diff --git a/Vagrant/resources/splunk_server/logger_dashboard.xml b/Vagrant/resources/splunk_server/logger_dashboard.xml
index 76eaab3..2e74211 100644
--- a/Vagrant/resources/splunk_server/logger_dashboard.xml
+++ b/Vagrant/resources/splunk_server/logger_dashboard.xml
@@ -1,164 +1,218 @@
 <dashboard theme="dark">
-    <label>Logger Dashboard</label>
-    <row>
-        <panel>
-            <title>Events by Index per Hour</title>
-            <chart>
-                <search>
-                    <query>| tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index</query>
-                    <earliest>-7d@h</earliest>
-                    <latest>now</latest>
-                    <sampleRatio>1</sampleRatio>
-                </search>
-                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
-                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
-                <option name="charting.axisTitleX.visibility">visible</option>
-                <option name="charting.axisTitleY.visibility">visible</option>
-                <option name="charting.axisTitleY2.visibility">visible</option>
-                <option name="charting.axisX.abbreviation">none</option>
-                <option name="charting.axisX.scale">linear</option>
-                <option name="charting.axisY.abbreviation">none</option>
-                <option name="charting.axisY.scale">linear</option>
-                <option name="charting.axisY2.abbreviation">none</option>
-                <option name="charting.axisY2.enabled">0</option>
-                <option name="charting.axisY2.scale">inherit</option>
-                <option name="charting.chart">column</option>
-                <option name="charting.chart.bubbleMaximumSize">50</option>
-                <option name="charting.chart.bubbleMinimumSize">10</option>
-                <option name="charting.chart.bubbleSizeBy">area</option>
-                <option name="charting.chart.nullValueMode">gaps</option>
-                <option name="charting.chart.showDataLabels">none</option>
-                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
-                <option name="charting.chart.stackMode">stacked</option>
-                <option name="charting.chart.style">shiny</option>
-                <option name="charting.drilldown">none</option>
-                <option name="charting.layout.splitSeries">0</option>
-                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
-                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
-                <option name="charting.legend.mode">standard</option>
-                <option name="charting.legend.placement">right</option>
-                <option name="charting.lineWidth">2</option>
-                <option name="refresh.display">progressbar</option>
-                <option name="trellis.enabled">0</option>
-                <option name="trellis.scales.shared">1</option>
-                <option name="trellis.size">medium</option>
-            </chart>
-        </panel>
-    </row>
-    <row>
-        <panel>
-            <title>Top Suricata Network Alerts</title>
-            <table>
-                <search>
-                    <query>index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id</query>
-                    <earliest>-24h@h</earliest>
-                    <latest>now</latest>
-                    <sampleRatio>1</sampleRatio>
-                </search>
-                <option name="count">20</option>
-                <option name="dataOverlayMode">none</option>
-                <option name="drilldown">none</option>
-                <option name="percentagesRow">false</option>
-                <option name="refresh.display">progressbar</option>
-                <option name="rowNumbers">false</option>
-                <option name="totalsRow">false</option>
-                <option name="wrap">true</option>
-            </table>
-        </panel>
-        <panel>
-            <title>Zeek Network Traffic by Type</title>
-            <chart>
-                <search>
-                    <query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
-                    <earliest>-24h@h</earliest>
-                    <latest>now</latest>
-                </search>
-                <option name="charting.chart">column</option>
-                <option name="charting.chart.stackMode">stacked</option>
-                <option name="charting.drilldown">none</option>
-            </chart>
-        </panel>
-    </row>
-    <row>
-        <panel>
-            <title>Windows Events by Host</title>
-            <chart>
-                <search>
-                    <query>| tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host</query>
-                    <earliest>-24h@h</earliest>
-                    <latest>now</latest>
-                </search>
-                <option name="charting.chart">line</option>
-                <option name="charting.drilldown">none</option>
-                <option name="refresh.display">progressbar</option>
-            </chart>
-        </panel>
-        <panel>
-            <title>osquery Events by Host</title>
-            <chart>
-                <search>
-                    <query>| tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host</query>
-                    <earliest>-24h@h</earliest>
-                    <latest>now</latest>
-                </search>
-                <option name="charting.chart">line</option>
-                <option name="charting.drilldown">none</option>
-                <option name="refresh.display">progressbar</option>
-            </chart>
-        </panel>
-        <panel>
-            <title>Powershell Event Preview</title>
-            <table>
-                <search>
-                    <query>index=powershell | table _time, host, _raw, sourcetype</query>
-                    <earliest>-24h@h</earliest>
-                    <latest>now</latest>
-                </search>
-                <option name="count">1</option>
-                <option name="drilldown">none</option>
-            </table>
-        </panel>
-    </row>
-    <row>
-        <panel>
-            <title>License Usage</title>
-            <chart>
-                <search>
-                    <query>| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota"</query>
-                    <sampleRatio>1</sampleRatio>
-                </search>
-                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
-                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
-                <option name="charting.axisTitleX.visibility">visible</option>
-                <option name="charting.axisTitleY.visibility">visible</option>
-                <option name="charting.axisTitleY2.visibility">visible</option>
-                <option name="charting.axisX.abbreviation">none</option>
-                <option name="charting.axisX.scale">linear</option>
-                <option name="charting.axisY.abbreviation">none</option>
-                <option name="charting.axisY.scale">linear</option>
-                <option name="charting.axisY2.abbreviation">none</option>
-                <option name="charting.axisY2.enabled">0</option>
-                <option name="charting.axisY2.scale">inherit</option>
-                <option name="charting.chart">bar</option>
-                <option name="charting.chart.bubbleMaximumSize">50</option>
-                <option name="charting.chart.bubbleMinimumSize">10</option>
-                <option name="charting.chart.bubbleSizeBy">area</option>
-                <option name="charting.chart.nullValueMode">gaps</option>
-                <option name="charting.chart.showDataLabels">none</option>
-                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
-                <option name="charting.chart.stackMode">default</option>
-                <option name="charting.chart.style">shiny</option>
-                <option name="charting.drilldown">none</option>
-                <option name="charting.layout.splitSeries">0</option>
-                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
-                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
-                <option name="charting.legend.mode">standard</option>
-                <option name="charting.legend.placement">right</option>
-                <option name="charting.lineWidth">2</option>
-                <option name="trellis.enabled">0</option>
-                <option name="trellis.scales.shared">1</option>
-                <option name="trellis.size">medium</option>
-            </chart>
-        </panel>
-    </row>
-</dashboard>
\ No newline at end of file
+  <label>Logger Dashboard</label>
+  <row>
+    <panel>
+      <title>Events by Index per Hour</title>
+      <chart>
+        <search>
+          <query>| tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index</query>
+          <earliest>-7d@h</earliest>
+          <latest>now</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.abbreviation">none</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.abbreviation">none</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.mode">standard</option>
+        <option name="charting.legend.placement">right</option>
+        <option name="charting.lineWidth">2</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Top Suricata Network Alerts</title>
+      <table>
+        <search>
+          <query>index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="count">20</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="rowNumbers">false</option>
+        <option name="totalsRow">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
+    <panel>
+      <title>Zeek Network Traffic by Type</title>
+      <chart>
+        <search>
+          <query>index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.drilldown">none</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Windows Events by Host</title>
+      <chart>
+        <search>
+          <query>| tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Sysmon Events by Host</title>
+      <chart>
+        <search>
+          <query>| tstats count where index=sysmon by host, _time span=1h prestats=t | timechart span=1h count by host</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>osquery Events by Host</title>
+      <chart>
+        <search>
+          <query>| tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Jack Crook's Hunting for Beacons Query</title>
+      <table>
+        <title>http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html</title>
+        <search>
+          <query>index=zeek (dest_port=443 OR dest_port=80)  
+| rename orig_bytes as bytes_out resp_bytes as bytes_in 
+| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip 
+| eval beacon_avg=('beacon_count' / 'total_count') 
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out 
+| head 100
+| eval incount=mvcount(bytes_in) 
+| eventstats avg(beacon_count) as overall_average 
+| eval beacon_percentage=('beacon_count' / 'overall_average') 
+| sort - beacon_percentage</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="count">20</option>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Powershell Event Preview</title>
+      <table>
+        <search>
+          <query>index=powershell | table _time, host, _raw, sourcetype</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="count">1</option>
+        <option name="drilldown">none</option>
+        <option name="rowNumbers">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>License Usage</title>
+      <chart>
+        <search>
+          <query>| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota"</query>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.abbreviation">none</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.abbreviation">none</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">bar</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">default</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.mode">standard</option>
+        <option name="charting.legend.placement">right</option>
+        <option name="charting.lineWidth">2</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <search>
+          <query>index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | timechart span=1h sum(MB) by idx</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+</dashboard>