Merge dev to 2.4

alerts.rst

@@ -42,6 +42,8 @@ Query Bar
 
 The query bar defaults to ``Group By Name, Module`` which groups the alerts by ``rule.name`` and ``event.module``. You can click the dropdown box to select other queries which will group by other fields. If you want to send your current Alerts query to :ref:`hunt`, you can click the crosshair icon to the right of the query bar.
 
+If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.
+
 Time Picker
 -----------
 

cases.rst

@@ -31,6 +31,8 @@ The query bar defaults to Open Cases. Clicking the drop-down box reveals other o
 
 Under the query bar, you’ll notice colored bubbles that represent the individual components of the query and the fields to group by. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.
 
+If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.
+
 Time Picker
 -----------
 

dashboards.rst

@@ -55,6 +55,8 @@ Query Bar
 
 The easiest way to get started is to click the query drop down box and select one of the pre-defined dashboards. These pre-defined dashboards cover most of the major data types that you would expect to see in a Security Onion deployment: :ref:`nids` alerts from :ref:`suricata`, protocol metadata logs from :ref:`zeek` or :ref:`suricata`, endpoint logs, and firewall logs.
 
+Under the query bar, you’ll notice colored bubbles that represent the individual components of the query. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.
+
 If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.
 
 Time Picker

detections.rst

@@ -58,6 +58,8 @@ The query bar defaults to ``All Detections``. Clicking the drop-down box reveals
 
 Under the query bar, you’ll notice colored bubbles that represent the individual components of the query. If you want to remove part of the query, you can click the X in the corresponding bubble to remove it and run a new search.
 
+If you would like to save your own personal queries, you can bookmark them in your browser. If you would like to customize the default queries for all users, please see the :ref:`soc-customization` section.
+
 Group Metrics
 -------------
 

firewall.rst

@@ -82,7 +82,6 @@ Elastic Fleet nodes to Receiver nodes:
 
 - TCP/5056 - Logstash-to-Logstash for Elastic Agent data ingest
 
-
 Host Firewall
 -------------
 
@@ -100,10 +99,10 @@ You can configure the firewall by going to :ref:`administration` --> Configurati
 .. image:: images/config-item-firewall.png
   :target: _images/config-item-firewall.png
 
-If for some reason you can't access :ref:`soc`, you can use the so-firewall command to allow your IP address to connect (replacing ``<IP ADDRESS>`` with your actual IP address):
+If for some reason you can't access :ref:`soc` at all, you can use the so-firewall command to allow the IP address of your web browser to connect (replacing ``<IP ADDRESS>`` with the actual IP address of your web browser):
 ::
 
-    so-firewall includehost analyst <IP ADDRESS>
+        sudo so-firewall includehost analyst <IP ADDRESS>
 
 Reviewing Host Firewall
 -----------------------

kibana.rst

@@ -10,7 +10,11 @@ Authentication
 
 Log into Kibana using the same username and password that you use for :ref:`soc`. 
 
-You can add new user accounts to both Kibana and :ref:`soc` at the same time as shown in the :ref:`adding-accounts` section. Please note that if you instead create accounts directly in Kibana, then those accounts will only have access to Kibana and not :ref:`soc`.
+You can add new user accounts to both Kibana and :ref:`soc` at the same time as shown in the :ref:`adding-accounts` section. 
+
+.. warning::
+
+        If you create accounts directly in Kibana (rather than in SOC), then those accounts will NOT be able to log into SOC.
 
 Kibana Dashboards
 -----------------

post-installation.rst

@@ -3,6 +3,21 @@
 After Installation
 ==================
 
+Adjust firewall rules
+---------------------
+
+Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to :ref:`administration` --> Configuration --> firewall --> hostgroups.
+
+.. image:: images/config-item-firewall.png
+  :target: _images/config-item-firewall.png
+
+If for some reason you can't access :ref:`soc` at all, you can use the so-firewall command to allow the IP address of your web browser to connect (replacing ``<IP ADDRESS>`` with the actual IP address of your web browser):
+::
+
+        sudo so-firewall includehost analyst <IP ADDRESS>
+
+For more information, please see the :ref:`firewall` section.
+
 Services
 --------
 
@@ -21,14 +36,6 @@ You can also verify services are running from the command line with the :ref:`so
 
 	sudo so-status
 
-Adjust firewall rules
----------------------
-
-Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to make other adjustments to firewall rules, you can do so by going to :ref:`administration` --> Configuration --> firewall --> hostgroups.
-
-.. image:: images/config-item-firewall.png
-  :target: _images/config-item-firewall.png
-
 SSH
 ---
 

soc-customization.rst

@@ -52,11 +52,15 @@ The default timeout for user login sessions is 24 hours. This is a fixed timespa
 Custom Queries
 --------------
 
-If you'd like to add your own custom queries to :ref:`alerts`, :ref:`dashboards`, or :ref:`hunt`, you can go to :ref:`administration` --> Configuration --> soc --> server --> client and then select the specific app you'd like to modify.
+If you'd like to add your own custom queries to :ref:`alerts`, :ref:`cases`, :ref:`dashboards`, :ref:`detections` or :ref:`hunt`, you can go to :ref:`administration` --> Configuration --> soc --> config --> server --> client and then select the specific app you'd like to modify. 
+
+.. warning::
+
+        When you save your custom queries, SOC saves the entire list of queries (including our default queries included in the product). So if you update to a new version which includes new or updated default queries, you won't see the new or updated default queries since your custom query list is overriding the default.
 
 To see all available fields for your queries, go down to the Events table and then click the arrow to expand a row. It will show all of the individual fields from that particular event.
 
-For example, suppose you want to add GeoIP information like ``source.geo.region_iso_code`` or ``destination.geo.region_iso_code`` to :ref:`alerts`. You would go to :ref:`administration` --> Configuration --> soc --> server --> client --> alerts --> queries and insert the following line wherever you want it show up in the query list:
+For example, suppose you want to add GeoIP information like ``source.geo.region_iso_code`` or ``destination.geo.region_iso_code`` to :ref:`alerts`. You would go to :ref:`administration` --> Configuration --> soc --> config --> server --> client --> alerts --> queries and insert the following line wherever you want it show up in the query list:
 
 ::