+        sortDesc: false,
+        search: '',
+        headers: [
+          { text: this.$root.i18n.dateCreated, value: 'createTime' },
+          { text: this.$root.i18n.dateModified, value: 'updateTime' },
+          { text: this.$root.i18n.filename, value: 'value' },
+        ],
+        itemsPerPage: 10,
+        footerProps: { 'items-per-page-options': [10,50,250,1000] },
+        count: 500,
+        expanded: [],
+        loading: false,
+      },
       evidence: {
         sortBy: 'createTime',
         sortDesc: false,
@@ -96,6 +112,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           { text: this.$root.i18n.time, value: 'updateTime' },
           { text: this.$root.i18n.kind, value: 'kind' },
           { text: this.$root.i18n.operation, value: 'operation' },
+          { text: '', value: 'kindLocalized', align: ' d-none' },
+          { text: '', value: 'operationLocalized', align: ' d-none' },
         ],
         itemsPerPage: 10,
         footerProps: { 'items-per-page-options': [10,50,250,1000] },
@@ -108,6 +126,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     expanded: [0, 1],
     associatedForms: {
       comments: {},
+      attachments: {},
       evidence: {},
     },
     editForm: {},
@@ -148,6 +167,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.maxUploadSizeBytes = params.maxUploadSizeBytes;
       }
       this.loadLocalSettings();
+      this.resetForm('attachments');
       this.resetForm('evidence');
       this.resetForm('comments');
     },
@@ -166,6 +186,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     mapAssociatedPath(association, concatPath = false) {
       var path = association;
       switch (association) {
+        case 'attachments':
+          path = "artifacts";
+          if (concatPath) {
+            path += "/" + association
+          }
+          break;
         case 'evidence':
           path = "artifacts";
           if (concatPath) {
@@ -175,6 +201,19 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       }
       return path;
     },
+    mapAssociatedKind(obj) {
+      var name = "";
+      if (obj) {
+        switch (obj.kind) {
+          case 'artifact':
+            name = obj.groupType;
+            break;
+          default:
+            name = obj.kind;
+        }
+      }
+      return name;
+    },
     async loadAssociations() {
       this.associationsLoading = true;
 
@@ -184,6 +223,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.associations["tasks"] = [];
       this.loadAssociation('tasks');
 
+      this.associations["attachments"] = [];
+      this.loadAssociation('attachments');
+
       this.associations["evidence"] = [];
       this.loadAssociation('evidence');
 
@@ -207,6 +249,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           for (var idx = 0; idx < response.data.length; idx++) {
             const obj = response.data[idx];
             await this.$root.populateUserDetails(obj, "userId", "owner");
+            obj.kindLocalized = this.$root.localizeMessage(this.mapAssociatedKind(obj));
+            obj.operationLocalized = this.$root.localizeMessage(obj.operation);
             this.associations[association].push(obj);
           }
         }
@@ -402,7 +446,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       if (idx > -1) {
         this.$root.startLoading();
         try {
-          await this.$root.papi.delete('case/' + association, { params: {
+          await this.$root.papi.delete('case/' + this.mapAssociatedPath(association), { params: {
             id: obj.id
           }});
           this.associations[association].splice(idx, 1);
@@ -472,6 +516,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     resetForm(ref) {
       const form = { valid: false };
       switch (ref) {
+        case "attachments": 
+          form.tlp = this.getDefaultPreset('tlp');
+          break;
         case "evidence": 
           form.tlp = this.getDefaultPreset('tlp');
           form.artifactType = this.getDefaultPreset('artifactType');
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index d5832d6e..64ba0623 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -312,7 +312,7 @@ test('modifyAssociation', async () => {
   comp.associations['comments'] = [fakeComment];
   await comp.modifyAssociation('comments', fakeComment);
 
-  const body = "{\"userId\":\"myUserId\",\"id\":\"myCommentId\",\"description\":\"myDescription2\",\"owner\":\"my@email.invalid\"}";
+  const body = "{\"userId\":\"myUserId\",\"id\":\"myCommentId\",\"description\":\"myDescription2\",\"owner\":\"my@email.invalid\",\"kindLocalized\":\"\",\"operationLocalized\":\"\"}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
@@ -583,8 +583,10 @@ test('isEdited', () => {
 });
 
 test('mapAssociatedPath', () => {
-  expect(comp.mapAssociatedPath('comments')).teBe('comments');
-  expect(comp.mapAssociatedPath('comments', true)).teBe('comments');
-  expect(comp.mapAssociatedPath('evidence')).teBe('artifacts');
-  expect(comp.mapAssociatedPath('evidence', true)).teBe('artifacts/evidence');
+  expect(comp.mapAssociatedPath('comments')).toBe('comments');
+  expect(comp.mapAssociatedPath('comments', true)).toBe('comments');
+  expect(comp.mapAssociatedPath('evidence')).toBe('artifacts');
+  expect(comp.mapAssociatedPath('evidence', true)).toBe('artifacts/evidence');
+  expect(comp.mapAssociatedPath('attachments')).toBe('artifacts');
+  expect(comp.mapAssociatedPath('attachments', true)).toBe('artifacts/attachments');
 });
\ No newline at end of file

From 2c672cf2e361608d50f626e401d27bbd6e7d75da Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 27 Dec 2021 15:32:46 -0500
Subject: [PATCH 43/98] Use KeyboardEvent.key instead of UIEvent.which

---
 html/js/routes/case.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 1d14ca20..227925bb 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -452,9 +452,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       return okToClear;
     },
     onEditKeyUp(event) {
-      switch (event.which) {
-        case 27: this.stopEdit(); break;
-        case 13: if (!this.editForm.isMultiline) this.stopEdit(true); break;
+      switch (event.key) {
+        case 'Escape': this.stopEdit(); break;
+        case 'Enter': if (!this.editForm.isMultiline) this.stopEdit(true); break;
       }
     },
     resetForm(ref) {

From 1203aa31c215bf325d814108863f838c171df60c Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 28 Dec 2021 11:41:23 -0500
Subject: [PATCH 44/98] Compute and render common hashes of uploaded files

---
 html/index.html                               | 44 ++++++++++++++++++-
 html/js/i18n.js                               |  3 ++
 html/js/routes/case.js                        |  4 +-
 model/case.go                                 | 35 ++++++++++-----
 model/case_test.go                            |  5 ++-
 server/casehandler.go                         |  2 +-
 server/modules/elastic/converter.go           |  9 ++++
 server/modules/elastic/converter_test.go      |  6 +++
 server/modules/elastic/elasticcasestore.go    | 12 +++++
 .../modules/elastic/elasticcasestore_test.go  | 34 +++++++++++++-
 10 files changed, 137 insertions(+), 17 deletions(-)

diff --git a/html/index.html b/html/index.html
index 3e7c46b9..a227e8e5 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1395,6 +1395,27 @@ <h2>Description</h2>
                               ({{ props.item.streamLength | formatCount }} 
                               {{ i18n.bytes }})
                             </a>
+                            <div class="mt-4">
+                              <div class="font-weight-bold">{{i18n.sha256}}: </div>
+                              <div id="`attachments-${props.index}-sha256`" class="case">
+                                {{ withDefault(props.item.sha256, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha256)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
+                            <div class="mt-2">
+                              <div class="font-weight-bold">{{i18n.sha1}}: </div>
+                              <div id="`attachments-${props.index}-sha1`" class="case">
+                                {{ withDefault(props.item.sha1, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha1)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
+                            <div class="mt-2">
+                              <div class="font-weight-bold">{{i18n.md5}}: </div>
+                              <div id="`attachments-${props.index}-md5`" class="case">
+                                {{ withDefault(props.item.md5, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.md5)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
                           </v-container>
                           <v-container fluid class="my-2">
                             <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
@@ -1561,6 +1582,27 @@ <h2>Description</h2>
                               ({{ props.item.streamLength | formatCount }} 
                               {{ i18n.bytes }})
                             </a>
+                            <div class="mt-4">
+                              <div class="font-weight-bold">{{i18n.sha256}}: </div>
+                              <div id="`attachments-${props.index}-sha256`" class="case">
+                                {{ withDefault(props.item.sha256, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha256)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
+                            <div class="mt-2">
+                              <div class="font-weight-bold">{{i18n.sha1}}: </div>
+                              <div id="`attachments-${props.index}-sha1`" class="case">
+                                {{ withDefault(props.item.sha1, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha1)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
+                            <div class="mt-2">
+                              <div class="font-weight-bold">{{i18n.md5}}: </div>
+                              <div id="`attachments-${props.index}-md5`" class="case">
+                                {{ withDefault(props.item.md5, i18n.unknown) }}
+                                <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.md5)" :title="i18n.copyToClipboard">fa-copy</v-icon>
+                              </div>
+                            </div>
                           </v-container>
                           <v-container fluid class="my-2">
                             <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
@@ -1676,7 +1718,7 @@ <h2>Description</h2>
                           <v-form ref="evidence" v-model="associatedForms['evidence'].valid">
                             <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
                             <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-file-input v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-file-input v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
                             <v-textarea v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
                             <v-textarea rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                             <v-checkbox v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 567f1e67..96a28cd5 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -276,6 +276,7 @@ const i18n = {
       loginTitle: 'Login to Security Onion',
       logout: 'Logout',
       logoutFailure: 'Unable to initiate logout. Ensure server is accessible.',
+      md5: 'MD5',
       message: 'Message',
       minutes: 'minutes',
       model: 'Model',
@@ -347,6 +348,8 @@ const i18n = {
       settingsInvalid: 'Unable to save settings: ',
       settingsSaved: 'Your new settings have been saved.',
       settingsTitle: 'User Settings',
+      sha1: 'SHA1',
+      sha256: 'SHA256',
       share: 'Clipboard',
       'so-eval': 'Evaluation',
       'so-eval-keywords': 'Elastic, Elasticsearch, Fleet, Forward, Ingest, Manager, Master, Search, Sensor, Sensoroni, Soc, Stenographer, Web',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index a8346130..c617abbd 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -140,6 +140,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       longLengthLimit: value => (encodeURI(value).split(/%..|./).length - 1 < 10000000) || this.$root.i18n.required,
       fileSizeLimit: value => (value == null || value.size < this.maxUploadSizeBytes) || this.$root.i18n.fileTooLarge.replace("{maxUploadSizeBytes}", this.$root.formatCount(this.maxUploadSizeBytes)),
       fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
+      fileRequired: value => (value != null) || this.$root.i18n.required,
     },
     attachment: null,
     maxUploadSizeBytes: 26214400,
@@ -391,7 +392,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
 
         let config = undefined;
         let data = JSON.stringify(form);
-        if (this.attachment) {
+        if (this.attachment && form.artifactType == 'file') {
           let jsonData = data;
           data = new FormData();
           data.append("json", jsonData);
@@ -515,6 +516,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     resetForm(ref) {
       const form = { valid: false };
+      this.attachment = null;
       switch (ref) {
         case "attachments": 
           form.tlp = this.getDefaultPreset('tlp');
diff --git a/model/case.go b/model/case.go
index 194328be..c8450271 100644
--- a/model/case.go
+++ b/model/case.go
@@ -11,10 +11,13 @@ package model
 
 import (
   "bytes"
+  "crypto/md5"
+  "crypto/sha1"
+  "crypto/sha256"
   "encoding/base64"
   "fmt"
+  "hash"
   "io"
-  "math"
   "net/http"
   "strings"
   "time"
@@ -92,6 +95,9 @@ type Artifact struct {
   Tags         []string `json:"tags"`
   Description  string   `json:"description"`
   Ioc          bool     `json:"ioc"`
+  Md5          string   `json:"md5"`
+  Sha1         string   `json:"sha1"`
+  Sha256       string   `json:"sha256"`
 }
 
 func NewArtifact() *Artifact {
@@ -113,20 +119,27 @@ func NewArtifactStream() *ArtifactStream {
   return newStream
 }
 
-func (stream *ArtifactStream) Write(reader io.Reader) (int, string, error) {
+func (stream *ArtifactStream) hashBytes(hasher hash.Hash, input []byte) string {
+  hasher.Write(input)
+  output := hasher.Sum(nil)
+  return fmt.Sprintf("%x", output)
+}
+
+func (stream *ArtifactStream) Write(reader io.Reader) (int, string, string, string, string, error) {
   var buffer bytes.Buffer
-  var mimeType string
-  b64 := base64.NewEncoder(base64.StdEncoding, &buffer)
-  copyLen, err := io.Copy(b64, reader)
+  var mimeType, md5hash, sha1hash, sha256hash string
 
+  // Collect bytes in memory
+  copyLen, err := buffer.ReadFrom(reader)
   if err == nil {
-    b64.Close()
-    stream.Content = buffer.String()
-    preview := stream.Content[:int64(math.Min(1024, float64(copyLen)))]
-    previewDecoded, _ := base64.StdEncoding.DecodeString(preview)
-    mimeType = http.DetectContentType(previewDecoded)
+    raw := buffer.Bytes()
+    stream.Content = base64.StdEncoding.EncodeToString(raw)
+    mimeType = http.DetectContentType(raw)
+    md5hash = stream.hashBytes(md5.New(), raw)
+    sha1hash = stream.hashBytes(sha1.New(), raw)
+    sha256hash = stream.hashBytes(sha256.New(), raw)
   }
-  return int(copyLen), mimeType, err
+  return int(copyLen), mimeType, md5hash, sha1hash, sha256hash, err
 }
 
 func (stream *ArtifactStream) Read() io.Reader {
diff --git a/model/case_test.go b/model/case_test.go
index 6e373a7d..54291706 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -31,10 +31,13 @@ func TestNewArtifactStream(tester *testing.T) {
 	event := NewArtifactStream()
 	assert.NotZero(tester, event.CreateTime)
 	reader := strings.NewReader("hello world")
-	len, mimeType, err := event.Write(reader)
+	len, mimeType, md5, sha1, sha256, err := event.Write(reader)
 	assert.NoError(tester, err)
 	assert.Equal(tester, 11, len)
 	assert.Equal(tester, "text/plain; charset=utf-8", mimeType)
+	assert.Equal(tester, "5eb63bbbe01eeed093cb22bb8f5acdc3", md5)
+	assert.Equal(tester, "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed", sha1)
+	assert.Equal(tester, "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", sha256)
 	assert.Equal(tester, "aGVsbG8gd29ybGQ=", event.Content)
 
 	var buffer bytes.Buffer
diff --git a/server/casehandler.go b/server/casehandler.go
index a40379f7..29ea3586 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -101,7 +101,7 @@ func (caseHandler *CaseHandler) create(ctx context.Context, writer http.Response
               inputArtifact.ArtifactType = "file"
 
               artifactStream := model.NewArtifactStream()
-              inputArtifact.StreamLen, inputArtifact.MimeType, err = artifactStream.Write(file)
+              inputArtifact.StreamLen, inputArtifact.MimeType, inputArtifact.Md5, inputArtifact.Sha1, inputArtifact.Sha256, err = artifactStream.Write(file)
               if err == nil {
                 if inputArtifact.StreamLen != int(handler.Size) {
                   log.WithFields(log.Fields{
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 5a016c92..2ed69df1 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -534,6 +534,15 @@ func convertElasticEventToArtifact(event *model.EventRecord) (*model.Artifact, e
 			if value, ok := event.Payload["artifact.ioc"]; ok {
 				obj.Ioc = value.(bool)
 			}
+			if value, ok := event.Payload["artifact.md5"]; ok {
+				obj.Md5 = value.(string)
+			}
+			if value, ok := event.Payload["artifact.sha1"]; ok {
+				obj.Sha1 = value.(string)
+			}
+			if value, ok := event.Payload["artifact.sha256"]; ok {
+				obj.Sha256 = value.(string)
+			}
 			obj.CreateTime = parseTime(event.Payload, "artifact.createTime")
 		}
 	}
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 93daf8cf..3fa96993 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -384,6 +384,9 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	event.Payload["artifact.tlp"] = "myTlp"
 	event.Payload["artifact.mimeType"] = "myMimeType"
 	event.Payload["artifact.ioc"] = true
+	event.Payload["artifact.md5"] = "myMd5"
+	event.Payload["artifact.sha1"] = "mySha1"
+	event.Payload["artifact.sha256"] = "mySha256"
 	tags := make([]interface{}, 2, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
@@ -408,6 +411,9 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 	assert.Equal(tester, true, artifactObj.Ioc)
 	assert.Equal(tester, tags[0], "tag1")
 	assert.Equal(tester, tags[1], "tag2")
+	assert.Equal(tester, "myMd5", artifactObj.Md5)
+	assert.Equal(tester, "mySha1", artifactObj.Sha1)
+	assert.Equal(tester, "mySha256", artifactObj.Sha256)
 	assert.Equal(tester, &myTime, artifactObj.UpdateTime)
 	assert.Equal(tester, &myCreateTime, artifactObj.CreateTime)
 }
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 89aed3a6..06858c96 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -232,6 +232,15 @@ func (store *ElasticCasestore) validateArtifact(artifact *model.Artifact) error
   if err == nil {
     err = store.validateStringArray(artifact.Tags, SHORT_STRING_MAX, MAX_ARRAY_ELEMENTS, "tags")
   }
+  if err == nil {
+    err = store.validateString(artifact.Md5, SHORT_STRING_MAX, "md5")
+  }
+  if err == nil {
+    err = store.validateString(artifact.Sha1, SHORT_STRING_MAX, "sha1")
+  }
+  if err == nil {
+    err = store.validateString(artifact.Sha256, SHORT_STRING_MAX, "sha256")
+  }
   return err
 }
 
@@ -730,6 +739,9 @@ func (store *ElasticCasestore) UpdateArtifact(ctx context.Context, artifact *mod
         artifact.StreamLen = old.StreamLen
         artifact.MimeType = old.MimeType
         artifact.StreamId = old.StreamId
+        artifact.Md5 = old.Md5
+        artifact.Sha1 = old.Sha1
+        artifact.Sha256 = old.Sha256
         var results *model.EventIndexResults
         results, err = store.save(ctx, artifact, "artifact", store.prepareForSave(ctx, &artifact.Auditable))
         if err == nil {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index aeb20ef6..503cc025 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -421,12 +421,33 @@ func TestValidateArtifactInvalid(tester *testing.T) {
 	artifact.StreamLen = 0
 
 	for x := 1; x < 5; x++ {
-		artifact.MimeType += "this is my unreasonably long severity\n"
+		artifact.MimeType += "this is my unreasonably long str\n"
 	}
 	err = store.validateArtifact(artifact)
-	assert.EqualError(tester, err, "mimeType is too long (152/100)")
+	assert.EqualError(tester, err, "mimeType is too long (132/100)")
 	artifact.MimeType = "image/jpg"
 
+	for x := 1; x < 5; x++ {
+		artifact.Md5 += "this is my unreasonably long str\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "md5 is too long (132/100)")
+	artifact.Md5 = "myMd5"
+
+	for x := 1; x < 5; x++ {
+		artifact.Sha1 += "this is my unreasonably long str\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "sha1 is too long (132/100)")
+	artifact.Sha1 = "mySha1"
+
+	for x := 1; x < 5; x++ {
+		artifact.Sha256 += "this is my unreasonably long str\n"
+	}
+	err = store.validateArtifact(artifact)
+	assert.EqualError(tester, err, "sha256 is too long (132/100)")
+	artifact.Sha256 = "mySha256"
+
 	for x := 1; x < 5; x++ {
 		artifact.Tlp += "this is my unreasonably long tlp\n"
 	}
@@ -1297,6 +1318,9 @@ func TestUpdateArtifact(tester *testing.T) {
 	eventPayload["artifact.value"] = "myValue"
 	eventPayload["artifact.streamLength"] = 123.0
 	eventPayload["artifact.mimeType"] = "myMimeType"
+	eventPayload["artifact.md5"] = "myMd5"
+	eventPayload["artifact.sha1"] = "mySha1"
+	eventPayload["artifact.sha256"] = "mySha256"
 	eventPayload["artifact.streamId"] = "myStreamId"
 	eventPayload["artifact.description"] = "myDesc"
 	elasticEvent := &model.EventRecord{
@@ -1312,6 +1336,9 @@ func TestUpdateArtifact(tester *testing.T) {
 	artifact.ArtifactType = "file"
 	artifact.GroupId = "myNewGroupId"
 	artifact.MimeType = "myNewMimeType"
+	artifact.Md5 = "myNewMd5"
+	artifact.Sha1 = "myNewSha1"
+	artifact.Sha256 = "myNewSha256"
 	artifact.StreamId = "myNewStreamId"
 	artifact.StreamLen = 456
 	artifact.Description = "myNewDesc"
@@ -1334,6 +1361,9 @@ func TestUpdateArtifact(tester *testing.T) {
 	assert.Equal(tester, "myGroupId", newArtifact.GroupId)
 	assert.Equal(tester, "myStreamId", newArtifact.StreamId)
 	assert.Equal(tester, "myMimeType", newArtifact.MimeType)
+	assert.Equal(tester, "myMd5", newArtifact.Md5)
+	assert.Equal(tester, "mySha1", newArtifact.Sha1)
+	assert.Equal(tester, "mySha256", newArtifact.Sha256)
 	assert.Equal(tester, "myValue", newArtifact.Value)
 	assert.Equal(tester, 123, newArtifact.StreamLen)
 }

From 88ecaea47dfbfef751a1cc2812aa84e887dca85c Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 28 Dec 2021 14:08:57 -0500
Subject: [PATCH 45/98] Fix markdown formatting in comments

---
 html/css/app.css | 36 ++++++++++++++++++++++++
 html/index.html  | 73 ++++++++++++++++++++++++++++++------------------
 html/js/app.js   |  5 ++++
 3 files changed, 87 insertions(+), 27 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 380aa2ac..8aa49f24 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -241,3 +241,39 @@ td {
 #connection-indicator {
   color: white;
 }
+
+.comment-body {
+  width: 100%;
+}
+
+.markdown-body {
+  overflow: auto;
+  position: relative;
+  padding: 0.75em 1.25em;
+  border-radius: 0.25em;
+  background-color: rgba(0,0,0,.2);
+}
+
+.markdown-body pre {
+  overflow-x: scroll;
+}
+
+.v-application .markdown-body pre code {
+  display: block;
+  background-color: revert !important;
+  padding: 0.25 !important;
+}
+
+.theme--light.v-application .markdown-body pre {
+  background-color: rgba(0,0,0,.05);
+  border-radius: 0.25em;
+}
+
+.theme--dark.v-application .markdown-body pre {
+  background-color: hsla(0,0%,100%,.1);
+  border-radius: 0.25em;
+}
+
+.case.avatar-font {
+  font-size: 11px;
+}
diff --git a/html/index.html b/html/index.html
index a227e8e5..f4b0fa28 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1286,18 +1286,13 @@ <h2>Description</h2>
   
                 <v-tab-item>
                   <div v-for="(comment, index) in associations.comments" class="mb-8">
-                    <div class="d-flex flex-column flex-md-row align-start ma-4">
-                      <v-avatar color="primary" size="32">
-                        <div class="font-weight-bold" :title="comment.owner">
-                          {{ $root.getAvatar(comment.owner) }}
-                        </div>
-                      </v-avatar>
-                      <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
-                        <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                    <div class="d-flex flex-column align-start ma-4">
+                      <v-col class="d-flex flex-column align-start pt-2 pb-0  pl-2 pr-0 pt-md-0">
+                        <div class="mt-1 mt-md-3 py-3 px-3 contrast-bg rounded rounded-md" style="width: 100%;">
                           <div class="d-flex flex-column align-start">
-                            <div class="case d-flex align-start" v-if="!isEdit(`comment-${index}`)">
-                              <div class="d-block mb-8">
-                                <div :id="`comment-${index}`" class="case detail-field" :inner-html.prop="comment.description | formatMarkdown"></div>
+                            <div class="case d-block comment-body" v-if="!isEdit(`comment-${index}`)">
+                              <div class="mb-4">
+                                <div :id="`comment-${index}`" class="markdown-body" :inner-html.prop="comment.description | formatMarkdown"></div>
                               </div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
@@ -1315,9 +1310,16 @@ <h2>Description</h2>
                                 </v-form>
                               </div>
                             </div>
-                            <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
-                              <div class="mr-1">
-                                {{ comment.owner }}
+                            <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
+                              <div class="d-inline-flex align-center mr-1">
+                                <v-avatar color="primary" size="24" class="mr-2">
+                                  <div class="case avatar-font" :title="comment.owner">
+                                    {{ $root.getAvatar(comment.owner) }}
+                                  </div>
+                                </v-avatar>
+                                <div >
+                                  {{ comment.owner }}
+                                </div>
                               </div>
                               <div class="mr-1 d-none d-sm-block">
                                 &bull;
@@ -1325,10 +1327,10 @@ <h2>Description</h2>
                               <div>
                                 {{ comment.createTime | formatDateTime }}
                               </div>
-                              <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-2">
+                              <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-sm-2">
                                 {{ i18n.edited }}
                               </div>
-                              <div class="ml-1 d-flex">
+                              <div class="ml-1 d-flex mt-1 mt-sm-0">
                                 <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
                                 <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                               </div>
@@ -1338,18 +1340,20 @@ <h2>Description</h2>
                       </v-col> 
                     </div>           
                   </div>
-                  <div class="d-flex flex-column flex-md-row align-start ma-4">
-                    <v-avatar color="primary" size="32">
-                      <div class="font-weight-bold" :title="$root.username">
-                      {{ $root.getAvatar($root.username) }}
-                      </div>
-                    </v-avatar>
-                    <v-col class="d-flex flex-column align-start pt-2 pb-0 px-0 pa-md-0">
-                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                  <div class="d-flex flex-column align-start ma-4">
+                    <v-col class="d-flex flex-column align-start pt-2 pb-0 pl-2 pr-0 pt-md-0">
+                      <div class="mt-1 mt-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                       <div class="d-flex flex-column align-start">
                         <div class="d-flex flex-column" style="width: 100%;">
                           <div class="mb-2">
-                            <a name="add"><h3>{{ i18n.commentAdd }}</h3></a>
+                            <div class="d-inline-flex align-center mb-3">
+                              <v-avatar color="primary" size="28" class="mr-2">
+                                <div class="font-weight-bold" :title="$root.username">
+                                {{ $root.getAvatar($root.username) }}
+                                </div>
+                              </v-avatar>
+                              <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
+                            </div>
                             <v-form ref="comments" v-model="associatedForms['comments'].valid">
                             <v-textarea solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
                             </v-form>
@@ -1520,7 +1524,14 @@ <h2>Description</h2>
                       <div class="d-flex flex-column align-start">
                         <div class="d-flex flex-column" style="width: 100%;">
                         <div class="mb-2">
-                          <a name="add"><h3>{{ i18n.attachmentAdd }}</h3></a>
+                          <div class="d-inline-flex align-center mb-3">
+                            <v-avatar color="primary" size="28" class="mr-2">
+                              <div class="font-weight-bold" :title="$root.username">
+                              {{ $root.getAvatar($root.username) }}
+                              </div>
+                            </v-avatar>
+                            <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
+                          </div>
                           <v-form ref="attachments" v-model="associatedForms['attachments'].valid">
                             <v-file-input show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
                             <v-textarea rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
@@ -1714,7 +1725,14 @@ <h2>Description</h2>
                       <div class="d-flex flex-column align-start">
                         <div class="d-flex flex-column" style="width: 100%;">
                         <div class="mb-2">
-                          <a name="add"><h3>{{ i18n.evidenceAdd }}</h3></a>
+                          <div class="d-inline-flex align-center mb-3">
+                            <v-avatar color="primary" size="28" class="mr-2">
+                              <div class="font-weight-bold" :title="$root.username">
+                              {{ $root.getAvatar($root.username) }}
+                              </div>
+                            </v-avatar>
+                            <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
+                          </div>
                           <v-form ref="evidence" v-model="associatedForms['evidence'].valid">
                             <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
                             <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
@@ -2392,6 +2410,7 @@ <h2 v-text="i18n.settingsTitle"></h2>
     <script src="js/external/daterangepicker-3.1.0.min.js"></script>
     <script src="js/external/marked-2.1.3.min.js"></script>
     <script src="js/external/purify-2.3.4.min.js"></script>
+    <script src="js/external/highlight-11.3.1.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/app.js b/html/js/app.js
index 75ee0479..448ada07 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -7,6 +7,7 @@
 // This program is distributed in the hope that it will be useful,
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
 const routes = [];
 
 if (typeof global !== 'undefined') global.routes = routes;
@@ -430,6 +431,10 @@ $(document).ready(function() {
         return "";
       },
       formatMarkdown(str) {
+        marked.setOptions({
+          renderer: new marked.Renderer(),
+          smartLists: true
+        })
         var md = str;
         if (str) {
           md = marked(str);

From b43601c7d41b0b53e7cc903655d5a409d2a4bb24 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 28 Dec 2021 19:13:20 -0500
Subject: [PATCH 46/98] Enable CM in CCS mode

---
 server/modules/elastic/elastic.go           |  4 ++--
 server/modules/elastic/elasticeventstore.go | 17 +++++++++++------
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index e432795d..3112ffa3 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -16,8 +16,8 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/server"
 )
 
-const DEFAULT_CASE_INDEX = "so-case"
-const DEFAULT_CASE_AUDIT_INDEX = "so-casehistory"
+const DEFAULT_CASE_INDEX = "*:so-case"
+const DEFAULT_CASE_AUDIT_INDEX = "*:so-casehistory"
 const DEFAULT_CASE_ASSOCIATIONS_MAX = 1000
 const DEFAULT_TIME_SHIFT_MS = 120000
 const DEFAULT_DURATION_MS = 1800000
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index 3199534e..b9179747 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -198,12 +198,17 @@ func (store *ElasticEventstore) Search(ctx context.Context, criteria *model.Even
 	return results, err
 }
 
+func (store *ElasticEventstore) disableCrossClusterIndex(index string) string {
+	pieces := strings.SplitN(index, ":", 2)
+	if len(pieces) == 2 {
+		index = pieces[1]
+	}
+	return index
+}
+
 func (store *ElasticEventstore) disableCrossClusterIndexing(indexes []string) []string {
 	for idx, index := range indexes {
-		pieces := strings.SplitN(index, ":", 2)
-		if len(pieces) == 2 {
-			indexes[idx] = pieces[1]
-		}
+		indexes[idx] = store.disableCrossClusterIndex(index)
 	}
 	return indexes
 }
@@ -264,7 +269,7 @@ func (store *ElasticEventstore) Index(ctx context.Context, index string, documen
 			var response string
 
 			log.Debug("Sending index request to primary Elasticsearch client")
-			response, err = store.indexDocument(ctx, index, request, id)
+			response, err = store.indexDocument(ctx, store.disableCrossClusterIndex(index), request, id)
 			if err == nil {
 				err = convertFromElasticIndexResults(store, response, results)
 				if err != nil {
@@ -284,7 +289,7 @@ func (store *ElasticEventstore) Delete(ctx context.Context, index string, id str
 	if err = store.server.CheckAuthorized(ctx, "write", "events"); err == nil {
 		var response string
 		log.Debug("Sending delete request to primary Elasticsearch client")
-		response, err = store.deleteDocument(ctx, index, id)
+		response, err = store.deleteDocument(ctx, store.disableCrossClusterIndex(index), id)
 		if err == nil {
 			err = convertFromElasticIndexResults(store, response, results)
 			if err != nil {

From c227ff703009c9008dbe8a599d7d13854523779a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 28 Dec 2021 19:16:47 -0500
Subject: [PATCH 47/98] Correct link to related event

---
 html/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/index.html b/html/index.html
index f4b0fa28..1257395b 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1779,7 +1779,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                     <template v-slot:item="props">
                       <tr @click="expandRow('events', props.item)" class="expandable">
                         <td>
-                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.id}`}}" :title="i18n.huntForEvent"><v-icon>fa-crosshairs</v-icon></router-link>
+                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.fields['soc_id']}`}}" :title="i18n.huntForEvent"><v-icon>fa-crosshairs</v-icon></router-link>
                         </td>
                         <td>{{ props.item.fields.timestamp | formatTimestamp }}</td>
                         <td class="case">

From 8c293a837cfea9c1d72b3c0eed207f0af599b762 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 29 Dec 2021 10:46:27 -0500
Subject: [PATCH 48/98] Fix markdown overflow & alpha coloring of comments

---
 html/css/app.css | 15 +++++++++++++++
 html/index.html  | 38 +++++++++++++++++++-------------------
 2 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 8aa49f24..d12a7f58 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -246,14 +246,29 @@ td {
   width: 100%;
 }
 
+.case-table table {
+  width: 100% !important;
+  table-layout:fixed;
+}
+
 .markdown-body {
   overflow: auto;
   position: relative;
+}
+
+.comment-body .markdown-body {
   padding: 0.75em 1.25em;
   border-radius: 0.25em;
+}
+
+.theme--dark.v-application .comment-body .markdown-body {
   background-color: rgba(0,0,0,.2);
 }
 
+.theme--light.v-application .comment-body .markdown-body {
+  background-color: rgba(0,0,0,.03);
+}
+
 .markdown-body pre {
   overflow-x: scroll;
 }
diff --git a/html/index.html b/html/index.html
index 1257395b..74c1c629 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1237,12 +1237,12 @@ <h2 id="case-title" class="rounded">{{ caseObj.title }}</h2>
         <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
           <v-col cols="12" md="9" class="case main" order="2" order-md="1">
             <div class="d-block d-md-none">
-              <h2>Description</h2>
+              <h2>{{ i18n.description }}</h2>
             </div>
             <div class="mb-6 mb-md-3">
-              <div class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
-                <div class="d-block">
-                  <div id="case-description" class="rounded case" :inner-html.prop="caseObj.description | formatMarkdown"></div>
+              <div class="clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
+                <div class="d-block" style="width: 100%;">
+                  <div id="case-description" class="rounded case markdown-body" :inner-html.prop="caseObj.description | formatMarkdown"></div>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
@@ -1379,7 +1379,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   <v-text-field v-model="associatedTable['attachments'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="attachmentsTable" :sort-by.sync="associatedTable['attachments'].sortBy" :sort-desc.sync="associatedTable['attachments'].sortDesc" :items-per-page.sync="associatedTable['attachments'].itemsPerPage" 
                     :search="associatedTable['attachments'].search" :footer-props="associatedTable['attachments'].footerProps" must-sort :headers="associatedTable['attachments'].headers"
-                    :items="associations['attachments']" item-key="id" :loading="associatedTable['attachments'].loading" :expanded="associatedTable['attachments'].expanded">
+                    :items="associations['attachments']" item-key="id" :loading="associatedTable['attachments'].loading" :expanded="associatedTable['attachments'].expanded" class="case-table">
                     <template v-slot:item="props">
                       <tr @click="expandRow('attachments', props.item)" class="expandable">
                         <td>{{ props.item.createTime | formatDateTime }}</td>
@@ -1392,7 +1392,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                     <template v-slot:expanded-item="props">
                       <tr>
                         <td :colspan="3" class="case">
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <a target="soc-download" :href="`/api/case/artifactstream?id=${props.item.id}`" class="no-underline">
                               <v-icon>fa-download</v-icon>
                               {{ props.item.value }}
@@ -1421,10 +1421,10 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                               </div>
                             </div>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="pt-2 pb-0">
                             <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`attachments-${props.index}-description`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                              <div id="`attachments-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`attachments-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
@@ -1442,7 +1442,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                               </v-form>
                             </div>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
                               <div id="`attachments-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
@@ -1461,10 +1461,10 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                               />
                             </v-select>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                              <div id="`attachments-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tags`)">
+                              <div id="`attachments-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`attachments-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
                               </div>
                             </div>
@@ -1570,7 +1570,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                   <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage" 
                     :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
-                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded">
+                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table">
                     <template v-slot:item="props">
                       <tr @click="expandRow('evidence', props.item)" class="expandable">
                         <td>{{ props.item.createTime | formatDateTime }}</td>
@@ -1615,10 +1615,10 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               </div>
                             </div>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="pt-2 pb-0">
                             <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`evidence-${props.index}-description`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                              <div id="`evidence-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`evidence-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
@@ -1636,14 +1636,14 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               </v-form>
                             </div>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
                               <div id="`evidence-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
                             </div>
                             <v-checkbox :id="`evidence-${props.index}-ioc-input`" v-if="isEdit(`evidence-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
                               <div id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
@@ -1662,10 +1662,10 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               />
                             </v-select>
                           </v-container>
-                          <v-container fluid class="my-2">
+                          <v-container fluid class="py-1">
                             <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                              <div id="`evidence-${props.index}-tags`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tags`)">
+                              <div id="`evidence-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`evidence-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
                               </div>
                             </div>
@@ -2167,7 +2167,7 @@ <h3>{{ i18n.details }}</h3>
                               <v-col cols="12">
                                 <div class="clicktoedit" @click="startEdit('case-tags-input', caseObj.tags, 'case-tags', 'tags', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                                  <div id="case-tags" class="case detail-field" v-if="!isEdit('case-tags')">
+                                  <div id="case-tags" class="case detail-field mt-1" v-if="!isEdit('case-tags')">
                                     <v-chip class="mx-1" v-for="tag in caseObj.tags" color="primary">{{ tag }}</v-chip>
                                   </div>
                                 </div>

From ed0ef0fcc103b240f773125e4344f41384bfe99c Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 29 Dec 2021 15:02:24 -0500
Subject: [PATCH 49/98] Force numeric severities (and other fields) to string
 format before sending to server API; fix quoted groupby fields

---
 html/js/routes/hunt.js                   |  6 +++---
 model/query_test.go                      |  8 ++++++++
 server/modules/elastic/converter.go      | 15 +++++++++++++++
 server/modules/elastic/converter_test.go | 18 ++++++++++++++++++
 4 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 3180be5d..f9780c3a 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -426,7 +426,7 @@ const huntComponent = {
         if (escalate) {
           if (!caseId || !this.escalateRelatedEventsEnabled) {
             // Add to new case
-            var title = item['rule.name'];
+            var title = '' + item['rule.name'];
             if (!title) {
               title = this.i18n.eventCaseTitle;
               if (item['event.module'] || item['event.dataset']) {
@@ -446,8 +446,8 @@ const huntComponent = {
             var description = item['message'];
             if (!description) description = JSON.stringify(item);
 
-            var severity = item['event.severity'];
-            var template = 'rule.case_template' in item ? item['rule.case_template'] : '';
+            var severity = 'event.severity' in item ? '' + item['event.severity'] : '';
+            var template = 'rule.case_template' in item ? '' + item['rule.case_template'] : '';
 
             const response = await this.$root.papi.post('case/', {
               title: title,
diff --git a/model/query_test.go b/model/query_test.go
index a26f6a18..5c2be8f9 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -15,6 +15,14 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestGroupWithQuotes(tester *testing.T) {
+	query := NewQuery()
+	err := query.Parse(`foo:"bar" | groupby "complex field" "another complex field"`)
+	assert.NoError(tester, err)
+	groupbySegment := query.NamedSegment(SegmentKind_GroupBy).(*GroupBySegment)
+	assert.Len(tester, groupbySegment.Fields(), 2)
+}
+
 func validateQuery(tester *testing.T, args ...string) {
 	query := NewQuery()
 	err := query.Parse(args[0])
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 2ed69df1..d52491ec 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -177,6 +177,20 @@ func calcTimelineInterval(intervals int, beginTime time.Time, endTime time.Time)
 	return "30d"
 }
 
+func unquoteString(field string) string {
+	field = strings.TrimSuffix(field, `"`)
+	field = strings.TrimPrefix(field, `"`)
+	return field
+}
+
+func unquoteStringArray(fields []string) []string {
+	newFields := make([]string, 0, 0)
+	for _, field := range fields {
+		newFields = append(newFields, unquoteString(field))
+	}
+	return newFields
+}
+
 func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSearchCriteria) (string, error) {
 	var err error
 	var esJson string
@@ -196,6 +210,7 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			groupBySegment := segment.(*model.GroupBySegment)
 			fields := groupBySegment.Fields()
 			if len(fields) > 0 {
+				fields = unquoteStringArray(fields)
 				agg, name := makeAggregation(store, "groupby", fields, criteria.MetricLimit, false)
 				aggregations[name] = agg
 				aggregations["bottom"], _ = makeAggregation(store, "", fields[0:1], criteria.MetricLimit, true)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 3fa96993..83bf701d 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -527,3 +527,21 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	assert.Equal(tester, &myCreateTime, obj.CreateTime)
 	assert.Equal(tester, "bar", obj.Fields["foo"])
 }
+
+func TestUnquote(tester *testing.T) {
+	input := make([]string, 0, 0)
+	input = append(input, "\"one\"")
+	input = append(input, "\"two")
+	input = append(input, "three")
+	input = append(input, "\"fo ur\"")
+	input = append(input, "\"five six\"")
+	input = append(input, "se\"v\"en")
+
+	output := unquoteStringArray(input)
+	assert.Equal(tester, "one", output[0])
+	assert.Equal(tester, "two", output[1])
+	assert.Equal(tester, "three", output[2])
+	assert.Equal(tester, "fo ur", output[3])
+	assert.Equal(tester, "five six", output[4])
+	assert.Equal(tester, "se\"v\"en", output[5])
+}

From fe1f4ab3c5f7bcf028d807e9febe8395e997ed23 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 29 Dec 2021 16:45:53 -0500
Subject: [PATCH 50/98] Switch presets to lowercase for uniformity; convert
 severity between numeric and string

---
 html/js/i18n.js                               |  4 ++--
 server/modules/elastic/converter.go           | 21 ++++++++++++++++++-
 server/modules/elastic/converter_test.go      | 17 +++++++++++++++
 server/modules/thehive/thehiveconverter.go    |  8 +++----
 .../modules/thehive/thehiveconverter_test.go  |  4 ++++
 5 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 96a28cd5..5f69b435 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -412,8 +412,8 @@ const i18n = {
       toolTheHiveHelp: 'Case Management',
       transcriptCyberChefHelp: 'Send the transcript to CyberChef',
       type: 'Type',
-      unassigned: 'Unassigned',
-      unknown: 'Unknown',
+      unassigned: 'unassigned',
+      unknown: 'unknown',
       unwrapHelp: 'Unwrap packets from encapsulation (Ex: VXLAN)',
       update: 'Update',
       updatePassword: 'Update Password',
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index d52491ec..66910177 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -390,6 +390,25 @@ func convertElasticEventToAuditable(event *model.EventRecord, auditable *model.A
 	return nil
 }
 
+func convertSeverity(sev string) string {
+	sev = strings.ToLower(sev)
+	if len(sev) != 0 {
+		switch sev {
+		case "1":
+			sev = "low"
+		case "2":
+			sev = "medium"
+		case "3":
+			sev = "high"
+		case "4":
+			sev = "critical"
+		}
+	} else {
+		sev = "high"
+	}
+	return sev
+}
+
 func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
 	var err error
 	var obj *model.Case
@@ -408,7 +427,7 @@ func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
 				obj.Priority = int(value.(float64))
 			}
 			if value, ok := event.Payload["case.severity"]; ok {
-				obj.Severity = value.(string)
+				obj.Severity = convertSeverity(value.(string))
 			}
 			if value, ok := event.Payload["case.status"]; ok {
 				obj.Status = value.(string)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 83bf701d..7ba5f6b2 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -545,3 +545,20 @@ func TestUnquote(tester *testing.T) {
 	assert.Equal(tester, "five six", output[4])
 	assert.Equal(tester, "se\"v\"en", output[5])
 }
+
+func TestConvertSeverity(tester *testing.T) {
+	assert.Equal(tester, "high", convertSeverity(""))
+	assert.Equal(tester, "unknown", convertSeverity("unknown"))
+	assert.Equal(tester, "low", convertSeverity("low"))
+	assert.Equal(tester, "low", convertSeverity("Low"))
+	assert.Equal(tester, "low", convertSeverity("1"))
+	assert.Equal(tester, "medium", convertSeverity("medium"))
+	assert.Equal(tester, "medium", convertSeverity("Medium"))
+	assert.Equal(tester, "medium", convertSeverity("2"))
+	assert.Equal(tester, "high", convertSeverity("high"))
+	assert.Equal(tester, "high", convertSeverity("High"))
+	assert.Equal(tester, "high", convertSeverity("3"))
+	assert.Equal(tester, "critical", convertSeverity("critical"))
+	assert.Equal(tester, "critical", convertSeverity("4"))
+	assert.Equal(tester, "critical", convertSeverity("Critical"))
+}
diff --git a/server/modules/thehive/thehiveconverter.go b/server/modules/thehive/thehiveconverter.go
index 4d5fb7be..03054ce1 100644
--- a/server/modules/thehive/thehiveconverter.go
+++ b/server/modules/thehive/thehiveconverter.go
@@ -22,13 +22,13 @@ func convertSeverity(sev string) int {
 
 	if len(sev) != 0 {
 		switch strings.ToLower(sev) {
-		case "low":
+		case "low", "1":
 			severity = 1
-		case "medium":
+		case "medium", "2":
 			severity = 2
-		case "high":
+		case "high", "3":
 			severity = 3
-		case "critical":
+		case "critical", "4":
 			severity = 4
 		default:
 			severity = 3
diff --git a/server/modules/thehive/thehiveconverter_test.go b/server/modules/thehive/thehiveconverter_test.go
index a57c02c0..fb20fc40 100644
--- a/server/modules/thehive/thehiveconverter_test.go
+++ b/server/modules/thehive/thehiveconverter_test.go
@@ -69,10 +69,14 @@ func TestConvertSeverity(tester *testing.T) {
 	assert.Equal(tester, 3, convertSeverity("unknown"))
 	assert.Equal(tester, 1, convertSeverity("low"))
 	assert.Equal(tester, 1, convertSeverity("Low"))
+	assert.Equal(tester, 1, convertSeverity("1"))
 	assert.Equal(tester, 2, convertSeverity("medium"))
 	assert.Equal(tester, 2, convertSeverity("Medium"))
+	assert.Equal(tester, 2, convertSeverity("2"))
 	assert.Equal(tester, 3, convertSeverity("high"))
 	assert.Equal(tester, 3, convertSeverity("High"))
+	assert.Equal(tester, 3, convertSeverity("3"))
 	assert.Equal(tester, 4, convertSeverity("critical"))
+	assert.Equal(tester, 4, convertSeverity("4"))
 	assert.Equal(tester, 4, convertSeverity("Critical"))
 }

From 5a72b98becd05c59850fc70fde8c59028ce68be4 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 29 Dec 2021 17:10:14 -0500
Subject: [PATCH 51/98] GroupBy action will now auto-quote fields to support
 spaces in fields

---
 model/query.go                           | 23 +++++++++++++++++++++--
 model/query_test.go                      | 24 +++++++++++++++++++++---
 server/modules/elastic/converter.go      | 16 +---------------
 server/modules/elastic/converter_test.go | 18 ------------------
 4 files changed, 43 insertions(+), 38 deletions(-)

diff --git a/model/query.go b/model/query.go
index 16cb9ca1..a138b8d9 100644
--- a/model/query.go
+++ b/model/query.go
@@ -250,16 +250,17 @@ func (segment *GroupBySegment) Fields() []string {
 }
 
 func (segment *GroupBySegment) AddGrouping(group string) error {
+  group = UnquoteString(group)
   fields := segment.Fields()
   alreadyGrouped := false
   for _, field := range fields {
-    if field == group {
+    if UnquoteString(field) == group {
       alreadyGrouped = true
     }
   }
   var err error
   if !alreadyGrouped {
-    term, err := NewQueryTerm(group)
+    term, err := NewQueryTerm(QuoteString(group))
     if err == nil {
       segment.terms = append(segment.terms, term)
     }
@@ -554,3 +555,21 @@ func (query *Query) Sort(field string) (string, error) {
 
   return query.String(), err
 }
+
+func QuoteString(field string) string {
+  return `"` + field + `"`
+}
+
+func UnquoteString(field string) string {
+  field = strings.TrimSuffix(field, `"`)
+  field = strings.TrimPrefix(field, `"`)
+  return field
+}
+
+func UnquoteStringArray(fields []string) []string {
+  newFields := make([]string, 0, 0)
+  for _, field := range fields {
+    newFields = append(newFields, UnquoteString(field))
+  }
+  return newFields
+}
diff --git a/model/query_test.go b/model/query_test.go
index 5c2be8f9..302e185e 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -99,9 +99,9 @@ func validateGroup(tester *testing.T, orig string, group string, expected string
 }
 
 func TestGroup(tester *testing.T) {
-	validateGroup(tester, "a", "b", "a | groupby b")
-	validateGroup(tester, "a|groupby b", "c", "a | groupby b c")
-	validateGroup(tester, "a|groupby b", "b", "a | groupby b")
+	validateGroup(tester, "a", "b", `a | groupby "b"`)
+	validateGroup(tester, "a|groupby b", "c", `a | groupby b "c"`)
+	validateGroup(tester, "a|groupby b", "b", `a | groupby b`)
 }
 
 func validateSort(tester *testing.T, orig string, sort string, expected string) {
@@ -163,3 +163,21 @@ func TestRemoveTermsWith(tester *testing.T) {
 	segment.AddFilter("goodbye", "d", false, false)
 	assert.Equal(tester, 2, segment.RemoveTermsWith("e"))
 }
+
+func TestUnquote(tester *testing.T) {
+	input := make([]string, 0, 0)
+	input = append(input, "\"one\"")
+	input = append(input, "\"two")
+	input = append(input, "three")
+	input = append(input, "\"fo ur\"")
+	input = append(input, "\"five six\"")
+	input = append(input, "se\"v\"en")
+
+	output := UnquoteStringArray(input)
+	assert.Equal(tester, "one", output[0])
+	assert.Equal(tester, "two", output[1])
+	assert.Equal(tester, "three", output[2])
+	assert.Equal(tester, "fo ur", output[3])
+	assert.Equal(tester, "five six", output[4])
+	assert.Equal(tester, "se\"v\"en", output[5])
+}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 66910177..31785c93 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -177,20 +177,6 @@ func calcTimelineInterval(intervals int, beginTime time.Time, endTime time.Time)
 	return "30d"
 }
 
-func unquoteString(field string) string {
-	field = strings.TrimSuffix(field, `"`)
-	field = strings.TrimPrefix(field, `"`)
-	return field
-}
-
-func unquoteStringArray(fields []string) []string {
-	newFields := make([]string, 0, 0)
-	for _, field := range fields {
-		newFields = append(newFields, unquoteString(field))
-	}
-	return newFields
-}
-
 func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSearchCriteria) (string, error) {
 	var err error
 	var esJson string
@@ -210,7 +196,7 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 			groupBySegment := segment.(*model.GroupBySegment)
 			fields := groupBySegment.Fields()
 			if len(fields) > 0 {
-				fields = unquoteStringArray(fields)
+				fields = model.UnquoteStringArray(fields)
 				agg, name := makeAggregation(store, "groupby", fields, criteria.MetricLimit, false)
 				aggregations[name] = agg
 				aggregations["bottom"], _ = makeAggregation(store, "", fields[0:1], criteria.MetricLimit, true)
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 7ba5f6b2..851cfcc6 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -528,24 +528,6 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	assert.Equal(tester, "bar", obj.Fields["foo"])
 }
 
-func TestUnquote(tester *testing.T) {
-	input := make([]string, 0, 0)
-	input = append(input, "\"one\"")
-	input = append(input, "\"two")
-	input = append(input, "three")
-	input = append(input, "\"fo ur\"")
-	input = append(input, "\"five six\"")
-	input = append(input, "se\"v\"en")
-
-	output := unquoteStringArray(input)
-	assert.Equal(tester, "one", output[0])
-	assert.Equal(tester, "two", output[1])
-	assert.Equal(tester, "three", output[2])
-	assert.Equal(tester, "fo ur", output[3])
-	assert.Equal(tester, "five six", output[4])
-	assert.Equal(tester, "se\"v\"en", output[5])
-}
-
 func TestConvertSeverity(tester *testing.T) {
 	assert.Equal(tester, "high", convertSeverity(""))
 	assert.Equal(tester, "unknown", convertSeverity("unknown"))

From 49e8adc79d71af112e452fd68a74a235781a3501 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 30 Dec 2021 10:14:36 -0500
Subject: [PATCH 52/98] Refactor group/sort segments to eliminate need for
 quoting/unqouting functions

---
 html/index.html                          |   1 -
 html/js/routes/hunt.js                   |  10 ++-
 model/query.go                           | 110 ++++++++---------------
 model/query_test.go                      |  38 ++++----
 server/modules/elastic/converter.go      |   5 +-
 server/modules/elastic/converter_test.go |   4 +-
 6 files changed, 66 insertions(+), 102 deletions(-)

diff --git a/html/index.html b/html/index.html
index 74c1c629..ed368992 100644
--- a/html/index.html
+++ b/html/index.html
@@ -2410,7 +2410,6 @@ <h2 v-text="i18n.settingsTitle"></h2>
     <script src="js/external/daterangepicker-3.1.0.min.js"></script>
     <script src="js/external/marked-2.1.3.min.js"></script>
     <script src="js/external/purify-2.3.4.min.js"></script>
-    <script src="js/external/highlight-11.3.1.min.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index f9780c3a..11ad0ebb 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -576,14 +576,20 @@ const huntComponent = {
             if (segment.indexOf("groupby") == 0) {
               segment.split(" ").forEach(function(item, index) {
                 if (index > 0 && item.trim().length > 0) {
-                  route.queryGroupBys.push(item);
+                  if (item.split("\"").length % 2 == 1) {
+                    // Will currently skip quoted items with spaces. 
+                    route.queryGroupBys.push(item);
+                  }
                 }
               });
             }
             if (segment.indexOf("sortby") == 0) {
               segment.split(" ").forEach(function(item, index) {
                 if (index > 0 && item.trim().length > 0) {
-                  route.querySortBys.push(item);
+                  if (item.split("\"").length % 2 == 1) {
+                    // Will currently skip quoted items with spaces. 
+                    route.querySortBys.push(item);
+                  }
                 }
               });
             }
diff --git a/model/query.go b/model/query.go
index a138b8d9..f40475c6 100644
--- a/model/query.go
+++ b/model/query.go
@@ -131,6 +131,41 @@ func (segment *BaseSegment) RemoveTermsWith(raw string) int {
   return removed
 }
 
+func (segment *BaseSegment) RawFields() []string {
+  fields := make([]string, 0, 0)
+  for _, field := range segment.terms {
+    fields = append(fields, field.Raw)
+  }
+  return fields
+}
+
+func (segment *BaseSegment) Fields() []string {
+  fields := make([]string, 0, 0)
+  for _, field := range segment.terms {
+    fields = append(fields, field.String())
+  }
+  return fields
+}
+
+func (segment *BaseSegment) AddField(field string) error {
+  alreadyIncluded := false
+  for _, term := range segment.terms {
+    if term.Raw == field {
+      alreadyIncluded = true
+    }
+  }
+  var err error
+  if !alreadyIncluded {
+    term, err := NewQueryTerm(field)
+    if err == nil {
+      term.Quoted = true
+      term.Quote = '"'
+      segment.terms = append(segment.terms, term)
+    }
+  }
+  return err
+}
+
 type SearchSegment struct {
   *BaseSegment
 }
@@ -241,33 +276,6 @@ func (segment *GroupBySegment) String() string {
   return segment.Kind() + " " + segment.TermsAsString()
 }
 
-func (segment *GroupBySegment) Fields() []string {
-  fields := make([]string, 0, 0)
-  for _, field := range segment.terms {
-    fields = append(fields, field.String())
-  }
-  return fields
-}
-
-func (segment *GroupBySegment) AddGrouping(group string) error {
-  group = UnquoteString(group)
-  fields := segment.Fields()
-  alreadyGrouped := false
-  for _, field := range fields {
-    if UnquoteString(field) == group {
-      alreadyGrouped = true
-    }
-  }
-  var err error
-  if !alreadyGrouped {
-    term, err := NewQueryTerm(QuoteString(group))
-    if err == nil {
-      segment.terms = append(segment.terms, term)
-    }
-  }
-  return err
-}
-
 type SortBySegment struct {
   *BaseSegment
 }
@@ -299,32 +307,6 @@ func (segment *SortBySegment) String() string {
   return segment.Kind() + " " + segment.TermsAsString()
 }
 
-func (segment *SortBySegment) Fields() []string {
-  fields := make([]string, 0, 0)
-  for _, field := range segment.terms {
-    fields = append(fields, field.String())
-  }
-  return fields
-}
-
-func (segment *SortBySegment) AddSortField(sortField string) error {
-  fields := segment.Fields()
-  alreadySorted := false
-  for _, field := range fields {
-    if field == sortField {
-      alreadySorted = true
-    }
-  }
-  var err error
-  if !alreadySorted {
-    term, err := NewQueryTerm(sortField)
-    if err == nil {
-      segment.terms = append(segment.terms, term)
-    }
-  }
-  return err
-}
-
 type Query struct {
   Segments []QuerySegment
 }
@@ -537,7 +519,7 @@ func (query *Query) Group(field string) (string, error) {
     query.AddSegment(segment)
   }
   groupBySegment := segment.(*GroupBySegment)
-  err = groupBySegment.AddGrouping(field)
+  err = groupBySegment.AddField(field)
 
   return query.String(), err
 }
@@ -551,25 +533,7 @@ func (query *Query) Sort(field string) (string, error) {
     query.AddSegment(segment)
   }
   sortBySegment := segment.(*SortBySegment)
-  err = sortBySegment.AddSortField(field)
+  err = sortBySegment.AddField(field)
 
   return query.String(), err
 }
-
-func QuoteString(field string) string {
-  return `"` + field + `"`
-}
-
-func UnquoteString(field string) string {
-  field = strings.TrimSuffix(field, `"`)
-  field = strings.TrimPrefix(field, `"`)
-  return field
-}
-
-func UnquoteStringArray(fields []string) []string {
-  newFields := make([]string, 0, 0)
-  for _, field := range fields {
-    newFields = append(newFields, UnquoteString(field))
-  }
-  return newFields
-}
diff --git a/model/query_test.go b/model/query_test.go
index 302e185e..ac92052c 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -20,7 +20,21 @@ func TestGroupWithQuotes(tester *testing.T) {
 	err := query.Parse(`foo:"bar" | groupby "complex field" "another complex field"`)
 	assert.NoError(tester, err)
 	groupbySegment := query.NamedSegment(SegmentKind_GroupBy).(*GroupBySegment)
-	assert.Len(tester, groupbySegment.Fields(), 2)
+	fields := groupbySegment.Fields()
+	assert.Len(tester, fields, 2)
+	assert.Equal(tester, `"complex field"`, fields[0])
+	assert.Equal(tester, `"another complex field"`, fields[1])
+}
+
+func TestRawFields(tester *testing.T) {
+	query := NewQuery()
+	err := query.Parse(`foo:"bar" | groupby "complex field" "another complex field"`)
+	assert.NoError(tester, err)
+	groupbySegment := query.NamedSegment(SegmentKind_GroupBy).(*GroupBySegment)
+	rawFields := groupbySegment.RawFields()
+	assert.Len(tester, rawFields, 2)
+	assert.Equal(tester, "complex field", rawFields[0])
+	assert.Equal(tester, "another complex field", rawFields[1])
 }
 
 func validateQuery(tester *testing.T, args ...string) {
@@ -115,8 +129,8 @@ func validateSort(tester *testing.T, orig string, sort string, expected string)
 }
 
 func TestSort(tester *testing.T) {
-	validateSort(tester, "a", "b", "a | sortby b")
-	validateSort(tester, "a|sortby b", "c", "a | sortby b c")
+	validateSort(tester, "a", "b", `a | sortby "b"`)
+	validateSort(tester, "a|sortby b", "c", `a | sortby b "c"`)
 	validateSort(tester, "a|sortby b", "b", "a | sortby b")
 }
 
@@ -163,21 +177,3 @@ func TestRemoveTermsWith(tester *testing.T) {
 	segment.AddFilter("goodbye", "d", false, false)
 	assert.Equal(tester, 2, segment.RemoveTermsWith("e"))
 }
-
-func TestUnquote(tester *testing.T) {
-	input := make([]string, 0, 0)
-	input = append(input, "\"one\"")
-	input = append(input, "\"two")
-	input = append(input, "three")
-	input = append(input, "\"fo ur\"")
-	input = append(input, "\"five six\"")
-	input = append(input, "se\"v\"en")
-
-	output := UnquoteStringArray(input)
-	assert.Equal(tester, "one", output[0])
-	assert.Equal(tester, "two", output[1])
-	assert.Equal(tester, "three", output[2])
-	assert.Equal(tester, "fo ur", output[3])
-	assert.Equal(tester, "five six", output[4])
-	assert.Equal(tester, "se\"v\"en", output[5])
-}
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 31785c93..a005e67d 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -194,9 +194,8 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 		segment := criteria.ParsedQuery.NamedSegment(model.SegmentKind_GroupBy)
 		if segment != nil {
 			groupBySegment := segment.(*model.GroupBySegment)
-			fields := groupBySegment.Fields()
+			fields := groupBySegment.RawFields()
 			if len(fields) > 0 {
-				fields = model.UnquoteStringArray(fields)
 				agg, name := makeAggregation(store, "groupby", fields, criteria.MetricLimit, false)
 				aggregations[name] = agg
 				aggregations["bottom"], _ = makeAggregation(store, "", fields[0:1], criteria.MetricLimit, true)
@@ -211,7 +210,7 @@ func convertToElasticRequest(store *ElasticEventstore, criteria *model.EventSear
 	segment := criteria.ParsedQuery.NamedSegment(model.SegmentKind_SortBy)
 	if segment != nil {
 		sortBySegment := segment.(*model.SortBySegment)
-		fields := sortBySegment.Fields()
+		fields := sortBySegment.RawFields()
 		if len(fields) > 0 {
 			sorting := make([]map[string]map[string]string, 0, 0)
 			for _, field := range fields {
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 851cfcc6..378291f0 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -96,7 +96,7 @@ func TestConvertToElasticRequestEmptyCriteria(tester *testing.T) {
 
 func TestConvertToElasticRequestGroupByCriteria(tester *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby ghi jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | groupby "ghi" jkl*`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
 	assert.Nil(tester, err)
 
@@ -106,7 +106,7 @@ func TestConvertToElasticRequestGroupByCriteria(tester *testing.T) {
 
 func TestConvertToElasticRequestSortByCriteria(tester *testing.T) {
 	criteria := model.NewEventSearchCriteria()
-	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby ghi jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
+	criteria.Populate(`abc AND def AND q:"\\\\file\\path" | sortby "ghi" jkl^`, "2020-01-02T12:13:14Z - 2020-01-02T13:13:14Z", time.RFC3339, "America/New_York", "10", "25")
 	actualJson, err := convertToElasticRequest(NewTestStore(), criteria)
 	assert.Nil(tester, err)
 

From 5b5f34a84cd9f92d63eefba116f0fe047b15130f Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 30 Dec 2021 11:29:28 -0500
Subject: [PATCH 53/98] Markdown formatting and id additions

---
 html/css/app.css |   5 +++
 html/index.html  | 100 ++++++++++++++++++++++++-----------------------
 2 files changed, 56 insertions(+), 49 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index d12a7f58..d68adca1 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -261,6 +261,11 @@ td {
   border-radius: 0.25em;
 }
 
+.comment-body .markdown-body pre,
+.comment-body .markdown-body p {
+  margin: 8px 0;
+}
+
 .theme--dark.v-application .comment-body .markdown-body {
   background-color: rgba(0,0,0,.2);
 }
diff --git a/html/index.html b/html/index.html
index ed368992..79f894be 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1285,63 +1285,65 @@ <h2>{{ i18n.description }}</h2>
                 </v-tab>
   
                 <v-tab-item>
-                  <div v-for="(comment, index) in associations.comments" class="mb-8">
-                    <div class="d-flex flex-column align-start ma-4">
-                      <v-col class="d-flex flex-column align-start pt-2 pb-0  pl-2 pr-0 pt-md-0">
-                        <div class="mt-1 mt-md-3 py-3 px-3 contrast-bg rounded rounded-md" style="width: 100%;">
-                          <div class="d-flex flex-column align-start">
-                            <div class="case d-block comment-body" v-if="!isEdit(`comment-${index}`)">
-                              <div class="mb-4">
-                                <div :id="`comment-${index}`" class="markdown-body" :inner-html.prop="comment.description | formatMarkdown"></div>
+                  <div id="comment-list">
+                    <div v-for="(comment, index) in associations.comments" class="mb-8">
+                      <div class="d-flex flex-column align-start ma-4">
+                        <v-col class="d-flex flex-column align-start pt-2 pb-0  pl-2 pr-0 pt-md-0">
+                          <div class="mt-1 mt-md-3 py-3 px-3 contrast-bg rounded rounded-md" style="width: 100%;">
+                            <div class="d-flex flex-column align-start">
+                              <div class="case d-block comment-body" v-if="!isEdit(`comment-${index}`)">
+                                <div class="mb-4">
+                                  <div :id="`comment-${index}`" class="markdown-body" :inner-html.prop="comment.description | formatMarkdown"></div>
+                                </div>
                               </div>
-                            </div>
-                            <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
-                              <div class="mb-2">
-                                <v-form v-model="editForm.valid">
-                                  <v-textarea id="comment-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
-                                  <div class="d-inline-flex justify-end">
-                                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                                      {{ i18n.cancel }}
-                                    </v-btn>
-                                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                                      {{ i18n.update }}
-                                    </v-btn>
-                                  </div>
-                                </v-form>
+                              <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
+                                <div class="mb-2">
+                                  <v-form v-model="editForm.valid">
+                                    <v-textarea id="comment-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
+                                    <div class="d-inline-flex justify-end">
+                                      <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                        {{ i18n.cancel }}
+                                      </v-btn>
+                                      <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                        {{ i18n.update }}
+                                      </v-btn>
+                                    </div>
+                                  </v-form>
+                                </div>
                               </div>
-                            </div>
-                            <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
-                              <div class="d-inline-flex align-center mr-1">
-                                <v-avatar color="primary" size="24" class="mr-2">
-                                  <div class="case avatar-font" :title="comment.owner">
-                                    {{ $root.getAvatar(comment.owner) }}
+                              <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
+                                <div class="d-inline-flex align-center mr-1">
+                                  <v-avatar color="primary" size="24" class="mr-2">
+                                    <div class="case avatar-font" :title="comment.owner">
+                                      {{ $root.getAvatar(comment.owner) }}
+                                    </div>
+                                  </v-avatar>
+                                  <div >
+                                    {{ comment.owner }}
                                   </div>
-                                </v-avatar>
-                                <div >
-                                  {{ comment.owner }}
                                 </div>
-                              </div>
-                              <div class="mr-1 d-none d-sm-block">
-                                &bull;
-                              </div>
-                              <div>
-                                {{ comment.createTime | formatDateTime }}
-                              </div>
-                              <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-sm-2">
-                                {{ i18n.edited }}
-                              </div>
-                              <div class="ml-1 d-flex mt-1 mt-sm-0">
-                                <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
-                                <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                                <div class="mr-1 d-none d-sm-block">
+                                  &bull;
+                                </div>
+                                <div>
+                                  {{ comment.createTime | formatDateTime }}
+                                </div>
+                                <div v-if="isEdited(comment)" :title="$root.formatDateTime(comment.updateTime)" class="mx-sm-2">
+                                  {{ i18n.edited }}
+                                </div>
+                                <div class="ml-1 d-flex mt-1 mt-sm-0">
+                                  <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                                  <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
+                                </div>
                               </div>
                             </div>
                           </div>
-                        </div>
-                      </v-col> 
-                    </div>           
+                        </v-col> 
+                      </div>           
+                    </div>
                   </div>
                   <div class="d-flex flex-column align-start ma-4">
-                    <v-col class="d-flex flex-column align-start pt-2 pb-0 pl-2 pr-0 pt-md-0">
+                    <v-col id="new-comment" class="d-flex flex-column align-start pt-2 pb-0 pl-2 pr-0 pt-md-0">
                       <div class="mt-1 mt-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                       <div class="d-flex flex-column align-start">
                         <div class="d-flex flex-column" style="width: 100%;">
@@ -1355,7 +1357,7 @@ <h2>{{ i18n.description }}</h2>
                               <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </div>
                             <v-form ref="comments" v-model="associatedForms['comments'].valid">
-                            <v-textarea solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
+                              <v-textarea  solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
                             </v-form>
                           </div>
                         </div>

From d08f892297cd753dcbb272e61422ef8ffb3dbaaf Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 30 Dec 2021 15:32:34 -0500
Subject: [PATCH 54/98] Make summary fields consistent with detail fields

---
 html/index.html | 58 ++++++++++++++++++++++++++-----------------------
 1 file changed, 31 insertions(+), 27 deletions(-)

diff --git a/html/index.html b/html/index.html
index 79f894be..67bbd4d7 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1242,7 +1242,7 @@ <h2>{{ i18n.description }}</h2>
             <div class="mb-6 mb-md-3">
               <div class="clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
                 <div class="d-block" style="width: 100%;">
-                  <div id="case-description" class="rounded case markdown-body" :inner-html.prop="caseObj.description | formatMarkdown"></div>
+                  <div id="case-description" class="rounded case detail-field markdown-body" :inner-html.prop="caseObj.description | formatMarkdown"></div>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
@@ -2020,36 +2020,40 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           <h3>{{ i18n.summary }}</h3>
                         </v-expansion-panel-header>
                         <v-expansion-panel-content class="my-2">
-                            <v-row class="clicktoedit" @click="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)">
+                            <v-row>
                               <v-col cols="12">
-                                <div class="font-weight-bold">{{i18n.caseAssignee}}: </div>
-                                <div id='case-assignee' class="case detail-field" v-if="!isEdit('case-assignee')">{{ withDefault(caseObj.assignee, i18n.unassigned) }}</div>
-                                <v-select id='case-assignee-input' v-if="isEdit('case-assignee')"
-                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseAssigneeHelp"
-                                  v-model="editForm.val"
-                                  :items="userList"
-                                  item-text="email"
-                                  item-value="id"
-                                  v-on:change="stopEdit(true)"
-                                />
+                                <div class="clicktoedit" @click="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.caseAssignee}}: </div>
+                                  <div id='case-assignee' class="case detail-field" v-if="!isEdit('case-assignee')">{{ withDefault(caseObj.assignee, i18n.unassigned) }}</div>
+                                  <v-select id='case-assignee-input' v-if="isEdit('case-assignee')"
+                                    dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseAssigneeHelp"
+                                    v-model="editForm.val"
+                                    :items="userList"
+                                    item-text="email"
+                                    item-value="id"
+                                    v-on:change="stopEdit(true)"
+                                  />
+                                </div>
                               </v-col>
                             </v-row>
-                            <v-row class="clicktoedit" @click="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)">
+                            <v-row>
                               <v-col cols="12">
-                                <div class="font-weight-bold">{{i18n.status}}: </div>
-                                <div id="case-status" class="case detail-field" v-if="!isEdit('case-status')">{{ withDefault(caseObj.status, i18n.unknown) }}</div>
-                                <v-select id="case-status-input" v-if="isEdit('case-status') && !isPresetCustomEnabled('status')"
-                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
-                                  v-model="editForm.val"
-                                  :items="selectList('status', caseObj.status)"
-                                  v-on:change="stopEdit(true)"
-                                />
-                                <v-combobox id="case-status-input" v-if="isEdit('case-status') && isPresetCustomEnabled('status')"
-                                  dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
-                                  v-model="editForm.val"
-                                  :items="selectList('status', caseObj.status)"
-                                  v-on:change="stopEdit(true)"
-                                />
+                                <div class="clicktoedit" @click="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)">
+                                  <div class="font-weight-bold">{{i18n.status}}: </div>
+                                  <div id="case-status" class="case detail-field" v-if="!isEdit('case-status')">{{ withDefault(caseObj.status, i18n.unknown) }}</div>
+                                  <v-select id="case-status-input" v-if="isEdit('case-status') && !isPresetCustomEnabled('status')"
+                                    dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
+                                    v-model="editForm.val"
+                                    :items="selectList('status', caseObj.status)"
+                                    v-on:change="stopEdit(true)"
+                                  />
+                                  <v-combobox id="case-status-input" v-if="isEdit('case-status') && isPresetCustomEnabled('status')"
+                                    dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseStatusHelp"
+                                    v-model="editForm.val"
+                                    :items="selectList('status', caseObj.status)"
+                                    v-on:change="stopEdit(true)"
+                                  />
+                                </div>
                               </v-col>
                             </v-row>
                         </v-expansion-panel-content>

From 64a5001815d8a4e93bbaf46981266497dca7502a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 30 Dec 2021 16:13:00 -0500
Subject: [PATCH 55/98] Improve case title generation when event does not have
 rule.name field

---
 html/js/routes/hunt.js      | 63 +++++++++++++++++++------------------
 html/js/routes/hunt.test.js | 55 ++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+), 30 deletions(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 11ad0ebb..8012422a 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -413,7 +413,38 @@ const huntComponent = {
       } catch (error) {
         this.$root.showError(error);
       }
-    },  
+    },
+    buildCase(item) {
+      var title = 'rule.name' in item && item['rule.name'] ? '' + item['rule.name'] : null;
+      if (!title) {
+        title = this.i18n.eventCaseTitle;
+        if (item['event.module'] || item['event.dataset']) {
+          title = title + ": ";
+          if (item['event.module']) {
+            title = title + item['event.module'];
+            if (item['event.dataset']) {
+              title = title + " - ";
+            }
+          }
+          if (item['event.dataset']) {
+            title = title + item['event.dataset'];
+          }
+        }
+      }
+
+      var description = item['message'];
+      if (!description) description = JSON.stringify(item);
+
+      var severity = 'event.severity' in item && item['event.severity'] ? '' + item['event.severity'] : '';
+      var template = 'rule.case_template' in item && item['rule.case_template'] ? '' + item['rule.case_template'] : '';
+
+      return {
+        title: title,
+        description: description,
+        severity: severity,
+        template: template,
+      };
+    },
     async ack(event, item, idx, acknowledge, escalate = false, caseId = null) {
       this.$root.startLoading();
       try {
@@ -426,35 +457,7 @@ const huntComponent = {
         if (escalate) {
           if (!caseId || !this.escalateRelatedEventsEnabled) {
             // Add to new case
-            var title = '' + item['rule.name'];
-            if (!title) {
-              title = this.i18n.eventCaseTitle;
-              if (item['event.module'] || item['event.dataset']) {
-                title = title + ": ";
-                if (item['event.module']) {
-                  title = title + item['event.module'];
-                  if (item['event.dataset']) {
-                    title = title + " - ";
-                  }
-                }
-                if (item['event.dataset']) {
-                  title = title + item['event.dataset'];
-                }
-              }
-            }
-
-            var description = item['message'];
-            if (!description) description = JSON.stringify(item);
-
-            var severity = 'event.severity' in item ? '' + item['event.severity'] : '';
-            var template = 'rule.case_template' in item ? '' + item['rule.case_template'] : '';
-
-            const response = await this.$root.papi.post('case/', {
-              title: title,
-              description: description,
-              severity: severity,
-              template: template,
-            });
+            const response = await this.$root.papi.post('case/', buildCase(item));
             if (response && response.data) {
               caseId = response.data.id;
             }
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 597221ca..8d111ad8 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -202,3 +202,58 @@ test('toggleEscalationMenuAlreadyOpen', () => {
   expect(comp.quickActionVisible).toBe(false);
   expect(comp.escalationMenuVisible).toBe(false);
 });
+
+function validateCase(
+    name, template, mod, dataset, severity, message,
+    expectedTitle, expectedDescription, expectedSeverity, expectedTemplate) {
+  const item = {
+    "rule.name": name,
+    "rule.case_template": template,
+    "event.module": mod,
+    "event.dataset": dataset,
+    "event.severity": severity,
+    "message": message,
+  };
+  const caseObj = comp.buildCase(item)
+  expect(caseObj.title).toBe(expectedTitle);
+  expect(caseObj.description).toBe(expectedDescription);
+  expect(caseObj.severity).toBe(expectedSeverity);
+  expect(caseObj.template).toBe(expectedTemplate);
+}
+
+test('buildCase', () => {
+  // has rule name and message, etc (happy path)
+  validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
+      'myTitle', 'myMessage', 'mySeverity', 'myTemplate');
+
+  // missing rule name, module, and dataset
+  validateCase('', 'myTemplate', '', '', 'mySeverity', 'myMessage',
+      'Event Escalation from SOC', 'myMessage', 'mySeverity', 'myTemplate');
+
+  // missing rule name but has module
+  validateCase('', 'myTemplate', 'myModule', '', 'mySeverity', 'myMessage',
+      'Event Escalation from SOC: myModule', 'myMessage', 'mySeverity', 'myTemplate');
+
+  // missing rule name but has dataset
+  validateCase('', 'myTemplate', '', 'myDataset', 'mySeverity', 'myMessage',
+      'Event Escalation from SOC: myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+
+  // missing rule name but has module and dataset
+  validateCase('', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
+      'Event Escalation from SOC: myModule - myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+  validateCase(null, 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
+      'Event Escalation from SOC: myModule - myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+
+  // missing message
+  validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', '',
+      'myTitle', '{\"rule.name\":\"myTitle\",\"rule.case_template\":\"myTemplate\",\"event.module\":\"myModule\",\"event.dataset\":\"myDataset\",\"event.severity\":\"mySeverity\",\"message\":\"\"}', 'mySeverity', 'myTemplate');
+
+  // missing severity
+  validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', '', 'myMessage',
+      'myTitle', 'myMessage', '', 'myTemplate');
+
+  // missing template
+  validateCase('myTitle', '', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
+      'myTitle', 'myMessage', 'mySeverity', '');
+
+});

From 3925c8caecbeeb11ae96624fa79b119c13a452ae Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 30 Dec 2021 16:16:16 -0500
Subject: [PATCH 56/98] Improve case title generation when event does not have
 rule.name field

---
 html/js/routes/hunt.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 8012422a..7249bc83 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -457,7 +457,7 @@ const huntComponent = {
         if (escalate) {
           if (!caseId || !this.escalateRelatedEventsEnabled) {
             // Add to new case
-            const response = await this.$root.papi.post('case/', buildCase(item));
+            const response = await this.$root.papi.post('case/', this.buildCase(item));
             if (response && response.data) {
               caseId = response.data.id;
             }

From c56ef0ae63c89b89ead113aeeec15026bf923f88 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 3 Jan 2022 12:41:14 -0500
Subject: [PATCH 57/98] Disable bare url tokenization

---
 html/js/app.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/js/app.js b/html/js/app.js
index 448ada07..3a0153ba 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -435,6 +435,13 @@ $(document).ready(function() {
           renderer: new marked.Renderer(),
           smartLists: true
         })
+        marked.use({
+          tokenizer: {
+            url(src) {
+              // Blank function disables bare url tokenization
+            }
+          }
+        })
         var md = str;
         if (str) {
           md = marked(str);

From 6060519ed1968078ca41c0b8443862c53178777b Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 3 Jan 2022 12:41:55 -0500
Subject: [PATCH 58/98] Put edit fields in tab index

---
 html/index.html | 56 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 38 insertions(+), 18 deletions(-)

diff --git a/html/index.html b/html/index.html
index 67bbd4d7..02a63378 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1215,7 +1215,8 @@ <h2>{{ i18n.viewJob }}</h2>
     <script type="text/x-template" id="page-case">
       <v-container fluid>
         <div class="mx-sm-12 mx-lg-6 mt-2 mb-6 mb-md-1">
-          <div class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-title')" @click="startEdit('case-title-input', caseObj.title, 'case-title', 'title', modifyCase)">
+          <div tabindex="0" class="case detail-field clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-title')" 
+            @click="startEdit('case-title-input', caseObj.title, 'case-title', 'title', modifyCase)" @keypress.space.prevent="startEdit('case-title-input', caseObj.title, 'case-title', 'title', modifyCase)">
             <h2 id="case-title" class="rounded">{{ caseObj.title }}</h2>
           </div>
           <div class="d-flex flex-column" v-if="isEdit('case-title')">
@@ -1240,7 +1241,8 @@ <h2 id="case-title" class="rounded">{{ caseObj.title }}</h2>
               <h2>{{ i18n.description }}</h2>
             </div>
             <div class="mb-6 mb-md-3">
-              <div class="clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
+              <div tabindex="0" class="clicktoedit d-flex align-start pa-2" v-if="!isEdit('case-description')" @click="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)"
+              @keypress.space.prevent="startEdit('case-desc-input',  caseObj.description, 'case-description', 'description', modifyCase, [], true)">
                 <div class="d-block" style="width: 100%;">
                   <div id="case-description" class="rounded case detail-field markdown-body" :inner-html.prop="caseObj.description | formatMarkdown"></div>
                 </div>
@@ -1332,7 +1334,10 @@ <h2>{{ i18n.description }}</h2>
                                   {{ i18n.edited }}
                                 </div>
                                 <div class="ml-1 d-flex mt-1 mt-sm-0">
-                                  <v-btn text small color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" icon><v-icon style="font-size: 14px !important;">fa-edit</v-icon></v-btn>
+                                  <v-btn text small icon color="primary" v-if="!isEdit(`comment-${index}`)" @click="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)" 
+                                    @keypress.space.prevent="startEdit('comment-desc-input', comment.description, `comment-${index}`, 'description', modifyAssociation, ['comments', comment], true)">
+                                    <v-icon style="font-size: 14px !important;">fa-edit</v-icon>
+                                  </v-btn>
                                   <v-btn text small color="red" @click="deleteAssociation('comments', comment)" icon><v-icon style="font-size: 14px !important;">fa-trash</v-icon></v-btn>
                                 </div>
                               </div>
@@ -1424,7 +1429,8 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </div>
                           </v-container>
                           <v-container fluid class="pt-2 pb-0">
-                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)"
+                              @keypress.space.prevent="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
                               <div id="`attachments-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
@@ -1445,7 +1451,8 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </div>
                           </v-container>
                           <v-container fluid class="py-1">
-                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])"
+                              @keypress.space.prevent="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
                               <div id="`attachments-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
                             </div>
@@ -1464,7 +1471,8 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </v-select>
                           </v-container>
                           <v-container fluid class="py-1">
-                            <div class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])"
+                              @keypress.space.prevent="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
                               <div id="`attachments-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`attachments-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
@@ -1618,7 +1626,8 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             </div>
                           </v-container>
                           <v-container fluid class="pt-2 pb-0">
-                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)"
+                              @keypress.space.prevent="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
                               <div id="`evidence-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
@@ -1639,14 +1648,16 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             </div>
                           </v-container>
                           <v-container fluid class="py-1">
-                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])"
+                              @keypress.space.prevent="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
                               <div id="`evidence-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
                             </div>
                             <v-checkbox :id="`evidence-${props.index}-ioc-input`" v-if="isEdit(`evidence-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
                           </v-container>
                           <v-container fluid class="py-1">
-                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])"
+                              @keypress.space.prevent="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
                               <div id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
                             </div>
@@ -1665,7 +1676,8 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             </v-select>
                           </v-container>
                           <v-container fluid class="py-1">
-                            <div class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
+                            <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])"
+                              @keypress.space.prevent="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
                               <div id="`evidence-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`evidence-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
@@ -2022,7 +2034,8 @@ <h3>{{ i18n.summary }}</h3>
                         <v-expansion-panel-content class="my-2">
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-assignee-input', caseObj.assigneeId, 'case-assignee', 'assigneeId', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseAssignee}}: </div>
                                   <div id='case-assignee' class="case detail-field" v-if="!isEdit('case-assignee')">{{ withDefault(caseObj.assignee, i18n.unassigned) }}</div>
                                   <v-select id='case-assignee-input' v-if="isEdit('case-assignee')"
@@ -2038,7 +2051,8 @@ <h3>{{ i18n.summary }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-status-input', caseObj.status, 'case-status', 'status', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.status}}: </div>
                                   <div id="case-status" class="case detail-field" v-if="!isEdit('case-status')">{{ withDefault(caseObj.status, i18n.unknown) }}</div>
                                   <v-select id="case-status-input" v-if="isEdit('case-status') && !isPresetCustomEnabled('status')"
@@ -2067,7 +2081,8 @@ <h3>{{ i18n.details }}</h3>
 
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-severity-input', caseObj.severity, 'case-severity', 'severity', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-severity-input', caseObj.severity, 'case-severity', 'severity', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-severity-input', caseObj.severity, 'case-severity', 'severity', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseSeverity}}: </div>
                                   <div id="case-severity" class="case detail-field" v-if="!isEdit('case-severity')">{{ withDefault(caseObj.severity, i18n.unknown) }}</div>
                                 </div>
@@ -2087,7 +2102,8 @@ <h3>{{ i18n.details }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-priority-input', caseObj.priority, 'case-priority', 'priority', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-priority-input', caseObj.priority, 'case-priority', 'priority', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-priority-input', caseObj.priority, 'case-priority', 'priority', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.casePriority}}: </div>
                                   <div id="case-priority" class="case detail-field" v-if="!isEdit('case-priority')">{{ caseObj.priority }}</div>
                                 </div>
@@ -2110,7 +2126,8 @@ <h3>{{ i18n.details }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
                                   <div id="case-tlp" class="case detail-field" v-if="!isEdit('case-tlp')">{{ withDefault(caseObj.tlp, i18n.unknown) }}</div>
                                 </div>
@@ -2131,7 +2148,8 @@ <h3>{{ i18n.details }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.casePap}}: </div>
                                   <div id="case-pap" class="case detail-field" v-if="!isEdit('case-pap')">{{ withDefault(caseObj.pap, i18n.unknown) }}</div>
                                 </div>
@@ -2151,7 +2169,8 @@ <h3>{{ i18n.details }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-category-input', caseObj.category, 'case-category', 'category', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-category-input', caseObj.category, 'case-category', 'category', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-category-input', caseObj.category, 'case-category', 'category', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseCategory}}: </div>
                                   <div id="case-category" class="case detail-field" v-if="!isEdit('case-category')">{{ withDefault(caseObj.category, i18n.unknown) }}</div>
                                 </div>
@@ -2171,7 +2190,8 @@ <h3>{{ i18n.details }}</h3>
                             </v-row>
                             <v-row>
                               <v-col cols="12">
-                                <div class="clicktoedit" @click="startEdit('case-tags-input', caseObj.tags, 'case-tags', 'tags', modifyCase)">
+                                <div tabindex="0" class="clicktoedit" @click="startEdit('case-tags-input', caseObj.tags, 'case-tags', 'tags', modifyCase)"
+                                  @keypress.space.prevent="startEdit('case-tags-input', caseObj.tags, 'case-tags', 'tags', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseTags}}: </div>
                                   <div id="case-tags" class="case detail-field mt-1" v-if="!isEdit('case-tags')">
                                     <v-chip class="mx-1" v-for="tag in caseObj.tags" color="primary">{{ tag }}</v-chip>

From 9df4a4b93cc5a381d717d0d69f73684dc6923494 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 3 Jan 2022 13:43:17 -0500
Subject: [PATCH 59/98] Add ability to create new case without escalation; fix
 issue with clicking to edit second field before saving first field

---
 config/clientparameters.go  |  1 +
 html/index.html             | 14 +++++++++++---
 html/js/i18n.js             |  3 +++
 html/js/routes/case.js      | 30 ++++++++++++++++++++++++++----
 html/js/routes/case.test.js | 28 +++++++++++++++++++++++++---
 html/js/routes/hunt.js      |  2 ++
 6 files changed, 68 insertions(+), 10 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 0493faf5..93300e8f 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -105,6 +105,7 @@ type HuntingParameters struct {
 	EscalateEnabled              bool                `json:"escalateEnabled"`
 	EscalateRelatedEventsEnabled bool                `json:"escalateRelatedEventsEnabled"`
 	ViewEnabled                  bool                `json:"viewEnabled"`
+	CreateLink                   string              `json:"createLink"`
 }
 
 func (params *HuntingParameters) Verify() error {
diff --git a/html/index.html b/html/index.html
index 02a63378..a86856b6 100644
--- a/html/index.html
+++ b/html/index.html
@@ -300,9 +300,17 @@ <h2 v-text="i18n[category]"></h2>
           <v-spacer></v-spacer>
           <v-col cols="2" align="end">
             <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
-            <p>
-            <h5>
-            </h5>
+          </v-col>
+        </v-row>
+        <v-row align="start" v-if="createLink != ''">
+          <v-col cols="12">
+            <v-toolbar class="elevation-0" fixed>
+              <router-link :to="createLink" style="text-decoration: none; cursor: 'pointer'">
+                <v-btn color="primary" id="add-case-button">
+                  <v-icon :title="i18n.create">fa-plus</v-icon>
+                </v-btn>
+              </router-link>
+            </v-toolbar>
           </v-col>
         </v-row>
         <v-row align="start">
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 5f69b435..878d5d92 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -110,6 +110,9 @@ const i18n = {
       copyFieldValueToClipboard: 'Copy as field:value',
       copyToClipboard: 'Copy to clipboard',
       create: 'Create',
+      caseCreateFailed: 'Unable to create new case - request a system administrator review SOC logs',
+      caseDefaultTitle: 'Case title not yet provided - click here to update this title',
+      caseDefaultDescription: 'Case description not yet provided - click here to update this description',
       custom: 'Custom',
       darkMode: 'Dark Mode',
       dataset: 'Dataset',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 584bd5aa..483a0b0e 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -151,7 +151,11 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   },
   async mounted() {
     this.$root.loadParameters('case', this.initCase);
-    await this.loadData();
+    if (this.$route.params.id == 'create') {
+      await this.createCase();
+    } else {
+      await this.loadData();
+    }
   },
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
@@ -309,6 +313,24 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.saveLocalSettings();
       }
     },
+    async createCase() {
+      this.$root.startLoading();
+      try {
+        const response = await this.$root.papi.post('case/', {
+          title: this.i18n.caseDefaultTitle,
+          description: this.i18n.caseDefaultDescription,
+        });
+        if (response && response.data && response.data.id) {
+          this.$router.replace({ name: 'case', params: { id: response.data.id } });
+        } else {
+          this.$root.showError(i18n.createFailed);
+        }
+      }
+      catch (error) {
+        this.$root.showError(error);
+      }
+      this.$root.stopLoading();
+    },
     async loadData() {
       this.$root.startLoading();
 
@@ -360,7 +382,6 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         if (form) {
           const response = await this.$root.papi.put('case/', JSON.stringify(form));
           if (response.data) {
-            this.stopEdit();
             await this.updateCaseDetails(response.data);
             success = true;
           }
@@ -465,12 +486,13 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     isEdit(roId) {
       return this.editForm.roId == roId;
     },
-    startEdit(focusId, val, roId, field, callback, callbackArgs, isMultiline) {
+    async startEdit(focusId, val, roId, field, callback, callbackArgs, isMultiline) {
       if (this.editForm.focusId == focusId) {
         // We're already editing this field.
         return;
       }
-      if (this.stopEdit(true)) {
+      if (await this.stopEdit(true)) {
+        this.editForm = { valid: true };
         this.editForm.focusId = focusId;
         this.editForm.orig = val;
         this.editForm.val = val;
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 64ba0623..fcfc9c16 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -160,7 +160,7 @@ test('loadSingleAssociation', async () => {
   expect(comp.$root.loading).toBe(false);
 });
 
-test('loadSignleAssociationError', async () => {
+test('loadSingleAssociationError', async () => {
   const showErrorMock = mockShowError();
   resetPapi().mockPapi("get", null, new Error("something bad"));
   await comp.loadAssociation('comments');
@@ -173,6 +173,28 @@ expectCaseDetails = () => {
   expect(comp.caseObj.assignee).toBe(fakeAssigneeEmail);
 }
 
+test('createCase', async () => {
+  const params = { 
+    "description": comp.i18n.caseDefaultDescription,
+    "title": comp.i18n.caseDefaultTitle,
+  };
+
+  // API call #1 is to get the comment list
+  mockPapi("post", {'data':fakeCase});
+
+  comp.$route.params.id = 'myCaseId';
+  const showErrorMock = mockShowError(true);
+  comp.loadAssociations = jest.fn();
+  comp.$router.replace = jest.fn();
+
+  await comp.createCase();
+
+  expect(mock).toHaveBeenCalledWith('case/', params);
+  expect(showErrorMock).toHaveBeenCalledTimes(0);
+  expect(comp.$router.replace).toHaveBeenCalledWith({ name: 'case', params: { id: fakeCase.id }});
+  expect(comp.$root.loading).toBe(false);
+});
+
 test('loadData', async () => {
   const params = { params: {
           id: 'myCaseId'
@@ -438,10 +460,10 @@ test('isEdit_False', () => {
   expect(comp.isEdit('otherFakeId')).toBe(false);
 })
 
-test('startEdit', () => {
+test('startEdit', async () => {
   const fn = jest.fn();
 
-  comp.startEdit('myFid', 'myVal', 'myRoId', 'myField', fn, ['foo'], true);
+  await comp.startEdit('myFid', 'myVal', 'myRoId', 'myField', fn, ['foo'], true);
 
   const expectedObj = { 
     callback: fn,
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 7249bc83..e509864c 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -48,6 +48,7 @@ const huntComponent = {
     ackEnabled: false,
     escalateEnabled: false,
     viewEnabled: false,
+    createLink: '',
     collapsedSections: [],
 
     filterToggles: [],
@@ -200,6 +201,7 @@ const huntComponent = {
       this.escalateEnabled = params["escalateEnabled"];
       this.escalateRelatedEventsEnabled = params["escalateRelatedEventsEnabled"];
       this.viewEnabled = params["viewEnabled"];
+      this.createLink = params["createLink"];
       if (this.queries != null && this.queries.length > 0) {
         this.query = this.queries[0].query;
       }

From 3b12620f204f4c74be335f639672360dafaa8148 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Mon, 3 Jan 2022 15:52:55 -0500
Subject: [PATCH 60/98] Add ids for attachment and evidence fields

---
 html/index.html | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/html/index.html b/html/index.html
index a86856b6..fa80d7d8 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1551,16 +1551,16 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                           </div>
                           <v-form ref="attachments" v-model="associatedForms['attachments'].valid">
-                            <v-file-input show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
-                            <v-textarea rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-file-input id="attachments-file" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-textarea id="attachments-description" rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-select id="attachments-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox id="attachments-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select id="attachments-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
                             </v-select>
-                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-combobox id="attachments-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
@@ -1756,20 +1756,20 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           </div>
                           <v-form ref="evidence" v-model="associatedForms['evidence'].valid">
-                            <v-select v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-combobox v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-file-input v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
-                            <v-textarea v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
-                            <v-textarea rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
-                            <v-checkbox v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-combobox v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-select v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-select id="evidence-type" v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-combobox id="evidence-type" v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-file-input id="evidence-value" v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
+                            <v-textarea id="evidence-value" v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
+                            <v-textarea id="evidence-description" rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-checkbox id="evidence-ioc" v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
+                            <v-select id="evidence-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox id="evidence-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select id="evidence-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
                             </v-select>
-                            <v-combobox v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-combobox id="evidence-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>

From ba4dd1b810d67c2284fd9942e2c3fe1bac8f0d9c Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 4 Jan 2022 10:18:46 -0500
Subject: [PATCH 61/98] Add more ids

---
 html/index.html | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/html/index.html b/html/index.html
index fa80d7d8..90f135fe 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1572,11 +1572,11 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                       </div>
                       <div class="d-flex align-center align-self-end text-body-2 mt-2">
                       <div class="d-inline-flex justify-end">
-                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('attachments')">
-                        {{ i18n.cancel }}
+                        <v-btn id="attachment-cancel" text small color="primary" class="align-self-end" @click="resetForm('attachments')">
+                          {{ i18n.cancel }}
                         </v-btn>
-                        <v-btn :disabled="!associatedForms['attachments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('attachments', {'groupType': 'attachments', 'artifactType':'file'})">
-                        {{ i18n.add }}
+                        <v-btn id="attachment-add" :disabled="!associatedForms['attachments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('attachments', {'groupType': 'attachments', 'artifactType':'file'})">
+                          {{ i18n.add }}
                         </v-btn>
                       </div>
                       </div>
@@ -1781,11 +1781,11 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                       </div>
                       <div class="d-flex align-center align-self-end text-body-2 mt-2">
                       <div class="d-inline-flex justify-end">
-                        <v-btn text small color="primary" class="align-self-end" @click="resetForm('evidence')">
-                        {{ i18n.cancel }}
+                        <v-btn id="evidence-cancel" text small color="primary" class="align-self-end" @click="resetForm('evidence')">
+                          {{ i18n.cancel }}
                         </v-btn>
-                        <v-btn :disabled="!associatedForms['evidence'].valid" text small color="primary" class="align-self-end" @click="addAssociation('evidence', {'groupType': 'evidence'})">
-                        {{ i18n.add }}
+                        <v-btn id="evidence-add" :disabled="!associatedForms['evidence'].valid" text small color="primary" class="align-self-end" @click="addAssociation('evidence', {'groupType': 'evidence'})">
+                          {{ i18n.add }}
                         </v-btn>
                       </div>
                       </div>

From a7f8d3bf8076fb5b9ad3aff483ceeef4ca5b0f0e Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Tue, 4 Jan 2022 11:34:13 -0500
Subject: [PATCH 62/98] Fix string interpolation

---
 html/index.html | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/html/index.html b/html/index.html
index 90f135fe..30391c75 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1416,21 +1416,21 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </a>
                             <div class="mt-4">
                               <div class="font-weight-bold">{{i18n.sha256}}: </div>
-                              <div id="`attachments-${props.index}-sha256`" class="case">
+                              <div :id="`attachments-${props.index}-sha256`" class="case">
                                 {{ withDefault(props.item.sha256, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha256)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
                             </div>
                             <div class="mt-2">
                               <div class="font-weight-bold">{{i18n.sha1}}: </div>
-                              <div id="`attachments-${props.index}-sha1`" class="case">
+                              <div :id="`attachments-${props.index}-sha1`" class="case">
                                 {{ withDefault(props.item.sha1, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha1)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
                             </div>
                             <div class="mt-2">
                               <div class="font-weight-bold">{{i18n.md5}}: </div>
-                              <div id="`attachments-${props.index}-md5`" class="case">
+                              <div :id="`attachments-${props.index}-md5`" class="case">
                                 {{ withDefault(props.item.md5, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.md5)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
@@ -1440,7 +1440,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)"
                               @keypress.space.prevent="startEdit(`attachments-${props.index}-description-input`, props.item.description, `attachments-${props.index}-description`, 'description', modifyAssociation, ['attachments', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`attachments-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                              <div :id="`attachments-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`attachments-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
@@ -1482,7 +1482,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])"
                               @keypress.space.prevent="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                              <div id="`attachments-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`attachments-${props.index}-tags`)">
+                              <div :id="`attachments-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`attachments-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
                               </div>
                             </div>
@@ -1613,21 +1613,21 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             </a>
                             <div class="mt-4">
                               <div class="font-weight-bold">{{i18n.sha256}}: </div>
-                              <div id="`attachments-${props.index}-sha256`" class="case">
+                              <div :id="`evidence-${props.index}-sha256`" class="case">
                                 {{ withDefault(props.item.sha256, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha256)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
                             </div>
                             <div class="mt-2">
                               <div class="font-weight-bold">{{i18n.sha1}}: </div>
-                              <div id="`attachments-${props.index}-sha1`" class="case">
+                              <div :id="`evidence-${props.index}-sha1`" class="case">
                                 {{ withDefault(props.item.sha1, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.sha1)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
                             </div>
                             <div class="mt-2">
                               <div class="font-weight-bold">{{i18n.md5}}: </div>
-                              <div id="`attachments-${props.index}-md5`" class="case">
+                              <div :id="`evidence-${props.index}-md5`" class="case">
                                 {{ withDefault(props.item.md5, i18n.unknown) }}
                                 <v-icon class="ml-1" @click="$root.copyToClipboard(props.item.md5)" :title="i18n.copyToClipboard">fa-copy</v-icon>
                               </div>
@@ -1637,7 +1637,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
                               <div class="font-weight-bold">{{i18n.artifactDescription}}: </div>
-                              <div id="`evidence-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
+                              <div :id="`evidence-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`evidence-${props.index}-description`)">
                               <v-form v-model="editForm.valid">
@@ -1659,7 +1659,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
-                              <div id="`evidence-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
+                              <div :id="`evidence-${props.index}-ioc`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-ioc`)">{{ props.item.ioc ? i18n.yes : i18n.no }}</div>
                             </div>
                             <v-checkbox :id="`evidence-${props.index}-ioc-input`" v-if="isEdit(`evidence-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
                           </v-container>
@@ -1667,7 +1667,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
-                              <div id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
+                              <div :id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
                             </div>
                             <v-select :id="`evidence-${props.index}-tlp-input`" v-if="isEdit(`evidence-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
                               dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
@@ -1687,7 +1687,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
-                              <div id="`evidence-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`evidence-${props.index}-tags`)">
+                              <div :id="`evidence-${props.index}-tags`" class="case detail-field mt-1" v-if="!isEdit(`evidence-${props.index}-tags`)">
                                 <v-chip class="mx-1" v-for="tag in props.item.tags" color="primary">{{ tag }}</v-chip>
                               </div>
                             </div>

From 26e9ad01c4532591ffb2299f002eeb3468256ee4 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 5 Jan 2022 08:18:09 -0500
Subject: [PATCH 63/98] Wrap event ID in quotes for hunt link; Change escalated
 description to a static localized string unless event has a message field (or
 using legacy case mgmt); Replace message column in Events table with
 event.module; Remove comma from Case Tags field help to avoid confusion

---
 html/index.html             | 13 ++++++++-----
 html/js/i18n.js             | 11 +++++++----
 html/js/routes/case.js      | 14 +++++++++++++-
 html/js/routes/case.test.js | 11 +++++++++++
 html/js/routes/hunt.js      |  8 +++++++-
 html/js/routes/hunt.test.js |  5 +++++
 6 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/html/index.html b/html/index.html
index 30391c75..b792fca8 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1801,23 +1801,26 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                     <template v-slot:item="props">
                       <tr @click="expandRow('events', props.item)" class="expandable">
                         <td>
-                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.fields['soc_id']}`}}" :title="i18n.huntForEvent"><v-icon>fa-crosshairs</v-icon></router-link>
+                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item)}}" :title="i18n.huntForEvent" v-if="props.item.fields['soc_id']"><v-icon>fa-crosshairs</v-icon></router-link>
                         </td>
                         <td>{{ props.item.fields.timestamp | formatTimestamp }}</td>
                         <td class="case">
-                          <div class="rounded">{{ props.item.fields['event.category'] }}</div>
+                          <div class="rounded">{{ getEventId(props.item) }}</div>
                         </td>
                         <td class="case">
-                          <div class="rounded">{{ props.item.fields['event.dataset'] }}</div>
+                          <div class="rounded">{{ props.item.fields['event.category'] }}</div>
                         </td>
                         <td class="case">
-                          <div class="rounded">{{ props.item.fields.message }}</div>
+                          <div class="rounded">{{ props.item.fields['event.module'] }}</div>
                         </td>                        
+                        <td class="case">
+                          <div class="rounded">{{ props.item.fields['event.dataset'] }}</div>
+                        </td>
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
                       <tr>
-                        <td :colspan="5" class="case">
+                        <td :colspan="6" class="case">
                           <div class="mt-2">
                             <div v-for="value, key in props.item.fields">
                               <span class="case label">{{ key }}:</span>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 878d5d92..e5b062c4 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -71,6 +71,11 @@ const i18n = {
       caseAssigneeHelp: 'Designate the assignee for this case',
       caseCategory: 'Category',
       caseCategoryHelp: 'Category used for organizing and grouping similar cases',
+      caseCreateFailed: 'Unable to create new case - request a system administrator review SOC logs',
+      caseDefaultTitle: 'Case title not yet provided - click here to update this title',
+      caseDefaultDescription: 'Case description not yet provided - click here to update this description',
+      caseEscalatedDescription: 'Review escalated event details in the Events tab below. Click here to update this description.',
+      caseEventIdAggregation: '(aggregation)',
       caseDescription: 'Description',
       caseDescriptionHelp: 'Detailed description of the case',
       caseId: 'Case Id',
@@ -83,7 +88,7 @@ const i18n = {
       caseStatus: 'Status',
       caseStatusHelp: 'Indicates the state of the case',
       caseTags: 'Tags',
-      caseTagsHelp: 'Annotate with multiple, optional tags',
+      caseTagsHelp: 'Annotate with multiple optional tags',
       caseTitle: 'Title',
       caseTitleHelp: 'Brief summary of the case',
       caseTlp: 'TLP',
@@ -110,9 +115,6 @@ const i18n = {
       copyFieldValueToClipboard: 'Copy as field:value',
       copyToClipboard: 'Copy to clipboard',
       create: 'Create',
-      caseCreateFailed: 'Unable to create new case - request a system administrator review SOC logs',
-      caseDefaultTitle: 'Case title not yet provided - click here to update this title',
-      caseDefaultDescription: 'Case description not yet provided - click here to update this description',
       custom: 'Custom',
       darkMode: 'Dark Mode',
       dataset: 'Dataset',
@@ -283,6 +285,7 @@ const i18n = {
       message: 'Message',
       minutes: 'minutes',
       model: 'Model',
+      module: 'Module',
       months: 'months',
       mruQuery: 'Recently Used',
       mruQueryHelp: 'This query is a user-defined query and is only available on this browser.',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 483a0b0e..b22f16c5 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -79,9 +79,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         headers: [
           { text: this.$root.i18n.actions },
           { text: this.$root.i18n.timestamp, value: 'fields.timestamp' },
+          { text: this.$root.i18n.id, value: 'fields["soc_id"]' },
           { text: this.$root.i18n.category, value: 'fields["event.category"]' },
+          { text: this.$root.i18n.module, value: 'fields["event.module"]' },
           { text: this.$root.i18n.dataset, value: 'fields["event.dataset"]' },
-          { text: this.$root.i18n.message, value: 'fields.message' },
         ],
         itemsPerPage: 10,
         footerProps: { 'items-per-page-options': [10,50,250,1000] },
@@ -565,6 +566,17 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.loadAssociations();
     },
 
+    buildHuntQuery(event) {
+      return '_id: "' + event.fields["soc_id"] + '"';
+    },
+    getEventId(event) {
+      var id = event.fields['soc_id'];
+      if (!id) {
+        id = this.i18n.caseEventIdAggregation;
+      }
+      return id;
+    },
+
     saveLocalSettings() {
       localStorage['settings.case.mruCases'] = JSON.stringify(this.mruCases);
     },
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index fcfc9c16..34e0fd48 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -611,4 +611,15 @@ test('mapAssociatedPath', () => {
   expect(comp.mapAssociatedPath('evidence', true)).toBe('artifacts/evidence');
   expect(comp.mapAssociatedPath('attachments')).toBe('artifacts');
   expect(comp.mapAssociatedPath('attachments', true)).toBe('artifacts/attachments');
+});
+
+test('buildHuntQuery', () => {
+  const fakeEvent = { fields: { soc_id: 'xyz' }};
+  expect(comp.buildHuntQuery(fakeEvent)).toBe('_id: "xyz"');
+});
+
+test('getEventId', () => {
+  const fakeEvent = { fields: { soc_id: 'xyz' }};
+  expect(comp.getEventId(fakeEvent)).toBe('xyz');
+  expect(comp.getEventId({ fields: {}})).toBe(comp.i18n.caseEventIdAggregation);
 });
\ No newline at end of file
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index e509864c..46d3a47c 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -435,7 +435,13 @@ const huntComponent = {
       }
 
       var description = item['message'];
-      if (!description) description = JSON.stringify(item);
+      if (!description) {
+        if (!this.escalateRelatedEventsEnabled) {
+          description = JSON.stringify(item);
+        } else {
+          description = this.i18n.caseEscalatedDescription;
+        }
+      }
 
       var severity = 'event.severity' in item && item['event.severity'] ? '' + item['event.severity'] : '';
       var template = 'rule.case_template' in item && item['rule.case_template'] ? '' + item['rule.case_template'] : '';
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 8d111ad8..a0deb66b 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -245,9 +245,14 @@ test('buildCase', () => {
       'Event Escalation from SOC: myModule - myDataset', 'myMessage', 'mySeverity', 'myTemplate');
 
   // missing message
+  comp.escalateRelatedEventsEnabled = false;
   validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', '',
       'myTitle', '{\"rule.name\":\"myTitle\",\"rule.case_template\":\"myTemplate\",\"event.module\":\"myModule\",\"event.dataset\":\"myDataset\",\"event.severity\":\"mySeverity\",\"message\":\"\"}', 'mySeverity', 'myTemplate');
 
+  comp.escalateRelatedEventsEnabled = true;
+  validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', '',
+      'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
+
   // missing severity
   validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', '', 'myMessage',
       'myTitle', 'myMessage', '', 'myTemplate');

From d917eb7ac9874db65cd07975a03525d5cd93df2b Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Wed, 5 Jan 2022 16:43:26 -0500
Subject: [PATCH 64/98] Revert white space for markdown

---
 html/css/app.css | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/css/app.css b/html/css/app.css
index d68adca1..24ea97de 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -248,11 +248,12 @@ td {
 
 .case-table table {
   width: 100% !important;
-  table-layout:fixed;
+  table-layout: fixed;
 }
 
 .markdown-body {
   overflow: auto;
+  white-space: revert !important;
   position: relative;
 }
 

From 6c852d53dbe9ab5747373cb6e0888addea2f371b Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 5 Jan 2022 08:27:08 -0500
Subject: [PATCH 65/98] Update SOC page title to reflect current case or job

---
 html/js/routes/case.js | 4 ++++
 html/js/routes/job.js  | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index b22f16c5..f1058afc 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -158,6 +158,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       await this.loadData();
     }
   },
+  beforeDestroy() {
+    this.$root.setSubtitle("");
+  },  
   destroyed() {
     this.$root.unsubscribe("case", this.updateCase);
   },
@@ -356,6 +359,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       await this.$root.populateUserDetails(caseObj, "userId", "owner", this.i18n.unknown);
       await this.$root.populateUserDetails(caseObj, "assigneeId", "assignee", this.i18n.unassigned);
       this.addMRUCaseObj(caseObj);
+      this.$root.setSubtitle(this.i18n.case + " - " + caseObj.title); 
       this.caseObj = caseObj;
     },
 
diff --git a/html/js/routes/job.js b/html/js/routes/job.js
index 688714da..8b7c7b5a 100644
--- a/html/js/routes/job.js
+++ b/html/js/routes/job.js
@@ -52,6 +52,9 @@ routes.push({ path: '/job/:jobId', name: 'job', component: {
     this.loadData();
     this.$root.loadParameters('job', this.initActions);
   },
+  beforeDestroy() {
+    this.$root.setSubtitle("");
+  },  
   destroyed() {
     this.$root.unsubscribe("job", this.updateJob);
   },
@@ -231,6 +234,7 @@ routes.push({ path: '/job/:jobId', name: 'job', component: {
         }});
         this.job = response.data;
         this.$root.populateUserDetails(this.job, "userId", "owner");
+        this.$root.setSubtitle(this.i18n.jobs + " - " + this.job.id); 
         this.loadPackets(this.isOptionEnabled('unwrap'));
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {

From e54d05c73ba681c49245d1f034b401ebe39fa85b Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 5 Jan 2022 14:09:10 -0500
Subject: [PATCH 66/98] Ensure case severities are converted before the case is
 created; Keep new artifact forms collapsed until the user clicks the +
 button; ensure long field names show up as tooltips to help readability when
 truncation/overlap occurs

---
 config/clientparameters.go                    |  1 +
 html/index.html                               | 76 ++++++++++++-------
 html/js/routes/case.js                        |  8 ++
 html/js/routes/case.test.js                   |  4 +-
 html/js/routes/hunt.js                        | 28 ++++---
 server/modules/elastic/elasticcasestore.go    |  1 +
 .../modules/elastic/elasticcasestore_test.go  |  5 +-
 7 files changed, 79 insertions(+), 44 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 93300e8f..eebc73f3 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -76,6 +76,7 @@ type HuntingAction struct {
 	Method                string                 `json:"method"`
 	Body                  string                 `json:"body"`
 	Options               map[string]interface{} `json:"options"`
+	Categories            []string               `json:"categories"`
 }
 
 type ToggleFilter struct {
diff --git a/html/index.html b/html/index.html
index b792fca8..d5dd2049 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1536,7 +1536,16 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   <div class="text-xs-center pt-2 d-none">
                       <v-btn v-text="i18n.loadMore" @click="loadAssociation('attachments')"></v-btn>
                   </div>
-                  <v-row>
+                  <v-row v-if="!isAdding('attachments')">
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn color="primary" @click.stop="enableAdding('attachments')" id="add-attachment-button">
+                          <v-icon>fa-plus</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>                    
+                  <v-row v-if="isAdding('attachments')">
                     <v-col>
                       <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                       <div class="d-flex flex-column align-start">
@@ -1741,7 +1750,16 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                   <div class="text-xs-center pt-2 d-none">
                       <v-btn v-text="i18n.loadMore" @click="loadAssociation('evidence')"></v-btn>
                   </div>
-                  <v-row>
+                  <v-row v-if="!isAdding('evidence')">
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn color="primary" @click.stop="enableAdding('evidence')" id="add-evidence-button">
+                          <v-icon>fa-plus</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>                    
+                  <v-row v-if="isAdding('evidence')">
                     <v-col>
                       <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                       <div class="d-flex flex-column align-start">
@@ -1803,7 +1821,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                         <td>
                           <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item)}}" :title="i18n.huntForEvent" v-if="props.item.fields['soc_id']"><v-icon>fa-crosshairs</v-icon></router-link>
                         </td>
-                        <td>{{ props.item.fields.timestamp | formatTimestamp }}</td>
+                        <td>{{ props.item.fields["@timestamp"] | formatTimestamp }}</td>
                         <td class="case">
                           <div class="rounded">{{ getEventId(props.item) }}</div>
                         </td>
@@ -1823,7 +1841,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                         <td :colspan="6" class="case">
                           <div class="mt-2">
                             <div v-for="value, key in props.item.fields">
-                              <span class="case label">{{ key }}:</span>
+                              <span class="case label" :title="key">{{ key }}:</span>
                               <span class="case value">{{ value }}</span>
                             </div>
                           </div>
@@ -1890,52 +1908,52 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                       <tr>
                         <td :colspan="4" class="case">
                           <div class="mt-2">
-                            <span class="case label">{{ i18n.kind }}:</span>
+                            <span class="case label" :title="i18n.kind">{{ i18n.kind }}:</span>
                             <span class="case value">{{ props.item.kindLocalized }}</span>
                           </div>
                           <div>
-                            <span class="case label">{{ i18n.operation }}:</span>
+                            <span class="case label" :title="i18n.operation">{{ i18n.operation }}:</span>
                             <span class="case value">{{ props.item.operationLocalized }}</span>
                           </div>
                           <div>
-                            <span class="case label">{{ i18n.dateCreated }}:</span>
+                            <span class="case label" :title="i18n.dateCreated">{{ i18n.dateCreated }}:</span>
                             <span class="case value">{{ props.item.createTime | formatDateTime }}</span>
                           </div>
                           <div>
-                            <span class="case label">{{ i18n.dateModified }}:</span>
+                            <span class="case label" :title="i18n.dateModified">{{ i18n.dateModified }}:</span>
                             <span class="case value">{{ props.item.updateTime | formatDateTime }}</span>
                           </div>
                           <div v-if="props.item.kind == 'case'">
                             <div>
-                              <span class="case label">{{ i18n.caseTitle}}:</span>
+                              <span class="case label" :title="i18n.caseTitle">{{ i18n.caseTitle}}:</span>
                               <span class="case value">{{ props.item.title }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseDescription }}:</span>
+                              <span class="case label" :title="i18n.caseDescription">{{ i18n.caseDescription }}:</span>
                               <span class="case value">{{ props.item.description }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseStatus }}:</span>
+                              <span class="case label" :title="i18n.caseStatus">{{ i18n.caseStatus }}:</span>
                               <span class="case value">{{ props.item.status }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseSeverity }}:</span>
+                              <span class="case label" :title="i18n.caseSeverity">{{ i18n.caseSeverity }}:</span>
                               <span class="case value">{{ props.item.severity }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.casePriority }}:</span>
+                              <span class="case label" :title="i18n.casePriority">{{ i18n.casePriority }}:</span>
                               <span class="case value">{{ props.item.priority }}</span>
                             </div>
                           </div>
                           <div v-if="props.item.kind == 'comment'">
                             <div>
-                              <span class="case label">{{ i18n.commentDescription }}:</span>
+                              <span class="case label" :title="i18n.commentDescription">{{ i18n.commentDescription }}:</span>
                               <span class="case value">{{ props.item.description }}</span>
                             </div>
                           </div>
                           <div v-if="props.item.kind == 'related'">
                             <div>
-                              <span class="case label">{{ i18n.relatedEventId }}:</span>
+                              <span class="case label" :title="i18n.relatedEventId">{{ i18n.relatedEventId }}:</span>
                               <span class="case value">
                                 <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.fields.soc_id}`}}">
                                   {{ props.item.fields.soc_id }}
@@ -1945,61 +1963,61 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           </div>
                           <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'attachments'">
                             <div>
-                              <span class="case label">{{ i18n.artifactGroupType }}:</span>
+                              <span class="case label" :title="i18n.artifactGroupType">{{ i18n.artifactGroupType }}:</span>
                               <span class="case value">{{ props.item.groupType }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.artifactGroupId }}:</span>
+                              <span class="case label" :title="i18n.artifactGroupId">{{ i18n.artifactGroupId }}:</span>
                               <span class="case value">{{ props.item.groupId }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.filename }}:</span>
+                              <span class="case label" :title="i18n.filename">{{ i18n.filename }}:</span>
                               <span class="case value">{{ props.item.value }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.description }}:</span>
+                              <span class="case label" :title="i18n.description">{{ i18n.description }}:</span>
                               <span class="case value">{{ props.item.description }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseTlp }}:</span>
+                              <span class="case label" :title="i18n.caseTlp">{{ i18n.caseTlp }}:</span>
                               <span class="case value">{{ props.item.tlp }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseTags }}:</span>
+                              <span class="case label" :title="i18n.caseTags">{{ i18n.caseTags }}:</span>
                               <span class="case value">{{ props.item.tags }}</span>
                             </div>
                           </div>
                           <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">
                             <div>
-                              <span class="case label">{{ i18n.artifactGroupType }}:</span>
+                              <span class="case label" :title="i18n.artifactGroupType">{{ i18n.artifactGroupType }}:</span>
                               <span class="case value">{{ props.item.groupType }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.artifactGroupId }}:</span>
+                              <span class="case label" :title="i18n.artifactGroupId">{{ i18n.artifactGroupId }}:</span>
                               <span class="case value">{{ props.item.groupId }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.artifactType }}:</span>
+                              <span class="case label" :title="i18n.artifactType">{{ i18n.artifactType }}:</span>
                               <span class="case value">{{ props.item.artifactType }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.value }}:</span>
+                              <span class="case label" :title="i18n.value">{{ i18n.value }}:</span>
                               <span class="case value">{{ props.item.value }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.description }}:</span>
+                              <span class="case label" :title="i18n.description">{{ i18n.description }}:</span>
                               <span class="case value">{{ props.item.description }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseTlp }}:</span>
+                              <span class="case label" :title="i18n.caseTlp">{{ i18n.caseTlp }}:</span>
                               <span class="case value">{{ props.item.tlp }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.artifactIoc }}:</span>
+                              <span class="case label" :title="i18n.artifactIoc">{{ i18n.artifactIoc }}:</span>
                               <span class="case value">{{ props.item.ioc }}</span>
                             </div>
                             <div>
-                              <span class="case label">{{ i18n.caseTags }}:</span>
+                              <span class="case label" :title="i18n.caseTags">{{ i18n.caseTags }}:</span>
                               <span class="case value">{{ props.item.tags }}</span>
                             </div>
                           </div>
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index f1058afc..ceb4ac1e 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -145,6 +145,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     attachment: null,
     maxUploadSizeBytes: 26214400,
+    addingAssociation: null,
   }},
   computed: {
   },
@@ -553,6 +554,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           form.artifactType = this.getDefaultPreset('artifactType');
           break;
       }
+      this.addingAssociation = null;
       Vue.set(this.associatedForms, ref, form)
     },
     isEdited(association) {
@@ -560,6 +562,12 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       const updateTime = Date.parse(association.updateTime);
       return Math.abs(updateTime - createTime) >= 1000;
     },
+    enableAdding(association) {
+      this.addingAssociation = association;
+    },
+    isAdding(association) {
+      return this.addingAssociation == association;
+    },
      
     updateCase(caseObj) {
       // No-op until we can detect if the user has made any changes to the form. We don't
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 34e0fd48..14e07ec7 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -183,7 +183,7 @@ test('createCase', async () => {
   mockPapi("post", {'data':fakeCase});
 
   comp.$route.params.id = 'myCaseId';
-  const showErrorMock = mockShowError(true);
+  const showErrorMock = mockShowError();
   comp.loadAssociations = jest.fn();
   comp.$router.replace = jest.fn();
 
@@ -253,7 +253,7 @@ test('modifyCase', async () => {
   comp.caseObj.assigneeId = 'myAssigneeId';
   comp.editForm.val = "myNewDescription";
   comp.editForm.field = "description"
-  const showErrorMock = mockShowError(true);
+  const showErrorMock = mockShowError();
 
   expect(comp.mruCases.length).toBe(0);
 
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 46d3a47c..099cf29e 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -721,7 +721,13 @@ const huntComponent = {
         this.groupByRoute = this.buildGroupByRoute(field);
         var route = this;
         this.actions.forEach(function(action, index) {
-          if (action.fields) {
+          action.enabled = true;
+
+          if (action.categories && action.categories.indexOf(this.category) == -1) {
+            action.enabled = false;
+          }
+
+          if (action.enabled && action.fields) {
             action.enabled = false;
             for (var x = 0; x < action.fields.length; x++) {
               if (action.fields[x] == field) {
@@ -731,16 +737,16 @@ const huntComponent = {
             }
           }
 
-          var link = route.$root.findEligibleActionLinkForEvent(action, event);
-          if (link) {
-            action.enabled = true;
-            action.linkFormatted = route.$root.formatActionContent(link, event, field, value, true);
-            action.bodyFormatted = route.$root.formatActionContent(action.body, event, field, value, action.encodeBody);
-            action.backgroundSuccessLinkFormatted = route.$root.formatActionContent(action.backgroundSuccessLink, event, field, value, true);
-            action.backgroundFailureLinkFormatted = route.$root.formatActionContent(action.backgroundFailureLink, event, field, value, true);
-            
-          } else {
-            action.enabled = false;
+          if (action.enabled) {
+            var link = route.$root.findEligibleActionLinkForEvent(action, event);
+            if (link) {
+              action.linkFormatted = route.$root.formatActionContent(link, event, field, value, true);
+              action.bodyFormatted = route.$root.formatActionContent(action.body, event, field, value, action.encodeBody);
+              action.backgroundSuccessLinkFormatted = route.$root.formatActionContent(action.backgroundSuccessLink, event, field, value, true);
+              action.backgroundFailureLinkFormatted = route.$root.formatActionContent(action.backgroundFailureLink, event, field, value, true);
+            } else {
+              action.enabled = false;
+            }
           }
         });
         this.quickActionEvent = event;
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 06858c96..30b91d9d 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -104,6 +104,7 @@ func (store *ElasticCasestore) validateCase(socCase *model.Case) error {
     err = errors.New("Invalid priority")
   }
   if err == nil {
+    socCase.Severity = convertSeverity(socCase.Severity)
     err = store.validateString(socCase.Severity, SHORT_STRING_MAX, "severity")
   }
   if err == nil && len(socCase.Kind) > 0 {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 503cc025..962d39ec 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -167,7 +167,7 @@ func TestValidateCaseInvalid(tester *testing.T) {
 		socCase.Severity += "this is my unreasonably long severity\n"
 	}
 	err = store.validateCase(socCase)
-	assert.EqualError(tester, err, "severity is too long (152/100)")
+	assert.EqualError(tester, err, "severity is too long (156/100)")
 	socCase.Severity = "medium"
 
 	for x := 1; x < 5; x++ {
@@ -243,7 +243,7 @@ func TestValidateCaseValid(tester *testing.T) {
 		socCase.Description += "this is my reasonably long description\n"
 	}
 	socCase.Priority = 123
-	socCase.Severity = "medium"
+	socCase.Severity = "2"
 	socCase.Tags = append(socCase.Tags, "tag1")
 	socCase.Tags = append(socCase.Tags, "tag2")
 	socCase.Tlp = "amber"
@@ -255,6 +255,7 @@ func TestValidateCaseValid(tester *testing.T) {
 	socCase.AssigneeId = "myAssigneeId"
 	err = store.validateCase(socCase)
 	assert.NoError(tester, err)
+	assert.Equal(tester, "medium", socCase.Severity)
 }
 
 func TestValidateRelatedEventInvalid(tester *testing.T) {

From fe71b2218fa66dcdd482a5a74e647ce970fe63ad Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 5 Jan 2022 18:03:51 -0500
Subject: [PATCH 67/98] Several styling and formatting adjustments for CM

---
 html/css/app.css            |  26 ++++
 html/index.html             | 286 +++++++++++++++++++++++-------------
 html/js/i18n.js             |   3 +-
 html/js/routes/case.js      |  20 ++-
 html/js/routes/case.test.js |   2 +-
 5 files changed, 230 insertions(+), 107 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 24ea97de..1b8beb9e 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -175,6 +175,25 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   font-size: 75%;
 }
 
+.case.blocked {
+  display: block;
+  width: auto !important;
+  min-width: auto !important;
+}
+
+.theme--light.v-application .case.tabular-row {
+  border-bottom: 1px dotted rgba(0,0,0,.05);
+}
+
+.theme--dark.v-application .case.tabular-row {
+  border-bottom: 1px dotted hsla(0,0%,100%,.05);
+}
+
+.case.tabular-label {
+  word-wrap: break-word;
+  font-weight: bold;
+}
+
 .case.label {
   display: inline-block;
   width: 15%;
@@ -182,10 +201,12 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   padding-right: 10px;
   text-align: right;
   font-weight: bold;
+  word-wrap: break-word;
 }
 
 .case.value {
   text-align: left;
+  word-wrap: break-word;
 }
 
 .case.raw {
@@ -207,6 +228,11 @@ a#title, a#title:visited, a#title:active, a#title:hover {
   color: var(--v-primary-lighten1) !important;
 }
 
+td.associated {
+  overflow-x: hidden;
+  text-overflow: ellipsis;
+}
+
 tr.expandable:hover {
   cursor: pointer;
 }
diff --git a/html/index.html b/html/index.html
index d5dd2049..19a79078 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1396,17 +1396,23 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                     :search="associatedTable['attachments'].search" :footer-props="associatedTable['attachments'].footerProps" must-sort :headers="associatedTable['attachments'].headers"
                     :items="associations['attachments']" item-key="id" :loading="associatedTable['attachments'].loading" :expanded="associatedTable['attachments'].expanded" class="case-table">
                     <template v-slot:item="props">
-                      <tr @click="expandRow('attachments', props.item)" class="expandable">
-                        <td>{{ props.item.createTime | formatDateTime }}</td>
-                        <td>{{ props.item.updateTime | formatDateTime }}</td>
-                        <td class="case">
+                      <tr>
+                        <td class="associated actions">
+                          <v-btn :id="`attachments-${props.index}-expand`" icon small @click="expandRow('attachments', props.item)">
+                            <v-icon v-if="isExpanded('attachments', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded('attachments', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>                          
+                        <td class="associated">{{ props.item.createTime | formatDateTime }}</td>
+                        <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="associated">
                           <div class="rounded">{{ props.item.value }}</div>
                         </td>                  
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
                       <tr>
-                        <td :colspan="3" class="case">
+                        <td :colspan="4" class="case">
                           <v-container fluid class="py-1">
                             <a target="soc-download" :href="`/api/case/artifactstream?id=${props.item.id}`" class="no-underline">
                               <v-icon>fa-download</v-icon>
@@ -1599,20 +1605,26 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                     :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
                     :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table">
                     <template v-slot:item="props">
-                      <tr @click="expandRow('evidence', props.item)" class="expandable">
-                        <td>{{ props.item.createTime | formatDateTime }}</td>
-                        <td>{{ props.item.updateTime | formatDateTime }}</td>
-                        <td class="case">
+                      <tr>
+                        <td class="association actions">
+                          <v-btn :id="`evidence-${props.index}-expand`" icon small @click="expandRow('evidence', props.item)">
+                            <v-icon v-if="isExpanded('evidence', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded('evidence', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>                        
+                        <td class="associated">{{ props.item.createTime | formatDateTime }}</td>
+                        <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="associated case">
                           <div class="rounded">{{ props.item.artifactType }}</div>
                         </td>
-                        <td class="case">
+                        <td class="associated case">
                           <div class="rounded">{{ props.item.value }}</div>
                         </td>                  
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
                       <tr>
-                        <td :colspan="4" class="case">
+                        <td :colspan="5" class="case">
                           <v-container fluid class="my-2" v-if="props.item.artifactType == 'file'">
                             <a target="soc-download" :href="`/api/case/artifactstream?id=${props.item.id}`" class="no-underline">
                               <v-icon>fa-download</v-icon>
@@ -1642,6 +1654,12 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               </div>
                             </div>
                           </v-container>
+                          <v-container fluid class="pt-2 pb-0" v-if="props.item.artifactType != 'file'">
+                            <div>
+                              <div class="font-weight-bold">{{i18n.artifactValue}}: </div>
+                              <div :id="`evidence-${props.index}-value`" class="case detail-field" :inner-html.prop="props.item.value | formatMarkdown"></div>
+                            </div>
+                          </v-container>
                           <v-container fluid class="pt-2 pb-0">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-description-input`, props.item.description, `evidence-${props.index}-description`, 'description', modifyAssociation, ['evidence', props.item], true)">
@@ -1815,23 +1833,27 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['events'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="eventsTable" :sort-by.sync="associatedTable['events'].sortBy" :sort-desc.sync="associatedTable['events'].sortDesc" :items-per-page.sync="associatedTable['events'].itemsPerPage" 
                     :search="associatedTable['events'].search" :footer-props="associatedTable['events'].footerProps" must-sort :headers="associatedTable['events'].headers"
-                    :items="associations['events']" item-key="id" :loading="associatedTable['events'].loading" :expanded="associatedTable['events'].expanded">
+                    :items="associations['events']" item-key="id" :loading="associatedTable['events'].loading" :expanded="associatedTable['events'].expanded" class="case-table">
                     <template v-slot:item="props">
-                      <tr @click="expandRow('events', props.item)" class="expandable">
-                        <td>
+                      <tr>
+                        <td class="associated actions">
+                          <v-btn :id="`events-${props.index}-expand`" icon small @click="expandRow('events', props.item)">
+                            <v-icon v-if="isExpanded('events', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded('events', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
                           <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item)}}" :title="i18n.huntForEvent" v-if="props.item.fields['soc_id']"><v-icon>fa-crosshairs</v-icon></router-link>
                         </td>
-                        <td>{{ props.item.fields["@timestamp"] | formatTimestamp }}</td>
-                        <td class="case">
+                        <td class="associated">{{ props.item.fields["@timestamp"] | formatTimestamp }}</td>
+                        <td class="associated case">
                           <div class="rounded">{{ getEventId(props.item) }}</div>
                         </td>
-                        <td class="case">
+                        <td class="associated case">
                           <div class="rounded">{{ props.item.fields['event.category'] }}</div>
                         </td>
-                        <td class="case">
+                        <td class="associated case">
                           <div class="rounded">{{ props.item.fields['event.module'] }}</div>
                         </td>                        
-                        <td class="case">
+                        <td class="associated case">
                           <div class="rounded">{{ props.item.fields['event.dataset'] }}</div>
                         </td>
                       </tr>
@@ -1840,10 +1862,10 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                       <tr>
                         <td :colspan="6" class="case">
                           <div class="mt-2">
-                            <div v-for="value, key in props.item.fields">
-                              <span class="case label" :title="key">{{ key }}:</span>
-                              <span class="case value">{{ value }}</span>
-                            </div>
+                            <v-row no-gutters class="py-1 case tabular-row" v-for="value, key in props.item.fields">
+                              <v-col cols="4"><span class="case tabular-label">{{ key }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ value }}</span></v-col>
+                            </v-row>
                           </div>
 
                           <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
@@ -1879,146 +1901,212 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage" 
                     :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
-                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded">
+                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded" class="case-table">
                     <template v-slot:item="props">
-                      <tr @click="expandRow('history', props.item)" class="expandable">
-                        <td>
-                          <v-avatar color="primary" size="32">
+                      <tr>
+                        <td class="associated actions">
+                          <v-btn :id="`history-${props.index}-expand`" icon small @click="expandRow('history', props.item)">
+                            <v-icon v-if="isExpanded('history', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
+                            <v-icon v-if="!isExpanded('history', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
+                          </v-btn>
+                        </td>
+                        <td class="associated">
+                          <v-avatar color="primary" class="mr-1" size="32">
                             <div class="font-weight-bold" :title="props.item.owner">
                               {{ $root.getAvatar(props.item.owner) }}
                             </div>
                           </v-avatar>
+                          {{ props.item.owner }} 
                         </td>
-                        <td>{{ props.item.updateTime | formatDateTime }}</td>
-                        <td>
-                          <v-icon v-if="props.item.kind == 'case'">fa-briefcase</v-icon>
-                          <v-icon v-if="props.item.kind == 'comment'">fa-comments</v-icon>
-                          <v-icon v-if="props.item.kind == 'artifact' && props.item.groupType == 'attachments'">fa-paperclip</v-icon>
-                          <v-icon v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">fa-eye</v-icon>
-                          <v-icon v-if="props.item.kind == 'related'">fa-link</v-icon>
-                          <span class="rounded ml-2">{{ props.item.kindLocalized }}</span>
+                        <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
+                        <td class="associated">
+                          <v-icon v-if="props.item.kind == i18n.case">fa-briefcase</v-icon>
+                          <v-icon v-if="props.item.kind == i18n.comments">fa-comments</v-icon>
+                          <v-icon v-if="props.item.kind == i18n.attachments">fa-paperclip</v-icon>
+                          <v-icon v-if="props.item.kind == i18n.evidence">fa-eye</v-icon>
+                          <v-icon v-if="props.item.kind == i18n.events">fa-link</v-icon>
+                          <span class="rounded ml-2">{{ props.item.kind }}</span>
                         </td>
-                        <td>
-                          <span class="rounded mr-2">{{ props.item.operationLocalized }}</span>
+                        <td class="associated">
+                          <span class="rounded mr-2">{{ props.item.operation }}</span>
                           <v-icon v-if="props.item.operation == 'update'">fa-pencil-alt</v-icon>
                         </td>
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
                       <tr>
-                        <td :colspan="4" class="case">
+                        <td colspan="5" class="case">
                           <div class="mt-2">
-                            <span class="case label" :title="i18n.kind">{{ i18n.kind }}:</span>
-                            <span class="case value">{{ props.item.kindLocalized }}</span>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.id }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.id }}</span></v-col>
+                            </v-row>
                           </div>
                           <div>
-                            <span class="case label" :title="i18n.operation">{{ i18n.operation }}:</span>
-                            <span class="case value">{{ props.item.operationLocalized }}</span>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.kind }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.kind }}</span></v-col>
+                            </v-row>
+                          </div>
+                          <div>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.operation }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.operation }}</span></v-col>
+                            </v-row>
                           </div>
                           <div>
-                            <span class="case label" :title="i18n.dateCreated">{{ i18n.dateCreated }}:</span>
-                            <span class="case value">{{ props.item.createTime | formatDateTime }}</span>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateCreated }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.createTime | formatDateTime }}</span></v-col>
+                            </v-row>
                           </div>
                           <div>
-                            <span class="case label" :title="i18n.dateModified">{{ i18n.dateModified }}:</span>
-                            <span class="case value">{{ props.item.updateTime | formatDateTime }}</span>
+                            <v-row no-gutters class="py-1 case tabular-row">
+                              <v-col cols="4"><span class="case tabular-label">{{ i18n.dateModified }}:</span></v-col>
+                              <v-col cols="8"><span class="case">{{ props.item.updateTime | formatDateTime }}</span></v-col>
+                            </v-row>
                           </div>
-                          <div v-if="props.item.kind == 'case'">
+                          <div v-if="props.item.kind == i18n.case">
                             <div>
-                              <span class="case label" :title="i18n.caseTitle">{{ i18n.caseTitle}}:</span>
-                              <span class="case value">{{ props.item.title }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTitle }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.title }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseDescription">{{ i18n.caseDescription }}:</span>
-                              <span class="case value">{{ props.item.description }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseDescription }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseStatus">{{ i18n.caseStatus }}:</span>
-                              <span class="case value">{{ props.item.status }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseStatus }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.status }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseSeverity">{{ i18n.caseSeverity }}:</span>
-                              <span class="case value">{{ props.item.severity }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseSeverity }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.severity }}</span></v-col>
+                              </v-row>                                
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.casePriority">{{ i18n.casePriority }}:</span>
-                              <span class="case value">{{ props.item.priority }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.casePriority }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.priority }}</span></v-col>
+                              </v-row>
                             </div>
                           </div>
-                          <div v-if="props.item.kind == 'comment'">
+                          <div v-if="props.item.kind == i18n.comments">
                             <div>
-                              <span class="case label" :title="i18n.commentDescription">{{ i18n.commentDescription }}:</span>
-                              <span class="case value">{{ props.item.description }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.commentDescription }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                              </v-row>
                             </div>
                           </div>
-                          <div v-if="props.item.kind == 'related'">
+                          <div v-if="props.item.kind == i18n.events">
                             <div>
-                              <span class="case label" :title="i18n.relatedEventId">{{ i18n.relatedEventId }}:</span>
-                              <span class="case value">
-                                <router-link class="no-underline" :to="{ name: 'hunt', query: {q:`_id:${props.item.fields.soc_id}`}}">
-                                  {{ props.item.fields.soc_id }}
-                                </router-link>
-                              </span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.relatedEventId }}:</span></v-col>
+                                <v-col cols="8"><span class="case value">
+                                  <router-link v-if="props.item.fields.soc_id" class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item) }}">
+                                    {{ props.item.fields.soc_id }}
+                                  </router-link>
+                                  <span v-if="!props.item.fields.soc_id">
+                                    {{ i18n.caseEventIdAggregation }}
+                                  </span>
+                                </span></v-col>
+                              </v-row>
                             </div>
                           </div>
-                          <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'attachments'">
+                          <div v-if="props.item.kind == i18n.attachments">
                             <div>
-                              <span class="case label" :title="i18n.artifactGroupType">{{ i18n.artifactGroupType }}:</span>
-                              <span class="case value">{{ props.item.groupType }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactGroupType }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.groupType }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.artifactGroupId">{{ i18n.artifactGroupId }}:</span>
-                              <span class="case value">{{ props.item.groupId }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactGroupId }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.groupId }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.filename">{{ i18n.filename }}:</span>
-                              <span class="case value">{{ props.item.value }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.filename }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.value }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.description">{{ i18n.description }}:</span>
-                              <span class="case value">{{ props.item.description }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.description }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseTlp">{{ i18n.caseTlp }}:</span>
-                              <span class="case value">{{ props.item.tlp }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTlp }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tlp }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseTags">{{ i18n.caseTags }}:</span>
-                              <span class="case value">{{ props.item.tags }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTags }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tags }}</span></v-col>
+                              </v-row>
                             </div>
                           </div>
-                          <div v-if="props.item.kind == 'artifact' && props.item.groupType == 'evidence'">
+                          <div v-if="props.item.kind == i18n.evidence">
                             <div>
-                              <span class="case label" :title="i18n.artifactGroupType">{{ i18n.artifactGroupType }}:</span>
-                              <span class="case value">{{ props.item.groupType }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactGroupType }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.groupType }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.artifactGroupId">{{ i18n.artifactGroupId }}:</span>
-                              <span class="case value">{{ props.item.groupId }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactGroupId }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.groupId }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.artifactType">{{ i18n.artifactType }}:</span>
-                              <span class="case value">{{ props.item.artifactType }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactType }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.artifactType }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.value">{{ i18n.value }}:</span>
-                              <span class="case value">{{ props.item.value }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.value }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.value }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.description">{{ i18n.description }}:</span>
-                              <span class="case value">{{ props.item.description }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.description }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseTlp">{{ i18n.caseTlp }}:</span>
-                              <span class="case value">{{ props.item.tlp }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTlp }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tlp }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.artifactIoc">{{ i18n.artifactIoc }}:</span>
-                              <span class="case value">{{ props.item.ioc }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.artifactIoc }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.ioc }}</span></v-col>
+                              </v-row>
                             </div>
                             <div>
-                              <span class="case label" :title="i18n.caseTags">{{ i18n.caseTags }}:</span>
-                              <span class="case value">{{ props.item.tags }}</span>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTags }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tags }}</span></v-col>
+                              </v-row>
                             </div>
                           </div>
 
@@ -2312,8 +2400,8 @@ <h4 v-if="metricsEnabled">{{ i18n.gridEps }} {{ gridEps | formatCount }}</h4>
                 <tr>
                   <td>
                     <v-btn id="expandNode" icon small @click="expand(props.item)">
-                      <v-icon v-if="isExpanded(props.item)" :alt="i18n.nodeExpand" :title="i18n.nodeExpandHelp">fa-angle-down</v-icon>
-                      <v-icon v-if="!isExpanded(props.item)" :alt="i18n.nodeExpand" :title="i18n.nodeExpandHelp">fa-angle-right</v-icon>
+                      <v-icon v-if="isExpanded(props.item)" :alt="i18n.expand" :title="i18n.nodeExpandHelp">fa-angle-down</v-icon>
+                      <v-icon v-if="!isExpanded(props.item)" :alt="i18n.expand" :title="i18n.nodeExpandHelp">fa-angle-right</v-icon>
                     </v-btn>
                   </td>
                   <td v-text="props.item.id"></td>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index e5b062c4..a8fa8476 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -187,7 +187,6 @@ const i18n = {
       events: 'Events',
       eventCaseTitle: 'Event Escalation from SOC',
       eventExpandHelp: 'Show all event fields',
-      eventExpand: 'Expand',
       eventFetchTook: 'The backend data fetch took ',
       eventLookupFailed: 'The event lookup could not be completed.',
       eventRoundTripTook: 'The total round trip took ',
@@ -196,7 +195,7 @@ const i18n = {
       evidenceAdd: 'Add Observable',
       evidenceHelp: 'Important data relevant to this case',
       expand: 'Expand',
-      expandHelp: 'Expand all packet data',
+      expandHelp: 'Expand and show detailed data',
       incomplete: 'Incomplete',
       failedEvents: 'Failed Events',
       fault: 'Fault',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index ceb4ac1e..b972dda8 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -46,6 +46,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         sortDesc: false,
         search: '',
         headers: [
+          { text: this.$root.i18n.actions, width: '10.0em' },
           { text: this.$root.i18n.dateCreated, value: 'createTime' },
           { text: this.$root.i18n.dateModified, value: 'updateTime' },
           { text: this.$root.i18n.filename, value: 'value' },
@@ -61,6 +62,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         sortDesc: false,
         search: '',
         headers: [
+          { text: this.$root.i18n.actions, width: '10.0em' },
           { text: this.$root.i18n.dateCreated, value: 'createTime' },
           { text: this.$root.i18n.dateModified, value: 'updateTime' },
           { text: this.$root.i18n.artifactType, value: 'artifactType' },
@@ -77,7 +79,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         sortDesc: false,
         search: '',
         headers: [
-          { text: this.$root.i18n.actions },
+          { text: this.$root.i18n.actions, width: '10.0em' },
           { text: this.$root.i18n.timestamp, value: 'fields.timestamp' },
           { text: this.$root.i18n.id, value: 'fields["soc_id"]' },
           { text: this.$root.i18n.category, value: 'fields["event.category"]' },
@@ -109,12 +111,11 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         sortDesc: false,
         search: '',
         headers: [
+          { text: this.$root.i18n.actions, width: '10.0em' },
           { text: this.$root.i18n.username, value: 'owner' },
           { text: this.$root.i18n.time, value: 'updateTime' },
           { text: this.$root.i18n.kind, value: 'kind' },
           { text: this.$root.i18n.operation, value: 'operation' },
-          { text: '', value: 'kindLocalized', align: ' d-none' },
-          { text: '', value: 'operationLocalized', align: ' d-none' },
         ],
         itemsPerPage: 10,
         footerProps: { 'items-per-page-options': [10,50,250,1000] },
@@ -259,8 +260,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           for (var idx = 0; idx < response.data.length; idx++) {
             const obj = response.data[idx];
             await this.$root.populateUserDetails(obj, "userId", "owner");
-            obj.kindLocalized = this.$root.localizeMessage(this.mapAssociatedKind(obj));
-            obj.operationLocalized = this.$root.localizeMessage(obj.operation);
+            obj.kind = this.$root.localizeMessage(this.mapAssociatedKind(obj));
+            obj.operation = this.$root.localizeMessage(obj.operation);
             this.associations[association].push(obj);
           }
         }
@@ -268,6 +269,15 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         this.$root.showError(error);
       }
     },
+    isExpanded(association, row) {
+      const expanded = this.associatedTable[association].expanded;
+      for (var i = 0; i < expanded.length; i++) {
+        if (expanded[i].id == row.id) {
+          return true;
+        }
+      }
+      return false;
+    },
     expandRow(association, row) {
       const expanded = this.associatedTable[association].expanded;
       for (var i = 0; i < expanded.length; i++) {
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 14e07ec7..475e02e6 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -334,7 +334,7 @@ test('modifyAssociation', async () => {
   comp.associations['comments'] = [fakeComment];
   await comp.modifyAssociation('comments', fakeComment);
 
-  const body = "{\"userId\":\"myUserId\",\"id\":\"myCommentId\",\"description\":\"myDescription2\",\"owner\":\"my@email.invalid\",\"kindLocalized\":\"\",\"operationLocalized\":\"\"}";
+  const body = "{\"userId\":\"myUserId\",\"id\":\"myCommentId\",\"description\":\"myDescription2\",\"owner\":\"my@email.invalid\"}";
   expect(mock).toHaveBeenCalledWith('case/comments', body);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);

From 486ac3fc28998e909de6fd4ff15a157b4b1aa2af Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 6 Jan 2022 15:40:32 -0500
Subject: [PATCH 68/98] Several improvements to CM, documented internally

---
 html/index.html                            | 374 +++++++++++----------
 html/js/i18n.js                            |   2 +
 html/js/routes/case.js                     |  33 +-
 html/js/routes/hunt.js                     |   9 +-
 html/js/routes/hunt.test.js                |  16 +-
 model/case.go                              |  14 +
 model/case_test.go                         |  27 ++
 server/modules/elastic/elastic.go          |   2 +-
 server/modules/elastic/elasticcasestore.go |   1 +
 9 files changed, 286 insertions(+), 192 deletions(-)

diff --git a/html/index.html b/html/index.html
index 19a79078..bbaa5ca1 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1228,19 +1228,19 @@ <h2>{{ i18n.viewJob }}</h2>
             <h2 id="case-title" class="rounded">{{ caseObj.title }}</h2>
           </div>
           <div class="d-flex flex-column" v-if="isEdit('case-title')">
-            <v-form v-model="editForm.valid">
-              <div class="mb-2">
+            <div class="mb-2">
+              <v-form v-model="editForm.valid" @submit.prevent>
                 <v-text-field id="case-title-input" hide-details="auto" outlined v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseTitleHelp"/>
-              </div>
-              <div class="d-inline-flex justify-end">
-                <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                  {{ i18n.cancel }}
-                </v-btn>
-                <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                  {{ i18n.save }}
-                </v-btn>
-              </div>
-            </v-form>
+              </v-form>
+            </div>
+            <div class="d-inline-flex justify-end">
+              <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                {{ i18n.cancel }}
+              </v-btn>
+              <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                {{ i18n.save }}
+              </v-btn>
+            </div>
           </div>
         </div>
         <v-row class="mx-sm-8 mx-md-12 mx-lg-4 flex-column flex-md-row">
@@ -1256,45 +1256,45 @@ <h2>{{ i18n.description }}</h2>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
-                <v-form v-model="editForm.valid">
-                  <div class="mb-2">
+                <div class="mb-2">
+                  <v-form v-model="editForm.valid" @submit.prevent>
                     <v-textarea id="case-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseDescriptionHelp"/>
-                  </div>
-                  <div class="d-inline-flex justify-end">
-                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                      {{ i18n.cancel }}
-                    </v-btn>
-                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                      {{ i18n.save }}
-                    </v-btn>
-                  </div>
-                </form>
+                  </form>
+                </div>
+                <div class="d-inline-flex justify-end">
+                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                    {{ i18n.cancel }}
+                  </v-btn>
+                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                    {{ i18n.save }}
+                  </v-btn>
+                </div>
               </div>
             </div>
             <v-row>
-              <v-tabs grow>
-                <v-tab id="case_commentsTab">
+              <v-tabs grow v-model="activeTab">
+                <v-tab id="case_commentsTab" href="#comments">
                   <v-icon left>fa-comments</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.comments }}</div>
                 </v-tab>
-                <v-tab id="case_attachmentTab">
+                <v-tab id="case_attachmentTab" href="#attachments">
                   <v-icon left>fa-paperclip</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.attachments }}</div>
                 </v-tab>
-                <v-tab id="case_evidenceTab">
+                <v-tab id="case_evidenceTab" href="#evidence">
                   <v-icon left>fa-eye</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.evidence }}</div>
                 </v-tab>
-                <v-tab id="case_eventsTab">
+                <v-tab id="case_eventsTab" href="#events">
                   <v-icon left>fa-link</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.events }}</div>
                 </v-tab>
-                <v-tab id="case_historyTab">
+                <v-tab id="case_historyTab" href="#history">
                   <v-icon left>fa-history</v-icon>
                   <div class="d-none d-sm-block">{{ i18n.history }}</div>
                 </v-tab>
   
-                <v-tab-item>
+                <v-tab-item value="comments">
                   <div id="comment-list">
                     <div v-for="(comment, index) in associations.comments" class="mb-8">
                       <div class="d-flex flex-column align-start ma-4">
@@ -1308,17 +1308,17 @@ <h2>{{ i18n.description }}</h2>
                               </div>
                               <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
                                 <div class="mb-2">
-                                  <v-form v-model="editForm.valid">
+                                  <v-form v-model="editForm.valid" @submit.prevent>
                                     <v-textarea id="comment-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
-                                    <div class="d-inline-flex justify-end">
-                                      <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                                        {{ i18n.cancel }}
-                                      </v-btn>
-                                      <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                                        {{ i18n.update }}
-                                      </v-btn>
-                                    </div>
                                   </v-form>
+                                  <div class="d-inline-flex justify-end">
+                                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                      {{ i18n.cancel }}
+                                    </v-btn>
+                                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                      {{ i18n.update }}
+                                    </v-btn>
+                                  </div>
                                 </div>
                               </div>
                               <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
@@ -1369,7 +1369,7 @@ <h2>{{ i18n.description }}</h2>
                               </v-avatar>
                               <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </div>
-                            <v-form ref="comments" v-model="associatedForms['comments'].valid">
+                            <v-form ref="comments" v-model="associatedForms['comments'].valid" @submit.prevent>
                               <v-textarea  solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
                             </v-form>
                           </div>
@@ -1390,7 +1390,62 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   </div>
                 </v-tab-item>
 
-                <v-tab-item>
+                <v-tab-item value="attachments">
+                  <v-row v-if="!isAdding('attachments')">
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn color="primary" @click.stop="enableAdding('attachments')" id="add-attachment-button">
+                          <v-icon>fa-plus</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>                    
+                  <v-row v-if="isAdding('attachments')">
+                    <v-col>
+                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
+                      <div class="d-flex flex-column align-start">
+                        <div class="d-flex flex-column" style="width: 100%;">
+                        <div class="mb-2">
+                          <div class="d-inline-flex align-center mb-3">
+                            <v-avatar color="primary" size="28" class="mr-2">
+                              <div class="font-weight-bold" :title="$root.username">
+                              {{ $root.getAvatar($root.username) }}
+                              </div>
+                            </v-avatar>
+                            <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
+                          </div>
+                          <v-form ref="attachments" v-model="associatedForms['attachments'].valid" @submit.prevent>
+                            <v-file-input id="attachments-file" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
+                            <v-textarea id="attachments-description" rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-select id="attachments-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox id="attachments-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select id="attachments-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-select>
+                            <v-combobox id="attachments-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                              <template #selection="{ item }">
+                                <v-chip color="primary">{{item}}</v-chip>
+                              </template>
+                            </v-combobox>                              
+                          </v-form>
+                        </div>
+                        </div>
+                      </div>
+                      </div>
+                      <div class="d-flex align-center align-self-end text-body-2 mt-2">
+                      <div class="d-inline-flex justify-end">
+                        <v-btn id="attachment-cancel" text small color="primary" class="align-self-end" @click="resetForm('attachments')">
+                          {{ i18n.cancel }}
+                        </v-btn>
+                        <v-btn id="attachment-add" :disabled="!associatedForms['attachments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('attachments', {'groupType': 'attachments', 'artifactType':'file'})">
+                          {{ i18n.add }}
+                        </v-btn>
+                      </div>
+                      </div>
+                    </v-col>
+                  </v-row>   
                   <v-text-field v-model="associatedTable['attachments'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="attachmentsTable" :sort-by.sync="associatedTable['attachments'].sortBy" :sort-desc.sync="associatedTable['attachments'].sortDesc" :items-per-page.sync="associatedTable['attachments'].itemsPerPage" 
                     :search="associatedTable['attachments'].search" :footer-props="associatedTable['attachments'].footerProps" must-sort :headers="associatedTable['attachments'].headers"
@@ -1405,9 +1460,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                         </td>                          
                         <td class="associated">{{ props.item.createTime | formatDateTime }}</td>
                         <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
-                        <td class="associated">
-                          <div class="rounded">{{ props.item.value }}</div>
-                        </td>                  
+                        <td class="associated">{{ props.item.value }}</td>
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
@@ -1449,26 +1502,26 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                               <div :id="`attachments-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`attachments-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`attachments-${props.index}-description`)">
-                              <v-form v-model="editForm.valid">
+                              <v-form v-model="editForm.valid" @submit.prevent>
                                 <div class="mb-2">
                                   <v-textarea full-width rows="3" multiline :id="`attachments-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                                 </div>
-                                <div class="d-inline-flex justify-end">
-                                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                                    {{ i18n.cancel }}
-                                  </v-btn>
-                                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                                    {{ i18n.save }}
-                                  </v-btn>
-                                </div>
                               </v-form>
+                              <div class="d-inline-flex justify-end">
+                                <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                  {{ i18n.cancel }}
+                                </v-btn>
+                                <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                  {{ i18n.save }}
+                                </v-btn>
+                              </div>
                             </div>
                           </v-container>
                           <v-container fluid class="py-1">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])"
                               @keypress.space.prevent="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
-                              <div id="`attachments-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`attachments-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
+                              <v-chip :id="`attachments-${props.index}-tlp`" :color="colorizeChip(props.item.tlp)" outlined v-if="!isEdit(`attachments-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</v-chip>
                             </div>
                             <v-select :id="`attachments-${props.index}-tlp-input`" v-if="isEdit(`attachments-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
                               dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
@@ -1541,17 +1594,20 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   </v-data-table>
                   <div class="text-xs-center pt-2 d-none">
                       <v-btn v-text="i18n.loadMore" @click="loadAssociation('attachments')"></v-btn>
-                  </div>
-                  <v-row v-if="!isAdding('attachments')">
+                  </div>               
+                </v-tab-item>
+
+                <v-tab-item value="evidence">
+                  <v-row v-if="!isAdding('evidence')">
                     <v-col>
                       <v-toolbar class="elevation-0" fixed>
-                        <v-btn color="primary" @click.stop="enableAdding('attachments')" id="add-attachment-button">
+                        <v-btn color="primary" @click.stop="enableAdding('evidence')" id="add-evidence-button">
                           <v-icon>fa-plus</v-icon>
                         </v-btn>
                       </v-toolbar>
                     </v-col>
                   </v-row>                    
-                  <v-row v-if="isAdding('attachments')">
+                  <v-row v-if="isAdding('evidence')">
                     <v-col>
                       <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
                       <div class="d-flex flex-column align-start">
@@ -1563,19 +1619,23 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                               {{ $root.getAvatar($root.username) }}
                               </div>
                             </v-avatar>
-                            <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
+                            <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           </div>
-                          <v-form ref="attachments" v-model="associatedForms['attachments'].valid">
-                            <v-file-input id="attachments-file" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
-                            <v-textarea id="attachments-description" rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
-                            <v-select id="attachments-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-combobox id="attachments-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-select id="attachments-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                          <v-form ref="evidence" v-model="associatedForms['evidence'].valid" @submit.prevent>
+                            <v-select id="evidence-type" v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-combobox id="evidence-type" v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
+                            <v-file-input id="evidence-value" v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
+                            <v-textarea id="evidence-value" v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
+                            <v-textarea id="evidence-description" rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-checkbox id="evidence-ioc" v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
+                            <v-select id="evidence-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-combobox id="evidence-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
+                            <v-select id="evidence-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
                             </v-select>
-                            <v-combobox id="attachments-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
+                            <v-combobox id="evidence-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
                               <template #selection="{ item }">
                                 <v-chip color="primary">{{item}}</v-chip>
                               </template>
@@ -1587,19 +1647,16 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                       </div>
                       <div class="d-flex align-center align-self-end text-body-2 mt-2">
                       <div class="d-inline-flex justify-end">
-                        <v-btn id="attachment-cancel" text small color="primary" class="align-self-end" @click="resetForm('attachments')">
+                        <v-btn id="evidence-cancel" text small color="primary" class="align-self-end" @click="resetForm('evidence')">
                           {{ i18n.cancel }}
                         </v-btn>
-                        <v-btn id="attachment-add" :disabled="!associatedForms['attachments'].valid" text small color="primary" class="align-self-end" @click="addAssociation('attachments', {'groupType': 'attachments', 'artifactType':'file'})">
+                        <v-btn id="evidence-add" :disabled="!associatedForms['evidence'].valid" text small color="primary" class="align-self-end" @click="addAssociation('evidence', {'groupType': 'evidence'})">
                           {{ i18n.add }}
                         </v-btn>
                       </div>
                       </div>
                     </v-col>
-                  </v-row>                  
-                </v-tab-item>
-
-                <v-tab-item>
+                  </v-row>  
                   <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage" 
                     :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
@@ -1614,12 +1671,8 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                         </td>                        
                         <td class="associated">{{ props.item.createTime | formatDateTime }}</td>
                         <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
-                        <td class="associated case">
-                          <div class="rounded">{{ props.item.artifactType }}</div>
-                        </td>
-                        <td class="associated case">
-                          <div class="rounded">{{ props.item.value }}</div>
-                        </td>                  
+                        <td class="associated">{{ props.item.artifactType }}</td>
+                        <td class="associated">{{ props.item.value }}</td>
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
@@ -1667,19 +1720,19 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               <div :id="`evidence-${props.index}-description`" class="case detail-field markdown-body" v-if="!isEdit(`evidence-${props.index}-description`)" :inner-html.prop="props.item.description | formatMarkdown"></div>
                             </div>
                             <div class="d-flex flex-column" v-if="isEdit(`evidence-${props.index}-description`)">
-                              <v-form v-model="editForm.valid">
+                              <v-form v-model="editForm.valid" @submit.prevent>
                                 <div class="mb-2">
                                   <v-textarea full-width rows="3" multiline :id="`evidence-${props.index}-description-input`" hide-details="auto" outlined v-model="editForm.val" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                                 </div>
-                                <div class="d-inline-flex justify-end">
-                                  <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                                    {{ i18n.cancel }}
-                                  </v-btn>
-                                  <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                                    {{ i18n.save }}
-                                  </v-btn>
-                                </div>
                               </v-form>
+                              <div class="d-inline-flex justify-end">
+                                <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                  {{ i18n.cancel }}
+                                </v-btn>
+                                <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                  {{ i18n.save }}
+                                </v-btn>
+                              </div>
                             </div>
                           </v-container>
                           <v-container fluid class="py-1">
@@ -1694,7 +1747,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
-                              <div :id="`evidence-${props.index}-tlp`" class="case detail-field" v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</div>
+                              <v-chip :id="`evidence-${props.index}-tlp`" :color="colorizeChip(props.item.tlp)" outlined v-if="!isEdit(`evidence-${props.index}-tlp`)">{{ withDefault(props.item.tlp, i18n.unknown) }}</v-chip>
                             </div>
                             <v-select :id="`evidence-${props.index}-tlp-input`" v-if="isEdit(`evidence-${props.index}-tlp`) && !isPresetCustomEnabled('tlp')"
                               dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
@@ -1767,69 +1820,10 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                   </v-data-table>
                   <div class="text-xs-center pt-2 d-none">
                       <v-btn v-text="i18n.loadMore" @click="loadAssociation('evidence')"></v-btn>
-                  </div>
-                  <v-row v-if="!isAdding('evidence')">
-                    <v-col>
-                      <v-toolbar class="elevation-0" fixed>
-                        <v-btn color="primary" @click.stop="enableAdding('evidence')" id="add-evidence-button">
-                          <v-icon>fa-plus</v-icon>
-                        </v-btn>
-                      </v-toolbar>
-                    </v-col>
-                  </v-row>                    
-                  <v-row v-if="isAdding('evidence')">
-                    <v-col>
-                      <div class="ml-1 ml-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
-                      <div class="d-flex flex-column align-start">
-                        <div class="d-flex flex-column" style="width: 100%;">
-                        <div class="mb-2">
-                          <div class="d-inline-flex align-center mb-3">
-                            <v-avatar color="primary" size="28" class="mr-2">
-                              <div class="font-weight-bold" :title="$root.username">
-                              {{ $root.getAvatar($root.username) }}
-                              </div>
-                            </v-avatar>
-                            <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
-                          </div>
-                          <v-form ref="evidence" v-model="associatedForms['evidence'].valid">
-                            <v-select id="evidence-type" v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-combobox id="evidence-type" v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
-                            <v-file-input id="evidence-value" v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
-                            <v-textarea id="evidence-value" v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
-                            <v-textarea id="evidence-description" rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
-                            <v-checkbox id="evidence-ioc" v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
-                            <v-select id="evidence-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-combobox id="evidence-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
-                            <v-select id="evidence-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
-                              <template #selection="{ item }">
-                                <v-chip color="primary">{{item}}</v-chip>
-                              </template>
-                            </v-select>
-                            <v-combobox id="evidence-tags" v-if="isPresetCustomEnabled('tags')" v-model="associatedForms['evidence'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
-                              <template #selection="{ item }">
-                                <v-chip color="primary">{{item}}</v-chip>
-                              </template>
-                            </v-combobox>                              
-                          </v-form>
-                        </div>
-                        </div>
-                      </div>
-                      </div>
-                      <div class="d-flex align-center align-self-end text-body-2 mt-2">
-                      <div class="d-inline-flex justify-end">
-                        <v-btn id="evidence-cancel" text small color="primary" class="align-self-end" @click="resetForm('evidence')">
-                          {{ i18n.cancel }}
-                        </v-btn>
-                        <v-btn id="evidence-add" :disabled="!associatedForms['evidence'].valid" text small color="primary" class="align-self-end" @click="addAssociation('evidence', {'groupType': 'evidence'})">
-                          {{ i18n.add }}
-                        </v-btn>
-                      </div>
-                      </div>
-                    </v-col>
-                  </v-row>                  
+                  </div>                
                 </v-tab-item>
 
-                <v-tab-item>
+                <v-tab-item value="events">
                   <v-text-field v-model="associatedTable['events'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="eventsTable" :sort-by.sync="associatedTable['events'].sortBy" :sort-desc.sync="associatedTable['events'].sortDesc" :items-per-page.sync="associatedTable['events'].itemsPerPage" 
                     :search="associatedTable['events'].search" :footer-props="associatedTable['events'].footerProps" must-sort :headers="associatedTable['events'].headers"
@@ -1841,21 +1835,15 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                             <v-icon v-if="isExpanded('events', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
                             <v-icon v-if="!isExpanded('events', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
                           </v-btn>
-                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item)}}" :title="i18n.huntForEvent" v-if="props.item.fields['soc_id']"><v-icon>fa-crosshairs</v-icon></router-link>
+                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQuery(props.item)}}" :title="i18n.huntForEvent" v-if="props.item.fields['soc_id']">
+                            <v-icon :title="i18n.huntForEvent">fa-crosshairs</v-icon>
+                          </router-link>
                         </td>
                         <td class="associated">{{ props.item.fields["@timestamp"] | formatTimestamp }}</td>
-                        <td class="associated case">
-                          <div class="rounded">{{ getEventId(props.item) }}</div>
-                        </td>
-                        <td class="associated case">
-                          <div class="rounded">{{ props.item.fields['event.category'] }}</div>
-                        </td>
-                        <td class="associated case">
-                          <div class="rounded">{{ props.item.fields['event.module'] }}</div>
-                        </td>                        
-                        <td class="associated case">
-                          <div class="rounded">{{ props.item.fields['event.dataset'] }}</div>
-                        </td>
+                        <td class="associated">{{ getEventId(props.item) }}</td>
+                        <td class="associated">{{ props.item.fields['event.category'] }}</td>
+                        <td class="associated">{{ props.item.fields['event.module'] }}</td>                        
+                        <td class="associated">{{ props.item.fields['event.dataset'] }}</td>
                       </tr>
                     </template>
                     <template v-slot:expanded-item="props">
@@ -1863,8 +1851,16 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                         <td :colspan="6" class="case">
                           <div class="mt-2">
                             <v-row no-gutters class="py-1 case tabular-row" v-for="value, key in props.item.fields">
+                              <v-col cols="1">
+                                <v-btn :id="`events-${props.index}-addobservable`" icon small @click="populateAddForm('evidence', key, value)">
+                                  <v-icon :title="i18n.addObservable">fa-eye</v-icon>
+                                </v-btn>
+                                <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQueryForValue(value) }}">
+                                  <v-icon :title="i18n.huntForFieldValue">fa-crosshairs</v-icon>
+                                </router-link>
+                              </v-col>
                               <v-col cols="4"><span class="case tabular-label">{{ key }}:</span></v-col>
-                              <v-col cols="8"><span class="case">{{ value }}</span></v-col>
+                              <v-col cols="7"><span class="case">{{ value }}</span></v-col>
                             </v-row>
                           </div>
 
@@ -1897,7 +1893,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   </div>
                 </v-tab-item>
   
-                <v-tab-item>
+                <v-tab-item value="history">
                   <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage" 
                     :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
@@ -1979,6 +1975,12 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                                 <v-col cols="8"><span class="case">{{ props.item.description }}</span></v-col>
                               </v-row>
                             </div>
+                            <div>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseAssignee }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.assignee }}</span></v-col>
+                              </v-row>
+                            </div>
                             <div>
                               <v-row no-gutters class="py-1 case tabular-row">
                                 <v-col cols="4"><span class="case tabular-label">{{ i18n.caseStatus }}:</span></v-col>
@@ -1997,6 +1999,24 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                                 <v-col cols="8"><span class="case">{{ props.item.priority }}</span></v-col>
                               </v-row>
                             </div>
+                            <div>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTlp }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tlp }}</span></v-col>
+                              </v-row>
+                            </div>
+                            <div>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseCategory }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.category }}</span></v-col>
+                              </v-row>
+                            </div>
+                            <div>
+                              <v-row no-gutters class="py-1 case tabular-row">
+                                <v-col cols="4"><span class="case tabular-label">{{ i18n.caseTags }}:</span></v-col>
+                                <v-col cols="8"><span class="case">{{ props.item.tags }}</span></v-col>
+                              </v-row>
+                            </div>
                           </div>
                           <div v-if="props.item.kind == i18n.comments">
                             <div>
@@ -2225,19 +2245,19 @@ <h3>{{ i18n.details }}</h3>
                                   <div id="case-priority" class="case detail-field" v-if="!isEdit('case-priority')">{{ caseObj.priority }}</div>
                                 </div>
                                 <div v-if="isEdit('case-priority')">
-                                  <v-form v-model="editForm.valid">
+                                  <v-form v-model="editForm.valid" @submit.prevent>
                                     <div class="mb-2">
                                       <v-text-field id="case-priority-input" outlined hide-details="auto" rows="3" dense no-resize v-model="editForm.val" :rules="[rules.number]" persistent-hint :hint="i18n.casePriorityHelp"/>
                                     </div>
-                                    <div class="d-inline-flex justify-end">
-                                      <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
-                                        {{ i18n.cancel }}
-                                      </v-btn>
-                                      <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
-                                        {{ i18n.save }}
-                                      </v-btn>
-                                    </div>
-                                  </form>
+                                  </v-form>
+                                  <div class="d-inline-flex justify-end">
+                                    <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
+                                      {{ i18n.cancel }}
+                                    </v-btn>
+                                    <v-btn :disabled="!editForm.valid" text small color="primary" class="align-self-end" @click="stopEdit(true)">
+                                      {{ i18n.save }}
+                                    </v-btn>
+                                  </div>
                                 </div>
                               </v-col>
                             </v-row>
@@ -2246,7 +2266,7 @@ <h3>{{ i18n.details }}</h3>
                                 <div tabindex="0" class="clicktoedit" @click="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)"
                                   @keypress.space.prevent="startEdit('case-tlp-input', caseObj.tlp, 'case-tlp', 'tlp', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
-                                  <div id="case-tlp" class="case detail-field" v-if="!isEdit('case-tlp')">{{ withDefault(caseObj.tlp, i18n.unknown) }}</div>
+                                  <v-chip :color="colorizeChip(caseObj.tlp)" outlined id="case-tlp" v-if="!isEdit('case-tlp')">{{ withDefault(caseObj.tlp, i18n.unknown) }}</v-chip>
                                 </div>
                                 <v-select id="case-tlp-input" v-if="isEdit('case-tlp') && !isPresetCustomEnabled('tlp')"
                                   dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.caseTlpHelp"
@@ -2268,7 +2288,7 @@ <h3>{{ i18n.details }}</h3>
                                 <div tabindex="0" class="clicktoedit" @click="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)"
                                   @keypress.space.prevent="startEdit('case-pap-input', caseObj.pap, 'case-pap', 'pap', modifyCase)">
                                   <div class="font-weight-bold">{{i18n.casePap}}: </div>
-                                  <div id="case-pap" class="case detail-field" v-if="!isEdit('case-pap')">{{ withDefault(caseObj.pap, i18n.unknown) }}</div>
+                                  <v-chip :color="colorizeChip(caseObj.pap)" outlined id="case-pap" v-if="!isEdit('case-pap')">{{ withDefault(caseObj.pap, i18n.unknown) }}</v-chip>
                                 </div>
                                 <v-select id="case-pap-input" v-if="isEdit('case-pap') && !isPresetCustomEnabled('pap')"
                                   dense eager outlined hide-details="auto" class="case-select" persistent-hint :hint="i18n.casePapHelp"
diff --git a/html/js/i18n.js b/html/js/i18n.js
index a8fa8476..ed722d0f 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -36,6 +36,7 @@ const i18n = {
       actionVirusTotal: 'VirusTotal',
       actionVirusTotalHelp: 'Analyze this field at virustotal.com',
       add: 'Add',
+      addObservable: 'Add as new observable...',
       address: 'Address',
       admin: 'Administration',
       alertAcknowledge: 'Acknowledge',
@@ -239,6 +240,7 @@ const i18n = {
       hours: 'hours',
       hunt: 'Hunt',
       huntForEvent: 'Hunt for this event',
+      huntForFieldValue: 'Hunt for this field\'s value',
       huntHelp: 'Start a new hunt based on the current filters',
       id: 'ID',
       importId: 'Import ID',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index b972dda8..c578234e 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -147,6 +147,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     attachment: null,
     maxUploadSizeBytes: 26214400,
     addingAssociation: null,
+    activeTab: null,
   }},
   computed: {
   },
@@ -260,6 +261,9 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           for (var idx = 0; idx < response.data.length; idx++) {
             const obj = response.data[idx];
             await this.$root.populateUserDetails(obj, "userId", "owner");
+            if (obj.assigneeId) {
+              await this.$root.populateUserDetails(obj, "assigneeId", "assignee");
+            }
             obj.kind = this.$root.localizeMessage(this.mapAssociatedKind(obj));
             obj.operation = this.$root.localizeMessage(obj.operation);
             this.associations[association].push(obj);
@@ -578,6 +582,15 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     isAdding(association) {
       return this.addingAssociation == association;
     },
+    populateAddForm(association, key, value) {
+      this.enableAdding(association);
+      this.associatedForms[association].value = value.toString();
+      this.associatedForms[association].description = key;
+      this.switchToTab(association);
+    },
+    switchToTab(association) {
+      this.activeTab = association;
+    },
      
     updateCase(caseObj) {
       // No-op until we can detect if the user has made any changes to the form. We don't
@@ -588,8 +601,26 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       // this.loadAssociations();
     },
 
+    colorizeChip(color) {
+      if (color == "white" && !this.$root.$vuetify.theme.dark) {
+        color = "grey";
+      } else if (color == "amber" && !this.$root.$vuetify.theme.dark) {
+        color = "orange";
+      }
+
+      return color;
+    },
+
+    escapeQueryValue(value) {
+      return this.$root.escape(value.toString());
+    },
     buildHuntQuery(event) {
-      return '_id: "' + event.fields["soc_id"] + '"';
+      var value = this.escapeQueryValue(event.fields["soc_id"]);
+      return '_id: "' + value + '"';
+    },
+    buildHuntQueryForValue(value) {
+      var value = this.escapeQueryValue(value);
+      return '"' + value + '"';
     },
     getEventId(event) {
       var id = event.fields['soc_id'];
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 099cf29e..32d43271 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -434,12 +434,11 @@ const huntComponent = {
         }
       }
 
-      var description = item['message'];
-      if (!description) {
-        if (!this.escalateRelatedEventsEnabled) {
+      var description = this.i18n.caseEscalatedDescription;
+      if (!this.escalateRelatedEventsEnabled) {
+        var description = item['message'];
+        if (!description) {
           description = JSON.stringify(item);
-        } else {
-          description = this.i18n.caseEscalatedDescription;
         }
       }
 
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index a0deb66b..d547e81f 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -224,25 +224,25 @@ function validateCase(
 test('buildCase', () => {
   // has rule name and message, etc (happy path)
   validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
-      'myTitle', 'myMessage', 'mySeverity', 'myTemplate');
+      'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
 
   // missing rule name, module, and dataset
   validateCase('', 'myTemplate', '', '', 'mySeverity', 'myMessage',
-      'Event Escalation from SOC', 'myMessage', 'mySeverity', 'myTemplate');
+      'Event Escalation from SOC', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
 
   // missing rule name but has module
   validateCase('', 'myTemplate', 'myModule', '', 'mySeverity', 'myMessage',
-      'Event Escalation from SOC: myModule', 'myMessage', 'mySeverity', 'myTemplate');
+      'Event Escalation from SOC: myModule', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
 
   // missing rule name but has dataset
   validateCase('', 'myTemplate', '', 'myDataset', 'mySeverity', 'myMessage',
-      'Event Escalation from SOC: myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+      'Event Escalation from SOC: myDataset', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
 
   // missing rule name but has module and dataset
   validateCase('', 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
-      'Event Escalation from SOC: myModule - myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+      'Event Escalation from SOC: myModule - myDataset', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
   validateCase(null, 'myTemplate', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
-      'Event Escalation from SOC: myModule - myDataset', 'myMessage', 'mySeverity', 'myTemplate');
+      'Event Escalation from SOC: myModule - myDataset', comp.i18n.caseEscalatedDescription, 'mySeverity', 'myTemplate');
 
   // missing message
   comp.escalateRelatedEventsEnabled = false;
@@ -255,10 +255,10 @@ test('buildCase', () => {
 
   // missing severity
   validateCase('myTitle', 'myTemplate', 'myModule', 'myDataset', '', 'myMessage',
-      'myTitle', 'myMessage', '', 'myTemplate');
+      'myTitle', comp.i18n.caseEscalatedDescription, '', 'myTemplate');
 
   // missing template
   validateCase('myTitle', '', 'myModule', 'myDataset', 'mySeverity', 'myMessage',
-      'myTitle', 'myMessage', 'mySeverity', '');
+      'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', '');
 
 });
diff --git a/model/case.go b/model/case.go
index c8450271..880abab8 100644
--- a/model/case.go
+++ b/model/case.go
@@ -56,6 +56,20 @@ func NewCase() *Case {
   return newCase
 }
 
+func (socCase *Case) ProcessWorkflowForStatus(oldCase *Case) {
+  now := time.Now()
+  if oldCase.CompleteTime != nil && !oldCase.CompleteTime.IsZero() {
+    socCase.CompleteTime = oldCase.CompleteTime
+  } else if socCase.Status == "closed" && oldCase.Status != "closed" {
+    socCase.CompleteTime = &now
+  }
+  if oldCase.StartTime != nil && !oldCase.StartTime.IsZero() {
+    socCase.StartTime = oldCase.StartTime
+  } else if socCase.Status == "in progress" && oldCase.Status != "in progress" {
+    socCase.StartTime = &now
+  }
+}
+
 type Comment struct {
   Auditable
   CaseId      string `json:"caseId"`
diff --git a/model/case_test.go b/model/case_test.go
index 54291706..779fea45 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"strings"
 	"testing"
+	"time"
 )
 
 func TestNewRelatedEvent(tester *testing.T) {
@@ -45,3 +46,29 @@ func TestNewArtifactStream(tester *testing.T) {
 	assert.NoError(tester, err)
 	assert.Equal(tester, "hello world", buffer.String())
 }
+
+func TestWorkflowForStatus(tester *testing.T) {
+	now := time.Now()
+
+	oldCase := NewCase()
+	newCase := NewCase()
+	newCase.ProcessWorkflowForStatus(oldCase)
+	assert.Nil(tester, newCase.CompleteTime)
+	assert.Nil(tester, newCase.StartTime)
+
+	newCase.Status = "in progress"
+	newCase.ProcessWorkflowForStatus(oldCase)
+	assert.Nil(tester, newCase.CompleteTime)
+	assert.NotNil(tester, newCase.StartTime)
+
+	newCase.Status = "closed"
+	newCase.ProcessWorkflowForStatus(oldCase)
+	assert.NotNil(tester, newCase.CompleteTime)
+	assert.True(tester, newCase.CompleteTime.After(*newCase.StartTime))
+
+	oldCase.Status = "new"
+	oldCase.StartTime = &now
+	newCase.Status = "in progress"
+	newCase.ProcessWorkflowForStatus(oldCase)
+	assert.Equal(tester, oldCase.StartTime, newCase.StartTime)
+}
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 3112ffa3..3af78a4e 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -27,7 +27,7 @@ const DEFAULT_CACHE_MS = 86400000
 const DEFAULT_INDEX = "*:so-*"
 const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
-const DEFAULT_MAX_LOG_LENGTH = 1024
+const DEFAULT_MAX_LOG_LENGTH = 10240
 
 type Elastic struct {
   config module.ModuleConfig
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 30b91d9d..f625c2bd 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -417,6 +417,7 @@ func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case)
         socCase.CreateTime = oldCase.CreateTime
         socCase.CompleteTime = oldCase.CompleteTime
         socCase.StartTime = oldCase.StartTime
+        socCase.ProcessWorkflowForStatus(oldCase)
         var results *model.EventIndexResults
         results, err = store.save(ctx, socCase, "case", store.prepareForSave(ctx, &socCase.Auditable))
         if err == nil {

From bd17522f3501953ef962bdff1b4991c61a78e7d6 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 6 Jan 2022 15:59:39 -0500
Subject: [PATCH 69/98] Show success tip after saving an association

---
 html/js/i18n.js             | 1 +
 html/js/routes/case.js      | 1 +
 html/js/routes/case.test.js | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index ed722d0f..e134936f 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -345,6 +345,7 @@ const i18n = {
       ruleMinLen: 'The provided value is too short',
       ruleMaxLen: 'The provided value is too long',
       save: 'Save',
+      saveSuccess: 'Save successfull!',
       seconds: 'seconds',
       security: 'Security',
       sensor: 'Sensor',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index c578234e..811de75d 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -446,6 +446,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           await this.$root.populateUserDetails(response.data, "userId", "owner");
           this.associations[association].push(response.data);
           this.resetForm(association);
+          this.$root.showTip(this.i18n.saveSuccess);
         }
       } catch (error) {
         this.$root.showError(error);
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 475e02e6..8f54fe2c 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -296,6 +296,7 @@ test('modifyCaseError', async () => {
 
 test('addAssociation', async () => {
   const mock = mockPapi("post", {'data':fakeComment});
+  getApp().showTip = jest.fn();
 
   comp.associatedForms['comments'].description = 'myDescription';
   comp.caseObj.id = 'myCaseId';
@@ -309,6 +310,7 @@ test('addAssociation', async () => {
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
   expect(comp.$root.loading).toBe(false);
+  expect(getApp().showTip).toHaveBeenCalledWith(comp.i18n.saveSuccess);
 });
 
 test('addAssociationError', async () => {

From 2716077f054920225cc6b345ff00b422ab9956c7 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 6 Jan 2022 17:04:14 -0500
Subject: [PATCH 70/98] Provide auto mapping of observable values to artifact
 type

---
 html/index.html             |  2 +-
 html/js/routes/case.js      | 35 +++++++++++++++++++++++++++++++++--
 html/js/routes/case.test.js | 16 ++++++++++++++++
 3 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/html/index.html b/html/index.html
index bbaa5ca1..8b100040 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1852,7 +1852,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           <div class="mt-2">
                             <v-row no-gutters class="py-1 case tabular-row" v-for="value, key in props.item.fields">
                               <v-col cols="1">
-                                <v-btn :id="`events-${props.index}-addobservable`" icon small @click="populateAddForm('evidence', key, value)">
+                                <v-btn :id="`events-${props.index}-addobservable`" icon small @click="populateAddObservableForm(key, value)">
                                   <v-icon :title="i18n.addObservable">fa-eye</v-icon>
                                 </v-btn>
                                 <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQueryForValue(value) }}">
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 811de75d..ef9d531f 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -9,6 +9,12 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
 const MAX_TIMEOUT_ATTEMPTS=20;
+const ipRegex = /^[0-9a-fA-F:]*([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F:]*$|^(\d{1,3}\.){3}\d{1,3}$/;
+const fqdnRegex = /(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$)/;
+const domainRegex = /^(xn\-\-)?([a-z0-9\-]{1,61}|[a-z0-9\-]{1,30})\.[a-z]{2,}$/;
+const urlRegex = /^[a-z]+:\/\//;
+const filenameRegex = /(\/)?[\w,\s-]+\.[A-Za-z]{3}$/;
+const uriPathRegex = /^\/[\w,\s-]/;
 
 routes.push({ path: '/case/:id', name: 'case', component: {
   template: '#page-case',
@@ -583,10 +589,32 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     isAdding(association) {
       return this.addingAssociation == association;
     },
-    populateAddForm(association, key, value) {
+    mapArtifactTypeFromValue(value) {
+      var artifactType = null;
+      if (ipRegex.test(value)) {
+        artifactType = "ip";
+      } else if (domainRegex.test(value)) {
+        artifactType = "domain";
+      } else if (fqdnRegex.test(value)) {
+        artifactType = "fqdn";
+      } else if (urlRegex.test(value)) {
+        artifactType = "url"
+      } else if (filenameRegex.test(value)) {
+        artifactType = "filename"
+      } else if (uriPathRegex.test(value)) {
+        artifactType = "uri_path"
+      }
+      return artifactType;
+    },
+    populateAddObservableForm(key, value) {
+      const association = 'evidence';
       this.enableAdding(association);
       this.associatedForms[association].value = value.toString();
       this.associatedForms[association].description = key;
+      const artifactType = this.mapArtifactTypeFromValue(value.toString());
+      if (artifactType) {
+        this.associatedForms[association].artifactType = artifactType;
+      }
       this.switchToTab(association);
     },
     switchToTab(association) {
@@ -613,7 +641,10 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
 
     escapeQueryValue(value) {
-      return this.$root.escape(value.toString());
+      if (value) {
+        return this.$root.escape(value.toString());
+      }
+      return '';
     },
     buildHuntQuery(event) {
       var value = this.escapeQueryValue(event.fields["soc_id"]);
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 8f54fe2c..b790a44d 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -606,6 +606,22 @@ test('isEdited', () => {
   expect(comp.isEdited(fakeArtifact2)).toBe(false);
 });
 
+test('mapArtifactTypeFromValue', () => {
+  expect(comp.mapArtifactTypeFromValue('sub.subber.short.com')).toBe('fqdn')
+  expect(comp.mapArtifactTypeFromValue('sub.short.io')).toBe('fqdn')
+  expect(comp.mapArtifactTypeFromValue('short.io')).toBe('domain')
+  expect(comp.mapArtifactTypeFromValue('sensoroni.com')).toBe('domain')
+  expect(comp.mapArtifactTypeFromValue('/var/log/syslog.tgz')).toBe('filename')
+  expect(comp.mapArtifactTypeFromValue('c:/windows/system32/malware.exe')).toBe('filename')
+  expect(comp.mapArtifactTypeFromValue('/some/path/around/there')).toBe('uri_path')
+  expect(comp.mapArtifactTypeFromValue('/some/path')).toBe('uri_path')
+  expect(comp.mapArtifactTypeFromValue('file://some/file/path.txt')).toBe('url')
+  expect(comp.mapArtifactTypeFromValue('https://some.where/out?there=foo')).toBe('url')
+  expect(comp.mapArtifactTypeFromValue('2.3.113.234')).toBe('ip')
+  expect(comp.mapArtifactTypeFromValue('ff02::1:ffc5:a922')).toBe('ip')
+  expect(comp.mapArtifactTypeFromValue('ff02::16')).toBe('ip')
+});
+
 test('mapAssociatedPath', () => {
   expect(comp.mapAssociatedPath('comments')).toBe('comments');
   expect(comp.mapAssociatedPath('comments', true)).toBe('comments');

From 65db1bbfd27863f18604bd5f153ced75f7b508ae Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 6 Jan 2022 17:08:10 -0500
Subject: [PATCH 71/98] Favor latest complete time over previous complete times

---
 model/case.go      | 4 +---
 model/case_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/model/case.go b/model/case.go
index 880abab8..c26c3794 100644
--- a/model/case.go
+++ b/model/case.go
@@ -58,9 +58,7 @@ func NewCase() *Case {
 
 func (socCase *Case) ProcessWorkflowForStatus(oldCase *Case) {
   now := time.Now()
-  if oldCase.CompleteTime != nil && !oldCase.CompleteTime.IsZero() {
-    socCase.CompleteTime = oldCase.CompleteTime
-  } else if socCase.Status == "closed" && oldCase.Status != "closed" {
+  if socCase.Status == "closed" && oldCase.Status != "closed" {
     socCase.CompleteTime = &now
   }
   if oldCase.StartTime != nil && !oldCase.StartTime.IsZero() {
diff --git a/model/case_test.go b/model/case_test.go
index 779fea45..8808efeb 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -66,6 +66,14 @@ func TestWorkflowForStatus(tester *testing.T) {
 	assert.NotNil(tester, newCase.CompleteTime)
 	assert.True(tester, newCase.CompleteTime.After(*newCase.StartTime))
 
+	oldCase.Status = "in progress"
+	oldCase.CompleteTime = &now
+	newCase.CompleteTime = nil
+	newCase.Status = "closed"
+	newCase.ProcessWorkflowForStatus(oldCase)
+	assert.NotNil(tester, newCase.CompleteTime)
+	assert.True(tester, newCase.CompleteTime.After(*oldCase.CompleteTime))
+
 	oldCase.Status = "new"
 	oldCase.StartTime = &now
 	newCase.Status = "in progress"

From e868b702f0a90548a0f7cd55946dc0f6ef45c43a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 6 Jan 2022 21:29:58 -0500
Subject: [PATCH 72/98] reference category from route object

---
 html/js/routes/hunt.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 32d43271..2451ea9c 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -722,7 +722,7 @@ const huntComponent = {
         this.actions.forEach(function(action, index) {
           action.enabled = true;
 
-          if (action.categories && action.categories.indexOf(this.category) == -1) {
+          if (action.categories && action.categories.indexOf(route.category) == -1) {
             action.enabled = false;
           }
 

From 2bd0bbf0214616de52f955905193a1108b881cb5 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 7 Jan 2022 12:57:35 -0500
Subject: [PATCH 73/98] Add localization for new case exclusion toggle

---
 html/js/i18n.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index e134936f..f40920af 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -94,6 +94,7 @@ const i18n = {
       caseTitleHelp: 'Brief summary of the case',
       caseTlp: 'TLP',
       caseTlpHelp: 'Traffic Light Protocol',
+      caseExcludeToggle: 'Exclude case data',
       category: 'Category',
 
       chartTitleBottom: 'Fewest Occurrences',

From 650fe6daf6e3bb3d9e84d7e9e3509bfa07b87469 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 7 Jan 2022 15:28:19 -0500
Subject: [PATCH 74/98] Restore original max log len default

---
 server/modules/elastic/elastic.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 3af78a4e..3112ffa3 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -27,7 +27,7 @@ const DEFAULT_CACHE_MS = 86400000
 const DEFAULT_INDEX = "*:so-*"
 const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
-const DEFAULT_MAX_LOG_LENGTH = 10240
+const DEFAULT_MAX_LOG_LENGTH = 1024
 
 type Elastic struct {
   config module.ModuleConfig

From 2d69bcb4844a33e3a0b4101d7613aad5ee1339b0 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 10 Jan 2022 10:45:55 -0500
Subject: [PATCH 75/98] Fix important comment typo

---
 rbac/permissions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rbac/permissions b/rbac/permissions
index b32a576a..87a21122 100644
--- a/rbac/permissions
+++ b/rbac/permissions
@@ -23,7 +23,7 @@ users/delete:     user-admin
 
 # Define low-level permission set inheritence relationships
 # Syntax      => roleB: roleA
-# Explanation => roleA inherits all of roleA's permissions
+# Explanation => roleA inherits all of roleB's permissions
 
 case-monitor:     case-admin
 event-monitor:    event-admin

From 547e66a3b086a57ed8954215848c715e117c7a19 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 16:10:07 -0500
Subject: [PATCH 76/98] Markdown changes

* Set break flag to true for marked
* Add ui hint for markdown fields
---
 html/css/app.css | 22 +++++++++++++++++++
 html/index.html  | 57 ++++++++++++++++++++++++++++--------------------
 html/js/app.js   |  3 ++-
 html/js/i18n.js  |  1 +
 4 files changed, 58 insertions(+), 25 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 1b8beb9e..11d07c79 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -324,3 +324,25 @@ td {
 .case.avatar-font {
   font-size: 11px;
 }
+
+.case.markdown-icon{
+  text-decoration: none;
+}
+
+.theme--light.v-application .case.description {
+  background-color: rgba(0,0,0,.05);
+  border-radius: 0.25em;
+}
+
+.theme--dark.v-application .case.description {
+  background-color: hsla(0,0%,100%,.1);
+  border-radius: 0.25em;
+}
+
+.case.markdown-icon i {
+  color: var(--v-secondary-lighten3);
+}
+
+.case.markdown-icon:hover i {
+  color: var(--v-primary-base);
+}
diff --git a/html/index.html b/html/index.html
index 8b100040..8ae82fb4 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1256,9 +1256,12 @@ <h2>{{ i18n.description }}</h2>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
-                <div class="mb-2">
+                <div class="mb-2 pt-1 px-2 case description d-flex flex-column">
+                  <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
+                    <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                  </div>
                   <v-form v-model="editForm.valid" @submit.prevent>
-                    <v-textarea id="case-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseDescriptionHelp"/>
+                    <v-textarea id="case-desc-input" solo flat hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseDescriptionHelp"/>
                   </form>
                 </div>
                 <div class="d-inline-flex justify-end">
@@ -1298,18 +1301,21 @@ <h2>{{ i18n.description }}</h2>
                   <div id="comment-list">
                     <div v-for="(comment, index) in associations.comments" class="mb-8">
                       <div class="d-flex flex-column align-start ma-4">
-                        <v-col class="d-flex flex-column align-start pt-2 pb-0  pl-2 pr-0 pt-md-0">
-                          <div class="mt-1 mt-md-3 py-3 px-3 contrast-bg rounded rounded-md" style="width: 100%;">
+                        <v-col class="d-flex flex-column align-start pt-2 pt-md-0">
+                          <div class="mt-1 mt-md-3 pt-1 pb-2 px-2 contrast-bg rounded rounded-md" style="width: 100%;">
                             <div class="d-flex flex-column align-start">
-                              <div class="case d-block comment-body" v-if="!isEdit(`comment-${index}`)">
-                                <div class="mb-4">
+                              <div class="case d-block comment-body mt-2" v-if="!isEdit(`comment-${index}`)">
+                                <div class="mb-2">
                                   <div :id="`comment-${index}`" class="markdown-body" :inner-html.prop="comment.description | formatMarkdown"></div>
                                 </div>
                               </div>
                               <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
-                                <div class="mb-2">
+                                <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
+                                  <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                                </div>
+                                <div class="mb-3">
                                   <v-form v-model="editForm.valid" @submit.prevent>
-                                    <v-textarea id="comment-desc-input" outlined hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
+                                    <v-textarea id="comment-desc-input" solo flat hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" class="mb-1" :rules="[rules.required]"/>
                                   </v-form>
                                   <div class="d-inline-flex justify-end">
                                     <v-btn text small color="primary" class="align-self-end" @click="stopEdit()">
@@ -1356,26 +1362,29 @@ <h2>{{ i18n.description }}</h2>
                     </div>
                   </div>
                   <div class="d-flex flex-column align-start ma-4">
-                    <v-col id="new-comment" class="d-flex flex-column align-start pt-2 pb-0 pl-2 pr-0 pt-md-0">
-                      <div class="mt-1 mt-md-3 py-3 px-4 contrast-bg rounded rounded-md" style="width: 100%;">
-                      <div class="d-flex flex-column align-start">
-                        <div class="d-flex flex-column" style="width: 100%;">
-                          <div class="mb-2">
-                            <div class="d-inline-flex align-center mb-3">
-                              <v-avatar color="primary" size="28" class="mr-2">
-                                <div class="font-weight-bold" :title="$root.username">
-                                {{ $root.getAvatar($root.username) }}
-                                </div>
-                              </v-avatar>
-                              <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
+                    <v-col id="new-comment" class="d-flex flex-column align-start pt-2 pt-md-0">
+                      <div class="mt-1 mt-md-3 pb-3 pt-1 contrast-bg rounded rounded-md" style="width: 100%;">
+                        <div class="d-flex flex-column align-start">
+                          <div class="d-inline-flex align-center mt-3 mx-2 mb-4">
+                            <v-avatar color="primary" size="28" class="mr-2">
+                              <div class="font-weight-bold" :title="$root.username">
+                              {{ $root.getAvatar($root.username) }}
+                              </div>
+                            </v-avatar>
+                            <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
+                          </div>
+                          <div class="d-flex flex-column" style="width: 100%;">
+                            <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-3">
+                              <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                            </div>
+                            <div class="mx-2">
+                              <v-form ref="comments" v-model="associatedForms['comments'].valid" @submit.prevent>
+                                <v-textarea  solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
+                              </v-form>
                             </div>
-                            <v-form ref="comments" v-model="associatedForms['comments'].valid" @submit.prevent>
-                              <v-textarea  solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
-                            </v-form>
                           </div>
                         </div>
                       </div>
-                      </div>
                       <div class="d-flex align-center align-self-end text-body-2 mt-2">
                         <div class="d-inline-flex justify-end">
                           <v-btn text small color="primary" class="align-self-end" @click="resetForm('comments')">
diff --git a/html/js/app.js b/html/js/app.js
index 3a0153ba..1c3c1c81 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -433,7 +433,8 @@ $(document).ready(function() {
       formatMarkdown(str) {
         marked.setOptions({
           renderer: new marked.Renderer(),
-          smartLists: true
+          smartLists: true,
+          breaks: true
         })
         marked.use({
           tokenizer: {
diff --git a/html/js/i18n.js b/html/js/i18n.js
index f40920af..4aa6bdc9 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -283,6 +283,7 @@ const i18n = {
       loginTitle: 'Login to Security Onion',
       logout: 'Logout',
       logoutFailure: 'Unable to initiate logout. Ensure server is accessible.',
+      markdownFormattingSupported: 'Markdown formatting supported',
       md5: 'MD5',
       message: 'Message',
       minutes: 'minutes',

From ef26c0a4a5223eb0e927cdb068490f46ef552bfe Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 16:12:58 -0500
Subject: [PATCH 77/98] Minor CSS + class changes

---
 html/css/app.css | 10 ----------
 html/index.html  |  2 +-
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index 11d07c79..f3c226e6 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -329,16 +329,6 @@ td {
   text-decoration: none;
 }
 
-.theme--light.v-application .case.description {
-  background-color: rgba(0,0,0,.05);
-  border-radius: 0.25em;
-}
-
-.theme--dark.v-application .case.description {
-  background-color: hsla(0,0%,100%,.1);
-  border-radius: 0.25em;
-}
-
 .case.markdown-icon i {
   color: var(--v-secondary-lighten3);
 }
diff --git a/html/index.html b/html/index.html
index 8ae82fb4..ff708bc0 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1256,7 +1256,7 @@ <h2>{{ i18n.description }}</h2>
                 </div>
               </div>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
-                <div class="mb-2 pt-1 px-2 case description d-flex flex-column">
+                <div class="mb-2 pt-1 px-2 rounded rounded-md contrast-bg d-flex flex-column">
                   <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
                     <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
                   </div>

From 58f0915a2c9e9a1ab953c9e83f2ca1d614532ad8 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 16:30:36 -0500
Subject: [PATCH 78/98] Padding and display changes for better small screen
 viewing

---
 html/index.html | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/html/index.html b/html/index.html
index ff708bc0..6dabbead 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1278,29 +1278,29 @@ <h2>{{ i18n.description }}</h2>
               <v-tabs grow v-model="activeTab">
                 <v-tab id="case_commentsTab" href="#comments">
                   <v-icon left>fa-comments</v-icon>
-                  <div class="d-none d-sm-block">{{ i18n.comments }}</div>
+                  <div class="d-none d-lg-block">{{ i18n.comments }}</div>
                 </v-tab>
                 <v-tab id="case_attachmentTab" href="#attachments">
                   <v-icon left>fa-paperclip</v-icon>
-                  <div class="d-none d-sm-block">{{ i18n.attachments }}</div>
+                  <div class="d-none d-lg-block">{{ i18n.attachments }}</div>
                 </v-tab>
                 <v-tab id="case_evidenceTab" href="#evidence">
                   <v-icon left>fa-eye</v-icon>
-                  <div class="d-none d-sm-block">{{ i18n.evidence }}</div>
+                  <div class="d-none d-lg-block">{{ i18n.evidence }}</div>
                 </v-tab>
                 <v-tab id="case_eventsTab" href="#events">
                   <v-icon left>fa-link</v-icon>
-                  <div class="d-none d-sm-block">{{ i18n.events }}</div>
+                  <div class="d-none d-lg-block">{{ i18n.events }}</div>
                 </v-tab>
                 <v-tab id="case_historyTab" href="#history">
                   <v-icon left>fa-history</v-icon>
-                  <div class="d-none d-sm-block">{{ i18n.history }}</div>
+                  <div class="d-none d-lg-block">{{ i18n.history }}</div>
                 </v-tab>
   
                 <v-tab-item value="comments">
                   <div id="comment-list">
                     <div v-for="(comment, index) in associations.comments" class="mb-8">
-                      <div class="d-flex flex-column align-start ma-4">
+                      <div class="d-flex flex-column align-start my-4">
                         <v-col class="d-flex flex-column align-start pt-2 pt-md-0">
                           <div class="mt-1 mt-md-3 pt-1 pb-2 px-2 contrast-bg rounded rounded-md" style="width: 100%;">
                             <div class="d-flex flex-column align-start">
@@ -1329,7 +1329,7 @@ <h2>{{ i18n.description }}</h2>
                               </div>
                               <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
                                 <div class="d-inline-flex align-center mr-1">
-                                  <v-avatar color="primary" size="24" class="mr-2">
+                                  <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex">
                                     <div class="case avatar-font" :title="comment.owner">
                                       {{ $root.getAvatar(comment.owner) }}
                                     </div>
@@ -1361,7 +1361,7 @@ <h2>{{ i18n.description }}</h2>
                       </div>           
                     </div>
                   </div>
-                  <div class="d-flex flex-column align-start ma-4">
+                  <div class="d-flex flex-column align-start my-4">
                     <v-col id="new-comment" class="d-flex flex-column align-start pt-2 pt-md-0">
                       <div class="mt-1 mt-md-3 pb-3 pt-1 contrast-bg rounded rounded-md" style="width: 100%;">
                         <div class="d-flex flex-column align-start">

From 530a1d4886dc4f7af1d21d71876a1f06d50d83d7 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 16:39:44 -0500
Subject: [PATCH 79/98] Add support for detecting hash observable types

---
 html/js/routes/case.js      | 6 +++++-
 html/js/routes/case.test.js | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index ef9d531f..8053e8a0 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -15,6 +15,7 @@ const domainRegex = /^(xn\-\-)?([a-z0-9\-]{1,61}|[a-z0-9\-]{1,30})\.[a-z]{2,}$/;
 const urlRegex = /^[a-z]+:\/\//;
 const filenameRegex = /(\/)?[\w,\s-]+\.[A-Za-z]{3}$/;
 const uriPathRegex = /^\/[\w,\s-]/;
+const hashRegex = /^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$|^[0-9a-fA-F]{128}$/;
 
 routes.push({ path: '/case/:id', name: 'case', component: {
   template: '#page-case',
@@ -603,6 +604,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         artifactType = "filename"
       } else if (uriPathRegex.test(value)) {
         artifactType = "uri_path"
+      } else if (hashRegex.test(value)) {
+        artifactType = "hash"
       }
       return artifactType;
     },
@@ -612,7 +615,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.associatedForms[association].value = value.toString();
       this.associatedForms[association].description = key;
       const artifactType = this.mapArtifactTypeFromValue(value.toString());
-      if (artifactType) {
+      typePresets = this.getPresets('evidence');
+      if (artifactType && typePresets && typePresets.indexOf(artifactType)) {
         this.associatedForms[association].artifactType = artifactType;
       }
       this.switchToTab(association);
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index b790a44d..cc2d5e38 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -620,6 +620,10 @@ test('mapArtifactTypeFromValue', () => {
   expect(comp.mapArtifactTypeFromValue('2.3.113.234')).toBe('ip')
   expect(comp.mapArtifactTypeFromValue('ff02::1:ffc5:a922')).toBe('ip')
   expect(comp.mapArtifactTypeFromValue('ff02::16')).toBe('ip')
+  expect(comp.mapArtifactTypeFromValue('0e2fc59194659497c8d0aec1762add1324ad2e02549bb3e41d58ca8f39e14843')).toBe('hash')
+  expect(comp.mapArtifactTypeFromValue('3b43c8fadd64750525a2e285d83fa01d62227999')).toBe('hash')
+  expect(comp.mapArtifactTypeFromValue('0e2fc59194659497c8d0aec1762add1324ad2e02549bb3e41d58ca8f39e14843')).toBe('hash')
+  expect(comp.mapArtifactTypeFromValue('ea04541a17986a92e4d68f57e97d477845e778721044d0dcf96d380a7eddfc427a7ff0528931c39c35428cf78176da2c9741023b9c298be82521c96d547d68e8')).toBe('hash')
 });
 
 test('mapAssociatedPath', () => {

From c4bdd1cb811eed388095836a24d9f7626409120e Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 17:07:46 -0500
Subject: [PATCH 80/98] Support var sub in default queries

---
 Dockerfile.kratos           | 2 +-
 html/js/routes/hunt.js      | 8 +++++++-
 html/js/routes/hunt.test.js | 9 +++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/Dockerfile.kratos b/Dockerfile.kratos
index 748c680d..7155fc2f 100644
--- a/Dockerfile.kratos
+++ b/Dockerfile.kratos
@@ -11,7 +11,7 @@
 FROM ghcr.io/security-onion-solutions/golang:alpine AS builder
 
 ARG OWNER=ory
-ARG VERSION=v0.7.6-alpha.1
+ARG VERSION=v0.8.2-alpha.1
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2451ea9c..2c239cc9 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -193,7 +193,7 @@ const huntComponent = {
       this.relativeTimeUnit = params["relativeTimeUnit"];
       this.mruQueryLimit = params["mostRecentlyUsedLimit"];
       this.queryBaseFilter = params["queryBaseFilter"];
-      this.queries = params["queries"];
+      this.queries = this.applyQuerySubstitutions(params["queries"]);
       this.filterToggles = params["queryToggleFilters"];
       this.eventFields = params["eventFields"];
       this.advanced = params["advanced"];
@@ -230,6 +230,12 @@ const huntComponent = {
         this.hunt(true);
       }
     },
+    applyQuerySubstitutions(queries) {
+      queries.forEach(query => {
+        query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
+      });
+      return queries;
+    },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
       this.toggleQuickAction();
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index d547e81f..eb49ba35 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -262,3 +262,12 @@ test('buildCase', () => {
       'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', '');
 
 });
+
+test('applyQuerySubstitutions', () => {
+  comp.$root.user = {id:'123'};
+  const queries = [{ query: 'foo'}, { query: 'bar:{myId}' }];
+  const newQueries = comp.applyQuerySubstitutions(queries);
+  expect(newQueries).toBe(queries);
+  expect(newQueries[0].query).toBe('foo');
+  expect(newQueries[1].query).toBe('bar:123');
+});
\ No newline at end of file

From 892eed4a183518ba8f22758b9e5fa65138034426 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 17:12:21 -0500
Subject: [PATCH 81/98] Revert "Support var sub in default queries"

This reverts commit c4bdd1cb811eed388095836a24d9f7626409120e.
---
 Dockerfile.kratos           | 2 +-
 html/js/routes/hunt.js      | 8 +-------
 html/js/routes/hunt.test.js | 9 ---------
 3 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/Dockerfile.kratos b/Dockerfile.kratos
index 7155fc2f..748c680d 100644
--- a/Dockerfile.kratos
+++ b/Dockerfile.kratos
@@ -11,7 +11,7 @@
 FROM ghcr.io/security-onion-solutions/golang:alpine AS builder
 
 ARG OWNER=ory
-ARG VERSION=v0.8.2-alpha.1
+ARG VERSION=v0.7.6-alpha.1
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2c239cc9..2451ea9c 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -193,7 +193,7 @@ const huntComponent = {
       this.relativeTimeUnit = params["relativeTimeUnit"];
       this.mruQueryLimit = params["mostRecentlyUsedLimit"];
       this.queryBaseFilter = params["queryBaseFilter"];
-      this.queries = this.applyQuerySubstitutions(params["queries"]);
+      this.queries = params["queries"];
       this.filterToggles = params["queryToggleFilters"];
       this.eventFields = params["eventFields"];
       this.advanced = params["advanced"];
@@ -230,12 +230,6 @@ const huntComponent = {
         this.hunt(true);
       }
     },
-    applyQuerySubstitutions(queries) {
-      queries.forEach(query => {
-        query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
-      });
-      return queries;
-    },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
       this.toggleQuickAction();
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index eb49ba35..d547e81f 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -262,12 +262,3 @@ test('buildCase', () => {
       'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', '');
 
 });
-
-test('applyQuerySubstitutions', () => {
-  comp.$root.user = {id:'123'};
-  const queries = [{ query: 'foo'}, { query: 'bar:{myId}' }];
-  const newQueries = comp.applyQuerySubstitutions(queries);
-  expect(newQueries).toBe(queries);
-  expect(newQueries[0].query).toBe('foo');
-  expect(newQueries[1].query).toBe('bar:123');
-});
\ No newline at end of file

From 3fbdd01a482e98f7d54fcc55cf4815bf6a836dfb Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 13 Jan 2022 17:13:37 -0500
Subject: [PATCH 82/98] Support var sub in default queries

---
 html/js/routes/hunt.js      | 8 +++++++-
 html/js/routes/hunt.test.js | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2451ea9c..2c239cc9 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -193,7 +193,7 @@ const huntComponent = {
       this.relativeTimeUnit = params["relativeTimeUnit"];
       this.mruQueryLimit = params["mostRecentlyUsedLimit"];
       this.queryBaseFilter = params["queryBaseFilter"];
-      this.queries = params["queries"];
+      this.queries = this.applyQuerySubstitutions(params["queries"]);
       this.filterToggles = params["queryToggleFilters"];
       this.eventFields = params["eventFields"];
       this.advanced = params["advanced"];
@@ -230,6 +230,12 @@ const huntComponent = {
         this.hunt(true);
       }
     },
+    applyQuerySubstitutions(queries) {
+      queries.forEach(query => {
+        query.query = query.query.replace(/\{myId\}/g, this.$root.user.id);
+      });
+      return queries;
+    },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
       this.toggleQuickAction();
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index d547e81f..eb49ba35 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -262,3 +262,12 @@ test('buildCase', () => {
       'myTitle', comp.i18n.caseEscalatedDescription, 'mySeverity', '');
 
 });
+
+test('applyQuerySubstitutions', () => {
+  comp.$root.user = {id:'123'};
+  const queries = [{ query: 'foo'}, { query: 'bar:{myId}' }];
+  const newQueries = comp.applyQuerySubstitutions(queries);
+  expect(newQueries).toBe(queries);
+  expect(newQueries[0].query).toBe('foo');
+  expect(newQueries[1].query).toBe('bar:123');
+});
\ No newline at end of file

From 3992bab9f05a538030c73c9d906964848bdd96cb Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 14 Jan 2022 10:47:54 -0500
Subject: [PATCH 83/98] Prevent internal error details from being included in
 API response

---
 html/js/i18n.js         | 22 +++++++++++-----------
 model/query.go          | 22 +++++++++++-----------
 model/query_test.go     | 36 ++++++++++++++++++------------------
 server/casehandler.go   |  2 +-
 web/basehandler.go      | 13 ++++++++++++-
 web/basehandler_test.go |  9 +++++++++
 6 files changed, 62 insertions(+), 42 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 4aa6bdc9..80598764 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -442,17 +442,17 @@ const i18n = {
       whatsnew: 'What\'s New',
       yes: 'Yes',
 
-      CASE_MODULE_NOT_ENABLED: 'A case module has not been configured for this installation. Unable to proceed with request.',
-      QUERY_INVALID__GROUP_EMPTY: 'The search query has an empty group.',
-      QUERY_INVALID__GROUP_INCOMPLETE: 'The search query is missing an ending parenthesis.',
-      QUERY_INVALID__GROUP_NOT_STARTED: 'The search query has an extra parenthesis.',
-      QUERY_INVALID__GROUPBY_TERMS_MISSING: 'The search query is has a malformed groupby segment.',
-      QUERY_INVALID__QUOTE_INCOMPLETE: 'The search query is missing an ending double quote.',
-      QUERY_INVALID__SEARCH_MISSING: 'The search query is missing the search criteria.',
-      QUERY_INVALID__SEARCH_TERMS_MISSING: 'The search query is missing search terms.',
-      QUERY_INVALID__SEGMENT_EMPTY: 'The search query has an incomplete segment (pipe) function.',
-      QUERY_INVALID__SEGMENT_UNSUPPORTED: 'The search query contains an unsupported segment (pipe) function.',
-      QUERY_INVALID__TERM_MISSING: 'The search query is incomplete.',
+      ERROR_CASE_MODULE_NOT_ENABLED: 'A case module has not been configured for this installation. Unable to proceed with request.',
+      ERROR_QUERY_INVALID__GROUP_EMPTY: 'The search query has an empty group.',
+      ERROR_QUERY_INVALID__GROUP_INCOMPLETE: 'The search query is missing an ending parenthesis.',
+      ERROR_QUERY_INVALID__GROUP_NOT_STARTED: 'The search query has an extra parenthesis.',
+      ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING: 'The search query is has a malformed groupby segment.',
+      ERROR_QUERY_INVALID__QUOTE_INCOMPLETE: 'The search query is missing an ending double quote.',
+      ERROR_QUERY_INVALID__SEARCH_MISSING: 'The search query is missing the search criteria.',
+      ERROR_QUERY_INVALID__SEARCH_TERMS_MISSING: 'The search query is missing search terms.',
+      ERROR_QUERY_INVALID__SEGMENT_EMPTY: 'The search query has an incomplete segment (pipe) function.',
+      ERROR_QUERY_INVALID__SEGMENT_UNSUPPORTED: 'The search query contains an unsupported segment (pipe) function.',
+      ERROR_QUERY_INVALID__TERM_MISSING: 'The search query is incomplete.',
     },
   },
 
diff --git a/model/query.go b/model/query.go
index f40475c6..e411f5cf 100644
--- a/model/query.go
+++ b/model/query.go
@@ -43,7 +43,7 @@ func sanitize(field string) string {
 func NewQueryTerm(str string) (*QueryTerm, error) {
   field := sanitize(str)
   if len(field) == 0 {
-    return nil, errors.New("QUERY_INVALID__TERM_MISSING")
+    return nil, errors.New("ERROR_QUERY_INVALID__TERM_MISSING")
   }
 
   term := &QueryTerm{
@@ -96,7 +96,7 @@ func NewSegment(kind string, terms []*QueryTerm) (QuerySegment, error) {
   case SegmentKind_SortBy:
     return NewSortBySegment(terms)
   }
-  return nil, errors.New("QUERY_INVALID__SEGMENT_UNSUPPORTED")
+  return nil, errors.New("ERROR_QUERY_INVALID__SEGMENT_UNSUPPORTED")
 }
 
 func (segment *BaseSegment) TermsAsString() string {
@@ -180,7 +180,7 @@ func NewSearchSegmentEmpty() *SearchSegment {
 
 func NewSearchSegment(terms []*QueryTerm) (*SearchSegment, error) {
   if terms == nil || len(terms) == 0 {
-    return nil, errors.New("QUERY_INVALID__SEARCH_TERMS_MISSING")
+    return nil, errors.New("ERROR_QUERY_INVALID__SEARCH_TERMS_MISSING")
   }
 
   segment := NewSearchSegmentEmpty()
@@ -259,7 +259,7 @@ func NewGroupBySegmentEmpty() *GroupBySegment {
 
 func NewGroupBySegment(terms []*QueryTerm) (*GroupBySegment, error) {
   if terms == nil || len(terms) == 0 {
-    return nil, errors.New("QUERY_INVALID__GROUPBY_TERMS_MISSING")
+    return nil, errors.New("ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING")
   }
 
   segment := NewGroupBySegmentEmpty()
@@ -290,7 +290,7 @@ func NewSortBySegmentEmpty() *SortBySegment {
 
 func NewSortBySegment(terms []*QueryTerm) (*SortBySegment, error) {
   if terms == nil || len(terms) == 0 {
-    return nil, errors.New("QUERY_INVALID__SORTBY_TERMS_MISSING")
+    return nil, errors.New("ERROR_QUERY_INVALID__SORTBY_TERMS_MISSING")
   }
 
   segment := NewSortBySegmentEmpty()
@@ -372,7 +372,7 @@ func (query *Query) Parse(str string) error {
             currentTermBuilder.Reset()
           }
           if len(currentSegmentTerms) == 0 {
-            return errors.New("QUERY_INVALID__SEGMENT_EMPTY")
+            return errors.New("ERROR_QUERY_INVALID__SEGMENT_EMPTY")
           }
           if currentSegmentKind == "" {
             currentSegmentKind = currentSegmentTerms[0].String()
@@ -397,13 +397,13 @@ func (query *Query) Parse(str string) error {
         } else if !escaping && ch == '(' {
           grouping++
         } else if !escaping && ch == ')' {
-          return errors.New("QUERY_INVALID__GROUP_NOT_STARTED")
+          return errors.New("ERROR_QUERY_INVALID__GROUP_NOT_STARTED")
         } else {
           currentTermBuilder.WriteRune(ch)
         }
       } else if !escaping && ch == ')' && grouping == 1 {
         if currentTermBuilder.Len() == 0 {
-          return errors.New("QUERY_INVALID__GROUP_EMPTY")
+          return errors.New("ERROR_QUERY_INVALID__GROUP_EMPTY")
         }
         term, err := NewQueryTerm(currentTermBuilder.String())
         if err != nil {
@@ -441,10 +441,10 @@ func (query *Query) Parse(str string) error {
     }
   }
   if quoting {
-    return errors.New("QUERY_INVALID__QUOTE_INCOMPLETE")
+    return errors.New("ERROR_QUERY_INVALID__QUOTE_INCOMPLETE")
   }
   if grouping > 0 {
-    return errors.New("QUERY_INVALID__GROUP_INCOMPLETE")
+    return errors.New("ERROR_QUERY_INVALID__GROUP_INCOMPLETE")
   }
   if currentTermBuilder.Len() > 0 {
     term, err := NewQueryTerm(currentTermBuilder.String())
@@ -469,7 +469,7 @@ func (query *Query) Parse(str string) error {
   }
 
   if len(query.Segments) == 0 {
-    return errors.New("QUERY_INVALID__SEARCH_MISSING")
+    return errors.New("ERROR_QUERY_INVALID__SEARCH_MISSING")
   }
 
   return nil
diff --git a/model/query_test.go b/model/query_test.go
index ac92052c..150c50c3 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -73,33 +73,33 @@ func TestQueries(tester *testing.T) {
 	validateQuery(tester, "abcA|groupby\njjj", "abcA | groupby jjj")
 	validateQuery(tester, "abcA|\ngroupby\tjjj", "abcA | groupby jjj")
 
-	validateQuery(tester, "'abc4 def", "QUERY_INVALID__QUOTE_INCOMPLETE")
-	validateQuery(tester, "'abc9|", "QUERY_INVALID__QUOTE_INCOMPLETE")
+	validateQuery(tester, "'abc4 def", "ERROR_QUERY_INVALID__QUOTE_INCOMPLETE")
+	validateQuery(tester, "'abc9|", "ERROR_QUERY_INVALID__QUOTE_INCOMPLETE")
 
-	validateQuery(tester, "|", "QUERY_INVALID__SEGMENT_EMPTY")
-	validateQuery(tester, " |", "QUERY_INVALID__SEGMENT_EMPTY")
-	validateQuery(tester, " | abc", "QUERY_INVALID__SEGMENT_EMPTY")
-	validateQuery(tester, "abc6 def | |", "QUERY_INVALID__SEGMENT_EMPTY")
-	validateQuery(tester, "abc7 def || ", "QUERY_INVALID__SEGMENT_EMPTY")
+	validateQuery(tester, "|", "ERROR_QUERY_INVALID__SEGMENT_EMPTY")
+	validateQuery(tester, " |", "ERROR_QUERY_INVALID__SEGMENT_EMPTY")
+	validateQuery(tester, " | abc", "ERROR_QUERY_INVALID__SEGMENT_EMPTY")
+	validateQuery(tester, "abc6 def | |", "ERROR_QUERY_INVALID__SEGMENT_EMPTY")
+	validateQuery(tester, "abc7 def || ", "ERROR_QUERY_INVALID__SEGMENT_EMPTY")
 
-	validateQuery(tester, "abc7 def ) ", "QUERY_INVALID__GROUP_NOT_STARTED")
-	validateQuery(tester, "abc7 def () ", "QUERY_INVALID__GROUP_EMPTY")
-	validateQuery(tester, "abc (d e f", "QUERY_INVALID__GROUP_INCOMPLETE")
-	validateQuery(tester, "abc (d e f | ghi 'jkl' | mno", "QUERY_INVALID__GROUP_INCOMPLETE")
+	validateQuery(tester, "abc7 def ) ", "ERROR_QUERY_INVALID__GROUP_NOT_STARTED")
+	validateQuery(tester, "abc7 def () ", "ERROR_QUERY_INVALID__GROUP_EMPTY")
+	validateQuery(tester, "abc (d e f", "ERROR_QUERY_INVALID__GROUP_INCOMPLETE")
+	validateQuery(tester, "abc (d e f | ghi 'jkl' | mno", "ERROR_QUERY_INVALID__GROUP_INCOMPLETE")
 
-	validateQuery(tester, "abc (d e f) | groupby 'jkl' | mno", "QUERY_INVALID__SEGMENT_UNSUPPORTED")
+	validateQuery(tester, "abc (d e f) | groupby 'jkl' | mno", "ERROR_QUERY_INVALID__SEGMENT_UNSUPPORTED")
 
-	validateQuery(tester, "", "QUERY_INVALID__SEARCH_MISSING")
-	validateQuery(tester, " ", "QUERY_INVALID__SEARCH_MISSING")
+	validateQuery(tester, "", "ERROR_QUERY_INVALID__SEARCH_MISSING")
+	validateQuery(tester, " ", "ERROR_QUERY_INVALID__SEARCH_MISSING")
 
-	validateQuery(tester, "abcA|groupby", "QUERY_INVALID__GROUPBY_TERMS_MISSING")
-	validateQuery(tester, "abcA|groupby ", "QUERY_INVALID__GROUPBY_TERMS_MISSING")
+	validateQuery(tester, "abcA|groupby", "ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING")
+	validateQuery(tester, "abcA|groupby ", "ERROR_QUERY_INVALID__GROUPBY_TERMS_MISSING")
 
 	validateQuery(tester, "abcA|sortby\njjj, lll", "abcA | sortby jjj lll")
 	validateQuery(tester, "abcA|\nsortby\tjjj", "abcA | sortby jjj")
 
-	validateQuery(tester, "abcA|sortby", "QUERY_INVALID__SORTBY_TERMS_MISSING")
-	validateQuery(tester, "abcA|sortby ", "QUERY_INVALID__SORTBY_TERMS_MISSING")
+	validateQuery(tester, "abcA|sortby", "ERROR_QUERY_INVALID__SORTBY_TERMS_MISSING")
+	validateQuery(tester, "abcA|sortby ", "ERROR_QUERY_INVALID__SORTBY_TERMS_MISSING")
 }
 
 func validateGroup(tester *testing.T, orig string, group string, expected string) {
diff --git a/server/casehandler.go b/server/casehandler.go
index 29ea3586..08c0ab2c 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -37,7 +37,7 @@ func NewCaseHandler(srv *Server) *CaseHandler {
 
 func (caseHandler *CaseHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
   if caseHandler.server.Casestore == nil {
-    return http.StatusMethodNotAllowed, nil, errors.New("CASE_MODULE_NOT_ENABLED")
+    return http.StatusMethodNotAllowed, nil, errors.New("ERROR_CASE_MODULE_NOT_ENABLED")
   }
 
   if caseHandler.server.Casestore != nil {
diff --git a/web/basehandler.go b/web/basehandler.go
index 40758973..b37ef7e3 100644
--- a/web/basehandler.go
+++ b/web/basehandler.go
@@ -24,6 +24,8 @@ import (
   "time"
 )
 
+const GENERIC_ERROR_MESSAGE = "The request could not be processed. Contact a server admin for assistance with reviewing error details in SOC logs."
+
 type HandlerImpl interface {
   HandleNow(ctx context.Context, responseWriter http.ResponseWriter, request *http.Request) (int, interface{}, error)
 }
@@ -66,7 +68,8 @@ func (handler *BaseHandler) Handle(responseWriter http.ResponseWriter, request *
       statusCode = http.StatusInternalServerError
     }
     responseWriter.WriteHeader(statusCode)
-    bytes := []byte(err.Error())
+
+    bytes := []byte(handler.convertErrorToSafeString(err))
     contentLength = len(bytes)
     responseWriter.Write(bytes)
   }
@@ -85,6 +88,14 @@ func (handler *BaseHandler) Handle(responseWriter http.ResponseWriter, request *
   }).Info("Handled request")
 }
 
+func (handler *BaseHandler) convertErrorToSafeString(err error) string {
+  msg := err.Error()
+  if !strings.HasPrefix(msg, "ERROR_") {
+    msg = GENERIC_ERROR_MESSAGE
+  }
+  return msg
+}
+
 func (handler *BaseHandler) WriteJson(responseWriter http.ResponseWriter, request *http.Request, statusCode int, obj interface{}) (int, error) {
   jsonBytes, err := json.Marshal(obj)
   length := 0
diff --git a/web/basehandler_test.go b/web/basehandler_test.go
index f10fcafa..3e60a6f3 100644
--- a/web/basehandler_test.go
+++ b/web/basehandler_test.go
@@ -10,6 +10,7 @@
 package web
 
 import (
+  "errors"
   "github.com/stretchr/testify/assert"
   "strconv"
   "testing"
@@ -23,6 +24,7 @@ func NewTestHandler() *TestHandler {
   handler := &TestHandler{}
   return handler
 }
+
 func TestGetPathParameter(tester *testing.T) {
   handler := NewTestHandler()
   var testTable = []struct {
@@ -52,3 +54,10 @@ func TestGetPathParameter(tester *testing.T) {
     })
   }
 }
+
+func TestConvertErrorToSafeString(tester *testing.T) {
+  handler := NewTestHandler()
+
+  assert.Equal(tester, "ERROR_FOO", handler.convertErrorToSafeString(errors.New("ERROR_FOO")))
+  assert.Equal(tester, GENERIC_ERROR_MESSAGE, handler.convertErrorToSafeString(errors.New("ERROR2_FOO")))
+}

From 975ecbd5e1f534d4a078b08fcdbd0f35a50b753c Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 14 Jan 2022 12:33:44 -0500
Subject: [PATCH 84/98] Add ability to hunt for observable values; Fix settings
 page refresh bug; Show indicator for each row that is escalated; Prevent
 auto-detected types from being added to observable artifactType list if it's
 no longer a valid preset due to a customization

---
 html/index.html             |  3 +++
 html/js/app.js              |  6 ++++++
 html/js/i18n.js             |  1 +
 html/js/routes/case.js      |  4 ++--
 html/js/routes/case.test.js | 23 ++++++++++++++++++++++-
 html/js/routes/hunt.js      |  1 +
 6 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/html/index.html b/html/index.html
index 6dabbead..7ef5c33d 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1677,6 +1677,9 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                             <v-icon v-if="isExpanded('evidence', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-down</v-icon>
                             <v-icon v-if="!isExpanded('evidence', props.item)" :alt="i18n.expand" :title="i18n.expandHelp">fa-angle-right</v-icon>
                           </v-btn>
+                          <router-link class="no-underline" :to="{ name: 'hunt', query: {q: buildHuntQueryForValue(props.item.value)}}" :title="i18n.huntForEvidence">
+                            <v-icon :title="i18n.huntForEvidence">fa-crosshairs</v-icon>
+                          </router-link>
                         </td>                        
                         <td class="associated">{{ props.item.createTime | formatDateTime }}</td>
                         <td class="associated">{{ props.item.updateTime | formatDateTime }}</td>
diff --git a/html/js/app.js b/html/js/app.js
index 1c3c1c81..a5c2ef58 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -256,6 +256,7 @@ $(document).ready(function() {
         const redirectPage = this.getRedirectPage();
         if (redirectPage) {
           location.hash = '#' + redirectPage;
+          this.removeSearchParam('r');
         }
       },
       async loadServerSettings(background) {
@@ -333,6 +334,11 @@ $(document).ready(function() {
         const value = searchParams.get(param);
         return value;
       },
+      removeSearchParam(param) {
+        const searchParams = new URLSearchParams(window.location.search);
+        searchParams.delete(param);
+        window.location.search = searchParams.toString();
+      },
       loadParameters(section, callback) {
         if (this.parametersLoaded) {
           callback(this.parameters[section])
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 80598764..42187755 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -242,6 +242,7 @@ const i18n = {
       hunt: 'Hunt',
       huntForEvent: 'Hunt for this event',
       huntForFieldValue: 'Hunt for this field\'s value',
+      huntForEvidence: 'Hunt for this observable value',
       huntHelp: 'Start a new hunt based on the current filters',
       id: 'ID',
       importId: 'Import ID',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 8053e8a0..c9ad906b 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -615,8 +615,8 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       this.associatedForms[association].value = value.toString();
       this.associatedForms[association].description = key;
       const artifactType = this.mapArtifactTypeFromValue(value.toString());
-      typePresets = this.getPresets('evidence');
-      if (artifactType && typePresets && typePresets.indexOf(artifactType)) {
+      const typePresets = this.getPresets('artifactType');
+      if (artifactType && typePresets && typePresets.indexOf(artifactType) != -1) {
         this.associatedForms[association].artifactType = artifactType;
       }
       this.switchToTab(association);
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index cc2d5e38..153fd87b 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -644,4 +644,25 @@ test('getEventId', () => {
   const fakeEvent = { fields: { soc_id: 'xyz' }};
   expect(comp.getEventId(fakeEvent)).toBe('xyz');
   expect(comp.getEventId({ fields: {}})).toBe(comp.i18n.caseEventIdAggregation);
-});
\ No newline at end of file
+});
+
+test('populateAddObservableForm', () => {
+  comp.presets['artifactType'] = {labels:['ip']};
+  comp.activeTab = 'something';
+
+  comp.populateAddObservableForm('foo', 'bar');
+  expect(comp.associatedForms['evidence'].value).toBe('bar');
+  expect(comp.associatedForms['evidence'].description).toBe('foo');
+  expect(comp.associatedForms['evidence'].artifactType).toBe(undefined);
+  expect(comp.activeTab).toBe('evidence');
+
+  comp.populateAddObservableForm('foo', '3b43c8fadd64750525a2e285d83fa01d62227999');
+  expect(comp.associatedForms['evidence'].value).toBe('3b43c8fadd64750525a2e285d83fa01d62227999');
+  expect(comp.associatedForms['evidence'].description).toBe('foo');
+  expect(comp.associatedForms['evidence'].artifactType).toBe(undefined);
+
+  comp.populateAddObservableForm('foo', '12.34.56.78');
+  expect(comp.associatedForms['evidence'].value).toBe('12.34.56.78');
+  expect(comp.associatedForms['evidence'].description).toBe('foo');
+  expect(comp.associatedForms['evidence'].artifactType).toBe('ip');
+});
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2c239cc9..eacf768b 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -507,6 +507,7 @@ const huntComponent = {
           this.removeDataItemFromView(item["count"] ? this.groupByData : this.eventData, item);
         } else if (escalate) {
           this.$root.showTip(this.i18n.escalatedEventTip);
+          item['event.escalated'] = true;
         }
       } catch (error) {
         this.$root.showError(error);

From fd6888e6d02e73f6c310775ac9fa4346d2f9ad2f Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 14 Jan 2022 13:39:35 -0500
Subject: [PATCH 85/98] Show more coherent error when trying to escalate the
 same event to a case twice

---
 html/js/i18n.js                            | 1 +
 server/modules/elastic/elasticcasestore.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 42187755..b6fbfc7a 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -443,6 +443,7 @@ const i18n = {
       whatsnew: 'What\'s New',
       yes: 'Yes',
 
+      ERROR_CASE_EVENT_ALREADY_ATTACHED: 'The event is already attached to the selected case.',
       ERROR_CASE_MODULE_NOT_ENABLED: 'A case module has not been configured for this installation. Unable to proceed with request.',
       ERROR_QUERY_INVALID__GROUP_EMPTY: 'The search query has an empty group.',
       ERROR_QUERY_INVALID__GROUP_INCOMPLETE: 'The search query is missing an ending parenthesis.',
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index f625c2bd..84f2457d 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -479,7 +479,7 @@ func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *mo
             if value, ok := existingEvent.Fields["soc_id"]; ok {
               existingId := value.(string)
               if existingId == newId {
-                err = errors.New(fmt.Sprintf("Event ID '%s' has already been attached to this case", existingId))
+                err = errors.New("ERROR_CASE_EVENT_ALREADY_ATTACHED")
                 break
               }
             }

From ada3bfb0807d38a00283b943e03b8b7ddd5be18a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 14 Jan 2022 13:40:24 -0500
Subject: [PATCH 86/98] Show more coherent error when trying to escalate the
 same event to a case twice

---
 server/modules/elastic/elasticcasestore_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 962d39ec..0fba3346 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -936,7 +936,7 @@ func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 	event.CaseId = "123444"
 	event.Fields["soc_id"] = "myEventId"
 	_, err := store.CreateRelatedEvent(ctx, event)
-	assert.EqualError(tester, err, "Event ID 'myEventId' has already been attached to this case")
+	assert.EqualError(tester, err, "ERROR_CASE_EVENT_ALREADY_ATTACHED")
 }
 
 func TestGetRelatedEvent(tester *testing.T) {

From d87fa62cdf53eef3f3143a5d28f4b0d580554071 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 18 Jan 2022 13:59:06 -0500
Subject: [PATCH 87/98] Move related fields to root of document for field
 mapping purposes

---
 html/index.html                               |  2 +-
 html/js/routes/case.js                        |  2 +-
 model/case.go                                 |  2 +-
 server/modules/elastic/converter.go           | 29 +++++++++++++++++--
 server/modules/elastic/converter_test.go      | 16 +++++++++-
 .../modules/elastic/elasticcasestore_test.go  |  2 +-
 6 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/html/index.html b/html/index.html
index 7ef5c33d..1287f3c0 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1851,7 +1851,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                             <v-icon :title="i18n.huntForEvent">fa-crosshairs</v-icon>
                           </router-link>
                         </td>
-                        <td class="associated">{{ props.item.fields["@timestamp"] | formatTimestamp }}</td>
+                        <td class="associated">{{ props.item.fields["soc_timestamp"] | formatTimestamp }}</td>
                         <td class="associated">{{ getEventId(props.item) }}</td>
                         <td class="associated">{{ props.item.fields['event.category'] }}</td>
                         <td class="associated">{{ props.item.fields['event.module'] }}</td>                        
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index c9ad906b..b4bbab5c 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -87,7 +87,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         search: '',
         headers: [
           { text: this.$root.i18n.actions, width: '10.0em' },
-          { text: this.$root.i18n.timestamp, value: 'fields.timestamp' },
+          { text: this.$root.i18n.timestamp, value: 'fields["soc_timestamp"]' },
           { text: this.$root.i18n.id, value: 'fields["soc_id"]' },
           { text: this.$root.i18n.category, value: 'fields["event.category"]' },
           { text: this.$root.i18n.module, value: 'fields["event.module"]' },
diff --git a/model/case.go b/model/case.go
index c26c3794..ddf3e97d 100644
--- a/model/case.go
+++ b/model/case.go
@@ -82,7 +82,7 @@ func NewComment() *Comment {
 type RelatedEvent struct {
   Auditable
   CaseId string                 `json:"caseId"`
-  Fields map[string]interface{} `json:"fields"`
+  Fields map[string]interface{} `json:"fields,omitempty"`
 }
 
 func NewRelatedEvent() *RelatedEvent {
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index a005e67d..7294679e 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -488,11 +488,22 @@ func convertElasticEventToRelatedEvent(event *model.EventRecord) (*model.Related
 		if err == nil {
 			obj.Fields = make(map[string]interface{})
 			for key, value := range event.Payload {
-				if strings.HasPrefix(key, "related.fields.") {
-					key = strings.TrimPrefix(key, "related.fields.")
+
+				// The following logic unwinds the complications caused by the special treatment
+				// of related events performed by sibling function convertObjectToDocumentMap().
+				if !strings.HasPrefix(key, "@") &&
+					!strings.HasPrefix(key, "_") &&
+					key != "related.userId" &&
+					key != "related.caseId" &&
+					key != "related.createTime" &&
+					key != "related.updateTime" &&
+					key != "kind" &&
+					key != "operation" {
+
 					obj.Fields[key] = value
 				}
 			}
+
 			if value, ok := event.Payload["related.userId"]; ok {
 				obj.UserId = value.(string)
 			}
@@ -654,6 +665,20 @@ func convertFromElasticUpdateResults(store *ElasticEventstore, esJson string, re
 func convertObjectToDocumentMap(name string, obj interface{}) map[string]interface{} {
 	doc := make(map[string]interface{})
 	doc[name] = obj
+
+	switch name {
+	case "related":
+		// Related events have special handling in order to coerce the original event fields
+		// back to the root of the document. This is needed to re-use existing field mappings
+		related := obj.(*model.RelatedEvent)
+		for k, v := range related.Fields {
+			doc[k] = v
+		}
+
+		// Wipe out fields to avoid duplicating data
+		related.Fields = make(map[string]interface{})
+	}
+
 	doc["@timestamp"] = time.Now()
 	return doc
 }
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 378291f0..99218d06 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -258,6 +258,19 @@ func TestConvertObjectToDocumentMap(tester *testing.T) {
 	assert.NotNil(tester, actual["@timestamp"])
 }
 
+func TestConvertObjectToDocumentMapRelatedEvent(tester *testing.T) {
+	related := model.NewRelatedEvent()
+	related.UserId = "123"
+	related.Fields["foo"] = "bar"
+	actual := convertObjectToDocumentMap("related", related)
+	assert.NotNil(tester, actual)
+	assert.Equal(tester, "bar", actual["foo"])
+	assert.Equal(tester, "123", actual["related"].(*model.RelatedEvent).UserId)
+	assert.Nil(tester, actual["related.fields.foo"])
+	assert.Len(tester, related.Fields, 0)
+	assert.NotNil(tester, actual["@timestamp"])
+}
+
 func TestConvertToElasticIndexRequest(tester *testing.T) {
 	store := NewTestStore()
 	event := make(map[string]interface{})
@@ -511,7 +524,7 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	event.Payload = make(map[string]interface{})
 	event.Payload["kind"] = "related"
 	event.Payload["operation"] = "create"
-	event.Payload["related.fields.foo"] = "bar"
+	event.Payload["foo"] = "bar"
 	event.Payload["related.userId"] = "myUserId"
 	event.Payload["related.caseId"] = "myCaseId"
 	event.Time = myTime
@@ -525,6 +538,7 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	assert.Equal(tester, "myCaseId", obj.CaseId)
 	assert.Equal(tester, &myTime, obj.UpdateTime)
 	assert.Equal(tester, &myCreateTime, obj.CreateTime)
+	assert.Len(tester, obj.Fields, 1)
 	assert.Equal(tester, "bar", obj.Fields["foo"])
 }
 
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 0fba3346..3553a58c 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -924,7 +924,7 @@ func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 	// Mock the search for existing related events call
 	eventPayload := make(map[string]interface{})
 	eventPayload["kind"] = "related"
-	eventPayload["related.fields.soc_id"] = "myEventId"
+	eventPayload["soc_id"] = "myEventId"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}

From 4b93ad64bf5c5750c069a27be8118db75b23861a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 19 Jan 2022 08:30:26 -0500
Subject: [PATCH 88/98] Continue cleanup of related case schema refactor;
 Provide refresh buttons on case tabs to allow quick refresh of history,
 events, etc; Provide new Add Comment button to quick scroll/focus the comment
 text area into view; Update markdownguide link to point to the cheatsheat
 instead of main website

---
 html/index.html             | 55 +++++++++++++++++++++++++++-----
 html/js/app.js              |  5 +++
 html/js/i18n.js             |  8 +++++
 html/js/routes/case.js      | 63 +++++++++++++++++++++++--------------
 html/js/routes/case.test.js | 13 ++++++++
 html/js/routes/hunt.js      |  4 +--
 6 files changed, 114 insertions(+), 34 deletions(-)

diff --git a/html/index.html b/html/index.html
index 1287f3c0..9a003739 100644
--- a/html/index.html
+++ b/html/index.html
@@ -589,7 +589,10 @@ <h4 v-if="loaded">{{ i18n.eventTotal }} {{ totalEvents.toLocaleString() }}</h4>
                         </router-link>
                       </td>
                       <td v-for="field in eventHeaders" :key="field.value">
-                        <div class="quick-action-trigger d-inline-block" v-text="item[field.value]" @click="toggleQuickAction($event, item, field.value, item[field.value])"></div>
+                        <div class="quick-action-trigger d-inline-block" @click="toggleQuickAction($event, item, field.value, item[field.value])">
+                          <span v-if="field.value != 'soc_timestamp'" v-text="item[field.value]"/>
+                          <span v-if="field.value == 'soc_timestamp'" v-text="$root.formatLocalTimestamp(item[field.value], zone)"/>
+                        </div>
                       </td>
                     </tr>
                   </template>
@@ -1258,7 +1261,7 @@ <h2>{{ i18n.description }}</h2>
               <div class="d-flex flex-column" v-if="isEdit('case-description')">
                 <div class="mb-2 pt-1 px-2 rounded rounded-md contrast-bg d-flex flex-column">
                   <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
-                    <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                    <a class="case markdown-icon" href="https://www.markdownguide.org/cheat-sheet/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
                   </div>
                   <v-form v-model="editForm.valid" @submit.prevent>
                     <v-textarea id="case-desc-input" solo flat hide-details="auto" rows="5" dense color="text--black" v-model="editForm.val" :rules="[rules.required]" persistent-hint :hint="i18n.caseDescriptionHelp"/>
@@ -1298,6 +1301,18 @@ <h2>{{ i18n.description }}</h2>
                 </v-tab>
   
                 <v-tab-item value="comments">
+                  <v-row>
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn :title="i18n.addCommentHelp" color="primary" @click.stop="prepareForInput('comment-input')" id="add-comment-button">
+                          <v-icon>fa-plus</v-icon>
+                        </v-btn>
+                        <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="reloadAssociation('comments', true)" id="refresh-comments-button">
+                          <v-icon>fa-sync</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>  
                   <div id="comment-list">
                     <div v-for="(comment, index) in associations.comments" class="mb-8">
                       <div class="d-flex flex-column align-start my-4">
@@ -1311,7 +1326,7 @@ <h2>{{ i18n.description }}</h2>
                               </div>
                               <div class="d-flex flex-column" v-if="isEdit(`comment-${index}`)" style="width: 100%;">
                                 <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-1">
-                                  <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                                  <a class="case markdown-icon" href="https://www.markdownguide.org/cheat-sheet/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
                                 </div>
                                 <div class="mb-3">
                                   <v-form v-model="editForm.valid" @submit.prevent>
@@ -1375,11 +1390,11 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                           </div>
                           <div class="d-flex flex-column" style="width: 100%;">
                             <div class="d-flex flex-column flex-sm-row align-sm-center align-self-start text-body-2 mb-1 ml-3">
-                              <a class="case markdown-icon" href="https://www.markdownguide.org/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
+                              <a class="case markdown-icon" href="https://www.markdownguide.org/cheat-sheet/" target="_blank" :title="i18n.markdownFormattingSupported"><v-icon>fab fa-markdown</v-icon></a>
                             </div>
                             <div class="mx-2">
                               <v-form ref="comments" v-model="associatedForms['comments'].valid" @submit.prevent>
-                                <v-textarea  solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
+                                <v-textarea id="comment-input" solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
                               </v-form>
                             </div>
                           </div>
@@ -1403,9 +1418,12 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                   <v-row v-if="!isAdding('attachments')">
                     <v-col>
                       <v-toolbar class="elevation-0" fixed>
-                        <v-btn color="primary" @click.stop="enableAdding('attachments')" id="add-attachment-button">
+                        <v-btn :title="i18n.addAttachmentHelp" color="primary" @click.stop="enableAdding('attachments')" id="add-attachment-button">
                           <v-icon>fa-plus</v-icon>
                         </v-btn>
+                        <v-btn class="mx-1" :title="i18n.refreshAttachmentsHelp" color="secondary" @click.stop="reloadAssociation('attachments', true)" id="refresh-attachments-button">
+                          <v-icon>fa-sync</v-icon>
+                        </v-btn>
                       </v-toolbar>
                     </v-col>
                   </v-row>                    
@@ -1610,9 +1628,12 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                   <v-row v-if="!isAdding('evidence')">
                     <v-col>
                       <v-toolbar class="elevation-0" fixed>
-                        <v-btn color="primary" @click.stop="enableAdding('evidence')" id="add-evidence-button">
+                        <v-btn :title="i18n.addObservableHelp" color="primary" @click.stop="enableAdding('evidence')" id="add-evidence-button">
                           <v-icon>fa-plus</v-icon>
                         </v-btn>
+                        <v-btn class="mx-1" :title="i18n.refreshObservablesHelp" color="secondary" @click.stop="reloadAssociation('evidence', true)" id="refresh-observables-button">
+                          <v-icon>fa-sync</v-icon>
+                        </v-btn>
                       </v-toolbar>
                     </v-col>
                   </v-row>                    
@@ -1836,6 +1857,15 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                 </v-tab-item>
 
                 <v-tab-item value="events">
+                  <v-row>
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn :title="i18n.refreshEventsHelp" color="secondary" @click.stop="reloadAssociation('events', true)" id="refresh-events-button">
+                          <v-icon>fa-sync</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>                   
                   <v-text-field v-model="associatedTable['events'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="eventsTable" :sort-by.sync="associatedTable['events'].sortBy" :sort-desc.sync="associatedTable['events'].sortDesc" :items-per-page.sync="associatedTable['events'].itemsPerPage" 
                     :search="associatedTable['events'].search" :footer-props="associatedTable['events'].footerProps" must-sort :headers="associatedTable['events'].headers"
@@ -1862,7 +1892,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                       <tr>
                         <td :colspan="6" class="case">
                           <div class="mt-2">
-                            <v-row no-gutters class="py-1 case tabular-row" v-for="value, key in props.item.fields">
+                            <v-row no-gutters class="py-1 case tabular-row" v-for="value, key in props.item.fields" v-if="!key.startsWith(internalPrefix)">
                               <v-col cols="1">
                                 <v-btn :id="`events-${props.index}-addobservable`" icon small @click="populateAddObservableForm(key, value)">
                                   <v-icon :title="i18n.addObservable">fa-eye</v-icon>
@@ -1906,6 +1936,15 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                 </v-tab-item>
   
                 <v-tab-item value="history">
+                  <v-row>
+                    <v-col>
+                      <v-toolbar class="elevation-0" fixed>
+                        <v-btn :title="i18n.refreshHistoryHelp" color="secondary" @click.stop="reloadAssociation('history', true)" id="refresh-history-button">
+                          <v-icon>fa-sync</v-icon>
+                        </v-btn>
+                      </v-toolbar>
+                    </v-col>
+                  </v-row>                    
                   <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage" 
                     :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
diff --git a/html/js/app.js b/html/js/app.js
index a5c2ef58..fadda896 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -406,6 +406,11 @@ $(document).ready(function() {
       formatDateTime(date) {
         return this.formatDate(date, this.i18n.dateTimeFormat, this.i18n.dateUnknown);
       },
+      formatLocalTimestamp(date, tz) {
+        var utcTime = moment.utc(date);
+        var localTime = utcTime.tz(tz);
+        return localTime.format(this.i18n.timestampFormat);
+      },
       formatTimestamp(date) {
         return this.formatDate(date, this.i18n.timestampFormat, this.i18n.dateUnknown);
       },
diff --git a/html/js/i18n.js b/html/js/i18n.js
index b6fbfc7a..c32b2844 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -36,6 +36,9 @@ const i18n = {
       actionVirusTotal: 'VirusTotal',
       actionVirusTotalHelp: 'Analyze this field at virustotal.com',
       add: 'Add',
+      addAttachmentHelp: 'Add a new attachment to this case',
+      addCommentHelp: 'Add a new comment to this case',
+      addObservableHelp: 'Add a new observable to this case',
       addObservable: 'Add as new observable...',
       address: 'Address',
       admin: 'Administration',
@@ -335,6 +338,11 @@ const i18n = {
       reason: 'Reason',
       reconnecting: 'Attempting to connect to manager',
       refresh: 'Refresh',
+      refreshAttachmentsHelp: 'Refresh to view all recently added attachments for this case.',
+      refreshCommentsHelp: 'Refresh to view all recently added comments for this case.',
+      refreshObservablesHelp: 'Refresh to view all recently added observables for this case.',
+      refreshEventsHelp: 'Refresh to view all recently escalated events for this case.',
+      refreshHistoryHelp: 'Refresh to view the latest history for this case.',
       related: 'Events',
       relatedEventId: 'Related Event ID',
       relativeTimeHelp: 'Click the clock icon to change to absolute time',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index b4bbab5c..606bda2f 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -16,6 +16,7 @@ const urlRegex = /^[a-z]+:\/\//;
 const filenameRegex = /(\/)?[\w,\s-]+\.[A-Za-z]{3}$/;
 const uriPathRegex = /^\/[\w,\s-]/;
 const hashRegex = /^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$|^[0-9a-fA-F]{128}$/;
+const internalPrefix = "___";
 
 routes.push({ path: '/case/:id', name: 'case', component: {
   template: '#page-case',
@@ -82,16 +83,16 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         loading: false,
       },
       events: {
-        sortBy: 'fields.timestamp',
+        sortBy: 'fields.soc_timestamp',
         sortDesc: false,
         search: '',
         headers: [
           { text: this.$root.i18n.actions, width: '10.0em' },
-          { text: this.$root.i18n.timestamp, value: 'fields["soc_timestamp"]' },
-          { text: this.$root.i18n.id, value: 'fields["soc_id"]' },
-          { text: this.$root.i18n.category, value: 'fields["event.category"]' },
-          { text: this.$root.i18n.module, value: 'fields["event.module"]' },
-          { text: this.$root.i18n.dataset, value: 'fields["event.dataset"]' },
+          { text: this.$root.i18n.timestamp, value: 'fields.soc_timestamp' },
+          { text: this.$root.i18n.id, value: 'fields.soc_id' },
+          { text: this.$root.i18n.category, value: 'fields.' + internalPrefix + 'event_category' },
+          { text: this.$root.i18n.module, value: 'fields.' + internalPrefix + 'event_module' },
+          { text: this.$root.i18n.dataset, value: 'fields.' + internalPrefix + 'event_dataset' },
         ],
         itemsPerPage: 10,
         footerProps: { 'items-per-page-options': [10,50,250,1000] },
@@ -236,26 +237,21 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     async loadAssociations() {
       this.associationsLoading = true;
 
-      this.associations["comments"] = [];
-      this.loadAssociation('comments');
-
-      this.associations["tasks"] = [];
-      this.loadAssociation('tasks');
-
-      this.associations["attachments"] = [];
-      this.loadAssociation('attachments');
-
-      this.associations["evidence"] = [];
-      this.loadAssociation('evidence');
-
-      this.associations["events"] = [];
-      this.loadAssociation('events');
-
-      this.associations["history"] = [];
-      this.loadAssociation('history');
+      this.reloadAssociation("comments");
+      this.reloadAssociation("tasks");
+      this.reloadAssociation("attachments");
+      this.reloadAssociation("evidence");
+      this.reloadAssociation("events");
+      this.reloadAssociation("history");
 
       this.associationsLoading = false;
     },
+    async reloadAssociation(association, showLoadingIndicator = false) {
+      if (showLoadingIndicator) this.$root.startLoading();
+      this.associations[association] = [];
+      this.loadAssociation(association);
+      if (showLoadingIndicator) this.$root.stopLoading();
+    },
     async loadAssociation(association) {
       try {
         const route = this;
@@ -274,12 +270,28 @@ routes.push({ path: '/case/:id', name: 'case', component: {
             obj.kind = this.$root.localizeMessage(this.mapAssociatedKind(obj));
             obj.operation = this.$root.localizeMessage(obj.operation);
             this.associations[association].push(obj);
+            this.duplicateEventFields(obj);
           }
         }
       } catch (error) {
         this.$root.showError(error);
       }
     },
+    duplicateEventFields(obj) {
+      // Vuetify Data Tables has a flaw in that it cannot resolve object properties
+      // for the purpose of filtering, when the property name contains a dot (.)
+      // character. So our obj.fields["event.module"] won't work with filtering.
+      // To resolve this, we have to duplicate the field name into one with an 
+      // underscore instead of a dot. Fortunately these three event fields are
+      // small so it's not going cost much overhead.
+      if (obj && obj.fields) {
+        ["event.module", "event.category", "event.dataset"].forEach( field => {
+          if (obj.fields[field]) {
+            obj.fields[internalPrefix + field.replace(".", "_")] = obj.fields[field];
+          }
+        });
+      }
+    },
     isExpanded(association, row) {
       const expanded = this.associatedTable[association].expanded;
       for (var i = 0; i < expanded.length; i++) {
@@ -665,6 +677,11 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       }
       return id;
     },
+    prepareForInput(id) {
+      const el = document.getElementById(id)
+      el.scrollIntoView()
+      el.focus();
+    },
 
     saveLocalSettings() {
       localStorage['settings.case.mruCases'] = JSON.stringify(this.mruCases);
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 153fd87b..984b560a 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -646,6 +646,19 @@ test('getEventId', () => {
   expect(comp.getEventId({ fields: {}})).toBe(comp.i18n.caseEventIdAggregation);
 });
 
+test('duplicateEventFields', () => {
+    obj = { fields: { 'event.dataset': 'foo', 'event.module': 'bar', 'event.category': 'sho', 'event.blah': 'nope' }};
+    comp.duplicateEventFields(obj);
+    expect(obj.fields['event.dataset']).toBe('foo');
+    expect(obj.fields['event.module']).toBe('bar');
+    expect(obj.fields['event.category']).toBe('sho');
+    expect(obj.fields['event.blah']).toBe('nope');
+    expect(obj.fields['___event_dataset']).toBe('foo');
+    expect(obj.fields['___event_module']).toBe('bar');
+    expect(obj.fields['___event_category']).toBe('sho');
+    expect(obj.fields['___event_blah']).toBe(undefined);
+});
+
 test('populateAddObservableForm', () => {
   comp.presets['artifactType'] = {labels:['ip']};
   comp.activeTab = 'something';
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index eacf768b..a96656be 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -843,9 +843,7 @@ const huntComponent = {
           record.soc_id = event.id;
           record.soc_score = event.score;
           record.soc_type = event.type;
-          var utcTime = moment.utc(event.timestamp);
-          var localTime = utcTime.tz(route.zone);
-          record.soc_timestamp = localTime.format(route.i18n.timestampFormat);
+          record.soc_timestamp = event.timestamp;
           record.soc_source = event.source;
           records.push(record);
 

From ba57d6321d35afce8875b91ff11797dcad7d083a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 19 Jan 2022 14:27:44 -0500
Subject: [PATCH 89/98] Prefix all SO fields to avoid potential conflicts with
 future ECS changes

---
 html/index.html                               |  16 +-
 server/modules/elastic/converter.go           | 136 ++++++-----
 server/modules/elastic/converter_test.go      | 140 ++++++------
 server/modules/elastic/elastic.go             |   4 +-
 server/modules/elastic/elasticcasestore.go    |  41 ++--
 .../modules/elastic/elasticcasestore_test.go  | 213 +++++++++---------
 server/modules/elastic/template_test.go       |  10 +-
 7 files changed, 281 insertions(+), 279 deletions(-)

diff --git a/html/index.html b/html/index.html
index 9a003739..c6a63cd0 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1544,7 +1544,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               </div>
                             </div>
                           </v-container>
-                          <v-container fluid class="py-1">
+                          <v-container fluid class="py-2">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])"
                               @keypress.space.prevent="startEdit(`attachments-${props.index}-tlp-input`, props.item.tlp, `attachments-${props.index}-tlp`, 'tlp', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
@@ -1564,7 +1564,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                               />
                             </v-select>
                           </v-container>
-                          <v-container fluid class="py-1">
+                          <v-container fluid class="py-2">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])"
                               @keypress.space.prevent="startEdit(`attachments-${props.index}-tags-input`, props.item.tags, `attachments-${props.index}-tags`, 'tags', modifyAssociation, ['attachments', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
@@ -1768,7 +1768,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                               </div>
                             </div>
                           </v-container>
-                          <v-container fluid class="py-1">
+                          <v-container fluid class="py-2">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-ioc-input`, props.item.ioc, `evidence-${props.index}-ioc`, 'ioc', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.artifactIoc}}: </div>
@@ -1776,7 +1776,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                             </div>
                             <v-checkbox :id="`evidence-${props.index}-ioc-input`" v-if="isEdit(`evidence-${props.index}-ioc`)" v-model="editForm.val" v-on:change="stopEdit(true)" persistent-hint :hint="i18n.artifactIocHelp"/>
                           </v-container>
-                          <v-container fluid class="py-1">
+                          <v-container fluid class="py-2">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-tlp-input`, props.item.tlp, `evidence-${props.index}-tlp`, 'tlp', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTlp}}: </div>
@@ -1796,7 +1796,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                               />
                             </v-select>
                           </v-container>
-                          <v-container fluid class="py-1">
+                          <v-container fluid class="py-2">
                             <div tabindex="0" class="clicktoedit" @click="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])"
                               @keypress.space.prevent="startEdit(`evidence-${props.index}-tags-input`, props.item.tags, `evidence-${props.index}-tags`, 'tags', modifyAssociation, ['evidence', props.item])">
                               <div class="font-weight-bold">{{i18n.caseTags}}: </div>
@@ -1975,8 +1975,10 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           <span class="rounded ml-2">{{ props.item.kind }}</span>
                         </td>
                         <td class="associated">
-                          <span class="rounded mr-2">{{ props.item.operation }}</span>
-                          <v-icon v-if="props.item.operation == 'update'">fa-pencil-alt</v-icon>
+                          <v-icon v-if="props.item.operation == i18n.create">fa-plus</v-icon>
+                          <v-icon v-if="props.item.operation == i18n.delete">fa-trash</v-icon>
+                          <v-icon v-if="props.item.operation == i18n.update">fa-pencil-alt</v-icon>
+                          <span class="rounded ml-2">{{ props.item.operation }}</span>
                         </td>
                       </tr>
                     </template>
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 7294679e..a5560973 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -363,13 +363,13 @@ func parseTime(fieldmap map[string]interface{}, key string) *time.Time {
 	return &t
 }
 
-func convertElasticEventToAuditable(event *model.EventRecord, auditable *model.Auditable) error {
+func convertElasticEventToAuditable(event *model.EventRecord, auditable *model.Auditable, schemaPrefix string) error {
 	auditable.Id = event.Id
 	auditable.UpdateTime = &event.Time
-	if value, ok := event.Payload["kind"]; ok {
+	if value, ok := event.Payload[schemaPrefix+"kind"]; ok {
 		auditable.Kind = value.(string)
 	}
-	if value, ok := event.Payload["operation"]; ok {
+	if value, ok := event.Payload[schemaPrefix+"operation"]; ok {
 		auditable.Operation = value.(string)
 	}
 	return nil
@@ -394,53 +394,53 @@ func convertSeverity(sev string) string {
 	return sev
 }
 
-func convertElasticEventToCase(event *model.EventRecord) (*model.Case, error) {
+func convertElasticEventToCase(event *model.EventRecord, schemaPrefix string) (*model.Case, error) {
 	var err error
 	var obj *model.Case
 
 	if event != nil {
 		obj = model.NewCase()
-		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
 		if err == nil {
-			if value, ok := event.Payload["case.title"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.title"]; ok {
 				obj.Title = value.(string)
 			}
-			if value, ok := event.Payload["case.description"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.description"]; ok {
 				obj.Description = value.(string)
 			}
-			if value, ok := event.Payload["case.priority"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.priority"]; ok {
 				obj.Priority = int(value.(float64))
 			}
-			if value, ok := event.Payload["case.severity"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.severity"]; ok {
 				obj.Severity = convertSeverity(value.(string))
 			}
-			if value, ok := event.Payload["case.status"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.status"]; ok {
 				obj.Status = value.(string)
 			}
-			if value, ok := event.Payload["case.template"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.template"]; ok {
 				obj.Template = value.(string)
 			}
-			if value, ok := event.Payload["case.userId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload["case.assigneeId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.assigneeId"]; ok {
 				obj.AssigneeId = value.(string)
 			}
-			if value, ok := event.Payload["case.tlp"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.tlp"]; ok {
 				obj.Tlp = value.(string)
 			}
-			if value, ok := event.Payload["case.category"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.category"]; ok {
 				obj.Category = value.(string)
 			}
-			if value, ok := event.Payload["case.pap"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"case.pap"]; ok {
 				obj.Pap = value.(string)
 			}
-			if value, ok := event.Payload["case.tags"]; ok && value != nil {
+			if value, ok := event.Payload[schemaPrefix+"case.tags"]; ok && value != nil {
 				obj.Tags = convertToStringArray(value.([]interface{}))
 			}
-			obj.CreateTime = parseTime(event.Payload, "case.createTime")
-			obj.StartTime = parseTime(event.Payload, "case.startTime")
-			obj.CompleteTime = parseTime(event.Payload, "case.completeTime")
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"case.createTime")
+			obj.StartTime = parseTime(event.Payload, schemaPrefix+"case.startTime")
+			obj.CompleteTime = parseTime(event.Payload, schemaPrefix+"case.completeTime")
 		}
 	}
 	return obj, err
@@ -454,37 +454,37 @@ func convertToStringArray(input []interface{}) []string {
 	return out
 }
 
-func convertElasticEventToComment(event *model.EventRecord) (*model.Comment, error) {
+func convertElasticEventToComment(event *model.EventRecord, schemaPrefix string) (*model.Comment, error) {
 	var err error
 	var obj *model.Comment
 
 	if event != nil {
 		obj = model.NewComment()
-		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
 		if err == nil {
-			if value, ok := event.Payload["comment.description"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"comment.description"]; ok {
 				obj.Description = value.(string)
 			}
-			if value, ok := event.Payload["comment.userId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"comment.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload["comment.caseId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"comment.caseId"]; ok {
 				obj.CaseId = value.(string)
 			}
-			obj.CreateTime = parseTime(event.Payload, "comment.createTime")
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"comment.createTime")
 		}
 	}
 
 	return obj, err
 }
 
-func convertElasticEventToRelatedEvent(event *model.EventRecord) (*model.RelatedEvent, error) {
+func convertElasticEventToRelatedEvent(event *model.EventRecord, schemaPrefix string) (*model.RelatedEvent, error) {
 	var err error
 	var obj *model.RelatedEvent
 
 	if event != nil {
 		obj = model.NewRelatedEvent()
-		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
 		if err == nil {
 			obj.Fields = make(map[string]interface{})
 			for key, value := range event.Payload {
@@ -493,130 +493,124 @@ func convertElasticEventToRelatedEvent(event *model.EventRecord) (*model.Related
 				// of related events performed by sibling function convertObjectToDocumentMap().
 				if !strings.HasPrefix(key, "@") &&
 					!strings.HasPrefix(key, "_") &&
-					key != "related.userId" &&
-					key != "related.caseId" &&
-					key != "related.createTime" &&
-					key != "related.updateTime" &&
-					key != "kind" &&
-					key != "operation" {
-
+					!strings.HasPrefix(key, schemaPrefix) {
 					obj.Fields[key] = value
 				}
 			}
 
-			if value, ok := event.Payload["related.userId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"related.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload["related.caseId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"related.caseId"]; ok {
 				obj.CaseId = value.(string)
 			}
-			obj.CreateTime = parseTime(event.Payload, "related.createTime")
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"related.createTime")
 		}
 	}
 
 	return obj, err
 }
 
-func convertElasticEventToArtifact(event *model.EventRecord) (*model.Artifact, error) {
+func convertElasticEventToArtifact(event *model.EventRecord, schemaPrefix string) (*model.Artifact, error) {
 	var err error
 	var obj *model.Artifact
 
 	if event != nil {
 		obj = model.NewArtifact()
-		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
 		if err == nil {
-			if value, ok := event.Payload["artifact.userId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload["artifact.caseId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.caseId"]; ok {
 				obj.CaseId = value.(string)
 			}
-			if value, ok := event.Payload["artifact.groupType"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.groupType"]; ok {
 				obj.GroupType = value.(string)
 			}
-			if value, ok := event.Payload["artifact.groupId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.groupId"]; ok {
 				obj.GroupId = value.(string)
 			}
-			if value, ok := event.Payload["artifact.description"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.description"]; ok {
 				obj.Description = value.(string)
 			}
-			if value, ok := event.Payload["artifact.artifactType"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.artifactType"]; ok {
 				obj.ArtifactType = value.(string)
 			}
-			if value, ok := event.Payload["artifact.streamLength"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.streamLength"]; ok {
 				obj.StreamLen = int(value.(float64))
 			}
-			if value, ok := event.Payload["artifact.streamId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.streamId"]; ok {
 				obj.StreamId = value.(string)
 			}
-			if value, ok := event.Payload["artifact.mimeType"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.mimeType"]; ok {
 				obj.MimeType = value.(string)
 			}
-			if value, ok := event.Payload["artifact.value"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.value"]; ok {
 				obj.Value = value.(string)
 			}
-			if value, ok := event.Payload["artifact.tlp"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.tlp"]; ok {
 				obj.Tlp = value.(string)
 			}
-			if value, ok := event.Payload["artifact.tags"]; ok && value != nil {
+			if value, ok := event.Payload[schemaPrefix+"artifact.tags"]; ok && value != nil {
 				obj.Tags = convertToStringArray(value.([]interface{}))
 			}
-			if value, ok := event.Payload["artifact.ioc"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.ioc"]; ok {
 				obj.Ioc = value.(bool)
 			}
-			if value, ok := event.Payload["artifact.md5"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.md5"]; ok {
 				obj.Md5 = value.(string)
 			}
-			if value, ok := event.Payload["artifact.sha1"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.sha1"]; ok {
 				obj.Sha1 = value.(string)
 			}
-			if value, ok := event.Payload["artifact.sha256"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifact.sha256"]; ok {
 				obj.Sha256 = value.(string)
 			}
-			obj.CreateTime = parseTime(event.Payload, "artifact.createTime")
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"artifact.createTime")
 		}
 	}
 
 	return obj, err
 }
 
-func convertElasticEventToArtifactStream(event *model.EventRecord) (*model.ArtifactStream, error) {
+func convertElasticEventToArtifactStream(event *model.EventRecord, schemaPrefix string) (*model.ArtifactStream, error) {
 	var err error
 	var obj *model.ArtifactStream
 
 	if event != nil {
 		obj = model.NewArtifactStream()
-		err = convertElasticEventToAuditable(event, &obj.Auditable)
+		err = convertElasticEventToAuditable(event, &obj.Auditable, schemaPrefix)
 		if err == nil {
-			if value, ok := event.Payload["artifactstream.userId"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifactstream.userId"]; ok {
 				obj.UserId = value.(string)
 			}
-			if value, ok := event.Payload["artifactstream.content"]; ok {
+			if value, ok := event.Payload[schemaPrefix+"artifactstream.content"]; ok {
 				obj.Content = value.(string)
 			}
-			obj.CreateTime = parseTime(event.Payload, "artifactstream.createTime")
+			obj.CreateTime = parseTime(event.Payload, schemaPrefix+"artifactstream.createTime")
 		}
 	}
 
 	return obj, err
 }
 
-func convertElasticEventToObject(event *model.EventRecord) (interface{}, error) {
+func convertElasticEventToObject(event *model.EventRecord, schemaPrefix string) (interface{}, error) {
 	var obj interface{}
 	var err error
 
-	if value, ok := event.Payload["kind"]; ok {
+	if value, ok := event.Payload[schemaPrefix+"kind"]; ok {
 		switch value.(string) {
 		case "case":
-			obj, err = convertElasticEventToCase(event)
+			obj, err = convertElasticEventToCase(event, schemaPrefix)
 		case "comment":
-			obj, err = convertElasticEventToComment(event)
+			obj, err = convertElasticEventToComment(event, schemaPrefix)
 		case "related":
-			obj, err = convertElasticEventToRelatedEvent(event)
+			obj, err = convertElasticEventToRelatedEvent(event, schemaPrefix)
 		case "artifact":
-			obj, err = convertElasticEventToArtifact(event)
+			obj, err = convertElasticEventToArtifact(event, schemaPrefix)
 		case "artifactstream":
-			obj, err = convertElasticEventToArtifactStream(event)
+			obj, err = convertElasticEventToArtifactStream(event, schemaPrefix)
 		}
 	} else {
 		err = errors.New("Unknown object kind; id=" + event.Id)
@@ -662,9 +656,9 @@ func convertFromElasticUpdateResults(store *ElasticEventstore, esJson string, re
 	return err
 }
 
-func convertObjectToDocumentMap(name string, obj interface{}) map[string]interface{} {
+func convertObjectToDocumentMap(name string, obj interface{}, schemaPrefix string) map[string]interface{} {
 	doc := make(map[string]interface{})
-	doc[name] = obj
+	doc[schemaPrefix+name] = obj
 
 	switch name {
 	case "related":
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 99218d06..4760c9c4 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -252,9 +252,9 @@ func TestMapSearch(tester *testing.T) {
 
 func TestConvertObjectToDocumentMap(tester *testing.T) {
 	caseObj := model.NewCase()
-	actual := convertObjectToDocumentMap("test", caseObj)
+	actual := convertObjectToDocumentMap("test", caseObj, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NotNil(tester, actual)
-	assert.Equal(tester, caseObj, actual["test"])
+	assert.Equal(tester, caseObj, actual["so_test"])
 	assert.NotNil(tester, actual["@timestamp"])
 }
 
@@ -262,11 +262,11 @@ func TestConvertObjectToDocumentMapRelatedEvent(tester *testing.T) {
 	related := model.NewRelatedEvent()
 	related.UserId = "123"
 	related.Fields["foo"] = "bar"
-	actual := convertObjectToDocumentMap("related", related)
+	actual := convertObjectToDocumentMap("related", related, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NotNil(tester, actual)
 	assert.Equal(tester, "bar", actual["foo"])
-	assert.Equal(tester, "123", actual["related"].(*model.RelatedEvent).UserId)
-	assert.Nil(tester, actual["related.fields.foo"])
+	assert.Equal(tester, "123", actual["so_related"].(*model.RelatedEvent).UserId)
+	assert.Nil(tester, actual["so_related.fields.foo"])
 	assert.Len(tester, related.Fields, 0)
 	assert.NotNil(tester, actual["@timestamp"])
 }
@@ -292,7 +292,7 @@ func TestConvertFromElasticIndexResults(tester *testing.T) {
 }
 
 func TestConvertElasticEventToCaseNil(tester *testing.T) {
-	caseObj, err := convertElasticEventToCase(nil)
+	caseObj, err := convertElasticEventToCase(nil, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	assert.Nil(tester, caseObj)
 }
@@ -304,7 +304,7 @@ func TestConvertElasticEventToCaseWithoutTags(tester *testing.T) {
 	event.Payload["operation"] = "create"
 	event.Payload["case.tags"] = nil
 
-	_, err := convertElasticEventToCase(event)
+	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 }
 
@@ -316,28 +316,28 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "case"
-	event.Payload["operation"] = "update"
-	event.Payload["case.title"] = "myTitle"
-	event.Payload["case.description"] = "myDesc"
-	event.Payload["case.priority"] = float64(123)
-	event.Payload["case.severity"] = "medium"
-	event.Payload["case.status"] = "myStatus"
-	event.Payload["case.template"] = "myTemplate"
-	event.Payload["case.userId"] = "myUserId"
-	event.Payload["case.assigneeId"] = "myAssigneeId"
-	event.Payload["case.tlp"] = "myTlp"
-	event.Payload["case.pap"] = "myPap"
-	event.Payload["case.category"] = "myCategory"
+	event.Payload["so_kind"] = "case"
+	event.Payload["so_operation"] = "update"
+	event.Payload["so_case.title"] = "myTitle"
+	event.Payload["so_case.description"] = "myDesc"
+	event.Payload["so_case.priority"] = float64(123)
+	event.Payload["so_case.severity"] = "medium"
+	event.Payload["so_case.status"] = "myStatus"
+	event.Payload["so_case.template"] = "myTemplate"
+	event.Payload["so_case.userId"] = "myUserId"
+	event.Payload["so_case.assigneeId"] = "myAssigneeId"
+	event.Payload["so_case.tlp"] = "myTlp"
+	event.Payload["so_case.pap"] = "myPap"
+	event.Payload["so_case.category"] = "myCategory"
 	tags := make([]interface{}, 2, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
-	event.Payload["case.tags"] = tags
+	event.Payload["so_case.tags"] = tags
 	event.Time = myTime
-	event.Payload["case.createTime"] = myCreateTime
-	event.Payload["case.completeTime"] = myCompleteTime
-	event.Payload["case.startTime"] = myStartTime
-	interf, err := convertElasticEventToObject(event)
+	event.Payload["so_case.createTime"] = myCreateTime
+	event.Payload["so_case.completeTime"] = myCompleteTime
+	event.Payload["so_case.startTime"] = myStartTime
+	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	caseObj := interf.(*model.Case)
 	assert.Equal(tester, "case", caseObj.Kind)
@@ -362,7 +362,7 @@ func TestConvertElasticEventToCase(tester *testing.T) {
 }
 
 func TestConvertElasticEventToArtifactNil(tester *testing.T) {
-	artifactObj, err := convertElasticEventToArtifact(nil)
+	artifactObj, err := convertElasticEventToArtifact(nil, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	assert.Nil(tester, artifactObj)
 }
@@ -370,11 +370,11 @@ func TestConvertElasticEventToArtifactNil(tester *testing.T) {
 func TestConvertElasticEventToArtifactWithoutTags(tester *testing.T) {
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "artifact"
-	event.Payload["operation"] = "create"
-	event.Payload["case.tags"] = nil
+	event.Payload["so_kind"] = "artifact"
+	event.Payload["so_operation"] = "create"
+	event.Payload["so_case.tags"] = nil
 
-	_, err := convertElasticEventToCase(event)
+	_, err := convertElasticEventToCase(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 }
 
@@ -384,29 +384,29 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "artifact"
-	event.Payload["operation"] = "update"
-	event.Payload["artifact.value"] = "myValue"
-	event.Payload["artifact.description"] = "myDesc"
-	event.Payload["artifact.streamLength"] = float64(123)
-	event.Payload["artifact.streamId"] = "myStreamId"
-	event.Payload["artifact.groupType"] = "myGroupType"
-	event.Payload["artifact.groupId"] = "myGroupId"
-	event.Payload["artifact.userId"] = "myUserId"
-	event.Payload["artifact.artifactType"] = "myArtifactType"
-	event.Payload["artifact.tlp"] = "myTlp"
-	event.Payload["artifact.mimeType"] = "myMimeType"
-	event.Payload["artifact.ioc"] = true
-	event.Payload["artifact.md5"] = "myMd5"
-	event.Payload["artifact.sha1"] = "mySha1"
-	event.Payload["artifact.sha256"] = "mySha256"
+	event.Payload["so_kind"] = "artifact"
+	event.Payload["so_operation"] = "update"
+	event.Payload["so_artifact.value"] = "myValue"
+	event.Payload["so_artifact.description"] = "myDesc"
+	event.Payload["so_artifact.streamLength"] = float64(123)
+	event.Payload["so_artifact.streamId"] = "myStreamId"
+	event.Payload["so_artifact.groupType"] = "myGroupType"
+	event.Payload["so_artifact.groupId"] = "myGroupId"
+	event.Payload["so_artifact.userId"] = "myUserId"
+	event.Payload["so_artifact.artifactType"] = "myArtifactType"
+	event.Payload["so_artifact.tlp"] = "myTlp"
+	event.Payload["so_artifact.mimeType"] = "myMimeType"
+	event.Payload["so_artifact.ioc"] = true
+	event.Payload["so_artifact.md5"] = "myMd5"
+	event.Payload["so_artifact.sha1"] = "mySha1"
+	event.Payload["so_artifact.sha256"] = "mySha256"
 	tags := make([]interface{}, 2, 2)
 	tags[0] = "tag1"
 	tags[1] = "tag2"
-	event.Payload["artifact.tags"] = tags
+	event.Payload["so_artifact.tags"] = tags
 	event.Time = myTime
-	event.Payload["artifact.createTime"] = myCreateTime
-	interf, err := convertElasticEventToObject(event)
+	event.Payload["so_artifact.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	artifactObj := interf.(*model.Artifact)
 	assert.Equal(tester, "artifact", artifactObj.Kind)
@@ -432,7 +432,7 @@ func TestConvertElasticEventToArtifact(tester *testing.T) {
 }
 
 func TestConvertElasticEventToArtifactStreamNil(tester *testing.T) {
-	artifactObj, err := convertElasticEventToArtifactStream(nil)
+	artifactObj, err := convertElasticEventToArtifactStream(nil, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	assert.Nil(tester, artifactObj)
 }
@@ -443,13 +443,13 @@ func TestConvertElasticEventToArtifactStream(tester *testing.T) {
 
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "artifactstream"
-	event.Payload["operation"] = "create"
-	event.Payload["artifactstream.content"] = "myValue"
-	event.Payload["artifactstream.userId"] = "myUserId"
+	event.Payload["so_kind"] = "artifactstream"
+	event.Payload["so_operation"] = "create"
+	event.Payload["so_artifactstream.content"] = "myValue"
+	event.Payload["so_artifactstream.userId"] = "myUserId"
 	event.Time = myTime
-	event.Payload["artifactstream.createTime"] = myCreateTime
-	interf, err := convertElasticEventToObject(event)
+	event.Payload["so_artifactstream.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	obj := interf.(*model.ArtifactStream)
 	assert.Equal(tester, "artifactstream", obj.Kind)
@@ -486,7 +486,7 @@ func TestParseTime(tester *testing.T) {
 }
 
 func TestConvertElasticEventToCommentNil(tester *testing.T) {
-	obj, err := convertElasticEventToComment(nil)
+	obj, err := convertElasticEventToComment(nil, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	assert.Nil(tester, obj)
 }
@@ -497,14 +497,14 @@ func TestConvertElasticEventToComment(tester *testing.T) {
 
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "comment"
-	event.Payload["operation"] = "create"
-	event.Payload["comment.description"] = "myDesc"
-	event.Payload["comment.userId"] = "myUserId"
-	event.Payload["comment.caseId"] = "myCaseId"
+	event.Payload["so_kind"] = "comment"
+	event.Payload["so_operation"] = "create"
+	event.Payload["so_comment.description"] = "myDesc"
+	event.Payload["so_comment.userId"] = "myUserId"
+	event.Payload["so_comment.caseId"] = "myCaseId"
 	event.Time = myTime
-	event.Payload["comment.createTime"] = myCreateTime
-	interf, err := convertElasticEventToObject(event)
+	event.Payload["so_comment.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	obj := interf.(*model.Comment)
 	assert.Equal(tester, "comment", obj.Kind)
@@ -522,14 +522,14 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 
 	event := &model.EventRecord{}
 	event.Payload = make(map[string]interface{})
-	event.Payload["kind"] = "related"
-	event.Payload["operation"] = "create"
+	event.Payload["so_kind"] = "related"
+	event.Payload["so_operation"] = "create"
 	event.Payload["foo"] = "bar"
-	event.Payload["related.userId"] = "myUserId"
-	event.Payload["related.caseId"] = "myCaseId"
+	event.Payload["so_related.userId"] = "myUserId"
+	event.Payload["so_related.caseId"] = "myCaseId"
 	event.Time = myTime
-	event.Payload["related.createTime"] = myCreateTime
-	interf, err := convertElasticEventToObject(event)
+	event.Payload["so_related.createTime"] = myCreateTime
+	interf, err := convertElasticEventToObject(event, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.NoError(tester, err)
 	obj := interf.(*model.RelatedEvent)
 	assert.Equal(tester, "related", obj.Kind)
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 3112ffa3..846fccfe 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -28,6 +28,7 @@ const DEFAULT_INDEX = "*:so-*"
 const DEFAULT_ASYNC_THRESHOLD = 10
 const DEFAULT_INTERVALS = 25
 const DEFAULT_MAX_LOG_LENGTH = 1024
+const DEFAULT_CASE_SCHEMA_PREFIX = "so_"
 
 type Elastic struct {
   config module.ModuleConfig
@@ -77,8 +78,9 @@ func (elastic *Elastic) Init(cfg module.ModuleConfig) error {
         caseIndex := module.GetStringDefault(cfg, "caseIndex", DEFAULT_CASE_INDEX)
         auditIndex := module.GetStringDefault(cfg, "auditIndex", DEFAULT_CASE_AUDIT_INDEX)
         maxCaseAssociations := module.GetIntDefault(cfg, "maxCaseAssociations", DEFAULT_CASE_ASSOCIATIONS_MAX)
+        schemaPrefix := module.GetStringDefault(cfg, "schemaPrefix", DEFAULT_CASE_SCHEMA_PREFIX)
         casestore := NewElasticCasestore(elastic.server)
-        err = casestore.Init(caseIndex, auditIndex, maxCaseAssociations)
+        err = casestore.Init(caseIndex, auditIndex, maxCaseAssociations, schemaPrefix)
         if err == nil {
           elastic.server.Casestore = casestore
         }
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index 84f2457d..bbdbc4a1 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -22,7 +22,7 @@ import (
   "time"
 )
 
-const AUDIT_DOC_ID = "so_audit_doc_id"
+const AUDIT_DOC_ID = "audit_doc_id"
 const SHORT_STRING_MAX = 100
 const LONG_STRING_MAX = 1000000
 const MAX_ARRAY_ELEMENTS = 50
@@ -32,6 +32,7 @@ type ElasticCasestore struct {
   index           string
   auditIndex      string
   maxAssociations int
+  schemaPrefix    string
 }
 
 func NewElasticCasestore(srv *server.Server) *ElasticCasestore {
@@ -40,10 +41,11 @@ func NewElasticCasestore(srv *server.Server) *ElasticCasestore {
   }
 }
 
-func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociations int) error {
+func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociations int, schemaPrefix string) error {
   store.index = index
   store.auditIndex = auditIndex
   store.maxAssociations = maxAssociations
+  store.schemaPrefix = schemaPrefix
   return nil
 }
 
@@ -282,15 +284,15 @@ func (store *ElasticCasestore) save(ctx context.Context, obj interface{}, kind s
   var err error
 
   if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
-    document := convertObjectToDocumentMap(kind, obj)
-    document["kind"] = kind
+    document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+    document[store.schemaPrefix+"kind"] = kind
     results, err = store.server.Eventstore.Index(ctx, store.index, document, id)
     if err == nil {
-      document[AUDIT_DOC_ID] = results.DocumentId
+      document[store.schemaPrefix+AUDIT_DOC_ID] = results.DocumentId
       if id == "" {
-        document["operation"] = "create"
+        document[store.schemaPrefix+"operation"] = "create"
       } else {
-        document["operation"] = "update"
+        document[store.schemaPrefix+"operation"] = "update"
       }
       _, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
       if err != nil {
@@ -311,10 +313,10 @@ func (store *ElasticCasestore) delete(ctx context.Context, obj interface{}, kind
   if err = store.server.CheckAuthorized(ctx, "write", "cases"); err == nil {
     err = store.server.Eventstore.Delete(ctx, store.index, id)
     if err == nil {
-      document := convertObjectToDocumentMap(kind, obj)
-      document[AUDIT_DOC_ID] = id
-      document["kind"] = kind
-      document["operation"] = "delete"
+      document := convertObjectToDocumentMap(kind, obj, store.schemaPrefix)
+      document[store.schemaPrefix+AUDIT_DOC_ID] = id
+      document[store.schemaPrefix+"kind"] = kind
+      document[store.schemaPrefix+"operation"] = "delete"
       _, err = store.server.Eventstore.Index(ctx, store.auditIndex, document, "")
       if err != nil {
         log.WithFields(log.Fields{
@@ -329,7 +331,7 @@ func (store *ElasticCasestore) delete(ctx context.Context, obj interface{}, kind
 }
 
 func (store *ElasticCasestore) get(ctx context.Context, id string, kind string) (interface{}, error) {
-  query := fmt.Sprintf(`_index:"%s" AND kind:"%s" AND _id:"%s"`, store.index, kind, id)
+  query := fmt.Sprintf(`_index:"%s" AND %skind:"%s" AND _id:"%s"`, store.index, store.schemaPrefix, kind, id)
   objects, err := store.getAll(ctx, query, 1)
   if err == nil {
     if len(objects) > 0 {
@@ -365,7 +367,7 @@ func (store *ElasticCasestore) getAll(ctx context.Context, query string, max int
       if err == nil {
         for _, event := range results.Events {
           var obj interface{}
-          obj, err = convertElasticEventToObject(event)
+          obj, err = convertElasticEventToObject(event, store.schemaPrefix)
           if err == nil {
             objects = append(objects, obj)
           } else {
@@ -451,8 +453,8 @@ func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string
 
   err = store.validateId(caseId, "caseId")
   if err == nil {
-    query := fmt.Sprintf(`_index:"%s" AND (%s:"%s" OR comment.caseId:"%s" OR related.caseId:"%s" OR artifact.caseId:"%s") | sortby @timestamp^`,
-      store.auditIndex, AUDIT_DOC_ID, caseId, caseId, caseId, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND (%s%s:"%s" OR %scomment.caseId:"%s" OR %srelated.caseId:"%s" OR %sartifact.caseId:"%s") | sortby @timestamp^`,
+      store.auditIndex, store.schemaPrefix, AUDIT_DOC_ID, caseId, store.schemaPrefix, caseId, store.schemaPrefix, caseId, store.schemaPrefix, caseId)
     history, err = store.getAll(ctx, query, store.maxAssociations)
   }
   return history, err
@@ -522,7 +524,7 @@ func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId stri
   err = store.validateId(caseId, "caseId")
   if err == nil {
     events = make([]*model.RelatedEvent, 0)
-    query := fmt.Sprintf(`_index:"%s" AND kind:"related" AND related.caseId:"%s" | sortby related.fields.timestamp^`, store.index, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND %skind:"related" AND %srelated.caseId:"%s" | sortby %srelated.fields.timestamp^`, store.index, store.schemaPrefix, store.schemaPrefix, caseId, store.schemaPrefix)
     var objects []interface{}
     objects, err = store.getAll(ctx, query, store.maxAssociations)
     if err == nil {
@@ -597,7 +599,7 @@ func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) (
   err = store.validateId(caseId, "caseId")
   if err == nil {
     comments = make([]*model.Comment, 0)
-    query := fmt.Sprintf(`_index:"%s" AND kind:"comment" AND comment.caseId:"%s" | sortby comment.createTime^`, store.index, caseId)
+    query := fmt.Sprintf(`_index:"%s" AND %skind:"comment" AND %scomment.caseId:"%s" | sortby %scomment.createTime^`, store.index, store.schemaPrefix, store.schemaPrefix, caseId, store.schemaPrefix)
     var objects []interface{}
     objects, err = store.getAll(ctx, query, store.maxAssociations)
     if err == nil {
@@ -705,9 +707,10 @@ func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string,
         artifacts = make([]*model.Artifact, 0)
         var groupIdTerm string
         if len(groupId) > 0 {
-          groupIdTerm = fmt.Sprintf(`AND artifact.groupId:"%s" `, groupId)
+          groupIdTerm = fmt.Sprintf(`AND %sartifact.groupId:"%s" `, store.schemaPrefix, groupId)
         }
-        query := fmt.Sprintf(`_index:"%s" AND kind:"artifact" AND artifact.caseId:"%s" AND artifact.groupType:"%s" %s| sortby artifact.createTime^`, store.index, caseId, groupType, groupIdTerm)
+        query := fmt.Sprintf(`_index:"%s" AND %skind:"artifact" AND %sartifact.caseId:"%s" AND %sartifact.groupType:"%s" %s| sortby %sartifact.createTime^`,
+          store.index, store.schemaPrefix, store.schemaPrefix, caseId, store.schemaPrefix, groupType, groupIdTerm, store.schemaPrefix)
         var objects []interface{}
         objects, err = store.getAll(ctx, query, store.maxAssociations)
         if err == nil {
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 3553a58c..5f46db30 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -21,7 +21,7 @@ import (
 
 func TestInit(tester *testing.T) {
 	store := NewElasticCasestore(nil)
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	assert.Equal(tester, "myIndex", store.index)
 	assert.Equal(tester, "myAuditIndex", store.auditIndex)
 	assert.Equal(tester, 45, store.maxAssociations)
@@ -42,7 +42,7 @@ func TestPrepareForSave(tester *testing.T) {
 
 func TestValidateIdInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	err = store.validateId("", "test")
@@ -69,7 +69,7 @@ func TestValidateIdInvalid(tester *testing.T) {
 
 func TestValidateIdValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	err = store.validateId("12345", "test")
@@ -90,7 +90,7 @@ func TestValidateIdValid(tester *testing.T) {
 
 func TestValidateStringInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	err = store.validateString("1234567", 6, "test")
@@ -102,7 +102,7 @@ func TestValidateStringInvalid(tester *testing.T) {
 
 func TestValidateStringValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	err = store.validateString("12345", 6, "test")
@@ -117,7 +117,7 @@ func TestValidateStringValid(tester *testing.T) {
 
 func TestValidateCaseInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	socCase := model.NewCase()
@@ -227,7 +227,7 @@ func TestValidateCaseInvalid(tester *testing.T) {
 
 func TestValidateCaseValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	socCase := model.NewCase()
@@ -260,7 +260,7 @@ func TestValidateCaseValid(tester *testing.T) {
 
 func TestValidateRelatedEventInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	event := model.NewRelatedEvent()
@@ -296,7 +296,7 @@ func TestValidateRelatedEventInvalid(tester *testing.T) {
 
 func TestValidateRelatedEventValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	event := model.NewRelatedEvent()
@@ -307,7 +307,7 @@ func TestValidateRelatedEventValid(tester *testing.T) {
 
 func TestValidateCommentInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	comment := model.NewComment()
@@ -347,7 +347,7 @@ func TestValidateCommentInvalid(tester *testing.T) {
 
 func TestValidateCommentValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	comment := model.NewComment()
@@ -366,7 +366,7 @@ func TestValidateCommentValid(tester *testing.T) {
 
 func TestValidateArtifactInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	artifact := model.NewArtifact()
@@ -485,7 +485,7 @@ func TestValidateArtifactInvalid(tester *testing.T) {
 
 func TestValidateArtifactValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	artifact := model.NewArtifact()
@@ -502,7 +502,7 @@ func TestValidateArtifactValid(tester *testing.T) {
 
 func TestValidateArtifactStreamInvalid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	artifactstream := model.NewArtifactStream()
@@ -523,7 +523,7 @@ func TestValidateArtifactStreamInvalid(tester *testing.T) {
 
 func TestValidateArtifactStreamValid(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 
 	var err error
 	artifactstream := model.NewArtifactStream()
@@ -538,7 +538,7 @@ func TestValidateArtifactStreamValid(tester *testing.T) {
 
 func TestSaveCreate(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -551,14 +551,14 @@ func TestSaveCreate(tester *testing.T) {
 	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
 	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
 	assert.Equal(tester, 2, len(fakeEventStore.InputDocuments))
-	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
-	assert.Equal(tester, "create", fakeEventStore.InputDocuments[1]["operation"])
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["so_kind"])
+	assert.Equal(tester, "create", fakeEventStore.InputDocuments[1]["so_operation"])
 	assert.NotNil(tester, results)
 }
 
 func TestSaveUpdate(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -571,14 +571,14 @@ func TestSaveUpdate(tester *testing.T) {
 	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
 	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
 	assert.Equal(tester, 2, len(fakeEventStore.InputDocuments))
-	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
-	assert.Equal(tester, "update", fakeEventStore.InputDocuments[1]["operation"])
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["so_kind"])
+	assert.Equal(tester, "update", fakeEventStore.InputDocuments[1]["so_operation"])
 	assert.NotNil(tester, results)
 }
 
 func TestDelete(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -591,24 +591,25 @@ func TestDelete(tester *testing.T) {
 	assert.Equal(tester, "myIndex", fakeEventStore.InputIndexes[0])
 	assert.Equal(tester, "myAuditIndex", fakeEventStore.InputIndexes[1])
 	assert.Equal(tester, 1, len(fakeEventStore.InputDocuments))
-	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["kind"])
-	assert.Equal(tester, "delete", fakeEventStore.InputDocuments[0]["operation"])
+	assert.Equal(tester, "case", fakeEventStore.InputDocuments[0]["so_kind"])
+	assert.Equal(tester, "delete", fakeEventStore.InputDocuments[0]["so_operation"])
 }
 
 func TestGetAll(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 	query := "some query"
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
 
 	commentPayload := make(map[string]interface{})
-	commentPayload["kind"] = "comment"
+	commentPayload["so_kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
@@ -624,13 +625,13 @@ func TestGetAll(tester *testing.T) {
 
 func TestGet(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"case" AND _id:"myCaseId"`
+	query := `_index:"myIndex" AND so_kind:"case" AND _id:"myCaseId"`
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
@@ -644,7 +645,7 @@ func TestGet(tester *testing.T) {
 
 func TestGetNotFound(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -679,13 +680,13 @@ func TestUpdateError(tester *testing.T) {
 
 func TestGetCase(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"case" AND _id:"myCaseId"`
+	query := `_index:"myIndex" AND so_kind:"case" AND _id:"myCaseId"`
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
@@ -699,13 +700,13 @@ func TestGetCase(tester *testing.T) {
 
 func TestGetCaseHistory(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR comment.caseId:"myCaseId" OR related.caseId:"myCaseId" OR artifact.caseId:"myCaseId") | sortby @timestamp^`
+	query := `_index:"myAuditIndex" AND (so_audit_doc_id:"myCaseId" OR so_comment.caseId:"myCaseId" OR so_related.caseId:"myCaseId" OR so_artifact.caseId:"myCaseId") | sortby @timestamp^`
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}
@@ -740,19 +741,19 @@ func TestCreateCommentMissingCaseId(tester *testing.T) {
 
 func TestCreateComment(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 		Id:      "123444",
 	}
 	commentPayload := make(map[string]interface{})
-	commentPayload["kind"] = "comment"
+	commentPayload["so_kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
@@ -772,13 +773,13 @@ func TestCreateComment(tester *testing.T) {
 
 func TestGetComment(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"comment" AND _id:"myCommentId"`
+	query := `_index:"myIndex" AND so_kind:"comment" AND _id:"myCommentId"`
 	commentPayload := make(map[string]interface{})
-	commentPayload["kind"] = "comment"
+	commentPayload["so_kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
@@ -792,13 +793,13 @@ func TestGetComment(tester *testing.T) {
 
 func TestGetComments(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"comment" AND comment.caseId:"myCaseId" | sortby comment.createTime^`
+	query := `_index:"myIndex" AND so_kind:"comment" AND so_comment.caseId:"myCaseId" | sortby so_comment.createTime^`
 	commentPayload := make(map[string]interface{})
-	commentPayload["kind"] = "comment"
+	commentPayload["so_kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 	}
@@ -822,13 +823,13 @@ func TestUpdateComment(tester *testing.T) {
 
 func TestDeleteComment(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"comment" AND _id:"myCommentId"`
+	query := `_index:"myIndex" AND so_kind:"comment" AND _id:"myCommentId"`
 	commentPayload := make(map[string]interface{})
-	commentPayload["kind"] = "comment"
+	commentPayload["so_kind"] = "comment"
 	commentEvent := &model.EventRecord{
 		Payload: commentPayload,
 		Id:      "myCommentId",
@@ -875,19 +876,19 @@ func TestCreateRelatedEventMissingFields(tester *testing.T) {
 
 func TestCreateRelatedEvent(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 		Id:      "123444",
 	}
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "related"
+	eventPayload["so_kind"] = "related"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -907,14 +908,14 @@ func TestCreateRelatedEvent(tester *testing.T) {
 
 func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	// Mock the search for case cll
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 		Id:      "123444",
@@ -923,7 +924,7 @@ func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 
 	// Mock the search for existing related events call
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "related"
+	eventPayload["so_kind"] = "related"
 	eventPayload["soc_id"] = "myEventId"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
@@ -941,13 +942,13 @@ func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 
 func TestGetRelatedEvent(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"related" AND _id:"myEventId"`
+	query := `_index:"myIndex" AND so_kind:"related" AND _id:"myEventId"`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "related"
+	eventPayload["so_kind"] = "related"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -961,13 +962,13 @@ func TestGetRelatedEvent(tester *testing.T) {
 
 func TestGetRelatedEvents(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"related" AND related.caseId:"myCaseId" | sortby related.fields.timestamp^`
+	query := `_index:"myIndex" AND so_kind:"related" AND so_related.caseId:"myCaseId" | sortby so_related.fields.timestamp^`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "related"
+	eventPayload["so_kind"] = "related"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -981,13 +982,13 @@ func TestGetRelatedEvents(tester *testing.T) {
 
 func TestDeleteRelatedEvent(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"related" AND _id:"myEventId"`
+	query := `_index:"myIndex" AND so_kind:"related" AND _id:"myEventId"`
 	elasticPayload := make(map[string]interface{})
-	elasticPayload["kind"] = "related"
+	elasticPayload["so_kind"] = "related"
 	elasticEvent := &model.EventRecord{
 		Payload: elasticPayload,
 		Id:      "myEventId",
@@ -1063,19 +1064,19 @@ func TestCreateArtifactMissingValue(tester *testing.T) {
 
 func TestCreateArtifact(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
+	casePayload["so_kind"] = "case"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 		Id:      "123444",
 	}
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifact"
+	eventPayload["so_kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1097,13 +1098,13 @@ func TestCreateArtifact(tester *testing.T) {
 
 func TestGetArtifact(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	query := `_index:"myIndex" AND so_kind:"artifact" AND _id:"myArtifactId"`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifact"
+	eventPayload["so_kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1117,7 +1118,7 @@ func TestGetArtifact(tester *testing.T) {
 
 func TestGetArtifactsBadGroupType(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -1127,7 +1128,7 @@ func TestGetArtifactsBadGroupType(tester *testing.T) {
 
 func TestGetArtifactsBadGroupId(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -1137,13 +1138,13 @@ func TestGetArtifactsBadGroupId(tester *testing.T) {
 
 func TestGetArtifactsNoGroupId(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" | sortby artifact.createTime^`
+	query := `_index:"myIndex" AND so_kind:"artifact" AND so_artifact.caseId:"myCaseId" AND so_artifact.groupType:"myGroupType" | sortby so_artifact.createTime^`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifact"
+	eventPayload["so_kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1157,13 +1158,13 @@ func TestGetArtifactsNoGroupId(tester *testing.T) {
 
 func TestGetArtifacts(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND artifact.caseId:"myCaseId" AND artifact.groupType:"myGroupType" AND artifact.groupId:"myGroupId" | sortby artifact.createTime^`
+	query := `_index:"myIndex" AND so_kind:"artifact" AND so_artifact.caseId:"myCaseId" AND so_artifact.groupType:"myGroupType" AND so_artifact.groupId:"myGroupId" | sortby so_artifact.createTime^`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifact"
+	eventPayload["so_kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1177,13 +1178,13 @@ func TestGetArtifacts(tester *testing.T) {
 
 func TestDeleteArtifact(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	query := `_index:"myIndex" AND so_kind:"artifact" AND _id:"myArtifactId"`
 	elasticPayload := make(map[string]interface{})
-	elasticPayload["kind"] = "artifact"
+	elasticPayload["so_kind"] = "artifact"
 	elasticEvent := &model.EventRecord{
 		Payload: elasticPayload,
 		Id:      "myArtifactId",
@@ -1221,19 +1222,19 @@ func TestCreateArtifactStreamMissingValue(tester *testing.T) {
 
 func TestCreateArtifactStream(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "artifactstream"
+	casePayload["so_kind"] = "artifactstream"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 		Id:      "123444",
 	}
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifactstream"
+	eventPayload["so_kind"] = "artifactstream"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1252,13 +1253,13 @@ func TestCreateArtifactStream(tester *testing.T) {
 
 func TestGetArtifactStream(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifactstream" AND _id:"myArtifactStreamId"`
+	query := `_index:"myIndex" AND so_kind:"artifactstream" AND _id:"myArtifactStreamId"`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifactstream"
+	eventPayload["so_kind"] = "artifactstream"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1272,7 +1273,7 @@ func TestGetArtifactStream(tester *testing.T) {
 
 func TestGetArtifactStreamBadId(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
@@ -1282,13 +1283,13 @@ func TestGetArtifactStreamBadId(tester *testing.T) {
 
 func TestDeleteArtifactStream(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"artifactstream" AND _id:"myArtifactStreamId"`
+	query := `_index:"myIndex" AND so_kind:"artifactstream" AND _id:"myArtifactStreamId"`
 	elasticPayload := make(map[string]interface{})
-	elasticPayload["kind"] = "artifactstream"
+	elasticPayload["so_kind"] = "artifactstream"
 	elasticEvent := &model.EventRecord{
 		Payload: elasticPayload,
 		Id:      "myArtifactStreamId",
@@ -1305,25 +1306,25 @@ func TestDeleteArtifactStream(tester *testing.T) {
 
 func TestUpdateArtifact(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
-	query := `_index:"myIndex" AND kind:"artifact" AND _id:"myArtifactId"`
+	query := `_index:"myIndex" AND so_kind:"artifact" AND _id:"myArtifactId"`
 	eventPayload := make(map[string]interface{})
-	eventPayload["kind"] = "artifact"
-	eventPayload["artifact.artifactType"] = "myArtifactType"
-	eventPayload["artifact.groupType"] = "myGroupType"
-	eventPayload["artifact.groupId"] = "myGroupId"
-	eventPayload["artifact.value"] = "myValue"
-	eventPayload["artifact.streamLength"] = 123.0
-	eventPayload["artifact.mimeType"] = "myMimeType"
-	eventPayload["artifact.md5"] = "myMd5"
-	eventPayload["artifact.sha1"] = "mySha1"
-	eventPayload["artifact.sha256"] = "mySha256"
-	eventPayload["artifact.streamId"] = "myStreamId"
-	eventPayload["artifact.description"] = "myDesc"
+	eventPayload["so_kind"] = "artifact"
+	eventPayload["so_artifact.artifactType"] = "myArtifactType"
+	eventPayload["so_artifact.groupType"] = "myGroupType"
+	eventPayload["so_artifact.groupId"] = "myGroupId"
+	eventPayload["so_artifact.value"] = "myValue"
+	eventPayload["so_artifact.streamLength"] = 123.0
+	eventPayload["so_artifact.mimeType"] = "myMimeType"
+	eventPayload["so_artifact.md5"] = "myMd5"
+	eventPayload["so_artifact.sha1"] = "mySha1"
+	eventPayload["so_artifact.sha256"] = "mySha256"
+	eventPayload["so_artifact.streamId"] = "myStreamId"
+	eventPayload["so_artifact.description"] = "myDesc"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}
@@ -1351,9 +1352,9 @@ func TestUpdateArtifact(tester *testing.T) {
 	_, err = store.UpdateArtifact(ctx, artifact)
 	assert.NoError(tester, err)
 	assert.Equal(tester, query, fakeEventStore.InputSearchCriterias[0].RawQuery)
-	assert.Equal(tester, "update", fakeEventStore.InputDocuments[0]["operation"])
+	assert.Equal(tester, "update", fakeEventStore.InputDocuments[0]["so_operation"])
 
-	newArtifact := fakeEventStore.InputDocuments[0]["artifact"].(*model.Artifact)
+	newArtifact := fakeEventStore.InputDocuments[0]["so_artifact"].(*model.Artifact)
 	assert.Equal(tester, "myNewDesc", newArtifact.Description)
 
 	// Should have preserved read-only props
diff --git a/server/modules/elastic/template_test.go b/server/modules/elastic/template_test.go
index bb7be63f..21bc8fc0 100644
--- a/server/modules/elastic/template_test.go
+++ b/server/modules/elastic/template_test.go
@@ -21,15 +21,15 @@ import (
 
 func TestApplyTemplate(tester *testing.T) {
 	store := NewElasticCasestore(server.NewFakeAuthorizedServer(nil))
-	store.Init("myIndex", "myAuditIndex", 45)
+	store.Init("myIndex", "myAuditIndex", 45, DEFAULT_CASE_SCHEMA_PREFIX)
 	fakeEventStore := server.NewFakeEventstore()
 	store.server.Eventstore = fakeEventStore
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
-	query := `_index:"myIndex" AND kind:"case" AND _id:"myTemplateId"`
+	query := `_index:"myIndex" AND so_kind:"case" AND _id:"myTemplateId"`
 	casePayload := make(map[string]interface{})
-	casePayload["kind"] = "case"
-	casePayload["case.title"] = "myTemplateTitle {}"
-	casePayload["case.description"] = "myTemplateDescription {}"
+	casePayload["so_kind"] = "case"
+	casePayload["so_case.title"] = "myTemplateTitle {}"
+	casePayload["so_case.description"] = "myTemplateDescription {}"
 	caseEvent := &model.EventRecord{
 		Payload: casePayload,
 	}

From 31249a88fd77b4c246eb1f6a62874780b1de828c Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 19 Jan 2022 14:51:40 -0500
Subject: [PATCH 90/98] Update copyright dates

---
 Dockerfile                                    |  2 +-
 Dockerfile.kratos                             |  2 +-
 agent/agent.go                                | 22 +++---
 agent/agent_test.go                           |  2 +-
 agent/jobmanager.go                           | 18 ++---
 agent/jobprocessor.go                         |  6 +-
 cmd/sensoroni.go                              | 16 ++--
 cmd/sensoroni_test.go                         |  2 +-
 config/agentconfig.go                         | 26 +++----
 config/agentconfig_test.go                    |  2 +-
 config/clientparameters.go                    |  2 +-
 config/clientparameters_test.go               |  2 +-
 config/config.go                              | 34 ++++----
 config/serverconfig.go                        |  2 +-
 config/serverconfig_test.go                   |  2 +-
 html/css/app.css                              |  2 +-
 html/index.html                               |  2 +-
 html/js/app.js                                |  2 +-
 html/js/app.test.js                           |  2 +-
 html/js/custom.js                             |  2 +-
 html/js/i18n.js                               |  2 +-
 html/js/routes/case.js                        |  2 +-
 html/js/routes/case.test.js                   |  2 +-
 html/js/routes/downloads.js                   |  2 +-
 html/js/routes/grid.js                        |  2 +-
 html/js/routes/grid.test.js                   |  2 +-
 html/js/routes/home.js                        |  2 +-
 html/js/routes/hunt.js                        |  2 +-
 html/js/routes/hunt.test.js                   |  2 +-
 html/js/routes/job.js                         |  2 +-
 html/js/routes/jobs.js                        |  2 +-
 html/js/routes/login.js                       |  2 +-
 html/js/routes/settings.js                    |  2 +-
 html/js/routes/terms.js                       |  2 +-
 html/js/routes/users.js                       |  2 +-
 html/js/test_common.js                        |  2 +-
 html/login/index.html                         |  2 +-
 json/json.go                                  | 12 +--
 json/json_test.go                             |  2 +-
 model/case.go                                 |  2 +-
 model/case_test.go                            |  2 +-
 model/event.go                                |  2 +-
 model/event_test.go                           |  2 +-
 model/filter.go                               | 18 ++---
 model/info.go                                 |  2 +-
 model/job.go                                  |  2 +-
 model/job_test.go                             |  2 +-
 model/node.go                                 |  2 +-
 model/node_test.go                            |  2 +-
 model/packet.go                               | 38 ++++-----
 model/query.go                                |  2 +-
 model/query_test.go                           |  2 +-
 model/status.go                               | 21 +++--
 model/unauthorized.go                         |  2 +-
 model/unauthorized_test.go                    |  2 +-
 model/user.go                                 |  2 +-
 module/manager.go                             | 22 +++---
 module/manager_test.go                        |  2 +-
 module/module.go                              |  4 +-
 module/options.go                             |  8 +-
 module/options_test.go                        |  2 +-
 packet/parser.go                              | 22 +++---
 packet/parser_test.go                         |  2 +-
 scripts/stenoquery.sh                         |  2 +-
 server/casehandler.go                         |  2 +-
 server/casestore.go                           |  2 +-
 server/datastore.go                           |  2 +-
 server/eventhandler.go                        | 35 +++++----
 server/eventstore.go                          |  2 +-
 server/eventstore_fake.go                     |  2 +-
 server/gridhandler.go                         |  2 +-
 server/infohandler.go                         | 25 +++---
 server/jobhandler.go                          |  2 +-
 server/jobshandler.go                         |  2 +-
 server/metrics.go                             |  2 +-
 server/modules/elastic/converter.go           |  2 +-
 server/modules/elastic/converter_test.go      |  2 +-
 server/modules/elastic/elastic.go             |  2 +-
 server/modules/elastic/elastic_test.go        |  2 +-
 server/modules/elastic/elasticcasestore.go    |  2 +-
 .../modules/elastic/elasticcasestore_test.go  |  2 +-
 server/modules/elastic/elasticeventstore.go   |  2 +-
 .../modules/elastic/elasticeventstore_test.go |  2 +-
 server/modules/elastic/elastictransport.go    | 16 ++--
 .../modules/elastic/elastictransport_test.go  |  2 +-
 server/modules/elastic/joblookuphandler.go    |  2 +-
 server/modules/elastic/template.go            |  2 +-
 server/modules/elastic/template_test.go       |  2 +-
 server/modules/elasticcases/elasticcase.go    |  2 +-
 .../elasticcases/elasticcaseconverter.go      |  2 +-
 .../elasticcases/elasticcaseconverter_test.go |  2 +-
 server/modules/elasticcases/elasticcases.go   |  2 +-
 .../modules/elasticcases/elasticcases_test.go |  2 +-
 .../modules/elasticcases/elasticcasestore.go  |  2 +-
 .../elasticcases/elasticcasestore_test.go     |  2 +-
 server/modules/filedatastore/filedatastore.go |  2 +-
 .../filedatastore/filedatastoreimpl.go        |  2 +-
 .../filedatastore/filedatastoreimpl_test.go   |  2 +-
 .../modules/generichttp/generichttpparams.go  |  2 +-
 .../generichttp/generichttpparams_test.go     |  2 +-
 .../modules/generichttp/generichttpreader.go  |  2 +-
 .../generichttp/generichttpreader_test.go     |  2 +-
 server/modules/generichttp/httpcase.go        |  2 +-
 server/modules/generichttp/httpcase_test.go   |  2 +-
 server/modules/generichttp/httpcasestore.go   |  2 +-
 .../modules/generichttp/httpcasestore_test.go |  2 +-
 server/modules/influxdb/influxdb.go           |  2 +-
 server/modules/influxdb/influxdb_test.go      |  2 +-
 server/modules/influxdb/influxdbmetrics.go    |  2 +-
 .../modules/influxdb/influxdbmetrics_test.go  |  2 +-
 server/modules/kratos/kratos.go               |  2 +-
 server/modules/kratos/kratos_test.go          |  2 +-
 server/modules/kratos/kratospreprocessor.go   | 23 +++---
 .../modules/kratos/kratospreprocessor_test.go |  2 +-
 server/modules/kratos/kratosuser.go           |  2 +-
 server/modules/kratos/kratosuser_test.go      |  2 +-
 server/modules/kratos/kratosuserstore.go      |  2 +-
 server/modules/kratos/kratosuserstore_test.go |  2 +-
 server/modules/modules.go                     |  2 +-
 server/modules/modules_test.go                |  2 +-
 server/modules/sostatus/sostatus.go           |  2 +-
 server/modules/sostatus/sostatus_test.go      |  2 +-
 server/modules/statickeyauth/statickeyauth.go |  2 +-
 .../statickeyauth/statickeyauth_test.go       |  2 +-
 .../statickeyauth/statickeyauthimpl.go        |  2 +-
 .../statickeyauth/statickeyauthimpl_test.go   |  2 +-
 server/modules/staticrbac/staticrbac.go       |  2 +-
 server/modules/staticrbac/staticrbac_test.go  |  2 +-
 .../staticrbac/staticrbacauthorizer.go        |  2 +-
 .../staticrbac/staticrbacauthorizer_test.go   |  2 +-
 server/modules/thehive/thehive.go             |  2 +-
 server/modules/thehive/thehive_test.go        |  2 +-
 server/modules/thehive/thehivecase.go         | 48 ++++++------
 server/modules/thehive/thehivecasestore.go    |  2 +-
 .../modules/thehive/thehivecasestore_test.go  |  2 +-
 server/modules/thehive/thehiveconverter.go    |  2 +-
 .../modules/thehive/thehiveconverter_test.go  |  2 +-
 server/nodehandler.go                         |  2 +-
 server/packethandler.go                       |  2 +-
 server/queryhandler.go                        |  2 +-
 server/roleshandler.go                        |  2 +-
 server/rolestore.go                           |  2 +-
 server/server.go                              |  2 +-
 server/server_fake.go                         |  2 +-
 server/server_test.go                         |  2 +-
 server/streamhandler.go                       |  2 +-
 server/userhandler.go                         |  2 +-
 server/usershandler.go                        |  2 +-
 server/userstore.go                           |  2 +-
 web/basehandler.go                            |  2 +-
 web/basehandler_test.go                       |  2 +-
 web/basepreprocessor.go                       |  2 +-
 web/basepreprocessor_test.go                  |  2 +-
 web/client.go                                 |  2 +-
 web/client_test.go                            |  2 +-
 web/connection.go                             | 16 ++--
 web/connection_test.go                        |  2 +-
 web/host.go                                   | 78 +++++++++----------
 web/host_test.go                              |  2 +-
 web/websockethandler.go                       | 42 +++++-----
 web/websockethandler_test.go                  |  2 +-
 web/websocketmessage.go                       |  6 +-
 162 files changed, 417 insertions(+), 417 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e6ae467a..cc7900d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Copyright 2019 Jason Ertel (jertel). All rights reserved.
-# Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+# Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 #
 # This program is distributed under the terms of version 2 of the
 # GNU General Public License.  See LICENSE for further details.
diff --git a/Dockerfile.kratos b/Dockerfile.kratos
index 748c680d..109d21a4 100644
--- a/Dockerfile.kratos
+++ b/Dockerfile.kratos
@@ -1,5 +1,5 @@
 # Copyright 2019 Jason Ertel (jertel). All rights reserved.
-# Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+# Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 #
 # This program is distributed under the terms of version 2 of the
 # GNU General Public License.  See LICENSE for further details.
diff --git a/agent/agent.go b/agent/agent.go
index a6835d56..f459c894 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -17,19 +17,19 @@ import (
 )
 
 type Agent struct {
-  Client			*web.Client
-  Config 			*config.AgentConfig
-  JobMgr			*JobManager
-  stoppedChan	chan bool
-  Version			string
+  Client      *web.Client
+  Config      *config.AgentConfig
+  JobMgr      *JobManager
+  stoppedChan chan bool
+  Version     string
 }
 
 func NewAgent(cfg *config.AgentConfig, version string) *Agent {
   agent := &Agent{
-    Config: cfg,
-    Client: web.NewClient(cfg.ServerUrl, cfg.VerifyCert),
+    Config:      cfg,
+    Client:      web.NewClient(cfg.ServerUrl, cfg.VerifyCert),
     stoppedChan: make(chan bool, 1),
-    Version: version,
+    Version:     version,
   }
   agent.JobMgr = NewJobManager(agent)
   return agent
@@ -47,5 +47,5 @@ func (agent *Agent) Stop() {
 }
 
 func (agent *Agent) Wait() {
-  <- agent.stoppedChan
-}
\ No newline at end of file
+  <-agent.stoppedChan
+}
diff --git a/agent/agent_test.go b/agent/agent_test.go
index 60e98eb4..a4915391 100644
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/agent/jobmanager.go b/agent/jobmanager.go
index 9a60693c..d47c384d 100644
--- a/agent/jobmanager.go
+++ b/agent/jobmanager.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,12 +12,12 @@ package agent
 
 import (
   "errors"
+  "github.com/apex/log"
+  "github.com/security-onion-solutions/securityonion-soc/model"
   "io"
   "strconv"
   "sync"
   "time"
-  "github.com/apex/log"
-  "github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type JobManager struct {
@@ -31,10 +31,10 @@ type JobManager struct {
 func NewJobManager(agent *Agent) *JobManager {
   mgr := &JobManager{
     agent: agent,
-    node: model.NewNode(agent.Config.NodeId),
+    node:  model.NewNode(agent.Config.NodeId),
   }
 
-  // Any field/value added to this list must be manually copied to the 
+  // Any field/value added to this list must be manually copied to the
   // existing node object in filedatastoreimpl.go::UpdateNode()
   mgr.node.Role = agent.Config.Role
   mgr.node.Description = agent.Config.Description
@@ -59,7 +59,7 @@ func (mgr *JobManager) Start() {
     } else {
       log.WithField("jobId", job.Id).Info("Discovered pending job")
       var reader io.ReadCloser
-      reader, err = mgr.ProcessJob(job) 
+      reader, err = mgr.ProcessJob(job)
       if err == nil {
         if reader != nil {
           defer reader.Close()
@@ -104,7 +104,7 @@ func (mgr *JobManager) ProcessJob(job *model.Job) (io.ReadCloser, error) {
   for _, processor := range mgr.jobProcessors {
     reader, err = processor.ProcessJob(job, reader)
     if err != nil {
-      log.WithError(err).WithFields(log.Fields {
+      log.WithError(err).WithFields(log.Fields{
         "jobId": job.Id,
       }).Error("Failed to process job; job processing aborted")
       break
@@ -115,7 +115,7 @@ func (mgr *JobManager) ProcessJob(job *model.Job) (io.ReadCloser, error) {
 
 func (mgr *JobManager) CleanupJob(job *model.Job) {
   for _, processor := range mgr.jobProcessors {
-    processor.CleanupJob(job) 
+    processor.CleanupJob(job)
   }
 }
 
@@ -131,7 +131,7 @@ func (mgr *JobManager) updateDataEpoch() {
 }
 
 func (mgr *JobManager) StreamJobResults(job *model.Job, reader io.ReadCloser) error {
-  resp, err := mgr.agent.Client.SendAuthorizedRequest("POST", "/api/stream?jobId=" + strconv.Itoa(job.Id), "application/octet-stream", reader)
+  resp, err := mgr.agent.Client.SendAuthorizedRequest("POST", "/api/stream?jobId="+strconv.Itoa(job.Id), "application/octet-stream", reader)
   if resp.StatusCode != 200 {
     err = errors.New("Unable to submit job results (" + strconv.Itoa(resp.StatusCode) + "): " + resp.Status)
   }
diff --git a/agent/jobprocessor.go b/agent/jobprocessor.go
index 8289616e..e87a69f2 100644
--- a/agent/jobprocessor.go
+++ b/agent/jobprocessor.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,13 +11,13 @@
 package agent
 
 import (
+  "github.com/security-onion-solutions/securityonion-soc/model"
   "io"
   "time"
-  "github.com/security-onion-solutions/securityonion-soc/model"
 )
 
 type JobProcessor interface {
   ProcessJob(*model.Job, io.ReadCloser) (io.ReadCloser, error)
   CleanupJob(*model.Job)
   GetDataEpoch() time.Time
-}
\ No newline at end of file
+}
diff --git a/cmd/sensoroni.go b/cmd/sensoroni.go
index e1a0b903..c9b341c8 100644
--- a/cmd/sensoroni.go
+++ b/cmd/sensoroni.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -13,10 +13,6 @@ package main
 import (
   "flag"
   "fmt"
-  "os"
-  "os/signal"
-  "syscall"
-  "time"
   "github.com/apex/log"
   "github.com/apex/log/handlers/logfmt"
   "github.com/apex/log/handlers/text"
@@ -26,6 +22,10 @@ import (
   "github.com/security-onion-solutions/securityonion-soc/module"
   "github.com/security-onion-solutions/securityonion-soc/server"
   serverModules "github.com/security-onion-solutions/securityonion-soc/server/modules"
+  "os"
+  "os/signal"
+  "syscall"
+  "time"
 )
 
 var (
@@ -58,10 +58,10 @@ func main() {
     logFile, _ := InitLogging(cfg.LogFilename, cfg.LogLevel)
     defer logFile.Close()
 
-    log.WithFields(log.Fields {
-      "version": cfg.Version,
+    log.WithFields(log.Fields{
+      "version":   cfg.Version,
       "buildTime": cfg.BuildTime,
-    }).Info("Version Information")	
+    }).Info("Version Information")
 
     moduleMgr := module.NewModuleManager()
     var srv *server.Server
diff --git a/cmd/sensoroni_test.go b/cmd/sensoroni_test.go
index cbd34a50..6495b3af 100644
--- a/cmd/sensoroni_test.go
+++ b/cmd/sensoroni_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/config/agentconfig.go b/config/agentconfig.go
index bd35ae05..b9219846 100644
--- a/config/agentconfig.go
+++ b/config/agentconfig.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,23 +12,23 @@ package config
 
 import (
   "errors"
-  "os"
   "github.com/security-onion-solutions/securityonion-soc/module"
+  "os"
 )
 
 const DEFAULT_POLL_INTERVAL_MS = 1000
 
 type AgentConfig struct {
-  NodeId                          string                            `json:"nodeId"`
-  Role                            string                            `json:"role"`
-  Description                     string                            `json:"description"`
-  Address                         string                            `json:"address"`
-  Model                           string                            `json:"model"`
-  ServerUrl                       string                            `json:"serverUrl"`
-  VerifyCert                      bool                              `json:"verifyCert"`
-  PollIntervalMs                  int                               `json:"pollIntervalMs"`
-  Modules                         module.ModuleConfigMap            `json:"modules"`
-  ModuleFailuresIgnored           bool                              `json:"moduleFailuresIgnored"`
+  NodeId                string                 `json:"nodeId"`
+  Role                  string                 `json:"role"`
+  Description           string                 `json:"description"`
+  Address               string                 `json:"address"`
+  Model                 string                 `json:"model"`
+  ServerUrl             string                 `json:"serverUrl"`
+  VerifyCert            bool                   `json:"verifyCert"`
+  PollIntervalMs        int                    `json:"pollIntervalMs"`
+  Modules               module.ModuleConfigMap `json:"modules"`
+  ModuleFailuresIgnored bool                   `json:"moduleFailuresIgnored"`
 }
 
 func (config *AgentConfig) Verify() error {
@@ -43,4 +43,4 @@ func (config *AgentConfig) Verify() error {
     err = errors.New("Agent.ServerUrl configuration value is required")
   }
   return err
-}
\ No newline at end of file
+}
diff --git a/config/agentconfig_test.go b/config/agentconfig_test.go
index 9e1a2e88..371aefc6 100644
--- a/config/agentconfig_test.go
+++ b/config/agentconfig_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/config/clientparameters.go b/config/clientparameters.go
index eebc73f3..57465eb7 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index f888d1e4..711f3adc 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/config/config.go b/config/config.go
index e6474964..9d77c5d9 100644
--- a/config/config.go
+++ b/config/config.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,30 +11,30 @@
 package config
 
 import (
-  "time"
   "github.com/security-onion-solutions/securityonion-soc/json"
+  "time"
 )
 
 type Config struct {
-  Filename                  			string
-  Version													string
-  BuildTime                       time.Time
-  LoadTime                  			time.Time
-  LogLevel                  			string    												`json:"logLevel"`
-  LogFilename               			string    												`json:"logFilename"`
-  ShutdownGracePeriodMs						int																`json:"shutdownGracePeriodMs"`
-  Server													*ServerConfig											`json:"server"`
-  Agent														*AgentConfig											`json:"agent"`
+  Filename              string
+  Version               string
+  BuildTime             time.Time
+  LoadTime              time.Time
+  LogLevel              string        `json:"logLevel"`
+  LogFilename           string        `json:"logFilename"`
+  ShutdownGracePeriodMs int           `json:"shutdownGracePeriodMs"`
+  Server                *ServerConfig `json:"server"`
+  Agent                 *AgentConfig  `json:"agent"`
 }
 
 func LoadConfig(filename string, version string, buildTime time.Time) (*Config, error) {
   cfg := &Config{
-    Version: version,
-    BuildTime: buildTime,
-    Filename: filename,
-    LoadTime: time.Now(),
-    LogLevel: "info",
-    LogFilename: filename + ".log",
+    Version:               version,
+    BuildTime:             buildTime,
+    Filename:              filename,
+    LoadTime:              time.Now(),
+    LogLevel:              "info",
+    LogFilename:           filename + ".log",
     ShutdownGracePeriodMs: 10000,
   }
   err := json.LoadJsonFile(cfg.Filename, cfg)
diff --git a/config/serverconfig.go b/config/serverconfig.go
index 1dff8922..69ee61ff 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/config/serverconfig_test.go b/config/serverconfig_test.go
index d35231a3..edf83b87 100644
--- a/config/serverconfig_test.go
+++ b/config/serverconfig_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/css/app.css b/html/css/app.css
index f3c226e6..f00381f5 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -1,6 +1,6 @@
 /*
   Copyright 2019 Jason Ertel (jertel). All rights reserved.
-  Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+  Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 
   This program is distributed under the terms of version 2 of the
   GNU General Public License.  See LICENSE for further details.
diff --git a/html/index.html b/html/index.html
index c6a63cd0..98085450 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1,7 +1,7 @@
 <!doctype html>
 <!--
   Copyright 2019 Jason Ertel (jertel). All rights reserved.
-  Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+  Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 
   This program is distributed under the terms of version 2 of the
   GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/app.js b/html/js/app.js
index fadda896..6a402270 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/app.test.js b/html/js/app.test.js
index 7f872a75..1e598b13 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/custom.js b/html/js/custom.js
index 2ba15f5b..1eef2597 100644
--- a/html/js/custom.js
+++ b/html/js/custom.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/i18n.js b/html/js/i18n.js
index c32b2844..1c4f924e 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 606bda2f..63da744a 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index 984b560a..d11e47b2 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/downloads.js b/html/js/routes/downloads.js
index 5902708f..f4e43a80 100644
--- a/html/js/routes/downloads.js
+++ b/html/js/routes/downloads.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/grid.js b/html/js/routes/grid.js
index 13410c9e..802d0753 100644
--- a/html/js/routes/grid.js
+++ b/html/js/routes/grid.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/grid.test.js b/html/js/routes/grid.test.js
index 3f05a7ac..f48e9320 100644
--- a/html/js/routes/grid.test.js
+++ b/html/js/routes/grid.test.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/home.js b/html/js/routes/home.js
index a369db9f..d9253225 100644
--- a/html/js/routes/home.js
+++ b/html/js/routes/home.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index a96656be..7097e07f 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index eb49ba35..419c6390 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/job.js b/html/js/routes/job.js
index 8b7c7b5a..e5e97b66 100644
--- a/html/js/routes/job.js
+++ b/html/js/routes/job.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/jobs.js b/html/js/routes/jobs.js
index f8574e60..245461d6 100644
--- a/html/js/routes/jobs.js
+++ b/html/js/routes/jobs.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/login.js b/html/js/routes/login.js
index 080a54ae..fe9fb314 100644
--- a/html/js/routes/login.js
+++ b/html/js/routes/login.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/settings.js b/html/js/routes/settings.js
index 862d1a58..48d217b7 100644
--- a/html/js/routes/settings.js
+++ b/html/js/routes/settings.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/terms.js b/html/js/routes/terms.js
index eb74c7cf..d642f9ff 100644
--- a/html/js/routes/terms.js
+++ b/html/js/routes/terms.js
@@ -1,4 +1,4 @@
-// Copyright 2020,2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/routes/users.js b/html/js/routes/users.js
index 7736a039..839bba9b 100644
--- a/html/js/routes/users.js
+++ b/html/js/routes/users.js
@@ -1,4 +1,4 @@
-// Copyright 2020 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/js/test_common.js b/html/js/test_common.js
index c3ef7a9f..bec4517a 100644
--- a/html/js/test_common.js
+++ b/html/js/test_common.js
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/html/login/index.html b/html/login/index.html
index 89f15cf0..f058488e 100644
--- a/html/login/index.html
+++ b/html/login/index.html
@@ -1,7 +1,7 @@
 <!doctype html>
 <!--
   Copyright 2019 Jason Ertel (jertel). All rights reserved.
-  Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+  Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 
   This program is distributed under the terms of version 2 of the
   GNU General Public License.  See LICENSE for further details.
diff --git a/json/json.go b/json/json.go
index bb3853ec..fcbe0b87 100644
--- a/json/json.go
+++ b/json/json.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,8 +12,8 @@ package json
 
 import (
   "encoding/json"
-  "io/ioutil"
   "github.com/apex/log"
+  "io/ioutil"
 )
 
 func WriteJsonFile(filename string, obj interface{}) error {
@@ -22,7 +22,7 @@ func WriteJsonFile(filename string, obj interface{}) error {
     err = ioutil.WriteFile(filename, bytes, 0644)
   }
   if err != nil {
-    log.WithError(err).WithFields(log.Fields{ 
+    log.WithError(err).WithFields(log.Fields{
       "filename": filename,
     }).Errorf("Error writing json object: %T", err)
   }
@@ -46,11 +46,11 @@ func LoadJson(content []byte, obj interface{}) error {
   err := json.Unmarshal(content, &obj)
   if err != nil {
     if jsonErr, ok := err.(*json.SyntaxError); ok {
-      log.WithError(err).WithFields(log.Fields{ 
+      log.WithError(err).WithFields(log.Fields{
         "offset": jsonErr.Offset,
       }).Error("Syntax error reading json object")
     } else if jsonErr, ok := err.(*json.UnmarshalTypeError); ok {
-      log.WithError(err).WithFields(log.Fields{ 
+      log.WithError(err).WithFields(log.Fields{
         "offset": jsonErr.Offset,
       }).Error("Unmarshal error reading json object")
     } else {
@@ -58,4 +58,4 @@ func LoadJson(content []byte, obj interface{}) error {
     }
   }
   return err
-}
\ No newline at end of file
+}
diff --git a/json/json_test.go b/json/json_test.go
index 5a1231e5..5331ef4f 100644
--- a/json/json_test.go
+++ b/json/json_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/case.go b/model/case.go
index ddf3e97d..da7ff98e 100644
--- a/model/case.go
+++ b/model/case.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/case_test.go b/model/case_test.go
index 8808efeb..a6de90ce 100644
--- a/model/case_test.go
+++ b/model/case_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/event.go b/model/event.go
index b5a400ff..7dbae95c 100644
--- a/model/event.go
+++ b/model/event.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/event_test.go b/model/event_test.go
index d5fce96b..cbf30e1b 100644
--- a/model/event_test.go
+++ b/model/event_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/filter.go b/model/filter.go
index a16b2103..68713979 100644
--- a/model/filter.go
+++ b/model/filter.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -15,14 +15,14 @@ import (
 )
 
 type Filter struct {
-  ImportId                  string                  `json:"importId"`
-  BeginTime             		time.Time 							`json:"beginTime"`
-  EndTime             			time.Time 							`json:"endTime"`
-  SrcIp											string									`json:"srcIp"`
-  SrcPort										int											`json:"srcPort"`
-  DstIp											string									`json:"dstIp"`
-  DstPort										int											`json:"dstPort"`
-  Parameters								map[string]interface{}	`json:"parameters"`
+  ImportId   string                 `json:"importId"`
+  BeginTime  time.Time              `json:"beginTime"`
+  EndTime    time.Time              `json:"endTime"`
+  SrcIp      string                 `json:"srcIp"`
+  SrcPort    int                    `json:"srcPort"`
+  DstIp      string                 `json:"dstIp"`
+  DstPort    int                    `json:"dstPort"`
+  Parameters map[string]interface{} `json:"parameters"`
 }
 
 func NewFilter() *Filter {
diff --git a/model/info.go b/model/info.go
index 7d90348a..60dbc760 100644
--- a/model/info.go
+++ b/model/info.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/job.go b/model/job.go
index c3768754..059f1eaf 100644
--- a/model/job.go
+++ b/model/job.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/job_test.go b/model/job_test.go
index 5fb3e95f..818b1302 100644
--- a/model/job_test.go
+++ b/model/job_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/node.go b/model/node.go
index 9a210ff7..a679b03e 100644
--- a/model/node.go
+++ b/model/node.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/node_test.go b/model/node_test.go
index d4aac421..5b678265 100644
--- a/model/node_test.go
+++ b/model/node_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/packet.go b/model/packet.go
index 56775b1d..d13c77f5 100644
--- a/model/packet.go
+++ b/model/packet.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -15,28 +15,28 @@ import (
 )
 
 type Packet struct {
-  Number										int				`json:"number"`
-  Type											string		`json:"type"`
-  SrcMac										string		`json:"srcMac"`
-  DstMac										string		`json:"dstMac"`
-  SrcIp											string		`json:"srcIp"`
-  SrcPort										int				`json:"srcPort"`
-  DstIp											string		`json:"dstIp"`
-  DstPort										int				`json:"dstPort"`
-  Length										int				`json:"length"`
-  Timestamp									time.Time	`json:"timestamp"`
-  Sequence									int				`json:"sequence"`
-  Acknowledge								int				`json:"acknowledge"`
-  Window										int				`json:"window"`
-  Checksum									int				`json:"checksum"`
-  Flags											[]string	`json:"flags"`
-  Payload										string		`json:"payload"`
-  PayloadOffset							int				`json:"payloadOffset"`
+  Number        int       `json:"number"`
+  Type          string    `json:"type"`
+  SrcMac        string    `json:"srcMac"`
+  DstMac        string    `json:"dstMac"`
+  SrcIp         string    `json:"srcIp"`
+  SrcPort       int       `json:"srcPort"`
+  DstIp         string    `json:"dstIp"`
+  DstPort       int       `json:"dstPort"`
+  Length        int       `json:"length"`
+  Timestamp     time.Time `json:"timestamp"`
+  Sequence      int       `json:"sequence"`
+  Acknowledge   int       `json:"acknowledge"`
+  Window        int       `json:"window"`
+  Checksum      int       `json:"checksum"`
+  Flags         []string  `json:"flags"`
+  Payload       string    `json:"payload"`
+  PayloadOffset int       `json:"payloadOffset"`
 }
 
 func NewPacket(number int) *Packet {
   return &Packet{
     Number: number,
-    Type: "UNKNOWN",
+    Type:   "UNKNOWN",
   }
 }
diff --git a/model/query.go b/model/query.go
index e411f5cf..8742e918 100644
--- a/model/query.go
+++ b/model/query.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/query_test.go b/model/query_test.go
index 150c50c3..260a795d 100644
--- a/model/query_test.go
+++ b/model/query_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/status.go b/model/status.go
index 5c764add..abdfc1c3 100644
--- a/model/status.go
+++ b/model/status.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -9,28 +9,27 @@
 
 package model
 
-import (
-)
+import ()
 
 type Status struct {
-  Grid        *GridStatus     `json:"grid"`
-  Alerts      *AlertsStatus   `json:"alerts"`
+  Grid   *GridStatus   `json:"grid"`
+  Alerts *AlertsStatus `json:"alerts"`
 }
 
 type GridStatus struct {
-  TotalNodeCount      int     `json:"totalNodeCount"`
-  UnhealthyNodeCount  int     `json:"unhealthyNodeCount"`
-  Eps                 int     `json:"eps"`
+  TotalNodeCount     int `json:"totalNodeCount"`
+  UnhealthyNodeCount int `json:"unhealthyNodeCount"`
+  Eps                int `json:"eps"`
 }
 
 type AlertsStatus struct {
-  NewCount      int     `json:"newCount"`
+  NewCount int `json:"newCount"`
 }
 
 func NewStatus() *Status {
   newStatus := &Status{
-    Grid: &GridStatus{},
+    Grid:   &GridStatus{},
     Alerts: &AlertsStatus{},
   }
   return newStatus
-}
\ No newline at end of file
+}
diff --git a/model/unauthorized.go b/model/unauthorized.go
index 70c339ce..1eb840b1 100644
--- a/model/unauthorized.go
+++ b/model/unauthorized.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/unauthorized_test.go b/model/unauthorized_test.go
index 9b3b5407..f5c1e636 100644
--- a/model/unauthorized_test.go
+++ b/model/unauthorized_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/model/user.go b/model/user.go
index f81a7562..0fc46f7a 100644
--- a/model/user.go
+++ b/model/user.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/module/manager.go b/module/manager.go
index de0d09c2..67cda2c1 100644
--- a/module/manager.go
+++ b/module/manager.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -16,8 +16,8 @@ import (
 )
 
 type ModuleManager struct {
-  enabled					[]Module
-  stoppedChan	chan string
+  enabled     []Module
+  stoppedChan chan string
 }
 
 func NewModuleManager() *ModuleManager {
@@ -41,12 +41,12 @@ func (mgr *ModuleManager) LaunchModules(available map[string]Module, modules Mod
   return err
 }
 
-func (mgr *ModuleManager) initModules(available map[string]Module, modules ModuleConfigMap, skipFailures bool) (map[string]Module, error) {	
+func (mgr *ModuleManager) initModules(available map[string]Module, modules ModuleConfigMap, skipFailures bool) (map[string]Module, error) {
   var err error
   initialized := make(map[string]Module)
   for moduleName, moduleConfig := range modules {
     log.WithField("module", moduleName).Info("Initializing module")
-    
+
     instance := available[moduleName]
     if instance == nil {
       log.WithField("module", moduleName).Error("Module does not exist")
@@ -67,7 +67,7 @@ func (mgr *ModuleManager) initModules(available map[string]Module, modules Modul
           }
         }
       }
-    }	
+    }
   }
   return initialized, err
 }
@@ -78,17 +78,17 @@ func (mgr *ModuleManager) meetsPrerequisites(prereqs []string, modules ModuleCon
       return false
     }
   }
-  return true 
+  return true
 }
 
-func (mgr *ModuleManager)startModules(modules map[string]Module, skipFailures bool) {
+func (mgr *ModuleManager) startModules(modules map[string]Module, skipFailures bool) {
   for name, instance := range modules {
     go mgr.runModule(name, instance)
     mgr.enabled = append(mgr.enabled, instance)
   }
 }
 
-func (mgr *ModuleManager)runModule(name string, module Module) {
+func (mgr *ModuleManager) runModule(name string, module Module) {
   log.WithField("module", name).Info("Starting module")
   err := module.Start()
   if err != nil {
@@ -107,8 +107,8 @@ func (mgr *ModuleManager) TerminateModules() {
 
   completedCount := 0
   for completedCount < len(mgr.enabled) {
-    name := <- mgr.stoppedChan
+    name := <-mgr.stoppedChan
     log.WithField("module", name).Info("Module stopped")
     completedCount++
   }
-}
\ No newline at end of file
+}
diff --git a/module/manager_test.go b/module/manager_test.go
index 29e5eab1..b8406d3f 100644
--- a/module/manager_test.go
+++ b/module/manager_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/module/module.go b/module/module.go
index 02b7073f..2c37b52b 100644
--- a/module/module.go
+++ b/module/module.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -20,4 +20,4 @@ type Module interface {
   Start() error
   Stop() error
   IsRunning() bool
-}
\ No newline at end of file
+}
diff --git a/module/options.go b/module/options.go
index fb752e5d..f8f95abf 100644
--- a/module/options.go
+++ b/module/options.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -82,14 +82,14 @@ func GetStringArray(options map[string]interface{}, key string) ([]string, error
   var value []string
   if gen, ok := options[key]; ok {
     value = make([]string, 0)
-    for _, iface := range(gen.([]interface{})) {
+    for _, iface := range gen.([]interface{}) {
       value = append(value, iface.(string))
     }
   } else {
     err = errors.New("Required option is missing: " + key + " ([]string)")
   }
   return value, err
-} 
+}
 
 func GetStringArrayDefault(options map[string]interface{}, key string, dflt []string) []string {
   value, err := GetStringArray(options, key)
@@ -97,4 +97,4 @@ func GetStringArrayDefault(options map[string]interface{}, key string, dflt []st
     value = dflt
   }
   return value
-} 
+}
diff --git a/module/options_test.go b/module/options_test.go
index aa141721..f71d2b24 100644
--- a/module/options_test.go
+++ b/module/options_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/packet/parser.go b/packet/parser.go
index 69ab6946..8af15b2b 100644
--- a/packet/parser.go
+++ b/packet/parser.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,16 +12,16 @@ package packet
 
 import (
   "encoding/base64"
-  "os"
   "github.com/apex/log"
   "github.com/google/gopacket"
   "github.com/google/gopacket/layers"
   "github.com/google/gopacket/pcap"
   "github.com/google/gopacket/pcapgo"
   "github.com/security-onion-solutions/securityonion-soc/model"
+  "os"
 )
 
-var SupportedLayerTypes = [...]gopacket.LayerType {
+var SupportedLayerTypes = [...]gopacket.LayerType{
   layers.LayerTypeARP,
   layers.LayerTypeICMPv4,
   layers.LayerTypeICMPv6,
@@ -47,7 +47,7 @@ func ParsePcap(filename string, offset int, count int, unwrap bool) ([]*model.Pa
 
 func UnwrapPcap(filename string, unwrappedFilename string) bool {
   unwrapped := false
-  info, err := os.Stat(unwrappedFilename) 
+  info, err := os.Stat(unwrappedFilename)
   if os.IsNotExist(err) {
     unwrappedFile, err := os.Create(unwrappedFilename)
     if err != nil {
@@ -63,9 +63,9 @@ func UnwrapPcap(filename string, unwrappedFilename string) bool {
           newPacket := unwrapVxlanPacket(pcapPacket, nil)
           err = writer.WritePacket(newPacket.Metadata().CaptureInfo, newPacket.Data())
           if err != nil {
-            log.WithError(err).WithFields(log.Fields {
+            log.WithError(err).WithFields(log.Fields{
               "unwrappedFilename": unwrappedFilename,
-              "index": index,
+              "index":             index,
             }).Error("Unable to write unwrapped file packet")
             return false
           }
@@ -208,14 +208,14 @@ func parseData(pcapPacket gopacket.Packet, packet *model.Packet, unwrap bool) {
     overrideType(packet, layer.LayerType())
   }
 
-  packetLayers := pcapPacket.Layers();
+  packetLayers := pcapPacket.Layers()
   topLayer := packetLayers[len(packetLayers)-1]
   overrideType(packet, topLayer.LayerType())
-  
+
   packet.Payload = base64.StdEncoding.EncodeToString(pcapPacket.Data())
-  packet.PayloadOffset = 0;
-  appLayer := pcapPacket.ApplicationLayer();
+  packet.PayloadOffset = 0
+  appLayer := pcapPacket.ApplicationLayer()
   if appLayer != nil {
     packet.PayloadOffset = len(pcapPacket.Data()) - len(appLayer.Payload())
   }
-}
\ No newline at end of file
+}
diff --git a/packet/parser_test.go b/packet/parser_test.go
index e80d0cdd..d6989bf2 100644
--- a/packet/parser_test.go
+++ b/packet/parser_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/scripts/stenoquery.sh b/scripts/stenoquery.sh
index 465de143..d0cab8ff 100644
--- a/scripts/stenoquery.sh
+++ b/scripts/stenoquery.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+# Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 #
 # This program is distributed under the terms of version 2 of the
 # GNU General Public License.  See LICENSE for further details.
diff --git a/server/casehandler.go b/server/casehandler.go
index 08c0ab2c..c48b7d8b 100644
--- a/server/casehandler.go
+++ b/server/casehandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/casestore.go b/server/casestore.go
index a76a61f2..71fd0847 100644
--- a/server/casestore.go
+++ b/server/casestore.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/datastore.go b/server/datastore.go
index da188dda..398d1ccd 100644
--- a/server/datastore.go
+++ b/server/datastore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/eventhandler.go b/server/eventhandler.go
index 93658d09..633762e2 100644
--- a/server/eventhandler.go
+++ b/server/eventhandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,20 +11,20 @@ package server
 
 import (
   "context"
-  "errors"
   "encoding/json"
-  "net/http"
+  "errors"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "net/http"
 )
 
 type EventHandler struct {
   web.BaseHandler
-  server 		*Server
+  server *Server
 }
 
 func NewEventHandler(srv *Server) *EventHandler {
-  handler := &EventHandler {}
+  handler := &EventHandler{}
   handler.Host = srv.Host
   handler.server = srv
   handler.Impl = handler
@@ -34,12 +34,13 @@ func NewEventHandler(srv *Server) *EventHandler {
 func (eventHandler *EventHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
   if eventHandler.server.Eventstore != nil {
     switch request.Method {
-      case http.MethodGet: return eventHandler.get(ctx, writer, request)
-      case http.MethodPost: 
-        obj := eventHandler.GetPathParameter(request.URL.Path, 2)
-        if obj == "ack" {
-          return eventHandler.ack(ctx, writer, request)
-        }
+    case http.MethodGet:
+      return eventHandler.get(ctx, writer, request)
+    case http.MethodPost:
+      obj := eventHandler.GetPathParameter(request.URL.Path, 2)
+      if obj == "ack" {
+        return eventHandler.ack(ctx, writer, request)
+      }
     }
   }
   return http.StatusMethodNotAllowed, nil, errors.New("Method not supported")
@@ -52,12 +53,12 @@ func (eventHandler *EventHandler) get(ctx context.Context, writer http.ResponseW
   err := request.ParseForm()
   if err == nil {
     criteria := model.NewEventSearchCriteria()
-    err = criteria.Populate(request.Form.Get("query"), 
-                            request.Form.Get("range"), 
-                            request.Form.Get("format"), 
-                            request.Form.Get("zone"),
-                            request.Form.Get("metricLimit"),
-                            request.Form.Get("eventLimit"))
+    err = criteria.Populate(request.Form.Get("query"),
+      request.Form.Get("range"),
+      request.Form.Get("format"),
+      request.Form.Get("zone"),
+      request.Form.Get("metricLimit"),
+      request.Form.Get("eventLimit"))
     if err == nil {
       results, err = eventHandler.server.Eventstore.Search(ctx, criteria)
       if err == nil {
diff --git a/server/eventstore.go b/server/eventstore.go
index 9b5514b1..4a9b7982 100644
--- a/server/eventstore.go
+++ b/server/eventstore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/eventstore_fake.go b/server/eventstore_fake.go
index 64b6ebb9..442585c6 100644
--- a/server/eventstore_fake.go
+++ b/server/eventstore_fake.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/gridhandler.go b/server/gridhandler.go
index eeb77e7c..628d112e 100644
--- a/server/gridhandler.go
+++ b/server/gridhandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/infohandler.go b/server/infohandler.go
index a2b87c14..4ff55e4c 100644
--- a/server/infohandler.go
+++ b/server/infohandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -13,20 +13,20 @@ package server
 import (
   "context"
   "errors"
-  "net/http"
-  "os"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "net/http"
+  "os"
 )
 
 type InfoHandler struct {
   web.BaseHandler
-  server 		*Server
+  server    *Server
   timezones []string
 }
 
 func NewInfoHandler(srv *Server) *InfoHandler {
-  handler := &InfoHandler {}
+  handler := &InfoHandler{}
   handler.Host = srv.Host
   handler.server = srv
   handler.Impl = handler
@@ -36,7 +36,8 @@ func NewInfoHandler(srv *Server) *InfoHandler {
 
 func (infoHandler *InfoHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
   switch request.Method {
-    case http.MethodGet: return infoHandler.get(ctx, writer, request)
+  case http.MethodGet:
+    return infoHandler.get(ctx, writer, request)
   }
   return http.StatusMethodNotAllowed, nil, errors.New("Method not supported")
 }
@@ -46,13 +47,13 @@ func (infoHandler *InfoHandler) get(ctx context.Context, writer http.ResponseWri
   var info *model.Info
   if user, ok := request.Context().Value(web.ContextKeyRequestor).(*model.User); ok {
     info = &model.Info{
-      Version: infoHandler.Host.Version,
-      License: "GPL v2",
-      Parameters: &infoHandler.server.Config.ClientParams,
+      Version:        infoHandler.Host.Version,
+      License:        "GPL v2",
+      Parameters:     &infoHandler.server.Config.ClientParams,
       ElasticVersion: os.Getenv("ELASTIC_VERSION"),
-      WazuhVersion: os.Getenv("WAZUH_VERSION"),
-      UserId: user.Id,
-      Timezones: infoHandler.timezones,
+      WazuhVersion:   os.Getenv("WAZUH_VERSION"),
+      UserId:         user.Id,
+      Timezones:      infoHandler.timezones,
     }
   } else {
     err = errors.New("Unable to determine logged in user from context")
diff --git a/server/jobhandler.go b/server/jobhandler.go
index be36a44d..0a4d871d 100644
--- a/server/jobhandler.go
+++ b/server/jobhandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/jobshandler.go b/server/jobshandler.go
index 934ac763..52e76c82 100644
--- a/server/jobshandler.go
+++ b/server/jobshandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/metrics.go b/server/metrics.go
index 2e864b90..dc1418e8 100644
--- a/server/metrics.go
+++ b/server/metrics.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index a5560973..2da4c630 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index 4760c9c4..c047911a 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elastic.go b/server/modules/elastic/elastic.go
index 846fccfe..3d5870e4 100644
--- a/server/modules/elastic/elastic.go
+++ b/server/modules/elastic/elastic.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elastic_test.go b/server/modules/elastic/elastic_test.go
index f732d104..3dfd2c18 100644
--- a/server/modules/elastic/elastic_test.go
+++ b/server/modules/elastic/elastic_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elasticcasestore.go b/server/modules/elastic/elasticcasestore.go
index bbdbc4a1..8d34f946 100644
--- a/server/modules/elastic/elasticcasestore.go
+++ b/server/modules/elastic/elasticcasestore.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index 5f46db30..ff093893 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elasticeventstore.go b/server/modules/elastic/elasticeventstore.go
index b9179747..23fcfbf5 100644
--- a/server/modules/elastic/elasticeventstore.go
+++ b/server/modules/elastic/elasticeventstore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elasticeventstore_test.go b/server/modules/elastic/elasticeventstore_test.go
index ae15dc25..50991424 100644
--- a/server/modules/elastic/elasticeventstore_test.go
+++ b/server/modules/elastic/elasticeventstore_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/elastictransport.go b/server/modules/elastic/elastictransport.go
index cb2a183c..bda9d120 100644
--- a/server/modules/elastic/elastictransport.go
+++ b/server/modules/elastic/elastictransport.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,12 +11,12 @@ package elastic
 
 import (
   "crypto/tls"
-  "net"
-  "net/http"
-  "time"
   "github.com/apex/log"
   "github.com/security-onion-solutions/securityonion-soc/model"
   "github.com/security-onion-solutions/securityonion-soc/web"
+  "net"
+  "net/http"
+  "time"
 )
 
 type ElasticTransport struct {
@@ -34,7 +34,7 @@ func NewElasticTransport(user string, pass string, timeoutMs time.Duration, veri
   }
 
   if len(user) > 0 && len(pass) > 0 {
-    return &ElasticTransport {
+    return &ElasticTransport{
       internal: httpTransport,
     }
   }
@@ -44,10 +44,10 @@ func NewElasticTransport(user string, pass string, timeoutMs time.Duration, veri
 
 func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error) {
   if user, ok := req.Context().Value(web.ContextKeyRequestor).(*model.User); ok {
-    log.WithFields(log.Fields {
-      "username": user.Email,
+    log.WithFields(log.Fields{
+      "username":       user.Email,
       "searchUsername": user.SearchUsername,
-      "requestId": req.Context().Value(web.ContextKeyRequestId),
+      "requestId":      req.Context().Value(web.ContextKeyRequestId),
     }).Debug("Executing Elastic request on behalf of user")
     username := user.Email
     if user.SearchUsername != "" {
diff --git a/server/modules/elastic/elastictransport_test.go b/server/modules/elastic/elastictransport_test.go
index bb586e9b..5d1ae471 100644
--- a/server/modules/elastic/elastictransport_test.go
+++ b/server/modules/elastic/elastictransport_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/joblookuphandler.go b/server/modules/elastic/joblookuphandler.go
index f1b3365f..df531c25 100644
--- a/server/modules/elastic/joblookuphandler.go
+++ b/server/modules/elastic/joblookuphandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/template.go b/server/modules/elastic/template.go
index 306fe14d..99564137 100644
--- a/server/modules/elastic/template.go
+++ b/server/modules/elastic/template.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elastic/template_test.go b/server/modules/elastic/template_test.go
index 21bc8fc0..4f91721c 100644
--- a/server/modules/elastic/template_test.go
+++ b/server/modules/elastic/template_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcase.go b/server/modules/elasticcases/elasticcase.go
index 779ea3e7..596913b2 100644
--- a/server/modules/elasticcases/elasticcase.go
+++ b/server/modules/elasticcases/elasticcase.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcaseconverter.go b/server/modules/elasticcases/elasticcaseconverter.go
index ee373fc1..011ac0a5 100644
--- a/server/modules/elasticcases/elasticcaseconverter.go
+++ b/server/modules/elasticcases/elasticcaseconverter.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcaseconverter_test.go b/server/modules/elasticcases/elasticcaseconverter_test.go
index 1ad86138..d29a3783 100644
--- a/server/modules/elasticcases/elasticcaseconverter_test.go
+++ b/server/modules/elasticcases/elasticcaseconverter_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcases.go b/server/modules/elasticcases/elasticcases.go
index b664e7aa..635082b3 100644
--- a/server/modules/elasticcases/elasticcases.go
+++ b/server/modules/elasticcases/elasticcases.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcases_test.go b/server/modules/elasticcases/elasticcases_test.go
index 5bffe151..818aabc1 100644
--- a/server/modules/elasticcases/elasticcases_test.go
+++ b/server/modules/elasticcases/elasticcases_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcasestore.go b/server/modules/elasticcases/elasticcasestore.go
index ccd85a39..ecce0cff 100644
--- a/server/modules/elasticcases/elasticcasestore.go
+++ b/server/modules/elasticcases/elasticcasestore.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/elasticcases/elasticcasestore_test.go b/server/modules/elasticcases/elasticcasestore_test.go
index 9c21c8e8..cae43249 100644
--- a/server/modules/elasticcases/elasticcasestore_test.go
+++ b/server/modules/elasticcases/elasticcasestore_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/filedatastore/filedatastore.go b/server/modules/filedatastore/filedatastore.go
index 8a996755..bbd9b753 100644
--- a/server/modules/filedatastore/filedatastore.go
+++ b/server/modules/filedatastore/filedatastore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/filedatastore/filedatastoreimpl.go b/server/modules/filedatastore/filedatastoreimpl.go
index 64f40d70..f7cd7337 100644
--- a/server/modules/filedatastore/filedatastoreimpl.go
+++ b/server/modules/filedatastore/filedatastoreimpl.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/filedatastore/filedatastoreimpl_test.go b/server/modules/filedatastore/filedatastoreimpl_test.go
index 2105577b..9e945c94 100644
--- a/server/modules/filedatastore/filedatastoreimpl_test.go
+++ b/server/modules/filedatastore/filedatastoreimpl_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/generichttpparams.go b/server/modules/generichttp/generichttpparams.go
index b4517598..36c0a1db 100644
--- a/server/modules/generichttp/generichttpparams.go
+++ b/server/modules/generichttp/generichttpparams.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/generichttpparams_test.go b/server/modules/generichttp/generichttpparams_test.go
index 5c5d7740..b845558c 100644
--- a/server/modules/generichttp/generichttpparams_test.go
+++ b/server/modules/generichttp/generichttpparams_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/generichttpreader.go b/server/modules/generichttp/generichttpreader.go
index cff983e3..3d5ff5ab 100644
--- a/server/modules/generichttp/generichttpreader.go
+++ b/server/modules/generichttp/generichttpreader.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/generichttpreader_test.go b/server/modules/generichttp/generichttpreader_test.go
index 54ff3662..afa43c30 100644
--- a/server/modules/generichttp/generichttpreader_test.go
+++ b/server/modules/generichttp/generichttpreader_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/httpcase.go b/server/modules/generichttp/httpcase.go
index b592bedb..8ee4f089 100644
--- a/server/modules/generichttp/httpcase.go
+++ b/server/modules/generichttp/httpcase.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/httpcase_test.go b/server/modules/generichttp/httpcase_test.go
index a7c3ea3a..4bf9e124 100644
--- a/server/modules/generichttp/httpcase_test.go
+++ b/server/modules/generichttp/httpcase_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/httpcasestore.go b/server/modules/generichttp/httpcasestore.go
index 879df107..a2ef7b46 100644
--- a/server/modules/generichttp/httpcasestore.go
+++ b/server/modules/generichttp/httpcasestore.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/generichttp/httpcasestore_test.go b/server/modules/generichttp/httpcasestore_test.go
index 9e001014..3ac160ec 100644
--- a/server/modules/generichttp/httpcasestore_test.go
+++ b/server/modules/generichttp/httpcasestore_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/influxdb/influxdb.go b/server/modules/influxdb/influxdb.go
index a4666c27..00ea0682 100644
--- a/server/modules/influxdb/influxdb.go
+++ b/server/modules/influxdb/influxdb.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/influxdb/influxdb_test.go b/server/modules/influxdb/influxdb_test.go
index 8c4ab940..c127308e 100644
--- a/server/modules/influxdb/influxdb_test.go
+++ b/server/modules/influxdb/influxdb_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/influxdb/influxdbmetrics.go b/server/modules/influxdb/influxdbmetrics.go
index 94f1e3b4..5652f1e5 100644
--- a/server/modules/influxdb/influxdbmetrics.go
+++ b/server/modules/influxdb/influxdbmetrics.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/influxdb/influxdbmetrics_test.go b/server/modules/influxdb/influxdbmetrics_test.go
index 2fca343c..829e6560 100644
--- a/server/modules/influxdb/influxdbmetrics_test.go
+++ b/server/modules/influxdb/influxdbmetrics_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratos.go b/server/modules/kratos/kratos.go
index 92c3947d..f8083b20 100644
--- a/server/modules/kratos/kratos.go
+++ b/server/modules/kratos/kratos.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratos_test.go b/server/modules/kratos/kratos_test.go
index 71226324..9a4de8c0 100644
--- a/server/modules/kratos/kratos_test.go
+++ b/server/modules/kratos/kratos_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratospreprocessor.go b/server/modules/kratos/kratospreprocessor.go
index 3fce5a64..99fa1646 100644
--- a/server/modules/kratos/kratospreprocessor.go
+++ b/server/modules/kratos/kratospreprocessor.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,8 +12,8 @@ package kratos
 
 import (
 	"context"
+	"github.com/security-onion-solutions/securityonion-soc/web"
 	"net/http"
-  "github.com/security-onion-solutions/securityonion-soc/web"
 )
 
 type KratosPreprocessor struct {
@@ -34,15 +34,14 @@ func (proc *KratosPreprocessor) Preprocess(ctx context.Context, request *http.Re
 	var statusCode int
 	var err error
 
-  userId := request.Header.Get("x-user-id")
-  if userId != "" {
-  	ctx = context.WithValue(ctx, web.ContextKeyRequestorId, userId)
-  	user, err := proc.userstore.GetUser(ctx, userId)
-  	if err == nil {
-  		ctx = context.WithValue(ctx, web.ContextKeyRequestor, user)
-  	}
-  }
+	userId := request.Header.Get("x-user-id")
+	if userId != "" {
+		ctx = context.WithValue(ctx, web.ContextKeyRequestorId, userId)
+		user, err := proc.userstore.GetUser(ctx, userId)
+		if err == nil {
+			ctx = context.WithValue(ctx, web.ContextKeyRequestor, user)
+		}
+	}
 
-  return ctx, statusCode, err
+	return ctx, statusCode, err
 }
-
diff --git a/server/modules/kratos/kratospreprocessor_test.go b/server/modules/kratos/kratospreprocessor_test.go
index 2f99f7a5..d8390191 100644
--- a/server/modules/kratos/kratospreprocessor_test.go
+++ b/server/modules/kratos/kratospreprocessor_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratosuser.go b/server/modules/kratos/kratosuser.go
index 3217c3f6..d64900a9 100644
--- a/server/modules/kratos/kratosuser.go
+++ b/server/modules/kratos/kratosuser.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratosuser_test.go b/server/modules/kratos/kratosuser_test.go
index f290f338..ddf6a95a 100644
--- a/server/modules/kratos/kratosuser_test.go
+++ b/server/modules/kratos/kratosuser_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratosuserstore.go b/server/modules/kratos/kratosuserstore.go
index f872a34c..1169aa47 100644
--- a/server/modules/kratos/kratosuserstore.go
+++ b/server/modules/kratos/kratosuserstore.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/kratos/kratosuserstore_test.go b/server/modules/kratos/kratosuserstore_test.go
index 3533f192..8faac2c0 100644
--- a/server/modules/kratos/kratosuserstore_test.go
+++ b/server/modules/kratos/kratosuserstore_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/modules.go b/server/modules/modules.go
index 9ba59b81..cf353675 100644
--- a/server/modules/modules.go
+++ b/server/modules/modules.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/modules_test.go b/server/modules/modules_test.go
index f7a312ee..960dfae0 100644
--- a/server/modules/modules_test.go
+++ b/server/modules/modules_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/sostatus/sostatus.go b/server/modules/sostatus/sostatus.go
index e45a8d08..c627c002 100644
--- a/server/modules/sostatus/sostatus.go
+++ b/server/modules/sostatus/sostatus.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/sostatus/sostatus_test.go b/server/modules/sostatus/sostatus_test.go
index 7f6c1858..9d95b41c 100644
--- a/server/modules/sostatus/sostatus_test.go
+++ b/server/modules/sostatus/sostatus_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/statickeyauth/statickeyauth.go b/server/modules/statickeyauth/statickeyauth.go
index 24240c59..0ccca824 100644
--- a/server/modules/statickeyauth/statickeyauth.go
+++ b/server/modules/statickeyauth/statickeyauth.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/statickeyauth/statickeyauth_test.go b/server/modules/statickeyauth/statickeyauth_test.go
index 47b831e4..b136662c 100644
--- a/server/modules/statickeyauth/statickeyauth_test.go
+++ b/server/modules/statickeyauth/statickeyauth_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/statickeyauth/statickeyauthimpl.go b/server/modules/statickeyauth/statickeyauthimpl.go
index 3bd76025..013deeea 100644
--- a/server/modules/statickeyauth/statickeyauthimpl.go
+++ b/server/modules/statickeyauth/statickeyauthimpl.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/statickeyauth/statickeyauthimpl_test.go b/server/modules/statickeyauth/statickeyauthimpl_test.go
index c5702455..9ac1685c 100644
--- a/server/modules/statickeyauth/statickeyauthimpl_test.go
+++ b/server/modules/statickeyauth/statickeyauthimpl_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/staticrbac/staticrbac.go b/server/modules/staticrbac/staticrbac.go
index a2229880..99783497 100644
--- a/server/modules/staticrbac/staticrbac.go
+++ b/server/modules/staticrbac/staticrbac.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/staticrbac/staticrbac_test.go b/server/modules/staticrbac/staticrbac_test.go
index daf3cec0..93d855ac 100644
--- a/server/modules/staticrbac/staticrbac_test.go
+++ b/server/modules/staticrbac/staticrbac_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/staticrbac/staticrbacauthorizer.go b/server/modules/staticrbac/staticrbacauthorizer.go
index 2e5318b8..07af073c 100644
--- a/server/modules/staticrbac/staticrbacauthorizer.go
+++ b/server/modules/staticrbac/staticrbacauthorizer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/staticrbac/staticrbacauthorizer_test.go b/server/modules/staticrbac/staticrbacauthorizer_test.go
index f5439f84..8dc67586 100644
--- a/server/modules/staticrbac/staticrbacauthorizer_test.go
+++ b/server/modules/staticrbac/staticrbacauthorizer_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehive.go b/server/modules/thehive/thehive.go
index 25c432af..7af0d14f 100644
--- a/server/modules/thehive/thehive.go
+++ b/server/modules/thehive/thehive.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehive_test.go b/server/modules/thehive/thehive_test.go
index 3ee37d7b..6be769e9 100644
--- a/server/modules/thehive/thehive_test.go
+++ b/server/modules/thehive/thehive_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehivecase.go b/server/modules/thehive/thehivecase.go
index 32743a51..4c8171e7 100644
--- a/server/modules/thehive/thehivecase.go
+++ b/server/modules/thehive/thehivecase.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -9,33 +9,33 @@
 
 package thehive
 
-const CASE_STATUS_OPEN      = "Open"
-const CASE_STATUS_RESOLVED  = "Resolved"
-const CASE_STATUS_DELETED   = "Deleted"
-const CASE_TLP_WHITE  = 0
-const CASE_TLP_GREN   = 1
-const CASE_TLP_AMBER  = 2
-const CASE_TLP_RED    = 3
-const CASE_SEVERITY_LOW     = 1
-const CASE_SEVERITY_MEDIUM  = 2
-const CASE_SEVERITY_HIGH    = 3
+const CASE_STATUS_OPEN = "Open"
+const CASE_STATUS_RESOLVED = "Resolved"
+const CASE_STATUS_DELETED = "Deleted"
+const CASE_TLP_WHITE = 0
+const CASE_TLP_GREN = 1
+const CASE_TLP_AMBER = 2
+const CASE_TLP_RED = 3
+const CASE_SEVERITY_LOW = 1
+const CASE_SEVERITY_MEDIUM = 2
+const CASE_SEVERITY_HIGH = 3
 
 type TheHiveCase struct {
-  Id              int         `json:"caseId,omitempty"`
-  CreateDate      int64       `json:"createdAt,omitempty"`
-  StartDate       int64       `json:"startDate,omitempty"`
-  EndDate         int64       `json:"endDate,omitempty"`
-  Title           string      `json:"title"`
-  Description     string      `json:"description"`
-  Severity        int         `json:"severity"`
-  Status          string      `json:"status,omitempty"`
-  Tags            []string    `json:"tags"`
-  Tlp             int         `json:"tlp"`
-  Flag            bool        `json:"flag"`
-  Template        string      `json:"template"`
+  Id          int      `json:"caseId,omitempty"`
+  CreateDate  int64    `json:"createdAt,omitempty"`
+  StartDate   int64    `json:"startDate,omitempty"`
+  EndDate     int64    `json:"endDate,omitempty"`
+  Title       string   `json:"title"`
+  Description string   `json:"description"`
+  Severity    int      `json:"severity"`
+  Status      string   `json:"status,omitempty"`
+  Tags        []string `json:"tags"`
+  Tlp         int      `json:"tlp"`
+  Flag        bool     `json:"flag"`
+  Template    string   `json:"template"`
 }
 
 func NewTheHiveCase() *TheHiveCase {
   newCase := &TheHiveCase{}
   return newCase
-}
\ No newline at end of file
+}
diff --git a/server/modules/thehive/thehivecasestore.go b/server/modules/thehive/thehivecasestore.go
index 1e4143cb..ea104b94 100644
--- a/server/modules/thehive/thehivecasestore.go
+++ b/server/modules/thehive/thehivecasestore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehivecasestore_test.go b/server/modules/thehive/thehivecasestore_test.go
index 2279f680..28060df9 100644
--- a/server/modules/thehive/thehivecasestore_test.go
+++ b/server/modules/thehive/thehivecasestore_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehiveconverter.go b/server/modules/thehive/thehiveconverter.go
index 03054ce1..62ca5117 100644
--- a/server/modules/thehive/thehiveconverter.go
+++ b/server/modules/thehive/thehiveconverter.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/modules/thehive/thehiveconverter_test.go b/server/modules/thehive/thehiveconverter_test.go
index fb20fc40..7bebe4cd 100644
--- a/server/modules/thehive/thehiveconverter_test.go
+++ b/server/modules/thehive/thehiveconverter_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/nodehandler.go b/server/nodehandler.go
index fd8ed8dd..b65e3bd3 100644
--- a/server/nodehandler.go
+++ b/server/nodehandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/packethandler.go b/server/packethandler.go
index e3770a9e..13dc2a7c 100644
--- a/server/packethandler.go
+++ b/server/packethandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/queryhandler.go b/server/queryhandler.go
index 9724769d..7bd356c5 100644
--- a/server/queryhandler.go
+++ b/server/queryhandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/roleshandler.go b/server/roleshandler.go
index a2656730..f95b6593 100644
--- a/server/roleshandler.go
+++ b/server/roleshandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/rolestore.go b/server/rolestore.go
index e11e4655..e09fdaf5 100644
--- a/server/rolestore.go
+++ b/server/rolestore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/server.go b/server/server.go
index 2893637d..df8a0589 100644
--- a/server/server.go
+++ b/server/server.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/server_fake.go b/server/server_fake.go
index d99efbeb..8358b336 100644
--- a/server/server_fake.go
+++ b/server/server_fake.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/server_test.go b/server/server_test.go
index c9aa63a9..9c50d4f2 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/streamhandler.go b/server/streamhandler.go
index 7f43ed12..0f5812f8 100644
--- a/server/streamhandler.go
+++ b/server/streamhandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/userhandler.go b/server/userhandler.go
index 4a8a7f9c..64858bb2 100644
--- a/server/userhandler.go
+++ b/server/userhandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/usershandler.go b/server/usershandler.go
index 50720161..ba396730 100644
--- a/server/usershandler.go
+++ b/server/usershandler.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/server/userstore.go b/server/userstore.go
index 75f98e4b..55aec3e7 100644
--- a/server/userstore.go
+++ b/server/userstore.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/basehandler.go b/web/basehandler.go
index b37ef7e3..e004f3af 100644
--- a/web/basehandler.go
+++ b/web/basehandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/basehandler_test.go b/web/basehandler_test.go
index 3e60a6f3..e19d53a5 100644
--- a/web/basehandler_test.go
+++ b/web/basehandler_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/basepreprocessor.go b/web/basepreprocessor.go
index e7bb1a96..f1621f5f 100644
--- a/web/basepreprocessor.go
+++ b/web/basepreprocessor.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/basepreprocessor_test.go b/web/basepreprocessor_test.go
index 8f5cc85b..e1ccda15 100644
--- a/web/basepreprocessor_test.go
+++ b/web/basepreprocessor_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 Security Onion Solutions. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/client.go b/web/client.go
index e515afe9..7924d787 100644
--- a/web/client.go
+++ b/web/client.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/client_test.go b/web/client_test.go
index c9adc830..fac12db4 100644
--- a/web/client_test.go
+++ b/web/client_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/connection.go b/web/connection.go
index bcaeaf74..c8a0af57 100644
--- a/web/connection.go
+++ b/web/connection.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,20 +11,20 @@
 package web
 
 import (
-  "time"
   "github.com/gorilla/websocket"
+  "time"
 )
 
 type Connection struct {
-  websocket     *websocket.Conn
-  lastPingTime  time.Time
-  ip            string
-} 
+  websocket    *websocket.Conn
+  lastPingTime time.Time
+  ip           string
+}
 
 func NewConnection(wsConn *websocket.Conn, ip string) *Connection {
   conn := &Connection{
     websocket: wsConn,
-    ip: ip,
+    ip:        ip,
   }
   conn.UpdatePingTime()
   return conn
@@ -36,4 +36,4 @@ func (connection *Connection) IsAuthorized(kind string) bool {
 
 func (connection *Connection) UpdatePingTime() {
   connection.lastPingTime = time.Now()
-}
\ No newline at end of file
+}
diff --git a/web/connection_test.go b/web/connection_test.go
index 09004585..ad40eb8e 100644
--- a/web/connection_test.go
+++ b/web/connection_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/host.go b/web/host.go
index 54df6e2c..92cf21a4 100644
--- a/web/host.go
+++ b/web/host.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -13,14 +13,14 @@ package web
 import (
   "context"
   "errors"
+  "github.com/apex/log"
+  "github.com/gorilla/websocket"
   "net/http"
   "reflect"
   "sort"
   "strconv"
   "sync"
   "time"
-  "github.com/apex/log"
-  "github.com/gorilla/websocket"
 )
 
 type HostHandler interface {
@@ -33,25 +33,25 @@ type Preprocessor interface {
 }
 
 type Host struct {
-  preprocessors             []Preprocessor
-  bindAddress	              string
-  htmlDir			              string
-  idleConnectionTimeoutMs   int
-  server    	              *http.Server
-  running			              bool
-  Version			              string
-  connections               []*Connection
-  lock				              sync.Mutex
+  preprocessors           []Preprocessor
+  bindAddress             string
+  htmlDir                 string
+  idleConnectionTimeoutMs int
+  server                  *http.Server
+  running                 bool
+  Version                 string
+  connections             []*Connection
+  lock                    sync.Mutex
 }
 
 func NewHost(address string, htmlDir string, timeoutMs int, version string) *Host {
-  host := &Host {
-    preprocessors: make([]Preprocessor, 0),
-    running: false,
-    bindAddress: address,
-    htmlDir: htmlDir,
+  host := &Host{
+    preprocessors:           make([]Preprocessor, 0),
+    running:                 false,
+    bindAddress:             address,
+    htmlDir:                 htmlDir,
     idleConnectionTimeoutMs: timeoutMs,
-    Version: version,
+    Version:                 version,
   }
   err := host.AddPreprocessor(NewBasePreprocessor())
   if err != nil {
@@ -102,17 +102,17 @@ func (host *Host) IsRunning() bool {
 }
 
 func (host *Host) AddConnection(wsConn *websocket.Conn, ip string) *Connection {
-  host.lock.Lock();
+  host.lock.Lock()
   defer host.lock.Unlock()
 
   conn := NewConnection(wsConn, ip)
-  host.connections = append(host.connections, conn);
+  host.connections = append(host.connections, conn)
   log.WithField("Connections", len(host.connections)).Debug("Added WebSocket connection")
   return conn
 }
 
 func (host *Host) RemoveConnection(wsConn *websocket.Conn) {
-  host.lock.Lock();
+  host.lock.Lock()
   defer host.lock.Unlock()
   remaining := make([]*Connection, 0)
   for _, connection := range host.connections {
@@ -128,29 +128,29 @@ func (host *Host) Broadcast(kind string, obj interface{}) {
   host.lock.Lock()
   defer host.lock.Unlock()
   msg := &WebSocketMessage{
-    Kind: kind,
+    Kind:   kind,
     Object: obj,
   }
   for _, connection := range host.connections {
-    if (connection.IsAuthorized(kind)) {
-      log.WithFields(log.Fields {
-        "kind": kind,
+    if connection.IsAuthorized(kind) {
+      log.WithFields(log.Fields{
+        "kind":       kind,
         "remoteAddr": connection.websocket.RemoteAddr().String(),
-        "sourceIp": connection.ip,
+        "sourceIp":   connection.ip,
       }).Debug("Broadcasting message to WebSocket connection")
       connection.websocket.WriteJSON(msg)
     } else {
-      log.WithFields(log.Fields {
-        "kind": kind,
+      log.WithFields(log.Fields{
+        "kind":       kind,
         "remoteAddr": connection.websocket.RemoteAddr().String(),
-        "sourceIp": connection.ip,
+        "sourceIp":   connection.ip,
       }).Debug("Skipping broadcast due to insufficient authorization")
     }
   }
 }
 
 func (host *Host) pruneConnections() {
-  host.lock.Lock();
+  host.lock.Lock()
   defer host.lock.Unlock()
 
   activeConnections := make([]*Connection, 0)
@@ -163,9 +163,9 @@ func (host *Host) pruneConnections() {
     }
   }
 
-  log.WithFields(log.Fields {
+  log.WithFields(log.Fields{
     "before": len(host.connections),
-    "after": len(activeConnections),
+    "after":  len(activeConnections),
   }).Debug("Prune connections complete")
 
   host.connections = activeConnections
@@ -179,9 +179,9 @@ func (host *Host) manageConnections(sleepDuration time.Duration) {
 }
 
 func (host *Host) AddPreprocessor(preprocessor Preprocessor) error {
-  log.WithFields(log.Fields {
+  log.WithFields(log.Fields{
     "priority": preprocessor.PreprocessPriority(),
-    "type": reflect.TypeOf(preprocessor).String(),
+    "type":     reflect.TypeOf(preprocessor).String(),
   }).Info("Adding new preprocessor")
 
   unsortedMap := make(map[int]Preprocessor)
@@ -205,9 +205,9 @@ func (host *Host) AddPreprocessor(preprocessor Preprocessor) error {
 
   for _, priority := range priorities {
     preprocessor := unsortedMap[priority]
-    log.WithFields(log.Fields {
+    log.WithFields(log.Fields{
       "priority": preprocessor.PreprocessPriority(),
-      "type": reflect.TypeOf(preprocessor).String(),
+      "type":     reflect.TypeOf(preprocessor).String(),
     }).Debug("Prioritized preprocessor")
     sortedList = append(sortedList, preprocessor)
   }
@@ -231,9 +231,9 @@ func (host *Host) Preprocess(ctx context.Context, req *http.Request) (context.Co
   var err error
 
   for _, preprocessor := range host.preprocessors {
-    log.WithFields(log.Fields {
+    log.WithFields(log.Fields{
       "priority": preprocessor.PreprocessPriority(),
-      "type": reflect.TypeOf(preprocessor).String(),
+      "type":     reflect.TypeOf(preprocessor).String(),
     }).Debug("Preprocessing request")
     ctx, statusCode, err = preprocessor.Preprocess(ctx, req)
     if err != nil {
@@ -241,4 +241,4 @@ func (host *Host) Preprocess(ctx context.Context, req *http.Request) (context.Co
     }
   }
   return ctx, statusCode, err
-}
\ No newline at end of file
+}
diff --git a/web/host_test.go b/web/host_test.go
index c202d415..d1b5b91d 100644
--- a/web/host_test.go
+++ b/web/host_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/websockethandler.go b/web/websockethandler.go
index a920dd4c..2cfbd93c 100644
--- a/web/websockethandler.go
+++ b/web/websockethandler.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -12,22 +12,22 @@ package web
 
 import (
   "context"
-	"errors"
-	"net/http"
+  "errors"
   "github.com/apex/log"
   "github.com/gorilla/websocket"
   "github.com/security-onion-solutions/securityonion-soc/json"
+  "net/http"
 )
 
 type WebSocketHandler struct {
-	BaseHandler
+  BaseHandler
 }
 
 func NewWebSocketHandler(host *Host) *WebSocketHandler {
-	handler := &WebSocketHandler {}
-	handler.Host = host
-	handler.Impl = handler
-	return handler
+  handler := &WebSocketHandler{}
+  handler.Host = host
+  handler.Impl = handler
+  return handler
 }
 
 func (webSocketHandler *WebSocketHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error) {
@@ -37,16 +37,16 @@ func (webSocketHandler *WebSocketHandler) HandleNow(ctx context.Context, writer
   if err != nil {
     log.WithError(err).WithFields(log.Fields{
       "remoteAddr": request.RemoteAddr,
-      "sourceIp": ip,
-      "path": request.URL.Path,
+      "sourceIp":   ip,
+      "path":       request.URL.Path,
     }).Warn("Failed to upgrade websocket")
     return http.StatusBadRequest, nil, errors.New("Unable to upgrade request to websocket")
   }
 
   log.WithFields(log.Fields{
     "remoteAddr": request.RemoteAddr,
-    "sourceIp": ip,
-    "path": request.URL.Path,
+    "sourceIp":   ip,
+    "path":       request.URL.Path,
   }).Info("WebSocket connected")
   conn := webSocketHandler.Host.AddConnection(connection, ip)
 
@@ -58,10 +58,10 @@ func (webSocketHandler *WebSocketHandler) HandleNow(ctx context.Context, writer
     }
     log.WithFields(log.Fields{
       "remoteAddr": request.RemoteAddr,
-      "sourceIp": ip,
-      "path": request.URL.Path,
-      "msg": string(messageBytes),
-      "type": messageType,
+      "sourceIp":   ip,
+      "path":       request.URL.Path,
+      "msg":        string(messageBytes),
+      "type":       messageType,
     }).Info("WebSocket message received")
 
     msg := &WebSocketMessage{}
@@ -70,15 +70,15 @@ func (webSocketHandler *WebSocketHandler) HandleNow(ctx context.Context, writer
   }
   log.WithFields(log.Fields{
     "remoteAddr": request.RemoteAddr,
-    "sourceIp": ip,
-    "path": request.URL.Path,
+    "sourceIp":   ip,
+    "path":       request.URL.Path,
   }).Info("WebSocket disconnected")
   webSocketHandler.Host.RemoveConnection(connection)
-	return http.StatusOK, nil, nil
+  return http.StatusOK, nil, nil
 }
 
 func (webSocketHandler *WebSocketHandler) handleMessage(msg *WebSocketMessage, conn *Connection) {
   if msg.Kind == "Ping" {
-    conn.UpdatePingTime();
+    conn.UpdatePingTime()
   }
-}
\ No newline at end of file
+}
diff --git a/web/websockethandler_test.go b/web/websockethandler_test.go
index 76534ed4..fb2d9bf3 100644
--- a/web/websockethandler_test.go
+++ b/web/websockethandler_test.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
diff --git a/web/websocketmessage.go b/web/websocketmessage.go
index b324e0b3..51bacab2 100644
--- a/web/websocketmessage.go
+++ b/web/websocketmessage.go
@@ -1,5 +1,5 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
-// Copyright 2020-2021 Security Onion Solutions, LLC. All rights reserved.
+// Copyright 2020-2022 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
@@ -11,6 +11,6 @@
 package web
 
 type WebSocketMessage struct {
-  Kind		string
-  Object	interface{}
+  Kind   string
+  Object interface{}
 }

From 18bc2b231740a09af2d4ec9c849cec4b35074f77 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 21 Jan 2022 12:54:29 -0500
Subject: [PATCH 91/98] Add css for markdown tables

---
 html/css/app.css | 43 +++++++++++++++++++++++++++++++++++++++++++
 html/index.html  |  2 +-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/html/css/app.css b/html/css/app.css
index f00381f5..d8f44e15 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -293,6 +293,49 @@ td {
   margin: 8px 0;
 }
 
+.markdown-body table {
+  border-collapse: collapse;
+  margin: 8px 0 24px 0;
+  text-align: left;
+}
+
+.markdown-body td,
+.markdown-body th {
+  padding: 8px;
+}
+ 
+.theme--dark.v-application .markdown-body td,
+.theme--dark.v-application  .markdown-body th {
+  border: 1px solid hsla(0,0%,100%,.1);
+}
+
+.theme--light.v-application .markdown-body td,
+.theme--light.v-application  .markdown-body th {
+  border: 1px solid rgba(0,0,0,.2);
+}
+
+.theme--dark.v-application .markdown-body tr:nth-child(even) {
+  background-color: hsla(0,0%,100%,.05);
+}
+
+.theme--light.v-application .markdown-body tr:nth-child(even) {
+  background-color: rgba(0,0,0,.05);
+}
+
+.markdown-body th {
+  background-color: rgba(0,0,0,.1);
+}
+
+/* motd background is darker, so some markdown table colors need to be different */
+.theme--dark.v-application #motd.markdown-body th {
+  background-color: rgba(0,0,0,.25);
+}
+
+.theme--light.v-application  #motd.markdown-body th {
+  background-color: rgba(0,0,0,.1);
+}
+
+
 .theme--dark.v-application .comment-body .markdown-body {
   background-color: rgba(0,0,0,.2);
 }
diff --git a/html/index.html b/html/index.html
index 98085450..42dd14fc 100644
--- a/html/index.html
+++ b/html/index.html
@@ -259,7 +259,7 @@ <h2 v-text="i18n.home"></h2>
         </v-row>
         <v-row>
           <v-col class="mx-auto px-12">
-            <div id="motd" :inner-html.prop="motd | formatMarkdown"></div>
+            <div id="motd" class="markdown-body" :inner-html.prop="motd | formatMarkdown"></div>
           </v-col>
           <v-col class="mx-auto text-center">
             <div v-html="i18n.sponsorsIntro" class="mb-6"></div>

From 631ac21b146d005e0569d5bd02f5843248e3aa4a Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 21 Jan 2022 17:36:16 -0500
Subject: [PATCH 92/98] Fix css for markdown code block

Also add margin for headers
---
 html/css/app.css | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index d8f44e15..eba65450 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -295,7 +295,7 @@ td {
 
 .markdown-body table {
   border-collapse: collapse;
-  margin: 8px 0 24px 0;
+  margin: 8px 0 1px 0;
   text-align: left;
 }
 
@@ -303,6 +303,15 @@ td {
 .markdown-body th {
   padding: 8px;
 }
+
+.markdown-body h1, 
+.markdown-body h2, 
+.markdown-body h3,
+.markdown-body h4, 
+.markdown-body h5, 
+.markdown-body h6 {
+  margin: 8px 0 8px 0;
+}
  
 .theme--dark.v-application .markdown-body td,
 .theme--dark.v-application  .markdown-body th {
@@ -345,13 +354,14 @@ td {
 }
 
 .markdown-body pre {
-  overflow-x: scroll;
+  overflow-x: auto;
+  padding: 0.5em 0.7em !important;
 }
 
 .v-application .markdown-body pre code {
   display: block;
   background-color: revert !important;
-  padding: 0.25 !important;
+  padding: 0 !important;
 }
 
 .theme--light.v-application .markdown-body pre {

From c2c518166783c8ad533d4dc95ab441c129f01b31 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Mon, 24 Jan 2022 14:28:36 -0500
Subject: [PATCH 93/98] Fix avatar font color in light mode; ensure avatar
 shows up consistently in footer of all associated dropdowns

---
 html/index.html | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/html/index.html b/html/index.html
index 42dd14fc..4bdd6618 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1344,7 +1344,7 @@ <h2>{{ i18n.description }}</h2>
                               </div>
                               <div class="d-flex flex-column flex-sm-row align-sm-center align-self-end text-body-2">
                                 <div class="d-inline-flex align-center mr-1">
-                                  <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex">
+                                  <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
                                     <div class="case avatar-font" :title="comment.owner">
                                       {{ $root.getAvatar(comment.owner) }}
                                     </div>
@@ -1381,7 +1381,7 @@ <h2>{{ i18n.description }}</h2>
                       <div class="mt-1 mt-md-3 pb-3 pt-1 contrast-bg rounded rounded-md" style="width: 100%;">
                         <div class="d-flex flex-column align-start">
                           <div class="d-inline-flex align-center mt-3 mx-2 mb-4">
-                            <v-avatar color="primary" size="28" class="mr-2">
+                            <v-avatar color="primary" size="28" class="mr-2 white--text">
                               <div class="font-weight-bold" :title="$root.username">
                               {{ $root.getAvatar($root.username) }}
                               </div>
@@ -1434,7 +1434,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                         <div class="d-flex flex-column" style="width: 100%;">
                         <div class="mb-2">
                           <div class="d-inline-flex align-center mb-3">
-                            <v-avatar color="primary" size="28" class="mr-2">
+                            <v-avatar color="primary" size="28" class="mr-2 white--text">
                               <div class="font-weight-bold" :title="$root.username">
                               {{ $root.getAvatar($root.username) }}
                               </div>
@@ -1594,6 +1594,11 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
 
                           <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
                             <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
                             <div class="mr-1">
                               {{ props.item.owner }}
                             </div>
@@ -1644,7 +1649,7 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                         <div class="d-flex flex-column" style="width: 100%;">
                         <div class="mb-2">
                           <div class="d-inline-flex align-center mb-3">
-                            <v-avatar color="primary" size="28" class="mr-2">
+                            <v-avatar color="primary" size="28" class="mr-2 white--text">
                               <div class="font-weight-bold" :title="$root.username">
                               {{ $root.getAvatar($root.username) }}
                               </div>
@@ -1826,6 +1831,11 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
 
                           <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
                             <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
                             <div class="mr-1">
                               {{ props.item.owner }}
                             </div>
@@ -1908,6 +1918,11 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
 
                           <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
                             <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
                             <div class="mr-1">
                               {{ props.item.owner }}
                             </div>
@@ -1958,7 +1973,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                           </v-btn>
                         </td>
                         <td class="associated">
-                          <v-avatar color="primary" class="mr-1" size="32">
+                          <v-avatar color="primary" class="mr-2 white--text" size="28">
                             <div class="font-weight-bold" :title="props.item.owner">
                               {{ $root.getAvatar(props.item.owner) }}
                             </div>
@@ -2185,6 +2200,11 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
 
                           <div class="d-flex flex-column flex-sm-row align-end align-sm-center align-self-end text-body-2">
                             <v-spacer/>
+                            <v-avatar color="primary" size="24" class="mr-2 d-none d-sm-inline-flex white--text">
+                              <div class="case avatar-font" :title="props.item.owner">
+                                {{ $root.getAvatar(props.item.owner) }}
+                              </div>
+                            </v-avatar>
                             <div class="mr-1">
                               {{ props.item.owner }}
                             </div>

From 53398d65f2ac38be8bca13b8bddf18dcb9cf4e98 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 25 Jan 2022 13:25:06 -0500
Subject: [PATCH 94/98] Ensure error and warning messages are visible to the
 user without the need to scroll up

---
 html/index.html | 18 ++++++++++++++++--
 html/js/app.js  |  2 ++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/html/index.html b/html/index.html
index 4bdd6618..41e6a9bc 100644
--- a/html/index.html
+++ b/html/index.html
@@ -209,8 +209,22 @@
         <v-overlay id="loading" :value="loading">
           <v-progress-circular indeterminate color="primary" width="2" size="64"></v-progress-circular>
         </v-overlay>
-        <v-alert dismissible type="error" icon="fa-exclamation-triangle" v-model="error" transition="scale-transition" v-text="errorMessage"></v-alert>
-        <v-alert dismissible type="warning" icon="fa-exclamation" v-model="warning" transition="scale-transition" v-text="warningMessage"></v-alert>
+        <v-snackbar id="error" top centered rounded close :timeout="errorTimeout" v-model="error" color="error">
+          <template v-slot:action="{ attrs }">
+            <v-btn icon small v-bind="attrs" @click="error = false">
+              <v-icon>fa-times</v-icon>
+            </v-btn>
+          </template>
+          {{ errorMessage }}
+        </v-snackbar>
+        <v-snackbar id="warning" top centered rounded close :timeout="warningTimeout" v-model="warning" color="warning">
+          <template v-slot:action="{ attrs }">
+            <v-btn icon small v-bind="attrs" @click="warning = false">
+              <v-icon>fa-times</v-icon>
+            </v-btn>
+          </template>
+          {{ warningMessage }}
+        </v-snackbar>
         <v-alert dismissible type="info" icon="fa-info" v-model="info" transition="scale-transition" v-text="infoMessage"></v-alert>
         <v-snackbar id="tip" top centered rounded close :timeout="tipTimeout" v-model="tip" color="info">
           <template v-slot:action="{ attrs }">
diff --git a/html/js/app.js b/html/js/app.js
index 6a402270..9461251b 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -54,6 +54,8 @@ $(document).ready(function() {
       infoMessage: "",
       tipMessage: "",
       tipTimeout: 6000,
+      warningTimeout: 30000,
+      errorTimeout: 120000,
       toolbar: null,
       wsUrl: (location.protocol == 'https:' ?  'wss://' : 'ws://') + location.host + location.pathname + 'ws',
       apiUrl: location.origin + location.pathname + 'api/',

From 8544a41d1a7aed1d57216c95b64e869972cc934a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 26 Jan 2022 09:27:02 -0500
Subject: [PATCH 95/98] Match login footer style with main footer style

---
 html/login/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/login/index.html b/html/login/index.html
index f058488e..77f7ed65 100644
--- a/html/login/index.html
+++ b/html/login/index.html
@@ -41,7 +41,7 @@
       </v-main>
       <v-footer app inset>
         <v-spacer></v-spacer>
-        <span class="center overline text-no-wrap">
+        <span class="center text-no-wrap">
           &copy; {{ new Date().getFullYear() }} <a class="footer" target="sos" href="https://securityonionsolutions.com/">Security Onion Solutions, LLC</a>
         </span>
         <v-spacer></v-spacer>

From dedbedfec8338d64c1bc712bd5e7a76b41ce0865 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 26 Jan 2022 10:45:19 -0500
Subject: [PATCH 96/98] Abandon experiment of storing related events as ECS
 compliant fields

---
 model/case.go                                 |  2 +-
 server/modules/elastic/converter.go           | 22 ++-----------------
 server/modules/elastic/converter_test.go      | 15 +------------
 .../modules/elastic/elasticcasestore_test.go  |  2 +-
 4 files changed, 5 insertions(+), 36 deletions(-)

diff --git a/model/case.go b/model/case.go
index da7ff98e..a65f6c73 100644
--- a/model/case.go
+++ b/model/case.go
@@ -82,7 +82,7 @@ func NewComment() *Comment {
 type RelatedEvent struct {
   Auditable
   CaseId string                 `json:"caseId"`
-  Fields map[string]interface{} `json:"fields,omitempty"`
+  Fields map[string]interface{} `json:"fields"`
 }
 
 func NewRelatedEvent() *RelatedEvent {
diff --git a/server/modules/elastic/converter.go b/server/modules/elastic/converter.go
index 2da4c630..541f5753 100644
--- a/server/modules/elastic/converter.go
+++ b/server/modules/elastic/converter.go
@@ -488,12 +488,8 @@ func convertElasticEventToRelatedEvent(event *model.EventRecord, schemaPrefix st
 		if err == nil {
 			obj.Fields = make(map[string]interface{})
 			for key, value := range event.Payload {
-
-				// The following logic unwinds the complications caused by the special treatment
-				// of related events performed by sibling function convertObjectToDocumentMap().
-				if !strings.HasPrefix(key, "@") &&
-					!strings.HasPrefix(key, "_") &&
-					!strings.HasPrefix(key, schemaPrefix) {
+				if strings.HasPrefix(key, schemaPrefix+"related.fields.") {
+					key = strings.TrimPrefix(key, schemaPrefix+"related.fields.")
 					obj.Fields[key] = value
 				}
 			}
@@ -659,20 +655,6 @@ func convertFromElasticUpdateResults(store *ElasticEventstore, esJson string, re
 func convertObjectToDocumentMap(name string, obj interface{}, schemaPrefix string) map[string]interface{} {
 	doc := make(map[string]interface{})
 	doc[schemaPrefix+name] = obj
-
-	switch name {
-	case "related":
-		// Related events have special handling in order to coerce the original event fields
-		// back to the root of the document. This is needed to re-use existing field mappings
-		related := obj.(*model.RelatedEvent)
-		for k, v := range related.Fields {
-			doc[k] = v
-		}
-
-		// Wipe out fields to avoid duplicating data
-		related.Fields = make(map[string]interface{})
-	}
-
 	doc["@timestamp"] = time.Now()
 	return doc
 }
diff --git a/server/modules/elastic/converter_test.go b/server/modules/elastic/converter_test.go
index c047911a..5bd257d1 100644
--- a/server/modules/elastic/converter_test.go
+++ b/server/modules/elastic/converter_test.go
@@ -258,19 +258,6 @@ func TestConvertObjectToDocumentMap(tester *testing.T) {
 	assert.NotNil(tester, actual["@timestamp"])
 }
 
-func TestConvertObjectToDocumentMapRelatedEvent(tester *testing.T) {
-	related := model.NewRelatedEvent()
-	related.UserId = "123"
-	related.Fields["foo"] = "bar"
-	actual := convertObjectToDocumentMap("related", related, DEFAULT_CASE_SCHEMA_PREFIX)
-	assert.NotNil(tester, actual)
-	assert.Equal(tester, "bar", actual["foo"])
-	assert.Equal(tester, "123", actual["so_related"].(*model.RelatedEvent).UserId)
-	assert.Nil(tester, actual["so_related.fields.foo"])
-	assert.Len(tester, related.Fields, 0)
-	assert.NotNil(tester, actual["@timestamp"])
-}
-
 func TestConvertToElasticIndexRequest(tester *testing.T) {
 	store := NewTestStore()
 	event := make(map[string]interface{})
@@ -524,7 +511,7 @@ func TestConvertElasticEventToRelatedEvent(tester *testing.T) {
 	event.Payload = make(map[string]interface{})
 	event.Payload["so_kind"] = "related"
 	event.Payload["so_operation"] = "create"
-	event.Payload["foo"] = "bar"
+	event.Payload["so_related.fields.foo"] = "bar"
 	event.Payload["so_related.userId"] = "myUserId"
 	event.Payload["so_related.caseId"] = "myCaseId"
 	event.Time = myTime
diff --git a/server/modules/elastic/elasticcasestore_test.go b/server/modules/elastic/elasticcasestore_test.go
index ff093893..7e55d6bf 100644
--- a/server/modules/elastic/elasticcasestore_test.go
+++ b/server/modules/elastic/elasticcasestore_test.go
@@ -925,7 +925,7 @@ func TestCreateRelatedEventAlreadyExists(tester *testing.T) {
 	// Mock the search for existing related events call
 	eventPayload := make(map[string]interface{})
 	eventPayload["so_kind"] = "related"
-	eventPayload["soc_id"] = "myEventId"
+	eventPayload["so_related.fields.soc_id"] = "myEventId"
 	elasticEvent := &model.EventRecord{
 		Payload: eventPayload,
 	}

From 5a863d64071df72d85fe633e4132effdfb8798b7 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 27 Jan 2022 15:35:41 -0500
Subject: [PATCH 97/98] Resolve performance issues when dealing with large
 quantities of associations per case

---
 config/clientparameters.go  |  5 ++-
 html/css/app.css            |  6 +++
 html/index.html             | 22 +++++++---
 html/js/app.js              |  2 +-
 html/js/i18n.js             |  3 ++
 html/js/routes/case.js      | 67 +++++++++++++++++++++++++-----
 html/js/routes/case.test.js | 83 ++++++++++++++++++++++++++++++++++++-
 7 files changed, 167 insertions(+), 21 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 57465eb7..367a18f7 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -145,8 +145,9 @@ type PresetParameters struct {
 }
 
 type CaseParameters struct {
-	MostRecentlyUsedLimit int                         `json:"mostRecentlyUsedLimit"`
-	Presets               map[string]PresetParameters `json:"presets"`
+	MostRecentlyUsedLimit  int                         `json:"mostRecentlyUsedLimit"`
+	RenderAbbreviatedCount int                         `json:"renderAbbreviatedCount"`
+	Presets                map[string]PresetParameters `json:"presets"`
 }
 
 func (params *CaseParameters) Verify() error {
diff --git a/html/css/app.css b/html/css/app.css
index d8f44e15..5abb86f5 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -113,6 +113,12 @@
   color: white !important;
 }
 
+.show-all {
+  padding: 10px;
+  border-top: 2px dotted;
+  border-bottom: 2px dotted;
+}
+
 /* Sensoroni-specific element styles */
 .hardwrap {
   word-wrap: break-word;
diff --git a/html/index.html b/html/index.html
index 41e6a9bc..41160fa5 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1328,7 +1328,7 @@ <h2>{{ i18n.description }}</h2>
                     </v-col>
                   </v-row>  
                   <div id="comment-list">
-                    <div v-for="(comment, index) in associations.comments" class="mb-8">
+                    <div v-for="(comment, index) in associations.comments" class="mb-8" v-if="shouldRenderAssociationRecord('comments', comment, index)">
                       <div class="d-flex flex-column align-start my-4">
                         <v-col class="d-flex flex-column align-start pt-2 pt-md-0">
                           <div class="mt-1 mt-md-3 pt-1 pb-2 px-2 contrast-bg rounded rounded-md" style="width: 100%;">
@@ -1387,7 +1387,15 @@ <h2>{{ i18n.description }}</h2>
                             </div>
                           </div>
                         </v-col> 
-                      </div>           
+                      </div>
+                      <div v-if="shouldRenderShowAll('comments', index)" class="d-flex-block justify-center my-4 show-all">
+                        <div class="d-flex justify-center">
+                          <div>{{ getUnrenderedCount('comments') }} {{ i18n.hidden }} {{ i18n.comments }}</div>
+                        </div>
+                        <div class="d-flex justify-center">
+                          <v-btn @click="renderAllAssociations('comments')">{{ i18n.showAll }}</v-btn>
+                        </div>
+                      </div>
                     </div>
                   </div>
                   <div class="d-flex flex-column align-start my-4">
@@ -1408,7 +1416,7 @@ <h3 class="text--primary">{{ i18n.commentAdd }}</h3>
                             </div>
                             <div class="mx-2">
                               <v-form ref="comments" v-model="associatedForms['comments'].valid" @submit.prevent>
-                                <v-textarea id="comment-input" solo flat hide-details="auto" rows="5" color="text--black" v-model="associatedForms['comments'].description" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
+                                <v-textarea id="comment-input" solo flat hide-details="auto" rows="5" color="text--black" :value="associatedForms['comments'].description" @change="val => associatedForms['comments'].description = val" :rules="[rules.required]" class="mb-1" persistent-hint :hint="i18n.commentDescriptionHelp"/>
                               </v-form>
                             </div>
                           </div>
@@ -1457,7 +1465,9 @@ <h3 class="text--primary">{{ i18n.attachmentAdd }}</h3>
                           </div>
                           <v-form ref="attachments" v-model="associatedForms['attachments'].valid" @submit.prevent>
                             <v-file-input id="attachments-file" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty]"/>
-                            <v-textarea id="attachments-description" rows="2" v-model="associatedForms['attachments'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-textarea id="attachments-description" rows="2"
+                            :value="associatedForms['attachments'].description" @change="val => associatedForms['attachments'].description = val"
+                            :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                             <v-select id="attachments-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
                             <v-combobox id="attachments-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['attachments'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
                             <v-select id="attachments-tags" v-if="!isPresetCustomEnabled('tags')" v-model="associatedForms['attachments'].tags" :items="selectList('tags')" persistent-hint :hint="i18n.caseTagsHelp" multiple>
@@ -1674,8 +1684,8 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                             <v-select id="evidence-type" v-if="!isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
                             <v-combobox id="evidence-type" v-if="isPresetCustomEnabled('artifactType')" v-model="associatedForms['evidence'].artifactType" :items="selectList('artifactType')" persistent-hint :hint="i18n.artifactTypeHelp"/>
                             <v-file-input id="evidence-value" v-if="associatedForms['evidence'].artifactType == 'file'" show-size v-model="attachment" persistent-hint :hint="getAttachmentHelp()" :rules="[rules.fileSizeLimit, rules.fileNotEmpty, rules.fileRequired]"/>
-                            <v-textarea id="evidence-value" v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" v-model="associatedForms['evidence'].value" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
-                            <v-textarea id="evidence-description" rows="2" v-model="associatedForms['evidence'].description" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
+                            <v-textarea id="evidence-value" v-if="associatedForms['evidence'].artifactType != 'file'" rows="2" :value="associatedForms['evidence'].value" @change="val => associatedForms['evidence'].value = val" :rules="[rules.required]" :placeholder="i18n.artifactValue" persistent-hint :hint="i18n.artifactValueHelp"/>
+                            <v-textarea id="evidence-description" rows="2" :value="associatedForms['evidence'].description" @change="val => associatedForms['evidence'].description = val" :placeholder="i18n.artifactDescription" persistent-hint :hint="i18n.artifactDescriptionHelp"/>
                             <v-checkbox id="evidence-ioc" v-model="associatedForms['evidence'].ioc" persistent-hint :hint="i18n.artifactIocHelp"/>
                             <v-select id="evidence-tlp" v-if="!isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
                             <v-combobox id="evidence-tlp" v-if="isPresetCustomEnabled('tlp')" v-model="associatedForms['evidence'].tlp" :items="selectList('tlp')" persistent-hint :hint="i18n.caseTlpHelp"/>
diff --git a/html/js/app.js b/html/js/app.js
index 9461251b..97501b0a 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -757,7 +757,7 @@ $(document).ready(function() {
         if (obj[idField] && obj[idField].length > 0) {
           const user = await this.$root.getUserById(obj[idField]);
           if (user) {
-            obj[outputField] = user.email;
+            Vue.set(obj, outputField, user.email);
           }
         }
       },
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 1c4f924e..dff92987 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -112,6 +112,7 @@ const i18n = {
       commentAdd: 'Add Comment',
       commentDescription: 'Comment',
       commentDescriptionHelp: 'Provide follow-up information to this case',
+      commentRequired: 'Comments cannot be empty.',
       completed: 'Completed',
       continue: 'Would you like to continue?',
       copyEventToClipboardAsJson: 'Copy full event as JSON',
@@ -239,6 +240,7 @@ const i18n = {
       help: 'Help',
       hex: 'HEX',
       hexHelp: 'Include hexadecimal representation of packet data',
+      hidden: 'Hidden',
       history: 'History',
       home: 'Overview',
       hours: 'hours',
@@ -370,6 +372,7 @@ const i18n = {
       sha1: 'SHA1',
       sha256: 'SHA256',
       share: 'Clipboard',
+      showAll: 'Show all...',
       'so-eval': 'Evaluation',
       'so-eval-keywords': 'Elastic, Elasticsearch, Fleet, Forward, Ingest, Manager, Master, Search, Sensor, Sensoroni, Soc, Stenographer, Web',
       'so-fleet': 'Fleet',
diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 63da744a..811ea71a 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -23,7 +23,6 @@ routes.push({ path: '/case/:id', name: 'case', component: {
   data() { return {
     i18n: this.$root.i18n,
     caseObj: {},
-    associationsLoading: false,
     associations: {
       comments: [],
       attachments: [],
@@ -34,6 +33,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     },
     associatedTable: {
       comments: {
+        showAll: false,
         sortBy: 'createTime',
         sortDesc: false,
         search: '',
@@ -156,6 +156,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     maxUploadSizeBytes: 26214400,
     addingAssociation: null,
     activeTab: null,
+    renderAbbreviatedCount: 30,
   }},
   computed: {
   },
@@ -182,6 +183,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
     initCase(params) {
       this.params = params;
       this.mruCaseLimit = params["mostRecentlyUsedLimit"];
+      this.renderAbbreviatedCount = params["renderAbbreviatedCount"];
       this.presets = params["presets"];
       if (params["maxUploadSizeBytes"]) {
         this.maxUploadSizeBytes = params.maxUploadSizeBytes;
@@ -234,22 +236,18 @@ routes.push({ path: '/case/:id', name: 'case', component: {
       }
       return name;
     },
-    async loadAssociations() {
-      this.associationsLoading = true;
-
+    loadAssociations() {
       this.reloadAssociation("comments");
       this.reloadAssociation("tasks");
       this.reloadAssociation("attachments");
       this.reloadAssociation("evidence");
       this.reloadAssociation("events");
       this.reloadAssociation("history");
-
-      this.associationsLoading = false;
     },
     async reloadAssociation(association, showLoadingIndicator = false) {
       if (showLoadingIndicator) this.$root.startLoading();
       this.associations[association] = [];
-      this.loadAssociation(association);
+      await this.loadAssociation(association);
       if (showLoadingIndicator) this.$root.stopLoading();
     },
     async loadAssociation(association) {
@@ -263,9 +261,13 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         if (response && response.data) {
           for (var idx = 0; idx < response.data.length; idx++) {
             const obj = response.data[idx];
-            await this.$root.populateUserDetails(obj, "userId", "owner");
+
+            // Don't await the user details -- takes too long for the task scheduler to
+            // complete all these futures when looping across hundreds of records. Let
+            // the UI update as they finish, for a better user experience.
+            this.$root.populateUserDetails(obj, "userId", "owner");
             if (obj.assigneeId) {
-              await this.$root.populateUserDetails(obj, "assigneeId", "assignee");
+              this.$root.populateUserDetails(obj, "assigneeId", "assignee");
             }
             obj.kind = this.$root.localizeMessage(this.mapAssociatedKind(obj));
             obj.operation = this.$root.localizeMessage(obj.operation);
@@ -292,6 +294,46 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         });
       }
     },
+    getUnrenderedCount(association) {
+      var hiddenCount = 0;
+      if (!this.associatedTable[association].showAll && this.renderAbbreviatedCount) {
+        const count = this.associations[association] ? this.associations[association].length : 0;
+        if (count > this.renderAbbreviatedCount) {
+          hiddenCount = count - this.renderAbbreviatedCount;
+        }
+      }
+      return hiddenCount;
+    },
+    renderAllAssociations(association) {
+      this.associatedTable[association].showAll = true;
+    },
+    shouldRenderShowAll(association, index) {
+      var render = false;
+      if (!this.associatedTable[association].showAll && this.renderAbbreviatedCount) {
+        const count = this.associations[association] ? this.associations[association].length : 0;
+        const lowerCutoff = Math.floor(this.renderAbbreviatedCount / 2);
+        if (count - this.renderAbbreviatedCount > lowerCutoff) {
+          if (index == lowerCutoff-1) {
+            render = true;
+          }
+        }
+      }
+      return render;
+    },
+    shouldRenderAssociationRecord(association, obj, index) {
+      var render = true;
+      if (!this.associatedTable[association].showAll && this.renderAbbreviatedCount) {      
+        const count = this.associations[association] ? this.associations[association].length : 0;
+        const lowerCutoff = Math.floor(this.renderAbbreviatedCount / 2);
+        if (count - this.renderAbbreviatedCount > lowerCutoff) {
+          const upperCutoff = count - lowerCutoff;
+          if (index >= lowerCutoff && index < upperCutoff) {
+            render = false;
+          }
+        }
+      }
+      return render;
+    },
     isExpanded(association, row) {
       const expanded = this.associatedTable[association].expanded;
       for (var i = 0; i < expanded.length; i++) {
@@ -378,7 +420,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
         }});
         this.userList = await this.$root.getUsers();
         await this.updateCaseDetails(response.data);
-        await this.loadAssociations();
+        this.loadAssociations();
       } catch (error) {
         if (error.response != undefined && error.response.status == 404) {
           this.$root.showError(this.i18n.notFound);
@@ -587,6 +629,11 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           form.tlp = this.getDefaultPreset('tlp');
           form.artifactType = this.getDefaultPreset('artifactType');
           break;
+        case "comments":
+          if (this.$refs) {
+            this.$refs[ref].reset();
+          }
+          break;
       }
       this.addingAssociation = null;
       Vue.set(this.associatedForms, ref, form)
diff --git a/html/js/routes/case.test.js b/html/js/routes/case.test.js
index d11e47b2..0886ed6d 100644
--- a/html/js/routes/case.test.js
+++ b/html/js/routes/case.test.js
@@ -132,7 +132,6 @@ test('loadAssociations', () => {
   expect(comp.loadAssociation).toHaveBeenCalledWith('evidence');
   expect(comp.loadAssociation).toHaveBeenCalledWith('events');
   expect(comp.loadAssociation).toHaveBeenCalledWith('history');
-  expect(comp.associationsLoading).toBe(false);
 });
 
 test('loadSingleAssociation', async () => {
@@ -156,7 +155,6 @@ test('loadSingleAssociation', async () => {
   expect(mock).toHaveBeenCalledWith('case/comments', params);
   expect(showErrorMock).toHaveBeenCalledTimes(0);
   expect(comp.associations['comments'].length).toBe(1);
-  expect(comp.associations['comments'][0].owner).toBe(fakeEmail);
   expect(comp.$root.loading).toBe(false);
 });
 
@@ -679,3 +677,84 @@ test('populateAddObservableForm', () => {
   expect(comp.associatedForms['evidence'].description).toBe('foo');
   expect(comp.associatedForms['evidence'].artifactType).toBe('ip');
 });
+
+test('getUnrenderedCount', () => {
+  // Empty list
+  expect(comp.getUnrenderedCount('comments')).toBe(0);
+
+  // Not quite enough to hide any
+  for (var i = 0; i < 30; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.getUnrenderedCount('comments')).toBe(0);
+
+  // Now some are hidden
+  for (var i = 0; i < 10; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.getUnrenderedCount('comments')).toBe(10);
+});
+
+test('renderAllAssociations', () => {
+  expect(comp.associatedTable['comments'].showAll).toBe(false);
+  comp.renderAllAssociations('comments');
+  expect(comp.associatedTable['comments'].showAll).toBe(true);
+});
+
+
+test('shouldRenderShowAll', () => {
+  // Empty list
+  expect(comp.shouldRenderShowAll('comments', 0)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 10)).toBe(false);
+
+  // Not quite enough to hide any
+  for (var i = 0; i < 30; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.shouldRenderShowAll('comments', 0)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 10)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 14)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 20)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 30)).toBe(false);
+
+  // Now some are hidden
+  for (var i = 0; i < 30; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.shouldRenderShowAll('comments', 0)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 10)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 14)).toBe(true);
+  expect(comp.shouldRenderShowAll('comments', 20)).toBe(false);
+  expect(comp.shouldRenderShowAll('comments', 30)).toBe(false);
+});
+
+test('shouldRenderAssociationRecord', () => {
+  // Empty list
+  expect(comp.shouldRenderAssociationRecord('comments', null, 0)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 10)).toBe(true);
+
+  // Not quite enough to hide any
+  for (var i = 0; i < 30; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.shouldRenderAssociationRecord('comments', null, 0)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 10)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 14)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 20)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 30)).toBe(true);
+
+  // Now some are hidden
+  for (var i = 0; i < 30; i++) {
+    comp.associations['comments'].push({id:i});
+  }
+  expect(comp.shouldRenderAssociationRecord('comments', null, 0)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 10)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 14)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 15)).toBe(false);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 20)).toBe(false);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 30)).toBe(false);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 44)).toBe(false);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 45)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 50)).toBe(true);
+  expect(comp.shouldRenderAssociationRecord('comments', null, 59)).toBe(true);
+});
\ No newline at end of file

From 074eb4a19cec2dc1e389943c32baa77b716386b7 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 27 Jan 2022 20:00:02 -0500
Subject: [PATCH 98/98] Ensure ref exists before resetting form

---
 html/js/routes/case.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/js/routes/case.js b/html/js/routes/case.js
index 811ea71a..cd827752 100644
--- a/html/js/routes/case.js
+++ b/html/js/routes/case.js
@@ -630,7 +630,7 @@ routes.push({ path: '/case/:id', name: 'case', component: {
           form.artifactType = this.getDefaultPreset('artifactType');
           break;
         case "comments":
-          if (this.$refs) {
+          if (this.$refs && this.$refs[ref]) {
             this.$refs[ref].reset();
           }
           break;