diff --git a/.github/issue_template.md b/.github/ISSUE_TEMPLATE/thehive3_bug_report.md
similarity index 82%
rename from .github/issue_template.md
rename to .github/ISSUE_TEMPLATE/thehive3_bug_report.md
index ad1bb405d9..69218ae1c4 100644
--- a/.github/issue_template.md
+++ b/.github/ISSUE_TEMPLATE/thehive3_bug_report.md
@@ -1,8 +1,16 @@
+---
+name: Bug Report for TheHive 3.x
+about: Create a bug report for TheHive 3.x
+title: "[Bug]"
+labels: bug, TheHive3
+assignees: ''
+
+---
+
 # EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
 
 ### Request Type
-(select Bug or Feature Request and **remove this part**)
-Bug / Feature Request
+Bug
 
 ### Work Environment
 
@@ -27,4 +35,4 @@ Describe the problem/bug as clearly as possible.
 (keep this section if you have suggestions on how to solve the problem. **Otherwise delete it**)
 
 ### Complementary information
-(add anything that can help identifying the problem such as **log** excerpts, **screenshots**, **configuration dumps** etc.)
+(add anything that can help identifying the problem such as **log** excerpts, **screenshots**, **configuration dumps** etc.)
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/thehive4_bug_report.md b/.github/ISSUE_TEMPLATE/thehive4_bug_report.md
new file mode 100644
index 0000000000..4c7cbcb330
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/thehive4_bug_report.md
@@ -0,0 +1,38 @@
+---
+name: Bug Report for TheHive4
+about: Create a bug report for TheHive 4.
+title: "[Bug]"
+labels: bug, TheHive4
+assignees: ''
+
+---
+
+# EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
+
+### Request Type
+Bug
+
+### Work Environment
+
+| Question              | Answer
+|---------------------------|--------------------
+| OS version (server)       | Debian, Ubuntu, CentOS, RedHat, ...
+| OS version (client)       | XP, Seven, 10, Ubuntu, ...
+| TheHive version / git hash   | 4.x, hash of the commit
+| Package Type              | RPM, DEB, Docker, Binary, From source
+| Browser type & version    | If applicable
+
+
+### Problem Description
+Describe the problem/bug as clearly as possible.
+
+### Steps to Reproduce
+1. step 1
+1. step 2
+1. step 3...
+
+### Possible Solutions
+(keep this section if you have suggestions on how to solve the problem. **Otherwise delete it**)
+
+### Complementary information
+(add anything that can help identifying the problem such as **log** excerpts, **screenshots**, **configuration dumps** etc.)
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/thehive4_feature_request.md b/.github/ISSUE_TEMPLATE/thehive4_feature_request.md
new file mode 100644
index 0000000000..4bf32d9fa1
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/thehive4_feature_request.md
@@ -0,0 +1,31 @@
+---
+name: Feature Request for TheHive4
+about: Create a feature request for TheHive 4.
+title: "[Bug]"
+labels: "feature request", TheHive4
+assignees: ''
+---
+
+# EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
+
+### Request Type
+
+Feature Request
+
+### Work Environment
+
+| Question              | Answer
+|---------------------------|--------------------
+| TheHive version   | 4.x
+
+### Feature Description
+
+Describe feature as clearly as possible.
+
+### Possible Solutions
+
+(keep this section if you have suggestions on how to solve the purpose. **Otherwise delete it**)
+
+### Complementary information
+
+(add anything that can help identifying the problem such as **log** excerpts, **screenshots**, **configuration dumps** etc.)
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/thehive4_question.md b/.github/ISSUE_TEMPLATE/thehive4_question.md
new file mode 100644
index 0000000000..a551433c07
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/thehive4_question.md
@@ -0,0 +1,26 @@
+---
+name: Ask question about TheHive 4
+about: Ask a question about TheHive 4
+title: "[Question]"
+labels: question, TheHive 4
+assignees: ''
+
+---
+
+### Request Type
+
+Question
+
+### Work Environment
+
+| Question              | Answer
+|---------------------------|--------------------
+| OS version (server)       | Debian, Ubuntu, CentOS, RedHat, ...
+| OS version (client)       | XP, Seven, 10, Ubuntu, ...
+| TheHive version / git hash   | 4.x, hash of the commit
+| Package Type              | RPM, DEB, Docker, Binary, From source
+| Browser type & version    | If applicable
+
+### Question
+
+Describe the question/requirement as clearly as possible.
\ No newline at end of file
diff --git a/.scalafmt.conf b/.scalafmt.conf
index 97286da352..4a6c535e14 100644
--- a/.scalafmt.conf
+++ b/.scalafmt.conf
@@ -7,6 +7,7 @@ maxColumn = 150
 
 align.openParenCallSite = false
 align.openParenDefnSite = false
+align.tokens.add = [{code = "must"}]
 newlines.alwaysBeforeTopLevelStatements = false
 rewrite.rules = [
   RedundantBraces
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0058adc08..48989a670e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,71 @@
 # Change Log
 
+## [4.1.0](https://github.com/TheHive-Project/TheHive/milestone/56) (2021-03-18)
+
+**Implemented enhancements:**
+
+- Suggestion: Marge cases on the oldest and close the newest as duplicated [\#960](https://github.com/TheHive-Project/TheHive/issues/960)
+- [Feature Request] Implement case merging feature [\#1264](https://github.com/TheHive-Project/TheHive/issues/1264)
+- [Enhancement] Enrich v1 API [\#1454](https://github.com/TheHive-Project/TheHive/issues/1454)
+- [Feature Request] Prompt to save changes to Case Templates before navigating away [\#1524](https://github.com/TheHive-Project/TheHive/issues/1524)
+- [Feature Request] allow user to choose the format of the date displayed [\#1583](https://github.com/TheHive-Project/TheHive/issues/1583)
+- [Feature Request] Add support to taxonomies [\#1670](https://github.com/TheHive-Project/TheHive/issues/1670)
+- [Enhancement] Improve search performance by using external index engine [\#1731](https://github.com/TheHive-Project/TheHive/issues/1731)
+- [Feature Request] Default filter of alert case similarity : add "No filter" as an option [\#1750](https://github.com/TheHive-Project/TheHive/issues/1750)
+- [Feature Request] Add MITRE ATT&CK support [\#1766](https://github.com/TheHive-Project/TheHive/issues/1766)
+- [Feature Request] Show case status in the default view (open / closed as FP / closed as TP, etc.)  [\#1781](https://github.com/TheHive-Project/TheHive/issues/1781)
+- [Enhancement] Create logfile after installation [\#1789](https://github.com/TheHive-Project/TheHive/issues/1789)
+- [Feature Request] Revamp case template admin section [\#1804](https://github.com/TheHive-Project/TheHive/issues/1804)
+- [Feature Request] Improve date fields in data lists [\#1807](https://github.com/TheHive-Project/TheHive/issues/1807)
+- [Feature Request] Enhance organisation list page [\#1813](https://github.com/TheHive-Project/TheHive/issues/1813)
+- [Feature Request] Add a platform status page [\#1815](https://github.com/TheHive-Project/TheHive/issues/1815)
+- [Feature Request] Add organisation free tags administration section [\#1816](https://github.com/TheHive-Project/TheHive/issues/1816)
+- [Feature Request] Enhance the dashboard list section [\#1817](https://github.com/TheHive-Project/TheHive/issues/1817)
+- [Enhancement] Add migration from TheHive 3.5.1 [\#1818](https://github.com/TheHive-Project/TheHive/issues/1818)
+- [Feature Request] Additional case bulk actions [\#1821](https://github.com/TheHive-Project/TheHive/issues/1821)
+- [Feature Request] Add support to "isEmpty" filter option [\#1824](https://github.com/TheHive-Project/TheHive/issues/1824)
+- [Feature Request] Improve task list page [\#1831](https://github.com/TheHive-Project/TheHive/issues/1831)
+- [Feature Request] Disk usage monitoring API route [\#1843](https://github.com/TheHive-Project/TheHive/issues/1843)
+- [Feature Request] Allow cancelling task action request [\#1844](https://github.com/TheHive-Project/TheHive/issues/1844)
+- [Feature Request] Add more quick filters to case list [\#1848](https://github.com/TheHive-Project/TheHive/issues/1848)
+- [Feature Request] Add support of authentication in webhooks [\#1850](https://github.com/TheHive-Project/TheHive/issues/1850)
+- [Feature Request] Allow removing a custom field from a case [\#1852](https://github.com/TheHive-Project/TheHive/issues/1852)
+
+**Closed issues:**
+
+- [Feature Request] Alphabetize Case Template view [\#1551](https://github.com/TheHive-Project/TheHive/issues/1551)
+- [Feature Request] Add the ability to directly close a task [\#1727](https://github.com/TheHive-Project/TheHive/issues/1727)
+- [Question] Tags and custom fields can be seen across organisations / potential for data leakage  [\#1778](https://github.com/TheHive-Project/TheHive/issues/1778)
+- [Feature Request] Allow user to reorder case templates, or display them in alphabetic order [\#1787](https://github.com/TheHive-Project/TheHive/issues/1787)
+- [Repository] Improve github issue templates [\#1840](https://github.com/TheHive-Project/TheHive/issues/1840)
+
+**Fixed bugs:**
+
+- Can not view or delete alert when delete the case that created by Import Alert [\#1123](https://github.com/TheHive-Project/TheHive/issues/1123)
+- Imported Alerts Cannot be Deleted [\#1201](https://github.com/TheHive-Project/TheHive/issues/1201)
+- [Bug] Creating Cases via API ignores the owner field [\#1473](https://github.com/TheHive-Project/TheHive/issues/1473)
+- [Bug] Missing cases migrating from TH3 to TH4 [\#1682](https://github.com/TheHive-Project/TheHive/issues/1682)
+- [Bug] Attachment files are not deleted from local filesystem storage when logs is deleted [\#1687](https://github.com/TheHive-Project/TheHive/issues/1687)
+- [Bug] Impossible to switch organization if organization name contains an accent [\#1741](https://github.com/TheHive-Project/TheHive/issues/1741)
+- [Bug] Filtering issue [\#1753](https://github.com/TheHive-Project/TheHive/issues/1753)
+- Identical URL Observables can still be added multiple times to the same case [\#1756](https://github.com/TheHive-Project/TheHive/issues/1756)
+- [Bug] Integrity checks for user deduplication is not run when an user is added [\#1759](https://github.com/TheHive-Project/TheHive/issues/1759)
+- [Bug] Deleting a shared case on org2 doesn't delete task from the Org1 resulting in log spam and undeletable task [\#1767](https://github.com/TheHive-Project/TheHive/issues/1767)
+- [Bug] Fix pivoting from donuts to search pages on custom fields based widgets [\#1777](https://github.com/TheHive-Project/TheHive/issues/1777)
+- [Bug] Unable to migrate to TH 4.0.5 [\#1785](https://github.com/TheHive-Project/TheHive/issues/1785)
+- [Bug] Elapsed time for re-opened cases is showed as "closed". [\#1796](https://github.com/TheHive-Project/TheHive/issues/1796)
+- [Bug] Observables list doesn't reload  [\#1802](https://github.com/TheHive-Project/TheHive/issues/1802)
+- [Bug] Error in handling users included in many organisations [\#1803](https://github.com/TheHive-Project/TheHive/issues/1803)
+- [Bug] Organisation users list doesn't include update date [\#1805](https://github.com/TheHive-Project/TheHive/issues/1805)
+- [Bug] Reveal API key not working for users with profile analyst [\#1806](https://github.com/TheHive-Project/TheHive/issues/1806)
+- [Bug] Observables not present in some events imported from MISP [\#1819](https://github.com/TheHive-Project/TheHive/issues/1819)
+- [Bug] Migration: parameter input is unusable [\#1827](https://github.com/TheHive-Project/TheHive/issues/1827)
+- [Bug] Migration of caseTemplate without task fails [\#1828](https://github.com/TheHive-Project/TheHive/issues/1828)
+- [Bug] - Use API v1 to fetch observable job history [\#1838](https://github.com/TheHive-Project/TheHive/issues/1838)
+- [Bug] File observables with special character in name can not be downloaded [\#1842](https://github.com/TheHive-Project/TheHive/issues/1842)
+- [Bug] Shared dashboards are not editable [\#1849](https://github.com/TheHive-Project/TheHive/issues/1849)
+- [Bug] Disable the Audit search section [\#1851](https://github.com/TheHive-Project/TheHive/issues/1851)
+
 ## [4.0.5](https://github.com/TheHive-Project/TheHive/milestone/68) (2021-02-08)
 
 **Implemented enhancements:**
@@ -26,7 +92,6 @@
 - [Bug] Sort field list in dashboard widget filters [\#1771](https://github.com/TheHive-Project/TheHive/issues/1771)
 - [Bug] Dashboard on organisation (and other) doesn't work [\#1772](https://github.com/TheHive-Project/TheHive/issues/1772)
 - [BUG] Cannot link multiple organisations together [\#1773](https://github.com/TheHive-Project/TheHive/issues/1773)
-- [Bug] Fix pivoting from donuts to search pages on custom fields based widgets [\#1777](https://github.com/TheHive-Project/TheHive/issues/1777)
 - [Bug] Fix custom field filters in v0 APIs [\#1779](https://github.com/TheHive-Project/TheHive/issues/1779)
 
 ## [4.0.4](https://github.com/TheHive-Project/TheHive/milestone/67) (2021-01-12)
diff --git a/ScalliGraph b/ScalliGraph
index 213e4478d3..b403c2c2db 160000
--- a/ScalliGraph
+++ b/ScalliGraph
@@ -1 +1 @@
-Subproject commit 213e4478d349afeb3e9978c39042458fde6a61b9
+Subproject commit b403c2c2db7e163550022283512c1f6d0c9fe91a
diff --git a/build.sbt b/build.sbt
index 4de4641c4a..2c0db1876a 100644
--- a/build.sbt
+++ b/build.sbt
@@ -2,8 +2,8 @@ import Dependencies._
 import com.typesafe.sbt.packager.Keys.bashScriptDefines
 import org.thp.ghcl.Milestone
 
-val thehiveVersion         = "4.0.5-1"
-val scala212               = "2.12.12"
+val thehiveVersion         = "4.1.0-1"
+val scala212               = "2.12.13"
 val scala213               = "2.13.1"
 val supportedScalaVersions = List(scala212, scala213)
 
@@ -62,7 +62,8 @@ libraryDependencies in ThisBuild ++= {
 }
 dependencyOverrides in ThisBuild ++= Seq(
 //  "org.locationtech.spatial4j" % "spatial4j"                 % "0.6",
-  "org.elasticsearch.client" % "elasticsearch-rest-client" % "6.7.2"
+//  "org.elasticsearch.client" % "elasticsearch-rest-client" % "6.7.2"
+  akkaActor
 )
 PlayKeys.includeDocumentationInBinary := false
 milestoneFilter := ((milestone: Milestone) => milestone.title.startsWith("4"))
@@ -170,7 +171,10 @@ lazy val thehiveDto = (project in file("dto"))
   .dependsOn(scalligraph)
   .settings(
     name := "thehive-dto",
-    version := thehiveVersion
+    version := thehiveVersion,
+    libraryDependencies ++= Seq(
+      aix
+    )
   )
 
 lazy val thehiveClient = (project in file("client"))
@@ -319,6 +323,7 @@ lazy val mispClient = (project in file("misp/client"))
     libraryDependencies ++= Seq(
       ws,
       alpakka,
+      akkaHttp,
       specs      % Test,
       playMockws % Test
     )
@@ -337,13 +342,12 @@ lazy val thehiveMigration = (project in file("migration"))
     libraryDependencies ++= Seq(
       elastic4sCore,
       elastic4sHttpStreams,
-      elastic4sHttp,
+      elastic4sClient,
 //      jts,
       ehcache,
       scopt,
       specs % Test
     ),
-    fork := true,
     normalizedName := "migrate"
   )
 
diff --git a/client-common/src/main/scala/org/thp/client/Authentication.scala b/client-common/src/main/scala/org/thp/client/Authentication.scala
index 39ff9e52c4..c20887eb57 100644
--- a/client-common/src/main/scala/org/thp/client/Authentication.scala
+++ b/client-common/src/main/scala/org/thp/client/Authentication.scala
@@ -19,14 +19,15 @@ object Authentication {
         } yield PasswordAuthentication(username, password)
       case "bearer" => (json \ "key").validate[String].map(KeyAuthentication(_, "Bearer "))
       case "key"    => (json \ "key").validate[String].map(KeyAuthentication(_, ""))
+      case "none"   => JsSuccess(NoAuthentication)
       case other    => JsError(s"Unknown authentication type: $other")
     }
   }
 
   val writes: Writes[Authentication] = Writes[Authentication] {
     case PasswordAuthentication(username, password) => Json.obj("type" -> "basic", "username" -> username, "password" -> password)
-    case KeyAuthentication(key, "")                 => Json.obj("type" -> "key", "key"        -> key)
-    case KeyAuthentication(key, "Bearer ")          => Json.obj("type" -> "bearer", "key"     -> key)
+    case KeyAuthentication(key, "")                 => Json.obj("type" -> "key", "key" -> key)
+    case KeyAuthentication(key, "Bearer ")          => Json.obj("type" -> "bearer", "key" -> key)
   }
   implicit val format: Format[Authentication] = Format(reads, writes)
 }
diff --git a/conf/application.sample.conf b/conf/application.sample.conf
index 0f36eb225b..4de3da18e0 100644
--- a/conf/application.sample.conf
+++ b/conf/application.sample.conf
@@ -11,7 +11,7 @@ db.janusgraph {
   storage {
     ## Cassandra configuration
     # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
-    backend: cql
+    // backend: cql
     // hostname: ["ip1", "ip2"]
     # Cassandra authentication (if configured)
     // username: "thehive"
@@ -23,9 +23,9 @@ db.janusgraph {
   }
 
   ## For test only !
-  # Comment Cassandra settings before enable Berkeley database
-  // storage.backend: berkeleyje
-  // storage.directory: /path/to/berkeleydb
+  # Comment the two lines below before enable Cassandra database
+  storage.backend: berkeleyje
+  storage.directory: /opt/thp/thehive/database
   // berkeleyje.freeDisk: 200 # disk usage threshold
 }
 
diff --git a/conf/logback.xml b/conf/logback.xml
index 52ba1c47b9..94caf258db 100644
--- a/conf/logback.xml
+++ b/conf/logback.xml
@@ -36,6 +36,8 @@
 
     <logger name="org.thp.scalligraph.models" level="TRACE"/>
     <logger name="org.thp.scalligraph.traversal" level="TRACE"/>
+    <logger name="org.thp.thehive.services.StreamSrv" level="INFO"/>
+    <logger name="org.thp.thehive.services.StreamActor" level="INFO"/>
     <!--
     <logger name="org.janusgraph.graphdb" level="INFO" />
     <logger name="org.thp.thehive.client" level="DEBUG" />
diff --git a/cortex/client/src/test/scala/org/thp/cortex/client/CortexClientTest.scala b/cortex/client/src/test/scala/org/thp/cortex/client/CortexClientTest.scala
index 85e948f3d3..5833f91dad 100644
--- a/cortex/client/src/test/scala/org/thp/cortex/client/CortexClientTest.scala
+++ b/cortex/client/src/test/scala/org/thp/cortex/client/CortexClientTest.scala
@@ -1,12 +1,11 @@
 package org.thp.cortex.client
 
-import java.util.Date
-
 import org.thp.cortex.dto.v0._
 import org.thp.scalligraph.AppBuilder
 import play.api.libs.json.{JsObject, JsString, Json}
 import play.api.test.PlaySpecification
 
+import java.util.Date
 import scala.concurrent.duration._
 
 class CortexClientTest extends PlaySpecification {
@@ -64,55 +63,61 @@ class CortexClientTest extends PlaySpecification {
         OutputReport(
           summary = Seq(OutputMinireport("info", "test", "data", JsString("test"))),
           success = true,
-          full = Some(Json.parse("""{
-                                    "data": "imageedit_2_3904987689.jpg",
-                                    "input": {
-                                      "file": "attachment7619802021796183482",
-                                      "filename": "imageedit_2_3904987689.jpg",
-                                      "dataType": "file",
-                                      "tlp": 2,
-                                      "message": "179e85c4-4170-45fe-9d2d-3173539554a6",
-                                      "contentType": "image/jpeg",
-                                      "parameters": {
-                                      },
-                                      "config": {
-                                        "proxy_https": null,
-                                        "cacerts": null,
-                                        "max_pap": 2,
-                                        "jobTimeout": 30,
-                                        "check_tlp": true,
-                                        "proxy_http": null,
-                                        "max_tlp": 2,
-                                        "auto_extract_artifacts": false,
-                                        "jobCache": 10,
-                                        "check_pap": true
-                                      },
-                                      "pap": 2
-                                    }
-                                  }""").as[JsObject]),
-          artifacts = Json.parse("""[
-                                         {
-                                           "attachment": {
-                                             "contentType": "application/octet-stream",
-                                             "id": "e64871cf4652cb6e1babc06a376e7c79256dd6b967ca845ae06708cbeb686663",
-                                             "name": "passwd",
-                                             "size": 2644
-                                           },
-                                           "dataType": "file",
-                                           "message": null,
-                                           "tags": ["file", "virus"],
-                                           "tlp": 3
-                                         },
-                                         {
-                                           "data": "127.0.0.1",
-                                           "dataType": "ip",
-                                           "message": null,
-                                           "tags": [
-                                             "localhost"
-                                           ],
-                                           "tlp": 2
-                                         }
-                                       ]""").as[List[OutputArtifact]],
+          full = Some(
+            Json
+              .parse("""{
+                "data": "imageedit_2_3904987689.jpg",
+                "input": {
+                  "file": "attachment7619802021796183482",
+                  "filename": "imageedit_2_3904987689.jpg",
+                  "dataType": "file",
+                  "tlp": 2,
+                  "message": "179e85c4-4170-45fe-9d2d-3173539554a6",
+                  "contentType": "image/jpeg",
+                  "parameters": {
+                  },
+                  "config": {
+                    "proxy_https": null,
+                    "cacerts": null,
+                    "max_pap": 2,
+                    "jobTimeout": 30,
+                    "check_tlp": true,
+                    "proxy_http": null,
+                    "max_tlp": 2,
+                    "auto_extract_artifacts": false,
+                    "jobCache": 10,
+                    "check_pap": true
+                  },
+                  "pap": 2
+                }
+              }""")
+              .as[JsObject]
+          ),
+          artifacts = Json
+            .parse("""[
+              {
+                "attachment": {
+                  "contentType": "application/octet-stream",
+                  "id": "e64871cf4652cb6e1babc06a376e7c79256dd6b967ca845ae06708cbeb686663",
+                  "name": "passwd",
+                  "size": 2644
+                },
+                "dataType": "file",
+                "message": null,
+                "tags": ["file", "virus"],
+                "tlp": 3
+              },
+              {
+                "data": "127.0.0.1",
+                "dataType": "ip",
+                "message": null,
+                "tags": [
+                  "localhost"
+                ],
+                "tlp": 2
+              }
+            ]""")
+            .as[List[OutputArtifact]],
           operations = Nil,
           errorMessage = None,
           input = None
diff --git a/cortex/client/src/test/scala/org/thp/cortex/client/TestCortexClientProvider.scala b/cortex/client/src/test/scala/org/thp/cortex/client/TestCortexClientProvider.scala
index 5d2b92128c..5a1a5e2af5 100644
--- a/cortex/client/src/test/scala/org/thp/cortex/client/TestCortexClientProvider.scala
+++ b/cortex/client/src/test/scala/org/thp/cortex/client/TestCortexClientProvider.scala
@@ -1,10 +1,6 @@
 package org.thp.cortex.client
 
-import java.net.URLEncoder
-import java.nio.file.{Path, Paths}
-
 import akka.stream.scaladsl._
-import javax.inject.{Inject, Provider}
 import mockws.MockWS
 import org.thp.client.NoAuthentication
 import org.thp.cortex.dto.v0.{OutputJob, OutputWorker}
@@ -13,6 +9,9 @@ import play.api.libs.json.{JsValue, Json}
 import play.api.mvc._
 import play.api.test.Helpers._
 
+import java.net.URLEncoder
+import java.nio.file.{Path, Paths}
+import javax.inject.{Inject, Provider}
 import scala.concurrent.ExecutionContext
 import scala.io.Source
 import scala.util.matching.Regex
@@ -42,7 +41,8 @@ class TestCortexClientProvider @Inject() (Action: DefaultActionBuilder, implicit
       val filename = URLEncoder.encode(s"$id.test.txt", "utf-8")
       Action(
         Result(
-          header = ResponseHeader(200, Map("Content-Disposition" -> s"""attachment; filename="$filename"""", "Content-Transfer-Encoding" -> "binary")),
+          header =
+            ResponseHeader(200, Map("Content-Disposition" -> s"""attachment; filename="$filename"""", "Content-Transfer-Encoding" -> "binary")),
           body = HttpEntity.Streamed(FileIO.fromPath(fileResource(id)), None, None)
         )
       )
diff --git a/cortex/connector/src/main/resources/play/reference-overrides.conf b/cortex/connector/src/main/resources/play/reference-overrides.conf
index 324d422143..d2863a52ff 100644
--- a/cortex/connector/src/main/resources/play/reference-overrides.conf
+++ b/cortex/connector/src/main/resources/play/reference-overrides.conf
@@ -1,12 +1,12 @@
 akka {
   actor {
     serializers {
-      cortex-schema-updater = "org.thp.thehive.connector.cortex.models.SchemaUpdaterSerializer"
+      //cortex-schema-updater = "org.thp.thehive.connector.cortex.models.SchemaUpdaterSerializer"
       cortex-jobs = "org.thp.thehive.connector.cortex.services.CortexSerializer"
     }
 
     serialization-bindings {
-      "org.thp.thehive.connector.cortex.models.SchemaUpdaterMessage" = cortex-schema-updater
+      //"org.thp.thehive.connector.cortex.models.SchemaUpdaterMessage" = cortex-schema-updater
       "org.thp.thehive.connector.cortex.services.CortexActorMessage" = cortex-jobs
     }
   }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexModule.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexModule.scala
index ccbdf83079..33c480accf 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexModule.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexModule.scala
@@ -2,10 +2,10 @@ package org.thp.thehive.connector.cortex
 
 import com.google.inject.AbstractModule
 import net.codingwell.scalaguice.{ScalaModule, ScalaMultibinder}
-import org.thp.scalligraph.models.{Database, Schema}
+import org.thp.scalligraph.models.UpdatableSchema
 import org.thp.scalligraph.query.QueryExecutor
 import org.thp.thehive.connector.cortex.controllers.v0.{CortexQueryExecutor => CortexQueryExecutorV0}
-import org.thp.thehive.connector.cortex.models.{CortexSchemaDefinition, DatabaseProvider}
+import org.thp.thehive.connector.cortex.models.CortexSchemaDefinition
 import org.thp.thehive.connector.cortex.services.notification.notifiers.{RunAnalyzerProvider, RunResponderProvider}
 import org.thp.thehive.connector.cortex.services.{Connector, CortexActor}
 import org.thp.thehive.services.notification.notifiers.NotifierProvider
@@ -24,14 +24,13 @@ class CortexModule(environment: Environment, configuration: Configuration) exten
     queryExecutorBindings.addBinding.to[CortexQueryExecutorV0]
     val connectorBindings = ScalaMultibinder.newSetBinder[TheHiveConnector](binder)
     connectorBindings.addBinding.to[Connector]
-    val schemaBindings = ScalaMultibinder.newSetBinder[Schema](binder)
+    val schemaBindings = ScalaMultibinder.newSetBinder[UpdatableSchema](binder)
     schemaBindings.addBinding.to[CortexSchemaDefinition]
 
     val notifierBindings = ScalaMultibinder.newSetBinder[NotifierProvider](binder)
     notifierBindings.addBinding.to[RunResponderProvider]
     notifierBindings.addBinding.to[RunAnalyzerProvider]
 
-    bind[Database].annotatedWithName("with-thehive-cortex-schema").toProvider[DatabaseProvider]
     bindActor[CortexActor]("cortex-actor")
     ()
   }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexRouter.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexRouter.scala
index a705015f9a..b9dcd8c11a 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexRouter.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/CortexRouter.scala
@@ -1,10 +1,11 @@
 package org.thp.thehive.connector.cortex
 
-import javax.inject.{Inject, Provider, Singleton}
 import org.thp.thehive.connector.cortex.controllers.v0
 import play.api.Logger
 import play.api.routing.Router
 
+import javax.inject.{Inject, Provider, Singleton}
+
 @Singleton
 class CortexRouter @Inject() (routerV0: v0.Router) extends Provider[Router] {
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ActionCtrl.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ActionCtrl.scala
index 5e3da7c817..ccbe2999bd 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ActionCtrl.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ActionCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
@@ -20,13 +19,14 @@ import org.thp.thehive.services._
 import play.api.libs.json.{JsObject, Json, OWrites}
 import play.api.mvc.{AnyContent, Results, Action => PlayAction}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.reflect.runtime.{universe => ru}
 
 @Singleton
 class ActionCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     actionSrv: ActionSrv,
     entityHelper: EntityHelper,
     caseSrv: CaseSrv,
@@ -76,19 +76,17 @@ class ActionCtrl @Inject() (
 }
 
 @Singleton
-class PublicAction @Inject() (actionSrv: ActionSrv, @Named("with-thehive-schema") db: Database) extends PublicData {
+class PublicAction @Inject() (actionSrv: ActionSrv, organisationSrv: OrganisationSrv, db: Database) extends PublicData {
 
   override val entityName: String = "action"
   override val initialQuery: Query =
-    Query.init[Traversal.V[Action]]("listAction", (graph, authContext) => actionSrv.startTraversal(graph).visible(authContext))
+    Query.init[Traversal.V[Action]]("listAction", (graph, authContext) => actionSrv.startTraversal(graph).visible(organisationSrv)(authContext))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Action]](
     "getAction",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => actionSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => actionSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Action], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, actionSteps, _) => actionSteps.richPage(range.from, range.to, withTotal = true)(_.richAction)
   )
   override val outputQuery: Query = Query.output[RichAction, Traversal.V[Action]](_.richAction)
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrl.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrl.scala
index 3f440b3978..dc01a48ec9 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrl.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrl.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
 import akka.actor.ActorSystem
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.thehive.connector.cortex.controllers.v0.Conversion._
 import org.thp.thehive.connector.cortex.services.AnalyzerSrv
 import org.thp.thehive.controllers.v0.Conversion._
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.ExecutionContext
 
 @Singleton
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrl.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrl.scala
index 8dea87e972..554f94221e 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrl.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrl.scala
@@ -1,9 +1,6 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import java.util.zip.ZipFile
-
 import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FFile, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -21,12 +18,14 @@ import org.thp.thehive.models.Permissions
 import play.api.libs.json.{JsFalse, JsObject, JsTrue}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import java.util.zip.ZipFile
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success}
 
 @Singleton
 class AnalyzerTemplateCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-cortex-schema") override val db: Database,
+    override val db: Database,
     analyzerTemplateSrv: AnalyzerTemplateSrv,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicAnalyzerTemplate
@@ -100,13 +99,11 @@ class PublicAnalyzerTemplate @Inject() (analyzerTemplateSrv: AnalyzerTemplateSrv
     Query.init[Traversal.V[AnalyzerTemplate]]("listAnalyzerTemplate", (graph, _) => analyzerTemplateSrv.startTraversal(graph))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[AnalyzerTemplate]](
     "getReportTemplate",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => analyzerTemplateSrv.get(idOrName)(graph)
   )
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[AnalyzerTemplate], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, analyzerTemplateTraversal, _) => analyzerTemplateTraversal.page(range.from, range.to, withTotal = true)
     )
   override val outputQuery: Query = Query.output[AnalyzerTemplate with Entity]
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Conversion.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Conversion.scala
index 2d14ae959c..32b7d2e32e 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Conversion.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Conversion.scala
@@ -22,6 +22,7 @@ object Conversion {
       .withFieldComputed(_.objectType, _.context._label)
       .withFieldComputed(_.operations, a => JsArray(a.operations).toString)
       .withFieldComputed(_.report, _.report.map(_.toString).getOrElse("{}"))
+      .enableMethodAccessors
       .transform
   )
 
@@ -46,6 +47,7 @@ object Conversion {
       .withFieldComputed(_.id, _._id.toString)
       .withFieldConst(_._type, "case_artifact_job")
       .withFieldConst(_.case_artifact, None)
+      .enableMethodAccessors
       .transform
   )
 
@@ -78,6 +80,7 @@ object Conversion {
               Some(observableWithExtraOutput.toValue((richObservable, JsObject.empty, Some(richCase))))
           }
         )
+        .enableMethodAccessors
         .transform
     }
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/CortexQueryExecutor.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/CortexQueryExecutor.scala
index 0b28a004ef..96e8390af9 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/CortexQueryExecutor.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/CortexQueryExecutor.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
 import org.scalactic.Good
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.FieldsParser
@@ -16,11 +14,12 @@ import org.thp.thehive.controllers.v0._
 import org.thp.thehive.models.Observable
 import org.thp.thehive.services.ObservableOps._
 
+import javax.inject.{Inject, Singleton}
 import scala.reflect.runtime.{universe => ru}
 
 @Singleton
-class CortexQueryExecutor @Inject() (
-    @Named("with-thehive-cortex-schema") implicit override val db: Database,
+class CortexQueryExecutor @Inject() (implicit
+    override val db: Database,
     job: PublicJob,
     report: PublicAnalyzerTemplate,
     action: PublicAction,
@@ -44,7 +43,7 @@ class CortexQueryExecutor @Inject() (
     case tpe if SubType(tpe, ru.typeOf[Traversal.V[Job]]) => ru.typeOf[Traversal.V[Observable]]
   }
 
-  override val customFilterQuery: FilterQuery = FilterQuery(db, publicProperties) { (tpe, globalParser) =>
+  override val customFilterQuery: FilterQuery = FilterQuery(publicProperties) { (tpe, globalParser) =>
     FieldsParser("parentChildFilter") {
       case (_, FObjOne("_parent", ParentIdFilter(_, parentId))) if parentTypes.isDefinedAt(tpe) =>
         Good(new CortexParentIdInputFilter(parentId))
@@ -60,7 +59,6 @@ class CortexQueryExecutor @Inject() (
 
 class CortexParentIdInputFilter(parentId: String) extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -78,43 +76,35 @@ class CortexParentIdInputFilter(parentId: String) extends InputQuery[Traversal.U
   */
 class CortexParentQueryInputFilter(parentFilter: InputQuery[Traversal.Unk, Traversal.Unk]) extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
       authContext: AuthContext
-  ): Traversal.Unk = {
-    def filter[F, T: ru.TypeTag](t: Traversal.V[F] => Traversal.V[T]): Traversal.Unk =
-      parentFilter(
-        db,
-        publicProperties,
-        ru.typeOf[Traversal.V[T]],
-        t(traversal.asInstanceOf[Traversal.V[F]]).asInstanceOf[Traversal.Unk],
-        authContext
-      )
-    if (traversalType =:= ru.typeOf[Traversal.V[Job]]) filter[Job, Observable](_.observable)
+  ): Traversal.Unk =
+    if (traversalType =:= ru.typeOf[Traversal.V[Job]])
+      traversal
+        .asInstanceOf[Traversal.V[Job]]
+        .filter { t =>
+          parentFilter(publicProperties, ru.typeOf[Traversal.V[Observable]], t.observable.asInstanceOf[Traversal.Unk], authContext)
+        }
+        .asInstanceOf[Traversal.Unk]
     else throw BadRequestError(s"$traversalType hasn't parent")
-  }
 }
 
 class CortexChildQueryInputFilter(childType: String, childFilter: InputQuery[Traversal.Unk, Traversal.Unk])
     extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
       authContext: AuthContext
-  ): Traversal.Unk = {
-    def filter[F, T: ru.TypeTag](t: Traversal.V[F] => Traversal.V[T]): Traversal.Unk =
-      childFilter(
-        db,
-        publicProperties,
-        ru.typeOf[Traversal.V[T]],
-        t(traversal.asInstanceOf[Traversal.V[F]]).asInstanceOf[Traversal.Unk],
-        authContext
-      )
-    if (traversalType =:= ru.typeOf[Traversal.V[Observable]] && childType == "case_artifact_job") filter[Observable, Job](_.jobs)
+  ): Traversal.Unk =
+    if (traversalType =:= ru.typeOf[Traversal.V[Observable]] && childType == "case_artifact_job")
+      traversal
+        .asInstanceOf[Traversal.V[Observable]]
+        .filter { t =>
+          childFilter(publicProperties, ru.typeOf[Traversal.V[Job]], t.jobs.asInstanceOf[Traversal.Unk], authContext)
+        }
+        .asInstanceOf[Traversal.Unk]
     else throw BadRequestError(s"$traversalType hasn't child of type $childType")
-  }
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrl.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrl.scala
index e844845d15..140ec854da 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrl.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrl.scala
@@ -1,8 +1,6 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
 import com.google.inject.name.Named
-
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
@@ -20,12 +18,13 @@ import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.ObservableSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 
 @Singleton
 class JobCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-cortex-schema") override val db: Database,
+    override val db: Database,
     jobSrv: JobSrv,
     observableSrv: ObservableSrv,
     errorHandler: ErrorHandler,
@@ -79,13 +78,11 @@ class PublicJob @Inject() (jobSrv: JobSrv) extends PublicData with JobRenderer {
     Query.init[Traversal.V[Job]]("listJob", (graph, authContext) => jobSrv.startTraversal(graph).visible(authContext))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Job]](
     "getJob",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => jobSrv.get(idOrName)(graph).visible(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[Job], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       {
         case (OutputParam(from, to, _, withParents), jobSteps, authContext) if withParents > 0 =>
           jobSteps.richPage(from, to, withTotal = true)(_.richJobWithCustomRenderer(jobParents(_)(authContext))(authContext))
@@ -95,7 +92,7 @@ class PublicJob @Inject() (jobSrv: JobSrv) extends PublicData with JobRenderer {
     )
   override val outputQuery: Query = Query.outputWithContext[RichJob, Traversal.V[Job]]((jobSteps, authContext) => jobSteps.richJob(authContext))
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
-    Query[Traversal.V[Observable], Traversal.V[Job]]("jobs", (jobTraversal, _) => jobTraversal.jobs)
+    Query[Traversal.V[Observable], Traversal.V[Job]]("jobs", (observables, _) => observables.jobs)
   )
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[Job]
     .property("analyzerId", UMapping.string)(_.rename("workerId").readonly)
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobRenderer.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobRenderer.scala
index 2b8ee12e95..fb375dafbd 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobRenderer.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/JobRenderer.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import java.util.{Map => JMap}
-
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{Converter, Traversal}
@@ -11,9 +9,11 @@ import org.thp.thehive.models.{RichCase, RichObservable}
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ObservableOps._
 
+import java.util.{Map => JMap}
+
 trait JobRenderer {
-  def jobParents(traversal: Traversal.V[Job])(
-      implicit authContext: AuthContext
+  def jobParents(traversal: Traversal.V[Job])(implicit
+      authContext: AuthContext
   ): Traversal[Option[(RichObservable, RichCase)], JMap[String, Any], Converter[Option[(RichObservable, RichCase)], JMap[String, Any]]] =
     traversal.observable.project(_.by(_.richObservable).by(_.`case`.richCase)).domainMap(Some(_))
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ResponderCtrl.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ResponderCtrl.scala
index 17ab8b76e3..880e3890d6 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ResponderCtrl.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/ResponderCtrl.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -11,12 +9,13 @@ import org.thp.thehive.controllers.v0.Conversion._
 import play.api.libs.json.JsObject
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.ExecutionContext
 
 @Singleton
 class ResponderCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-cortex-schema") implicit val db: Database,
+    implicit val db: Database,
     responderSrv: ResponderSrv,
     implicit val ex: ExecutionContext
 ) {
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Router.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Router.scala
index 7d66ba446c..6b7fb8e866 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Router.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/controllers/v0/Router.scala
@@ -1,10 +1,11 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import javax.inject.{Inject, Singleton}
 import play.api.routing.Router.Routes
 import play.api.routing.SimpleRouter
 import play.api.routing.sird._
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class Router @Inject() (
     val jobCtrl: JobCtrl,
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/Action.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/Action.scala
index 3fe038f67c..bd3ce306b5 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/Action.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/Action.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.connector.cortex.models
 
-import java.util.Date
-
-import org.apache.tinkerpop.gremlin.structure.{Edge, Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.{Edge, Vertex}
 import org.thp.scalligraph.models._
-import org.thp.scalligraph.traversal.Converter
+import org.thp.scalligraph.traversal.{Converter, Graph}
 import org.thp.scalligraph.{BuildVertexEntity, EntityId}
 import play.api.libs.json.JsObject
 
+import java.util.Date
+
 @BuildVertexEntity
 case class Action(
     workerId: String,
@@ -67,7 +67,7 @@ object ActionContext extends HasModel {
         override def _createdAt: Date           = entity._createdAt
         override def _updatedAt: Option[Date]   = entity._updatedAt
       }
-    override def create(e: ActionContext, from: Vertex, to: Vertex)(implicit db: Database, graph: Graph): Edge =
+    override def create(e: ActionContext, from: Vertex, to: Vertex)(implicit graph: Graph): Edge =
       from.addEdge(label, to)
   }
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/CortexSchemaDefinition.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/CortexSchemaDefinition.scala
index 1727dc9526..dbf25c51b1 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/CortexSchemaDefinition.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/CortexSchemaDefinition.scala
@@ -1,12 +1,14 @@
 package org.thp.thehive.connector.cortex.models
 
-import javax.inject.{Inject, Singleton}
 import org.reflections.Reflections
 import org.reflections.scanners.SubTypesScanner
 import org.reflections.util.ConfigurationBuilder
+import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
+import org.thp.thehive.services.LocalUserSrv
 import play.api.Logger
 
+import javax.inject.{Inject, Singleton}
 import scala.collection.JavaConverters._
 import scala.reflect.runtime.{universe => ru}
 
@@ -38,4 +40,5 @@ class CortexSchemaDefinition @Inject() () extends Schema with UpdatableSchema {
       }
       .toSeq
   }
+  override val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterActor.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterActor.scala
deleted file mode 100644
index 958a6c3ce0..0000000000
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterActor.scala
+++ /dev/null
@@ -1,76 +0,0 @@
-package org.thp.thehive.connector.cortex.models
-
-import akka.actor.{Actor, ActorRef, ActorSystem, PoisonPill, Props}
-import akka.cluster.singleton.{ClusterSingletonManager, ClusterSingletonManagerSettings, ClusterSingletonProxy, ClusterSingletonProxySettings}
-import akka.pattern.ask
-import akka.util.Timeout
-import org.thp.scalligraph.models.Database
-import org.thp.thehive.services.LocalUserSrv
-import play.api.Logger
-
-import javax.inject.{Inject, Named, Provider, Singleton}
-import scala.concurrent.Await
-import scala.concurrent.duration.DurationInt
-
-@Singleton
-class DatabaseProvider @Inject() (
-    cortexSchema: CortexSchemaDefinition,
-    @Named("with-thehive-schema") database: Database,
-    actorSystem: ActorSystem
-) extends Provider[Database] {
-  lazy val schemaUpdaterActor: ActorRef = {
-    val singletonManager =
-      actorSystem.actorOf(
-        ClusterSingletonManager.props(
-          singletonProps = Props(classOf[SchemaUpdaterActor], cortexSchema, database),
-          terminationMessage = PoisonPill,
-          settings = ClusterSingletonManagerSettings(actorSystem)
-        ),
-        name = "theHiveCortexSchemaUpdaterSingletonManager"
-      )
-
-    actorSystem.actorOf(
-      ClusterSingletonProxy.props(
-        singletonManagerPath = singletonManager.path.toStringWithoutAddress,
-        settings = ClusterSingletonProxySettings(actorSystem)
-      ),
-      name = "theHiveCortexSchemaUpdaterSingletonProxy"
-    )
-  }
-
-  override def get(): Database = {
-    implicit val timeout: Timeout = Timeout(5.minutes)
-    Await.result(schemaUpdaterActor ? RequestDB, timeout.duration) match {
-      case DBReady => database
-    }
-  }
-}
-
-sealed trait SchemaUpdaterMessage
-case object RequestDB extends SchemaUpdaterMessage
-case object DBReady   extends SchemaUpdaterMessage
-
-class SchemaUpdaterActor @Inject() (cortexSchema: CortexSchemaDefinition, database: Database) extends Actor {
-  lazy val logger: Logger = Logger(getClass)
-
-  def update(): Unit = {
-    cortexSchema
-      .update(database)(LocalUserSrv.getSystemAuthContext)
-      .recover {
-        case error => logger.error(s"Database with CortexSchema schema update failure", error)
-      }
-    ()
-  }
-
-  override def receive: Receive = {
-    case RequestDB =>
-      update()
-      sender ! DBReady
-      context.become(databaseUpToDate)
-  }
-
-  def databaseUpToDate: Receive = {
-    case RequestDB =>
-      sender ! DBReady
-  }
-}
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterSerializer.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterSerializer.scala
deleted file mode 100644
index 27e4acc7cb..0000000000
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/SchemaUpdaterSerializer.scala
+++ /dev/null
@@ -1,25 +0,0 @@
-package org.thp.thehive.connector.cortex.models
-
-import akka.serialization.Serializer
-
-import java.io.NotSerializableException
-
-class SchemaUpdaterSerializer extends Serializer {
-  override def identifier: Int = -639734235
-
-  override def includeManifest: Boolean = false
-
-  override def toBinary(o: AnyRef): Array[Byte] =
-    o match {
-      case RequestDB => Array(0)
-      case DBReady   => Array(1)
-      case _         => throw new NotSerializableException
-    }
-
-  override def fromBinary(bytes: Array[Byte], manifest: Option[Class[_]]): AnyRef =
-    bytes(0) match {
-      case 0 => RequestDB
-      case 1 => DBReady
-      case _ => throw new NotSerializableException
-    }
-}
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/TheHiveCortexSchemaProvider.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/TheHiveCortexSchemaProvider.scala
index 5ad29eea2e..28e062905b 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/TheHiveCortexSchemaProvider.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/models/TheHiveCortexSchemaProvider.scala
@@ -1,9 +1,10 @@
 package org.thp.thehive.connector.cortex.models
 
-import javax.inject.{Inject, Provider, Singleton}
 import org.thp.scalligraph.models.Schema
 import org.thp.thehive.models.TheHiveSchemaDefinition
 
+import javax.inject.{Inject, Provider, Singleton}
+
 @Singleton
 class TheHiveCortexSchemaProvider @Inject() (thehiveSchema: TheHiveSchemaDefinition, cortexSchema: CortexSchemaDefinition) extends Provider[Schema] {
   override lazy val get: Schema = thehiveSchema + cortexSchema
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionOperationSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionOperationSrv.scala
index 2839e10596..11eb3ca8da 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionOperationSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionOperationSrv.scala
@@ -1,21 +1,19 @@
 package org.thp.thehive.connector.cortex.services
 
-import java.util.Date
-
-import javax.inject.Inject
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{EntityIdOrName, InternalError}
 import org.thp.thehive.connector.cortex.models._
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.InputTask
 import org.thp.thehive.models._
-import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services._
 import play.api.Logger
 
+import java.util.Date
+import javax.inject.Inject
 import scala.util.{Failure, Success, Try}
 
 class ActionOperationSrv @Inject() (
@@ -25,9 +23,7 @@ class ActionOperationSrv @Inject() (
     alertSrv: AlertSrv,
     logSrv: LogSrv,
     organisationSrv: OrganisationSrv,
-    observableTypeSrv: ObservableTypeSrv,
-    userSrv: UserSrv,
-    shareSrv: ShareSrv
+    userSrv: UserSrv
 ) {
   private[ActionOperationSrv] lazy val logger: Logger = Logger(getClass)
 
@@ -63,10 +59,8 @@ class ActionOperationSrv @Inject() (
 
       case CreateTask(title, description) =>
         for {
-          case0        <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action CreateTask without case")))(Success(_))
-          createdTask  <- taskSrv.create(InputTask(title = title, description = Some(description)).toTask, None)
-          organisation <- organisationSrv.getOrFail(authContext.organisation)
-          _            <- shareSrv.shareTask(createdTask, case0, organisation)
+          case0 <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action CreateTask without case")))(Success(_))
+          _     <- caseSrv.createTask(case0, InputTask(title = title, description = Some(description)).toTask)
         } yield updateOperation(operation)
 
       case AddCustomFields(name, _, value) =>
@@ -90,28 +84,35 @@ class ActionOperationSrv @Inject() (
       case AddLogToTask(content, _) =>
         for {
           t <- relatedTask.fold[Try[Task with Entity]](Failure(InternalError("Unable to apply action AddLogToTask without task")))(Success(_))
-          _ <- logSrv.create(Log(content, new Date(), deleted = false), t, None)
+          _ <- logSrv.create(Log(content, new Date()), t, None)
         } yield updateOperation(operation)
 
-      case AddArtifactToCase(_, dataType, dataMessage) =>
+      case AddArtifactToCase(data, dataType, message) =>
         for {
-          c       <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action AddArtifactToCase without case")))(Success(_))
-          obsType <- observableTypeSrv.getOrFail(EntityIdOrName(dataType))
-          richObservable <- observableSrv.create(
-            Observable(Some(dataMessage), 2, ioc = false, sighted = false, ignoreSimilarity = None),
-            obsType,
-            dataMessage,
-            Set.empty[String],
-            Nil
+          c            <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action AddArtifactToCase without case")))(Success(_))
+          organisation <- organisationSrv.getOrFail(authContext.organisation)
+          _ <- caseSrv.createObservable(
+            c,
+            Observable(
+              message = Some(message),
+              tlp = 2,
+              ioc = false,
+              sighted = false,
+              ignoreSimilarity = None,
+              dataType = dataType,
+              tags = Nil,
+              relatedId = c._id,
+              organisationIds = Set(organisation._id)
+            ),
+            data
           )
-          _ <- caseSrv.addObservable(c, richObservable)
         } yield updateOperation(operation)
 
       case AssignCase(owner) =>
         for {
           c <- relatedCase.fold[Try[Case with Entity]](Failure(InternalError("Unable to apply action AssignCase without case")))(Success(_))
           u <- userSrv.get(EntityIdOrName(owner)).getOrFail("User")
-          _ <- Try(caseSrv.startTraversal.getEntity(c).unassign())
+          _ <- caseSrv.unassign(c)
           _ <- caseSrv.assign(c, u)
         } yield updateOperation(operation)
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionSrv.scala
index 79d97e3a23..110fef105f 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ActionSrv.scala
@@ -1,18 +1,15 @@
 package org.thp.thehive.connector.cortex.services
 
-import java.util.{Date, Map => JMap}
-
 import akka.actor.ActorRef
 import com.google.inject.name.Named
-import javax.inject.Inject
-import org.apache.tinkerpop.gremlin.structure.{Element, Graph}
+import org.apache.tinkerpop.gremlin.structure.Element
 import org.thp.cortex.client.CortexClient
 import org.thp.cortex.dto.v0.{InputAction => CortexAction, OutputJob => CortexJob}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.scalligraph.{EntityId, NotFoundError}
 import org.thp.thehive.connector.cortex.controllers.v0.Conversion._
 import org.thp.thehive.connector.cortex.models._
@@ -23,11 +20,13 @@ import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.LogOps._
-import org.thp.thehive.services.LogSrv
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.{LogSrv, OrganisationSrv}
 import play.api.libs.json.{JsObject, Json, OWrites}
 
+import java.util.{Date, Map => JMap}
+import javax.inject.Inject
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.Try
 
@@ -39,7 +38,7 @@ class ActionSrv @Inject() (
     logSrv: LogSrv,
     connector: Connector,
     implicit val schema: Schema,
-    @Named("with-thehive-cortex-schema") implicit val db: Database,
+    implicit val db: Database,
     implicit val ec: ExecutionContext,
     auditSrv: CortexAuditSrv
 ) extends VertexSrv[Action] {
@@ -229,16 +228,16 @@ object ActionOps {
 
     def context: Traversal[Product with Entity, Element, Converter[Product with Entity, Element]] = traversal.out[ActionContext].entity
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Action] =
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Action] =
       traversal.filter(
         _.out[ActionContext]
-          .choose(
+          .chooseBranch[String, Any](
             _.on(_.label)
-              .option("Case", _.v[Case].visible.entity)
-              .option("Task", _.v[Task].visible.entity)
-              .option("Log", _.v[Log].visible.entity)
-              .option("Alert", _.v[Alert].visible.entity)
-              .option("Observable", _.v[Observable].visible.entity)
+              .option("Case", _.v[Case].visible(organisationSrv).widen[Any])
+              .option("Task", _.v[Task].visible(organisationSrv).widen[Any])
+              .option("Log", _.v[Log].visible(organisationSrv).widen[Any])
+              .option("Alert", _.v[Alert].visible(organisationSrv).widen[Any])
+              .option("Observable", _.v[Observable].visible(organisationSrv).widen[Any])
           )
       )
   }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrv.scala
index f4eb6ebf74..0b2ccb7dc5 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrv.scala
@@ -1,13 +1,12 @@
 package org.thp.thehive.connector.cortex.services
 
-import javax.inject.{Inject, Singleton}
 import org.thp.cortex.dto.v0.{OutputWorker => CortexWorker}
-import org.thp.scalligraph.{EntityIdOrName, NotFoundError}
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.cortex.dto.v0.OutputWorker
+import org.thp.scalligraph.{EntityIdOrName, NotFoundError}
 import play.api.Logger
 import play.api.libs.json.{JsObject, Json}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success}
 
@@ -68,10 +67,10 @@ class AnalyzerSrv @Inject() (connector: Connector, serviceHelper: ServiceHelper,
   def getAnalyzerByName(analyzerName: String, organisation: EntityIdOrName): Future[Map[CortexWorker, Seq[String]]] =
     searchAnalyzers(Json.obj("query" -> Json.obj("_field" -> "name", "_value" -> analyzerName)), organisation)
 
-  def searchAnalyzers(query: JsObject)(implicit authContext: AuthContext): Future[Map[OutputWorker, Seq[String]]] =
+  def searchAnalyzers(query: JsObject)(implicit authContext: AuthContext): Future[Map[CortexWorker, Seq[String]]] =
     searchAnalyzers(query, authContext.organisation)
 
-  def searchAnalyzers(query: JsObject, organisation: EntityIdOrName): Future[Map[OutputWorker, Seq[String]]] =
+  def searchAnalyzers(query: JsObject, organisation: EntityIdOrName): Future[Map[CortexWorker, Seq[String]]] =
     Future
       .traverse(serviceHelper.availableCortexClients(connector.clients, organisation)) { client =>
         client
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerTemplateSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerTemplateSrv.scala
index 0467ddd4c2..fa4d3f1ae6 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerTemplateSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/AnalyzerTemplateSrv.scala
@@ -1,16 +1,11 @@
 package org.thp.thehive.connector.cortex.services
 
-import java.util.zip.{ZipEntry, ZipFile}
-
-import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.{CreateError, EntityIdOrName, EntityName}
 import org.thp.thehive.connector.cortex.controllers.v0.Conversion._
 import org.thp.thehive.connector.cortex.models.AnalyzerTemplate
@@ -19,13 +14,14 @@ import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.services.OrganisationSrv
 import play.api.libs.json.{JsObject, Json}
 
+import java.util.zip.{ZipEntry, ZipFile}
+import javax.inject.{Inject, Singleton}
 import scala.collection.JavaConverters._
 import scala.io.Source
 import scala.util.{Failure, Try}
 
 @Singleton
-class AnalyzerTemplateSrv @Inject() (implicit
-    @Named("with-thehive-cortex-schema") db: Database,
+class AnalyzerTemplateSrv @Inject() (
     auditSrv: CortexAuditSrv,
     organisationSrv: OrganisationSrv
 ) extends VertexSrv[AnalyzerTemplate] {
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Connector.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Connector.scala
index 5bdb6d70e1..99f790d791 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Connector.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Connector.scala
@@ -2,17 +2,14 @@ package org.thp.thehive.connector.cortex.services
 
 import akka.actor.ActorSystem
 import akka.stream.Materializer
-
-import javax.inject.{Inject, Singleton}
 import org.thp.cortex.client.{CortexClient, CortexClientConfig}
-import org.thp.scalligraph.models.SchemaStatus
 import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
-import org.thp.thehive.connector.cortex.models.CortexSchemaDefinition
 import org.thp.thehive.models.HealthStatus
 import org.thp.thehive.services.{Connector => TheHiveConnector}
 import play.api.libs.json.{JsObject, Json}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.duration.FiniteDuration
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success}
@@ -20,7 +17,6 @@ import scala.util.{Failure, Success}
 @Singleton
 class Connector @Inject() (
     appConfig: ApplicationConfig,
-    schemaDefinition: CortexSchemaDefinition,
     mat: Materializer,
     implicit val system: ActorSystem,
     implicit val ec: ExecutionContext
@@ -88,6 +84,4 @@ class Connector @Inject() (
         system.scheduler.scheduleOnce(statusCheckInterval)(updateStatus())
       }
   updateStatus()
-
-  override def schemaStatus: Option[SchemaStatus] = schemaDefinition.schemaStatus
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Conversion.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Conversion.scala
index 5f1256fd91..eee6dbc795 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Conversion.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/Conversion.scala
@@ -2,6 +2,7 @@ package org.thp.thehive.connector.cortex.services
 
 import io.scalaland.chimney.dsl._
 import org.thp.cortex.dto.v0.{OutputArtifact, OutputMinireport, JobStatus => CortexJobStatus}
+import org.thp.scalligraph.EntityId
 import org.thp.thehive.connector.cortex.models.JobStatus
 import org.thp.thehive.models.{Observable, ReportTag, ReportTagLevel}
 
@@ -21,7 +22,10 @@ object Conversion {
 
   implicit class CortexOutputArtifactOps(artifact: OutputArtifact) {
 
-    def toObservable: Observable =
+    def toObservable(
+        relatedId: EntityId,
+        organisations: Set[EntityId]
+    ): Observable =
       artifact
         .into[Observable]
         .withFieldComputed(_.message, _.message)
@@ -29,6 +33,10 @@ object Conversion {
         .withFieldConst(_.ioc, false)
         .withFieldConst(_.sighted, false)
         .withFieldConst(_.ignoreSimilarity, None)
+        .withFieldConst(_.data, None)
+        .withFieldComputed(_.tags, _.tags.toSeq)
+        .withFieldConst(_.relatedId, relatedId)
+        .withFieldConst(_.organisationIds, organisations)
         .transform
   }
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/CortexAuditSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/CortexAuditSrv.scala
index 4aa4767c55..acd750f046 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/CortexAuditSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/CortexAuditSrv.scala
@@ -3,20 +3,21 @@ package org.thp.thehive.connector.cortex.services
 import akka.actor.ActorRef
 import com.google.inject.Singleton
 import com.google.inject.name.Named
-import javax.inject.{Inject, Provider}
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.EventSrv
 import org.thp.thehive.connector.cortex.models.{Action, AnalyzerTemplate, Job}
 import org.thp.thehive.models.Observable
 import org.thp.thehive.services.{AuditSrv, UserSrv}
 
+import javax.inject.{Inject, Provider}
+
 @Singleton
 class CortexAuditSrv @Inject() (
     userSrvProvider: Provider[UserSrv],
     @Named("notification-actor") notificationActor: ActorRef,
-    eventSrv: EventSrv
-)(implicit @Named("with-thehive-cortex-schema") db: Database)
-    extends AuditSrv(userSrvProvider, notificationActor, eventSrv) {
+    eventSrv: EventSrv,
+    db: Database
+) extends AuditSrv(userSrvProvider, notificationActor, eventSrv, db) {
 
   val job              = new ObjectAudit[Job, Observable]
   val action           = new ObjectAudit[Action, Product with Entity]
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/EntityHelper.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/EntityHelper.scala
index 9e767333f8..af6bc89409 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/EntityHelper.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/EntityHelper.scala
@@ -1,9 +1,8 @@
 package org.thp.thehive.connector.cortex.services
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{BadRequestError, EntityIdOrName}
 import org.thp.thehive.models._
@@ -15,6 +14,7 @@ import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services._
 import play.api.Logger
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Try}
 
 @Singleton
@@ -23,7 +23,8 @@ class EntityHelper @Inject() (
     caseSrv: CaseSrv,
     alertSrv: AlertSrv,
     observableSrv: ObservableSrv,
-    logSrv: LogSrv
+    logSrv: LogSrv,
+    organisationSrv: OrganisationSrv
 ) {
 
   lazy val logger: Logger = Logger(getClass)
@@ -47,7 +48,7 @@ class EntityHelper @Inject() (
       case "Case"       => caseSrv.get(objectId).can(permission).getOrFail("Case")
       case "Observable" => observableSrv.get(objectId).can(permission).getOrFail("Observable")
       case "Log"        => logSrv.get(objectId).can(permission).getOrFail("Log")
-      case "Alert"      => alertSrv.get(objectId).can(permission).getOrFail("Alert")
+      case "Alert"      => alertSrv.get(objectId).can(organisationSrv, permission).getOrFail("Alert")
       case _            => Failure(BadRequestError(s"objectType $objectType is not recognised"))
     }
 
@@ -88,14 +89,15 @@ class EntityHelper @Inject() (
     */
   def entityInfo(entity: Entity)(implicit graph: Graph, authContext: AuthContext): Try[(String, Int, Int)] =
     entity match {
-      case t: Task  => taskSrv.get(t).visible.`case`.getOrFail("Case").map(c => (s"${t.title} (${t.status})", c.tlp, c.pap))
-      case c: Case  => caseSrv.get(c).visible.getOrFail("Case").map(c => (s"#${c.number} ${c.title}", c.tlp, c.pap))
-      case l: Log   => logSrv.get(l).visible.`case`.getOrFail("Case").map(c => (s"${l.message} from ${l._createdBy}", c.tlp, c.pap))
-      case a: Alert => alertSrv.get(a).visible.getOrFail("Alert").map(a => (s"[${a.source}:${a.sourceRef}] ${a.title}", a.tlp, a.pap))
+      case t: Task => taskSrv.get(t).visible(organisationSrv).`case`.getOrFail("Case").map(c => (s"${t.title} (${t.status})", c.tlp, c.pap))
+      case c: Case => caseSrv.get(c).visible(organisationSrv).getOrFail("Case").map(c => (s"#${c.number} ${c.title}", c.tlp, c.pap))
+      case l: Log  => logSrv.get(l).visible(organisationSrv).`case`.getOrFail("Case").map(c => (s"${l.message} from ${l._createdBy}", c.tlp, c.pap))
+      case a: Alert =>
+        alertSrv.get(a).visible(organisationSrv).getOrFail("Alert").map(a => (s"[${a.source}:${a.sourceRef}] ${a.title}", a.tlp, a.pap))
       case o: Observable =>
         for {
-          ro <- observableSrv.get(o).visible.richObservable.getOrFail("Observable")
+          ro <- observableSrv.get(o).visible(organisationSrv).richObservable.getOrFail("Observable")
           c  <- observableSrv.get(o).`case`.getOrFail("Case")
-        } yield (s"[${ro.`type`.name}] ${ro.data.map(_.data).getOrElse("<no data>")}", ro.tlp, c.pap) // TODO add attachment info
+        } yield (s"[${ro.dataType}] ${ro.data.getOrElse("<no data>")}", ro.tlp, c.pap) // TODO add attachment info
     }
 }
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
index f8477a3baf..8fa24cfd25 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
@@ -1,25 +1,20 @@
 package org.thp.thehive.connector.cortex.services
 
-import java.nio.file.Files
-import java.util.{Date, Map => JMap}
-
 import akka.Done
 import akka.actor._
 import akka.stream.Materializer
 import akka.stream.scaladsl.FileIO
 import com.google.inject.name.Named
 import io.scalaland.chimney.dsl._
-import javax.inject.{Inject, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.cortex.client.CortexClient
-import org.thp.cortex.dto.v0.{InputArtifact, OutputArtifact, Attachment => CortexAttachment, OutputJob => CortexJob, JobStatus => CortexJobStatus}
+import org.thp.cortex.dto.v0.{InputArtifact, OutputArtifact, Attachment => CortexAttachment, JobStatus => CortexJobStatus, OutputJob => CortexJob}
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.controllers.FFile
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, StepLabel, Traversal}
 import org.thp.scalligraph.{EntityId, EntityIdOrName, NotFoundError}
 import org.thp.thehive.connector.cortex.controllers.v0.Conversion._
 import org.thp.thehive.connector.cortex.models._
@@ -31,8 +26,11 @@ import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.{AttachmentSrv, ObservableSrv, ObservableTypeSrv, ReportTagSrv}
-import play.api.libs.json.Json
+import play.api.libs.json.{JsObject, JsString, Json}
 
+import java.nio.file.Files
+import java.util.{Date, Map => JMap}
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success, Try}
 
@@ -46,7 +44,7 @@ class JobSrv @Inject() (
     reportTagSrv: ReportTagSrv,
     serviceHelper: ServiceHelper,
     auditSrv: CortexAuditSrv,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     implicit val ec: ExecutionContext,
     implicit val mat: Materializer
 ) extends VertexSrv[Job] {
@@ -77,15 +75,15 @@ class JobSrv @Inject() (
       analyzer <- cortexClient.getAnalyzer(workerId).recoverWith {
         case _ => cortexClient.getAnalyzerByName(workerId)
       } // if get analyzer using cortex2 API fails, try using legacy API
-      cortexArtifact <- (observable.attachment, observable.data) match {
-        case (None, Some(data)) =>
+      cortexArtifact <- observable.dataOrAttachment match {
+        case Left(data) =>
           Future.successful(
-            InputArtifact(observable.tlp, `case`.pap, observable.`type`.name, `case`.number.toString, Some(data.data), None)
+            InputArtifact(observable.tlp, `case`.pap, observable.dataType, `case`.number.toString, Some(data), None)
           )
-        case (Some(a), None) =>
+        case Right(a) =>
           val attachment = CortexAttachment(a.name, a.size, a.contentType, attachmentSrv.source(a))
           Future.successful(
-            InputArtifact(observable.tlp, `case`.pap, observable.`type`.name, `case`.number.toString, None, Some(attachment))
+            InputArtifact(observable.tlp, `case`.pap, observable.dataType, `case`.number.toString, None, Some(attachment))
           )
         case _ => Future.failed(new Exception(s"Invalid Observable data for ${observable.observable._id}"))
       }
@@ -94,7 +92,13 @@ class JobSrv @Inject() (
         create(fromCortexOutputJob(cortexOutputJob).copy(cortexId = cortexId), observable.observable)
       })
       _ <- Future.fromTry(db.tryTransaction { implicit graph =>
-        auditSrv.job.create(createdJob.job, observable.observable, createdJob.toJson)
+        auditSrv
+          .job
+          .create(
+            createdJob.job,
+            observable.observable,
+            createdJob.toJson.as[JsObject] + ("objectType" -> JsString("Observable")) + ("objectId" -> JsString(observable._id.toString))
+          )
       })
       _ = cortexActor ! CheckJob(Some(createdJob._id), cortexOutputJob.id, None, cortexClient.name, authContext)
     } yield createdJob
@@ -173,7 +177,14 @@ class JobSrv @Inject() (
             .update(_.endDate, endDate)
             .getOrFail("Job")
           observable <- get(job).observable.getOrFail("Observable")
-          _          <- auditSrv.job.update(job, observable, Json.obj("status" -> status, "endDate" -> endDate))
+          _ <-
+            auditSrv
+              .job
+              .update(
+                job,
+                observable,
+                Json.obj("status" -> status, "endDate" -> endDate, "objectType" -> "Observable", "objectId" -> observable._id.toString)
+              )
         } yield job
       }
     }
@@ -208,16 +219,16 @@ class JobSrv @Inject() (
     Future
       .traverse(artifacts) { artifact =>
         db.tryTransaction(graph => observableTypeSrv.getOrFail(EntityIdOrName(artifact.dataType))(graph)) match {
-          case Success(attachmentType) if attachmentType.isAttachment => importCortexAttachment(job, artifact, attachmentType, cortexClient)
-          case Success(dataType) =>
+          case Success(attachmentType) if attachmentType.isAttachment => importCortexAttachment(job, artifact, cortexClient)
+          case _: Success[_] =>
             Future
               .fromTry {
                 db.tryTransaction { implicit graph =>
-                  observableSrv
-                    .create(artifact.toObservable, dataType, artifact.data.get, artifact.tags, Nil)
-                    .flatMap { richObservable =>
-                      addObservable(job, richObservable.observable)
-                    }
+                  for {
+                    origObs <- get(job).observable.getOrFail("Observable")
+                    obs     <- observableSrv.create(artifact.toObservable(job._id, origObs.organisationIds), artifact.data.get)
+                    _       <- addObservable(job, obs.observable)
+                  } yield ()
                 }
               }
           case Failure(e) => Future.failed(e)
@@ -243,7 +254,6 @@ class JobSrv @Inject() (
   private def importCortexAttachment(
       job: Job with Entity,
       artifact: OutputArtifact,
-      attachmentType: ObservableType with Entity,
       cortexClient: CortexClient
   )(implicit
       authContext: AuthContext
@@ -259,8 +269,9 @@ class JobSrv @Inject() (
           savedAttachment <- Future.fromTry {
             db.tryTransaction { implicit graph =>
               for {
+                origObs           <- get(job).observable.getOrFail("Observable")
                 createdAttachment <- attachmentSrv.create(fFile)
-                richObservable    <- observableSrv.create(artifact.toObservable, attachmentType, createdAttachment, artifact.tags, Nil)
+                richObservable    <- observableSrv.create(artifact.toObservable(job._id, origObs.organisationIds), createdAttachment)
                 _                 <- reportObservableSrv.create(ReportObservable(), job, richObservable.observable)
               } yield createdAttachment
             }
@@ -296,7 +307,7 @@ object JobOps {
     def can(permission: Permission)(implicit authContext: AuthContext): Traversal.V[Job] =
       if (authContext.permissions.contains(permission))
         traversal.filter(_.observable.can(permission))
-      else traversal.limit(0)
+      else traversal.empty
 
     def observable: Traversal.V[Observable] = traversal.in[ObservableJob].v[Observable]
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ResponderSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ResponderSrv.scala
index 18ded91397..e559937cd9 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ResponderSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ResponderSrv.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.connector.cortex.services
 
-import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
 import org.thp.cortex.dto.v0.OutputWorker
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.auth.AuthContext
@@ -11,13 +9,14 @@ import org.thp.thehive.models.Permissions
 import play.api.Logger
 import play.api.libs.json.{JsObject, Json}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success}
 
 @Singleton
 class ResponderSrv @Inject() (
     connector: Connector,
-    @Named("with-thehive-cortex-schema") db: Database,
+    db: Database,
     entityHelper: EntityHelper,
     serviceHelper: ServiceHelper,
     implicit val ec: ExecutionContext
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ServiceHelper.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ServiceHelper.scala
index 0ce824fc26..85c33def7b 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ServiceHelper.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/ServiceHelper.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.connector.cortex.services
 
-import com.google.inject.name.Named
-import javax.inject.{Inject, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.thp.cortex.client.CortexClient
 import org.thp.cortex.dto.v0.OutputWorker
@@ -14,9 +12,11 @@ import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services._
 import play.api.Logger
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class ServiceHelper @Inject() (
-    @Named("with-thehive-cortex-schema") db: Database,
+    db: Database,
     organisationSrv: OrganisationSrv
 ) {
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunAnalyzer.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunAnalyzer.scala
index c292c513a9..c0abd6a12e 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunAnalyzer.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunAnalyzer.scala
@@ -1,8 +1,7 @@
 package org.thp.thehive.connector.cortex.services.notification.notifiers
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{BadConfigurationError, NotFoundError, RichOption}
 import org.thp.thehive.connector.cortex.services.{AnalyzerSrv, JobSrv}
@@ -13,6 +12,7 @@ import org.thp.thehive.services._
 import org.thp.thehive.services.notification.notifiers.{Notifier, NotifierProvider}
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Try}
 
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunResponder.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunResponder.scala
index 8d50288980..9d501457cf 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunResponder.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/notification/notifiers/RunResponder.scala
@@ -1,9 +1,8 @@
 package org.thp.thehive.connector.cortex.services.notification.notifiers
 
 import com.typesafe.config.ConfigRenderOptions
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{BadConfigurationError, NotFoundError, RichOption}
 import org.thp.thehive.connector.cortex.services.{ActionSrv, ResponderSrv}
@@ -14,6 +13,7 @@ import org.thp.thehive.services.notification.notifiers.{Notifier, NotifierProvid
 import play.api.Configuration
 import play.api.libs.json.{JsObject, Json, OWrites}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Try}
 
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrlTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrlTest.scala
index d4ba90febb..4dec8d3142 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrlTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerCtrlTest.scala
@@ -1,16 +1,10 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import org.thp.scalligraph.AppBuilder
-import org.thp.scalligraph.models.Database
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.dto.v0.OutputWorker
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.test.{FakeRequest, PlaySpecification}
 
 class AnalyzerCtrlTest extends PlaySpecification with TestAppBuilder {
-  override def appConfigure: AppBuilder =
-    super
-      .appConfigure
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   "analyzer controller" should {
     "list analyzers" in testApp { app =>
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrlTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrlTest.scala
index 1abf23b16f..846507bcc1 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrlTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/AnalyzerTemplateCtrlTest.scala
@@ -1,10 +1,8 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import org.thp.scalligraph.AppBuilder
 import org.thp.scalligraph.controllers.FakeTemporaryFile
-import org.thp.scalligraph.models.Database
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.dto.v0.OutputAnalyzerTemplate
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.libs.json.Json
 import play.api.mvc.MultipartFormData.FilePart
 import play.api.mvc.{AnyContentAsMultipartFormData, MultipartFormData}
@@ -13,10 +11,6 @@ import play.api.test.{FakeRequest, PlaySpecification}
 import scala.util.Random
 
 class AnalyzerTemplateCtrlTest extends PlaySpecification with TestAppBuilder {
-  override def appConfigure: AppBuilder =
-    super
-      .appConfigure
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   "report controller" should {
 //      "create, fetch, update and delete a template" in testApp {app =>
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrlTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrlTest.scala
index 15ffbdbb95..df87d9e634 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrlTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/JobCtrlTest.scala
@@ -5,10 +5,10 @@ import org.thp.scalligraph.AppBuilder
 import org.thp.scalligraph.models.{Database, Schema}
 import org.thp.scalligraph.query.QueryExecutor
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.models.TheHiveCortexSchemaProvider
 import org.thp.thehive.connector.cortex.services.{Connector, CortexActor, TestConnector}
 import org.thp.thehive.services.ObservableSrv
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.libs.json.Json
 import play.api.test.{FakeRequest, PlaySpecification}
 
@@ -23,7 +23,6 @@ class JobCtrlTest extends PlaySpecification with TestAppBuilder {
           .bind[Connector, TestConnector]
           .bindToProvider[Schema, TheHiveCortexSchemaProvider]
           .bindNamedToProvider[QueryExecutor, TheHiveCortexQueryExecutorProvider]("v0")
-          .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
       )
 
   "job controller" should {
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/TheHiveCortexQueryExecutorProvider.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/TheHiveCortexQueryExecutorProvider.scala
index 9ff1cadd47..48d5432fd5 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/TheHiveCortexQueryExecutorProvider.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/controllers/v0/TheHiveCortexQueryExecutorProvider.scala
@@ -1,9 +1,10 @@
 package org.thp.thehive.connector.cortex.controllers.v0
 
-import javax.inject.{Inject, Provider}
 import org.thp.scalligraph.query.QueryExecutor
 import org.thp.thehive.controllers.v0.TheHiveQueryExecutor
 
+import javax.inject.{Inject, Provider}
+
 class TheHiveCortexQueryExecutorProvider @Inject() (thehiveQueryExecutor: TheHiveQueryExecutor, cortexQueryExecutor: CortexQueryExecutor)
     extends Provider[QueryExecutor] {
   override def get(): QueryExecutor = thehiveQueryExecutor ++ cortexQueryExecutor
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ActionSrvTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ActionSrvTest.scala
index 66980decaa..80fd0eaa78 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ActionSrvTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ActionSrvTest.scala
@@ -6,13 +6,13 @@ import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AppBuilder, EntityName}
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.controllers.v0.ActionCtrl
 import org.thp.thehive.connector.cortex.models.{JobStatus, TheHiveCortexSchemaProvider}
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.TaskOps._
-import org.thp.thehive.services.{AlertSrv, LogSrv, TaskSrv}
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
+import org.thp.thehive.services.{AlertSrv, LogSrv, OrganisationSrv, TaskSrv}
 import play.api.libs.json._
 import play.api.test.PlaySpecification
 
@@ -33,7 +33,6 @@ class ActionSrvTest extends PlaySpecification with TestAppBuilder {
           .bind[Connector, TestConnector]
           .bindToProvider[Schema, TheHiveCortexSchemaProvider]
       )
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   def testAppBuilder[A](body: AppBuilder => A): A =
     testApp { app =>
@@ -110,7 +109,7 @@ class ActionSrvTest extends PlaySpecification with TestAppBuilder {
     "handle action related to an Alert" in testApp { app =>
       implicit val entityWrites: OWrites[Entity] = app[ActionCtrl].entityWrites
       val alert = app[Database].roTransaction { implicit graph =>
-        app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible.head
+        app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible(app[OrganisationSrv]).head
       }
       alert.read must beFalse
       val richAction = await(app[ActionSrv].execute(alert, None, "respTest1", JsObject.empty))
@@ -123,15 +122,15 @@ class ActionSrvTest extends PlaySpecification with TestAppBuilder {
       updatedActionTry must beSuccessfulTry
 
       app[Database].roTransaction { implicit graph =>
-        val updatedAlert = app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible.richAlert.head // FIXME
+        val updatedAlert = app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible(app[OrganisationSrv]).richAlert.head // FIXME
         updatedAlert.read must beTrue
-        updatedAlert.tags.map(_.toString) must contain("test tag from action") // TODO
+        updatedAlert.tags must contain("test tag from action") // TODO
       }
     }
   }
 
   def readJsonResource(resourceName: String): JsValue = {
-    val dataSource = Source.fromResource("cortex-jobs.json")
+    val dataSource = Source.fromResource(resourceName)
     try {
       val data = dataSource.mkString
       Json.parse(data)
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrvTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrvTest.scala
index 43fd62587d..b2cd9e21c6 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrvTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/AnalyzerSrvTest.scala
@@ -5,9 +5,9 @@ import org.thp.cortex.dto.v0.OutputWorker
 import org.thp.scalligraph.AppBuilder
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.models.TheHiveCortexSchemaProvider
 import org.thp.thehive.models.Permissions
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.test.PlaySpecification
 
 class AnalyzerSrvTest extends PlaySpecification with TestAppBuilder {
@@ -22,7 +22,6 @@ class AnalyzerSrvTest extends PlaySpecification with TestAppBuilder {
           .bind[Connector, TestConnector]
           .bindToProvider[Schema, TheHiveCortexSchemaProvider]
       )
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   implicit val authContext: AuthContext =
     DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert", permissions = Permissions.all).authContext
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/EntityHelperTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/EntityHelperTest.scala
index 0aa8bef360..d2ff8a363d 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/EntityHelperTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/EntityHelperTest.scala
@@ -7,7 +7,7 @@ import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.AlertOps._
-import org.thp.thehive.services.{AlertSrv, ObservableSrv, TaskSrv}
+import org.thp.thehive.services.{AlertSrv, ObservableSrv, OrganisationSrv, TaskSrv}
 import play.api.test.PlaySpecification
 
 class EntityHelperTest extends PlaySpecification with TestAppBuilder {
@@ -55,7 +55,7 @@ class EntityHelperTest extends PlaySpecification with TestAppBuilder {
     "find a manageable entity only (alert)" in testApp { app =>
       app[Database].roTransaction { implicit graph =>
         for {
-          alert <- app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible.getOrFail("Alert")
+          alert <- app[AlertSrv].get(EntityName("testType;testSource;ref2")).visible(app[OrganisationSrv]).getOrFail("Alert")
           t     <- app[EntityHelper].get("Alert", alert._id, Permissions.manageAction)
         } yield t
       } must beSuccessfulTry
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/JobSrvTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/JobSrvTest.scala
index e0c2aabcb9..9cfe8927a5 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/JobSrvTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/JobSrvTest.scala
@@ -1,13 +1,12 @@
 package org.thp.thehive.connector.cortex.services
 
-import java.util.Date
-
 import org.thp.cortex.client.{CortexClient, TestCortexClientProvider}
 import org.thp.cortex.dto.v0.OutputJob
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, DummyUserSrv, Schema}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AppBuilder, EntityName}
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.models.{Job, JobStatus, TheHiveCortexSchemaProvider}
 import org.thp.thehive.connector.cortex.services.JobOps._
 import org.thp.thehive.models.Permissions
@@ -15,10 +14,10 @@ import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import org.thp.thehive.services.notification.triggers.JobFinished
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.libs.json.Json
 import play.api.test.PlaySpecification
 
+import java.util.Date
 import scala.concurrent.Await
 import scala.concurrent.duration.DurationInt
 import scala.io.Source
@@ -31,7 +30,6 @@ class JobSrvTest extends PlaySpecification with TestAppBuilder {
       .bindActor[CortexActor]("cortex-actor")
       .bindToProvider[CortexClient, TestCortexClientProvider]
       .bind[Connector, TestConnector]
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
       .`override`(_.bindToProvider[Schema, TheHiveCortexSchemaProvider])
 
   "job service" should {
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ResponderSrvTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ResponderSrvTest.scala
index 528b0c8b2c..a40c9001c6 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ResponderSrvTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ResponderSrvTest.scala
@@ -5,10 +5,10 @@ import org.thp.scalligraph.AppBuilder
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.models.TheHiveCortexSchemaProvider
 import org.thp.thehive.models.Permissions
 import org.thp.thehive.services._
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.libs.json.Json
 import play.api.test.PlaySpecification
 
@@ -27,7 +27,6 @@ class ResponderSrvTest extends PlaySpecification with TestAppBuilder {
           .bind[Connector, TestConnector]
           .bindToProvider[Schema, TheHiveCortexSchemaProvider]
       )
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   "responder service" should {
     "fetch responders by type" in testApp { app =>
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ServiceHelperTest.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ServiceHelperTest.scala
index 99051a0cb8..70ab8a2217 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ServiceHelperTest.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/ServiceHelperTest.scala
@@ -4,10 +4,10 @@ import org.thp.cortex.client.{CortexClient, TestCortexClientProvider}
 import org.thp.scalligraph.models.{Database, Schema}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AppBuilder, EntityName}
+import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.connector.cortex.models.TheHiveCortexSchemaProvider
 import org.thp.thehive.models.Organisation
 import org.thp.thehive.services._
-import org.thp.thehive.{BasicDatabaseProvider, TestAppBuilder}
 import play.api.test.PlaySpecification
 
 class ServiceHelperTest extends PlaySpecification with TestAppBuilder {
@@ -22,7 +22,6 @@ class ServiceHelperTest extends PlaySpecification with TestAppBuilder {
           .bind[Connector, TestConnector]
           .bindToProvider[Schema, TheHiveCortexSchemaProvider]
       )
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-cortex-schema")
 
   "service helper" should {
     "filter properly organisations according to supplied config" in testApp { app =>
diff --git a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/TestConnector.scala b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/TestConnector.scala
index b6dc5cd410..cfff319404 100644
--- a/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/TestConnector.scala
+++ b/cortex/connector/src/test/scala/org/thp/thehive/connector/cortex/services/TestConnector.scala
@@ -2,23 +2,20 @@ package org.thp.thehive.connector.cortex.services
 
 import akka.actor.ActorSystem
 import akka.stream.Materializer
-
-import javax.inject.{Inject, Singleton}
 import org.thp.cortex.client.CortexClient
 import org.thp.scalligraph.services.config.ApplicationConfig
-import org.thp.thehive.connector.cortex.models.CortexSchemaDefinition
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.ExecutionContext
 
 @Singleton
 class TestConnector @Inject() (
     client: CortexClient,
     appConfig: ApplicationConfig,
-    schemaDefinition: CortexSchemaDefinition,
     mat: Materializer,
     system: ActorSystem,
     ec: ExecutionContext
-) extends Connector(appConfig, schemaDefinition, mat, system, ec) {
+) extends Connector(appConfig, mat, system, ec) {
   override def clients: Seq[CortexClient] = Seq(client)
 
   override protected def updateHealth(): Unit = ()
diff --git a/cortex/dto/src/main/scala/org/thp/cortex/dto/v0/Job.scala b/cortex/dto/src/main/scala/org/thp/cortex/dto/v0/Job.scala
index e2a906628c..eda4136a9d 100644
--- a/cortex/dto/src/main/scala/org/thp/cortex/dto/v0/Job.scala
+++ b/cortex/dto/src/main/scala/org/thp/cortex/dto/v0/Job.scala
@@ -1,9 +1,9 @@
 package org.thp.cortex.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json._
 
+import java.util.Date
+
 object JobStatus extends Enumeration {
   val InProgress, Success, Failure, Waiting, Deleted = Value
 }
diff --git a/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Action.scala b/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Action.scala
index 1fbb0fe195..41f7f8db31 100644
--- a/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Action.scala
+++ b/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Action.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.connector.cortex.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{JsObject, Json, OFormat}
 
+import java.util.Date
+
 case class InputAction(
     responderId: String,
     cortexId: Option[String],
diff --git a/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Job.scala b/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Job.scala
index 55a8d5ab78..d3e04c6403 100644
--- a/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Job.scala
+++ b/dto/src/main/scala/org/thp/thehive/connector/cortex/dto/v0/Job.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.connector.cortex.dto.v0
 
-import java.util.Date
-
 import org.thp.thehive.dto.v0.OutputObservable
 import play.api.libs.json.{JsObject, Json, OFormat}
 
+import java.util.Date
+
 case class OutputJob(
     _type: String,
     analyzerId: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Alert.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Alert.scala
index 4549939595..9c0fa03781 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Alert.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Alert.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputAlert(
     `type`: String,
     source: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Audit.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Audit.scala
index 79889dd505..5e1a24ca59 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Audit.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Audit.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.models.Entity
 import play.api.libs.json._
 
+import java.util.Date
+
 case class OutputEntity(_type: String, _id: String, _createdAt: Date, _createdBy: String, _updatedAt: Option[Date], _updatedBy: Option[String])
 
 object OutputEntity {
@@ -44,7 +44,7 @@ case class OutputAudit(
 object OutputAudit {
 
   val auditWrites: OWrites[OutputAudit] = Json.writes[OutputAudit].transform { js: JsObject =>
-    Json.obj("base" -> (js - "summary"), "summary" -> (js \ "summary").asOpt[JsObject])
+    Json.obj("base" -> (js - "summary"), "summary" -> (js \ "summary").asOpt[JsObject], "_type" -> "audit")
   }
 
   val auditReads: Reads[OutputAudit] = Reads[OutputAudit] { js =>
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Case.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Case.scala
index b1782a1b79..421e20041f 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Case.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Case.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputCase(
     title: String,
     description: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/CaseTemplate.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/CaseTemplate.scala
index b1b8c4d7a8..a4f229c31f 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/CaseTemplate.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/CaseTemplate.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json.{JsObject, Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputCaseTemplate(
     name: String,
     displayName: Option[String],
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/CustomFieldValue.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/CustomFieldValue.scala
index 3931d5b4dd..74bb531cc4 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/CustomFieldValue.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/CustomFieldValue.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.scalactic.Accumulation._
 import org.scalactic._
 import org.thp.scalligraph.controllers.{FNull, _}
 import org.thp.scalligraph.{AttributeError, InvalidFormatAttributeError}
 import play.api.libs.json._
 
+import java.util.Date
+
 case class OutputCustomField(
     id: String,
     name: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Dashboard.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Dashboard.scala
index cba02e5912..76aad83259 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Dashboard.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Dashboard.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputDashboard(title: String, description: String, status: String, definition: String)
 
 object InputDashboard {
@@ -21,7 +21,8 @@ case class OutputDashboard(
     title: String,
     description: String,
     status: String,
-    definition: String
+    definition: String,
+    writable: Boolean
 )
 
 object OutputDashboard {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Log.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Log.scala
index 418f98caf9..ec0b7d077a 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Log.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Log.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.FFile
 import play.api.libs.json.{Json, OFormat}
 
+import java.util.Date
+
 case class InputLog(message: String, startDate: Option[Date] = None, attachment: Option[FFile] = None)
 
 case class OutputLog(
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Observable.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Observable.scala
index 37173a6296..02e7d4fd89 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Observable.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Observable.scala
@@ -1,11 +1,12 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
 import org.scalactic.Accumulation._
 import org.scalactic.Good
 import org.thp.scalligraph.controllers._
 import play.api.libs.json.{JsObject, Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputObservable(
     dataType: String,
     @WithParser(InputObservable.dataParser)
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/ObservableType.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/ObservableType.scala
index 55a851f58e..e5d2211b86 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/ObservableType.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/ObservableType.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputObservableType(name: String, isAttachment: Option[Boolean])
 object InputObservableType {
   implicit val writes: Writes[InputObservableType] = Json.writes[InputObservableType]
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Organistion.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Organistion.scala
index 124e9afe29..b1f0275277 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Organistion.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Organistion.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{Format, Json, Writes}
 
+import java.util.Date
+
 case class InputOrganisation(name: String, description: String)
 
 object InputOrganisation {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Page.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Page.scala
index bd057ec3a7..ec5d8ae4ef 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Page.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Page.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputPage(
     title: String,
     content: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Profile.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Profile.scala
index 1a6d7efe54..a3a917d4cf 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Profile.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Profile.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputProfile(name: String, permissions: Set[String])
 
 object InputProfile {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Share.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Share.scala
index 3ff4a758c8..94dc76d901 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Share.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Share.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.thehive.dto.v0.ObservablesFilter.ObservablesFilter
 import org.thp.thehive.dto.v0.TasksFilter.TasksFilter
 import play.api.libs.json.{Format, Json, Writes}
 
+import java.util.Date
+
 case class InputShare(organisationName: String, profile: String, tasks: TasksFilter, observables: ObservablesFilter)
 
 object TasksFilter extends Enumeration {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Tag.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Tag.scala
index 46cdc7fd5e..d994f6fc38 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Tag.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Tag.scala
@@ -2,13 +2,13 @@ package org.thp.thehive.dto.v0
 
 import play.api.libs.json.{Json, OFormat, OWrites}
 
-case class InputTag(namespace: String, predicate: String, value: Option[String], description: Option[String], colour: Option[Int])
+case class InputTag(namespace: String, predicate: String, value: Option[String], description: Option[String], colour: Option[String])
 
 object InputTag {
   implicit val writes: OWrites[InputTag] = Json.writes[InputTag]
 }
 
-case class OutputTag(namespace: String, predicate: String, value: Option[String], description: Option[String], colour: Int)
+case class OutputTag(namespace: String, predicate: String, value: Option[String], description: Option[String], colour: String)
 
 object OutputTag {
   implicit val format: OFormat[OutputTag] = Json.format[OutputTag]
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/Task.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/Task.scala
index 23113b8ac2..7602e63142 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/Task.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/Task.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputTask(
     title: String,
     group: Option[String] = None,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v0/User.scala b/dto/src/main/scala/org/thp/thehive/dto/v0/User.scala
index b35703628f..0e1b51244e 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v0/User.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v0/User.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.FFile
 import play.api.libs.json.{Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputUser(
     login: String,
     name: String,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Alert.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Alert.scala
index 994b315bcd..ca58be6432 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Alert.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Alert.scala
@@ -1,10 +1,12 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
+import ai.x.play.json.Encoders.encoder
+import ai.x.play.json.Jsonx
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputAlert(
     `type`: String,
     source: String,
@@ -54,87 +56,5 @@ case class OutputAlert(
 )
 
 object OutputAlert {
-  implicit val reads: Reads[OutputAlert] = Reads[OutputAlert] { json =>
-    for {
-      _id             <- (json \ "_id").validate[String]
-      _type           <- (json \ "_type").validate[String]
-      _createdBy      <- (json \ "_createdBy").validate[String]
-      _updatedBy      <- (json \ "_updatedBy").validateOpt[String]
-      _createdAt      <- (json \ "_createdAt").validate[Date]
-      _updatedAt      <- (json \ "_updatedAt").validateOpt[Date]
-      tpe             <- (json \ "type").validate[String]
-      source          <- (json \ "source").validate[String]
-      sourceRef       <- (json \ "sourceRef").validate[String]
-      externalLink    <- (json \ "externalLink").validateOpt[String]
-      title           <- (json \ "title").validate[String]
-      description     <- (json \ "description").validate[String]
-      severity        <- (json \ "severity").validate[Int]
-      date            <- (json \ "date").validate[Date]
-      tags            <- (json \ "tags").validate[Set[String]]
-      tlp             <- (json \ "tlp").validate[Int]
-      pap             <- (json \ "pap").validate[Int]
-      read            <- (json \ "read").validate[Boolean]
-      follow          <- (json \ "follow").validate[Boolean]
-      customFields    <- (json \ "customFields").validate[Seq[OutputCustomFieldValue]]
-      caseTemplate    <- (json \ "caseTemplate").validateOpt[String]
-      observableCount <- (json \ "observableCount").validate[Long]
-      caseId          <- (json \ "caseId").validateOpt[String]
-      extraData       <- (json \ "extraData").validate[JsObject]
-    } yield OutputAlert(
-      _id,
-      _type,
-      _createdBy,
-      _updatedBy,
-      _createdAt,
-      _updatedAt,
-      tpe,
-      source,
-      sourceRef,
-      externalLink,
-      title,
-      description,
-      severity,
-      date,
-      tags,
-      tlp,
-      pap,
-      read,
-      follow,
-      customFields,
-      caseTemplate,
-      observableCount,
-      caseId,
-      extraData
-    )
-  }
-  implicit val writes: OWrites[OutputAlert] = OWrites[OutputAlert] { outputAlert =>
-    Json.obj(
-      "_id"             -> outputAlert._id,
-      "_type"           -> outputAlert._type,
-      "_createdBy"      -> outputAlert._createdBy,
-      "_updatedBy"      -> outputAlert._updatedBy,
-      "_createdAt"      -> outputAlert._createdAt,
-      "_updatedAt"      -> outputAlert._updatedAt,
-      "type"            -> outputAlert.`type`,
-      "source"          -> outputAlert.source,
-      "sourceRef"       -> outputAlert.sourceRef,
-      "externalLink"    -> outputAlert.externalLink,
-      "title"           -> outputAlert.title,
-      "description"     -> outputAlert.description,
-      "severity"        -> outputAlert.severity,
-      "date"            -> outputAlert.date,
-      "tags"            -> outputAlert.tags,
-      "tlp"             -> outputAlert.tlp,
-      "pap"             -> outputAlert.pap,
-      "read"            -> outputAlert.read,
-      "follow"          -> outputAlert.follow,
-      "customFields"    -> outputAlert.customFields,
-      "caseTemplate"    -> outputAlert.caseTemplate,
-      "observableCount" -> outputAlert.observableCount,
-      "caseId"          -> outputAlert.caseId,
-      "extraData"       -> outputAlert.extraData
-    )
-  }
-
-  implicit val format: OFormat[OutputAlert] = OFormat(reads, writes)
+  implicit val format: OFormat[OutputAlert] = Jsonx.formatCaseClass[OutputAlert]
 }
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Audit.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Audit.scala
index 318d92ea17..0d49144e6c 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Audit.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Audit.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import org.thp.scalligraph.models.Entity
 import play.api.libs.json.{Json, OFormat}
 
+import java.util.Date
+
 case class OutputEntity(_type: String, _id: String, _createdAt: Date, _createdBy: String, _updatedAt: Option[Date], _updatedBy: Option[String])
 
 object OutputEntity {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Case.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Case.scala
index bd2fa69f4b..9749c8c7dc 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Case.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Case.scala
@@ -1,10 +1,12 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
+import ai.x.play.json.Encoders.encoder
+import ai.x.play.json.Jsonx
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputCase(
     title: String,
     description: String,
@@ -53,86 +55,5 @@ case class OutputCase(
 )
 
 object OutputCase {
-
-  val reads: Reads[OutputCase] = Reads[OutputCase] { json =>
-    for {
-      _id              <- (json \ "_id").validate[String]
-      _type            <- (json \ "_type").validate[String]
-      _createdBy       <- (json \ "_createdBy").validate[String]
-      _updatedBy       <- (json \ "_updatedBy").validateOpt[String]
-      _createdAt       <- (json \ "_createdAt").validate[Date]
-      _updatedAt       <- (json \ "_updatedAt").validateOpt[Date]
-      number           <- (json \ "number").validate[Int]
-      title            <- (json \ "title").validate[String]
-      description      <- (json \ "description").validate[String]
-      severity         <- (json \ "severity").validate[Int]
-      startDate        <- (json \ "startDate").validate[Date]
-      endDate          <- (json \ "endDate").validateOpt[Date]
-      tags             <- (json \ "tags").validate[Set[String]]
-      flag             <- (json \ "flag").validate[Boolean]
-      tlp              <- (json \ "tlp").validate[Int]
-      pap              <- (json \ "pap").validate[Int]
-      status           <- (json \ "status").validate[String]
-      summary          <- (json \ "summary").validateOpt[String]
-      impactStatus     <- (json \ "impactStatus").validateOpt[String]
-      resolutionStatus <- (json \ "resolutionStatus").validateOpt[String]
-      assignee         <- (json \ "assignee").validateOpt[String]
-      customFields     <- (json \ "customFields").validate[Seq[OutputCustomFieldValue]]
-      extraData        <- (json \ "extraData").validate[JsObject]
-    } yield OutputCase(
-      _id,
-      _type,
-      _createdBy,
-      _updatedBy,
-      _createdAt,
-      _updatedAt,
-      number,
-      title,
-      description,
-      severity,
-      startDate,
-      endDate,
-      tags,
-      flag,
-      tlp,
-      pap,
-      status,
-      summary,
-      impactStatus,
-      resolutionStatus,
-      assignee,
-      customFields,
-      extraData
-    )
-  }
-
-  val writes: OWrites[OutputCase] = OWrites[OutputCase] { outputCase =>
-    Json.obj(
-      "_id"              -> outputCase._id,
-      "_type"            -> outputCase._type,
-      "_createdBy"       -> outputCase._createdBy,
-      "_updatedBy"       -> outputCase._updatedBy,
-      "_createdAt"       -> outputCase._createdAt,
-      "_updatedAt"       -> outputCase._updatedAt,
-      "number"           -> outputCase.number,
-      "title"            -> outputCase.title,
-      "description"      -> outputCase.description,
-      "severity"         -> outputCase.severity,
-      "startDate"        -> outputCase.startDate,
-      "endDate"          -> outputCase.endDate,
-      "tags"             -> outputCase.tags,
-      "flag"             -> outputCase.flag,
-      "tlp"              -> outputCase.tlp,
-      "pap"              -> outputCase.pap,
-      "status"           -> outputCase.status,
-      "summary"          -> outputCase.summary,
-      "impactStatus"     -> outputCase.impactStatus,
-      "resolutionStatus" -> outputCase.resolutionStatus,
-      "assignee"         -> outputCase.assignee,
-      "customFields"     -> outputCase.customFields,
-      "extraData"        -> outputCase.extraData
-    )
-  }
-
-  implicit val format: OFormat[OutputCase] = OFormat(reads, writes)
+  implicit val format: OFormat[OutputCase] = Jsonx.formatCaseClass[OutputCase]
 }
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/CaseTemplate.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/CaseTemplate.scala
index 06d942a849..f48af6b851 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/CaseTemplate.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/CaseTemplate.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.WithParser
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputCaseTemplate(
     name: String,
     displayName: Option[String],
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/CustomFieldValue.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/CustomFieldValue.scala
index 6e72438d06..df6ade452a 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/CustomFieldValue.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/CustomFieldValue.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import org.scalactic.Accumulation._
 import org.scalactic.{Bad, Good, One}
 import org.thp.scalligraph.InvalidFormatAttributeError
 import org.thp.scalligraph.controllers._
 import play.api.libs.json._
 
+import java.util.Date
+
 case class InputCustomField(name: String, description: String, `type`: String, mandatory: Option[Boolean])
 
 object InputCustomField {
@@ -55,21 +55,22 @@ object InputCustomFieldValue {
     case (_, FSeq(list)) =>
       list
         .validatedBy {
-        case cf: FObject =>
-          val order = FieldsParser.int(cf.get("order")).toOption
-          for {
-            name  <- FieldsParser.string(cf.get("name"))
-            value <- valueParser(cf.get("value"))
-          } yield InputCustomFieldValue(name, value, order)
-        case other =>
-          Bad(
-            One(
-              InvalidFormatAttributeError(s"customField", "CustomFieldValue", Set.empty, other)
+          case cf: FObject =>
+            val order = FieldsParser.int(cf.get("order")).toOption
+            for {
+              name  <- FieldsParser.string(cf.get("name"))
+              value <- valueParser(cf.get("value"))
+            } yield InputCustomFieldValue(name, value, order)
+          case other =>
+            Bad(
+              One(
+                InvalidFormatAttributeError(s"customField", "CustomFieldValue", Set.empty, other)
+              )
             )
-          )
-      }
+        }
     case _ => Good(Nil)
   }
+
   implicit val writes: Writes[Seq[InputCustomFieldValue]] = Writes[Seq[InputCustomFieldValue]] { icfv =>
     val fields = icfv.map {
       case InputCustomFieldValue(name, Some(s: String), _)  => name -> JsString(s)
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Dashboard.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Dashboard.scala
index 0ba3907e42..e0451a865e 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Dashboard.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Dashboard.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputDashboard(title: String, description: String, status: String, definition: String)
 
 object InputDashboard {
@@ -20,7 +20,8 @@ case class OutputDashboard(
     title: String,
     description: String,
     status: String,
-    definition: String
+    definition: String,
+    writable: Boolean
 )
 
 object OutputDashboard {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Log.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Log.scala
index 4e4ba55519..677d04dacb 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Log.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Log.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.FFile
 import play.api.libs.json.{JsObject, Json, OFormat}
 
+import java.util.Date
+
 case class InputLog(message: String, startDate: Option[Date] = None, attachment: Option[FFile] = None)
 
 case class OutputLog(
@@ -17,7 +17,6 @@ case class OutputLog(
     message: String,
     date: Date,
     attachment: Option[OutputAttachment] = None,
-    deleted: Boolean,
     owner: String,
     extraData: JsObject
 )
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Observable.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Observable.scala
index 3562dab2cd..01dac45433 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Observable.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Observable.scala
@@ -1,11 +1,12 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
 import org.scalactic.Accumulation._
 import org.scalactic.Good
 import org.thp.scalligraph.controllers._
 import play.api.libs.json.{JsObject, Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputObservable(
     dataType: String,
     @WithParser(InputObservable.dataParser)
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/ObservableType.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/ObservableType.scala
index 36940202fa..df11589467 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/ObservableType.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/ObservableType.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputObservableType(name: String, isAttachment: Option[Boolean])
 
 object InputObservableType {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Organistion.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Organisation.scala
similarity index 100%
rename from dto/src/main/scala/org/thp/thehive/dto/v1/Organistion.scala
rename to dto/src/main/scala/org/thp/thehive/dto/v1/Organisation.scala
index dc264d9dc1..f223bd0c51 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Organistion.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Organisation.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import play.api.libs.json.{Format, Json, Writes}
 
+import java.util.Date
+
 case class InputOrganisation(name: String, description: String)
 
 object InputOrganisation {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Pattern.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Pattern.scala
new file mode 100644
index 0000000000..9b31414625
--- /dev/null
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Pattern.scala
@@ -0,0 +1,144 @@
+package org.thp.thehive.dto.v1
+
+import ai.x.play.json.Encoders.encoder
+import ai.x.play.json.Jsonx
+import play.api.libs.json._
+
+import java.util.Date
+
+case class InputPattern(
+    external_id: String,
+    name: String,
+    description: Option[String],
+    kill_chain_phases: Seq[InputKillChainPhase],
+    url: String,
+    `type`: String,
+    capec_id: Option[String],
+    capec_url: Option[String],
+    revoked: Boolean,
+    x_mitre_data_sources: Seq[String],
+    x_mitre_defense_bypassed: Seq[String],
+    x_mitre_detection: Option[String],
+    x_mitre_is_subtechnique: Boolean,
+    x_mitre_permissions_required: Seq[String],
+    x_mitre_platforms: Seq[String],
+    x_mitre_remote_support: Boolean,
+    x_mitre_system_requirements: Seq[String],
+    x_mitre_version: Option[String]
+)
+
+case class InputReference(
+    source_name: String,
+    external_id: Option[String],
+    url: Option[String]
+)
+
+case class InputKillChainPhase(
+    kill_chain_name: String,
+    phase_name: String
+)
+
+object InputReference {
+  implicit val reads: Reads[InputReference] = Reads[InputReference] { json =>
+    for {
+      source_name <- (json \ "source_name").validate[String]
+      external_id <- (json \ "external_id").validateOpt[String]
+      url         <- (json \ "url").validateOpt[String]
+    } yield InputReference(
+      source_name,
+      external_id,
+      url
+    )
+  }
+
+  implicit val writes: Writes[InputReference] = Json.writes[InputReference]
+}
+
+object InputKillChainPhase {
+  implicit val reads: Reads[InputKillChainPhase] = Json.reads[InputKillChainPhase]
+
+  implicit val writes: Writes[InputKillChainPhase] = Json.writes[InputKillChainPhase]
+}
+
+object InputPattern {
+  implicit val reads: Reads[InputPattern] = Reads[InputPattern] { json =>
+    for {
+      optReferences <- (json \ "external_references").validateOpt[Seq[InputReference]]
+      references     = optReferences.getOrElse(Seq())
+      mitreReference = references.find(ref => isSourceNameMitre(ref.source_name))
+      capecReference = references.find(ref => isSourceNameCapec(ref.source_name))
+      name                         <- (json \ "name").validateOpt[String]
+      description                  <- (json \ "description").validateOpt[String]
+      kill_chain_phases            <- (json \ "kill_chain_phases").validateOpt[Seq[InputKillChainPhase]]
+      techniqueType                <- (json \ "type").validateOpt[String]
+      revoked                      <- (json \ "revoked").validateOpt[Boolean]
+      x_mitre_data_sources         <- (json \ "x_mitre_data_sources").validateOpt[Seq[String]]
+      x_mitre_defense_bypassed     <- (json \ "x_mitre_defense_bypassed").validateOpt[Seq[String]]
+      x_mitre_detection            <- (json \ "x_mitre_detection").validateOpt[String]
+      x_mitre_is_subtechnique      <- (json \ "x_mitre_is_subtechnique").validateOpt[Boolean]
+      x_mitre_permissions_required <- (json \ "x_mitre_permissions_required").validateOpt[Seq[String]]
+      x_mitre_platforms            <- (json \ "x_mitre_platforms").validateOpt[Seq[String]]
+      x_mitre_remote_support       <- (json \ "x_mitre_remote_support").validateOpt[Boolean]
+      x_mitre_system_requirements  <- (json \ "x_mitre_system_requirements").validateOpt[Seq[String]]
+      x_mitre_version              <- (json \ "x_mitre_version").validateOpt[String]
+    } yield InputPattern(
+      mitreReference.flatMap(_.external_id).getOrElse(""),
+      name.getOrElse(""),
+      description,
+      kill_chain_phases.getOrElse(Seq()),
+      mitreReference.flatMap(_.url).getOrElse(""),
+      techniqueType.getOrElse(""),
+      capecReference.flatMap(_.external_id),
+      capecReference.flatMap(_.url),
+      revoked.getOrElse(false),
+      x_mitre_data_sources.getOrElse(Seq()),
+      x_mitre_defense_bypassed.getOrElse(Seq()),
+      x_mitre_detection,
+      x_mitre_is_subtechnique.getOrElse(false),
+      x_mitre_permissions_required.getOrElse(Seq()),
+      x_mitre_platforms.getOrElse(Seq()),
+      x_mitre_remote_support.getOrElse(false),
+      x_mitre_system_requirements.getOrElse(Seq()),
+      x_mitre_version
+    )
+  }
+
+  private def isSourceNameMitre(reference: String): Boolean =
+    reference == "mitre-attack"
+
+  private def isSourceNameCapec(reference: String): Boolean =
+    reference == "capec"
+
+  implicit val writes: Writes[InputPattern] = Json.writes[InputPattern]
+}
+
+case class OutputPattern(
+    _id: String,
+    _type: String,
+    _createdBy: String,
+    _updatedBy: Option[String],
+    _createdAt: Date,
+    _updatedAt: Option[Date],
+    patternId: String,
+    name: String,
+    description: Option[String],
+    tactics: Set[String],
+    url: String,
+    patternType: String,
+    capecId: Option[String],
+    capecUrl: Option[String],
+    revoked: Boolean,
+    dataSources: Seq[String],
+    defenseBypassed: Seq[String],
+    detection: Option[String],
+    permissionsRequired: Seq[String],
+    platforms: Seq[String],
+    remoteSupport: Boolean,
+    systemRequirements: Seq[String],
+    version: Option[String],
+    extraData: JsObject
+)
+
+object OutputPattern {
+  implicit val format: OFormat[OutputPattern] = Jsonx.formatCaseClass[OutputPattern]
+}
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Procedure.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Procedure.scala
new file mode 100644
index 0000000000..474485b3fa
--- /dev/null
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Procedure.scala
@@ -0,0 +1,50 @@
+package org.thp.thehive.dto.v1
+
+import play.api.libs.json._
+
+import java.util.Date
+
+case class InputProcedure(
+    description: Option[String],
+    occurDate: Date,
+    tactic: String,
+    caseId: String,
+    patternId: String
+)
+
+object InputProcedure {
+  implicit val reads: Reads[InputProcedure] = Reads[InputProcedure] { json =>
+    for {
+      description <- (json \ "description").validateOpt[String]
+      occurDate   <- (json \ "occurDate").validate[Date]
+      tactic      <- (json \ "tactic").validate[String]
+      caseId      <- (json \ "caseId").validate[String]
+      patternId   <- (json \ "patternId").validate[String]
+    } yield InputProcedure(
+      description,
+      occurDate,
+      tactic,
+      caseId,
+      patternId
+    )
+  }
+
+  implicit val writes: Writes[InputProcedure] = Json.writes[InputProcedure]
+}
+
+case class OutputProcedure(
+    _id: String,
+    _createdAt: Date,
+    _createdBy: String,
+    _updatedAt: Option[Date],
+    _updatedBy: Option[String],
+    description: Option[String],
+    occurDate: Date,
+    patternId: String,
+    tactic: String,
+    extraData: JsObject
+)
+
+object OutputProcedure {
+  implicit val format: Format[OutputProcedure] = Json.format[OutputProcedure]
+}
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Profile.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Profile.scala
index 06709d6bf1..95dc218072 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Profile.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Profile.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import play.api.libs.json.{Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputProfile(name: String, permissions: Set[String])
 
 object InputProfile {
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Share.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Share.scala
new file mode 100644
index 0000000000..90dcfdfebc
--- /dev/null
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Share.scala
@@ -0,0 +1,48 @@
+package org.thp.thehive.dto.v1
+
+import org.thp.thehive.dto.v1.ObservablesFilter.ObservablesFilter
+import org.thp.thehive.dto.v1.TasksFilter.TasksFilter
+import play.api.libs.json.{Format, Json, Writes}
+
+import java.util.Date
+
+case class InputShare(organisationName: String, profile: String, tasks: TasksFilter, observables: ObservablesFilter)
+
+object TasksFilter extends Enumeration {
+  type TasksFilter = Value
+
+  val all: TasksFilter  = Value("all")
+  val none: TasksFilter = Value("none")
+
+  implicit val format: Format[TasksFilter] = Json.formatEnum(TasksFilter)
+}
+
+object ObservablesFilter extends Enumeration {
+  type ObservablesFilter = Value
+
+  val all: ObservablesFilter  = Value("all")
+  val none: ObservablesFilter = Value("none")
+
+  implicit val format: Format[ObservablesFilter] = Json.formatEnum(ObservablesFilter)
+}
+
+object InputShare {
+  implicit val writes: Writes[InputShare] = Json.writes[InputShare]
+}
+
+case class OutputShare(
+    _id: String,
+    _type: String,
+    _createdBy: String,
+    _updatedBy: Option[String] = None,
+    _createdAt: Date,
+    _updatedAt: Option[Date] = None,
+    caseId: String,
+    profileName: String,
+    organisationName: String,
+    owner: Boolean
+)
+
+object OutputShare {
+  implicit val format: Format[OutputShare] = Json.format[OutputShare]
+}
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Tag.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Tag.scala
new file mode 100644
index 0000000000..a32227a520
--- /dev/null
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Tag.scala
@@ -0,0 +1,24 @@
+package org.thp.thehive.dto.v1
+
+import play.api.libs.json.{JsObject, Json, OFormat}
+
+import java.util.Date
+
+case class OutputTag(
+    _id: String,
+    _type: String,
+    _createdBy: String,
+    _updatedBy: Option[String] = None,
+    _createdAt: Date,
+    _updatedAt: Option[Date] = None,
+    namespace: String,
+    predicate: String,
+    value: Option[String],
+    description: Option[String],
+    colour: String,
+    extraData: JsObject
+)
+
+object OutputTag {
+  implicit val format: OFormat[OutputTag] = Json.format[OutputTag]
+}
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Task.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Task.scala
index 04b9ce5192..4b2670adea 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/Task.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Task.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import play.api.libs.json.{JsObject, Json, OFormat, OWrites}
 
+import java.util.Date
+
 case class InputTask(
     title: String,
     group: Option[String] = None,
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/Taxonomy.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/Taxonomy.scala
new file mode 100644
index 0000000000..49054ce5bd
--- /dev/null
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/Taxonomy.scala
@@ -0,0 +1,75 @@
+package org.thp.thehive.dto.v1
+
+import play.api.libs.json.Json.WithDefaultValues
+import play.api.libs.json.{JsObject, Json, OFormat}
+
+import java.util.Date
+
+/*
+Format based on :
+https://tools.ietf.org/id/draft-dulaunoy-misp-taxonomy-format-04.html
+ */
+
+case class InputTaxonomy(
+    namespace: String,
+    description: String,
+    version: Int,
+    exclusive: Option[Boolean],
+    predicates: Seq[InputPredicate],
+    values: Seq[InputValue] = Nil
+)
+
+case class InputPredicate(
+    value: String,
+    expanded: Option[String],
+    exclusive: Option[Boolean],
+    description: Option[String],
+    colour: Option[String]
+)
+
+case class InputValue(
+    predicate: String,
+    entry: Seq[InputEntry]
+)
+
+case class InputEntry(
+    value: String,
+    expanded: Option[String],
+    colour: Option[String],
+    description: Option[String],
+    numerical_value: Option[Int]
+)
+
+object InputTaxonomy {
+  implicit val format: OFormat[InputTaxonomy] = Json.configured[WithDefaultValues].format[InputTaxonomy]
+}
+
+object InputPredicate {
+  implicit val format: OFormat[InputPredicate] = Json.format[InputPredicate]
+}
+
+object InputValue {
+  implicit val format: OFormat[InputValue] = Json.format[InputValue]
+}
+
+object InputEntry {
+  implicit val format: OFormat[InputEntry] = Json.format[InputEntry]
+}
+
+case class OutputTaxonomy(
+    _id: String,
+    _type: String,
+    _createdBy: String,
+    _updatedBy: Option[String] = None,
+    _createdAt: Date,
+    _updatedAt: Option[Date] = None,
+    namespace: String,
+    description: String,
+    version: Int,
+    tags: Seq[OutputTag],
+    extraData: JsObject
+)
+
+object OutputTaxonomy {
+  implicit val format: OFormat[OutputTaxonomy] = Json.format[OutputTaxonomy]
+}
diff --git a/dto/src/main/scala/org/thp/thehive/dto/v1/User.scala b/dto/src/main/scala/org/thp/thehive/dto/v1/User.scala
index dba6f4304b..1dc2313358 100644
--- a/dto/src/main/scala/org/thp/thehive/dto/v1/User.scala
+++ b/dto/src/main/scala/org/thp/thehive/dto/v1/User.scala
@@ -1,17 +1,17 @@
 package org.thp.thehive.dto.v1
 
-import java.util.Date
-
 import org.thp.scalligraph.controllers.FFile
 import play.api.libs.json.{Json, OFormat, Writes}
 
+import java.util.Date
+
 case class InputUser(login: String, name: String, password: Option[String], profile: String, organisation: Option[String], avatar: Option[FFile])
 
 object InputUser {
   implicit val writes: Writes[InputUser] = Json.writes[InputUser]
 }
 
-case class OutputOrganisationProfile(organisation: String, profile: String)
+case class OutputOrganisationProfile(organisationId: String, organisation: String, profile: String)
 object OutputOrganisationProfile {
   implicit val format: OFormat[OutputOrganisationProfile] = Json.format[OutputOrganisationProfile]
 }
diff --git a/frontend/app/index.html b/frontend/app/index.html
index 4bc5afcf49..35e7900ca0 100644
--- a/frontend/app/index.html
+++ b/frontend/app/index.html
@@ -50,9 +50,11 @@
     <link rel="stylesheet" href="styles/dashboard.css"/>
     <link rel="stylesheet" href="styles/case-item.css"/>
     <link rel="stylesheet" href="styles/case-template.css"/>
+    <link rel="stylesheet" href="styles/procedure.css"/>
     <link rel="stylesheet" href="styles/custom-fields.css"/>
     <link rel="stylesheet" href="styles/directives/page-sizer.css"/>
     <link rel="stylesheet" href="styles/directives/user.css"/>
+    <link rel="stylesheet" href="styles/components/tag.css"/>
     <!-- endbuild -->
 
     <style>
@@ -139,12 +141,16 @@
     <script src="scripts/components/common/custom-field-input.component.js"></script>
     <script src="scripts/components/common/custom-field-labels.component.js"></script>
     <script src="scripts/components/common/observable-flags.component.js"></script>
+    <script src="scripts/components/common/tag.component.js"></script>
+    <script src="scripts/components/common/task-flags.component.js"></script>
     <script src="scripts/components/control-sidebar.component.js"></script>
     <script src="scripts/components/header.component.js"></script>
     <script src="scripts/components/list/stats-item.component.js"></script>
     <script src="scripts/components/main-sidebar.component.js"></script>
     <script src="scripts/components/organisation/OrgCaseTemplateListCmp.js"></script>
+    <script src="scripts/components/organisation/OrgCaseTemplateModalCtrl.js"></script>
     <script src="scripts/components/organisation/OrgConfigListCmp.js"></script>
+    <script src="scripts/components/organisation/OrgCustomTagsListCmp.js"></script>
     <script src="scripts/components/organisation/OrgSwitchCtrl.js"></script>
     <script src="scripts/components/organisation/OrgUserListCmp.js"></script>
     <script src="scripts/components/search/filters-preview.component.js"></script>
@@ -157,6 +163,7 @@
     <script src="scripts/controllers/admin/AdminCustomFieldsCtrl.js"></script>
     <script src="scripts/controllers/admin/AdminObservablesCtrl.js"></script>
     <script src="scripts/controllers/admin/AdminUiSettingsCtrl.js"></script>
+    <script src="scripts/controllers/admin/attack/AttackPatternListCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/case-template/AdminCaseTemplateImportCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/case-template/AdminCaseTemplateTasksCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/OrgDetailsCtrl.js"></script>
@@ -165,8 +172,10 @@
     <script src="scripts/controllers/admin/organisation/OrgModalCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/OrgUserModalCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/OrgUsersCtrl.js"></script>
+    <script src="scripts/controllers/admin/platform/PlatformStatusCtrl.js"></script>
     <script src="scripts/controllers/admin/profile/ProfileListCtrl.js"></script>
     <script src="scripts/controllers/admin/profile/ProfileModalCtrl.js"></script>
+    <script src="scripts/controllers/admin/taxonomy/TaxonomyListCtrl.js"></script>
     <script src="scripts/controllers/alert/AlertEventCtrl.js"></script>
     <script src="scripts/controllers/alert/AlertListCtrl.js"></script>
     <script src="scripts/controllers/alert/AlertStatsCtrl.js"></script>
@@ -184,6 +193,7 @@
     <script src="scripts/controllers/case/CaseObservablesCtrl.js"></script>
     <script src="scripts/controllers/case/CaseObservablesExportCtrl.js"></script>
     <script src="scripts/controllers/case/CaseObservablesItemCtrl.js"></script>
+    <script src="scripts/controllers/case/CaseProceduresCtrl.js"></script>
     <script src="scripts/controllers/case/CaseReopenModalCtrl.js"></script>
     <script src="scripts/controllers/case/CaseSharingCtrl.js"></script>
     <script src="scripts/controllers/case/CaseStatsCtrl.js"></script>
@@ -195,6 +205,7 @@
     <script src="scripts/controllers/case/ObservableCreationCtrl.js"></script>
     <script src="scripts/controllers/case/ObservablesStatsCtrl.js"></script>
     <script src="scripts/controllers/case/ObservableUpdateCtrl.js"></script>
+    <script src="scripts/controllers/case/procedure/AddProcedureModalCtrl.js"></script>
     <script src="scripts/controllers/case/share/CaseShareModalCtrl.js"></script>
     <script src="scripts/controllers/case/tasklogs/AddTaskLogModalCtrl.js"></script>
     <script src="scripts/controllers/cortex/CortexInstanceDialogCtrl.js"></script>
@@ -206,6 +217,7 @@
     <script src="scripts/controllers/MigrationCtrl.js"></script>
     <script src="scripts/controllers/misc/ResponderSelectorCtrl.js"></script>
     <script src="scripts/controllers/misc/ServerInstanceDialogCtrl.js"></script>
+    <script src="scripts/controllers/misc/TaxonomySelectionModalCtrl.js"></script>
     <script src="scripts/controllers/RootCtrl.js"></script>
     <script src="scripts/controllers/SearchCtrl.js"></script>
     <script src="scripts/controllers/SettingsCtrl.js"></script>
@@ -243,15 +255,20 @@
     <script src="scripts/directives/responder-actions.js"></script>
     <script src="scripts/directives/search/search-item.js"></script>
     <script src="scripts/directives/severity.js"></script>
+    <script src="scripts/directives/tag-colour.js"></script>
+    <script src="scripts/directives/tag-item.js"></script>
     <script src="scripts/directives/tag-list.js"></script>
     <script src="scripts/directives/task-progress.js"></script>
     <script src="scripts/directives/tlp.js"></script>
     <script src="scripts/directives/updatable.js"></script>
     <script src="scripts/directives/updatableBoolean.js"></script>
+    <script src="scripts/directives/updatableColour.js"></script>
     <script src="scripts/directives/updatableDataDropdown.js"></script>
     <script src="scripts/directives/updatableDate.js"></script>
     <script src="scripts/directives/updatableSelect.js"></script>
     <script src="scripts/directives/updatableSimpleText.js"></script>
+    <script src="scripts/directives/updatableTag.js"></script>
+    <script src="scripts/directives/updatableTagList.js"></script>
     <script src="scripts/directives/updatableTags.js"></script>
     <script src="scripts/directives/updatableText.js"></script>
     <script src="scripts/directives/updatableUser.js"></script>
@@ -274,11 +291,13 @@
     <script src="scripts/filters/sha256.js"></script>
     <script src="scripts/filters/shortDate.js"></script>
     <script src="scripts/filters/showDate.js"></script>
+    <script src="scripts/filters/tag-value.js"></script>
     <script src="scripts/filters/urlencode.js"></script>
     <script src="scripts/services/AnalyzerInfoSrv.js"></script>
     <script src="scripts/services/api/AlertingSrv.js"></script>
     <script src="scripts/services/api/AnalyzerSrv.js"></script>
     <script src="scripts/services/api/AnalyzerTemplateSrv.js"></script>
+    <script src="scripts/services/api/AttackPatternSrv.js"></script>
     <script src="scripts/services/api/AuditSrv.js"></script>
     <script src="scripts/services/api/AuthenticationSrv.js"></script>
     <script src="scripts/services/api/CaseSrv.js"></script>
@@ -292,9 +311,13 @@
     <script src="scripts/services/api/MispSrv.js"></script>
     <script src="scripts/services/api/ObservableTypeSrv.js"></script>
     <script src="scripts/services/api/OrganisationSrv.js"></script>
+    <script src="scripts/services/api/PlatformSrv.js"></script>
+    <script src="scripts/services/api/ProcedureSrv.js"></script>
     <script src="scripts/services/api/ProfileSrv.js"></script>
     <script src="scripts/services/api/TagSrv.js"></script>
     <script src="scripts/services/api/TaskLogSrv.js"></script>
+    <script src="scripts/services/api/TaxonomyCacheSrv.js"></script>
+    <script src="scripts/services/api/TaxonomySrv.js"></script>
     <script src="scripts/services/api/UiSettingsSrv.js"></script>
     <script src="scripts/services/api/UserSrv.js"></script>
     <script src="scripts/services/api/VersionSrv.js"></script>
diff --git a/frontend/app/scripts/app.js b/frontend/app/scripts/app.js
index 800a72397d..0f6ebe764c 100644
--- a/frontend/app/scripts/app.js
+++ b/frontend/app/scripts/app.js
@@ -116,6 +116,9 @@ angular.module('thehive', [
                     },
                     uiConfig: function($q, UiSettingsSrv) {
                         return UiSettingsSrv.all();
+                    },
+                    taxonomyCache: function(TaxonomyCacheSrv) {
+                        return TaxonomyCacheSrv.all();
                     }
                 }
             })
@@ -202,6 +205,21 @@ angular.module('thehive', [
                 url: 'administration',
                 template: '<ui-view/>'
             })
+            .state('app.administration.platform', {
+                url: '/platform',
+                templateUrl: 'views/partials/admin/platform/status.html',
+                controller: 'PlatformStatusCtrl',
+                controllerAs: '$vm',
+                title: 'Platform administration',
+                resolve: {
+                    appConfig: function(VersionSrv) {
+                        return VersionSrv.get();
+                    }
+                },
+                guard: {
+                    permissions: ['managePlatform']
+                }
+            })
             .state('app.administration.profiles', {
                 url: '/profiles',
                 templateUrl: 'views/partials/admin/profile/list.html',
@@ -217,6 +235,36 @@ angular.module('thehive', [
                     permissions: ['manageProfile']
                 }
             })
+            .state('app.administration.taxonomies', {
+                url: '/taxonomies',
+                templateUrl: 'views/partials/admin/taxonomy/list.html',
+                controller: 'TaxonomyListCtrl',
+                controllerAs: '$vm',
+                title: 'Taxonomies administration',
+                resolve: {
+                    appConfig: function(VersionSrv) {
+                        return VersionSrv.get();
+                    }
+                },
+                guard: {
+                    permissions: ['manageTaxonomy']
+                }
+            })
+            .state('app.administration.attackPatterns', {
+                url: '/attack-patterns',
+                templateUrl: 'views/partials/admin/attack/list.html',
+                controller: 'AttackPatternListCtrl',
+                controllerAs: '$vm',
+                title: 'ATT&CK patterns administration',
+                resolve: {
+                    appConfig: function(VersionSrv) {
+                        return VersionSrv.get();
+                    }
+                }
+                // guard: {
+                //     permissions: ['manageTaxonomy']
+                // }
+            })
             .state('app.administration.organisations', {
                 url: '/organisations',
                 templateUrl: 'views/partials/admin/organisation/list.html',
@@ -241,9 +289,6 @@ angular.module('thehive', [
                     organisation: function($stateParams, OrganisationSrv) {
                         return OrganisationSrv.get($stateParams.organisation);
                     },
-                    templates: function($stateParams, OrganisationSrv) {
-                        return OrganisationSrv.caseTemplates($stateParams.organisation);
-                    },
                     fields: function(CustomFieldsSrv){
                         return CustomFieldsSrv.all();
                     },
@@ -480,6 +525,18 @@ angular.module('thehive', [
                     isSuperAdmin: false
                 }
             })
+            .state('app.case.procedures', {
+                url: '/procedures',
+                templateUrl: 'views/partials/case/case.procedures.html',
+                controller: 'CaseProceduresCtrl',
+                controllerAs: '$vm',
+                data: {
+                    tab: 'procedures'
+                },
+                guard: {
+                    isSuperAdmin: false
+                }
+            })
             .state('app.alert-list', {
                 url: 'alert/list',
                 templateUrl: 'views/partials/alert/list.html',
diff --git a/frontend/app/scripts/components/alert/AlertObservableListCmp.js b/frontend/app/scripts/components/alert/AlertObservableListCmp.js
index 8344ca5c71..1e7b032827 100644
--- a/frontend/app/scripts/components/alert/AlertObservableListCmp.js
+++ b/frontend/app/scripts/components/alert/AlertObservableListCmp.js
@@ -7,7 +7,7 @@
                 var self = this;
 
                 self.$onInit = function() {
-                    this.filtering = new FilteringSrv('case_artifact', 'alert.dialog.observables', {
+                    this.filtering = new FilteringSrv('observable', 'alert.dialog.observables', {
                         version: 'v1',
                         defaults: {
                             showFilters: false,
diff --git a/frontend/app/scripts/components/common/custom-field-input.component.js b/frontend/app/scripts/components/common/custom-field-input.component.js
index 80a53c0070..98353a5fd9 100644
--- a/frontend/app/scripts/components/common/custom-field-input.component.js
+++ b/frontend/app/scripts/components/common/custom-field-input.component.js
@@ -10,6 +10,11 @@
                         value: newValue
                     });
                 };
+                this.removeCustomField = function(id) {
+                    this.onRemove({
+                        fieldId: id
+                    })
+                }
             },
             controllerAs: '$ctrl',
             templateUrl: 'views/components/common/custom-field-input.component.html',
@@ -17,8 +22,11 @@
                 index: '<',
                 field: '<',
                 value: '=',
+                id: '<',
                 onUpdate: '&',
-                editable: '<'
+                onRemove: '&',
+                editable: '<',
+                removable: '<'
             }
         });
 })();
diff --git a/frontend/app/scripts/components/common/tag.component.js b/frontend/app/scripts/components/common/tag.component.js
new file mode 100644
index 0000000000..7a9317ab33
--- /dev/null
+++ b/frontend/app/scripts/components/common/tag.component.js
@@ -0,0 +1,32 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveComponents')
+        .component('tag', {
+            controller: function() {
+                this.$onInit = function() {
+                    if(!this.value) {
+                        return;
+                    }                    
+                    if(_.isString(this.value)) {
+                        this.tag = this.value;
+                        this.bgColor = '#3c8dbc';
+                    } else {
+                        this.tag = _.without([
+                            this.value.namespace,
+                            ':',
+                            this.value.predicate,
+                            this.value.value ? ("=\"" + this.value.value + "\"") : null
+                        ], null).join('');
+                        this.bgColor = this.value.colour || '#3c8dbc';
+                    }
+                };
+            },
+            controllerAs: '$ctrl',
+            replace: true,
+            templateUrl: 'views/components/common/tag.component.html',
+            bindings: {
+                value: '<'
+            }
+        });
+})();
diff --git a/frontend/app/scripts/components/common/task-flags.component.js b/frontend/app/scripts/components/common/task-flags.component.js
new file mode 100644
index 0000000000..f075df2575
--- /dev/null
+++ b/frontend/app/scripts/components/common/task-flags.component.js
@@ -0,0 +1,22 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveComponents')
+        .component('taskFlags', {
+            controller: function() {
+                this.filterBy = function(fieldName, newValue) {
+                    this.onFilter({
+                        fieldName: fieldName,
+                        value: newValue
+                    });
+                };
+            },
+            controllerAs: '$ctrl',
+            templateUrl: 'views/components/common/task-flags.component.html',
+            bindings: {
+                task: '<',
+                inline: '<',
+                onFilter: '&'
+            }
+        });
+})();
diff --git a/frontend/app/scripts/components/organisation/OrgCaseTemplateListCmp.js b/frontend/app/scripts/components/organisation/OrgCaseTemplateListCmp.js
index 2eca269f62..d0cc9b90be 100644
--- a/frontend/app/scripts/components/organisation/OrgCaseTemplateListCmp.js
+++ b/frontend/app/scripts/components/organisation/OrgCaseTemplateListCmp.js
@@ -3,7 +3,7 @@
 
     angular.module('theHiveComponents')
         .component('orgCaseTemplateList', {
-            controller: function($uibModal, $scope, CaseTemplateSrv, TagSrv, UserSrv, AuthenticationSrv, NotificationSrv, UtilsSrv, ModalUtilsSrv) {
+            controller: function($uibModal, $scope, $q, CaseTemplateSrv, PaginatedQuerySrv, FilteringSrv, UserSrv, NotificationSrv, ModalUtilsSrv) {
                 var self = this;
 
                 self.task = '';
@@ -11,118 +11,116 @@
                 self.templateCustomFields = [];
                 self.templateIndex = -1;
                 self.getUserInfo = UserSrv.getCache;
-                self.currentUser = AuthenticationSrv.currentUser;
-
-                /**
-                 * Convert the template custom fields definition to a list of ordered field names
-                 * to be used for drag&drop sorting feature
-                 */
-                var getTemplateCustomFields = function(customFields) {
-                    var result = [];
-
-                    result = _.sortBy(
-                        _.map(customFields, function(definition, name) {
-                            var fieldDef = self.fields[name];
-                            var type = fieldDef ? fieldDef.type : null;
-
-                            // The field doesn't exist, trying to find the field type from it's template value
-                            if (type === null) {
-                                var keys = _.without(_.keys(definition), 'order');
-                                if (keys.length > 0) {
-                                    type = keys[0];
-                                }
-                            }
 
-                            return {
-                                name: name,
-                                order: definition.order,
-                                value: fieldDef ? definition[type] : null,
-                                type: type
-                            };
-                        }),
-                        'order'
-                    );
 
-                    return result;
-                };
+                this.$onInit = function() {
+                    self.filtering = new FilteringSrv('caseTemplate', 'caseTemplate.list', {
+                        version: 'v1',
+                        defaults: {
+                            showFilters: true,
+                            showStats: false,
+                            pageSize: 15,
+                            sort: ['+displayName']
+                        },
+                        defaultFilter: []
+                    });
 
-                self.dateOptions = {
-                    closeOnDateSelection: true,
-                    formatYear: 'yyyy',
-                    startingDay: 1
+                    self.filtering.initContext(self.organisation.name)
+                        .then(function() {
+                            self.load();
+
+                            $scope.$watch('$vm.list.pageSize', function (newValue) {
+                                self.filtering.setPageSize(newValue);
+                            });
+                        });
                 };
 
-                self.sortableOptions = {
-                    handle: '.drag-handle',
-                    stop: function( /*e, ui*/ ) {
-                        self.reorderTasks();
-                    },
-                    axis: 'y'
+                this.load = function() {
+
+                    self.list = new PaginatedQuerySrv({
+                        name: 'organisation-case-templates',
+                        version: 'v1',
+                        skipStream: true,
+                        sort: self.filtering.context.sort,
+                        loadAll: false,
+                        pageSize: self.filtering.context.pageSize,
+                        filter: this.filtering.buildQuery(),
+                        operations: [{
+                                '_name': 'getOrganisation',
+                                'idOrName': self.organisation.name
+                            },
+                            {
+                                '_name': 'caseTemplates'
+                            }
+                        ],
+                        onFailure: function(err) {
+                            if(err && err.status === 400) {
+                                self.filtering.resetContext();
+                                self.load();
+                            }
+                        }
+                    });
                 };
 
-                self.sortableFields = {
-                    handle: '.drag-handle',
-                    axis: 'y'
+                // Filtering
+                this.toggleFilters = function () {
+                    this.filtering.toggleFilters();
                 };
 
-                self.keys = function(obj) {
-                    if (!obj) {
-                        return [];
-                    }
-                    return _.keys(obj);
+                this.filter = function () {
+                    self.filtering.filter().then(this.applyFilters);
                 };
 
-                self.getList = function(id) {
-                    CaseTemplateSrv.list().then(function(templates) {
-                        self.templates = templates;
-
-                        if (templates.length === 0) {
-                            self.templateIndex = 0;
-                            self.newTemplate();
-                        } else if (id) {
-                            self.loadTemplateById(id);
-                        } else {
-                            self.loadTemplateById(templates[0].id, 0);
-                        }
-                    });
+                this.clearFilters = function () {
+                    this.filtering.clearFilters()
+                        .then(self.search);
                 };
 
-                self.loadTemplate = function(template, index) {
-                    if (!template) {
-                        return;
-                    }
+                this.removeFilter = function (index) {
+                    self.filtering.removeFilter(index)
+                        .then(self.search);
+                };
 
-                    var filteredKeys = _.filter(_.keys(template), function(k) {
-                        return k.startsWith('_');
-                    }).concat(['createdAt', 'updatedAt', 'createdBy', 'updatedBy']);
+                this.search = function () {
+                    self.load();
+                    self.filtering.storeContext();
+                };
+                this.addFilterValue = function (field, value) {
+                    this.filtering.addFilterValue(field, value);
+                    this.search();
+                };
 
-                    self.template = _.defaults(_.omit(template, filteredKeys), {
-                        pap: 2,
-                        tlp: 2
-                    });
-                    self.template.tasks = _.sortBy(self.template.tasks, 'order');
-                    self.tags = UtilsSrv.objectify(self.template.tags, 'text');
-                    self.templateCustomFields = getTemplateCustomFields(template.customFields);
+                this.filterBy = function(field, value) {
+                    self.filtering.clearFilters()
+                        .then(function(){
+                            self.addFilterValue(field, value);
+                        });
+                };
 
-                    self.templateIndex = index || _.indexOf(self.templates, _.findWhere(self.templates, {
-                        id: template.id
-                    }));
+                this.sortBy = function(sort) {
+                    self.list.sort = sort;
+                    self.list.update();
+                    self.filtering.setSort(sort);
                 };
 
-                self.$onInit = function() {
-                    if (self.templates && !_.isEmpty(self.templates)) {
-                        self.loadTemplate(self.templates[0]);
+                this.sortByField = function(field) {
+                    var context = this.filtering.context;
+                    var currentSort = Array.isArray(context.sort) ? context.sort[0] : context.sort;
+                    var sort = null;
+
+                    if(currentSort.substr(1) !== field) {
+                        sort = ['+' + field];
+                    } else {
+                        sort = [(currentSort === '+' + field) ? '-'+field : '+'+field];
                     }
-                };
 
-                self.loadTemplateById = function(id) {
-                    CaseTemplateSrv.get(id).then(function(template) {
-                        self.loadTemplate(template);
-                    });
+                    self.list.sort = sort;
+                    self.list.update();
+                    self.filtering.setSort(sort);
                 };
 
-                self.newTemplate = function() {
-                    self.template = {
+                this.newTemplate = function() {
+                    self.showTemplate({
                         name: '',
                         titlePrefix: '',
                         severity: 2,
@@ -132,143 +130,49 @@
                         tasks: [],
                         customFields: {},
                         description: ''
-                    };
-                    self.tags = [];
-                    self.templateIndex = -1;
-                    self.templateCustomFields = [];
-                };
-
-                self.reorderTasks = function() {
-                    _.each(self.template.tasks, function(task, index) {
-                        task.order = index;
                     });
                 };
 
-                self.removeTask = function(task) {
-                    self.template.tasks = _.without(self.template.tasks, task);
-                    self.reorderTasks();
-                };
-
-                self.addTask = function() {
-                    var order = self.template.tasks ? self.template.tasks.length : 0;
-
-                    self.openTaskDialog({
-                        order: order
-                    }, 'Add');
-                };
-
-                self.editTask = function(task) {
-                    self.openTaskDialog(task, 'Update');
-                };
-
-                self.openTaskDialog = function(task, action) {
-                    var modal = $uibModal.open({
-                        scope: $scope,
-                        templateUrl: 'views/components/org/case-template/case-templates.task.html',
-                        controller: 'AdminCaseTemplateTasksCtrl',
-                        size: 'lg',
-                        resolve: {
-                            action: function() {
-                                return action;
-                            },
-                            task: function() {
-                                return _.extend({}, task);
-                            },
-                            users: function() {
-                                return UserSrv.list(
-                                    self.currentUser.organisation,
-                                    {
-                                        filter: {
-                                            _is: {
-                                                _field: 'locked',
-                                                _value: false
-                                            }
-                                        },
-                                        sort: ['+name']
+                this.showTemplate = function(template) {
+
+                    var promise = template._id ? CaseTemplateSrv.get(template._id) : $q.resolve(template);
+
+                    promise
+                        .then(function(response) {
+                            var modalInstance = $uibModal.open({
+                                animation: true,
+                                keyboard: false,
+                                backdrop: 'static',
+                                templateUrl: 'views/components/org/case-template/details.modal.html',
+                                controller: 'OrgCaseTemplateModalCtrl',
+                                controllerAs: '$vm',
+                                size: 'max',
+                                resolve: {
+                                    template: function() {
+                                        return response;
+                                    },
+                                    fields: function() {
+                                        return self.fields;
                                     }
-                                );
-                            },
-                            groups: function() {
-                                var existingGroups = _.uniq(_.pluck(self.template.tasks, 'group').sort());
-
-                                return existingGroups.length === 0 ? ['default'] : existingGroups;
-                            }
-                        }
-                    });
-
-                    modal.result.then(function(data) {
-                        if (action === 'Add') {
-                            if (self.template.tasks) {
-                                self.template.tasks.push(data);
-                            } else {
-                                self.template.tasks = [data];
-                            }
-                        } else {
-                            self.template.tasks[data.order] = data;
-                        }
-                    });
-                };
-
-                self.addCustomFieldRow = function() {
-                    self.templateCustomFields.push({
-                        name: null,
-                        order: self.templateCustomFields.length + 1,
-                        value: null
-                    });
-                };
-
-                self.removeCustomField = function(field) {
-                    self.templateCustomFields = _.without(self.templateCustomFields, field);
-                };
-
-                self.updateCustomField = function(field, value) {
-                    field.value = value;
-                };
+                                }
+                            });
 
-                self.deleteTemplate = function() {
-                    ModalUtilsSrv.confirm('Remove case template', 'Are you sure you want to delete this case template?', {
-                            okText: 'Yes, remove it',
-                            flavor: 'danger'
+                            return modalInstance.result;
                         })
                         .then(function() {
-                            return CaseTemplateSrv.delete(self.template.id);
+                            self.load();
                         })
-                        .then(function() {
-                            self.getList();
-
-                            $scope.$emit('templates:refresh');
-                        });
-                };
-
-                self.saveTemplate = function() {
-                    // Set tags
-                    self.template.tags = _.pluck(self.tags, 'text');
-
-                    // Set custom fields
-                    self.template.customFields = {};
-                    _.each(self.templateCustomFields, function(cf, index) {
-                        var fieldDef = self.fields[cf.name];
-                        var value = null;
-                        if (fieldDef) {
-                            value = fieldDef.type === 'date' && cf.value ? moment(cf.value).valueOf() : cf.value;
-                        }
-
-                        self.template.customFields[cf.name] = {};
-                        self.template.customFields[cf.name][fieldDef ? fieldDef.type : cf.type] = value;
-                        self.template.customFields[cf.name].order = index + 1;
-                    });
-
-                    if (_.isEmpty(self.template.id)) {
-                        self.createTemplate(self.template);
-                    } else {
-                        self.updateTemplate(self.template);
-                    }
-                };
+                        .catch(function(err) {
+                            if(err && !_.isString(err)) {
+                                NotificationSrv.error('Case Template Admin', err.data, err.status);
+                            }
+                        })
+                }
 
                 self.createTemplate = function(template) {
                     return CaseTemplateSrv.create(template).then(
-                        function(response) {
-                            self.getList(response.data.id);
+                        function(/*response*/) {
+                            self.load();
 
                             $scope.$emit('templates:refresh');
 
@@ -280,34 +184,6 @@
                     );
                 };
 
-                self.updateTemplate = function(template) {
-                    return CaseTemplateSrv.update(template.id, _.omit(template, 'id', 'user')).then(
-                        function( /*response*/ ) {
-                            self.getList(template.id);
-
-                            $scope.$emit('templates:refresh');
-
-                            NotificationSrv.log('The template [' + template.name + '] has been successfully updated', 'success');
-                        },
-                        function(response) {
-                            NotificationSrv.error('TemplateCtrl', response.data, response.status);
-                        }
-                    );
-                };
-
-                self.exportTemplate = function() {
-                    var fileName = 'Case-Template__' + self.template.name.replace(/\s/gi, '_') + '.json';
-
-                    // Create a blob of the data
-                    var fileToSave = new Blob([angular.toJson(_.omit(self.template, 'id'))], {
-                        type: 'application/json',
-                        name: fileName
-                    });
-
-                    // Save the file
-                    saveAs(fileToSave, fileName);
-                };
-
                 self.importTemplate = function() {
                     var modalInstance = $uibModal.open({
                         animation: true,
@@ -328,13 +204,42 @@
                         });
                 };
 
-                self.getTags = function(query) {
-                    return TagSrv.fromCases(query);
+                self.deleteTemplate = function (template) {
+                    ModalUtilsSrv.confirm('Remove case template', 'Are you sure you want to delete this case template?', {
+                        okText: 'Yes, remove it',
+                        flavor: 'danger'
+                    })
+                        .then(function () {
+                            return CaseTemplateSrv.delete(template._id);
+                        })
+                        .then(function () {
+                            self.load();
+
+                            $scope.$emit('templates:refresh');
+                        });
+                };
+
+                self.exportTemplate = function (template) {
+                    CaseTemplateSrv.get(template._id)
+                        .then(function(response) {
+                            var fileName = 'Case-Template__' + response.name.replace(/\s/gi, '_') + '.json';
+
+                            // Create a blob of the data
+                            var fileToSave = new Blob([angular.toJson(_.omit(response, 'id'))], {
+                                type: 'application/json',
+                                name: fileName
+                            });
+
+                            // Save the file
+                            saveAs(fileToSave, fileName);
+                        })
+
                 };
             },
             controllerAs: '$vm',
             templateUrl: 'views/components/org/case-template/case-templates.html',
             bindings: {
+                organisation: '<',
                 templates: '=',
                 fields: '<',
                 onReload: '&',
diff --git a/frontend/app/scripts/components/organisation/OrgCaseTemplateModalCtrl.js b/frontend/app/scripts/components/organisation/OrgCaseTemplateModalCtrl.js
new file mode 100644
index 0000000000..6f3cc4bf4d
--- /dev/null
+++ b/frontend/app/scripts/components/organisation/OrgCaseTemplateModalCtrl.js
@@ -0,0 +1,241 @@
+(function () {
+    'use strict';
+
+    angular.module('theHiveControllers')
+        .controller('OrgCaseTemplateModalCtrl', function ($scope, $uibModalInstance, $uibModal, CaseTemplateSrv, AuthenticationSrv, TaxonomyCacheSrv, TagSrv, UserSrv, NotificationSrv, UtilsSrv, template, fields) {
+            var self = this;
+
+            this.template = template;
+            this.fields = fields;
+            self.task = '';
+            self.tags = [];
+            self.templateCustomFields = [];
+            self.templateIndex = -1;
+            self.currentUser = AuthenticationSrv.currentUser;
+
+            /**
+             * Convert the template custom fields definition to a list of ordered field names
+             * to be used for drag&drop sorting feature
+             */
+            var getTemplateCustomFields = function (customFields) {
+                var result = [];
+
+                result = _.sortBy(
+                    _.map(customFields, function (definition, name) {
+                        var fieldDef = self.fields[name];
+                        var type = fieldDef ? fieldDef.type : null;
+
+                        // The field doesn't exist, trying to find the field type from it's template value
+                        if (type === null) {
+                            var keys = _.without(_.keys(definition), 'order');
+                            if (keys.length > 0) {
+                                type = keys[0];
+                            }
+                        }
+
+                        return {
+                            name: name,
+                            order: definition.order,
+                            value: fieldDef ? definition[type] : null,
+                            type: type
+                        };
+                    }),
+                    'order'
+                );
+
+                return result;
+            };
+
+            this.$onInit = function () {
+                if (self.template._id) {
+                    self.action = 'Edit';
+                } else {
+                    self.action = 'Add';
+                }
+
+                self.tags = UtilsSrv.objectify(self.template.tags, 'text');
+                self.templateCustomFields = getTemplateCustomFields(self.template.customFields);
+            }
+
+            this.cancel = function () {
+                $uibModalInstance.dismiss();
+            };
+
+            self.dateOptions = {
+                closeOnDateSelection: true,
+                formatYear: 'yyyy',
+                startingDay: 1
+            };
+
+            self.sortableOptions = {
+                handle: '.drag-handle',
+                stop: function ( /*e, ui*/) {
+                    self.reorderTasks();
+                },
+                axis: 'y'
+            };
+
+            self.sortableFields = {
+                handle: '.drag-handle',
+                axis: 'y'
+            };
+
+            self.keys = function (obj) {
+                if (!obj) {
+                    return [];
+                }
+                return _.keys(obj);
+            };
+
+            self.fromTagLibrary = function () {
+                TaxonomyCacheSrv.openTagLibrary()
+                    .then(function (tags) {
+                        self.tags = self.tags.concat(tags);
+                    })
+            };
+
+            self.reorderTasks = function () {
+                _.each(self.template.tasks, function (task, index) {
+                    task.order = index;
+                });
+            };
+
+            self.removeTask = function (task) {
+                self.template.tasks = _.without(self.template.tasks, task);
+                self.reorderTasks();
+            };
+
+            self.addTask = function () {
+                var order = self.template.tasks ? self.template.tasks.length : 0;
+
+                self.openTaskDialog({
+                    order: order
+                }, 'Add');
+            };
+
+            self.editTask = function (task) {
+                self.openTaskDialog(task, 'Update');
+            };
+
+            self.openTaskDialog = function (task, action) {
+                var modal = $uibModal.open({
+                    scope: $scope,
+                    templateUrl: 'views/components/org/case-template/case-templates.task.html',
+                    controller: 'AdminCaseTemplateTasksCtrl',
+                    size: 'lg',
+                    resolve: {
+                        action: function () {
+                            return action;
+                        },
+                        task: function () {
+                            return _.extend({}, task);
+                        },
+                        users: function () {
+                            return UserSrv.list(
+                                self.currentUser.organisation,
+                                {
+                                    filter: {
+                                        _is: {
+                                            _field: 'locked',
+                                            _value: false
+                                        }
+                                    },
+                                    sort: ['+name']
+                                }
+                            );
+                        },
+                        groups: function () {
+                            var existingGroups = _.uniq(_.pluck(self.template.tasks, 'group').sort());
+
+                            return existingGroups.length === 0 ? ['default'] : existingGroups;
+                        }
+                    }
+                });
+
+                modal.result.then(function (data) {
+                    if (action === 'Add') {
+                        if (self.template.tasks) {
+                            self.template.tasks.push(data);
+                        } else {
+                            self.template.tasks = [data];
+                        }
+                    } else {
+                        self.template.tasks[data.order] = data;
+                    }
+                });
+            };
+
+            self.addCustomFieldRow = function () {
+                self.templateCustomFields.push({
+                    name: null,
+                    order: self.templateCustomFields.length + 1,
+                    value: null
+                });
+            };
+
+            self.removeCustomField = function (field) {
+                self.templateCustomFields = _.without(self.templateCustomFields, field);
+            };
+
+            self.updateCustomField = function (field, value) {
+                field.value = value;
+            };
+
+            self.saveTemplate = function () {
+                // Set tags
+                self.template.tags = _.pluck(self.tags, 'text');
+
+                // Set custom fields
+                self.template.customFields = {};
+                _.each(self.templateCustomFields, function (cf, index) {
+                    var fieldDef = self.fields[cf.name];
+                    var value = null;
+                    if (fieldDef) {
+                        value = fieldDef.type === 'date' && cf.value ? moment(cf.value).valueOf() : cf.value;
+                    }
+
+                    self.template.customFields[cf.name] = {};
+                    self.template.customFields[cf.name][fieldDef ? fieldDef.type : cf.type] = value;
+                    self.template.customFields[cf.name].order = index + 1;
+                });
+
+                if (_.isEmpty(self.template.id)) {
+                    self.createTemplate(self.template);
+                } else {
+                    self.updateTemplate(self.template);
+                }
+            };
+
+            self.createTemplate = function (template) {
+                return CaseTemplateSrv.create(template).then(
+                    function (/*response*/) {
+                        $scope.$emit('templates:refresh');
+
+                        NotificationSrv.log('The template [' + template.name + '] has been successfully created', 'success');
+                        $uibModalInstance.close();
+                    },
+                    function (response) {
+                        NotificationSrv.error('TemplateCtrl', response.data, response.status);
+                    }
+                );
+            };
+
+            self.updateTemplate = function (template) {
+                return CaseTemplateSrv.update(template.id, _.omit(template, 'id', 'user')).then(
+                    function ( /*response*/) {
+                        $scope.$emit('templates:refresh');
+
+                        NotificationSrv.log('The template [' + template.name + '] has been successfully updated', 'success');
+                        $uibModalInstance.close();
+                    },
+                    function (response) {
+                        NotificationSrv.error('TemplateCtrl', response.data, response.status);
+                    }
+                );
+            };
+
+            self.getTags = function (query) {
+                return TagSrv.autoComplete(query);
+            };
+        });
+})();
diff --git a/frontend/app/scripts/components/organisation/OrgConfigListCmp.js b/frontend/app/scripts/components/organisation/OrgConfigListCmp.js
index f96da1fade..58c4b94f29 100644
--- a/frontend/app/scripts/components/organisation/OrgConfigListCmp.js
+++ b/frontend/app/scripts/components/organisation/OrgConfigListCmp.js
@@ -3,7 +3,7 @@
 
     angular.module('theHiveComponents')
         .component('orgConfigList', {
-            controller: function($scope, $q, NotificationSrv, AlertingSrv, UiSettingsSrv) {
+            controller: function($scope, $q, $interval, NotificationSrv, AlertingSrv, UiSettingsSrv) {
                 var self = this;
 
                 self.alertSimilarityFilters = [];
@@ -66,7 +66,19 @@
                     self.loadSettings(this.uiConfig);
 
                     self.alertSimilarityFilters = AlertingSrv.getSimilarityFilters();
+
+
+                    self.timer = $interval(function() {
+                        self.date = new moment();
+                      }, 1000);
+
                 };
+
+                self.$onDestroy = function() {
+                    if(self.timer) {
+                        $interval.cancel(self.timer);
+                    }
+                }
             },
             controllerAs: '$ctrl',
             templateUrl: 'views/components/org/config.list.html',
diff --git a/frontend/app/scripts/components/organisation/OrgCustomTagsListCmp.js b/frontend/app/scripts/components/organisation/OrgCustomTagsListCmp.js
new file mode 100644
index 0000000000..3cd8116668
--- /dev/null
+++ b/frontend/app/scripts/components/organisation/OrgCustomTagsListCmp.js
@@ -0,0 +1,167 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveComponents')
+        .component('orgCustomTagsList', {
+            controller: function($scope, PaginatedQuerySrv, FilteringSrv, TagSrv, UserSrv, ModalUtilsSrv, NotificationSrv) {
+                var self = this;
+
+                self.tags = [];
+                self.getUserInfo = UserSrv.getCache;
+
+                this.$onInit = function() {
+                    // TODO: FIXME
+                    self.filtering = new FilteringSrv('tag', 'custom-tags.list', {
+                        version: 'v1',
+                        defaults: {
+                            showFilters: true,
+                            showStats: false,
+                            pageSize: 15,
+                            sort: ['+predicate']
+                        },
+                        defaultFilter: []
+                    });
+
+                    self.filtering.initContext(self.organisation.name)
+                        .then(function() {
+                            self.load();
+
+                            $scope.$watch('$vm.list.pageSize', function (newValue) {
+                                self.filtering.setPageSize(newValue);
+                            });
+                        });
+                };
+
+                this.load = function() {
+
+                    self.list = new PaginatedQuerySrv({
+                        name: 'organisation-custom-tags',
+                        version: 'v1',
+                        skipStream: true,
+                        sort: self.filtering.context.sort,
+                        loadAll: false,
+                        pageSize: self.filtering.context.pageSize,
+                        filter: this.filtering.buildQuery(),
+                        operations: [
+                            {
+                                '_name': 'listTag'
+                            },
+                            {
+                                '_name': 'freetags'
+                            }
+                        ],
+                        extraData: ['usage'],
+                        onFailure: function(err) {
+                            if(err && err.status === 400) {
+                                self.filtering.resetContext();
+                                self.load();
+                            }
+                        }
+                    });
+                };
+
+                self.deleteTag = function (tag) {
+                    ModalUtilsSrv.confirm('Remove free tag', 'Are you sure you want to delete this tag?', {
+                        okText: 'Yes, remove it',
+                        flavor: 'danger'
+                    })
+                        .then(function () {
+                            return TagSrv.removeTag(tag._id);
+                        })
+                        .then(function () {
+                            NotificationSrv.success('Tag [' + tag.predicate + '] removed successfully');
+
+                            self.load();
+
+                            $scope.$emit('freetags:refresh');
+                        });
+                };
+
+                self.updateColour = function(id, colour) {
+                    TagSrv.updateTag(id, {colour: colour})
+                        .then(function(/*response*/) {
+                            NotificationSrv.success('Tag colour updated successfully');
+                        })
+                        .catch(function(err) {
+                            NotificationSrv.error('Tag list', err.data, err.status);
+                        })
+                }
+
+                self.updateTag = function(id, value) {
+                    TagSrv.updateTag(id, {predicate: value})
+                        .then(function(/*response*/) {
+                            NotificationSrv.success('Tag value updated successfully');
+                        })
+                        .catch(function(err) {
+                            NotificationSrv.error('Tag list', err.data, err.status);
+                        })
+                }
+
+                // Filtering
+                this.toggleFilters = function () {
+                    this.filtering.toggleFilters();
+                };
+
+                this.filter = function () {
+                    self.filtering.filter().then(this.applyFilters);
+                };
+
+                this.clearFilters = function () {
+                    this.filtering.clearFilters()
+                        .then(self.search);
+                };
+
+                this.removeFilter = function (index) {
+                    self.filtering.removeFilter(index)
+                        .then(self.search);
+                };
+
+                this.search = function () {
+                    self.load();
+                    self.filtering.storeContext();
+                };
+                this.addFilterValue = function (field, value) {
+                    this.filtering.addFilterValue(field, value);
+                    this.search();
+                };
+
+                this.filterBy = function(field, value) {
+                    self.filtering.clearFilters()
+                        .then(function(){
+                            self.addFilterValue(field, value);
+                        });
+                };
+
+                this.sortBy = function(sort) {
+                    self.list.sort = sort;
+                    self.list.update();
+                    self.filtering.setSort(sort);
+                };
+
+                this.sortByField = function(field) {
+                    var context = this.filtering.context;
+                    var currentSort = Array.isArray(context.sort) ? context.sort[0] : context.sort;
+                    var sort = null;
+
+                    if(currentSort.substr(1) !== field) {
+                        sort = ['+' + field];
+                    } else {
+                        sort = [(currentSort === '+' + field) ? '-'+field : '+'+field];
+                    }
+
+                    self.list.sort = sort;
+                    self.list.update();
+                    self.filtering.setSort(sort);
+                };
+            },
+            controllerAs: '$vm',
+            templateUrl: 'views/components/org/custom-tags/tag-list.html',
+            bindings: {
+                organisation: '<',
+                templates: '=',
+                fields: '<',
+                onReload: '&',
+                onEdit: '&'
+            }
+        });
+})();
diff --git a/frontend/app/scripts/components/organisation/OrgUserListCmp.js b/frontend/app/scripts/components/organisation/OrgUserListCmp.js
index 15f91da50f..dfaba897cb 100644
--- a/frontend/app/scripts/components/organisation/OrgUserListCmp.js
+++ b/frontend/app/scripts/components/organisation/OrgUserListCmp.js
@@ -18,6 +18,13 @@
                     this.onSort({field: field});
                 };
 
+                self.addFilterValue = function(field, value) {
+                    self.onFilter({
+                        field: field,
+                        value: value
+                    });
+                }
+
                 self.reload = function() {
                     self.onReload();
                 };
@@ -210,7 +217,8 @@
                 setPasswordEnabled: '<',
                 onReload: '&',
                 onEdit: '&',
-                onSort: '&'
+                onSort: '&',
+                onFilter: '&'
             }
         });
 })();
diff --git a/frontend/app/scripts/components/sharing/task/SharingListCmp.js b/frontend/app/scripts/components/sharing/task/SharingListCmp.js
index fc3930fc38..39378a0be7 100644
--- a/frontend/app/scripts/components/sharing/task/SharingListCmp.js
+++ b/frontend/app/scripts/components/sharing/task/SharingListCmp.js
@@ -25,6 +25,13 @@
                         org: org
                     });
                 };
+
+                this.cancelRequireAction = function(org) {
+                    this.onCancelRequireAction({
+                        task: self.task,
+                        org: org
+                    });
+                }
             },
             controllerAs: '$ctrl',
             templateUrl: 'views/components/sharing/task/sharing-list.html',
@@ -38,6 +45,7 @@
                 onUpdateProfile: '&',
                 onDelete: '&',
                 onRequireAction: '&',
+                onCancelRequireAction: '&',
                 permissions: '='
             }
         });
diff --git a/frontend/app/scripts/controllers/AuthenticationCtrl.js b/frontend/app/scripts/controllers/AuthenticationCtrl.js
index 30d0d2867b..d0257de7fe 100644
--- a/frontend/app/scripts/controllers/AuthenticationCtrl.js
+++ b/frontend/app/scripts/controllers/AuthenticationCtrl.js
@@ -5,6 +5,7 @@
     'use strict';
     angular.module('theHiveControllers')
         .controller('AuthenticationCtrl', function($rootScope, $scope, $state, $location, $uibModalStack, $stateParams, AuthenticationSrv, NotificationSrv, UtilsSrv, UrlParser, appConfig) {
+            $scope.appConfig = appConfig;
             $scope.version = appConfig.versions.TheHive;
 
             $scope.params = {
diff --git a/frontend/app/scripts/controllers/MainPageCtrl.js b/frontend/app/scripts/controllers/MainPageCtrl.js
index da42a4b96f..a468799838 100644
--- a/frontend/app/scripts/controllers/MainPageCtrl.js
+++ b/frontend/app/scripts/controllers/MainPageCtrl.js
@@ -19,7 +19,7 @@
                     {_name: 'currentUser'},
                     {_name: 'tasks'}
                 ] : [
-                    {_name: 'waitingTask'}
+                    {_name: 'waitingTasks'}
                 ];
 
                 if ($stateParams.viewId === 'mytasks') {
@@ -31,7 +31,7 @@
                     self.view.data = 'waitingtasks';
                 }
 
-                self.filtering = new FilteringSrv('case_task', $stateParams.viewId + '.list', {
+                self.filtering = new FilteringSrv('task', $stateParams.viewId + '.list', {
                     version: 'v1',
                     defaults: {
                         showFilters: true,
diff --git a/frontend/app/scripts/controllers/RootCtrl.js b/frontend/app/scripts/controllers/RootCtrl.js
index 15341e81f2..609ce267b3 100644
--- a/frontend/app/scripts/controllers/RootCtrl.js
+++ b/frontend/app/scripts/controllers/RootCtrl.js
@@ -55,8 +55,7 @@ angular.module('theHiveControllers').controller('RootCtrl',
         });
 
         StreamQuerySrv('v1', [
-            {_name: 'currentUser'},
-            {_name: 'tasks'},
+            {_name: 'myTasks'},
             {_name: 'filter',
                 _in: {
                     _field: 'status',
@@ -79,7 +78,7 @@ angular.module('theHiveControllers').controller('RootCtrl',
         });
 
         StreamQuerySrv('v1', [
-            {_name: 'waitingTask'},
+            {_name: 'waitingTasks'},
             {_name: 'count'}
         ], {
             scope: $scope,
diff --git a/frontend/app/scripts/controllers/SearchCtrl.js b/frontend/app/scripts/controllers/SearchCtrl.js
index 6eb5522550..c13271d062 100644
--- a/frontend/app/scripts/controllers/SearchCtrl.js
+++ b/frontend/app/scripts/controllers/SearchCtrl.js
@@ -10,8 +10,8 @@
                 {name: 'case_task_log', label: 'Tasks Logs', icon: 'glyphicon glyphicon-comment'},
                 {name: 'case_artifact', label: 'Observables', icon: 'glyphicon glyphicon-pushpin'},
                 {name: 'alert', label: 'Alerts', icon: 'glyphicon glyphicon-alert'},
-                {name: 'case_artifact_job', label: 'Jobs', icon: 'glyphicon glyphicon-cog'},
-                {name: 'audit', label: 'Audit Logs', icon: 'glyphicon glyphicon-list-alt'}
+                {name: 'case_artifact_job', label: 'Jobs', icon: 'glyphicon glyphicon-cog'}
+                // {name: 'audit', label: 'Audit Logs', icon: 'glyphicon glyphicon-list-alt'}
             ];
 
             $scope.getUserInfo = UserSrv.getCache;
diff --git a/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js b/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js
new file mode 100644
index 0000000000..80604099a3
--- /dev/null
+++ b/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js
@@ -0,0 +1,169 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveControllers')
+        .controller('AttackPatternListCtrl', AttackPatternListCtrl)
+        .controller('AttackPatternDialogCtrl', AttackPatternDialogCtrl)
+        .controller('AttackPatternImportCtrl', AttackPatternImportCtrl);
+
+    function AttackPatternListCtrl($scope, $uibModal, PaginatedQuerySrv, FilteringSrv, AttackPatternSrv, NotificationSrv, ModalSrv, appConfig) {
+        var self = this;
+
+        this.appConfig = appConfig;
+
+        self.load = function() {
+            this.loading = true;
+
+            this.list = new PaginatedQuerySrv({
+                name: 'attack-patterns',
+                root: undefined,
+                objectType: 'pattern',
+                version: 'v1',
+                scope: $scope,
+                sort: self.filtering.context.sort,
+                loadAll: false,
+                pageSize: self.filtering.context.pageSize,
+                filter: this.filtering.buildQuery(),
+                baseFilter: {
+                    _field: 'patternType',
+                    _value:'attack-pattern'
+                },
+                operations: [
+                    {'_name': 'listPattern'}
+                ],
+                extraData: ['enabled', 'parent'],
+                onUpdate: function() {
+                    self.loading = false;
+                }
+            });
+        };
+
+        self.show = function(patternId) {
+            $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/attack/view.html',
+                controller: 'AttackPatternDialogCtrl',
+                controllerAs: '$modal',
+                size: 'max',
+                resolve: {
+                    pattern: function() {
+                        return AttackPatternSrv.get(patternId);
+                    }
+                }
+            });
+        };
+
+
+        self.import = function () {
+            var modalInstance = $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/attack/import.html',
+                controller: 'AttackPatternImportCtrl',
+                controllerAs: '$vm',
+                size: 'lg',
+                resolve: {
+                    appConfig: self.appConfig
+                }
+            });
+
+            modalInstance.result
+                .then(function() {
+                    self.load();
+                })
+                .catch(function(err){
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('Pattern import', err.data, err.status);
+                    }
+                });
+        };
+
+        this.toggleFilters = function () {
+            this.filtering.toggleFilters();
+        };
+
+        this.filter = function () {
+            self.filtering.filter().then(this.applyFilters);
+        };
+
+        this.clearFilters = function () {
+            this.filtering.clearFilters()
+                .then(self.search);
+        };
+
+        this.removeFilter = function (index) {
+            self.filtering.removeFilter(index)
+                .then(self.search);
+        };
+
+        this.search = function () {
+            self.load();
+            self.filtering.storeContext();
+        };
+        this.addFilterValue = function (field, value) {
+            this.filtering.addFilterValue(field, value);
+            this.search();
+        };
+
+        self.$onInit = function() {
+            self.filtering = new FilteringSrv('pattern', 'attack-pattern.list', {
+                version: 'v1',
+                defaults: {
+                    showFilters: true,
+                    showStats: false,
+                    pageSize: 15,
+                    sort: ['+name']
+                },
+                defaultFilter: []
+            });
+
+            self.filtering.initContext('list')
+                .then(function() {
+                    self.load();
+
+                    $scope.$watch('$vm.list.pageSize', function (newValue) {
+                        self.filtering.setPageSize(newValue);
+                    });
+                });
+        };
+    }
+
+    function AttackPatternDialogCtrl($uibModalInstance, AttackPatternSrv, NotificationSrv, pattern) {
+        this.pattern = pattern;
+
+        this.ok = function () {
+            $uibModalInstance.close();
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+
+        this.$onInit = function() {
+            if (this.pattern.extraData.parent) {
+                this.pattern.isSubTechnique = true;
+                this.pattern.parentId = this.pattern.extraData.parent.patternId;
+                this.pattern.parentName = this.pattern.extraData.parent.name;
+            } else {
+                this.pattern.isSubTechnique = false;
+            }
+        };
+    }
+
+    function AttackPatternImportCtrl($uibModalInstance, AttackPatternSrv, NotificationSrv, appConfig) {
+        this.appConfig = appConfig;
+        this.formData = {};
+
+        this.ok = function () {
+            AttackPatternSrv.import(this.formData)
+                .then(function() {
+                    $uibModalInstance.close();
+                }, function(response) {
+                    NotificationSrv.error('AttackPatternImportCtrl', response.data, response.status);
+                });
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+    }
+})();
diff --git a/frontend/app/scripts/controllers/admin/organisation/OrgDetailsCtrl.js b/frontend/app/scripts/controllers/admin/organisation/OrgDetailsCtrl.js
index b122522177..ef29e8e7cb 100644
--- a/frontend/app/scripts/controllers/admin/organisation/OrgDetailsCtrl.js
+++ b/frontend/app/scripts/controllers/admin/organisation/OrgDetailsCtrl.js
@@ -2,13 +2,11 @@
     'use strict';
 
     angular.module('theHiveControllers').controller('OrgDetailsCtrl',
-        function($scope, $q, $uibModal, FilteringSrv, PaginatedQuerySrv, OrganisationSrv, NotificationSrv, UserSrv, organisation, /*users, */templates, fields, appConfig, uiConfig) {
+        function($scope, FilteringSrv, PaginatedQuerySrv, NotificationSrv, UserSrv, organisation, fields, appConfig, uiConfig) {
             var self = this;
 
             this.uiConfig = uiConfig;
             this.org = organisation;
-            //this.users = users;
-            this.templates = templates;
             this.fields = fields;
             this.canChangeMfa = appConfig.config.capabilities.indexOf('mfa') !== -1;
             this.canSetPass = appConfig.config.capabilities.indexOf('setPassword') !== -1;
@@ -46,6 +44,7 @@
                     sort: self.filtering.context.sort,
                     loadAll: false,
                     pageSize: self.filtering.context.pageSize,
+                    pageOptions: {organisation: self.org.name},
                     filter: this.filtering.buildQuery(),
                     operations: [{
                             '_name': 'getOrganisation',
diff --git a/frontend/app/scripts/controllers/admin/organisation/OrgListCtrl.js b/frontend/app/scripts/controllers/admin/organisation/OrgListCtrl.js
index c068b4d491..9f562684db 100644
--- a/frontend/app/scripts/controllers/admin/organisation/OrgListCtrl.js
+++ b/frontend/app/scripts/controllers/admin/organisation/OrgListCtrl.js
@@ -2,21 +2,50 @@
     'use strict';
 
     angular.module('theHiveControllers').controller('OrgListCtrl',
-        function($scope, $q, $uibModal, OrganisationSrv, NotificationSrv, appConfig) {
+        function($scope, $q, $uibModal, PaginatedQuerySrv, OrganisationSrv, NotificationSrv, FilteringSrv, appConfig) {
             var self = this;
 
             self.appConfig = appConfig;
 
-            self.load = function() {
-                OrganisationSrv.list()
-                    .then(function(response) {
-                        self.list = response.data;
-                    })
-                    .catch(function(err) {
-                        NotificationSrv.error('Error', 'Failed to list organisations', err.status);
+            this.$onInit = function() {
+                self.filtering = new FilteringSrv('organisation', 'organisation.list', {
+                    version: 'v1',
+                    defaults: {
+                        showFilters: true,
+                        showStats: false,
+                        pageSize: 15,
+                        sort: ['-_updatedAt']
+                    },
+                    defaultFilter: []
+                });
+                self.filtering.initContext('list')
+                    .then(function() {
+                        self.load();
+
+                        $scope.$watch('$vm.list.pageSize', function (newValue) {
+                            self.filtering.setPageSize(newValue);
+                        });
                     });
             };
 
+            this.load = function() {
+
+                this.list = new PaginatedQuerySrv({
+                    name: 'organisations',
+                    root: undefined,
+                    objectType: 'organisation',
+                    version: 'v1',
+                    scope: $scope,
+                    sort: self.filtering.context.sort,
+                    loadAll: false,
+                    pageSize: self.filtering.context.pageSize,
+                    filter: this.filtering.buildQuery(),
+                    operations: [
+                        {'_name': 'listOrganisation'}
+                    ]
+                });
+            };
+
             self.showNewOrg = function(mode, org) {
                 var modal = $uibModal.open({
                     controller: 'OrgModalCtrl',
@@ -60,11 +89,18 @@
                             return org;
                         },
                         organisations: function() {
-                            var list = _.filter(angular.copy(self.list), function(item) {
-                                return [OrganisationSrv.defaultOrg, org.name].indexOf(item.name) === -1;
-                            });
+                            var defer = $q.defer();
+
+                            OrganisationSrv.list()
+                                .then(function(response) {
+                                    var list = _.filter(response.data, function(item) {
+                                        return [OrganisationSrv.defaultOrg, org.name].indexOf(item.name) === -1;
+                                    });
 
-                            return _.sortBy(list, 'name');
+                                    defer.resolve(_.sortBy(list, 'name'));
+                                });
+
+                            return defer.promise;
                         },
                         links: function () {
                             return OrganisationSrv.links(org.name);
@@ -72,16 +108,22 @@
                     }
                 });
 
-                modalInstance.result.then(function(newLinks) {
-                    OrganisationSrv.setLinks(org.name, newLinks)
-                        .then(function() {
-                            self.load();
-                            NotificationSrv.log('Organisation updated successfully', 'success');
-                        })
-                        .catch(function(err) {
+                modalInstance.result
+                    .then(function(newLinks) {
+                        OrganisationSrv.setLinks(org.name, newLinks)
+                            .then(function() {
+                                self.load();
+                                NotificationSrv.log('Organisation updated successfully', 'success');
+                            })
+                            .catch(function(err) {
+                                NotificationSrv.error('Error', 'Organisation update failed', err.status);
+                            });
+                    })
+                    .catch(function(err) {
+                        if(err && !_.isString(err)) {
                             NotificationSrv.error('Error', 'Organisation update failed', err.status);
-                        });
-                });
+                        }
+                    });
             };
 
             self.update = function(orgName, org) {
@@ -106,6 +148,53 @@
                     });
             };
 
-            self.load();
+            this.toggleFilters = function () {
+                this.filtering.toggleFilters();
+            };
+
+            this.filter = function () {
+                self.filtering.filter().then(this.applyFilters);
+            };
+
+            this.clearFilters = function () {
+                this.filtering.clearFilters()
+                    .then(self.search);
+            };
+
+            this.removeFilter = function (index) {
+                self.filtering.removeFilter(index)
+                    .then(self.search);
+            };
+
+            this.search = function () {
+                self.load();
+                self.filtering.storeContext();
+            };
+            this.addFilterValue = function (field, value) {
+                this.filtering.addFilterValue(field, value);
+                this.search();
+            };
+
+            this.sortBy = function(sort) {
+                this.list.sort = sort;
+                this.list.update();
+                this.filtering.setSort(sort);
+            };
+
+            this.sortByField = function(field) {
+                var context = this.filtering.context;
+                var currentSort = Array.isArray(context.sort) ? context.sort[0] : context.sort;
+                var sort = null;
+
+                if(currentSort.substr(1) !== field) {
+                    sort = ['+' + field];
+                } else {
+                    sort = [(currentSort === '+' + field) ? '-'+field : '+'+field];
+                }
+
+                self.list.sort = sort;
+                self.list.update();
+                self.filtering.setSort(sort);
+            };
         });
 })();
diff --git a/frontend/app/scripts/controllers/admin/platform/PlatformStatusCtrl.js b/frontend/app/scripts/controllers/admin/platform/PlatformStatusCtrl.js
new file mode 100644
index 0000000000..3718916b33
--- /dev/null
+++ b/frontend/app/scripts/controllers/admin/platform/PlatformStatusCtrl.js
@@ -0,0 +1,107 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveControllers').controller('PlatformStatusCtrl', function(ModalSrv, PlatformSrv, NotificationSrv, appConfig) {
+            var self = this;
+
+            self.appConfig = appConfig;
+            self.indexStatus = {};
+            self.checkStats = {};
+
+            self.loading = {
+                index: false,
+                check: false
+            }
+
+            this.loadIndexStatus = function() {
+                self.indexStatus = {};
+                self.loading.index = true;
+
+                PlatformSrv.getIndexStatus()
+                    .then(function(response) {
+                        self.indexStatus = response.data;
+                        self.loading.index = false;
+                    });
+            }
+
+            this.loadCheckStats = function() {
+                self.loading.check = true;
+
+                PlatformSrv.getCheckStats()
+                    .then(function(response) {
+                        self.checkStats = response.data;
+                        self.loading.check = false;
+                    })
+            }
+
+            this.$onInit = function() {
+                self.loadIndexStatus();
+                self.loadCheckStats();
+            };
+
+            this.exportReport = function() {
+                var date = new moment().format('YYYYMMDD-HH:mmZ');
+                var fileName = 'Platform-Status-Report-'+date+'.json';
+
+                var content = {
+                    indexStatus: self.indexStatus,
+                    checkStatus: self.checkStats,
+                    schemaStatus: self.appConfig.schemaStatus
+                };
+
+                // Create a blob of the data
+                var fileToSave = new Blob([JSON.stringify(content)], {
+                    type: 'application/json',
+                    name: fileName
+                });
+
+                // Save the file
+                saveAs(fileToSave, fileName);
+            }
+
+            this.reindex = function(indexName) {
+                var modalInstance = ModalSrv.confirm(
+                    'Reindex',
+                    'Are you sure you want to trigger ' + indexName + ' data reindex', {
+                        okText: 'Yes, reindex it'
+                    }
+                );
+
+                modalInstance.result
+                    .then(function() {
+                        PlatformSrv.runReindex(indexName);
+                    })
+                    .then(function(/*response*/) {
+                        NotificationSrv.success('Reindexing of ' + indexName + ' data started sucessfully');
+                    })
+                    .catch(function(err) {
+                        if (!_.isString(err)) {
+                            NotificationSrv.error('Platform status', err.data, err.status);
+                        }
+                    });
+            };
+
+            this.checkControl = function(checkName) {
+                var modalInstance = ModalSrv.confirm(
+                    'Data health check',
+                    'Are you sure you want to trigger ' + checkName + ' health check', {
+                        okText: 'Yes, trigger it'
+                    }
+                );
+
+                modalInstance.result
+                    .then(function() {
+                        PlatformSrv.runCheck(checkName);
+                    })
+                    .then(function(/*response*/) {
+                        NotificationSrv.success('Data health check of ' + checkName + ' started sucessfully');
+                    })
+                    .catch(function(err) {
+                        if (!_.isString(err)) {
+                            NotificationSrv.error('Platform status', err.data, err.status);
+                        }
+                    });
+            }
+
+        });
+})();
diff --git a/frontend/app/scripts/controllers/admin/taxonomy/TaxonomyListCtrl.js b/frontend/app/scripts/controllers/admin/taxonomy/TaxonomyListCtrl.js
new file mode 100644
index 0000000000..78a1d5c29b
--- /dev/null
+++ b/frontend/app/scripts/controllers/admin/taxonomy/TaxonomyListCtrl.js
@@ -0,0 +1,207 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveControllers')
+        .controller('TaxonomyListCtrl', TaxonomyListCtrl)
+        .controller('TaxonomyDialogCtrl', TaxonomyDialogCtrl)
+        .controller('TaxonomyImportCtrl', TaxonomyImportCtrl);
+
+    function TaxonomyListCtrl($scope, $uibModal, PaginatedQuerySrv, FilteringSrv, TaxonomySrv, NotificationSrv, ModalSrv, appConfig) {
+        var self = this;
+
+        this.appConfig = appConfig;
+
+        self.load = function() {
+            this.loading = true;
+
+            this.list = new PaginatedQuerySrv({
+                name: 'taxonomies',
+                root: undefined,
+                objectType: 'taxonomy',
+                version: 'v1',
+                scope: $scope,
+                sort: self.filtering.context.sort,
+                loadAll: false,
+                pageSize: self.filtering.context.pageSize,
+                filter: this.filtering.buildQuery(),
+                operations: [
+                    {'_name': 'listTaxonomy'}
+                ],
+                extraData: ['enabled'],
+                onUpdate: function() {
+                    self.loading = false;
+                }
+            });
+        };
+
+        self.show = function(taxonomy) {
+            // var modalInstance = $uibModal.open({
+
+            $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/taxonomy/view.html',
+                controller: 'TaxonomyDialogCtrl',
+                controllerAs: '$modal',
+                size: 'max',
+                resolve: {
+                    taxonomy: angular.copy(taxonomy)
+                }
+            });
+
+            // modalInstance.result
+            //     .then(function() {
+            //         self.load();
+            //     })
+            //     .catch(function(err){
+            //         if(err && !_.isString(err)) {
+            //             NotificationSrv.error('Taxonomies import', err.data, err.status);
+            //         }
+            //     });
+        };
+
+
+        self.import = function () {
+            var modalInstance = $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/taxonomy/import.html',
+                controller: 'TaxonomyImportCtrl',
+                controllerAs: '$vm',
+                size: 'lg',
+                resolve: {
+                    appConfig: self.appConfig
+                }
+            });
+
+            modalInstance.result
+                .then(function() {
+                    self.load();
+                })
+                .catch(function(err){
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('Taxonomies import', err.data, err.status);
+                    }
+                });
+        };
+
+        this.toggleActive = function(taxonomy) {
+            var active = !taxonomy.extraData.enabled;
+
+            TaxonomySrv.toggleActive(taxonomy._id, active)
+                .then(function() {
+                    NotificationSrv.log(['Taxonomy [', taxonomy.namespace, '] has been successfully', (active ? 'activated' : 'deactivated')].join(' '), 'success');
+
+                    self.load();
+                })
+                .catch(function(err){
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('Taxonomies ' + active ? 'activation' : 'deactivation', err.data, err.status);
+                    }
+                });
+        };
+
+        self.remove = function(taxonomy) {
+            var modalInstance = ModalSrv.confirm(
+                'Remove taxonomy',
+                'Are you sure you want to remove the selected taxonomy?', {
+                    flavor: 'danger',
+                    okText: 'Yes, remove it'
+                }
+            );
+
+            modalInstance.result
+                .then(function() {
+                    return TaxonomySrv.remove(taxonomy._id);
+                })
+                .then(function( /*response*/ ) {
+                    self.load();
+                    NotificationSrv.success(
+                        'Taxonomy ' + taxonomy.namespace + ' has been successfully removed.'
+                    );
+                })
+                .catch(function(err) {
+                    if (err && !_.isString(err)) {
+                        NotificationSrv.error('TaxonomyListCtrl', err.data, err.status);
+                    }
+                });
+        };
+
+        this.toggleFilters = function () {
+            this.filtering.toggleFilters();
+        };
+
+        this.filter = function () {
+            self.filtering.filter().then(this.applyFilters);
+        };
+
+        this.clearFilters = function () {
+            this.filtering.clearFilters()
+                .then(self.search);
+        };
+
+        this.removeFilter = function (index) {
+            self.filtering.removeFilter(index)
+                .then(self.search);
+        };
+
+        this.search = function () {
+            self.load();
+            self.filtering.storeContext();
+        };
+        this.addFilterValue = function (field, value) {
+            this.filtering.addFilterValue(field, value);
+            this.search();
+        };
+
+        self.$onInit = function() {
+            self.filtering = new FilteringSrv('taxonomy', 'taxonomy.list', {
+                version: 'v1',
+                defaults: {
+                    showFilters: true,
+                    showStats: false,
+                    pageSize: 15,
+                    sort: ['+namespace']
+                },
+                defaultFilter: []
+            });
+
+            self.filtering.initContext('list')
+                .then(function() {
+                    self.load();
+
+                    $scope.$watch('$vm.list.pageSize', function (newValue) {
+                        self.filtering.setPageSize(newValue);
+                    });
+                });
+        };
+    }
+
+    function TaxonomyDialogCtrl($uibModalInstance, TaxonomySrv, NotificationSrv, taxonomy) {
+        this.taxonomy = taxonomy;
+
+        this.ok = function () {
+            $uibModalInstance.close();
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+    }
+
+    function TaxonomyImportCtrl($uibModalInstance, TaxonomySrv, NotificationSrv, appConfig) {
+        this.appConfig = appConfig;
+        this.formData = {};
+
+        this.ok = function () {
+            TaxonomySrv.import(this.formData)
+                .then(function() {
+                    $uibModalInstance.close();
+                }, function(response) {
+                    NotificationSrv.error('TaxonomyImportCtrl', response.data, response.status);
+                });
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+    }
+})();
diff --git a/frontend/app/scripts/controllers/case/CaseCreationCtrl.js b/frontend/app/scripts/controllers/case/CaseCreationCtrl.js
index ec75824b87..724e46b3d7 100644
--- a/frontend/app/scripts/controllers/case/CaseCreationCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseCreationCtrl.js
@@ -4,7 +4,7 @@
 (function () {
     'use strict';
     angular.module('theHiveControllers').controller('CaseCreationCtrl',
-        function ($rootScope, $scope, $uibModalInstance, CaseSrv, NotificationSrv, TagSrv, template) {
+        function ($rootScope, $scope, $uibModalInstance, CaseSrv, TaxonomyCacheSrv, NotificationSrv, TagSrv, template) {
 
             $rootScope.title = 'New case';
             $scope.activeTlp = 'active';
@@ -18,6 +18,8 @@
             $scope.template = template;
             $scope.fromTemplate = angular.isDefined(template) && !_.isEqual($scope.template, {});
 
+            $scope.tags = [];
+
             if ($scope.fromTemplate === true) {
 
                 // Set basic info from template
@@ -37,7 +39,7 @@
                 $scope.tasks = _.map(template.tasks, function (t) {
                     return t.title;
                 });
-                
+
             } else {
                 $scope.tasks = [];
                 $scope.newCase = {
@@ -86,6 +88,13 @@
                 });
             };
 
+            $scope.fromTagLibrary = function() {
+                TaxonomyCacheSrv.openTagLibrary()
+                    .then(function(tags){
+                        $scope.tags = $scope.tags.concat(tags);
+                    })
+            };
+
             $scope.addTask = function (task) {
                 if ($scope.tasks.indexOf(task) === -1) {
                     $scope.tasks.push(task);
@@ -103,7 +112,7 @@
             };
 
             $scope.getTags = function(query) {
-                return TagSrv.fromCases(query);
+                return TagSrv.autoComplete(query);
             };
 
             $scope.keys = function(o) {
diff --git a/frontend/app/scripts/controllers/case/CaseDetailsCtrl.js b/frontend/app/scripts/controllers/case/CaseDetailsCtrl.js
index 030302eaae..b07cc8aaef 100644
--- a/frontend/app/scripts/controllers/case/CaseDetailsCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseDetailsCtrl.js
@@ -64,11 +64,11 @@
         };
 
         $scope.getCaseTags = function(query) {
-            return TagSrv.fromCases(query);
+            return TagSrv.autoComplete(query);
         };
     });
 
-    angular.module('theHiveControllers').controller('CaseCustomFieldsCtrl', function($scope, $uibModal, CustomFieldsSrv) {
+    angular.module('theHiveControllers').controller('CaseCustomFieldsCtrl', function($scope, $uibModal, NotificationSrv, ModalUtilsSrv, CustomFieldsSrv, CaseSrv) {
 
         $scope.getCustomFieldName = function(fieldDef) {
             return 'customFields.' + fieldDef.reference + '.' + fieldDef.type;
@@ -103,6 +103,30 @@
             });
         };
 
+        $scope.removeField = function(fieldId) {
+            ModalUtilsSrv.confirm('Remove custom field value', 'Are you sure you want to delete this case custom field value?', {
+                okText: 'Yes, remove it',
+                flavor: 'danger'
+            })
+                .then(function () {
+                    return CaseSrv.removeCustomField(fieldId);
+                })
+                .then(function() {
+                    var newList = _.reject($scope.caze.customFields, function(item) {
+                        return item._id === fieldId
+                    });
+
+                    $scope.caze.customFields = newList;
+
+                    $scope.updateCustomFieldsList();
+                })
+                .catch(function(err) {
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('Remove custom field', err.data, err.status);
+                    }
+                });
+        }
+
         $scope.keys = function(obj) {
             return _.keys(obj);
         };
diff --git a/frontend/app/scripts/controllers/case/CaseListCtrl.js b/frontend/app/scripts/controllers/case/CaseListCtrl.js
index 4d44f9e5fe..1f1cea1a8f 100644
--- a/frontend/app/scripts/controllers/case/CaseListCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseListCtrl.js
@@ -1,9 +1,10 @@
 (function() {
     'use strict';
     angular.module('theHiveControllers')
-        .controller('CaseListCtrl', CaseListCtrl);
+        .controller('CaseListCtrl', CaseListCtrl)
+        .controller('CaseBulkDeleteModalCtrl', CaseBulkDeleteModalCtrl);
 
-    function CaseListCtrl($scope, $q, $state, $window, $uibModal, StreamQuerySrv, FilteringSrv, SecuritySrv, StreamStatSrv, PaginatedQuerySrv, EntitySrv, CaseSrv, UserSrv, AuthenticationSrv, CaseResolutionStatus, NotificationSrv, Severity, Tlp, CortexSrv) {
+    function CaseListCtrl($scope, $rootScope, $q, $uibModal, StreamQuerySrv, FilteringSrv, SecuritySrv, ModalUtilsSrv, PaginatedQuerySrv, EntitySrv, CaseSrv, UserSrv, AuthenticationSrv, CaseResolutionStatus, CaseImpactStatus, NotificationSrv, CortexSrv) {
         var self = this;
 
         this.openEntity = EntitySrv.open;
@@ -111,7 +112,7 @@
                 operations: [
                     {'_name': 'listCase'}
                 ],
-                extraData: ['observableStats', 'taskStats', 'isOwner', 'shareCount', 'permissions', 'actionRequired'],
+                extraData: ['observableStats', 'taskStats', 'procedureCount', 'isOwner', 'shareCount', 'permissions', 'actionRequired'],
                 onUpdate: function() {
                     self.resetSelection();
                 }
@@ -124,10 +125,24 @@
             } else {
                 self.selection = [];
                 self.menu.selectAll = false;
-                // self.updateMenu();
+                self.updateMenu();
             }
         };
 
+        self.updateMenu = function() {
+            // Handle flag/unflag menu items
+            var temp = _.uniq(_.pluck(self.selection, 'flag'));
+            self.menu.unflag = temp.length === 1 && temp[0] === true;
+            self.menu.flag = temp.length === 1 && temp[0] === false;
+
+            // Handle close menu item
+            temp = _.uniq(_.pluck(self.selection, 'status'));
+            self.menu.close = temp.length === 1 && temp[0] === 'Open';
+            self.menu.reopen = temp.length === 1 && temp[0] === 'Resolved';
+
+            self.menu.delete = self.selection.length > 0;
+        };
+
         self.select = function(caze) {
             if (caze.selected) {
                 self.selection.push(caze);
@@ -136,7 +151,7 @@
                     return item._id === caze._id;
                 });
             }
-            // self.updateMenu();
+            self.updateMenu();
         };
 
         self.selectAll = function() {
@@ -156,8 +171,7 @@
                 self.selection = [];
             }
 
-            //self.updateMenu();
-
+            self.updateMenu();
         };
 
         this.toggleStats = function () {
@@ -213,6 +227,44 @@
                 });
         };
 
+        this.filterMyOrgCases = function() {
+            this.filtering.clearFilters()
+                .then(function() {
+                    var currentUser = AuthenticationSrv.currentUser;
+                    self.filtering.addFilter({
+                        field: 'owningOrganisation',
+                        type: 'string',
+                        value: {
+                            operator: 'all',
+                            list: [{
+                                text: currentUser.organisation,
+                                label: currentUser.organisation
+                            }]
+                        }
+                    });
+                    self.search();
+                });
+        };
+
+        this.filterSharedWithMyOrg = function() {
+            this.filtering.clearFilters()
+                .then(function() {
+                    var currentUser = AuthenticationSrv.currentUser;
+                    self.filtering.addFilter({
+                        field: 'owningOrganisation',
+                        type: 'string',
+                        value: {
+                            operator: 'none',
+                            list: [{
+                                text: currentUser.organisation,
+                                label: currentUser.organisation
+                            }]
+                        }
+                    });
+                    self.search();
+                });
+        };
+
         this.filterMyOpenCases = function() {
             this.filtering.clearFilters()
                 .then(function() {
@@ -238,12 +290,49 @@
                 });
         };
 
+        this.filterByResolutionStatus = function(status) {
+            this.filtering.clearFilters()
+                .then(function() {
+                    self.filtering.addFilterValue('resolutionStatus', status);
+                    self.addFilterValue('status', 'Resolved');
+                });
+        };
+
         this.sortBy = function(sort) {
             this.list.sort = sort;
             this.list.update();
             this.filtering.setSort(sort);
         };
 
+        this.sortByField = function(field) {
+            var context = this.filtering.context;
+            var currentSort = Array.isArray(context.sort) ? _.without(context.sort, '-flag', '+flag')[0] : context.sort;
+            var sort = null;
+
+            if(currentSort.substr(1) !== field) {
+                sort = ['-flag', '+' + field];
+            } else {
+                sort = ['-flag', (currentSort === '+' + field) ? '-'+field : '+'+field];
+            }
+
+            self.list.sort = sort;
+            self.list.update();
+            self.filtering.setSort(sort);
+        };
+
+        this.bulkFlag = function(flag) {
+            var ids = _.pluck(self.selection, '_id');
+
+            return CaseSrv.bulkUpdate(ids, {flag: flag})
+                .then(function(/*responses*/) {
+                    NotificationSrv.log('Selected cases have been updated successfully', 'success');
+                })
+                .catch(function(err) {
+                    NotificationSrv.error('Bulk flag cases', err.data, err.status);
+                });
+
+        }
+
         this.bulkEdit = function() {
             var modal = $uibModal.open({
                 animation: 'true',
@@ -267,6 +356,99 @@
             });
         };
 
+        this.bulkRemove = function() {
+            var modal = $uibModal.open({
+                animation: 'true',
+                templateUrl: 'views/partials/case/case.bulk.delete.confirm.html',
+                controller: 'CaseBulkDeleteModalCtrl',
+                controllerAs: '$dialog',
+                size: 'lg',
+                resolve: {
+                    selection: function() {
+                        return self.selection;
+                    }
+                }
+            });
+
+            modal.result.catch(function(err) {
+                if(err && !_.isString(err)) {
+                    NotificationSrv.error('Case Remove', err.data, err.status);
+                }
+            })
+        }
+
+        this.bulkReopen = function() {
+            return ModalUtilsSrv.confirm('Reopen cases', 'Are you sure you want to reopen the selected cases?', {
+                okText: 'Yes, proceed'
+            }).then(function() {
+                var ids = _.pluck(self.selection, '_id');
+
+                return CaseSrv.bulkUpdate(ids, {status: 'Open'})
+                    .then(function(/*responses*/) {
+                        NotificationSrv.log('Selected cases have been reopened successfully', 'success');
+                    })
+                    .catch(function(err) {
+                        NotificationSrv.error('Bulk reopen cases', err.data, err.status);
+                    });
+            });
+        }
+
+        this.closeCase = function(caze) {
+            var scope = $rootScope.$new();
+
+            scope.CaseResolutionStatus = CaseResolutionStatus;
+            scope.CaseImpactStatus = CaseImpactStatus;
+            scope.caseId = caze._id;
+            scope.updateField = function(data) {
+                return CaseSrv.update({
+                    caseId: caze._id
+                }, data)
+                .$promise
+                .then(function(/*response*/) {
+                    return caze;
+                });
+            };
+
+            var modal = $uibModal.open({
+                scope: scope,
+                templateUrl: 'views/partials/case/case.close.html',
+                controller: 'CaseCloseModalCtrl',
+                size: 'lg',
+                resolve: {
+                    caze: function() {
+                        return angular.copy(caze);
+                    }
+                }
+            })
+
+            return modal.result.catch(function(err){
+                if(err && !_.isString(err)) {
+                    NotificationSrv.error('Case bulk close', err.data, err.status);
+                }
+            });
+        }
+
+        $scope.updateField = function(data) {
+            return CaseSrv.update({
+                caseId: caseId
+            }, data).$promise;
+        };
+
+        this.bulkClose = function() {
+            return ModalUtilsSrv.confirm('Close cases', 'Are you sure you want to close the selected ' + self.selection.length+' case(s)?', {
+                okText: 'Yes, proceed'
+            }).then(function() {
+                return self.selection.reduce(function(initialPromise, nextCase) {
+                    return initialPromise
+                        .then(self.closeCase(nextCase));
+                }, $q.resolve());
+            }).catch(function(err){
+                if(err && !_.isString(err)) {
+                    NotificationSrv.error('Case bulk close', err.data, err.status);
+                }
+            });
+        }
+
         this.getCaseResponders = function(caze, force) {
             if (!force && this.caseResponders !== null) {
                 return;
@@ -295,4 +477,40 @@
                 });
         };
     }
+
+    function CaseBulkDeleteModalCtrl($uibModalInstance, $q, CaseSrv, NotificationSrv, selection) {
+        var self = this;
+
+        this.selection = selection;
+        this.count = selection.length;
+        this.typedCount = undefined;
+        this.loading = false;
+
+        this.ok = function() {
+            $uibModalInstance.close();
+        }
+        this.cancel = function() {
+            $uibModalInstance.dismiss();
+        }
+        this.confirm = function() {
+            self.loading = true;
+
+            var promises = _.map(self.selection, function(caze) {
+                return CaseSrv.forceRemove({ caseId: caze._id }).$promise;
+            });
+
+            $q.all(promises)
+                .then(function(responses) {
+                    self.loading = false;
+                    NotificationSrv.log('Cases have been deleted successfully: ' + responses.length, 'success');
+                    $uibModalInstance.close();
+                })
+                .catch(function(errors) {
+                    self.loading = false;
+                    _.each(errors, function(err) {
+                        NotificationSrv.error('Bulk delete cases', err.data, err.status);
+                    });
+                })
+        }
+    }
 })();
diff --git a/frontend/app/scripts/controllers/case/CaseMainCtrl.js b/frontend/app/scripts/controllers/case/CaseMainCtrl.js
index f6b5e9763a..ebd98a62c1 100644
--- a/frontend/app/scripts/controllers/case/CaseMainCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseMainCtrl.js
@@ -187,7 +187,7 @@
                 var defer = $q.defer();
 
                 CaseSrv.update({
-                    caseId: caseId
+                    caseId: $scope.caseId
                 }, data, function(/*response*/) {
                     //UtilsSrv.shallowClearAndCopy(response, $scope.caze);
                     defer.resolve($scope.caze);
@@ -253,20 +253,25 @@
                 });
 
                 caseModal.result.then(function(selectedCase) {
-                    CaseSrv.merge({}, {
-                        caseId: $scope.caze.id,
-                        mergedCaseId: selectedCase.id
-                    }, function (merged) {
-
-                        $state.go('app.case.details', {
-                            caseId: merged.id
-                        });
-
-                        NotificationSrv.log('The cases have been successfully merged into a new case #' + merged.caseId, 'success');
-                    }, function (response) {
-                        //this.pendingAsync = false;
-                        NotificationSrv.error('Case Merge', response.data, response.status);
-                    });
+                    CaseSrv.merge([$scope.caze._id, selectedCase._id])
+                        .then(function (response) {
+                            var merged = response.data;
+
+                            $state.go('app.case.details', {
+                                caseId: merged._id
+                            });
+
+                            NotificationSrv.log('The cases have been successfully merged into a new case #' + merged.number, 'success');
+                        })
+                        .catch(function (response) {
+                            //this.pendingAsync = false;
+                            NotificationSrv.error('Case Merge', response.data, response.status);
+                        })
+
+                    // CaseSrv.merge({}, {
+                    //     caseId: $scope.caze.id,
+                    //     mergedCaseId: selectedCase.id
+                    // }, , );
                 }).catch(function(err) {
                     if(err && !_.isString(err)) {
                         NotificationSrv.error('Case Merge', err.data, err.status);
diff --git a/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js b/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
index 919c1d67b3..4a59571002 100644
--- a/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseObservablesCtrl.js
@@ -18,7 +18,7 @@
             };
 
             this.$onInit = function() {
-                $scope.filtering = new FilteringSrv('case_artifact', 'observable.list', {
+                $scope.filtering = new FilteringSrv('observable', 'observable.list', {
                     version: 'v1',
                     defaults: {
                         showFilters: true,
@@ -68,7 +68,8 @@
                 $scope.artifacts = new PaginatedQuerySrv({
                     name: 'observables',
                     root: $scope.caseId,
-                    objectType: 'case_artifact',
+                    objectType: 'observable',
+                    streamObjectType: 'case_artifact',
                     version: 'v1',
                     scope: $scope,
                     sort: $scope.filtering.context.sort,
diff --git a/frontend/app/scripts/controllers/case/CaseObservablesItemCtrl.js b/frontend/app/scripts/controllers/case/CaseObservablesItemCtrl.js
index f9793b094c..2e09be4c74 100644
--- a/frontend/app/scripts/controllers/case/CaseObservablesItemCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseObservablesItemCtrl.js
@@ -45,7 +45,7 @@
                     })
                     .finally(function () {
                         if($scope.analysisEnabled) {
-                            $scope.jobs = CortexSrv.list($scope, $scope.caseId, observableId, $scope.onJobsChange);
+                            $scope.jobs = CortexSrv.listJobs($scope, $scope.caseId, observableId, $scope.onJobsChange);
                         }
                     });
 
@@ -310,7 +310,7 @@
             };
 
             $scope.getTags = function(query) {
-                return TagSrv.fromObservables(query);
+                return TagSrv.autoComplete(query);
             };
 
             $scope.loadShares = function () {
diff --git a/frontend/app/scripts/controllers/case/CaseProceduresCtrl.js b/frontend/app/scripts/controllers/case/CaseProceduresCtrl.js
new file mode 100644
index 0000000000..b602acf285
--- /dev/null
+++ b/frontend/app/scripts/controllers/case/CaseProceduresCtrl.js
@@ -0,0 +1,190 @@
+(function() {
+    'use strict';
+    angular.module('theHiveControllers')
+        .controller('CaseProceduresCtrl', CaseProceduresCtrl);
+
+    function CaseProceduresCtrl($scope, $state, $stateParams, $uibModal, ModalUtilsSrv, AttackPatternSrv, FilteringSrv, CaseTabsSrv, ProcedureSrv, PaginatedQuerySrv, NotificationSrv) {
+        var self = this;
+
+        CaseTabsSrv.activateTab($state.current.data.tab);
+
+        this.caseId = $stateParams.caseId;
+        this.tactics = AttackPatternSrv.tactics.values;
+        this.expanded = {};
+
+        this.$onInit = function() {
+            self.filtering = new FilteringSrv('procedure', 'procedure.list', {
+                version: 'v1',
+                defaults: {
+                    showFilters: true,
+                    showStats: false,
+                    pageSize: 15,
+                    sort: ['-occurDate'],
+                },
+                defaultFilter: []
+            });
+
+            self.filtering.initContext(self.caseId)
+                .then(function() {
+                    self.load();
+
+                    $scope.$watchCollection('$vm.list.pageSize', function (newValue) {
+                        self.filtering.setPageSize(newValue);
+                    });
+                });
+        };
+
+        this.addProcedure = function(procedure) {
+            var modalInstance = $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/case/procedures/add-procedure.modal.html',
+                controller: 'AddProcedureModalCtrl',
+                controllerAs: '$modal',
+                size: 'lg',
+                resolve: {
+                    caseId: function() {
+                        return self.caseId;
+                    },
+                    procedure: function() {
+                        return angular.copy(procedure);
+                    }
+                }
+            });
+
+            return modalInstance.result
+                .then(function() {
+                    self.load();
+                })
+                .catch(function(err) {
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('ProcedureCtrl', err.data, err.status);
+                    }
+                });
+        };
+
+        this.updateField = function(procedure, field, reload) {
+            var data = {};
+            data[field] = procedure[field];
+
+            ProcedureSrv.update(procedure._id, data)
+                .then(function(/*response*/) {
+                    if(reload) {
+                        self.load();
+                    }
+                }).catch(function(err) {
+                    NotificationSrv.error('ProcedureCtrl', err.data, err.status);
+                });
+        };
+
+        this.load = function() {
+            self.list = new PaginatedQuerySrv({
+                name: 'case-procedures',
+                root: self.caseId,
+                version: 'v1',
+                scope: $scope,
+                sort: self.filtering.context.sort,
+                loadAll: false,
+                pageSize: self.filtering.context.pageSize,
+                filter: self.filtering.buildQuery(),
+                operations: [
+                    {'_name': 'getCase', "idOrName": self.caseId},
+                    {'_name': 'procedures'}
+                ],
+                extraData: ['pattern', 'patternParent']
+            });
+        };
+
+        self.remove = function(procedure) {
+            ModalUtilsSrv.confirm('Delete TTP', 'Are you sure you want to delete the selected tactic, technique and procedure?', {
+                okText: 'Yes, remove it',
+                flavor: 'danger'
+            }).then(function() {
+                ProcedureSrv.remove(procedure._id)
+                    .then(function() {
+                        self.load();
+                        NotificationSrv.success('TTP has been successfully removed');
+                    })
+                    .catch(function(err) {
+                        NotificationSrv.error('Procedure List', err.data, err.status);
+                    });
+            });
+        };
+
+        self.showPattern = function(patternId) {
+            $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/attack/view.html',
+                controller: 'AttackPatternDialogCtrl',
+                controllerAs: '$modal',
+                size: 'max',
+                resolve: {
+                    pattern: function() {
+                        return AttackPatternSrv.get(patternId);
+                    }
+                }
+            });
+        };
+
+        this.toggleFilters = function () {
+            this.filtering.toggleFilters();
+        };
+
+
+        this.filter = function () {
+            self.filtering.filter().then(this.applyFilters);
+        };
+
+        this.clearFilters = function () {
+            this.filtering.clearFilters()
+                .then(self.search);
+        };
+
+        this.addFilter = function (field, value) {
+            self.filtering.addFilter(field, value).then(this.applyFilters);
+        };
+
+        this.removeFilter = function (index) {
+            self.filtering.removeFilter(index)
+                .then(self.search);
+        };
+
+        this.search = function () {
+            self.load();
+            self.filtering.storeContext();
+        };
+
+        this.addFilterValue = function (field, value) {
+            this.filtering.addFilterValue(field, value);
+            this.search();
+        };
+
+        self.filterBy = function(field, value) {
+            self.filtering.clearFilters()
+                .then(function() {
+                    self.addFilterValue(field, value);
+                });
+        };
+
+        this.sortBy = function(sort) {
+            self.list.sort = sort;
+            self.list.update();
+            self.filtering.setSort(sort);
+        };
+
+        self.sortByField = function(field) {
+            var context = this.filtering.context;
+            var currentSort = Array.isArray(context.sort) ? context.sort[0] : context.sort;
+            var sort = null;
+
+            if(currentSort.substr(1) !== field) {
+                sort = ['+' + field];
+            } else {
+                sort = [(currentSort === '+' + field) ? '-'+field : '+'+field];
+            }
+
+            self.list.sort = sort;
+            self.list.update();
+            self.filtering.setSort(sort);
+        };
+    }
+}());
diff --git a/frontend/app/scripts/controllers/case/CaseTasksCtrl.js b/frontend/app/scripts/controllers/case/CaseTasksCtrl.js
index 9cf31da969..039b1aafaa 100755
--- a/frontend/app/scripts/controllers/case/CaseTasksCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseTasksCtrl.js
@@ -18,8 +18,13 @@
         $scope.taskResponders = null;
         $scope.collapseOptions = {};
 
+        $scope.selection = [];
+        $scope.menu = {
+            selectAll: false
+        };
+
         this.$onInit = function() {
-            $scope.filtering = new FilteringSrv('case_task', 'task.list', {
+            $scope.filtering = new FilteringSrv('task', 'task.list', {
                 version: 'v1',
                 defaults: {
                     showFilters: true,
@@ -48,7 +53,7 @@
         };
 
         $scope.load = function() {
-            $scope.tasks = new PaginatedQuerySrv({
+            $scope.list = new PaginatedQuerySrv({
                 name: 'case-tasks',
                 root: $scope.caseId,
                 objectType: 'case_task',
@@ -71,11 +76,76 @@
                 extraData: ['shareCount', 'actionRequired'],
                 //extraData: ['isOwner', 'shareCount'],
                 onUpdate: function() {
-                    $scope.buildTaskGroups($scope.tasks.values);
+                    $scope.buildTaskGroups($scope.list.values);
+                    $scope.resetSelection();
                 }
             });
         };
 
+        $scope.resetSelection = function() {
+            if ($scope.menu.selectAll) {
+                $scope.selectAll();
+            } else {
+                $scope.selection = [];
+                $scope.menu.selectAll = false;
+                $scope.updateMenu();
+            }
+        };
+
+        $scope.updateMenu = function() {
+            // Handle flag/unflag menu items
+            var temp = _.uniq(_.pluck($scope.selection, 'flag'));
+            $scope.menu.unflag = temp.length === 1 && temp[0] === true;
+            $scope.menu.flag = temp.length === 1 && temp[0] === false;
+
+            // Handle start menu item
+            temp = _.uniq(_.pluck($scope.selection, 'status'));
+            $scope.menu.start = temp.length === 1 && temp[0] === 'Waiting';
+
+            // Handle close menu item
+            temp = _.uniq(_.pluck($scope.selection, 'status'));
+            $scope.menu.close = temp.indexOf('Completed') === -1;
+
+            // Handle reopen menu item
+            temp = _.uniq(_.pluck($scope.selection, 'status'));
+            $scope.menu.reopen = temp.length === 1 && temp[0] === 'Completed';
+
+            $scope.menu.delete = $scope.selection.length > 0;
+        };
+
+        $scope.select = function(task) {
+            if (task.selected) {
+                $scope.selection.push(task);
+            } else {
+                $scope.selection = _.reject($scope.selection, function(item) {
+                    return item._id === task._id;
+                });
+            }
+            $scope.updateMenu();
+        };
+
+        $scope.selectAll = function() {
+            var selected = $scope.menu.selectAll;
+
+            _.each($scope.list.values, function(item) {
+                // if(SecuritySrv.checkPermissions(['manageCase'], item.extraData.permissions)) {
+                item.selected = selected;
+                // }
+            });
+
+            if (selected) {
+                $scope.selection = _.filter($scope.list.values, function(item) {
+                    return !!item.selected;
+                });
+            } else {
+                $scope.selection = [];
+            }
+
+            $scope.updateMenu();
+        };
+
+        // ######################@@@
+
         $scope.toggleStats = function () {
             $scope.filtering.toggleStats();
         };
@@ -215,6 +285,53 @@
             });
         };
 
+        $scope.bulkUpdate = function(ids, patch) {
+            return CaseTaskSrv.bulkUpdate(ids, patch)
+                .then(function(/*responses*/) {
+                    NotificationSrv.log('Selected tasks have been updated successfully', 'success');
+                })
+                .catch(function(err) {
+                    NotificationSrv.error('Bulk update tasks', err.data, err.status);
+                });
+        }
+
+        $scope.bulkFlag = function(flag) {
+            var ids = _.pluck($scope.selection, '_id');
+
+            return $scope.bulkUpdate(ids, {flag: flag});
+        }
+
+        $scope.bulkStatus = function(status) {
+            var ids = _.pluck($scope.selection, '_id');
+
+            return $scope.bulkUpdate(ids, {status: status});
+        }
+
+        $scope.bulkRemove = function() {
+            var ids = _.pluck($scope.selection, '_id');
+
+            ModalUtilsSrv.confirm('Delete selected tasks', 'Are you sure you want to delete the selected tasks?', {
+                okText: 'Yes, proceed',
+                flavor: 'danger'
+            }).then(function() {
+                return CaseTaskSrv.bulkUpdate(ids, {status: 'Cancel'})
+                    .then(function(/*responses*/) {
+                        NotificationSrv.log('Selected tasks have been successfully removed', 'success');
+
+                        _.each($scope.selection, function(task) {
+                            $scope.$emit('tasks:task-removed', task);
+                        });
+                    })
+                    .catch(function(err) {
+                        NotificationSrv.error('Bulk remove tasks', err.data, err.status);
+                    });
+            }).catch(function(err) {
+                if(err && !_.isString(err)) {
+                    NotificationSrv.error('Bulk remove tasks', err.data, err.status);
+                }
+            })
+        }
+
         // open task tab with its details
         $scope.startTask = function(task) {
             var taskId = task._id;
diff --git a/frontend/app/scripts/controllers/case/CaseTasksItemCtrl.js b/frontend/app/scripts/controllers/case/CaseTasksItemCtrl.js
index d214fec5a3..1812852b8c 100644
--- a/frontend/app/scripts/controllers/case/CaseTasksItemCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseTasksItemCtrl.js
@@ -382,7 +382,7 @@
             };
 
             $scope.markShareAsActionRequired = function(task, org) {
-                CaseTaskSrv.promtForActionRequired('Require Action', 'Would you like to add a task log before requesting action?')
+                CaseTaskSrv.promtForActionRequired('Require Action', 'Would you like to add a task log before marking the required action as DONE?')
                     .then(function(response) {
                         if(response === 'skip-log') {
                             return $q.resolve();
@@ -394,11 +394,33 @@
                         return CaseTaskSrv.markAsActionRequired(task._id, org);
                     })
                     .then(function() {
-                        NotificationSrv.log('The task\'s required action flag has been set for organisation ' + org, 'success');
+                        NotificationSrv.log('The task\'s required action is completed', 'success');
                     })
                     .catch(function(err) {
                         if(err && !_.isString(err)) {
-                            NotificationSrv.error('Error', 'Task request action failed', err.status);
+                            NotificationSrv.error('Error', 'Task required action failed to be marked as done', err.status);
+                        }
+                    });
+            };
+
+            $scope.markShareAsActionDone = function(task, org) {
+                CaseTaskSrv.promtForActionRequired('Require Action', 'Would you like to add a task log before marking the required action as DONE?')
+                    .then(function(response) {
+                        if(response === 'skip-log') {
+                            return $q.resolve();
+                        } else {
+                            return $scope.showAddLog('Please add a task log');
+                        }
+                    })
+                    .then(function() {
+                        return CaseTaskSrv.markAsDone(task._id, org);
+                    })
+                    .then(function() {
+                        NotificationSrv.log('The task\'s required action is completed', 'success');
+                    })
+                    .catch(function(err) {
+                        if(err && !_.isString(err)) {
+                            NotificationSrv.error('Error', 'Task required action failed to be marked as done', err.status);
                         }
                     });
             };
diff --git a/frontend/app/scripts/controllers/case/CaseUpdateCtrl.js b/frontend/app/scripts/controllers/case/CaseUpdateCtrl.js
index cb241c6a0f..d099ab5c7b 100644
--- a/frontend/app/scripts/controllers/case/CaseUpdateCtrl.js
+++ b/frontend/app/scripts/controllers/case/CaseUpdateCtrl.js
@@ -1,7 +1,7 @@
 (function() {
     'use strict';
     angular.module('theHiveControllers').controller('CaseUpdateCtrl',
-        function($scope, $uibModalInstance, TagSrv, selection) {
+        function($scope, $uibModalInstance, TagSrv, TaxonomyCacheSrv, selection) {
             var self = this;
 
             this.selection = selection;
@@ -134,7 +134,20 @@
             };
 
             this.getTags = function(query) {
-                return TagSrv.fromCases(query);
+                return TagSrv.autoComplete(query);
+            };
+
+            self.fromTagLibrary = function(field) {
+                TaxonomyCacheSrv.openTagLibrary()
+                    .then(function(tags){
+                        if(field === 'add') {
+                            self.params.addTags = (self.params.addTags || []).concat(tags);
+                            self.toggleAddTags();
+                        } else if (field === 'remove') {
+                            self.params.removeTags = (self.params.removeTags || []).concat(tags);
+                            self.toggleRemoveTags();
+                        }
+                    })
             };
 
             this.toggleTlp = function(value) {
diff --git a/frontend/app/scripts/controllers/case/ObservableCreationCtrl.js b/frontend/app/scripts/controllers/case/ObservableCreationCtrl.js
index 03a3548272..a41c930dc8 100644
--- a/frontend/app/scripts/controllers/case/ObservableCreationCtrl.js
+++ b/frontend/app/scripts/controllers/case/ObservableCreationCtrl.js
@@ -5,7 +5,7 @@
     'use strict';
 
     angular.module('theHiveControllers').controller('ObservableCreationCtrl',
-        function($scope, $stateParams, $uibModalInstance, clipboard, CaseArtifactSrv, ObservableTypeSrv, NotificationSrv, TagSrv, params) {
+        function($scope, $stateParams, $uibModalInstance, TaxonomyCacheSrv, clipboard, CaseArtifactSrv, ObservableTypeSrv, NotificationSrv, TagSrv, params) {
 
             $scope.activeTlp = 'active';
             $scope.pendingAsync = false;
@@ -64,6 +64,13 @@
                 })), '', null, undefined).length;
             };
 
+            $scope.fromTagLibrary = function() {
+                TaxonomyCacheSrv.openTagLibrary()
+                    .then(function(tags){
+                        $scope.params.tags = $scope.params.tags.concat(tags);
+                    })
+            };
+
             $scope.add = function(form) {
                 if (!form.$valid) {
                     return;
@@ -189,7 +196,7 @@
             };
 
             $scope.getTags = function(query) {
-                return TagSrv.fromObservables(query);
+                return TagSrv.autoComplete(query);
             };
         }
     );
diff --git a/frontend/app/scripts/controllers/case/ObservableUpdateCtrl.js b/frontend/app/scripts/controllers/case/ObservableUpdateCtrl.js
index 533ad1ef3c..f596796264 100644
--- a/frontend/app/scripts/controllers/case/ObservableUpdateCtrl.js
+++ b/frontend/app/scripts/controllers/case/ObservableUpdateCtrl.js
@@ -1,7 +1,7 @@
 (function() {
     'use strict';
     angular.module('theHiveControllers').controller('ObservableUpdateCtrl',
-        function($scope, $uibModalInstance, TagSrv, selection) {
+        function($scope, $uibModalInstance, TagSrv, TaxonomyCacheSrv, selection) {
             var self = this;
 
             this.selection = selection;
@@ -137,7 +137,20 @@
             };
 
             this.getTags = function(query) {
-                return TagSrv.fromObservables(query);
+                return TagSrv.autoComplete(query);
+            };
+
+            self.fromTagLibrary = function(field) {
+                TaxonomyCacheSrv.openTagLibrary()
+                    .then(function(tags){
+                        if(field === 'add') {
+                            self.params.addTags = (self.params.addTags || []).concat(tags);
+                            self.toggleAddTags();
+                        } else if (field === 'remove') {
+                            self.params.removeTags = (self.params.removeTags || []).concat(tags);
+                            self.toggleRemoveTags();
+                        }
+                    })
             };
 
             this.toogleIoc = function() {
diff --git a/frontend/app/scripts/controllers/case/ObservablesStatsCtrl.js b/frontend/app/scripts/controllers/case/ObservablesStatsCtrl.js
index e48194916b..f50102984c 100644
--- a/frontend/app/scripts/controllers/case/ObservablesStatsCtrl.js
+++ b/frontend/app/scripts/controllers/case/ObservablesStatsCtrl.js
@@ -42,7 +42,7 @@
                 ], {
                     scope: $scope,
                     rootId: caseId,
-                    objectType: 'case_artifact',
+                    objectType: 'observable',
                     query: {
                         params: {
                             name: 'observables-by-tags-stats-' + caseId
@@ -69,7 +69,7 @@
                 ], {
                     scope: $scope,
                     rootId: caseId,
-                    objectType: 'case_artifact',
+                    objectType: 'observable',
                     query: {
                         params: {
                             name: 'observables-by-type-stats-' + caseId
@@ -95,7 +95,7 @@
                 ], {
                     scope: $scope,
                     rootId: caseId,
-                    objectType: 'case_artifact',
+                    objectType: 'observable',
                     query: {
                         params: {
                             name: 'observables-by-ioc-stats-' + caseId
diff --git a/frontend/app/scripts/controllers/case/procedure/AddProcedureModalCtrl.js b/frontend/app/scripts/controllers/case/procedure/AddProcedureModalCtrl.js
new file mode 100644
index 0000000000..a0eb17c6a4
--- /dev/null
+++ b/frontend/app/scripts/controllers/case/procedure/AddProcedureModalCtrl.js
@@ -0,0 +1,77 @@
+/**
+ * Controller for About TheHive modal page
+ */
+(function() {
+    'use strict';
+
+    angular.module('theHiveControllers').controller('AddProcedureModalCtrl', function($rootScope, $scope, $uibModalInstance, NotificationSrv, ProcedureSrv, AttackPatternSrv, caseId) {
+            var self = this;
+
+            this.caseId = caseId;
+
+            this.close = function() {
+                $uibModalInstance.close();
+            };
+
+            this.cancel = function() {
+                if($rootScope.markdownEditorObjects.procedure) {
+                    $rootScope.markdownEditorObjects.procedure.hidePreview();                    
+                }
+
+                $uibModalInstance.dismiss();
+            };
+
+            this.addProcedure = function() {
+                self.state.loading = true;
+
+                ProcedureSrv.create({
+                    caseId: self.caseId,
+                    tactic: self.procedure.tactic,
+                    description: self.procedure.description,
+                    patternId: self.procedure.patternId,
+                    occurDate: self.procedure.occurDate
+                }).then(function(/*response*/) {
+                    self.state.loading = false;
+                    $uibModalInstance.close();
+                    NotificationSrv.log('Tactic, Technique and Procedure added successfully', 'success');
+                }).catch(function(err) {
+                    NotificationSrv.error('Add TTP', err.data, err.status);
+                    self.state.loading = false;
+                });
+            };
+
+            this.showTechniques = function() {
+                AttackPatternSrv.getByTactic(self.procedure.tactic)
+                    .then(function(techniques) {
+                        self.state.techniques = techniques;
+
+                        self.procedure.patternId = null;
+                    });
+            };
+
+            this.$onInit = function() {
+                this.markdownEditorOptions = {
+                    iconlibrary: 'fa',
+                    addExtraButtons: true,
+                    resize: 'vertical'
+                };
+
+                this.procedure = {
+                    tactic: null,
+                    description: null,
+                    patternId: null
+                };
+
+                this.tactics = AttackPatternSrv.tactics;
+
+                this.state = {
+                    loading: false,
+                    selectedTactic: null,
+                    techniques: null
+                };
+
+                $scope.$broadcast('beforeProcedureModalShow');
+            };
+        }
+    );
+})();
diff --git a/frontend/app/scripts/controllers/dashboard/DashboardViewCtrl.js b/frontend/app/scripts/controllers/dashboard/DashboardViewCtrl.js
index 5d494a96a5..64946c42c8 100644
--- a/frontend/app/scripts/controllers/dashboard/DashboardViewCtrl.js
+++ b/frontend/app/scripts/controllers/dashboard/DashboardViewCtrl.js
@@ -8,7 +8,7 @@
 
             this.currentUser = AuthenticationSrv.currentUser;
             this.createdBy = dashboard.createdBy;
-            this.dashboardStatus = dashboard.dashboardStatus;
+            this.dashboardStatus = dashboard.status;
             this.metadata = metadata;
             this.toolbox = DashboardSrv.toolbox;
             this.dashboardPeriods = DashboardSrv.dashboardPeriods;
@@ -52,10 +52,8 @@
                 }
             });
 
-
-
             this.canEditDashboard = function() {
-                return (this.createdBy === this.currentUser.login) || this.dashboardStatus === 'Shared';                
+                return (this.createdBy === this.currentUser.login) || this.dashboardStatus === 'Shared';
             };
 
             this.options = {
diff --git a/frontend/app/scripts/controllers/dashboard/DashboardsCtrl.js b/frontend/app/scripts/controllers/dashboard/DashboardsCtrl.js
index 53fa3a851a..307c17ba0b 100644
--- a/frontend/app/scripts/controllers/dashboard/DashboardsCtrl.js
+++ b/frontend/app/scripts/controllers/dashboard/DashboardsCtrl.js
@@ -51,20 +51,54 @@
                 return $uibModalInstance.close(dashboard);
             };
         })
-        .controller('DashboardsCtrl', function($scope, $state, $uibModal, PSearchSrv, ModalUtilsSrv, NotificationSrv, DashboardSrv, AuthenticationSrv) {
+        .controller('DashboardsCtrl', function($scope, $state, $uibModal, PaginatedQuerySrv, FilteringSrv, ModalUtilsSrv, NotificationSrv, DashboardSrv, AuthenticationSrv) {
             this.dashboards = [];
             var self = this;
 
+            this.$onInit = function() {
+                self.filtering = new FilteringSrv('dashboard', 'dashboard.list', {
+                    version: 'v0',
+                    defaults: {
+                        showFilters: true,
+                        showStats: false,
+                        pageSize: 15,
+                        sort: ['+title']
+                    },
+                    defaultFilter: []
+                });
+
+                self.filtering.initContext('list')
+                    .then(function() {
+                        self.load();
+
+                        $scope.$watch('$vm.list.pageSize', function (newValue) {
+                            self.filtering.setPageSize(newValue);
+                        });
+                    });
+            }
+
             this.load = function() {
-                DashboardSrv.list().then(function(response) {
-                    self.dashboards = response.data;
-                }, function(err){
-                    NotificationSrv.error('DashboardsCtrl', err.data, err.status);
+
+                self.list = new PaginatedQuerySrv({
+                    name: 'dashboard-list',
+                    version: 'v0',
+                    skipStream: true,
+                    sort: self.filtering.context.sort,
+                    loadAll: false,
+                    pageSize: self.filtering.context.pageSize,
+                    filter: this.filtering.buildQuery(),
+                    operations: [
+                        {'_name': 'listDashboard'}
+                    ],
+                    onFailure: function(err) {
+                        if(err && err.status === 400) {
+                            self.filtering.resetContext();
+                            self.load();
+                        }
+                    }
                 });
             };
 
-            this.load();
-
             this.openDashboardModal = function(dashboard) {
                 return $uibModal.open({
                     templateUrl: 'views/partials/dashboard/create.dialog.html',
@@ -186,5 +220,62 @@
                     }
                 });
             }
+
+            // Filtering
+            this.toggleFilters = function () {
+                this.filtering.toggleFilters();
+            };
+
+            this.filter = function () {
+                self.filtering.filter().then(this.applyFilters);
+            };
+
+            this.clearFilters = function () {
+                this.filtering.clearFilters()
+                    .then(self.search);
+            };
+
+            this.removeFilter = function (index) {
+                self.filtering.removeFilter(index)
+                    .then(self.search);
+            };
+
+            this.search = function () {
+                self.load();
+                self.filtering.storeContext();
+            };
+            this.addFilterValue = function (field, value) {
+                this.filtering.addFilterValue(field, value);
+                this.search();
+            };
+
+            this.filterBy = function(field, value) {
+                self.filtering.clearFilters()
+                    .then(function(){
+                        self.addFilterValue(field, value);
+                    });
+            };
+
+            this.sortBy = function(sort) {
+                self.list.sort = sort;
+                self.list.update();
+                self.filtering.setSort(sort);
+            };
+
+            this.sortByField = function(field) {
+                var context = this.filtering.context;
+                var currentSort = Array.isArray(context.sort) ? context.sort[0] : context.sort;
+                var sort = null;
+
+                if(currentSort.substr(1) !== field) {
+                    sort = ['+' + field];
+                } else {
+                    sort = [(currentSort === '+' + field) ? '-'+field : '+'+field];
+                }
+
+                self.list.sort = sort;
+                self.list.update();
+                self.filtering.setSort(sort);
+            };
         });
 })();
diff --git a/frontend/app/scripts/controllers/misc/TaxonomySelectionModalCtrl.js b/frontend/app/scripts/controllers/misc/TaxonomySelectionModalCtrl.js
new file mode 100644
index 0000000000..88675b131c
--- /dev/null
+++ b/frontend/app/scripts/controllers/misc/TaxonomySelectionModalCtrl.js
@@ -0,0 +1,52 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives')
+        .controller('TaxonomySelectionModalCtrl', function($uibModalInstance, taxonomies) {
+            var self = this;
+
+            this.taxonomies = angular.copy(taxonomies);
+            this.selectedTags = [];
+
+            this.formData = {
+                selectedTaxonomy: null,
+                selectedTags: []
+            };
+
+            this.selectTaxonomy = function(taxonomy) {
+                self.formData.selectedTaxonomy = taxonomy;
+                self.search = '';
+            }
+
+            this.selectTag = function(tag) {
+                tag.selected = !!!tag.selected;
+
+                if(tag.selected === true) {
+                    // Add to selection
+                    self.formData.selectedTags.push(tag);
+                } else {
+                    // Remove from selection
+                    self.formData.selectedTags = _.without(self.formData.selectedTags, tag);
+                }
+            }
+
+            this.clearSelection = function() {
+                _.each(self.formData.selectedTags, function(tag) {
+                    tag.selected = false;
+                });
+
+                self.formData.selectedTags = [];
+            }
+
+            this.addSelectedTags = function() {
+                if (!self.formData.selectedTaxonomy || self.formData.selectedTags.length === 0) {
+                    return;
+                }
+
+                $uibModalInstance.close(self.formData.selectedTags);
+            };
+
+            this.cancel = function() {
+                $uibModalInstance.dismiss();
+            };
+        });
+})();
diff --git a/frontend/app/scripts/directives/dashboard/filter-editor.js b/frontend/app/scripts/directives/dashboard/filter-editor.js
index 9dbf55da66..7ac98ce833 100644
--- a/frontend/app/scripts/directives/dashboard/filter-editor.js
+++ b/frontend/app/scripts/directives/dashboard/filter-editor.js
@@ -1,6 +1,6 @@
 (function() {
     'use strict';
-    angular.module('theHiveDirectives').directive('filterEditor', function($q, AuthenticationSrv, UserSrv, TagSrv, UtilsSrv) {
+    angular.module('theHiveDirectives').directive('filterEditor', function($q, AuthenticationSrv, TaxonomyCacheSrv, UserSrv, TagSrv, UtilsSrv) {
         return {
             restrict: 'E',
             scope: {
@@ -10,7 +10,15 @@
             },
             templateUrl: 'views/directives/dashboard/filter-editor.html',
             link: function(scope) {
+                scope.operatorMap = {
+                    empty: 'Is Empty',
+                    any: 'Any Of',
+                    none: 'None Of',
+                    all: 'All Of'
+                };
+
                 scope.dateOperator = {
+                    empty: 'Empty',
                     custom: 'Custom',
                     today: 'Today',
                     last7days: 'Last 7 days',
@@ -64,13 +72,20 @@
                     return filter.type;
                 };
 
+                scope.fromTagLibrary = function(filter) {
+                    TaxonomyCacheSrv.openTagLibrary()
+                        .then(function(tags){
+                            filter.value.list = filter.value.list.concat(tags);
+                        })
+                }
+
                 scope.promiseFor = function(filter, query) {
                     var field = scope.metadata[scope.entity].attributes[filter.field];
 
                     var promise = null;
 
                     if(field.name === 'tags') {
-                        return TagSrv.getTagsFor(scope.entity, query);
+                        return TagSrv.autoComplete(query);
                     } else if(field.type === 'user') {
                         promise = AuthenticationSrv.current()
                             .then(function(user) {
diff --git a/frontend/app/scripts/directives/flow/flow-item.js b/frontend/app/scripts/directives/flow/flow-item.js
index 13cda323c9..a013a2209a 100644
--- a/frontend/app/scripts/directives/flow/flow-item.js
+++ b/frontend/app/scripts/directives/flow/flow-item.js
@@ -2,7 +2,7 @@
     'use strict';
 
     angular.module('theHiveDirectives')
-        .directive('flowItem', function($uibModal, $state, $window, HtmlSanitizer, UserSrv) {
+        .directive('flowItem', function($uibModal, $state, $window, HtmlSanitizer, UserSrv, AttackPatternSrv) {
             return {
                 restrict: 'E',
                 replace: true,
@@ -58,6 +58,8 @@
                         return false;
                     };
 
+                    scope.tactics = AttackPatternSrv.tactics.values;
+
                     scope.bulk = scope.isBulkOperation();
                 },
                 templateUrl: 'views/directives/flow/flow-item.html'
diff --git a/frontend/app/scripts/directives/tag-colour.js b/frontend/app/scripts/directives/tag-colour.js
new file mode 100644
index 0000000000..c6fb358884
--- /dev/null
+++ b/frontend/app/scripts/directives/tag-colour.js
@@ -0,0 +1,22 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives').directive('tagColour', function($timeout, TaxonomyCacheSrv) {
+        return {
+            restrict: 'A',
+            scope: {
+                tag: '='
+            },
+            link: function(scope, element/*, attrs*/) {
+                if(!scope.tag) {
+                    return;
+                }
+
+                scope.bgColour = TaxonomyCacheSrv.getColour(scope.tag) || TaxonomyCacheSrv.getColour('_freetags_:' + scope.tag) || '#3c8dbc';
+
+                $timeout(function() {
+                    angular.element(element[0]).attr('style', 'background-color:' + scope.bgColour);
+                });
+            }
+        };
+    });
+})();
diff --git a/frontend/app/scripts/directives/tag-item.js b/frontend/app/scripts/directives/tag-item.js
new file mode 100644
index 0000000000..0d060ec5c0
--- /dev/null
+++ b/frontend/app/scripts/directives/tag-item.js
@@ -0,0 +1,59 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives').directive('tagItem', function(TaxonomyCacheSrv) {
+        return {
+            restrict: 'E',
+            replace: true,
+            scope: {
+                value: '=',
+                colour: '='
+            },
+            templateUrl: 'views/directives/tag-item.html',
+            link: function(scope/*, element, attrs*/) {
+                if(!scope.value) {
+                    return;
+                }
+                if(_.isString(scope.value)) {
+                    scope.tag = scope.value;
+                    scope.bgColor = scope.colour ||
+                        TaxonomyCacheSrv.getColour(scope.value) ||
+                        TaxonomyCacheSrv.getColour('_freetags_:' + scope.value) ||
+                        '#000000';
+                } else {
+                    scope.tag = _.without([
+                        scope.value.namespace,
+                        ':',
+                        scope.value.predicate,
+                        scope.value.value ? ("=\"" + scope.value.value + "\"") : null
+                    ], null).join('');
+                    scope.bgColor = scope.value.colour || scope.colour || '#000000';
+                }
+
+                scope.$watch('colour', function(value) {
+                    if(!value) {
+                        return;
+                    }
+                    scope.bgColor = value;
+                });
+
+                scope.$watch('value', function(value) {
+                    if(!value) {
+                        return;
+                    }
+
+                    if(_.isString(value)) {
+                        scope.tag = value;
+                    } else {
+                        scope.tag = _.without([
+                            value.namespace,
+                            ':',
+                            value.predicate,
+                            value.value ? ("=\"" + value.value + "\"") : null
+                        ], null).join('');
+                    }
+                });
+            }
+        };
+    });
+
+})();
diff --git a/frontend/app/scripts/directives/updatableColour.js b/frontend/app/scripts/directives/updatableColour.js
new file mode 100644
index 0000000000..1ffbda4fae
--- /dev/null
+++ b/frontend/app/scripts/directives/updatableColour.js
@@ -0,0 +1,18 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives')
+        .directive('updatableColour', function(UtilsSrv) {
+            return {
+                'restrict': 'E',
+                'link': UtilsSrv.updatableLink,
+                'templateUrl': 'views/directives/updatable-colour.html',
+                'scope': {
+                    'value': '=?',
+                    'onUpdate': '&',
+                    'active': '=?',
+                    'placeholder': '@',
+                    'clearable': '<?'
+                }
+            };
+        });
+})();
diff --git a/frontend/app/scripts/directives/updatableTag.js b/frontend/app/scripts/directives/updatableTag.js
new file mode 100644
index 0000000000..419462dd92
--- /dev/null
+++ b/frontend/app/scripts/directives/updatableTag.js
@@ -0,0 +1,16 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives')
+        .directive('updatableTag', function(UtilsSrv) {
+            return {
+                'restrict': 'E',
+                'link': UtilsSrv.updatableLink,
+                'templateUrl': 'views/directives/updatable-tag.html',
+                'scope': {
+                    'value': '=?',
+                    'colour': '<?',
+                    'onUpdate': '&'
+                }
+            };
+        });
+})();
diff --git a/frontend/app/scripts/directives/updatableTagList.js b/frontend/app/scripts/directives/updatableTagList.js
new file mode 100644
index 0000000000..4e68fc36c4
--- /dev/null
+++ b/frontend/app/scripts/directives/updatableTagList.js
@@ -0,0 +1,61 @@
+(function() {
+    'use strict';
+    angular.module('theHiveDirectives')
+        .directive('updatableTagList', function(UtilsSrv, $uibModal, $filter, NotificationSrv, TaxonomyCacheSrv) {
+            return {
+                restrict: 'E',
+                link: UtilsSrv.updatableLink,
+                templateUrl: 'views/directives/updatable-tag-list.html',
+                scope: {
+                    value: '=?',
+                    onUpdate: '&',
+                    active: '=?',
+                    source: '=',
+                    clearable: '<?'
+                },
+                controllerAs: '$cmp',
+                controller: function($scope) {
+                    this.state = {
+                        type: null,
+                    };
+
+                    this.fromLibrary = function() {
+                        this.state.type = 'library';
+
+                        var modalInstance = $uibModal.open({
+                            controller: 'TaxonomySelectionModalCtrl',
+                            controllerAs: '$modal',
+                            animation: true,
+                            templateUrl: 'views/partials/misc/taxonomy-selection.modal.html',
+                            size: 'lg',
+                            resolve: {
+                                taxonomies: function() {
+                                    return TaxonomyCacheSrv.all();
+                                }
+                            }
+                        });
+
+                        modalInstance.result
+                            .then(function(selectedTags) {
+                                var filterFn = $filter('tagValue'),
+                                    tags = [];
+
+                                _.each(selectedTags, function(tag) {
+                                    tags.push({
+                                        text: filterFn(tag)
+                                    });
+                                });
+
+                                $scope.value = $scope.value.concat(tags);
+                            })
+                            .catch(function(err) {
+                                if (err && !_.isString(err)) {
+                                    NotificationSrv.error('Tag selection', err.data, err.status);
+                                }
+                            });
+                    };
+
+                }
+            };
+        });
+})();
diff --git a/frontend/app/scripts/filters/custom-field-value.js b/frontend/app/scripts/filters/custom-field-value.js
index 583749dabd..91afae1e66 100644
--- a/frontend/app/scripts/filters/custom-field-value.js
+++ b/frontend/app/scripts/filters/custom-field-value.js
@@ -1,14 +1,16 @@
 (function() {
     'use strict';
-    angular.module('theHiveFilters').filter('customFieldValue', function() {
+    angular.module('theHiveFilters').filter('customFieldValue', function(UiSettingsSrv) {
         return function(customField) {
             if(!customField) {
                 return '';
             }
 
+            var format = UiSettingsSrv.defaultDateFormat()
+
             switch(customField.type) {
                 case 'date':
-                    return moment(customField.value).format('MM/DD/YY H:mm');
+                    return moment(customField.value).format(format);
                 default:
                     return customField.value;
             }
diff --git a/frontend/app/scripts/filters/filter-value.js b/frontend/app/scripts/filters/filter-value.js
index fa7aeee565..1cd5921b23 100644
--- a/frontend/app/scripts/filters/filter-value.js
+++ b/frontend/app/scripts/filters/filter-value.js
@@ -1,8 +1,10 @@
 (function() {
     'use strict';
 
-    angular.module('theHiveFilters').filter('filterValue', function(UtilsSrv) {
+    angular.module('theHiveFilters').filter('filterValue', function(UtilsSrv, UiSettingsSrv) {
         return function(value) {
+            var dateFormat = UiSettingsSrv.defaultDateFormat();
+
             if (angular.isArray(value)) {
                 return _.map(value, function(item) {
                     return item.label || item.text;
@@ -33,11 +35,11 @@
                 }
 
                 if(start !== null) {
-                    result.push('From: ' + moment(start).hour(0).minutes(0).seconds(0).format('MM/DD/YY HH:mm'));
+                    result.push('From: ' + moment(start).hour(0).minutes(0).seconds(0).format(dateFormat));
                 }
 
                 if(end !== null) {
-                    result.push('To: ' + moment(end).hour(23).minutes(59).seconds(59).format('MM/DD/YY HH:mm'));
+                    result.push('To: ' + moment(end).hour(23).minutes(59).seconds(59).format(dateFormat));
                 }
 
                 return result.join(', ');
diff --git a/frontend/app/scripts/filters/shortDate.js b/frontend/app/scripts/filters/shortDate.js
index 45af6206e1..bbad28211a 100644
--- a/frontend/app/scripts/filters/shortDate.js
+++ b/frontend/app/scripts/filters/shortDate.js
@@ -1,8 +1,9 @@
 (function() {
     'use strict';
-    angular.module('theHiveFilters').filter('shortDate', function() {
+    angular.module('theHiveFilters').filter('shortDate', function(UiSettingsSrv) {
         return function(str) {
-            var format = 'MM/DD/YY H:mm';
+            var format = UiSettingsSrv.defaultDateFormat() || 'MM/DD/YY H:mm';
+
             if (angular.isString(str) && str.length > 0) {
                 return moment(str, ['YYYYMMDDTHHmmZZ', 'DD-MM-YYYY HH:mm']).format(format);
             } else if (angular.isNumber(str)) {
diff --git a/frontend/app/scripts/filters/tag-value.js b/frontend/app/scripts/filters/tag-value.js
new file mode 100644
index 0000000000..d3ed8630d5
--- /dev/null
+++ b/frontend/app/scripts/filters/tag-value.js
@@ -0,0 +1,18 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveFilters').filter('tagValue', function () {
+        return function (tag) {
+            if (!tag) {
+                return '';
+            }
+
+            return _.without([
+                tag.namespace,
+                ':',
+                tag.predicate,
+                tag.value ? ("=\"" + tag.value + "\"") : null
+            ], null).join('');
+        };
+    });
+})();
diff --git a/frontend/app/scripts/services/EntitySrv.js b/frontend/app/scripts/services/EntitySrv.js
index f531eff88f..d20d1d97b6 100644
--- a/frontend/app/scripts/services/EntitySrv.js
+++ b/frontend/app/scripts/services/EntitySrv.js
@@ -19,6 +19,12 @@
                     caseId: entity.case.id,
                     itemId: entity.id
                 };
+            } else if (entity._type === 'observable') {
+                state.name = 'app.case.observables-item';
+                state.params = {
+                    caseId: entity.case.id,
+                    itemId: entity.id
+                };
             } else if (entity._type === 'case_artifact_job') {
                 state.name = 'app.case.observables-item';
                 state.params = {
diff --git a/frontend/app/scripts/services/api/AlertingSrv.js b/frontend/app/scripts/services/api/AlertingSrv.js
index 4d53efc81e..7bea51dfe3 100644
--- a/frontend/app/scripts/services/api/AlertingSrv.js
+++ b/frontend/app/scripts/services/api/AlertingSrv.js
@@ -6,6 +6,10 @@
             var baseUrl = './api/alert';
 
             var similarityFilters = {
+                'none': {
+                    label: 'None',
+                    filters: []
+                },
                 'open-cases': {
                     label: 'Open Cases',
                     filters: [{
diff --git a/frontend/app/scripts/services/api/AttackPatternSrv.js b/frontend/app/scripts/services/api/AttackPatternSrv.js
new file mode 100644
index 0000000000..e2f6421eb7
--- /dev/null
+++ b/frontend/app/scripts/services/api/AttackPatternSrv.js
@@ -0,0 +1,203 @@
+
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('AttackPatternSrv', function($http, $q, QuerySrv) {
+            var self = this;
+            var baseUrl = './api/v1/pattern';
+
+            this.tacticsCache = {};
+
+            this.tactics = {
+                keys: [
+                    'reconnaissance',
+                    'resource-development',
+                    'initial-access',
+                    'execution',
+                    'persistence',
+                    'privilege-escalation',
+                    'defense-evasion',
+                    'credential-access',
+                    'discovery',
+                    'lateral-movement',
+                    'collection',
+                    'command-and-control',
+                    'exfiltration',
+                    'impact'
+                ],
+                values: {
+                    'reconnaissance': {
+                        label: 'Reconnaissance',
+                        color: '#D1BBD7'
+                    },
+                    'resource-development': {
+                        label: 'Resource Development',
+                        color: '#AE76A3'
+                    },
+                    'initial-access': {
+                        label: 'Initial Access',
+                        color: '#882E72'
+                    },
+                    'execution': {
+                        label: 'Execution',
+                        color: '#1965B0'
+                    },
+                    'persistence': {
+                        label: 'Persistence',
+                        color: '#5289C7'
+                    },
+                    'privilege-escalation': {
+                        label: 'Privilege Escalation',
+                        color: '#7BAFDE'
+                    },
+                    'defense-evasion': {
+                        label: 'Defense Evasion',
+                        color: '#4EB256'
+                    },
+                    'credential-access': {
+                        label: 'Credential Access',
+                        color: '#90C987'
+                    },
+                    'discovery': {
+                        label: 'Discovery',
+                        color: '#CAE0AB'
+                    },
+                    'lateral-movement': {
+                        label: 'Lateral Movement',
+                        color: '#F7F056'
+                    },
+                    'collection': {
+                        label: 'Collection',
+                        color: '#F6C141'
+                    },
+                    'command-and-control': {
+                        label: 'Command and Control',
+                        color: '#F1932D'
+                    },
+                    'exfiltration': {
+                        label: 'Exfiltration',
+                        color: '#E8601C'
+                    },
+                    'impact': {
+                        label: 'Impact',
+                        color: '#DC050C'
+                    }
+                }
+            };
+
+            this.list = function() {
+                return QuerySrv.call('v1', [
+                    { _name: 'listPattern' }
+                ], {
+                    name:'list-attack-patterns'
+                });
+            };
+
+            this.getByTactic = function(tactic) {
+                var defer = $q.defer();
+
+                if(self.tacticsCache[tactic]) {
+                    console.log('get techniques from cache for ', tactic);
+
+                    defer.resolve(self.tacticsCache[tactic]);
+                } else {
+                    console.log('get techniques from server for ', tactic);
+
+                    QuerySrv.call('v1', [
+                        { _name: 'listPattern'}
+                    ], {
+                        name:'list-attack-patterns-for-' + tactic,
+                        filter: {
+                            _and: [
+                                {
+                                    _field: 'patternType',
+                                    _value: 'attack-pattern'
+                                }, {
+                                    _like: {
+                                        _field: 'tactics',
+                                        _value: tactic
+                                    }
+                                },
+                                {
+                                    _field: 'revoked',
+                                    _value: false
+                                }
+                            ]
+                        },
+                        sort: ['+patternId'],
+                        page: {
+                            from: 0,
+                            to: 100,
+                            extraData: ['parent']
+                        }
+                    }).then(function(techniques) {
+
+                        _.each(techniques, function(technique) {
+                            technique.isSubTechnique = !!technique.extraData.parent;
+                        });
+
+                        self.tacticsCache[tactic] = techniques;
+
+                        defer.resolve(techniques);
+                    });
+                }
+
+                return defer.promise;
+            };
+
+            this.get = function(id) {
+
+                var defer = $q.defer();
+
+                QuerySrv.call('v1', [{
+                    '_name': 'getPattern',
+                    'idOrName': id
+                }], {
+                    name:'get-attach-pattern-' + id,
+                    page: {
+                        from: 0,
+                        to: 1,
+                        extraData: [
+                            'parent',
+                            'children'
+                        ]
+                    }
+                }).then(function(response) {
+                    defer.resolve(response[0]);
+                }).catch(function(err){
+                    defer.reject(err);
+                });
+
+                return defer.promise;
+            };
+
+            this.import = function(post) {
+                var postData = {
+                    file: post.attachment
+                };
+
+                return $http({
+                    method: 'POST',
+                    url: baseUrl + '/import/attack',
+                    headers: {
+                        'Content-Type': undefined
+                    },
+                    transformRequest: function (data) {
+                        var formData = new FormData(),
+                            copy = angular.copy(data, {});
+
+                        angular.forEach(data, function (value, key) {
+                            if (Object.getPrototypeOf(value) instanceof Blob || Object.getPrototypeOf(value) instanceof File) {
+                                formData.append(key, value);
+                                delete copy[key];
+                            }
+                        });
+
+                        return formData;
+                    },
+                    data: postData
+                });
+            };
+        });
+
+})();
diff --git a/frontend/app/scripts/services/api/AuthenticationSrv.js b/frontend/app/scripts/services/api/AuthenticationSrv.js
index 8ab43fe9ac..efd4125f84 100644
--- a/frontend/app/scripts/services/api/AuthenticationSrv.js
+++ b/frontend/app/scripts/services/api/AuthenticationSrv.js
@@ -79,6 +79,12 @@
                             return 'app.administration.analyzer-templates';
                         } else if(self.hasPermission('manageObservableTemplate')) {
                             return 'app.administration.observables';
+                        } else if(self.hasPermission('managePlatform')) {
+                            return 'app.administration.platform';
+                        } else if(self.hasPermission('manageTaxonomy')) {
+                            return 'app.administration.taxonomies';
+                        } else if(self.hasPermission('managePattern')) {
+                            return 'app.administration.attackPatterns';
                         }
                     } else {
                         return 'app.cases';
diff --git a/frontend/app/scripts/services/api/CaseSrv.js b/frontend/app/scripts/services/api/CaseSrv.js
index 1597dd9f9a..32a5446f16 100644
--- a/frontend/app/scripts/services/api/CaseSrv.js
+++ b/frontend/app/scripts/services/api/CaseSrv.js
@@ -12,14 +12,14 @@
                     url: './api/case/:caseId/links',
                     isArray: true
                 },
-                merge: {
-                    method: 'POST',
-                    url: './api/case/:caseId/_merge/:mergedCaseId',
-                    params: {
-                        caseId: '@caseId',
-                        mergedCaseId: '@mergedCaseId',
-                    }
-                },
+                // merge: {
+                //     method: 'POST',
+                //     url: './api/case/:caseId/_merge/:mergedCaseId',
+                //     params: {
+                //         caseId: '@caseId',
+                //         mergedCaseId: '@mergedCaseId',
+                //     }
+                // },
                 forceRemove: {
                     method: 'DELETE',
                     url: './api/case/:caseId/force',
@@ -94,6 +94,10 @@
                 return defer.promise;
             };
 
+            this.merge = function(ids) {
+                return $http.post('./api/v1/case/_merge/' + ids.join(','));
+            };
+
             this.bulkUpdate = function(ids, update) {
                 return $http.patch('./api/case/_bulk', _.extend({ids: ids}, update));
             };
@@ -122,6 +126,10 @@
                     }
                 });
             };
+
+            this.removeCustomField = function(customfFieldValueId) {
+                return $http.delete('./api/v1/case/customField/' + customfFieldValueId)
+            }
         });
 
 })();
diff --git a/frontend/app/scripts/services/api/CaseTaskSrv.js b/frontend/app/scripts/services/api/CaseTaskSrv.js
index 6b3e96e8a4..1c8d6c3469 100644
--- a/frontend/app/scripts/services/api/CaseTaskSrv.js
+++ b/frontend/app/scripts/services/api/CaseTaskSrv.js
@@ -57,6 +57,10 @@
                 });
             };
 
+            this.bulkUpdate = function(ids, update) {
+                return $http.patch('./api/v1/task/_bulk', _.extend({ids: ids}, update));
+            };
+
             this.removeShare = function(id, share) {
                 return $http.delete('./api/task/'+id+'/shares', {
                     data: {
diff --git a/frontend/app/scripts/services/api/CortexSrv.js b/frontend/app/scripts/services/api/CortexSrv.js
index 00921b0fae..40c99dec91 100644
--- a/frontend/app/scripts/services/api/CortexSrv.js
+++ b/frontend/app/scripts/services/api/CortexSrv.js
@@ -1,27 +1,30 @@
 (function() {
     'use strict';
-    angular.module('theHiveServices').service('CortexSrv', function($q, $http, $rootScope, $uibModal, QuerySrv, StatSrv, StreamSrv, AnalyzerSrv, PSearchSrv, ModalUtilsSrv) {
+    angular.module('theHiveServices').service('CortexSrv', function($q, $http, $rootScope, $uibModal, QuerySrv, PaginatedQuerySrv, StreamSrv, AnalyzerSrv, PSearchSrv, ModalUtilsSrv) {
         var self = this;
         var baseUrl = './api/connector/cortex';
 
-        this.list = function(scope, caseId, observableId, callback) {
-            return PSearchSrv(undefined, 'connector/cortex/job', {
+        this.listJobs = function(scope, caseId, observableId, callback) {
+            return new PaginatedQuerySrv({
+                name: 'observable-jobs-' + observableId,
+                version: 'v1',
                 scope: scope,
-                sort: ['-startDate'],
+                streamObjectType: 'case_artifact_job',
                 loadAll: false,
+                sort: ['-startDate'],
                 pageSize: 200,
                 onUpdate: callback || angular.noop,
-                streamObjectType: 'case_artifact_job',
-                filter: {
-                    _parent: {
-                        _type: 'case_artifact',
-                        _query: {
-                            _id: observableId
-                        }
-                    }
+                operations: [
+                    { '_name': 'getObservable', 'idOrName': observableId },
+                    { '_name': 'jobs' }
+                ],
+                guard: function(updates) {
+                    return _.find(updates, function(item) {
+                        return (item.base.details.objectType === 'Observable') && (item.base.details.objectId === observableId);
+                    }) !== undefined;
                 }
             });
-        };
+        }
 
         this.getJobs = function(caseId, observableId, analyzerId, limit) {
 
diff --git a/frontend/app/scripts/services/api/OrganisationSrv.js b/frontend/app/scripts/services/api/OrganisationSrv.js
index 9d9869b806..f043551b7a 100644
--- a/frontend/app/scripts/services/api/OrganisationSrv.js
+++ b/frontend/app/scripts/services/api/OrganisationSrv.js
@@ -54,7 +54,11 @@
                     {
                         '_name': 'users'
                     }
-                ]).then(function(response) {
+                ], {
+                    params: {
+                        name: 'users'
+                    }
+                }).then(function(response) {
                     return $q.resolve(response.data);
                 });
             };
@@ -67,7 +71,11 @@
                     {
                         '_name': 'caseTemplates'
                     }
-                ]).then(function(response) {
+                ], {
+                    params: {
+                        name: 'caseTemplates'
+                    }
+                }).then(function(response) {
                     return $q.resolve(response.data);
                 });
             };
diff --git a/frontend/app/scripts/services/api/PlatformSrv.js b/frontend/app/scripts/services/api/PlatformSrv.js
new file mode 100644
index 0000000000..bd3451ec11
--- /dev/null
+++ b/frontend/app/scripts/services/api/PlatformSrv.js
@@ -0,0 +1,23 @@
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('PlatformSrv', function($http) {
+
+            this.getIndexStatus = function() {
+                return $http.get('./api/v1/admin/index/status')
+            }
+
+            this.runReindex = function(indexName) {
+                return $http.get('./api/v1/admin/index/'+indexName+'/reindex');
+            }
+
+            this.getCheckStats = function() {
+                return $http.get('./api/v1/admin/check/stats')
+            }
+
+            this.runCheck = function(checkName) {
+                return $http.get('./api/v1/admin/check/'+checkName+'/trigger');
+            }
+
+        });
+})();
diff --git a/frontend/app/scripts/services/api/ProcedureSrv.js b/frontend/app/scripts/services/api/ProcedureSrv.js
new file mode 100644
index 0000000000..7ee6d90ea6
--- /dev/null
+++ b/frontend/app/scripts/services/api/ProcedureSrv.js
@@ -0,0 +1,29 @@
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('ProcedureSrv', function($q, $http) {
+            var self = this;
+            var baseUrl = './api/v1/procedure';
+
+            self.get = function(procedureId) {
+                return $http.get(baseUrl + '/' + procedureId)
+                    .then(function(response) {
+                        return $q.resolve(response.data);
+                    });
+            };
+
+            self.create = function(data) {
+                return $http.post(baseUrl, data || {});
+            };
+
+            self.update = function(procedureId, updates) {
+                return $http.patch(baseUrl + '/' + procedureId, updates);
+            };
+
+            self.remove = function(procedureId, updates) {
+                return $http.delete(baseUrl + '/' + procedureId, updates);
+            };
+
+        });
+
+})();
diff --git a/frontend/app/scripts/services/api/ProfileSrv.js b/frontend/app/scripts/services/api/ProfileSrv.js
index 40ebe5af40..3a1becdfac 100644
--- a/frontend/app/scripts/services/api/ProfileSrv.js
+++ b/frontend/app/scripts/services/api/ProfileSrv.js
@@ -11,24 +11,28 @@
                 admin: {
                     hints: 'Permissions for administration user profiles',
                     keys: [
-                        'manageUser',
                         'manageOrganisation',
+                        'manageProfile',
+                        'manageUser',
                         'manageCustomField',
                         'manageConfig',
-                        'manageTag',
-                        'manageProfile',
                         'manageAnalyzerTemplate',
-                        'manageObservableTemplate'
+                        'manageObservableTemplate',
+                        'manageTaxonomy',
+                        'managePattern',
+                        'managePlatform'
                     ],
                     labels: {
-                        manageUser: 'Manage users',
                         manageOrganisation: 'Manage organisations',
+                        manageProfile: 'Manage profiles',
+                        manageUser: 'Manage users',
                         manageCustomField: 'Manage custom fields',
                         manageConfig: 'Manage configurations',
-                        manageTag: 'Manage tags',
-                        manageProfile: 'Manage profiles',
                         manageAnalyzerTemplate: 'Manage analyzer templates',
-                        manageObservableTemplate: 'Manage observable types'
+                        manageObservableTemplate: 'Manage observable types',
+                        manageTaxonomy: 'Manage taxonomies',
+                        managePattern: 'Manage attack patterns',
+                        managePlatform: 'Manage the platform'
                     }
                 },
                 org: {
@@ -36,6 +40,7 @@
                     keys: [
                         'manageUser',
                         'manageCaseTemplate',
+                        'manageTag',
                         'manageAlert',
                         'manageCase',
                         'manageShare',
@@ -48,6 +53,7 @@
                     labels: {
                         manageUser: 'Manage users',
                         manageCaseTemplate: 'Manage case templates',
+                        manageTag: 'Manage custom tags',
                         manageAlert: 'Manage alert',
                         manageCase: 'Manage case',
                         manageShare: 'Manage sharing',
@@ -61,7 +67,9 @@
             };
 
             this.list = function() {
-                return $http.get(baseUrl);
+                return $http.get(baseUrl, {params: {
+                    range: 'all'
+                }});
             };
 
             this.get = function(name) {
diff --git a/frontend/app/scripts/services/api/TagSrv.js b/frontend/app/scripts/services/api/TagSrv.js
index d90300a3ca..83a6057a21 100644
--- a/frontend/app/scripts/services/api/TagSrv.js
+++ b/frontend/app/scripts/services/api/TagSrv.js
@@ -1,66 +1,51 @@
 (function() {
     'use strict';
     angular.module('theHiveServices')
-        .service('TagSrv', function(QuerySrv, $q) {
+        .service('TagSrv', function(QuerySrv, $q, $http) {
 
-            var self = this;
-
-            var getTags = function(objectType, term) {
+            this.getFreeTags = function() {
                 var defer = $q.defer();
-                var operations = [
-                    { _name: 'listTag' }
-                ];
 
-                if(objectType) {
-                    operations.push({ _name: objectType });
-                }
+                var operations = [
+                    { _name: 'listTag'},
+                    { _name: 'freetags'},
+                ]
 
-                operations.push({
-                    _name: 'filter',
-                    _like: {
-                        _field: 'text',
-                        _value: '*' + term + '*'
+                QuerySrv.query('v1', operations, {
+                    params: {
+                        name: 'list-tags'
                     }
+                }).then(function(response) {
+                    defer.resolve(response.data);
                 });
 
-                operations.push({ _name: 'text' });
-
-                // Get the list
-                QuerySrv.call('v0', operations, {name: 'tags-auto-complete'})
-                    .then(function(data) {
-                        defer.resolve(_.map(_.unique(data), function(tag) {
-                            return {text: tag};
-                        }));
-                    });
-
                 return defer.promise;
             };
 
-            this.getTagsFor = function(entity, query) {
-
-                switch(entity) {
-                    case 'case':
-                        return self.fromCases(query);
-                    case 'case_artifact':
-                        return self.fromObservables(query);
-                    case 'alert':
-                        return self.fromAlerts(query);
-                    default:
-                        return self.getTags(undefined, query);
-                }
+            this.updateTag = function(id, patch) {
+                return $http.patch('./api/v1/tag/' + id, patch);
+            }
 
-            };
+            this.removeTag = function(id) {
+                return $http.delete('./api/v1/tag/' + id);
+            }
 
-            this.fromCases = function(term) {
-                return getTags('fromCase', term);
-            };
+            this.autoComplete = function(term) {
+                var defer = $q.defer();
 
-            this.fromObservables = function(term) {
-                return getTags('fromObservable', term);
-            };
+                var operations = [
+                    { _name: 'tagAutoComplete', freeTag: term, limit: 20}
+                ]
+
+                QuerySrv.call('v1', operations, {
+                    name: 'tags-auto-complete'
+                }).then(function(response) {
+                    defer.resolve(_.map(response, function(tag) {
+                        return {text: tag};
+                    }));
+                });
 
-            this.fromAlerts = function(term) {
-                return getTags('fromAlert', term);
+                return defer.promise;
             };
 
         });
diff --git a/frontend/app/scripts/services/api/TaxonomyCacheSrv.js b/frontend/app/scripts/services/api/TaxonomyCacheSrv.js
new file mode 100644
index 0000000000..9a72d87700
--- /dev/null
+++ b/frontend/app/scripts/services/api/TaxonomyCacheSrv.js
@@ -0,0 +1,117 @@
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('TaxonomyCacheSrv', function($http, $q, $filter, $uibModal, TagSrv, QuerySrv) {
+            var self = this;
+
+            this.cache = null;
+            this.tagsCache = null;
+
+            this.list = function() {
+                return QuerySrv.call('v1', [
+                    { _name: 'listTaxonomy' }
+                ], {
+                    name:'list-taxonomies'
+                }, {
+                    name: 'filter',
+                    _field: 'enabled',
+                    _value: true
+                });
+            };
+
+            this.clearCache = function() {
+                self.cache = null;
+                self.tagsCache = null;
+            };
+
+            this.getCache = function(name) {
+                return self.cache[name];
+            };
+
+            this.getColour = function(tag) {
+                return self.tagsCache[tag];
+            };
+
+            this.cacheTagColors = function(tags) {
+                var fn = $filter('tagValue');
+
+                _.each(tags, function(tag) {
+                    var name = fn(tag);
+
+                    if(!_.isEmpty(name)) {
+                        self.tagsCache[name] =  tag.colour;
+                    }
+                });
+            };
+
+            this.all = function(reload) {
+                var deferred = $q.defer();
+
+                if (self.cache === null || reload === true) {
+                    self.list()
+                        .then(function(response) {
+                            self.cache = {};
+                            self.tagsCache = {};
+
+                            _.each(response, function(taxonomy) {
+                                self.cache[taxonomy.namespace] = taxonomy;
+
+                                self.cacheTagColors(taxonomy.tags);
+                            });
+                        })
+                        .then(function() {
+                            return TagSrv.getFreeTags();
+                        })
+                        .then(function(freeTags) {
+                            self.cacheTagColors(freeTags);
+
+                            deferred.resolve(self.cache);
+                        });
+                } else {
+                    deferred.resolve(self.cache);
+                }
+
+                return deferred.promise;
+            };
+
+            self.openTagLibrary = function() {
+                var defer = $q.defer();
+
+                var modalInstance = $uibModal.open({
+                    controller: 'TaxonomySelectionModalCtrl',
+                    controllerAs: '$modal',
+                    animation: true,
+                    templateUrl: 'views/partials/misc/taxonomy-selection.modal.html',
+                    size: 'lg',
+                    resolve: {
+                        taxonomies: function() {
+                            return self.all();
+                        }
+                    }
+                });
+
+                modalInstance.result
+                    .then(function(selectedTags) {
+                        var filterFn = $filter('tagValue'),
+                            tags = [];
+
+                        _.each(selectedTags, function(tag) {
+                            tags.push({
+                                text: filterFn(tag)
+                            });
+                        });
+
+                        //$scope.tags = $scope.tags.concat(tags);
+                        defer.resolve(tags);
+                    })
+                    .catch(function(err) {
+                        if (err && !_.isString(err)) {
+                            NotificationSrv.error('Tag selection', err.data, err.status);
+                        }
+                        defer.rejeect(err);
+                    });
+
+                return defer.promise;
+            };
+        });
+})();
diff --git a/frontend/app/scripts/services/api/TaxonomySrv.js b/frontend/app/scripts/services/api/TaxonomySrv.js
new file mode 100644
index 0000000000..70aafedca8
--- /dev/null
+++ b/frontend/app/scripts/services/api/TaxonomySrv.js
@@ -0,0 +1,64 @@
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('TaxonomySrv', function($http, QuerySrv) {
+            var baseUrl = './api/v1/taxonomy';
+
+            this.list = function() {
+                return QuerySrv.call('v1', [
+                    { _name: 'listTaxonomy' }
+                ], {
+                    name:'list-taxonomies'
+                });
+            };
+
+            this.get = function(name) {
+                return $http.get(baseUrl + '/' + name);
+            };
+
+            this.toggleActive = function(id, active) {
+                return $http.put([baseUrl, id, !!active ? 'activate' : 'deactivate'].join('/'));
+            };
+
+            this.create = function(profile) {
+                return $http.post(baseUrl, profile);
+            };
+
+            this.update = function(id, profile) {
+                return $http.patch(baseUrl + '/' + id, profile);
+            };
+
+            this.remove = function(id) {
+                return $http.delete(baseUrl + '/' + id);
+            };
+
+            this.import = function(post) {
+                var postData = {
+                    file: post.attachment
+                };
+
+                return $http({
+                    method: 'POST',
+                    url: baseUrl + '/import-zip',
+                    headers: {
+                        'Content-Type': undefined
+                    },
+                    transformRequest: function (data) {
+                        var formData = new FormData(),
+                            copy = angular.copy(data, {});
+
+                        angular.forEach(data, function (value, key) {
+                            if (Object.getPrototypeOf(value) instanceof Blob || Object.getPrototypeOf(value) instanceof File) {
+                                formData.append(key, value);
+                                delete copy[key];
+                            }
+                        });
+
+                        return formData;
+                    },
+                    data: postData
+                });
+            };
+        });
+
+})();
diff --git a/frontend/app/scripts/services/api/UiSettingsSrv.js b/frontend/app/scripts/services/api/UiSettingsSrv.js
index 4ffaabd92b..22bd5fc97d 100644
--- a/frontend/app/scripts/services/api/UiSettingsSrv.js
+++ b/frontend/app/scripts/services/api/UiSettingsSrv.js
@@ -9,7 +9,8 @@
         this.keys = [
             'hideEmptyCaseButton',
             'disallowMergeAlertInResolvedSimilarCases',
-            'defaultAlertSimilarCaseFilter'
+            'defaultAlertSimilarCaseFilter',
+            'defaultDateFormat'
         ];
 
         this.clearCache = function() {
diff --git a/frontend/app/scripts/services/api/UserSrv.js b/frontend/app/scripts/services/api/UserSrv.js
index 714fc51d42..db863e0459 100644
--- a/frontend/app/scripts/services/api/UserSrv.js
+++ b/frontend/app/scripts/services/api/UserSrv.js
@@ -266,7 +266,9 @@
                 QuerySrv.call('v1', [
                     {'_name': 'listOrganisation'},
                     {'_name': 'users'},
-                ])
+                    ], {
+                        name: 'users'
+                    })
                     .then(function(users) {
                         _.each(users, function(u) {
                             self.updateCache(u.login, u);
diff --git a/frontend/app/scripts/services/common/QueryBuilderSrv.js b/frontend/app/scripts/services/common/QueryBuilderSrv.js
index 93cf6b3ce3..584a833f5d 100644
--- a/frontend/app/scripts/services/common/QueryBuilderSrv.js
+++ b/frontend/app/scripts/services/common/QueryBuilderSrv.js
@@ -26,6 +26,15 @@
                 return null;
             }
             var operator = filter.value.operator || 'eq';
+
+            if(operator === 'empty') {
+                return {
+                    _not: {
+                        _contains: filter.field
+                    }
+                };
+            }
+
             var criterion = {};
             criterion[filter.field] = filter.value.value;
 
@@ -50,33 +59,44 @@
                 return null;
             }
             var operator = filter.value.operator || 'any';
-            var values = _.pluck(filter.value.list, 'text');
 
-            if(values.length > 0) {
-                var criterions = _.map(values, function(val) {
-                    return {_like: {
-                        _field: filter.field,
-                        _value: val
-                    }};
-                });
+            if(operator === 'empty') {
+                return {
+                    _not: {
+                        _contains: filter.field
+                    }
+                };
+            } else {
+                var values = _.pluck(filter.value.list, 'text');
 
-                var criteria = {};
-                switch(operator) {
-                    case 'all':
-                        criteria = criterions.length === 1 ? criterions[0] : { _and: criterions };
-                        break;
-                    case 'none':
-                        criteria = {
-                            _not: criterions.length === 1 ? criterions[0] : { _or: criterions }
-                        };
-                        break;
-                    default:
-                        criteria = criterions.length === 1 ? criterions[0] : { _or: criterions };
+                if(values.length > 0) {
+                    var criterions = _.map(values, function(val) {
+                        return {_like: {
+                            _field: filter.field,
+                            _value: val
+                        }};
+                    });
+
+                    var criteria = {};
+                    switch(operator) {
+                        case 'all':
+                            criteria = criterions.length === 1 ? criterions[0] : { _and: criterions };
+                            break;
+                        case 'none':
+                            criteria = {
+                                _not: criterions.length === 1 ? criterions[0] : { _or: criterions }
+                            };
+                            break;
+                        default:
+                            criteria = criterions.length === 1 ? criterions[0] : { _or: criterions };
+                    }
+
+                    return criteria;
                 }
-
-                return criteria;
             }
 
+
+
             return null;
         };
 
@@ -85,36 +105,47 @@
                 return null;
             }
             var operator = filter.value.operator || 'any';
-            var values = _.pluck(filter.value.list, 'text');
 
-            if(values.length > 0) {
-                var criterions = _.map(values, function(val) {
-                    return {
-                        _like: {
-                            _field: filter.field,
-                            _value: val
-                        }
-                    };
-                });
-
-                var criteria = {};
-                switch(operator) {
-                    case 'all':
-                        criteria = criterions.length === 1 ? criterions[0] : { _and: criterions };
-                        break;
-                    case 'none':
-                        criteria = {
-                            _not: criterions.length === 1 ? criterions[0] : { _or: criterions }
+            if(operator === 'empty') {
+                return {
+                    _not: {
+                        _contains: filter.field
+                    }
+                };
+            } else {
+                var values = _.pluck(filter.value.list, 'text');
+
+                if(values.length > 0) {
+                    var criterions = _.map(values, function(val) {
+                        return {
+                            _like: {
+                                _field: filter.field,
+                                _value: val
+                            }
                         };
-                        break;
-                    //case 'any':
-                    default:
-                        criteria = criterions.length === 1 ? criterions[0] : { _or: criterions };
+                    });
+
+                    var criteria = {};
+                    switch(operator) {
+                        case 'all':
+                            criteria = criterions.length === 1 ? criterions[0] : { _and: criterions };
+                            break;
+                        case 'none':
+                            criteria = {
+                                _not: criterions.length === 1 ? criterions[0] : { _or: criterions }
+                            };
+                            break;
+                        //case 'any':
+                        default:
+                            criteria = criterions.length === 1 ? criterions[0] : { _or: criterions };
+                    }
+
+                    return criteria;
                 }
-
-                return criteria;
             }
 
+
+
             return null;
         };
 
@@ -123,6 +154,15 @@
                 return null;
             }
             var operator = filter.value.operator || 'any';
+
+            if(operator === 'empty') {
+                return {
+                    _not: {
+                        _contains: filter.field
+                    }
+                };
+            }
+
             var values = _.pluck(filter.value.list, 'text');
 
             if(values.length > 0) {
@@ -157,6 +197,14 @@
                 start,
                 end;
 
+            if(operator === 'empty') {
+                return {
+                    _not: {
+                        _contains: filter.field
+                    }
+                };
+            }
+
             if(operator === 'custom') {
                 if(value.from && value.from !== null) {
                     start = _.isString(value.from) ? (new Date(value.from)).getTime() : value.from.getTime();
@@ -165,7 +213,7 @@
                 }
 
                 if(value.to && value.to !== null) {
-                    end = _.isString(value.to) ? (new Date(value.to)).setHours(23, 59, 59, 999) : value.to.getTime();
+                    end = _.isString(value.to) ? (new Date(value.to)).setHours(23, 59, 59, 999) : value.to.setHours(23, 59, 59, 999);
                 } else {
                     end = null;
                 }
diff --git a/frontend/app/scripts/services/common/UtilsSrv.js b/frontend/app/scripts/services/common/UtilsSrv.js
index 4ff664a257..e63a89ee41 100644
--- a/frontend/app/scripts/services/common/UtilsSrv.js
+++ b/frontend/app/scripts/services/common/UtilsSrv.js
@@ -124,8 +124,7 @@
                 },
 
                 getDateRange: function(operator) {
-                    var from,
-                        to = moment();
+                    var from;
 
                     switch(operator) {
                         case 'last7days':
@@ -149,6 +148,8 @@
                             break;
                     }
 
+                    var to = moment();
+
                     return {
                         from: from.hour(0).minutes(0).seconds(0).toDate(),
                         to: to.hour(23).minutes(59).seconds(59).toDate()
diff --git a/frontend/app/scripts/services/common/data/PaginatedQuerySrv.js b/frontend/app/scripts/services/common/data/PaginatedQuerySrv.js
index 29f077b1e7..25cce42f48 100644
--- a/frontend/app/scripts/services/common/data/PaginatedQuerySrv.js
+++ b/frontend/app/scripts/services/common/data/PaginatedQuerySrv.js
@@ -21,6 +21,7 @@
                 this.scope = options.scope;
                 this.loadAll = !!options.loadAll;
                 this.pageSize = options.pageSize || 10;
+                this.pageOptions = options.pageOptions || {};
                 this.baseFilter = options.baseFilter;
                 this.filter = options.filter;
                 this.sort = options.sort;
@@ -84,10 +85,14 @@
                     var from = to - this.pageSize;
                     //range = start + '-' + end;
 
-                    return _.extend({
-                        from: from,
-                        to: to
-                    }, self.extraData ? {extraData: self.extraData} : {});
+                    return _.extend(
+                        {
+                            from: from,
+                            to: to
+                        },
+                        self.extraData ? {extraData: self.extraData} : {},
+                        self.pageOptions ? self.pageOptions : {}
+                    );
                 };
 
 
diff --git a/frontend/app/scripts/services/ui/CaseTabsSrv.js b/frontend/app/scripts/services/ui/CaseTabsSrv.js
index 760537831f..456a687447 100644
--- a/frontend/app/scripts/services/ui/CaseTabsSrv.js
+++ b/frontend/app/scripts/services/ui/CaseTabsSrv.js
@@ -20,6 +20,12 @@
                 active: false,
                 label: 'Observables',
                 state: 'app.case.observables'
+            },
+            'procedures': {
+                name: 'procedures',
+                active: false,
+                label: 'TTPs',
+                state: 'app.case.procedures'
             }
         };
 
diff --git a/frontend/app/styles/case.css b/frontend/app/styles/case.css
index 839531f7eb..9ba0437f5f 100644
--- a/frontend/app/styles/case.css
+++ b/frontend/app/styles/case.css
@@ -80,7 +80,7 @@ table.case-list .case-tags .label,
     font-size: 12px !important;
     font-weight: normal;
 }
-
+table.data-list .btn-icon,
 table.case-list .btn-icon {
     padding: 6px;
     padding-top: 0;
@@ -95,3 +95,7 @@ pre.error-trace {
     white-space: pre-wrap;
     background-color: #f9f1f1;
 }
+
+td.case-status {
+    text-align: center;
+}
diff --git a/frontend/app/styles/components/tag.css b/frontend/app/styles/components/tag.css
new file mode 100644
index 0000000000..d231affb9e
--- /dev/null
+++ b/frontend/app/styles/components/tag.css
@@ -0,0 +1,6 @@
+.label.label-tag {
+    border-left-width: 8px;
+    border-left-style: solid;
+    /* border-top-left-radius: 0px;
+    border-bottom-left-radius: 0px; */
+}
diff --git a/frontend/app/styles/flex-table.css b/frontend/app/styles/flex-table.css
index 441a0c5967..bd3d83110a 100644
--- a/frontend/app/styles/flex-table.css
+++ b/frontend/app/styles/flex-table.css
@@ -1,4 +1,4 @@
-div.flex-header {
+/* div.flex-header {
   background-color: #fff;
   border-bottom: 2px solid #ecf0f5;
   font-size: 16px;
@@ -114,4 +114,97 @@ div.flex-header > div.flex-col.flex-icon {
 div.flex-row > div.flex-col.flex-icon i,
 div.flex-header > div.flex-col.flex-icon i {
   margin-right: 5px;
+} */
+
+div.flex-header {
+    background-color: #fff;
+    border-bottom: 2px solid #ecf0f5;
+    font-size: 16px;
+    padding-top: 8px;
+    padding-bottom: 8px;
+}
+div.flex-row:hover {
+    border: 1px dotted #3c8dbc !important;
+}
+div.flex-row, div.flex-header {
+    display: flex;
+    justify-content: space-between;
+    align-items: stretch;
+}
+div.flex-row:nth-child(odd), div.flex-header:nth-child(odd) {
+    background: #f9f9f9;
+    border: 1px dotted #f9f9f9;
+}
+div.flex-row:nth-child(even), div.flex-header:nth-child(even) {
+    background: #ecf0f5;
+    border: 1px dotted #ecf0f5;
+}
+div.flex-row > div.flex-col, div.flex-header > div.flex-col {
+    margin: 0 5px;
+    padding: 4px;
+}
+div.flex-row > div.flex-col .label.label-lg, div.flex-header > div.flex-col .label.label-lg {
+    font-size: 13px;
+    font-weight: normal;
+    line-height: 1;
+}
+div.flex-row > div.flex-col > *, div.flex-header > div.flex-col > * {
+    flex: 1;
+}
+div.flex-row > div.flex-col > span.label, div.flex-header > div.flex-col > span.label {
+    flex: none;
+}
+div.flex-row > div.flex-col.vertical, div.flex-header > div.flex-col.vertical {
+    display: flex;
+    align-items: center;
+}
+div.flex-row > div.flex-col.vertical.centered, div.flex-header > div.flex-col.vertical.centered {
+    justify-content: center;
+}
+div.flex-row > div.flex-col:first-child, div.flex-header > div.flex-col:first-child {
+    margin-left: 0;
+}
+div.flex-row > div.flex-col:last-child, div.flex-header > div.flex-col:last-child {
+    margin-right: 0;
+}
+div.flex-row > div.flex-col.flex-1, div.flex-header > div.flex-col.flex-1 {
+    flex: 1;
+}
+div.flex-row > div.flex-col.flex-2, div.flex-header > div.flex-col.flex-2 {
+    flex: 2;
+}
+div.flex-row > div.flex-col.flex-3, div.flex-header > div.flex-col.flex-3 {
+    flex: 3;
+}
+div.flex-row > div.flex-col.flex-4, div.flex-header > div.flex-col.flex-4 {
+    flex: 4;
+}
+div.flex-row > div.flex-col.flex-5, div.flex-header > div.flex-col.flex-5 {
+    flex: 5;
+}
+div.flex-row > div.flex-col.flex-w-80, div.flex-header > div.flex-col.flex-w-80 {
+    width: 80px;
+}
+div.flex-row > div.flex-col.flex-w-100, div.flex-header > div.flex-col.flex-w-100 {
+    width: 100px;
+}
+div.flex-row > div.flex-col.flex-w-120, div.flex-header > div.flex-col.flex-w-120 {
+    width: 120px;
+}
+div.flex-row > div.flex-col.flex-w-150, div.flex-header > div.flex-col.flex-w-150 {
+    width: 150px;
+}
+div.flex-row > div.flex-col.flex-w-200, div.flex-header > div.flex-col.flex-w-200 {
+    width: 200px;
+}
+div.flex-row > div.flex-col.flex-icon, div.flex-header > div.flex-col.flex-icon {
+    padding-left: 10px;
+    padding-right: 10px;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    cursor: pointer;
+}
+div.flex-row > div.flex-col.flex-icon i, div.flex-header > div.flex-col.flex-icon i {
+    margin-right: 5px;
 }
diff --git a/frontend/app/styles/main.css b/frontend/app/styles/main.css
index 686e27c413..4d94843ef2 100644
--- a/frontend/app/styles/main.css
+++ b/frontend/app/styles/main.css
@@ -58,7 +58,7 @@ body {
 }
 
 .container-main {
-    padding-top: 100px;
+    padding-top: 80px;
 }
 
 .marked>table, .markdown>table {
@@ -76,6 +76,13 @@ body {
     text-align: center;
     padding: 40px;
 }
+.loading-message {
+    background-color: #f5f5f5;
+    color: #AAA;
+    font-size: 18px;
+    text-align: center;
+    padding: 40px;
+}
 
 .tpad50 {
     padding-top: 50px
@@ -270,16 +277,16 @@ pre.clearpre {
     font-weight: normal !important;
 }
 
-.progress.progress-bar-sm {
-    height: 10px;
+.list-group-item .label.label-lg {
+    font-size: 12px !important;
 }
 
-.progress.progress-bar-sm .progress-bar {
-    line-height: 10px;
+.progress.progress-bar-sm {
+    height: 4px;
 }
 
-.progress.task-progress {
-    margin-bottom: 4px !important;
+.progress.progress-bar-sm .progress-bar {
+    line-height: 4px;
 }
 
 .progress.task-progress .progress-bar {
@@ -343,7 +350,7 @@ ul.observable-reports-summary li {
 
 .case-details dd,
 .case-custom-fields dd {
-    margin-left: 200px !important;
+    margin-left: 205px !important;
 }
 
 .case-custom-fields dt {
@@ -352,6 +359,14 @@ ul.observable-reports-summary li {
     border-left: 2px solid #337ab7;
 }
 
+.case-custom-fields dt a {
+    display: none;
+}
+
+.case-custom-fields dt:hover a {
+    display: block;
+}
+
 .case-custom-fields dd {
     margin-left: 205px;
 }
@@ -730,6 +745,7 @@ table tr td.task-actions span.action-button {
     /*background: rgba(0,0,0,0.2) !important;*/
 }
 
+.task-flags.inline div,
 .observable-flags.inline div {
     display: inline;
 }
@@ -772,3 +788,42 @@ table.tbody-stripped > tbody > tr > td {
     overflow: hidden;
 	text-overflow: ellipsis;
 }
+
+/* Customise tags input */
+
+tags-input.ti-tag-selector .tags .tag-item {
+    background-color: #d2d6de;
+    color: #444;
+    border: none;
+    padding: 0;
+    padding-right: 5px;
+    line-height: 26px;
+}
+
+tags-input.ti-tag-selector.ti-input-sm .tags .tag-item {
+    line-height: 22px;
+}
+
+tags-input.ti-tag-selector .tags .tag-item span.tag-item-border{
+    position: relative;
+    left:0;
+    width: 8px;
+    background-color: red;
+    display: inline-block;
+    border-top-left-radius: .25em;
+    border-bottom-left-radius: .25em;
+}
+
+tags-input.ti-tag-selector.ti-input-sm .tags .tag-item span.tag-item-border{
+    position: relative;
+    left:0;
+    width: 8px;
+    background-color: red;
+    display: inline-block;
+    border-top-left-radius: .25em;
+    border-bottom-left-radius: .25em;
+}
+
+.vtop {
+    vertical-align: top;
+}
diff --git a/frontend/app/styles/procedure.css b/frontend/app/styles/procedure.css
new file mode 100644
index 0000000000..8ab3a0aa9a
--- /dev/null
+++ b/frontend/app/styles/procedure.css
@@ -0,0 +1,124 @@
+.ttp-item {
+    margin-bottom: 6px;
+    border: 1px solid #f5f5f5;
+}
+
+.ttp-tactic {
+    width: 250px;
+    vertical-align: middle;
+}
+.ttp-name {
+    flex: 1;
+}
+.ttp-action {
+    width: 100px;
+    text-align: right
+}
+.ttp-date {
+    width: 140px;
+}
+.ttp-user {
+    width: 200px;
+}
+
+.ttp-item .ttp-header {
+    display: flex;
+    align-items: stretch;
+    justify-content: space-between;
+    flex-direction: row;
+    border-bottom: 1px solid #f5f5f5;
+    background-color: #fcfcfc;
+}
+.ttp-item .ttp-header > div {
+    padding: 2px 10px;
+    vertical-align: middle;
+}
+
+.ttp-item .ttp-header .ttp-tactic {
+    background-color: #f5f5f5;
+    border-left: 4px solid #337ab7;
+    color: #337ab7;
+    display: flex;
+    align-items: center;
+}
+.ttp-item .ttp-header .ttp-tactic > div {
+    flex: 1
+}
+.ttp-item .ttp-header .ttp-name {
+    flex: 1;
+    display: flex;
+    align-items: center;
+}
+.ttp-item .ttp-header .ttp-name > div {
+    flex: 1
+}
+.ttp-item .ttp-header .ttp-date {
+    display: flex;
+    align-items: center;
+}
+.ttp-item .ttp-header .ttp-actions {
+    display: flex;
+    align-items: center;
+}
+
+.ttp-item .ttp-body {
+    padding: 10px;
+}
+
+.ttp-item-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    flex-direction: row;
+    margin-bottom: 10px;
+    border-bottom: 1px solid #f5f5f5;
+}
+
+.ttp-item-header > div {
+    font-weight: bold;
+    padding: 4px 10px;
+}
+
+.procedure-techniques-list {
+    height: 40vh;
+    overflow-y: scroll;
+    border-radius: 0;
+    box-shadow: none;
+    border: 1px solid #d2d6de;
+}
+
+.procedure-techniques-list .tooltip {
+    width: 600px;
+    text-align: left;
+}
+.procedure-techniques-list .tooltip-inner {
+    max-width: 100%;
+    text-align: left;
+}
+
+.procedure-techniques-list .procedure-techniques-item {
+    display: block;
+    padding: 2px 5px;
+}
+
+.procedure-techniques-list .procedure-techniques-item:hover {
+    background-color: #f5f5f5;
+}
+
+.procedure-techniques-list .procedure-techniques-item.active,
+.procedure-techniques-list .procedure-techniques-item.active:hover {
+    background-color: #3c8dbc;
+    color: #fff;
+}
+
+.procedure-techniques-list .procedure-techniques-item.active a{
+    color: #fff;
+}
+
+.procedure-technique {
+    display: block;
+}
+
+.procedure-technique.sub-technique {
+    margin-left: 30px;
+}
diff --git a/frontend/app/views/app.case.html b/frontend/app/views/app.case.html
index 4a14ff4051..e548b9ce1f 100644
--- a/frontend/app/views/app.case.html
+++ b/frontend/app/views/app.case.html
@@ -23,6 +23,11 @@
                                 <span class="badge badge-primary">{{observableCount}}</span>
                             </span>
 
+                            <span ng-switch-when="procedures">
+                                <i class="glyphicon glyphicon-knight"></i>&nbsp;&nbsp; TTPs&nbsp;&nbsp;
+                                <!-- <span class="badge badge-primary">{{observableCount}}</span> -->
+                            </span>
+
                             <span ng-switch-default>
                                 <span ng-switch on="name[0]">
                                     <span ng-switch-when="t">
diff --git a/frontend/app/views/components/alert/observable-list.component.html b/frontend/app/views/components/alert/observable-list.component.html
index 972b390937..131bca24ed 100644
--- a/frontend/app/views/components/alert/observable-list.component.html
+++ b/frontend/app/views/components/alert/observable-list.component.html
@@ -51,7 +51,7 @@
                           </div>
                           <div class="case-tags flexwrap mt-xxs" ng-if="observable.tags.length > 0">
                               <strong><i class="fa fa-tags mr-xxxs"></i></strong>
-                              <span ng-repeat="tag in observable.tags track by $index" class="label label-primary mb-xxxs mr-xxxs" ng-click="$cmp.addFilterValue('tags', tag)">{{tag}}</span>
+                              <tag-item ng-repeat="tag in observable.tags track by $index" ng-click="$cmp.addFilterValue('tags', tag)" value="tag"></tag-item>
                           </div>
                         </td>
                         <td>
diff --git a/frontend/app/views/components/alert/similar-case-list.component.html b/frontend/app/views/components/alert/similar-case-list.component.html
index 25a19018ac..7a28cb291e 100644
--- a/frontend/app/views/components/alert/similar-case-list.component.html
+++ b/frontend/app/views/components/alert/similar-case-list.component.html
@@ -114,11 +114,11 @@
                         <div class="case-tags flexwrap mt-xxs">
                             <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                             <strong class="text-muted mr-xxxs" ng-if="!item.case.tags || item.case.tags.length === 0">None</strong>
-                            <span ng-repeat="tag in item.case.tags track by $index" ng-click="$cmp.addFilterValue('tags', tag)" class="label label-primary mb-xxxs mr-xxxs pointer">{{tag}}</span>
+                            <tag-item ng-repeat="tag in item.case.tags track by $index" ng-click="$cmp.addFilterValue('tags', tag)" class="pointer" value="tag"></tag-item>
                         </div>
                         <div class="text-success" ng-show="item.case.status !== 'Open'">
                             <small>
-                                (Closed at {{item.case.endDate | showDate}} as <strong>{{$cmp.CaseResolutionStatus[item.case.resolutionStatus]}}</strong>)
+                                (Closed at {{item.case.endDate | shortDate}} as <strong>{{$cmp.CaseResolutionStatus[item.case.resolutionStatus]}}</strong>)
                             </small>
                         </div>
                         <div class="text-danger" ng-if="item.case.mergeFrom">
@@ -137,7 +137,7 @@
 
                     <div class="case-date">
                         <a href ng-click="$cmp.addFilterValue('_createdAt', item.case._createdAt)">
-                            <span uib-tooltip="{{item.case._createdAt | showDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.case._createdAt | shortDate}}</span>
+                            <span uib-tooltip="{{item.case._createdAt | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.case._createdAt | shortDate}}</span>
                         </a>
                     </div>
 
diff --git a/frontend/app/views/components/app-container.component.html b/frontend/app/views/components/app-container.component.html
index fcc4481caf..f722376232 100644
--- a/frontend/app/views/components/app-container.component.html
+++ b/frontend/app/views/components/app-container.component.html
@@ -1,7 +1,17 @@
 <header class="main-header"></header>
 <!--<main-sidebar class="main-sidebar"></main-sidebar>-->
 <div class="content-wrapper" fixed-height>
-	<div class="container-fluid container-main" ng-if="currentUser.login" ui-view>
+	<div class="container-fluid container-main" ng-if="currentUser.login">
+
+        <div class="text-danger" ng-repeat="schema in appConfig.schemaStatus" ng-if="schema.error">
+            <div class="callout callout-danger">
+                <h4>Error in {{schema.name}} schema: expected version {{schema.expectedVersion}}, got {{schema.currentVersion}}</h4>
+                <p>Please contact the administrator</p>
+            </div>
+        </div>
+
+        <ui-view />
+
 	</div>
 </div>
 <footer class="main-footer">
@@ -26,7 +36,7 @@
 			</span>
 		</div>
 		<div>
-			<strong><a href="http://www.thehive-project.org" target="_blank">TheHive Project</a> 2016-2020, <a href="https://www.gnu.org/licenses/agpl-3.0.en.html" target="_blank">AGPL-V3</a></strong>
+			<strong><a href="http://www.thehive-project.org" target="_blank">TheHive Project</a> 2016-2021, <a href="https://www.gnu.org/licenses/agpl-3.0.en.html" target="_blank">AGPL-V3</a></strong>
 		</div>
 	</div>
 </footer>
diff --git a/frontend/app/views/components/common/custom-field-input.component.html b/frontend/app/views/components/common/custom-field-input.component.html
index ec4ad46a5d..e241299c69 100644
--- a/frontend/app/views/components/common/custom-field-input.component.html
+++ b/frontend/app/views/components/common/custom-field-input.component.html
@@ -1,5 +1,10 @@
 <dl class="dl-horizontal custom-field-input">
-    <dt class="pull-left" uib-tooltip="{{$ctrl.field.description}}">{{$ctrl.field.name}}</dt>
+    <dt class="pull-left">
+        <span uib-tooltip="{{$ctrl.field.description}}">{{$ctrl.field.name}}</span>
+        <a ng-if="$ctrl.removable" class="pull-right mr-xxxs" href ng-click="$ctrl.removeCustomField($ctrl.id)" uib-tooltip="Delete">
+            <i class="fa fa-trash text-danger"></i>
+        </a>
+    </dt>
     <dd ng-if="$ctrl.editable && $ctrl.field.options.length > 0">
         <updatable-select
             options="$ctrl.field.options"
diff --git a/frontend/app/views/components/common/tag.component.html b/frontend/app/views/components/common/tag.component.html
new file mode 100644
index 0000000000..c52f5c9b2b
--- /dev/null
+++ b/frontend/app/views/components/common/tag.component.html
@@ -0,0 +1 @@
+<span class="label label-tag label-default label-lg" style="border-left-color:{{$ctrl.bgColor}};">{{$ctrl.tag}}</span>
diff --git a/frontend/app/views/components/common/task-flags.component.html b/frontend/app/views/components/common/task-flags.component.html
new file mode 100644
index 0000000000..7e1afefc11
--- /dev/null
+++ b/frontend/app/views/components/common/task-flags.component.html
@@ -0,0 +1,30 @@
+<div class="task-flags" ng-class="{'inline': $ctrl.inline}">
+    <!-- TLP -->
+    <div class="task-status clickable" uib-tooltip="{{$ctrl.task.status}}" tooltip-popup-delay="500" tooltip-placement="bottom"
+        ng-click="$ctrl.filterBy('status', $ctrl.task.status)">
+        <i ng-class="{
+            'Waiting': 'glyphicon glyphicon-pause text-primary',
+            'InProgress': 'glyphicon glyphicon-hourglass text-yellow',
+            'Completed': 'glyphicon glyphicon-ok text-success',
+        }[$ctrl.task.status]"></i>
+    </div>
+
+    <!-- Flag -->
+    <div ng-if="!!$ctrl.task.flag" class="task-flag clickable" uib-tooltip="Is flagged" tooltip-popup-delay="500" tooltip-placement="bottom"
+        ng-click="$ctrl.filterBy('flag', true)">
+        <i class="glyphicon glyphicon-flag text-yellow"></i>
+    </div>
+    <div ng-if="!!!$ctrl.task.flag" class="task-flag clickable"
+        ng-click="$ctrl.filterBy('flag', false)">
+        <i class="glyphicon glyphicon-flag text-disabled"></i>
+    </div>
+
+    <!-- Assignee -->
+    <div ng-if="!!$ctrl.task.assignee" class="task-assignee" uib-tooltip="Is Assigned" tooltip-popup-delay="500" tooltip-placement="bottom">
+        <i class="glyphicon glyphicon-user text-muted"></i>
+    </div>
+    <div ng-if="!!!$ctrl.task.assignee" class="task-flag clickable" uib-tooltip="Not assigned" tooltip-popup-delay="500" tooltip-placement="bottom">
+        <i class="glyphicon glyphicon-user text-disabled"></i>
+    </div>
+
+</div>
diff --git a/frontend/app/views/components/header.component.html b/frontend/app/views/components/header.component.html
index 497dcd2a85..09d31c3719 100644
--- a/frontend/app/views/components/header.component.html
+++ b/frontend/app/views/components/header.component.html
@@ -110,12 +110,25 @@
                                 <span class="hpad5">Analyzer templates</span>
                             </a>
                         </li>
-                        <!-- <li>
-                            <a ui-sref="app.administration.ui-settings">
-                                <i class="fa fa-cogs"></i>
-                                <span class="hpad5">UI settings</span>
+                        <li if-permission="manageTaxonomy">
+                            <a ui-sref="app.administration.taxonomies">
+                                <i class="fa fa-tags"></i>
+                                <span class="hpad5">Taxonomies</span>
                             </a>
-                        </li> -->
+                        </li>
+                        <li if-permission="managePattern">
+                            <a ui-sref="app.administration.attackPatterns">
+                                <i class="fa fa-tags"></i>
+                                <span class="hpad5">ATT&CK Patterns</span>
+                            </a>
+                        </li>
+                        <li class="divider"></li>
+                        <li if-permission="managePlatform">
+                            <a ui-sref="app.administration.platform">
+                                <i class="fa fa-wrench"></i>
+                                <span class="hpad5">Platform Status</span>
+                            </a>
+                        </li>
                     </ul>
                 </li>
 
diff --git a/frontend/app/views/components/org/case-template/case-templates.html b/frontend/app/views/components/org/case-template/case-templates.html
index 77e2be68fa..cfb55ea068 100644
--- a/frontend/app/views/components/org/case-template/case-templates.html
+++ b/frontend/app/views/components/org/case-template/case-templates.html
@@ -1,72 +1,142 @@
-<div class="row mb-xs">
-    <div class="col-md-12">
-        <div class="btn-toolbar" role="toolbar">
-            <div class="btn-group">
-                <button class="btn btn-sm btn-primary" ng-click="$vm.newTemplate()">
-                    <i class="mr-xxs fa fa-plus"></i>New template
-                </button>
-            </div>
-            <div class="btn-group">
-                <button class="btn btn-sm btn-default" ng-click="$vm.importTemplate()">
-                    <i class="mr-xxs fa fa-upload"></i>Import template
-                </button>
-            </div>
-        </div>
-    </div>
-</div>
+<div ng-include="'views/components/org/case-template/toolbar.html'"></div>
 
+<div class="mt-xs filter-panel" ng-include="'views/components/org/case-template/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+<!-- Filters preview  -->
+<div class="row mt-xs">
+    <div class="col-md-12 clearfix">
+        <div class="pull-left">
+            <h4>
+                Case Template List ({{$vm.list.values.length || 0}} of {{$vm.list.total}})
+            </h4>
+        </div>
 
-<div class="row" ng-if="!$vm.template && $vm.templates.length === 0">
-    <div class="col-md-12">
-        <div class="empty-message">No case templates defined.</div>
+        <filters-preview filters="$vm.filtering.context.filters"
+            on-clear-item="$vm.removeFilter(field)"
+            on-clear-all="$vm.clearFilters()"></filters-preview>
     </div>
 </div>
 
-<div class="row" ng-if="$vm.template || $vm.templates.length > 0">
-    <div class="col-md-3">
-        <h4 class="mv-s text-primary">Current templates</h4>
-        <ul class="nav nav-pills nav-stacked" ng-show="$vm.templates">
-            <div class="list-group">
-                <a href ng-click="$vm.loadTemplate(template)" class="list-group-item" ng-class="{'active': $index === $vm.templateIndex}" ng-repeat="template in $vm.templates">
-                    <h4 class="list-group-item-heading">{{template.name}}</h4>
-                    <p class="list-group-item-text">{{template.displayName}}</p>
-                </a>
-            </div>
-            <!-- <li ng-class="{'active': $index === $vm.templateIndex}" ng-repeat="template in $vm.templates">
-                <a href ng-click="$vm.loadTemplate(template)">
-                    <div>{{template.name}}</div>
-                    <div class="help-block small">{{template.displayName}}</div>
-                </a>
-            </li> -->
-        </ul>
-        <div ng-hide="$vm.templates.length != 0">
-            There are no templates
-        </div>
+<!-- Datalist  -->
+<div class="row mt-xs">
+    <div class="col-md-12 mv-s" ng-show="$vm.list.total === 0">
+        <div class="empty-message">No records</div>
     </div>
-    <div class="col-md-9 left-border">
-        <form class="form-horizontal" name="templateEditForm" ng-submit="$vm.saveTemplate()" novalidate>
-            <div class="row">
-                <div class="col-md-6">
-                    <div class="mt-xs" ng-include="'views/components/org/case-template/details.html'"></div>
-                </div>
-                <div class="col-md-6">
-                    <div class="mt-xs" ng-include="'views/components/org/case-template/tasks.html'"></div>
-                    <div class="mt-xs" ng-include="'views/components/org/case-template/custom-fields.html'"></div>
-                </div>
-            </div>
 
-            <div class="vpad10"></div>
-            <div class="vpad10"></div>
+    <div class="col-md-12" ng-show="$vm.list.total > 0">
+        <psearch control="$vm.list"></psearch>
+
+        <table class="table table-striped case-list">
+            <thead>
+                <tr>
+                    <th style="width: 10px;" class="p-0"></th>
+                    <th>
+                      <a href class="text-default" ng-click="$vm.sortByField('displayName')">
+                        Display Name
+                        <i ng-show="$vm.filtering.context.sort.indexOf('+displayName') === -1 && $vm.filtering.context.sort.indexOf('-displayName') === -1" class="fa fa-sort"></i>
+                        <i ng-show="$vm.filtering.context.sort.indexOf('+displayName') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="$vm.filtering.context.sort.indexOf('-displayName') !== -1" class="fa fa-caret-down"></i>
+                      </a>
+                    </th>
+                    <th width="150px">
+                        <a href class="text-default" ng-click="$vm.sortByField('name')">
+                          Name
+                          <i ng-show="$vm.filtering.context.sort.indexOf('+name') === -1 && $vm.filtering.context.sort.indexOf('-name') === -1" class="fa fa-sort"></i>
+                          <i ng-show="$vm.filtering.context.sort.indexOf('+name') !== -1" class="fa fa-caret-up"></i>
+                          <i ng-show="$vm.filtering.context.sort.indexOf('-name') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                    </th>
+                    <th width="80px">
+                        <a href class="text-default" ng-click="$vm.sortByField('severity')">
+                          Severity
+                          <i ng-show="$vm.filtering.context.sort.indexOf('+severity') === -1 && $vm.filtering.context.sort.indexOf('-severity') === -1" class="fa fa-sort"></i>
+                          <i ng-show="$vm.filtering.context.sort.indexOf('+severity') !== -1" class="fa fa-caret-up"></i>
+                          <i ng-show="$vm.filtering.context.sort.indexOf('-severity') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                    </th>
+
+                    <th width="80px">
+                        Tasks
+                    </th>
+                    <th width="120px">
+                        Custom Fields
+                    </th>
+                    <th style="width: 60px;">By</th>
+                    <th style="width: 150px">
+                        Dates
+                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                            C.
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') === -1 && $vm.filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                            U.
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                    </th>
+                    <th style="width: 120px">Actions</th>
+                </tr>
+            </thead>
+
+            <tbody>
+                <tr ng-class="{true:'tr-warning'}[template.flag]" ng-repeat="template in $vm.list.values">
+                    <td class="p-0 bg-tlp-{{template.tlp}} clickable" ng-click="$vm.addFilterValue('tlp', template.tlp)"></td>
+                    <td>
+                        <span>{{template.displayName || template.name}}</span>
+                        <div class="case-tags flexwrap mt-xxs">
+                            <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
+                            <strong class="text-muted mr-xxxs" ng-if="!template.tags || template.tags.length === 0">None</strong>
+                            <tag-item ng-repeat="tag in template.tags track by $index" class="pointer"
+                                ng-click="$vm.addFilterValue('tags', tag)" value="tag"></tag-item>
+                        </div>
+                    </td>
+                    <td>
+                        <div class="case-title wrap">
+                            <a ng-click="">{{template.name}}</a>
+                        </div>
+                        <!-- <custom-field-labels ng-if="$vm.filtering.context.showAdvanced" custom-fields="template.customFields" on-field-click="$vm.addFilterValue(name, value)"></custom-field-labels> -->
+                    </td>
+
+                    <td class="center">
+                        <div class="clickable" ng-click="$vm.addFilterValue('severity', template.severity)">
+                            <severity active="false" value="template.severity"></severity>
+                        </div>
+                    </td>
+                    <td>
+                        <span>{{template.tasks.length || 0}}</span>
+                    </td>
+                    <td>
+                        <span>{{template.customFields.length || 0}}</span>
+                    </td>
+                    <td class="nowrap">
+                        <user user-id="template._createdBy" icon-only="true" icon-size="m"></user>
+                    </td>
+                    <td>
+                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                            C. <a href ng-click="$vm.addFilterValue('_createdAt', template._createdAt)">{{template._createdAt | shortDate}}</a>
+                        </div>
+                        <div ng-if="template._updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                            U. <a href ng-click="$vm.addFilterValue('_updatedAt', template._updatedAt)">{{template._updatedAt | shortDate}}</a>
+                        </div>
+                    </td>
+                    <td class="text-center">
+                        <a href class="btn btn-icon btn-clear" ng-click="$vm.showTemplate(template)">
+                            <i class="text-info fa fa-edit"></i>
+                        </a>
+                        <a href class="btn btn-icon btn-clear" ng-click="$vm.exportTemplate(template)">
+                            <i class="fa fa-download"></i>
+                        </a>
+                        <a href class="btn btn-icon btn-clear" ng-click="$vm.deleteTemplate(template)">
+                            <i class="text-info fa fa-trash text-danger"></i>
+                        </a>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
 
-            <div class="text-left">
-                <button class="btn btn-sm btn-danger" ng-click="$vm.deleteTemplate()" ng-disabled="!$vm.template.id" type="button">Delete case template</button>
-                <span class="hpad10">
-                    <i class="fa fa-asterisk text-danger"></i>&nbsp;Required field</span>
-                <button class="btn btn-sm btn-primary pull-right" ng-disabled="templateEditForm.$invalid" type="submit">
-                    <i class="fa fa-plus"></i>&nbsp;Save case template</button>
-                <button class="btn btn-sm btn-default pull-right mr-xxxs" ng-disabled="templateEditForm.$invalid" type="button" ng-click="$vm.exportTemplate()">
-                    <i class="fa fa-download"></i>&nbsp;Export case template</button>
-            </div>
-        </form>
+        <psearch control="$vm.list"></psearch>
     </div>
 </div>
diff --git a/frontend/app/views/components/org/case-template/custom-fields.html b/frontend/app/views/components/org/case-template/custom-fields.html
index acf8406b94..d36b4469f5 100644
--- a/frontend/app/views/components/org/case-template/custom-fields.html
+++ b/frontend/app/views/components/org/case-template/custom-fields.html
@@ -1,10 +1,11 @@
 <div class="case-template-section">
-    <h4 class="vpad10 text-primary">
-        Custom fields ({{$vm.keys($vm.template.customFields).length}})
-        <a class="pull-right" href ng-click="$vm.addCustomFieldRow()">
-            <i class="fa fa-plus"></i>
-        </a>
-    </h4>
+    <div class="mb-xs">
+        <div class="btn-group">
+            <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.addCustomFieldRow()">
+                <i class="mr-xxxs fa fa-plus"></i>Add custom field
+            </button>
+        </div>
+    </div>
 
     <div class="empty-message" ng-if="$vm.templateCustomFields.length === 0">
         No custom fields have been added. <a href class="mr-xxxs" ng-click="$vm.addCustomFieldRow()">Add a custom field</a>
diff --git a/frontend/app/views/components/org/case-template/details.html b/frontend/app/views/components/org/case-template/details.html
index cf7d7403fa..23ce66fd24 100644
--- a/frontend/app/views/components/org/case-template/details.html
+++ b/frontend/app/views/components/org/case-template/details.html
@@ -1,78 +1,99 @@
-<h4 class="vpad10 text-primary">Case basic information</h4>
-<div class="form-group">
-    <label class="col-md-3 control-label">Template name
-        <i class="fa fa-asterisk text-danger"></i>
-    </label>
-    <div class="col-md-9">
-        <input autocomplete="off" class="form-control" name="name" ng-model="$vm.template.name" placeholder="Template name" required type="text" />
-        <p class="help-block small">This name should be unique</p>
-    </div>
-</div>
+<div class="row">
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">Template name<i class="fa fa-asterisk text-danger"></i></label>
+            <input autocomplete="off" class="form-control" name="name" ng-model="$vm.template.name" placeholder="Template name" required type="text" />
+            <p class="help-block small">This name should be unique</p>
+        </div>
 
-<div class="form-group">
-    <label class="col-md-3 control-label">Display name</label>
-    <div class="col-md-9">
-        <input autocomplete="off" class="form-control" name="displayName" ng-model="$vm.template.displayName" placeholder="Display name" type="text" />
-        <p class="help-block small">This is a display name of the template</p>
     </div>
-</div>
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">Display name</label>
+            <input autocomplete="off" class="form-control" name="displayName" ng-model="$vm.template.displayName" placeholder="Display name" type="text" />
+            <p class="help-block small">This is a display name of the template</p>
+        </div>
 
-<div class="form-group">
-    <label class="col-md-3 control-label">Title prefix</label>
-    <div class="col-md-9">
-        <input class="form-control" name="titlePrefix" ng-model="$vm.template.titlePrefix" placeholder="Case title prefix" type="text" />
-        <p class="help-block small">This is used to prefix the case name</p>
     </div>
-</div>
-<div class="form-group">
-    <label class="col-md-3 control-label">Severity
-        <i class="fa fa10asterisk text-danger"></i>
-    </label>
-    <div class="col-md-9">
-        <a class="clearfix" href ng-click="activeSev = true" ng-init="activeSev = false">
-            <!-- <severity value="caze.severity" active="activeSev" on-update="updateField('severity', newValue)"></severity> -->
-            <severity active="activeSev" style="float:left; font-size:16px" value="$vm.template.severity"></severity>
-        </a>
-        <p class="help-block small vpad5">This will be the default case severity</p>
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">Title prefix</label>
+            <input class="form-control" name="titlePrefix" ng-model="$vm.template.titlePrefix" placeholder="Case title prefix" type="text" />
+            <p class="help-block small">This is used to prefix the case name</p>
+        </div>
     </div>
 </div>
-<div class="form-group">
-    <label class="col-md-3 control-label">TLP
-        <i class="fa fa10asterisk text-danger"></i>
-    </label>
-    <div class="col-md-9">
-        <a class="clearfix" href ng-click="activeTlp = 'active'" ng-init="activeTlp = 'static'">
-            <tlp format="activeTlp" on-update="updateTlp(newValue)" style="float:left; font-size:16px" value="$vm.template.tlp"></tlp>
-        </a>
-        <p class="help-block small vpad5">This will be the default case TLP</p>
+
+<div class="row">
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">Severity
+                <i class="fa fa10asterisk text-danger"></i>
+            </label>
+            <div>
+                <a class="clearfix" href ng-click="activeSev = true" ng-init="activeSev = true">
+                    <severity active="activeSev" style="float:left; font-size:16px" value="$vm.template.severity"></severity>
+                </a>
+                <p class="help-block small vpad5">This will be the default case severity</p>
+            </div>
+        </div>
     </div>
-</div>
-<div class="form-group">
-    <label class="col-md-3 control-label">PAP
-        <i class="fa fa10asterisk text-danger"></i>
-    </label>
-    <div class="col-md-9">
-        <a class="clearfix" href ng-click="activePap = 'active'" ng-init="activePap = 'static'">
-            <tlp format="activePap" on-update="updatePap(newValue)" style="float:left; font-size:16px" value="$vm.template.pap" namespace="PAP"></tlp>
-        </a>
-        <p class="help-block small vpad5">This will be the default case PAP</p>
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">TLP
+                <i class="fa fa10asterisk text-danger"></i>
+            </label>
+            <div>
+                <a class="clearfix" href ng-click="activeTlp='active'" ng-init="activeTlp='active'">
+                    <tlp format="activeTlp" on-update="updateTlp(newValue)" style="float:left; font-size:16px" value="$vm.template.tlp"></tlp>
+                </a>
+            </div>
+            <div>
+                <p class="help-block small vpad5">This will be the default case TLP</p>
+            </div>
+        </div>
+    </div>
+    <div class="col-sm-4">
+        <div class="form-group">
+            <label class="control-label">PAP
+                <i class="fa fa10asterisk text-danger"></i>
+            </label>
+                <div>
+                    <a class="clearfix" href ng-click="activePap='active'" ng-init="activePap='active'">
+                        <tlp format="activePap" on-update="updatePap(newValue)" style="float:left; font-size:16px" value="$vm.template.pap" namespace="PAP"></tlp>
+                    </a>
+                </div>
+                <div>
+                    <p class="help-block small vpad5">This will be the default case PAP</p>
+                </div>
+
+            </div>
+        </div>
     </div>
 </div>
+
 <div class="form-group">
-    <label class="col-md-3 control-label">Tags</label>
-    <div class="col-md-9">
-        <tags-input min-length="2" name="tags" ng-model="$vm.tags" placeholder="Tags" replace-spaces-with-dashes="false">
-            <auto-complete min-length="3" debounce-delay="400" source="$vm.getTags($query)"></auto-complete>
-        </tags-input>
-        <p class="help-block small vpad5">These will be the default case tags</p>
+    <label class="control-label">Tags</label>
+
+        <div class="input-group">
+            <tags-input class="ti-tag-selector" min-length="2" name="tags" ng-model="$vm.tags" placeholder="Tags" replace-spaces-with-dashes="false" template="views/directives/tag-input-item.html">
+                <auto-complete min-length="3" debounce-delay="400" source="$vm.getTags($query)"></auto-complete>
+            </tags-input>
+
+            <span class="input-group-btn vtop">
+                <button type="button" class="btn btn-block btn-primary" ng-click="$vm.fromTagLibrary()" uib-tooltip="Add tag from library" tooltip-placement="left">
+                    <span class="fa fa-plus"></span>
+                </button>
+            </span>
+        </div>
+        <p class="help-block small">These will be the default case tags</p>
     </div>
 </div>
 <div class="form-group" ng-class="{ 'has-error' : templateEditForm.description.$invalid && !templateEditForm.description.$pristine }">
-    <label class="col-md-3 control-label">Description
+    <label class="control-label">Description
         <i class="fa fa-asterisk text-danger"></i>
     </label>
-    <div class="col-md-9">
-        <textarea class="form-control" name="description" ng-model="$vm.template.description" placeholder="Case description" required rows="3"></textarea>
-        <p class="help-block" ng-show="templateEditForm.description.$invalid && !templateEditForm.description.$pristine">The case description is required.</p>
-    </div>
+    <textarea class="form-control" name="description" ng-model="$vm.template.description" placeholder="Case description" required rows="3"></textarea>
+    <p class="help-block small">This will be the default case description</p>
+    <p class="help-block" ng-show="templateEditForm.description.$invalid && !templateEditForm.description.$pristine">The case description is required.</p>
 </div>
diff --git a/frontend/app/views/components/org/case-template/details.modal.html b/frontend/app/views/components/org/case-template/details.modal.html
new file mode 100644
index 0000000000..cc0b7bc9ec
--- /dev/null
+++ b/frontend/app/views/components/org/case-template/details.modal.html
@@ -0,0 +1,47 @@
+<form name="templateEditForm" ng-submit="$vm.saveTemplate()" novalidate>
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">{{$vm.action}} case template</h3>
+    </div>
+    <div class="modal-body">
+        <uib-tabset active="active" class="nav-tabs-custom">
+            <uib-tab index="0">
+                <uib-tab-heading>
+                    <span>
+                        <i class="mr-xxs glyphicon glyphicon-folder-open"></i>
+                        Basic Information
+                    </span>
+                </uib-tab-heading>
+                <div>
+                    <div class="mt-xs" ng-include="'views/components/org/case-template/details.html'"></div>
+                </div>
+            </uib-tab>
+            <uib-tab index="1">
+                <uib-tab-heading>
+                    <span>
+                        <i class="mr-xxs glyphicon glyphicon-tasks"></i>
+                        Tasks <span class="badge badge-default">{{$vm.template.tasks.length || 0}}</span>
+                    </span>
+                </uib-tab-heading>
+                <div>
+                    <div class="mt-xs" ng-include="'views/components/org/case-template/tasks.html'"></div>
+                </div>
+            </uib-tab>
+            <uib-tab index="2">
+                <uib-tab-heading>
+                    <span>
+                        <i class="mr-xxs fa fa-tags"></i>
+                        Custom Fields <span class="badge badge-default">{{$vm.templateCustomFields.length || 0}}</span>
+                    </span>
+                </uib-tab-heading>
+                <div>
+                    <div class="mt-xs" ng-include="'views/components/org/case-template/custom-fields.html'"></div>
+                </div>
+            </uib-tab>
+        </uib-tabset>
+    </div>
+    <div class="modal-footer text-left">
+        <button class="btn btn-default" ng-click="$vm.cancel()" type="button">Cancel</button>
+        <span class="ml-xxs"><i class="fa fa-asterisk text-danger mr-xxxs"></i>Required field</span>
+        <button class="btn btn-primary pull-right" ng-disabled="templateEditForm.$invalid" type="submit">Save template</button>
+    </div>
+</form>
diff --git a/frontend/app/views/components/org/case-template/filters.html b/frontend/app/views/components/org/case-template/filters.html
new file mode 100644
index 0000000000..12c948d197
--- /dev/null
+++ b/frontend/app/views/components/org/case-template/filters.html
@@ -0,0 +1,39 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/components/org/case-template/tasks.html b/frontend/app/views/components/org/case-template/tasks.html
index 6508fee37d..4b37095d32 100644
--- a/frontend/app/views/components/org/case-template/tasks.html
+++ b/frontend/app/views/components/org/case-template/tasks.html
@@ -1,10 +1,11 @@
 <div class="case-template-section">
-    <h4 class="vpad10 text-primary">
-        Tasks ({{$vm.template.tasks.length || 0}})
-        <a class="pull-right" href ng-click="$vm.addTask()">
-            <i class="fa fa-plus"></i>
-        </a>
-    </h4>
+    <div class="mb-xs">
+        <div class="btn-group">
+            <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.addTask()">
+                <i class="mr-xxxs fa fa-plus"></i>Add task
+            </button>
+        </div>
+    </div>
 
     <div class="empty-message" ng-if="!$vm.template.tasks || $vm.template.tasks.length === 0">
         No tasks have been specified. <a href class="mr-xxxs" ng-click="$vm.addTask()">Add a task</a>
diff --git a/frontend/app/views/components/org/case-template/toolbar.html b/frontend/app/views/components/org/case-template/toolbar.html
new file mode 100644
index 0000000000..bd18334d53
--- /dev/null
+++ b/frontend/app/views/components/org/case-template/toolbar.html
@@ -0,0 +1,55 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+
+            <div class="btn-group">
+                <button class="btn btn-sm btn-primary" ng-click="$vm.newTemplate()">
+                    <i class="mr-xxxs fa fa-plus"></i>New template
+                </button>
+            </div>
+            <div class="btn-group">
+                <button class="btn btn-sm btn-default" ng-click="$vm.importTemplate()">
+                    <i class="mr-xxxs fa fa-upload"></i>Import template
+                </button>
+            </div>
+
+            <div class="btn-group" uib-dropdown>
+                <button class="btn btn-primary btn-sm dropdown-toggle" uib-dropdown-toggle type="button">
+                    <i class="mr-xxxs fa fa-sort"></i>
+                    Sort by
+                    <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu" uib-dropdown-menu>
+                    <li>
+                        <a ng-click="$vm.sortBy(['+displayName'])">Ascendant display name</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['-displayName'])">Descendent display name</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['-_createdAt'])">Newest first</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['+_createdAt'])">Oldest first</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['-_updatedAt'])">Most recently updated first</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['+_updatedAt'])">Least recently updated first</a>
+                    </li>
+                </ul>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/components/org/config.list.html b/frontend/app/views/components/org/config.list.html
index 7bcbfe2df3..6ec88724a1 100644
--- a/frontend/app/views/components/org/config.list.html
+++ b/frontend/app/views/components/org/config.list.html
@@ -2,8 +2,8 @@
     <div class="col-md-12">
         <form name="settingsForm" class="mt-xs form-horizontal" ng-submit="$ctrl.save(settingsForm)" novalidate>
             <div class="form-group">
-                <label class="col-md-3 control-label">Hide <em>Empty Case</em> button</label>
-                <div class="col-md-9">
+                <label class="col-lg-3 col-md-4 control-label">Hide <em>Empty Case</em> button</label>
+                <div class="col-lg-9 col-md-8">
                     <div class="checkbox">
                         <label>
                           <input name="hideEmptyCaseButton" type="checkbox" ng-model="$ctrl.configs['hideEmptyCaseButton']"> Check this to disallow creating empty cases
@@ -13,8 +13,8 @@
             </div>
 
             <div class="form-group">
-                <label class="col-md-3 control-label">Merge alerts into closed cases</label>
-                <div class="col-md-9">
+                <label class="col-lg-3 col-md-4 control-label">Merge alerts into closed cases</label>
+                <div class="col-lg-9 col-md-6">
                     <div class="checkbox">
                         <label>
                           <input name="disallowMergeAlertInResolvedSimilarCases" type="checkbox"
@@ -25,8 +25,8 @@
             </div>
 
             <div class="form-group">
-                <label class="col-md-3 control-label">Select the default filter of alert case similarity panel</label>
-                <div class="col-md-3">
+                <label class="col-lg-3 col-md-4 control-label">Select the default filter of alert case similarity panel</label>
+                <div class="col-lg-6 col-md-8">
                     <select class="form-control" name="defaultAlertSimilarCaseFilter"
                         ng-options="k as o.label for (k, o) in $ctrl.alertSimilarityFilters"
                         ng-model="$ctrl.configs['defaultAlertSimilarCaseFilter']">
@@ -34,6 +34,31 @@
                 </div>
             </div>
 
+            <div class="form-group">
+                <label class="col-lg-3 col-md-4 control-label">Define the default date format used to display dates</label>
+                <div class="col-lg-6 col-md-8">
+                    <input class="form-control" type="text" name="defaultDateFormat" ng-model="$ctrl.configs['defaultDateFormat']">
+                    <span>Result preview: <code>{{$ctrl.date | amDateFormat:$ctrl.configs['defaultDateFormat']}}</code></span>
+
+                    <div class="mt-xxs">
+                        <label>More examples:</label>
+                        <ul class="list-unstyled">
+                            <li><em class="text-bold">YYYY-MM-DD HH:mm</em> results in <code>{{$ctrl.date | amDateFormat:'YYYY-MM-DD HH:mm'}}</code></li>
+                            <li><em class="text-bold">DD/MM/YYYY HH:mm</em> results in <code>{{$ctrl.date | amDateFormat:'DD/MM/YYYY HH:mm'}}</code></li>
+                            <li><em class="text-bold">DD.MM.YY HH:mm:ss</em> results in <code>{{$ctrl.date | amDateFormat:'DD.MM.YY HH:mm:ss'}}</code></li>
+                            <li><em class="text-bold">MM-DD-YYYY HH:mm:ssZ</em> results in <code>{{$ctrl.date | amDateFormat:'MM-DD-YYYY HH:mm:ssZ'}}</code></li>
+                            <li><em class="text-bold">ddd, MMM Do, YYYY H:mm Z</em> results in <code>{{$ctrl.date | amDateFormat:'ddd, MMM Do, YYYY H:mm Z'}}</code></li>
+                        </ul>
+                        <div class="mt-xxs">
+                            <span>For more details about the format <a href="https://momentjs.com/docs/#/displaying/format/" target="_blank">click here</a></span>
+                        </div>
+
+                    </div>
+                </div>
+            </div>
+
+            <!-- defaultDateFormat -->
+
             <div class="mt-s">
                 <button class="btn btn-primary pull-right" ng-disabled="settingsForm.$invalid" type="submit">Save</button>
             </div>
diff --git a/frontend/app/views/components/org/custom-tags/filters.html b/frontend/app/views/components/org/custom-tags/filters.html
new file mode 100644
index 0000000000..12c948d197
--- /dev/null
+++ b/frontend/app/views/components/org/custom-tags/filters.html
@@ -0,0 +1,39 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/components/org/custom-tags/tag-list.html b/frontend/app/views/components/org/custom-tags/tag-list.html
new file mode 100644
index 0000000000..e9f81371e1
--- /dev/null
+++ b/frontend/app/views/components/org/custom-tags/tag-list.html
@@ -0,0 +1,106 @@
+<div ng-include="'views/components/org/custom-tags/toolbar.html'"></div>
+
+<div class="mt-xs filter-panel" ng-include="'views/components/org/custom-tags/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+<!-- Filters preview  -->
+<div class="row mt-xs">
+    <div class="col-md-12 clearfix">
+        <div class="pull-left">
+            <h4>
+                Custom tags List ({{$vm.list.values.length || 0}} of {{$vm.list.total}})
+            </h4>
+        </div>
+
+        <filters-preview filters="$vm.filtering.context.filters"
+            on-clear-item="$vm.removeFilter(field)"
+            on-clear-all="$vm.clearFilters()"></filters-preview>
+    </div>
+</div>
+
+<!-- Datalist  -->
+<div class="row mt-xs">
+    <div class="col-md-12 mv-s" ng-show="$vm.list.total === 0">
+        <div class="empty-message">No records</div>
+    </div>
+
+    <div class="col-md-12" ng-show="$vm.list.total > 0">
+        <psearch control="$vm.list"></psearch>
+
+        <table class="table table-striped case-tags">
+            <thead>
+                <tr>
+                    <th>
+                      <a href class="text-default" ng-click="$vm.sortByField('predicate')">
+                        Name
+                        <i ng-show="$vm.filtering.context.sort.indexOf('+predicate') === -1 && $vm.filtering.context.sort.indexOf('-predicate') === -1" class="fa fa-sort"></i>
+                        <i ng-show="$vm.filtering.context.sort.indexOf('+predicate') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="$vm.filtering.context.sort.indexOf('-predicate') !== -1" class="fa fa-caret-down"></i>
+                      </a>
+                    </th>
+                    <th width="250px">
+                        Colour
+                    </th>
+                    <th width="100px">Cases</th>
+                    <th width="100px">Alerts</th>
+                    <th width="100px">Observables</th>
+                    <th width="100px">Templates</th>
+                    <th style="width: 60px;">By</th>
+                    <th style="width: 150px">
+                        Dates
+
+                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                            C.
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') === -1 && $vm.filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                            U.
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                            <i ng-show="$vm.filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                        </a>
+                    </th>
+                    <th style="width: 60px">Actions</th>
+                </tr>
+            </thead>
+
+            <tbody>
+                <tr ng-repeat="tag in $vm.list.values">
+                    <td>
+                        <!-- <tag-item class="label-lg" value="tag.predicate" colour="tag.colour"></tag-item> -->
+                        <updatable-tag value="tag.predicate" colour="tag.colour" on-update="$vm.updateTag(tag._id, newValue)"></updatable-tag>
+                    </td>
+                    <td>
+                        <updatable-colour value="tag.colour" on-update="$vm.updateColour(tag._id, newValue)"></updatable-colour>
+                    </td>
+                    <td>{{tag.extraData.usage.case}}</td>
+                    <td>{{tag.extraData.usage.alert}}</td>
+                    <td>{{tag.extraData.usage.observable}}</td>
+                    <td>{{tag.extraData.usage.caseTemplate}}</td>
+                    <td class="nowrap">
+                        <user user-id="tag._createdBy" icon-only="true" icon-size="m"></user>
+                    </td>
+                    <td>
+                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                            C. <a href ng-click="$vm.addFilterValue('_createdAt', tag._createdAt)">{{tag._createdAt | shortDate}}</a>
+                        </div>
+                        <div ng-if="tag._updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                            U. <a href ng-click="$vm.addFilterValue('_updatedAt', tag._updatedAt)">{{tag._updatedAt | shortDate}}</a>
+                        </div>
+                    </td>
+                    <td class="text-center">
+                        <!-- <a href class="btn btn-icon btn-clear" ng-click="$vm.showTemplate(template)">
+                            <i class="text-info fa fa-edit"></i>
+                        </a> -->
+                        <a href class="btn btn-icon btn-clear" ng-click="$vm.deleteTag(tag)">
+                            <i class="text-info fa fa-trash text-danger"></i>
+                        </a>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+
+        <psearch control="$vm.list"></psearch>
+    </div>
+</div>
diff --git a/frontend/app/views/components/org/custom-tags/toolbar.html b/frontend/app/views/components/org/custom-tags/toolbar.html
new file mode 100644
index 0000000000..aaf3ea782e
--- /dev/null
+++ b/frontend/app/views/components/org/custom-tags/toolbar.html
@@ -0,0 +1,16 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/components/org/orgSwitch.modal.html b/frontend/app/views/components/org/orgSwitch.modal.html
index 54be7e1218..598893c404 100644
--- a/frontend/app/views/components/org/orgSwitch.modal.html
+++ b/frontend/app/views/components/org/orgSwitch.modal.html
@@ -15,7 +15,7 @@ <h3 class="modal-title"><i class="fa fa-random"></i> Switch organisation</h3>
 
         <ul class="nav nav-pills nav-stacked">
             <div class="list-group">
-                <a href ng-click="$dialog.selectOrg(item.organisation)" class="list-group-item"
+                <a href ng-click="$dialog.selectOrg(item.organisationId)" class="list-group-item"
                     ng-class="{'active': $dialog.currentUser.organisation === item.organisation}"
                     ng-repeat="item in $dialog.currentUser.organisations | filter:$modal.filter track by $index">
                     <h4 class="list-group-item-heading">{{item.organisation}} <em class="pull-right" ng-if="$dialog.currentUser.organisation === item.organisation">(current)</em></h4>
diff --git a/frontend/app/views/components/org/user.list.html b/frontend/app/views/components/org/user.list.html
index fa2727fb8b..ac7eb20dfd 100644
--- a/frontend/app/views/components/org/user.list.html
+++ b/frontend/app/views/components/org/user.list.html
@@ -36,9 +36,16 @@
                     <th>Password</th>
                     <th>API Key</th>
                     <th class="text-center" style="width: 100px" ng-if="$ctrl.mfaEnabled">MFA</th>
-                    <th class="text-center" style="width: 120px">
+                    <th class="text-center" style="width: 150px">
+                        Dates
+                        <a href class="text-default" ng-click="$ctrl.sortByField('_createdAt')">
+                            C.
+                            <i ng-show="$ctrl.sort.indexOf('+_createdAt') === -1 && $ctrl.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                            <i ng-show="$ctrl.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                            <i ng-show="$ctrl.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                        </a>
                         <a href class="text-default" ng-click="$ctrl.sortByField('_updatedAt')">
-                            Updated At
+                            U.
                             <i ng-show="$ctrl.sort.indexOf('+_updatedAt') === -1 && $ctrl.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
                             <i ng-show="$ctrl.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
                             <i ng-show="$ctrl.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
@@ -105,7 +112,14 @@
                             <button type="button" class="btn btn-danger btn-sm" ng-click="$ctrl.resetMfa(user)">Reset</button>
                         </span>
                     </td>
-                    <td>{{user._updatedAt | shortDate}}</td>
+                    <td>
+                        <div ng-class="{'text-bold': $ctrl.sort.indexOf('+_createdAt') !== -1 || $ctrl.sort.indexOf('-_createdAt') !== -1}">
+                            C. <a href ng-click="$ctrl.addFilterValue('_createdAt', user._createdAt)">{{user._createdAt | shortDate}}</a>
+                        </div>
+                        <div ng-if="user._updatedAt > 0" ng-class="{'text-bold': $ctrl.sort.indexOf('+_updatedAt') !== -1 || $ctrl.sort.indexOf('-_updatedAt') !== -1}">
+                            U. <a href ng-click="$ctrl.addFilterValue('_updatedAt', user._updatedAt)">{{user._updatedAt | shortDate}}</a>
+                        </div>
+                    </td>
                     <td>
                         <span class="clickable mr-xxs text-primary" ng-click="$ctrl.editUser(user)" uib-tooltip="Edit User">
                             <i class="text-20 fa fa-edit"></i>
diff --git a/frontend/app/views/components/sharing/task/sharing-list.html b/frontend/app/views/components/sharing/task/sharing-list.html
index a500758f41..51d11f7547 100644
--- a/frontend/app/views/components/sharing/task/sharing-list.html
+++ b/frontend/app/views/components/sharing/task/sharing-list.html
@@ -11,7 +11,7 @@
                 <th>Organisation</th>
                 <th width="250">Profile</th>
                 <th width="160">Shared At</th>
-                <th width="120" class="text-right" if-permission="manageTask" allowed="{{$ctrl.permissions}}"></th>
+                <th width="150" class="text-right" if-permission="manageTask" allowed="{{$ctrl.permissions}}"></th>
                 <th width="80" class="text-right" if-permission="manageShare" allowed="{{$ctrl.permissions}}">Actions</th>
             </thead>
             <tbody>
@@ -43,6 +43,9 @@
                         <span ng-if="!!!share.actionRequired" class="clickable text-primary" ng-click="$ctrl.requireAction(share.organisationName)">
                             <i class="fa fa-exclamation-triangle"></i> Require Action
                         </span>
+                        <span ng-if="!!share.actionRequired" class="clickable text-danger" ng-click="$ctrl.cancelRequireAction(share.organisationName)">
+                            <i class="fa fa-exclamation-triangle"></i> Cancel Request
+                        </span>
                     </td>
 
                     <td class="text-right" if-permission="manageShare" allowed="{{$ctrl.permissions}}">
diff --git a/frontend/app/views/directives/dashboard/filter-editor.html b/frontend/app/views/directives/dashboard/filter-editor.html
index 8c18989202..eb0c791f07 100644
--- a/frontend/app/views/directives/dashboard/filter-editor.html
+++ b/frontend/app/views/directives/dashboard/filter-editor.html
@@ -5,18 +5,19 @@
     <div ng-switch-when="number|integer|float" ng-switch-when-separator="|" class="row">
         <div class="col-xs-2 ph-0" uib-dropdown>
             <button type="button" class="btn btn-block btn-default dropdown-toggle" uib-dropdown-toggle>
-                {{filter.value.operator || '='}} <span class="caret"></span>
+                {{operatorMap[filter.value.operator] || '='}} <span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '='">=</a></li>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '!='">!=</a></li>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '<'">&lt;</a></li>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '<='">&lt;=</a></li>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '>'">&gt;</a></li>
-                <li><a href style="font-size:20px;" ng-click="filter.value.operator = '>='">&gt;=</a></li>
+                <li><a href ng-click="filter.value.operator = 'empty'">is empty</a></li>
+                <li><a href ng-click="filter.value.operator = '='">=</a></li>
+                <li><a href ng-click="filter.value.operator = '!='">!=</a></li>
+                <li><a href ng-click="filter.value.operator = '<'">&lt;</a></li>
+                <li><a href ng-click="filter.value.operator = '<='">&lt;=</a></li>
+                <li><a href ng-click="filter.value.operator = '>'">&gt;</a></li>
+                <li><a href ng-click="filter.value.operator = '>='">&gt;=</a></li>
             </ul>
         </div>
-        <div class="col-xs-10 pl-xxxs">
+        <div class="col-xs-10 pl-xxxs" ng-show="filter.value.operator !== 'empty'">
             <input type="number" step=".01" class="form-control" ng-model="filter.value.value">
         </div>
     </div>
@@ -24,36 +25,47 @@
     <div ng-switch-when="tags" class="row">
         <div class="col-xs-2 ph-0" uib-dropdown>
             <button type="button" class="btn btn-block btn-default dropdown-toggle" uib-dropdown-toggle>
-                {{filter.value.operator || 'any'}} of <span class="caret"></span>
+                {{operatorMap[filter.value.operator || 'any']}} <span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
+                <li><a href ng-click="filter.value.operator = 'empty'">is empty</a></li>
                 <li><a href ng-click="filter.value.operator = 'any'">any of</a></li>
                 <li><a href ng-click="filter.value.operator = 'all'">all of</a></li>
                 <li><a href ng-click="filter.value.operator = 'none'">none of</a></li>
             </ul>
         </div>
-        <div class="col-xs-10 pl-xxxs clear">
-            <tags-input class="form-control-wrapper"
-                ng-model="filter.value.list"
-                placeholder="ex: Enter a tag"
-                replace-spaces-with-dashes="false">
-                    <auto-complete source="promiseFor(filter, $query)" min-length="3" debounce-delay="400"></auto-complete>
+        <div class="col-xs-10 pl-xxxs clear" ng-show="filter.value.operator !== 'empty'">
+            <div class="input-group">
+                <tags-input class="form-control-wrapper ti-tag-selector"
+                    ng-model="filter.value.list"
+                    placeholder="ex: Enter a tag"
+                    replace-spaces-with-dashes="false"
+                    template="views/directives/tag-input-item.html">
+                        <auto-complete source="promiseFor(filter, $query)" min-length="3" debounce-delay="400"></auto-complete>
                 </tags-input>
+
+                <span class="input-group-btn vtop">
+                    <button type="button" class="btn btn-block btn-default" ng-click="fromTagLibrary(filter)" uib-tooltip="Add tag from library" tooltip-placement="left">
+                        <span class="fa fa-plus"></span>
+                    </button>
+                </span>
+            </div>
         </div>
     </div>
 
     <div ng-switch-when="user" class="row">
         <div class="col-xs-2 ph-0" uib-dropdown>
             <button type="button" class="btn btn-block btn-default dropdown-toggle" uib-dropdown-toggle>
-                {{filter.value.operator || 'any'}} of <span class="caret"></span>
+                {{operatorMap[filter.value.operator || 'any']}} <span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
+                <li><a href ng-click="filter.value.operator = 'empty'">is empty</a></li>
                 <li><a href ng-click="filter.value.operator = 'any'">any of</a></li>
                 <li><a href ng-click="filter.value.operator = 'all'">all of</a></li>
                 <li><a href ng-click="filter.value.operator = 'none'">none of</a></li>
             </ul>
         </div>
-        <div class="col-xs-10 pl-xxxs">
+        <div class="col-xs-10 pl-xxxs" ng-show="filter.value.operator !== 'empty'">
             <tags-input class="form-control-wrapper" min-length="2" ng-model="filter.value.list"
                 placeholder="ex: Firstname Lastname"
                 replace-spaces-with-dashes="false"
@@ -67,15 +79,16 @@
     <div ng-switch-when="string" class="row">
         <div class="col-xs-2 ph-0" uib-dropdown>
             <button type="button" class="btn btn-block btn-default dropdown-toggle" uib-dropdown-toggle>
-                {{filter.value.operator || 'any'}} of <span class="caret"></span>
+                {{operatorMap[filter.value.operator || 'any']}} <span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
+                <li><a href ng-click="filter.value.operator = 'empty'">is empty</a></li>
                 <li><a href ng-click="filter.value.operator = 'any'">any of</a></li>
                 <li><a href ng-click="filter.value.operator = 'all'">all of</a></li>
                 <li><a href ng-click="filter.value.operator = 'none'">none of</a></li>
             </ul>
         </div>
-        <div class="col-xs-10 pl-xxxs">
+        <div class="col-xs-10 pl-xxxs" ng-show="filter.value.operator !== 'empty'">
             <tags-input class="form-control-wrapper" min-length="2"
                 ng-model="filter.value.list"
                 placeholder="Enter a {{filter.field}}"
@@ -86,15 +99,16 @@
     <div ng-switch-when="enumeration" class="row">
         <div class="col-xs-2 ph-0" uib-dropdown>
             <button type="button" class="btn btn-block btn-default dropdown-toggle" uib-dropdown-toggle>
-                {{filter.value.operator || 'any'}} of <span class="caret"></span>
+                {{operatorMap[filter.value.operator || 'any']}}<span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
+                <li><a href ng-click="filter.value.operator = 'empty'">is empty</a></li>
                 <li><a href ng-click="filter.value.operator = 'any'">any of</a></li>
                 <li><a href ng-click="filter.value.operator = 'all'">all of</a></li>
                 <li><a href ng-click="filter.value.operator = 'none'">none of</a></li>
             </ul>
         </div>
-        <div class="col-xs-10 pl-xxxs">
+        <div class="col-xs-10 pl-xxxs" ng-show="filter.value.operator !== 'empty'">
             <tags-input class="form-control-wrapper" min-length="2" ng-model="filter.value.list"
                 replace-spaces-with-dashes="false"
                 add-from-autocomplete-only="true"
@@ -125,6 +139,7 @@
                 {{dateOperator[filter.value.operator || 'custom']}} <span class="caret"></span>
             </button>
             <ul class="dropdown-menu" uib-dropdown-menu>
+                <li><a href ng-click="setDateFilterOperator(filter, 'empty')">Empty</a></li>
                 <li><a href ng-click="setDateFilterOperator(filter, 'custom')">Custom</a></li>
                 <li><a href ng-click="setDateFilterOperator(filter, 'today')">Today</a></li>
                 <li><a href ng-click="setDateFilterOperator(filter, 'last7days')">Last 7 days</a></li>
diff --git a/frontend/app/views/directives/entity-link.html b/frontend/app/views/directives/entity-link.html
index a3e9f6cb19..748cdaa916 100644
--- a/frontend/app/views/directives/entity-link.html
+++ b/frontend/app/views/directives/entity-link.html
@@ -1,50 +1,54 @@
 <span ng-if="value._type == 'case'">
-	<a class="text-muted wrap"href ng-click="openLink(entityUrl(value))">
-		<i class="glyphicon glyphicon-folder-open"></i>
-		&nbsp;#{{value.caseId || value.number}} - {{value.title}}&nbsp;
-	</a>
+    <a class="text-muted wrap"href ng-click="openLink(entityUrl(value))">
+        <i class="glyphicon glyphicon-folder-open"></i>
+        &nbsp;#{{value.caseId || value.number}} - {{value.title}}&nbsp;
+    </a>
 </span>
 <span ng-if="value._type == 'Case'">
-	<a class="text-muted wrap"href ng-click="openLink(entityUrl(value))">
-		<i class="glyphicon glyphicon-folder-open"></i>
-		&nbsp;#{{value.caseId || value.number}} - {{value.title}}&nbsp;
-	</a>
+    <a class="text-muted wrap"href ng-click="openLink(entityUrl(value))">
+        <i class="glyphicon glyphicon-folder-open"></i>
+        &nbsp;#{{value.caseId || value.number}} - {{value.title}}&nbsp;
+    </a>
 </span>
 <span ng-if="value._type == 'case_task'">
-	<entity-link value="value.case" target="target"></entity-link>
-	<a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
-		<i class=" glyphicon glyphicon-tasks"></i>
-		&nbsp;{{value.title}}
-	</a>
+    <entity-link value="value.case" target="target"></entity-link>
+    <a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
+        <i class=" glyphicon glyphicon-tasks"></i>
+        &nbsp;{{value.title}}
+    </a>
 </span>
 <span ng-if="value._type == 'Task'">
-	<entity-link value="value.extraData.case" target="target"></entity-link>
-	<a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
-		<i class=" glyphicon glyphicon-tasks"></i>
-		&nbsp;{{value.title}}
-	</a>
+    <entity-link value="value.extraData.case" target="target"></entity-link>
+    <a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
+        <i class=" glyphicon glyphicon-tasks"></i>
+        &nbsp;{{value.title}}
+    </a>
 </span>
 <span ng-if="value._type == 'case_task_log'">
-	<entity-link value="value.case_task" target="target"></entity-link>
-	<i class="text-muted wrap" class="glyphicon glyphicon-comment"></i>
+    <entity-link value="value.case_task" target="target"></entity-link>
+    <i class="text-muted wrap" class="glyphicon glyphicon-comment"></i>
 </span>
 <span ng-if="value._type == 'case_artifact'">
-	<entity-link value="value.case" target="target"></entity-link>
-	<a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
-		<i class="glyphicon glyphicon-pushpin"></i>
-		&nbsp;{{value.data | ellipsis:100}}{{value.attachment.name}}
-	</a>
+    <entity-link value="value.case" target="target"></entity-link>
+    <a class="text-muted wrap" href ng-click="openLink(entityUrl(value))">
+        <i class="glyphicon glyphicon-pushpin"></i>
+        &nbsp;{{value.data | ellipsis:100}}{{value.attachment.name}}
+    </a>
 </span>
 <span ng-if="value._type == 'case_artifact_job'">
-	<entity-link value="value.case_artifact" target="target"></entity-link>
+    <entity-link value="value.case_artifact" target="target"></entity-link>
 </span>
 
 <span ng-if="value._type == 'case_artifact_job_log'">
-	<entity-link value="value.case_artifact_job" target="target"></entity-link>
-	<i class="text-muted wrap" class=" glyphicon glyphicon-plus"></i>
+    <entity-link value="value.case_artifact_job" target="target"></entity-link>
+    <i class="text-muted wrap" class=" glyphicon glyphicon-plus"></i>
+</span>
+
+<span ng-if="value._type == 'Procedure'">
+    <entity-link value="value.case" target="target"></entity-link>
 </span>
 
 <span ng-if="value._type == 'analyzer'">
-	<i class="text-muted wrap" class=" glyphicon glyphicon-cog"></i>
-	ANALYZER / TODO
+    <i class="text-muted wrap" class=" glyphicon glyphicon-cog"></i>
+    ANALYZER / TODO
 </span>
diff --git a/frontend/app/views/directives/flow/action.html b/frontend/app/views/directives/flow/action.html
index cee267be57..ce31b2ffdf 100644
--- a/frontend/app/views/directives/flow/action.html
+++ b/frontend/app/views/directives/flow/action.html
@@ -11,10 +11,10 @@
     <div class="flow-item-updates wrap">
         <span ng-repeat="(k, v) in base.details" ng-switch="k">
             <div ng-switch-when="startDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-when="endDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-default>
                 {{k}}: <em>{{v | limitTo: 250}}</em>
diff --git a/frontend/app/views/directives/flow/alert.html b/frontend/app/views/directives/flow/alert.html
index 1941efcc91..c6cb860356 100644
--- a/frontend/app/views/directives/flow/alert.html
+++ b/frontend/app/views/directives/flow/alert.html
@@ -42,7 +42,7 @@
             <div ng-switch-when="tags">
                 {{k}}:
                 <span ng-repeat="tag in v">
-                    <span class="label label-primary">{{tag}}</span>
+                    <tag-item value="tag"></tag-item>
                 </span>
                 <span ng-if="v.length === 0">
                     <em>None</em>
diff --git a/frontend/app/views/directives/flow/case.html b/frontend/app/views/directives/flow/case.html
index a74c9f0f35..2cdff0c82d 100644
--- a/frontend/app/views/directives/flow/case.html
+++ b/frontend/app/views/directives/flow/case.html
@@ -28,17 +28,17 @@
             <div ng-switch-when="tags">
                 {{k}}:
                 <span ng-repeat="tag in v track by $index">
-                    <span class="label label-primary">{{tag}}</span>
+                    <tag-item value="tag"></tag-item>
                 </span>
                 <span ng-if="v.length === 0">
                     <em>None</em>
                 </span>
             </div>
             <div ng-switch-when="startDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-when="endDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-when="tlp">
                 {{k}}: <tlp format="'static'" value="v"></tlp>
@@ -47,7 +47,7 @@
                 {{k}}: <tlp format="'static'" value="v" namespace="PAP"></tlp>
             </div>
             <div ng-switch-when="owner">
-                {{k}}:                
+                {{k}}:
                 <em><user-info value="v" field="name"></user-info></em>
             </div>
             <div ng-switch-default>
diff --git a/frontend/app/views/directives/flow/flow.html b/frontend/app/views/directives/flow/flow.html
index 03a9bab26b..8ace7d2eba 100644
--- a/frontend/app/views/directives/flow/flow.html
+++ b/frontend/app/views/directives/flow/flow.html
@@ -11,5 +11,6 @@
         <flow-item target="targetWindow" type="caseTemplate" data="value" ng-switch-when="casetemplate"></flow-item>
         <flow-item target="targetWindow" type="organisation" data="value" ng-switch-when="organisation"></flow-item>
         <flow-item target="targetWindow" type="dashboard" data="value" ng-switch-when="dashboard"></flow-item>
+        <flow-item target="targetWindow" type="procedure" data="value" ng-switch-when="procedure"></flow-item>
 	</div>
 </div>
diff --git a/frontend/app/views/directives/flow/observable-job.html b/frontend/app/views/directives/flow/observable-job.html
index d84482cc36..197d15613d 100644
--- a/frontend/app/views/directives/flow/observable-job.html
+++ b/frontend/app/views/directives/flow/observable-job.html
@@ -11,10 +11,10 @@
     <div class="flow-item-updates wrap">
         <span ng-repeat="(k, v) in base.details" ng-switch="k">
             <div ng-switch-when="startDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-when="endDate">
-                {{k}}: <em>{{v | showDate}}</em>
+                {{k}}: <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-default>
                 {{k}}: <em>{{v | limitTo: 250}}</em>
diff --git a/frontend/app/views/directives/flow/observable.html b/frontend/app/views/directives/flow/observable.html
index 638736ac5a..5b1b6e5889 100644
--- a/frontend/app/views/directives/flow/observable.html
+++ b/frontend/app/views/directives/flow/observable.html
@@ -17,9 +17,9 @@
     <div class="flow-item-updates wrap" ng-switch-when="Creation">
         <div ng-if="base.object.message">description: {{base.object.message| limitTo: 250}}</div>
         <div ng-if="base.object.tags.length > 0">
-            Tags: 
+            Tags:
             <span ng-repeat="tag in base.object.tags">
-                <span class="label label-primary">{{tag}}</span>
+                <tag-item value="tag"></tag-item>
             </span>
         </div>
     </div>
@@ -32,7 +32,7 @@
             <div ng-switch-when="tags">
                 {{k}}:
                 <span ng-repeat="tag in v">
-                    <span class="label label-primary">{{tag}}</span>
+                    <tag-item value="tag"></tag-item>
                 </span>
                 <span ng-if="v.length === 0">
                     <em>None</em>
diff --git a/frontend/app/views/directives/flow/procedure.html b/frontend/app/views/directives/flow/procedure.html
new file mode 100644
index 0000000000..3fd1b95d0f
--- /dev/null
+++ b/frontend/app/views/directives/flow/procedure.html
@@ -0,0 +1,25 @@
+<div class="flow-task" ng-switch="base.operation">
+    <div class="flow-item-title">
+        <i class="glyphicon glyphicon-knight"></i>{{tactics[base.object.tactic].label}} - {{base.object.pattern.patternId}}: {{base.object.pattern.name}}
+    </div>
+    <div class="flow-item-updates" ng-switch-when="Creation">
+        <div>
+            occureDate: <span><em>{{base.details.occurDate | shortDate}}</em></span>
+        </div>
+        <div>
+            description: <span><em>{{(base.details.procedure || '-')| limitTo: 250}}</em></span>
+        </div>
+    </div>
+    <div class="flow-item-updates" ng-switch-default>
+        <span ng-repeat="(k, v) in base.details" ng-switch="k">
+            <div ng-switch-when="occurDate">
+                {{k}}:
+                <em>{{v | shortDate}}</em>
+            </div>
+            <div ng-switch-default>
+                {{k}}:
+                <em>{{v | limitTo: 250}}</em>
+            </div>
+        </span>
+    </div>
+</div>
diff --git a/frontend/app/views/directives/flow/task.html b/frontend/app/views/directives/flow/task.html
index 3f899e4c24..0c4de180ed 100644
--- a/frontend/app/views/directives/flow/task.html
+++ b/frontend/app/views/directives/flow/task.html
@@ -11,16 +11,16 @@
     <div class="flow-item-updates" ng-switch-default>
         <span ng-repeat="(k, v) in base.details" ng-switch="k">
             <div ng-switch-when="owner">
-                {{k}}:                
+                {{k}}:
                 <em><user-info value="v" field="name"></user-info></em>
             </div>
             <div ng-switch-when="startDate">
                 {{k}}:
-                <em>{{v | showDate}}</em>
+                <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-when="endDate">
                 {{k}}:
-                <em>{{v | showDate}}</em>
+                <em>{{v | shortDate}}</em>
             </div>
             <div ng-switch-default>
                 {{k}}:
diff --git a/frontend/app/views/directives/report-observables.html b/frontend/app/views/directives/report-observables.html
index a221402c9a..6efdd69d6a 100644
--- a/frontend/app/views/directives/report-observables.html
+++ b/frontend/app/views/directives/report-observables.html
@@ -56,10 +56,7 @@
                         <div class="case-tags flexwrap mt-xxs">
                             <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                             <strong class="text-muted mr-xxxs" ng-if="!observable.tags || observable.tags.length === 0">None</strong>
-                            <span class="label label-primary mb-xxxs mr-xxxs pointer"
-                                ng-repeat="tag in observable.tags track by $index">
-                                {{tag}}
-                            </span>
+                            <tag-item class="pointer" ng-repeat="tag in observable.tags track by $index" value="tag"></tag-item>
                         </div>
                     </td>
                     <td class="wrap">
diff --git a/frontend/app/views/directives/search/alert.html b/frontend/app/views/directives/search/alert.html
index 12f7240a89..b003bb28c0 100644
--- a/frontend/app/views/directives/search/alert.html
+++ b/frontend/app/views/directives/search/alert.html
@@ -12,7 +12,7 @@
 <div>
     <span>
         <i class="fa fa-calendar"></i> Date:
-        <strong class="text-muted">{{value.date | showDate}}</strong>
+        <strong class="text-muted">{{value.date | shortDate}}</strong>
     </span>
     <span class="ml-xxs">
         <i class="fa fa-certificate"></i> Type:
@@ -29,7 +29,7 @@
     <span class="ml-xxs">
         <i class="glyphicon glyphicon-pushpin"></i> Attributes:
         <strong class="text-muted">{{value.artifacts.length}}</strong>
-    </span>    
+    </span>
 </div>
 <div class="mt-xs wrap" ng-if="value.tags.length>0">
     <strong>Tags:</strong><tag-list data="value.tags"></tag-list>
diff --git a/frontend/app/views/directives/search/audit.html b/frontend/app/views/directives/search/audit.html
index 98e382ddf4..a329490db0 100644
--- a/frontend/app/views/directives/search/audit.html
+++ b/frontend/app/views/directives/search/audit.html
@@ -3,7 +3,7 @@
     by <user-info value="value.createdBy" field="name"></user-info>
 
     <i class="glyphicon glyphicon-calendar ml-xxs"></i>
-    Occurred on <span ng-bind="value.startDate | showDate"> </span>
+    Occurred on <span ng-bind="value.startDate | shortDate"> </span>
 </div>
 
 <div ng-switch="value.objectType">
@@ -23,17 +23,17 @@
             </a>
         </div>
         <div>
-            <i class="glyphicon glyphicon-user"></i>            
+            <i class="glyphicon glyphicon-user"></i>
             <user-info value="value.stats.owner" field="name"></user-info>
 
             <i class="glyphicon glyphicon-calendar ml-xxs"></i>
-            <span ng-bind="value.stats.startDate | showDate"></span>
+            <span ng-bind="value.stats.startDate | shortDate"></span>
 
             <span ng-if="value.stats.endDate" class="text-success">
                 (
                 <strong>Closed</strong>
                 on
-                {{value.stats.endDate | showDate}}
+                {{value.stats.endDate | shortDate}}
                 as
                 <strong>{{value.stats.resolutionStatus}}</strong>)
             </span>
@@ -80,7 +80,7 @@
         <div>
             <span>
                 <i class="fa fa-calendar"></i> Date:
-                <strong class="text-muted">{{value.stats.date | showDate}}</strong>
+                <strong class="text-muted">{{value.stats.date | shortDate}}</strong>
             </span>
             <span class="ml-xxs">
                 <i class="fa fa-certificate"></i> Type:
diff --git a/frontend/app/views/directives/search/case.html b/frontend/app/views/directives/search/case.html
index 91be942bd0..330c363d6f 100644
--- a/frontend/app/views/directives/search/case.html
+++ b/frontend/app/views/directives/search/case.html
@@ -8,13 +8,13 @@
     <user-info value="value.owner" field="name"></user-info>
 
     <i class="glyphicon glyphicon-calendar ml-xxs"></i>
-    <span ng-bind="value.startDate | showDate"></span>
+    <span ng-bind="value.startDate | shortDate"></span>
 
     <span ng-if="value.endDate" class="text-success">
         (
         <strong>Closed</strong>
         on
-        {{value.endDate | showDate}}
+        {{value.endDate | shortDate}}
         as
         <strong>{{value.resolutionStatus}}</strong>)
     </span>
diff --git a/frontend/app/views/directives/search/observable-job.html b/frontend/app/views/directives/search/observable-job.html
index bb04314d4f..42483fc035 100644
--- a/frontend/app/views/directives/search/observable-job.html
+++ b/frontend/app/views/directives/search/observable-job.html
@@ -8,13 +8,13 @@
     <user-info value="base.createdBy" field="name"></user-info>
 
     <i class="glyphicon glyphicon-calendar ml-xxs"></i>
-    Started on <span ng-bind="value.startDate | showDate"> </span>
+    Started on <span ng-bind="value.startDate | shortDate"> </span>
 
     <span ng-if="value.endDate" class="text-success">
         (
         <strong>Finished</strong>
         on
-        {{value.endDate | showDate}}
+        {{value.endDate | shortDate}}
         as
         <strong>{{value.status}}</strong>)
     </span>
diff --git a/frontend/app/views/directives/search/observable.html b/frontend/app/views/directives/search/observable.html
index 6e59010004..f86a2770eb 100644
--- a/frontend/app/views/directives/search/observable.html
+++ b/frontend/app/views/directives/search/observable.html
@@ -8,11 +8,11 @@
     </a>
 </div>
 <div>
-    <i class="glyphicon glyphicon-user"></i>    
+    <i class="glyphicon glyphicon-user"></i>
     <user-info value="value.createdBy" field="name"></user-info>
 
     <i class="glyphicon glyphicon-calendar ml-xxs"></i>
-    <span ng-bind="value.startDate | showDate"></span>
+    <span ng-bind="value.startDate | shortDate"></span>
 </div>
 <div class="mt-xs wrap" ng-if="value.tags.length>0">
     <strong>Tags:</strong><tag-list data="value.tags"></tag-list>
diff --git a/frontend/app/views/directives/search/task-log.html b/frontend/app/views/directives/search/task-log.html
index c243707b60..0b45d8ea48 100644
--- a/frontend/app/views/directives/search/task-log.html
+++ b/frontend/app/views/directives/search/task-log.html
@@ -5,7 +5,7 @@
 </div>
 <div>
     <i class="glyphicon glyphicon-calendar"></i>
-    <span ng-bind="value.startDate | showDate"></span>
+    <span ng-bind="value.startDate | shortDate"></span>
 
     <i class="glyphicon glyphicon-pushpin ml-xxs"></i>
     <span class="wrap" ng-bind="value.case_task.title"></span>
diff --git a/frontend/app/views/directives/search/task.html b/frontend/app/views/directives/search/task.html
index 6f6336764e..a74ac2d9c7 100644
--- a/frontend/app/views/directives/search/task.html
+++ b/frontend/app/views/directives/search/task.html
@@ -4,11 +4,11 @@
     </a>
 </div>
 <div>
-    <i class="glyphicon glyphicon-user"></i>    
+    <i class="glyphicon glyphicon-user"></i>
     <user-info value="value.owner" field="name"></user-info>
 
     <i class="glyphicon glyphicon-calendar ml-xxs" ng-if="value.startDate"></i>
-    <span ng-bind="value.startDate | showDate"></span>
+    <span ng-bind="value.startDate | shortDate"></span>
 </div>
 <div class="mt-xs wrap">
     <span ng-bind="(value.description || 'No Description') | limitTo: 250"></span>
diff --git a/frontend/app/views/directives/tag-input-item.html b/frontend/app/views/directives/tag-input-item.html
new file mode 100644
index 0000000000..c8493839d8
--- /dev/null
+++ b/frontend/app/views/directives/tag-input-item.html
@@ -0,0 +1,3 @@
+<span class="tag-item-border" tag-colour tag="$getDisplayText()">&nbsp;</span>
+<span ng-bind="$getDisplayText()"></span>
+<a class="remove-button" ng-click="$removeTag()" ng-bind="::$$removeTagSymbol"></a>
diff --git a/frontend/app/views/directives/tag-item.html b/frontend/app/views/directives/tag-item.html
new file mode 100644
index 0000000000..67beaf07df
--- /dev/null
+++ b/frontend/app/views/directives/tag-item.html
@@ -0,0 +1,3 @@
+<span class="label label-default label-tag mb-xxxs mr-xxxs"
+    style="border-left-color:{{bgColor}};">{{tag}}
+</span>
diff --git a/frontend/app/views/directives/tag-list.html b/frontend/app/views/directives/tag-list.html
index aaf6a2d7c8..86792dd24b 100644
--- a/frontend/app/views/directives/tag-list.html
+++ b/frontend/app/views/directives/tag-list.html
@@ -1,3 +1,3 @@
 <div class="tags-list flexwrap">
-    <span ng-repeat="tag in data track by $index" class="label label-primary mb-xxxs mr-xxxs">{{tag}}</span>
+    <tag-item ng-repeat="tag in data track by $index" value="tag"></tag-item>
 </div>
diff --git a/frontend/app/views/directives/task-progress.html b/frontend/app/views/directives/task-progress.html
index b95c5fbb5c..100d7e8b7a 100644
--- a/frontend/app/views/directives/task-progress.html
+++ b/frontend/app/views/directives/task-progress.html
@@ -1,4 +1,4 @@
-<div class="progress task-progress progress-bar-sm">
+<div class="progress task-progress progress-bar-sm mv-0">
     <div class="progress-bar progress-bar-danger" style="{{waiting}}" uib-tooltip="{{tasks.Waiting}} Waiting"></div>
     <div class="progress-bar progress-bar-success" style="{{completed}}" uib-tooltip="{{tasks.Completed}} Completed"></div>
     <div class="progress-bar progress-bar-warning" style="{{progress}}" uib-tooltip="{{tasks.InProgress}} In Progress"></div>
diff --git a/frontend/app/views/directives/updatable-colour.html b/frontend/app/views/directives/updatable-colour.html
new file mode 100644
index 0000000000..3b450087c2
--- /dev/null
+++ b/frontend/app/views/directives/updatable-colour.html
@@ -0,0 +1,31 @@
+<div class="updatable-input updatable-input-select">
+	<span class="updatable-input-value-wrapper" ng-hide="updatable.updating" ng-click="edit()">
+		<span ng-if="value!==null && value !==''" class="updatable-value"><i class="fa fa-stop" style="color: {{value}};"></i> {{value}}</span>
+		<span ng-if="value === null || value === undefined || value === ''" class="updatable-value text-warning"><em>Not Specified</em></span>
+
+		<small class="updatable-input-icon">
+			<i class="glyphicon glyphicon-pencil"></i>
+		</small>
+	</span>
+
+	<form ng-submit="update()" ng-show="updatable.updating">
+		<div class="input-group input-group-sm">
+            <input type="text" class="form-control" ng-model="value" placeholder="Colour" size="8">
+
+			<span class="input-group-btn">
+                <button colorpicker colorpicker-close-on-select class="btn btn-default" ng-model="value" type="button">
+                    <i class="fa fa-stop" style="color: {{value}};" ng-class="{'fa-stop': value, 'fa-ellipsis-h': !value}"></i>
+                </button>
+				<button class="btn btn-sm btn-default" type="submit">
+					<i class="text-success glyphicon glyphicon-ok"></i>
+				</button>
+				<button class="btn btn-sm btn-default" type="button" ng-click="cancel()">
+					<i class="text-danger glyphicon glyphicon-remove"></i>
+				</button>
+				<button class="btn btn-sm btn-default" type="button" ng-click="clear()" ng-if="clearable === true">
+					<i class="text-danger glyphicon glyphicon-erase"></i>
+				</button>
+	        </span>
+		</div>
+	</form>
+</div>
diff --git a/frontend/app/views/directives/updatable-tag-list.html b/frontend/app/views/directives/updatable-tag-list.html
new file mode 100644
index 0000000000..71d16cc082
--- /dev/null
+++ b/frontend/app/views/directives/updatable-tag-list.html
@@ -0,0 +1,38 @@
+<div class="updatable-input updatable-input-tags-list">
+    <span class="updatable-input-value-wrapper" ng-hide="updatable.updating" ng-click="edit()"
+        ng-class="{'tags-list flexwrap': value.length > 0}">
+        <span class="updatable-value text-warning" ng-show="!value || value.length === 0"><em>Not Specified</em></span>
+
+        <tag-item ng-repeat="tag in value" value="tag.text"></tag-item>
+
+        <small class="updatable-input-icon" ng-class="{'lg': value.length > 0}">
+            <i class="glyphicon glyphicon-pencil"></i>
+        </small>
+    </span>
+
+    <span ng-show="updatable.updating">
+        <div class="form-group">
+            <tags-input class="ti-input-sm ti-tag-selector" min-length="2" ng-model="value" placeholder="Add labels" replace-spaces-with-dashes="false"
+                template="views/directives/tag-input-item.html" tag-class="label-primary">
+                <auto-complete ng-if="source" min-length="3" debounce-delay="400" source="source($query)"></auto-complete>
+            </tags-input>
+        </div>
+        <div class="btn-group btn-group-sm">
+            <button type="button" class="btn btn-sm btn-default" ng-click='update()'>
+                <i class="text-success glyphicon glyphicon-ok"></i>
+            </button>
+            <button type="button" class="btn btn-sm btn-default" ng-click='cancel()'>
+                <i class="text-danger glyphicon glyphicon-remove"></i>
+            </button>
+            <button class="btn btn-sm btn-default" type="button" ng-click="clear()" ng-if="clearable === true">
+                <i class="text-danger glyphicon glyphicon-erase"></i>
+            </button>
+        </div>
+
+        <div class="btn-group btn-group-sm pull-right">
+            <button class="btn btn-sm btn-default" type="button" ng-click="$cmp.fromLibrary()">
+                <i class="glyphicon glyphicon-plus"></i> Add from Library
+            </button>
+        </div>
+    </span>
+</div>
diff --git a/frontend/app/views/directives/updatable-tag.html b/frontend/app/views/directives/updatable-tag.html
new file mode 100644
index 0000000000..4dc9d724c6
--- /dev/null
+++ b/frontend/app/views/directives/updatable-tag.html
@@ -0,0 +1,26 @@
+<div class="updatable-input updatable-input-text">
+	<span class="updatable-input-value-wrapper pb-xxxs" ng-hide="updatable.updating" ng-click="edit()">
+		<span ng-if="value!==null && value !==''" class="updatable-value"><tag-item value="value" colour="colour"></tag-item></span>
+		<span ng-if="value===null || value ===''" class="updatable-value text-warning"><em>Not Specified</em></span>
+
+		<small class="updatable-input-icon">
+			<i class="glyphicon glyphicon-pencil"></i>
+		</small>
+	</span>
+
+	<form ng-submit="update()" ng-show="updatable.updating">
+		<div class="input-group input-group-sm">
+
+			<input type="text" class="form-control input-sm" ng-model="value" autofocus="autofocus" required>
+
+			<span class="input-group-btn">
+				<button class="btn btn-sm btn-default" type="submit" ng-disabled="!value">
+					<i class="text-success glyphicon glyphicon-ok"></i>
+				</button>
+				<button class="btn btn-sm btn-default" type="button" ng-click="cancel()">
+					<i class="text-danger glyphicon glyphicon-remove"></i>
+				</button>
+	        </span>
+		</div>
+	</form>
+</div>
diff --git a/frontend/app/views/directives/updatable-text.html b/frontend/app/views/directives/updatable-text.html
index ef2ec25a26..634725c570 100644
--- a/frontend/app/views/directives/updatable-text.html
+++ b/frontend/app/views/directives/updatable-text.html
@@ -10,7 +10,7 @@
 
     <!-- Display empty text -->
     <span ng-if="!updatable.updating && value.length >0" class="updatable-input-value-wrapper updatable-input-markdown">
-        <small class="updatable-input-icon" ng-click="edit()">
+        <small class="updatable-input-icon clickable" ng-click="edit()">
             <i class="glyphicon glyphicon-pencil"></i>
         </small>
 
diff --git a/frontend/app/views/login.html b/frontend/app/views/login.html
index d4dfdd4229..c27a3b4977 100644
--- a/frontend/app/views/login.html
+++ b/frontend/app/views/login.html
@@ -1,3 +1,12 @@
+<div class="container-fluid mt-xs">
+    <div class="text-danger" ng-repeat="schema in appConfig.schemaStatus" ng-if="schema.error">
+        <div class="callout callout-danger">
+            <h4>Error in {{schema.name}} schema: expected version {{schema.expectedVersion}}, got {{schema.currentVersion}}</h4>
+            <p>Please contact the administrator</p>
+        </div>
+    </div>
+</div>
+
 <div class="login-box">
     <div class="login-logo">
         <img src="images/logo.svg" height="70"/>
diff --git a/frontend/app/views/partials/admin/attack/import.html b/frontend/app/views/partials/admin/attack/import.html
new file mode 100644
index 0000000000..0a8fbc0786
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/import.html
@@ -0,0 +1,22 @@
+<form class="" name="form" ng-submit="$vm.ok()">
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">Import MITRE ATT&CK patterns</h3>
+    </div>
+    <div class="modal-body">
+
+        <div class="filter-panel mb-s">
+            <h4>Download the official MITRE ATT&CK library</h4>
+            <p>You can download the latest archive of the official MITRE ATT&CK patterns <a target="_blank" href="https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json?version=TheHive-{{$vm.appConfig.versions.TheHive}}">from here</a></p>
+        </div>
+
+        <div class="form-group">
+            <label class="control-label">MITRE ATT&CK patterns</label>
+            <input type="hidden" name="attachment" ng-model="$vm.formData.attachment.status" required>
+            <div file-chooser="" filemodel="$vm.formData.attachment"></div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$vm.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="submit" ng-disabled="form.$invalid">Yes, Import it</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/admin/attack/list.html b/frontend/app/views/partials/admin/attack/list.html
new file mode 100644
index 0000000000..1b89131e2b
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list.html
@@ -0,0 +1,100 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="box">
+            <div class="box-header with-border">
+                <h3 class="box-title">List of ATT&CK patterns ({{$vm.list.values.length || 0}} of {{$vm.list.total}})</h3>
+            </div>
+            <div class="box-body">
+                <div ng-include="'views/partials/admin/attack/list/toolbar.html'"></div>
+
+                <div class="mt-xs filter-panel" ng-include="'views/partials/admin/attack/list/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+                <div class="row mt-xs">
+                    <div class="col-md-12 clearfix">
+
+                        <filters-preview filters="$vm.filtering.context.filters"
+                            on-clear-item="$vm.removeFilter(field)"
+                            on-clear-all="$vm.clearFilters()"></filters-preview>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === false && $vm.list.values.length === 0">
+                    <div class="col-md-12">
+                        <div class="empty-message">No ATT&CK patterns found.</div>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === true">
+                    <div class="col-md-12">
+                        <div class="loading-message">
+                            <i class="fa fa-circle-o-notch fa-spin fa-fw"></i>
+                            <span>loading patterns...</span>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Datalist  -->
+                <div class="row mt-s" ng-if="$vm.loading === false && $vm.list.values.length > 0">
+                    <psearch control="$vm.list"></psearch>
+
+                    <div class="col-md-12">
+                        <table class="table table-striped case-list">
+                            <thead>
+                                <tr>
+                                    <th width="100">ID</th>
+                                    <th width="200">Name</th>
+                                    <th width="200">Sub-Technique of</th>
+                                    <th width="200">Tactics</th>
+                                    <th>Description</th>
+                                    <th width="120"></th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                                <tr ng-repeat="pattern in $vm.list.values">
+                                    <td>
+                                        <a href ng-click="$vm.show(pattern.patternId)">{{::pattern.patternId}}</a>
+                                    </td>
+                                    <td ng-class="{'text-danger': pattern.revoked}">{{::pattern.name}}</td>
+                                    <td>
+                                        <span ng-if="!pattern.extraData.parent">-</span>
+                                        <span ng-if="::pattern.extraData.parent">
+                                            <a href ng-click="$vm.show(pattern.extraData.parent.patternId)" class="mr-xxs">{{::pattern.extraData.parent.patternId}}</a>
+                                            <a href ng-click="$vm.addFilterValue('parent', pattern.extraData.parent.patternId)"><i class="fa fa-filter"></i></a>
+                                        </span>
+
+                                    </td>
+                                    <td>
+                                        <div ng-repeat="tactic in ::pattern.tactics" class="mb-xxs">
+                                            <span class="label label-default clickable" ng-click="$vm.addFilterValue('tactics', tactic)">{{tactic}}</span>
+                                        </div>
+                                    </td>
+                                    <td class="wrap">
+                                        {{::pattern.description | limitTo:250}}...
+                                    </td>
+                                    <td class="clearfix">
+                                        <div class="pull-right">
+                                            <a class="btn btn-icon btn-clear" href="{{::pattern.url}}" target="_blank">
+                                                <i class="text-primary fa fa-external-link"></i>
+                                            </a>
+
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.show(pattern.patternId)" uib-tooltip="Show pattern">
+                                                <i class="text-primary fa fa-search"></i>
+                                            </a>
+<!--
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.remove(pattern)" uib-tooltip="Delete pattern">
+                                                <i class="text-danger fa fa-trash"></i>
+                                            </a> -->
+                                        </div>
+
+                                    </td>
+                                </tr>
+                            </tbody>
+                        </table>
+                    </div>
+
+                    <psearch control="$vm.list"></psearch>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/list/filters.html b/frontend/app/views/partials/admin/attack/list/filters.html
new file mode 100644
index 0000000000..431c826ca5
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list/filters.html
@@ -0,0 +1,38 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/list/toolbar.html b/frontend/app/views/partials/admin/attack/list/toolbar.html
new file mode 100644
index 0000000000..96afe4ba9e
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list/toolbar.html
@@ -0,0 +1,21 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+            <div class="btn-group">
+                <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.import()">
+                    <i class="fa fa-plus"></i>
+                    Import MITRE ATT&CK Patterns
+                </button>
+            </div>
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/view.html b/frontend/app/views/partials/admin/attack/view.html
new file mode 100644
index 0000000000..fb18b589cf
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/view.html
@@ -0,0 +1,182 @@
+<form class="form">
+    <div class="modal-header" ng-class="{'bg-primary': !!!$modal.pattern.revoked, 'bg-danger': !!$modal.pattern.revoked}">
+        <h3 class="modal-title">{{$modal.pattern.isSubTechnique ? ($modal.pattern.parentName + ': ') : ''}}{{::$modal.pattern.name}}
+            <span ng-if="$modal.pattern.revoked" class="label label-danger">Revoked</span>
+        </h3>
+    </div>
+
+    <div class="modal-body">
+        <div class="row">
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>{{::$modal.pattern.isSubTechnique ? 'Sub-technique' : 'Technique'}} Name</label>
+                    <div>{{::$modal.pattern.name}}</div>
+                </div>
+            </div>
+            <div class="col-sm-4" ng-if="::$modal.pattern.isSubTechnique">
+                <div class="form-group">
+                    <label>Sub-Technique of</label>
+                    <div>{{::$modal.pattern.parentName || '-'}}</div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>URL</label>
+                    <div>
+                        <a href="{{::$modal.pattern.url}}" target="_blank">
+                            {{::$modal.pattern.url}}<i class="fa fa-external-link ml-xxxs"></i>
+                        </a>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Tactics</label>
+                    <div ng-if="::$modal.pattern.tactics.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="tactic in ::$modal.pattern.tactics" class="mb-xxs">
+                        <span class="label label-default">{{tactic}}</span>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Data Sources</label>
+                    <div ng-if="::$modal.pattern.dataSources.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="ds in ::$modal.pattern.dataSources" class="mb-xxs">
+                        <span class="label label-default">{{ds}}</span>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Platforms</label>
+                    <div ng-if="::$modal.pattern.platforms.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="platform in ::$modal.pattern.platforms" class="mb-xxs">
+                        <span class="label label-default">{{platform}}</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Defense Bypassed</label>
+                    <div ng-if="::$modal.pattern.defenseBypassed.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="defense in ::$modal.pattern.defenseBypassed" class="mb-xxs">
+                        <span class="label label-default">{{defense}}</span>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Permissions Required</label>
+                    <div ng-if="::$modal.pattern.permissionsRequired.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="perm in ::$modal.pattern.permissionsRequired" class="mb-xxs">
+                        <span class="label label-default">{{perm}}</span>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>System Requirements</label>
+                    <div ng-if="::$modal.pattern.systemRequirements.length === 0">
+                        <em class="text-muted">None</em>
+                    </div>
+                    <div ng-repeat="req in ::$modal.pattern.systemRequirements" class="mb-xxs">
+                        <span class="label label-default">{{req}}</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Remote Support</label>
+                    <div>{{!!$modal.pattern.remoteSupport}}</div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Capec ID</label>
+                    <div ng-if="$modal.pattern.capecId">
+                        {{::$modal.pattern.capecId}}
+                    </div>
+                    <div ng-if="!$modal.pattern.capecId">
+                        <em class="text-muted">None</em>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-4">
+                <div class="form-group">
+                    <label>Capec URL</label>
+                    <div ng-if="$modal.pattern.capecUrl">
+                        <a href="{{::$modal.pattern.capecUrl}}" target="_blank">
+                            {{::$modal.pattern.capecUrl}} <i class="fa fa-external-link ml-xxxs"></i>
+                        </a>
+                    </div>
+                    <div ng-if="!$modal.pattern.capecUrl">
+                        <em class="text-muted">None</em>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="form-group">
+            <label>Description</label>
+            <div ng-if="$modal.pattern.description">
+                {{::$modal.pattern.description}}
+            </div>
+            <div ng-if="!$modal.pattern.description">
+                <em class="text-muted">None</em>
+            </div>
+        </div>
+
+        <div class="row" ng-if="$modal.pattern.extraData.children.length > 0">
+            <div class="col-sm-12">
+                <table class="table table-striped">
+                    <thead>
+                        <tr>
+                            <th class="pl-0" width="200">ID</th>
+                            <th>Name</th>
+                            <th>Tactics</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <tr ng-repeat="p in $modal.pattern.extraData.children">
+                            <td>
+                                {{::p.patternId}}
+                                <a class="ml-xxs" href="{{::p.url}}" target="_blank">
+                                    <i class="text-primary fa fa-external-link"></i>
+                                </a>
+                            </td>
+                            <td>{{::p.name}}</td>
+                            <td>
+                                <span ng-repeat="tactic in p.tactics" class="label label-default mr-xxxs mb-xxxs">{{tactic}}</span>
+                            </td>
+                        </tr>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-primary pull-right"
+            ng-class="{'btn-primary': !!!$modal.pattern.revoked, 'btn-danger': !!$modal.pattern.revoked}"
+            type="button" ng-click="$modal.cancel()">Close</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/admin/organisation/case-templates/list.html b/frontend/app/views/partials/admin/organisation/case-templates/list.html
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/frontend/app/views/partials/admin/organisation/details.html b/frontend/app/views/partials/admin/organisation/details.html
index a019828945..6859dd9a96 100644
--- a/frontend/app/views/partials/admin/organisation/details.html
+++ b/frontend/app/views/partials/admin/organisation/details.html
@@ -27,7 +27,7 @@ <h3 class="box-title">
                             </span>
                             <span>
                                 <i class="glyphicon glyphicon-calendar"></i>
-                                <span class="mr-xxxs">{{$vm.org.createdAt | showDate}}</span>
+                                <span class="mr-xxxs">{{$vm.org.createdAt | shortDate}}</span>
                             </span>
                             <span ng-if="$vm.org.links.length > 0">
                                 <i class="fa fa-link"></i>
@@ -108,6 +108,7 @@ <h4>
                                 on-reload="$vm.loadUsers()"
                                 on-edit="$vm.showUserDialog(user)"
                                 on-sort="$vm.sortByField(field)"
+                                on-filter="$vm.addFilterValue(field, value)"
                                 sort="$vm.filtering.context.sort"
                                 set-password-enabled="$vm.canSetPass"
                                 mfa-enabled="$vm.canChangeMfa"></org-user-list>
@@ -121,10 +122,21 @@ <h4>
                             </span>
                         </uib-tab-heading>
                         <div if-permission="manageCaseTemplate">
-                            <org-case-template-list fields="$vm.fields" templates="$vm.templates"></org-case-template-list>
+                            <org-case-template-list fields="$vm.fields" templates="$vm.templates" organisation="$vm.org"></org-case-template-list>
+                        </div>
+                    </uib-tab>
+                    <uib-tab index="2" if-permission="manageTag">
+                        <uib-tab-heading>
+                            <span>
+                                <i class="mr-xxs fa fa-tag"></i>
+                                Custom Tags
+                            </span>
+                        </uib-tab-heading>
+                        <div if-permission="manageTag">
+                            <org-custom-tags-list organisation="$vm.org"></org-custom-tags-list>
                         </div>
                     </uib-tab>
-                    <uib-tab index="2" if-permission="manageConfig">
+                    <uib-tab index="3" if-permission="manageConfig">
                         <uib-tab-heading>
                             <span>
                                 <i class="mr-xxs fa fa-cogs"></i>
diff --git a/frontend/app/views/partials/admin/organisation/list.html b/frontend/app/views/partials/admin/organisation/list.html
index 9f032078f8..f4e3665039 100644
--- a/frontend/app/views/partials/admin/organisation/list.html
+++ b/frontend/app/views/partials/admin/organisation/list.html
@@ -2,25 +2,67 @@
     <div class="col-md-12">
         <div class="box">
             <div class="box-header with-border">
-                <h3 class="box-title">List of organisations</h3>
+                <h3 class="box-title">List of organisations ({{$vm.list.values.length || 0}} of {{$vm.list.total}})</h3>
             </div>
             <div class="box-body">
                 <div ng-include="'views/partials/admin/organisation/list/toolbar.html'"></div>
 
+                <div class="mt-xs filter-panel" ng-include="'views/partials/admin/organisation/list/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+                <!-- Filters preview  -->
+                <div class="row mt-xs">
+                    <div class="col-md-12 clearfix">
+                        <filters-preview filters="$vm.filtering.context.filters"
+                            on-clear-item="$vm.removeFilter(field)"
+                            on-clear-all="$vm.clearFilters()"></filters-preview>
+                    </div>
+                </div>
+
                 <!-- Datalist  -->
                 <div class="row mt-s">
                     <div class="col-md-12">
+                        <psearch control="$vm.list"></psearch>
+
                         <table class="table table-striped case-list">
                             <thead>
                                 <tr>
-                                    <th>Name</th>
-                                    <th style="width: 300px">Created By</th>
-                                    <th style="width: 160px">Created At</th>
+                                    <th>
+                                        <a href class="text-default" ng-click="$vm.sortByField('name')">
+                                            Name
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+name') === -1 && $vm.filtering.context.sort.indexOf('-name') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+name') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-name') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 300px">
+                                        <a href class="text-default" ng-click="$vm.sortByField('_createdBy')">
+                                            Created By
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdBy') === -1 && $vm.filtering.context.sort.indexOf('-_createdBy') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdBy') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdBy') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 160px">
+                                        Dates
+
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                                            C.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') === -1 && $vm.filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                                            U.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
                                     <th style="width: 250px"></th>
                                 </tr>
                             </thead>
                             <tbody>
-                                <tr ng-repeat="org in $vm.list">
+                                <tr ng-repeat="org in $vm.list.values">
                                     <td>
                                         <div class="org-name">
                                             <a ui-sref="app.administration.organisations-details({organisation: org.name})">{{::org.name}}</a>
@@ -39,9 +81,16 @@ <h3 class="box-title">List of organisations</h3>
                                     </td>
 
                                     <td class="clearfix">
-                                      <user user-id="org.createdBy" icon-only="false" icon-size="m"></user>
+                                      <user user-id="org._createdBy" icon-only="false" icon-size="m"></user>
+                                    </td>
+                                    <td>
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                                            C. <a href ng-click="$vm.addFilterValue('_createdAt', org._createdAt)">{{org._createdAt | shortDate}}</a>
+                                        </div>
+                                        <div ng-if="org._updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                                            U. <a href ng-click="$vm.addFilterValue('_updatedAt', org._updatedAt)">{{org._updatedAt | shortDate}}</a>
+                                        </div>
                                     </td>
-                                    <td>{{org.createdAt | showDate}}</td>
                                     <td>
                                         <span class="mr-xs text-primary">
                                             <a ui-sref="app.administration.organisations-details({organisation: org.name})">
@@ -59,6 +108,8 @@ <h3 class="box-title">List of organisations</h3>
                                 </tr>
                             </tbody>
                         </table>
+
+                        <psearch control="$vm.list"></psearch>
                     </div>
                 </div>
             </div>
diff --git a/frontend/app/views/partials/admin/organisation/list/link.modal.html b/frontend/app/views/partials/admin/organisation/list/link.modal.html
index 1c1efcb716..2640cdaf88 100644
--- a/frontend/app/views/partials/admin/organisation/list/link.modal.html
+++ b/frontend/app/views/partials/admin/organisation/list/link.modal.html
@@ -34,7 +34,7 @@ <h3 class="modal-title">Manage organisation links</h3>
                             {{org.name}}
                         </td>
                         <td>
-                            {{org.createdAt | showDate}}
+                            {{org.createdAt | shortDate}}
                         </td>
                     </tr>
                 </tbody>
diff --git a/frontend/app/views/partials/admin/organisation/list/toolbar.html b/frontend/app/views/partials/admin/organisation/list/toolbar.html
index 0a51cd7f65..c5a259003c 100644
--- a/frontend/app/views/partials/admin/organisation/list/toolbar.html
+++ b/frontend/app/views/partials/admin/organisation/list/toolbar.html
@@ -1,12 +1,23 @@
 <div class="row">
     <div class="col-md-12">
         <div class="btn-toolbar" role="toolbar">
+
             <div class="btn-group">
                 <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.showNewOrg('add')">
                     <i class="fa fa-plus"></i>
                     New Organisation
                 </button>
             </div>
+
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
         </div>
     </div>
 </div>
diff --git a/frontend/app/views/partials/admin/platform/status.html b/frontend/app/views/partials/admin/platform/status.html
new file mode 100644
index 0000000000..e514771def
--- /dev/null
+++ b/frontend/app/views/partials/admin/platform/status.html
@@ -0,0 +1,115 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="box">
+            <div class="box-header">
+                <h3 class="box-title">Platform Status</h3>
+            </div>
+
+            <div class="box-body">
+                <div class="row mb-xs">
+                    <div class="col-md-12">
+                        <div class="btn-toolbar" role="toolbar">
+                            <div class="btn-group">
+                                <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.exportReport()">
+                                    <i class="fa fa-save"></i>
+                                    Export status report
+                                </button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <h4 class="text-primary mt-m">Database Schema status</h4>
+                <div class="flex-table">
+                    <div class="flex-header mt-xs">
+                        <div class="flex-col flex-w-120 text-center">Status</div>
+                        <div class="flex-col flex-2">Schema name</div>
+                        <div class="flex-col flex-1">Schema version</div>
+                    </div>
+                    <div ng-repeat="schema in $vm.appConfig.schemaStatus" class="flex-table">
+                        <div class="flex-row mt-xs">
+                            <div class="flex-col flex-w-120 vertical centered">
+                                <span class="label label-lg label-default" ng-class="{
+                                        true: 'label-success',
+                                        false: 'label-danger'}[schema.error === null]">{{schema.error === null ? 'OK' : 'ERROR'}}</span>
+                            </div>
+                            <div class="flex-col flex-2">
+                                <h4 class="media-heading text-primary">
+                                    {{schema.name}}
+                                </h4>
+                                <div ng-if="schema.error" class="text-danger">
+                                    <p>{{schema.error}}</p>
+                                </div>
+                            </div>
+
+                            <div class="flex-col flex-1 vertical">
+                                {{schema.currentVersion}}
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <h4 class="text-primary mt-m">Data index status <small class="ml-m clickable" ng-click="$vm.loadIndexStatus()"><i class="fa fa-refresh"></i> Reload</small></h4>
+                <div class="empty-message" ng-if="$vm.loading.index">Loading index status...</div>
+                <div class="flex-table" ng-show="!$vm.loading.index">
+                    <div class="flex-header mt-xs">
+                        <div class="flex-col flex-w-120 text-center">Status</div>
+                        <div class="flex-col flex-2">Index name</div>
+                        <div class="flex-col flex-1"># Entities</div>
+                        <div class="flex-col flex-w-100"></div>
+                    </div>
+                    <div ng-repeat="(indexName, data) in $vm.indexStatus" class="flex-table">
+                        <div class="flex-row mt-xs">
+                            <div class="flex-col flex-w-120 vertical centered">
+                                <span class="label label-lg label-default" ng-class="{
+                                        'OK': 'label-success',
+                                        'Error': 'label-danger'}[data.status]">{{data.status | uppercase}}</span>
+                            </div>
+                            <div class="flex-col flex-2 vertical">
+                                <h4 class="media-heading text-primary">
+                                    {{indexName}}
+                                </h4>
+                            </div>
+
+                            <div class="flex-col flex-1 vertical">
+                                <span class="label label-lg label-default">
+                                    {{data.mixedCount}}
+                                </span>
+                            </div>
+
+                            <div class="flex-col flex-w-100">
+                                <a href class="text-primary" ng-click="$vm.reindex(indexName)"><i class="fa fa-edit mr-xxxs"></i> Reindex</a>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+
+                <h4 class="text-primary mt-m">Database integrity check</h4>
+                <div class="empty-message" ng-if="$vm.loading.check">Loading data health stats...</div>
+                <div class="flex-table" ng-show="!$vm.loading.check">
+                    <div class="flex-header mt-xs">
+                        <div class="flex-col flex-1">Control name</div>
+                        <div class="flex-col flex-w-100"></div>
+                    </div>
+                    <div ng-repeat="(checkName, data) in $vm.checkStats" class="flex-table">
+                        <div class="flex-row mt-xs">
+                            <div class="flex-col flex-1 vertical">
+                                <h4 class="media-heading text-primary">
+                                    {{checkName}}
+                                </h4>
+                            </div>
+
+                            <div class="flex-col flex-w-100">
+                                <a href class="text-primary" ng-click="$vm.checkControl(checkName)"><i
+                                        class="fa fa-edit mr-xxxs"></i> Trigger</a>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/taxonomy/import.html b/frontend/app/views/partials/admin/taxonomy/import.html
new file mode 100644
index 0000000000..634dce0d94
--- /dev/null
+++ b/frontend/app/views/partials/admin/taxonomy/import.html
@@ -0,0 +1,26 @@
+<form class="" name="form" ng-submit="$vm.ok()">
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">Import taxonomies archive</h3>
+    </div>
+    <div class="modal-body">
+
+        <div class="filter-panel mb-s">
+            <h4>Download the official MISP taxonomies archive</h4>
+            <p>You can download the latest archive of the official MISP Taxonomies <a target="_blank" href="https://github.com/MISP/misp-taxonomies/archive/main.zip?version=TheHive-{{$vm.appConfig.versions.TheHive}}">from here</a></p>
+        </div>
+
+        <div class="form-group">
+            <label class="control-label">Taxonomies archive</label>
+            <input type="hidden" name="attachment" ng-model="$vm.formData.attachment.status" required>
+            <div file-chooser="" filemodel="$vm.formData.attachment"></div>
+
+            <p class="help-block">
+                The taxonomies archive must be a valid ZIP file containing at least one file names <em>machinetag.json</em>
+            </p>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$vm.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="submit" ng-disabled="form.$invalid">Yes, Import it</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/admin/taxonomy/list.html b/frontend/app/views/partials/admin/taxonomy/list.html
new file mode 100644
index 0000000000..f8aa93d385
--- /dev/null
+++ b/frontend/app/views/partials/admin/taxonomy/list.html
@@ -0,0 +1,107 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="box">
+            <div class="box-header with-border">
+                <h3 class="box-title">List of taxonomies</h3>
+            </div>
+            <div class="box-body">
+                <div ng-include="'views/partials/admin/taxonomy/list/toolbar.html'"></div>
+
+                <div class="mt-xs filter-panel" ng-include="'views/partials/admin/taxonomy/list/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+                <div class="row mt-xs">
+                    <div class="col-md-12 clearfix">
+
+                        <filters-preview filters="$vm.filtering.context.filters"
+                            on-clear-item="$vm.removeFilter(field)"
+                            on-clear-all="$vm.clearFilters()"></filters-preview>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === false && $vm.list.values.length === 0">
+                    <div class="col-md-12">
+                        <div class="empty-message">No taxnomies found.</div>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === true">
+                    <div class="col-md-12">
+                        <div class="loading-message">
+                            <i class="fa fa-circle-o-notch fa-spin fa-fw"></i>
+                            <span>loading taxonomies...</span>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Datalist  -->
+                <div class="row mt-s" ng-if="$vm.loading === false && $vm.list.values.length > 0">
+                    <psearch control="$vm.list"></psearch>
+
+                    <div class="col-md-12">
+                        <table class="table table-striped case-list">
+                            <thead>
+                                <tr>
+                                    <th width="10"></th>
+                                    <th width="300">Namespace</th>
+                                    <th>Description</th>
+                                    <th width="100" class="text-center">Version</th>
+                                    <th width="80" class="text-center"># Tags</th>
+                                    <th width="120"></th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                                <tr ng-repeat="taxonomy in $vm.list.values">
+                                    <td>
+                                        <span class="clickable" ng-click="$vm.addFilterValue('enabled', !!taxonomy.extraData.enabled)">
+                                            <i class="fa" ng-class="{
+                                                    true: 'text-tlp-green fa-circle',
+                                                    false: 'text-tlp-red fa-circle',
+                                                }[!!taxonomy.extraData.enabled]"></i>
+                                        </span>
+                                    </td>
+                                    <td>
+                                        <div class="taxonomy-name">
+                                            <a href ng-click="$vm.show(taxonomy)">{{::taxonomy.namespace}}</a>
+                                        </div>
+                                    </td>
+                                    <td class="wrap">
+                                        {{::taxonomy.description}}
+                                    </td>
+                                    <td class="text-center">
+                                        {{::taxonomy.version}}
+                                    </td>
+                                    <td class="text-center">
+                                        {{::taxonomy.tags.length}}
+                                    </td>
+                                    <td class="clearfix">
+                                        <div class="pull-right">
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.toggleActive(taxonomy)"
+                                                uib-tooltip="{{!!taxonomy.extraData.enabled ? 'Disable taxonomy' : 'Enable taxonomy'}}">
+
+                                                <i class="fa" ng-class="{
+                                                    true: 'fa-times-circle text-danger',
+                                                    false: 'fa-check-circle text-success'
+                                                }[!!taxonomy.extraData.enabled]"></i>
+                                            </a>
+
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.show(taxonomy)" uib-tooltip="Edit taxonomy">
+                                                <i class="text-primary fa fa-search"></i>
+                                            </a>
+
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.remove(taxonomy)" uib-tooltip="Delete taxonomy">
+                                                <i class="text-danger fa fa-trash"></i>
+                                            </a>
+                                        </div>
+
+                                    </td>
+                                </tr>
+                            </tbody>
+                        </table>
+                    </div>
+
+                    <psearch control="$vm.list"></psearch>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/taxonomy/list/filters.html b/frontend/app/views/partials/admin/taxonomy/list/filters.html
new file mode 100644
index 0000000000..431c826ca5
--- /dev/null
+++ b/frontend/app/views/partials/admin/taxonomy/list/filters.html
@@ -0,0 +1,38 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/taxonomy/list/toolbar.html b/frontend/app/views/partials/admin/taxonomy/list/toolbar.html
new file mode 100644
index 0000000000..87fe159685
--- /dev/null
+++ b/frontend/app/views/partials/admin/taxonomy/list/toolbar.html
@@ -0,0 +1,21 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+            <div class="btn-group">
+                <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.import()">
+                    <i class="fa fa-plus"></i>
+                    Import taxonomies
+                </button>
+            </div>
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/taxonomy/view.html b/frontend/app/views/partials/admin/taxonomy/view.html
new file mode 100644
index 0000000000..bcfbdf1b61
--- /dev/null
+++ b/frontend/app/views/partials/admin/taxonomy/view.html
@@ -0,0 +1,65 @@
+<form class="form">
+
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">{{::$modal.taxonomy.namespace}} taxonomy</h3>
+    </div>
+
+    <div class="modal-body">
+        <div class="row">
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>Namespace</label>
+                    <div>{{::$modal.taxonomy.namespace}}</div>
+                </div>
+            </div>
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>Version</label>
+                    <div>{{::$modal.taxonomy.version}}</div>
+                </div>
+            </div>
+        </div>
+
+        <div class="form-group">
+            <label>Description</label>
+            <div>{{::$modal.taxonomy.description}}</div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-12">
+                <table class="table table-striped">
+                    <thead>
+                        <tr>
+                            <th class="pl-0" width="200">Tag</th>
+                            <th>Predicate</th>
+                            <th>Value</th>
+                            <th width="100">Color</th>
+                            <th width="10"></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <tr ng-repeat="tag in $modal.taxonomy.tags">
+                            <td>
+                                <span class="label">
+                                    <tag value="tag"></tag>
+                                </span>
+                            </td>
+                            <td>{{::tag.predicate}}</td>
+                            <td>{{::tag.value || '-'}}</td>
+                            <td>{{::tag.colour}}</td>
+                            <td>
+                                <span ng-if="::tag.description" uib-tooltip="{{::tag.description}}" tooltip-placement="left">
+                                    <i class="fa fa-question-circle"></i>
+                                </span>
+                            </td>
+                        </tr>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$modal.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="button" ng-click="$modal.cancel()">Close</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/alert/event.dialog.html b/frontend/app/views/partials/alert/event.dialog.html
index 465646c9cf..d5e950e1f9 100644
--- a/frontend/app/views/partials/alert/event.dialog.html
+++ b/frontend/app/views/partials/alert/event.dialog.html
@@ -24,7 +24,7 @@ <h4 class="text-primary">
                     </span>
                     <span class="ml-xxs">
                         <strong><i class="fa fa-calendar"></i> Date: </strong>
-                        <span>{{dialog.event.date | showDate}}</span>
+                        <span>{{dialog.event.date | shortDate}}</span>
                     </span>
                     <span class="ml-xxs">
                         <strong><i class="fa fa-certificate"></i> Type: </strong>
@@ -42,7 +42,7 @@ <h4 class="text-primary">
                 <div class="case-tags flexwrap mt-xxs">
                     <strong><i class="fa fa-tags mr-xxxs"></i></strong>
                     <strong class="text-muted mr-xxxs" ng-if="!dialog.event.tags || dialog.event.tags.length === 0">None</strong>
-                    <span ng-repeat="tag in dialog.event.tags track by $index" class="label label-primary mb-xxxs mr-xxxs">{{tag}}</span>
+                    <tag-item ng-repeat="tag in dialog.event.tags track by $index" value="tag"></tag-item>
                 </div>
 
                 <div class="mt-xs" ng-if="dialog.event.description">
diff --git a/frontend/app/views/partials/alert/event.similarity.html b/frontend/app/views/partials/alert/event.similarity.html
index e12fc07084..eb3fb3163a 100644
--- a/frontend/app/views/partials/alert/event.similarity.html
+++ b/frontend/app/views/partials/alert/event.similarity.html
@@ -35,7 +35,7 @@
             </div>
             <div class="text-success" ng-show="item.status !== 'Open'">
                 <small>
-                    (Closed at {{item.endDate | showDate}} as <strong>{{dialog.CaseResolutionStatus[item.resolutionStatus]}}</strong>)
+                    (Closed at {{item.endDate | shortDate}} as <strong>{{dialog.CaseResolutionStatus[item.resolutionStatus]}}</strong>)
                 </small>
             </div>
             <div class="text-danger" ng-if="item.mergeFrom">
@@ -53,7 +53,7 @@
         </div>
 
         <div class="case-date">
-            <span uib-tooltip="{{item.startDate | showDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.startDate | shortDate}}</span>
+            <span uib-tooltip="{{item.startDate | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.startDate | shortDate}}</span>
         </div>
 
         <div class="case-similarity">
diff --git a/frontend/app/views/partials/alert/list.html b/frontend/app/views/partials/alert/list.html
index 7ccef1b92e..7282826230 100644
--- a/frontend/app/views/partials/alert/list.html
+++ b/frontend/app/views/partials/alert/list.html
@@ -79,13 +79,27 @@ <h3 class="box-title">List of alerts ({{$vm.list.total || 0}} of {{$vm.alertList
                                     <th width="80px">
                                       Observables
                                     </th>
-                                    <th style="width: 120px">
-                                      <a href class="text-default" ng-click="$vm.sortByField('date')">
-                                        Date
-                                        <i ng-show="$vm.filtering.context.sort.indexOf('+date') === -1 && $vm.filtering.context.sort.indexOf('-date') === -1" class="fa fa-sort"></i>
-                                        <i ng-show="$vm.filtering.context.sort.indexOf('+date') !== -1" class="fa fa-caret-up"></i>
-                                        <i ng-show="$vm.filtering.context.sort.indexOf('-date') !== -1" class="fa fa-caret-down"></i>
-                                      </a>
+                                    <th style="width: 150px">
+                                        Dates
+
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('date')" uib-tooltip="Sort by occur date">
+                                            O.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+date') === -1 && $vm.filtering.context.sort.indexOf('-date') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+date') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-date') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                                            C.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') === -1 && $vm.filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                                            U.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
                                     </th>
                                     <th style="width: 160px"></th>
                                 </tr>
@@ -134,8 +148,17 @@ <h3 class="box-title">List of alerts ({{$vm.list.total || 0}} of {{$vm.alertList
                                         </div>
                                     </td>
                                     <td class="text-center">{{::event.observableCount || 0}}</td>
-                                    <td>
-                                        <a href ng-click="$vm.addFilterValue('date', event.date)">{{event.date | shortDate}}</a>
+                                    <td rowspan="3">
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+date') !== -1 || $vm.filtering.context.sort.indexOf('-date') !== -1}">
+                                            O. <a href ng-click="$vm.addFilterValue('date', event.date)">{{event.date | shortDate}}</a>
+                                        </div>
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                                            C. <a href ng-click="$vm.addFilterValue('_createdAt', event._createdAt)">{{event._createdAt | shortDate}}</a>
+                                        </div>
+                                        <div ng-if="event._updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                                            U. <a href ng-click="$vm.addFilterValue('_updatedAt', event._updatedAt)">{{event._updatedAt | shortDate}}</a>
+                                        </div>
+
                                         <div ng-if="!!event.caseId">
                                             <alert-duration start="event._createdAt" end="event.extraData.importDate" icon="fa-clock-o"></alert-duration>
                                         </div>
@@ -169,18 +192,19 @@ <h3 class="box-title">List of alerts ({{$vm.list.total || 0}} of {{$vm.alertList
                                 </tr>
                                 <tr>
                                     <td></td>
-                                    <td colspan="9">
+                                    <td colspan="8">
                                         <div class="case-tags flexwrap">
                                             <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                                             <strong class="text-muted mr-xxxs" ng-if="!event.tags || event.tags.length === 0">None</strong>
-                                            <span ng-repeat="tag in event.tags track by $index" class="label label-primary mb-xxxs mr-xxxs pointer" ng-click="$vm.addFilterValue('tags', tag)">{{tag}}</span>
+                                            <tag-item ng-repeat="tag in event.tags track by $index" class="pointer"
+                                                ng-click="$vm.addFilterValue('tags', tag)" value="tag"></tag-item>
                                         </div>
                                     </td>
                                     <td></td>
                                 </tr>
                                 <tr ng-if="$vm.filtering.context.showAdvanced">
                                     <td></td>
-                                    <td colspan="9">
+                                    <td colspan="8">
                                         <custom-field-labels custom-fields="event.customFields" on-field-click="$vm.addFilterValue(name, value)"><custom-field-labels>
                                     </td>
                                     <td></td>
diff --git a/frontend/app/views/partials/case/case.bulk.delete.confirm.html b/frontend/app/views/partials/case/case.bulk.delete.confirm.html
new file mode 100644
index 0000000000..9d13453413
--- /dev/null
+++ b/frontend/app/views/partials/case/case.bulk.delete.confirm.html
@@ -0,0 +1,32 @@
+<form name="removeForm" ng-submit="$dialog.confirm()">
+    <div class="modal-header bg-danger">
+        <h3 class="modal-title">Permanently remove selected cases</h3>
+    </div>
+    <div class="modal-body">
+        <p>Are you sure you want to permanently delete the following <b>{{$dialog.selection.length}}</b> case(s)?</p>
+
+        <div class="mt-xs">
+            <table class="table table-striped">
+                <tr ng-repeat="item in $dialog.selection">
+                    <td>#{{item.number}} - {{item.title}}</td>
+                </tr>
+            </table>
+        </div>
+
+        <div class="mt-xs">
+            <p><b>To confirm, please type the number of cases to delete.</b></p>
+
+            <input class="form-control input-lg" name="count" type="number" placeholder="{{$dialog.count}}"
+                ng-required ng-model="$dialog.typedCount">
+
+            <p><b class="text-danger">This action might take a while and cannot be undone.</b></p>
+        </div>
+    </div>
+    <div class="modal-footer text-left">
+        <button class="btn btn-default" ng-click="$dialog.cancel()" ng-disabled="$dialog.loading" type="button">Cancel</button>
+        <button class="btn btn-danger pull-right" type="submit"
+            ng-disabled="$dialog.loading || removeForm.$invalid || ($dialog.count != $dialog.typedCount)">
+            Yes, confirm.
+        </button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/case/case.close.html b/frontend/app/views/partials/case/case.close.html
index 1abb66a9c8..7c7cfb4706 100644
--- a/frontend/app/views/partials/case/case.close.html
+++ b/frontend/app/views/partials/case/case.close.html
@@ -24,7 +24,7 @@ <h3 class="modal-title">Close Case #{{caze.number}}</h3>
                             <i class="text-success glyphicon glyphicon-ok"></i>
                         </td>
                         <td>{{task.title}}</td>
-                        <td><user-info value="task.owner" field="name"></user-info><br>{{task.startDate | showDate}}</td>
+                        <td><user-info value="task.owner" field="name"></user-info><br>{{task.startDate | shortDate}}</td>
                     </tr>
 
                     <tr ng-if="task.status == 'InProgress'" ng-class="{true:'warning'}[task.flag]">
@@ -32,7 +32,7 @@ <h3 class="modal-title">Close Case #{{caze.number}}</h3>
                             <i class=" glyphicon" ng-class="{true:'text-yellow glyphicon-flag', false:'text-primary glyphicon-play'}[task.flag]"></i>
                         </td>
                         <td>{{task.title}}</td>
-                        <td><user-info value="task.owner" field="name"></user-info><br>{{task.startDate | showDate}}</td>
+                        <td><user-info value="task.owner" field="name"></user-info><br>{{task.startDate | shortDate}}</td>
                     </tr>
 
                     <tr ng-if="task.status == 'Waiting'">
diff --git a/frontend/app/views/partials/case/case.creation.html b/frontend/app/views/partials/case/case.creation.html
index 6e5e150af1..4ade8cce88 100644
--- a/frontend/app/views/partials/case/case.creation.html
+++ b/frontend/app/views/partials/case/case.creation.html
@@ -1,4 +1,4 @@
-<form class="form-horizontal" name="caseCreateForm" ng-submit="createNewCase(caseCreateForm.$valid);" novalidate>
+<form name="caseCreateForm" ng-submit="createNewCase(caseCreateForm.$valid);" novalidate>
     <div class="modal-header bg-primary">
         <h3 class="modal-title">Create a new case</h3>
     </div>
@@ -7,11 +7,10 @@ <h4 class="vpad10 text-primary">Case details</h4>
         <div class="row">
             <div class="col-md-6">
                 <div class="form-group" ng-class="{ 'has-error' : caseCreateForm.title.$invalid && !caseCreateForm.title.$pristine }">
-                    <label class="col-md-3 control-label">Title
+                    <label class="control-label">Title
                         <i class="fa fa-asterisk text-danger"></i>
                     </label>
-                    <div class="col-md-9">
-
+                    <div>
                         <input class="form-control input-sm" name="title" ng-if="!fromTemplate" ng-model="newCase.title" placeholder="Title" required type="text"/>
 
                         <div class="input-group" ng-if="fromTemplate">
@@ -25,10 +24,10 @@ <h4 class="vpad10 text-primary">Case details</h4>
             </div>
             <div class="col-md-6">
                 <div class="form-group" ng-class="{ 'has-error' : caseCreateForm.startDate.$invalid && !caseCreateForm.startDate.$pristine }">
-                    <label class="col-md-3 control-label">Date
+                    <label class="control-label">Date
                         <i class="fa fa-asterisk text-danger"></i>
                     </label>
-                    <div class="col-md-9">
+                    <div>
                         <date-time-picker date="newCase.startDate" name="startDate"></date-time-picker>
                         <p class="help-block" ng-show="caseCreateForm.startDate.$invalid && !caseCreateForm.startDate.$pristine">The case start date is required.</p>
                     </div>
@@ -36,62 +35,75 @@ <h4 class="vpad10 text-primary">Case details</h4>
             </div>
         </div>
         <div class="row">
-            <div class="col-md-6">
+            <div class="col-md-4">
                 <div class="form-group">
-                    <label class="col-md-3 control-label">Severity
+                    <label class="control-label">Severity
                         <i class="fa fa-asterisk text-danger"></i>
                     </label>
-                    <div class="col-md-9">
+                    <div>
                         <severity active="active" value="newCase.severity"></severity>
                     </div>
                 </div>
             </div>
-            <div class="col-md-6">
+            <div class="col-md-4">
                 <div class="form-group">
-                    <label class="col-md-3 control-label">TLP
+                    <label class="control-label">TLP
                         <i class="fa fa-asterisk text-danger"></i>
                     </label>
-                    <div class="col-md-9">
+                    <div>
                         <a href ng-click="activeTlp='active'">
                             <tlp format="activeTlp" on-update="updateTlp(newValue)" value="newCase.tlp"></tlp>
                         </a>
                     </div>
                 </div>
             </div>
+            <div class="col-md-4">
+                <div class="form-group">
+                    <label class="control-label">PAP
+                        <i class="fa fa-asterisk text-danger"></i>
+                    </label>
+                    <div>
+                        <a href ng-click="activePap='active'">
+                            <tlp format="activePap" on-update="updatePap(newValue)" value="newCase.pap" namespace="PAP"></tlp>
+                        </a>
+                    </div>
+                </div>
+            </div>
         </div>
         <div class="row">
-            <div class="col-md-6">
+            <div class="col-md-12">
                 <div class="form-group">
-                    <label class="col-md-3 control-label">Tags</label>
-                    <div class="col-md-9">
-                        <!-- <tags-input class="ti-input-sm" replace-spaces-with-dashes="false"></tags-input> -->
-                        <tags-input class="ti-input-sm input-sm form-control form-control-wrapper"
+                    <label class="control-label">Tags</label>
+
+                    <div class="input-group">
+                        <tags-input class="ti-input-sm input-sm form-control form-control-wrapper ti-tag-selector"
                             name="tags"
-                            placeholder="Tags"
+                            placeholder="Case tags"
                             min-length="2"
                             ng-model="tags"
+                            template="views/directives/tag-input-item.html"
                             replace-spaces-with-dashes="false">
                                 <auto-complete min-length="3" debounce-delay="400" source="getTags($query)"></auto-complete>
-                            </tags-input>
-                    </div>
-                </div>
-                <div class="form-group">
-                    <label class="col-md-3 control-label">PAP
-                        <i class="fa fa-asterisk text-danger"></i>
-                    </label>
-                    <div class="col-md-9">
-                        <a href ng-click="activePap='active'">
-                            <tlp format="activePap" on-update="updatePap(newValue)" value="newCase.pap" namespace="PAP"></tlp>
-                        </a>
+                        </tags-input>
+
+                        <span class="input-group-btn vtop">
+                            <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="fromTagLibrary()" uib-tooltip="Add tag from library" tooltip-placement="left">
+                                <span class="fa fa-plus"></span>
+                            </button>
+                        </span>
                     </div>
                 </div>
             </div>
-            <div class="col-md-6">
+
+        </div>
+
+        <div class="row">
+            <div class="col-sm-12">
                 <div class="form-group" ng-class="{ 'has-error' : caseCreateForm.description.$invalid && !caseCreateForm.description.$pristine }">
-                    <label class="col-sm-3 control-label">Description
+                    <label class="control-label">Description
                         <i class="fa fa-asterisk text-danger"></i>
                     </label>
-                    <div class="col-sm-9">
+                    <div>
                         <textarea class="form-control" name="description" ng-model="newCase.description" placeholder="Case description" required rows="3"></textarea>
                         <p class="help-block" ng-show="caseCreateForm.description.$invalid && !caseCreateForm.description.$pristine">The case description is required.</p>
                     </div>
diff --git a/frontend/app/views/partials/case/case.details.html b/frontend/app/views/partials/case/case.details.html
index bb252c4fd4..cc5edb5c74 100644
--- a/frontend/app/views/partials/case/case.details.html
+++ b/frontend/app/views/partials/case/case.details.html
@@ -64,14 +64,14 @@ <h4 class="vpad10 text-primary">Basic Information</h4>
                 <updatable-date on-update="updateField('startDate', newValue)" value="caze.startDate"></updatable-date>
             </dd>
             <dd ng-if="!canEdit">
-                {{caze.startDate | showDate}}
+                {{caze.startDate | shortDate}}
             </dd>
         </dl>
 
         <dl class="dl-horizontal">
             <dt class="pull-left">Tags</dt>
             <dd ng-if="canEdit">
-                <updatable-tags on-update="updateField('tags', getTags(newValue))" value="caze.tags" source="getCaseTags"></updatable-tags>
+                <updatable-tag-list on-update="updateField('tags', getTags(newValue))" value="caze.tags" source="getCaseTags"></updatable-tag-list>
             </dd>
             <dd ng-if="!canEdit">
                 <tag-list data="caze.tags"></tag-list>
@@ -84,7 +84,7 @@ <h4 class="vpad10 text-primary">Basic Information</h4>
                 <updatable-date on-update="updateField('endDate', newValue)" value="caze.endDate"></updatable-date>
             </dd>
             <dd class="text-success" ng-if="!canEdit">
-                {{caze.endDate | showDate}}
+                {{caze.endDate | shortDate}}
             </dd>
         </dl>
     </div>
diff --git a/frontend/app/views/partials/case/case.links.html b/frontend/app/views/partials/case/case.links.html
index ba0d6532fc..5d9f9c89ea 100644
--- a/frontend/app/views/partials/case/case.links.html
+++ b/frontend/app/views/partials/case/case.links.html
@@ -61,11 +61,11 @@
                 <div class="case-tags flexwrap mt-xxs">
                     <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                     <strong class="text-muted mr-xxxs" ng-if="!item.tags || item.tags.length === 0">None</strong>
-                    <span ng-repeat="tag in item.tags track by $index" class="label label-primary mb-xxxs mr-xxxs pointer">{{tag}}</span>
+                    <tag-item ng-repeat="tag in item.tags track by $index" value="tag"></tag-item>
                 </div>
                 <div class="text-success" ng-show="item.status !== 'Open'">
                     <small>
-                        (Closed at {{item.endDate | showDate}} as <strong>{{CaseResolutionStatus[item.resolutionStatus]}}</strong>)
+                        (Closed at {{item.endDate | shortDate}} as <strong>{{CaseResolutionStatus[item.resolutionStatus]}}</strong>)
                     </small>
                 </div>
                 <div class="text-danger" ng-if="item.mergeFrom">
@@ -82,9 +82,10 @@
                 </div>
             </div>
 
-            <div class="case-date">
-                <span uib-tooltip="{{item.startDate | showDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.startDate | shortDate}}</span><br/>
-                <case-duration start="item.startDate" end="item.endDate" icon="fa-clock-o"></case-duration>
+            <div class="case-date" ng-switch="item.status">
+                <span uib-tooltip="{{item.startDate | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{item.startDate | shortDate}}</span><br/>
+                <case-duration ng-switch-when="Resolved" start="item.startDate" end="item.endDate" icon="fa-clock-o"></case-duration>
+                <case-duration ng-switch-when="Open" start="item.startDate" icon="fa-clock-o"></case-duration>
             </div>
 
             <div class="case-observables-count">
diff --git a/frontend/app/views/partials/case/case.list.html b/frontend/app/views/partials/case/case.list.html
index e2f43aac03..04dc3a3e6e 100644
--- a/frontend/app/views/partials/case/case.list.html
+++ b/frontend/app/views/partials/case/case.list.html
@@ -42,14 +42,69 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseCount}
                                     <th width="20px">
                                         <input if-permission="manageCase" type="checkbox" ng-model="$vm.menu.selectAll" ng-change="$vm.selectAll()">
                                     </th>
-                                    <th>Title</th>
+                                    <th width="100px">
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('status')" uib-tooltip="Sort by status">
+                                            Status
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+status') === -1 && $vm.filtering.context.sort.indexOf('-status') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+status') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-status') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('number')" uib-tooltip="Sort by number">
+                                            # Number
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+number') === -1 && $vm.filtering.context.sort.indexOf('-number') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+number') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-number') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('title')" uib-tooltip="Sort by title">
+                                            Title
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+title') === -1 && $vm.filtering.context.sort.indexOf('-title') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+title') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-title') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
                                     <th style="width: 70px;"></th>
-                                    <th style="width: 80px;text-align:center;">Severity</th>
-                                    <th style="width: 100px;">Tasks</th>
-                                    <th style="width: 100px;">Observables</th>
-                                    <th style="width: 60px;">Assignee</th>
-                                    <th style="width: 120px;">Date</th>
-                                    <th style="width: 40px;" ng-if="appConfig.connectors.cortex.enabled">Actions</th>
+                                    <th style="width: 90px;text-align:center;">
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('severity')" uib-tooltip="Sort by severity">
+                                            Severity
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+severity') === -1 && $vm.filtering.context.sort.indexOf('-severity') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+severity') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-severity') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 150px;">Details</th>
+                                    <th style="width: 90px;">
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('assignee')" uib-tooltip="Sort by assignee">
+                                            Assignee
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+assignee') === -1 && $vm.filtering.context.sort.indexOf('-assignee') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+assignee') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-assignee') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 150px">
+                                        Dates
+
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('startDate')" uib-tooltip="Sort by start date">
+                                            S.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+startDate') === -1 && $vm.filtering.context.sort.indexOf('-startDate') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+startDate') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-startDate') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                                            C.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') === -1 && $vm.filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                                            U.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 20px;" ng-if="appConfig.connectors.cortex.enabled"></th>
                                 </tr>
                             </thead>
 
@@ -60,6 +115,18 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseCount}
                                         <input if-permission="manageCase" allowed="{{currentCase.extraData.permissions.join(',')}}"
                                             type="checkbox" ng-model="currentCase.selected" ng-change="$vm.select(currentCase)">
                                     </td>
+                                    <td class="case-status">
+                                        <div class="mb-xxxs">
+                                            <span class="label label-default clickable" ng-class="{
+                                                'Resolved': 'label-success',
+                                                'Open': 'label-danger'
+                                            }[currentCase.status]" ng-click="$vm.addFilterValue('status', currentCase.status)">{{currentCase.status === 'Resolved' ? 'Closed' : currentCase.status}}</span>
+                                        </div>
+                                        <div ng-switch="currentCase.status">
+                                            <case-duration ng-switch-when="Resolved" start="currentCase.startDate" end="currentCase.endDate" icon="fa-clock-o"></case-duration>
+                                            <case-duration ng-switch-when="Open" start="currentCase.startDate" icon="fa-clock-o"></case-duration>
+                                        </div>
+                                    </td>
                                     <td>
                                         <div class="case-title wrap">
                                             <span class="mr-xxs text-primary" ng-if="!!!currentCase.extraData.isOwner"><i class="fa fa-share-square"
@@ -71,16 +138,15 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseCount}
                                         <div class="case-tags flexwrap mt-xxs">
                                             <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                                             <strong class="text-muted mr-xxxs" ng-if="!currentCase.tags || currentCase.tags.length === 0">None</strong>
-                                            <span ng-repeat="tag in currentCase.tags track by $index" class="label label-primary mb-xxxs mr-xxxs pointer" ng-click="$vm.addFilterValue('tags', tag)">{{tag}}
-
-                                            </span>
+                                            <tag-item ng-repeat="tag in currentCase.tags track by $index" class="pointer"
+                                                ng-click="$vm.addFilterValue('tags', tag)" value="tag"></tag-item>
                                         </div>
 
-                                        <custom-field-labels ng-if="$vm.filtering.context.showAdvanced" custom-fields="currentCase.customFields" on-field-click="$vm.addFilterValue(name, value)"><custom-field-labels>
+                                        <custom-field-labels ng-if="$vm.filtering.context.showAdvanced" custom-fields="currentCase.customFields" on-field-click="$vm.addFilterValue(name, value)"></custom-field-labels>
 
                                         <div class="text-success" ng-show="currentCase.status !== 'Open'">
                                             <small>
-                                                (Closed at {{currentCase.endDate | showDate}} as <strong>{{$vm.CaseResolutionStatus[currentCase.resolutionStatus]}}</strong>)
+                                                (Closed at {{currentCase.endDate | shortDate}} as <strong><a href ng-click="$vm.filterByResolutionStatus(currentCase.resolutionStatus)">{{$vm.CaseResolutionStatus[currentCase.resolutionStatus]}}</a></strong>)
                                             </small>
                                         </div>
                                         <div class="text-danger" ng-if="currentCase.mergeFrom">
@@ -111,7 +177,7 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseCount}
                                         </div>
                                     </td>
                                     <td>
-                                        <div ng-class="{'text-danger': !!currentCase.extraData.actionRequired}">
+                                        <div ng-class="{'text-danger': !!currentCase.extraData.actionRequired}" class="clearfix">
                                             <a href ng-click="$vm.addFilterValue('actionRequired', true)">
                                                 <span ng-if="!!currentCase.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
                                                     <i class="fa fa-exclamation-triangle"></i>
@@ -119,25 +185,40 @@ <h3 class="box-title">List of cases ({{$vm.list.total || 0}} of {{$vm.caseCount}
                                             </a>
 
                                             <a ui-sref="app.case.tasks({caseId: currentCase._id})" ng-class="{'text-danger': !!currentCase.extraData.actionRequired}">
-                                                <ng-pluralize count="currentCase.extraData.taskStats.total" when="{'0': 'No Tasks', '1': '1 Task', 'other': '{} Tasks'}"></ng-pluralize>
+                                                <span>Tasks</span>
+                                                <strong class="pull-right">{{currentCase.extraData.taskStats.total || 0}}</strong>
                                             </a>
                                         </div>
-                                        <task-progress ng-show="currentCase.extraData.taskStats.total > 0" tasks="currentCase.extraData.taskStats"/>
-                                    </td>
-                                    <td>
-                                        <a ui-sref="app.case.observables({caseId: currentCase._id})">{{currentCase.extraData.observableStats.total}}</a>
+                                        <task-progress class="mt-0" ng-show="currentCase.extraData.taskStats.total > 0" tasks="currentCase.extraData.taskStats"></task-progress>
+
+                                        <div class="clearfix mt-xxs">
+
+                                            <a ui-sref="app.case.observables({caseId: currentCase._id})">
+                                                <span>Observables</span>
+                                                <strong class="pull-right">{{currentCase.extraData.observableStats.total || 0}}</strong>
+                                            </a>
+                                        </div>
+
+                                        <div class="clearfix mt-xxs">
+                                            <a ui-sref="app.case.procedures({caseId: currentCase._id})">
+                                                <span>TTPs</span>
+                                                <strong class="pull-right">{{currentCase.extraData.procedureCount || 0}}</strong>
+                                            </a>
+                                        </div>
+
                                     </td>
                                     <td class="nowrap">
                                         <user user-id="currentCase.assignee" icon-only="true" icon-size="m"></user>
                                     </td>
                                     <td>
-                                        <div>
-                                            <a href ng-click="$vm.addFilterValue('startDate', currentCase.startDate)">
-                                                <span uib-tooltip="{{currentCase.startDate | showDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{currentCase.startDate | shortDate}}</span>
-                                            </a>
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+startDate') !== -1 || $vm.filtering.context.sort.indexOf('-startDate') !== -1}">
+                                            S. <a href ng-click="$vm.addFilterValue('startDate', currentCase.startDate)">{{currentCase.startDate | shortDate}}</a>
+                                        </div>
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                                            C. <a href ng-click="$vm.addFilterValue('_createdAt', currentCase._createdAt)">{{currentCase._createdAt | shortDate}}</a>
                                         </div>
-                                        <div>
-                                            <case-duration start="currentCase.startDate" end="currentCase.endDate" icon="fa-clock-o"></case-duration>
+                                        <div ng-if="currentCase._updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+_updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                                            U. <a href ng-click="$vm.addFilterValue('_updatedAt', currentCase._updatedAt)">{{currentCase._updatedAt | shortDate}}</a>
                                         </div>
                                     </td>
                                     <td class="text-center">
diff --git a/frontend/app/views/partials/case/case.merge.html b/frontend/app/views/partials/case/case.merge.html
index 14b625697b..df94ac7cc1 100644
--- a/frontend/app/views/partials/case/case.merge.html
+++ b/frontend/app/views/partials/case/case.merge.html
@@ -33,13 +33,13 @@ <h4>{{c.title}}</h4>
         <div>
             <span>
                 <i class="glyphicon glyphicon-user"></i>
-                <user-info value="c.owner" field="name"></user-info>
+                <user-info value="c.assignee" field="name"></user-info>
             </span>
             <span class="ml-xxs">
                 <i class="glyphicon glyphicon-calendar"></i>
-                <span>{{c.startDate | showDate}}</span>&nbsp;&nbsp;
+                <span>{{c.startDate | shortDate}}</span>&nbsp;&nbsp;
             <span ng-show="isCaseClosed()" class="text-success">(Closed at
-                    {{c.endDate | showDate}}
+                    {{c.endDate | shortDate}}
                     as
                     <strong>{{CaseResolutionStatus[c.resolutionStatus]}}</strong>)</span>
             </span>
diff --git a/frontend/app/views/partials/case/case.panelinfo.html b/frontend/app/views/partials/case/case.panelinfo.html
index ae09874c02..659635fa3d 100644
--- a/frontend/app/views/partials/case/case.panelinfo.html
+++ b/frontend/app/views/partials/case/case.panelinfo.html
@@ -40,7 +40,10 @@ <h3 class="box-title text-primary">
             <span ng-show="isCaseTruePositive()"> with <strong>{{caze.impactStatus === 'NoImpact' ? 'No Impact' : 'Impact'}}</strong></span>
         </span>
 
-        <case-duration class="ml-xxs" start="caze.startDate" end="caze.endDate" icon="fa-clock-o"></case-duration>
+        <span class="ml-xxs" ng-switch="caze.status">
+            <case-duration ng-switch-when="Resolved" start="caze.startDate" end="caze.endDate" icon="fa-clock-o"></case-duration>
+            <case-duration ng-switch-when="Open" start="caze.startDate" icon="fa-clock-o"></case-duration>
+        </span>
 
         <span class="ml-xxs text-danger" ng-show="links.length > 0" uib-tooltip="Related to">
             <i class="glyphicon glyphicon-link"></i>
@@ -106,12 +109,12 @@ <h3 class="box-title text-primary">
                 </a>
             </span>
 
-            <!-- <span class="ml-xxs pull-right">
+            <span class="ml-xxs pull-right">
                 <a href ng-click="mergeCase()" class="text-primary noline" uib-tooltip="Merge case">
                     <i class="text-primary fa fa-compress"></i>
                     Merge
                 </a>
-            </span> -->
+            </span>
 
             <span class="ml-xxs pull-right" ng-if="!caze.flag || caze.flag == undefined">
                 <a href ng-click="switchFlag()" class="text-muted noline" uib-tooltip="Flag case">
diff --git a/frontend/app/views/partials/case/case.procedures.html b/frontend/app/views/partials/case/case.procedures.html
new file mode 100644
index 0000000000..27a86a1415
--- /dev/null
+++ b/frontend/app/views/partials/case/case.procedures.html
@@ -0,0 +1,141 @@
+<div ng-include="'views/partials/case/procedures/toolbar.html'"></div>
+
+<div class="mt-xs filter-panel" ng-include="'views/partials/case/procedures/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+<!-- Filters preview  -->
+<div class="row mt-xs">
+    <div class="col-md-12 clearfix">
+        <div class="pull-left">
+            <h4>
+                Tactics, Techniques and Procedures ({{$vm.list.values.length || 0}} of {{$vm.list.total}})
+            </h4>
+        </div>
+
+        <filters-preview filters="$vm.filtering.context.filters" on-clear-item="$vm.removeFilter(field)" on-clear-all="$vm.clearFilters()"></filters-preview>
+    </div>
+</div>
+
+<!-- Datalist  -->
+<div class="row mt-xs">
+    <div class="col-md-12 mv-s" ng-show="$vm.list.total === 0">
+        <div class="empty-message">No records</div>
+    </div>
+
+    <div class="col-md-12" ng-show="$vm.list.total > 0">
+        <psearch control="$vm.list"></psearch>
+
+        <div class="ttp-item-header">
+            <div class="ttp-tactic">
+                <a href class="text-default" ng-click="$vm.sortByField('tactic')">
+                    Tactic
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+tactic') === -1 && $vm.filtering.context.sort.indexOf('-tactic') === -1" class="fa fa-sort"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+tactic') !== -1" class="fa fa-caret-up"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('-tactic') !== -1" class="fa fa-caret-down"></i>
+                </a>
+            </div>
+            <div class="ttp-name">
+                <a href class="text-default" ng-click="$vm.sortByField('patternId')">
+                    Technique
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+patternId') === -1 && $vm.filtering.context.sort.indexOf('-patternId') === -1" class="fa fa-sort"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+patternId') !== -1" class="fa fa-caret-up"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('-patternId') !== -1" class="fa fa-caret-down"></i>
+                </a>
+            </div>
+            <!-- <div class="ttp-user">Created By</div> -->
+            <div class="ttp-date">
+                <a href class="text-default" ng-click="$vm.sortByField('occurDate')">
+                    Occur Date
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+occurDate') === -1 && $vm.filtering.context.sort.indexOf('-occurDate') === -1" class="fa fa-sort"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('+occurDate') !== -1" class="fa fa-caret-up"></i>
+                    <i ng-show="$vm.filtering.context.sort.indexOf('-occurDate') !== -1" class="fa fa-caret-down"></i>
+                </a>
+            </div>
+            <div class="ttp-action text-right">Actions</div>
+        </div>
+
+        <div class="ttp-item" ng-repeat="proc in $vm.list.values">
+            <div class="ttp-header">
+                <div class="ttp-tactic clickable" ng-click="$vm.expanded[proc._id] = !$vm.expanded[proc._id]" style="border-color: {{$vm.tactics[proc.tactic].color}}">
+                    <div>
+                        <a class="mr-xxs">
+                            <i class="fa" ng-class="{true: 'fa-chevron-up', false: 'fa-chevron-down'}[!!$vm.expanded[proc._id]]"></i>
+                        </a>
+
+                        {{$vm.tactics[proc.tactic].label}}
+
+                        <a href class="pull-right" ng-click="$vm.addFilterValue('tactic', proc.tactic)"><i class="fa fa-filter"></i></a>
+                    </div>
+                </div>
+                <div class="ttp-name" ng-if="proc.extraData.patternParent">
+                    <div>
+                        <a href ng-click="$vm.showPattern(proc.patternId)">{{proc.patternId}}</a> - {{proc.extraData.patternParent.name}}:{{proc.extraData.pattern.name}}
+
+                        <a href class="pull-right" ng-click="$vm.addFilterValue('patternId', proc.patternId)"><i class="fa fa-filter"></i></a>
+                    </div>
+                </div>
+                <div class="ttp-name" ng-if="!proc.extraData.patternParent">
+                    <div>
+                        <a href ng-click="$vm.showPattern(proc.patternId)">{{proc.patternId}}</a> - {{proc.extraData.pattern.name}}
+
+                        <a href class="pull-right" ng-click="$vm.addFilterValue('patternId', proc.patternId)"><i class="fa fa-filter"></i></a>
+                    </div>
+                </div>
+
+                <!-- <div class="ttp-user">
+                    <user user-id="proc._createdBy" icon-only="false" icon-size="m"></user>
+                </div> -->
+                <div class="ttp-date">
+                    <a href ng-click="$vm.addFilterValue('occurDate', proc.occurDate)">
+                        <span uib-tooltip="{{proc.occurDate | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{proc.occurDate | shortDate}}</span>
+                    </a>
+                </div>
+                <div class="ttp-action">
+                    <a class="btn btn-icon btn-clear text-danger" href ng-click="$vm.remove(proc)" uib-tooltip="Delete TTP" if-permission="manageCase" allowed="{{userPermissions}}">
+                        <i class="fa fa-trash"></i>
+                    </a>
+                </div>
+            </div>
+            <div class="ttp-body" ng-show="$vm.expanded[proc._id]">
+                <div class="row mb-xs">
+                    <div class="col-sm-3">
+                        <label>Created By</label>
+                        <div>
+                            <user-info value="proc._createdBy" field="organisation"></user-info>/<user-info value="proc._createdBy" field="name"></user-info>
+                        </div>
+                    </div>
+                    <div class="col-sm-3">
+                        <label>Created At</label>
+                        <div>
+                            <span uib-tooltip="{{proc._createdAt | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{proc._createdAt | shortDate}}</span>
+                        </div>
+                    </div>
+                    <div class="col-sm-3">
+                        <label>Updated At</label>
+                        <div>
+                            <span uib-tooltip="{{proc._updatedAt | shortDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{(proc._updatedAt | shortDate) || '-'}}</span>
+                        </div>
+                    </div>
+                    <div class="col-sm-3">
+                        <label>Occured At</label>
+                        <div>
+                            <updatable-date on-update="$vm.updateField(proc, 'occurDate', true)" value="proc.occurDate" clearable="false"></updatable-date>
+                        </div>
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-sm-12">
+                        <label>Procedure</label>
+                        <div class="description-pane" if-permission="manageCase" allowed="{{userPermissions}}">
+                            <updatable-text on-update="$vm.updateField(proc, 'description')" value="proc.description"></updatable-text>
+                        </div>
+                        <div class="description-pane" if-not-permission="manageCase" allowed="{{userPermissions}}">
+                            <div marked="proc.description" class="markdown"></div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <psearch control="$vm.list"></psearch>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/case/case.tasks.html b/frontend/app/views/partials/case/case.tasks.html
index 0811411f68..5eb8fd57e3 100755
--- a/frontend/app/views/partials/case/case.tasks.html
+++ b/frontend/app/views/partials/case/case.tasks.html
@@ -7,7 +7,7 @@
     <div class="col-md-12 clearfix">
         <div class="pull-left">
             <h4>
-                Tasks List ({{tasks.values.length || 0}} of {{tasks.total}})
+                Tasks List ({{list.values.length || 0}} of {{list.total}})
             </h4>
         </div>
 
@@ -17,7 +17,7 @@ <h4>
     </div>
 </div>
 
-<div class="row mv-s" ng-show="tasks.total === 0">
+<div class="row mv-s" ng-show="list.total === 0">
     <div class="col-md-12">
         <div class="empty-message">No task found for this case.</div>
     </div>
@@ -52,38 +52,34 @@ <h4>
     </div>
 </div>
 
-<div class="row" ng-if="!state.showGrouped && tasks.total !== 0">
+<div class="row" ng-if="!state.showGrouped && list.total !== 0">
     <div class="col-md-12">
 
-        <psearch control="tasks"></psearch>
+        <psearch control="list"></psearch>
 
-        <table class="table table-hover valigned tasks-table">
+        <table class="table table-hover valigned tasks-table data-list">
             <thead>
                 <tr>
-                    <th style="width: 20px"></th>
-                    <th style="width: 40px"></th>
-                    <th style="width: 250px">Group</th>
+                    <th width="20px">
+                        <input if-permission="manageTask" allowed="{{userPermissions}}" type="checkbox" ng-model="menu.selectAll" ng-change="selectAll()">
+                    </th>
+                    <th style="width: 70px"></th>
+                    <th style="width: 150px">Group</th>
                     <th>Task</th>
                     <th style="width: 70px;"></th>
                     <th style="width: 150px">Date</th>
                     <th style="width: 150px">Assignee</th>
-                    <th style="width: 250px" class="text-right" if-permission="manageTask" allowed="{{userPermissions}}">Actions</th>
+                    <th style="width: 100px" class="text-right" if-permission="manageTask" allowed="{{userPermissions}}">Actions</th>
                 </tr>
             </thead>
-            <tbody ng-repeat="task in tasks.values">
-                <tr class="task-row" ng-class="{'warning': (task.status=== 'Waiting' || task.status=== 'InProgress') && task.flag == true}">
+            <tbody ng-repeat="task in list.values">
+                <tr class="task-row" ng-class="{'warning': task.flag == true}">
                     <td>
-                        <a href ng-click="collapseOptions[task._id] = !collapseOptions[task._id]" ng-show="task.description" uib-tooltip="Show/Hide description" tooltip-placement="right">
-                          <i class="fa" ng-class="{
-                            true: 'fa-chevron-up',
-                            false: 'fa-chevron-down'
-                          }[!!collapseOptions[task._id]]"></i>
-                        </a>
+                        <input if-permission="manageTask" allowed="{{userPermissions}}"
+                            type="checkbox" ng-model="task.selected" ng-change="select(task)">
                     </td>
                     <td class="task-status" align="center" ng-switch="task.status">
-                        <i ng-switch-when="Completed" class="text-success glyphicon glyphicon-ok"></i>
-                        <i ng-switch-when="InProgress" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag', false:'text-primary glyphicon-play'}[task.flag]"></i>
-                        <i ng-switch-when="Waiting" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag'}[task.flag]"></i>
+                        <task-flags task="task" on-filter="addFilterValue(fieldName, value)" inline="true"></task-flags>
                     </td>
                     <td ng-if="canEdit">
                         <updatable-select options="groups" on-update="updateField('group', newValue, task)" value="task.group"></updatable-select>
@@ -92,12 +88,18 @@ <h4>
                         {{task.group}}
                     </td>
                     <td>
-                      <div>
+                        <div>
                           <!-- FIXME -->
                           <!-- <span class="mr-xxs text-primary clickable" ng-if="!!!task.extraData.isOwner"><i class="fa fa-share-square"
                               uib-tooltip="Shared from another organisation" tooltip-placement="right"></i></span>
                           <span class="mr-xxs text-primary clickable" ng-if="!!task.extraData.isOwner"><i class="fa fa-building-o"
                               uib-tooltip="Created by my organisation" tooltip-placement="right"></i></span> -->
+                            <a href ng-click="collapseOptions[task._id] = !collapseOptions[task._id]" ng-show="task.description" uib-tooltip="Show/Hide description" tooltip-placement="right">
+                                <i class="fa" ng-class="{
+                                    true: 'fa-chevron-up',
+                                    false: 'fa-chevron-down'
+                                }[!!collapseOptions[task._id]]"></i>
+                            </a>
                           <a href ui-sref="app.case.tasks-item({caseId: caseId, itemId:task._id})" ng-class="{'text-danger': !!task.extraData.actionRequired}">
                               <span ng-if="!!task.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
                                   <i class="fa fa-exclamation-triangle"></i>
@@ -142,80 +144,73 @@ <h4>
                     </td>
                     <!--  class="task-delete" -->
                     <td align="right" class="task-actions" if-permission="manageTask" allowed="{{userPermissions}}">
-                        <span class="ml-xs clickable text-danger task-delete" ng-click="removeTask(task)">
-                            <i class="fa fa-times"></i>
-                            Delete
-                        </span>
-                        <span class="ml-xs clickable text-success action-button" ng-show="task.status == 'Completed'" ng-click="openTask(task)">
-                            <i class="fa fa-check-circle"></i>
-                            Reopen
-                        </span>
-                        <span class="ml-xs clickable text-muted action-button" ng-show="task.status == 'InProgress'" ng-click="closeTask(task)">
-                            <i class="fa fa-check-circle-o"></i>
-                            Close
-                        </span>
-                        <span class="ml-xs clickable text-primary action-button" ng-show="task.status == 'Waiting'" ng-click="startTask(task)">
-                            <i class="fa fa-play"></i>
-                            Start
-                        </span>
 
-                        <span class="ml-xs" uib-dropdown ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{userPermissions}}">
-                            <a href class="text-primary noline nowrap" ng-click="getTaskResponders(task, true)">
-                                <i class="text-primary fa fa-cog"></i>
-                            </a>
-                        </span>
+                        <a class="btn btn-icon btn-clear" ng-click="removeTask(task)" uib-tooltip="Delete">
+                            <i class="fa fa-trash text-danger"></i>
+                        </a>
+                        <a class="btn btn-icon btn-clear"  ng-show="task.status == 'Completed'" ng-click="openTask(task)" uib-tooltip="Reopen">
+                            <i class="fa fa-play text-success"></i>
+                        </a>
+                        <a class="btn btn-icon btn-clear" ng-show="task.status == 'InProgress'" ng-click="closeTask(task)" uib-tooltip="Close">
+                            <i class="fa fa-check-circle-o text-muted"></i>
+                        </a>
+                        <a class="btn btn-icon btn-clear" ng-show="task.status == 'Waiting'" ng-click="startTask(task)" uib-tooltip="Start">
+                            <i class="fa fa-play text-primary"></i>
+                        </a>
+                        <a href class="btn btn-icon btn-clear" ng-click="getTaskResponders(task, true)" ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{userPermissions}}">
+                            <i class="text-primary fa fa-cog"></i>
+                        </a>
                     </td>
                 </tr>
 
                 <tr ng-if="task.description && collapseOptions[task._id]">
-                    <td colspan="7" class="wrap">
+                    <td colspan="9" class="wrap">
                         <div marked="task.description" class="mt-xxs filter-panel markdown"></div>
                     </td>
                 </tr>
             </tbody>
         </table>
 
-        <psearch control="tasks"></psearch>
+        <psearch control="list"></psearch>
     </div>
 </div>
 
-<div class="row" ng-if="state.showGrouped && tasks.total !== 0">
+<div class="row" ng-if="state.showGrouped && list.total !== 0">
     <div class="col-md-12">
 
-        <psearch control="tasks"></psearch>
+        <psearch control="list"></psearch>
 
         <div class="panel panel-default" ng-repeat="group in groupedTasks">
             <div class="panel-heading">
-                <strong>{{group.group || 'Not Specified'}}</strong> <small>({{group.tasks.length}} task(s))</small>
+                <strong>{{group.group || 'Not Specified'}}</strong> <small>({{group.list.length}} task(s))</small>
             </div>
             <div class="panel-body p-0">
-                <table class="table table-hover valigned tasks-table">
+                <table class="table table-hover valigned tasks-table data-list">
                     <thead>
                         <tr>
-                            <th style="width: 20px"></th>
-                            <th style="width: 40px"></th>
-                            <th style="width: 250px">Group</th>
+                            <th width="20px">
+                                <input if-permission="manageTask" allowed="{{userPermissions}}" type="checkbox" ng-model="menu.selectAll" ng-change="selectAll()">
+                            </th>
+                            <th style="width: 70px"></th>
+                            <th style="width: 150px">Group</th>
                             <th>Task</th>
                             <th style="width: 70px;"></th>
                             <th style="width: 150px">Date</th>
                             <th style="width: 150px">Assignee</th>
-                            <th style="width: 250px" class="text-right" if-permission="manageTask" allowed="{{userPermissions}}">Actions</th>
+                            <th style="width: 100px" class="text-right" if-permission="manageTask" allowed="{{userPermissions}}">Actions</th>
                         </tr>
                     </thead>
                     <tbody ng-repeat="task in group.tasks">
-                        <tr class="task-row" ng-class="{'warning': (task.status=== 'Waiting' || task.status=== 'InProgress') && task.flag == true}">
+                        <tr class="task-row" ng-class="{'warning': task.flag == true}">
                             <td>
-                                <a href ng-click="collapseOptions[task._id] = !collapseOptions[task._id]" ng-show="task.description" uib-tooltip="Show/Hide description" tooltip-placement="right">
-                                  <i class="fa" ng-class="{
-                                    true: 'fa-chevron-up',
-                                    false: 'fa-chevron-down'
-                                  }[!!collapseOptions[task._id]]"></i>
-                                </a>
+                                <input if-permission="manageTask" allowed="{{userPermissions}}" type="checkbox" ng-model="task.selected" ng-change="select(task)">
                             </td>
+
                             <td class="task-status" align="center" ng-switch="task.status">
-                                <i ng-switch-when="Completed" class="text-success glyphicon glyphicon-ok"></i>
-                                <i ng-switch-when="InProgress" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag', false:'text-primary glyphicon-play'}[task.flag]"></i>
-                                <i ng-switch-when="Waiting" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag'}[task.flag]"></i>
+                                <task-flags task="task" on-filter="addFilterValue(fieldName, value)" inline="true"></task-flags>
+                                <!-- <i ng-switch-when="Completed" class="text-success glyphicon glyphicon-ok" uib-tooltip="Completed"></i>
+                                <i ng-switch-when="InProgress" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag', false:'text-primary glyphicon-play'}[task.flag]" uib-tooltip="In Porgress"></i>
+                                <i ng-switch-when="Waiting" class="glyphicon" ng-class="{true:'text-yellow glyphicon-flag'}[task.flag]"></i> -->
                             </td>
                             <td ng-if="canEdit">
                                 <updatable-select options="groups" on-update="updateField('group', newValue, task)" value="task.group"></updatable-select>
@@ -225,6 +220,12 @@ <h4>
                             </td>
                             <td>
                               <div>
+                                <a href ng-click="collapseOptions[task._id] = !collapseOptions[task._id]" ng-show="task.description" uib-tooltip="Show/Hide description" tooltip-placement="right">
+                                    <i class="fa" ng-class="{
+                                      true: 'fa-chevron-up',
+                                      false: 'fa-chevron-down'
+                                    }[!!collapseOptions[task._id]]"></i>
+                                  </a>
                                   <a href ng-class="{'text-danger': !!task.extraData.actionRequired}" ng-click="addFilterValue('actionRequired', true)">
                                       <span ng-if="!!task.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
                                           <i class="fa fa-exclamation-triangle"></i>
@@ -270,28 +271,22 @@ <h4>
                             </td>
                             <!--  class="task-delete" -->
                             <td align="right" class="task-actions" if-permission="manageTask" allowed="{{userPermissions}}">
-                                <span class="ml-xs clickable text-danger task-delete" ng-click="removeTask(task)">
-                                    <i class="fa fa-times"></i>
-                                    Delete
-                                </span>
-                                <span class="ml-xs clickable text-success action-button" ng-show="task.status == 'Completed'" ng-click="openTask(task)">
-                                    <i class="fa fa-check-circle"></i>
-                                    Reopen
-                                </span>
-                                <span class="ml-xs clickable text-muted action-button" ng-show="task.status == 'InProgress'" ng-click="closeTask(task)">
-                                    <i class="fa fa-check-circle-o"></i>
-                                    Close
-                                </span>
-                                <span class="ml-xs clickable text-primary action-button" ng-show="task.status == 'Waiting'" ng-click="startTask(task)">
-                                    <i class="fa fa-play"></i>
-                                    Start
-                                </span>
 
-                                <span class="ml-xs" uib-dropdown ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{userPermissions}}">
-                                    <a href class="text-primary noline nowrap" ng-click="getTaskResponders(task, true)">
-                                        <i class="text-primary fa fa-cog"></i>
-                                    </a>
-                                </span>
+                                <a class="btn btn-icon btn-clear" ng-click="removeTask(task)" uib-tooltip="Delete">
+                                    <i class="fa fa-trash text-danger"></i>
+                                </a>
+                                <a class="btn btn-icon btn-clear"  ng-show="task.status == 'Completed'" ng-click="openTask(task)" uib-tooltip="Reopen">
+                                    <i class="fa fa-play text-success"></i>
+                                </a>
+                                <a class="btn btn-icon btn-clear" ng-show="task.status == 'InProgress'" ng-click="closeTask(task)" uib-tooltip="Close">
+                                    <i class="fa fa-check-circle-o text-muted"></i>
+                                </a>
+                                <a class="btn btn-icon btn-clear" ng-show="task.status == 'Waiting'" ng-click="startTask(task)" uib-tooltip="Start">
+                                    <i class="fa fa-play text-primary"></i>
+                                </a>
+                                <a href class="btn btn-icon btn-clear" ng-click="getTaskResponders(task, true)" ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{userPermissions}}">
+                                    <i class="text-primary fa fa-cog"></i>
+                                </a>
                             </td>
                         </tr>
                         <tr ng-if="task.description && collapseOptions[task._id]">
@@ -304,7 +299,7 @@ <h4>
             </div>
         </div>
 
-        <psearch control="tasks"></psearch>
+        <psearch control="list"></psearch>
 
     </div>
 </div>
diff --git a/frontend/app/views/partials/case/case.tasks.item.html b/frontend/app/views/partials/case/case.tasks.item.html
index 4edd2e65d3..6190531c0e 100644
--- a/frontend/app/views/partials/case/case.tasks.item.html
+++ b/frontend/app/views/partials/case/case.tasks.item.html
@@ -256,6 +256,7 @@ <h4 class="vpad10 text-primary">Task sharing</h4>
                  shares="shares"
                  read-only="true"
                  on-require-action="markShareAsActionRequired(task, org)"
+                 on-cancel-require-action="markShareAsActionDone(task, org)"
                  on-delete="removeShare(share)"
                  permissions="userPermissions"
                  ></task-sharing-list>
diff --git a/frontend/app/views/partials/case/case.update.html b/frontend/app/views/partials/case/case.update.html
index a36677147d..bc4a58409b 100644
--- a/frontend/app/views/partials/case/case.update.html
+++ b/frontend/app/views/partials/case/case.update.html
@@ -45,11 +45,21 @@ <h3 class="modal-title">Update case(s)</h3>
             <label class="col-md-3 control-label">Add Tags <input class="ml-xxs" type="checkbox" ng-model="$dialog.state.enableAddTags"></label>
             <div class="col-md-9">
                 <input type="hidden" name="addTags" ng-model="$dialog.params.addTagNames" ng-required="$dialog.state.enableAddTags"/>
-                <tags-input name="addTagsInput" ng-model="$dialog.params.addTags" class="ti-input-sm"
-                    placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2"
-                    on-tag-added="$dialog.toggleAddTags()">
-                    <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
-                </tags-input>
+
+                <div class="input-group">
+                    <tags-input name="addTagsInput" ng-model="$dialog.params.addTags" class="ti-input-sm ti-tag-selector"
+                        placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2"
+                        on-tag-added="$dialog.toggleAddTags()" template="views/directives/tag-input-item.html">
+                        <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
+                    </tags-input>
+
+                    <span class="input-group-btn vtop">
+                        <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="$dialog.fromTagLibrary('add')" uib-tooltip="Add tag from library" tooltip-placement="left">
+                            <span class="fa fa-plus"></span>
+                        </button>
+                    </span>
+                </div>
+
             </div>
         </div>
 
@@ -57,11 +67,19 @@ <h3 class="modal-title">Update case(s)</h3>
             <label class="col-md-3 control-label">Remove Tags <input class="ml-xxs" type="checkbox" ng-model="$dialog.state.enableRemoveTags"></label>
             <div class="col-md-9">
                 <input type="hidden" name="removeTags" ng-model="$dialog.params.removeTagNames" ng-required="$dialog.state.enableRemoveTags"/>
-                <tags-input name="removeTagsInput" ng-model="$dialog.params.removeTags" class="ti-input-sm"
-                    placeholder="Remove tags" replace-spaces-with-dashes="false" min-length="2"
-                    on-tag-added="$dialog.toggleRemoveTags()">
-                    <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
-                </tags-input>
+                <div class="input-group">
+                    <tags-input name="removeTagsInput" ng-model="$dialog.params.removeTags" class="ti-input-sm ti-tag-selector"
+                        placeholder="Remove tags" replace-spaces-with-dashes="false" min-length="2"
+                        on-tag-added="$dialog.toggleRemoveTags()" template="views/directives/tag-input-item.html">
+                        <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
+                    </tags-input>
+
+                    <span class="input-group-btn vtop">
+                        <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="$dialog.fromTagLibrary('remove')" uib-tooltip="Add tag from library" tooltip-placement="left">
+                            <span class="fa fa-plus"></span>
+                        </button>
+                    </span>
+                </div>
             </div>
         </div>
     </div>
diff --git a/frontend/app/views/partials/case/details/custom.fields.html b/frontend/app/views/partials/case/details/custom.fields.html
index 27047213df..7e35868ac9 100644
--- a/frontend/app/views/partials/case/details/custom.fields.html
+++ b/frontend/app/views/partials/case/details/custom.fields.html
@@ -41,9 +41,12 @@ <h4 class="vpad10 text-primary">
                 <custom-field-input
                     index="$index"
                     editable="canEdit"
+                    removable="canEdit"
                     field="customFieldsCache[customField.name]"
                     on-update="updateField(fieldName, value)"
-                    value="customField.value"></custom-field-input>
+                    on-remove="removeField(fieldId)"
+                    value="customField.value"
+                    id="customField._id"></custom-field-input>
             </div>
         </div>
     </div>
diff --git a/frontend/app/views/partials/case/details/related.cases.html b/frontend/app/views/partials/case/details/related.cases.html
index 89b690e506..272d0c5b1a 100644
--- a/frontend/app/views/partials/case/details/related.cases.html
+++ b/frontend/app/views/partials/case/details/related.cases.html
@@ -4,7 +4,7 @@ <h4 class="vpad10 text-primary">Related cases</h4>
     <div>
         <h5>Newest (<a href ui-sref="app.case.details({caseId:links[0].id})">Case # {{newestLink.caseId}} - {{newestLink.title}}</a>)</h5>
         <div>
-            Created on <strong>{{newestLink.startDate | showDate:'YYYY-MM-DD'}}</strong>
+            Created on <strong>{{newestLink.startDate | shortDate:'YYYY-MM-DD'}}</strong>
         </div>
         <div>
             Shares <strong><ng-pluralize count="newestLink.linksCount" when="{'one': '1 observable', 'other': '{} observables'}"></ng-pluralize></strong>
@@ -21,7 +21,7 @@ <h5>Newest (<a href ui-sref="app.case.details({caseId:links[0].id})">Case # {{ne
     <div ng-show="links.length > 1">
         <h5>Oldest (<a href ui-sref="app.case.details({caseId:oldestLink.id})">Case # {{oldestLink.caseId}} - {{oldestLink.title}}</a>)</h5>
         <div>
-            Created on <strong>{{oldestLink.startDate | showDate:'YYYY-MM-DD'}}</strong>
+            Created on <strong>{{oldestLink.startDate | shortDate:'YYYY-MM-DD'}}</strong>
         </div>
         <div>
             Shares
diff --git a/frontend/app/views/partials/case/list/toolbar.html b/frontend/app/views/partials/case/list/toolbar.html
index 07be4940cc..d4a04f62e1 100644
--- a/frontend/app/views/partials/case/list/toolbar.html
+++ b/frontend/app/views/partials/case/list/toolbar.html
@@ -11,6 +11,23 @@
                     <li>
                         <a href ng-click="$vm.bulkEdit()"><i class="fa fa-edit"></i> Edit</a>
                     </li>
+                    <li class="divider"></li>
+                    <li ng-if="$vm.menu.flag">
+                        <a href ng-click="$vm.bulkFlag(true)"><i class="fa fa-flag"></i> Add flag</a>
+                    </li>
+                    <li ng-if="$vm.menu.unflag">
+                        <a href ng-click="$vm.bulkFlag(false)"><i class="fa fa-flag-o"></i> Remove flag</a>
+                    </li>
+                    <li ng-if="$vm.menu.reopen">
+                        <a href ng-click="$vm.bulkReopen()"><i class="fa fa-folder-open"></i> Reopen</a>
+                    </li>
+                    <li ng-if="$vm.menu.close">
+                        <a href ng-click="$vm.bulkClose()"><i class="fa fa-folder"></i> Close</a>
+                    </li>
+                    <li ng-if="$vm.menu.delete" class="divider"></li>
+                    <li>
+                        <a href ng-click="$vm.bulkRemove()"><i class="fa fa-trash"></i> Delete</a>
+                    </li>
                 </ul>
             </div>
 
@@ -34,6 +51,13 @@
                     <li>
                         <a ng-click="$vm.filterMyCases()"><i class="fa fa-user"></i> My cases</a>
                     </li>
+                    <li class="divider"></li>
+                    <li>
+                        <a ng-click="$vm.filterMyOrgCases()"><i class="fa fa-building-o"></i> Owned by my org</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.filterSharedWithMyOrg()"><i class="fa fa-share-square"></i> Shared with my org</a>
+                    </li>
                 </ul>
             </div>
 
diff --git a/frontend/app/views/partials/case/procedures/add-procedure.modal.html b/frontend/app/views/partials/case/procedures/add-procedure.modal.html
new file mode 100644
index 0000000000..8aef297d59
--- /dev/null
+++ b/frontend/app/views/partials/case/procedures/add-procedure.modal.html
@@ -0,0 +1,108 @@
+<form class="procedureForm" class="procedure-modal" ng-submit="$modal.addProcedure()" novalidate>
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">Add Tactic, Technique and Procedure</h3>
+    </div>
+    <div class="modal-body">
+
+        <div class="row">
+            <div class="col-sm-6">
+                <div class="form-group" ng-class="{ 'has-error' : procedureForm.tactic.$invalid && !procedureForm.tactic.$pristine }">
+                    <label>
+                        Tactic
+                        <i class="fa fa-asterisk text-danger"></i>
+                    </label>
+                    <select class="form-control" name="tactic" ng-model="$modal.procedure.tactic" autofocus="beforeProcedureModalShow"
+                        ng-options="tactic as $modal.tactics.values[tactic].label for tactic in $modal.tactics.keys" required ng-change="$modal.showTechniques()">
+                    </select>
+                    <p class="help-block" ng-show="procedureForm.tactic.$invalid && !procedureForm.tactic.$pristine">This field is required.</p>
+                </div>
+            </div>
+            <div class="col-sm-6">
+                <div class="form-group" ng-class="{ 'has-error' : procedureForm.occureDate.$invalid && !procedureForm.occureDate.$pristine }">
+                    <label>
+                        Occur Date
+                        <i class="fa fa-asterisk text-danger"></i>
+                    </label>
+                    <div>
+                        <date-time-picker date="$modal.procedure.occurDate" name="occurDate"></date-time-picker>
+                        <p class="help-block" ng-show="procedureForm.occureDate.$invalid && !procedureForm.occureDate.$pristine">The field is required.</p>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+
+        <div class="form-group" ng-class="{ 'has-error' : procedureForm.pattern.$invalid && !procedureForm.pattern.$pristine }">
+            <label>
+                Technique
+                <i class="fa fa-asterisk text-danger"></i>
+            </label>
+
+            <div ng-show="!$modal.procedure.tactic" class="text-muted">
+                Please select a tactic above.
+            </div>
+
+            <div ng-show="$modal.procedure.tactic">
+                <input type="text" class="form-control mv-xxxs" placeholder="Filter techniques" ng-model="$modal.state.search">
+                <input type="hidden"ng-model="$modal.procedure.patternId" required>
+                <div class="procedure-techniques-list p-xxs">
+
+                    <div ng-repeat="technique in $modal.state.techniques | filter:$modal.state.search">
+                        <div class="procedure-techniques-item" ng-class="{'active': $modal.procedure.patternId === technique.patternId}"
+                            ng-click="$modal.procedure.patternId = technique.patternId">
+                            <div class="radio">
+                                <label class="procedure-technique" ng-class="{'sub-technique': technique.isSubTechnique}">
+                                    <input type="radio" name="pattern" ng-value="technique.patternId" ng-model="$modal.procedure.patternId">
+
+                                    <span ng-if="!!!technique.isSubTechnique">{{technique.patternId}} - {{technique.name}}</span>
+                                    <span ng-if="!!technique.isSubTechnique">{{technique.patternId}} - {{technique.extraData.parent.name}}:{{technique.name}}</span>
+
+                                    <span class="pull-right ml-xxs">
+                                        <a href="{{technique.url}}" target="_blank">
+                                            <i class="fa fa-external-link"></i>
+                                        </a>
+                                    </span>
+                                    <span class="pull-right">
+                                        <i class="fa fa-question-circle" uib-tooltip="{{technique.description}}" tooltip-placement="left-center"></i>
+                                    </span>
+
+                                </label>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <p class="help-block" ng-show="procedureForm.pattern.$invalid && !procedureForm.pattern.$pristine">This field is required.</p>
+            </div>
+
+
+
+        </div>
+
+        <div class="mv-xxs" ng-if="!$modal.showProcedure">
+            <a href ng-click="$modal.showProcedure = true"><i class="fa fa-plus"></i> Add Procedure</a>
+        </div>
+
+        <div class="form-group" ng-if="$modal.showProcedure" ng-class="{ 'has-error' : procedureForm.description.$invalid && !procedureForm.description.$pristine }">
+            <label>Procedure</label>
+            <div>
+                <div class="clearfix">
+                    <a class="pull-right" href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet" target="_blank">
+                        <i class="fa fa-question-circle"></i> Markdown Reference
+                    </a>
+                </div>
+
+                <textarea name="procedure" class="content-box" markdown-editor="$modal.markdownEditorOptions" rows="10"
+                    ng-model="$modal.procedure.description" required></textarea>
+
+                <p class="help-block" ng-show="procedureForm.description.$invalid && !procedureForm.description.$pristine">This field is required.</p>
+            </div>
+        </div>
+    </div>
+    <div class="modal-footer text-left">
+        <button class="btn btn-default" ng-click="$modal.cancel()" type="button">Cancel</button>
+
+        <button class="btn btn-primary pull-right" type="submit" ng-disabled="$modal.state.loading || procedureForm.$invalid">
+            Add TTP
+        </button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/case/procedures/filters.html b/frontend/app/views/partials/case/procedures/filters.html
new file mode 100644
index 0000000000..12c948d197
--- /dev/null
+++ b/frontend/app/views/partials/case/procedures/filters.html
@@ -0,0 +1,39 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/partials/case/procedures/toolbar.html b/frontend/app/views/partials/case/procedures/toolbar.html
new file mode 100644
index 0000000000..5cf4cdb69c
--- /dev/null
+++ b/frontend/app/views/partials/case/procedures/toolbar.html
@@ -0,0 +1,45 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+
+            <div class="btn-group" if-permission="manageCase" allowed="{{userPermissions}}">
+                <button class="btn btn-sm btn-primary" ng-click="$vm.addProcedure()">
+                    <i class="glyphicon glyphicon-plus"></i>
+                    Add TTP
+                </button>
+            </div>
+
+            <div class="btn-group" uib-dropdown>
+                <button class="btn btn-sm btn-primary dropdown-toggle" uib-dropdown-toggle type="button">
+                    <i class="fa fa-sort"></i>
+                    Sort by
+                    <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu" uib-dropdown-menu>
+                    <li>
+                        <a ng-click="$vm.sortBy(['-_createdAt'])">Newest first</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['+_createdAt'])">Oldest first</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['-_updatedAt'])">Recently updated</a>
+                    </li>
+                    <li>
+                        <a ng-click="$vm.sortBy(['+_updatedAt'])">Least recently updated</a>
+                    </li>
+                </ul>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/case/tasks/toolbar.html b/frontend/app/views/partials/case/tasks/toolbar.html
index afddfc4cd2..8fe46997a2 100644
--- a/frontend/app/views/partials/case/tasks/toolbar.html
+++ b/frontend/app/views/partials/case/tasks/toolbar.html
@@ -2,6 +2,34 @@
     <div class="col-md-12">
         <div class="btn-toolbar" role="toolbar">
 
+            <div class="btn-group" uib-dropdown if-permission="manageTask" allowed="{{userPermissions}}">
+                <button type="button" class="btn btn-sm btn-default" uib-dropdown-toggle ng-disabled="selection.length === 0">
+                    <ng-pluralize count="selection.length" when="{'0': 'No tasks selected', 'one': '{} selected task', 'other': '{} selected tasks'}"></ng-pluralize>
+                    <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu" uib-dropdown-menu>
+                    <li ng-if="menu.flag">
+                        <a href ng-click="bulkFlag(true)"><i class="fa fa-flag"></i> Add flag</a>
+                    </li>
+                    <li ng-if="menu.unflag">
+                        <a href ng-click="bulkFlag(false)"><i class="fa fa-flag-o"></i> Remove flag</a>
+                    </li>
+                    <li ng-if="menu.start">
+                        <a href ng-click="bulkStatus('InProgress')"><i class="fa fa-play"></i> Start</a>
+                    </li>
+                    <li ng-if="menu.reopen">
+                        <a href ng-click="bulkStatus('InProgress')"><i class="fa fa-folder-open"></i> Reopen</a>
+                    </li>
+                    <li ng-if="menu.close">
+                        <a href ng-click="bulkStatus('Completed')"><i class="fa fa-folder"></i> Close</a>
+                    </li>
+                    <li ng-if="menu.delete" class="divider"></li>
+                    <li>
+                        <a href ng-click="bulkRemove()"><i class="fa fa-trash"></i> Delete</a>
+                    </li>
+                </ul>
+            </div>
+
             <div class="btn-group" if-permission="manageTask" allowed="{{userPermissions}}">
                 <button class="btn btn-sm btn-primary" ng-click="state.isNewTask = true">
                     <i class="glyphicon glyphicon-plus"></i>
@@ -36,13 +64,6 @@
                 </ul>
             </div>
 
-            <div class="btn-group">
-                <button class="btn btn-sm btn-default" ng-click="toggleGroupedView()">
-                    <i class="glyphicon glyphicon-th-list"></i>
-                    Show {{state.showGrouped ? 'as a List' : 'Groups'}}
-                </button>
-            </div>
-
             <div class="btn-group pull-right" role="group">
                 <page-sizer collection="tasks" sizes="[10, 15, 30, 100]"></page-sizer>
             </div>
@@ -52,6 +73,12 @@
                     <i class="fa fa-search"></i> Filters
                 </button>
             </div>
+            <div class="btn-group pull-right">
+                <button class="btn btn-sm btn-default" ng-click="toggleGroupedView()">
+                    <i class="glyphicon glyphicon-th-list"></i>
+                    Show {{state.showGrouped ? 'as a List' : 'Groups'}}
+                </button>
+            </div>
         </div>
     </div>
 </div>
diff --git a/frontend/app/views/partials/dashboard/list.html b/frontend/app/views/partials/dashboard/list.html
index 8d5c1d6588..b056101190 100644
--- a/frontend/app/views/partials/dashboard/list.html
+++ b/frontend/app/views/partials/dashboard/list.html
@@ -1,42 +1,133 @@
-<div class="box">
-    <div class="box-header with-border">
-        <h3 class="box-title">Dashboards ({{$vm.dashboards.length}})</h3>
-    </div>
-    <div class="box-body">
-        <button class="btn btn-primary" type="button" ng-click="$vm.addDashboard()">Create new Dashboard</button>
-        <button class="btn btn-default" type="button" ng-click="$vm.importDashboard()">Import Dashboard</button>
-
-        <div class="row mv-s" ng-if="$vm.dashboards.length === 0">
-            <div class="col-md-12">
-                <div class="empty-message">No dashboards defined.</div>
+<div class="row">
+    <div class="col-md-12">
+        <div class="box">
+            <div class="box-header with-border">
+                <h3 class="box-title">
+                    Dashboard List ({{$vm.list.values.length || 0}} of {{$vm.list.total}})
+                </h3>
             </div>
-        </div>
+            <div class="box-body">
+                <div ng-include="'views/partials/dashboard/list/toolbar.html'"></div>
 
-        <div class="row mv-s" ng-if="$vm.dashboards.length > 0">
-            <div class="col-sm-12 dashboards-list">
-                <div class="dashboard-item media" ng-repeat="db in $vm.dashboards track by db.id">
-                    <div class="media-left">
-                        <span class="label label-default">{{db.status}}</span>
-                    </div>
-                    <div class="media-body">
-                        <h4 class="media-heading">
-                            <a href ui-sref="app.dashboards-view({id: db.id})">{{db.title}}</a>
-                        </h4>
-                        <span class="text-muted">{{db.description}}</span>
-                    </div>
-                    <div class="media-right ph-xs text-center" ng-if="(db.createdBy === currentUser.login)">
-                        <a href ng-click="$vm.editDashboard(db)"><i class="fa fa-pencil"></i>Edit</a>
-                    </div>
-                    <div class="media-right ph-xs text-center" ng-if="(db.createdBy === currentUser.login)">
-                        <a href class="text-danger" ng-click="$vm.deleteDashboard(db.id)"><i class="fa fa-trash"></i>Delete</a>
+                <div class="mt-xs filter-panel" ng-include="'views/partials/dashboard/list/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+                <!-- Filters preview  -->
+                <div class="row mt-xs">
+                    <div class="col-md-12 clearfix">
+                        <filters-preview filters="$vm.filtering.context.filters"
+                            on-clear-item="$vm.removeFilter(field)"
+                            on-clear-all="$vm.clearFilters()"></filters-preview>
                     </div>
-                    <div class="media-right ph-xs text-center">
-                        <a href ng-click="$vm.duplicateDashboard(db)"><i class="fa fa-copy"></i>Duplicate</a>
+                </div>
+
+                <!-- Datalist  -->
+                <div class="row mt-xs">
+                    <div class="col-md-12 mv-s" ng-show="$vm.list.total === 0">
+                        <div class="empty-message">No records</div>
                     </div>
-                    <div class="media-right ph-xs text-center">
-                        <a href ng-click="$vm.exportDashboard(db)"><i class="fa fa-download"></i> Export</a>
+
+                    <div class="col-md-12" ng-show="$vm.list.total > 0">
+                        <psearch control="$vm.list"></psearch>
+
+                        <table class="table table-striped case-list">
+                            <thead>
+                                <tr>
+                                    <th width="80px">
+                                        <a href class="text-default" ng-click="$vm.sortByField('status')">
+                                            Status
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+status') === -1 && $vm.filtering.context.sort.indexOf('-status') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+status') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-status') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th>
+                                        <a href class="text-default" ng-click="$vm.sortByField('title')">
+                                            Title
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+title') === -1 && $vm.filtering.context.sort.indexOf('-title') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+title') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-title') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 180px;">
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('createdBy')" uib-tooltip="Sort by owner">
+                                            Owned By
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+createdBy') === -1 && $vm.filtering.context.sort.indexOf('-createdBy') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+createdBy') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-createdBy') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 150px">
+                                        Dates
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('createdAt')" uib-tooltip="Sort by creation date">
+                                            C.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+createdAt') === -1 && $vm.filtering.context.sort.indexOf('-createdAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+createdAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-createdAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                        <a href class="text-default ml-xxxs" ng-click="$vm.sortByField('updatedAt')" uib-tooltip="Sort by last update date">
+                                            U.
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+updatedAt') === -1 && $vm.filtering.context.sort.indexOf('-updatedAt') === -1" class="fa fa-sort"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('+updatedAt') !== -1" class="fa fa-caret-up"></i>
+                                            <i ng-show="$vm.filtering.context.sort.indexOf('-updatedAt') !== -1" class="fa fa-caret-down"></i>
+                                        </a>
+                                    </th>
+                                    <th style="width: 160px"></th>
+                                </tr>
+                            </thead>
+
+                            <tbody>
+                                <tr ng-repeat="item in $vm.list.values">
+
+                                    <td class="wrap">
+                                        <span class="label label-default clickable" ng-click="$vm.addFilterValue('status', item.status)">{{item.status}}</span>
+                                    </td>
+
+                                    <td class="wrap">
+                                        <h4 class="mt-0">
+                                            <a href ui-sref="app.dashboards-view({id: item._id})">{{item.title}}</a>
+                                        </h4>
+                                        <span class="text-muted">{{item.description}}</span>
+                                    </td>
+                                    <td class="nowrap">
+                                        <user user-id="item.createdBy" icon-size="m"></user>
+                                    </td>
+                                    <td>
+                                        <div ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+createdAt') !== -1 || $vm.filtering.context.sort.indexOf('-createdAt') !== -1}">
+                                            C. <a href ng-click="$vm.addFilterValue('createdAt', item.createdAt)">{{item.createdAt | shortDate}}</a>
+                                        </div>
+                                        <div ng-if="item.updatedAt > 0" ng-class="{'text-bold': $vm.filtering.context.sort.indexOf('+updatedAt') !== -1 || $vm.filtering.context.sort.indexOf('-updatedAt') !== -1}">
+                                            U. <a href ng-click="$vm.addFilterValue('updatedAt', item.updatedAt)">{{item.updatedAt | shortDate}}</a>
+                                        </div>
+                                    </td>
+                                    <td>
+                                        <div class="media-right ph-xs text-center">
+                                            <a href ui-sref="app.dashboards-view({id: item._id})"><i class="fa fa-area-chart"></i> <br />View</a>
+                                        </div>
+                                        <div class="media-right ph-xs text-center">
+                                            <a href ng-click="$vm.editDashboard(item)"><i class="fa fa-pencil"></i> <br />Edit</a>
+                                        </div>
+                                        <div class="media-right ph-xs text-center">
+                                            <a href ng-click="$vm.duplicateDashboard(item)"><i class="fa fa-copy"></i> <br />Copy</a>
+                                        </div>
+                                        <div class="media-right ph-xs text-center">
+                                            <a href ng-click="$vm.exportDashboard(item)"><i class="fa fa-download"></i> <br />Export</a>
+                                        </div>
+                                        <div class="media-right ph-xs text-center">
+                                            <a href class="text-danger" ng-click="$vm.deleteDashboard(item._id)">
+                                                <i class="fa fa-trash"></i> <br />Delete
+                                            </a>
+                                        </div>
+                                    </td>
+                                </tr>
+                            </tbody>
+                        </table>
+
+                        <psearch control="$vm.list"></psearch>
                     </div>
                 </div>
+
+
+
             </div>
         </div>
     </div>
diff --git a/frontend/app/views/partials/dashboard/list/filters.html b/frontend/app/views/partials/dashboard/list/filters.html
new file mode 100644
index 0000000000..12c948d197
--- /dev/null
+++ b/frontend/app/views/partials/dashboard/list/filters.html
@@ -0,0 +1,39 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/partials/dashboard/list/toolbar.html b/frontend/app/views/partials/dashboard/list/toolbar.html
new file mode 100644
index 0000000000..d63a1a673b
--- /dev/null
+++ b/frontend/app/views/partials/dashboard/list/toolbar.html
@@ -0,0 +1,20 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+
+            <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.addDashboard()">Create new Dashboard</button>
+
+            <button class="btn btn-sm btn-default" type="button" ng-click="$vm.importDashboard()">Import Dashboard</button>
+
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/dashboard/view.html b/frontend/app/views/partials/dashboard/view.html
index 2c7cba6221..8054246edc 100644
--- a/frontend/app/views/partials/dashboard/view.html
+++ b/frontend/app/views/partials/dashboard/view.html
@@ -4,7 +4,7 @@ <h3 class="box-title">
             {{$vm.dashboard.title}}
         </h3>
         <div class="box-tools pull-right">
-            <a href class="mr-xxs btn btn-sm btn-primary" ng-click="$vm.enableEditMode()" ng-show="$vm.canEditDashboard() && !$vm.options.editLayout">
+            <a href class="mr-xxs btn btn-sm btn-primary" ng-click="$vm.enableEditMode()" ng-show="!!$vm.dashboard.writable && !$vm.options.editLayout">
                 <i class="fa fa-pencil"></i> Edit
             </a>
             <a href class="mr-xxs btn btn-default btn-sm" ng-click="$vm.exportDashboard()" ng-show="!$vm.options.editLayout">
diff --git a/frontend/app/views/partials/main/index-mytasks.html b/frontend/app/views/partials/main/index-mytasks.html
index 61fb289b55..32aba54502 100644
--- a/frontend/app/views/partials/main/index-mytasks.html
+++ b/frontend/app/views/partials/main/index-mytasks.html
@@ -3,49 +3,53 @@
 <div class="empty-message" ng-show="$vm.list.total === 0">No records</div>
 
 <table class="table table-striped table-hover" ng-show="$vm.list.total > 0">
-	<thead>
-		<tr>
-			<th class="text-center" style="width: 60px;">Severity</th>
-			<th style="width: 200px;">Group</th>
-			<th>Task</th>
-			<th width="250px;">Date</th>
-		</tr>
-	</thead>
+    <thead>
+        <tr>
+            <th width="70px"></th>
+            <th class="text-center" style="width: 60px;">Severity</th>
+            <th style="width: 200px;">Group</th>
+            <th>Task</th>
+            <th width="250px;">Date</th>
+        </tr>
+    </thead>
 
-	<tbody>
-		<tr class="pointer task-row"
-			ng-repeat="value in $vm.list.values"
-			ng-class="{'warning': (value.flag == true)}"
-			ng-click="$vm.openEntity(value)">
-			<td class="text-center">
-				<severity active="false" value="value.extraData.case.severity"></severity>
-			</td>
-			<td>{{value.group}}</td>
-			<td>
-				<div>
-					<span class="text-primary mr-xxxs" ng-if="value.flag">
-						<i class="glyphicon glyphicon-flag"></i>
-					</span>
+    <tbody>
+        <tr class="pointer task-row"
+            ng-repeat="item in $vm.list.values"
+            ng-class="{'warning': (item.flag == true)}"
+            ng-click="$vm.openEntity(value)">
+            <td>
+                <task-flags task="item" inline="true"></task-flags>
+            </td>
+            <td class="text-center">
+                <severity active="false" value="item.extraData.case.severity"></severity>
+            </td>
+            <td>{{item.group}}</td>
+            <td>
+                <div>
+                    <span class="text-primary mr-xxxs" ng-if="item.flag">
+                        <i class="glyphicon glyphicon-flag"></i>
+                    </span>
 
-					<a href ui-sref="app.case.tasks-item({caseId: value.extraData.case._id, itemId:value._id})" ng-class="{'text-danger': !!value.extraData.actionRequired}">
-						<span ng-if="!!value.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
-							<i class="fa fa-exclamation-triangle"></i>
-						</span>
-						{{value.title}}
-					</a>					
-				</div>
-				<div ng-show="value.status === 'InProgress'" class="text-warning">
-						Started <em am-time-ago="value.startDate"></em>
-				</div>
-				<div>
-					<small><entity-link value="value.extraData.case"></entity-link></small>
-				</div>
-			</td>
-			<td>
-				{{value.startDate | shortDate}}
-			</td>
-		</tr>
-	</tbody>
+                    <a href ui-sref="app.case.tasks-item({caseId: item.extraData.case._id, itemId:item._id})" ng-class="{'text-danger': !!item.extraData.actionRequired}">
+                        <span ng-if="!!item.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
+                            <i class="fa fa-exclamation-triangle"></i>
+                        </span>
+                        {{item.title}}
+                    </a>
+                </div>
+                <div ng-show="item.status === 'InProgress'" class="text-warning">
+                        Started <em am-time-ago="item.startDate"></em>
+                </div>
+                <div>
+                    <small><entity-link value="item.extraData.case"></entity-link></small>
+                </div>
+            </td>
+            <td>
+                {{item.startDate | shortDate}}
+            </td>
+        </tr>
+    </tbody>
 
 </table>
 
diff --git a/frontend/app/views/partials/main/index-waitingtasks.html b/frontend/app/views/partials/main/index-waitingtasks.html
index 37c18e1d0f..15265aa687 100644
--- a/frontend/app/views/partials/main/index-waitingtasks.html
+++ b/frontend/app/views/partials/main/index-waitingtasks.html
@@ -5,6 +5,7 @@
 <table class="table table-striped table-hover" ng-show="$vm.list.total > 0">
 	<thead>
 		<tr>
+            <th width="70px"></th>
 			<th class="text-center" style="width: 60px;">Severity</th>
 			<th width="200px;">Group</th>
 			<th>Task</th>
@@ -14,26 +15,29 @@
 
 	<tbody>
 		<tr class="task-row"
-			ng-repeat="value in $vm.list.values">
+			ng-repeat="item in $vm.list.values">
+            <td>
+                <task-flags task="item" inline="true"></task-flags>
+            </td>
 			<td class="text-center">
-				<severity active="false" value="value.extraData.case.severity"></severity>
+				<severity active="false" value="item.extraData.case.severity"></severity>
 			</td>
-			<td>{{value.group}}</td>
+			<td>{{item.group}}</td>
 			<td>
 				<div>
-					<span class="text-primary mr-xxxs" ng-if="value.flag">
+					<span class="text-primary mr-xxxs" ng-if="item.flag">
 						<i class="glyphicon glyphicon-flag"></i>
 					</span>
 
-					<a href ui-sref="app.case.tasks-item({caseId: value.extraData.case._id, itemId:value._id})" ng-class="{'text-danger': !!value.extraData.actionRequired}">
-						<span ng-if="!!value.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
+					<a href ui-sref="app.case.tasks-item({caseId: item.extraData.case._id, itemId:item._id})" ng-class="{'text-danger': !!item.extraData.actionRequired}">
+						<span ng-if="!!item.extraData.actionRequired" class="text-danger noline mr-xxxs" uib-tooltip="Action Required" tooltip-placement="left-middle">
 							<i class="fa fa-exclamation-triangle"></i>
 						</span>
-						{{value.title}}
+						{{item.title}}
 					</a>
 				</div>
 				<div>
-					<small><entity-link value="value.extraData.case"></entity-link></small>
+					<small><entity-link value="item.extraData.case"></entity-link></small>
 				</div>
 			</td>
 			<td>
diff --git a/frontend/app/views/partials/misc/taxonomy-selection.modal.html b/frontend/app/views/partials/misc/taxonomy-selection.modal.html
new file mode 100644
index 0000000000..5a5ce376d5
--- /dev/null
+++ b/frontend/app/views/partials/misc/taxonomy-selection.modal.html
@@ -0,0 +1,81 @@
+<form name="tagsForm" ng-submit="$modal.addSelectedTags()" novalidate>
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">Select tags from library</h3>
+    </div>
+    <div class="modal-body">
+
+        <div class="mb-xs">
+            <div class="clearfix">
+                <label>
+                    Selected tags ({{$modal.formData.selectedTags.length}})
+                </label>
+                <a class="pull-right" href ng-click="$modal.clearSelection()">Clear selection</a>
+            </div>
+
+            <div class="empty-message" ng-if="$modal.formData.selectedTags.length === 0">No tags selected</div>
+
+            <div ng-if="$modal.formData.selectedTags.length > 0">
+                <div class="empty-message">
+                    <div class="tags-list flexwrap">
+                        <tag-item ng-repeat="tag in $modal.formData.selectedTags track by $index"
+                            value="tag" class="clickable" ng-click="$modal.selectTag(tag)"></tag-item>
+                    </div>
+                </div>
+                <p class="help-block">Click on a tag to unselect it</p>
+            </div>
+        </div>
+
+        <div class="mv-xxs" ng-if="!$modal.formData.selectedTaxonomy">
+            <label>
+                Choose taxonomy
+            </label>
+            <div class="list-group">
+                <a href class="list-group-item" ng-repeat="taxonomy in $modal.taxonomies"
+                    ng-click="$modal.selectTaxonomy(taxonomy)" class="clearfix">
+                    <span class="badge" uib-tooltip="{{taxonomy.description}}" tooltip-placement="left" tooltip-append-to-body="true"><i class="fa fa-question"></i></span>
+                    <span>{{taxonomy.namespace}} </span>
+                    <small class="pull-right mr-m"><em class="text-muted">({{taxonomy.tags.length || 0}} tags)</em></small>
+                </a>
+            </div>
+        </div>
+
+        <div ng-if="$modal.formData.selectedTaxonomy">
+            <div class="clearfix">
+                <label>
+                    Choose tags from taxonomy: {{$modal.formData.selectedTaxonomy.namespace}}
+                </label>
+                <a class="pull-right" href ng-click="$modal.formData.selectedTaxonomy = undefined">Show all taxonomies</a>
+            </div>
+
+            <div class="row mb-xxs">
+                <div class="col-sm-12">
+                    <div class="has-feedback">
+                        <input type="text" ng-model="$modal.search" class="form-control" placeholder="Filter tags" autofocus>
+                        <span class="glyphicon glyphicon-search form-control-feedback"></span>
+                    </div>
+                </div>
+            </div>
+
+            <div style="height: 300px; max-height: 300px; overflow-y: scroll;">
+                <div class="list-group">
+                    <a href class="list-group-item" ng-repeat="tag in $modal.formData.selectedTaxonomy.tags | filter:$modal.search"
+                        ng-click="$modal.selectTag(tag)">
+                        <span class="mr-xs" ng-class="{'text-primary': !!tag.selected, 'text-disabled': !!!tag.selected}">
+                            <i class="fa fa-check"></i>
+                        </span>
+
+                        <span class="badge" ng-if="::tag.description" uib-tooltip="{{::tag.description}}" tooltip-placement="left" tooltip-append-to-body="true">
+                            <i class="fa fa-question"></i>
+                        </span>
+
+                        <tag value="tag"></tag>
+                    </a>
+                </div>
+            </div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$modal.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="submit" ng-disabled="$modal.formData.selectedTags === 0">Add Selected tags</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/observables/creation/form.html b/frontend/app/views/partials/observables/creation/form.html
index 43de4393ac..89df393cc4 100644
--- a/frontend/app/views/partials/observables/creation/form.html
+++ b/frontend/app/views/partials/observables/creation/form.html
@@ -131,9 +131,19 @@
     </label>
     <div class="col-md-9">
         <input type="hidden" name="tags" ng-model="params.tagNames" ng-required="!params.message.length"/>
-        <tags-input name="tagsInput" ng-model="params.tags" class="ti-input-sm" placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2">
-            <auto-complete min-length="3" debounce-delay="400" source="getTags($query)"></auto-complete>
-        </tags-input>
+
+        <div class="input-group">
+            <tags-input name="tagsInput" template="views/directives/tag-input-item.html" ng-model="params.tags" class="ti-input-sm ti-tag-selector" placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2">
+                <auto-complete min-length="3" debounce-delay="400" source="getTags($query)"></auto-complete>
+            </tags-input>
+
+            <span class="input-group-btn vtop">
+                <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="fromTagLibrary()" uib-tooltip="Add tag from library" tooltip-placement="left">
+                    <span class="fa fa-plus"></span>
+                </button>
+            </span>
+        </div>
+
         <p class="help-block" ng-show="observableForm.tags.$invalid && !observableForm.tagsInput.$pristine">The observable(s) description or tags are required.</p>
     </div>
 </div>
diff --git a/frontend/app/views/partials/observables/details/analysers.html b/frontend/app/views/partials/observables/details/analysers.html
index a07a59b7ab..57b43ef06d 100644
--- a/frontend/app/views/partials/observables/details/analysers.html
+++ b/frontend/app/views/partials/observables/details/analysers.html
@@ -45,7 +45,7 @@ <h4 class="pv-xxs pr-xxs text-primary">
                                     <i class="glyphicon" ng-class="{ Failure:'glyphicon-warning-sign text-warning', Success:'glyphicon-ok text-success', InProgress:'fa fa-cog fa-spin', Waiting:'fa fa-cog fa-spin'}[job.status]"></i>
                                 </span>
 
-                                <a href ng-click="showReport(job.id)" uib-tooltip="View report">{{(job.endDate || job.startDate) | showDate}}</a> ({{job.cortexId}})
+                                <a href ng-click="showReport(job.id)" uib-tooltip="View report">{{(job.endDate || job.startDate) | shortDate}}</a> ({{job.cortexId}})
                             </li>
                         </ul>
                     </td>
@@ -96,7 +96,7 @@ <h4 class="pv-xxs pr-xxs text-primary">
 <div class="row observable-report" ng-if="report">
     <div class="col-md-12">
         <h4 class="pad10 text-primary">
-            Report <small>for {{report.template}} analysis of {{(report.endDate || report.startDate) | showDate}}</small>
+            Report <small>for {{report.template}} analysis of {{(report.endDate || report.startDate) | shortDate}}</small>
             <span class="pull-right">
                 <small><a href class="text-primary" ng-click="showRaw = !showRaw">{{showRaw ? 'Hide': 'Show'}} Raw Report</a></small>
                 <small class="mh-xxxs">|</small>
diff --git a/frontend/app/views/partials/observables/details/summary.html b/frontend/app/views/partials/observables/details/summary.html
index bc01374393..6d1c056edb 100644
--- a/frontend/app/views/partials/observables/details/summary.html
+++ b/frontend/app/views/partials/observables/details/summary.html
@@ -47,7 +47,7 @@ <h4 class="vpad10 text-primary">
 
         <dl class="dl-horizontal clear">
             <dt class="pull-left">Date added</dt>
-            <dd>{{artifact.startDate | showDate}}</dd>
+            <dd>{{artifact.startDate | shortDate}}</dd>
         </dl>
 
         <dl class="dl-horizontal clear">
@@ -95,7 +95,7 @@ <h4 class="vpad10 text-primary">
         <dl class="dl-horizontal">
             <dt class="pull-left">Tags</dt>
             <dd ng-if="canEdit">
-                <updatable-tags value="artifact.tags" on-update="updateField('tags', getLabels(newValue))" source="getTags"></updatable-tags>
+                <updatable-tag-list on-update="updateField('tags', getLabels(newValue))" value="artifact.tags" source="getTags"></updatable-tag-list>
             </dd>
             <dd ng-if="!canEdit">
                 <tag-list ng-if="artifact.tags.length > 0" data="artifact.tags"></tag-list>
diff --git a/frontend/app/views/partials/observables/list/observables.html b/frontend/app/views/partials/observables/list/observables.html
index 7290b50631..1c10ddcd8d 100644
--- a/frontend/app/views/partials/observables/list/observables.html
+++ b/frontend/app/views/partials/observables/list/observables.html
@@ -30,29 +30,49 @@ <h4>
                 </th>
                 <th style="width: 100px">Flags</th>
                 <th style="width: 100px">
-                  <a href class="text-default" ng-click="sortByField('dataType')">
-                    Type
-                    <i ng-show="artifacts.sort !== '+dataType' && artifacts.sort !== '-dataType'" class="fa fa-sort"></i>
-                    <i ng-show="artifacts.sort === '+dataType'" class="fa fa-caret-up"></i>
-                    <i ng-show="artifacts.sort === '-dataType'" class="fa fa-caret-down"></i>
-                  </a>
+                    <a href class="text-default ml-xxxs" ng-click="sortByField('dataType')" uib-tooltip="Sort by dataType">
+                        Type
+                        <i ng-show="filtering.context.sort.indexOf('+dataType') === -1 && filtering.context.sort.indexOf('-dataType') === -1" class="fa fa-sort"></i>
+                        <i ng-show="filtering.context.sort.indexOf('+dataType') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="filtering.context.sort.indexOf('-dataType') !== -1" class="fa fa-caret-down"></i>
+                    </a>
                 </th>
                 <th>
-                  <a href class="text-default" ng-click="sortByField('data')">
+                    <a href class="text-default ml-xxxs" ng-click="sortByField('data')" uib-tooltip="Sort by dataType">
+                        Value/Filename
+                        <i ng-show="filtering.context.sort.indexOf('+data') === -1 && filtering.context.sort.indexOf('-data') === -1" class="fa fa-sort"></i>
+                        <i ng-show="filtering.context.sort.indexOf('+data') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="filtering.context.sort.indexOf('-data') !== -1" class="fa fa-caret-down"></i>
+                    </a>
+                  <!-- <a href class="text-default" ng-click="sortByField('data')">
                     Value/Filename
                     <i ng-show="artifacts.sort !== '+data' && artifacts.sort !== '-data'" class="fa fa-sort"></i>
                     <i ng-show="artifacts.sort === '+data'" class="fa fa-caret-up"></i>
                     <i ng-show="artifacts.sort === '-data'" class="fa fa-caret-down"></i>
-                  </a>
+                  </a> -->
                 </th>
                 <th style="width: 70px;"></th>
-                <th style="width: 120px">
-                  <a href class="text-default" ng-click="sortByField('startDate')">
-                    Date Added
-                    <i ng-show="artifacts.sort !== '+startDate' && artifacts.sort !== '-startDate'" class="fa fa-sort"></i>
-                    <i ng-show="artifacts.sort === '+startDate'" class="fa fa-caret-up"></i>
-                    <i ng-show="artifacts.sort === '-startDate'" class="fa fa-caret-down"></i>
-                  </a>
+                <th style="width: 150px">
+                    Dates
+
+                    <a href class="text-default ml-xxxs" ng-click="sortByField('startDate')" uib-tooltip="Sort by add date">
+                        S.
+                        <i ng-show="filtering.context.sort.indexOf('+startDate') === -1 && filtering.context.sort.indexOf('-startDate') === -1" class="fa fa-sort"></i>
+                        <i ng-show="filtering.context.sort.indexOf('+startDate') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="filtering.context.sort.indexOf('-startDate') !== -1" class="fa fa-caret-down"></i>
+                    </a>
+                    <a href class="text-default ml-xxxs" ng-click="sortByField('_createdAt')" uib-tooltip="Sort by creation date">
+                        C.
+                        <i ng-show="filtering.context.sort.indexOf('+_createdAt') === -1 && filtering.context.sort.indexOf('-_createdAt') === -1" class="fa fa-sort"></i>
+                        <i ng-show="filtering.context.sort.indexOf('+_createdAt') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="filtering.context.sort.indexOf('-_createdAt') !== -1" class="fa fa-caret-down"></i>
+                    </a>
+                    <a href class="text-default ml-xxxs" ng-click="sortByField('_updatedAt')" uib-tooltip="Sort by last update date">
+                        U.
+                        <i ng-show="filtering.context.sort.indexOf('+_updatedAt') === -1 && filtering.context.sort.indexOf('-_updatedAt') === -1" class="fa fa-sort"></i>
+                        <i ng-show="filtering.context.sort.indexOf('+_updatedAt') !== -1" class="fa fa-caret-up"></i>
+                        <i ng-show="filtering.context.sort.indexOf('-_updatedAt') !== -1" class="fa fa-caret-down"></i>
+                    </a>
                 </th>
                 <th style="width: 40px;" if-permission="manageAction" allowed="{{userPermissions}}" ng-if="appConfig.connectors.cortex.enabled">Actions</th>
             </tr>
@@ -80,11 +100,8 @@ <h4>
                     <div class="case-tags flexwrap mt-xxs">
                         <span class="mr-xxxs text-muted"><i class="fa fa-tags"></i></span>
                         <strong class="text-muted mr-xxxs" ng-if="!artifact.tags || artifact.tags.length === 0">None</strong>
-                        <span class="label label-primary mb-xxxs mr-xxxs pointer"
-                            ng-repeat="tag in artifact.tags track by $index"
-                            ng-click="addFilterValue('tags', tag)">
-                            {{tag}}
-                        </span>
+                        <tag-item class="pointer" ng-repeat="tag in artifact.tags track by $index"
+                            ng-click="addFilterValue('tags', tag)" value="tag"></tag-item>
                     </div>
 
                     <mini-report-list observable="artifact" reports="artifact.reports" on-item-clicked="showReport(observable, analyzerId)"></mini-report-list>
@@ -98,7 +115,15 @@ <h4>
                     </a>
                 </td>
                 <td>
-                    <a href ng-click="addFilterValue('startDate', artifact.startDate)"><span uib-tooltip="{{artifact.startDate | showDate}}" tooltip-popup-delay="500" tooltip-placement="bottom">{{artifact.startDate | shortDate}}</span></a>
+                    <div ng-class="{'text-bold': filtering.context.sort.indexOf('+startDate') !== -1 || filtering.context.sort.indexOf('-startDate') !== -1}">
+                        S. <a href ng-click="addFilterValue('startDate', artifact.startDate)">{{artifact.startDate | shortDate}}</a>
+                    </div>
+                    <div ng-class="{'text-bold': filtering.context.sort.indexOf('+_createdAt') !== -1 || filtering.context.sort.indexOf('-_createdAt') !== -1}">
+                        C. <a href ng-click="addFilterValue('_createdAt', artifact._createdAt)">{{artifact._createdAt | shortDate}}</a>
+                    </div>
+                    <div ng-if="artifact._updatedAt > 0" ng-class="{'text-bold': filtering.context.sort.indexOf('+_updatedAt') !== -1 || filtering.context.sort.indexOf('-_updatedAt') !== -1}">
+                        U. <a href ng-click="addFilterValue('_updatedAt', artifact._updatedAt)">{{artifact._updatedAt | shortDate}}</a>
+                    </div>
                 </td>
                 <td align="center" ng-if="appConfig.connectors.cortex.enabled" if-permission="manageAction" allowed="{{userPermissions}}">
                     <span>
diff --git a/frontend/app/views/partials/observables/observable.update.html b/frontend/app/views/partials/observables/observable.update.html
index 948bf59ad4..ebb3dc5bf1 100644
--- a/frontend/app/views/partials/observables/observable.update.html
+++ b/frontend/app/views/partials/observables/observable.update.html
@@ -56,11 +56,21 @@ <h3 class="modal-title">Update observable(s)</h3>
             <label class="col-md-3 control-label">Add Tags <input class="ml-xxs" type="checkbox" ng-model="$dialog.state.enableAddTags"></label>
             <div class="col-md-9">
                 <input type="hidden" name="addTags" ng-model="$dialog.params.addTagNames" ng-required="$dialog.state.enableAddTags"/>
-                <tags-input name="addTagsInput" ng-model="$dialog.params.addTags" class="ti-input-sm"
-                    placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2"
-                    on-tag-added="$dialog.toggleAddTags()">
-                    <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
-                </tags-input>
+
+                <div class="input-group">
+                    <tags-input name="addTagsInput" ng-model="$dialog.params.addTags" class="ti-input-sm ti-tag-selector"
+                        placeholder="Add tags" replace-spaces-with-dashes="false" min-length="2"
+                        on-tag-added="$dialog.toggleAddTags()" template="views/directives/tag-input-item.html">
+                        <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
+                    </tags-input>
+
+                    <span class="input-group-btn vtop">
+                        <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="$dialog.fromTagLibrary('add')" uib-tooltip="Add tag from library" tooltip-placement="left">
+                            <span class="fa fa-plus"></span>
+                        </button>
+                    </span>
+                </div>
+
             </div>
         </div>
 
@@ -68,13 +78,22 @@ <h3 class="modal-title">Update observable(s)</h3>
             <label class="col-md-3 control-label">Remove Tags <input class="ml-xxs" type="checkbox" ng-model="$dialog.state.enableRemoveTags"></label>
             <div class="col-md-9">
                 <input type="hidden" name="removeTags" ng-model="$dialog.params.removeTagNames" ng-required="$dialog.state.enableRemoveTags"/>
-                <tags-input name="removeTagsInput" ng-model="$dialog.params.removeTags" class="ti-input-sm"
-                    placeholder="Remove tags" replace-spaces-with-dashes="false" min-length="2"
-                    on-tag-added="$dialog.toggleRemoveTags()">
-                    <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
-                </tags-input>
+                <div class="input-group">
+                    <tags-input name="removeTagsInput" ng-model="$dialog.params.removeTags" class="ti-input-sm ti-tag-selector"
+                        placeholder="Remove tags" replace-spaces-with-dashes="false" min-length="2"
+                        on-tag-added="$dialog.toggleRemoveTags()" template="views/directives/tag-input-item.html">
+                        <auto-complete min-length="3" debounce-delay="400" source="$dialog.getTags($query)"></auto-complete>
+                    </tags-input>
+
+                    <span class="input-group-btn vtop">
+                        <button type="button" class="btn btn-block btn-sm btn-primary" ng-click="$dialog.fromTagLibrary('remove')" uib-tooltip="Add tag from library" tooltip-placement="left">
+                            <span class="fa fa-plus"></span>
+                        </button>
+                    </span>
+                </div>
             </div>
         </div>
+
     </div>
 
 
diff --git a/frontend/bower.json b/frontend/bower.json
index 4531f61020..458235d50e 100644
--- a/frontend/bower.json
+++ b/frontend/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "thehive",
-  "version": "4.0.5-1",
+  "version": "4.1.0-1",
   "license": "AGPL-3.0",
   "dependencies": {
     "jquery": "^3.4.1",
diff --git a/frontend/package.json b/frontend/package.json
index 1e768df322..d41920c98a 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
     "name": "thehive",
-    "version": "4.0.5-1",
+    "version": "4.1.0-1",
     "license": "AGPL-3.0",
     "repository": {
         "type": "git",
diff --git a/migration/src/main/resources/reference.conf b/migration/src/main/resources/reference.conf
index b890fa281c..b1f8f9e99a 100644
--- a/migration/src/main/resources/reference.conf
+++ b/migration/src/main/resources/reference.conf
@@ -38,6 +38,7 @@ input {
 }
 
 output {
+  caseNumberShift: 0
   removeData: false
   db {
     provider: janusgraph
diff --git a/migration/src/main/scala/org/thp/thehive/migration/Migrate.scala b/migration/src/main/scala/org/thp/thehive/migration/Migrate.scala
index 2e1b770131..f36146f9d8 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/Migrate.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/Migrate.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.migration
 
-import java.io.File
-
 import akka.actor.ActorSystem
 import akka.stream.Materializer
 import com.typesafe.config.{Config, ConfigFactory, ConfigValueFactory}
@@ -9,6 +7,7 @@ import play.api.libs.logback.LogbackLoggerConfigurator
 import play.api.{Configuration, Environment}
 import scopt.OParser
 
+import java.io.File
 import scala.collection.JavaConverters._
 import scala.concurrent.duration.{Duration, DurationInt}
 import scala.concurrent.{Await, ExecutionContext}
@@ -37,11 +36,11 @@ object Migrate extends App with MigrationOps {
         .text("global configuration file"),
       opt[File]('i', "input")
         .valueName("<file>")
-        .action((f, c) => addConfig(c, "input", ConfigFactory.parseFileAnySyntax(f).resolve().root()))
+        .action((f, c) => addConfig(c, "input", ConfigFactory.parseFileAnySyntax(f).resolve().root().withFallback(c.getConfig("input"))))
         .text("TheHive3 configuration file"),
       opt[File]('o', "output")
         .valueName("<file>")
-        .action((f, c) => addConfig(c, "output", ConfigFactory.parseFileAnySyntax(f).resolve().root()))
+        .action((f, c) => addConfig(c, "output", ConfigFactory.parseFileAnySyntax(f).resolve().root().withFallback(c.getConfig("output"))))
         .text("TheHive4 configuration file"),
       opt[Unit]('d', "drop-database")
         .action((_, c) => addConfig(c, "output.dropDatabase", true))
@@ -152,6 +151,9 @@ object Migrate extends App with MigrationOps {
       opt[Seq[String]]("exclude-audit-objectTypes")
         .text("don't migration audits with this objectType (case, case_artifact, case_task, ...)")
         .action((v, c) => addConfig(c, "input.filter.excludeAuditObjectTypes", v.asJava)),
+      opt[Int]("case-number-shift")
+        .text("transpose case number by adding this value")
+        .action((v, c) => addConfig(c, "output.caseNumberShift", v)),
       note("Accepted date formats are \"yyyyMMdd[HH[mm[ss]]]\" and \"MMdd\""),
       note(
         "The Format for duration is: <length> <unit>.\n" +
@@ -205,6 +207,9 @@ object Migrate extends App with MigrationOps {
       migrationStats.flush()
       logger.info(migrationStats.toString)
       System.exit(returnStatus)
-    } finally actorSystem.terminate()
+    } finally {
+      actorSystem.terminate()
+      ()
+    }
   }
 }
diff --git a/migration/src/main/scala/org/thp/thehive/migration/dto/InputAlert.scala b/migration/src/main/scala/org/thp/thehive/migration/dto/InputAlert.scala
index 1228b0cd48..7ab3dc1484 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/dto/InputAlert.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/dto/InputAlert.scala
@@ -7,7 +7,6 @@ case class InputAlert(
     alert: Alert,
     caseId: Option[String],
     organisation: String,
-    tags: Set[String],
     customFields: Map[String, Option[Any]],
     caseTemplate: Option[String]
 ) {
diff --git a/migration/src/main/scala/org/thp/thehive/migration/dto/InputCase.scala b/migration/src/main/scala/org/thp/thehive/migration/dto/InputCase.scala
index bb87636698..23b035b2cb 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/dto/InputCase.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/dto/InputCase.scala
@@ -4,12 +4,7 @@ import org.thp.thehive.models.Case
 
 case class InputCase(
     `case`: Case,
-    user: Option[String],
     organisations: Map[String, String],
-    tags: Set[String],
     customFields: Map[String, Option[Any]],
-    caseTemplate: Option[String],
-    resolutionStatus: Option[String],
-    impactStatus: Option[String],
     metaData: MetaData
 )
diff --git a/migration/src/main/scala/org/thp/thehive/migration/dto/InputCaseTemplate.scala b/migration/src/main/scala/org/thp/thehive/migration/dto/InputCaseTemplate.scala
index 76138e032c..684dd8950d 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/dto/InputCaseTemplate.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/dto/InputCaseTemplate.scala
@@ -7,6 +7,5 @@ case class InputCaseTemplate(
     metaData: MetaData,
     caseTemplate: CaseTemplate,
     organisation: String,
-    tags: Set[String],
     customFields: Seq[InputCustomFieldValue]
 )
diff --git a/migration/src/main/scala/org/thp/thehive/migration/dto/InputObservable.scala b/migration/src/main/scala/org/thp/thehive/migration/dto/InputObservable.scala
index 55975ec460..2fb3a179c4 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/dto/InputObservable.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/dto/InputObservable.scala
@@ -5,8 +5,6 @@ import org.thp.thehive.models.Observable
 case class InputObservable(
     metaData: MetaData,
     observable: Observable,
-    organisations: Seq[String],
-    `type`: String,
-    tags: Set[String],
+    organisations: Set[String],
     dataOrAttachment: Either[String, InputAttachment]
 )
diff --git a/migration/src/main/scala/org/thp/thehive/migration/dto/InputTask.scala b/migration/src/main/scala/org/thp/thehive/migration/dto/InputTask.scala
index b437ab7cd0..cfbba082de 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/dto/InputTask.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/dto/InputTask.scala
@@ -2,4 +2,4 @@ package org.thp.thehive.migration.dto
 
 import org.thp.thehive.models.Task
 
-case class InputTask(metaData: MetaData, task: Task, owner: Option[String], organisations: Seq[String])
+case class InputTask(metaData: MetaData, task: Task, owner: Option[String], organisations: Set[String])
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala
index af1545e564..1189893faf 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/Conversion.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.migration.th3
 
-import java.util.{Base64, Date}
-
 import akka.NotUsed
 import akka.stream.scaladsl.Source
 import akka.util.ByteString
@@ -14,6 +12,8 @@ import org.thp.thehive.models._
 import play.api.libs.functional.syntax._
 import play.api.libs.json._
 
+import java.util.{Base64, Date}
+
 case class Attachment(name: String, hashes: Seq[Hash], size: Long, contentType: String, id: String)
 trait Conversion {
 
@@ -63,7 +63,7 @@ trait Conversion {
       status      <- (json \ "status").validate[CaseStatus.Value]
       summary     <- (json \ "summary").validateOpt[String]
       user        <- (json \ "owner").validateOpt[String]
-      tags             = (json \ "tags").asOpt[Set[String]].getOrElse(Set.empty)
+      tags             = (json \ "tags").asOpt[Set[String]].getOrElse(Set.empty).filterNot(_.isEmpty)
       metrics          = (json \ "metrics").asOpt[JsObject].getOrElse(JsObject.empty)
       resolutionStatus = (json \ "resolutionStatus").asOpt[String]
       impactStatus     = (json \ "impactStatus").asOpt[String]
@@ -76,14 +76,27 @@ trait Conversion {
           name -> Some((value \ "string") orElse (value \ "boolean") orElse (value \ "number") orElse (value \ "date") getOrElse JsNull)
       }
     } yield InputCase(
-      Case(number, title, description, severity, startDate, endDate, flag, tlp, pap, status, summary),
-      user.map(normaliseLogin),
+      Case(
+        title = title,
+        description = description,
+        severity = severity,
+        startDate = startDate,
+        endDate = endDate,
+        flag = flag,
+        tlp = tlp,
+        pap = pap,
+        status = status,
+        summary = summary,
+        tags = tags.toSeq,
+        number = number,
+        organisationIds = Set.empty,
+        assignee = user.map(normaliseLogin),
+        impactStatus = impactStatus,
+        resolutionStatus = resolutionStatus,
+        caseTemplate = None
+      ), // organisation Ids are filled by output
       Map(mainOrganisation -> Profile.orgAdmin.name),
-      tags,
       (metricsValue ++ customFieldsValue).toMap,
-      None,
-      resolutionStatus,
-      impactStatus,
       metaData
     )
   }
@@ -108,10 +121,16 @@ trait Conversion {
           )
     } yield InputObservable(
       metaData,
-      Observable(message, tlp, ioc, sighted, None),
-      Seq(mainOrganisation),
-      dataType,
-      tags,
+      Observable(
+        message = message,
+        tlp = tlp,
+        ioc = ioc,
+        sighted = sighted,
+        ignoreSimilarity = None,
+        dataType = dataType,
+        tags = tags.toSeq
+      ),
+      Set(mainOrganisation),
       dataOrAttachment
     )
   }
@@ -132,18 +151,19 @@ trait Conversion {
     } yield InputTask(
       metaData,
       Task(
-        title,
-        group,
-        description,
-        status: TaskStatus.Value,
-        flag: Boolean,
-        startDate: Option[Date],
-        endDate: Option[Date],
-        order: Int,
-        dueDate: Option[Date]
+        title = title,
+        group = group,
+        description = description,
+        status = status,
+        flag = flag,
+        startDate = startDate,
+        endDate = endDate,
+        order = order,
+        dueDate = dueDate,
+        assignee = owner.map(normaliseLogin)
       ),
       owner.map(normaliseLogin),
-      Seq(mainOrganisation)
+      Set(mainOrganisation)
     )
   }
 
@@ -152,12 +172,11 @@ trait Conversion {
       metaData <- json.validate[MetaData]
       message  <- (json \ "message").validate[String]
       date     <- (json \ "startDate").validate[Date]
-      deleted = (json \ "status").asOpt[String].contains("Deleted")
       attachment =
         (json \ "attachment")
           .asOpt[Attachment]
           .map(a => InputAttachment(a.name, a.size, a.contentType, a.hashes.map(_.toString), readAttachment(a.id)))
-    } yield InputLog(metaData, Log(message, date, deleted), attachment.toSeq)
+    } yield InputLog(metaData, Log(message, date), attachment.toSeq)
   }
 
   implicit val alertReads: Reads[InputAlert] = Reads[InputAlert] { json =>
@@ -178,7 +197,7 @@ trait Conversion {
       read = status == "Ignored" || status == "Imported"
       follow <- (json \ "follow").validate[Boolean]
       caseId <- (json \ "case").validateOpt[String]
-      tags         = (json \ "tags").asOpt[Set[String]].getOrElse(Set.empty)
+      tags         = (json \ "tags").asOpt[Set[String]].getOrElse(Set.empty).filterNot(_.isEmpty)
       customFields = (json \ "metrics").asOpt[JsObject].getOrElse(JsObject.empty)
       customFieldsValue = customFields.value.map {
         case (name, value) =>
@@ -188,23 +207,23 @@ trait Conversion {
     } yield InputAlert(
       metaData: MetaData,
       Alert(
-        tpe,
-        source,
-        sourceRef,
-        externalLink,
-        title,
-        description,
-        severity,
-        date,
-        lastSyncDate,
-        tlp,
-        pap.getOrElse(2),
-        read,
-        follow
+        `type` = tpe,
+        source = source,
+        sourceRef = sourceRef,
+        externalLink = externalLink,
+        title = title,
+        description = description,
+        severity = severity,
+        date = date,
+        lastSyncDate = lastSyncDate,
+        tlp = tlp,
+        pap = pap.getOrElse(2),
+        read = read,
+        follow = follow,
+        tags = tags.toSeq
       ),
       caseId,
       mainOrganisation,
-      tags,
       customFieldsValue.toMap,
       caseTemplate: Option[String]
     )
@@ -229,10 +248,16 @@ trait Conversion {
             )
       } yield InputObservable(
         metaData,
-        Observable(message, tlp.getOrElse(2), ioc.getOrElse(false), sighted = false, ignoreSimilarity = None),
-        Nil,
-        dataType,
-        tags,
+        Observable(
+          message = message,
+          tlp = tlp.getOrElse(2),
+          ioc = ioc.getOrElse(false),
+          sighted = false,
+          ignoreSimilarity = None,
+          dataType = dataType,
+          tags = tags.toSeq
+        ),
+        Set(mainOrganisation),
         dataOrAttachment
       )
 
@@ -352,18 +377,18 @@ trait Conversion {
     } yield InputCaseTemplate(
       metaData,
       CaseTemplate(
-        name,
-        displayName,
-        titlePrefix,
-        description,
-        severity,
-        flag,
-        tlp,
-        pap,
-        summary
+        name = name,
+        displayName = displayName,
+        titlePrefix = titlePrefix,
+        description = description,
+        tags = tags.toSeq,
+        severity = severity,
+        flag = flag,
+        tlp = tlp,
+        pap = pap,
+        summary = summary
       ),
       mainOrganisation,
-      tags,
       (metricsValue ++ customFieldsValue).toSeq
     )
   }
@@ -384,18 +409,19 @@ trait Conversion {
       } yield InputTask(
         metaData,
         Task(
-          title,
-          group.getOrElse("default"),
-          description,
-          status.getOrElse(TaskStatus.Waiting),
-          flag.getOrElse(false),
-          startDate,
-          endDate,
-          order.getOrElse(1),
-          dueDate
+          title = title,
+          group = group.getOrElse("default"),
+          description = description,
+          status = status.getOrElse(TaskStatus.Waiting),
+          flag = flag.getOrElse(false),
+          startDate = startDate,
+          endDate = endDate,
+          order = order.getOrElse(1),
+          dueDate = dueDate,
+          assignee = owner.map(normaliseLogin)
         ),
         owner.map(normaliseLogin),
-        Seq(mainOrganisation)
+        Set(mainOrganisation)
       )
     }
 
@@ -448,10 +474,16 @@ trait Conversion {
           )
       } yield InputObservable(
         metaData,
-        Observable(message, tlp, ioc, sighted, ignoreSimilarity = None),
-        Seq(mainOrganisation),
-        dataType,
-        tags,
+        Observable(
+          message = message,
+          tlp = tlp,
+          ioc = ioc,
+          sighted = sighted,
+          ignoreSimilarity = None,
+          dataType = dataType,
+          tags = tags.toSeq
+        ),
+        Set(mainOrganisation),
         dataOrAttachment
       )
     }
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/DBConfiguration.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/DBConfiguration.scala
index 315df391b3..27ef1bea17 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/DBConfiguration.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/DBConfiguration.scala
@@ -1,19 +1,15 @@
 package org.thp.thehive.migration.th3
 
-import java.nio.file.{Files, Paths}
-import java.security.KeyStore
-
 import akka.NotUsed
 import akka.actor.ActorSystem
 import akka.stream.scaladsl.{Sink, Source}
-import com.sksamuel.elastic4s.http._
-import com.sksamuel.elastic4s.http.bulk.BulkResponseItem
-import com.sksamuel.elastic4s.http.search.SearchHit
-import com.sksamuel.elastic4s.searches._
+import com.sksamuel.elastic4s.ElasticDsl._
+import com.sksamuel.elastic4s._
+import com.sksamuel.elastic4s.http.JavaClient
+import com.sksamuel.elastic4s.requests.bulk.BulkResponseItem
+import com.sksamuel.elastic4s.requests.searches.{SearchHit, SearchRequest}
 import com.sksamuel.elastic4s.streams.ReactiveElastic.ReactiveElastic
 import com.sksamuel.elastic4s.streams.{RequestBuilder, ResponseListener}
-import javax.inject.{Inject, Named, Singleton}
-import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
 import org.apache.http.auth.{AuthScope, UsernamePasswordCredentials}
 import org.apache.http.client.CredentialsProvider
 import org.apache.http.client.config.RequestConfig
@@ -25,9 +21,13 @@ import play.api.inject.ApplicationLifecycle
 import play.api.libs.json.JsObject
 import play.api.{Configuration, Logger}
 
+import java.nio.file.{Files, Paths}
+import java.security.KeyStore
+import javax.inject.{Inject, Singleton}
+import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
 import scala.collection.JavaConverters._
 import scala.concurrent.duration.DurationInt
-import scala.concurrent.{ExecutionContext, Future, Promise}
+import scala.concurrent.{Await, ExecutionContext, Future, Promise}
 
 /**
   * This class is a wrapper of ElasticSearch client from Elastic4s
@@ -38,30 +38,30 @@ import scala.concurrent.{ExecutionContext, Future, Promise}
 class DBConfiguration @Inject() (
     config: Configuration,
     lifecycle: ApplicationLifecycle,
-    @Named("databaseVersion") val version: Int,
-    implicit val ec: ExecutionContext,
     implicit val actorSystem: ActorSystem
 ) {
   private[DBConfiguration] lazy val logger = Logger(getClass)
-
-  def requestConfigCallback: RequestConfigCallback = (requestConfigBuilder: RequestConfig.Builder) => {
-    requestConfigBuilder.setAuthenticationEnabled(credentialsProviderMaybe.isDefined)
-    config.getOptional[Boolean]("search.circularRedirectsAllowed").foreach(requestConfigBuilder.setCircularRedirectsAllowed)
-    config.getOptional[Int]("search.connectionRequestTimeout").foreach(requestConfigBuilder.setConnectionRequestTimeout)
-    config.getOptional[Int]("search.connectTimeout").foreach(requestConfigBuilder.setConnectTimeout)
-    config.getOptional[Boolean]("search.contentCompressionEnabled").foreach(requestConfigBuilder.setContentCompressionEnabled)
-    config.getOptional[String]("search.cookieSpec").foreach(requestConfigBuilder.setCookieSpec)
-    config.getOptional[Boolean]("search.expectContinueEnabled").foreach(requestConfigBuilder.setExpectContinueEnabled)
-    //    config.getOptional[InetAddress]("search.localAddress").foreach(requestConfigBuilder.setLocalAddress)
-    config.getOptional[Int]("search.maxRedirects").foreach(requestConfigBuilder.setMaxRedirects)
-    //    config.getOptional[Boolean]("search.proxy").foreach(requestConfigBuilder.setProxy)
-    config.getOptional[Seq[String]]("search.proxyPreferredAuthSchemes").foreach(v => requestConfigBuilder.setProxyPreferredAuthSchemes(v.asJava))
-    config.getOptional[Boolean]("search.redirectsEnabled").foreach(requestConfigBuilder.setRedirectsEnabled)
-    config.getOptional[Boolean]("search.relativeRedirectsAllowed").foreach(requestConfigBuilder.setRelativeRedirectsAllowed)
-    config.getOptional[Int]("search.socketTimeout").foreach(requestConfigBuilder.setSocketTimeout)
-    config.getOptional[Seq[String]]("search.targetPreferredAuthSchemes").foreach(v => requestConfigBuilder.setTargetPreferredAuthSchemes(v.asJava))
-    requestConfigBuilder
-  }
+  implicit val ec: ExecutionContext        = actorSystem.dispatcher
+
+  def requestConfigCallback: RequestConfigCallback =
+    (requestConfigBuilder: RequestConfig.Builder) => {
+      requestConfigBuilder.setAuthenticationEnabled(credentialsProviderMaybe.isDefined)
+      config.getOptional[Boolean]("search.circularRedirectsAllowed").foreach(requestConfigBuilder.setCircularRedirectsAllowed)
+      config.getOptional[Int]("search.connectionRequestTimeout").foreach(requestConfigBuilder.setConnectionRequestTimeout)
+      config.getOptional[Int]("search.connectTimeout").foreach(requestConfigBuilder.setConnectTimeout)
+      config.getOptional[Boolean]("search.contentCompressionEnabled").foreach(requestConfigBuilder.setContentCompressionEnabled)
+      config.getOptional[String]("search.cookieSpec").foreach(requestConfigBuilder.setCookieSpec)
+      config.getOptional[Boolean]("search.expectContinueEnabled").foreach(requestConfigBuilder.setExpectContinueEnabled)
+      //    config.getOptional[InetAddress]("search.localAddress").foreach(requestConfigBuilder.setLocalAddress)
+      config.getOptional[Int]("search.maxRedirects").foreach(requestConfigBuilder.setMaxRedirects)
+      //    config.getOptional[Boolean]("search.proxy").foreach(requestConfigBuilder.setProxy)
+      config.getOptional[Seq[String]]("search.proxyPreferredAuthSchemes").foreach(v => requestConfigBuilder.setProxyPreferredAuthSchemes(v.asJava))
+      config.getOptional[Boolean]("search.redirectsEnabled").foreach(requestConfigBuilder.setRedirectsEnabled)
+      config.getOptional[Boolean]("search.relativeRedirectsAllowed").foreach(requestConfigBuilder.setRelativeRedirectsAllowed)
+      config.getOptional[Int]("search.socketTimeout").foreach(requestConfigBuilder.setSocketTimeout)
+      config.getOptional[Seq[String]]("search.targetPreferredAuthSchemes").foreach(v => requestConfigBuilder.setTargetPreferredAuthSchemes(v.asJava))
+      requestConfigBuilder
+    }
 
   lazy val credentialsProviderMaybe: Option[CredentialsProvider] =
     for {
@@ -86,9 +86,7 @@ class DBConfiguration @Inject() (
         val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
         kmf.init(keyStore, keyStorePassword)
         kmf.getKeyManagers
-      } finally {
-        keyInputStream.close()
-      }
+      } finally keyInputStream.close()
 
     val trustManagers = config
       .getOptional[String]("search.trustStore.path")
@@ -102,9 +100,7 @@ class DBConfiguration @Inject() (
           val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
           tmf.init(keyStore)
           tmf.getTrustManagers
-        } finally {
-          trustInputStream.close()
-        }
+        } finally trustInputStream.close()
       }
       .getOrElse(Array.empty)
 
@@ -114,27 +110,29 @@ class DBConfiguration @Inject() (
     sslContext
   }
 
-  def httpClientConfig: HttpClientConfigCallback = (httpClientBuilder: HttpAsyncClientBuilder) => {
-    sslContextMaybe.foreach(httpClientBuilder.setSSLContext)
-    credentialsProviderMaybe.foreach(httpClientBuilder.setDefaultCredentialsProvider)
-    httpClientBuilder
-  }
+  def httpClientConfig: HttpClientConfigCallback =
+    (httpClientBuilder: HttpAsyncClientBuilder) => {
+      sslContextMaybe.foreach(httpClientBuilder.setSSLContext)
+      credentialsProviderMaybe.foreach(httpClientBuilder.setDefaultCredentialsProvider)
+      httpClientBuilder
+    }
 
   /**
     * Underlying ElasticSearch client
     */
-  val client: ElasticClient = ElasticClient(ElasticProperties(config.get[String]("search.uri")), requestConfigCallback, httpClientConfig)
+  private val props  = ElasticProperties(config.get[String]("search.uri"))
+  private val client = ElasticClient(JavaClient(props, requestConfigCallback, httpClientConfig))
+
   // when application close, close also ElasticSearch connection
   lifecycle.addStopHook { () =>
-    Future {
-      client.close()
-    }
+    client.close()
+    Future.successful(())
   }
 
-  def execute[T, U](t: T)(
-      implicit
+  def execute[T, U](t: T)(implicit
       handler: Handler[T, U],
-      manifest: Manifest[U]
+      manifest: Manifest[U],
+      ec: ExecutionContext
   ): Future[U] = {
     logger.debug(s"Elasticsearch request: ${client.show(t)}")
     client.execute(t).flatMap {
@@ -157,7 +155,8 @@ class DBConfiguration @Inject() (
   /**
     * Creates a Source (akka stream) from the result of the search
     */
-  def source(searchRequest: SearchRequest): Source[SearchHit, NotUsed] = Source.fromPublisher(client.publisher(searchRequest))
+  def source(searchRequest: SearchRequest): Source[SearchHit, NotUsed] =
+    Source.fromPublisher(client.publisher(searchRequest))
 
   /**
     * Create a Sink (akka stream) that create entity in ElasticSearch
@@ -200,14 +199,18 @@ class DBConfiguration @Inject() (
       }
   }
 
-  /**
-    * Name of the index, suffixed by the current version
-    */
-  val indexName: String = config.get[String]("search.index") + "_" + version
+  private def exists(indexName: String): Boolean =
+    Await.result(execute(indexExists(indexName)), 20.seconds).isExists
 
   /**
-    * return a new instance of DBConfiguration that points to the previous version of the index schema
+    * Name of the index, suffixed by the current version
     */
-  def previousVersion: DBConfiguration =
-    new DBConfiguration(config, lifecycle, version - 1, ec, actorSystem)
+  lazy val indexName: String = {
+    val indexBaseName = config.get[String]("search.index")
+    val index_3_5_1   = indexBaseName + "_16"
+    val index_3_5_0   = indexBaseName + "_15"
+    if (exists(index_3_5_1)) index_3_5_1
+    else if (exists(index_3_5_0)) index_3_5_0
+    else ???
+  }
 }
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/DBFind.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/DBFind.scala
index d3de9d4ee2..3b0b414e1e 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/DBFind.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/DBFind.scala
@@ -4,14 +4,14 @@ import akka.NotUsed
 import akka.stream.scaladsl.Source
 import akka.stream.stage.{AsyncCallback, GraphStage, GraphStageLogic, OutHandler}
 import akka.stream.{Attributes, Materializer, Outlet, SourceShape}
-import com.sksamuel.elastic4s.http.ElasticDsl._
-import com.sksamuel.elastic4s.http.search.{SearchHit, SearchResponse}
-import com.sksamuel.elastic4s.searches.SearchRequest
-import javax.inject.{Inject, Singleton}
+import com.sksamuel.elastic4s.ElasticDsl._
+import com.sksamuel.elastic4s.requests.searches.{SearchHit, SearchRequest, SearchResponse}
+import com.sksamuel.elastic4s.{ElasticRequest, Show}
 import org.thp.scalligraph.{InternalError, SearchError}
 import play.api.libs.json._
 import play.api.{Configuration, Logger}
 
+import javax.inject.{Inject, Singleton}
 import scala.collection.mutable
 import scala.concurrent.duration.{DurationLong, FiniteDuration}
 import scala.concurrent.{ExecutionContext, Future}
@@ -75,6 +75,9 @@ class DBFind(pageSize: Int, keepAlive: FiniteDuration, db: DBConfiguration, impl
     (src, total)
   }
 
+  def showQuery(request: SearchRequest): String =
+    Show[ElasticRequest].show(SearchHandler.build(request))
+
   /**
     * Search entities in ElasticSearch
     *
@@ -87,10 +90,10 @@ class DBFind(pageSize: Int, keepAlive: FiniteDuration, db: DBConfiguration, impl
   def apply(range: Option[String], sortBy: Seq[String])(query: String => SearchRequest): (Source[JsObject, NotUsed], Future[Long]) = {
     val (offset, limit) = getOffsetAndLimitFromRange(range)
     val sortDef         = DBUtils.sortDefinition(sortBy)
-    val searchRequest   = query(db.indexName).start(offset).sortBy(sortDef).version(true)
+    val searchRequest   = query(db.indexName).start(offset).sortBy(sortDef).seqNoPrimaryTerm(true)
 
     logger.debug(
-      s"search in ${searchRequest.indexesTypes.indexes.mkString(",")} / ${searchRequest.indexesTypes.types.mkString(",")} ${db.client.show(searchRequest)}"
+      s"search in ${searchRequest.indexes.values.mkString(",")} ${showQuery(searchRequest)}"
     )
     val (src, total) =
       if (limit > 2 * pageSize)
@@ -108,7 +111,7 @@ class DBFind(pageSize: Int, keepAlive: FiniteDuration, db: DBConfiguration, impl
   def apply(query: String => SearchRequest): Future[SearchResponse] = {
     val searchRequest = query(db.indexName)
     logger.debug(
-      s"search in ${searchRequest.indexesTypes.indexes.mkString(",")} / ${searchRequest.indexesTypes.types.mkString(",")} ${db.client.show(searchRequest)}"
+      s"search in ${searchRequest.indexes.values.mkString(",")} ${showQuery(searchRequest)}"
     )
 
     db.execute(searchRequest)
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/DBGet.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/DBGet.scala
index 7994058184..44a4fe76f6 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/DBGet.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/DBGet.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.migration.th3
 
-import com.sksamuel.elastic4s.http.ElasticDsl._
-import javax.inject.{Inject, Singleton}
+import com.sksamuel.elastic4s.ElasticDsl._
 import org.thp.scalligraph.NotFoundError
 import play.api.libs.json.JsObject
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 
 @Singleton
@@ -23,7 +23,7 @@ class DBGet @Inject() (db: DBConfiguration, implicit val ec: ExecutionContext) {
       search(db.indexName)
         .query(idsQuery(id) /*.types(modelName)*/ )
         .size(1)
-        .version(true)
+        .seqNoPrimaryTerm(true)
     }.map { searchResponse =>
       searchResponse
         .hits
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/DBUtils.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/DBUtils.scala
index 7f88364e52..b3ea19efc7 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/DBUtils.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/DBUtils.scala
@@ -1,9 +1,8 @@
 package org.thp.thehive.migration.th3
 
-import com.sksamuel.elastic4s.http.ElasticDsl.fieldSort
-import com.sksamuel.elastic4s.http.search.SearchHit
-import com.sksamuel.elastic4s.searches.sort.Sort
-import com.sksamuel.elastic4s.searches.sort.SortOrder.{ASC, DESC}
+import com.sksamuel.elastic4s.ElasticDsl.fieldSort
+import com.sksamuel.elastic4s.requests.searches.SearchHit
+import com.sksamuel.elastic4s.requests.searches.sort.{Sort, SortOrder}
 import play.api.libs.json._
 
 import scala.collection.IterableLike
@@ -29,9 +28,9 @@ object DBUtils {
   def sortDefinition(sortBy: Seq[String]): Seq[Sort] = {
     val byFieldList: Seq[(String, Sort)] = sortBy
       .map {
-        case f if f.startsWith("+") => f.drop(1) -> fieldSort(f.drop(1)).order(ASC)
-        case f if f.startsWith("-") => f.drop(1) -> fieldSort(f.drop(1)).order(DESC)
-        case f if f.length() > 0    => f         -> fieldSort(f)
+        case f if f.startsWith("+") => f.drop(1) -> fieldSort(f.drop(1)).order(SortOrder.ASC)
+        case f if f.startsWith("-") => f.drop(1) -> fieldSort(f.drop(1)).order(SortOrder.DESC)
+        case f if f.nonEmpty        => f         -> fieldSort(f)
       }
     // then remove duplicates
     // Same as : val fieldSortDefs = byFieldList.groupBy(_._1).map(_._2.head).values.toSeq
@@ -50,10 +49,10 @@ object DBUtils {
       case None    => JsNull -> (body \ "relations").as[JsString]
     }
     body - "relations" +
-      ("_type"    -> model) +
-      ("_routing" -> hit.routing.fold(id)(JsString.apply)) +
-      ("_parent"  -> parent) +
-      ("_id"      -> id) +
-      ("_version" -> JsNumber(hit.version))
+      ("_type"        -> model) +
+      ("_routing"     -> hit.routing.fold(id)(JsString.apply)) +
+      ("_parent"      -> parent) +
+      ("_id"          -> id) +
+      ("_primaryTerm" -> JsNumber(hit.primaryTerm))
   }
 }
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th3/Input.scala b/migration/src/main/scala/org/thp/thehive/migration/th3/Input.scala
index c6ce3faca7..dee7d2b14d 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th3/Input.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th3/Input.scala
@@ -1,17 +1,14 @@
 package org.thp.thehive.migration.th3
 
-import java.util.{Base64, Date}
-
 import akka.NotUsed
 import akka.actor.ActorSystem
 import akka.stream.Materializer
 import akka.stream.scaladsl.Source
 import akka.util.ByteString
 import com.google.inject.Guice
-import com.sksamuel.elastic4s.http.ElasticDsl._
-import com.sksamuel.elastic4s.searches.queries.RangeQuery
-import com.sksamuel.elastic4s.searches.queries.term.TermsQuery
-import javax.inject.{Inject, Singleton}
+import com.sksamuel.elastic4s.ElasticDsl._
+import com.sksamuel.elastic4s.requests.searches.queries.{Query, RangeQuery}
+import com.sksamuel.elastic4s.requests.searches.queries.term.TermsQuery
 import net.codingwell.scalaguice.ScalaModule
 import org.thp.thehive.migration
 import org.thp.thehive.migration.Filter
@@ -21,6 +18,8 @@ import play.api.inject.{ApplicationLifecycle, DefaultApplicationLifecycle}
 import play.api.libs.json._
 import play.api.{Configuration, Logger}
 
+import java.util.{Base64, Date}
+import javax.inject.{Inject, Singleton}
 import scala.collection.immutable
 import scala.concurrent.{ExecutionContext, Future}
 import scala.reflect.{classTag, ClassTag}
@@ -37,7 +36,6 @@ object Input {
           bind[Materializer].toInstance(Materializer(actorSystem))
           bind[ExecutionContext].toInstance(actorSystem.dispatcher)
           bind[ApplicationLifecycle].to[DefaultApplicationLifecycle]
-          bind[Int].annotatedWithName("databaseVersion").toInstance(15)
         }
       })
       .getInstance(classOf[Input])
@@ -223,44 +221,18 @@ class Input @Inject() (configuration: Configuration, dbFind: DBFind, dbGet: DBGe
     )._2
 
   override def listCaseTaskLogs(filter: Filter): Source[Try[(String, InputLog)], NotUsed] =
-    dbFind(Some("all"), Nil)(indexName =>
-      search(indexName).query(
-        bool(
-          Seq(
-            termQuery("relations", "case_task_log"),
-            hasParentQuery(
-              "case_task",
-              hasParentQuery("case", bool(caseFilter(filter), Nil, Nil), score = false),
-              score = false
-            )
-          ),
-          Nil,
-          Nil
-        )
-      )
-    )._1
-      .readWithParent[InputLog](json => Try((json \ "_parent").as[String]))
+    listCaseTaskLogs(bool(caseFilter(filter), Nil, Nil))
 
   override def countCaseTaskLogs(filter: Filter): Future[Long] =
-    dbFind(Some("0-0"), Nil)(indexName =>
-      search(indexName)
-        .query(
-          bool(
-            Seq(
-              termQuery("relations", "case_task_log"),
-              hasParentQuery(
-                "case_task",
-                hasParentQuery("case", bool(caseFilter(filter), Nil, Nil), score = false),
-                score = false
-              )
-            ),
-            Nil,
-            Nil
-          )
-        )
-    )._2
+    countCaseTaskLogs(bool(caseFilter(filter), Nil, Nil))
 
   override def listCaseTaskLogs(caseId: String): Source[Try[(String, InputLog)], NotUsed] =
+    listCaseTaskLogs(idsQuery(caseId))
+
+  override def countCaseTaskLogs(caseId: String): Future[Long] =
+    countCaseTaskLogs(idsQuery(caseId))
+
+  private def listCaseTaskLogs(query: Query): Source[Try[(String, InputLog)], NotUsed] =
     dbFind(Some("all"), Nil)(indexName =>
       search(indexName).query(
         bool(
@@ -268,18 +240,18 @@ class Input @Inject() (configuration: Configuration, dbFind: DBFind, dbGet: DBGe
             termQuery("relations", "case_task_log"),
             hasParentQuery(
               "case_task",
-              hasParentQuery("case", idsQuery(caseId), score = false),
+              hasParentQuery("case", query, score = false),
               score = false
             )
           ),
           Nil,
-          Nil
+          Seq(termQuery("status", "deleted"))
         )
       )
     )._1
       .readWithParent[InputLog](json => Try((json \ "_parent").as[String]))
 
-  override def countCaseTaskLogs(caseId: String): Future[Long] =
+  private def countCaseTaskLogs(query: Query): Future[Long] =
     dbFind(Some("0-0"), Nil)(indexName =>
       search(indexName)
         .query(
@@ -288,12 +260,12 @@ class Input @Inject() (configuration: Configuration, dbFind: DBFind, dbGet: DBGe
               termQuery("relations", "case_task_log"),
               hasParentQuery(
                 "case_task",
-                hasParentQuery("case", idsQuery(caseId), score = false),
+                hasParentQuery("case", query, score = false),
                 score = false
               )
             ),
             Nil,
-            Nil
+            Seq(termQuery("status", "deleted"))
           )
         )
     )._2
@@ -459,8 +431,8 @@ class Input @Inject() (configuration: Configuration, dbFind: DBFind, dbGet: DBGe
       .map { json =>
         for {
           metaData  <- json.validate[MetaData]
-          tasksJson <- (json \ "tasks").validate[Seq[JsValue]]
-        } yield (metaData, tasksJson)
+          tasksJson <- (json \ "tasks").validateOpt[Seq[JsValue]]
+        } yield (metaData, tasksJson.getOrElse(Nil))
       }
       .mapConcat {
         case JsSuccess(x, _) => List(x)
@@ -482,7 +454,7 @@ class Input @Inject() (configuration: Configuration, dbFind: DBFind, dbGet: DBGe
         dbGet("caseTemplate", caseTemplateId)
           .map { json =>
             val metaData = json.as[MetaData]
-            val tasks    = (json \ "tasks").as(Reads.seq(caseTemplateTaskReads(metaData)))
+            val tasks    = (json \ "tasks").asOpt(Reads.seq(caseTemplateTaskReads(metaData))).getOrElse(Nil)
             Source(tasks.to[immutable.Iterable].map(t => Success(caseTemplateId -> t)))
           }
           .recover {
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th4/JanusDatabaseProvider.scala b/migration/src/main/scala/org/thp/thehive/migration/th4/JanusDatabaseProvider.scala
new file mode 100644
index 0000000000..ef5e9b898b
--- /dev/null
+++ b/migration/src/main/scala/org/thp/thehive/migration/th4/JanusDatabaseProvider.scala
@@ -0,0 +1,40 @@
+package org.thp.thehive.migration.th4
+
+import akka.actor.ActorSystem
+import org.janusgraph.core.JanusGraph
+import org.thp.scalligraph.SingleInstance
+import org.thp.scalligraph.janus.JanusDatabase
+import org.thp.scalligraph.models.{Database, UpdatableSchema}
+import play.api.Configuration
+
+import javax.inject.{Inject, Provider, Singleton}
+import scala.collection.JavaConverters._
+import scala.collection.immutable
+
+@Singleton
+class JanusDatabaseProvider @Inject() (configuration: Configuration, system: ActorSystem, schemas: immutable.Set[UpdatableSchema])
+    extends Provider[Database] {
+
+  def dropOtherConnections(db: JanusGraph): Unit = {
+    val mgmt = db.openManagement()
+    mgmt
+      .getOpenInstances
+      .asScala
+      .filterNot(_.endsWith("(current)"))
+      .foreach(mgmt.forceCloseInstance)
+    mgmt.commit()
+  }
+
+  override lazy val get: Database = {
+    val janusDatabase = JanusDatabase.openDatabase(configuration, system)
+    dropOtherConnections(janusDatabase)
+    val db = new JanusDatabase(
+      janusDatabase,
+      configuration,
+      system,
+      new SingleInstance(true)
+    )
+    schemas.toTry(schema => schema.update(db)).get
+    db
+  }
+}
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th4/NoAuditSrv.scala b/migration/src/main/scala/org/thp/thehive/migration/th4/NoAuditSrv.scala
index 0ec7681f11..95dd205bb8 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th4/NoAuditSrv.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th4/NoAuditSrv.scala
@@ -2,26 +2,26 @@ package org.thp.thehive.migration.th4
 
 import akka.actor.ActorRef
 import com.google.inject.name.Named
-import javax.inject.{Inject, Provider, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.EventSrv
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.Audit
 import org.thp.thehive.services.{AuditSrv, UserSrv}
 
+import javax.inject.{Inject, Provider, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
 class NoAuditSrv @Inject() (
     userSrvProvider: Provider[UserSrv],
     @Named("notification-actor") notificationActor: ActorRef,
-    eventSrv: EventSrv
-)(implicit @Named("with-thehive-schema") db: Database)
-    extends AuditSrv(userSrvProvider, notificationActor, eventSrv)(db) {
+    eventSrv: EventSrv,
+    db: Database
+) extends AuditSrv(userSrvProvider, notificationActor, eventSrv, db) {
 
-  override def create(audit: Audit, context: Option[Product with Entity], `object`: Option[Product with Entity])(
-      implicit graph: Graph,
+  override def create(audit: Audit, context: Product with Entity, `object`: Option[Product with Entity])(implicit
+      graph: Graph,
       authContext: AuthContext
   ): Try[Unit] =
     Success(())
diff --git a/migration/src/main/scala/org/thp/thehive/migration/th4/Output.scala b/migration/src/main/scala/org/thp/thehive/migration/th4/Output.scala
index d6575d9963..c1cc76b06b 100644
--- a/migration/src/main/scala/org/thp/thehive/migration/th4/Output.scala
+++ b/migration/src/main/scala/org/thp/thehive/migration/th4/Output.scala
@@ -1,42 +1,41 @@
 package org.thp.thehive.migration.th4
 
 import akka.actor.ActorSystem
+import akka.actor.typed.Scheduler
 import akka.stream.Materializer
-import com.google.inject.Guice
-import javax.inject.{Inject, Named, Provider, Singleton}
-import net.codingwell.scalaguice.ScalaModule
+import com.google.inject.{Guice, Injector => GInjector}
+import net.codingwell.scalaguice.{ScalaModule, ScalaMultibinder}
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.Graph
+import org.janusgraph.core.schema.{SchemaStatus => JanusSchemaStatus}
 import org.thp.scalligraph._
 import org.thp.scalligraph.auth.{AuthContext, AuthContextImpl, UserSrv => UserDB}
 import org.thp.scalligraph.janus.JanusDatabase
-import org.thp.scalligraph.models.{Database, Entity, Schema, UMapping}
+import org.thp.scalligraph.models._
 import org.thp.scalligraph.services._
-import org.thp.scalligraph.traversal.Traversal
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.connector.cortex.models.{CortexSchemaDefinition, TheHiveCortexSchemaProvider}
 import org.thp.thehive.connector.cortex.services.{ActionSrv, JobSrv}
 import org.thp.thehive.dto.v1.InputCustomFieldValue
-import org.thp.thehive.migration
 import org.thp.thehive.migration.IdMapping
 import org.thp.thehive.migration.dto._
 import org.thp.thehive.models._
 import org.thp.thehive.services._
-import play.api.cache.SyncCacheApi
+import org.thp.thehive.{migration, ClusterSetup}
 import play.api.cache.ehcache.EhCacheModule
 import play.api.inject.guice.GuiceInjector
 import play.api.inject.{ApplicationLifecycle, DefaultApplicationLifecycle, Injector}
-import play.api.libs.concurrent.AkkaGuiceSupport
+import play.api.libs.concurrent.{AkkaGuiceSupport, AkkaSchedulerProvider}
 import play.api.{Configuration, Environment, Logger}
 
+import javax.inject.{Inject, Provider, Singleton}
 import scala.collection.JavaConverters._
 import scala.concurrent.ExecutionContext
 import scala.util.{Failure, Success, Try}
-import org.thp.thehive.controllers.v1.Conversion._
 
 object Output {
 
-  private def buildApp(configuration: Configuration)(implicit actorSystem: ActorSystem) =
+  private def buildApp(configuration: Configuration)(implicit actorSystem: ActorSystem): GInjector =
     Guice
       .createInjector(
         (play.api.inject.guice.GuiceableModule.guiceable(new EhCacheModule).guiced(Environment.simple(), configuration, Set.empty) :+
@@ -44,6 +43,7 @@ object Output {
             override def configure(): Unit = {
               bind[Configuration].toInstance(configuration)
               bind[ActorSystem].toInstance(actorSystem)
+              bind[Scheduler].toProvider[AkkaSchedulerProvider]
               bind[Materializer].toInstance(Materializer(actorSystem))
               bind[ExecutionContext].toInstance(actorSystem.dispatcher)
               bind[Injector].to[GuiceInjector]
@@ -53,11 +53,13 @@ object Output {
               bindActor[DummyActor]("cortex-actor")
               bindActor[DummyActor]("integrity-check-actor")
 
+              val schemaBindings = ScalaMultibinder.newSetBinder[UpdatableSchema](binder)
+              schemaBindings.addBinding.to[TheHiveSchemaDefinition]
+              schemaBindings.addBinding.to[CortexSchemaDefinition]
+              bind[SingleInstance].toInstance(new SingleInstance(true))
+
               bind[AuditSrv].to[NoAuditSrv]
-              bind[Database].to[JanusDatabase]
-              bind[Database].annotatedWithName("with-thehive-schema").toProvider[BasicDatabaseProvider]
-              bind[Database].annotatedWithName("with-thehive-cortex-schema").toProvider[BasicDatabaseProvider]
-              bind[Configuration].toInstance(configuration)
+              bind[Database].toProvider[JanusDatabaseProvider]
               bind[Environment].toInstance(Environment.simple())
               bind[ApplicationLifecycle].to[DefaultApplicationLifecycle]
               bind[Schema].toProvider[TheHiveCortexSchemaProvider]
@@ -67,6 +69,7 @@ object Output {
                 case "hdfs"     => bind(classOf[StorageSrv]).to(classOf[HadoopStorageSrv])
                 case "s3"       => bind(classOf[StorageSrv]).to(classOf[S3StorageSrv])
               }
+              bind[ClusterSetup].asEagerSingleton()
               ()
             }
           }).asJava
@@ -75,19 +78,15 @@ object Output {
   def apply(configuration: Configuration)(implicit actorSystem: ActorSystem): Output = {
     if (configuration.getOptional[Boolean]("dropDatabase").contains(true)) {
       Logger(getClass).info("Drop database")
-      new JanusDatabase(configuration, actorSystem).drop()
+      new JanusDatabase(configuration, actorSystem, fullTextIndexAvailable = false).drop()
     }
     buildApp(configuration).getInstance(classOf[Output])
   }
 }
 
-@Singleton
-class BasicDatabaseProvider @Inject() (database: Database) extends Provider[Database] {
-  override def get(): Database = database
-}
-
 @Singleton
 class Output @Inject() (
+    configuration: Configuration,
     theHiveSchema: TheHiveSchemaDefinition,
     cortexSchema: CortexSchemaDefinition,
     caseSrv: CaseSrv,
@@ -110,8 +109,7 @@ class Output @Inject() (
     resolutionStatusSrv: ResolutionStatusSrv,
     jobSrv: JobSrv,
     actionSrv: ActionSrv,
-    @Named("with-thehive-schema") db: Database,
-    cache: SyncCacheApi
+    db: Database
 ) extends migration.Output {
   lazy val logger: Logger = Logger(getClass)
   val defaultUserDomain: String = userSrv
@@ -119,6 +117,11 @@ class Output @Inject() (
     .getOrElse(
       throw BadConfigurationError("Default user domain is empty in configuration. Please add `auth.defaultUserDomain` in your configuration file.")
     )
+  val caseNumberShift: Int = configuration.get[Int]("caseNumberShift")
+  val observableDataIsIndexed: Boolean = db match {
+    case jdb: JanusDatabase => jdb.listIndexesWithStatus(JanusSchemaStatus.ENABLED).fold(_ => false, _.exists(_.startsWith("Data")))
+    case _                  => false
+  }
   lazy val observableSrv: ObservableSrv                                     = observableSrvProvider.get
   private var profiles: Map[String, Profile with Entity]                    = Map.empty
   private var organisations: Map[String, Organisation with Entity]          = Map.empty
@@ -130,6 +133,7 @@ class Output @Inject() (
   private var caseTemplates: Map[String, CaseTemplate with Entity]          = Map.empty
   private var caseNumbers: Set[Int]                                         = Set.empty
   private var alerts: Set[(String, String, String)]                         = Set.empty
+  private var tags: Map[String, Tag with Entity]                            = Map.empty
 
   private def retrieveExistingData(): Unit = {
     val profilesBuilder           = Map.newBuilder[String, Profile with Entity]
@@ -142,10 +146,11 @@ class Output @Inject() (
     val caseTemplatesBuilder      = Map.newBuilder[String, CaseTemplate with Entity]
     val caseNumbersBuilder        = Set.newBuilder[Int]
     val alertsBuilder             = Set.newBuilder[(String, String, String)]
+    val tagsBuilder               = Map.newBuilder[String, Tag with Entity]
 
     db.roTransaction { implicit graph =>
-      Traversal
-        .V()
+      graph
+        .VV()
         .unsafeHas(
           "_label",
           P.within(
@@ -158,7 +163,8 @@ class Output @Inject() (
             "CustomField",
             "CaseTemplate",
             "Case",
-            "Alert"
+            "Alert",
+            "Tag"
           )
         )
         .toIterator
@@ -195,6 +201,12 @@ class Output @Inject() (
             val source    = UMapping.string.getProperty(vertex, "source")
             val sourceRef = UMapping.string.getProperty(vertex, "sourceRef")
             alertsBuilder += ((`type`, source, sourceRef))
+          case ("Tag", vertex) =>
+            val tag = tagSrv.model.converter(vertex)
+            if (tag.namespace.startsWith(s"_freetags_"))
+              tagsBuilder += (s"${tag.namespace.drop(10)}-${tag.predicate}" -> tag)
+            else
+              tagsBuilder += (tag.toString -> tag)
           case _ =>
         }
     }
@@ -208,6 +220,7 @@ class Output @Inject() (
     caseTemplates = caseTemplatesBuilder.result()
     caseNumbers = caseNumbersBuilder.result()
     alerts = alertsBuilder.result()
+    tags = tagsBuilder.result()
     if (
       profiles.nonEmpty ||
       organisations.nonEmpty ||
@@ -218,7 +231,8 @@ class Output @Inject() (
       customFields.nonEmpty ||
       caseTemplates.nonEmpty ||
       caseNumbers.nonEmpty ||
-      alerts.nonEmpty
+      alerts.nonEmpty ||
+      tags.nonEmpty
     )
       logger.info(s"""Already migrated:
                      | ${profiles.size} profiles
@@ -230,29 +244,11 @@ class Output @Inject() (
                      | ${customFields.size} customFields
                      | ${caseTemplates.size} caseTemplates
                      | ${caseNumbers.size} caseNumbers
-                     | ${alerts.size} alerts""".stripMargin)
+                     | ${alerts.size} alerts
+                     | ${tags.size} tags""".stripMargin)
   }
 
-  def startMigration(): Try[Unit] = {
-    db match {
-      case jdb: JanusDatabase => jdb.dropOtherConnections.recover { case error => logger.error(s"Fail to remove other connection", error) }
-      case _                  =>
-    }
-    if (db.version("thehive") == 0)
-      db.createSchemaFrom(theHiveSchema)(LocalUserSrv.getSystemAuthContext)
-        .flatMap(_ => db.setVersion(theHiveSchema.name, theHiveSchema.operations.lastVersion))
-        .flatMap(_ => db.createSchemaFrom(cortexSchema)(LocalUserSrv.getSystemAuthContext))
-        .flatMap(_ => db.setVersion(cortexSchema.name, cortexSchema.operations.lastVersion))
-        .map(_ => retrieveExistingData())
-    else
-      theHiveSchema
-        .update(db)(LocalUserSrv.getSystemAuthContext)
-        .flatMap(_ => cortexSchema.update(db)(LocalUserSrv.getSystemAuthContext))
-        .map { _ =>
-          retrieveExistingData()
-          db.removeAllIndexes()
-        }
-  }
+  def startMigration(): Try[Unit] = Success(retrieveExistingData())
 
   def endMigration(): Try[Unit] = {
     db.addSchemaIndexes(theHiveSchema)
@@ -267,7 +263,7 @@ class Output @Inject() (
   }
 
   def updateMetaData(entity: Entity, metaData: MetaData)(implicit graph: Graph): Unit = {
-    val vertex = Traversal.V(entity._id).head
+    val vertex = graph.VV(entity._id).head
     UMapping.date.setProperty(vertex, "_createdAt", metaData.createdAt)
     UMapping.date.optional.setProperty(vertex, "_updatedAt", metaData.updatedAt)
   }
@@ -283,8 +279,16 @@ class Output @Inject() (
       body(graph)(getAuthContext(userId))
     }
 
-  def getTag(tagName: String)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] =
-    cache.getOrElseUpdate(s"tag-$tagName")(tagSrv.createEntity(Tag.fromString(tagName, tagSrv.defaultNamespace, tagSrv.defaultColour)))
+  def getTag(tagName: String, organisationId: String)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] =
+    tags
+      .get(tagName)
+      .orElse(tags.get(s"$organisationId-$tagName"))
+      .fold[Try[Tag with Entity]] {
+        tagSrv.createEntity(Tag(s"_freetags_$organisationId", tagName, None, None, tagSrv.freeTagColour)).map { tag =>
+          tags += (tagName -> tag)
+          tag
+        }
+      }(Success.apply)
 
   override def organisationExists(inputOrganisation: InputOrganisation): Boolean = organisations.contains(inputOrganisation.organisation.name)
 
@@ -462,20 +466,27 @@ class Output @Inject() (
     authTransaction(inputCaseTemplate.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create case template ${inputCaseTemplate.caseTemplate.name}")
       for {
-        organisation     <- getOrganisation(inputCaseTemplate.organisation)
-        tags             <- inputCaseTemplate.tags.toTry(getTag)
-        richCaseTemplate <- caseTemplateSrv.create(inputCaseTemplate.caseTemplate, organisation, tags, Nil, Nil)
-        _ = updateMetaData(richCaseTemplate.caseTemplate, inputCaseTemplate.metaData)
+        organisation        <- getOrganisation(inputCaseTemplate.organisation)
+        createdCaseTemplate <- caseTemplateSrv.createEntity(inputCaseTemplate.caseTemplate)
+        _                   <- caseTemplateSrv.caseTemplateOrganisationSrv.create(CaseTemplateOrganisation(), createdCaseTemplate, organisation)
+        _ <-
+          inputCaseTemplate
+            .caseTemplate
+            .tags
+            .toTry(
+              getTag(_, organisation._id.value).flatMap(t => caseTemplateSrv.caseTemplateTagSrv.create(CaseTemplateTag(), createdCaseTemplate, t))
+            )
+        _ = updateMetaData(createdCaseTemplate, inputCaseTemplate.metaData)
         _ = inputCaseTemplate.customFields.foreach {
           case InputCustomFieldValue(name, value, order) =>
             (for {
               cf  <- getCustomField(name)
               ccf <- CustomFieldType.map(cf.`type`).setValue(CaseTemplateCustomField(order = order), value)
-              _   <- caseTemplateSrv.caseTemplateCustomFieldSrv.create(ccf, richCaseTemplate.caseTemplate, cf)
+              _   <- caseTemplateSrv.caseTemplateCustomFieldSrv.create(ccf, createdCaseTemplate, cf)
             } yield ()).logFailure(s"Unable to set custom field $name=${value.getOrElse("<not set>")}")
         }
-        _ = caseTemplates += (inputCaseTemplate.caseTemplate.name -> richCaseTemplate.caseTemplate)
-      } yield IdMapping(inputCaseTemplate.metaData.id, richCaseTemplate._id)
+        _ = caseTemplates += (inputCaseTemplate.caseTemplate.name -> createdCaseTemplate)
+      } yield IdMapping(inputCaseTemplate.metaData.id, createdCaseTemplate._id)
     }
 
   override def createCaseTemplateTask(caseTemplateId: EntityId, inputTask: InputTask): Try[IdMapping] =
@@ -483,38 +494,70 @@ class Output @Inject() (
       logger.debug(s"Create task ${inputTask.task.title} in case template $caseTemplateId")
       for {
         caseTemplate <- caseTemplateSrv.getOrFail(caseTemplateId)
-        taskOwner = inputTask.owner.flatMap(getUser(_).toOption)
-        richTask <- taskSrv.create(inputTask.task, taskOwner)
+        richTask     <- caseTemplateSrv.createTask(caseTemplate, inputTask.task)
         _ = updateMetaData(richTask.task, inputTask.metaData)
-        _ <- caseTemplateSrv.addTask(caseTemplate, richTask.task)
       } yield IdMapping(inputTask.metaData.id, richTask._id)
     }
 
-  override def caseExists(inputCase: InputCase): Boolean = caseNumbers.contains(inputCase.`case`.number)
+  override def caseExists(inputCase: InputCase): Boolean = caseNumbers.contains(inputCase.`case`.number + caseNumberShift)
 
   private def getCase(caseId: EntityId)(implicit graph: Graph): Try[Case with Entity] = caseSrv.getByIds(caseId).getOrFail("Case")
 
   override def createCase(inputCase: InputCase): Try[IdMapping] =
     authTransaction(inputCase.metaData.createdBy) { implicit graph => implicit authContext =>
-      logger.debug(s"Create case #${inputCase.`case`.number}")
-      caseSrv.createEntity(inputCase.`case`).map { createdCase =>
+      logger.debug(s"Create case #${inputCase.`case`.number + caseNumberShift}")
+      val organisationIds = inputCase
+        .organisations
+        .flatMap {
+          case (orgName, _) => getOrganisation(orgName).map(_._id).toOption
+        }
+        .toSet
+      val assignee = inputCase
+        .`case`
+        .assignee
+        .flatMap(getUser(_).toOption)
+      val caseTemplate = inputCase
+        .`case`
+        .caseTemplate
+        .flatMap(getCaseTemplate)
+      val resolutionStatus = inputCase
+        .`case`
+        .resolutionStatus
+        .flatMap(getResolutionStatus(_).toOption)
+      val impactStatus = inputCase
+        .`case`
+        .impactStatus
+        .flatMap(getImpactStatus(_).toOption)
+      val `case` = inputCase
+        .`case`
+        .copy(
+          assignee = assignee.map(_.login),
+          organisationIds = organisationIds,
+          caseTemplate = caseTemplate.map(_.name),
+          impactStatus = impactStatus.map(_.value),
+          resolutionStatus = resolutionStatus.map(_.value)
+        )
+      caseSrv.createEntity(`case`.copy(number = `case`.number + caseNumberShift)).map { createdCase =>
         updateMetaData(createdCase, inputCase.metaData)
-        inputCase
-          .user
-          .foreach { userLogin =>
-            getUser(userLogin)
-              .flatMap(user => caseSrv.caseUserSrv.create(CaseUser(), createdCase, user))
-              .logFailure(s"Unable to assign case #${createdCase.number} to $userLogin")
+        assignee
+          .foreach { user =>
+            caseSrv
+              .caseUserSrv
+              .create(CaseUser(), createdCase, user)
+              .logFailure(s"Unable to assign case #${createdCase.number} to ${user.login}")
           }
-        inputCase
-          .caseTemplate
-          .flatMap(getCaseTemplate)
+        caseTemplate
           .foreach { ct =>
             caseSrv
               .caseCaseTemplateSrv
               .create(CaseCaseTemplate(), createdCase, ct)
               .logFailure(s"Unable to set case template ${ct.name} to case #${createdCase.number}")
           }
+        inputCase.`case`.tags.foreach { tagName =>
+          getTag(tagName, organisationIds.head.value)
+            .flatMap(tag => caseSrv.caseTagSrv.create(CaseTag(), createdCase, tag))
+            .logFailure(s"Unable to add tag $tagName to case #${createdCase.number}")
+        }
         inputCase.customFields.foreach {
           case (name, value) => // TODO Add order
             getCustomField(name)
@@ -537,23 +580,18 @@ class Output @Inject() (
             shared.logFailure(s"Unable to share case #${createdCase.number} with organisation $organisationName, profile $profileName")
             ownerSet || owner
         }
-        inputCase.tags.filterNot(_.isEmpty).foreach { tagName =>
-          getTag(tagName)
-            .flatMap(tag => caseSrv.caseTagSrv.create(CaseTag(), createdCase, tag))
-            .logFailure(s"Unable to add tag $tagName to case #${createdCase.number}")
-        }
-        inputCase
-          .resolutionStatus
+        resolutionStatus
           .foreach { resolutionStatus =>
-            getResolutionStatus(resolutionStatus)
-              .flatMap(caseSrv.caseResolutionStatusSrv.create(CaseResolutionStatus(), createdCase, _))
+            caseSrv
+              .caseResolutionStatusSrv
+              .create(CaseResolutionStatus(), createdCase, resolutionStatus)
               .logFailure(s"Unable to set resolution status $resolutionStatus to case #${createdCase.number}")
           }
-        inputCase
-          .impactStatus
+        impactStatus
           .foreach { impactStatus =>
-            getImpactStatus(impactStatus)
-              .flatMap(caseSrv.caseImpactStatusSrv.create(CaseImpactStatus(), createdCase, _))
+            caseSrv
+              .caseImpactStatusSrv
+              .create(CaseImpactStatus(), createdCase, impactStatus)
               .logFailure(s"Unable to set impact status $impactStatus to case #${createdCase.number}")
           }
 
@@ -564,14 +602,13 @@ class Output @Inject() (
   override def createCaseTask(caseId: EntityId, inputTask: InputTask): Try[IdMapping] =
     authTransaction(inputTask.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create task ${inputTask.task.title} in case $caseId")
-      val owner = inputTask.owner.flatMap(getUser(_).toOption)
+      val assignee      = inputTask.owner.flatMap(getUser(_).toOption)
+      val organisations = inputTask.organisations.flatMap(getOrganisation(_).toOption)
       for {
-        richTask <- taskSrv.create(inputTask.task, owner)
+        richTask <- taskSrv.create(inputTask.task.copy(relatedId = caseId, organisationIds = organisations.map(_._id)), assignee)
         _ = updateMetaData(richTask.task, inputTask.metaData)
         case0 <- getCase(caseId)
-        _ <- inputTask.organisations.toTry { organisation =>
-          getOrganisation(organisation).flatMap(shareSrv.shareTask(richTask, case0, _))
-        }
+        _     <- organisations.toTry(o => shareSrv.shareTask(richTask, case0, o._id))
       } yield IdMapping(inputTask.metaData.id, richTask._id)
     }
 
@@ -580,10 +617,9 @@ class Output @Inject() (
       for {
         task <- taskSrv.getOrFail(taskId)
         _ = logger.debug(s"Create log in task ${task.title}")
-        log <- logSrv.createEntity(inputLog.log)
-        _   <- logSrv.taskLogSrv.create(TaskLog(), task, log)
-        _   <- auditSrv.log.create(log, task, RichLog(log, Nil).toJson)
+        log <- logSrv.createEntity(inputLog.log.copy(taskId = task._id, organisationIds = task.organisationIds))
         _ = updateMetaData(log, inputLog.metaData)
+        _ <- logSrv.taskLogSrv.create(TaskLog(), task, log)
         _ <- inputLog.attachments.toTry { inputAttachment =>
           attachmentSrv.create(inputAttachment.name, inputAttachment.size, inputAttachment.contentType, inputAttachment.data).flatMap { attachment =>
             logSrv.logAttachmentSrv.create(LogAttachment(), log, attachment)
@@ -592,30 +628,76 @@ class Output @Inject() (
       } yield IdMapping(inputLog.metaData.id, log._id)
     }
 
+  private def getData(value: String)(implicit graph: Graph, authContext: AuthContext): Try[Data with Entity] =
+    if (observableDataIsIndexed) dataSrv.create(Data(value))
+    else dataSrv.createEntity(Data(value))
+
+  private def createSimpleObservable(observable: Observable, observableType: ObservableType with Entity, dataValue: String)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[Observable with Entity] =
+    for {
+      data <- getData(dataValue)
+      _ <-
+        if (observableType.isAttachment) Failure(BadRequestError("A attachment observable doesn't accept string value"))
+        else Success(())
+      createdObservable <- observableSrv.createEntity(observable.copy(data = Some(dataValue)))
+      _                 <- observableSrv.observableDataSrv.create(ObservableData(), createdObservable, data)
+    } yield createdObservable
+
+  private def createAttachmentObservable(
+      observable: Observable,
+      observableType: ObservableType with Entity,
+      inputAttachment: InputAttachment
+  )(implicit graph: Graph, authContext: AuthContext): Try[Observable with Entity] =
+    for {
+      attachment <- attachmentSrv.create(inputAttachment.name, inputAttachment.size, inputAttachment.contentType, inputAttachment.data)
+      _ <-
+        if (!observableType.isAttachment) Failure(BadRequestError("A text observable doesn't accept attachment"))
+        else Success(())
+      createdObservable <- observableSrv.createEntity(observable.copy(data = None))
+      _                 <- observableSrv.observableAttachmentSrv.create(ObservableAttachment(), createdObservable, attachment)
+    } yield createdObservable
+
+  private def createObservable(relatedId: EntityId, inputObservable: InputObservable, organisationIds: Set[EntityId])(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ) =
+    for {
+      observableType <- getObservableType(inputObservable.observable.dataType)
+      observable <-
+        inputObservable
+          .dataOrAttachment
+          .fold(
+            data =>
+              createSimpleObservable(
+                inputObservable.observable.copy(organisationIds = organisationIds, relatedId = relatedId),
+                observableType,
+                data
+              ),
+            attachment =>
+              createAttachmentObservable(
+                inputObservable.observable.copy(organisationIds = organisationIds, relatedId = relatedId),
+                observableType,
+                attachment
+              )
+          )
+      _ = updateMetaData(observable, inputObservable.metaData)
+      _ <- observableSrv.observableObservableType.create(ObservableObservableType(), observable, observableType)
+      _ = inputObservable.observable.tags.foreach { tagName =>
+        getTag(tagName, organisationIds.head.value)
+          .foreach(tag => observableSrv.observableTagSrv.create(ObservableTag(), observable, tag))
+      }
+    } yield observable
+
   override def createCaseObservable(caseId: EntityId, inputObservable: InputObservable): Try[IdMapping] =
     authTransaction(inputObservable.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create observable ${inputObservable.dataOrAttachment.fold(identity, _.name)} in case $caseId")
       for {
-        observableType <- getObservableType(inputObservable.`type`)
-        tags           <- inputObservable.tags.filterNot(_.isEmpty).toTry(getTag)
-        richObservable <-
-          inputObservable
-            .dataOrAttachment
-            .fold(
-              dataValue =>
-                dataSrv.createEntity(Data(dataValue)).flatMap { data =>
-                  observableSrv.create(inputObservable.observable, observableType, data, tags, Nil)
-                },
-              inputAttachment =>
-                attachmentSrv.create(inputAttachment.name, inputAttachment.size, inputAttachment.contentType, inputAttachment.data).flatMap {
-                  attachment =>
-                    observableSrv.create(inputObservable.observable, observableType, attachment, tags, Nil)
-                }
-            )
-        _ = updateMetaData(richObservable.observable, inputObservable.metaData)
-        case0 <- getCase(caseId)
-        orgs  <- inputObservable.organisations.toTry(getOrganisation)
-        _     <- orgs.toTry(o => shareSrv.shareObservable(richObservable, case0, o))
+        organisations  <- inputObservable.organisations.toTry(getOrganisation)
+        richObservable <- createObservable(caseId, inputObservable, organisations.map(_._id).toSet)
+        case0          <- getCase(caseId)
+        _              <- organisations.toTry(o => shareSrv.shareObservable(RichObservable(richObservable, None, None, Nil), case0, o._id))
       } yield IdMapping(inputObservable.metaData.id, richObservable._id)
     }
 
@@ -633,26 +715,11 @@ class Output @Inject() (
     authTransaction(inputObservable.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create observable ${inputObservable.dataOrAttachment.fold(identity, _.name)} in job $jobId")
       for {
-        job            <- jobSrv.getOrFail(jobId)
-        observableType <- getObservableType(inputObservable.`type`)
-        tags = inputObservable.tags.filterNot(_.isEmpty).flatMap(getTag(_).toOption).toSeq
-        richObservable <-
-          inputObservable
-            .dataOrAttachment
-            .fold(
-              dataValue =>
-                dataSrv.createEntity(Data(dataValue)).flatMap { data =>
-                  observableSrv.create(inputObservable.observable, observableType, data, tags, Nil)
-                },
-              inputAttachment =>
-                attachmentSrv.create(inputAttachment.name, inputAttachment.size, inputAttachment.contentType, inputAttachment.data).flatMap {
-                  attachment =>
-                    observableSrv.create(inputObservable.observable, observableType, attachment, tags, Nil)
-                }
-            )
-        _ = updateMetaData(richObservable.observable, inputObservable.metaData)
-        _ <- jobSrv.addObservable(job, richObservable.observable)
-      } yield IdMapping(inputObservable.metaData.id, richObservable._id)
+        organisations <- inputObservable.organisations.toTry(getOrganisation)
+        observable    <- createObservable(jobId, inputObservable, organisations.map(_._id).toSet)
+        job           <- jobSrv.getOrFail(jobId)
+        _             <- jobSrv.addObservable(job, observable)
+      } yield IdMapping(inputObservable.metaData.id, observable._id)
     }
 
   override def alertExists(inputAlert: InputAlert): Boolean =
@@ -661,55 +728,43 @@ class Output @Inject() (
   override def createAlert(inputAlert: InputAlert): Try[IdMapping] =
     authTransaction(inputAlert.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create alert ${inputAlert.alert.`type`}:${inputAlert.alert.source}:${inputAlert.alert.sourceRef}")
+      val `case` = inputAlert.caseId.flatMap(c => getCase(EntityId.read(c)).toOption)
       for {
         organisation <- getOrganisation(inputAlert.organisation)
-        caseTemplate =
+        createdAlert <- alertSrv.createEntity(inputAlert.alert.copy(organisationId = organisation._id, caseId = `case`.map(_._id)))
+        tags = inputAlert.alert.tags.flatMap(getTag(_, organisation._id.value).toOption)
+        _    = updateMetaData(createdAlert, inputAlert.metaData)
+        _ <- alertSrv.alertOrganisationSrv.create(AlertOrganisation(), createdAlert, organisation)
+        _ <-
           inputAlert
             .caseTemplate
-            .flatMap(ct =>
-              getCaseTemplate(ct).orElse {
-                logger.warn(
-                  s"Case template $ct not found (used in alert ${inputAlert.alert.`type`}:${inputAlert.alert.source}:${inputAlert.alert.sourceRef})"
-                )
-                None
+            .flatMap(getCaseTemplate)
+            .map(ct => alertSrv.alertCaseTemplateSrv.create(AlertCaseTemplate(), createdAlert, ct))
+            .flip
+        _ = tags.foreach(t => alertSrv.alertTagSrv.create(AlertTag(), createdAlert, t))
+        _ = inputAlert.customFields.foreach {
+          case (name, value) => // TODO Add order
+            getCustomField(name)
+              .flatMap { cf =>
+                CustomFieldType
+                  .map(cf.`type`)
+                  .setValue(AlertCustomField(), value)
+                  .flatMap(acf => alertSrv.alertCustomFieldSrv.create(acf, createdAlert, cf))
               }
-            )
-        tags = inputAlert.tags.filterNot(_.isEmpty).flatMap(getTag(_).toOption).toSeq
-//        alert <- alertSrv.create(inputAlert.alert, organisation, tags, inputAlert.customFields, caseTemplate) // FIXME don't check duplicate
-        alert <- alertSrv.createEntity(inputAlert.alert)
-        _     <- alertSrv.alertOrganisationSrv.create(AlertOrganisation(), alert, organisation)
-        _     <- caseTemplate.map(ct => alertSrv.alertCaseTemplateSrv.create(AlertCaseTemplate(), alert, ct)).flip
-        _     <- tags.toTry(t => alertSrv.alertTagSrv.create(AlertTag(), alert, t))
-        _     <- inputAlert.customFields.toTry { case (name, value) => alertSrv.createCustomField(alert, InputCustomFieldValue(name, value, None)) }
-        _ = updateMetaData(alert, inputAlert.metaData)
-        _ = inputAlert.caseId.flatMap(c => getCase(EntityId.read(c)).toOption).foreach(alertSrv.alertCaseSrv.create(AlertCase(), alert, _))
-      } yield IdMapping(inputAlert.metaData.id, alert._id)
+              .logFailure(s"Unable to set custom field $name=${value
+                .getOrElse("<not set>")} to alert ${inputAlert.alert.`type`}:${inputAlert.alert.source}:${inputAlert.alert.sourceRef}")
+        }
+      } yield IdMapping(inputAlert.metaData.id, createdAlert._id)
     }
 
   override def createAlertObservable(alertId: EntityId, inputObservable: InputObservable): Try[IdMapping] =
     authTransaction(inputObservable.metaData.createdBy) { implicit graph => implicit authContext =>
       logger.debug(s"Create observable ${inputObservable.dataOrAttachment.fold(identity, _.name)} in alert $alertId")
       for {
-        observableType <- getObservableType(inputObservable.`type`)
-        tags = inputObservable.tags.filterNot(_.isEmpty).flatMap(getTag(_).toOption).toSeq
-        richObservable <-
-          inputObservable
-            .dataOrAttachment
-            .fold(
-              dataValue =>
-                dataSrv.createEntity(Data(dataValue)).flatMap { data =>
-                  observableSrv.create(inputObservable.observable, observableType, data, tags, Nil)
-                },
-              inputAttachment =>
-                attachmentSrv.create(inputAttachment.name, inputAttachment.size, inputAttachment.contentType, inputAttachment.data).flatMap {
-                  attachment =>
-                    observableSrv.create(inputObservable.observable, observableType, attachment, tags, Nil)
-                }
-            )
-        _ = updateMetaData(richObservable.observable, inputObservable.metaData)
-        alert <- alertSrv.getOrFail(alertId)
-        _     <- alertSrv.alertObservableSrv.create(AlertObservable(), alert, richObservable.observable)
-      } yield IdMapping(inputObservable.metaData.id, richObservable._id)
+        alert      <- alertSrv.getOrFail(alertId)
+        observable <- createObservable(alert._id, inputObservable, Set(alert.organisationId))
+        _          <- alertSrv.alertObservableSrv.create(AlertObservable(), alert, observable)
+      } yield IdMapping(inputObservable.metaData.id, observable._id)
     }
 
   private def getEntity(entityType: String, entityId: EntityId)(implicit graph: Graph): Try[Product with Entity] =
diff --git a/misp/client/src/main/scala/org/thp/misp/client/Base64Flow.scala b/misp/client/src/main/scala/org/thp/misp/client/Base64Flow.scala
index 7840d72535..594dcc2a2e 100644
--- a/misp/client/src/main/scala/org/thp/misp/client/Base64Flow.scala
+++ b/misp/client/src/main/scala/org/thp/misp/client/Base64Flow.scala
@@ -1,13 +1,13 @@
 package org.thp.misp.client
 
-import java.util.Base64
-
 import akka.NotUsed
 import akka.stream.scaladsl.Flow
 import akka.stream.stage.{GraphStage, GraphStageLogic, InHandler, OutHandler}
 import akka.stream.{Attributes, FlowShape, Inlet, Outlet}
 import akka.util.ByteString
 
+import java.util.Base64
+
 object Base64Flow {
   def encode(): Flow[ByteString, ByteString, NotUsed] = Flow.fromGraph(new Base64EncoderFlow)
 }
@@ -18,39 +18,40 @@ class Base64EncoderFlow extends GraphStage[FlowShape[ByteString, ByteString]] {
   override def shape: FlowShape[ByteString, ByteString] = FlowShape.of(in, out)
   val encoder: Base64.Encoder                           = Base64.getEncoder
 
-  override def createLogic(inheritedAttributes: Attributes): GraphStageLogic = new GraphStageLogic(shape) {
-    var remainingBytes: ByteString  = ByteString.empty
-    var upstreamIsFinished: Boolean = false
+  override def createLogic(inheritedAttributes: Attributes): GraphStageLogic =
+    new GraphStageLogic(shape) {
+      var remainingBytes: ByteString  = ByteString.empty
+      var upstreamIsFinished: Boolean = false
 
-    setHandler(
-      in,
-      new InHandler {
-        override def onPush(): Unit = {
-          val data = (remainingBytes ++ grab(in)).toArray[Byte]
-          val r    = data.length % 3
-          if (r == 0)
-            push(out, ByteString(encoder.encode(data)))
-          else {
-            remainingBytes = ByteString(data.drop(data.length - r))
-            push(out, ByteString(encoder.encode(data.take(data.length - r))))
+      setHandler(
+        in,
+        new InHandler {
+          override def onPush(): Unit = {
+            val data = (remainingBytes ++ grab(in)).toArray[Byte]
+            val r    = data.length % 3
+            if (r == 0)
+              push(out, ByteString(encoder.encode(data)))
+            else {
+              remainingBytes = ByteString(data.drop(data.length - r))
+              push(out, ByteString(encoder.encode(data.take(data.length - r))))
+            }
           }
-        }
 
-        override def onUpstreamFinish(): Unit =
-          upstreamIsFinished = true
-      }
-    )
-    setHandler(
-      out,
-      new OutHandler {
-        override def onPull(): Unit =
-          if (!upstreamIsFinished)
-            pull(in)
-          else {
-            push(out, ByteString(encoder.encode(remainingBytes.toArray)))
-            completeStage
-          }
-      }
-    )
-  }
+          override def onUpstreamFinish(): Unit =
+            upstreamIsFinished = true
+        }
+      )
+      setHandler(
+        out,
+        new OutHandler {
+          override def onPull(): Unit =
+            if (!upstreamIsFinished)
+              pull(in)
+            else {
+              push(out, ByteString(encoder.encode(remainingBytes.toArray)))
+              completeStage
+            }
+        }
+      )
+    }
 }
diff --git a/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala b/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
index e5d03cd2d6..2433ad8a94 100644
--- a/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
+++ b/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
@@ -167,7 +167,7 @@ class MispClient(
     val fromDate = (maxAge.map(a => System.currentTimeMillis() - a.toMillis).toSeq ++ publishDate.map(_.getTime))
       .sorted(Ordering[Long].reverse)
       .headOption
-      .map(d => "searchpublish_timestamp" -> JsNumber((d / 1000) + 1))
+      .map(d => "searchtimestamp" -> JsNumber((d / 1000) + 1))
     val tagFilter          = (whitelistTags ++ excludedTags.map("!" + _)).map(JsString.apply)
     val organisationFilter = (whitelistOrganisations ++ excludedOrganisations.map("!" + _)).map(JsString.apply)
     val query = JsObject
@@ -206,9 +206,11 @@ class MispClient(
       .mapAsyncUnordered(2) {
         case attribute @ Attribute(id, "malware-sample" | "attachment", _, _, _, _, _, _, _, None, _, _, _, _) =>
           // TODO need to unzip malware samples ?
-          downloadAttachment(id).map {
-            case (filename, contentType, src) => attribute.copy(data = Some((filename, contentType, src)))
-          }
+          downloadAttachment(id)
+            .map {
+              case (filename, contentType, src) => attribute.copy(data = Some((filename, contentType, src)))
+            }
+            .recover { case _ => attribute }
         case attribute => Future.successful(attribute)
       }
       .mapMaterializedValue(_ => NotUsed)
diff --git a/misp/client/src/main/scala/org/thp/misp/dto/Attribute.scala b/misp/client/src/main/scala/org/thp/misp/dto/Attribute.scala
index 1b4dc4fcdb..4a79cb0d57 100644
--- a/misp/client/src/main/scala/org/thp/misp/dto/Attribute.scala
+++ b/misp/client/src/main/scala/org/thp/misp/dto/Attribute.scala
@@ -1,14 +1,14 @@
 package org.thp.misp.dto
 
-import java.time.OffsetDateTime
-import java.time.format.{DateTimeFormatter, DateTimeFormatterBuilder}
-import java.util.{Base64, Date}
-
 import akka.stream.scaladsl.Source
 import akka.util.ByteString
 import play.api.libs.functional.syntax._
 import play.api.libs.json.{JsPath, Json, OWrites, Reads}
 
+import java.time.OffsetDateTime
+import java.time.format.{DateTimeFormatter, DateTimeFormatterBuilder}
+import java.util.{Base64, Date}
+
 case class Attribute(
     id: String,
     `type`: String,
diff --git a/misp/client/src/main/scala/org/thp/misp/dto/Event.scala b/misp/client/src/main/scala/org/thp/misp/dto/Event.scala
index 6162e4ffe0..0322378930 100644
--- a/misp/client/src/main/scala/org/thp/misp/dto/Event.scala
+++ b/misp/client/src/main/scala/org/thp/misp/dto/Event.scala
@@ -1,10 +1,10 @@
 package org.thp.misp.dto
 
-import java.util.Date
-
 import play.api.libs.functional.syntax._
 import play.api.libs.json._
 
+import java.util.Date
+
 case class Event(
     id: String,
     published: Boolean,
diff --git a/misp/client/src/main/scala/org/thp/misp/dto/Organisation.scala b/misp/client/src/main/scala/org/thp/misp/dto/Organisation.scala
index f8a6486110..39d21809ef 100644
--- a/misp/client/src/main/scala/org/thp/misp/dto/Organisation.scala
+++ b/misp/client/src/main/scala/org/thp/misp/dto/Organisation.scala
@@ -1,9 +1,9 @@
 package org.thp.misp.dto
 
-import java.util.UUID
-
 import play.api.libs.json.{Json, Reads}
 
+import java.util.UUID
+
 case class Organisation(id: String, name: String, description: Option[String], uuid: UUID)
 
 object Organisation {
diff --git a/misp/client/src/main/scala/org/thp/misp/dto/Tag.scala b/misp/client/src/main/scala/org/thp/misp/dto/Tag.scala
index 683b1ee489..eef50fdcdc 100644
--- a/misp/client/src/main/scala/org/thp/misp/dto/Tag.scala
+++ b/misp/client/src/main/scala/org/thp/misp/dto/Tag.scala
@@ -6,7 +6,7 @@ import play.api.libs.json._
 case class Tag(
     id: Option[String],
     name: String,
-    colour: Option[Int],
+    colour: Option[String],
     exportable: Option[Boolean]
 )
 
@@ -14,10 +14,7 @@ object Tag {
   implicit val reads: Reads[Tag] =
     ((JsPath \ "id").readNullable[String] and
       (JsPath \ "name").read[String] and
-      (JsPath \ "colour").readNullable[String].map {
-        case Some(c) if c.headOption.contains('#') => Some(Integer.parseUnsignedInt(c.tail, 16))
-        case _                                     => None
-      } and
+      (JsPath \ "colour").readNullable[String] and
       (JsPath \ "exportable").readNullable[Boolean])(Tag.apply _)
 
   implicit val writes: Writes[Tag] = Json.writes[Tag]
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/MispRouter.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/MispRouter.scala
index bce499ed20..771084f61c 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/MispRouter.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/MispRouter.scala
@@ -1,10 +1,11 @@
 package org.thp.thehive.connector.misp
 
-import javax.inject.{Inject, Provider, Singleton}
 import org.thp.thehive.connector.misp.controllers.v0
 import play.api.Logger
 import play.api.routing.Router
 
+import javax.inject.{Inject, Provider, Singleton}
+
 @Singleton
 class MispRouter @Inject() (routerV0: v0.Router) extends Provider[Router] {
 
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
index ddccfd7d66..c59987537c 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
@@ -10,7 +10,7 @@ import org.thp.thehive.connector.misp.services.{MispExportSrv, Synchro}
 import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
-import org.thp.thehive.services.{AlertSrv, CaseSrv}
+import org.thp.thehive.services.{AlertSrv, CaseSrv, OrganisationSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
 import javax.inject.{Inject, Singleton}
@@ -23,7 +23,8 @@ class MispCtrl @Inject() (
     mispExportSrv: MispExportSrv,
     alertSrv: AlertSrv,
     caseSrv: CaseSrv,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
+    organisationSrv: OrganisationSrv,
     @Named("misp-actor") mispActor: ActorRef,
     implicit val ec: ExecutionContext
 ) {
@@ -55,7 +56,7 @@ class MispCtrl @Inject() (
         alertSrv
           .startTraversal
           .filterByType("misp")
-          .visible
+          .visible(organisationSrv)
           .toIterator
           .toTry(alertSrv.remove(_))
           .map(_ => Results.NoContent)
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
index b952899f6e..62a79e08e7 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
@@ -1,11 +1,12 @@
 package org.thp.thehive.connector.misp.controllers.v0
 
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.NotFoundError
 import play.api.routing.Router.Routes
 import play.api.routing.SimpleRouter
 import play.api.routing.sird._
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class Router @Inject() (mispCtrl: MispCtrl) extends SimpleRouter {
 
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/Connector.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/Connector.scala
index db70d09654..542a05dfa3 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/Connector.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/Connector.scala
@@ -2,13 +2,13 @@ package org.thp.thehive.connector.misp.services
 
 import akka.actor.ActorSystem
 import akka.stream.Materializer
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
-import org.thp.thehive.models.{HealthStatus, ObservableType}
+import org.thp.thehive.models.HealthStatus
 import org.thp.thehive.services.{Connector => TheHiveConnector}
 import play.api.libs.json.{JsObject, Json}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.duration.FiniteDuration
 import scala.concurrent.{ExecutionContext, Future}
 
@@ -27,8 +27,8 @@ class Connector @Inject() (appConfig: ApplicationConfig, system: ActorSystem, ma
   def attributeConverter(attributeCategory: String, attributeType: String): Option[AttributeConverter] =
     attributeConvertersConfig.get.reverseIterator.find(a => a.mispCategory == attributeCategory && a.mispType == attributeType)
 
-  def attributeConverter(`type`: ObservableType): Option[(String, String)] =
-    attributeConvertersConfig.get.reverseIterator.find(_.`type`.value == `type`.name).map(a => a.mispCategory -> a.mispType)
+  def attributeConverter(observableType: String): Option[(String, String)] =
+    attributeConvertersConfig.get.reverseIterator.find(_.`type`.value == observableType).map(a => a.mispCategory -> a.mispType)
 
   val syncIntervalConfig: ConfigItem[FiniteDuration, FiniteDuration] = appConfig.item[FiniteDuration]("misp.syncInterval", "")
   def syncInterval: FiniteDuration                                   = syncIntervalConfig.get
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispActor.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispActor.scala
index 46a24bce0f..941ea78310 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispActor.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispActor.scala
@@ -2,7 +2,6 @@ package org.thp.thehive.connector.misp.services
 
 import akka.actor.{Actor, ActorRef, ActorSystem, Cancellable}
 import akka.cluster.singleton.{ClusterSingletonProxy, ClusterSingletonProxySettings}
-import org.thp.scalligraph.auth.UserSrv
 import play.api.Logger
 
 import javax.inject.{Inject, Named, Provider}
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
index bf71fb3ed4..68db3f6be9 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
@@ -1,12 +1,9 @@
 package org.thp.thehive.connector.misp.services
 
-import java.util.Date
-
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.misp.dto.{Attribute, Tag => MispTag}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AuthorizationError, BadRequestError, NotFoundError}
 import org.thp.thehive.models._
@@ -16,6 +13,8 @@ import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.{AlertSrv, AttachmentSrv, CaseSrv, OrganisationSrv}
 import play.api.Logger
 
+import java.util.Date
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.Try
 
@@ -26,7 +25,7 @@ class MispExportSrv @Inject() (
     attachmentSrv: AttachmentSrv,
     alertSrv: AlertSrv,
     organisationSrv: OrganisationSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) {
 
   lazy val logger: Logger = Logger(getClass)
@@ -34,14 +33,14 @@ class MispExportSrv @Inject() (
   def observableToAttribute(observable: RichObservable, exportTags: Boolean): Option[Attribute] = {
     lazy val mispTags =
       if (exportTags)
-        observable.tags.map(t => MispTag(None, t.toString, Some(t.colour), None)) ++ tlpTags.get(observable.tlp)
+        observable.tags.map(t => MispTag(None, t, None, None)) ++ tlpTags.get(observable.tlp) // FIXME Add colour
       else
         tlpTags.get(observable.tlp).toSeq
 
     observable
       .data
       .collect {
-        case data if observable.`type`.name == "hash" => data.data.length
+        case data if observable.dataType == "hash" => data.length
       }
       .collect {
         case 32  => "md5"
@@ -52,7 +51,7 @@ class MispExportSrv @Inject() (
         case 128 => "sha512"
       }
       .map("Payload delivery" -> _)
-      .orElse(connector.attributeConverter(observable.`type`))
+      .orElse(connector.attributeConverter(observable.dataType))
       .map {
         case (cat, tpe) =>
           Attribute(
@@ -66,7 +65,7 @@ class MispExportSrv @Inject() (
             comment = observable.message,
             deleted = false,
             data = observable.attachment.map(a => (a.name, a.contentType, attachmentSrv.source(a))),
-            value = observable.data.fold(observable.attachment.get.name)(_.data),
+            value = observable.data.getOrElse(observable.attachment.get.name),
             firstSeen = None,
             lastSeen = None,
             tags = mispTags
@@ -74,7 +73,7 @@ class MispExportSrv @Inject() (
       }
       .orElse {
         logger.warn(
-          s"Observable type ${observable.`type`} can't be converted to MISP attribute. You should add a mapping in `misp.attribute.mapping`"
+          s"Observable type ${observable.dataType} can't be converted to MISP attribute. You should add a mapping in `misp.attribute.mapping`"
         )
         None
       }
@@ -146,6 +145,7 @@ class MispExportSrv @Inject() (
       authContext: AuthContext
   ): Try[RichAlert] =
     for {
+      org <- organisationSrv.getOrFail(authContext.organisation)
       alert <- client.currentOrganisationName.map { orgName =>
         Alert(
           `type` = "misp",
@@ -160,11 +160,12 @@ class MispExportSrv @Inject() (
           tlp = `case`.tlp,
           pap = `case`.pap,
           read = false,
-          follow = true
+          follow = true,
+          tags = Nil,
+          caseId = Some(`case`._id)
         )
       }
-      org          <- organisationSrv.getOrFail(authContext.organisation)
-      createdAlert <- alertSrv.create(alert.copy(lastSyncDate = new Date(0L)), org, Seq.empty[Tag with Entity], Seq(), None)
+      createdAlert <- alertSrv.create(alert.copy(lastSyncDate = new Date(0L)), org, Set.empty, Nil, None)
       _            <- alertSrv.alertCaseSrv.create(AlertCase(), createdAlert.alert, `case`)
     } yield createdAlert
 
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
index 39f8ebb1ca..d7242fa4f6 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
@@ -4,14 +4,14 @@ import akka.stream.Materializer
 import akka.stream.scaladsl.{FileIO, Sink, Source}
 import akka.util.ByteString
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.misp.dto.{Attribute, Event, Tag => MispTag}
 import org.thp.scalligraph.auth.{AuthContext, UserSrv}
 import org.thp.scalligraph.controllers.FFile
 import org.thp.scalligraph.models._
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.utils.FunctionalCondition._
-import org.thp.scalligraph.{EntityName, RichSeq}
+import org.thp.scalligraph.{CreateError, EntityId, EntityName, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
@@ -23,7 +23,7 @@ import play.api.libs.json._
 
 import java.nio.file.Files
 import java.util.Date
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.duration.DurationInt
 import scala.concurrent.{Await, ExecutionContext}
 import scala.util.{Failure, Success, Try}
@@ -35,18 +35,17 @@ class MispImportSrv @Inject() (
     observableSrv: ObservableSrv,
     organisationSrv: OrganisationSrv,
     observableTypeSrv: ObservableTypeSrv,
-    attachmentSrv: AttachmentSrv,
     caseTemplateSrv: CaseTemplateSrv,
+    db: Database,
     auditSrv: AuditSrv,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") db: Database,
     implicit val ec: ExecutionContext,
     implicit val mat: Materializer
 ) {
 
   lazy val logger: Logger = Logger(getClass)
 
-  def eventToAlert(client: TheHiveMispClient, event: Event): Try[Alert] =
+  def eventToAlert(client: TheHiveMispClient, event: Event, organisationId: EntityId): Try[Alert] =
     client
       .currentOrganisationName
       .map { mispOrganisation =>
@@ -71,7 +70,10 @@ class MispImportSrv @Inject() (
             .getOrElse(2),
           pap = 2,
           read = false,
-          follow = true
+          follow = true,
+          organisationId = organisationId,
+          tags = event.tags.map(_.name),
+          caseId = None
         )
       }
 
@@ -93,7 +95,7 @@ class MispImportSrv @Inject() (
 
   def attributeToObservable(
       attribute: Attribute
-  )(implicit graph: Graph): List[(Observable, ObservableType with Entity, Set[String], Either[String, (String, String, Source[ByteString, _])])] =
+  )(implicit graph: Graph): List[(Observable, Either[String, (String, String, Source[ByteString, _])])] =
     attribute
       .`type`
       .split('|')
@@ -114,9 +116,15 @@ class MispImportSrv @Inject() (
           )
           List(
             (
-              Observable(attribute.comment, 0, ioc = false, sighted = false, ignoreSimilarity = None),
-              observableType,
-              attribute.tags.map(_.name).toSet ++ additionalTags,
+              Observable(
+                message = attribute.comment,
+                tlp = 0,
+                ioc = false,
+                sighted = false,
+                ignoreSimilarity = None,
+                dataType = observableType.name,
+                tags = additionalTags ++ attribute.tags.map(_.name)
+              ),
               Right(attribute.data.get)
             )
           )
@@ -126,9 +134,15 @@ class MispImportSrv @Inject() (
           )
           List(
             (
-              Observable(attribute.comment, 0, ioc = false, sighted = false, ignoreSimilarity = None),
-              observableType,
-              attribute.tags.map(_.name).toSet ++ additionalTags,
+              Observable(
+                message = attribute.comment,
+                tlp = 0,
+                ioc = false,
+                sighted = false,
+                ignoreSimilarity = None,
+                dataType = observableType.name,
+                tags = additionalTags ++ attribute.tags.map(_.name)
+              ),
               Left(attribute.value)
             )
           )
@@ -144,9 +158,15 @@ class MispImportSrv @Inject() (
                   s"attribute ${attribute.category}:${attribute.`type`} (${attribute.tags}) is converted to observable $observableType with tags $additionalTags"
                 )
                 (
-                  Observable(attribute.comment, 0, ioc = false, sighted = false, ignoreSimilarity = None),
-                  observableType,
-                  attribute.tags.map(_.name).toSet ++ additionalTags,
+                  Observable(
+                    message = attribute.comment,
+                    tlp = 0,
+                    ioc = false,
+                    sighted = false,
+                    ignoreSimilarity = None,
+                    dataType = observableType.name,
+                    tags = additionalTags ++ attribute.tags.map(_.name)
+                  ),
                   Left(value)
                 )
             }
@@ -161,73 +181,62 @@ class MispImportSrv @Inject() (
   ): Option[Date] = {
     val lastOrgSynchro = client
       .organisationFilter(organisationSrv.startTraversal)
-      .group(
-        _.by,
-        _.by(
-          _.alerts
-            .filterBySource(mispOrganisation)
-            .filterByType("misp")
-            .value(a => a.lastSyncDate)
-            .max
-        )
-      )
-      .head
-      .values
+      .notAdmin
+      ._id
+      .toIterator
+      .flatMap { orgId =>
+        alertSrv
+          .startTraversal
+          .filterBySource(mispOrganisation)
+          .filterByType("misp")
+          .has(_.organisationId, orgId)
+          .value(a => a.lastSyncDate)
+          .max
+          .headOption
+      }
+      .toSeq
 
     if (lastOrgSynchro.size == organisations.size && organisations.nonEmpty) Some(lastOrgSynchro.min)
     else None
   }
 
-  def updateOrCreateObservable(
+  def updateOrCreateSimpleObservable(
       alert: Alert with Entity,
       observable: Observable,
-      observableType: ObservableType with Entity,
-      data: String,
-      tags: Set[String],
-      creation: Boolean
-  )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-
-    val existingObservable =
-      if (creation) None
-      else
-        alertSrv
-          .get(alert)
-          .observables
-          .filterOnType(observableType.name)
-          .filterOnData(data)
-          .richObservable
-          .headOption
-    existingObservable match {
-      case None =>
-        logger.debug(s"Observable ${observableType.name}:$data doesn't exist, create it")
-        for {
-          richObservable <- observableSrv.create(observable, observableType, data, tags, Nil)
-          _              <- alertSrv.addObservable(alert, richObservable)
-        } yield ()
-      case Some(richObservable) =>
-        logger.debug(s"Observable ${observableType.name}:$data exists, update it")
-        for {
-          updatedObservable <-
-            observableSrv
-              .get(richObservable.observable)
-              .when(richObservable.message != observable.message)(_.update(_.message, observable.message))
-              .when(richObservable.tlp != observable.tlp)(_.update(_.tlp, observable.tlp))
-              .when(richObservable.ioc != observable.ioc)(_.update(_.ioc, observable.ioc))
-              .when(richObservable.sighted != observable.sighted)(_.update(_.sighted, observable.sighted))
-              .getOrFail("Observable")
-          _ <- observableSrv.updateTagNames(updatedObservable, tags)
-        } yield ()
-    }
-  }
+      data: String
+  )(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    alertSrv
+      .createObservable(alert, observable, data)
+      .map(_ => ())
+      .recoverWith {
+        case _: CreateError =>
+          for {
+            richObservable <-
+              observableSrv
+                .startTraversal
+                .has(_.organisationIds, organisationSrv.currentId)
+                .has(_.relatedId, alert._id)
+                .has(_.data, data)
+                .richObservable
+                .getOrFail("Observable")
+            _ <-
+              observableSrv
+                .get(richObservable.observable)
+                .when(richObservable.message != observable.message)(_.update(_.message, observable.message))
+                .when(richObservable.tlp != observable.tlp)(_.update(_.tlp, observable.tlp))
+                .when(richObservable.ioc != observable.ioc)(_.update(_.ioc, observable.ioc))
+                .when(richObservable.sighted != observable.sighted)(_.update(_.sighted, observable.sighted))
+                .when(richObservable.tags.toSet != observable.tags.toSet)(_.update(_.tags, observable.tags))
+                .getOrFail("Observable")
+          } yield ()
+      }
 
-  def updateOrCreateObservable(
+  def updateOrCreateAttachmentObservable(
       alert: Alert with Entity,
       observable: Observable,
-      observableType: ObservableType with Entity,
       filename: String,
       contentType: String,
       src: Source[ByteString, _],
-      tags: Set[String],
       creation: Boolean
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     val existingObservable =
@@ -236,40 +245,37 @@ class MispImportSrv @Inject() (
         alertSrv
           .get(alert)
           .observables
-          .filterOnType(observableType.name)
+          .filterOnType(observable.dataType)
           .filterOnAttachmentName(filename)
           .filterOnAttachmentName(contentType)
           .richObservable
           .headOption
     existingObservable match {
       case None =>
-        logger.debug(s"Observable ${observableType.name}:$filename:$contentType doesn't exist, create it")
+        logger.debug(s"Observable ${observable.dataType}:$filename:$contentType doesn't exist, create it")
         val file = Files.createTempFile("misp-attachment-", "")
         Await.result(src.runWith(FileIO.toPath(file)), 1.hour)
         val fFile = FFile(filename, file, contentType)
-        for {
-          createdAttachment <- attachmentSrv.create(fFile)
-          richObservable    <- observableSrv.create(observable, observableType, createdAttachment, tags, Nil)
-          _                 <- alertSrv.addObservable(alert, richObservable)
-          _ = Files.delete(file)
-        } yield ()
+        val res   = alertSrv.createObservable(alert, observable, fFile).map(_ => ())
+        Files.delete(file)
+        res
       case Some(richObservable) =>
-        logger.debug(s"Observable ${observableType.name}:$filename:$contentType exists, update it")
+        logger.debug(s"Observable ${observable.dataType}:$filename:$contentType exists, update it")
         for {
-          updatedObservable <-
+          _ <-
             observableSrv
               .get(richObservable.observable)
               .when(richObservable.message != observable.message)(_.update(_.message, observable.message))
               .when(richObservable.tlp != observable.tlp)(_.update(_.tlp, observable.tlp))
               .when(richObservable.ioc != observable.ioc)(_.update(_.ioc, observable.ioc))
               .when(richObservable.sighted != observable.sighted)(_.update(_.sighted, observable.sighted))
+              .when(richObservable.tags.toSet != observable.tags.toSet)(_.update(_.tags, observable.tags))
               .getOrFail("Observable")
-          _ <- observableSrv.updateTagNames(updatedObservable, tags)
         } yield ()
     }
   }
 
-  def importAttibutes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
+  def importAttributes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
       graph: Graph,
       authContext: AuthContext
   ): Unit = {
@@ -282,28 +288,35 @@ class MispImportSrv @Inject() (
         .fold(
           Map.empty[
             (String, String),
-            (Observable, ObservableType with Entity, Set[String], Either[String, (String, String, Source[ByteString, _])])
+            (Observable, Either[String, (String, String, Source[ByteString, _])])
           ]
         ) {
-          case (distinctMap, data @ (_, t, _, Left(d)))          => distinctMap + ((t.name, d) -> data)
-          case (distinctMap, data @ (_, t, _, Right((n, _, _)))) => distinctMap + ((t.name, n) -> data)
+          case (distinctMap, data @ (obs, Left(d)))          => distinctMap + ((obs.dataType, d) -> data)
+          case (distinctMap, data @ (obs, Right((n, _, _)))) => distinctMap + ((obs.dataType, n) -> data)
         }
         .mapConcat { m =>
           m.values.toList
         }
-        .runWith(Sink.queue[(Observable, ObservableType with Entity, Set[String], Either[String, (String, String, Source[ByteString, _])])])
+        .runWith(Sink.queue[(Observable, Either[String, (String, String, Source[ByteString, _])])])
     QueueIterator(queue).foreach {
-      case (observable, observableType, tags, Left(data)) =>
-        updateOrCreateObservable(alert, observable, observableType, data, tags ++ client.observableTags, lastSynchro.isEmpty)
+      case (observable, Left(data)) =>
+        updateOrCreateSimpleObservable(alert, observable, data)
           .recover {
             case error =>
-              logger.error(s"Unable to create observable $observable ${observableType.name}:$data", error)
+              logger.error(s"Unable to create observable $observable", error)
           }
-      case (observable, observableType, tags, Right((filename, contentType, src))) =>
-        updateOrCreateObservable(alert, observable, observableType, filename, contentType, src, tags ++ client.observableTags, lastSynchro.isEmpty)
+      case (observable, Right((filename, contentType, src))) =>
+        updateOrCreateAttachmentObservable(
+          alert,
+          observable,
+          filename,
+          contentType,
+          src,
+          lastSynchro.isEmpty
+        )
           .recover {
             case error =>
-              logger.error(s"Unable to create observable $observable ${observableType.name}:$filename", error)
+              logger.error(s"Unable to create observable $observable: $filename", error)
           }
     }
 
@@ -320,7 +333,7 @@ class MispImportSrv @Inject() (
       .toIterator
       .foreach { obs =>
         logger.debug(s"Delete  $obs")
-        observableSrv.remove(obs).recover {
+        observableSrv.delete(obs).recover {
           case error => logger.error(s"Fail to delete observable $obs", error)
         }
       }
@@ -336,11 +349,11 @@ class MispImportSrv @Inject() (
       caseTemplate: Option[CaseTemplate with Entity]
   )(implicit graph: Graph, authContext: AuthContext): Try[(Alert with Entity, JsObject)] = {
     logger.debug(s"updateOrCreateAlert ${client.name}#${event.id} for organisation ${organisation.name}")
-    eventToAlert(client, event).flatMap { alert =>
-      organisationSrv
-        .get(organisation)
-        .alerts
+    eventToAlert(client, event, organisation._id).flatMap { alert =>
+      alertSrv
+        .startTraversal
         .getBySourceId("misp", mispOrganisation, event.id)
+        .has(_.organisationId, organisation._id)
         .richAlert
         .headOption match {
         case None => // if the related alert doesn't exist, create it
@@ -370,7 +383,7 @@ class MispImportSrv @Inject() (
             )
           val tags = event.tags.map(_.name)
           for {
-            (addedTags, removedTags) <- alertSrv.updateTagNames(richAlert.alert, tags.toSet)
+            (addedTags, removedTags) <- alertSrv.updateTags(richAlert.alert, tags.toSet)
             updatedAlert             <- updatedAlertTraversal.getOrFail("Alert")
             updatedFieldWithTags =
               if (addedTags.nonEmpty || removedTags.nonEmpty) updatedFields + ("tags" -> JsArray(tags.map(JsString))) else updatedFields
@@ -393,7 +406,7 @@ class MispImportSrv @Inject() (
 
           logger.debug(s"Get eligible organisations")
           val organisations = db.roTransaction { implicit graph =>
-            client.organisationFilter(organisationSrv.startTraversal).toSeq
+            client.organisationFilter(organisationSrv.startTraversal).notAdmin.toSeq
           }
           val lastSynchro = db.roTransaction { implicit graph =>
             getLastSyncDate(client, mispOrganisation, organisations)
@@ -412,7 +425,7 @@ class MispImportSrv @Inject() (
                   updateOrCreateAlert(client, organisation, mispOrganisation, event, caseTemplate)
                     .map {
                       case (alert, updatedFields) =>
-                        importAttibutes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
+                        importAttributes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
                         (alert, updatedFields)
                     }
                     .recoverWith {
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala
index 176b6bec4a..83c91a33a7 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/TheHiveMispClient.scala
@@ -1,7 +1,6 @@
 package org.thp.thehive.connector.misp.services
 
 import akka.stream.Materializer
-import javax.inject.Inject
 import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.thp.client.{Authentication, ProxyWS, ProxyWSConfig}
 import org.thp.misp.client.{MispClient, MispPurpose}
@@ -13,6 +12,7 @@ import play.api.libs.json._
 import play.api.libs.ws.WSClient
 import play.api.libs.ws.ahc.AhcWSClientConfig
 
+import javax.inject.Inject
 import scala.concurrent.duration.Duration
 import scala.concurrent.{ExecutionContext, Future}
 
diff --git a/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/MispImportSrvTest.scala b/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/MispImportSrvTest.scala
index 46d2746f1c..45e2ee97cb 100644
--- a/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/MispImportSrvTest.scala
+++ b/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/MispImportSrvTest.scala
@@ -3,15 +3,21 @@ package org.thp.thehive.connector.misp.services
 import akka.stream.Materializer
 import akka.stream.scaladsl.Sink
 import org.thp.misp.dto.{Event, Organisation, Tag, User}
-import org.thp.scalligraph.AppBuilder
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.scalligraph.models.DummyUserSrv
+import org.thp.scalligraph.models.{Database, DummyUserSrv}
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.{AppBuilder, EntityName}
 import org.thp.thehive.TestAppBuilder
-import org.thp.thehive.models.Permissions
+import org.thp.thehive.models.{Alert, Permissions}
+import org.thp.thehive.services.AlertOps._
+import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.{AlertSrv, OrganisationSrv}
 import play.api.test.PlaySpecification
 
 import java.util.{Date, UUID}
 import scala.concurrent.ExecutionContext
+import scala.concurrent.duration.DurationInt
 
 class MispImportSrvTest(implicit ec: ExecutionContext) extends PlaySpecification with TestAppBuilder {
   sequential
@@ -58,50 +64,57 @@ class MispImportSrvTest(implicit ec: ExecutionContext) extends PlaySpecification
           attributeCount = Some(11),
           distribution = 1,
           attributes = Nil,
-          tags = Seq(Tag(Some("1"), "TH-test", Some(0x36a3a3), None), Tag(Some("2"), "TH-test-2", Some(0x1ac7c7), None))
+          tags = Seq(Tag(Some("1"), "TH-test", Some("#36a3a3"), None), Tag(Some("2"), "TH-test-2", Some("#1ac7c7"), None))
         )
       )
     }
   }
 
-//  "MISP service" should {
-//    "import events" in testApp { app =>
-//      app[Database].roTransaction { implicit graph =>
-//        app[MispImportSrv].syncMispEvents(app[TheHiveMispClient])
-//        app[AlertSrv].startTraversal.getBySourceId("misp", "ORGNAME", "1").visible.getOrFail("Alert")
-//      } must beSuccessfulTry(
-//        Alert(
-//          `type` = "misp",
-//          source = "ORGNAME",
-//          sourceRef = "1",
-//          externalLink = Some("https://misp.test/events/1"),
-//          title = "#1 test1 -> 1.2",
-//          description = s"Imported from MISP Event #1, created at ${Event.simpleDateFormat.parse("2019-08-23")}",
-//          severity = 3,
-//          date = Event.simpleDateFormat.parse("2019-08-23"),
-//          lastSyncDate = new Date(1566913355000L),
-//          tlp = 2,
-//          pap = 2,
-//          read = false,
-//          follow = true
-//        )
-//      ).eventually(5, 100.milliseconds)
-//
-//      val observables = app[Database]
-//        .roTransaction { implicit graph =>
-//          app[OrganisationSrv]
-//            .get(EntityName("admin"))
-//            .alerts
-//            .getBySourceId("misp", "ORGNAME", "1")
-//            .observables
-//            .richObservable
-//            .toList
-//        }
-//        .map(o => (o.`type`.name, o.data.map(_.data), o.tlp, o.message, o.tags.map(_.toString).toSet))
-////        println(observables.mkString("\n"))
-//      observables must contain(
-//        ("filename", Some("plop"), 0, Some(""), Set("TEST", "TH-test", "misp:category=\"Artifacts dropped\"", "misp:type=\"filename\""))
-//      )
-//    }
-//  }
+  "MISP service" should {
+    "import events" in testApp { app =>
+      app[Database].roTransaction { implicit graph =>
+        app[MispImportSrv].syncMispEvents(app[TheHiveMispClient])
+        app[AlertSrv].startTraversal.getBySourceId("misp", "ORGNAME", "1").visible(app[OrganisationSrv]).getOrFail("Alert")
+      } must beSuccessfulTry
+        .which { alert: Alert =>
+          alert must beEqualTo(
+            Alert(
+              `type` = "misp",
+              source = "ORGNAME",
+              sourceRef = "1",
+              externalLink = Some("https://misp.test/events/1"),
+              title = "#1 test1 -> 1.2",
+              description = s"Imported from MISP Event #1, created at ${Event.simpleDateFormat.parse("2019-08-23")}",
+              severity = 3,
+              date = Event.simpleDateFormat.parse("2019-08-23"),
+              lastSyncDate = new Date(1566913355000L),
+              tlp = 2,
+              pap = 2,
+              read = false,
+              follow = true,
+              tags = Seq("TH-test", "TH-test-2"),
+              organisationId = alert.organisationId,
+              caseId = None
+            )
+          )
+        }
+        .eventually(5, 100.milliseconds)
+
+      val observables = app[Database]
+        .roTransaction { implicit graph =>
+          app[OrganisationSrv]
+            .get(EntityName("admin"))
+            .alerts
+            .getBySourceId("misp", "ORGNAME", "1")
+            .observables
+            .richObservable
+            .toList
+        }
+        .map(o => (o.dataType, o.data, o.tlp, o.message, o.tags.toSet))
+//        println(observables.mkString("\n"))
+      observables must contain(
+        ("filename", Some("plop"), 0, Some(""), Set("TEST", "TH-test", "misp:category=\"Artifacts dropped\"", "misp:type=\"filename\""))
+      )
+    }
+  }
 }
diff --git a/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala b/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala
index 1cea733c7d..ef1580e999 100644
--- a/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala
+++ b/misp/connector/src/test/scala/org/thp/thehive/connector/misp/services/TestMispClientProvider.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.connector.misp.services
 
-import javax.inject.{Inject, Provider}
 import mockws.MockWS
 import org.thp.client.NoAuthentication
 import org.thp.misp.client.MispPurpose
@@ -9,6 +8,7 @@ import play.api.libs.json.{JsValue, Json}
 import play.api.mvc.{DefaultActionBuilder, Results}
 import play.api.test.Helpers.{GET, POST}
 
+import javax.inject.{Inject, Provider}
 import scala.concurrent.ExecutionContext
 import scala.io.Source
 
diff --git a/package/debian/postinst b/package/debian/postinst
index 05daa43d5a..579cda1bd0 100755
--- a/package/debian/postinst
+++ b/package/debian/postinst
@@ -86,7 +86,9 @@ case "$1" in
     fi
 
     # Chown definitions created by SBT Native Packager
-    chown thehive:thehive /var/log/thehive
+    mkdir -p /var/log/thehive /opt/thp/thehive/index /opt/thp/thehive/database /opt/thp/thehive/files
+    touch /var/log/thehive/application.log
+    chown -R thehive:thehive /var/log/thehive /opt/thp/thehive/index /opt/thp/thehive/database /opt/thp/thehive/files
     chown root:thehive /etc/thehive/application.conf /etc/thehive/logback.xml /etc/thehive/secret.conf
     chmod 0640 /etc/thehive/application.conf /etc/thehive/logback.xml /etc/thehive/secret.conf
     test -x /bin/systemctl && /bin/systemctl daemon-reload || /bin/true
diff --git a/package/docker/Dockerfile b/package/docker/Dockerfile
index 6c25d72119..e9d948976d 100644
--- a/package/docker/Dockerfile
+++ b/package/docker/Dockerfile
@@ -55,6 +55,7 @@ RUN apt update && \
   mkdir /etc/thehive && \
   cp /opt/thehive/conf/logback.xml /etc/thehive/logback.xml && \
   chown -R root:root /opt/thehive && \
+  touch /var/log/thehive/application.log && \
   chown -R thehive:thehive /var/log/thehive /etc/thehive && \
   chmod +x /opt/thehive/entrypoint
 
diff --git a/package/rpm/post b/package/rpm/post
index 46e824ed8c..75db4f60ee 100644
--- a/package/rpm/post
+++ b/package/rpm/post
@@ -10,4 +10,9 @@ chown root:thehive /etc/thehive/application.conf /etc/thehive/logback.xml /etc/t
 chmod 0640 /etc/thehive/application.conf /etc/thehive/logback.xml /etc/thehive/secret.conf
 if test -x /bin/systemctl; then
  	/bin/systemctl daemon-reload || /bin/true
- fi
\ No newline at end of file
+ fi
+
+mkdir -p /var/log/thehive /opt/thp/thehive/index /opt/thp/thehive/database /opt/thp/thehive/files
+touch /var/log/thehive/application.log
+chown -R thehive:thehive /var/log/thehive /opt/thp/thehive/index /opt/thp/thehive/database /opt/thp/thehive/files
+
diff --git a/project/Common.scala b/project/Common.scala
index fea0713905..8885bb0b11 100644
--- a/project/Common.scala
+++ b/project/Common.scala
@@ -1,5 +1,4 @@
 import java.io.File
-
 import scala.util.matching.Regex
 
 object Common {
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 8b8c345296..9c904e468a 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -1,61 +1,51 @@
 import sbt._
 
 object Dependencies {
-  val janusVersion        = "0.5.2"
+  val janusVersion        = "0.5.3"
   val akkaVersion: String = play.core.PlayVersion.akkaVersion
-  val elastic4sVersion    = "6.7.4"
+  val elastic4sVersion    = "7.10.2"
 
   lazy val specs                   = "com.typesafe.play"        %% "play-specs2"                        % play.core.PlayVersion.current
   lazy val playLogback             = "com.typesafe.play"        %% "play-logback"                       % play.core.PlayVersion.current
   lazy val playGuice               = "com.typesafe.play"        %% "play-guice"                         % play.core.PlayVersion.current
   lazy val playFilters             = "com.typesafe.play"        %% "filters-helpers"                    % play.core.PlayVersion.current
   lazy val playMockws              = "de.leanovate.play-mockws" %% "play-mockws"                        % "2.8.0"
+  lazy val akkaActor               = "com.typesafe.akka"        %% "akka-actor"                         % akkaVersion
   lazy val akkaCluster             = "com.typesafe.akka"        %% "akka-cluster"                       % akkaVersion
   lazy val akkaClusterTools        = "com.typesafe.akka"        %% "akka-cluster-tools"                 % akkaVersion
   lazy val akkaClusterTyped        = "com.typesafe.akka"        %% "akka-cluster-typed"                 % akkaVersion
-  lazy val akkaHttp                = "com.typesafe.akka"        %% "akka-http"                          % "10.1.12"
-  lazy val akkaHttpXml             = "com.typesafe.akka"        %% "akka-http-xml"                      % "10.1.12"
-  lazy val janusGraph              = "org.janusgraph"           % "janusgraph"                          % janusVersion
-  lazy val janusGraphCore          = "org.janusgraph"           % "janusgraph-core"                     % janusVersion
-  lazy val janusGraphBerkeleyDB    = "org.janusgraph"           % "janusgraph-berkeleyje"               % janusVersion
-  lazy val janusGraphHBase         = "org.janusgraph"           % "janusgraph-hbase"                    % janusVersion
-  lazy val janusGraphLucene        = "org.janusgraph"           % "janusgraph-lucene"                   % janusVersion
-  lazy val janusGraphElasticSearch = "org.janusgraph"           % "janusgraph-es"                       % janusVersion
-  lazy val janusGraphCassandra     = "org.janusgraph"           % "janusgraph-cql"                      % janusVersion
-  lazy val janusGraphInMemory      = "org.janusgraph"           % "janusgraph-inmemory"                 % janusVersion
-  lazy val janusGraphDriver        = "org.janusgraph"           % "janusgraph-driver"                   % janusVersion
-  lazy val tinkerpop               = "org.apache.tinkerpop"     % "gremlin-core"                        % "3.4.7"
-  lazy val gremlinScala            = "com.michaelpollmeier"     %% "gremlin-scala"                      % "3.4.4.5"
-  lazy val gremlinOrientdb         = "com.orientechnologies"    % "orientdb-gremlin"                    % "3.0.18"
-  lazy val hbaseClient             = "org.apache.hbase"         % "hbase-shaded-client"                 % "1.4.9" exclude ("org.slf4j", "slf4j-log4j12")
-  lazy val scalactic               = "org.scalactic"            %% "scalactic"                          % "3.1.1"
-  lazy val scalaGuice              = "net.codingwell"           %% "scala-guice"                        % "4.2.6"
-  lazy val sangria                 = "org.sangria-graphql"      %% "sangria"                            % "1.4.2"
-  lazy val sangriaPlay             = "org.sangria-graphql"      %% "sangria-play-json"                  % "1.0.5"
+  lazy val akkaHttp                = "com.typesafe.akka"        %% "akka-http"                          % play.core.PlayVersion.akkaHttpVersion
+  lazy val akkaHttpXml             = "com.typesafe.akka"        %% "akka-http-xml"                      % play.core.PlayVersion.akkaHttpVersion
+  lazy val janusGraph              = "org.janusgraph"            % "janusgraph"                         % janusVersion
+  lazy val janusGraphCore          = "org.janusgraph"            % "janusgraph-core"                    % janusVersion
+  lazy val janusGraphBerkeleyDB    = "org.janusgraph"            % "janusgraph-berkeleyje"              % janusVersion
+  lazy val janusGraphLucene        = "org.janusgraph"            % "janusgraph-lucene"                  % janusVersion
+  lazy val janusGraphElasticSearch = "org.janusgraph"            % "janusgraph-es"                      % janusVersion
+  lazy val janusGraphCassandra     = "org.janusgraph"            % "janusgraph-cql"                     % janusVersion
+  lazy val janusGraphInMemory      = "org.janusgraph"            % "janusgraph-inmemory"                % janusVersion
+  lazy val tinkerpop               = "org.apache.tinkerpop"      % "gremlin-core"                       % "3.4.6" // align with janusgraph
+  lazy val scalactic               = "org.scalactic"            %% "scalactic"                          % "3.2.3"
+  lazy val scalaGuice              = "net.codingwell"           %% "scala-guice"                        % "4.2.11"
   lazy val shapeless               = "com.chuusai"              %% "shapeless"                          % "2.3.3"
-  lazy val bouncyCastle            = "org.bouncycastle"         % "bcprov-jdk15on"                      % "1.65"
-  lazy val neo4jGremlin            = "org.apache.tinkerpop"     % "neo4j-gremlin"                       % "3.3.4"
-  lazy val neo4jTinkerpop          = "org.neo4j"                % "neo4j-tinkerpop-api-impl"            % "0.7-3.2.3" exclude ("org.slf4j", "slf4j-nop")
-  lazy val apacheConfiguration     = "commons-configuration"    % "commons-configuration"               % "1.10"
-  lazy val macroParadise           = "org.scalamacros"          % "paradise"                            % "2.1.1" cross CrossVersion.full
-  lazy val chimney                 = "io.scalaland"             %% "chimney"                            % "0.4.0"
+  lazy val bouncyCastle            = "org.bouncycastle"          % "bcprov-jdk15on"                     % "1.68"
+  lazy val apacheConfiguration     = "commons-configuration"     % "commons-configuration"              % "1.10"
+  lazy val macroParadise           = "org.scalamacros"           % "paradise"                           % "2.1.1" cross CrossVersion.full
+  lazy val chimney                 = "io.scalaland"             %% "chimney"                            % "0.6.1"
   lazy val elastic4sCore           = "com.sksamuel.elastic4s"   %% "elastic4s-core"                     % elastic4sVersion
   lazy val elastic4sHttpStreams    = "com.sksamuel.elastic4s"   %% "elastic4s-http-streams"             % elastic4sVersion
-  lazy val elastic4sHttp           = "com.sksamuel.elastic4s"   %% "elastic4s-http"                     % elastic4sVersion
-  lazy val log4jOverSlf4j          = "org.slf4j"                % "log4j-over-slf4j"                    % "1.7.25"
-  lazy val log4jToSlf4j            = "org.apache.logging.log4j" % "log4j-to-slf4j"                      % "2.9.1"
-  lazy val reflections             = "org.reflections"          % "reflections"                         % "0.9.12"
-  lazy val hadoopClient            = "org.apache.hadoop"        % "hadoop-client"                       % "3.2.1"
-  lazy val zip4j                   = "net.lingala.zip4j"        % "zip4j"                               % "2.3.1"
-  lazy val alpakka                 = "com.lightbend.akka"       %% "akka-stream-alpakka-json-streaming" % "1.1.2"
-  lazy val handlebars              = "com.github.jknack"        % "handlebars"                          % "4.1.2"
-  lazy val playMailer              = "com.typesafe.play"        %% "play-mailer"                        % "7.0.1"
-  lazy val playMailerGuice         = "com.typesafe.play"        %% "play-mailer-guice"                  % "7.0.1"
-  lazy val jts                     = "com.vividsolutions"       % "jts"                                 % "1.13"
+  lazy val elastic4sClient         = "com.sksamuel.elastic4s"   %% "elastic4s-client-esjava"            % elastic4sVersion
+  lazy val reflections             = "org.reflections"           % "reflections"                        % "0.9.12"
+  lazy val hadoopClient            = "org.apache.hadoop"         % "hadoop-client"                      % "3.3.0"
+  lazy val zip4j                   = "net.lingala.zip4j"         % "zip4j"                              % "2.6.4"
+  lazy val alpakka                 = "com.lightbend.akka"       %% "akka-stream-alpakka-json-streaming" % "2.0.2"
+  lazy val handlebars              = "com.github.jknack"         % "handlebars"                         % "4.2.0"
+  lazy val playMailer              = "com.typesafe.play"        %% "play-mailer"                        % "8.0.1"
+  lazy val playMailerGuice         = "com.typesafe.play"        %% "play-mailer-guice"                  % "8.0.1"
   lazy val pbkdf2                  = "io.github.nremond"        %% "pbkdf2-scala"                       % "0.6.5"
-  lazy val alpakkaS3               = "com.lightbend.akka"       %% "akka-stream-alpakka-s3"             % "1.1.2"
-  lazy val commonCodec             = "commons-codec"            % "commons-codec"                       % "1.11"
-  lazy val scopt                   = "com.github.scopt"         %% "scopt"                              % "4.0.0-RC2"
+  lazy val alpakkaS3               = "com.lightbend.akka"       %% "akka-stream-alpakka-s3"             % "2.0.2"
+  lazy val commonCodec             = "commons-codec"             % "commons-codec"                      % "1.15"
+  lazy val scopt                   = "com.github.scopt"         %% "scopt"                              % "4.0.0"
+  lazy val aix                     = "ai.x"                     %% "play-json-extensions"               % "0.42.0"
 
   def scalaReflect(scalaVersion: String)  = "org.scala-lang" % "scala-reflect"  % scalaVersion
   def scalaCompiler(scalaVersion: String) = "org.scala-lang" % "scala-compiler" % scalaVersion
diff --git a/project/build.properties b/project/build.properties
index c06db1bb2e..d91c272d4e 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.4.5
+sbt.version=1.4.6
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 171541c183..3cc2c244d7 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -1,3 +1,3 @@
-addSbtPlugin("com.typesafe.play"   % "sbt-plugin"           % "2.8.5")
+addSbtPlugin("com.typesafe.play"   % "sbt-plugin"           % "2.8.7")
 addSbtPlugin("org.scalameta"       % "sbt-scalafmt"         % "2.3.0")
 addSbtPlugin("org.thehive-project" % "sbt-github-changelog" % "0.3.0")
diff --git a/sbt b/sbt
index 2fad435eaf..abd0ae1b19 100755
--- a/sbt
+++ b/sbt
@@ -3,14 +3,42 @@
 # A more capable sbt runner, coincidentally also called sbt.
 # Author: Paul Phillips <paulp@improving.org>
 # https://github.com/paulp/sbt-extras
+#
+# Generated from http://www.opensource.org/licenses/bsd-license.php
+# Copyright (c) 2011, Paul Phillips. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#     * Neither the name of the author nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 set -o pipefail
 
-declare -r sbt_release_version="1.3.6"
-declare -r sbt_unreleased_version="1.3.6"
+declare -r sbt_release_version="1.4.6"
+declare -r sbt_unreleased_version="1.4.6"
 
-declare -r latest_213="2.13.1"
-declare -r latest_212="2.12.10"
+declare -r latest_213="2.13.4"
+declare -r latest_212="2.12.12"
 declare -r latest_211="2.11.12"
 declare -r latest_210="2.10.7"
 declare -r latest_29="2.9.3"
@@ -24,7 +52,7 @@ declare -r sbt_launch_mvn_release_repo="https://repo.scala-sbt.org/scalasbt/mave
 declare -r sbt_launch_mvn_snapshot_repo="https://repo.scala-sbt.org/scalasbt/maven-snapshots"
 
 declare -r default_jvm_opts_common="-Xms512m -Xss2m -XX:MaxInlineLevel=18"
-declare -r noshare_opts="-Dsbt.global.base=project/.sbtboot -Dsbt.boot.directory=project/.boot -Dsbt.ivy.home=project/.ivy"
+declare -r noshare_opts="-Dsbt.global.base=project/.sbtboot -Dsbt.boot.directory=project/.boot -Dsbt.ivy.home=project/.ivy -Dsbt.coursier.home=project/.coursier"
 
 declare sbt_jar sbt_dir sbt_create sbt_version sbt_script sbt_new
 declare sbt_explicit_version
@@ -99,6 +127,7 @@ init_default_option_file() {
 }
 
 sbt_opts_file="$(init_default_option_file SBT_OPTS .sbtopts)"
+sbtx_opts_file="$(init_default_option_file SBTX_OPTS .sbtxopts)"
 jvm_opts_file="$(init_default_option_file JVM_OPTS .jvmopts)"
 
 build_props_sbt() {
@@ -218,11 +247,18 @@ java_version() {
   echo "$version"
 }
 
+is_apple_silicon() { [[ "$(uname -s)" == "Darwin" && "$(uname -m)" == "arm64" ]]; }
+
 # MaxPermSize critical on pre-8 JVMs but incurs noisy warning on 8+
 default_jvm_opts() {
   local -r v="$(java_version)"
   if [[ $v -ge 10 ]]; then
-    echo "$default_jvm_opts_common -XX:+UnlockExperimentalVMOptions -XX:+UseJVMCICompiler"
+    if is_apple_silicon; then
+      # As of Dec 2020, JVM for Apple Silicon (M1) doesn't support JVMCI
+      echo "$default_jvm_opts_common"
+    else
+      echo "$default_jvm_opts_common -XX:+UnlockExperimentalVMOptions -XX:+UseJVMCICompiler"
+    fi
   elif [[ $v -ge 8 ]]; then
     echo "$default_jvm_opts_common"
   else
@@ -230,14 +266,6 @@ default_jvm_opts() {
   fi
 }
 
-build_props_scala() {
-  if [[ -r "$buildProps" ]]; then
-    versionLine="$(grep '^build.scala.versions' "$buildProps")"
-    versionString="${versionLine##build.scala.versions=}"
-    echo "${versionString%% .*}"
-  fi
-}
-
 execRunner() {
   # print the arguments one to a line, quoting any containing spaces
   vlog "# Executing command line:" && {
@@ -419,6 +447,12 @@ are not special.
                     Note: "@"-file is overridden by local '.sbtopts' or '-sbt-opts' argument.
   -sbt-opts <path>  file containing sbt args (if not given, .sbtopts in project root is used if present)
   -S-X              add -X to sbt's scalacOptions (-S is stripped)
+
+  # passing options exclusively to this runner
+  SBTX_OPTS         environment variable holding either the sbt-extras args directly, or
+                    the reference to a file containing sbt-extras args if given path is prepended by '@' (e.g. '@/etc/sbtxopts')
+                    Note: "@"-file is overridden by local '.sbtxopts' or '-sbtx-opts' argument.
+  -sbtx-opts <path> file containing sbt-extras args (if not given, .sbtxopts in project root is used if present)
 EOM
   exit 0
 }
@@ -444,7 +478,7 @@ process_args() {
       -trace)       require_arg integer "$1" "$2" && trace_level="$2" && shift 2 ;;
       -debug-inc)   addJava "-Dxsbt.inc.debug=true" && shift ;;
 
-      -no-colors)   addJava "-Dsbt.log.noformat=true" && shift ;;
+      -no-colors)   addJava "-Dsbt.log.noformat=true" && addJava "-Dsbt.color=false" && shift ;;
       -sbt-create)  sbt_create=true && shift ;;
       -sbt-dir)     require_arg path "$1" "$2" && sbt_dir="$2" && shift 2 ;;
       -sbt-boot)    require_arg path "$1" "$2" && addJava "-Dsbt.boot.directory=$2" && shift 2 ;;
@@ -475,6 +509,7 @@ process_args() {
       -scala-home)  require_arg path "$1" "$2" && setThisBuild scalaHome "_root_.scala.Some(file(\"$2\"))" && shift 2 ;;
       -java-home)   require_arg path "$1" "$2" && setJavaHome "$2" && shift 2 ;;
       -sbt-opts)    require_arg path "$1" "$2" && sbt_opts_file="$2" && shift 2 ;;
+      -sbtx-opts) require_arg path "$1" "$2" && sbtx_opts_file="$2" && shift 2 ;;
       -jvm-opts)    require_arg path "$1" "$2" && jvm_opts_file="$2" && shift 2 ;;
 
       -D*)          addJava "$1" && shift ;;
@@ -512,6 +547,18 @@ else
   vlog "No extra sbt options have been defined"
 fi
 
+# if there are file/environment sbtx_opts, process again so we
+# can supply args to this runner
+if [[ -r "$sbtx_opts_file" ]]; then
+  vlog "Using sbt options defined in file $sbtx_opts_file"
+  while read -r opt; do extra_sbt_opts+=("$opt"); done < <(readConfigFile "$sbtx_opts_file")
+elif [[ -n "$SBTX_OPTS" && ! ("$SBTX_OPTS" =~ ^@.*) ]]; then
+  vlog "Using sbt options defined in variable \$SBTX_OPTS"
+  IFS=" " read -r -a extra_sbt_opts <<<"$SBTX_OPTS"
+else
+  vlog "No extra sbt options have been defined"
+fi
+
 [[ -n "${extra_sbt_opts[*]}" ]] && process_args "${extra_sbt_opts[@]}"
 
 # reset "$@" to the residual args
diff --git a/thehive/app/org/thp/thehive/ClusterSetup.scala b/thehive/app/org/thp/thehive/ClusterSetup.scala
index 7a60a7f625..caebff6bbe 100644
--- a/thehive/app/org/thp/thehive/ClusterSetup.scala
+++ b/thehive/app/org/thp/thehive/ClusterSetup.scala
@@ -4,6 +4,7 @@ import akka.actor.{Actor, ActorSystem, Props}
 import akka.cluster.Cluster
 import akka.cluster.ClusterEvent.{InitialStateAsEvents, MemberEvent, _}
 import com.google.inject.Injector
+import org.thp.scalligraph.SingleInstance
 import play.api.{Configuration, Logger}
 
 import javax.inject.{Inject, Singleton}
@@ -13,9 +14,9 @@ class ClusterSetup @Inject() (
     configuration: Configuration,
     system: ActorSystem,
     injector: Injector
-) {
+) extends SingleInstance(configuration.get[Seq[String]]("akka.cluster.seed-nodes").isEmpty) {
   system.actorOf(Props[ClusterListener])
-  if (configuration.get[Seq[String]]("akka.cluster.seed-nodes").isEmpty) {
+  if (value) {
     val logger: Logger = Logger(getClass)
     logger.info("Initialising cluster")
     val cluster = Cluster(system)
diff --git a/thehive/app/org/thp/thehive/TheHiveModule.scala b/thehive/app/org/thp/thehive/TheHiveModule.scala
index 5edddcdc86..c3b10b6514 100644
--- a/thehive/app/org/thp/thehive/TheHiveModule.scala
+++ b/thehive/app/org/thp/thehive/TheHiveModule.scala
@@ -3,12 +3,13 @@ package org.thp.thehive
 import akka.actor.ActorRef
 import com.google.inject.AbstractModule
 import net.codingwell.scalaguice.{ScalaModule, ScalaMultibinder}
+import org.thp.scalligraph.SingleInstance
 import org.thp.scalligraph.auth._
-import org.thp.scalligraph.janus.JanusDatabase
-import org.thp.scalligraph.models.{Database, Schema}
+import org.thp.scalligraph.janus.JanusDatabaseProvider
+import org.thp.scalligraph.models.{Database, UpdatableSchema}
 import org.thp.scalligraph.services.{GenIntegrityCheckOps, HadoopStorageSrv, S3StorageSrv}
 import org.thp.thehive.controllers.v0.QueryExecutorVersion0Provider
-import org.thp.thehive.models.{DatabaseProvider, TheHiveSchemaDefinition}
+import org.thp.thehive.models.TheHiveSchemaDefinition
 import org.thp.thehive.services.notification.notifiers._
 import org.thp.thehive.services.notification.triggers._
 import org.thp.thehive.services.{UserSrv => _, _}
@@ -32,7 +33,7 @@ class TheHiveModule(environment: Environment, configuration: Configuration) exte
   override def configure(): Unit = {
 //    bind[UserSrv].to[LocalUserSrv]
     bind(classOf[UserSrv]).to(classOf[LocalUserSrv])
-//    bind[AuthSrv].toProvider[MultuAuthSrvProvider]
+//    bind[AuthSrv].toProvider[MultiAuthSrvProvider]
     bind(classOf[AuthSrv]).toProvider(classOf[TOTPAuthSrvProvider])
 
     val authBindings = ScalaMultibinder.newSetBinder[AuthSrvProvider](binder)
@@ -63,10 +64,9 @@ class TheHiveModule(environment: Environment, configuration: Configuration) exte
     notifierBindings.addBinding.to[WebhookProvider]
 
     configuration.get[String]("db.provider") match {
-      case "janusgraph" => bind[Database].to[JanusDatabase]
+      case "janusgraph" => bind[Database].toProvider[JanusDatabaseProvider]
       case other        => sys.error(s"Authentication provider [$other] is not recognized")
     }
-    bind[Database].annotatedWithName("with-thehive-schema").toProvider[DatabaseProvider]
 
     configuration.get[String]("storage.provider") match {
       case "localfs"  => bind(classOf[StorageSrv]).to(classOf[LocalFileSystemStorageSrv])
@@ -83,7 +83,7 @@ class TheHiveModule(environment: Environment, configuration: Configuration) exte
     queryExecutorBindings.addBinding.to[TheHiveQueryExecutorV1]
     bind[QueryExecutor].annotatedWithName("v0").toProvider[QueryExecutorVersion0Provider]
     ScalaMultibinder.newSetBinder[Connector](binder)
-    val schemaBindings = ScalaMultibinder.newSetBinder[Schema](binder)
+    val schemaBindings = ScalaMultibinder.newSetBinder[UpdatableSchema](binder)
     schemaBindings.addBinding.to[TheHiveSchemaDefinition]
 
     bindActor[ConfigActor]("config-actor")
@@ -106,7 +106,7 @@ class TheHiveModule(environment: Environment, configuration: Configuration) exte
 
     bind[ActorRef].annotatedWithName("flow-actor").toProvider[FlowActorProvider]
 
-    bind[ClusterSetup].asEagerSingleton()
+    bind[SingleInstance].to[ClusterSetup].asEagerSingleton()
     ()
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/dav/Router.scala b/thehive/app/org/thp/thehive/controllers/dav/Router.scala
index b746ba3ab7..d993ffb375 100644
--- a/thehive/app/org/thp/thehive/controllers/dav/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/dav/Router.scala
@@ -2,7 +2,6 @@ package org.thp.thehive.controllers.dav
 
 import akka.stream.scaladsl.StreamConverters
 import akka.util.ByteString
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -15,13 +14,13 @@ import play.api.routing.Router.Routes
 import play.api.routing.SimpleRouter
 import play.api.routing.sird._
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Success
 import scala.util.matching.Regex
 import scala.xml.{Node, NodeSeq}
 
 @Singleton
-class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-schema") db: Database, attachmentSrv: AttachmentSrv)
-    extends SimpleRouter {
+class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, db: Database, attachmentSrv: AttachmentSrv) extends SimpleRouter {
   lazy val logger: Logger = Logger(getClass)
 
   object PROPFIND {
diff --git a/thehive/app/org/thp/thehive/controllers/dav/VFS.scala b/thehive/app/org/thp/thehive/controllers/dav/VFS.scala
index ac2c7b8c16..7bdeff87d9 100644
--- a/thehive/app/org/thp/thehive/controllers/dav/VFS.scala
+++ b/thehive/app/org/thp/thehive/controllers/dav/VFS.scala
@@ -1,17 +1,18 @@
 package org.thp.thehive.controllers.dav
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.services.CaseOps._
-import org.thp.thehive.services.CaseSrv
 import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.{CaseSrv, OrganisationSrv}
+
+import javax.inject.{Inject, Singleton}
 
 @Singleton
-class VFS @Inject() (caseSrv: CaseSrv) {
+class VFS @Inject() (caseSrv: CaseSrv, organisationSrv: OrganisationSrv) {
 
   def get(path: List[String])(implicit graph: Graph, authContext: AuthContext): Seq[Resource] =
     path match {
@@ -45,7 +46,7 @@ class VFS @Inject() (caseSrv: CaseSrv) {
   def list(path: List[String])(implicit graph: Graph, authContext: AuthContext): Seq[Resource] =
     path match {
       case Nil | "" :: Nil       => List(StaticResource("cases"))
-      case "cases" :: Nil        => caseSrv.startTraversal.visible.toSeq.map(c => EntityResource(c, c.number.toString))
+      case "cases" :: Nil        => caseSrv.startTraversal.visible(organisationSrv).toSeq.map(c => EntityResource(c, c.number.toString))
       case "cases" :: cid :: Nil => List(StaticResource("observables"), StaticResource("tasks"))
       case "cases" :: cid :: "observables" :: Nil =>
         caseSrv
diff --git a/thehive/app/org/thp/thehive/controllers/v0/AlertCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/AlertCtrl.scala
index dd13a7bea7..da88cd00dd 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/AlertCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/AlertCtrl.scala
@@ -1,14 +1,23 @@
 package org.thp.thehive.controllers.v0
 
 import io.scalaland.chimney.dsl._
-import org.apache.tinkerpop.gremlin.structure.Graph
+import org.apache.tinkerpop.gremlin.process.traversal.{Compare, Contains}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers._
-import org.thp.scalligraph.models.{Database, UMapping}
+import org.thp.scalligraph.models.{Database, Entity, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IdentityConverter, IteratorOutput, Traversal}
-import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntityId, EntityIdOrName, EntityName, InvalidFormatAttributeError, RichSeq}
+import org.thp.scalligraph.traversal._
+import org.thp.scalligraph.{
+  AuthorizationError,
+  BadRequestError,
+  EntityId,
+  EntityIdOrName,
+  EntityName,
+  InvalidFormatAttributeError,
+  RichOptionTry,
+  RichSeq
+}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.{InputAlert, InputObservable, OutputSimilarCase}
 import org.thp.thehive.dto.v1.InputCustomFieldValue
@@ -18,14 +27,15 @@ import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.TagOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
-import play.api.libs.json.{JsArray, JsBoolean, JsNumber, JsObject, JsString, JsValue, Json}
+import play.api.libs.json.{JsArray, JsObject, JsValue, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 
-import java.util.{Base64, Date, List => JList, Map => JMap}
+import java.util.function.BiPredicate
+import java.util.{Base64, List => JList, Map => JMap}
 import javax.inject.{Inject, Named, Singleton}
+import scala.collection.JavaConverters._
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -33,14 +43,15 @@ class AlertCtrl @Inject() (
     override val entrypoint: Entrypoint,
     alertSrv: AlertSrv,
     caseTemplateSrv: CaseTemplateSrv,
-    observableSrv: ObservableSrv,
     observableTypeSrv: ObservableTypeSrv,
     attachmentSrv: AttachmentSrv,
     auditSrv: AuditSrv,
     userSrv: UserSrv,
     caseSrv: CaseSrv,
+    observableSrv: ObservableSrv,
+    organisationSrv: OrganisationSrv,
     override val publicData: PublicAlert,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor
 ) extends QueryCtrl {
   def create: Action[AnyContent] =
@@ -61,17 +72,15 @@ class AlertCtrl @Inject() (
               .organisations(Permissions.manageAlert)
               .get(request.organisation)
               .orFail(AuthorizationError("Operation not permitted"))
-          richObservables <- observables.toTry(createObservable).map(_.flatten)
-          richAlert       <- alertSrv.create(inputAlert.toAlert, organisation, inputAlert.tags, customFields, caseTemplate)
-          _               <- auditSrv.mergeAudits(richObservables.toTry(o => alertSrv.addObservable(richAlert.alert, o)))(_ => Success(()))
-          createdObservables = alertSrv.get(richAlert.alert).observables.richObservable.toSeq
+          richAlert          <- alertSrv.create(inputAlert.toAlert, organisation, inputAlert.tags, customFields, caseTemplate)
+          createdObservables <- auditSrv.mergeAudits(observables.toTry(createObservable(richAlert.alert, _)).map(_.flatten))(_ => Success(()))
         } yield Results.Created((richAlert -> createdObservables).toJson)
       }
 
   def alertSimilarityRenderer(implicit
       authContext: AuthContext
   ): Traversal.V[Alert] => Traversal[JsArray, JList[JMap[String, Any]], Converter[JsArray, JList[JMap[String, Any]]]] =
-    _.similarCases(None)
+    _.similarCases(organisationSrv, caseFilter = None)
       .fold
       .domainMap { similarCases =>
         JsArray {
@@ -87,7 +96,8 @@ class AlertCtrl @Inject() (
                 .withFieldComputed(_.id, _._id.toString)
                 .withFieldRenamed(_.number, _.caseId)
                 .withFieldComputed(_.status, _.status.toString)
-                .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+                .withFieldComputed(_.tags, _.tags.toSet)
+                .enableMethodAccessors
                 .transform
               Json.toJson(similarCase)
           }
@@ -102,7 +112,7 @@ class AlertCtrl @Inject() (
         val alert =
           alertSrv
             .get(EntityIdOrName(alertId))
-            .visible
+            .visible(organisationSrv)
         if (similarity.contains(true))
           alert
             .richAlertWithCustomRenderer(alertSimilarityRenderer(request))
@@ -110,7 +120,7 @@ class AlertCtrl @Inject() (
             .map {
               case (richAlert, similarCases) =>
                 val alertWithObservables: (RichAlert, Seq[RichObservable]) =
-                  richAlert -> alertSrv.get(richAlert.alert).observables.richObservableWithSeen.toSeq
+                  richAlert -> observableSrv.startTraversal.relatedTo(richAlert._id).richObservableWithSeen(organisationSrv).toSeq
 
                 Results.Ok(alertWithObservables.toJson.as[JsObject] + ("similarCases" -> similarCases))
             }
@@ -129,10 +139,10 @@ class AlertCtrl @Inject() (
   def update(alertIdOrName: String): Action[AnyContent] =
     entrypoint("update alert")
       .extract("alert", FieldsParser.update("alert", publicData.publicProperties))
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("alert")
         alertSrv
-          .update(_.get(EntityIdOrName(alertIdOrName)).can(Permissions.manageAlert), propertyUpdaters)
+          .update(_.get(EntityIdOrName(alertIdOrName)).visible(organisationSrv), propertyUpdaters)
           .flatMap { case (alertSteps, _) => alertSteps.richAlert.getOrFail("Alert") }
           .map { richAlert =>
             val alertWithObservables: (RichAlert, Seq[RichObservable]) = richAlert -> alertSrv.get(richAlert.alert).observables.richObservable.toSeq
@@ -142,12 +152,12 @@ class AlertCtrl @Inject() (
 
   def delete(alertIdOrName: String): Action[AnyContent] =
     entrypoint("delete alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
           alert <-
             alertSrv
               .get(EntityIdOrName(alertIdOrName))
-              .can(Permissions.manageAlert)
+              .visible(organisationSrv)
               .getOrFail("Alert")
           _ <- alertSrv.remove(alert)
         } yield Results.NoContent
@@ -156,7 +166,7 @@ class AlertCtrl @Inject() (
   def bulkDelete: Action[AnyContent] =
     entrypoint("bulk delete alerts")
       .extract("ids", FieldsParser.string.sequence.on("ids"))
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         val ids: Seq[String] = request.body("ids")
         ids
           .toTry { alertId =>
@@ -164,7 +174,7 @@ class AlertCtrl @Inject() (
               alert <-
                 alertSrv
                   .get(EntityIdOrName(alertId))
-                  .can(Permissions.manageAlert)
+                  .visible(organisationSrv)
                   .getOrFail("Alert")
               _ <- alertSrv.remove(alert)
             } yield ()
@@ -174,9 +184,9 @@ class AlertCtrl @Inject() (
 
   def mergeWithCase(alertIdOrName: String, caseIdOrName: String): Action[AnyContent] =
     entrypoint("merge alert with case")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
-          alert    <- alertSrv.get(EntityIdOrName(alertIdOrName)).can(Permissions.manageAlert).getOrFail("Alert")
+          alert    <- alertSrv.get(EntityIdOrName(alertIdOrName)).visible(organisationSrv).getOrFail("Alert")
           case0    <- caseSrv.get(EntityIdOrName(caseIdOrName)).can(Permissions.manageCase).getOrFail("Case")
           _        <- alertSrv.mergeInCase(alert, case0)
           richCase <- caseSrv.get(EntityIdOrName(caseIdOrName)).richCase.getOrFail("Case")
@@ -187,7 +197,7 @@ class AlertCtrl @Inject() (
     entrypoint("bulk merge with case")
       .extract("caseId", FieldsParser.string.on("caseId"))
       .extract("alertIds", FieldsParser.string.sequence.on("alertIds"))
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         val alertIds: Seq[String] = request.body("alertIds")
         val caseId: String        = request.body("caseId")
 
@@ -203,7 +213,7 @@ class AlertCtrl @Inject() (
               alert <-
                 alertSrv
                   .get(EntityIdOrName(alertId))
-                  .can(Permissions.manageAlert)
+                  .visible(organisationSrv)
                   .getOrFail("Alert")
               updatedCase <- alertSrv.mergeInCase(alert, case0)
             } yield updatedCase
@@ -214,12 +224,12 @@ class AlertCtrl @Inject() (
 
   def markAsRead(alertId: String): Action[AnyContent] =
     entrypoint("mark alert as read")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
           alert <-
             alertSrv
               .get(EntityIdOrName(alertId))
-              .can(Permissions.manageAlert)
+              .visible(organisationSrv)
               .getOrFail("Alert")
           _ <- alertSrv.markAsRead(alert._id)
           alertWithObservables <-
@@ -232,12 +242,12 @@ class AlertCtrl @Inject() (
 
   def markAsUnread(alertId: String): Action[AnyContent] =
     entrypoint("mark alert as unread")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
           alert <-
             alertSrv
               .get(EntityIdOrName(alertId))
-              .can(Permissions.manageAlert)
+              .visible(organisationSrv)
               .getOrFail("Alert")
           _ <- alertSrv.markAsUnread(alert._id)
           alertWithObservables <-
@@ -251,28 +261,31 @@ class AlertCtrl @Inject() (
   def createCase(alertId: String): Action[AnyContent] =
     entrypoint("create case from alert")
       .extract("caseTemplate", FieldsParser.string.optional.on("caseTemplate"))
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         val caseTemplate: Option[String] = request.body("caseTemplate")
         for {
-          (alert, organisation) <-
+          organisation <- organisationSrv.current.getOrFail("Organisation")
+          alert <-
             alertSrv
               .get(EntityIdOrName(alertId))
-              .can(Permissions.manageAlert)
-              .alertUserOrganisation(Permissions.manageCase)
+              .visible(organisationSrv)
+              .richAlert
               .getOrFail("Alert")
+          _ <- caseTemplate.map(ct => caseTemplateSrv.get(EntityIdOrName(ct)).visible.existsOrFail).flip
           alertWithCaseTemplate = caseTemplate.fold(alert)(ct => alert.copy(caseTemplate = Some(ct)))
-          richCase <- alertSrv.createCase(alertWithCaseTemplate, None, organisation)
+          assignee <- if (request.isPermitted(Permissions.manageCase)) userSrv.current.getOrFail("User").map(Some(_)) else Success(None)
+          richCase <- alertSrv.createCase(alertWithCaseTemplate, assignee, organisation)
         } yield Results.Created(richCase.toJson)
       }
 
   def followAlert(alertId: String): Action[AnyContent] =
     entrypoint("follow alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
           alert <-
             alertSrv
               .get(EntityIdOrName(alertId))
-              .can(Permissions.manageAlert)
+              .visible(organisationSrv)
               .getOrFail("Alert")
           _ <- alertSrv.followAlert(alert._id)
           alertWithObservables <-
@@ -285,12 +298,12 @@ class AlertCtrl @Inject() (
 
   def unfollowAlert(alertId: String): Action[AnyContent] =
     entrypoint("unfollow alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         for {
           alert <-
             alertSrv
               .get(EntityIdOrName(alertId))
-              .can(Permissions.manageAlert)
+              .visible(organisationSrv)
               .getOrFail("Alert")
           _ <- alertSrv.unfollowAlert(alert._id)
           alertWithObservables <-
@@ -301,7 +314,7 @@ class AlertCtrl @Inject() (
         } yield Results.Ok(alertWithObservables.toJson)
       }
 
-  private def createObservable(observable: InputObservable)(implicit
+  private def createObservable(alert: Alert with Entity, observable: InputObservable)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Seq[RichObservable]] =
@@ -314,15 +327,18 @@ class AlertCtrl @Inject() (
               val data = Base64.getDecoder.decode(value)
               attachmentSrv
                 .create(filename, contentType, data)
-                .flatMap(attachment => observableSrv.create(observable.toObservable, attachmentType, attachment, observable.tags, Nil))
+                .flatMap(attachment => alertSrv.createObservable(alert, observable.toObservable, attachment))
             case Array(filename, contentType) =>
               attachmentSrv
                 .create(filename, contentType, Array.emptyByteArray)
-                .flatMap(attachment => observableSrv.create(observable.toObservable, attachmentType, attachment, observable.tags, Nil))
+                .flatMap(attachment => alertSrv.createObservable(alert, observable.toObservable, attachment))
             case data =>
               Failure(InvalidFormatAttributeError("artifacts.data", "filename;contentType;base64value", Set.empty, FString(data.mkString(";"))))
           }
-        case dataType => observable.data.toTry(d => observableSrv.create(observable.toObservable, dataType, d, observable.tags, Nil))
+        case _ =>
+          observable
+            .data
+            .toTry(d => alertSrv.createObservable(alert, observable.toObservable, d))
       }
 }
 
@@ -331,21 +347,22 @@ class PublicAlert @Inject() (
     alertSrv: AlertSrv,
     organisationSrv: OrganisationSrv,
     customFieldSrv: CustomFieldSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) extends PublicData {
   override val entityName: String = "alert"
   override val initialQuery: Query =
     Query
-      .init[Traversal.V[Alert]]("listAlert", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).alerts)
+      .init[Traversal.V[Alert]](
+        "listAlert",
+        (graph, authContext) => alertSrv.startTraversal(graph).visible(organisationSrv)(authContext)
+      )
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Alert]](
     "getAlert",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => alertSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => alertSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[Alert], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, alertSteps, _) =>
         alertSteps
           .richPage(range.from, range.to, withTotal = true) { alerts =>
@@ -370,6 +387,25 @@ class PublicAlert @Inject() (
     ),
     Query.output[(RichAlert, Seq[RichObservable])]
   )
+
+  def statusFilter(status: String): Traversal.V[Alert] => Traversal.V[Alert] =
+    status match {
+      case "New"      => _.hasNot(_.caseId).has(_.read, false)
+      case "Updated"  => _.has(_.caseId).has(_.read, false)
+      case "Ignored"  => _.hasNot(_.caseId).has(_.read, true)
+      case "Imported" => _.has(_.caseId).has(_.read, true)
+      case _          => _.empty
+    }
+
+  def statusNotFilter(status: String): Traversal.V[Alert] => Traversal.V[Alert] =
+    status match {
+      case "New"      => _.or(_.has(_.caseId), _.has(_.read, true))
+      case "Updated"  => _.or(_.hasNot(_.caseId), _.has(_.read, true))
+      case "Ignored"  => _.or(_.has(_.caseId), _.has(_.read, false))
+      case "Imported" => _.or(_.hasNot(_.caseId), _.has(_.read, false))
+      case _          => identity
+    }
+
   override val publicProperties: PublicProperties =
     PublicPropertyListBuilder[Alert]
       .property("type", UMapping.string)(_.field.updatable)
@@ -381,26 +417,12 @@ class PublicAlert @Inject() (
       .property("date", UMapping.date)(_.field.updatable)
       .property("lastSyncDate", UMapping.date.optional)(_.field.updatable)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, cases) =>
-            cases
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
+        _.field
+          .custom { (_, value, vertex, graph, authContext) =>
             alertSrv
               .get(vertex)(graph)
               .getOrFail("Alert")
-              .flatMap(alert => alertSrv.updateTagNames(alert, value)(graph, authContext))
+              .flatMap(alert => alertSrv.updateTags(alert, value)(graph, authContext))
               .map(_ => Json.obj("tags" -> value))
           }
       )
@@ -425,67 +447,53 @@ class PublicAlert @Inject() (
               },
             Converter.identity[String]
           )
-        }.readonly
+        }
+          .filter[String] {
+            case (_, alerts, _, Right(predicate)) =>
+              predicate.getBiPredicate.asInstanceOf[BiPredicate[_, _]] match {
+                case Compare.eq       => statusFilter(predicate.getValue)(alerts)
+                case Compare.neq      => statusNotFilter(predicate.getValue)(alerts)
+                case Contains.within  => alerts.or(predicate.getValue.asInstanceOf[JList[String]].asScala.map(statusFilter): _*)
+                case Contains.without => predicate.getValue.asInstanceOf[JList[String]].asScala.map(statusNotFilter).foldRight(alerts)(_ apply _)
+                case p =>
+                  logger.error(s"The predicate $p is not supported for alert status")
+                  alerts.empty
+              }
+            case (_, alerts, _, Left(true)) => alerts
+            case (_, alerts, _, _)          => alerts.empty
+          }
+          .readonly
       )
       .property("summary", UMapping.string.optional)(_.field.updatable)
       .property("user", UMapping.string)(_.field.updatable)
       .property("customFields", UMapping.jsonNative)(_.subSelect {
-        case (FPathElem(_, FPathElem(name, _)), alerts) =>
-          db
-            .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(name)).value(_.`type`).getOrFail("CustomField"))
-            .map {
-              case CustomFieldType.boolean => alerts.customFields(EntityIdOrName(name)).value(_.booleanValue).domainMap(v => JsBoolean(v))
-              case CustomFieldType.date    => alerts.customFields(EntityIdOrName(name)).value(_.dateValue).domainMap(v => JsNumber(v.getTime))
-              case CustomFieldType.float   => alerts.customFields(EntityIdOrName(name)).value(_.floatValue).domainMap(v => JsNumber(v))
-              case CustomFieldType.integer => alerts.customFields(EntityIdOrName(name)).value(_.integerValue).domainMap(v => JsNumber(v))
-              case CustomFieldType.string  => alerts.customFields(EntityIdOrName(name)).value(_.stringValue).domainMap(v => JsString(v))
-            }
-            .getOrElse(alerts.constant2(null))
-        case (_, caseSteps) => caseSteps.customFields.nameJsonValue.fold.domainMap(JsObject(_))
+        case (FPathElem(_, FPathElem(idOrName, _)), alerts) =>
+          alerts
+            .customFields(EntityIdOrName(idOrName))
+            .jsonValue
+        case (_, alerts) => alerts.customFields.nameJsonValue.fold.domainMap(JsObject(_))
       }
-        .filter {
-          case (FPathElem(_, FPathElem(idOrName, _)), alerts) =>
-            db
-              .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField"))
-              .map {
-                case CustomFieldType.boolean => alerts.customFields(EntityIdOrName(idOrName)).value(_.booleanValue)
-                case CustomFieldType.date    => alerts.customFields(EntityIdOrName(idOrName)).value(_.dateValue)
-                case CustomFieldType.float   => alerts.customFields(EntityIdOrName(idOrName)).value(_.floatValue)
-                case CustomFieldType.integer => alerts.customFields(EntityIdOrName(idOrName)).value(_.integerValue)
-                case CustomFieldType.string  => alerts.customFields(EntityIdOrName(idOrName)).value(_.stringValue)
-              }
-              .getOrElse(alerts.constant2(null))
-          case (_, alerts) => alerts.constant2(null)
-        }
-        .converter {
-          case FPathElem(_, FPathElem(idOrName, _)) =>
-            db
-              .roTransaction { implicit graph =>
-                customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField")
-              }
-              .map {
-                case CustomFieldType.boolean => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Boolean] }
-                case CustomFieldType.date    => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Date] }
-                case CustomFieldType.float   => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Double] }
-                case CustomFieldType.integer => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Long] }
-                case CustomFieldType.string  => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[String] }
-              }
-              .getOrElse((x: JsValue) => x)
-          case _ => (x: JsValue) => x
+        .filter[JsValue] {
+          case (FPathElem(_, FPathElem(name, _)), alerts, _, predicate) =>
+            predicate match {
+              case Right(predicate) => alerts.customFieldFilter(customFieldSrv, EntityIdOrName(name), predicate)
+              case Left(true)       => alerts.hasCustomField(customFieldSrv, EntityIdOrName(name))
+              case Left(false)      => alerts.hasNotCustomField(customFieldSrv, EntityIdOrName(name))
+            }
+          case (_, caseTraversal, _, _) => caseTraversal.empty
         }
         .custom {
-          case (FPathElem(_, FPathElem(name, _)), value, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathElem(name, _)), value, vertex, graph, authContext) =>
             for {
               c <- alertSrv.getByIds(EntityId(vertex.id))(graph).getOrFail("Alert")
               _ <- alertSrv.setOrCreateCustomField(c, InputCustomFieldValue(name, Some(value), None))(graph, authContext)
             } yield Json.obj(s"customField.$name" -> value)
-          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, graph, authContext) =>
             for {
               c   <- alertSrv.get(vertex)(graph).getOrFail("Alert")
               cfv <- values.fields.toTry { case (n, v) => customFieldSrv.getOrFail(EntityIdOrName(n))(graph).map(_ -> v) }
               _   <- alertSrv.updateCustomField(c, cfv)(graph, authContext)
             } yield Json.obj("customFields" -> values)
-
           case _ => Failure(BadRequestError("Invalid custom fields format"))
         })
       .property("case", db.idMapping)(_.select(_.`case`._id).readonly)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/AttachmentCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/AttachmentCtrl.scala
index 7ca3615bd2..e52e34b826 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/AttachmentCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/AttachmentCtrl.scala
@@ -1,9 +1,6 @@
 package org.thp.thehive.controllers.v0
 
-import java.nio.file.Files
-
 import akka.stream.scaladsl.FileIO
-import javax.inject.{Inject, Named, Singleton}
 import net.lingala.zip4j.ZipFile
 import net.lingala.zip4j.model.ZipParameters
 import net.lingala.zip4j.model.enums.{CompressionLevel, EncryptionMethod}
@@ -18,6 +15,8 @@ import org.thp.thehive.services.AttachmentSrv
 import play.api.http.HttpEntity
 import play.api.mvc._
 
+import java.nio.file.Files
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -25,7 +24,7 @@ class AttachmentCtrl @Inject() (
     entrypoint: Entrypoint,
     appConfig: ApplicationConfig,
     attachmentSrv: AttachmentSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) {
   val forbiddenChar: Seq[Char] = Seq('/', '\n', '\r', '\t', '\u0000', '\f', '`', '?', '*', '\\', '<', '>', '|', '\"', ':', ';')
 
@@ -34,72 +33,68 @@ class AttachmentCtrl @Inject() (
   def download(id: String, name: Option[String]): Action[AnyContent] =
     entrypoint("download attachment")
       .authRoTransaction(db) { implicit authContext => implicit graph =>
-        if (name.getOrElse("").intersect(forbiddenChar).nonEmpty)
-          Success(Results.BadRequest("File name is invalid"))
-        else
-          attachmentSrv
-            .get(EntityIdOrName(id))
-            .visible
-            .getOrFail("Attachment")
-            .filter(attachmentSrv.exists)
-            .map { attachment =>
-              Result(
-                header = ResponseHeader(
-                  200,
-                  Map(
-                    "Content-Disposition"       -> s"""attachment; ${HttpHeaderParameterEncoding.encode("filename", name.getOrElse(id))}""",
-                    "Content-Transfer-Encoding" -> "binary"
-                  )
-                ),
-                body = HttpEntity.Streamed(attachmentSrv.source(attachment), None, None)
-              )
-            }
-            .recoverWith {
-              case _: NoSuchElementException => Failure(NotFoundError(s"Attachment $id not found"))
-            }
+        val filename = name.getOrElse(id).map(c => if (forbiddenChar.contains(c)) '_' else c)
+        attachmentSrv
+          .get(EntityIdOrName(id))
+          .visible
+          .getOrFail("Attachment")
+          .filter(attachmentSrv.exists)
+          .map { attachment =>
+            Result(
+              header = ResponseHeader(
+                200,
+                Map(
+                  "Content-Disposition"       -> s"""attachment; ${HttpHeaderParameterEncoding.encode("filename", filename)}""",
+                  "Content-Transfer-Encoding" -> "binary"
+                )
+              ),
+              body = HttpEntity.Streamed(attachmentSrv.source(attachment), None, None)
+            )
+          }
+          .recoverWith {
+            case _: NoSuchElementException => Failure(NotFoundError(s"Attachment $id not found"))
+          }
       }
 
   def downloadZip(id: String, name: Option[String]): Action[AnyContent] =
     entrypoint("download attachment")
       .authRoTransaction(db) { implicit authContext => implicit graph =>
-        if (name.getOrElse("").intersect(forbiddenChar).nonEmpty)
-          Success(Results.BadRequest("File name is invalid"))
-        else
-          attachmentSrv
-            .get(EntityIdOrName(id))
-            .visible
-            .getOrFail("Attachment")
-            .filter(attachmentSrv.exists)
-            .flatMap { attachment =>
-              Try {
-                val f = Files.createTempFile("downloadzip-", id)
-                Files.delete(f)
-                val zipFile   = new ZipFile(f.toFile, password.toCharArray)
-                val zipParams = new ZipParameters
-                zipParams.setCompressionLevel(CompressionLevel.FASTEST)
-                zipParams.setEncryptFiles(true)
-                zipParams.setEncryptionMethod(EncryptionMethod.ZIP_STANDARD)
-                zipParams.setFileNameInZip(name.getOrElse(id))
-                //      zipParams.setSourceExternalStream(true)
-                zipFile.addStream(attachmentSrv.stream(attachment), zipParams)
+        val filename = name.getOrElse(id).map(c => if (forbiddenChar.contains(c)) '_' else c)
+        attachmentSrv
+          .get(EntityIdOrName(id))
+          .visible
+          .getOrFail("Attachment")
+          .filter(attachmentSrv.exists)
+          .flatMap { attachment =>
+            Try {
+              val f = Files.createTempFile("downloadzip-", id)
+              Files.delete(f)
+              val zipFile   = new ZipFile(f.toFile, password.toCharArray)
+              val zipParams = new ZipParameters
+              zipParams.setCompressionLevel(CompressionLevel.FASTEST)
+              zipParams.setEncryptFiles(true)
+              zipParams.setEncryptionMethod(EncryptionMethod.ZIP_STANDARD)
+              zipParams.setFileNameInZip(filename)
+              //      zipParams.setSourceExternalStream(true)
+              zipFile.addStream(attachmentSrv.stream(attachment), zipParams)
 
-                Result(
-                  header = ResponseHeader(
-                    200,
-                    Map(
-                      "Content-Disposition"       -> s"""attachment; filename="${name.getOrElse(id)}.zip"""",
-                      "Content-Type"              -> "application/zip",
-                      "Content-Transfer-Encoding" -> "binary",
-                      "Content-Length"            -> Files.size(f).toString
-                    )
-                  ),
-                  body = HttpEntity.Streamed(FileIO.fromPath(f), Some(Files.size(f)), Some("application/zip"))
-                ) // FIXME remove temporary file (but when ?)
-              }
-            }
-            .recoverWith {
-              case _: NoSuchElementException => Failure(NotFoundError(s"Attachment $id not found"))
+              Result(
+                header = ResponseHeader(
+                  200,
+                  Map(
+                    "Content-Disposition"       -> s"""attachment; filename="$filename.zip"""",
+                    "Content-Type"              -> "application/zip",
+                    "Content-Transfer-Encoding" -> "binary",
+                    "Content-Length"            -> Files.size(f).toString
+                  )
+                ),
+                body = HttpEntity.Streamed(FileIO.fromPath(f), Some(Files.size(f)), Some("application/zip"))
+              ) // FIXME remove temporary file (but when ?)
             }
+          }
+          .recoverWith {
+            case _: NoSuchElementException => Failure(NotFoundError(s"Attachment $id not found"))
+          }
       }
 
   def password: String = passwordConfig.get
diff --git a/thehive/app/org/thp/thehive/controllers/v0/AuditCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/AuditCtrl.scala
index 9ced6e86b6..1062143f3e 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/AuditCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/AuditCtrl.scala
@@ -3,9 +3,8 @@ package org.thp.thehive.controllers.v0
 import akka.actor.ActorRef
 import akka.pattern.ask
 import akka.util.Timeout
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
-import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -17,6 +16,7 @@ import org.thp.thehive.services._
 import play.api.libs.json.{JsArray, JsObject, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.concurrent.ExecutionContext
 import scala.concurrent.duration.DurationInt
 
@@ -26,7 +26,7 @@ class AuditCtrl @Inject() (
     auditSrv: AuditSrv,
     @Named("flow-actor") flowActor: ActorRef,
     override val publicData: PublicAudit,
-    @Named("with-thehive-schema") implicit override val db: Database,
+    implicit override val db: Database,
     implicit val ec: ExecutionContext,
     @Named("v0") override val queryExecutor: QueryExecutor
 ) extends AuditRenderer
@@ -36,7 +36,7 @@ class AuditCtrl @Inject() (
   def flow(caseId: Option[String]): Action[AnyContent] =
     entrypoint("audit flow")
       .asyncAuth { implicit request =>
-        (flowActor ? FlowId(request.organisation, caseId.filterNot(_ == "any").map(EntityIdOrName(_)))).map {
+        (flowActor ? FlowId(caseId.filterNot(_ == "any").map(EntityIdOrName(_)))).map {
           case AuditIds(auditIds) if auditIds.isEmpty => Results.Ok(JsArray.empty)
           case AuditIds(auditIds) =>
             val audits = db.roTransaction { implicit graph =>
@@ -52,7 +52,7 @@ class AuditCtrl @Inject() (
                       .deepMerge(
                         Json.obj(
                           "base"    -> Json.obj("object" -> obj, "rootId" -> audit.context._id),
-                          "summary" -> jsonSummary(auditSrv, audit.requestId)
+                          "summary" -> JsObject.empty //jsonSummary(auditSrv, audit.requestId)
                         )
                       )
                 }
@@ -64,22 +64,20 @@ class AuditCtrl @Inject() (
 }
 
 @Singleton
-class PublicAudit @Inject() (auditSrv: AuditSrv, @Named("with-thehive-schema") db: Database) extends PublicData {
+class PublicAudit @Inject() (auditSrv: AuditSrv, organisationSrv: OrganisationSrv, db: Database) extends PublicData {
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Audit]](
     "getAudit",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => auditSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => auditSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
 
   override val entityName: String = "audit"
 
   override val initialQuery: Query =
-    Query.init[Traversal.V[Audit]]("listAudit", (graph, authContext) => auditSrv.startTraversal(graph).visible(authContext))
+    Query.init[Traversal.V[Audit]]("listAudit", (graph, authContext) => auditSrv.startTraversal(graph).visible(organisationSrv)(authContext))
 
   override val pageQuery: ParamQuery[org.thp.thehive.controllers.v0.OutputParam] =
     Query.withParam[OutputParam, Traversal.V[Audit], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, auditSteps, _) => auditSteps.richPage(range.from, range.to, withTotal = true)(_.richAudit)
     )
   override val outputQuery: Query = Query.output[RichAudit, Traversal.V[Audit]](_.richAudit)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/AuditRenderer.scala b/thehive/app/org/thp/thehive/controllers/v0/AuditRenderer.scala
index 51f18fea54..3b60c188cd 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/AuditRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/AuditRenderer.scala
@@ -1,50 +1,53 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.{Date, Map => JMap}
-
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.models.UMapping
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal._
 import org.thp.thehive.controllers.v0.Conversion._
+import org.thp.thehive.controllers.v1.Conversion.{patternOutput, richProcedureRenderer}
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.AuditOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.PatternOps._
+import org.thp.thehive.services.ProcedureOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services._
 import play.api.libs.json.{JsNumber, JsObject, JsString}
 
+import java.util.{Date, List => JList, Map => JMap}
+
 trait AuditRenderer {
 
-  def caseToJson: Traversal.V[Case] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
-    _.richCaseWithoutPerms.domainMap[JsObject](_.toJson.as[JsObject])
+  def caseToJson: Traversal.V[Case] => Traversal[JsObject, JList[JMap[String, Any]], Converter[JsObject, JList[JMap[String, Any]]]] =
+    _.richCaseWithoutPerms.option.domainMap[JsObject](_.fold(JsObject.empty)(_.toJson.as[JsObject]))
 
   def taskToJson: Traversal.V[Task] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
     _.project(
-      _.by(_.richTaskWithoutActionRequired.domainMap(_.toJson))
+      _.by(_.richTaskWithoutActionRequired.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject])))
         .by(t => caseToJson(t.`case`))
     ).domainMap {
-      case (task, case0) => task.as[JsObject] + ("case" -> case0)
+      case (task, case0) => task + ("case" -> case0)
     }
 
-  def alertToJson: Traversal.V[Alert] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
-    _.richAlert.domainMap(_.toJson.as[JsObject])
+  def alertToJson: Traversal.V[Alert] => Traversal[JsObject, JList[JMap[String, Any]], Converter[JsObject, JList[JMap[String, Any]]]] =
+    _.richAlert.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject]))
 
   def logToJson: Traversal.V[Log] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
     _.project(
-      _.by(_.richLog.domainMap(_.toJson))
+      _.by(_.richLog.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject])))
         .by(l => taskToJson(l.task))
-    ).domainMap { case (log, task) => log.as[JsObject] + ("case_task" -> task) }
+    ).domainMap { case (log, task) => log + ("case_task" -> task) }
 
   def observableToJson: Traversal.V[Observable] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
     _.project(
-      _.by(_.richObservable.domainMap(_.toJson))
+      _.by(_.richObservable.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject])))
         .by(_.coalesceMulti(o => caseToJson(o.`case`), o => alertToJson(o.alert)))
     ).domainMap {
-      case (obs, caseOrAlert) => obs.as[JsObject] + ((caseOrAlert \ "_type").asOpt[String].getOrElse("<unknwon>") -> caseOrAlert)
+      case (obs, caseOrAlert) => obs + ((caseOrAlert \ "_type").asOpt[String].getOrElse("<unknown>") -> caseOrAlert)
     }
 
   case class Job(
@@ -81,16 +84,30 @@ trait AuditRenderer {
           )
       }
 
+  def patternToJson: Traversal.V[Pattern] => Traversal[JsObject, JList[JMap[String, Any]], Converter[JsObject, JList[JMap[String, Any]]]] =
+    _.richPattern.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject]))
+
+  def procedureToJson: Traversal.V[Procedure] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
+    _.project(
+      _.by(_.richProcedure.option.domainMap(_.fold(JsObject.empty)(_.toJson.as[JsObject])))
+        .by(t => caseToJson(t.`case`))
+        .by(t => patternToJson(t.pattern))
+    )
+      .domainMap {
+        case (procedure, case0, pattern) => procedure + ("case" -> case0) + ("pattern" -> pattern)
+      }
+
   def auditRenderer: Traversal.V[Audit] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
     (_: Traversal.V[Audit])
       .coalesceIdent[Vertex](_.`object`, _.identity)
-      .choose(
+      .chooseValue(
         _.on(_.label)
           .option("Case", t => caseToJson(t.v[Case]))
           .option("Task", t => taskToJson(t.v[Task]))
           .option("Log", t => logToJson(t.v[Log]))
           .option("Observable", t => observableToJson(t.v[Observable]))
           .option("Alert", t => alertToJson(t.v[Alert]))
+          .option("Procedure", t => procedureToJson(t.v[Procedure]))
           .option("Job", jobToJson)
           .none(_.constant2[JsObject, JMap[String, Any]](JsObject.empty))
       )
diff --git a/thehive/app/org/thp/thehive/controllers/v0/AuthenticationCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/AuthenticationCtrl.scala
index 7c679074f2..1cf0100032 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/AuthenticationCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/AuthenticationCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.auth.{AuthSrv, RequestOrganisation}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -11,6 +10,7 @@ import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services.UserSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.ExecutionContext
 import scala.util.{Failure, Success}
 @Singleton
@@ -19,7 +19,7 @@ class AuthenticationCtrl @Inject() (
     authSrv: AuthSrv,
     requestOrganisation: RequestOrganisation,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     implicit val ec: ExecutionContext
 ) {
 
diff --git a/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala
index 8ffe733918..35cd5d7e39 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/CaseCtrl.scala
@@ -1,26 +1,27 @@
 package org.thp.thehive.controllers.v0
 
+import org.apache.tinkerpop.gremlin.process.traversal.P
+import org.thp.scalligraph._
 import org.thp.scalligraph.controllers.{Entrypoint, FPathElem, FPathEmpty, FieldsParser}
 import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
-import org.thp.scalligraph.{RichSeq, _}
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.{InputCase, InputTask}
 import org.thp.thehive.dto.v1.InputCustomFieldValue
 import org.thp.thehive.models._
+import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.CustomFieldOps._
+import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.TagOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.libs.json._
 import play.api.mvc.{Action, AnyContent, Results}
 
-import java.util.Date
 import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success}
 
@@ -29,11 +30,11 @@ class CaseCtrl @Inject() (
     override val entrypoint: Entrypoint,
     caseSrv: CaseSrv,
     caseTemplateSrv: CaseTemplateSrv,
-    tagSrv: TagSrv,
     userSrv: UserSrv,
+    organisationSrv: OrganisationSrv,
     override val publicData: PublicCase,
     @Named("v0") override val queryExecutor: QueryExecutor,
-    @Named("with-thehive-schema") implicit override val db: Database
+    implicit override val db: Database
 ) extends CaseRenderer
     with QueryCtrl {
   def create: Action[AnyContent] =
@@ -53,18 +54,15 @@ class CaseCtrl @Inject() (
               .organisations(Permissions.manageCase)
               .get(request.organisation)
               .orFail(AuthorizationError("Operation not permitted"))
+          user         <- inputCase.user.fold(userSrv.current.getOrFail("User"))(userSrv.getByName(_).getOrFail("User"))
           caseTemplate <- caseTemplateName.map(ct => caseTemplateSrv.get(EntityIdOrName(ct)).visible.richCaseTemplate.getOrFail("CaseTemplate")).flip
-          user         <- inputCase.user.map(u => userSrv.get(EntityIdOrName(u)).visible.getOrFail("User")).flip
-          tags         <- inputCase.tags.toTry(tagSrv.getOrCreate)
-          tasks        <- inputTasks.toTry(t => t.owner.map(o => userSrv.getOrFail(EntityIdOrName(o))).flip.map(owner => t.toTask -> owner))
           richCase <- caseSrv.create(
             caseTemplate.fold(inputCase)(inputCase.withCaseTemplate).toCase,
-            user,
+            Some(user),
             organisation,
-            tags.toSet,
             customFields,
             caseTemplate,
-            tasks
+            inputTasks.map(_.toTask)
           )
         } yield Results.Created(richCase.toJson)
       }
@@ -75,7 +73,7 @@ class CaseCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         val c = caseSrv
           .get(EntityIdOrName(caseIdOrNumber))
-          .visible
+          .visible(organisationSrv)
         val stats: Option[Boolean] = request.body("stats")
         if (stats.contains(true))
           c.richCaseWithCustomRenderer(caseStatsRenderer(request))
@@ -142,26 +140,18 @@ class CaseCtrl @Inject() (
               .get(EntityIdOrName(caseIdOrNumber))
               .can(Permissions.manageCase)
               .getOrFail("Case")
-          _ <- caseSrv.remove(c)
+          _ <- caseSrv.delete(c)
         } yield Results.NoContent
       }
 
-  def merge(caseIdsOrNumbers: String): Action[AnyContent] =
+  def merge(caseId: String, caseToMerge: String): Action[AnyContent] =
     entrypoint("merge cases")
       .authTransaction(db) { implicit request => implicit graph =>
-        caseIdsOrNumbers
-          .split(',')
-          .toSeq
-          .toTry(c =>
-            caseSrv
-              .get(EntityIdOrName(c))
-              .visible
-              .getOrFail("Case")
-          )
-          .map { cases =>
-            val mergedCase = caseSrv.merge(cases)
-            Results.Ok(mergedCase.toJson)
-          }
+        for {
+          caze    <- caseSrv.get(EntityIdOrName(caseId)).visible(organisationSrv).getOrFail("Case")
+          toMerge <- caseSrv.get(EntityIdOrName(caseToMerge)).visible(organisationSrv).getOrFail("Case")
+          merged  <- caseSrv.merge(Seq(caze, toMerge))
+        } yield Results.Created(merged.toJson)
       }
 
   def linkedCases(caseIdOrNumber: String): Action[AnyContent] =
@@ -169,7 +159,7 @@ class CaseCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         val relatedCases = caseSrv
           .get(EntityIdOrName(caseIdOrNumber))
-          .visible
+          .visible(organisationSrv)
           .linkedCases
           .map {
             case (c, o) =>
@@ -186,37 +176,50 @@ class CaseCtrl @Inject() (
 class PublicCase @Inject() (
     caseSrv: CaseSrv,
     organisationSrv: OrganisationSrv,
+    observableSrv: ObservableSrv,
     userSrv: UserSrv,
     customFieldSrv: CustomFieldSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends PublicData
     with CaseRenderer {
   override val entityName: String = "case"
   override val initialQuery: Query =
-    Query.init[Traversal.V[Case]]("listCase", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).cases)
-  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Case]](
-    "getCase",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => caseSrv.get(idOrName)(graph).visible(authContext)
-  )
-  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Case], IteratorOutput](
-    "page",
-    FieldsParser[OutputParam],
-    {
-      case (OutputParam(from, to, withStats, _), caseSteps, authContext) =>
-        caseSteps
-          .richPage(from, to, withTotal = true) {
-            case c if withStats =>
-              c.richCaseWithCustomRenderer(caseStatsRenderer(authContext))(authContext)
-            case c =>
-              c.richCase(authContext).domainMap(_ -> JsObject.empty)
-          }
-    }
-  )
+    Query.init[Traversal.V[Case]]("listCase", (graph, authContext) => caseSrv.startTraversal(graph).visible(organisationSrv)(authContext))
+  override val getQuery: ParamQuery[EntityIdOrName] =
+    Query.initWithParam[EntityIdOrName, Traversal.V[Case]](
+      "getCase",
+      (idOrName, graph, authContext) => caseSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
+    )
+  override val pageQuery: ParamQuery[OutputParam] =
+    Query.withParam[OutputParam, Traversal.V[Case], IteratorOutput](
+      "page",
+      {
+        case (OutputParam(from, to, withStats, _), caseSteps, authContext) =>
+          caseSteps
+            .richPage(from, to, withTotal = true) {
+              case c if withStats =>
+                c.richCaseWithCustomRenderer(caseStatsRenderer(authContext))(authContext)
+              case c =>
+                c.richCase(authContext).domainMap(_ -> JsObject.empty)
+            }
+      }
+    )
   override val outputQuery: Query = Query.outputWithContext[RichCase, Traversal.V[Case]]((caseSteps, authContext) => caseSteps.richCase(authContext))
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
-    Query[Traversal.V[Case], Traversal.V[Observable]]("observables", (caseSteps, authContext) => caseSteps.observables(authContext)),
-    Query[Traversal.V[Case], Traversal.V[Task]]("tasks", (caseSteps, authContext) => caseSteps.tasks(authContext))
+    Query[Traversal.V[Case], Traversal.V[Observable]](
+      "observables",
+      (caseSteps, authContext) =>
+        // caseSteps.observables(authContext)
+        observableSrv.startTraversal(caseSteps.graph).has(_.relatedId, P.within(caseSteps._id.toSeq: _*)).visible(organisationSrv)(authContext)
+    ),
+    Query[Traversal.V[Case], Traversal.V[Task]](
+      "tasks",
+      (caseSteps, authContext) => caseSteps.tasks(authContext)
+//        taskSrv.startTraversal(caseSteps.graph).has(_.relatedId, P.within(caseSteps._id.toSeq: _*)).visible(organisationSrv)(authContext)
+    ),
+    Query[Traversal.V[Case], Traversal.V[User]]("assignableUsers", (caseSteps, authContext) => caseSteps.assignableUsers(authContext)),
+    Query[Traversal.V[Case], Traversal.V[Organisation]]("organisations", (caseSteps, authContext) => caseSteps.organisations.visible(authContext)),
+    Query[Traversal.V[Case], Traversal.V[Alert]]("alerts", (caseSteps, authContext) => caseSteps.alert.visible(organisationSrv)(authContext))
   )
   override val publicProperties: PublicProperties =
     PublicPropertyListBuilder[Case]
@@ -227,26 +230,12 @@ class PublicCase @Inject() (
       .property("startDate", UMapping.date)(_.field.updatable)
       .property("endDate", UMapping.date.optional)(_.field.updatable)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, cases) =>
-            cases
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
+        _.field
+          .custom { (_, value, vertex, graph, authContext) =>
             caseSrv
               .get(vertex)(graph)
               .getOrFail("Case")
-              .flatMap(`case` => caseSrv.updateTagNames(`case`, value)(graph, authContext))
+              .flatMap(`case` => caseSrv.updateTags(`case`, value)(graph, authContext))
               .map(_ => Json.obj("tags" -> value))
           }
       )
@@ -255,7 +244,7 @@ class PublicCase @Inject() (
       .property("pap", UMapping.int)(_.field.updatable)
       .property("status", UMapping.enum[CaseStatus.type])(_.field.updatable)
       .property("summary", UMapping.string.optional)(_.field.updatable)
-      .property("owner", UMapping.string.optional)(_.select(_.user.value(_.login)).custom { (_, login, vertex, _, graph, authContext) =>
+      .property("owner", UMapping.string.optional)(_.rename("assignee").custom { (_, login, vertex, graph, authContext) =>
         for {
           c    <- caseSrv.get(vertex)(graph).getOrFail("Case")
           user <- login.map(u => userSrv.get(EntityIdOrName(u))(graph).getOrFail("User")).flip
@@ -265,77 +254,47 @@ class PublicCase @Inject() (
           }
         } yield Json.obj("owner" -> user.map(_.login))
       })
-      .property("resolutionStatus", UMapping.string.optional)(_.select(_.resolutionStatus.value(_.value)).custom {
-        (_, resolutionStatus, vertex, _, graph, authContext) =>
-          for {
-            c <- caseSrv.get(vertex)(graph).getOrFail("Case")
-            _ <- resolutionStatus match {
-              case Some(s) => caseSrv.setResolutionStatus(c, s)(graph, authContext)
-              case None    => caseSrv.unsetResolutionStatus(c)(graph, authContext)
-            }
-          } yield Json.obj("resolutionStatus" -> resolutionStatus)
+      .property("resolutionStatus", UMapping.string.optional)(_.field.custom { (_, resolutionStatus, vertex, graph, authContext) =>
+        for {
+          c <- caseSrv.get(vertex)(graph).getOrFail("Case")
+          _ <- resolutionStatus match {
+            case Some(s) => caseSrv.setResolutionStatus(c, s)(graph, authContext)
+            case None    => caseSrv.unsetResolutionStatus(c)(graph, authContext)
+          }
+        } yield Json.obj("resolutionStatus" -> resolutionStatus)
       })
-      .property("impactStatus", UMapping.string.optional)(_.select(_.impactStatus.value(_.value)).custom {
-        (_, impactStatus, vertex, _, graph, authContext) =>
-          for {
-            c <- caseSrv.get(vertex)(graph).getOrFail("Case")
-            _ <- impactStatus match {
-              case Some(s) => caseSrv.setImpactStatus(c, s)(graph, authContext)
-              case None    => caseSrv.unsetImpactStatus(c)(graph, authContext)
-            }
-          } yield Json.obj("impactStatus" -> impactStatus)
+      .property("impactStatus", UMapping.string.optional)(_.field.custom { (_, impactStatus, vertex, graph, authContext) =>
+        for {
+          c <- caseSrv.get(vertex)(graph).getOrFail("Case")
+          _ <- impactStatus match {
+            case Some(s) => caseSrv.setImpactStatus(c, s)(graph, authContext)
+            case None    => caseSrv.unsetImpactStatus(c)(graph, authContext)
+          }
+        } yield Json.obj("impactStatus" -> impactStatus)
       })
       .property("customFields", UMapping.jsonNative)(_.subSelect {
-        case (FPathElem(_, FPathElem(name, _)), caseTraversal) =>
-          db
-            .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(name)).value(_.`type`).getOrFail("CustomField"))
-            .map {
-              case CustomFieldType.boolean => caseTraversal.customFields(EntityIdOrName(name)).value(_.booleanValue).domainMap(v => JsBoolean(v))
-              case CustomFieldType.date    => caseTraversal.customFields(EntityIdOrName(name)).value(_.dateValue).domainMap(v => JsNumber(v.getTime))
-              case CustomFieldType.float   => caseTraversal.customFields(EntityIdOrName(name)).value(_.floatValue).domainMap(v => JsNumber(v))
-              case CustomFieldType.integer => caseTraversal.customFields(EntityIdOrName(name)).value(_.integerValue).domainMap(v => JsNumber(v))
-              case CustomFieldType.string  => caseTraversal.customFields(EntityIdOrName(name)).value(_.stringValue).domainMap(v => JsString(v))
-            }
-            .getOrElse(caseTraversal.constant2(null))
+        case (FPathElem(_, FPathElem(idOrName, _)), caseSteps) =>
+          caseSteps
+            .customFields(EntityIdOrName(idOrName))
+            .jsonValue
         case (_, caseSteps) => caseSteps.customFields.nameJsonValue.fold.domainMap(JsObject(_))
       }
-        .filter {
-          case (FPathElem(_, FPathElem(name, _)), caseTraversal) =>
-            db
-              .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(name)).value(_.`type`).getOrFail("CustomField"))
-              .map {
-                case CustomFieldType.boolean => caseTraversal.customFields(EntityIdOrName(name)).value(_.booleanValue)
-                case CustomFieldType.date    => caseTraversal.customFields(EntityIdOrName(name)).value(_.dateValue)
-                case CustomFieldType.float   => caseTraversal.customFields(EntityIdOrName(name)).value(_.floatValue)
-                case CustomFieldType.integer => caseTraversal.customFields(EntityIdOrName(name)).value(_.integerValue)
-                case CustomFieldType.string  => caseTraversal.customFields(EntityIdOrName(name)).value(_.stringValue)
-              }
-              .getOrElse(caseTraversal.constant2(null))
-          case (_, caseTraversal) => caseTraversal.constant2(null)
-        }
-        .converter {
-          case FPathElem(_, FPathElem(name, _)) =>
-            db
-              .roTransaction { implicit graph =>
-                customFieldSrv.get(EntityIdOrName(name)).value(_.`type`).getOrFail("CustomField")
-              }
-              .map {
-                case CustomFieldType.boolean => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Boolean] }
-                case CustomFieldType.date    => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Date] }
-                case CustomFieldType.float   => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Double] }
-                case CustomFieldType.integer => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Long] }
-                case CustomFieldType.string  => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[String] }
-              }
-              .getOrElse((x: JsValue) => x)
-          case _ => (x: JsValue) => x
+        .filter[JsValue] {
+          case (FPathElem(_, FPathElem(name, _)), caseTraversal, _, predicate) =>
+            predicate match {
+              case Right(predicate) => caseTraversal.customFieldFilter(customFieldSrv, EntityIdOrName(name), predicate)
+              case Left(true)       => caseTraversal.hasCustomField(customFieldSrv, EntityIdOrName(name))
+              case Left(false)      => caseTraversal.hasNotCustomField(customFieldSrv, EntityIdOrName(name))
+            }
+          case (_, caseTraversal, _, _) => caseTraversal.empty
         }
         .custom {
-          case (FPathElem(_, FPathElem(name, _)), value, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathElem(name, _)), value, vertex, graph, authContext) =>
             for {
               c <- caseSrv.get(vertex)(graph).getOrFail("Case")
               _ <- caseSrv.setOrCreateCustomField(c, EntityIdOrName(name), Some(value), None)(graph, authContext)
             } yield Json.obj(s"customField.$name" -> value)
-          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, graph, authContext) =>
             for {
               c   <- caseSrv.get(vertex)(graph).getOrFail("Case")
               cfv <- values.fields.toTry { case (n, v) => customFieldSrv.getOrFail(EntityIdOrName(n))(graph).map(cf => (cf, v, None)) }
diff --git a/thehive/app/org/thp/thehive/controllers/v0/CaseTemplateCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/CaseTemplateCtrl.scala
index 0c23b45f7c..a0c435e2d9 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/CaseTemplateCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/CaseTemplateCtrl.scala
@@ -5,14 +5,13 @@ import org.thp.scalligraph.controllers._
 import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
 import org.thp.scalligraph.{AttributeCheckingError, BadRequestError, EntityIdOrName, RichSeq}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.{InputCaseTemplate, InputTask}
-import org.thp.thehive.models.{CaseTemplate, Permissions, RichCaseTemplate, Tag, Task}
+import org.thp.thehive.models.{CaseTemplate, Permissions, RichCaseTemplate, Task}
 import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.TagOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
@@ -31,7 +30,7 @@ class CaseTemplateCtrl @Inject() (
     userSrv: UserSrv,
     auditSrv: AuditSrv,
     override val publicData: PublicCaseTemplate,
-    @Named("with-thehive-schema") implicit override val db: Database,
+    implicit override val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor
 ) extends QueryCtrl {
   def create: Action[AnyContent] =
@@ -40,10 +39,10 @@ class CaseTemplateCtrl @Inject() (
       .authTransaction(db) { implicit request => implicit graph =>
         val inputCaseTemplate: InputCaseTemplate = request.body("caseTemplate")
         val customFields                         = inputCaseTemplate.customFields.sortBy(_.order.getOrElse(0)).map(c => c.name -> c.value)
+        val tasks                                = inputCaseTemplate.tasks.map(_.toTask)
         for {
-          tasks            <- inputCaseTemplate.tasks.toTry(t => t.owner.map(o => userSrv.getOrFail(EntityIdOrName(o))).flip.map(t.toTask -> _))
           organisation     <- userSrv.current.organisations(Permissions.manageCaseTemplate).get(request.organisation).getOrFail("CaseTemplate")
-          richCaseTemplate <- caseTemplateSrv.create(inputCaseTemplate.toCaseTemplate, organisation, inputCaseTemplate.tags, tasks, customFields)
+          richCaseTemplate <- caseTemplateSrv.create(inputCaseTemplate.toCaseTemplate, organisation, tasks, customFields)
         } yield Results.Created(richCaseTemplate.toJson)
       }
 
@@ -94,9 +93,7 @@ class CaseTemplateCtrl @Inject() (
 class PublicCaseTemplate @Inject() (
     caseTemplateSrv: CaseTemplateSrv,
     organisationSrv: OrganisationSrv,
-    customFieldSrv: CustomFieldSrv,
-    userSrv: UserSrv,
-    taskSrv: TaskSrv
+    customFieldSrv: CustomFieldSrv
 ) extends PublicData {
   lazy val logger: Logger         = Logger(getClass)
   override val entityName: String = "caseTemplate"
@@ -105,12 +102,10 @@ class PublicCaseTemplate @Inject() (
       .init[Traversal.V[CaseTemplate]]("listCaseTemplate", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).caseTemplates)
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[CaseTemplate]](
     "getCaseTemplate",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => caseTemplateSrv.get(idOrName)(graph).visible(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[CaseTemplate], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, caseTemplateSteps, _) => caseTemplateSteps.richPage(range.from, range.to, withTotal = true)(_.richCaseTemplate)
   )
   override val outputQuery: Query = Query.output[RichCaseTemplate, Traversal.V[CaseTemplate]](_.richCaseTemplate)
@@ -124,26 +119,12 @@ class PublicCaseTemplate @Inject() (
     .property("description", UMapping.string.optional)(_.field.updatable)
     .property("severity", UMapping.int.optional)(_.field.updatable)
     .property("tags", UMapping.string.set)(
-      _.select(_.tags.displayName)
-        .filter((_, cases) =>
-          cases
-            .tags
-            .graphMap[String, String, Converter.Identity[String]](
-              { v =>
-                val namespace = UMapping.string.getProperty(v, "namespace")
-                val predicate = UMapping.string.getProperty(v, "predicate")
-                val value     = UMapping.string.optional.getProperty(v, "value")
-                Tag(namespace, predicate, value, None, 0).toString
-              },
-              Converter.identity[String]
-            )
-        )
-        .converter(_ => Converter.identity[String])
-        .custom { (_, value, vertex, _, graph, authContext) =>
+      _.field
+        .custom { (_, value, vertex, graph, authContext) =>
           caseTemplateSrv
             .get(vertex)(graph)
             .getOrFail("CaseTemplate")
-            .flatMap(caseTemplate => caseTemplateSrv.updateTagNames(caseTemplate, value)(graph, authContext))
+            .flatMap(caseTemplate => caseTemplateSrv.updateTags(caseTemplate, value)(graph, authContext))
             .map(_ => Json.obj("tags" -> value))
         }
     )
@@ -156,12 +137,12 @@ class PublicCaseTemplate @Inject() (
       case (FPathElem(_, FPathElem(name, _)), caseTemplateSteps) => caseTemplateSteps.customFields(name).jsonValue
       case (_, caseTemplateSteps)                                => caseTemplateSteps.customFields.nameJsonValue.fold.domainMap(JsObject(_))
     }.custom {
-      case (FPathElem(_, FPathElem(name, _)), value, vertex, _, graph, authContext) =>
+      case (FPathElem(_, FPathElem(name, _)), value, vertex, graph, authContext) =>
         for {
           c <- caseTemplateSrv.get(vertex)(graph).getOrFail("CaseTemplate")
           _ <- caseTemplateSrv.setOrCreateCustomField(c, name, Some(value), None)(graph, authContext)
         } yield Json.obj(s"customFields.$name" -> value)
-      case (FPathElem(_, FPathEmpty), values: JsObject, vertex, _, graph, authContext) =>
+      case (FPathElem(_, FPathEmpty), values: JsObject, vertex, graph, authContext) =>
         for {
           c   <- caseTemplateSrv.get(vertex)(graph).getOrFail("CaseTemplate")
           cfv <- values.fields.toTry { case (n, v) => customFieldSrv.getOrFail(EntityIdOrName(n))(graph).map(_ -> v) }
@@ -171,22 +152,14 @@ class PublicCaseTemplate @Inject() (
     })
     .property("tasks", UMapping.jsonNative.sequence)(
       _.select(_.tasks.richTaskWithoutActionRequired.domainMap(_.toJson)).custom { //  FIXME select the correct mapping
-        (_, value, vertex, _, graph, authContext) =>
+        (_, value, vertex, graph, authContext) =>
           val fp = FieldsParser[InputTask]
 
           caseTemplateSrv.get(vertex)(graph).tasks.remove()
           for {
             caseTemplate <- caseTemplateSrv.get(vertex)(graph).getOrFail("CaseTemplate")
             tasks        <- value.validatedBy(t => fp(Field(t))).badMap(AttributeCheckingError(_)).toTry
-            createdTasks <-
-              tasks
-                .toTry(t =>
-                  t.owner
-                    .map(o => userSrv.getOrFail(EntityIdOrName(o))(graph))
-                    .flip
-                    .flatMap(owner => taskSrv.create(t.toTask, owner)(graph, authContext))
-                )
-            _ <- createdTasks.toTry(t => caseTemplateSrv.addTask(caseTemplate, t.task)(graph, authContext))
+            createdTasks <- tasks.toTry(task => caseTemplateSrv.createTask(caseTemplate, task.toTask)(graph, authContext))
           } yield Json.obj("tasks" -> createdTasks.map(_.toJson))
       }
     )
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ConfigCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ConfigCtrl.scala
index 4b58eab688..630fa3a814 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ConfigCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ConfigCtrl.scala
@@ -1,7 +1,6 @@
 package org.thp.thehive.controllers.v0
 
 import com.typesafe.config.{ConfigRenderOptions, Config => TypeSafeConfig}
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
@@ -15,6 +14,7 @@ import play.api.libs.json._
 import play.api.mvc.{Action, AnyContent, Result, Results}
 import play.api.{ConfigLoader, Configuration, Logger}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -26,7 +26,7 @@ class ConfigCtrl @Inject() (
     organisationSrv: OrganisationSrv,
     userSrv: UserSrv,
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) {
 
   lazy val logger: Logger = Logger(getClass)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/Conversion.scala b/thehive/app/org/thp/thehive/controllers/v0/Conversion.scala
index f972afd972..e1c739654d 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/Conversion.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/Conversion.scala
@@ -1,15 +1,15 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.Date
-
 import io.scalaland.chimney.dsl._
-import org.thp.scalligraph.auth.{Permission, PermissionDesc}
+import org.thp.scalligraph.auth.{AuthContext, Permission, PermissionDesc}
 import org.thp.scalligraph.controllers.Renderer
 import org.thp.scalligraph.models.Entity
 import org.thp.thehive.dto.v0._
 import org.thp.thehive.models._
 import play.api.libs.json.{JsObject, JsValue, Json, Writes}
 
+import java.util.Date
+
 object Conversion {
   implicit class RendererOps[F, O](f: F)(implicit renderer: Renderer.Aux[F, O]) {
     def toJson: JsValue = renderer.toOutput(f).toJson
@@ -58,6 +58,7 @@ object Conversion {
           }
       )
       .withFieldConst(_.similarCases, Nil)
+      .enableMethodAccessors
       .transform
   )
 
@@ -86,6 +87,7 @@ object Conversion {
         )
         .withFieldConst(_.artifacts, richAlertWithObservables._2.map(_.toValue))
         .withFieldConst(_.similarCases, Nil)
+        .enableMethodAccessors
         .transform
     )
 
@@ -101,6 +103,8 @@ object Conversion {
         .withFieldConst(_.read, false)
         .withFieldConst(_.lastSyncDate, new Date)
         .withFieldConst(_.follow, true)
+        .withFieldConst(_.tags, inputAlert.tags.toSeq)
+        .withFieldConst(_.caseId, None)
         .transform
   }
 
@@ -145,20 +149,21 @@ object Conversion {
       .withFieldComputed(_.id, _._id.toString)
       .withFieldComputed(_._id, _._id.toString)
       .withFieldRenamed(_.number, _.caseId)
-      .withFieldRenamed(_.assignee, _.owner)
+      .withFieldComputed(_.owner, _.assignee)
       .withFieldRenamed(_._updatedAt, _.updatedAt)
       .withFieldRenamed(_._updatedBy, _.updatedBy)
       .withFieldRenamed(_._createdAt, _.createdAt)
       .withFieldRenamed(_._createdBy, _.createdBy)
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldConst(_.stats, JsObject.empty)
       .withFieldComputed(_.permissions, _.userPermissions.asInstanceOf[Set[String]]) // Permission is String
+      .enableMethodAccessors
       .transform
   )
 
   implicit class InputCaseOps(inputCase: InputCase) {
 
-    def toCase: Case =
+    def toCase(implicit authContext: AuthContext): Case =
       inputCase
         .into[Case]
         .withFieldComputed(_.severity, _.severity.getOrElse(2))
@@ -167,7 +172,8 @@ object Conversion {
         .withFieldComputed(_.tlp, _.tlp.getOrElse(2))
         .withFieldComputed(_.pap, _.pap.getOrElse(2))
         .withFieldConst(_.status, CaseStatus.Open)
-        .withFieldConst(_.number, 0)
+        .withFieldComputed(_.assignee, c => Some(c.user.getOrElse(authContext.userId)))
+        .withFieldComputed(_.tags, _.tags.toSeq)
         .transform
 
     def withCaseTemplate(caseTemplate: RichCaseTemplate): InputCase =
@@ -199,14 +205,15 @@ object Conversion {
         .withFieldComputed(_.id, _._id.toString)
         .withFieldComputed(_._id, _._id.toString)
         .withFieldRenamed(_.number, _.caseId)
-        .withFieldRenamed(_.assignee, _.owner)
+        .withFieldComputed(_.owner, _.assignee)
         .withFieldRenamed(_._updatedAt, _.updatedAt)
         .withFieldRenamed(_._updatedBy, _.updatedBy)
         .withFieldRenamed(_._createdAt, _.createdAt)
         .withFieldRenamed(_._createdBy, _.createdBy)
-        .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+        .withFieldComputed(_.tags, _.tags.toSet)
         .withFieldConst(_.stats, richCaseWithStats._2)
-        .withFieldComputed(_.permissions, _.userPermissions.map(_.toString))
+        .withFieldComputed(_.permissions, _.userPermissions.asInstanceOf[Set[String]])
+        .enableMethodAccessors
         .transform
     )
 
@@ -234,9 +241,10 @@ object Conversion {
       .withFieldRenamed(_._createdBy, _.createdBy)
       .withFieldConst(_.status, "Ok")
       .withFieldConst(_._type, "caseTemplate")
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldComputed(_.tasks, _.tasks.map(_.toValue))
       .withFieldConst(_.metrics, JsObject.empty)
+      .enableMethodAccessors
       .transform
   )
 
@@ -251,6 +259,7 @@ object Conversion {
           }
         )
         .withFieldComputed(_.tpe, _.typeName)
+        .enableMethodAccessors
         .transform
     )
 
@@ -290,6 +299,7 @@ object Conversion {
       .withFieldConst(_.createdAt, dashboard._createdAt)
       .withFieldConst(_.createdBy, dashboard._createdBy)
       .withFieldComputed(_.definition, _.definition.toString)
+      .enableMethodAccessors
       .transform
   )
 
@@ -315,7 +325,7 @@ object Conversion {
       .withFieldComputed(_.message, _.message)
       .withFieldComputed(_.startDate, _._createdAt)
       .withFieldComputed(_.owner, _._createdBy)
-      .withFieldComputed(_.status, l => if (l.deleted) "Deleted" else "Ok")
+      .withFieldConst(_.status, "Ok")
       .withFieldComputed(_.attachment, _.attachments.headOption.map(_.toValue))
       .transform
   )
@@ -326,7 +336,6 @@ object Conversion {
       inputLog
         .into[Log]
         .withFieldConst(_.date, new Date)
-        .withFieldConst(_.deleted, false)
         .transform
   }
 
@@ -338,12 +347,15 @@ object Conversion {
         .withFieldComputed(_.tlp, _.tlp.getOrElse(2))
         .withFieldComputed(_.ioc, _.ioc.getOrElse(false))
         .withFieldComputed(_.sighted, _.sighted.getOrElse(false))
+        .withFieldConst(_.data, None)
+        .withFieldComputed(_.tags, _.tags.toSeq)
         .transform
   }
 
   implicit val reportTagWrites: Writes[ReportTag] = Writes[ReportTag] { tag =>
     Json.obj("level" -> tag.level.toString, "namespace" -> tag.namespace, "predicate" -> tag.predicate, "value" -> tag.value)
   }
+
   implicit val observableOutput: Renderer.Aux[RichObservable, OutputObservable] = Renderer.toJson[RichObservable, OutputObservable](
     _.into[OutputObservable]
       .withFieldConst(_._type, "case_artifact")
@@ -353,10 +365,7 @@ object Conversion {
       .withFieldComputed(_.updatedBy, _.observable._updatedBy)
       .withFieldComputed(_.createdAt, _.observable._createdAt)
       .withFieldComputed(_.createdBy, _.observable._createdBy)
-      .withFieldComputed(_.dataType, _.`type`.name)
       .withFieldComputed(_.startDate, _.observable._createdAt)
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
-      .withFieldComputed(_.data, _.data.map(_.data))
       .withFieldComputed(_.attachment, _.attachment.map(_.toValue))
       .withFieldComputed(
         _.reports,
@@ -376,6 +385,7 @@ object Conversion {
       )
       .withFieldConst(_.stats, JsObject.empty)
       .withFieldConst(_.`case`, None)
+      .enableMethodAccessors
       .transform
   )
 
@@ -391,10 +401,7 @@ object Conversion {
           .withFieldComputed(_.updatedBy, _.observable._updatedBy)
           .withFieldComputed(_.createdAt, _.observable._createdAt)
           .withFieldComputed(_.createdBy, _.observable._createdBy)
-          .withFieldComputed(_.dataType, _.`type`.name)
           .withFieldComputed(_.startDate, _.observable._createdAt)
-          .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
-          .withFieldComputed(_.data, _.data.map(_.data))
           .withFieldComputed(_.attachment, _.attachment.map(_.toValue))
           .withFieldComputed(
             _.reports,
@@ -409,6 +416,7 @@ object Conversion {
           )
           .withFieldConst(_.stats, stats)
           .withFieldConst(_.`case`, richCase.map(_.toValue))
+          .enableMethodAccessors
           .transform
     }
 
@@ -424,10 +432,7 @@ object Conversion {
           .withFieldComputed(_.updatedBy, _.observable._updatedBy)
           .withFieldComputed(_.createdAt, _.observable._createdAt)
           .withFieldComputed(_.createdBy, _.observable._createdBy)
-          .withFieldComputed(_.dataType, _.`type`.name)
           .withFieldComputed(_.startDate, _.observable._createdAt)
-          .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
-          .withFieldComputed(_.data, _.data.map(_.data))
           .withFieldComputed(_.attachment, _.attachment.map(_.toValue))
           .withFieldComputed(
             _.reports,
@@ -442,6 +447,7 @@ object Conversion {
           )
           .withFieldConst(_.stats, stats)
           .withFieldConst(_.`case`, None)
+          .enableMethodAccessors
           .transform
     }
 
@@ -517,12 +523,14 @@ object Conversion {
       .withFieldComputed(_.caseId, _.caseId.toString)
       .withFieldComputed(_.createdAt, _.share._createdAt)
       .withFieldComputed(_.createdBy, _.share._createdBy)
+      .enableMethodAccessors
       .transform
   )
 
   implicit val tagOutput: Renderer.Aux[Tag with Entity, OutputTag] = Renderer.toJson[Tag with Entity, OutputTag](
     _.asInstanceOf[Tag]
       .into[OutputTag]
+      .withFieldComputed(_.namespace, t => if (t.isFreeTag) "_freetags_" else t.namespace)
       .transform
   )
 
@@ -535,6 +543,7 @@ object Conversion {
         .withFieldComputed(_.order, _.order.getOrElse(0))
         .withFieldComputed(_.flag, _.flag.getOrElse(false))
         .withFieldComputed(_.group, _.group.getOrElse("default"))
+        .withFieldRenamed(_.owner, _.assignee)
         .transform
   }
 
@@ -545,11 +554,12 @@ object Conversion {
       .withFieldComputed(_.status, _.status.toString)
       .withFieldConst(_._type, "case_task")
       .withFieldConst(_.`case`, None)
-      .withFieldComputed(_.owner, _.assignee.map(_.login))
+      .withFieldComputed(_.owner, _.assignee)
       .withFieldRenamed(_._updatedAt, _.updatedAt)
       .withFieldRenamed(_._updatedBy, _.updatedBy)
       .withFieldRenamed(_._createdAt, _.createdAt)
       .withFieldRenamed(_._createdBy, _.createdBy)
+      .enableMethodAccessors
       .transform
   )
 
@@ -563,11 +573,12 @@ object Conversion {
           .withFieldComputed(_.status, _.status.toString)
           .withFieldConst(_._type, "case_task")
           .withFieldConst(_.`case`, richCase.map(_.toValue))
-          .withFieldComputed(_.owner, _.assignee.map(_.login))
+          .withFieldComputed(_.owner, _.assignee)
           .withFieldRenamed(_._updatedAt, _.updatedAt)
           .withFieldRenamed(_._updatedBy, _.updatedBy)
           .withFieldRenamed(_._createdAt, _.createdAt)
           .withFieldRenamed(_._createdBy, _.createdBy)
+          .enableMethodAccessors
           .transform
     }
 
@@ -597,6 +608,7 @@ object Conversion {
       .withFieldRenamed(_._updatedBy, _.updatedBy)
       .withFieldRenamed(_._updatedAt, _.updatedAt)
       .withFieldConst(_._type, "user")
+      .enableMethodAccessors
       .transform
   )
 
diff --git a/thehive/app/org/thp/thehive/controllers/v0/CustomFieldCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/CustomFieldCtrl.scala
index d4293f404d..6ff80b0a9c 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/CustomFieldCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/CustomFieldCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -14,12 +13,13 @@ import org.thp.thehive.services.CustomFieldSrv
 import play.api.libs.json.{JsNumber, JsObject}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.Success
 
 @Singleton
 class CustomFieldCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     customFieldSrv: CustomFieldSrv,
     override val publicData: PublicCustomField,
     @Named("v0") override val queryExecutor: QueryExecutor
@@ -92,7 +92,6 @@ class PublicCustomField @Inject() (customFieldSrv: CustomFieldSrv) extends Publi
   override val initialQuery: Query = Query.init[Traversal.V[CustomField]]("listCustomField", (graph, _) => customFieldSrv.startTraversal(graph))
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[CustomField], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     {
       case (OutputParam(from, to, _, _), customFieldSteps, _) =>
         customFieldSteps.page(from, to, withTotal = true)
@@ -101,7 +100,6 @@ class PublicCustomField @Inject() (customFieldSrv: CustomFieldSrv) extends Publi
   override val outputQuery: Query = Query.output[CustomField with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[CustomField]](
     "getCustomField",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => customFieldSrv.get(idOrName)(graph)
   )
   override val publicProperties: PublicProperties =
diff --git a/thehive/app/org/thp/thehive/controllers/v0/DashboardCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/DashboardCtrl.scala
index 60ae86a1d4..5224dfa4f3 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/DashboardCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/DashboardCtrl.scala
@@ -24,7 +24,7 @@ class DashboardCtrl @Inject() (
     override val entrypoint: Entrypoint,
     dashboardSrv: DashboardSrv,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     override val publicData: PublicDashboard,
     @Named("v0") override val queryExecutor: QueryExecutor
 ) extends QueryCtrl {
@@ -70,10 +70,9 @@ class DashboardCtrl @Inject() (
   def delete(dashboardId: String): Action[AnyContent] =
     entrypoint("delete dashboard")
       .authTransaction(db) { implicit request => implicit graph =>
-        userSrv
-          .current
-          .dashboards
+        dashboardSrv
           .get(EntityIdOrName(dashboardId))
+          .canUpdate
           .getOrFail("Dashboard")
           .map { dashboard =>
             dashboardSrv.remove(dashboard)
@@ -94,26 +93,24 @@ class PublicDashboard @Inject() (
     Query.init[Traversal.V[Dashboard]](
       "listDashboard",
       (graph, authContext) =>
-        Traversal
+        graph
           .union(
             organisationSrv.filterTraversal(_).get(authContext.organisation).dashboards,
             userSrv.filterTraversal(_).getByName(authContext.userId).dashboards
-          )(graph)
+          )
           .dedup
     )
 
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Dashboard]](
     "getDashboard",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => dashboardSrv.get(idOrName)(graph).visible(authContext)
   )
 
   val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Dashboard], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
-    (range, dashboardSteps, _) => dashboardSteps.richPage(range.from, range.to, withTotal = true)(_.richDashboard)
+    (range, dashboardSteps, authContext) => dashboardSteps.richPage(range.from, range.to, withTotal = true)(_.richDashboard(authContext))
   )
-  override val outputQuery: Query = Query.output[RichDashboard, Traversal.V[Dashboard]](_.richDashboard)
+  override val outputQuery: Query = Query.outputWithContext[RichDashboard, Traversal.V[Dashboard]](_.richDashboard(_))
   val publicProperties: PublicProperties = PublicPropertyListBuilder[Dashboard]
     .property("title", UMapping.string)(_.field.updatable)
     .property("description", UMapping.string)(_.field.updatable)
@@ -121,25 +118,25 @@ class PublicDashboard @Inject() (
     .property("status", UMapping.string)(
       _.select(_.choose(_.organisation, "Shared", "Private"))
         .custom {
-          case (_, "Shared", vertex, _, graph, authContext) =>
+          case (_, "Shared", vertex, graph, authContext) =>
             for {
               dashboard <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
-              _         <- dashboardSrv.share(dashboard, authContext.organisation, writable = false)(graph, authContext)
+              _         <- dashboardSrv.share(dashboard, authContext.organisation, writable = true)(graph, authContext)
             } yield Json.obj("status" -> "Shared")
 
-          case (_, "Private", vertex, _, graph, authContext) =>
+          case (_, "Private", vertex, graph, authContext) =>
             for {
               d <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
               _ <- dashboardSrv.unshare(d, authContext.organisation)(graph, authContext)
             } yield Json.obj("status" -> "Private")
 
-          case (_, "Deleted", vertex, _, graph, authContext) =>
+          case (_, "Deleted", vertex, graph, authContext) =>
             for {
               d <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
               _ <- dashboardSrv.remove(d)(graph, authContext)
             } yield Json.obj("status" -> "Deleted")
 
-          case (_, status, _, _, _, _) =>
+          case (_, status, _, _, _) =>
             Failure(InvalidFormatAttributeError("status", "String", Set("Shared", "Private", "Deleted"), FString(status)))
         }
     )
diff --git a/thehive/app/org/thp/thehive/controllers/v0/DescribeCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/DescribeCtrl.scala
index 1fbfc4b9ec..b6d5140f80 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/DescribeCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/DescribeCtrl.scala
@@ -1,9 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.lang.{Boolean => JBoolean}
-import java.util.Date
-import javax.inject.{Inject, Named, Singleton}
-import org.thp.scalligraph.{EntityId, NotFoundError}
 import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query.PublicProperty
@@ -11,6 +7,7 @@ import org.thp.scalligraph.services.config.ApplicationConfig.durationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.utils.Hash
+import org.thp.scalligraph.{EntityId, NotFoundError}
 import org.thp.thehive.services.CustomFieldSrv
 import play.api.Logger
 import play.api.cache.SyncCacheApi
@@ -18,6 +15,9 @@ import play.api.inject.Injector
 import play.api.libs.json._
 import play.api.mvc.{Action, AnyContent, Results}
 
+import java.lang.{Boolean => JBoolean}
+import java.util.Date
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.duration.Duration
 import scala.util.{Failure, Success, Try}
 
@@ -41,7 +41,7 @@ class DescribeCtrl @Inject() (
     userCtrl: UserCtrl,
     customFieldSrv: CustomFieldSrv,
     injector: Injector,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     applicationConfig: ApplicationConfig
 ) {
 
@@ -88,7 +88,7 @@ class DescribeCtrl @Inject() (
     ).toOption
 
   def entityDescriptions: Seq[EntityDescription] =
-    cacheApi.getOrElseUpdate(s"describe.v0", cacheExpire) {
+    cacheApi.getOrElseUpdate("describe.v0", cacheExpire) {
       Seq(
         EntityDescription("case", "/case", caseCtrl.publicData.publicProperties.list.flatMap(propertyToJson("case", _))),
         EntityDescription("case_task", "/case/task", taskCtrl.publicData.publicProperties.list.flatMap(propertyToJson("case_task", _))),
@@ -206,10 +206,12 @@ class DescribeCtrl @Inject() (
             )
           )
         )
+      case ("dashboard", "status") =>
+        Some(Seq(PropertyDescription("status", "enumeration", Seq(JsString("Shared"), JsString("Private"), JsString("Deleted")))))
       case _ => None
     }
 
-  def propertyToJson(model: String, prop: PublicProperty[_, _]): Seq[PropertyDescription] =
+  def propertyToJson(model: String, prop: PublicProperty): Seq[PropertyDescription] =
     customDescription(model, prop.propertyName).getOrElse {
       prop.mapping.domainTypeClass match {
         case c if c == classOf[Boolean] || c == classOf[JBoolean] => Seq(PropertyDescription(prop.propertyName, "boolean"))
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ListCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ListCtrl.scala
index 2e0e96da88..08a9700bb2 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ListCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ListCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -9,18 +8,18 @@ import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.InputCustomField
 import org.thp.thehive.models.ObservableType
 import org.thp.thehive.services.CustomFieldOps._
-import org.thp.thehive.services.{CustomFieldSrv, ObservableTypeSrv}
+import org.thp.thehive.services.CustomFieldSrv
 import play.api.libs.json.{JsObject, JsString, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success}
 
 @Singleton
 class ListCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
-    customFieldSrv: CustomFieldSrv,
-    observableTypeSrv: ObservableTypeSrv
+    db: Database,
+    customFieldSrv: CustomFieldSrv
 ) {
 
   def list: Action[AnyContent] =
diff --git a/thehive/app/org/thp/thehive/controllers/v0/LogCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/LogCtrl.scala
index a2b2b47a2b..7f3135ee2d 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/LogCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/LogCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, UMapping}
@@ -11,16 +10,16 @@ import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.InputLog
 import org.thp.thehive.models.{Log, Permissions, RichLog}
 import org.thp.thehive.services.LogOps._
-import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.{LogSrv, OrganisationSrv, TaskSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
+
 @Singleton
 class LogCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     logSrv: LogSrv,
     taskSrv: TaskSrv,
     @Named("v0") override val queryExecutor: QueryExecutor,
@@ -67,7 +66,7 @@ class LogCtrl @Inject() (
       .authTransaction(db) { implicit req => implicit graph =>
         for {
           log <- logSrv.get(EntityIdOrName(logId)).can(Permissions.manageTask).getOrFail("Log")
-          _   <- logSrv.cascadeRemove(log)
+          _   <- logSrv.delete(log)
         } yield Results.NoContent
       }
 }
@@ -76,15 +75,13 @@ class LogCtrl @Inject() (
 class PublicLog @Inject() (logSrv: LogSrv, organisationSrv: OrganisationSrv) extends PublicData {
   override val entityName: String = "log"
   override val initialQuery: Query =
-    Query.init[Traversal.V[Log]]("listLog", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).shares.tasks.logs)
+    Query.init[Traversal.V[Log]]("listLog", (graph, authContext) => logSrv.startTraversal(graph).visible(organisationSrv)(authContext))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Log]](
     "getLog",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => logSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => logSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Log], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, logSteps, _) => logSteps.richPage(range.from, range.to, withTotal = true)(_.richLog)
   )
   override val outputQuery: Query = Query.output[RichLog, Traversal.V[Log]](_.richLog)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
index ca56c37fad..af294c2a2e 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
@@ -8,7 +8,7 @@ import org.thp.scalligraph.controllers._
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
 import org.thp.thehive.controllers.v0.Conversion._
 import org.thp.thehive.dto.v0.{InputAttachment, InputObservable}
 import org.thp.thehive.models._
@@ -17,30 +17,29 @@ import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
-import org.thp.thehive.services.TagOps._
 import org.thp.thehive.services._
 import play.api.Configuration
 import play.api.libs.Files.DefaultTemporaryFileCreator
 import play.api.libs.json.{JsArray, JsObject, JsValue, Json}
 import play.api.mvc.{Action, AnyContent, Results}
+import shapeless._
 
 import java.io.FilterInputStream
 import java.nio.file.Files
+import java.util.Base64
 import javax.inject.{Inject, Named, Singleton}
 import scala.collection.JavaConverters._
 import scala.util.{Failure, Success, Try}
-import shapeless._
-
-import java.util.Base64
 
 @Singleton
 class ObservableCtrl @Inject() (
     configuration: Configuration,
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     observableSrv: ObservableSrv,
     observableTypeSrv: ObservableTypeSrv,
     caseSrv: CaseSrv,
+    organisationSrv: OrganisationSrv,
     alertSrv: AlertSrv,
     attachmentSrv: AttachmentSrv,
     errorHandler: ErrorHandler,
@@ -79,10 +78,10 @@ class ObservableCtrl @Inject() (
               val successesAndFailures =
                 if (observableType.isAttachment)
                   inputAttachObs
-                    .flatMap(obs => obs.attachment.map(createAttachmentObservableInCase(case0, obs, observableType, _)))
+                    .flatMap(obs => obs.attachment.map(createAttachmentObservableInCase(case0, obs, _)))
                 else
                   inputAttachObs
-                    .flatMap(obs => obs.data.map(createSimpleObservableInCase(case0, obs, observableType, _)))
+                    .flatMap(obs => obs.data.map(createSimpleObservableInCase(case0, obs, _)))
               val (successes, failures) = successesAndFailures
                 .foldLeft[(Seq[JsValue], Seq[JsValue])]((Nil, Nil)) {
                   case ((s, f), Right(o)) => (s :+ o, f)
@@ -96,14 +95,11 @@ class ObservableCtrl @Inject() (
   private def createSimpleObservableInCase(
       `case`: Case with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       data: String
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        observableSrv
-          .create(inputObservable.toObservable, observableType, data, inputObservable.tags, Nil)
-          .flatMap(o => caseSrv.addObservable(`case`, o).map(_ => o))
+        caseSrv.createObservable(`case`, inputObservable.toObservable, data)
       } match {
       case Success(o)     => Right(o.toJson)
       case Failure(error) => Left(errorHandler.toErrorResult(error)._2 ++ Json.obj("object" -> Json.obj("data" -> data)))
@@ -112,20 +108,19 @@ class ObservableCtrl @Inject() (
   private def createAttachmentObservableInCase(
       `case`: Case with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       fileOrAttachment: Either[FFile, InputAttachment]
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        val observable = fileOrAttachment match {
-          case Left(file) => observableSrv.create(inputObservable.toObservable, observableType, file, inputObservable.tags, Nil)
+        fileOrAttachment match {
+          case Left(file) =>
+            caseSrv.createObservable(`case`, inputObservable.toObservable, file)
           case Right(attachment) =>
             for {
               attach <- attachmentSrv.duplicate(attachment.name, attachment.contentType, attachment.id)
-              obs    <- observableSrv.create(inputObservable.toObservable, observableType, attach, inputObservable.tags, Nil)
+              obs    <- caseSrv.createObservable(`case`, inputObservable.toObservable, attach)
             } yield obs
         }
-        observable.flatMap(o => caseSrv.addObservable(`case`, o).map(_ => o))
       } match {
       case Success(o) => Right(o.toJson)
       case _ =>
@@ -150,7 +145,7 @@ class ObservableCtrl @Inject() (
               alert <-
                 alertSrv
                   .get(EntityIdOrName(alertId))
-                  .can(Permissions.manageAlert)
+                  .can(organisationSrv, Permissions.manageAlert)
                   .orFail(AuthorizationError("Operation not permitted"))
               observableType <- observableTypeSrv.getOrFail(EntityName(inputObservable.dataType))
             } yield (alert, observableType)
@@ -163,11 +158,11 @@ class ObservableCtrl @Inject() (
                     .flatMap { obs =>
                       (obs.attachment.map(_.fold(Coproduct[AnyAttachmentType](_), Coproduct[AnyAttachmentType](_))) ++
                         obs.data.map(Coproduct[AnyAttachmentType](_)))
-                        .map(createAttachmentObservableInAlert(alert, obs, observableType, _))
+                        .map(createAttachmentObservableInAlert(alert, obs, _))
                     }
                 else
                   inputAttachObs
-                    .flatMap(obs => obs.data.map(createSimpleObservableInAlert(alert, obs, observableType, _)))
+                    .flatMap(obs => obs.data.map(createSimpleObservableInAlert(alert, obs, _)))
               val (successes, failures) = successesAndFailures
                 .foldLeft[(Seq[JsValue], Seq[JsValue])]((Nil, Nil)) {
                   case ((s, f), Right(o)) => (s :+ o, f)
@@ -181,14 +176,11 @@ class ObservableCtrl @Inject() (
   private def createSimpleObservableInAlert(
       alert: Alert with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       data: String
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        observableSrv
-          .create(inputObservable.toObservable, observableType, data, inputObservable.tags, Nil)
-          .flatMap(o => alertSrv.addObservable(alert, o).map(_ => o))
+        alertSrv.createObservable(alert, inputObservable.toObservable, data)
       } match {
       case Success(o)     => Right(o.toJson)
       case Failure(error) => Left(errorHandler.toErrorResult(error)._2 ++ Json.obj("object" -> Json.obj("data" -> data)))
@@ -197,19 +189,18 @@ class ObservableCtrl @Inject() (
   private def createAttachmentObservableInAlert(
       alert: Alert with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       attachment: AnyAttachmentType
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
         object createAttachment extends Poly1 {
           implicit val fromFile: Case.Aux[FFile, Try[RichObservable]] = at[FFile] { file =>
-            observableSrv.create(inputObservable.toObservable, observableType, file, inputObservable.tags, Nil)
+            alertSrv.createObservable(alert, inputObservable.toObservable, file)
           }
           implicit val fromAttachment: Case.Aux[InputAttachment, Try[RichObservable]] = at[InputAttachment] { attachment =>
             for {
               attach <- attachmentSrv.duplicate(attachment.name, attachment.contentType, attachment.id)
-              obs    <- observableSrv.create(inputObservable.toObservable, observableType, attach, inputObservable.tags, Nil)
+              obs    <- alertSrv.createObservable(alert, inputObservable.toObservable, attach)
             } yield obs
           }
 
@@ -219,20 +210,17 @@ class ObservableCtrl @Inject() (
                 val data = Base64.getDecoder.decode(value)
                 attachmentSrv
                   .create(filename, contentType, data)
-                  .flatMap(attachment => observableSrv.create(inputObservable.toObservable, observableType, attachment, inputObservable.tags, Nil))
+                  .flatMap(attachment => alertSrv.createObservable(alert, inputObservable.toObservable, attachment))
               case Array(filename, contentType) =>
                 attachmentSrv
                   .create(filename, contentType, Array.emptyByteArray)
-                  .flatMap(attachment => observableSrv.create(inputObservable.toObservable, observableType, attachment, inputObservable.tags, Nil))
+                  .flatMap(attachment => alertSrv.createObservable(alert, inputObservable.toObservable, attachment))
               case data =>
                 Failure(InvalidFormatAttributeError("artifacts.data", "filename;contentType;base64value", Set.empty, FString(data.mkString(";"))))
             }
           }
         }
-
-        attachment
-          .fold(createAttachment)
-          .flatMap(o => alertSrv.addObservable(alert, o).map(_ => o))
+        attachment.fold(createAttachment)
       } match {
       case Success(o) => Right(o.toJson)
       case _ =>
@@ -252,7 +240,7 @@ class ObservableCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         observableSrv
           .get(EntityIdOrName(observableId))
-          .visible
+          .visible(organisationSrv)
           .richObservable
           .getOrFail("Observable")
           .map { observable =>
@@ -267,7 +255,7 @@ class ObservableCtrl @Inject() (
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
         observableSrv
           .update(
-            _.get(EntityIdOrName(observableId)).canManage,
+            _.get(EntityIdOrName(observableId)).canManage(organisationSrv),
             propertyUpdaters
           )
           .flatMap {
@@ -284,10 +272,10 @@ class ObservableCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         val observables = observableSrv
           .get(EntityIdOrName(observableId))
-          .visible
+          .visible(organisationSrv)
           .filteredSimilar
-          .visible
-          .richObservableWithCustomRenderer(observableLinkRenderer)
+          .visible(organisationSrv)
+          .richObservableWithCustomRenderer(organisationSrv, observableLinkRenderer)
           .toSeq
 
         Success(Results.Ok(observables.toJson))
@@ -303,7 +291,7 @@ class ObservableCtrl @Inject() (
         ids
           .toTry { id =>
             observableSrv
-              .update(_.get(EntityIdOrName(id)).canManage, properties)
+              .update(_.get(EntityIdOrName(id)).canManage(organisationSrv), properties)
           }
           .map(_ => Results.NoContent)
       }
@@ -315,9 +303,9 @@ class ObservableCtrl @Inject() (
           observable <-
             observableSrv
               .get(EntityIdOrName(observableId))
-              .canManage
+              .canManage(organisationSrv)
               .getOrFail("Observable")
-          _ <- observableSrv.remove(observable)
+          _ <- observableSrv.delete(observable)
         } yield Results.NoContent
       }
 
@@ -380,26 +368,24 @@ class PublicObservable @Inject() (
     )
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Observable]](
     "getObservable",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => observableSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => observableSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[Observable], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       {
         case (OutputParam(from, to, withStats, 0), observableSteps, authContext) =>
           observableSteps
             .richPage(from, to, withTotal = true) {
               case o if withStats =>
-                o.richObservableWithCustomRenderer(observableStatsRenderer(authContext))(authContext)
+                o.richObservableWithCustomRenderer(organisationSrv, observableStatsRenderer(organisationSrv)(authContext))(authContext)
                   .domainMap(ros => (ros._1, ros._2, None: Option[RichCase]))
               case o =>
                 o.richObservable.domainMap(ro => (ro, JsObject.empty, None))
             }
         case (OutputParam(from, to, _, _), observableSteps, authContext) =>
           observableSteps.richPage(from, to, withTotal = true)(
-            _.richObservableWithCustomRenderer(o => o.`case`.richCase(authContext))(authContext).domainMap(roc =>
+            _.richObservableWithCustomRenderer(organisationSrv, o => o.`case`.richCase(authContext))(authContext).domainMap(roc =>
               (roc._1, JsObject.empty, Some(roc._2): Option[RichCase])
             )
           )
@@ -413,7 +399,7 @@ class PublicObservable @Inject() (
     ),
     Query[Traversal.V[Observable], Traversal.V[Observable]](
       "similar",
-      (observableSteps, authContext) => observableSteps.filteredSimilar.visible(authContext)
+      (observableSteps, authContext) => observableSteps.filteredSimilar.visible(organisationSrv)(authContext)
     ),
     Query[Traversal.V[Observable], Traversal.V[Case]]("case", (observableSteps, _) => observableSteps.`case`),
     Query[Traversal.V[Observable], Traversal.V[Alert]]("alert", (observableSteps, _) => observableSteps.alert)
@@ -425,26 +411,12 @@ class PublicObservable @Inject() (
     .property("sighted", UMapping.boolean)(_.field.updatable)
     .property("ignoreSimilarity", UMapping.boolean)(_.field.updatable)
     .property("tags", UMapping.string.set)(
-      _.select(_.tags.displayName)
-        .filter((_, cases) =>
-          cases
-            .tags
-            .graphMap[String, String, Converter.Identity[String]](
-              { v =>
-                val namespace = UMapping.string.getProperty(v, "namespace")
-                val predicate = UMapping.string.getProperty(v, "predicate")
-                val value     = UMapping.string.optional.getProperty(v, "value")
-                Tag(namespace, predicate, value, None, 0).toString
-              },
-              Converter.identity[String]
-            )
-        )
-        .converter(_ => Converter.identity[String])
-        .custom { (_, value, vertex, _, graph, authContext) =>
+      _.field
+        .custom { (_, value, vertex, graph, authContext) =>
           observableSrv
             .get(vertex)(graph)
             .getOrFail("Observable")
-            .flatMap(observable => observableSrv.updateTagNames(observable, value)(graph, authContext))
+            .flatMap(observable => observableSrv.updateTags(observable, value)(graph, authContext))
             .map(_ => Json.obj("tags" -> value))
         }
     )
@@ -457,5 +429,6 @@ class PublicObservable @Inject() (
     .property("attachment.size", UMapping.long.optional)(_.select(_.attachments.value(_.size)).readonly)
     .property("attachment.contentType", UMapping.string.optional)(_.select(_.attachments.value(_.contentType)).readonly)
     .property("attachment.id", UMapping.string.optional)(_.select(_.attachments.value(_.attachmentId)).readonly)
+    .property("relatedId", UMapping.entityId)(_.field.readonly)
     .build
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ObservableRenderer.scala b/thehive/app/org/thp/thehive/controllers/v0/ObservableRenderer.scala
index 5076cdac72..b55f024c48 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ObservableRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ObservableRenderer.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.lang.{Boolean => JBoolean, Long => JLong}
-import java.util.{Map => JMap}
-
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.Traversal.V
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -12,15 +9,19 @@ import org.thp.thehive.models.Observable
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.OrganisationSrv
 import play.api.libs.json.{JsObject, Json}
 
+import java.lang.{Boolean => JBoolean, Long => JLong}
+import java.util.{Map => JMap}
+
 trait ObservableRenderer {
 
-  def observableStatsRenderer(implicit
+  def observableStatsRenderer(organisationSrv: OrganisationSrv)(implicit
       authContext: AuthContext
   ): Traversal.V[Observable] => Traversal[JsObject, JMap[JBoolean, JLong], Converter[JsObject, JMap[JBoolean, JLong]]] =
     _.filteredSimilar
-      .visible
+      .visible(organisationSrv)
       .groupCount(_.byValue(_.ioc))
       .domainMap { stats =>
         val nTrue  = stats.getOrElse(true, 0L)
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ObservableTypeCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ObservableTypeCtrl.scala
index ce4e22dab1..942027274d 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ObservableTypeCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ObservableTypeCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -13,10 +12,12 @@ import org.thp.thehive.models.{ObservableType, Permissions}
 import org.thp.thehive.services.ObservableTypeSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
+
 @Singleton
 class ObservableTypeCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     observableTypeSrv: ObservableTypeSrv,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicObservableType
@@ -54,13 +55,11 @@ class PublicObservableType @Inject() (observableTypeSrv: ObservableTypeSrv) exte
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[ObservableType], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, observableTypeSteps, _) => observableTypeSteps.richPage(range.from, range.to, withTotal = true)(identity)
     )
   override val outputQuery: Query = Query.output[ObservableType with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[ObservableType]](
     "getObservableType",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => observableTypeSrv.get(idOrName)(graph)
   )
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[ObservableType]
diff --git a/thehive/app/org/thp/thehive/controllers/v0/OrganisationCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/OrganisationCtrl.scala
index fdc5c9445c..75da26efd7 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/OrganisationCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/OrganisationCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
 import org.thp.scalligraph.query._
@@ -15,6 +14,7 @@ import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success}
 
 @Singleton
@@ -22,7 +22,7 @@ class OrganisationCtrl @Inject() (
     override val entrypoint: Entrypoint,
     organisationSrv: OrganisationSrv,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") implicit override val db: Database,
+    implicit override val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicOrganisation
 ) extends QueryCtrl {
@@ -133,13 +133,11 @@ class PublicOrganisation @Inject() (organisationSrv: OrganisationSrv) extends Pu
     Query.init[Traversal.V[Organisation]]("listOrganisation", (graph, authContext) => organisationSrv.startTraversal(graph).visible(authContext))
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Organisation], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, organisationSteps, _) => organisationSteps.page(range.from, range.to, withTotal = true)
   )
   override val outputQuery: Query = Query.output[Organisation with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Organisation]](
     "getOrganisation",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => organisationSrv.get(idOrName)(graph).visible(authContext)
   )
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
diff --git a/thehive/app/org/thp/thehive/controllers/v0/PageCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/PageCtrl.scala
index db97600f86..c8485a390a 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/PageCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/PageCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -15,11 +14,13 @@ import org.thp.thehive.services.PageOps._
 import org.thp.thehive.services.{OrganisationSrv, PageSrv}
 import play.api.mvc._
 
+import javax.inject.{Inject, Named, Singleton}
+
 @Singleton
 class PageCtrl @Inject() (
     override val entrypoint: Entrypoint,
     pageSrv: PageSrv,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicPage
 ) extends QueryCtrl {
@@ -73,12 +74,10 @@ class PublicPage @Inject() (pageSrv: PageSrv, organisationSrv: OrganisationSrv)
     Query.init[Traversal.V[Page]]("listPage", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).pages)
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Page]](
     "getPage",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => pageSrv.get(idOrName)(graph).visible(authContext)
   )
   val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Page], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, pageSteps, _) => pageSteps.page(range.from, range.to, withTotal = true)
   )
   override val outputQuery: Query = Query.output[Page with Entity]
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ProfileCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ProfileCtrl.scala
index da4a28d934..5a7d98d8af 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ProfileCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ProfileCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
 import org.thp.scalligraph.query._
@@ -14,6 +13,7 @@ import org.thp.thehive.services.ProfileOps._
 import org.thp.thehive.services.ProfileSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.Failure
 
 @Singleton
@@ -21,7 +21,7 @@ class ProfileCtrl @Inject() (
     override val entrypoint: Entrypoint,
     profileSrv: ProfileSrv,
     override val publicData: PublicProfile,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor
 ) extends QueryCtrl {
   def create: Action[AnyContent] =
@@ -75,7 +75,6 @@ class PublicProfile @Inject() (profileSrv: ProfileSrv) extends PublicData {
 
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Profile]](
     "getProfile",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => profileSrv.get(idOrName)(graph)
   )
   val initialQuery: Query =
@@ -83,7 +82,6 @@ class PublicProfile @Inject() (profileSrv: ProfileSrv) extends PublicData {
 
   val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Profile], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, profileSteps, _) => profileSteps.page(range.from, range.to, withTotal = true)
   )
   override val outputQuery: Query = Query.output[Profile with Entity]
diff --git a/thehive/app/org/thp/thehive/controllers/v0/QueryCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/QueryCtrl.scala
index b6c1028f17..936be7426d 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/QueryCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/QueryCtrl.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.controllers.v0
 
 import org.apache.tinkerpop.gremlin.process.traversal.Order
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.scalactic.Accumulation._
 import org.scalactic.Good
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers._
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query._
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.Traversal.Unk
 import org.thp.thehive.services.th3.TH3Aggregation
 import play.api.Logger
@@ -90,7 +90,7 @@ trait QueryCtrl {
             .map(inputFilter => filterQuery.toQuery(inputFilter))
             .fold(publicData.initialQuery)(publicData.initialQuery.andThen)
         aggs <- aggregationParser.sequence(field.get("stats"))
-      } yield aggs.map(a => filteredQuery andThen new AggregationQuery(db, queryExecutor.publicProperties, filterQuery).toQuery(a))
+      } yield aggs.map(a => filteredQuery andThen new AggregationQuery(queryExecutor.publicProperties, filterQuery).toQuery(a))
   }
 
   def searchParser(initialQuery: Query = publicData.initialQuery): FieldsParser[Query] =
@@ -103,7 +103,7 @@ trait QueryCtrl {
               .map(inputFilter => filterQuery.toQuery(inputFilter))
               .fold(initialQuery)(initialQuery.andThen)
           inputSort <- sortParser(field.get("sort"))
-          sortedQuery = filteredQuery andThen new SortQuery(db, queryExecutor.publicProperties).toQuery(inputSort)
+          sortedQuery = filteredQuery andThen new SortQuery(queryExecutor.publicProperties).toQuery(inputSort)
           outputParam <- outputParamParser.optional(field).map(_.getOrElse(OutputParam(0, 10, withStats = false, withParents = 0)))
           outputQuery = publicData.pageQuery.toQuery(outputParam)
         } yield sortedQuery andThen outputQuery
diff --git a/thehive/app/org/thp/thehive/controllers/v0/Router.scala b/thehive/app/org/thp/thehive/controllers/v0/Router.scala
index 56093f66d8..f527e5edd4 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/Router.scala
@@ -1,10 +1,11 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Singleton}
 import play.api.routing.Router.Routes
 import play.api.routing.SimpleRouter
 import play.api.routing.sird._
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class Router @Inject() (
     alertCtrl: AlertCtrl,
@@ -118,17 +119,17 @@ class Router @Inject() (
     case GET(p"/case/artifact/$observableId/similar") => observableCtrl.findSimilar(observableId)
     //    case POST(p"/case/:caseId/artifact/_search")    => observableCtrl.findInCase(caseId)
 
-    case GET(p"/case")                  => caseCtrl.search
-    case POST(p"/case/_search")         => caseCtrl.search
-    case POST(p"/case/_stats")          => caseCtrl.stats
-    case POST(p"/case")                 => caseCtrl.create
-    case GET(p"/case/$caseId")          => caseCtrl.get(caseId)
-    case PATCH(p"/case/_bulk")          => caseCtrl.bulkUpdate     // Not used by the frontend
-    case PATCH(p"/case/$caseId")        => caseCtrl.update(caseId)
-    case DELETE(p"/case/$caseId")       => caseCtrl.delete(caseId) // Not used by the frontend
-    case DELETE(p"/case/$caseId/force") => caseCtrl.delete(caseId)
-    case POST(p"/case/_merge/$caseIds") => caseCtrl.merge(caseIds) // Not implemented in backend and not used by frontend
-    case GET(p"/case/$caseId/links")    => caseCtrl.linkedCases(caseId)
+    case GET(p"/case")                          => caseCtrl.search
+    case POST(p"/case")                         => caseCtrl.create         // Audit ok
+    case GET(p"/case/$caseId")                  => caseCtrl.get(caseId)
+    case PATCH(p"/case/_bulk")                  => caseCtrl.bulkUpdate     // Not used by the frontend
+    case PATCH(p"/case/$caseId")                => caseCtrl.update(caseId) // Audit ok
+    case POST(p"/case/$caseId/_merge/$toMerge") => caseCtrl.merge(caseId, toMerge)
+    case POST(p"/case/_search")                 => caseCtrl.search
+    case POST(p"/case/_stats")                  => caseCtrl.stats
+    case DELETE(p"/case/$caseId")               => caseCtrl.delete(caseId) // Not used by the frontend
+    case DELETE(p"/case/$caseId/force")         => caseCtrl.delete(caseId) // Audit ok
+    case GET(p"/case/$caseId/links")            => caseCtrl.linkedCases(caseId)
 
     case GET(p"/config/user")               => configCtrl.userList
     case GET(p"/config/user/$path")         => configCtrl.userGet(path)
@@ -214,7 +215,6 @@ class Router @Inject() (
     case GET(p"/tag")          => tagCtrl.search
     case POST(p"/tag/_search") => tagCtrl.search
     case POST(p"/tag/_stats")  => tagCtrl.stats
-    case POST(p"/tag/_import") => tagCtrl.importTaxonomy
     case GET(p"/tag/$id")      => tagCtrl.get(id)
 
     case GET(p"/user")                          => userCtrl.search
diff --git a/thehive/app/org/thp/thehive/controllers/v0/ShareCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ShareCtrl.scala
index 4d3c6f890c..6048337360 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ShareCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ShareCtrl.scala
@@ -1,10 +1,9 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntityIdOrName, RichSeq}
 import org.thp.thehive.controllers.v0.Conversion._
@@ -18,6 +17,7 @@ import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services._
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -29,7 +29,7 @@ class ShareCtrl @Inject() (
     taskSrv: TaskSrv,
     observableSrv: ObservableSrv,
     profileSrv: ProfileSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) {
 
   def shareCase(caseId: String): Action[AnyContent] =
@@ -80,27 +80,21 @@ class ShareCtrl @Inject() (
       .extract("organisations", FieldsParser[String].sequence.on("organisations"))
       .authTransaction(db) { implicit request => implicit graph =>
         val organisations: Seq[String] = request.body("organisations")
-        organisations
-          .map(EntityIdOrName(_))
-          .toTry { organisationId =>
-            for {
-              organisation <- organisationSrv.get(organisationId).getOrFail("Organisation")
-              _ <-
-                if (request.organisation.fold(_ == organisation._id, _ == organisation.name))
-                  Failure(BadRequestError("You cannot remove your own share"))
-                else Success(())
-              shareId <-
-                caseSrv
-                  .get(EntityIdOrName(caseId))
-                  .can(Permissions.manageShare)
-                  .share(organisationId)
-                  .has(_.owner, false)
-                  ._id
-                  .orFail(AuthorizationError("Operation not permitted"))
-              _ <- shareSrv.remove(shareId)
-            } yield ()
-          }
-          .map(_ => Results.NoContent)
+
+        val organisationIds = organisations.map(o => organisationSrv.getId(EntityIdOrName(o)))
+        if (organisationIds.contains(organisationSrv.currentId))
+          Failure(BadRequestError("You cannot remove your own share"))
+        else
+          caseSrv
+            .get(EntityIdOrName(caseId))
+            .can(Permissions.manageShare)
+            .shares
+            .filter(_.organisation.getByIds(organisationIds: _*))
+            .has(_.owner, false)
+            ._id
+            .toSeq
+            .toTry(shareSrv.unshareCase)
+            .map(_ => Results.NoContent)
       }
 
   def removeTaskShares(taskId: String): Action[AnyContent] =
@@ -115,7 +109,7 @@ class ShareCtrl @Inject() (
             organisations.toTry { organisationName =>
               organisationSrv
                 .getOrFail(EntityIdOrName(organisationName))
-                .flatMap(shareSrv.removeShareTasks(task, _))
+                .flatMap(shareSrv.unshareTask(task, _))
             }
           }
           .map(_ => Results.NoContent)
@@ -133,7 +127,7 @@ class ShareCtrl @Inject() (
             organisations.toTry { organisationName =>
               organisationSrv
                 .getOrFail(EntityIdOrName(organisationName))
-                .flatMap(shareSrv.removeShareObservable(observable, _))
+                .flatMap(shareSrv.unshareObservable(observable, _))
             }
           }
           .map(_ => Results.NoContent)
@@ -147,7 +141,7 @@ class ShareCtrl @Inject() (
     else if (shareSrv.get(shareId).has(_.owner, true).exists)
       Failure(AuthorizationError("You can't remove initial shares"))
     else
-      shareSrv.remove(shareId)
+      shareSrv.unshareCase(shareId)
 
   def updateShare(shareId: String): Action[AnyContent] =
     entrypoint("update share")
@@ -164,7 +158,7 @@ class ShareCtrl @Inject() (
               .richShare
               .getOrFail("Share")
           profile <- profileSrv.getOrFail(EntityIdOrName(profile))
-          _       <- shareSrv.update(richShare.share, profile)
+          _       <- shareSrv.updateProfile(richShare.share, profile)
         } yield Results.Ok
       }
 
@@ -174,7 +168,8 @@ class ShareCtrl @Inject() (
         val shares = caseSrv
           .get(EntityIdOrName(caseId))
           .shares
-          .filter(_.organisation.filterNot(_.get(request.organisation)).visible)
+          .visible
+          .filterNot(_.organisation.current)
           .richShare
           .toSeq
 
diff --git a/thehive/app/org/thp/thehive/controllers/v0/StatsCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/StatsCtrl.scala
index be261c5bea..c34908d328 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/StatsCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/StatsCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.scalactic.Accumulation._
 import org.thp.scalligraph.AttributeCheckingError
 import org.thp.scalligraph.controllers.{Entrypoint, Field, FieldsParser}
@@ -9,6 +8,8 @@ import play.api.Logger
 import play.api.libs.json.JsObject
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class StatsCtrl @Inject() (
     entrypoint: Entrypoint,
@@ -26,7 +27,7 @@ class StatsCtrl @Inject() (
     tagCtrl: TagCtrl,
     pageCtrl: PageCtrl,
     queryExecutor: TheHiveQueryExecutor,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) {
   lazy val logger: Logger = Logger(getClass)
 
diff --git a/thehive/app/org/thp/thehive/controllers/v0/StatusCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/StatusCtrl.scala
index 61404c7d1f..f2d0aa0a6a 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/StatusCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/StatusCtrl.scala
@@ -2,17 +2,17 @@ package org.thp.thehive.controllers.v0
 
 import org.thp.scalligraph.auth.{AuthCapability, AuthSrv, MultiAuthSrv}
 import org.thp.scalligraph.controllers.Entrypoint
-import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.models.{Database, UpdatableSchema}
 import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.{EntityName, ScalligraphApplicationLoader}
 import org.thp.thehive.TheHiveModule
-import org.thp.thehive.models.{HealthStatus, TheHiveSchemaDefinition, User}
+import org.thp.thehive.models.{HealthStatus, User}
 import org.thp.thehive.services.{Connector, UserSrv}
 import play.api.libs.json.{JsObject, JsString, Json}
 import play.api.mvc.{AbstractController, Action, AnyContent, Results}
 
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.collection.immutable
 import scala.concurrent.duration.FiniteDuration
 import scala.util.Success
@@ -24,8 +24,8 @@ class StatusCtrl @Inject() (
     authSrv: AuthSrv,
     userSrv: UserSrv,
     connectors: immutable.Set[Connector],
-    theHiveSchemaDefinition: TheHiveSchemaDefinition,
-    @Named("with-thehive-schema") db: Database
+    schemas: immutable.Set[UpdatableSchema],
+    db: Database
 ) {
 
   val passwordConfig: ConfigItem[String, String] = appConfig.item[String]("datastore.attachment.password", "Password used to protect attachment ZIP")
@@ -57,7 +57,7 @@ class StatusCtrl @Inject() (
               "ssoAutoLogin"    -> authSrv.capabilities.contains(AuthCapability.sso),
               "pollingDuration" -> streamPollingDuration.toMillis
             ),
-            "schemaStatus" -> (connectors.flatMap(_.schemaStatus) ++ theHiveSchemaDefinition.schemaStatus).map { schemaStatus =>
+            "schemaStatus" -> schemas.flatMap(_.schemaStatus).map { schemaStatus =>
               Json.obj(
                 "name"            -> schemaStatus.name,
                 "currentVersion"  -> schemaStatus.currentVersion,
diff --git a/thehive/app/org/thp/thehive/controllers/v0/StreamCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/StreamCtrl.scala
index d3281d63f5..6b65f7b165 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/StreamCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/StreamCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.Order
 import org.thp.scalligraph.auth.{ExpirationStatus, SessionAuthSrv}
 import org.thp.scalligraph.controllers.Entrypoint
@@ -12,6 +11,7 @@ import org.thp.thehive.services._
 import play.api.libs.json.{JsArray, JsObject, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.Success
 
@@ -23,7 +23,7 @@ class StreamCtrl @Inject() (
     val caseSrv: CaseSrv,
     val taskSrv: TaskSrv,
     val userSrv: UserSrv,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     implicit val schema: Schema,
     implicit val ec: ExecutionContext
 ) extends AuditRenderer {
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TagCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TagCtrl.scala
index 45a85f7abf..2f0cff7889 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/TagCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/TagCtrl.scala
@@ -1,98 +1,29 @@
 package org.thp.thehive.controllers.v0
 
-import java.nio.file.Files
-
-import javax.inject.{Inject, Named, Singleton}
+import org.apache.tinkerpop.gremlin.process.traversal.Order
 import org.apache.tinkerpop.gremlin.structure.Vertex
-import org.thp.scalligraph.controllers.{Entrypoint, FFile, FieldsParser, Renderer}
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.controllers.{Entrypoint, Renderer}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
-import org.thp.scalligraph.{EntityIdOrName, RichSeq}
+import org.thp.scalligraph.utils.FunctionalCondition.When
 import org.thp.thehive.controllers.v0.Conversion._
-import org.thp.thehive.models.{Permissions, Tag}
+import org.thp.thehive.models.Tag
 import org.thp.thehive.services.TagOps._
-import org.thp.thehive.services.TagSrv
-import play.api.libs.json.{JsNumber, JsObject, JsValue, Json}
+import org.thp.thehive.services.{OrganisationSrv, TagSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
-import scala.util.Try
+import javax.inject.{Inject, Named, Singleton}
 
 class TagCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     tagSrv: TagSrv,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicTag
 ) extends QueryCtrl {
-  def importTaxonomy: Action[AnyContent] =
-    entrypoint("import taxonomy")
-      .extract("file", FieldsParser.file.optional.on("file"))
-      .extract("content", FieldsParser.jsObject.optional.on("content"))
-      .authPermittedTransaction(db, Permissions.manageTag) { implicit request => implicit graph =>
-        val file: Option[FFile]       = request.body("file")
-        val content: Option[JsObject] = request.body("content")
-        val tags = file
-          .fold(Seq.empty[Tag])(ffile => parseTaxonomy(Json.parse(Files.newInputStream(ffile.filepath)))) ++
-          content.fold(Seq.empty[Tag])(parseTaxonomy)
-
-        tags
-          .filterNot(tagSrv.startTraversal.getTag(_).exists)
-          .toTry(tagSrv.create)
-          .map(ts => Results.Ok(JsNumber(ts.size)))
-      }
-
-  def parseTaxonomy(taxonomy: JsValue): Seq[Tag] =
-    (taxonomy \ "namespace").asOpt[String].fold(Seq.empty[Tag]) { namespace =>
-      (taxonomy \ "values").asOpt[Seq[JsObject]].filter(_.nonEmpty) match {
-        case Some(values) => parseValues(namespace, values)
-        case _            => (taxonomy \ "predicates").asOpt[Seq[JsObject]].fold(Seq.empty[Tag])(parsePredicates(namespace, _))
-      }
-    }
-
-  def parseValues(namespace: String, values: Seq[JsObject]): Seq[Tag] =
-    for {
-      value <-
-        values
-          .foldLeft((Seq.empty[JsObject], Seq.empty[String]))((acc, v) => distinct((v \ "predicate").asOpt[String], acc, v))
-          ._1
-      predicate <- (value \ "predicate").asOpt[String].toList
-      entry <-
-        (value \ "entry")
-          .asOpt[Seq[JsObject]]
-          .getOrElse(Nil)
-          .foldLeft((Seq.empty[JsObject], Seq.empty[String]))((acc, v) => distinct((v \ "value").asOpt[String], acc, v))
-          ._1
-      v <- (entry \ "value").asOpt[String]
-      colour =
-        (entry \ "colour")
-          .asOpt[String]
-          .map(parseColour)
-          .getOrElse(0) // black
-      e = (entry \ "description").asOpt[String] orElse (entry \ "expanded").asOpt[String]
-    } yield Tag(namespace, predicate, Some(v), e, colour)
-
-  def parseColour(colour: String): Int = if (colour(0) == '#') Try(Integer.parseUnsignedInt(colour.tail, 16)).getOrElse(0) else 0
-
-  private def distinct(valueOpt: Option[String], acc: (Seq[JsObject], Seq[String]), v: JsObject): (Seq[JsObject], Seq[String]) =
-    if (valueOpt.isDefined && acc._2.contains(valueOpt.get)) acc
-    else (acc._1 :+ v, valueOpt.fold(acc._2)(acc._2 :+ _))
-
-  def parsePredicates(namespace: String, predicates: Seq[JsObject]): Seq[Tag] =
-    for {
-      predicate <-
-        predicates
-          .foldLeft((Seq.empty[JsObject], Seq.empty[String]))((acc, v) => distinct((v \ "value").asOpt[String], acc, v))
-          ._1
-      v <- (predicate \ "value").asOpt[String]
-      e = (predicate \ "expanded").asOpt[String]
-      colour =
-        (predicate \ "colour")
-          .asOpt[String]
-          .map(parseColour)
-          .getOrElse(0) // black
-    } yield Tag(namespace, v, None, e, colour)
 
   def get(tagId: String): Action[AnyContent] =
     entrypoint("get tag")
@@ -105,19 +36,20 @@ class TagCtrl @Inject() (
       }
 }
 
+case class TagHint(freeTag: Option[String], namespace: Option[String], predicate: Option[String], value: Option[String], limit: Option[Long])
+
 @Singleton
-class PublicTag @Inject() (tagSrv: TagSrv) extends PublicData {
-  override val entityName: String  = "tag"
-  override val initialQuery: Query = Query.init[Traversal.V[Tag]]("listTag", (graph, _) => tagSrv.startTraversal(graph))
+class PublicTag @Inject() (tagSrv: TagSrv, organisationSrv: OrganisationSrv) extends PublicData {
+  override val entityName: String = "tag"
+  override val initialQuery: Query =
+    Query.init[Traversal.V[Tag]]("listTag", (graph, authContext) => tagSrv.startTraversal(graph).visible(authContext))
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Tag], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, tagSteps, _) => tagSteps.page(range.from, range.to, withTotal = true)
   )
   override val outputQuery: Query = Query.output[Tag with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Tag]](
     "getTag",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => tagSrv.get(idOrName)(graph)
   )
   implicit val stringRenderer: Renderer[String] = Renderer.toJson[String, String](identity)
@@ -125,6 +57,17 @@ class PublicTag @Inject() (tagSrv: TagSrv) extends PublicData {
     Query[Traversal.V[Tag], Traversal.V[Tag]]("fromCase", (tagSteps, _) => tagSteps.fromCase),
     Query[Traversal.V[Tag], Traversal.V[Tag]]("fromObservable", (tagSteps, _) => tagSteps.fromObservable),
     Query[Traversal.V[Tag], Traversal.V[Tag]]("fromAlert", (tagSteps, _) => tagSteps.fromAlert),
+    Query.initWithParam[TagHint, Traversal[String, Vertex, Converter[String, Vertex]]](
+      "tagAutoComplete",
+      (tagHint, graph, authContext) =>
+        tagHint
+          .freeTag
+          .fold(tagSrv.startTraversal(graph).autoComplete(tagHint.namespace, tagHint.predicate, tagHint.value)(authContext).visible(authContext))(
+            tagSrv.startTraversal(graph).autoComplete(organisationSrv, _)(authContext).sort(_.by("predicate", Order.asc))
+          )
+          .merge(tagHint.limit)(_.limit(_))
+          .displayName
+    ),
     Query[Traversal.V[Tag], Traversal[String, Vertex, Converter[String, Vertex]]]("text", (tagSteps, _) => tagSteps.displayName),
     Query.output[String, Traversal[String, Vertex, Converter[String, Vertex]]]
   )
@@ -135,19 +78,11 @@ class PublicTag @Inject() (tagSrv: TagSrv) extends PublicData {
     .property("description", UMapping.string.optional)(_.field.readonly)
     .property("text", UMapping.string)(
       _.select(_.displayName)
-        .filter((_, tags) =>
-          tags
-            .graphMap[String, String, Converter.Identity[String]](
-              { v =>
-                val namespace = UMapping.string.getProperty(v, "namespace")
-                val predicate = UMapping.string.getProperty(v, "predicate")
-                val value     = UMapping.string.optional.getProperty(v, "value")
-                Tag(namespace, predicate, value, None, 0).toString
-              },
-              Converter.identity[String]
-            )
-        )
-        .converter(_ => Converter.identity[String])
+        .filter[String] {
+          case (_, tags, authContext, Right(predicate)) => tags.freetags(organisationSrv)(authContext).has(_.predicate, predicate)
+          case (_, tags, _, Left(true))                 => tags
+          case (_, tags, _, Left(false))                => tags.empty
+        }
         .readonly
     )
     .build
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
index 7cb42df840..c4d11881dd 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/TaskCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers._
 import org.thp.scalligraph.models.{Database, UMapping}
 import org.thp.scalligraph.query._
@@ -12,21 +11,20 @@ import org.thp.thehive.dto.v0.InputTask
 import org.thp.thehive.models._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services._
 import play.api.libs.json.Json
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
+
 @Singleton
 class TaskCtrl @Inject() (
     override val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     taskSrv: TaskSrv,
     caseSrv: CaseSrv,
-    userSrv: UserSrv,
     organisationSrv: OrganisationSrv,
-    shareSrv: ShareSrv,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicTask
 ) extends QueryCtrl {
@@ -37,11 +35,8 @@ class TaskCtrl @Inject() (
       .authTransaction(db) { implicit request => implicit graph =>
         val inputTask: InputTask = request.body("task")
         for {
-          case0        <- caseSrv.get(EntityIdOrName(caseId)).can(Permissions.manageTask).getOrFail("Case")
-          owner        <- inputTask.owner.map(o => userSrv.getOrFail(EntityIdOrName(o))).flip
-          createdTask  <- taskSrv.create(inputTask.toTask, owner)
-          organisation <- organisationSrv.getOrFail(request.organisation)
-          _            <- shareSrv.shareTask(createdTask, case0, organisation)
+          case0       <- caseSrv.get(EntityIdOrName(caseId)).can(Permissions.manageTask).getOrFail("Case")
+          createdTask <- caseSrv.createTask(case0, inputTask.toTask)
         } yield Results.Created(createdTask.toJson)
       }
 
@@ -50,7 +45,7 @@ class TaskCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         taskSrv
           .get(EntityIdOrName(taskId))
-          .visible
+          .visible(organisationSrv)
           .richTask
           .getOrFail("Task")
           .map { task =>
@@ -78,33 +73,39 @@ class TaskCtrl @Inject() (
           }
       }
 
-  def searchInCase(caseId: String): Action[AnyContent] =
+  def searchInCase(caseId: String): Action[AnyContent] = {
+    val query = Query.init[Traversal.V[Task]](
+      "tasksInCase",
+      (graph, authContext) =>
+        caseSrv
+          .get(EntityIdOrName(caseId))(graph)
+          .visible(organisationSrv)(authContext)
+          ._id
+          .headOption
+          .fold[Traversal.V[Task]](graph.empty)(c => taskSrv.startTraversal(graph).relatedTo(c))
+    )
     entrypoint("search task in case")
-      .extract(
-        "query",
-        searchParser(
-          Query.init[Traversal.V[Task]](
-            "tasksInCase",
-            (graph, authContext) => caseSrv.get(EntityIdOrName(caseId))(graph).visible(authContext).tasks(authContext)
-          )
-        )
-      )
+      .extract("query", searchParser(query))
       .auth { implicit request =>
         val query: Query = request.body("query")
         queryExecutor.execute(query, request)
       }
+  }
 }
 
 @Singleton
 class PublicTask @Inject() (taskSrv: TaskSrv, organisationSrv: OrganisationSrv, userSrv: UserSrv) extends PublicData {
   override val entityName: String = "task"
   override val initialQuery: Query =
-    Query.init[Traversal.V[Task]]("listTask", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).shares.tasks)
+    Query.init[Traversal.V[Task]](
+      "listTask",
+      (graph, authContext) => taskSrv.startTraversal(graph).inOrganisation(organisationSrv.currentId(graph, authContext))
+    )
+  //organisationSrv.get(authContext.organisation)(graph).shares.tasks)
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Task], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     {
-      case (OutputParam(from, to, _, 0), taskSteps, authContext) =>
+      case (OutputParam(from, to, _, 0), taskSteps, _) =>
         taskSteps.richPage(from, to, withTotal = true)(_.richTask.domainMap(_ -> (None: Option[RichCase])))
       case (OutputParam(from, to, _, _), taskSteps, authContext) =>
         taskSteps.richPage(from, to, withTotal = true)(
@@ -116,17 +117,30 @@ class PublicTask @Inject() (taskSrv: TaskSrv, organisationSrv: OrganisationSrv,
   )
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Task]](
     "getTask",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => taskSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => taskSrv.get(idOrName)(graph).inOrganisation(organisationSrv.currentId(graph, authContext))
   )
   override val outputQuery: Query =
-    Query.outputWithContext[RichTask, Traversal.V[Task]]((taskSteps, authContext) => taskSteps.richTask)
+    Query.outputWithContext[RichTask, Traversal.V[Task]]((taskSteps, _) => taskSteps.richTask)
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
     Query.output[(RichTask, Option[RichCase])],
     Query[Traversal.V[Task], Traversal.V[User]]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext)),
     Query.init[Traversal.V[Task]](
+      "waitingTasks",
+      (graph, authContext) =>
+        taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).inOrganisation(organisationSrv.currentId(graph, authContext))
+    ),
+    Query.init[Traversal.V[Task]]( // DEPRECATED
       "waitingTask",
-      (graph, authContext) => taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).visible(authContext)
+      (graph, authContext) =>
+        taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).inOrganisation(organisationSrv.currentId(graph, authContext))
+    ),
+    Query.init[Traversal.V[Task]](
+      "myTasks",
+      (graph, authContext) =>
+        taskSrv
+          .startTraversal(graph)
+          .assignTo(authContext.userId)
+          .inOrganisation(organisationSrv.currentId(graph, authContext))
     ),
     Query[Traversal.V[Task], Traversal.V[Log]]("logs", (taskSteps, _) => taskSteps.logs),
     Query[Traversal.V[Task], Traversal.V[Case]]("case", (taskSteps, _) => taskSteps.`case`),
@@ -136,14 +150,10 @@ class PublicTask @Inject() (taskSrv: TaskSrv, organisationSrv: OrganisationSrv,
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[Task]
     .property("title", UMapping.string)(_.field.updatable)
     .property("description", UMapping.string.optional)(_.field.updatable)
-    .property("status", UMapping.enum[TaskStatus.type])(_.field.custom { (_, value, vertex, _, graph, authContext) =>
+    .property("status", UMapping.enum[TaskStatus.type])(_.field.custom { (_, value, vertex, graph, authContext) =>
       for {
         task <- taskSrv.get(vertex)(graph).getOrFail("Task")
-        user <-
-          userSrv
-            .current(graph, authContext)
-            .getOrFail("User")
-        _ <- taskSrv.updateStatus(task, user, value)(graph, authContext)
+        _    <- taskSrv.updateStatus(task, value)(graph, authContext)
       } yield Json.obj("status" -> value)
     })
     .property("flag", UMapping.boolean)(_.field.updatable)
@@ -154,7 +164,7 @@ class PublicTask @Inject() (taskSrv: TaskSrv, organisationSrv: OrganisationSrv,
     .property("group", UMapping.string)(_.field.updatable)
     .property("owner", UMapping.string.optional)(
       _.select(_.assignee.value(_.login))
-        .custom { (_, login: Option[String], vertex, _, graph, authContext) =>
+        .custom { (_, login: Option[String], vertex, graph, authContext) =>
           for {
             task <- taskSrv.get(vertex)(graph).getOrFail("Task")
             user <- login.map(l => userSrv.getOrFail(EntityIdOrName(l))(graph)).flip
diff --git a/thehive/app/org/thp/thehive/controllers/v0/TheHiveQueryExecutor.scala b/thehive/app/org/thp/thehive/controllers/v0/TheHiveQueryExecutor.scala
index efd82dcf72..a4f81dbb79 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/TheHiveQueryExecutor.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/TheHiveQueryExecutor.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Provider, Singleton}
 import org.scalactic.Good
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.{FObject, Field, FieldsParser}
@@ -9,15 +8,16 @@ import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.utils.RichType
-import org.thp.scalligraph.{BadRequestError, EntityIdOrName, GlobalQueryExecutor}
-import org.thp.thehive.models.{Alert, Case, CaseTemplate, Log, Observable, Task}
-import org.thp.thehive.services.CaseOps._
-import org.thp.thehive.services.LogOps._
+import org.thp.scalligraph.{BadRequestError, EntityId, EntityIdOrName, GlobalQueryExecutor}
+import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
+import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
+import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.TaskOps._
 
+import javax.inject.{Inject, Provider, Singleton}
 import scala.reflect.runtime.{universe => ru}
 
 case class OutputParam(from: Long, to: Long, withStats: Boolean, withParents: Int)
@@ -36,7 +36,7 @@ object OutputParam {
 
 @Singleton
 class TheHiveQueryExecutor @Inject() (
-    @Named("with-thehive-schema") override val db: Database,
+    override val db: Database,
     alert: PublicAlert,
     audit: PublicAudit,
     `case`: PublicCase,
@@ -82,7 +82,7 @@ class TheHiveQueryExecutor @Inject() (
     case (tpe, _) if SubType(tpe, ru.typeOf[Traversal.V[Observable]])        => ru.typeOf[Traversal.V[Case]]
     case (tpe, _) if SubType(tpe, ru.typeOf[Traversal.V[Log]])               => ru.typeOf[Traversal.V[Task]]
   }
-  override val customFilterQuery: FilterQuery = FilterQuery(db, publicProperties) { (tpe, globalParser) =>
+  override val customFilterQuery: FilterQuery = FilterQuery(publicProperties) { (tpe, globalParser) =>
     FieldsParser("parentChildFilter") {
       case (_, FObjOne("_parent", ParentIdFilter(parentType, parentId))) if parentTypes.isDefinedAt((tpe, parentType)) =>
         Good(new ParentIdInputFilter(parentType, parentId))
@@ -115,7 +115,6 @@ object ParentIdFilter {
 
 class ParentIdInputFilter(parentType: String, parentId: String) extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -135,16 +134,21 @@ class ParentIdInputFilter(parentType: String, parentId: String) extends InputQue
             .asInstanceOf[Traversal.V[Task]]
             .filter(_.`case`.get(EntityIdOrName(parentId)))
             .asInstanceOf[Traversal.Unk]
-        case t if t <:< ru.typeOf[Observable] && parentType == "alert" =>
-          traversal
-            .asInstanceOf[Traversal.V[Observable]]
-            .filter(_.alert.get(EntityIdOrName(parentId)))
-            .asInstanceOf[Traversal.Unk]
         case t if t <:< ru.typeOf[Observable] =>
           traversal
             .asInstanceOf[Traversal.V[Observable]]
-            .filter(_.`case`.get(EntityIdOrName(parentId)))
+            .has(_.relatedId, EntityId(parentId))
             .asInstanceOf[Traversal.Unk]
+//          && parentType == "alert" =>
+//          traversal
+//            .asInstanceOf[Traversal.V[Observable]]
+//            .filter(_.alert.get(EntityIdOrName(parentId)))
+//            .asInstanceOf[Traversal.Unk]
+//        case t if t <:< ru.typeOf[Observable] =>
+//          traversal
+//            .asInstanceOf[Traversal.V[Observable]]
+//            .filter(_.`case`.get(EntityIdOrName(parentId)))
+//            .asInstanceOf[Traversal.Unk]
         case t if t <:< ru.typeOf[Log] =>
           traversal
             .asInstanceOf[Traversal.V[Log]]
@@ -168,7 +172,6 @@ object ParentQueryFilter {
 class ParentQueryInputFilter(parentType: String, parentFilter: InputQuery[Traversal.Unk, Traversal.Unk])
     extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -177,7 +180,6 @@ class ParentQueryInputFilter(parentType: String, parentFilter: InputQuery[Traver
     def filter[F, T: ru.TypeTag](t: Traversal.V[F] => Traversal.V[T]): Traversal.Unk =
       traversal.filter(parent =>
         parentFilter(
-          db,
           publicProperties,
           ru.typeOf[Traversal.V[T]],
           t(parent.asInstanceOf[Traversal.V[F]]).asInstanceOf[Traversal.Unk],
@@ -212,7 +214,6 @@ object ChildQueryFilter {
 class ChildQueryInputFilter(childType: String, childFilter: InputQuery[Traversal.Unk, Traversal.Unk])
     extends InputQuery[Traversal.Unk, Traversal.Unk] {
   override def apply(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -221,7 +222,6 @@ class ChildQueryInputFilter(childType: String, childFilter: InputQuery[Traversal
     def filter[F, T: ru.TypeTag](t: Traversal.V[F] => Traversal.V[T]): Traversal.Unk =
       traversal.filter(child =>
         childFilter(
-          db,
           publicProperties,
           ru.typeOf[Traversal.V[T]],
           t(child.asInstanceOf[Traversal.V[F]]).asInstanceOf[Traversal.Unk],
diff --git a/thehive/app/org/thp/thehive/controllers/v0/UserCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/UserCtrl.scala
index 2f46fa2bb9..cc35809ad6 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/UserCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/UserCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import javax.inject.{Inject, Named, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.thp.scalligraph.auth.AuthSrv
 import org.thp.scalligraph.controllers.{Entrypoint, FString, FieldsParser}
@@ -18,6 +17,7 @@ import org.thp.thehive.services._
 import play.api.libs.json.Json
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -28,7 +28,7 @@ class UserCtrl @Inject() (
     authSrv: AuthSrv,
     organisationSrv: OrganisationSrv,
     auditSrv: AuditSrv,
-    @Named("with-thehive-schema") implicit override val db: Database,
+    override val db: Database,
     @Named("v0") override val queryExecutor: QueryExecutor,
     override val publicData: PublicUser
 ) extends QueryCtrl {
@@ -46,6 +46,7 @@ class UserCtrl @Inject() (
               .getOrFail("User")
           )
           .map(user => Results.Ok(user.toJson).withHeaders("X-Organisation" -> request.organisation.toString))
+          .recover { case _ => Results.Unauthorized.withHeaders("X-Logout" -> "1") }
       }
 
   def create: Action[AnyContent] =
@@ -226,18 +227,16 @@ class UserCtrl @Inject() (
 }
 
 @Singleton
-class PublicUser @Inject() (userSrv: UserSrv, organisationSrv: OrganisationSrv, @Named("with-thehive-schema") db: Database) extends PublicData {
+class PublicUser @Inject() (userSrv: UserSrv, organisationSrv: OrganisationSrv) extends PublicData {
   override val entityName: String = "user"
   override val initialQuery: Query =
     Query.init[Traversal.V[User]]("listUser", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).users)
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[User]](
     "getUser",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => userSrv.get(idOrName)(graph).visible(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[User], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, userSteps, authContext) => userSteps.richUser(authContext).page(range.from, range.to, withTotal = true)
   )
   override val outputQuery: Query =
@@ -245,14 +244,14 @@ class PublicUser @Inject() (userSrv: UserSrv, organisationSrv: OrganisationSrv,
   override val extraQueries: Seq[ParamQuery[_]] = Seq()
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[User]
     .property("login", UMapping.string)(_.field.readonly)
-    .property("name", UMapping.string)(_.field.custom { (_, value, vertex, db, graph, authContext) =>
+    .property("name", UMapping.string)(_.field.custom { (_, value, vertex, graph, authContext) =>
       def isCurrentUser: Try[Unit] =
         userSrv.get(vertex)(graph).current(authContext).existsOrFail
 
       def isUserAdmin: Try[Unit] =
         userSrv
           .current(graph, authContext)
-          .organisations(Permissions.manageUser)(db)
+          .organisations(Permissions.manageUser)
           .users
           .getElement(vertex)
           .existsOrFail
@@ -266,10 +265,10 @@ class PublicUser @Inject() (userSrv: UserSrv, organisationSrv: OrganisationSrv,
     })
     .property("status", UMapping.string)(
       _.select(_.choose(predicate = _.value(_.locked).is(P.eq(true)), onTrue = "Locked", onFalse = "Ok"))
-        .custom { (_, value, vertex, _, graph, authContext) =>
+        .custom { (_, value, vertex, graph, authContext) =>
           userSrv
             .current(graph, authContext)
-            .organisations(Permissions.manageUser)(db)
+            .organisations(Permissions.manageUser)
             .users
             .getElement(vertex)
             .orFail(AuthorizationError("Operation not permitted"))
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AdminCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AdminCtrl.scala
new file mode 100644
index 0000000000..9d2fe6e0f2
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/AdminCtrl.scala
@@ -0,0 +1,92 @@
+package org.thp.thehive.controllers.v1
+
+import akka.actor.ActorRef
+import akka.pattern.ask
+import akka.util.Timeout
+import org.thp.scalligraph.controllers.Entrypoint
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.services.GenIntegrityCheckOps
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.thehive.models.Permissions
+import org.thp.thehive.services.{CheckState, CheckStats, GetCheckStats, GlobalCheckRequest}
+import play.api.Logger
+import play.api.libs.json.{JsObject, Json, OWrites}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.{Inject, Named, Singleton}
+import scala.collection.immutable
+import scala.concurrent.duration.DurationInt
+import scala.concurrent.{ExecutionContext, Future}
+import scala.util.Success
+
+@Singleton
+class AdminCtrl @Inject() (
+    entrypoint: Entrypoint,
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef,
+    integrityCheckOps: immutable.Set[GenIntegrityCheckOps],
+    db: Database,
+    implicit val ec: ExecutionContext
+) {
+
+  implicit val timeout: Timeout                      = Timeout(5.seconds)
+  implicit val checkStatsWrites: OWrites[CheckStats] = Json.writes[CheckStats]
+  implicit val checkStateWrites: OWrites[CheckState] = OWrites[CheckState] { state =>
+    Json.obj(
+      "needCheck"              -> state.needCheck,
+      "duplicateTimer"         -> state.duplicateTimer.isDefined,
+      "duplicateStats"         -> state.duplicateStats,
+      "globalStats"            -> state.globalStats,
+      "globalCheckRequestTime" -> state.globalCheckRequestTime
+    )
+  }
+  lazy val logger: Logger = Logger(getClass)
+
+  def triggerCheck(name: String): Action[AnyContent] =
+    entrypoint("Trigger check")
+      .authPermitted(Permissions.managePlatform) { _ =>
+        integrityCheckActor ! GlobalCheckRequest(name)
+        Success(Results.NoContent)
+      }
+
+  def checkStats: Action[AnyContent] =
+    entrypoint("Get check stats")
+      .asyncAuthPermitted(Permissions.managePlatform) { _ =>
+        Future
+          .traverse(integrityCheckOps.toSeq) { c =>
+            (integrityCheckActor ? GetCheckStats(c.name))
+              .mapTo[CheckState]
+              .recover {
+                case error =>
+                  logger.error(s"Fail to get check stats of ${c.name}", error)
+                  CheckState.empty
+              }
+              .map(c.name -> _)
+          }
+          .map { results =>
+            Results.Ok(JsObject(results.map(r => r._1 -> Json.toJson(r._2))))
+          }
+      }
+
+  private val indexedModels = Seq("Alert", "Attachment", "Audit", "Case", "Log", "Observable", "Tag", "Task")
+  def indexStatus: Action[AnyContent] =
+    entrypoint("Get index status")
+      .authPermittedRoTransaction(db, Permissions.managePlatform) { _ => graph =>
+        val status = indexedModels.map { label =>
+          val mixedCount     = graph.V(label).getCount
+          val compositeCount = graph.underlying.traversal().V().has("_label", label).count().next().toLong
+          label -> Json.obj(
+            "mixedCount"     -> mixedCount,
+            "compositeCount" -> compositeCount,
+            "status"         -> (if (mixedCount == compositeCount) "OK" else "Error")
+          )
+        }
+        Success(Results.Ok(JsObject(status)))
+      }
+
+  def reindex(label: String): Action[AnyContent] =
+    entrypoint("Reindex data")
+      .authPermitted(Permissions.managePlatform) { _ =>
+        Future(db.reindexData(label))
+        Success(Results.NoContent)
+      }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
index 0a5477c2e3..53ff93d07d 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/AlertCtrl.scala
@@ -1,26 +1,25 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.{Map => JMap}
-
-import javax.inject.{Inject, Named, Singleton}
-import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query._
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
+import org.thp.scalligraph.{EntityIdOrName, RichOptionTry}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.{InputAlert, InputCustomFieldValue}
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseTemplateOps._
-import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.libs.json.{JsValue, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Singleton}
 import scala.reflect.runtime.{universe => ru}
+import scala.util.Success
 
 case class SimilarCaseFilter()
 @Singleton
@@ -31,32 +30,31 @@ class AlertCtrl @Inject() (
     caseTemplateSrv: CaseTemplateSrv,
     userSrv: UserSrv,
     organisationSrv: OrganisationSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryableCtrl
     with AlertRenderer {
 
   override val entityName: String                 = "alert"
   override val publicProperties: PublicProperties = properties.alert
   override val initialQuery: Query =
-    Query.init[Traversal.V[Alert]]("listAlert", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).alerts)
+    Query.init[Traversal.V[Alert]]("listAlert", (graph, authContext) => alertSrv.startTraversal(graph).visible(organisationSrv)(authContext))
+
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Alert]](
     "getAlert",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => alertSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => alertSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Alert], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, alertSteps, authContext) =>
       alertSteps
         .richPage(range.from, range.to, range.extraData.contains("total"))(
-          _.richAlertWithCustomRenderer(alertStatsRenderer(range.extraData)(authContext))
+          _.richAlertWithCustomRenderer(alertStatsRenderer(organisationSrv, range.extraData)(authContext))
         )
   )
   override val outputQuery: Query      = Query.output[RichAlert, Traversal.V[Alert]](_.richAlert)
   val caseProperties: PublicProperties = properties.`case` ++ properties.metaProperties
-  val caseFilterParser: FieldsParser[Option[InputQuery[Traversal.Unk, Traversal.Unk]]] =
-    FilterQuery.default(db, caseProperties).paramParser(ru.typeOf[Traversal.V[Case]]).optional.on("caseFilter")
+  implicit val caseFilterParser: FieldsParser[Option[InputQuery[Traversal.Unk, Traversal.Unk]]] =
+    FilterQuery.default(caseProperties).paramParser(ru.typeOf[Traversal.V[Case]]).optional.on("caseFilter")
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
     Query[Traversal.V[Alert], Traversal.V[Observable]]("observables", (alertSteps, _) => alertSteps.observables),
     Query[Traversal.V[Alert], Traversal.V[Case]]("case", (alertSteps, _) => alertSteps.`case`),
@@ -66,11 +64,10 @@ class AlertCtrl @Inject() (
       Converter[JsValue, JMap[String, Any]]
     ]](
       "similarCases",
-      caseFilterParser,
       { (maybeCaseFilterQuery, alertSteps, authContext) =>
-        val maybeCaseFilter: Option[Traversal.V[Case] => Traversal.V[Case]] =
-          maybeCaseFilterQuery.map(f => cases => f(db, caseProperties, ru.typeOf[Traversal.V[Case]], cases.cast, authContext).cast)
-        alertSteps.similarCases(maybeCaseFilter)(authContext).domainMap(Json.toJson(_))
+        val caseFilter: Option[Traversal.V[Case] => Traversal.V[Case]] =
+          maybeCaseFilterQuery.map(f => cases => f(caseProperties, ru.typeOf[Traversal.V[Case]], cases.cast, authContext).cast)
+        alertSteps.similarCases(organisationSrv, caseFilter)(authContext).domainMap(Json.toJson(_))
       }
     )
   )
@@ -95,7 +92,7 @@ class AlertCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         alertSrv
           .get(EntityIdOrName(alertIdOrName))
-          .visible
+          .visible(organisationSrv)
           .richAlert
           .getOrFail("Alert")
           .map(alert => Results.Ok(alert.toJson))
@@ -104,12 +101,12 @@ class AlertCtrl @Inject() (
   def update(alertIdOrName: String): Action[AnyContent] =
     entrypoint("update alert")
       .extract("alert", FieldsParser.update("alertUpdate", publicProperties))
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("alert")
         alertSrv
           .update(
             _.get(EntityIdOrName(alertIdOrName))
-              .can(Permissions.manageAlert),
+              .visible(organisationSrv),
             propertyUpdaters
           )
           .map(_ => Results.NoContent)
@@ -119,10 +116,10 @@ class AlertCtrl @Inject() (
 
   def markAsRead(alertIdOrName: String): Action[AnyContent] =
     entrypoint("mark alert as read")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         alertSrv
           .get(EntityIdOrName(alertIdOrName))
-          .can(Permissions.manageAlert)
+          .visible(organisationSrv)
           .getOrFail("Alert")
           .map { alert =>
             alertSrv.markAsRead(alert._id)
@@ -132,10 +129,10 @@ class AlertCtrl @Inject() (
 
   def markAsUnread(alertIdOrName: String): Action[AnyContent] =
     entrypoint("mark alert as unread")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         alertSrv
           .get(EntityIdOrName(alertIdOrName))
-          .can(Permissions.manageAlert)
+          .visible(organisationSrv)
           .getOrFail("Alert")
           .map { alert =>
             alertSrv.markAsUnread(alert._id)
@@ -145,19 +142,30 @@ class AlertCtrl @Inject() (
 
   def createCase(alertIdOrName: String): Action[AnyContent] =
     entrypoint("create case from alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .extract("caseTemplate", FieldsParser.string.optional.on("caseTemplate"))
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
+        val caseTemplate: Option[String] = request.body("caseTemplate")
         for {
-          (alert, organisation) <- alertSrv.get(EntityIdOrName(alertIdOrName)).alertUserOrganisation(Permissions.manageCase).getOrFail("Alert")
-          richCase              <- alertSrv.createCase(alert, None, organisation)
+          organisation <- organisationSrv.current.getOrFail("Organisation")
+          alert <-
+            alertSrv
+              .get(EntityIdOrName(alertIdOrName))
+              .visible(organisationSrv)
+              .richAlert
+              .getOrFail("Alert")
+          _ <- caseTemplate.map(ct => caseTemplateSrv.get(EntityIdOrName(ct)).visible.existsOrFail).flip
+          alertWithCaseTemplate = caseTemplate.fold(alert)(ct => alert.copy(caseTemplate = Some(ct)))
+          assignee <- if (request.isPermitted(Permissions.manageCase)) userSrv.current.getOrFail("User").map(Some(_)) else Success(None)
+          richCase <- alertSrv.createCase(alertWithCaseTemplate, assignee, organisation)
         } yield Results.Created(richCase.toJson)
       }
 
   def followAlert(alertIdOrName: String): Action[AnyContent] =
     entrypoint("follow alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         alertSrv
           .get(EntityIdOrName(alertIdOrName))
-          .can(Permissions.manageAlert)
+          .visible(organisationSrv)
           .getOrFail("Alert")
           .map { alert =>
             alertSrv.followAlert(alert._id)
@@ -167,10 +175,10 @@ class AlertCtrl @Inject() (
 
   def unfollowAlert(alertIdOrName: String): Action[AnyContent] =
     entrypoint("unfollow alert")
-      .authTransaction(db) { implicit request => implicit graph =>
+      .authPermittedTransaction(db, Permissions.manageAlert) { implicit request => implicit graph =>
         alertSrv
           .get(EntityIdOrName(alertIdOrName))
-          .can(Permissions.manageAlert)
+          .visible(organisationSrv)
           .getOrFail("Alert")
           .map { alert =>
             alertSrv.unfollowAlert(alert._id)
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AlertRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/AlertRenderer.scala
index 935796ad4e..6c50e51912 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/AlertRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/AlertRenderer.scala
@@ -1,14 +1,16 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.{Date, List => JList, Map => JMap}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{Converter, Traversal}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models.{Alert, RichCase, SimilarStats}
 import org.thp.thehive.services.AlertOps._
+import org.thp.thehive.services.OrganisationSrv
 import play.api.libs.json._
 
+import java.util.{Date, List => JList, Map => JMap}
+
 trait AlertRenderer extends BaseRenderer[Alert] {
   implicit val similarCaseWrites: Writes[(RichCase, SimilarStats)] = Writes[(RichCase, SimilarStats)] {
     case (richCase, similarStats) =>
@@ -21,7 +23,7 @@ trait AlertRenderer extends BaseRenderer[Alert] {
         "observableTypes"        -> similarStats.types
       )
   }
-  def similarCasesStats(implicit
+  def similarCasesStats(organisationSrv: OrganisationSrv)(implicit
       authContext: AuthContext
   ): Traversal.V[Alert] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] = {
     implicit val similarCaseOrdering: Ordering[(RichCase, SimilarStats)] = (x: (RichCase, SimilarStats), y: (RichCase, SimilarStats)) =>
@@ -35,20 +37,20 @@ trait AlertRenderer extends BaseRenderer[Alert] {
       else if (x._2.ioc._2 > y._2.ioc._2) -1
       else if (x._2.ioc._2 < y._2.ioc._2) 1
       else 0
-    _.similarCases(None).fold.domainMap(sc => JsArray(sc.sorted.map(Json.toJson(_))))
+    _.similarCases(organisationSrv, caseFilter = None).fold.domainMap(sc => JsArray(sc.sorted.map(Json.toJson(_))))
   }
 
   def importDate: Traversal.V[Alert] => Traversal[JsValue, JList[Date], Converter[JsValue, JList[Date]]] =
     _.importDate.fold.domainMap(_.headOption.fold[JsValue](JsNull)(d => JsNumber(d.getTime)))
 
-  def alertStatsRenderer(extraData: Set[String])(implicit
+  def alertStatsRenderer(organisationSrv: OrganisationSrv, extraData: Set[String])(implicit
       authContext: AuthContext
   ): Traversal.V[Alert] => JsTraversal = { implicit traversal =>
     baseRenderer(
       extraData,
       traversal,
       {
-        case (f, "similarCases") => addData("similarCases", f)(similarCasesStats)
+        case (f, "similarCases") => addData("similarCases", f)(similarCasesStats(organisationSrv))
         case (f, "importDate")   => addData("importDate", f)(importDate)
         case (f, _)              => f
       }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala
index e3c315eb91..9d389a7720 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/AuditCtrl.scala
@@ -1,8 +1,7 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
-import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.{Database, Schema}
 import org.thp.scalligraph.query.{ParamQuery, PublicProperties, Query}
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -10,35 +9,35 @@ import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models.{Audit, RichAudit}
 import org.thp.thehive.services.AuditOps._
-import org.thp.thehive.services.AuditSrv
+import org.thp.thehive.services.{AuditSrv, OrganisationSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Success
 
 @Singleton
 class AuditCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     properties: Properties,
     auditSrv: AuditSrv,
+    organisationSrv: OrganisationSrv,
     implicit val schema: Schema
 ) extends QueryableCtrl {
 
   val entityName: String = "audit"
 
   val initialQuery: Query =
-    Query.init[Traversal.V[Audit]]("listAudit", (graph, authContext) => auditSrv.startTraversal(graph).visible(authContext))
+    Query.init[Traversal.V[Audit]]("listAudit", (graph, authContext) => auditSrv.startTraversal(graph).visible(organisationSrv)(authContext))
   val publicProperties: PublicProperties = properties.audit
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Audit]](
     "getAudit",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => auditSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => auditSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
 
   val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[Audit], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, auditSteps, _) => auditSteps.richPage(range.from, range.to, range.extraData.contains("total"))(_.richAudit)
     )
   override val outputQuery: Query = Query.output[RichAudit, Traversal.V[Audit]](_.richAudit)
@@ -48,7 +47,7 @@ class AuditCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         val audits = auditSrv
           .startTraversal
-          .visible
+          .visible(organisationSrv)
           .range(0, 10)
           .richAudit
           .toSeq
diff --git a/thehive/app/org/thp/thehive/controllers/v1/AuthenticationCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/AuthenticationCtrl.scala
index 8b114353f3..a8263c963d 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/AuthenticationCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/AuthenticationCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.auth.{AuthSrv, RequestOrganisation}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -14,6 +13,7 @@ import org.thp.thehive.services.{TOTPAuthSrv, UserSrv}
 import play.api.libs.json.Json
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -22,7 +22,7 @@ class AuthenticationCtrl @Inject() (
     authSrv: AuthSrv,
     requestOrganisation: RequestOrganisation,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) {
 
   def login: Action[AnyContent] =
diff --git a/thehive/app/org/thp/thehive/controllers/v1/BaseRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/BaseRenderer.scala
index f671190351..6cf3747bc1 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/BaseRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/BaseRenderer.scala
@@ -1,32 +1,31 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.{Map => JMap}
-
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{Converter, Traversal}
 import play.api.libs.json.{JsObject, JsValue}
 
+import java.util.{Map => JMap}
+
 trait BaseRenderer[A] {
 
   type JsConverter = Converter[JsObject, JMap[String, Any]]
   type JsTraversal = Traversal[JsObject, JMap[String, Any], JsConverter]
   def baseRenderer(
-    extraData: Set[String],
-    traversal: Traversal.V[A],
-    mapping: (JsTraversal, String) => JsTraversal
-  ): JsTraversal = {
+      extraData: Set[String],
+      traversal: Traversal.V[A],
+      mapping: (JsTraversal, String) => JsTraversal
+  ): JsTraversal =
     if (extraData.isEmpty) traversal.constant2[JsObject, JMap[String, Any]](JsObject.empty)
     else {
       val dataName = extraData.toSeq
       dataName.foldLeft[JsTraversal](
-        traversal.onRawMap[JsObject, JMap[String, Any], JsConverter](_.project(dataName.head, dataName.tail: _*))(_ =>
-          JsObject.empty
-        )
+        traversal.onRawMap[JsObject, JMap[String, Any], JsConverter](_.project(dataName.head, dataName.tail: _*))(_ => JsObject.empty)
       )(mapping)
     }
-  }
 
-  def addData[G](name: String, jsTraversal: JsTraversal)(f: Traversal.V[A] => Traversal[JsValue, G, Converter[JsValue, G]])(implicit traversal: Traversal.V[A]): JsTraversal = {
+  def addData[G](name: String, jsTraversal: JsTraversal)(
+      f: Traversal.V[A] => Traversal[JsValue, G, Converter[JsValue, G]]
+  )(implicit traversal: Traversal.V[A]): JsTraversal = {
     val dataTraversal = f(traversal.start)
     jsTraversal.onRawMap[JsObject, JMap[String, Any], JsConverter](_.by(dataTraversal.raw)) { jmap =>
       jsTraversal.converter(jmap) + (name -> dataTraversal.converter(jmap.get(name).asInstanceOf[G]))
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
index 0440346733..c7af97fed4 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseCtrl.scala
@@ -1,8 +1,8 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
+import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query.{ParamQuery, PropertyUpdater, PublicProperties, Query}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
@@ -13,12 +13,15 @@ import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
+import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.ShareOps._
+import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.mvc.{Action, AnyContent, Results}
 
-import scala.util.{Success, Try}
+import javax.inject.{Inject, Singleton}
 
 @Singleton
 class CaseCtrl @Inject() (
@@ -26,25 +29,24 @@ class CaseCtrl @Inject() (
     properties: Properties,
     caseSrv: CaseSrv,
     caseTemplateSrv: CaseTemplateSrv,
+    observableSrv: ObservableSrv,
     userSrv: UserSrv,
-    tagSrv: TagSrv,
+    taskSrv: TaskSrv,
     organisationSrv: OrganisationSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    db: Database
 ) extends QueryableCtrl
     with CaseRenderer {
 
   override val entityName: String                 = "case"
   override val publicProperties: PublicProperties = properties.`case`
   override val initialQuery: Query =
-    Query.init[Traversal.V[Case]]("listCase", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).cases)
+    Query.init[Traversal.V[Case]]("listCase", (graph, authContext) => caseSrv.startTraversal(graph).visible(organisationSrv)(authContext))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Case]](
     "getCase",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => caseSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => caseSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Case], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     {
       case (OutputParam(from, to, extraData), caseSteps, authContext) =>
         caseSteps.richPage(from, to, extraData.contains("total")) {
@@ -54,11 +56,23 @@ class CaseCtrl @Inject() (
   )
   override val outputQuery: Query = Query.outputWithContext[RichCase, Traversal.V[Case]]((caseSteps, authContext) => caseSteps.richCase(authContext))
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
-    Query[Traversal.V[Case], Traversal.V[Task]]("tasks", (caseSteps, authContext) => caseSteps.tasks(authContext)),
-    Query[Traversal.V[Case], Traversal.V[Observable]]("observables", (caseSteps, authContext) => caseSteps.observables(authContext)),
+    Query[Traversal.V[Case], Traversal.V[Observable]](
+      "observables",
+      (caseSteps, authContext) =>
+        // caseSteps.observables(authContext)
+        observableSrv.startTraversal(caseSteps.graph).has(_.relatedId, P.within(caseSteps._id.toSeq: _*)).visible(organisationSrv)(authContext)
+    ),
+    Query[Traversal.V[Case], Traversal.V[Task]](
+      "tasks",
+      (caseSteps, authContext) =>
+        // caseSteps.tasks(authContext)
+        taskSrv.startTraversal(caseSteps.graph).has(_.relatedId, P.within(caseSteps._id.toSeq: _*)).visible(organisationSrv)(authContext)
+    ),
     Query[Traversal.V[Case], Traversal.V[User]]("assignableUsers", (caseSteps, authContext) => caseSteps.assignableUsers(authContext)),
     Query[Traversal.V[Case], Traversal.V[Organisation]]("organisations", (caseSteps, authContext) => caseSteps.organisations.visible(authContext)),
-    Query[Traversal.V[Case], Traversal.V[Alert]]("alerts", (caseSteps, authContext) => caseSteps.alert.visible(authContext))
+    Query[Traversal.V[Case], Traversal.V[Alert]]("alerts", (caseSteps, authContext) => caseSteps.alert.visible(organisationSrv)(authContext)),
+    Query[Traversal.V[Case], Traversal.V[Share]]("shares", (caseSteps, authContext) => caseSteps.shares.visible(authContext)),
+    Query[Traversal.V[Case], Traversal.V[Procedure]]("procedures", (caseSteps, _) => caseSteps.procedure)
   )
 
   def create: Action[AnyContent] =
@@ -73,16 +87,14 @@ class CaseCtrl @Inject() (
         for {
           caseTemplate <- caseTemplateName.map(ct => caseTemplateSrv.get(EntityIdOrName(ct)).visible.richCaseTemplate.getOrFail("CaseTemplate")).flip
           organisation <- userSrv.current.organisations(Permissions.manageCase).get(request.organisation).getOrFail("Organisation")
-          user         <- inputCase.user.fold[Try[Option[User with Entity]]](Success(None))(u => userSrv.getOrFail(EntityIdOrName(u)).map(Some.apply))
-          tags         <- inputCase.tags.toTry(tagSrv.getOrCreate)
+          user         <- inputCase.user.fold(userSrv.current.getOrFail("User"))(userSrv.getByName(_).getOrFail("User"))
           richCase <- caseSrv.create(
             caseTemplate.fold(inputCase)(inputCase.withCaseTemplate).toCase,
-            user,
+            Some(user),
             organisation,
-            tags.toSet,
             inputCase.customFieldValues,
             caseTemplate,
-            inputTasks.map(t => t.toTask -> t.assignee.flatMap(u => userSrv.get(EntityIdOrName(u)).headOption))
+            inputTasks.map(_.toTask)
           )
         } yield Results.Created(richCase.toJson)
       }
@@ -92,7 +104,7 @@ class CaseCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         caseSrv
           .get(EntityIdOrName(caseIdOrNumber))
-          .visible
+          .visible(organisationSrv)
           .richCase
           .getOrFail("Case")
           .map(richCase => Results.Ok(richCase.toJson))
@@ -117,25 +129,39 @@ class CaseCtrl @Inject() (
               .get(EntityIdOrName(caseIdOrNumber))
               .can(Permissions.manageCase)
               .getOrFail("Case")
-          _ <- caseSrv.remove(c)
+          _ <- caseSrv.delete(c)
+        } yield Results.NoContent
+      }
+
+  def deleteCustomField(cfId: String): Action[AnyContent] =
+    entrypoint("delete a custom field")
+      .authPermittedTransaction(db, Permissions.manageCase) { implicit request => implicit graph =>
+        for {
+          _ <-
+            caseSrv
+              .caseCustomFieldSrv
+              .get(EntityIdOrName(cfId))
+              .filter(_.outV.v[Case].can(Permissions.manageCase))
+              .existsOrFail
+          _ <- caseSrv.deleteCustomField(EntityIdOrName(cfId))
         } yield Results.NoContent
       }
 
   def merge(caseIdsOrNumbers: String): Action[AnyContent] =
     entrypoint("merge cases")
       .authTransaction(db) { implicit request => implicit graph =>
-        caseIdsOrNumbers
-          .split(',')
-          .toSeq
-          .toTry(c =>
-            caseSrv
-              .get(EntityIdOrName(c))
-              .visible
-              .getOrFail("Case")
-          )
-          .map { cases =>
-            val mergedCase = caseSrv.merge(cases)
-            Results.Ok(mergedCase.toJson)
-          }
+        for {
+          cases <-
+            caseIdsOrNumbers
+              .split(',')
+              .toSeq
+              .toTry(c =>
+                caseSrv
+                  .get(EntityIdOrName(c))
+                  .visible(organisationSrv)
+                  .getOrFail("Case")
+              )
+          mergedCase <- caseSrv.merge(cases)
+        } yield Results.Created(mergedCase.toJson)
       }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
index fbfeacdb1a..60bea093d5 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
@@ -53,24 +53,32 @@ trait CaseRenderer extends BaseRenderer[Case] {
   def shareCountStats: Traversal.V[Case] => Traversal[JsValue, JLong, Converter[JsValue, JLong]] =
     _.organisations.count.domainMap(c => JsNumber(c - 1))
 
-  def permissions(implicit authContext: AuthContext): Traversal.V[Case] => Traversal[JsValue, Vertex, Converter[JsValue, Vertex]] =
+  def permissions(implicit authContext: AuthContext): Traversal.V[Case] => Traversal[JsValue, JList[String], Converter[JsValue, JList[String]]] =
     _.userPermissions.domainMap(permissions => Json.toJson(permissions))
 
   def actionRequired(implicit authContext: AuthContext): Traversal.V[Case] => Traversal[JsValue, Boolean, Converter[JsValue, Boolean]] =
     _.isActionRequired.domainMap(JsBoolean(_))
 
-  def caseStatsRenderer(extraData: Set[String])(
-    implicit authContext: AuthContext
+  def procedureCount: Traversal.V[Case] => Traversal[JsNumber, JLong, Converter[JsNumber, JLong]] =
+    _.procedure.count.domainMap(JsNumber(_))
+
+  def caseStatsRenderer(extraData: Set[String])(implicit
+      authContext: AuthContext
   ): Traversal.V[Case] => JsTraversal = { implicit traversal =>
-    baseRenderer(extraData, traversal, {
-      case (f, "observableStats") => addData("observableStats", f)(observableStats)
-      case (f, "taskStats")       => addData("taskStats", f)(taskStats)
-      case (f, "alerts")          => addData("alerts", f)(alertStats)
-      case (f, "isOwner")         => addData("isOwner", f)(isOwnerStats)
-      case (f, "shareCount")      => addData("shareCount", f)(shareCountStats)
-      case (f, "permissions")     => addData("permissions", f)(permissions)
-      case (f, "actionRequired")  => addData("actionRequired", f)(actionRequired)
-      case (f, _)                 => f
-    })
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "observableStats") => addData("observableStats", f)(observableStats)
+        case (f, "taskStats")       => addData("taskStats", f)(taskStats)
+        case (f, "alerts")          => addData("alerts", f)(alertStats)
+        case (f, "isOwner")         => addData("isOwner", f)(isOwnerStats)
+        case (f, "shareCount")      => addData("shareCount", f)(shareCountStats)
+        case (f, "permissions")     => addData("permissions", f)(permissions)
+        case (f, "actionRequired")  => addData("actionRequired", f)(actionRequired)
+        case (f, "procedureCount")  => addData("procedureCount", f)(procedureCount)
+        case (f, _)                 => f
+      }
+    )
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseTemplateCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseTemplateCtrl.scala
index ac31a52866..3e78ea966f 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseTemplateCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseTemplateCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -15,6 +14,7 @@ import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.{CaseTemplateSrv, OrganisationSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Success
 
 @Singleton
@@ -23,7 +23,7 @@ class CaseTemplateCtrl @Inject() (
     properties: Properties,
     caseTemplateSrv: CaseTemplateSrv,
     organisationSrv: OrganisationSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryableCtrl {
 
   override val entityName: String                 = "caseTemplate"
@@ -33,12 +33,10 @@ class CaseTemplateCtrl @Inject() (
       .init[Traversal.V[CaseTemplate]]("listCaseTemplate", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).caseTemplates)
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[CaseTemplate]](
     "getCaseTemplate",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => caseTemplateSrv.get(idOrName)(graph).visible(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[CaseTemplate], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, caseTemplateSteps, _) => caseTemplateSteps.richPage(range.from, range.to, range.extraData.contains("total"))(_.richCaseTemplate)
   )
   override val outputQuery: Query = Query.output[RichCaseTemplate, Traversal.V[CaseTemplate]](_.richCaseTemplate)
@@ -51,11 +49,12 @@ class CaseTemplateCtrl @Inject() (
       .extract("caseTemplate", FieldsParser[InputCaseTemplate])
       .authTransaction(db) { implicit request => implicit graph =>
         val inputCaseTemplate: InputCaseTemplate = request.body("caseTemplate")
+        val tasks                                = inputCaseTemplate.tasks.map(_.toTask)
+        val customFields                         = inputCaseTemplate.customFieldValue.map(cf => cf.name -> cf.value)
+
         for {
-          organisation <- organisationSrv.current.getOrFail("Organisation")
-          tasks        = inputCaseTemplate.tasks.map(_.toTask -> None)
-          customFields = inputCaseTemplate.customFieldValue.map(cf => cf.name -> cf.value)
-          richCaseTemplate <- caseTemplateSrv.create(inputCaseTemplate.toCaseTemplate, organisation, inputCaseTemplate.tags, tasks, customFields)
+          organisation     <- organisationSrv.current.getOrFail("Organisation")
+          richCaseTemplate <- caseTemplateSrv.create(inputCaseTemplate.toCaseTemplate, organisation, tasks, customFields)
         } yield Results.Created(richCaseTemplate.toJson)
       }
 
diff --git a/thehive/app/org/thp/thehive/controllers/v1/Conversion.scala b/thehive/app/org/thp/thehive/controllers/v1/Conversion.scala
index ac556fca70..975e7c1520 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/Conversion.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/Conversion.scala
@@ -1,14 +1,15 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.Date
-
 import io.scalaland.chimney.dsl._
+import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.Renderer
 import org.thp.scalligraph.models.Entity
-import org.thp.thehive.dto.v1._
+import org.thp.thehive.dto.v1.{InputTaxonomy, OutputTaxonomy, _}
 import org.thp.thehive.models._
 import play.api.libs.json.{JsObject, JsValue, Json}
 
+import java.util.Date
+
 object Conversion {
   implicit class RendererOps[V, O](v: V)(implicit renderer: Renderer.Aux[V, O]) {
     def toJson: JsValue = renderer.toOutput(v).toJson
@@ -21,8 +22,9 @@ object Conversion {
       .withFieldComputed(_._id, _._id.toString)
       .withFieldComputed(_.caseId, _.caseId.map(_.toString))
       .withFieldComputed(_.customFields, _.customFields.map(_.toOutput).sortBy(_.order))
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldConst(_.extraData, JsObject.empty)
+      .enableMethodAccessors
       .transform
   )
 
@@ -35,8 +37,9 @@ object Conversion {
         .withFieldComputed(_._id, _._id.toString)
         .withFieldComputed(_.caseId, _.caseId.map(_.toString))
         .withFieldComputed(_.customFields, _.customFields.map(_.toOutput).sortBy(_.order))
-        .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+        .withFieldComputed(_.tags, _.tags.toSet)
         .withFieldConst(_.extraData, alertWithExtraData._2)
+        .enableMethodAccessors
         .transform
     }
 
@@ -75,6 +78,8 @@ object Conversion {
         .withFieldConst(_.read, false)
         .withFieldConst(_.lastSyncDate, new Date)
         .withFieldConst(_.follow, true)
+        .withFieldConst(_.tags, inputAlert.tags.toSeq)
+        .withFieldConst(_.caseId, None)
         .transform
   }
 
@@ -83,9 +88,11 @@ object Conversion {
       .withFieldConst(_._type, "Case")
       .withFieldComputed(_._id, _._id.toString)
       .withFieldComputed(_.customFields, _.customFields.map(_.toOutput).sortBy(_.order))
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldComputed(_.status, _.status.toString)
       .withFieldConst(_.extraData, JsObject.empty)
+      .withFieldComputed(_.assignee, _.assignee)
+      .enableMethodAccessors
       .transform
   )
 
@@ -97,15 +104,17 @@ object Conversion {
         .withFieldConst(_._type, "Case")
         .withFieldComputed(_._id, _._id.toString)
         .withFieldComputed(_.customFields, _.customFields.map(_.toOutput).sortBy(_.order))
-        .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+        .withFieldComputed(_.tags, _.tags.toSet)
         .withFieldComputed(_.status, _.status.toString)
         .withFieldConst(_.extraData, caseWithExtraData._2)
+        .withFieldComputed(_.assignee, _.assignee)
+        .enableMethodAccessors
         .transform
     }
 
   implicit class InputCaseOps(inputCase: InputCase) {
 
-    def toCase: Case =
+    def toCase(implicit authContext: AuthContext): Case =
       inputCase
         .into[Case]
         .withFieldComputed(_.severity, _.severity.getOrElse(2))
@@ -115,6 +124,10 @@ object Conversion {
         .withFieldComputed(_.pap, _.pap.getOrElse(2))
         .withFieldConst(_.status, CaseStatus.Open)
         .withFieldConst(_.number, 0)
+        .withFieldComputed(_.tags, _.tags.toSeq)
+        .withFieldComputed(_.assignee, c => Some(c.user.getOrElse(authContext.userId)))
+        .withFieldConst(_.impactStatus, None)
+        .withFieldConst(_.resolutionStatus, None)
         .transform
 
     def withCaseTemplate(caseTemplate: RichCaseTemplate): InputCase =
@@ -150,8 +163,9 @@ object Conversion {
       .withFieldConst(_._type, "CaseTemplate")
       .withFieldComputed(_._id, _._id.toString)
       .withFieldComputed(_.customFields, _.customFields.map(_.toOutput).sortBy(_.order))
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldComputed(_.tasks, _.tasks.map(_.toOutput))
+      .enableMethodAccessors
       .transform
   )
 
@@ -162,6 +176,7 @@ object Conversion {
         .withFieldComputed(_.value, _.jsValue)
         .withFieldComputed(_.`type`, _.typeName)
         .withFieldComputed(_.order, _.order.getOrElse(0))
+        .enableMethodAccessors
         .transform
     )
 
@@ -198,10 +213,11 @@ object Conversion {
         .withFieldConst(_.name, organisation.name)
         .withFieldConst(_.description, organisation.description)
         .withFieldComputed(_.links, _.links.map(_.name))
+        .enableMethodAccessors
         .transform
     )
 
-  implicit val organiastionRenderer: Renderer.Aux[Organisation with Entity, OutputOrganisation] =
+  implicit val organisationRenderer: Renderer.Aux[Organisation with Entity, OutputOrganisation] =
     Renderer.toJson[Organisation with Entity, OutputOrganisation](organisation =>
       OutputOrganisation(
         organisation._id.toString,
@@ -233,8 +249,8 @@ object Conversion {
       .withFieldConst(_._type, "Task")
       .withFieldComputed(_._id, _._id.toString)
       .withFieldComputed(_.status, _.status.toString)
-      .withFieldComputed(_.assignee, _.assignee.map(_.login))
       .withFieldConst(_.extraData, JsObject.empty)
+      .enableMethodAccessors
       .transform
   )
 
@@ -246,11 +262,76 @@ object Conversion {
         .withFieldConst(_._type, "Task")
         .withFieldComputed(_._id, _._id.toString)
         .withFieldComputed(_.status, _.status.toString)
-        .withFieldComputed(_.assignee, _.assignee.map(_.login))
         .withFieldConst(_.extraData, taskWithExtraData._2)
+        .enableMethodAccessors
         .transform
     }
 
+  implicit class InputTaxonomyOps(inputTaxonomy: InputTaxonomy) {
+
+    def toTaxonomy: Taxonomy =
+      inputTaxonomy
+        .into[Taxonomy]
+        .transform
+  }
+
+  implicit val taxonomyOutput: Renderer.Aux[RichTaxonomy, OutputTaxonomy] =
+    Renderer.toJson[RichTaxonomy, OutputTaxonomy](
+      _.into[OutputTaxonomy]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldConst(_._type, "Taxonomy")
+        .withFieldComputed(_.tags, _.tags.map(_.toOutput))
+        .withFieldConst(_.extraData, JsObject.empty)
+        .enableMethodAccessors
+        .transform
+    )
+
+  implicit val taxonomyWithStatsOutput: Renderer.Aux[(RichTaxonomy, JsObject), OutputTaxonomy] =
+    Renderer.toJson[(RichTaxonomy, JsObject), OutputTaxonomy] { taxoWithExtraData =>
+      taxoWithExtraData
+        ._1
+        .into[OutputTaxonomy]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldConst(_._type, "Taxonomy")
+        .withFieldComputed(_.tags, _.tags.map(_.toOutput))
+        .withFieldConst(_.extraData, taxoWithExtraData._2)
+        .enableMethodAccessors
+        .transform
+    }
+
+  implicit val tagOutput: Renderer.Aux[Tag with Entity, OutputTag] =
+    Renderer.toJson[Tag with Entity, OutputTag](tag =>
+      tag
+        .asInstanceOf[Tag]
+        .into[OutputTag]
+        .withFieldConst(_._id, tag._id.toString)
+        .withFieldConst(_._updatedAt, tag._updatedAt)
+        .withFieldConst(_._updatedBy, tag._updatedBy)
+        .withFieldConst(_._createdAt, tag._createdAt)
+        .withFieldConst(_._createdBy, tag._createdBy)
+        .withFieldConst(_._type, "Tag")
+        .withFieldComputed(_.namespace, t => if (t.isFreeTag) "_freetags_" else t.namespace)
+        .withFieldConst(_.extraData, JsObject.empty)
+        .transform
+    )
+
+  implicit val tagWithStatsOutput: Renderer.Aux[(Tag with Entity, JsObject), OutputTag] =
+    Renderer.toJson[(Tag with Entity, JsObject), OutputTag] {
+      case (tag, stats) =>
+        tag
+          .asInstanceOf[Tag]
+          .into[OutputTag]
+          .withFieldConst(_._id, tag._id.toString)
+          .withFieldConst(_._updatedAt, tag._updatedAt)
+          .withFieldConst(_._updatedBy, tag._updatedBy)
+          .withFieldConst(_._createdAt, tag._createdAt)
+          .withFieldConst(_._createdBy, tag._createdBy)
+          .withFieldConst(_._type, "Tag")
+          .withFieldComputed(_.namespace, t => if (t.isFreeTag) "_freetags_" else t.namespace)
+          .withFieldConst(_.extraData, stats)
+          .transform
+    }
+
   implicit class InputUserOps(inputUser: InputUser) {
 
     def toUser: User =
@@ -272,22 +353,33 @@ object Conversion {
       .withFieldComputed(_._id, _._id.toString)
       .withFieldConst(_.organisations, Nil)
       .withFieldComputed(_.avatar, user => user.avatar.map(avatar => s"/api/v1/user/${user._id}/avatar/$avatar"))
+      .enableMethodAccessors
       .transform
   )
 
-  implicit val userWithOrganisationOutput: Renderer.Aux[(RichUser, Seq[(String, String)]), OutputUser] =
-    Renderer.toJson[(RichUser, Seq[(String, String)]), OutputUser] { userWithOrganisations =>
+  implicit val userWithOrganisationOutput: Renderer.Aux[(RichUser, Seq[(Organisation with Entity, String)]), OutputUser] =
+    Renderer.toJson[(RichUser, Seq[(Organisation with Entity, String)]), OutputUser] { userWithOrganisations =>
       val (user, organisations) = userWithOrganisations
       user
         .into[OutputUser]
         .withFieldComputed(_._id, _._id.toString)
         .withFieldComputed(_.permissions, _.permissions.asInstanceOf[Set[String]])
         .withFieldComputed(_.hasKey, _.apikey.isDefined)
-        .withFieldConst(_.organisations, organisations.map { case (org, role) => OutputOrganisationProfile(org, role) })
+        .withFieldConst(_.organisations, organisations.map { case (org, role) => OutputOrganisationProfile(org._id.toString, org.name, role) })
         .withFieldComputed(_.avatar, user => user.avatar.map(avatar => s"/api/v1/user/${user._id}/avatar/$avatar"))
+        .enableMethodAccessors
         .transform
     }
 
+  implicit val shareOutput: Renderer.Aux[RichShare, OutputShare] = Renderer.toJson[RichShare, OutputShare](
+    _.into[OutputShare]
+      .withFieldComputed(_._id, _.share._id.toString)
+      .withFieldConst(_._type, "Share")
+      .withFieldComputed(_.caseId, _.caseId.toString)
+      .enableMethodAccessors
+      .transform
+  )
+
   implicit val profileOutput: Renderer.Aux[Profile with Entity, OutputProfile] = Renderer.toJson[Profile with Entity, OutputProfile](profile =>
     profile
       .asInstanceOf[Profile]
@@ -315,6 +407,7 @@ object Conversion {
       .withFieldConst(_._createdAt, dashboard._createdAt)
       .withFieldConst(_._createdBy, dashboard._createdBy)
       .withFieldComputed(_.definition, _.definition.toString)
+      .enableMethodAccessors
       .transform
   )
 
@@ -333,8 +426,11 @@ object Conversion {
         .withFieldComputed(_.ioc, _.ioc.getOrElse(false))
         .withFieldComputed(_.sighted, _.sighted.getOrElse(false))
         .withFieldComputed(_.tlp, _.tlp.getOrElse(2))
+        .withFieldComputed(_.tags, _.tags.toSeq)
+        .withFieldConst(_.data, None)
         .transform
   }
+
   implicit val observableOutput: Renderer.Aux[RichObservable, OutputObservable] = Renderer.toJson[RichObservable, OutputObservable](richObservable =>
     richObservable
       .into[OutputObservable]
@@ -344,10 +440,8 @@ object Conversion {
       .withFieldComputed(_._updatedBy, _.observable._updatedBy)
       .withFieldComputed(_._createdAt, _.observable._createdAt)
       .withFieldComputed(_._createdBy, _.observable._createdBy)
-      .withFieldComputed(_.dataType, _.`type`.name)
       .withFieldComputed(_.startDate, _.observable._createdAt)
-      .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
-      .withFieldComputed(_.data, _.data.map(_.data))
+      .withFieldComputed(_.tags, _.tags.toSet)
       .withFieldComputed(_.attachment, _.attachment.map(_.toOutput))
       .withFieldComputed(
         _.reports,
@@ -361,6 +455,7 @@ object Conversion {
           })
       )
       .withFieldConst(_.extraData, JsObject.empty)
+      .enableMethodAccessors
       .transform
   )
 
@@ -371,10 +466,8 @@ object Conversion {
           .into[OutputObservable]
           .withFieldConst(_._type, "Observable")
           .withFieldComputed(_._id, _._id.toString)
-          .withFieldComputed(_.dataType, _.`type`.name)
           .withFieldComputed(_.startDate, _.observable._createdAt)
-          .withFieldComputed(_.tags, _.tags.map(_.toString).toSet)
-          .withFieldComputed(_.data, _.data.map(_.data))
+          .withFieldComputed(_.tags, _.tags.toSet)
           .withFieldComputed(_.attachment, _.attachment.map(_.toOutput))
           .withFieldComputed(
             _.reports,
@@ -388,6 +481,7 @@ object Conversion {
               })
           )
           .withFieldConst(_.extraData, extraData)
+          .enableMethodAccessors
           .transform
     }
 
@@ -400,6 +494,7 @@ object Conversion {
       .withFieldComputed(_.attachment, _.attachments.headOption.map(_.toOutput))
       .withFieldRenamed(_._createdBy, _.owner)
       .withFieldConst(_.extraData, JsObject.empty)
+      .enableMethodAccessors
       .transform
   )
 
@@ -414,6 +509,7 @@ object Conversion {
         .withFieldComputed(_.attachment, _.attachments.headOption.map(_.toOutput))
         .withFieldRenamed(_._createdBy, _.owner)
         .withFieldConst(_.extraData, logWithExtraData._2)
+        .enableMethodAccessors
         .transform
     }
 
@@ -423,7 +519,6 @@ object Conversion {
       inputLog
         .into[Log]
         .withFieldConst(_.date, new Date)
-        .withFieldConst(_.deleted, false)
         .transform
   }
 
@@ -449,4 +544,74 @@ object Conversion {
         .transform
   }
 
+  implicit class InputPatternOps(inputPattern: InputPattern) {
+    def toPattern: Pattern =
+      inputPattern
+        .into[Pattern]
+        .withFieldRenamed(_.external_id, _.patternId)
+        .withFieldComputed(_.tactics, _.kill_chain_phases.map(_.phase_name).toSet)
+        .withFieldRenamed(_.`type`, _.patternType)
+        .withFieldRenamed(_.capec_id, _.capecId)
+        .withFieldRenamed(_.capec_url, _.capecUrl)
+        .withFieldRenamed(_.x_mitre_data_sources, _.dataSources)
+        .withFieldRenamed(_.x_mitre_defense_bypassed, _.defenseBypassed)
+        .withFieldRenamed(_.x_mitre_detection, _.detection)
+        .withFieldRenamed(_.x_mitre_permissions_required, _.permissionsRequired)
+        .withFieldRenamed(_.x_mitre_platforms, _.platforms)
+        .withFieldRenamed(_.x_mitre_remote_support, _.remoteSupport)
+        .withFieldRenamed(_.x_mitre_system_requirements, _.systemRequirements)
+        .withFieldRenamed(_.x_mitre_version, _.revision)
+        .transform
+  }
+
+  implicit val patternOutput: Renderer.Aux[RichPattern, OutputPattern] =
+    Renderer.toJson[RichPattern, OutputPattern](
+      _.into[OutputPattern]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldConst(_._type, "Pattern")
+        .withFieldConst(_.extraData, JsObject.empty)
+        .enableMethodAccessors
+        .transform
+    )
+
+  implicit val patternWithStatsOutput: Renderer.Aux[(RichPattern, JsObject), OutputPattern] =
+    Renderer.toJson[(RichPattern, JsObject), OutputPattern] { patternWithExtraData =>
+      patternWithExtraData
+        ._1
+        .into[OutputPattern]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldConst(_._type, "Pattern")
+        .withFieldConst(_.extraData, patternWithExtraData._2)
+        .enableMethodAccessors
+        .transform
+    }
+
+  implicit class InputProcedureOps(inputProcedure: InputProcedure) {
+    def toProcedure: Procedure =
+      inputProcedure
+        .into[Procedure]
+        .transform
+  }
+
+  implicit val richProcedureRenderer: Renderer.Aux[RichProcedure, OutputProcedure] =
+    Renderer.toJson[RichProcedure, OutputProcedure](
+      _.into[OutputProcedure]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldComputed(_.patternId, _.pattern.patternId)
+        .withFieldConst(_.extraData, JsObject.empty)
+        .enableMethodAccessors
+        .transform
+    )
+
+  implicit val richProcedureWithStatsRenderer: Renderer.Aux[(RichProcedure, JsObject), OutputProcedure] =
+    Renderer.toJson[(RichProcedure, JsObject), OutputProcedure] { procedureWithExtraData =>
+      procedureWithExtraData
+        ._1
+        .into[OutputProcedure]
+        .withFieldComputed(_._id, _._id.toString)
+        .withFieldComputed(_.patternId, _.pattern.patternId)
+        .withFieldConst(_.extraData, procedureWithExtraData._2)
+        .enableMethodAccessors
+        .transform
+    }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/CustomFieldCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/CustomFieldCtrl.scala
index 1e5c47e94a..344755ea12 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CustomFieldCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CustomFieldCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -12,17 +11,16 @@ import org.thp.thehive.models._
 import org.thp.thehive.services.CustomFieldSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Success
 
 @Singleton
-class CustomFieldCtrl @Inject() (entrypoint: Entrypoint, @Named("with-thehive-schema") db: Database, customFieldSrv: CustomFieldSrv)
-    extends QueryableCtrl {
+class CustomFieldCtrl @Inject() (entrypoint: Entrypoint, db: Database, customFieldSrv: CustomFieldSrv) extends QueryableCtrl {
 
   override val entityName: String  = "CustomField"
   override val initialQuery: Query = Query.init[Traversal.V[CustomField]]("listCustomField", (graph, _) => customFieldSrv.startTraversal(graph))
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[CustomField], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     {
       case (OutputParam(from, to, _), customFieldSteps, _) =>
         customFieldSteps.page(from, to, withTotal = true)
@@ -31,7 +29,6 @@ class CustomFieldCtrl @Inject() (entrypoint: Entrypoint, @Named("with-thehive-sc
   override val outputQuery: Query = Query.output[CustomField with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[CustomField]](
     "getCustomField",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => customFieldSrv.get(idOrName)(graph)
   )
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[CustomField]
diff --git a/thehive/app/org/thp/thehive/controllers/v1/DashboardCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/DashboardCtrl.scala
new file mode 100644
index 0000000000..7b539e105b
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/DashboardCtrl.scala
@@ -0,0 +1,107 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.query._
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
+import org.thp.thehive.controllers.v0.Conversion._
+import org.thp.thehive.dto.v0.InputDashboard
+import org.thp.thehive.models.{Dashboard, RichDashboard}
+import org.thp.thehive.services.DashboardOps._
+import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.UserOps._
+import org.thp.thehive.services.{DashboardSrv, OrganisationSrv, UserSrv}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.{Inject, Singleton}
+import scala.util.Success
+
+@Singleton
+class DashboardCtrl @Inject() (
+    entrypoint: Entrypoint,
+    properties: Properties,
+    db: Database,
+    dashboardSrv: DashboardSrv,
+    userSrv: UserSrv,
+    organisationSrv: OrganisationSrv
+) extends QueryableCtrl {
+
+  override val entityName: String                 = "dashboard"
+  override val publicProperties: PublicProperties = properties.dashboard
+  override val initialQuery: Query =
+    Query.init[Traversal.V[Dashboard]](
+      "listDashboard",
+      (graph, authContext) =>
+        graph
+          .union(
+            organisationSrv.filterTraversal(_).get(authContext.organisation).dashboards,
+            userSrv.filterTraversal(_).getByName(authContext.userId).dashboards
+          )
+          .dedup
+    )
+
+  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Dashboard]](
+    "getDashboard",
+    (idOrName, graph, authContext) => dashboardSrv.get(idOrName)(graph).visible(authContext)
+  )
+
+  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Dashboard], IteratorOutput](
+    "page",
+    (range, dashboardSteps, authContext) => dashboardSteps.richPage(range.from, range.to, withTotal = true)(_.richDashboard(authContext))
+  )
+  override val outputQuery: Query = Query.outputWithContext[RichDashboard, Traversal.V[Dashboard]](_.richDashboard(_))
+
+  def create: Action[AnyContent] =
+    entrypoint("create dashboard")
+      .extract("dashboard", FieldsParser[InputDashboard])
+      .authTransaction(db) { implicit request => implicit graph =>
+        val dashboard: InputDashboard = request.body("dashboard")
+        dashboardSrv
+          .create(dashboard.toDashboard)
+          .flatMap {
+            case richDashboard if dashboard.status == "Shared" =>
+              dashboardSrv
+                .share(richDashboard.dashboard, request.organisation, writable = false)
+                .flatMap(_ => dashboardSrv.get(richDashboard.dashboard).richDashboard.getOrFail("Dashboard"))
+            case richDashboard => Success(richDashboard)
+          }
+          .map(richDashboard => Results.Created(richDashboard.toJson))
+      }
+
+  def get(dashboardId: String): Action[AnyContent] =
+    entrypoint("get dashboard")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        dashboardSrv
+          .get(EntityIdOrName(dashboardId))
+          .visible
+          .richDashboard
+          .getOrFail("Dashboard")
+          .map(dashboard => Results.Ok(dashboard.toJson))
+      }
+
+  def update(dashboardId: String): Action[AnyContent] =
+    entrypoint("update dashboard")
+      .extract("dashboard", FieldsParser.update("dashboard", publicProperties))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val propertyUpdaters: Seq[PropertyUpdater] = request.body("dashboard")
+        dashboardSrv
+          .update(_.get(EntityIdOrName(dashboardId)).canUpdate, propertyUpdaters) // TODO check permission
+          .flatMap { case (dashboardSteps, _) => dashboardSteps.richDashboard.getOrFail("Dashboard") }
+          .map(dashboard => Results.Ok(dashboard.toJson))
+      }
+
+  def delete(dashboardId: String): Action[AnyContent] =
+    entrypoint("delete dashboard")
+      .authTransaction(db) { implicit request => implicit graph =>
+        dashboardSrv
+          .get(EntityIdOrName(dashboardId))
+          .canUpdate
+          .getOrFail("Dashboard")
+          .map { dashboard =>
+            dashboardSrv.remove(dashboard)
+            Results.NoContent
+          }
+      }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/DescribeCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/DescribeCtrl.scala
index ada61aef97..9b2b3df80f 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/DescribeCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/DescribeCtrl.scala
@@ -1,9 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.lang.{Boolean => JBoolean}
-import java.util.Date
-import javax.inject.{Inject, Named, Singleton}
-import org.thp.scalligraph.{EntityId, NotFoundError}
 import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query.PublicProperty
@@ -11,14 +7,18 @@ import org.thp.scalligraph.services.config.ApplicationConfig.durationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.utils.Hash
+import org.thp.scalligraph.{EntityId, NotFoundError}
+import org.thp.thehive.controllers.v0.{QueryCtrl => QueryCtrlV0}
 import org.thp.thehive.services.{CustomFieldSrv, ImpactStatusSrv, ResolutionStatusSrv}
 import play.api.Logger
 import play.api.cache.SyncCacheApi
 import play.api.inject.Injector
 import play.api.libs.json._
 import play.api.mvc.{Action, AnyContent, Results}
-import org.thp.thehive.controllers.v0.{QueryCtrl => QueryCtrlV0}
 
+import java.lang.{Boolean => JBoolean}
+import java.util.Date
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.duration.Duration
 import scala.util.{Failure, Success, Try}
 
@@ -31,20 +31,24 @@ class DescribeCtrl @Inject() (
     caseCtrl: CaseCtrl,
     caseTemplateCtrl: CaseTemplateCtrl,
     customFieldCtrl: CustomFieldCtrl,
-//    dashboardCtrl: DashboardCtrl,
+    dashboardCtrl: DashboardCtrl,
     logCtrl: LogCtrl,
     observableCtrl: ObservableCtrl,
     observableTypeCtrl: ObservableTypeCtrl,
     organisationCtrl: OrganisationCtrl,
 //    pageCtrl: PageCtrl,
+    patternCtrl: PatternCtrl,
+    procedureCtrl: ProcedureCtrl,
     profileCtrl: ProfileCtrl,
+    tagCtrl: TagCtrl,
     taskCtrl: TaskCtrl,
+    taxonomyCtrl: TaxonomyCtrl,
     userCtrl: UserCtrl,
     customFieldSrv: CustomFieldSrv,
     impactStatusSrv: ImpactStatusSrv,
     resolutionStatusSrv: ResolutionStatusSrv,
     injector: Injector,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     applicationConfig: ApplicationConfig
 ) {
 
@@ -55,11 +59,12 @@ class DescribeCtrl @Inject() (
     PropertyDescription("_updatedBy", "user"),
     PropertyDescription("_updatedAt", "date")
   )
-  case class EntityDescription(label: String, attributes: Seq[PropertyDescription]) {
+  case class EntityDescription(label: String, initialQuery: String, attributes: Seq[PropertyDescription]) {
     def toJson: JsObject =
       Json.obj(
-        "label"      -> label,
-        "attributes" -> (attributes ++ metadata)
+        "label"        -> label,
+        "initialQuery" -> initialQuery,
+        "attributes"   -> (attributes ++ metadata)
       )
   }
 
@@ -71,12 +76,14 @@ class DescribeCtrl @Inject() (
 
   def describeCortexEntity(
       name: String,
+      initialQuery: String,
       className: String,
       packageName: String = "org.thp.thehive.connector.cortex.controllers.v0"
   ): Option[EntityDescription] =
     Try(
       EntityDescription(
         name,
+        initialQuery,
         injector
           .instanceOf(getClass.getClassLoader.loadClass(s"$packageName.$className"))
           .asInstanceOf[QueryCtrlV0]
@@ -88,24 +95,32 @@ class DescribeCtrl @Inject() (
     ).toOption
 
   def entityDescriptions: Seq[EntityDescription] =
-    cacheApi.getOrElseUpdate(s"describe.v1", cacheExpire) {
+    cacheApi.getOrElseUpdate("describe.v1", cacheExpire) {
       Seq(
-        EntityDescription("case", caseCtrl.publicProperties.list.flatMap(propertyToJson("case", _))),
-        EntityDescription("case_task", taskCtrl.publicProperties.list.flatMap(propertyToJson("case_task", _))),
-        EntityDescription("alert", alertCtrl.publicProperties.list.flatMap(propertyToJson("alert", _))),
-        EntityDescription("case_artifact", observableCtrl.publicProperties.list.flatMap(propertyToJson("case_artifact", _))),
-        EntityDescription("user", userCtrl.publicProperties.list.flatMap(propertyToJson("user", _))),
-        EntityDescription("case_task_log", logCtrl.publicProperties.list.flatMap(propertyToJson("case_task_log", _))),
-        EntityDescription("audit", auditCtrl.publicProperties.list.flatMap(propertyToJson("audit", _))),
-        EntityDescription("caseTemplate", caseTemplateCtrl.publicProperties.list.flatMap(propertyToJson("caseTemplate", _))),
-        EntityDescription("customField", customFieldCtrl.publicProperties.list.flatMap(propertyToJson("customField", _))),
-        EntityDescription("observableType", observableTypeCtrl.publicProperties.list.flatMap(propertyToJson("observableType", _))),
-        EntityDescription("organisation", organisationCtrl.publicProperties.list.flatMap(propertyToJson("organisation", _))),
-        EntityDescription("profile", profileCtrl.publicProperties.list.flatMap(propertyToJson("profile", _)))
-//        EntityDescription("dashboard", dashboardCtrl.publicProperties.list.flatMap(propertyToJson("dashboard", _))),
-//        EntityDescription("page", pageCtrl.publicProperties.list.flatMap(propertyToJson("page", _)))
-      ) ++ describeCortexEntity("case_artifact_job", "JobCtrl") ++
-        describeCortexEntity("action", "ActionCtrl")
+        EntityDescription("alert", "listAlert", alertCtrl.publicProperties.list.flatMap(propertyToJson("alert", _))),
+        EntityDescription("audit", "listAudit", auditCtrl.publicProperties.list.flatMap(propertyToJson("audit", _))),
+        EntityDescription("case", "listCase", caseCtrl.publicProperties.list.flatMap(propertyToJson("case", _))),
+        EntityDescription("caseTemplate", "listCaseTemplate", caseTemplateCtrl.publicProperties.list.flatMap(propertyToJson("caseTemplate", _))),
+        EntityDescription("customField", "listCustomField", customFieldCtrl.publicProperties.list.flatMap(propertyToJson("customField", _))),
+        EntityDescription("dashboard", "listDashboard", dashboardCtrl.publicProperties.list.flatMap(propertyToJson("dashboard", _))),
+        EntityDescription("log", "listLog", logCtrl.publicProperties.list.flatMap(propertyToJson("case_task_log", _))),
+        EntityDescription("observable", "listObservable", observableCtrl.publicProperties.list.flatMap(propertyToJson("observable", _))),
+        EntityDescription(
+          "observableType",
+          "listObservableType",
+          observableTypeCtrl.publicProperties.list.flatMap(propertyToJson("observableType", _))
+        ),
+        EntityDescription("organisation", "listOrganisation", organisationCtrl.publicProperties.list.flatMap(propertyToJson("organisation", _))),
+        // EntityDescription("page", "listPage", pageCtrl.publicProperties.list.flatMap(propertyToJson("page", _)))
+        EntityDescription("pattern", "listPattern", patternCtrl.publicProperties.list.flatMap(propertyToJson("pattern", _))),
+        EntityDescription("procedure", "listProcedure", procedureCtrl.publicProperties.list.flatMap(propertyToJson("procedure", _))),
+        EntityDescription("profile", "listProfile", profileCtrl.publicProperties.list.flatMap(propertyToJson("profile", _))),
+        EntityDescription("tag", "listTag", tagCtrl.publicProperties.list.flatMap(propertyToJson("tag", _))),
+        EntityDescription("task", "listTask", taskCtrl.publicProperties.list.flatMap(propertyToJson("task", _))),
+        EntityDescription("taxonomy", "listTaxonomy", taxonomyCtrl.publicProperties.list.flatMap(propertyToJson("taxonomy", _))),
+        EntityDescription("user", "listUser", userCtrl.publicProperties.list.flatMap(propertyToJson("user", _)))
+      ) ++ describeCortexEntity("job", "listJob", "JobCtrl") ++
+        describeCortexEntity("action", "listAction", "ActionCtrl")
     }
 
   implicit val propertyDescriptionWrites: Writes[PropertyDescription] =
@@ -146,28 +161,8 @@ class DescribeCtrl @Inject() (
         )
       case ("case", "impactStatus")     => Some(Seq(impactStatus))
       case ("case", "resolutionStatus") => Some(Seq(resolutionStatus))
-//    //case ("observable", "status") =>
-//    //  Some(PropertyDescription("status", "enumeration", Seq(JsString("Ok"))))
-//    //case ("observable", "dataType") =>
-//    //  Some(PropertyDescription("status", "enumeration", Seq(JsString("sometesttype", "fqdn", "url", "regexp", "mail", "hash", "registry", "custom-type", "uri_path", "ip", "user-agent", "autonomous-system", "file", "mail_subject", "filename", "other", "domain"))))
-//    case ("alert", "status") =>
-//      Some(Seq(PropertyDescription("status", "enumeration", Seq(JsString("New"), JsString("Updated"), JsString("Ignored"), JsString("Imported")))))
-//    case ("case_task", "status") =>
-//      Some(
-//        Seq(PropertyDescription("status", "enumeration", Seq(JsString("Waiting"), JsString("InProgress"), JsString("Completed"), JsString("Cancel"))))
-//      )
-//    case ("case", "impactStatus") =>
-//      Some(Seq(PropertyDescription("impactStatus", "enumeration", Seq(JsString("NoImpact"), JsString("WithImpact"), JsString("NotApplicable")))))
-//    case ("case", "resolutionStatus") =>
-//      Some(
-//        Seq(
-//          PropertyDescription(
-//            "resolutionStatus",
-//            "enumeration",
-//            Seq(JsString("FalsePositive"), JsString("Duplicated"), JsString("Indeterminate"), JsString("TruePositive"), JsString("Other"))
-//          )
-//        )
-//      )
+      case ("dashboard", "status") =>
+        Some(Seq(PropertyDescription("status", "enumeration", Seq(JsString("Shared"), JsString("Private"), JsString("Deleted")))))
       case (_, "tlp") =>
         Some(
           Seq(PropertyDescription("tlp", "number", Seq(JsNumber(0), JsNumber(1), JsNumber(2), JsNumber(3)), Seq("white", "green", "amber", "red")))
@@ -190,20 +185,10 @@ class DescribeCtrl @Inject() (
       case (_, "_createdBy")   => Some(Seq(PropertyDescription("_createdBy", "user")))
       case (_, "_updatedBy")   => Some(Seq(PropertyDescription("_updatedBy", "user")))
       case (_, "customFields") => Some(customFields)
-//    case ("case_artifact_job" | "action", "status") =>
-//      Some(
-//        Seq(
-//          PropertyDescription(
-//            "status",
-//            "enumeration",
-//            Seq(JsString("InProgress"), JsString("Success"), JsString("Failure"), JsString("Waiting"), JsString("Deleted"))
-//          )
-//        )
-//      )
-      case _ => None
+      case _                   => None
     }
 
-  def propertyToJson(model: String, prop: PublicProperty[_, _]): Seq[PropertyDescription] =
+  def propertyToJson(model: String, prop: PublicProperty): Seq[PropertyDescription] =
     customDescription(model, prop.propertyName).getOrElse {
       prop.mapping.domainTypeClass match {
         case c if c == classOf[Boolean] || c == classOf[JBoolean] => Seq(PropertyDescription(prop.propertyName, "boolean"))
@@ -213,7 +198,7 @@ class DescribeCtrl @Inject() (
         case c if c == classOf[String]                            => Seq(PropertyDescription(prop.propertyName, "string"))
         case c if c == classOf[EntityId]                          => Seq(PropertyDescription(prop.propertyName, "string"))
         case _ =>
-          logger.warn(s"Unrecognized property $prop. Add a custom description")
+          logger.warn(s"Unrecognized property ${prop.propertyName}:${prop.mapping.domainTypeClass.getSimpleName}. Add a custom description")
           Seq(PropertyDescription(prop.propertyName, "unknown"))
       }
     }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/LogCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/LogCtrl.scala
index 2627780719..7679720d7e 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/LogCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/LogCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -11,17 +10,17 @@ import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputLog
 import org.thp.thehive.models.{Log, Permissions, RichLog}
 import org.thp.thehive.services.LogOps._
-import org.thp.thehive.services.OrganisationOps._
-import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.{LogSrv, OrganisationSrv, TaskSrv}
 import play.api.Logger
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class LogCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     properties: Properties,
     logSrv: LogSrv,
     taskSrv: TaskSrv,
@@ -32,15 +31,13 @@ class LogCtrl @Inject() (
   override val entityName: String                 = "log"
   override val publicProperties: PublicProperties = properties.log
   override val initialQuery: Query =
-    Query.init[Traversal.V[Log]]("listLog", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).shares.tasks.logs)
+    Query.init[Traversal.V[Log]]("listLog", (graph, authContext) => logSrv.startTraversal(graph).visible(organisationSrv)(authContext))
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Log]](
     "getLog",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => logSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => logSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Log], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, logSteps, authContext) =>
       logSteps.richPage(range.from, range.to, range.extraData.contains("total"))(
         _.richLogWithCustomRenderer(logStatsRenderer(range.extraData - "total")(authContext))
@@ -82,7 +79,7 @@ class LogCtrl @Inject() (
       .authTransaction(db) { implicit req => implicit graph =>
         for {
           log <- logSrv.get(EntityIdOrName(logId)).can(Permissions.manageTask).getOrFail("Log")
-          _   <- logSrv.cascadeRemove(log)
+          _   <- logSrv.delete(log)
         } yield Results.NoContent
       }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/LogRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/LogRenderer.scala
index 5d234c9523..64296fc12c 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/LogRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/LogRenderer.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.lang.{Long => JLong}
-import java.util.{List => JList, Map => JMap}
-
 import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -14,14 +11,17 @@ import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.TaskOps._
 import play.api.libs.json._
 
+import java.lang.{Long => JLong}
+import java.util.{List => JList, Map => JMap}
+
 trait LogRenderer extends BaseRenderer[Log] {
 
-  def caseParent(implicit
+  private def caseParent(implicit
       authContext: AuthContext
   ): Traversal.V[Log] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
     _.`case`.richCase.fold.domainMap(_.headOption.fold[JsValue](JsNull)(_.toJson))
 
-  def taskParent(implicit
+  private def taskParent(implicit
       authContext: AuthContext
   ): Traversal.V[Log] => Traversal[JsValue, JMap[String, Any], Converter[JsValue, JMap[String, Any]]] =
     _.task.project(_.by(_.richTask.fold).by(_.`case`.richCase.fold)).domainMap {
@@ -29,21 +29,25 @@ trait LogRenderer extends BaseRenderer[Log] {
         task.headOption.fold[JsValue](JsNull)(_.toJson.as[JsObject] + ("case" -> case0.headOption.fold[JsValue](JsNull)(_.toJson)))
     }
 
-  def taskParentId: Traversal.V[Log] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
+  private def taskParentId: Traversal.V[Log] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
     _.task.fold.domainMap(_.headOption.fold[JsValue](JsNull)(c => JsString(c._id.toString)))
 
-  def actionCount: Traversal.V[Log] => Traversal[JsValue, JLong, Converter[JsValue, JLong]] =
+  private def actionCount: Traversal.V[Log] => Traversal[JsValue, JLong, Converter[JsValue, JLong]] =
     _.in("ActionContext").count.domainMap(JsNumber(_))
 
-  def logStatsRenderer(extraData: Set[String])(
-    implicit authContext: AuthContext
+  def logStatsRenderer(extraData: Set[String])(implicit
+      authContext: AuthContext
   ): Traversal.V[Log] => JsTraversal = { implicit traversal =>
-    baseRenderer(extraData, traversal, {
-      case (f, "case")        => addData("case", f)(caseParent)
-      case (f, "task")        => addData("task", f)(taskParent)
-      case (f, "taskId")      => addData("taskId", f)(taskParentId)
-      case (f, "actionCount") => addData("actionCount", f)(actionCount)
-      case (f, _)             => f
-    })
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "case")        => addData("case", f)(caseParent)
+        case (f, "task")        => addData("task", f)(taskParent)
+        case (f, "taskId")      => addData("taskId", f)(taskParentId)
+        case (f, "actionCount") => addData("actionCount", f)(actionCount)
+        case (f, _)             => f
+      }
+    )
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/MonitoringCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/MonitoringCtrl.scala
new file mode 100644
index 0000000000..3729b0a96d
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/MonitoringCtrl.scala
@@ -0,0 +1,47 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.controllers.Entrypoint
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
+import org.thp.thehive.models.Permissions
+import play.api.libs.json.{Format, JsArray, Json}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import java.io.File
+import javax.inject.{Inject, Singleton}
+import scala.util.Success
+
+@Singleton
+class MonitoringCtrl @Inject() (
+    appConfig: ApplicationConfig,
+    entrypoint: Entrypoint,
+    db: Database
+) {
+  case class PartitionConfig(location: String)
+
+  object PartitionConfig {
+    implicit val format: Format[PartitionConfig] = Json.format[PartitionConfig]
+  }
+
+  val diskLocationsConfig: ConfigItem[Seq[PartitionConfig], Seq[PartitionConfig]] =
+    appConfig.item[Seq[PartitionConfig]]("monitor.disk", "disk locations to monitor")
+  def diskLocations: Seq[PartitionConfig] = diskLocationsConfig.get
+
+  def diskUsage: Action[AnyContent] =
+    entrypoint("monitor disk usage")
+      .authPermittedTransaction(db, Permissions.managePlatform)(implicit request =>
+        implicit graph =>
+          for {
+            _ <- Success(())
+            locations = diskLocations.map { dl =>
+              val file = new File(dl.location)
+              Json.obj(
+                "location"   -> dl.location,
+                "freeSpace"  -> file.getFreeSpace,
+                "totalSpace" -> file.getTotalSpace
+              )
+            }
+          } yield Results.Ok(JsArray(locations))
+      )
+
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
index 706c36481d..3c8f8aa531 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
@@ -22,17 +22,19 @@ import play.api.libs.Files.DefaultTemporaryFileCreator
 import play.api.libs.json.{JsArray, JsValue, Json}
 import play.api.mvc.{Action, AnyContent, Results}
 import play.api.{Configuration, Logger}
+import shapeless.{:+:, CNil, Coproduct, Poly1}
 
 import java.io.FilterInputStream
 import java.nio.file.Files
-import javax.inject.{Inject, Named, Singleton}
+import java.util.Base64
+import javax.inject.{Inject, Singleton}
 import scala.collection.JavaConverters._
-import scala.util.{Failure, Success}
+import scala.util.{Failure, Success, Try}
 
 @Singleton
 class ObservableCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     properties: Properties,
     observableSrv: ObservableSrv,
     observableTypeSrv: ObservableTypeSrv,
@@ -46,6 +48,8 @@ class ObservableCtrl @Inject() (
 ) extends QueryableCtrl
     with ObservableRenderer {
 
+  type AnyAttachmentType = InputAttachment :+: FFile :+: String :+: CNil
+
   lazy val logger: Logger                         = Logger(getClass)
   override val entityName: String                 = "observable"
   override val publicProperties: PublicProperties = properties.observable
@@ -56,16 +60,14 @@ class ObservableCtrl @Inject() (
     )
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Observable]](
     "getObservable",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => observableSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => observableSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Observable], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     {
       case (OutputParam(from, to, extraData), observableSteps, authContext) =>
         observableSteps.richPage(from, to, extraData.contains("total")) {
-          _.richObservableWithCustomRenderer(observableStatsRenderer(extraData - "total")(authContext))(authContext)
+          _.richObservableWithCustomRenderer(organisationSrv, observableStatsRenderer(organisationSrv, extraData - "total")(authContext))(authContext)
         }
     }
   )
@@ -78,19 +80,20 @@ class ObservableCtrl @Inject() (
     ),
     Query[Traversal.V[Observable], Traversal.V[Observable]](
       "similar",
-      (observableSteps, authContext) => observableSteps.filteredSimilar.visible(authContext)
+      (observableSteps, authContext) => observableSteps.filteredSimilar.visible(organisationSrv)(authContext)
     ),
     Query[Traversal.V[Observable], Traversal.V[Case]]("case", (observableSteps, _) => observableSteps.`case`),
-    Query[Traversal.V[Observable], Traversal.V[Alert]]("alert", (observableSteps, _) => observableSteps.alert)
+    Query[Traversal.V[Observable], Traversal.V[Alert]]("alert", (observableSteps, _) => observableSteps.alert),
+    Query[Traversal.V[Observable], Traversal.V[Share]]("shares", (observableSteps, authContext) => observableSteps.shares.visible(authContext))
   )
 
   def createInCase(caseId: String): Action[AnyContent] =
-    entrypoint("create artifact in case")
-      .extract("artifact", FieldsParser[InputObservable])
+    entrypoint("create observable in case")
+      .extract("observable", FieldsParser[InputObservable])
       .extract("isZip", FieldsParser.boolean.optional.on("isZip"))
       .extract("zipPassword", FieldsParser.string.optional.on("zipPassword"))
       .auth { implicit request =>
-        val inputObservable: InputObservable = request.body("artifact")
+        val inputObservable: InputObservable = request.body("observable")
         val isZip: Option[Boolean]           = request.body("isZip")
         val zipPassword: Option[String]      = request.body("zipPassword")
         val inputAttachObs                   = if (isZip.contains(true)) getZipFiles(inputObservable, zipPassword) else Seq(inputObservable)
@@ -108,11 +111,14 @@ class ObservableCtrl @Inject() (
           }
           .map {
             case (case0, observableType) =>
-              val (successes, failures) = inputAttachObs
-                .flatMap { obs =>
-                  obs.attachment.map(createAttachmentObservableInCase(case0, obs, observableType, _)) ++
-                    obs.data.map(createSimpleObservableInCase(case0, obs, observableType, _))
-                }
+              val successesAndFailures =
+                if (observableType.isAttachment)
+                  inputAttachObs
+                    .flatMap(obs => obs.attachment.map(createAttachmentObservableInCase(case0, obs, _)))
+                else
+                  inputAttachObs
+                    .flatMap(obs => obs.data.map(createSimpleObservableInCase(case0, obs, _)))
+              val (successes, failures) = successesAndFailures
                 .foldLeft[(Seq[JsValue], Seq[JsValue])]((Nil, Nil)) {
                   case ((s, f), Right(o)) => (s :+ o, f)
                   case ((s, f), Left(o))  => (s, f :+ o)
@@ -125,14 +131,11 @@ class ObservableCtrl @Inject() (
   private def createSimpleObservableInCase(
       `case`: Case with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       data: String
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        observableSrv
-          .create(inputObservable.toObservable, observableType, data, inputObservable.tags, Nil)
-          .flatMap(o => caseSrv.addObservable(`case`, o).map(_ => o))
+        caseSrv.createObservable(`case`, inputObservable.toObservable, data)
       } match {
       case Success(o)     => Right(o.toJson)
       case Failure(error) => Left(errorHandler.toErrorResult(error)._2 ++ Json.obj("object" -> Json.obj("data" -> data)))
@@ -141,20 +144,19 @@ class ObservableCtrl @Inject() (
   private def createAttachmentObservableInCase(
       `case`: Case with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       fileOrAttachment: Either[FFile, InputAttachment]
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        val observable = fileOrAttachment match {
-          case Left(file) => observableSrv.create(inputObservable.toObservable, observableType, file, inputObservable.tags, Nil)
+        fileOrAttachment match {
+          case Left(file) =>
+            caseSrv.createObservable(`case`, inputObservable.toObservable, file)
           case Right(attachment) =>
             for {
               attach <- attachmentSrv.duplicate(attachment.name, attachment.contentType, attachment.id)
-              obs    <- observableSrv.create(inputObservable.toObservable, observableType, attach, inputObservable.tags, Nil)
+              obs    <- caseSrv.createObservable(`case`, inputObservable.toObservable, attach)
             } yield obs
         }
-        observable.flatMap(o => caseSrv.addObservable(`case`, o).map(_ => o))
       } match {
       case Success(o) => Right(o.toJson)
       case _ =>
@@ -179,18 +181,25 @@ class ObservableCtrl @Inject() (
               alert <-
                 alertSrv
                   .get(EntityIdOrName(alertId))
-                  .can(Permissions.manageAlert)
+                  .can(organisationSrv, Permissions.manageAlert)
                   .orFail(AuthorizationError("Operation not permitted"))
               observableType <- observableTypeSrv.getOrFail(EntityName(inputObservable.dataType))
             } yield (alert, observableType)
           }
           .map {
             case (alert, observableType) =>
-              val (successes, failures) = inputAttachObs
-                .flatMap { obs =>
-                  obs.attachment.map(createAttachmentObservableInAlert(alert, obs, observableType, _)) ++
-                    obs.data.map(createSimpleObservableInAlert(alert, obs, observableType, _))
-                }
+              val successesAndFailures =
+                if (observableType.isAttachment)
+                  inputAttachObs
+                    .flatMap { obs =>
+                      (obs.attachment.map(_.fold(Coproduct[AnyAttachmentType](_), Coproduct[AnyAttachmentType](_))) ++
+                        obs.data.map(Coproduct[AnyAttachmentType](_)))
+                        .map(createAttachmentObservableInAlert(alert, obs, _))
+                    }
+                else
+                  inputAttachObs
+                    .flatMap(obs => obs.data.map(createSimpleObservableInAlert(alert, obs, _)))
+              val (successes, failures) = successesAndFailures
                 .foldLeft[(Seq[JsValue], Seq[JsValue])]((Nil, Nil)) {
                   case ((s, f), Right(o)) => (s :+ o, f)
                   case ((s, f), Left(o))  => (s, f :+ o)
@@ -203,14 +212,11 @@ class ObservableCtrl @Inject() (
   private def createSimpleObservableInAlert(
       alert: Alert with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
       data: String
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        observableSrv
-          .create(inputObservable.toObservable, observableType, data, inputObservable.tags, Nil)
-          .flatMap(o => alertSrv.addObservable(alert, o).map(_ => o))
+        alertSrv.createObservable(alert, inputObservable.toObservable, data)
       } match {
       case Success(o)     => Right(o.toJson)
       case Failure(error) => Left(errorHandler.toErrorResult(error)._2 ++ Json.obj("object" -> Json.obj("data" -> data)))
@@ -219,24 +225,49 @@ class ObservableCtrl @Inject() (
   private def createAttachmentObservableInAlert(
       alert: Alert with Entity,
       inputObservable: InputObservable,
-      observableType: ObservableType with Entity,
-      fileOrAttachment: Either[FFile, InputAttachment]
+      attachment: AnyAttachmentType
   )(implicit authContext: AuthContext): Either[JsValue, JsValue] =
     db
       .tryTransaction { implicit graph =>
-        val observable = fileOrAttachment match {
-          case Left(file) => observableSrv.create(inputObservable.toObservable, observableType, file, inputObservable.tags, Nil)
-          case Right(attachment) =>
+        object createAttachment extends Poly1 {
+          implicit val fromFile: Case.Aux[FFile, Try[RichObservable]] = at[FFile] { file =>
+            alertSrv.createObservable(alert, inputObservable.toObservable, file)
+          }
+          implicit val fromAttachment: Case.Aux[InputAttachment, Try[RichObservable]] = at[InputAttachment] { attachment =>
             for {
               attach <- attachmentSrv.duplicate(attachment.name, attachment.contentType, attachment.id)
-              obs    <- observableSrv.create(inputObservable.toObservable, observableType, attach, inputObservable.tags, Nil)
+              obs    <- alertSrv.createObservable(alert, inputObservable.toObservable, attach)
             } yield obs
+          }
+
+          implicit val fromString: Case.Aux[String, Try[RichObservable]] = at[String] { data =>
+            data.split(';') match {
+              case Array(filename, contentType, value) =>
+                val data = Base64.getDecoder.decode(value)
+                attachmentSrv
+                  .create(filename, contentType, data)
+                  .flatMap(attachment => alertSrv.createObservable(alert, inputObservable.toObservable, attachment))
+              case Array(filename, contentType) =>
+                attachmentSrv
+                  .create(filename, contentType, Array.emptyByteArray)
+                  .flatMap(attachment => alertSrv.createObservable(alert, inputObservable.toObservable, attachment))
+              case data =>
+                Failure(InvalidFormatAttributeError("artifacts.data", "filename;contentType;base64value", Set.empty, FString(data.mkString(";"))))
+            }
+          }
         }
-        observable.flatMap(o => alertSrv.addObservable(alert, o).map(_ => o))
+        attachment.fold(createAttachment)
       } match {
       case Success(o) => Right(o.toJson)
       case _ =>
-        val filename = fileOrAttachment.fold(_.filename, _.name)
+        object attachmentName extends Poly1 {
+          implicit val fromFile: Case.Aux[FFile, String]                 = at[FFile](_.filename)
+          implicit val fromAttachment: Case.Aux[InputAttachment, String] = at[InputAttachment](_.name)
+          implicit val fromString: Case.Aux[String, String] = at[String] { data =>
+            if (data.contains(';')) data.takeWhile(_ != ';') else "no name"
+          }
+        }
+        val filename = attachment.fold(attachmentName)
         Left(Json.obj("object" -> Json.obj("data" -> s"file:$filename", "attachment" -> Json.obj("name" -> filename))))
     }
 
@@ -245,7 +276,7 @@ class ObservableCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         observableSrv
           .get(EntityIdOrName(observableId))
-          .visible
+          .visible(organisationSrv)
           .richObservable
           .getOrFail("Observable")
           .map { observable =>
@@ -259,7 +290,7 @@ class ObservableCtrl @Inject() (
       .authTransaction(db) { implicit request => implicit graph =>
         val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
         observableSrv
-          .update(_.get(EntityIdOrName(observableId)).canManage, propertyUpdaters)
+          .update(_.get(EntityIdOrName(observableId)).canManage(organisationSrv), propertyUpdaters)
           .map(_ => Results.NoContent)
       }
 
@@ -273,21 +304,21 @@ class ObservableCtrl @Inject() (
         ids
           .toTry { id =>
             observableSrv
-              .update(_.get(EntityIdOrName(id)).canManage, properties)
+              .update(_.get(EntityIdOrName(id)).canManage(organisationSrv), properties)
           }
           .map(_ => Results.NoContent)
       }
 
   def delete(observableId: String): Action[AnyContent] =
-    entrypoint("delete")
+    entrypoint("delete observable")
       .authTransaction(db) { implicit request => implicit graph =>
         for {
           observable <-
             observableSrv
               .get(EntityIdOrName(observableId))
-              .canManage
+              .canManage(organisationSrv)
               .getOrFail("Observable")
-          _ <- observableSrv.remove(observable)
+          _ <- observableSrv.delete(observable)
         } yield Results.NoContent
       }
 
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
index 603670c0a0..b757d50831 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.lang.{Boolean => JBoolean, Long => JLong}
-import java.util.{List => JList, Map => JMap}
-
 import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -13,15 +10,19 @@ import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.OrganisationSrv
 import play.api.libs.json._
 
+import java.lang.{Boolean => JBoolean, Long => JLong}
+import java.util.{List => JList, Map => JMap}
+
 trait ObservableRenderer extends BaseRenderer[Observable] {
 
-  def seenStats(implicit
+  def seenStats(organisationSrv: OrganisationSrv)(implicit
       authContext: AuthContext
   ): Traversal.V[Observable] => Traversal[JsValue, JMap[JBoolean, JLong], Converter[JsValue, JMap[JBoolean, JLong]]] =
     _.filteredSimilar
-      .visible
+      .visible(organisationSrv)
       .groupCount(_.byValue(_.ioc))
       .domainMap { stats =>
         val nTrue  = stats.getOrElse(true, 0L)
@@ -52,17 +53,21 @@ trait ObservableRenderer extends BaseRenderer[Observable] {
   def permissions(implicit authContext: AuthContext): Traversal.V[Observable] => Traversal[JsValue, Vertex, Converter[JsValue, Vertex]] =
     _.userPermissions.domainMap(permissions => Json.toJson(permissions))
 
-  def observableStatsRenderer(extraData: Set[String])(
-    implicit authContext: AuthContext
+  def observableStatsRenderer(organisationSrv: OrganisationSrv, extraData: Set[String])(implicit
+      authContext: AuthContext
   ): Traversal.V[Observable] => JsTraversal = { implicit traversal =>
-    baseRenderer(extraData, traversal, {
-      case (f, "seen")        => addData("seen", f)(seenStats)
-      case (f, "shares")      => addData("shares", f)(sharesStats)
-      case (f, "links")       => addData("links", f)(observableLinks)
-      case (f, "permissions") => addData("permissions", f)(permissions)
-      case (f, "isOwner")     => addData("isOwner", f)(isOwner)
-      case (f, "shareCount")  => addData("shareCount", f)(shareCount)
-      case (f, _)             => f
-    })
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "seen")        => addData("seen", f)(seenStats(organisationSrv))
+        case (f, "shares")      => addData("shares", f)(sharesStats)
+        case (f, "links")       => addData("links", f)(observableLinks)
+        case (f, "permissions") => addData("permissions", f)(permissions)
+        case (f, "isOwner")     => addData("isOwner", f)(isOwner)
+        case (f, "shareCount")  => addData("shareCount", f)(shareCount)
+        case (f, _)             => f
+      }
+    )
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableTypeCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableTypeCtrl.scala
index 3d7353b0b6..e88f7ad107 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableTypeCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableTypeCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity, UMapping}
@@ -13,10 +12,12 @@ import org.thp.thehive.models.{ObservableType, Permissions}
 import org.thp.thehive.services.ObservableTypeSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class ObservableTypeCtrl @Inject() (
     val entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     observableTypeSrv: ObservableTypeSrv
 ) extends QueryableCtrl {
   override val entityName: String = "ObservableType"
@@ -25,13 +26,11 @@ class ObservableTypeCtrl @Inject() (
   override val pageQuery: ParamQuery[OutputParam] =
     Query.withParam[OutputParam, Traversal.V[ObservableType], IteratorOutput](
       "page",
-      FieldsParser[OutputParam],
       (range, observableTypeSteps, _) => observableTypeSteps.richPage(range.from, range.to, withTotal = true)(identity)
     )
   override val outputQuery: Query = Query.output[ObservableType with Entity]
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[ObservableType]](
     "getObservableType",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => observableTypeSrv.get(idOrName)(graph)
   )
   override val publicProperties: PublicProperties = PublicPropertyListBuilder[ObservableType]
diff --git a/thehive/app/org/thp/thehive/controllers/v1/OrganisationCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/OrganisationCtrl.scala
index 115327a732..f4f5f70f2d 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/OrganisationCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/OrganisationCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -15,13 +14,15 @@ import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class OrganisationCtrl @Inject() (
     entrypoint: Entrypoint,
     properties: Properties,
     organisationSrv: OrganisationSrv,
     userSrv: UserSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryableCtrl {
 
   override val entityName: String                 = "organisation"
@@ -36,13 +37,11 @@ class OrganisationCtrl @Inject() (
     )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Organisation], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, organisationSteps, _) => organisationSteps.richPage(range.from, range.to, range.extraData.contains("total"))(_.richOrganisation)
   )
   override val outputQuery: Query = Query.output[RichOrganisation, Traversal.V[Organisation]](_.richOrganisation)
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Organisation]](
     "getOrganisation",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => organisationSrv.get(idOrName)(graph).visible(authContext)
   )
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
diff --git a/thehive/app/org/thp/thehive/controllers/v1/PatternCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/PatternCtrl.scala
new file mode 100644
index 0000000000..03b1615796
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/PatternCtrl.scala
@@ -0,0 +1,136 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.controllers.{Entrypoint, FFile, FieldsParser}
+import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.query.{ParamQuery, PublicProperties, Query}
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Graph, IteratorOutput, Traversal}
+import org.thp.scalligraph.{BadRequestError, EntityIdOrName}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.dto.v1.InputPattern
+import org.thp.thehive.models.{Pattern, Permissions, RichPattern}
+import org.thp.thehive.services.PatternOps._
+import org.thp.thehive.services.PatternSrv
+import play.api.libs.json.{JsArray, Json}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import java.io.FileInputStream
+import javax.inject.{Inject, Singleton}
+import scala.util.{Failure, Success, Try}
+
+@Singleton
+class PatternCtrl @Inject() (
+    entrypoint: Entrypoint,
+    properties: Properties,
+    patternSrv: PatternSrv,
+    db: Database
+) extends QueryableCtrl
+    with PatternRenderer {
+  override val entityName: String                 = "pattern"
+  override val publicProperties: PublicProperties = properties.pattern
+  override val initialQuery: Query = Query.init[Traversal.V[Pattern]](
+    "listPattern",
+    (graph, _) =>
+      patternSrv
+        .startTraversal(graph)
+  )
+  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Pattern], IteratorOutput](
+    "page",
+    {
+      case (OutputParam(from, to, extraData), patternSteps, _) =>
+        patternSteps.richPage(from, to, extraData.contains("total"))(_.richPatternWithCustomRenderer(patternRenderer(extraData - "total")))
+    }
+  )
+  override val outputQuery: Query = Query.output[RichPattern, Traversal.V[Pattern]](_.richPattern)
+  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Pattern]](
+    "getPattern",
+    (idOrName, graph, _) => patternSrv.get(idOrName)(graph)
+  )
+
+  def importMitre: Action[AnyContent] =
+    entrypoint("import MITRE ATT&CK patterns")
+      .extract("file", FieldsParser.file.on("file"))
+      .authPermitted(Permissions.managePattern) { implicit request =>
+        val file: FFile = request.body("file")
+
+        for {
+          inputPatterns <- parseJsonFile(file)
+          importedPatterns =
+            inputPatterns
+              .sortBy(_.external_id.length) // sort to create sub-patterns after their parent
+              .foldLeft[JsArray](JsArray.empty) { (array, inputPattern) =>
+                array :+ db.tryTransaction { implicit graph =>
+                  createFromInput(inputPattern).transform(
+                    t => Success(Json.obj("status" -> "Success", "mitreId" -> t.patternId, "patternName" -> t.name)),
+                    e => Success(Json.obj("status" -> "Failure", "message" -> e.getMessage))
+                  )
+                }.get
+              }
+        } yield Results.Created(importedPatterns)
+      }
+
+  def get(patternId: String): Action[AnyContent] =
+    entrypoint("get pattern")
+      .authRoTransaction(db) { _ => implicit graph =>
+        patternSrv
+          .get(EntityIdOrName(patternId))
+          .richPattern
+          .getOrFail("Pattern")
+          .map(richPattern => Results.Ok(richPattern.toJson))
+      }
+
+  def getCasePatterns(caseId: String): Action[AnyContent] =
+    entrypoint("get case patterns")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        for {
+          patterns <- patternSrv.getCasePatterns(caseId)
+        } yield Results.Ok(patterns.toJson)
+      }
+
+  def delete(patternId: String): Action[AnyContent] =
+    entrypoint("delete pattern")
+      .authPermittedTransaction(db, Permissions.managePattern) { implicit request => implicit graph =>
+        patternSrv
+          .getOrFail(EntityIdOrName(patternId))
+          .flatMap(patternSrv.remove)
+          .map(_ => Results.NoContent)
+      }
+
+  private def parseJsonFile(file: FFile): Try[Seq[InputPattern]] =
+    for {
+      json <- Try(Json.parse(new FileInputStream(file.filepath.toString)))
+    } yield (json \ "objects").as[Seq[InputPattern]]
+
+  private def createFromInput(inputPattern: InputPattern)(implicit graph: Graph, authContext: AuthContext): Try[Pattern with Entity] =
+    if (inputPattern.external_id.isEmpty)
+      Failure(BadRequestError(s"A pattern with no MITRE id cannot be imported"))
+    else if (inputPattern.`type` != "attack-pattern")
+      Failure(BadRequestError(s"Only patterns with type attack-pattern are imported, this one is ${inputPattern.`type`}"))
+    else if (patternSrv.startTraversal.alreadyImported(inputPattern.external_id))
+      // Update a pattern
+      for {
+        pattern        <- patternSrv.get(EntityIdOrName(inputPattern.external_id)).getOrFail("Pattern")
+        updatedPattern <- patternSrv.update(pattern, inputPattern.toPattern)
+        _ = if (inputPattern.x_mitre_is_subtechnique) linkPattern(pattern)
+      } yield updatedPattern
+    else
+      // Create a pattern
+      for {
+        pattern <- patternSrv.createEntity(inputPattern.toPattern)
+        _ = if (inputPattern.x_mitre_is_subtechnique) linkPattern(pattern)
+      } yield pattern
+
+  private def linkPattern(child: Pattern with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
+    val firstDot = child.patternId.indexOf(".")
+    if (firstDot == -1)
+      Failure(BadRequestError(s"Invalid sub-pattern patternId ${child.patternId} (must contain a dot"))
+    else {
+      val parentId = child.patternId.substring(0, firstDot)
+      for {
+        parent <- patternSrv.startTraversal.getByPatternId(parentId).getOrFail("Pattern")
+        _      <- patternSrv.setParent(child, parent)
+      } yield ()
+    }
+  }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/PatternRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/PatternRenderer.scala
new file mode 100644
index 0000000000..3ceb219e5d
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/PatternRenderer.scala
@@ -0,0 +1,31 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.models.Pattern
+import org.thp.thehive.services.PatternOps._
+import play.api.libs.json._
+
+import java.util.{List => JList, Map => JMap}
+
+trait PatternRenderer extends BaseRenderer[Pattern] {
+
+  private def parent: Traversal.V[Pattern] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
+    _.parent.richPattern.fold.domainMap(_.headOption.fold[JsValue](JsNull)(_.toJson))
+
+  private def children: Traversal.V[Pattern] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
+    _.children.richPattern.fold.domainMap(_.toJson)
+
+  def patternRenderer(extraData: Set[String]): Traversal.V[Pattern] => JsTraversal = { implicit traversal =>
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "children") => addData("children", f)(children)
+        case (f, "parent")   => addData("parent", f)(parent)
+        case (f, _)          => f
+      }
+    )
+  }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ProcedureCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ProcedureCtrl.scala
new file mode 100644
index 0000000000..491bb636df
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/ProcedureCtrl.scala
@@ -0,0 +1,89 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.query.{ParamQuery, PropertyUpdater, PublicProperties, Query}
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{IteratorOutput, Traversal}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.dto.v1.InputProcedure
+import org.thp.thehive.models.{Permissions, Procedure, RichProcedure}
+import org.thp.thehive.services.ProcedureOps._
+import org.thp.thehive.services.ProcedureSrv
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.{Inject, Singleton}
+
+@Singleton
+class ProcedureCtrl @Inject() (
+    entrypoint: Entrypoint,
+    properties: Properties,
+    procedureSrv: ProcedureSrv,
+    db: Database
+) extends QueryableCtrl
+    with ProcedureRenderer {
+  override val entityName: String                 = "procedure"
+  override val publicProperties: PublicProperties = properties.procedure
+  override val initialQuery: Query = Query.init[Traversal.V[Procedure]](
+    "listProcedure",
+    (graph, _) =>
+      procedureSrv
+        .startTraversal(graph)
+  )
+  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Procedure], IteratorOutput](
+    "page",
+    (range, procedureSteps, _) =>
+      procedureSteps.richPage(range.from, range.to, range.extraData.contains("total"))(
+        _.richProcedureWithCustomRenderer(procedureStatsRenderer(range.extraData - "total"))
+      )
+  )
+  override val outputQuery: Query = Query.output[RichProcedure, Traversal.V[Procedure]](_.richProcedure)
+  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Procedure]](
+    "getProcedure",
+    (idOrName, graph, _) => procedureSrv.get(idOrName)(graph)
+  )
+
+  def create: Action[AnyContent] =
+    entrypoint("create procedure")
+      .extract("procedure", FieldsParser[InputProcedure])
+      .authPermittedTransaction(db, Permissions.manageProcedure) { implicit request => implicit graph =>
+        val inputProcedure: InputProcedure = request.body("procedure")
+        for {
+          richProcedure <- procedureSrv.create(inputProcedure.toProcedure, inputProcedure.caseId, inputProcedure.patternId)
+        } yield Results.Created(richProcedure.toJson)
+      }
+
+  def get(procedureId: String): Action[AnyContent] =
+    entrypoint("get procedure")
+      .authRoTransaction(db) { _ => implicit graph =>
+        procedureSrv
+          .get(EntityIdOrName(procedureId))
+          .richProcedure
+          .getOrFail("Procedure")
+          .map(richProcedure => Results.Ok(richProcedure.toJson))
+      }
+
+  def update(procedureId: String): Action[AnyContent] =
+    entrypoint("update procedure")
+      .extract("procedure", FieldsParser.update("procedure", properties.procedure))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val propertyUpdaters: Seq[PropertyUpdater] = request.body("procedure")
+        procedureSrv
+          .update(
+            _.get(EntityIdOrName(procedureId)),
+            propertyUpdaters
+          )
+          .map(_ => Results.NoContent)
+      }
+
+  def delete(procedureId: String): Action[AnyContent] =
+    entrypoint("delete procedure")
+      .authPermittedTransaction(db, Permissions.manageProcedure) { implicit request => implicit graph =>
+        procedureSrv
+          .getOrFail(EntityIdOrName(procedureId))
+          .flatMap(procedureSrv.remove)
+          .map(_ => Results.NoContent)
+      }
+
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ProcedureRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/ProcedureRenderer.scala
new file mode 100644
index 0000000000..80237ffa27
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/ProcedureRenderer.scala
@@ -0,0 +1,32 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.models.Procedure
+import org.thp.thehive.services.PatternOps._
+import org.thp.thehive.services.ProcedureOps._
+import play.api.libs.json.{JsNull, JsValue}
+
+import java.util.{List => JList, Map => JMap}
+
+trait ProcedureRenderer extends BaseRenderer[Procedure] {
+  def patternStats: Traversal.V[Procedure] => Traversal[JsValue, JMap[String, Any], Converter[JsValue, JMap[String, Any]]] =
+    _.pattern.richPattern.domainMap(_.toJson)
+
+  def patternParentStats: Traversal.V[Procedure] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
+    _.pattern.parent.richPattern.fold.domainMap(_.headOption.fold[JsValue](JsNull)(_.toJson))
+
+  def procedureStatsRenderer(extraData: Set[String]): Traversal.V[Procedure] => JsTraversal = { implicit traversal =>
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "pattern")       => addData("pattern", f)(patternStats)
+        case (f, "patternParent") => addData("patternParent", f)(patternParentStats)
+        case (f, _)               => f
+      }
+    )
+  }
+
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ProfileCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ProfileCtrl.scala
index f9d4e5dcb2..778074801d 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ProfileCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ProfileCtrl.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.{ParamQuery, PropertyUpdater, PublicProperties, Query}
@@ -14,6 +13,7 @@ import org.thp.thehive.services.ProfileOps._
 import org.thp.thehive.services.ProfileSrv
 import play.api.mvc.{Action, AnyContent, Results}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Failure
 
 @Singleton
@@ -21,12 +21,11 @@ class ProfileCtrl @Inject() (
     entrypoint: Entrypoint,
     properties: Properties,
     profileSrv: ProfileSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryableCtrl {
 
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Profile]](
     "getProfile",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, _) => profileSrv.get(idOrName)(graph)
   )
   val entityName: String                 = "profile"
@@ -37,7 +36,6 @@ class ProfileCtrl @Inject() (
 
   val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Profile], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, profileSteps, _) => profileSteps.page(range.from, range.to, range.extraData.contains("total"))
   )
   override val outputQuery: Query = Query.output[Profile with Entity]
diff --git a/thehive/app/org/thp/thehive/controllers/v1/Properties.scala b/thehive/app/org/thp/thehive/controllers/v1/Properties.scala
index 9bf4511f1d..e8da33fce3 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/Properties.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/Properties.scala
@@ -1,11 +1,12 @@
 package org.thp.thehive.controllers.v1
 
-import org.thp.scalligraph.controllers.{FPathElem, FPathEmpty}
+import org.apache.tinkerpop.gremlin.structure.T
+import org.thp.scalligraph.controllers.{FPathElem, FPathEmpty, FString}
 import org.thp.scalligraph.models.{Database, UMapping}
+import org.thp.scalligraph.query.PredicateOps._
 import org.thp.scalligraph.query.{PublicProperties, PublicPropertyListBuilder}
-import org.thp.scalligraph.traversal.Converter
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.{BadRequestError, EntityIdOrName, RichSeq}
+import org.thp.scalligraph.{BadRequestError, EntityId, EntityIdOrName, InvalidFormatAttributeError, RichSeq}
 import org.thp.thehive.dto.v1.InputCustomFieldValue
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
@@ -13,17 +14,21 @@ import org.thp.thehive.services.AuditOps._
 import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.CustomFieldOps._
+import org.thp.thehive.services.DashboardOps._
 import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.PatternOps._
+import org.thp.thehive.services.ProcedureOps._
+import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TagOps._
 import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.TaxonomyOps._
 import org.thp.thehive.services.UserOps._
 import org.thp.thehive.services._
 import play.api.libs.json.{JsObject, JsValue, Json}
 
-import java.util.Date
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.util.Failure
 
 @Singleton
@@ -32,15 +37,26 @@ class Properties @Inject() (
     caseSrv: CaseSrv,
     taskSrv: TaskSrv,
     userSrv: UserSrv,
+    dashboardSrv: DashboardSrv,
     caseTemplateSrv: CaseTemplateSrv,
     observableSrv: ObservableSrv,
     customFieldSrv: CustomFieldSrv,
-    @Named("with-thehive-schema") db: Database
+    organisationSrv: OrganisationSrv,
+    db: Database
 ) {
 
   lazy val metaProperties: PublicProperties =
     PublicPropertyListBuilder
       .forType[Product](_ => true)
+      .property("_id", UMapping.entityId)(
+        _.select(_._id)
+          .filter[EntityId] {
+            case (_, t, _, Right(p))   => t.has(T.id, p.map(_.value))
+            case (_, t, _, Left(true)) => t
+            case (_, t, _, _)          => t.empty
+          }
+          .readonly
+      )
       .property("_createdBy", UMapping.string)(_.field.readonly)
       .property("_createdAt", UMapping.date)(_.field.readonly)
       .property("_updatedBy", UMapping.string.optional)(_.field.readonly)
@@ -58,26 +74,12 @@ class Properties @Inject() (
       .property("date", UMapping.date)(_.field.updatable)
       .property("lastSyncDate", UMapping.date.optional)(_.field.updatable)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, alerts) =>
-            alerts
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
+        _.field
+          .custom { (_, value, vertex, graph, authContext) =>
             alertSrv
               .get(vertex)(graph)
               .getOrFail("Alert")
-              .flatMap(alert => alertSrv.updateTagNames(alert, value)(graph, authContext))
+              .flatMap(alert => alertSrv.updateTags(alert, value)(graph, authContext))
               .map(_ => Json.obj("tags" -> value))
           }
       )
@@ -87,7 +89,18 @@ class Properties @Inject() (
       .property("read", UMapping.boolean)(_.field.updatable)
       .property("follow", UMapping.boolean)(_.field.updatable)
       .property("read", UMapping.boolean)(_.field.updatable)
-      .property("imported", UMapping.boolean)(_.select(_.imported).readonly)
+      .property("imported", UMapping.boolean)(
+        _.select(_.imported)
+          .filter[Boolean]((_, alertTraversal, _, predicate) =>
+            predicate.fold(
+              b => if (b) alertTraversal else alertTraversal.empty,
+              p =>
+                if (p.getValue) alertTraversal.has(_.caseId)
+                else alertTraversal.hasNot(_.caseId)
+            )
+          )
+          .readonly
+      )
       .property("summary", UMapping.string.optional)(_.field.updatable)
       .property("user", UMapping.string)(_.field.updatable)
       .property("customFields", UMapping.jsonNative)(_.subSelect {
@@ -97,43 +110,22 @@ class Properties @Inject() (
             .jsonValue
         case (_, alerts) => alerts.customFields.nameJsonValue.fold.domainMap(JsObject(_))
       }
-        .filter {
-          case (FPathElem(_, FPathElem(idOrName, _)), alerts) =>
-            db
-              .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField"))
-              .map {
-                case CustomFieldType.boolean => alerts.customFields(EntityIdOrName(idOrName)).value(_.booleanValue)
-                case CustomFieldType.date    => alerts.customFields(EntityIdOrName(idOrName)).value(_.dateValue)
-                case CustomFieldType.float   => alerts.customFields(EntityIdOrName(idOrName)).value(_.floatValue)
-                case CustomFieldType.integer => alerts.customFields(EntityIdOrName(idOrName)).value(_.integerValue)
-                case CustomFieldType.string  => alerts.customFields(EntityIdOrName(idOrName)).value(_.stringValue)
-              }
-              .getOrElse(alerts.constant2(null))
-          case (_, alerts) => alerts.constant2(null)
-        }
-        .converter {
-          case FPathElem(_, FPathElem(idOrName, _)) =>
-            db
-              .roTransaction { implicit graph =>
-                customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField")
-              }
-              .map {
-                case CustomFieldType.boolean => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Boolean] }
-                case CustomFieldType.date    => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Date] }
-                case CustomFieldType.float   => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Double] }
-                case CustomFieldType.integer => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Long] }
-                case CustomFieldType.string  => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[String] }
-              }
-              .getOrElse((x: JsValue) => x)
-          case _ => (x: JsValue) => x
+        .filter[JsValue] {
+          case (FPathElem(_, FPathElem(name, _)), alerts, _, predicate) =>
+            predicate match {
+              case Right(predicate) => alerts.customFieldFilter(customFieldSrv, EntityIdOrName(name), predicate)
+              case Left(true)       => alerts.hasCustomField(customFieldSrv, EntityIdOrName(name))
+              case Left(false)      => alerts.hasNotCustomField(customFieldSrv, EntityIdOrName(name))
+            }
+          case (_, caseTraversal, _, _) => caseTraversal.empty
         }
         .custom {
-          case (FPathElem(_, FPathElem(idOrName, _)), value, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathElem(idOrName, _)), value, vertex, graph, authContext) =>
             for {
               a <- alertSrv.get(vertex)(graph).getOrFail("Alert")
               _ <- alertSrv.setOrCreateCustomField(a, InputCustomFieldValue(idOrName, Some(value), None))(graph, authContext)
             } yield Json.obj(s"customField.$idOrName" -> value)
-          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, graph, authContext) =>
             for {
               c   <- alertSrv.get(vertex)(graph).getOrFail("Alert")
               cfv <- values.fields.toTry { case (n, v) => customFieldSrv.getOrFail(EntityIdOrName(n))(graph).map(_ -> v) }
@@ -172,28 +164,13 @@ class Properties @Inject() (
       .property("endDate", UMapping.date.optional)(_.field.updatable)
       .property("number", UMapping.int)(_.field.readonly)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, cases) =>
-            cases
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
-            caseSrv
-              .get(vertex)(graph)
-              .getOrFail("Case")
-              .flatMap(`case` => caseSrv.updateTagNames(`case`, value)(graph, authContext))
-              .map(_ => Json.obj("tags" -> value))
-          }
+        _.field.custom { (_, value, vertex, graph, authContext) =>
+          caseSrv
+            .get(vertex)(graph)
+            .getOrFail("Case")
+            .flatMap(`case` => caseSrv.updateTags(`case`, value)(graph, authContext))
+            .map(_ => Json.obj("tags" -> value))
+        }
       )
       .property("flag", UMapping.boolean)(_.field.updatable)
       .property("tlp", UMapping.int)(_.field.updatable)
@@ -201,7 +178,7 @@ class Properties @Inject() (
       .property("status", UMapping.enum[CaseStatus.type])(_.field.updatable)
       .property("summary", UMapping.string.optional)(_.field.updatable)
       .property("actionRequired", UMapping.boolean)(_.authSelect((t, auth) => t.isActionRequired(auth)).readonly)
-      .property("assignee", UMapping.string.optional)(_.select(_.user.value(_.login)).custom { (_, login, vertex, _, graph, authContext) =>
+      .property("assignee", UMapping.string.optional)(_.field.custom { (_, login, vertex, graph, authContext) =>
         for {
           c    <- caseSrv.get(vertex)(graph).getOrFail("Case")
           user <- login.map(u => userSrv.get(EntityIdOrName(u))(graph).getOrFail("User")).flip
@@ -211,25 +188,23 @@ class Properties @Inject() (
           }
         } yield Json.obj("owner" -> user.map(_.login))
       })
-      .property("impactStatus", UMapping.string.optional)(_.select(_.impactStatus.value(_.value)).custom {
-        (_, value, vertex, _, graph, authContext) =>
-          caseSrv
-            .get(vertex)(graph)
-            .getOrFail("Case")
-            .flatMap { c =>
-              value.fold(caseSrv.unsetImpactStatus(c)(graph, authContext))(caseSrv.setImpactStatus(c, _)(graph, authContext))
-            }
-            .map(_ => Json.obj("impactStatus" -> value))
+      .property("impactStatus", UMapping.string.optional)(_.field.custom { (_, value, vertex, graph, authContext) =>
+        caseSrv
+          .get(vertex)(graph)
+          .getOrFail("Case")
+          .flatMap { c =>
+            value.fold(caseSrv.unsetImpactStatus(c)(graph, authContext))(caseSrv.setImpactStatus(c, _)(graph, authContext))
+          }
+          .map(_ => Json.obj("impactStatus" -> value))
       })
-      .property("resolutionStatus", UMapping.string.optional)(_.select(_.resolutionStatus.value(_.value)).custom {
-        (_, value, vertex, _, graph, authContext) =>
-          caseSrv
-            .get(vertex)(graph)
-            .getOrFail("Case")
-            .flatMap { c =>
-              value.fold(caseSrv.unsetResolutionStatus(c)(graph, authContext))(caseSrv.setResolutionStatus(c, _)(graph, authContext))
-            }
-            .map(_ => Json.obj("resolutionStatus" -> value))
+      .property("resolutionStatus", UMapping.string.optional)(_.field.custom { (_, value, vertex, graph, authContext) =>
+        caseSrv
+          .get(vertex)(graph)
+          .getOrFail("Case")
+          .flatMap { c =>
+            value.fold(caseSrv.unsetResolutionStatus(c)(graph, authContext))(caseSrv.setResolutionStatus(c, _)(graph, authContext))
+          }
+          .map(_ => Json.obj("resolutionStatus" -> value))
       })
       .property("customFields", UMapping.jsonNative)(_.subSelect {
         case (FPathElem(_, FPathElem(idOrName, _)), caseSteps) =>
@@ -238,43 +213,22 @@ class Properties @Inject() (
             .jsonValue
         case (_, caseSteps) => caseSteps.customFields.nameJsonValue.fold.domainMap(JsObject(_))
       }
-        .filter {
-          case (FPathElem(_, FPathElem(idOrName, _)), caseTraversal) =>
-            db
-              .roTransaction(implicit graph => customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField"))
-              .map {
-                case CustomFieldType.boolean => caseTraversal.customFields(EntityIdOrName(idOrName)).value(_.booleanValue)
-                case CustomFieldType.date    => caseTraversal.customFields(EntityIdOrName(idOrName)).value(_.dateValue)
-                case CustomFieldType.float   => caseTraversal.customFields(EntityIdOrName(idOrName)).value(_.floatValue)
-                case CustomFieldType.integer => caseTraversal.customFields(EntityIdOrName(idOrName)).value(_.integerValue)
-                case CustomFieldType.string  => caseTraversal.customFields(EntityIdOrName(idOrName)).value(_.stringValue)
-              }
-              .getOrElse(caseTraversal.constant2(null))
-          case (_, caseTraversal) => caseTraversal.constant2(null)
-        }
-        .converter {
-          case FPathElem(_, FPathElem(idOrName, _)) =>
-            db
-              .roTransaction { implicit graph =>
-                customFieldSrv.get(EntityIdOrName(idOrName)).value(_.`type`).getOrFail("CustomField")
-              }
-              .map {
-                case CustomFieldType.boolean => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Boolean] }
-                case CustomFieldType.date    => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Date] }
-                case CustomFieldType.float   => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Double] }
-                case CustomFieldType.integer => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[Long] }
-                case CustomFieldType.string  => new Converter[Any, JsValue] { def apply(x: JsValue): Any = x.as[String] }
-              }
-              .getOrElse((x: JsValue) => x)
-          case _ => (x: JsValue) => x
+        .filter[JsValue] {
+          case (FPathElem(_, FPathElem(name, _)), caseTraversal, _, predicate) =>
+            predicate match {
+              case Right(predicate) => caseTraversal.customFieldFilter(customFieldSrv, EntityIdOrName(name), predicate)
+              case Left(true)       => caseTraversal.hasCustomField(customFieldSrv, EntityIdOrName(name))
+              case Left(false)      => caseTraversal.hasNotCustomField(customFieldSrv, EntityIdOrName(name))
+            }
+          case (_, caseTraversal, _, _) => caseTraversal.empty
         }
         .custom {
-          case (FPathElem(_, FPathElem(idOrName, _)), value, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathElem(idOrName, _)), value, vertex, graph, authContext) =>
             for {
               c <- caseSrv.get(vertex)(graph).getOrFail("Case")
               _ <- caseSrv.setOrCreateCustomField(c, EntityIdOrName(idOrName), Some(value), None)(graph, authContext)
             } yield Json.obj(s"customField.$idOrName" -> value)
-          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, _, graph, authContext) =>
+          case (FPathElem(_, FPathEmpty), values: JsObject, vertex, graph, authContext) =>
             for {
               c   <- caseSrv.get(vertex)(graph).getOrFail("Case")
               cfv <- values.fields.toTry { case (n, v) => customFieldSrv.getOrFail(EntityIdOrName(n))(graph).map(cf => (cf, v, None)) }
@@ -293,6 +247,7 @@ class Properties @Inject() (
       .property("owningOrganisation", UMapping.string)(
         _.authSelect((cases, authContext) => cases.origin.visible(authContext).value(_.name)).readonly
       )
+      .property("procedures", UMapping.entityId.sequence)(_.select(_.procedure.value(_._id)).readonly)
       .build
 
   lazy val caseTemplate: PublicProperties =
@@ -303,26 +258,12 @@ class Properties @Inject() (
       .property("description", UMapping.string.optional)(_.field.updatable)
       .property("severity", UMapping.int.optional)(_.field.updatable)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, cases) =>
-            cases
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
+        _.field
+          .custom { (_, value, vertex, graph, authContext) =>
             caseTemplateSrv
               .get(vertex)(graph)
               .getOrFail("CaseTemplate")
-              .flatMap(caseTemplate => caseTemplateSrv.updateTagNames(caseTemplate, value)(graph, authContext))
+              .flatMap(caseTemplate => caseTemplateSrv.updateTags(caseTemplate, value)(graph, authContext))
               .map(_ => Json.obj("tags" -> value))
           }
       )
@@ -335,7 +276,7 @@ class Properties @Inject() (
         case (FPathElem(_, FPathElem(name, _)), alertSteps) => alertSteps.customFields(name).jsonValue
         case (_, alertSteps)                                => alertSteps.customFields.nameJsonValue.fold.domainMap(JsObject(_))
       }.custom {
-        case (FPathElem(_, FPathElem(name, _)), value, vertex, _, graph, authContext) =>
+        case (FPathElem(_, FPathElem(name, _)), value, vertex, graph, authContext) =>
           for {
             c <- caseTemplateSrv.getOrFail(vertex)(graph)
             _ <- caseTemplateSrv.setOrCreateCustomField(c, name, Some(value), None)(graph, authContext)
@@ -350,12 +291,53 @@ class Properties @Inject() (
       .property("description", UMapping.string)(_.field.updatable)
       .build
 
+  lazy val pattern: PublicProperties =
+    PublicPropertyListBuilder[Pattern]
+      .property("patternId", UMapping.string)(_.field.readonly)
+      .property("name", UMapping.string)(_.field.readonly)
+      .property("description", UMapping.string.optional)(_.field.updatable)
+      .property("tactics", UMapping.string.set)(_.field.readonly)
+      .property("url", UMapping.string)(_.field.updatable)
+      .property("patternType", UMapping.string)(_.field.readonly)
+      .property("capecId", UMapping.string.optional)(_.field.readonly)
+      .property("capecUrl", UMapping.string.optional)(_.field.readonly)
+      .property("revoked", UMapping.boolean)(_.field.readonly)
+      .property("dataSources", UMapping.string.sequence)(_.field.readonly)
+      .property("defenseBypassed", UMapping.string.sequence)(_.field.readonly)
+      .property("detection", UMapping.string.optional)(_.field.readonly)
+      .property("permissionsRequired", UMapping.string.sequence)(_.field.readonly)
+      .property("platforms", UMapping.string.sequence)(_.field.readonly)
+      .property("remoteSupport", UMapping.boolean)(_.field.readonly)
+      .property("systemRequirements", UMapping.string.sequence)(_.field.readonly)
+      .property("version", UMapping.string.optional)(_.field.readonly)
+      .property("parent", UMapping.string.optional)(_.select(_.parent.value(_.patternId)).readonly)
+      .build
+
+  lazy val procedure: PublicProperties =
+    PublicPropertyListBuilder[Procedure]
+      .property("description", UMapping.string)(_.field.updatable)
+      .property("occurDate", UMapping.date)(_.field.updatable)
+      .property("tactic", UMapping.string)(_.field.updatable)
+      .property("patternId", UMapping.string)(_.select(_.pattern.value(_.patternId)).readonly)
+      .build
+
   lazy val profile: PublicProperties =
     PublicPropertyListBuilder[Profile]
       .property("name", UMapping.string)(_.field.updatable)
       .property("permissions", UMapping.string.set)(_.field.updatable)
       .build
 
+  lazy val share: PublicProperties =
+    PublicPropertyListBuilder[Share]
+      .property("caseId", UMapping.entityId)(_.select(_.`case`._id).readonly)
+      .property("caseNumber", UMapping.int)(_.select(_.`case`.value(_.number)).readonly)
+      .property("organisationId", UMapping.entityId)(_.select(_.organisation._id).readonly)
+      .property("organisationName", UMapping.string)(_.select(_.organisation.value(_.name)).readonly)
+      .property("profileId", UMapping.entityId)(_.select(_.profile._id).readonly)
+      .property("profileName", UMapping.string)(_.select(_.profile.value(_.name)).readonly)
+      .property("owner", UMapping.boolean)(_.field.readonly)
+      .build
+
   lazy val task: PublicProperties =
     PublicPropertyListBuilder[Task]
       .property("title", UMapping.string)(_.field.updatable)
@@ -367,8 +349,8 @@ class Properties @Inject() (
       .property("order", UMapping.int)(_.field.updatable)
       .property("dueDate", UMapping.date.optional)(_.field.updatable)
       .property("group", UMapping.string)(_.field.updatable)
-      .property("assignee", UMapping.string.optional)(_.select(_.assignee.value(_.login)).custom {
-        case (_, value, vertex, _, graph, authContext) =>
+      .property("assignee", UMapping.string.optional)(_.field.custom {
+        case (_, value, vertex, graph, authContext) =>
           taskSrv
             .get(vertex)(graph)
             .getOrFail("Task")
@@ -415,27 +397,12 @@ class Properties @Inject() (
       .property("sighted", UMapping.boolean)(_.field.updatable)
       .property("ignoreSimilarity", UMapping.boolean)(_.field.updatable)
       .property("tags", UMapping.string.set)(
-        _.select(_.tags.displayName)
-          .filter((_, cases) =>
-            cases
-              .tags
-              .graphMap[String, String, Converter.Identity[String]](
-                { v =>
-                  val namespace = UMapping.string.getProperty(v, "namespace")
-                  val predicate = UMapping.string.getProperty(v, "predicate")
-                  val value     = UMapping.string.optional.getProperty(v, "value")
-                  Tag(namespace, predicate, value, None, 0).toString
-                },
-                Converter.identity[String]
-              )
-          )
-          .converter(_ => Converter.identity[String])
-          .custom { (_, value, vertex, _, graph, authContext) =>
-            observableSrv
-              .getOrFail(vertex)(graph)
-              .flatMap(observable => observableSrv.updateTagNames(observable, value)(graph, authContext))
-              .map(_ => Json.obj("tags" -> value))
-          }
+        _.field.custom { (_, value, vertex, graph, authContext) =>
+          observableSrv
+            .getOrFail(vertex)(graph)
+            .flatMap(observable => observableSrv.updateTags(observable, value)(graph, authContext))
+            .map(_ => Json.obj("tags" -> value))
+        }
       )
       .property("message", UMapping.string)(_.field.updatable)
       .property("tlp", UMapping.int)(_.field.updatable)
@@ -447,4 +414,62 @@ class Properties @Inject() (
       .property("attachment.contentType", UMapping.string.optional)(_.select(_.attachments.value(_.contentType)).readonly)
       .property("attachment.id", UMapping.string.optional)(_.select(_.attachments.value(_.attachmentId)).readonly)
       .build
+
+  lazy val taxonomy: PublicProperties =
+    PublicPropertyListBuilder[Taxonomy]
+      .property("namespace", UMapping.string)(_.field.readonly)
+      .property("description", UMapping.string)(_.field.readonly)
+      .property("version", UMapping.int)(_.field.readonly)
+      .property("enabled", UMapping.boolean)(_.select(_.enabled).readonly)
+      .build
+
+  lazy val tag: PublicProperties =
+    PublicPropertyListBuilder[Tag]
+      .property("namespace", UMapping.string)(_.field.readonly)
+      .property("predicate", UMapping.string)(_.field.updatable)
+      .property("value", UMapping.string.optional)(_.field.readonly)
+      .property("description", UMapping.string.optional)(_.field.updatable)
+      .property("colour", UMapping.string)(_.field.updatable)
+      .property("text", UMapping.string)(
+        _.select(_.displayName)
+          .filter[String] {
+            case (_, tags, authContext, Right(predicate)) => tags.freetags(organisationSrv)(authContext).has(_.predicate, predicate)
+            case (_, tags, _, Left(true))                 => tags
+            case (_, tags, _, Left(false))                => tags.empty
+          }
+          .readonly
+      )
+      .build
+
+  lazy val dashboard: PublicProperties = PublicPropertyListBuilder[Dashboard]
+    .property("title", UMapping.string)(_.field.updatable)
+    .property("description", UMapping.string)(_.field.updatable)
+    .property("definition", UMapping.string)(_.field.updatable)
+    .property("status", UMapping.string)(
+      _.select(_.choose(_.organisation, "Shared", "Private"))
+        .custom {
+          case (_, "Shared", vertex, graph, authContext) =>
+            for {
+              dashboard <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
+              _         <- dashboardSrv.share(dashboard, authContext.organisation, writable = true)(graph, authContext)
+            } yield Json.obj("status" -> "Shared")
+
+          case (_, "Private", vertex, graph, authContext) =>
+            for {
+              d <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
+              _ <- dashboardSrv.unshare(d, authContext.organisation)(graph, authContext)
+            } yield Json.obj("status" -> "Private")
+
+          case (_, "Deleted", vertex, graph, authContext) =>
+            for {
+              d <- dashboardSrv.get(vertex)(graph).filter(_.user.current(authContext)).getOrFail("Dashboard")
+              _ <- dashboardSrv.remove(d)(graph, authContext)
+            } yield Json.obj("status" -> "Deleted")
+
+          case (_, status, _, _, _) =>
+            Failure(InvalidFormatAttributeError("status", "String", Set("Shared", "Private", "Deleted"), FString(status)))
+        }
+    )
+    .build
+
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/QueryableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/QueryableCtrl.scala
index 0bc90304f6..bc1a6833b8 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/QueryableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/QueryableCtrl.scala
@@ -7,7 +7,7 @@ trait QueryableCtrl {
   val entityName: String
   val publicProperties: PublicProperties
   val initialQuery: Query
-  val pageQuery: ParamQuery[OutputParam]
+  val pageQuery: ParamQuery[_]
   val outputQuery: Query
   val getQuery: ParamQuery[EntityIdOrName]
   val extraQueries: Seq[ParamQuery[_]] = Nil
diff --git a/thehive/app/org/thp/thehive/controllers/v1/Router.scala b/thehive/app/org/thp/thehive/controllers/v1/Router.scala
index b236bc4f8b..652fbdd85d 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/Router.scala
@@ -1,28 +1,53 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Singleton}
 import play.api.routing.Router.Routes
 import play.api.routing.SimpleRouter
 import play.api.routing.sird._
 
+import javax.inject.{Inject, Singleton}
+
 @Singleton
 class Router @Inject() (
+    adminCtrl: AdminCtrl,
+    authenticationCtrl: AuthenticationCtrl,
+    alertCtrl: AlertCtrl,
+    // attachmentCtrl: AttachmentCtrl,
+    auditCtrl: AuditCtrl,
     caseCtrl: CaseCtrl,
     caseTemplateCtrl: CaseTemplateCtrl,
-    userCtrl: UserCtrl,
+    // configCtrl: ConfigCtrl,
+    customFieldCtrl: CustomFieldCtrl,
+    // dashboardCtrl: DashboardCtrl,
+    describeCtrl: DescribeCtrl,
+    logCtrl: LogCtrl,
+    monitoringCtrl: MonitoringCtrl,
+    observableCtrl: ObservableCtrl,
+    observableTypeCtrl: ObservableTypeCtrl,
     organisationCtrl: OrganisationCtrl,
+    // pageCtrl: PageCtrl,
+    // permissionCtrl: PermissionCtrl,
+    patternCtrl: PatternCtrl,
+    procedureCtrl: ProcedureCtrl,
+    profileCtrl: ProfileCtrl,
+    tagCtrl: TagCtrl,
     taskCtrl: TaskCtrl,
-    customFieldCtrl: CustomFieldCtrl,
-    alertCtrl: AlertCtrl,
-    auditCtrl: AuditCtrl,
-    statusCtrl: StatusCtrl,
-    authenticationCtrl: AuthenticationCtrl,
-    describeCtrl: DescribeCtrl
+    shareCtrl: ShareCtrl,
+    taxonomyCtrl: TaxonomyCtrl,
+    // shareCtrl: ShareCtrl,
+    userCtrl: UserCtrl,
+    statusCtrl: StatusCtrl
+    // streamCtrl: StreamCtrl,
 ) extends SimpleRouter {
 
   override def routes: Routes = {
     case GET(p"/status") => statusCtrl.get
 //    GET  /health                              controllers.StatusCtrl.health
+
+    case GET(p"/admin/check/stats")         => adminCtrl.checkStats
+    case GET(p"/admin/check/$name/trigger") => adminCtrl.triggerCheck(name)
+    case GET(p"/admin/index/status")        => adminCtrl.indexStatus
+    case GET(p"/admin/index/$name/reindex") => adminCtrl.reindex(name)
+
 //    GET      /logout                              controllers.AuthenticationCtrl.logout()
     case GET(p"/logout")                 => authenticationCtrl.logout
     case POST(p"/logout")                => authenticationCtrl.logout
@@ -31,15 +56,25 @@ class Router @Inject() (
     case POST(p"/auth/totp/unset")       => authenticationCtrl.totpUnsetSecret(None)
     case POST(p"/auth/totp/unset/$user") => authenticationCtrl.totpUnsetSecret(Some(user))
 
-    case POST(p"/case")                 => caseCtrl.create
-    case GET(p"/case/$caseId")          => caseCtrl.get(caseId)
-    case PATCH(p"/case/$caseId")        => caseCtrl.update(caseId)
-    case POST(p"/case/_merge/$caseIds") => caseCtrl.merge(caseIds)
-    case DELETE(p"/case/$caseId")       => caseCtrl.delete(caseId)
-//    case PATCH(p"api/case/_bulk") =>                          caseCtrl.bulkUpdate()
+    case POST(p"/case")                     => caseCtrl.create
+    case GET(p"/case/$caseId")              => caseCtrl.get(caseId)
+    case PATCH(p"/case/$caseId")            => caseCtrl.update(caseId)
+    case POST(p"/case/_merge/$caseIds")     => caseCtrl.merge(caseIds)
+    case DELETE(p"/case/$caseId")           => caseCtrl.delete(caseId)
+    case DELETE(p"/case/customField/$cfId") => caseCtrl.deleteCustomField(cfId)
+    //    case PATCH(p"api/case/_bulk") =>                          caseCtrl.bulkUpdate()
 //    case POST(p"/case/_stats") =>                        caseCtrl.stats()
 //    case GET(p"/case/$caseId/links") =>                  caseCtrl.linkedCases(caseId)
 
+    case POST(p"/case/$caseId/observable")    => observableCtrl.createInCase(caseId)
+    case POST(p"/alert/$alertId/artifact")    => observableCtrl.createInAlert(alertId)
+    case GET(p"/observable/$observableId")    => observableCtrl.get(observableId)
+    case DELETE(p"/observable/$observableId") => observableCtrl.delete(observableId)
+    case PATCH(p"/observable/_bulk")          => observableCtrl.bulkUpdate
+    case PATCH(p"/observable/$observableId")  => observableCtrl.update(observableId)
+//    case GET(p"/observable/$observableId/similar") => observableCtrl.findSimilar(observableId)
+    case POST(p"/observable/$observableId/shares") => shareCtrl.shareObservable(observableId)
+
     case GET(p"/caseTemplate")                   => caseTemplateCtrl.list
     case POST(p"/caseTemplate")                  => caseTemplateCtrl.create
     case GET(p"/caseTemplate/$caseTemplateId")   => caseTemplateCtrl.get(caseTemplateId)
@@ -63,21 +98,33 @@ class Router @Inject() (
     case GET(p"/organisation/$organisationId")   => organisationCtrl.get(organisationId)
     case PATCH(p"/organisation/$organisationId") => organisationCtrl.update(organisationId)
 
-//    case GET(p"/share")            => shareCtrl.list
-//    case POST(p"/share")           => shareCtrl.create
-//    case GET(p"/share/$shareId")   => shareCtrl.get(shareId)
-//    case PATCH(p"/share/$shareId") => shareCtrl.update(shareId)
-
-    case GET(p"/task")                                 => taskCtrl.list
-    case POST(p"/task")                                => taskCtrl.create
-    case GET(p"/task/$taskId")                         => taskCtrl.get(taskId)
-    case PATCH(p"/task/$taskId")                       => taskCtrl.update(taskId)
-    case GET(p"/task/$taskId/actionRequired")          => taskCtrl.isActionRequired(taskId)
-    case PUT(p"/task/$taskId/actionRequired/$orgaId")  => taskCtrl.actionRequired(taskId, orgaId, required = true)
-    case PUT(p"/task/$taskId/actionDone/$orgaId")      => taskCtrl.actionRequired(taskId, orgaId, required = false)
+    case DELETE(p"/case/shares")                               => shareCtrl.removeShares()
+    case POST(p"/case/$caseId/shares")                         => shareCtrl.shareCase(caseId)
+    case DELETE(p"/case/$caseId/shares")                       => shareCtrl.removeShares(caseId)
+    case DELETE(p"/task/$taskId/shares")                       => shareCtrl.removeTaskShares(taskId)
+    case DELETE(p"/observable/$observableId/shares")           => shareCtrl.removeObservableShares(observableId)
+    case GET(p"/case/$caseId/shares")                          => shareCtrl.listShareCases(caseId)
+    case GET(p"/case/$caseId/task/$taskId/shares")             => shareCtrl.listShareTasks(caseId, taskId)
+    case GET(p"/case/$caseId/observable/$observableId/shares") => shareCtrl.listShareObservables(caseId, observableId)
+    case POST(p"/case/task/$taskId/shares")                    => shareCtrl.shareTask(taskId)
+    case DELETE(p"/case/share/$shareId")                       => shareCtrl.removeShare(shareId)
+    case PATCH(p"/case/share/$shareId")                        => shareCtrl.updateShare(shareId)
+
+    case GET(p"/task")                                => taskCtrl.list
+    case POST(p"/task")                               => taskCtrl.create
+    case GET(p"/task/$taskId")                        => taskCtrl.get(taskId)
+    case PATCH(p"/task/_bulk")                        => taskCtrl.bulkUpdate
+    case PATCH(p"/task/$taskId")                      => taskCtrl.update(taskId)
+    case GET(p"/task/$taskId/actionRequired")         => taskCtrl.isActionRequired(taskId)
+    case PUT(p"/task/$taskId/actionRequired/$orgaId") => taskCtrl.actionRequired(taskId, orgaId, required = true)
+    case PUT(p"/task/$taskId/actionDone/$orgaId")     => taskCtrl.actionRequired(taskId, orgaId, required = false)
     // POST     /case/:caseId/task/_search           controllers.TaskCtrl.findInCase(caseId)
     // POST     /case/task/_stats                    controllers.TaskCtrl.stats()
 
+    case POST(p"/task/$taskId/log") => logCtrl.create(taskId)
+    case PATCH(p"/log/$logId")      => logCtrl.update(logId)
+    case DELETE(p"/log/$logId")     => logCtrl.delete(logId)
+
     case GET(p"/customField")  => customFieldCtrl.list
     case POST(p"/customField") => customFieldCtrl.create
 
@@ -93,14 +140,45 @@ class Router @Inject() (
 //    DELETE   /alert/:alertId                      controllers.AlertCtrl.delete(alertId)
 //    POST     /alert/:alertId/merge/:caseId        controllers.AlertCtrl.mergeWithCase(alertId, caseId)
 
+    case POST(p"/taxonomy")                   => taxonomyCtrl.create
+    case POST(p"/taxonomy/import-zip")        => taxonomyCtrl.importZip
+    case GET(p"/taxonomy/$taxoId")            => taxonomyCtrl.get(taxoId)
+    case PUT(p"/taxonomy/$taxoId/activate")   => taxonomyCtrl.toggleActivation(taxoId, isActive = true)
+    case PUT(p"/taxonomy/$taxoId/deactivate") => taxonomyCtrl.toggleActivation(taxoId, isActive = false)
+    case DELETE(p"/taxonomy/$taxoId")         => taxonomyCtrl.delete(taxoId)
+
     case GET(p"/audit") => auditCtrl.flow
-//      GET      /flow                                controllers.AuditCtrl.flow(rootId: Option[String], count: Option[Int])
-//    GET      /audit                               controllers.AuditCtrl.find()
-//    POST     /audit/_search                       controllers.AuditCtrl.find()
-//    POST     /audit/_stats                        controllers.AuditCtrl.stats()
+    // GET      /flow                                controllers.AuditCtrl.flow(rootId: Option[String], count: Option[Int])
+    // GET      /audit                               controllers.AuditCtrl.find()
+    // POST     /audit/_search                       controllers.AuditCtrl.find()
+    // POST     /audit/_stats                        controllers.AuditCtrl.stats()
+
+    case POST(p"/pattern/import/attack") => patternCtrl.importMitre
+    case GET(p"/pattern/$patternId")     => patternCtrl.get(patternId)
+    case GET(p"/pattern/case/$caseId")   => patternCtrl.getCasePatterns(caseId)
+    case DELETE(p"/pattern/$patternId")  => patternCtrl.delete(patternId)
+
+    case POST(p"/procedure")                => procedureCtrl.create
+    case GET(p"/procedure/$procedureId")    => procedureCtrl.get(procedureId)
+    case PATCH(p"/procedure/$procedureId")  => procedureCtrl.update(procedureId)
+    case DELETE(p"/procedure/$procedureId") => procedureCtrl.delete(procedureId)
+
+    case POST(p"/profile")              => profileCtrl.create
+    case GET(p"/profile/$profileId")    => profileCtrl.get(profileId)
+    case PATCH(p"/profile/$profileId")  => profileCtrl.update(profileId)
+    case DELETE(p"/profile/$profileId") => profileCtrl.delete(profileId)
+
+    case GET(p"/tag/$id")    => tagCtrl.get(id)
+    case PATCH(p"/tag/$id")  => tagCtrl.update(id)
+    case DELETE(p"/tag/$id") => tagCtrl.delete(id)
 
     case GET(p"/describe/_all")       => describeCtrl.describeAll
     case GET(p"/describe/$modelName") => describeCtrl.describe(modelName)
 
+    case GET(p"/observable/type/$idOrName")    => observableTypeCtrl.get(idOrName)
+    case POST(p"/observable/type")             => observableTypeCtrl.create
+    case DELETE(p"/observable/type/$idOrName") => observableTypeCtrl.delete(idOrName)
+
+    case GET(p"/monitor/disk") => monitoringCtrl.diskUsage
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ShareCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ShareCtrl.scala
new file mode 100644
index 0000000000..afccb39d9a
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/ShareCtrl.scala
@@ -0,0 +1,262 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.query.{ParamQuery, PublicProperties, Query}
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, IteratorOutput, Traversal}
+import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntityIdOrName, RichSeq}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.dto.v1.{InputShare, ObservablesFilter, TasksFilter}
+import org.thp.thehive.models._
+import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.ShareOps._
+import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services._
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.Inject
+import scala.util.{Failure, Success, Try}
+
+class ShareCtrl @Inject() (
+    entrypoint: Entrypoint,
+    shareSrv: ShareSrv,
+    properties: Properties,
+    organisationSrv: OrganisationSrv,
+    caseSrv: CaseSrv,
+    taskSrv: TaskSrv,
+    observableSrv: ObservableSrv,
+    profileSrv: ProfileSrv,
+    db: Database
+) extends QueryableCtrl {
+  override val entityName: String                 = "share"
+  override val publicProperties: PublicProperties = properties.share
+  override val initialQuery: Query =
+    Query.init[Traversal.V[Share]]("listShare", (graph, authContext) => organisationSrv.startTraversal(graph).visible(authContext).shares)
+  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Share], IteratorOutput](
+    "page",
+    (range, shareSteps, _) => shareSteps.richPage(range.from, range.to, range.extraData.contains("total"))(_.richShare)
+  )
+  override val outputQuery: Query = Query.outputWithContext[RichShare, Traversal.V[Share]]((shareSteps, _) => shareSteps.richShare)
+  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Share]](
+    "getShare",
+    (idOrName, graph, authContext) => shareSrv.get(idOrName)(graph).visible(authContext)
+  )
+  override val extraQueries: Seq[ParamQuery[_]] = Seq(
+    Query[Traversal.V[Share], Traversal.V[Case]]("case", (shareSteps, _) => shareSteps.`case`),
+    Query[Traversal.V[Share], Traversal.V[Observable]]("observables", (shareSteps, _) => shareSteps.observables),
+    Query[Traversal.V[Share], Traversal.V[Task]]("tasks", (shareSteps, _) => shareSteps.tasks),
+    Query[Traversal.V[Share], Traversal.V[Organisation]]("organisation", (shareSteps, _) => shareSteps.organisation)
+  )
+
+  def shareCase(caseId: String): Action[AnyContent] =
+    entrypoint("create case shares")
+      .extract("shares", FieldsParser[InputShare].sequence.on("shares"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val inputShares: Seq[InputShare] = request.body("shares")
+        caseSrv
+          .get(EntityIdOrName(caseId))
+          .can(Permissions.manageShare)
+          .getOrFail("Case")
+          .flatMap { `case` =>
+            inputShares.toTry { inputShare =>
+              for {
+                organisation <-
+                  organisationSrv
+                    .get(request.organisation)
+                    .visibleOrganisationsFrom
+                    .get(EntityIdOrName(inputShare.organisationName))
+                    .getOrFail("Organisation")
+                profile   <- profileSrv.getOrFail(EntityIdOrName(inputShare.profile))
+                share     <- shareSrv.shareCase(owner = false, `case`, organisation, profile)
+                richShare <- shareSrv.get(share).richShare.getOrFail("Share")
+                _         <- if (inputShare.tasks == TasksFilter.all) shareSrv.shareCaseTasks(share) else Success(Nil)
+                _         <- if (inputShare.observables == ObservablesFilter.all) shareSrv.shareCaseObservables(share) else Success(Nil)
+              } yield richShare
+            }
+          }
+          .map(shares => Results.Ok(shares.toJson))
+      }
+
+  def removeShare(shareId: String): Action[AnyContent] =
+    entrypoint("remove share")
+      .authTransaction(db) { implicit request => implicit graph =>
+        doRemoveShare(EntityIdOrName(shareId)).map(_ => Results.NoContent)
+      }
+
+  def removeShares(): Action[AnyContent] =
+    entrypoint("remove share")
+      .extract("shares", FieldsParser[String].sequence.on("ids"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val shareIds: Seq[String] = request.body("shares")
+        shareIds.map(EntityIdOrName.apply).toTry(doRemoveShare(_)).map(_ => Results.NoContent)
+      }
+
+  def removeShares(caseId: String): Action[AnyContent] =
+    entrypoint("remove share")
+      .extract("organisations", FieldsParser[String].sequence.on("organisations"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val organisations: Seq[String] = request.body("organisations")
+        organisations
+          .map(EntityIdOrName(_))
+          .toTry { organisationId =>
+            for {
+              organisation <- organisationSrv.get(organisationId).getOrFail("Organisation")
+              _ <-
+                if (request.organisation.fold(_ == organisation._id, _ == organisation.name))
+                  Failure(BadRequestError("You cannot remove your own share"))
+                else Success(())
+              shareId <-
+                caseSrv
+                  .get(EntityIdOrName(caseId))
+                  .can(Permissions.manageShare)
+                  .share(organisationId)
+                  .has(_.owner, false)
+                  .orFail(AuthorizationError("Operation not permitted"))
+              _ <- shareSrv.delete(shareId)
+            } yield ()
+          }
+          .map(_ => Results.NoContent)
+      }
+
+  def removeTaskShares(taskId: String): Action[AnyContent] =
+    entrypoint("remove share tasks")
+      .extract("organisations", FieldsParser[String].sequence.on("organisations"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val organisations: Seq[String] = request.body("organisations")
+
+        taskSrv
+          .getOrFail(EntityIdOrName(taskId))
+          .flatMap { task =>
+            organisations.toTry { organisationName =>
+              organisationSrv
+                .getOrFail(EntityIdOrName(organisationName))
+                .flatMap(shareSrv.unshareTask(task, _))
+            }
+          }
+          .map(_ => Results.NoContent)
+      }
+
+  def removeObservableShares(observableId: String): Action[AnyContent] =
+    entrypoint("remove share observables")
+      .extract("organisations", FieldsParser[String].sequence.on("organisations"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val organisations: Seq[String] = request.body("organisations")
+
+        observableSrv
+          .getOrFail(EntityIdOrName(observableId))
+          .flatMap { observable =>
+            organisations.toTry { organisationName =>
+              organisationSrv
+                .getOrFail(EntityIdOrName(organisationName))
+                .flatMap(shareSrv.unshareObservable(observable, _))
+            }
+          }
+          .map(_ => Results.NoContent)
+      }
+
+  private def doRemoveShare(shareId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    if (!shareSrv.get(shareId).`case`.can(Permissions.manageShare).exists)
+      Failure(AuthorizationError("You are not authorized to remove share"))
+    else if (shareSrv.get(shareId).byOrganisation(authContext.organisation).exists)
+      Failure(AuthorizationError("You can't remove your share"))
+    else if (shareSrv.get(shareId).has(_.owner, true).exists)
+      Failure(AuthorizationError("You can't remove initial shares"))
+    else
+      shareSrv.get(shareId).getOrFail("Share").flatMap(shareSrv.delete(_))
+
+  def updateShare(shareId: String): Action[AnyContent] =
+    entrypoint("update share")
+      .extract("profile", FieldsParser.string.on("profile"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val profile: String = request.body("profile")
+        if (!shareSrv.get(EntityIdOrName(shareId)).`case`.can(Permissions.manageShare).exists)
+          Failure(AuthorizationError("You are not authorized to remove share"))
+        for {
+          richShare <-
+            shareSrv
+              .get(EntityIdOrName(shareId))
+              .filter(_.organisation.visibleOrganisationsTo.visible)
+              .richShare
+              .getOrFail("Share")
+          profile <- profileSrv.getOrFail(EntityIdOrName(profile))
+          _       <- shareSrv.updateProfile(richShare.share, profile)
+        } yield Results.Ok
+      }
+
+  def listShareCases(caseId: String): Action[AnyContent] =
+    entrypoint("list case shares")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        val shares = caseSrv
+          .get(EntityIdOrName(caseId))
+          .shares
+          .visible
+          .filterNot(_.get(request.organisation))
+          .richShare
+          .toSeq
+
+        Success(Results.Ok(shares.toJson))
+      }
+
+  def listShareTasks(caseId: String, taskId: String): Action[AnyContent] =
+    entrypoint("list task shares")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        val shares = caseSrv
+          .get(EntityIdOrName(caseId))
+          .can(Permissions.manageShare)
+          .shares
+          .visible
+          .filterNot(_.get(request.organisation))
+          .byTask(EntityIdOrName(taskId))
+          .richShare
+          .toSeq
+
+        Success(Results.Ok(shares.toJson))
+      }
+
+  def listShareObservables(caseId: String, observableId: String): Action[AnyContent] =
+    entrypoint("list observable shares")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        val shares = caseSrv
+          .get(EntityIdOrName(caseId))
+          .can(Permissions.manageShare)
+          .shares
+          .visible
+          .filterNot(_.get(request.organisation))
+          .byObservable(EntityIdOrName(observableId))
+          .richShare
+          .toSeq
+
+        Success(Results.Ok(shares.toJson))
+      }
+
+  def shareTask(taskId: String): Action[AnyContent] =
+    entrypoint("share task")
+      .extract("organisations", FieldsParser.string.sequence.on("organisations"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val organisationIds: Seq[String] = request.body("organisations")
+
+        for {
+          task          <- taskSrv.getOrFail(EntityIdOrName(taskId))
+          _             <- taskSrv.get(task).`case`.can(Permissions.manageShare).existsOrFail
+          organisations <- organisationIds.map(EntityIdOrName(_)).toTry(organisationSrv.get(_).visible.getOrFail("Organisation"))
+          _             <- shareSrv.addTaskShares(task, organisations)
+        } yield Results.NoContent
+      }
+
+  def shareObservable(observableId: String): Action[AnyContent] =
+    entrypoint("share observable")
+      .extract("organisations", FieldsParser.string.sequence.on("organisations"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val organisationIds: Seq[String] = request.body("organisations")
+        for {
+          observable    <- observableSrv.getOrFail(EntityIdOrName(observableId))
+          _             <- observableSrv.get(observable).`case`.can(Permissions.manageShare).existsOrFail
+          organisations <- organisationIds.map(EntityIdOrName(_)).toTry(organisationSrv.get(_).visible.getOrFail("Organisation"))
+          _             <- shareSrv.addObservableShares(observable, organisations)
+        } yield Results.NoContent
+      }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/StatusCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/StatusCtrl.scala
index 99574a0bb7..536e563a58 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/StatusCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/StatusCtrl.scala
@@ -6,11 +6,10 @@ import akka.cluster.{Cluster, Member}
 import org.thp.scalligraph.ScalligraphApplicationLoader
 import org.thp.scalligraph.auth.{AuthCapability, AuthSrv, MultiAuthSrv}
 import org.thp.scalligraph.controllers.Entrypoint
+import org.thp.scalligraph.models.UpdatableSchema
 import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.thehive.TheHiveModule
-import org.thp.thehive.models.TheHiveSchemaDefinition
-import org.thp.thehive.services.Connector
 import play.api.libs.json.{JsObject, JsString, Json, Writes}
 import play.api.mvc.{AbstractController, Action, AnyContent, Results}
 
@@ -24,8 +23,7 @@ class StatusCtrl @Inject() (
     entrypoint: Entrypoint,
     appConfig: ApplicationConfig,
     authSrv: AuthSrv,
-    connectors: immutable.Set[Connector],
-    theHiveSchemaDefinition: TheHiveSchemaDefinition,
+    schemas: immutable.Set[UpdatableSchema],
     system: ActorSystem
 ) {
 
@@ -78,7 +76,7 @@ class StatusCtrl @Inject() (
               "pollingDuration" -> streamPollingDuration.toMillis
             ),
             "cluster" -> cluster.state,
-            "schemaStatus" -> (connectors.flatMap(_.schemaStatus) ++ theHiveSchemaDefinition.schemaStatus).map { schemaStatus =>
+            "schemaStatus" -> schemas.flatMap(_.schemaStatus).map { schemaStatus =>
               Json.obj(
                 "name"            -> schemaStatus.name,
                 "currentVersion"  -> schemaStatus.currentVersion,
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TagCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TagCtrl.scala
new file mode 100644
index 0000000000..103dc91042
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/TagCtrl.scala
@@ -0,0 +1,90 @@
+package org.thp.thehive.controllers.v1
+
+import org.apache.tinkerpop.gremlin.process.traversal.Order
+import org.apache.tinkerpop.gremlin.structure.Vertex
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
+import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.query._
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Converter, IteratorOutput, Traversal}
+import org.thp.scalligraph.utils.FunctionalCondition.When
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.models.{Permissions, Tag}
+import org.thp.thehive.services.TagOps._
+import org.thp.thehive.services.{OrganisationSrv, TagSrv}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.Inject
+
+case class TagHint(freeTag: Option[String], namespace: Option[String], predicate: Option[String], value: Option[String], limit: Option[Long])
+
+class TagCtrl @Inject() (
+    entrypoint: Entrypoint,
+    db: Database,
+    tagSrv: TagSrv,
+    val organisationSrv: OrganisationSrv,
+    properties: Properties
+) extends QueryableCtrl
+    with TagRenderer {
+  override val entityName: String                 = "Tag"
+  override val publicProperties: PublicProperties = properties.tag
+  override val initialQuery: Query =
+    Query.init[Traversal.V[Tag]]("listTag", (graph, authContext) => tagSrv.startTraversal(graph).visible(authContext))
+  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Tag], IteratorOutput](
+    "page",
+    (params, tagSteps, authContext) =>
+      tagSteps.richPage(params.from, params.to, params.extraData.contains("total"))(
+        _.withCustomRenderer(tagStatsRenderer(params.extraData - "total")(authContext))
+      )
+  )
+  override val outputQuery: Query = Query.output[Tag with Entity]
+  override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Tag]](
+    "getTag",
+    (idOrName, graph, _) => tagSrv.get(idOrName)(graph)
+  )
+  override val extraQueries: Seq[ParamQuery[_]] = Seq(
+    Query[Traversal.V[Tag], Traversal.V[Tag]]("freetags", (tagSteps, authContext) => tagSteps.freetags(organisationSrv)(authContext)),
+    Query.initWithParam[TagHint, Traversal[String, Vertex, Converter[String, Vertex]]](
+      "tagAutoComplete",
+      (tagHint, graph, authContext) =>
+        tagHint
+          .freeTag
+          .fold(tagSrv.startTraversal(graph).autoComplete(tagHint.namespace, tagHint.predicate, tagHint.value)(authContext).visible(authContext))(
+            tagSrv.startTraversal(graph).autoComplete(organisationSrv, _)(authContext).sort(_.by("predicate", Order.asc))
+          )
+          .merge(tagHint.limit)(_.limit(_))
+          .displayName
+    ),
+    Query[Traversal.V[Tag], Traversal[String, Vertex, Converter[String, Vertex]]]("text", (tagSteps, _) => tagSteps.displayName),
+    Query.output[String, Traversal[String, Vertex, Converter[String, Vertex]]]
+  )
+
+  def get(tagId: String): Action[AnyContent] =
+    entrypoint("get tag")
+      .authRoTransaction(db) { _ => implicit graph =>
+        tagSrv
+          .getOrFail(EntityIdOrName(tagId))
+          .map(tag => Results.Ok(tag.toJson))
+      }
+
+  def update(tagId: String): Action[AnyContent] =
+    entrypoint("update tag")
+      .extract("tag", FieldsParser.update("tag", publicProperties))
+      .authPermittedTransaction(db, Permissions.manageTag) { implicit request => implicit graph =>
+        val propertyUpdaters: Seq[PropertyUpdater] = request.body("tag")
+        tagSrv
+          .update(_.getFreetag(organisationSrv, EntityIdOrName(tagId)), propertyUpdaters)
+          .map(_ => Results.NoContent)
+      }
+
+  def delete(tagId: String): Action[AnyContent] =
+    entrypoint("delete tag")
+      .authPermittedTransaction(db, Permissions.manageTag) { implicit request => implicit graph =>
+        tagSrv
+          .getFreetag(EntityIdOrName(tagId))
+          .getOrFail("Tag")
+          .flatMap(tagSrv.delete)
+          .map(_ => Results.NoContent)
+      }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
new file mode 100644
index 0000000000..3b665045c3
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/TagRenderer.scala
@@ -0,0 +1,44 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.thehive.models.Tag
+import org.thp.thehive.services.TagOps._
+import play.api.libs.json._
+
+import java.util.{Map => JMap}
+
+trait TagRenderer extends BaseRenderer[Tag] {
+
+  def usageStats(implicit
+      authContext: AuthContext
+  ): Traversal.V[Tag] => Traversal[JsObject, JMap[String, Any], Converter[JsObject, JMap[String, Any]]] =
+    _.project(
+      _.by(_.`case`.count)
+        .by(_.alert.count)
+        .by(_.observable.count)
+        .by(_.caseTemplate.count)
+    ).domainMap {
+      case (caseCount, alertCount, observableCount, caseTemplateCount) =>
+        Json.obj(
+          "case"         -> caseCount,
+          "alert"        -> alertCount,
+          "observable"   -> observableCount,
+          "caseTemplate" -> caseTemplateCount
+        )
+    }
+
+  def tagStatsRenderer(extraData: Set[String])(implicit
+      authContext: AuthContext
+  ): Traversal.V[Tag] => JsTraversal = { implicit traversal =>
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "usage") => addData("usage", f)(usageStats)
+        case (f, _)       => f
+      }
+    )
+  }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
index 55be07a869..ce1450a715 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaskCtrl.scala
@@ -1,6 +1,6 @@
 package org.thp.thehive.controllers.v1
 
-import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.{EntityIdOrName, _}
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query.{ParamQuery, PropertyUpdater, PublicProperties, Query}
@@ -10,34 +10,37 @@ import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputTask
 import org.thp.thehive.models._
 import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
-import org.thp.thehive.services.{CaseSrv, OrganisationSrv, ShareSrv, TaskSrv}
+import org.thp.thehive.services.{CaseSrv, OrganisationSrv, TaskSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.util.Success
 
 @Singleton
 class TaskCtrl @Inject() (
     entrypoint: Entrypoint,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     properties: Properties,
     taskSrv: TaskSrv,
     caseSrv: CaseSrv,
-    organisationSrv: OrganisationSrv,
-    shareSrv: ShareSrv
+    organisationSrv: OrganisationSrv
 ) extends QueryableCtrl
     with TaskRenderer {
 
   override val entityName: String                 = "task"
   override val publicProperties: PublicProperties = properties.task
   override val initialQuery: Query =
-    Query.init[Traversal.V[Task]]("listTask", (graph, authContext) => organisationSrv.get(authContext.organisation)(graph).shares.tasks)
+    Query.init[Traversal.V[Task]](
+      "listTask",
+      (graph, authContext) => taskSrv.startTraversal(graph).inOrganisation(organisationSrv.currentId(graph, authContext))
+//        organisationSrv.get(authContext.organisation)(graph).shares.tasks)
+    )
   override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[Task], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
     (range, taskSteps, authContext) =>
       taskSteps.richPage(range.from, range.to, range.extraData.contains("total"))(
         _.richTaskWithCustomRenderer(taskStatsRenderer(range.extraData)(authContext))
@@ -45,21 +48,33 @@ class TaskCtrl @Inject() (
   )
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[Task]](
     "getTask",
-    FieldsParser[EntityIdOrName],
-    (idOrName, graph, authContext) => taskSrv.get(idOrName)(graph).visible(authContext)
+    (idOrName, graph, authContext) => taskSrv.get(idOrName)(graph).visible(organisationSrv)(authContext)
   )
   override val outputQuery: Query =
     Query.outputWithContext[RichTask, Traversal.V[Task]]((taskSteps, _) => taskSteps.richTask)
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
     Query.init[Traversal.V[Task]](
+      "waitingTasks",
+      (graph, authContext) => taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).inCase.visible(organisationSrv)(authContext)
+    ),
+    Query.init[Traversal.V[Task]]( // DEPRECATED
       "waitingTask",
-      (graph, authContext) => taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).visible(authContext)
+      (graph, authContext) => taskSrv.startTraversal(graph).has(_.status, TaskStatus.Waiting).inCase.visible(organisationSrv)(authContext)
+    ),
+    Query.init[Traversal.V[Task]](
+      "myTasks",
+      (graph, authContext) =>
+        taskSrv
+          .startTraversal(graph)
+          .assignTo(authContext.userId)
+          .visible(organisationSrv)(authContext)
     ),
     Query[Traversal.V[Task], Traversal.V[User]]("assignableUsers", (taskSteps, authContext) => taskSteps.assignableUsers(authContext)),
     Query[Traversal.V[Task], Traversal.V[Log]]("logs", (taskSteps, _) => taskSteps.logs),
     Query[Traversal.V[Task], Traversal.V[Case]]("case", (taskSteps, _) => taskSteps.`case`),
-    Query[Traversal.V[Task], Traversal.V[CaseTemplate]]("caseTemplate", (taskSteps, _) => taskSteps.caseTemplate),
-    Query[Traversal.V[Task], Traversal.V[Organisation]]("organisations", (taskSteps, authContext) => taskSteps.organisations.visible(authContext))
+    Query[Traversal.V[Task], Traversal.V[CaseTemplate]]("caseTemplate", (taskSteps, authContext) => taskSteps.caseTemplate.visible(authContext)),
+    Query[Traversal.V[Task], Traversal.V[Organisation]]("organisations", (taskSteps, authContext) => taskSteps.organisations.visible(authContext)),
+    Query[Traversal.V[Task], Traversal.V[Share]]("shares", (taskSteps, authContext) => taskSteps.shares.visible(authContext))
   )
 
   def create: Action[AnyContent] =
@@ -70,10 +85,8 @@ class TaskCtrl @Inject() (
         val inputTask: InputTask = request.body("task")
         val caseId: String       = request.body("caseId")
         for {
-          case0        <- caseSrv.get(EntityIdOrName(caseId)).can(Permissions.manageTask).getOrFail("Case")
-          createdTask  <- taskSrv.create(inputTask.toTask, None)
-          organisation <- organisationSrv.getOrFail(request.organisation)
-          _            <- shareSrv.shareTask(createdTask, case0, organisation)
+          case0       <- caseSrv.get(EntityIdOrName(caseId)).can(Permissions.manageTask).getOrFail("Case")
+          createdTask <- caseSrv.createTask(case0, inputTask.toTask)
         } yield Results.Created(createdTask.toJson)
       }
 
@@ -82,7 +95,7 @@ class TaskCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         taskSrv
           .get(EntityIdOrName(taskId))
-          .visible
+          .visible(organisationSrv)
           .richTask
           .getOrFail("Task")
           .map(task => Results.Ok(task.toJson))
@@ -93,7 +106,7 @@ class TaskCtrl @Inject() (
       .authRoTransaction(db) { implicit request => implicit graph =>
         val tasks = taskSrv
           .startTraversal
-          .visible
+          .visible(organisationSrv)
           .richTask
           .toSeq
         Success(Results.Ok(tasks.toJson))
@@ -113,21 +126,52 @@ class TaskCtrl @Inject() (
           .map(_ => Results.NoContent)
       }
 
+  def bulkUpdate: Action[AnyContent] =
+    entrypoint("bulk update")
+      .extract("input", FieldsParser.update("task", publicProperties))
+      .extract("ids", FieldsParser.seq[String].on("ids"))
+      .authTransaction(db) { implicit request => implicit graph =>
+        val properties: Seq[PropertyUpdater] = request.body("input")
+        val ids: Seq[String]                 = request.body("ids")
+        ids
+          .toTry { id =>
+            taskSrv
+              .update(
+                _.get(EntityIdOrName(id))
+                  .can(Permissions.manageTask),
+                properties
+              )
+          }
+          .map(_ => Results.NoContent)
+      }
+
   def isActionRequired(taskId: String): Action[AnyContent] =
     entrypoint("is action required")
-      .authTransaction(db){ implicit request => implicit graph =>
-        val actionTraversal = taskSrv.get(EntityIdOrName(taskId)).visible.actionRequiredMap
+      .authTransaction(db) { implicit request => implicit graph =>
+        val actionTraversal = taskSrv.get(EntityIdOrName(taskId)).visible(organisationSrv).actionRequiredMap
         Success(Results.Ok(actionTraversal.toSeq.toMap.toJson))
       }
 
   def actionRequired(taskId: String, orgaId: String, required: Boolean): Action[AnyContent] =
     entrypoint("action required")
-      .authTransaction(db){ implicit request => implicit graph =>
+      .authTransaction(db) { implicit request => implicit graph =>
         for {
           organisation <- organisationSrv.get(EntityIdOrName(orgaId)).visible.getOrFail("Organisation")
-          task         <- taskSrv.get(EntityIdOrName(taskId)).visible.getOrFail("Task")
+          task         <- taskSrv.get(EntityIdOrName(taskId)).visible(organisationSrv).getOrFail("Task")
           _            <- taskSrv.actionRequired(task, organisation, required)
         } yield Results.NoContent
       }
 
+  def delete(taskId: String): Action[AnyContent] =
+    entrypoint("delete task")
+      .authTransaction(db) { implicit request => implicit graph =>
+        for {
+          t <-
+            taskSrv
+              .get(EntityIdOrName(taskId))
+              .can(Permissions.manageTask)
+              .getOrFail("Task")
+          _ <- taskSrv.delete(t)
+        } yield Results.NoContent
+      }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaskRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/TaskRenderer.scala
index 14b3d37f0e..172fda07b0 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TaskRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaskRenderer.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.lang.{Long => JLong, Boolean => JBoolean}
-import java.util.{List => JList, Map => JMap}
-
 import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -15,48 +12,56 @@ import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.TaskOps._
 import play.api.libs.json._
 
+import java.lang.{Boolean => JBoolean, Long => JLong}
+import java.util.{List => JList, Map => JMap}
+
 trait TaskRenderer extends BaseRenderer[Task] {
 
-  def caseParent(implicit
+  private def caseParent(implicit
       authContext: AuthContext
   ): Traversal.V[Task] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
     _.`case`.richCase.fold.domainMap(_.headOption.fold[JsValue](JsNull)(_.toJson))
 
-  def caseParentId: Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
+  private def caseParentId: Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
     _.`case`.fold.domainMap(_.headOption.fold[JsValue](JsNull)(c => JsString(c._id.toString)))
 
-  def caseTemplateParent: Traversal.V[Task] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
+  private def caseTemplateParent: Traversal.V[Task] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
     _.caseTemplate.richCaseTemplate.fold.domainMap(_.headOption.fold[JsValue](JsNull)(_.toJson))
 
-  def caseTemplateParentId: Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
+  private def caseTemplateParentId: Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
     _.caseTemplate.fold.domainMap(_.headOption.fold[JsValue](JsNull)(ct => JsString(ct._id.toString)))
 
-  def shareCount: Traversal.V[Task] => Traversal[JsValue, JLong, Converter[JsValue, JLong]] =
+  private def shareCount: Traversal.V[Task] => Traversal[JsValue, JLong, Converter[JsValue, JLong]] =
     _.organisations.count.domainMap(count => JsNumber(count - 1))
 
-  def isOwner(implicit authContext: AuthContext): Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
+  private def isOwner(implicit authContext: AuthContext): Traversal.V[Task] => Traversal[JsValue, JList[Vertex], Converter[JsValue, JList[Vertex]]] =
     _.origin.get(authContext.organisation).fold.domainMap(l => JsBoolean(l.nonEmpty))
 
-  def actionRequired(implicit authContext: AuthContext): Traversal.V[Task] => Traversal[JsValue, JBoolean, Converter[JsValue, JBoolean]] =
+  private def actionRequired(implicit authContext: AuthContext): Traversal.V[Task] => Traversal[JsValue, JBoolean, Converter[JsValue, JBoolean]] =
     _.actionRequired.domainMap(JsBoolean(_))
 
-  def actionRequiredMap(implicit authContext: AuthContext):
-  Traversal.V[Task] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
+  private def actionRequiredMap(implicit
+      authContext: AuthContext
+  ): Traversal.V[Task] => Traversal[JsValue, JList[JMap[String, Any]], Converter[JsValue, JList[JMap[String, Any]]]] =
     _.actionRequiredMap.fold.domainMap(_.toMap.toJson)
 
-  def taskStatsRenderer(extraData: Set[String])(
-    implicit authContext: AuthContext
+  def taskStatsRenderer(extraData: Set[String])(implicit
+      authContext: AuthContext
   ): Traversal.V[Task] => JsTraversal = { implicit traversal =>
-    baseRenderer(extraData, traversal, {
-      case (f, "case")              => addData("case", f)(caseParent)
-      case (f, "caseId")            => addData("caseId", f)(caseParentId)
-      case (f, "caseTemplate")      => addData("caseTemplate", f)(caseTemplateParent)
-      case (f, "caseTemplateId")    => addData("caseTemplateId", f)(caseTemplateParentId)
-      case (f, "isOwner")           => addData("isOwner", f)(isOwner)
-      case (f, "shareCount")        => addData("shareCount", f)(shareCount)
-      case (f, "actionRequired")    => addData("actionRequired", f)(actionRequired)
-      case (f, "actionRequiredMap") => addData("actionRequiredMap", f)(actionRequiredMap)
-      case (f, _)                   => f
-    })
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "case")              => addData("case", f)(caseParent)
+        case (f, "caseId")            => addData("caseId", f)(caseParentId)
+        case (f, "caseTemplate")      => addData("caseTemplate", f)(caseTemplateParent)
+        case (f, "caseTemplateId")    => addData("caseTemplateId", f)(caseTemplateParentId)
+        case (f, "isOwner")           => addData("isOwner", f)(isOwner)
+        case (f, "shareCount")        => addData("shareCount", f)(shareCount)
+        case (f, "actionRequired")    => addData("actionRequired", f)(actionRequired)
+        case (f, "actionRequiredMap") => addData("actionRequiredMap", f)(actionRequiredMap)
+        case (f, _)                   => f
+      }
+    )
   }
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaxonomyCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/TaxonomyCtrl.scala
new file mode 100644
index 0000000000..0bc454d5f7
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaxonomyCtrl.scala
@@ -0,0 +1,174 @@
+package org.thp.thehive.controllers.v1
+
+import net.lingala.zip4j.ZipFile
+import net.lingala.zip4j.model.FileHeader
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.controllers.{Entrypoint, FFile, FieldsParser}
+import org.thp.scalligraph.models.Database
+import org.thp.scalligraph.query._
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Graph, IteratorOutput, Traversal}
+import org.thp.scalligraph.{BadRequestError, EntityIdOrName, RichSeq}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.dto.v1.InputTaxonomy
+import org.thp.thehive.models.{Permissions, RichTaxonomy, Tag, Taxonomy}
+import org.thp.thehive.services.TaxonomyOps._
+import org.thp.thehive.services.{TagSrv, TaxonomySrv}
+import play.api.libs.json.{JsArray, Json}
+import play.api.mvc.{Action, AnyContent, Results}
+
+import javax.inject.Inject
+import scala.collection.JavaConverters._
+import scala.util.{Failure, Success, Try}
+
+class TaxonomyCtrl @Inject() (
+    entrypoint: Entrypoint,
+    properties: Properties,
+    taxonomySrv: TaxonomySrv,
+    tagSrv: TagSrv,
+    db: Database
+) extends QueryableCtrl
+    with TaxonomyRenderer {
+
+  override val entityName: String                 = "taxonomy"
+  override val publicProperties: PublicProperties = properties.taxonomy
+  override val initialQuery: Query =
+    Query.init[Traversal.V[Taxonomy]]("listTaxonomy", (graph, authContext) => taxonomySrv.startTraversal(graph).visible(authContext))
+  override val getQuery: ParamQuery[EntityIdOrName] =
+    Query.initWithParam[EntityIdOrName, Traversal.V[Taxonomy]](
+      "getTaxonomy",
+      (idOrName, graph, authContext) => taxonomySrv.get(idOrName)(graph).visible(authContext)
+    )
+  override val pageQuery: ParamQuery[OutputParam] =
+    Query.withParam[OutputParam, Traversal.V[Taxonomy], IteratorOutput](
+      "page",
+      {
+        case (OutputParam(from, to, extraData), taxoSteps, _) =>
+          taxoSteps.richPage(from, to, extraData.contains("total"))(_.richTaxonomyWithCustomRenderer(taxoStatsRenderer(extraData - "total")))
+      }
+    )
+  override val outputQuery: Query =
+    Query.outputWithContext[RichTaxonomy, Traversal.V[Taxonomy]]((traversal, _) => traversal.richTaxonomy)
+  override val extraQueries: Seq[ParamQuery[_]] = Seq(
+    Query[Traversal.V[Taxonomy], Traversal.V[Tag]]("tags", (traversal, _) => traversal.tags)
+  )
+
+  def create: Action[AnyContent] =
+    entrypoint("import taxonomy")
+      .extract("taxonomy", FieldsParser[InputTaxonomy])
+      .authPermittedTransaction(db, Permissions.manageTaxonomy) { implicit request => implicit graph =>
+        for {
+          richTaxonomy <- createFromInput(request.body("taxonomy"))
+        } yield Results.Created(richTaxonomy.toJson)
+      }
+
+  def importZip: Action[AnyContent] =
+    entrypoint("import taxonomies zip")
+      .extract("file", FieldsParser.file.on("file"))
+      .authPermitted(Permissions.manageTaxonomy) { implicit request =>
+        val file: FFile = request.body("file")
+        val zipFile     = new ZipFile(file.filepath.toString)
+        val headers = zipFile
+          .getFileHeaders
+          .iterator()
+          .asScala
+
+        for {
+          inputTaxos <-
+            headers
+              .filter(h => h.getFileName.endsWith("machinetag.json"))
+              .toTry(parseJsonFile(zipFile, _))
+          richTaxos = inputTaxos.foldLeft[JsArray](JsArray.empty) { (array, taxo) =>
+            val res = db.tryTransaction { implicit graph =>
+              createFromInput(taxo)
+            } match {
+              case Failure(e) =>
+                Json.obj("namespace" -> taxo.namespace, "status" -> "Failure", "message" -> e.getMessage)
+              case Success(t) =>
+                Json.obj("namespace" -> t.namespace, "status" -> "Success", "numberOfTags" -> t.tags.size)
+            }
+            array :+ res
+          }
+        } yield Results.Created(richTaxos)
+      }
+
+  private def parseJsonFile(zipFile: ZipFile, h: FileHeader): Try[InputTaxonomy] =
+    Try(Json.parse(zipFile.getInputStream(h)).as[InputTaxonomy]).recoverWith {
+      case _ => Failure(BadRequestError(s"File '${h.getFileName}' does not comply with the MISP taxonomy formatting"))
+    }
+
+  private def createFromInput(inputTaxo: InputTaxonomy)(implicit graph: Graph, authContext: AuthContext): Try[RichTaxonomy] = {
+    // Create tags
+    val predicatesWithValue = inputTaxo.values.map(_.predicate).distinct
+    val predicateWithNoTags = inputTaxo.predicates.filterNot(p => predicatesWithValue.contains(p.value))
+
+    val tags = inputTaxo.values.flatMap { value =>
+      value
+        .entry
+        .map { e =>
+          Tag(
+            inputTaxo.namespace,
+            value.predicate,
+            Some(e.value),
+            e.expanded,
+            e.colour.getOrElse(tagSrv.freeTagColour)
+          )
+        }
+    }
+    // Create a tag for predicates with no tags associated
+
+    val allTags = tags ++ predicateWithNoTags.map(p => Tag(inputTaxo.namespace, p.value, None, None, p.colour.getOrElse(tagSrv.freeTagColour)))
+
+    if (inputTaxo.namespace.isEmpty)
+      Failure(BadRequestError(s"A taxonomy with no namespace cannot be imported"))
+    else if (inputTaxo.namespace.startsWith("_freetags"))
+      Failure(BadRequestError(s"Namespace _freetags is restricted for TheHive"))
+    else if (taxonomySrv.startTraversal.alreadyImported(inputTaxo.namespace))
+      // Update the taxonomy, update exisiting tags & create others
+      for {
+        _           <- allTags.toTry(t => taxonomySrv.updateOrCreateTag(inputTaxo.namespace, t))
+        taxonomy    <- taxonomySrv.get(EntityIdOrName(inputTaxo.namespace)).getOrFail("Taxonomy")
+        updatedTaxo <- taxonomySrv.update(taxonomy, inputTaxo.toTaxonomy)
+      } yield updatedTaxo
+    else
+      // Create the taxonomy and all its tags
+      for {
+        tagsEntities <- allTags.toTry(t => tagSrv.create(t))
+        richTaxonomy <- taxonomySrv.create(inputTaxo.toTaxonomy, tagsEntities)
+      } yield richTaxonomy
+  }
+
+  def get(taxonomyId: String): Action[AnyContent] =
+    entrypoint("get taxonomy")
+      .authRoTransaction(db) { implicit request => implicit graph =>
+        taxonomySrv
+          .get(EntityIdOrName(taxonomyId))
+          .visible
+          .richTaxonomy
+          .getOrFail("Taxonomy")
+          .map(taxonomy => Results.Ok(taxonomy.toJson))
+      }
+
+  def toggleActivation(taxonomyId: String, isActive: Boolean): Action[AnyContent] =
+    entrypoint("toggle taxonomy")
+      .authPermittedTransaction(db, Permissions.manageTaxonomy) { implicit request => implicit graph =>
+        val toggleF = if (isActive) taxonomySrv.activate _ else taxonomySrv.deactivate _
+        toggleF(EntityIdOrName(taxonomyId)).map(_ => Results.NoContent)
+      }
+
+  def delete(taxoId: String): Action[AnyContent] =
+    entrypoint("delete taxonomy")
+      .authPermittedTransaction(db, Permissions.manageTaxonomy) { implicit request => implicit graph =>
+        for {
+          taxo <-
+            taxonomySrv
+              .get(EntityIdOrName(taxoId))
+              .visible
+              .getOrFail("Taxonomy")
+          tags <- Try(taxonomySrv.get(taxo).tags.toSeq)
+          _    <- tags.toTry(t => tagSrv.delete(t))
+          _    <- taxonomySrv.delete(taxo)
+        } yield Results.NoContent
+      }
+
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TaxonomyRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/TaxonomyRenderer.scala
new file mode 100644
index 0000000000..8a90025f56
--- /dev/null
+++ b/thehive/app/org/thp/thehive/controllers/v1/TaxonomyRenderer.scala
@@ -0,0 +1,23 @@
+package org.thp.thehive.controllers.v1
+
+import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.thehive.models.Taxonomy
+import org.thp.thehive.services.TaxonomyOps._
+import play.api.libs.json._
+
+trait TaxonomyRenderer extends BaseRenderer[Taxonomy] {
+
+  def enabledStats: Traversal.V[Taxonomy] => Traversal[JsValue, Boolean, Converter[JsValue, Boolean]] =
+    _.enabled.domainMap(l => JsBoolean(l))
+
+  def taxoStatsRenderer(extraData: Set[String]): Traversal.V[Taxonomy] => JsTraversal = { implicit traversal =>
+    baseRenderer(
+      extraData,
+      traversal,
+      {
+        case (f, "enabled") => addData("enabled", f)(enabledStats)
+        case (f, _)         => f
+      }
+    )
+  }
+}
diff --git a/thehive/app/org/thp/thehive/controllers/v1/TheHiveQueryExecutor.scala b/thehive/app/org/thp/thehive/controllers/v1/TheHiveQueryExecutor.scala
index bbc3b86b81..b11fcace4a 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/TheHiveQueryExecutor.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/TheHiveQueryExecutor.scala
@@ -1,10 +1,11 @@
 package org.thp.thehive.controllers.v1
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.controllers.{FObject, FieldsParser}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query._
 
+import javax.inject.{Inject, Singleton}
+
 case class OutputParam(from: Long, to: Long, extraData: Set[String])
 
 object OutputParam {
@@ -29,12 +30,17 @@ class TheHiveQueryExecutor @Inject() (
     observableCtrl: ObservableCtrl,
     observableTypeCtrl: ObservableTypeCtrl,
     organisationCtrl: OrganisationCtrl,
+    patternCtrl: PatternCtrl,
+    procedureCtrl: ProcedureCtrl,
     profileCtrl: ProfileCtrl,
+    shareCtrl: ShareCtrl,
+    tagCtrl: TagCtrl,
     taskCtrl: TaskCtrl,
     userCtrl: UserCtrl,
-    //    dashboardCtrl: DashboardCtrl,
+    taxonomyCtrl: TaxonomyCtrl,
+    dashboardCtrl: DashboardCtrl,
     properties: Properties,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryExecutor {
 
   lazy val controllers: Seq[QueryableCtrl] =
@@ -44,16 +50,20 @@ class TheHiveQueryExecutor @Inject() (
       caseCtrl,
       caseTemplateCtrl,
       customFieldCtrl,
-//      dashboardCtrl,
+      dashboardCtrl,
       logCtrl,
       observableCtrl,
       observableTypeCtrl,
       organisationCtrl,
 //      pageCtrl,
+      patternCtrl,
+      procedureCtrl,
       profileCtrl,
-//      tagCtrl,
+      shareCtrl,
+      tagCtrl,
       taskCtrl,
-      userCtrl
+      userCtrl,
+      taxonomyCtrl
     )
 
   override val version: (Int, Int) = 1 -> 1
diff --git a/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
index 676094fa54..2468a8e353 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/UserCtrl.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.Base64
-
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.auth.AuthSrv
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
@@ -22,19 +19,24 @@ import play.api.http.HttpEntity
 import play.api.libs.json.{JsNull, JsObject, Json}
 import play.api.mvc._
 
+import java.util.{Base64, Date}
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
+case class UserOutputParam(from: Long, to: Long, extraData: Set[String], organisation: Option[String])
+
 @Singleton
 class UserCtrl @Inject() (
     entrypoint: Entrypoint,
     properties: Properties,
+    caseSrv: CaseSrv,
     userSrv: UserSrv,
     authSrv: AuthSrv,
     organisationSrv: OrganisationSrv,
     profileSrv: ProfileSrv,
     auditSrv: AuditSrv,
     attachmentSrv: AttachmentSrv,
-    @Named("with-thehive-schema") implicit val db: Database
+    implicit val db: Database
 ) extends QueryableCtrl {
 
   override val entityName: String                 = "user"
@@ -45,22 +47,28 @@ class UserCtrl @Inject() (
 
   override val getQuery: ParamQuery[EntityIdOrName] = Query.initWithParam[EntityIdOrName, Traversal.V[User]](
     "getUser",
-    FieldsParser[EntityIdOrName],
     (idOrName, graph, authContext) => userSrv.get(idOrName)(graph).visible(authContext)
   )
 
-  override val pageQuery: ParamQuery[OutputParam] = Query.withParam[OutputParam, Traversal.V[User], IteratorOutput](
+  override val pageQuery: ParamQuery[UserOutputParam] = Query.withParam[UserOutputParam, Traversal.V[User], IteratorOutput](
     "page",
-    FieldsParser[OutputParam],
-    (range, userSteps, authContext) => userSteps.richUser(authContext).page(range.from, range.to, range.extraData.contains("total"))
+    (params, userSteps, authContext) =>
+      params
+        .organisation
+        .fold(userSteps.richUser(authContext))(org => userSteps.richUser(authContext, EntityIdOrName(org)))
+        .page(params.from, params.to, params.extraData.contains("total"))
   )
   override val outputQuery: Query =
     Query.outputWithContext[RichUser, Traversal.V[User]]((userSteps, authContext) => userSteps.richUser(authContext))
 
   override val extraQueries: Seq[ParamQuery[_]] = Seq(
     Query.init[Traversal.V[User]]("currentUser", (graph, authContext) => userSrv.current(graph, authContext)),
-    Query[Traversal.V[User], Traversal.V[Task]]("tasks", (userSteps, authContext) => userSteps.tasks.visible(authContext)),
-    Query[Traversal.V[User], Traversal.V[Case]]("cases", (userSteps, authContext) => userSteps.cases.visible(authContext))
+    Query[Traversal.V[User], Traversal.V[Task]]("tasks", (userSteps, authContext) => userSteps.tasks.visible(organisationSrv)(authContext)),
+    Query[Traversal.V[User], Traversal.V[Case]](
+      "cases",
+      (userSteps, authContext) =>
+        caseSrv.startTraversal(userSteps.graph).visible(organisationSrv)(authContext).assignedTo(userSteps.value(_.login).toSeq: _*)
+    )
   )
   def current: Action[AnyContent] =
     entrypoint("current user")
@@ -69,12 +77,16 @@ class UserCtrl @Inject() (
           .current
           .richUserWithCustomRenderer(request.organisation, _.organisationWithRole)
           .getOrFail("User")
-          .map(user =>
+          .map { user =>
+            val scope =
+              if (user._1.organisation == Organisation.administration.name) "admin"
+              else "organisation"
             Results
               .Ok(user.toJson)
               .withHeaders("X-Organisation" -> request.organisation.toString)
-              .withHeaders("X-Permissions" -> user._1.permissions.mkString(","))
-          )
+              .withHeaders("X-Permissions" -> (Permissions.forScope(scope) & user._1.permissions).mkString(","))
+          }
+          .recover { case _ => Results.Unauthorized.withHeaders("X-Logout" -> "1") }
       }
 
   def create: Action[AnyContent] =
@@ -197,10 +209,19 @@ class UserCtrl @Inject() (
                         .flatMap(userSrv.setAvatar(user, _))
                         .map(_ => Json.obj("avatar" -> "[binary data]"))
                   }.flip
-                } yield updateName.getOrElse(JsObject.empty) ++
-                  updateLocked.getOrElse(JsObject.empty) ++
-                  updateProfile.getOrElse(JsObject.empty) ++
-                  updatedAvatar.getOrElse(JsObject.empty)
+                } yield {
+                  val updatedProperties = updateName.getOrElse(JsObject.empty) ++
+                    updateLocked.getOrElse(JsObject.empty) ++
+                    updateProfile.getOrElse(JsObject.empty) ++
+                    updatedAvatar.getOrElse(JsObject.empty)
+                  if (updatedProperties.fields.nonEmpty)
+                    userSrv
+                      .get(user)
+                      .update(_._updatedBy, Some(request.userId))
+                      .update(_._updatedAt, Some(new Date))
+                      .iterate()
+                  updatedProperties
+                }
               }(update => auditSrv.user.update(user, update))
               .map(_ => Results.NoContent)
         }
@@ -247,6 +268,12 @@ class UserCtrl @Inject() (
               .users
               .get(EntityIdOrName(userIdOrName))
               .getOrFail("User")
+              .orElse {
+                userSrv
+                  .current
+                  .get(EntityIdOrName(userIdOrName))
+                  .getOrFail("User")
+              }
           }
           key <- authSrv.getKey(user.login)
         } yield Results.Ok(key)
diff --git a/thehive/app/org/thp/thehive/models/Alert.scala b/thehive/app/org/thp/thehive/models/Alert.scala
index 98a993bf4c..9a4dc54f03 100644
--- a/thehive/app/org/thp/thehive/models/Alert.scala
+++ b/thehive/app/org/thp/thehive/models/Alert.scala
@@ -1,11 +1,10 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
-import io.scalaland.chimney.dsl._
 import org.thp.scalligraph._
 import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 
+import java.util.Date
+
 @BuildEdgeEntity[Alert, CustomField]
 case class AlertCustomField(
     order: Option[Int] = None,
@@ -39,7 +38,22 @@ case class AlertCaseTemplate()
 case class AlertTag()
 
 @BuildVertexEntity
-@DefineIndex(IndexType.basic, "type", "source", "sourceRef")
+@DefineIndex(IndexType.unique, "type", "source", "sourceRef", "organisationId")
+@DefineIndex(IndexType.standard, "type")
+@DefineIndex(IndexType.standard, "source")
+@DefineIndex(IndexType.standard, "sourceRef")
+@DefineIndex(IndexType.fulltext, "title")
+@DefineIndex(IndexType.fulltext, "description")
+@DefineIndex(IndexType.standard, "severity")
+@DefineIndex(IndexType.standard, "date")
+@DefineIndex(IndexType.standard, "lastSyncDate")
+@DefineIndex(IndexType.standard, "tlp")
+@DefineIndex(IndexType.standard, "pap")
+@DefineIndex(IndexType.standard, "read")
+@DefineIndex(IndexType.standard, "follow")
+@DefineIndex(IndexType.standard, "tags")
+@DefineIndex(IndexType.standard, "organisationId")
+@DefineIndex(IndexType.standard, "caseId")
 case class Alert(
     `type`: String,
     source: String,
@@ -53,13 +67,15 @@ case class Alert(
     tlp: Int,
     pap: Int,
     read: Boolean,
-    follow: Boolean
+    follow: Boolean,
+    tags: Seq[String],
+    /* filled by the service */
+    organisationId: EntityId = EntityId(""),
+    caseId: Option[EntityId] = None
 )
 
 case class RichAlert(
     alert: Alert with Entity,
-    organisation: String,
-    tags: Seq[Tag with Entity],
     customFields: Seq[RichCustomField],
     caseId: Option[EntityId],
     caseTemplate: Option[String],
@@ -83,28 +99,5 @@ case class RichAlert(
   def pap: Int                     = alert.pap
   def read: Boolean                = alert.read
   def follow: Boolean              = alert.follow
-}
-
-object RichAlert {
-
-  def apply(
-      alert: Alert with Entity,
-      organisation: String,
-      tags: Seq[Tag with Entity],
-      customFields: Seq[RichCustomField],
-      caseId: Option[EntityId],
-      caseTemplate: Option[String],
-      observableCount: Long
-  ): RichAlert =
-    alert
-      .asInstanceOf[Alert]
-      .into[RichAlert]
-      .withFieldConst(_.alert, alert)
-      .withFieldConst(_.organisation, organisation)
-      .withFieldConst(_.tags, tags)
-      .withFieldConst(_.customFields, customFields)
-      .withFieldConst(_.caseId, caseId)
-      .withFieldConst(_.caseTemplate, caseTemplate)
-      .withFieldConst(_.observableCount, observableCount)
-      .transform
+  def tags: Seq[String]            = alert.tags
 }
diff --git a/thehive/app/org/thp/thehive/models/Attachment.scala b/thehive/app/org/thp/thehive/models/Attachment.scala
index 5bc2d396ef..e3214c59b8 100644
--- a/thehive/app/org/thp/thehive/models/Attachment.scala
+++ b/thehive/app/org/thp/thehive/models/Attachment.scala
@@ -1,7 +1,13 @@
 package org.thp.thehive.models
 
 import org.thp.scalligraph.BuildVertexEntity
+import org.thp.scalligraph.models.{DefineIndex, IndexType}
 import org.thp.scalligraph.utils.Hash
 
+@DefineIndex(IndexType.fulltext, "name")
+@DefineIndex(IndexType.standard, "size")
+@DefineIndex(IndexType.fulltext, "contentType")
+@DefineIndex(IndexType.standard, "hashes")
+@DefineIndex(IndexType.standard, "attachmentId")
 @BuildVertexEntity
 case class Attachment(name: String, size: Long, contentType: String, hashes: Seq[Hash], attachmentId: String)
diff --git a/thehive/app/org/thp/thehive/models/Audit.scala b/thehive/app/org/thp/thehive/models/Audit.scala
index a97ebad3e8..af82178b90 100644
--- a/thehive/app/org/thp/thehive/models/Audit.scala
+++ b/thehive/app/org/thp/thehive/models/Audit.scala
@@ -1,18 +1,25 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
-import org.apache.tinkerpop.gremlin.structure.{Edge, Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.{Edge, Vertex}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
-import org.thp.scalligraph.traversal.Converter
+import org.thp.scalligraph.traversal.{Converter, Graph}
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildEdgeEntity[Audit, User]
 case class AuditUser()
 
-@DefineIndex(IndexType.basic, "requestId", "mainAction")
 @BuildVertexEntity
+@DefineIndex(IndexType.basic, "requestId", "mainAction")
+@DefineIndex(IndexType.standard, "requestId")
+@DefineIndex(IndexType.standard, "action")
+@DefineIndex(IndexType.standard, "mainAction")
+@DefineIndex(IndexType.standard, "objectId")
+@DefineIndex(IndexType.standard, "objectType")
+@DefineIndex(IndexType.standard, "_createdAt")
+@DefineIndex(IndexType.standard, "_updatedAt")
 case class Audit(
     requestId: String,
     action: String,
@@ -104,7 +111,7 @@ object Audited {
         override def _createdAt: Date           = entity._createdAt
         override def _updatedAt: Option[Date]   = entity._updatedAt
       }
-    override def create(e: Audited, from: Vertex, to: Vertex)(implicit db: Database, graph: Graph): Edge = from.addEdge(label, to)
+    override def create(e: Audited, from: Vertex, to: Vertex)(implicit graph: Graph): Edge = from.addEdge(label, to)
   }
 }
 case class AuditContext()
@@ -135,7 +142,7 @@ object AuditContext extends HasModel {
         override def _createdAt: Date           = entity._createdAt
         override def _updatedAt: Option[Date]   = entity._updatedAt
       }
-    override def create(e: AuditContext, from: Vertex, to: Vertex)(implicit db: Database, graph: Graph): Edge =
+    override def create(e: AuditContext, from: Vertex, to: Vertex)(implicit graph: Graph): Edge =
       from.addEdge(label, to)
   }
 }
diff --git a/thehive/app/org/thp/thehive/models/Case.scala b/thehive/app/org/thp/thehive/models/Case.scala
index 1990523baf..bb3408bd1f 100644
--- a/thehive/app/org/thp/thehive/models/Case.scala
+++ b/thehive/app/org/thp/thehive/models/Case.scala
@@ -1,12 +1,12 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph._
 import org.thp.scalligraph.auth.Permission
 import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 import play.api.libs.json.{Format, Json}
 
+import java.util.Date
+
 object CaseStatus extends Enumeration {
   val Open, Resolved, Duplicated = Value
 
@@ -16,7 +16,7 @@ object CaseStatus extends Enumeration {
 @BuildVertexEntity
 @DefineIndex(IndexType.unique, "value")
 case class ResolutionStatus(value: String) {
-  require(!value.isEmpty, "ResolutionStatus can't be empty")
+  require(value.nonEmpty, "ResolutionStatus can't be empty")
 }
 
 object ResolutionStatus {
@@ -35,7 +35,7 @@ case class CaseResolutionStatus()
 @BuildVertexEntity
 @DefineIndex(IndexType.unique, "value")
 case class ImpactStatus(value: String) {
-  require(!value.isEmpty, "ImpactStatus can't be empty")
+  require(value.nonEmpty, "ImpactStatus can't be empty")
 }
 
 object ImpactStatus {
@@ -77,14 +77,28 @@ case class CaseUser()
 @BuildEdgeEntity[Case, CaseTemplate]
 case class CaseCaseTemplate()
 
+@BuildEdgeEntity[Case, Procedure]
+case class CaseProcedure()
+
 @BuildVertexEntity
 @DefineIndex(IndexType.unique, "number")
-//@DefineIndex(IndexType.fulltext, "title")
-//@DefineIndex(IndexType.fulltext, "description")
-//@DefineIndex(IndexType.standard, "startDate")
-@DefineIndex(IndexType.basic, "status")
+@DefineIndex(IndexType.fulltext, "title")
+@DefineIndex(IndexType.fulltext, "description")
+@DefineIndex(IndexType.standard, "severity")
+@DefineIndex(IndexType.standard, "startDate")
+@DefineIndex(IndexType.standard, "endDate")
+@DefineIndex(IndexType.standard, "flag")
+@DefineIndex(IndexType.standard, "tlp")
+@DefineIndex(IndexType.standard, "pap")
+@DefineIndex(IndexType.standard, "status")
+@DefineIndex(IndexType.fulltext, "summary")
+@DefineIndex(IndexType.standard, "tags")
+@DefineIndex(IndexType.standard, "assignee")
+@DefineIndex(IndexType.standard, "organisationIds")
+@DefineIndex(IndexType.standard, "impactStatus")
+@DefineIndex(IndexType.standard, "resolutionStatus")
+@DefineIndex(IndexType.standard, "caseTemplate")
 case class Case(
-    number: Int,
     title: String,
     description: String,
     severity: Int,
@@ -94,34 +108,43 @@ case class Case(
     tlp: Int,
     pap: Int,
     status: CaseStatus.Value,
-    summary: Option[String]
+    summary: Option[String],
+    tags: Seq[String],
+    impactStatus: Option[String] = None,
+    resolutionStatus: Option[String] = None,
+    /* filled by the service */
+    assignee: Option[String] = None,
+    number: Int = 0,
+    organisationIds: Set[EntityId] = Set.empty,
+    caseTemplate: Option[String] = None
 )
 
 case class RichCase(
     `case`: Case with Entity,
-    tags: Seq[Tag with Entity],
-    impactStatus: Option[String],
-    resolutionStatus: Option[String],
-    assignee: Option[String],
     customFields: Seq[RichCustomField],
     userPermissions: Set[Permission]
 ) {
-  def _id: EntityId              = `case`._id
-  def _createdBy: String         = `case`._createdBy
-  def _updatedBy: Option[String] = `case`._updatedBy
-  def _createdAt: Date           = `case`._createdAt
-  def _updatedAt: Option[Date]   = `case`._updatedAt
-  def number: Int                = `case`.number
-  def title: String              = `case`.title
-  def description: String        = `case`.description
-  def severity: Int              = `case`.severity
-  def startDate: Date            = `case`.startDate
-  def endDate: Option[Date]      = `case`.endDate
-  def flag: Boolean              = `case`.flag
-  def tlp: Int                   = `case`.tlp
-  def pap: Int                   = `case`.pap
-  def status: CaseStatus.Value   = `case`.status
-  def summary: Option[String]    = `case`.summary
+  def _id: EntityId                    = `case`._id
+  def _createdBy: String               = `case`._createdBy
+  def _updatedBy: Option[String]       = `case`._updatedBy
+  def _createdAt: Date                 = `case`._createdAt
+  def _updatedAt: Option[Date]         = `case`._updatedAt
+  def number: Int                      = `case`.number
+  def title: String                    = `case`.title
+  def description: String              = `case`.description
+  def severity: Int                    = `case`.severity
+  def startDate: Date                  = `case`.startDate
+  def endDate: Option[Date]            = `case`.endDate
+  def flag: Boolean                    = `case`.flag
+  def tlp: Int                         = `case`.tlp
+  def pap: Int                         = `case`.pap
+  def status: CaseStatus.Value         = `case`.status
+  def summary: Option[String]          = `case`.summary
+  def tags: Seq[String]                = `case`.tags
+  def assignee: Option[String]         = `case`.assignee
+  def impactStatus: Option[String]     = `case`.impactStatus
+  def resolutionStatus: Option[String] = `case`.resolutionStatus
+  def caseTemplate: Option[String]     = `case`.caseTemplate
 }
 
 object RichCase {
@@ -138,7 +161,7 @@ object RichCase {
       severity: Int,
       startDate: Date,
       endDate: Option[Date],
-      tags: Seq[Tag with Entity],
+      tags: Seq[String],
       flag: Boolean,
       tlp: Int,
       pap: Int,
@@ -146,19 +169,38 @@ object RichCase {
       summary: Option[String],
       impactStatus: Option[String],
       resolutionStatus: Option[String],
-      user: Option[String],
+      assignee: Option[String],
       customFields: Seq[RichCustomField],
-      userPermissions: Set[Permission]
+      userPermissions: Set[Permission],
+      organisationIds: Set[EntityId]
   ): RichCase = {
-    val `case`: Case with Entity = new Case(number, title, description, severity, startDate, endDate, flag, tlp, pap, status, summary) with Entity {
-      override val _id: EntityId              = __id
-      override val _label: String             = "Case"
-      override val _createdBy: String         = __createdBy
-      override val _updatedBy: Option[String] = __updatedBy
-      override val _createdAt: Date           = __createdAt
-      override val _updatedAt: Option[Date]   = __updatedAt
-    }
-    RichCase(`case`, tags, impactStatus, resolutionStatus, user, customFields, userPermissions)
+    val `case`: Case with Entity =
+      new Case(
+        number = number,
+        title = title,
+        description = description,
+        severity = severity,
+        startDate = startDate,
+        endDate = endDate,
+        flag = flag,
+        tlp = tlp,
+        pap = pap,
+        status = status,
+        summary = summary,
+        organisationIds = organisationIds,
+        tags = tags,
+        assignee = assignee,
+        impactStatus = impactStatus,
+        resolutionStatus = resolutionStatus
+      ) with Entity {
+        override val _id: EntityId              = __id
+        override val _label: String             = "Case"
+        override val _createdBy: String         = __createdBy
+        override val _updatedBy: Option[String] = __updatedBy
+        override val _createdAt: Date           = __createdAt
+        override val _updatedAt: Option[Date]   = __updatedAt
+      }
+    RichCase(`case`, customFields, userPermissions)
   }
 }
 
diff --git a/thehive/app/org/thp/thehive/models/CaseTemplate.scala b/thehive/app/org/thp/thehive/models/CaseTemplate.scala
index dabb30d7a7..0fc11cf5ea 100644
--- a/thehive/app/org/thp/thehive/models/CaseTemplate.scala
+++ b/thehive/app/org/thp/thehive/models/CaseTemplate.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildEdgeEntity[CaseTemplate, Organisation]
 case class CaseTemplateOrganisation()
 
@@ -37,6 +37,7 @@ case class CaseTemplate(
     displayName: String,
     titlePrefix: Option[String],
     description: Option[String],
+    tags: Seq[String],
     severity: Option[Int],
     flag: Boolean,
     tlp: Option[Int],
@@ -47,7 +48,6 @@ case class CaseTemplate(
 case class RichCaseTemplate(
     caseTemplate: CaseTemplate with Entity,
     organisation: String,
-    tags: Seq[Tag with Entity],
     tasks: Seq[RichTask],
     customFields: Seq[RichCustomField]
 ) {
@@ -60,6 +60,7 @@ case class RichCaseTemplate(
   def displayName: String         = caseTemplate.displayName
   def titlePrefix: Option[String] = caseTemplate.titlePrefix
   def description: Option[String] = caseTemplate.description
+  def tags: Seq[String]           = caseTemplate.tags
   def severity: Option[Int]       = caseTemplate.severity
   def flag: Boolean               = caseTemplate.flag
   def tlp: Option[Int]            = caseTemplate.tlp
diff --git a/thehive/app/org/thp/thehive/models/CustomField.scala b/thehive/app/org/thp/thehive/models/CustomField.scala
index e059a5bef0..fb4edb5241 100644
--- a/thehive/app/org/thp/thehive/models/CustomField.scala
+++ b/thehive/app/org/thp/thehive/models/CustomField.scala
@@ -1,12 +1,11 @@
 package org.thp.thehive.models
 
-import java.util.{Date, NoSuchElementException}
-
 import org.apache.tinkerpop.gremlin.structure.Edge
 import org.thp.scalligraph._
 import org.thp.scalligraph.models._
 import play.api.libs.json._
 
+import java.util.{Date, NoSuchElementException}
 import scala.util.{Failure, Success, Try}
 
 trait CustomFieldValue[C] extends Product {
diff --git a/thehive/app/org/thp/thehive/models/Dashboard.scala b/thehive/app/org/thp/thehive/models/Dashboard.scala
index 25b2941989..e861c42f31 100644
--- a/thehive/app/org/thp/thehive/models/Dashboard.scala
+++ b/thehive/app/org/thp/thehive/models/Dashboard.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityIdOrName}
 import play.api.libs.json.JsObject
 
+import java.util.Date
+
 @BuildVertexEntity
 case class Dashboard(title: String, description: String, definition: JsObject)
 
@@ -17,7 +17,8 @@ case class OrganisationDashboard(writable: Boolean)
 
 case class RichDashboard(
     dashboard: Dashboard with Entity,
-    organisationShares: Map[String, Boolean]
+    organisationShares: Map[String, Boolean],
+    writable: Boolean
 ) {
   def _id: EntityIdOrName        = dashboard._id
   def _createdBy: String         = dashboard._createdBy
diff --git a/thehive/app/org/thp/thehive/models/KeyValue.scala b/thehive/app/org/thp/thehive/models/KeyValue.scala
index c6b38c171a..ef185061e4 100644
--- a/thehive/app/org/thp/thehive/models/KeyValue.scala
+++ b/thehive/app/org/thp/thehive/models/KeyValue.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.BuildVertexEntity
 
+import java.util.Date
+
 object ValueType extends Enumeration {
   val string, integer, float, boolean, date = Value
 }
diff --git a/thehive/app/org/thp/thehive/models/Log.scala b/thehive/app/org/thp/thehive/models/Log.scala
index 4c5c54bb41..f1f48bf5f2 100644
--- a/thehive/app/org/thp/thehive/models/Log.scala
+++ b/thehive/app/org/thp/thehive/models/Log.scala
@@ -1,15 +1,25 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
-import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildEdgeEntity[Log, Attachment]
 case class LogAttachment()
 
+@DefineIndex(IndexType.fulltext, "message")
+@DefineIndex(IndexType.standard, "date")
+@DefineIndex(IndexType.standard, "taskId")
+@DefineIndex(IndexType.standard, "organisationIds")
 @BuildVertexEntity
-case class Log(message: String, date: Date, deleted: Boolean)
+case class Log(
+    message: String,
+    date: Date,
+    /* filled by the service */
+    taskId: EntityId = EntityId(""),
+    organisationIds: Set[EntityId] = Set.empty
+)
 
 case class RichLog(log: Log with Entity, attachments: Seq[Attachment with Entity]) {
   def _id: EntityId              = log._id
@@ -19,5 +29,4 @@ case class RichLog(log: Log with Entity, attachments: Seq[Attachment with Entity
   def _updatedAt: Option[Date]   = log._updatedAt
   def date: Date                 = log.date
   def message: String            = log.message
-  def deleted: Boolean           = log.deleted
 }
diff --git a/thehive/app/org/thp/thehive/models/Observable.scala b/thehive/app/org/thp/thehive/models/Observable.scala
index ae4d2715ce..8b3201d41f 100644
--- a/thehive/app/org/thp/thehive/models/Observable.scala
+++ b/thehive/app/org/thp/thehive/models/Observable.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildEdgeEntity[Observable, KeyValue]
 case class ObservableKeyValue()
 
@@ -17,30 +17,53 @@ case class ObservableData()
 @BuildEdgeEntity[Observable, Tag]
 case class ObservableTag()
 
+@DefineIndex(IndexType.fulltext, "message")
+@DefineIndex(IndexType.standard, "tlp")
+@DefineIndex(IndexType.standard, "ioc")
+@DefineIndex(IndexType.standard, "sighted")
+@DefineIndex(IndexType.standard, "ignoreSimilarity")
+@DefineIndex(IndexType.standard, "dataType")
+@DefineIndex(IndexType.standard, "tags")
+@DefineIndex(IndexType.standard, "data")
+@DefineIndex(IndexType.standard, "attachmentId")
+@DefineIndex(IndexType.standard, "relatedId")
+@DefineIndex(IndexType.standard, "organisationIds")
 @BuildVertexEntity
-case class Observable(message: Option[String], tlp: Int, ioc: Boolean, sighted: Boolean, ignoreSimilarity: Option[Boolean])
+case class Observable(
+    message: Option[String],
+    tlp: Int,
+    ioc: Boolean,
+    sighted: Boolean,
+    ignoreSimilarity: Option[Boolean],
+    dataType: String,
+    tags: Seq[String],
+    /* filled by the service */
+    data: Option[String] = None,
+    attachmentId: Option[String] = None,
+    relatedId: EntityId = EntityId(""),
+    organisationIds: Set[EntityId] = Set.empty
+)
 
 case class RichObservable(
     observable: Observable with Entity,
-    `type`: ObservableType with Entity,
-    data: Option[Data with Entity],
     attachment: Option[Attachment with Entity],
-    tags: Seq[Tag with Entity],
     seen: Option[Boolean],
-    extensions: Seq[KeyValue with Entity],
     reportTags: Seq[ReportTag with Entity]
 ) {
-  def _id: EntityId                                                      = observable._id
-  def _createdBy: String                                                 = observable._createdBy
-  def _updatedBy: Option[String]                                         = observable._updatedBy
-  def _createdAt: Date                                                   = observable._createdAt
-  def _updatedAt: Option[Date]                                           = observable._updatedAt
-  def message: Option[String]                                            = observable.message
-  def tlp: Int                                                           = observable.tlp
-  def ioc: Boolean                                                       = observable.ioc
-  def sighted: Boolean                                                   = observable.sighted
-  def ignoreSimilarity: Option[Boolean]                                  = observable.ignoreSimilarity
-  def dataOrAttachment: Either[Data with Entity, Attachment with Entity] = data.toLeft(attachment.get)
+  def _id: EntityId                                            = observable._id
+  def _createdBy: String                                       = observable._createdBy
+  def _updatedBy: Option[String]                               = observable._updatedBy
+  def _createdAt: Date                                         = observable._createdAt
+  def _updatedAt: Option[Date]                                 = observable._updatedAt
+  def message: Option[String]                                  = observable.message
+  def tlp: Int                                                 = observable.tlp
+  def ioc: Boolean                                             = observable.ioc
+  def sighted: Boolean                                         = observable.sighted
+  def ignoreSimilarity: Option[Boolean]                        = observable.ignoreSimilarity
+  def dataOrAttachment: Either[String, Attachment with Entity] = observable.data.toLeft(attachment.get)
+  def dataType: String                                         = observable.dataType
+  def data: Option[String]                                     = observable.data
+  def tags: Seq[String]                                        = observable.tags
 }
 
 @DefineIndex(IndexType.unique, "data")
diff --git a/thehive/app/org/thp/thehive/models/Organisation.scala b/thehive/app/org/thp/thehive/models/Organisation.scala
index 41ca8dd5c2..aefa7efb23 100644
--- a/thehive/app/org/thp/thehive/models/Organisation.scala
+++ b/thehive/app/org/thp/thehive/models/Organisation.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildVertexEntity
 @DefineIndex(IndexType.unique, "name")
 case class Organisation(name: String, description: String)
@@ -20,6 +20,9 @@ case class OrganisationShare()
 @BuildEdgeEntity[Organisation, Organisation]
 case class OrganisationOrganisation()
 
+@BuildEdgeEntity[Organisation, Taxonomy]
+case class OrganisationTaxonomy()
+
 case class RichOrganisation(organisation: Organisation with Entity, links: Seq[Organisation with Entity]) {
   def name: String               = organisation.name
   def description: String        = organisation.description
diff --git a/thehive/app/org/thp/thehive/models/Pattern.scala b/thehive/app/org/thp/thehive/models/Pattern.scala
new file mode 100644
index 0000000000..8fd1b87f36
--- /dev/null
+++ b/thehive/app/org/thp/thehive/models/Pattern.scala
@@ -0,0 +1,55 @@
+package org.thp.thehive.models
+
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
+
+import java.util.Date
+
+@BuildVertexEntity
+case class Pattern(
+    patternId: String,
+    name: String,
+    description: Option[String],
+    tactics: Set[String],
+    url: String,
+    patternType: String,
+    capecId: Option[String],
+    capecUrl: Option[String],
+    revoked: Boolean,
+    dataSources: Seq[String],
+    defenseBypassed: Seq[String],
+    detection: Option[String],
+    permissionsRequired: Seq[String],
+    platforms: Seq[String],
+    remoteSupport: Boolean,
+    systemRequirements: Seq[String],
+    revision: Option[String]
+)
+
+@BuildEdgeEntity[Pattern, Pattern]
+case class PatternPattern()
+
+case class RichPattern(pattern: Pattern with Entity, parent: Option[Pattern with Entity]) {
+  def patternId: String                = pattern.patternId
+  def name: String                     = pattern.name
+  def description: Option[String]      = pattern.description
+  def tactics: Set[String]             = pattern.tactics
+  def url: String                      = pattern.url
+  def patternType: String              = pattern.patternType
+  def capecId: Option[String]          = pattern.capecId
+  def capecUrl: Option[String]         = pattern.capecUrl
+  def revoked: Boolean                 = pattern.revoked
+  def dataSources: Seq[String]         = pattern.dataSources
+  def defenseBypassed: Seq[String]     = pattern.defenseBypassed
+  def detection: Option[String]        = pattern.detection
+  def permissionsRequired: Seq[String] = pattern.permissionsRequired
+  def platforms: Seq[String]           = pattern.platforms
+  def remoteSupport: Boolean           = pattern.remoteSupport
+  def systemRequirements: Seq[String]  = pattern.systemRequirements
+  def version: Option[String]          = pattern.revision
+  def _id: EntityId                    = pattern._id
+  def _createdAt: Date                 = pattern._createdAt
+  def _createdBy: String               = pattern._createdBy
+  def _updatedAt: Option[Date]         = pattern._updatedAt
+  def _updatedBy: Option[String]       = pattern._updatedBy
+}
diff --git a/thehive/app/org/thp/thehive/models/Permissions.scala b/thehive/app/org/thp/thehive/models/Permissions.scala
index 14b45cf5fc..d3521dfb6c 100644
--- a/thehive/app/org/thp/thehive/models/Permissions.scala
+++ b/thehive/app/org/thp/thehive/models/Permissions.scala
@@ -3,45 +3,53 @@ package org.thp.thehive.models
 import org.thp.scalligraph.auth.{Permission, PermissionDesc, Permissions => Perms}
 
 object Permissions extends Perms {
-  lazy val manageCase: PermissionDesc               = PermissionDesc("manageCase", "Manage cases", "organisation")
-  lazy val manageObservable: PermissionDesc         = PermissionDesc("manageObservable", "Manage observables", "organisation")
+  lazy val accessTheHiveFS: PermissionDesc          = PermissionDesc("accessTheHiveFS", "Access to TheHiveFS", "organisation")
+  lazy val manageAction: PermissionDesc             = PermissionDesc("manageAction", "Run Cortex responders ", "organisation")
   lazy val manageAlert: PermissionDesc              = PermissionDesc("manageAlert", "Manage alerts", "organisation")
-  lazy val manageUser: PermissionDesc               = PermissionDesc("manageUser", "Manage users", "organisation", "admin")
-  lazy val manageOrganisation: PermissionDesc       = PermissionDesc("manageOrganisation", "Manage organisations", "admin")
-  lazy val manageCaseTemplate: PermissionDesc       = PermissionDesc("manageCaseTemplate", "Manage case templates", "organisation")
+  lazy val manageAnalyse: PermissionDesc            = PermissionDesc("manageAnalyse", "Run Cortex analyzer", "organisation")
   lazy val manageAnalyzerTemplate: PermissionDesc   = PermissionDesc("manageAnalyzerTemplate", "Manage analyzer templates", "admin")
-  lazy val manageTask: PermissionDesc               = PermissionDesc("manageTask", "Manage tasks", "organisation")
-  lazy val manageAction: PermissionDesc             = PermissionDesc("manageAction", "Run Cortex responders ", "organisation")
+  lazy val manageCase: PermissionDesc               = PermissionDesc("manageCase", "Manage cases", "organisation")
+  lazy val manageCaseTemplate: PermissionDesc       = PermissionDesc("manageCaseTemplate", "Manage case templates", "organisation")
   lazy val manageConfig: PermissionDesc             = PermissionDesc("manageConfig", "Manage configurations", "organisation", "admin")
-  lazy val manageProfile: PermissionDesc            = PermissionDesc("manageProfile", "Manage user profiles", "admin")
-  lazy val manageTag: PermissionDesc                = PermissionDesc("manageTag", "Manage tags", "admin")
   lazy val manageCustomField: PermissionDesc        = PermissionDesc("manageCustomField", "Manage custom fields", "admin")
-  lazy val manageShare: PermissionDesc              = PermissionDesc("manageShare", "Manage shares", "organisation")
-  lazy val manageAnalyse: PermissionDesc            = PermissionDesc("manageAnalyse", "Run Cortex analyzer", "organisation")
-  lazy val managePage: PermissionDesc               = PermissionDesc("managePage", "Manage pages", "organisation")
+  lazy val manageObservable: PermissionDesc         = PermissionDesc("manageObservable", "Manage observables", "organisation")
   lazy val manageObservableTemplate: PermissionDesc = PermissionDesc("manageObservableTemplate", "Manage observable types", "admin")
-  lazy val accessTheHiveFS: PermissionDesc          = PermissionDesc("accessTheHiveFS", "Access to TheHiveFS", "organisation")
+  lazy val manageOrganisation: PermissionDesc       = PermissionDesc("manageOrganisation", "Manage organisations", "admin")
+  lazy val managePage: PermissionDesc               = PermissionDesc("managePage", "Manage pages", "organisation")
+  lazy val managePattern: PermissionDesc            = PermissionDesc("managePattern", "Manage patterns", "admin")
+  lazy val manageProcedure: PermissionDesc          = PermissionDesc("manageProcedure", "Manage procedures", "organisation")
+  lazy val manageProfile: PermissionDesc            = PermissionDesc("manageProfile", "Manage user profiles", "admin")
+  lazy val manageShare: PermissionDesc              = PermissionDesc("manageShare", "Manage shares", "organisation")
+  lazy val manageTag: PermissionDesc                = PermissionDesc("manageTag", "Manage tags", "organisation")
+  lazy val manageTaxonomy: PermissionDesc           = PermissionDesc("manageTaxonomy", "Manage taxonomies", "admin")
+  lazy val manageTask: PermissionDesc               = PermissionDesc("manageTask", "Manage tasks", "organisation")
+  lazy val manageUser: PermissionDesc               = PermissionDesc("manageUser", "Manage users", "organisation", "admin")
+  lazy val managePlatform: PermissionDesc           = PermissionDesc("managePlatform", "Manage TheHive platform", "admin")
 
   lazy val list: Set[PermissionDesc] =
     Set(
-      manageCase,
-      manageObservable,
+      accessTheHiveFS,
+      manageAction,
       manageAlert,
-      manageUser,
-      manageOrganisation,
-      manageCaseTemplate,
+      manageAnalyse,
       manageAnalyzerTemplate,
-      manageTask,
-      manageAction,
+      manageCase,
+      manageCaseTemplate,
       manageConfig,
-      manageProfile,
-      manageTag,
       manageCustomField,
-      manageShare,
-      manageAnalyse,
-      managePage,
+      manageObservable,
       manageObservableTemplate,
-      accessTheHiveFS
+      manageOrganisation,
+      managePage,
+      managePattern,
+      managePlatform,
+      manageProcedure,
+      manageProfile,
+      manageShare,
+      manageTag,
+      manageTask,
+      manageTaxonomy,
+      manageUser
     )
 
   // These permissions are available only if the user is in admin organisation, they are removed for other organisations
diff --git a/thehive/app/org/thp/thehive/models/Procedure.scala b/thehive/app/org/thp/thehive/models/Procedure.scala
new file mode 100644
index 0000000000..27ddcd81a2
--- /dev/null
+++ b/thehive/app/org/thp/thehive/models/Procedure.scala
@@ -0,0 +1,29 @@
+package org.thp.thehive.models
+
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
+
+import java.util.Date
+
+@BuildVertexEntity
+case class Procedure(
+    description: Option[String],
+    occurDate: Date,
+    tactic: String
+    // metadata
+)
+
+@BuildEdgeEntity[Procedure, Pattern]
+case class ProcedurePattern()
+
+case class RichProcedure(procedure: Procedure with Entity, pattern: Pattern with Entity) {
+  def description: Option[String] = procedure.description
+  def occurDate: Date             = procedure.occurDate
+  def tactic: String              = procedure.tactic
+  def _id: EntityId               = procedure._id
+  def _createdAt: Date            = procedure._createdAt
+  def _createdBy: String          = procedure._createdBy
+  def _updatedAt: Option[Date]    = procedure._updatedAt
+  def _updatedBy: Option[String]  = procedure._updatedBy
+
+}
diff --git a/thehive/app/org/thp/thehive/models/SchemaUpdaterActor.scala b/thehive/app/org/thp/thehive/models/SchemaUpdaterActor.scala
deleted file mode 100644
index f9edf6ea0f..0000000000
--- a/thehive/app/org/thp/thehive/models/SchemaUpdaterActor.scala
+++ /dev/null
@@ -1,130 +0,0 @@
-package org.thp.thehive.models
-
-import akka.actor.{Actor, ActorRef, ActorSystem, PoisonPill, Props}
-import akka.cluster.singleton.{ClusterSingletonManager, ClusterSingletonManagerSettings, ClusterSingletonProxy, ClusterSingletonProxySettings}
-import akka.pattern.ask
-import akka.util.Timeout
-import org.thp.scalligraph.janus.JanusDatabase
-import org.thp.scalligraph.models.Database
-import org.thp.thehive.ClusterSetup
-import org.thp.thehive.services.LocalUserSrv
-import play.api.{Configuration, Logger}
-
-import javax.inject.{Inject, Provider, Singleton}
-import scala.concurrent.duration.{DurationInt, FiniteDuration}
-import scala.concurrent.{Await, ExecutionContext}
-
-@Singleton
-class DatabaseProvider @Inject() (
-    configuration: Configuration,
-    database: Database,
-    theHiveSchema: TheHiveSchemaDefinition,
-    actorSystem: ActorSystem,
-    clusterSetup: ClusterSetup // this dependency is here to ensure that cluster setup is finished
-) extends Provider[Database] {
-
-  lazy val dbInitialisationTimeout: FiniteDuration = configuration.get[FiniteDuration]("db.initialisationTimeout")
-  lazy val schemaUpdaterActor: ActorRef = {
-    val singletonManager =
-      actorSystem.actorOf(
-        ClusterSingletonManager.props(
-          singletonProps = Props(classOf[SchemaUpdaterActor], theHiveSchema, database),
-          terminationMessage = PoisonPill,
-          settings = ClusterSingletonManagerSettings(actorSystem)
-        ),
-        name = "theHiveSchemaUpdaterSingletonManager"
-      )
-
-    actorSystem.actorOf(
-      ClusterSingletonProxy.props(
-        singletonManagerPath = singletonManager.path.toStringWithoutAddress,
-        settings = ClusterSingletonProxySettings(actorSystem)
-      ),
-      name = "theHiveSchemaUpdaterSingletonProxy"
-    )
-  }
-
-  def databaseInstance: String =
-    database match {
-      case jdb: JanusDatabase => jdb.instanceId
-      case _                  => ""
-    }
-
-  override def get(): Database = {
-    implicit val timeout: Timeout = Timeout(dbInitialisationTimeout)
-    Await.result(schemaUpdaterActor ? RequestDB(databaseInstance), timeout.duration) match {
-      case DBReady => database.asInstanceOf[Database]
-    }
-  }
-}
-
-sealed trait SchemaUpdaterMessage
-case class RequestDB(databaseInstanceId: String) extends SchemaUpdaterMessage
-case object DBReady                              extends SchemaUpdaterMessage
-case object Update                               extends SchemaUpdaterMessage
-
-class SchemaUpdaterActor @Inject() (theHiveSchema: TheHiveSchemaDefinition, database: Database) extends Actor {
-
-  lazy val logger: Logger = Logger(getClass)
-
-  implicit val ec: ExecutionContext      = context.dispatcher
-  var originalConnectionIds: Set[String] = Set.empty
-
-  def update(): Unit = {
-    theHiveSchema
-      .update(database)(LocalUserSrv.getSystemAuthContext)
-      .map(_ => logger.info("Database is up-to-date"))
-      .recover {
-        case error => logger.error(s"Database with TheHiveSchema schema update failure", error)
-      }
-    logger.info("Install eventual missing indexes")
-    database.addSchemaIndexes(theHiveSchema).recover {
-      case error => logger.error(s"Database with TheHiveSchema index update failure", error)
-    }
-    ()
-  }
-
-  override def preStart(): Unit = {
-    originalConnectionIds = database match {
-      case jdb: JanusDatabase => jdb.openInstances
-      case _                  => Set.empty
-    }
-    logger.debug(s"Database open instances are: ${originalConnectionIds.mkString(",")}")
-  }
-
-  def hasUnknownConnections(instanceIds: Set[String]): Boolean = (originalConnectionIds -- instanceIds).nonEmpty
-
-  def dropUnknownConnections(instanceIds: Set[String]): Unit =
-    database match {
-      case jdb: JanusDatabase => jdb.dropConnections((originalConnectionIds -- instanceIds).toSeq)
-      case _                  =>
-    }
-
-  override def receive: Receive = {
-    case RequestDB(instanceId) =>
-      val instanceIds = Set(instanceId)
-      if (hasUnknownConnections(instanceIds)) {
-        logger.info("Database has unknown connections, wait 5 seconds for full cluster initialisation")
-        context.system.scheduler.scheduleOnce(5.seconds, self, Update)
-        context.become(receive(instanceIds, Seq(sender)))
-      } else {
-        logger.info("Database is ready to be updated")
-        update()
-        sender ! DBReady
-        context.become(receive(instanceIds, Nil))
-      }
-
-      def receive(instanceIds: Set[String], waitingClients: Seq[ActorRef]): Receive = {
-        case RequestDB(instanceId) if waitingClients.nonEmpty =>
-          context.become(receive(instanceIds + instanceId, waitingClients :+ sender))
-        case RequestDB(_) =>
-          sender ! DBReady
-        case Update =>
-          logger.info("Drop unknown connections and update the database")
-          dropUnknownConnections(instanceIds)
-          update()
-          waitingClients.foreach(_ ! DBReady)
-          context.become(receive(instanceIds, Nil))
-      }
-  }
-}
diff --git a/thehive/app/org/thp/thehive/models/SchemaUpdaterSerializer.scala b/thehive/app/org/thp/thehive/models/SchemaUpdaterSerializer.scala
deleted file mode 100644
index 8a0ba3ea82..0000000000
--- a/thehive/app/org/thp/thehive/models/SchemaUpdaterSerializer.scala
+++ /dev/null
@@ -1,27 +0,0 @@
-package org.thp.thehive.models
-
-import akka.serialization.Serializer
-
-import java.io.NotSerializableException
-
-class SchemaUpdaterSerializer extends Serializer {
-  override def identifier: Int = 272437668
-
-  override def includeManifest: Boolean = false
-
-  override def toBinary(o: AnyRef): Array[Byte] =
-    o match {
-      case RequestDB(instanceId) => 0.toByte +: instanceId.getBytes
-      case DBReady               => Array(1)
-      case Update                => Array(2)
-      case _                     => throw new NotSerializableException
-    }
-
-  override def fromBinary(bytes: Array[Byte], manifest: Option[Class[_]]): AnyRef =
-    bytes(0) match {
-      case 0 => RequestDB(new String(bytes.tail))
-      case 1 => DBReady
-      case 2 => Update
-      case _ => throw new NotSerializableException
-    }
-}
diff --git a/thehive/app/org/thp/thehive/models/Share.scala b/thehive/app/org/thp/thehive/models/Share.scala
index fb54294efa..ee529d1817 100644
--- a/thehive/app/org/thp/thehive/models/Share.scala
+++ b/thehive/app/org/thp/thehive/models/Share.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 
+import java.util.Date
+
 @BuildVertexEntity
 case class Share(owner: Boolean)
 
diff --git a/thehive/app/org/thp/thehive/models/Tag.scala b/thehive/app/org/thp/thehive/models/Tag.scala
index e188ee45c2..2acb23cc0f 100644
--- a/thehive/app/org/thp/thehive/models/Tag.scala
+++ b/thehive/app/org/thp/thehive/models/Tag.scala
@@ -2,26 +2,26 @@ package org.thp.thehive.models
 
 import org.thp.scalligraph.BuildVertexEntity
 import org.thp.scalligraph.models.{DefineIndex, IndexType}
-import play.api.Logger
-
-import scala.util.Try
-import scala.util.matching.Regex
 
 @DefineIndex(IndexType.unique, "namespace", "predicate", "value")
+@DefineIndex(IndexType.fulltext, "namespace", "predicate", "value", "description")
 @BuildVertexEntity
 case class Tag(
     namespace: String,
     predicate: String,
     value: Option[String],
     description: Option[String],
-    colour: Int
+    colour: String
 ) {
   override def hashCode(): Int = 31 * (31 * value.## + predicate.##) + namespace.##
 
-  override def equals(obj: Any): Boolean = obj match {
-    case Tag(n, p, v, _, _) => n == namespace && p == predicate && v == value
-    case _                  => false
-  }
+  override def equals(obj: Any): Boolean =
+    obj match {
+      case Tag(n, p, v, _, _) => n == namespace && p == predicate && v == value
+      case _                  => false
+    }
+
+  lazy val isFreeTag: Boolean = namespace.startsWith("_freetags_")
 
   override def canEqual(that: Any): Boolean = that.isInstanceOf[Tag]
 
@@ -30,27 +30,3 @@ case class Tag(
       (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
       value.fold("")(v => f"""="$v"""") // #$colour%06X
 }
-
-object Tag {
-  lazy val logger: Logger            = Logger(getClass)
-  val tagColour: Regex               = "(.*)#(\\p{XDigit}{6})".r
-  val namespacePredicateValue: Regex = "([^\".:=]+)[.:]([^\".=]+)=\"?([^\"]+)\"?".r
-  val namespacePredicate: Regex      = "([^\".:=]+)[.]([^\".=]+)".r
-  val PredicateValue: Regex          = "([^\".:=]+)[=:]\"?([^\"]+)\"?".r
-  val predicate: Regex               = "([^\".:=]+)".r
-
-  def fromString(tagName: String, defaultNamespace: String, defaultColour: Int = 0): Tag = {
-    val (name, colour) = tagName match {
-      case tagColour(n, c) => n       -> Try(Integer.parseUnsignedInt(c, 16)).getOrElse(defaultColour)
-      case _               => tagName -> defaultColour
-    }
-    name match {
-      case namespacePredicateValue(namespace, predicate, value) if value.exists(_ != '=') =>
-        Tag(namespace.trim, predicate.trim, Some(value.trim), None, colour)
-      case namespacePredicate(namespace, predicate) => Tag(namespace.trim, predicate.trim, None, None, colour)
-      case PredicateValue(predicate, value)         => Tag(defaultNamespace, predicate.trim, Some(value.trim), None, colour)
-      case predicate(predicate)                     => Tag(defaultNamespace, predicate.trim, None, None, colour)
-      case _                                        => Tag(defaultNamespace, name, None, None, colour)
-    }
-  }
-}
diff --git a/thehive/app/org/thp/thehive/models/Task.scala b/thehive/app/org/thp/thehive/models/Task.scala
index 4ad6480153..300f2f20e4 100644
--- a/thehive/app/org/thp/thehive/models/Task.scala
+++ b/thehive/app/org/thp/thehive/models/Task.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph._
 import org.thp.scalligraph.models.{DefineIndex, Entity, IndexType}
 import play.api.libs.json.{Format, Json}
 
+import java.util.Date
+
 object TaskStatus extends Enumeration {
   val Waiting, InProgress, Completed, Cancel = Value
 
@@ -19,7 +19,17 @@ case class TaskUser()
 case class TaskLog()
 
 @BuildVertexEntity
-@DefineIndex(IndexType.basic, "status")
+@DefineIndex(IndexType.fulltext, "title")
+@DefineIndex(IndexType.standard, "group")
+@DefineIndex(IndexType.fulltext, "description")
+@DefineIndex(IndexType.standard, "status")
+@DefineIndex(IndexType.standard, "flag")
+@DefineIndex(IndexType.standard, "startDate")
+@DefineIndex(IndexType.standard, "endDate")
+@DefineIndex(IndexType.standard, "order")
+@DefineIndex(IndexType.standard, "dueDate")
+@DefineIndex(IndexType.standard, "assignee")
+@DefineIndex(IndexType.standard, "organisationIds")
 case class Task(
     title: String,
     group: String,
@@ -29,12 +39,15 @@ case class Task(
     startDate: Option[Date],
     endDate: Option[Date],
     order: Int,
-    dueDate: Option[Date]
+    dueDate: Option[Date],
+    /* filled by the service */
+    assignee: Option[String],
+    relatedId: EntityId = EntityId(""),
+    organisationIds: Set[EntityId] = Set.empty
 )
 
 case class RichTask(
-    task: Task with Entity,
-    assignee: Option[User with Entity]
+    task: Task with Entity
 ) {
   def _id: EntityId               = task._id
   def _createdBy: String          = task._createdBy
@@ -50,4 +63,5 @@ case class RichTask(
   def endDate: Option[Date]       = task.endDate
   def order: Int                  = task.order
   def dueDate: Option[Date]       = task.dueDate
+  def assignee: Option[String]    = task.assignee
 }
diff --git a/thehive/app/org/thp/thehive/models/Taxonomy.scala b/thehive/app/org/thp/thehive/models/Taxonomy.scala
new file mode 100644
index 0000000000..fc074467cc
--- /dev/null
+++ b/thehive/app/org/thp/thehive/models/Taxonomy.scala
@@ -0,0 +1,30 @@
+package org.thp.thehive.models
+
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
+
+import java.util.Date
+
+@BuildVertexEntity
+case class Taxonomy(
+    namespace: String,
+    description: String,
+    version: Int
+)
+
+@BuildEdgeEntity[Taxonomy, Tag]
+case class TaxonomyTag()
+
+case class RichTaxonomy(
+    taxonomy: Taxonomy with Entity,
+    tags: Seq[Tag with Entity]
+) {
+  def _id: EntityId              = taxonomy._id
+  def _createdBy: String         = taxonomy._createdBy
+  def _updatedBy: Option[String] = taxonomy._updatedBy
+  def _createdAt: Date           = taxonomy._createdAt
+  def _updatedAt: Option[Date]   = taxonomy._updatedAt
+  def namespace: String          = taxonomy.namespace
+  def description: String        = taxonomy.description
+  def version: Int               = taxonomy.version
+}
diff --git a/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala b/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
index 5f797b4f89..e5e0e55460 100644
--- a/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
+++ b/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
@@ -1,22 +1,24 @@
 package org.thp.thehive.models
 
-import java.lang.reflect.Modifier
-
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.Graph
+import org.apache.tinkerpop.gremlin.process.traversal.{Order, P, TextP}
 import org.apache.tinkerpop.gremlin.structure.VertexProperty.Cardinality
 import org.janusgraph.core.schema.ConsistencyModifier
 import org.janusgraph.graphdb.types.TypeDefinitionCategory
 import org.reflections.Reflections
 import org.reflections.scanners.SubTypesScanner
 import org.reflections.util.ConfigurationBuilder
+import org.thp.scalligraph.EntityId
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.janus.JanusDatabase
 import org.thp.scalligraph.models._
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.thehive.services.LocalUserSrv
 import play.api.Logger
 
+import java.lang.reflect.Modifier
+import java.util.Date
+import javax.inject.{Inject, Singleton}
 import scala.collection.JavaConverters._
 import scala.reflect.runtime.{universe => ru}
 import scala.util.{Success, Try}
@@ -53,6 +55,7 @@ class TheHiveSchemaDefinition @Inject() extends Schema with UpdatableSchema {
               case error => logger.warn(s"Unable to remove lock on property $name: $error")
             }
         }
+      // TODO remove unused commented code ?
       // def removeIndexLock(name: String): Try[Unit] =
       //   db.managementTransaction { mgmt =>
       //     Try(mgmt.setConsistency(mgmt.getGraphIndex(name), ConsistencyModifier.DEFAULT))
@@ -83,11 +86,311 @@ class TheHiveSchemaDefinition @Inject() extends Schema with UpdatableSchema {
         .iterate()
       Success(())
     }
+    //=====[release 4.0.2]=====
     .addProperty[Boolean]("ShareTask", "actionRequired")
     .updateGraph("Add actionRequire property", "Share") { traversal =>
       traversal.outE[ShareTask].raw.property("actionRequired", false).iterate()
       Success(())
     }
+    //=====[release 4.0.3]=====
+    //=====[release 4.0.4]=====
+    //=====[release 4.0.5]=====
+    // Taxonomies
+    .addVertexModel[String]("Taxonomy")
+    .addProperty[String]("Taxonomy", "namespace")
+    .addProperty[String]("Taxonomy", "description")
+    .addProperty[Int]("Taxonomy", "version")
+    .dbOperation[Database]("Add Custom taxonomy vertex for each Organisation") { db =>
+      db.tryTransaction { implicit graph =>
+        // For each organisation, if there is no custom taxonomy, create it
+        graph.V("Organisation").unsafeHas("name", P.neq("admin")).foreach { o =>
+          val hasFreetagsTaxonomy = graph
+            .V("Organisation", EntityId(o.id))
+            .out[OrganisationTaxonomy]
+            .v[Taxonomy]
+            .unsafeHas("namespace", s"_freetags_${o.id()}")
+            .exists
+          if (!hasFreetagsTaxonomy) {
+            val taxoVertex = graph.addVertex("Taxonomy")
+            taxoVertex.property("_label", "Taxonomy")
+            taxoVertex.property("_createdBy", "system@thehive.local")
+            taxoVertex.property("_createdAt", new Date())
+            taxoVertex.property("namespace", s"_freetags_${o.id()}")
+            taxoVertex.property("description", "Custom taxonomy")
+            taxoVertex.property("version", 1)
+            o.addEdge("OrganisationTaxonomy", taxoVertex)
+          }
+        }
+        Success(())
+      }
+    }
+    .updateGraph("Add each tag to its Organisation's FreeTags taxonomy", "Tag") { tags =>
+      tags
+        .project(
+          _.by.by(
+            _.unionFlat(
+              _.in("CaseTag").in("ShareCase").in("OrganisationShare"),
+              _.in("ObservableTag").unionFlat(_.in("ShareObservable").in("OrganisationShare"), _.in("AlertObservable").out("AlertOrganisation")),
+              _.in("AlertTag").out("AlertOrganisation"),
+              _.in("CaseTemplateTag").out("CaseTemplateOrganisation")
+            )
+              .dedup
+              .sort(_.by("_createdAt", Order.desc))
+              .limit(1)
+              .out("OrganisationTaxonomy")
+              .unsafeHas("namespace", TextP.startingWith("_freetags_"))
+              .option
+          )
+        )
+        .foreach {
+          case (tag, Some(freetagsTaxo)) =>
+            val tagStr = tagString(
+              tag.property[String]("namespace").value(),
+              tag.property[String]("predicate").value(),
+              tag.property[String]("value").orElse("")
+            )
+            tag.property("namespace", freetagsTaxo.property[String]("namespace").value)
+            tag.property("predicate", tagStr)
+            tag.property("value").remove()
+            freetagsTaxo.addEdge("TaxonomyTag", tag)
+          case (tag, None) =>
+            val tagStr = tagString(
+              tag.property[String]("namespace").value(),
+              tag.property[String]("predicate").value(),
+              tag.property[String]("value").orElse("")
+            )
+            logger.warn(s"Tag $tagStr is not linked to any organisation")
+        }
+      Success(())
+    }
+    .updateGraph("Add manageTaxonomy to admin profile", "Profile") { traversal =>
+      traversal.unsafeHas("name", "admin").raw.property("permissions", "manageTaxonomy").iterate()
+      Success(())
+    }
+    .updateGraph("Remove colour property for Tags", "Tag") { traversal =>
+      traversal.removeProperty("colour").iterate()
+      Success(())
+    }
+    .removeProperty("Tag", "colour", usedOnlyByThisModel = true)
+    .addProperty[String]("Tag", "colour")
+    .updateGraph("Add property colour for Tags ", "Tag") { traversal =>
+      traversal.raw.property("colour", "#000000").iterate()
+      Success(())
+    }
+    // Patterns
+    .updateGraph("Add managePattern permission to admin profile", "Profile") { traversal =>
+      traversal.unsafeHas("name", "admin").raw.property("permissions", "managePattern").iterate()
+      Success(())
+    }
+    .updateGraph("Add manageProcedure permission to org-admin and analyst profiles", "Profile") { traversal =>
+      traversal
+        .unsafeHas("name", P.within("org-admin", "analyst"))
+        .raw
+        .property("permissions", "manageProcedure")
+        .iterate()
+      Success(())
+    }
+    // Index backend
+    /* Alert index  */
+    .addProperty[Seq[String]]("Alert", "tags")
+    .addProperty[EntityId]("Alert", "organisationId")
+    .addProperty[Option[EntityId]]("Alert", "caseId")
+    .updateGraph("Add tags, organisationId and caseId in alerts", "Alert") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.out("AlertTag").valueMap("namespace", "predicate", "value").fold)
+            .by(_.out("AlertOrganisation")._id.option)
+            .by(_.out("AlertCase")._id.option)
+        )
+        .foreach {
+          case (vertex, tagMaps, Some(organisationId), caseId) =>
+            val tags = for {
+              tag <- tagMaps.asInstanceOf[Seq[Map[String, String]]]
+              namespace = tag.getOrElse("namespace", "_autocreate")
+              predicate <- tag.get("predicate")
+              value = tag.get("value")
+            } yield
+              (if (namespace.headOption.getOrElse('_') == '_') "" else namespace + ':') +
+                (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
+                value.fold("")(v => f"""="$v"""")
+
+            tags.foreach(vertex.property(Cardinality.list, "tags", _))
+            vertex.property("organisationId", organisationId.value)
+            caseId.foreach(vertex.property("caseId", _))
+          case _ =>
+        }
+      Success(())
+    }
+    /* Case index  */
+    .addProperty[Seq[String]]("Case", "tags")
+    .addProperty[Option[String]]("Case", "assignee")
+    .addProperty[Set[EntityId]]("Case", "organisationIds")
+    .addProperty[Option[String]]("Case", "impactStatus")
+    .addProperty[Option[String]]("Case", "resolutionStatus")
+    .addProperty[Option[String]]("Case", "caseTemplate")
+    .updateGraph("Add tags, assignee, organisationIds, impactStatus, resolutionStatus and caseTemplate data in cases", "Case") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.out("CaseTag").valueMap("namespace", "predicate", "value").fold)
+            .by(_.out("CaseUser").property("login", UMapping.string).option)
+            .by(_.in("ShareCase").in("OrganisationShare")._id.fold)
+            .by(_.out("CaseImpactStatus").property("value", UMapping.string).option)
+            .by(_.out("CaseResolutionStatus").property("value", UMapping.string).option)
+            .by(_.out("CaseCaseTemplate").property("name", UMapping.string).option)
+        )
+        .foreach {
+          case (vertex, tagMaps, assignee, organisationIds, impactStatus, resolutionStatus, caseTemplate) =>
+            val tags = for {
+              tag <- tagMaps.asInstanceOf[Seq[Map[String, String]]]
+              namespace = tag.getOrElse("namespace", "_autocreate")
+              predicate <- tag.get("predicate")
+              value = tag.get("value")
+            } yield
+              (if (namespace.headOption.getOrElse('_') == '_') "" else namespace + ':') +
+                (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
+                value.fold("")(v => f"""="$v"""")
+
+            tags.foreach(vertex.property(Cardinality.list, "tags", _))
+            assignee.foreach(vertex.property("assignee", _))
+            organisationIds.foreach(id => vertex.property(Cardinality.set, "organisationIds", id.value))
+            impactStatus.foreach(vertex.property("impactStatus", _))
+            resolutionStatus.foreach(vertex.property("resolutionStatus", _))
+            caseTemplate.foreach(vertex.property("caseTemplate", _))
+        }
+      Success(())
+    }
+    /* CaseTemplate index  */
+    .addProperty[Seq[String]]("CaseTemplate", "tags")
+    .updateGraph("Add tags in caseTempates", "CaseTemplate") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.out("CaseTemplateTag").valueMap("namespace", "predicate", "value").fold)
+        )
+        .foreach {
+          case (vertex, tagMaps) =>
+            val tags = for {
+              tag <- tagMaps.asInstanceOf[Seq[Map[String, String]]]
+              namespace = tag.getOrElse("namespace", "_autocreate")
+              predicate <- tag.get("predicate")
+              value = tag.get("value")
+            } yield
+              (if (namespace.headOption.getOrElse('_') == '_') "" else namespace + ':') +
+                (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
+                value.fold("")(v => f"""="$v"""")
+
+            tags.foreach(vertex.property(Cardinality.list, "tags", _))
+        }
+      Success(())
+    }
+    /* Log index */
+    .addProperty[String]("Log", "taskId")
+    .addProperty[Set[EntityId]]("Log", "organisationIds")
+    .updateGraph("Add taskId and organisationIds data in logs", "Log") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.in("TaskLog")._id)
+            .by(_.in("TaskLog").in("ShareTask").in("OrganisationShare")._id.fold)
+        )
+        .foreach {
+          case (vertex, taskId, organisationIds) =>
+            vertex.property("taskId", taskId)
+            organisationIds.foreach(id => vertex.property(Cardinality.set, "organisationIds", id.value))
+        }
+      Success(())
+    }
+    /* Observable index */
+    .addProperty[String]("Observable", "dataType")
+    .addProperty[Seq[String]]("Observable", "tags")
+    .addProperty[String]("Observable", "data")
+    .addProperty[EntityId]("Observable", "relatedId")
+    .addProperty[Set[EntityId]]("Observable", "organisationIds")
+    .updateGraph("Add dataType, tags, data, relatedId and organisationIds data in observables", "Observable") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.out("ObservableObservableType").property("name", UMapping.string))
+            .by(_.out("ObservableTag").valueMap("namespace", "predicate", "value").fold)
+            .by(_.out("ObservableData").property("data", UMapping.string).option)
+            .by(_.out("ObservableAttachment").property("attachmentId", UMapping.string).option)
+            .by(_.coalesceIdent(_.in("ShareObservable").out("ShareCase"), _.in("AlertObservable"), _.in("ReportObservable"))._id.option)
+            .by(
+              _.coalesceIdent(
+                _.optional(_.in("ReportObservable").in("ObservableJob")).in("ShareObservable").in("OrganisationShare"),
+                _.in("AlertObservable").out("AlertOrganisation")
+              )
+                ._id
+                .fold
+            )
+        )
+        .foreach {
+          case (vertex, dataType, tagMaps, data, attachmentId, Some(relatedId), organisationIds) =>
+            val tags = for {
+              tag <- tagMaps.asInstanceOf[Seq[Map[String, String]]]
+              namespace = tag.getOrElse("namespace", "_autocreate")
+              predicate <- tag.get("predicate")
+              value = tag.get("value")
+            } yield
+              (if (namespace.headOption.getOrElse('_') == '_') "" else namespace + ':') +
+                (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
+                value.fold("")(v => f"""="$v"""")
+
+            vertex.property("dataType", dataType)
+            tags.foreach(vertex.property(Cardinality.list, "tags", _))
+            data.foreach(vertex.property("data", _))
+            attachmentId.foreach(vertex.property("attachmentId", _))
+            vertex.property("relatedId", relatedId.value)
+            organisationIds.foreach(id => vertex.property(Cardinality.set, "organisationIds", id.value))
+          case _ =>
+        }
+      Success(())
+    }
+    /* Task index */
+    .addProperty[Option[String]]("Task", "assignee")
+    .addProperty[Set[EntityId]]("Task", "organisationIds")
+    .addProperty[EntityId]("Task", "relatedId")
+    .updateGraph("Add assignee, relatedId and organisationIds data in tasks", "Task") { traversal =>
+      traversal
+        .project(
+          _.by
+            .by(_.out("TaskUser").property("login", UMapping.string).option)
+            .by(_.coalesceIdent(_.in("ShareTask").out("ShareCase"), _.in("CaseTemplateTask"))._id.option)
+            .by(_.coalesceIdent(_.in("ShareTask").in("OrganisationShare"), _.in("CaseTemplateTask").out("CaseTemplateOrganisation"))._id.fold)
+        )
+        .foreach {
+          case (vertex, assignee, Some(relatedId), organisationIds) =>
+            assignee.foreach(vertex.property("assignee", _))
+            vertex.property("relatedId", relatedId.value)
+            organisationIds.foreach(id => vertex.property(Cardinality.set, "organisationIds", id.value))
+          case _ =>
+        }
+      Success(())
+    }
+    .updateGraph("Add managePlatform permission to admin profile", "Profile") { traversal =>
+      traversal.unsafeHas("name", "admin").raw.property("permissions", "managePlatform").iterate()
+      Success(())
+    }
+    .updateGraph("Remove manageTag permission to admin profile", "Profile") { traversal =>
+      traversal.unsafeHas("name", "admin").raw.properties[String]("permissions").forEachRemaining(p => if (p.value() == "manageTag") p.remove())
+      Success(())
+    }
+    .updateGraph("Add manageTag permission to org-admin profile", "Profile") { traversal =>
+      traversal.unsafeHas("name", "org-admin").raw.property("permissions", "manageTag").iterate()
+      Success(())
+    }
+    .updateGraph("Remove deleted logs and deleted property from logs", "Log") { traversal =>
+      traversal.clone().unsafeHas("deleted", "true").remove()
+      traversal.removeProperty("deleted")
+      Success(())
+    }
+    .removeProperty(model = "Log", propertyName = "deleted", usedOnlyByThisModel = true)
+    .updateGraph("Make shared dashboard writable", "Dashboard") { traversal =>
+      traversal.outE("OrganisationDashboard").raw.property("writable", true).iterate()
+      Success(())
+    }
 
   val reflectionClasses = new Reflections(
     new ConfigurationBuilder()
@@ -115,5 +418,12 @@ class TheHiveSchemaDefinition @Inject() extends Schema with UpdatableSchema {
     case vertexModel: VertexModel => vertexModel.getInitialValues
   }.flatten
 
+  private def tagString(namespace: String, predicate: String, value: String): String =
+    (if (namespace.headOption.getOrElse('_') == '_') "" else namespace + ':') +
+      (if (predicate.headOption.getOrElse('_') == '_') "" else predicate) +
+      (if (value.isEmpty) "" else f"""="$value"""")
+
   override def init(db: Database)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = Success(())
+
+  override val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
 }
diff --git a/thehive/app/org/thp/thehive/models/User.scala b/thehive/app/org/thp/thehive/models/User.scala
index 73a45f5309..6e20df04b5 100644
--- a/thehive/app/org/thp/thehive/models/User.scala
+++ b/thehive/app/org/thp/thehive/models/User.scala
@@ -1,12 +1,12 @@
 package org.thp.thehive.models
 
-import java.util.Date
-
 import org.thp.scalligraph.auth.{Permission, User => ScalligraphUser}
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.{BuildEdgeEntity, BuildVertexEntity, EntityId}
 import org.thp.thehive.services.LocalPasswordAuthSrv
 
+import java.util.Date
+
 @BuildEdgeEntity[User, Role]
 case class UserRole()
 
diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
index 63ded04b64..c72a62c876 100644
--- a/thehive/app/org/thp/thehive/services/AlertSrv.scala
+++ b/thehive/app/org/thp/thehive/services/AlertSrv.scala
@@ -1,13 +1,15 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import org.apache.tinkerpop.gremlin.structure.Graph
+import org.apache.tinkerpop.gremlin.process.traversal.{Order, P}
 import org.thp.scalligraph.auth.{AuthContext, Permission}
+import org.thp.scalligraph.controllers.FFile
 import org.thp.scalligraph.models._
+import org.thp.scalligraph.query.PredicateOps.PredicateOpsDefs
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IdentityConverter, StepLabel, Traversal}
+import org.thp.scalligraph.traversal._
 import org.thp.scalligraph.{BadRequestError, CreateError, EntityId, EntityIdOrName, RichOptionTry, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputCustomFieldValue
@@ -17,11 +19,10 @@ import org.thp.thehive.services.CaseOps._
 import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.CustomFieldOps._
 import org.thp.thehive.services.ObservableOps._
-import org.thp.thehive.services.OrganisationOps._
-import play.api.libs.json.{JsObject, Json}
+import play.api.libs.json.{JsObject, JsValue, Json}
 
 import java.lang.{Long => JLong}
-import java.util.{Date, List => JList, Map => JMap}
+import java.util.{Date, Map => JMap}
 import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
@@ -34,9 +35,8 @@ class AlertSrv @Inject() (
     caseTemplateSrv: CaseTemplateSrv,
     observableSrv: ObservableSrv,
     auditSrv: AuditSrv,
+    attachmentSrv: AttachmentSrv,
     @Named("integrity-check-actor") integrityCheckActor: ActorRef
-)(implicit
-    @Named("with-thehive-schema") db: Database
 ) extends VertexSrv[Alert] {
 
   val alertTagSrv          = new EdgeSrv[AlertTag, Alert, Tag]
@@ -49,7 +49,7 @@ class AlertSrv @Inject() (
   override def getByName(name: String)(implicit graph: Graph): Traversal.V[Alert] =
     name.split(';') match {
       case Array(tpe, source, sourceRef) => startTraversal.getBySourceId(tpe, source, sourceRef)
-      case _                             => startTraversal.limit(0)
+      case _                             => startTraversal.empty
     }
 
   def create(
@@ -64,7 +64,7 @@ class AlertSrv @Inject() (
   ): Try[RichAlert] =
     tagNames.toTry(tagSrv.getOrCreate).flatMap(create(alert, organisation, _, customFields, caseTemplate))
 
-  def create(
+  private def create(
       alert: Alert,
       organisation: Organisation with Entity,
       tags: Seq[Tag with Entity],
@@ -74,17 +74,17 @@ class AlertSrv @Inject() (
       graph: Graph,
       authContext: AuthContext
   ): Try[RichAlert] = {
-    val alertAlreadyExist = startTraversal.getBySourceId(alert.`type`, alert.source, alert.sourceRef).organisation.current.exists
+    val alertAlreadyExist = startTraversal.getBySourceId(alert.`type`, alert.source, alert.sourceRef).inOrganisation(organisation._id).exists
     if (alertAlreadyExist)
       Failure(CreateError(s"Alert ${alert.`type`}:${alert.source}:${alert.sourceRef} already exist in organisation ${organisation.name}"))
     else
       for {
-        createdAlert <- createEntity(alert)
+        createdAlert <- createEntity(alert.copy(organisationId = organisation._id))
         _            <- alertOrganisationSrv.create(AlertOrganisation(), createdAlert, organisation)
         _            <- caseTemplate.map(ct => alertCaseTemplateSrv.create(AlertCaseTemplate(), createdAlert, ct)).flip
         _            <- tags.toTry(t => alertTagSrv.create(AlertTag(), createdAlert, t))
         cfs          <- customFields.toTry { cf: InputCustomFieldValue => createCustomField(createdAlert, cf) }
-        richAlert = RichAlert(createdAlert, organisation.name, tags, cfs, None, caseTemplate.map(_.name), 0)
+        richAlert = RichAlert(createdAlert, cfs, None, caseTemplate.map(_.name), 0)
         _ <- auditSrv.alert.create(createdAlert, richAlert.toJson)
       } yield richAlert
   }
@@ -101,62 +101,55 @@ class AlertSrv @Inject() (
           .flatMap(auditSrv.alert.update(_, updatedFields))
     }
 
-  def updateTags(alert: Alert with Entity, tags: Set[Tag with Entity])(implicit
+  def updateTags(alert: Alert with Entity, tags: Set[String])(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[(Set[Tag with Entity], Set[Tag with Entity])] = {
-    val (tagsToAdd, tagsToRemove) = get(alert)
-      .tags
-      .toIterator
-      .foldLeft((tags, Set.empty[Tag with Entity])) {
-        case ((toAdd, toRemove), t) if toAdd.contains(t) => (toAdd - t, toRemove)
-        case ((toAdd, toRemove), t)                      => (toAdd, toRemove + t)
-      }
+  ): Try[(Seq[Tag with Entity], Seq[Tag with Entity])] =
     for {
-//      createdTags <- tagsToAdd.toTry(tagSrv.getOrCreate)
+      tagsToAdd <- (tags -- alert.tags).toTry(tagSrv.getOrCreate)
+      tagsToRemove = get(alert).tags.toSeq.filterNot(t => tags.contains(t.toString))
       _ <- tagsToAdd.toTry(alertTagSrv.create(AlertTag(), alert, _))
-      _ = get(alert).removeTags(tagsToRemove)
-      _ <- auditSrv.alert.update(alert, Json.obj("tags" -> tags.map(_.toString)))
+      _ = if (tags.nonEmpty) get(alert).outE[AlertTag].filter(_.otherV.hasId(tagsToRemove.map(_._id): _*)).remove()
+      _ <- get(alert).update(_.tags, tags.toSeq).getOrFail("Alert")
+      _ <- auditSrv.alert.update(alert, Json.obj("tags" -> tags))
     } yield (tagsToAdd, tagsToRemove)
 
-  }
+  def addTags(alert: Alert with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    updateTags(alert, tags ++ alert.tags).map(_ => ())
 
-  def updateTagNames(alert: Alert with Entity, tags: Set[String])(implicit
+  def createObservable(alert: Alert with Entity, observable: Observable, data: String)(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[(Set[Tag with Entity], Set[Tag with Entity])] =
-    tags.toTry(tagSrv.getOrCreate).flatMap(t => updateTags(alert, t.toSet))
-
-  def addTags(alert: Alert with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val currentTags = get(alert)
-      .tags
-      .toSeq
-      .map(_.toString)
-      .toSet
+  ): Try[RichObservable] =
     for {
-      createdTags <- (tags -- currentTags).toTry(tagSrv.getOrCreate)
-      _           <- createdTags.toTry(alertTagSrv.create(AlertTag(), alert, _))
-      _           <- auditSrv.alert.update(alert, Json.obj("tags" -> (currentTags ++ tags)))
-    } yield ()
-  }
+      createdObservable <- observableSrv.create(observable.copy(organisationIds = Set(organisationSrv.currentId), relatedId = alert._id), data)
+      _                 <- alertObservableSrv.create(AlertObservable(), alert, createdObservable.observable)
+      _                 <- auditSrv.observableInAlert.create(createdObservable.observable, alert, createdObservable.toJson)
+    } yield createdObservable
 
-  def removeObservable(alert: Alert with Entity, observable: Observable with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-    observableSrv
-      .get(observable)
-      .inE[AlertObservable]
-      .filter(_.outV.hasId(alert._id))
-      .getOrFail("Observable")
-      .flatMap { alertObservable =>
-        alertObservableSrv.get(alertObservable).remove()
-        auditSrv.observableInAlert.delete(observable, Some(alert))
-      }
+  def createObservable(alert: Alert with Entity, observable: Observable, attachment: Attachment with Entity)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[RichObservable] =
+    for {
+      createdObservable <- observableSrv.create(observable.copy(organisationIds = Set(organisationSrv.currentId), relatedId = alert._id), attachment)
+      _                 <- alertObservableSrv.create(AlertObservable(), alert, createdObservable.observable)
+      _                 <- auditSrv.observableInAlert.create(createdObservable.observable, alert, createdObservable.toJson)
+    } yield createdObservable
+
+  def createObservable(alert: Alert with Entity, observable: Observable, file: FFile)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[RichObservable] =
+    attachmentSrv.create(file).flatMap(attachment => createObservable(alert, observable, attachment))
 
+  @deprecated("use createObservable", "0.2")
   def addObservable(alert: Alert with Entity, richObservable: RichObservable)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Unit] = {
     val maybeExistingObservable = richObservable.dataOrAttachment match {
-      case Left(data)        => get(alert).observables.filterOnData(data.data)
+      case Left(data)        => get(alert).observables.filterOnData(data)
       case Right(attachment) => get(alert).observables.filterOnAttachmentId(attachment.attachmentId)
     }
     maybeExistingObservable
@@ -217,29 +210,29 @@ class AlertSrv @Inject() (
 
   def markAsUnread(alertId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
-      alert <- get(alertId).update(_.read, false: Boolean).getOrFail("Alert")
+      alert <- get(alertId).update[Boolean](_.read, false).getOrFail("Alert")
       _     <- auditSrv.alert.update(alert, Json.obj("read" -> false))
     } yield ()
 
   def markAsRead(alertId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
-      alert <- get(alertId).update(_.read, true: Boolean).getOrFail("Alert")
+      alert <- get(alertId).update[Boolean](_.read, true).getOrFail("Alert")
       _     <- auditSrv.alert.update(alert, Json.obj("read" -> true))
     } yield ()
 
   def followAlert(alertId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
-      alert <- get(alertId).update(_.follow, true: Boolean).getOrFail("Alert")
+      alert <- get(alertId).update[Boolean](_.follow, true).getOrFail("Alert")
       _     <- auditSrv.alert.update(alert, Json.obj("follow" -> true))
     } yield ()
 
   def unfollowAlert(alertId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
-      alert <- get(alertId).update(_.follow, false: Boolean).getOrFail("Alert")
+      alert <- get(alertId).update[Boolean](_.follow, false).getOrFail("Alert")
       _     <- auditSrv.alert.update(alert, Json.obj("follow" -> false))
     } yield ()
 
-  def createCase(alert: RichAlert, user: Option[User with Entity], organisation: Organisation with Entity)(implicit
+  def createCase(alert: RichAlert, assignee: Option[User with Entity], organisation: Organisation with Entity)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[RichCase] =
@@ -253,7 +246,6 @@ class AlertSrv @Inject() (
               .flip
           customField = alert.customFields.map(f => InputCustomFieldValue(f.name, f.value, f.order))
           case0 = Case(
-            number = 0,
             title = caseTemplate.flatMap(_.titlePrefix).getOrElse("") + alert.title,
             description = alert.description,
             severity = alert.severity,
@@ -263,10 +255,11 @@ class AlertSrv @Inject() (
             tlp = alert.tlp,
             pap = alert.pap,
             status = CaseStatus.Open,
-            summary = None
+            summary = None,
+            alert.tags
           )
 
-          createdCase <- caseSrv.create(case0, user, organisation, alert.tags.toSet, customField, caseTemplate, Nil)
+          createdCase <- caseSrv.create(case0, assignee, organisation, customField, caseTemplate, Nil)
           _           <- importObservables(alert.alert, createdCase.`case`)
           _           <- alertCaseSrv.create(AlertCase(), alert.alert, createdCase.`case`)
           _           <- markAsRead(alert._id)
@@ -295,14 +288,14 @@ class AlertSrv @Inject() (
             _ <- markAsRead(alert._id)
             _ <- importObservables(alert, `case`)
             _ <- importCustomFields(alert, `case`)
-            _ <- caseSrv.addTags(`case`, get(alert).tags.toSeq.map(_.toString).toSet)
+            _ <- caseSrv.addTags(`case`, alert.tags.toSet)
             _ <- alertCaseSrv.create(AlertCase(), alert, `case`)
             c <- caseSrv.get(`case`).update(_.description, description).getOrFail("Case")
             details <- Success(
               Json.obj(
                 "customFields" -> get(alert).richCustomFields.toSeq.map(_.toOutput.toJson),
                 "description"  -> c.description,
-                "tags"         -> caseSrv.get(`case`).tags.toSeq.map(_.toString)
+                "tags"         -> (`case`.tags ++ alert.tags).distinct
               )
             )
           } yield details
@@ -319,23 +312,26 @@ class AlertSrv @Inject() (
       .richObservable
       .toIterator
       .toTry { richObservable =>
-        observableSrv
-          .duplicate(richObservable)
-          .flatMap(duplicatedObservable => caseSrv.addObservable(`case`, duplicatedObservable))
+        richObservable
+          .dataOrAttachment
+          .fold(
+            data => caseSrv.createObservable(`case`, richObservable.observable, data),
+            attachment => caseSrv.createObservable(`case`, richObservable.observable, attachment)
+          )
           .recover {
             case _: CreateError => // if case already contains observable, update tags
-              caseSrv
-                .get(`case`)
-                .observables
-                .filter { o =>
-                  richObservable.dataOrAttachment.fold(d => o.filterOnData(d.data), a => o.attachments.has(_.attachmentId, a.attachmentId))
-                }
+              richObservable
+                .dataOrAttachment
+                .fold(
+                  data => observableSrv.startTraversal.filterOnData(data),
+                  attachment => observableSrv.startTraversal.filterOnAttachmentId(attachment.attachmentId)
+                )
+                .filterOnData(richObservable.dataType)
+                .relatedTo(`case`._id)
+                .inOrganisation(organisationSrv.currentId)
                 .headOption
                 .foreach { observable =>
-                  val newTags = observableSrv
-                    .get(observable)
-                    .tags
-                    .toSet ++ richObservable.tags
+                  val newTags = (observable.tags ++ richObservable.tags).toSet
                   observableSrv.updateTags(observable, newTags)
                 }
           }
@@ -358,7 +354,7 @@ class AlertSrv @Inject() (
   def remove(alert: Alert with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
       organisation <- organisationSrv.getOrFail(authContext.organisation)
-      _            <- get(alert).observables.toIterator.toTry(observableSrv.remove(_))
+      _            <- get(alert).observables.toIterator.toTry(observableSrv.delete(_))
       _ = get(alert).remove()
       _ <- auditSrv.alert.delete(alert, organisation)
     } yield ()
@@ -372,7 +368,7 @@ object AlertOps {
         traversal.getByIds(_),
         _.split(';') match {
           case Array(tpe, source, sourceRef) => getBySourceId(tpe, source, sourceRef)
-          case _                             => traversal.limit(0)
+          case _                             => traversal.empty
         }
       )
 
@@ -382,6 +378,9 @@ object AlertOps {
         .has(_.source, source)
         .has(_.sourceRef, sourceRef)
 
+    def inOrganisation(organisationId: EntityId): Traversal.V[Alert] =
+      traversal.has(_.organisationId, organisationId)
+
     def filterByType(`type`: String): Traversal.V[Alert] = traversal.has(_.`type`, `type`)
 
     def filterBySource(source: String): Traversal.V[Alert] = traversal.has(_.source, source)
@@ -392,23 +391,19 @@ object AlertOps {
 
     def `case`: Traversal.V[Case] = traversal.out[AlertCase].v[Case]
 
-    def removeTags(tags: Set[Tag with Entity]): Unit =
-      if (tags.nonEmpty)
-        traversal.outE[AlertTag].filter(_.otherV.hasId(tags.map(_._id).toSeq: _*)).remove()
-
-    def visible(implicit authContext: AuthContext): Traversal.V[Alert] =
-      traversal.filter(_.organisation.get(authContext.organisation))
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Alert] =
+      traversal.has(_.organisationId, organisationSrv.currentId(traversal.graph, authContext))
 
-    def can(permission: Permission)(implicit authContext: AuthContext): Traversal.V[Alert] =
+    def can(organisationSrv: OrganisationSrv, permission: Permission)(implicit authContext: AuthContext): Traversal.V[Alert] =
       if (authContext.permissions.contains(permission))
-        traversal.filter(_.organisation.get(authContext.organisation))
-      else traversal.limit(0)
+        traversal.visible(organisationSrv)
+      else traversal.empty
 
     def imported: Traversal[Boolean, Boolean, IdentityConverter[Boolean]] =
-      traversal.choose(_.outE[AlertCase], onTrue = true, onFalse = false)
+      traversal.choose(_.has(_.caseId), onTrue = true, onFalse = false)
 
     def isImported: Boolean =
-      traversal.outE[AlertCase].exists
+      traversal.has(_.caseId).exists
 
     def importDate: Traversal[Date, Date, Converter[Date, Date]] =
       traversal.outE[AlertCase].value(_._createdAt)
@@ -425,13 +420,13 @@ object AlertOps {
         _.constant(0L)
       )
 
-    def similarCases(maybeCaseFilter: Option[Traversal.V[Case] => Traversal.V[Case]])(implicit
+    def similarCases(organisationSrv: OrganisationSrv, caseFilter: Option[Traversal.V[Case] => Traversal.V[Case]])(implicit
         authContext: AuthContext
     ): Traversal[(RichCase, SimilarStats), JMap[String, Any], Converter[(RichCase, SimilarStats), JMap[String, Any]]] = {
       val similarObservables = observables
         .filteredSimilar
-        .visible
-      maybeCaseFilter
+        .visible(organisationSrv)
+      caseFilter
         .fold(similarObservables)(caseFilter => similarObservables.filter(o => caseFilter(o.`case`)))
         .group(_.by(_.`case`))
         .unfold
@@ -463,63 +458,6 @@ object AlertOps {
         }
     }
 
-    def alertUserOrganisation(
-        permission: Permission
-    )(implicit
-        authContext: AuthContext
-    ): Traversal[(RichAlert, Organisation with Entity), JMap[String, Any], Converter[(RichAlert, Organisation with Entity), JMap[String, Any]]] = {
-      val alertLabel            = StepLabel.v[Alert]
-      val organisationLabel     = StepLabel.v[Organisation]
-      val tagsLabel             = StepLabel.vs[Tag]
-      val customFieldValueLabel = StepLabel.e[AlertCustomField]
-      val customFieldLabel      = StepLabel.v[CustomField]
-      val customFieldWithValueLabel =
-        StepLabel[Seq[(AlertCustomField with Entity, CustomField with Entity)], JList[JMap[String, Any]], Converter.CList[
-          (AlertCustomField with Entity, CustomField with Entity),
-          JMap[String, Any],
-          Converter[(AlertCustomField with Entity, CustomField with Entity), JMap[String, Any]]
-        ]]
-      val caseIdLabel           = StepLabel[Seq[EntityId], JList[AnyRef], Converter.CList[EntityId, AnyRef, Converter[EntityId, AnyRef]]]
-      val caseTemplateNameLabel = StepLabel[Seq[String], JList[String], Converter.CList[String, String, Converter[String, String]]]
-
-      val observableCountLabel = StepLabel[Long, JLong, Converter[Long, JLong]]
-      val result =
-        traversal
-          .`match`(
-            _.as(alertLabel)(_.organisation.current).as(organisationLabel),
-            _.as(alertLabel)(_.tags.fold).as(tagsLabel),
-            _.as(alertLabel)(
-              _.outE[AlertCustomField]
-                .as(customFieldValueLabel)
-                .inV
-                .v[CustomField]
-                .as(customFieldLabel)
-                .select((customFieldValueLabel, customFieldLabel))
-                .fold
-            ).as(customFieldWithValueLabel),
-            _.as(alertLabel)(_.`case`._id.fold).as(caseIdLabel),
-            _.as(alertLabel)(_.caseTemplate.value(_.name).fold).as(caseTemplateNameLabel),
-            _.as(alertLabel)(_.observables.count).as(observableCountLabel)
-          )
-          .select((alertLabel, organisationLabel, tagsLabel, customFieldWithValueLabel, caseIdLabel, caseTemplateNameLabel, observableCountLabel))
-          .domainMap {
-            case (alert, organisation, tags, customFields, caseId, caseTemplateName, observableCount) =>
-              RichAlert(
-                alert,
-                organisation.name,
-                tags,
-                customFields.map(cf => RichCustomField(cf._2, cf._1)),
-                caseId.headOption,
-                caseTemplateName.headOption,
-                observableCount
-              ) -> organisation
-          }
-      if (authContext.permissions.contains(permission))
-        result
-      else
-        result.limit(0)
-    }
-
     def customFields(idOrName: EntityIdOrName): Traversal.E[AlertCustomField] =
       idOrName
         .fold(
@@ -537,6 +475,54 @@ object AlertOps {
           case (cfv, cf) => RichCustomField(cf, cfv)
         }
 
+    def customFieldFilter(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName, predicate: P[JsValue]): Traversal.V[Alert] =
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filter(_.customFields(customField).has(_.booleanValue, predicate.map(_.as[Boolean])))
+          case CustomFieldType.date    => traversal.filter(_.customFields(customField).has(_.dateValue, predicate.map(_.as[Date])))
+          case CustomFieldType.float   => traversal.filter(_.customFields(customField).has(_.floatValue, predicate.map(_.as[Double])))
+          case CustomFieldType.integer => traversal.filter(_.customFields(customField).has(_.integerValue, predicate.map(_.as[Int])))
+          case CustomFieldType.string  => traversal.filter(_.customFields(customField).has(_.stringValue, predicate.map(_.as[String])))
+        }
+        .getOrElse(traversal.empty)
+
+    def hasCustomField(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName): Traversal.V[Alert] = {
+      val cfFilter = (t: Traversal.V[CustomField]) => customField.fold(id => t.hasId(id), name => t.has(_.name, name))
+
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filter(t => cfFilter(t.outE[AlertCustomField].has(_.booleanValue).inV.v[CustomField]))
+          case CustomFieldType.date    => traversal.filter(t => cfFilter(t.outE[AlertCustomField].has(_.dateValue).inV.v[CustomField]))
+          case CustomFieldType.float   => traversal.filter(t => cfFilter(t.outE[AlertCustomField].has(_.floatValue).inV.v[CustomField]))
+          case CustomFieldType.integer => traversal.filter(t => cfFilter(t.outE[AlertCustomField].has(_.integerValue).inV.v[CustomField]))
+          case CustomFieldType.string  => traversal.filter(t => cfFilter(t.outE[AlertCustomField].has(_.stringValue).inV.v[CustomField]))
+        }
+        .getOrElse(traversal.empty)
+    }
+
+    def hasNotCustomField(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName): Traversal.V[Alert] = {
+      val cfFilter = (t: Traversal.V[CustomField]) => customField.fold(id => t.hasId(id), name => t.has(_.name, name))
+
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filterNot(t => cfFilter(t.outE[AlertCustomField].has(_.booleanValue).inV.v[CustomField]))
+          case CustomFieldType.date    => traversal.filterNot(t => cfFilter(t.outE[AlertCustomField].has(_.dateValue).inV.v[CustomField]))
+          case CustomFieldType.float   => traversal.filterNot(t => cfFilter(t.outE[AlertCustomField].has(_.floatValue).inV.v[CustomField]))
+          case CustomFieldType.integer => traversal.filterNot(t => cfFilter(t.outE[AlertCustomField].has(_.integerValue).inV.v[CustomField]))
+          case CustomFieldType.string  => traversal.filterNot(t => cfFilter(t.outE[AlertCustomField].has(_.stringValue).inV.v[CustomField]))
+        }
+        .getOrElse(traversal.empty)
+    }
+
     def observables: Traversal.V[Observable] = traversal.out[AlertObservable].v[Observable]
 
     def caseTemplate: Traversal.V[CaseTemplate] = traversal.out[AlertCaseTemplate].v[CaseTemplate]
@@ -547,23 +533,19 @@ object AlertOps {
       traversal
         .project(
           _.by
-            .by(_.organisation.value(_.name))
-            .by(_.tags.fold)
             .by(_.richCustomFields.fold)
-            .by(_.`case`._id.fold)
-            .by(_.caseTemplate.value(_.name).fold)
+            .by(_.`case`._id.option)
+            .by(_.caseTemplate.value(_.name).option)
             .by(_.observables.count)
             .by(entityRenderer)
         )
         .domainMap {
-          case (alert, organisation, tags, customFields, caseId, caseTemplate, observableCount, renderedEntity) =>
+          case (alert, customFields, caseId, caseTemplate, observableCount, renderedEntity) =>
             RichAlert(
               alert,
-              organisation,
-              tags,
               customFields,
-              caseId.headOption,
-              caseTemplate.headOption,
+              caseId,
+              caseTemplate,
               observableCount
             ) -> renderedEntity
         }
@@ -572,22 +554,18 @@ object AlertOps {
       traversal
         .project(
           _.by
-            .by(_.organisation.value(_.name).fold)
-            .by(_.tags.fold)
             .by(_.richCustomFields.fold)
-            .by(_.`case`._id.fold)
-            .by(_.caseTemplate.value(_.name).fold)
+            .by(_.`case`._id.option)
+            .by(_.caseTemplate.value(_.name).option)
             .by(_.outE[AlertObservable].count)
         )
         .domainMap {
-          case (alert, organisation, tags, customFields, caseId, caseTemplate, observableCount) =>
+          case (alert, customFields, caseId, caseTemplate, observableCount) =>
             RichAlert(
               alert,
-              organisation.head,
-              tags,
               customFields,
-              caseId.headOption,
-              caseTemplate.headOption,
+              caseId,
+              caseTemplate,
               observableCount
             )
         }
@@ -596,17 +574,120 @@ object AlertOps {
   implicit class AlertCustomFieldsOpsDefs(traversal: Traversal.E[AlertCustomField]) extends CustomFieldValueOpsDefs(traversal)
 }
 
-class AlertIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: AlertSrv) extends IntegrityCheckOps[Alert] {
-  override def check(): Unit = {
-    db.tryTransaction { implicit graph =>
-      service
+class AlertIntegrityCheckOps @Inject() (val db: Database, val service: AlertSrv, organisationSrv: OrganisationSrv) extends IntegrityCheckOps[Alert] {
+
+  override def resolve(entities: Seq[Alert with Entity])(implicit graph: Graph): Try[Unit] = {
+    val (imported, notImported) = entities.partition(_.caseId.isDefined)
+    if (imported.nonEmpty && notImported.nonEmpty)
+      // Remove all non imported alerts
+      service.getByIds(notImported.map(_._id): _*).remove()
+    // Keep the last created alert
+    lastCreatedEntity(entities).foreach(e => service.getByIds(e._2.map(_._id): _*).remove())
+    Success(())
+  }
+
+  override def globalCheck(): Map[String, Long] = {
+    implicit val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
+
+    val multiImport = db.tryTransaction { implicit graph =>
+      // Remove extra link with case
+      val linkIds = service
         .startTraversal
-        .flatMap(_.outE[AlertCase].range(1, 100))
-        .remove()
-      Success(())
+        .flatMap(_.outE[AlertCase].range(1, 100)._id)
+        .toSeq
+      if (linkIds.nonEmpty)
+        graph.E[AlertCase](linkIds: _*).remove()
+      Success(linkIds.length.toLong)
     }
-    ()
-  }
 
-  override def resolve(entities: Seq[Alert with Entity])(implicit graph: Graph): Try[Unit] = Success(())
+    val orgMetrics: Map[String, Long] = db
+      .tryTransaction { implicit graph =>
+        // Check links with organisation
+        Try {
+          service
+            .startTraversal
+            .project(
+              _.by
+                .by(_.organisation._id.fold)
+            )
+            .toIterator
+            .flatMap {
+              case (alert, Seq(organisationId)) if alert.organisationId == organisationId => None // It's OK
+
+              case (alert, Seq(organisationId)) =>
+                logger.warn(
+                  s"Invalid organisationId in alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}), " +
+                    s"got ${alert.organisationId}, should be $organisationId. Fixing it."
+                )
+                service.get(alert).update(_.organisationId, organisationId).iterate()
+                Some("invalidOrganisationId")
+
+              case (alert, organisationIds) if organisationIds.isEmpty =>
+                organisationSrv.getOrFail(alert.organisationId) match {
+                  case Success(organisation) =>
+                    logger.warn(
+                      s"Link between alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) and " +
+                        s"organisation ${alert.organisationId} has disappeared. Fixing it."
+                    )
+                    service
+                      .alertOrganisationSrv
+                      .create(AlertOrganisation(), alert, organisation)
+                      .fold(
+                        error => {
+                          logger.error(
+                            s"Fail to create link between alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) " +
+                              s"and organisation ${alert.organisationId}",
+                            error
+                          )
+                          Some("missingOrganisationAndFail")
+                        },
+                        _ => Some("missingOrganisation")
+                      )
+                  case _ =>
+                    logger.warn(
+                      s"Alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) is not linked to " +
+                        s"existing organisation. Fixing it."
+                    )
+                    service.get(alert).remove()
+                    Some("nonExistentOrganisation")
+                }
+
+              case (alert, organisationIds) if organisationIds.contains(alert.organisationId) =>
+                val (extraLinks, extraOrganisationIds) = organisationIds.partition(_ == alert.organisationId)
+                if (extraOrganisationIds.nonEmpty) {
+                  logger.warn(
+                    s"Alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) is not linked to " +
+                      s"extra organisation(s): ${extraOrganisationIds.mkString(",")}. Fixing it."
+                  )
+                  service.get(alert).outE[AlertOrganisation].filter(_.inV.hasId(extraOrganisationIds: _*)).remove()
+                }
+                if (extraLinks.length > 1) {
+                  logger.warn(
+                    s"Alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) is linked more than once to " +
+                      s"organisation: ${alert.organisationId}. Fixing it."
+                  )
+                  service.get(alert).flatMap(_.outE[AlertOrganisation].range(1, 100)).remove()
+                }
+                Some("extraOrganisation")
+
+              case (alert, organisationIds) =>
+                logger.warn(
+                  s"Alert ${alert._id}(${alert.`type`}:${alert.source}:${alert.sourceRef}) has inconsistent organisation links: " +
+                    s"organisation is ${alert.organisationId} but links are ${organisationIds.mkString(",")}. Fixing it."
+                )
+                service.get(alert).flatMap(_.outE[AlertOrganisation].sort(_.by("_createdAt", Order.asc)).range(1, 100)).remove()
+                service.get(alert).organisation._id.getOrFail("Organisation").foreach { organisationId =>
+                  service.get(alert).update(_.organisationId, organisationId).iterate()
+                }
+                Some("incoherent")
+            }
+            .toSeq
+        }
+      }
+      .getOrElse(Seq("globalFailure"))
+      .groupBy(identity)
+      .mapValues(_.size.toLong)
+
+    orgMetrics + ("multiImport" -> multiImport.getOrElse(0L))
+  }
 }
diff --git a/thehive/app/org/thp/thehive/services/AttachmentSrv.scala b/thehive/app/org/thp/thehive/services/AttachmentSrv.scala
index 77e39fcd62..9f70d36a78 100644
--- a/thehive/app/org/thp/thehive/services/AttachmentSrv.scala
+++ b/thehive/app/org/thp/thehive/services/AttachmentSrv.scala
@@ -4,14 +4,13 @@ import akka.NotUsed
 import akka.stream.scaladsl.{Source, StreamConverters}
 import akka.stream.{IOResult, Materializer}
 import akka.util.ByteString
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.NotFoundError
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.FFile
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.services.{StorageSrv, VertexSrv}
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.utils.Hasher
 import org.thp.thehive.models.Attachment
 import org.thp.thehive.services.AttachmentOps._
@@ -19,13 +18,12 @@ import play.api.Configuration
 
 import java.io.InputStream
 import java.nio.file.Files
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.Future
 import scala.util.Try
 
 @Singleton
 class AttachmentSrv @Inject() (configuration: Configuration, storageSrv: StorageSrv)(implicit
-    @Named("with-thehive-schema") db: Database,
     mat: Materializer
 ) extends VertexSrv[Attachment] {
 
@@ -85,9 +83,13 @@ class AttachmentSrv @Inject() (configuration: Configuration, storageSrv: Storage
 
   def exists(attachment: Attachment with Entity): Boolean = storageSrv.exists("attachment", attachment.attachmentId)
 
-  def cascadeRemove(attachment: Attachment with Entity)(implicit graph: Graph): Try[Unit] =
-    // TODO handle Storage data removal
+  override def delete(attachment: Attachment with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
+    val attachments = startTraversal.has(_.attachmentId, attachment.attachmentId).limit(2).getCount
+    if (attachments == 1)
+      storageSrv.delete("attachment", attachment.attachmentId)
+
     Try(get(attachment).remove())
+  }
 
 }
 
diff --git a/thehive/app/org/thp/thehive/services/AuditSrv.scala b/thehive/app/org/thp/thehive/services/AuditSrv.scala
index a1d3941b48..a88bf5573f 100644
--- a/thehive/app/org/thp/thehive/services/AuditSrv.scala
+++ b/thehive/app/org/thp/thehive/services/AuditSrv.scala
@@ -4,16 +4,22 @@ import akka.actor.ActorRef
 import com.google.inject.name.Named
 import org.apache.tinkerpop.gremlin.process.traversal.Order
 import org.apache.tinkerpop.gremlin.structure.Transaction.Status
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.Vertex
+import org.thp.scalligraph.EntityId
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Entity, _}
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IdentityConverter, Traversal}
-import org.thp.scalligraph.{EntityId, EntityIdOrName}
+import org.thp.scalligraph.traversal.{Converter, Graph, IdentityConverter, Traversal}
 import org.thp.thehive.models._
+import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.AuditOps._
+import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.CaseTemplateOps._
+import org.thp.thehive.services.DashboardOps._
+import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.TaskOps._
 import org.thp.thehive.services.notification.AuditNotificationMessage
 import play.api.libs.json.{JsObject, JsValue, Json}
 
@@ -21,33 +27,34 @@ import java.util.{Map => JMap}
 import javax.inject.{Inject, Provider, Singleton}
 import scala.util.{Success, Try}
 
-case class PendingAudit(audit: Audit, context: Option[Product with Entity], `object`: Option[Product with Entity])
+case class PendingAudit(audit: Audit, context: Product with Entity, `object`: Option[Product with Entity])
 
 @Singleton
 class AuditSrv @Inject() (
     userSrvProvider: Provider[UserSrv],
     @Named("notification-actor") notificationActor: ActorRef,
-    eventSrv: EventSrv
-)(implicit @Named("with-thehive-schema") db: Database)
-    extends VertexSrv[Audit] { auditSrv =>
-  lazy val userSrv: UserSrv = userSrvProvider.get
-  val auditUserSrv          = new EdgeSrv[AuditUser, Audit, User]
-  val auditedSrv            = new EdgeSrv[Audited, Audit, Product]
-  val auditContextSrv       = new EdgeSrv[AuditContext, Audit, Product]
-  val `case`                = new SelfContextObjectAudit[Case]
-  val task                  = new SelfContextObjectAudit[Task]
-  val observable            = new SelfContextObjectAudit[Observable]
-  val log                   = new ObjectAudit[Log, Task]
-  val caseTemplate          = new SelfContextObjectAudit[CaseTemplate]
-  val taskInTemplate        = new ObjectAudit[Task, CaseTemplate]
-  val alert                 = new AlertAudit
-//  val alertToCase                                           = new ObjectAudit[Alert, Case]
+    eventSrv: EventSrv,
+    db: Database
+) extends VertexSrv[Audit] { auditSrv =>
+  lazy val userSrv: UserSrv                                 = userSrvProvider.get
+  val auditUserSrv                                          = new EdgeSrv[AuditUser, Audit, User]
+  val auditedSrv                                            = new EdgeSrv[Audited, Audit, Product]
+  val auditContextSrv                                       = new EdgeSrv[AuditContext, Audit, Product]
+  val `case`                                                = new SelfContextObjectAudit[Case]
+  val task                                                  = new SelfContextObjectAudit[Task]
+  val observable                                            = new SelfContextObjectAudit[Observable]
+  val log                                                   = new ObjectAudit[Log, Task]
+  val caseTemplate                                          = new SelfContextObjectAudit[CaseTemplate]
+  val taskInTemplate                                        = new ObjectAudit[Task, CaseTemplate]
+  val alert                                                 = new AlertAudit
   val share                                                 = new ShareAudit
   val observableInAlert                                     = new ObjectAudit[Observable, Alert]
   val user                                                  = new UserAudit
   val dashboard                                             = new SelfContextObjectAudit[Dashboard]
   val organisation                                          = new SelfContextObjectAudit[Organisation]
   val profile                                               = new SelfContextObjectAudit[Profile]
+  val pattern                                               = new SelfContextObjectAudit[Pattern]
+  val procedure                                             = new ObjectAudit[Procedure, Case]
   val customField                                           = new SelfContextObjectAudit[CustomField]
   val page                                                  = new SelfContextObjectAudit[Page]
   private val pendingAuditsLock                             = new Object
@@ -108,7 +115,7 @@ class AuditSrv @Inject() (
     }
   }
 
-  private def createFromPending(tx: AnyRef, audit: Audit, context: Option[Product with Entity], `object`: Option[Product with Entity])(implicit
+  private def createFromPending(tx: AnyRef, audit: Audit, context: Product with Entity, `object`: Option[Product with Entity])(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Unit] = {
@@ -118,13 +125,13 @@ class AuditSrv @Inject() (
       createdAudit <- createEntity(audit)
       _            <- auditUserSrv.create(AuditUser(), createdAudit, user)
       _            <- `object`.map(auditedSrv.create(Audited(), createdAudit, _)).flip
-      _ = context.map(auditContextSrv.create(AuditContext(), createdAudit, _)).flip // this could fail on delete (context doesn't exist)
+      _ = auditContextSrv.create(AuditContext(), createdAudit, context) // this could fail on delete (context doesn't exist)
     } yield transactionAuditIdsLock.synchronized {
       transactionAuditIds = (tx -> createdAudit._id) :: transactionAuditIds
     }
   }
 
-  def create(audit: Audit, context: Option[Product with Entity], `object`: Option[Product with Entity])(implicit
+  def create(audit: Audit, context: Product with Entity, `object`: Option[Product with Entity])(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Unit] = {
@@ -163,47 +170,47 @@ class AuditSrv @Inject() (
   class ObjectAudit[E <: Product, C <: Product] {
 
     def create(entity: E with Entity, context: C with Entity, details: JsValue)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-      auditSrv.create(Audit(Audit.create, entity, Some(details.toString)), Some(context), Some(entity))
+      auditSrv.create(Audit(Audit.create, entity, Some(details.toString)), context, Some(entity))
 
     def update(entity: E with Entity, context: C with Entity, details: JsObject)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
       if (details == JsObject.empty) Success(())
-      else auditSrv.create(Audit(Audit.update, entity, Some(details.toString)), Some(context), Some(entity))
+      else auditSrv.create(Audit(Audit.update, entity, Some(details.toString)), context, Some(entity))
 
-    def delete(entity: E with Entity, context: Option[C with Entity])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    def delete(entity: E with Entity, context: C with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
       auditSrv.create(Audit(Audit.delete, entity, None), context, None)
 
     def merge(entity: E with Entity, destination: C with Entity, details: Option[JsObject] = None)(implicit
         graph: Graph,
         authContext: AuthContext
     ): Try[Unit] =
-      auditSrv.create(Audit(Audit.merge, destination, details.map(_.toString())), Some(destination), Some(destination))
+      auditSrv.create(Audit(Audit.merge, destination, details.map(_.toString())), destination, Some(destination))
   }
 
   class SelfContextObjectAudit[E <: Product] {
 
     def create(entity: E with Entity, details: JsValue)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-      auditSrv.create(Audit(Audit.create, entity, Some(details.toString)), Some(entity), Some(entity))
+      auditSrv.create(Audit(Audit.create, entity, Some(details.toString)), entity, Some(entity))
 
     def update(entity: E with Entity, details: JsObject)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
       if (details == JsObject.empty) Success(())
-      else auditSrv.create(Audit(Audit.update, entity, Some(details.toString)), Some(entity), Some(entity))
+      else auditSrv.create(Audit(Audit.update, entity, Some(details.toString)), entity, Some(entity))
 
     def delete(entity: E with Entity, context: Product with Entity, details: Option[JsObject] = None)(implicit
         graph: Graph,
         authContext: AuthContext
     ): Try[Unit] =
-      auditSrv.create(Audit(Audit.delete, entity, details.map(_.toString())), Some(context), None)
+      auditSrv.create(Audit(Audit.delete, entity, details.map(_.toString())), context, None)
   }
 
   class UserAudit extends SelfContextObjectAudit[User] {
 
-    def changeProfile(user: User with Entity, organisation: Organisation, profile: Profile)(implicit
+    def changeProfile(user: User with Entity, organisation: Organisation with Entity, profile: Profile)(implicit
         graph: Graph,
         authContext: AuthContext
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, user, Some(Json.obj("organisation" -> organisation.name, "profile" -> profile.name).toString)),
-        Some(user),
+        organisation,
         Some(user)
       )
 
@@ -213,7 +220,7 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.delete, user, Some(Json.obj("organisation" -> organisation.name).toString)),
-        None,
+        organisation,
         None
       )
   }
@@ -226,7 +233,7 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, `case`, Some(Json.obj("share" -> Json.obj("organisation" -> organisation.name, "profile" -> profile.name)).toString)),
-        Some(`case`),
+        `case`,
         Some(`case`)
       )
 
@@ -236,7 +243,7 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, task, Some(Json.obj("share" -> Json.obj("organisation" -> organisation.name)).toString)),
-        Some(task),
+        task,
         Some(`case`)
       )
 
@@ -246,14 +253,14 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, observable, Some(Json.obj("share" -> Json.obj("organisation" -> organisation.name)).toString)),
-        Some(observable),
+        observable,
         Some(`case`)
       )
 
     def unshareCase(`case`: Case with Entity, organisation: Organisation with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, `case`, Some(Json.obj("unshare" -> Json.obj("organisation" -> organisation.name)).toString)),
-        Some(`case`),
+        `case`,
         Some(`case`)
       )
 
@@ -263,7 +270,7 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, task, Some(Json.obj("unshare" -> Json.obj("organisation" -> organisation.name)).toString)),
-        Some(task),
+        task,
         Some(`case`)
       )
 
@@ -273,7 +280,7 @@ class AuditSrv @Inject() (
     ): Try[Unit] =
       auditSrv.create(
         Audit(Audit.update, observable, Some(Json.obj("unshare" -> Json.obj("organisation" -> organisation.name)).toString)),
-        Some(observable),
+        observable,
         Some(`case`)
       )
   }
@@ -289,7 +296,7 @@ class AuditSrv @Inject() (
         "source"    -> alert.source,
         "sourceRef" -> alert.sourceRef
       ))
-      auditSrv.create(Audit(Audit.create, `case`, Some(detailsWithAlert.toString)), Some(`case`), Some(`case`))
+      auditSrv.create(Audit(Audit.create, `case`, Some(detailsWithAlert.toString)), `case`, Some(`case`))
     }
 
     def mergeToCase(alert: Alert with Entity, `case`: Case with Entity, details: JsObject)(implicit
@@ -302,15 +309,18 @@ class AuditSrv @Inject() (
         "source"    -> alert.source,
         "sourceRef" -> alert.sourceRef
       ))
-      auditSrv.create(Audit(Audit.merge, `case`, Some(detailsWithAlert.toString)), Some(`case`), Some(`case`))
+      auditSrv.create(Audit(Audit.merge, `case`, Some(detailsWithAlert.toString)), `case`, Some(`case`))
     }
   }
 }
 
 object AuditOps {
 
-  implicit class AuditOpsDefs(traversal: Traversal.V[Audit]) {
+  implicit class VertexDefs(traversal: Traversal[Vertex, Vertex, IdentityConverter[Vertex]]) {
+    def share: Traversal.V[Share] = traversal.coalesceIdent(_.in[ShareObservable], _.in[ShareTask], _.in[ShareCase]).v[Share]
+  }
 
+  implicit class AuditOpsDefs(traversal: Traversal.V[Audit]) {
     def auditContextObjectOrganisation
         : Traversal[(Audit with Entity, Option[Entity], Option[Entity], Option[Organisation with Entity]), JMap[String, Any], Converter[
           (Audit with Entity, Option[Entity], Option[Entity], Option[Organisation with Entity]),
@@ -365,7 +375,7 @@ object AuditOps {
     def `case`: Traversal.V[Case] =
       traversal
         .out[AuditContext]
-        .coalesceIdent[Vertex](_.in().hasLabel("Share"), _.hasLabel("Share"))
+        .share
         .out[ShareCase]
         .v[Case]
 
@@ -373,21 +383,57 @@ object AuditOps {
       traversal
         .out[AuditContext]
         .coalesceIdent[Vertex](
+          _.share.in[OrganisationShare],
+          _.out[AlertOrganisation],
           _.hasLabel("Organisation"),
-          _.in().hasLabel("Share").in[OrganisationShare],
-          _.both().hasLabel("Organisation")
+          _.out[CaseTemplateOrganisation],
+          _.in[OrganisationDashboard]
         )
         .v[Organisation]
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Audit] = visible(authContext.organisation)
+    def organisationIds: Traversal[EntityId, AnyRef, Converter[EntityId, AnyRef]] =
+      traversal
+        .out[AuditContext]
+        .chooseBranch[String, AnyRef](
+          _.on(_.label)
+            .option("Case", _.v[Case].value(_.organisationIds).widen[AnyRef])
+            .option("Observable", _.v[Observable].value(_.organisationIds).widen[AnyRef])
+            .option("Task", _.v[Task].value(_.organisationIds).widen[AnyRef])
+            .option("Alert", _.v[Alert].value(_.organisationId).widen[AnyRef])
+            .option("Organisation", _.v[Organisation]._id)
+            .option("CaseTemplate", _.v[CaseTemplate].organisation._id)
+            .option("Dashboard", _.v[Dashboard].organisation._id)
+        )
+        .domainMap(EntityId.apply)
 
-    def visible(organisation: EntityIdOrName): Traversal.V[Audit] = traversal.filter(_.organisation.get(organisation))
+    def caseId: Traversal[EntityId, AnyRef, Converter[EntityId, AnyRef]] =
+      traversal
+        .out[AuditContext]
+        .chooseBranch[String, AnyRef](
+          _.on(_.label)
+            .option("Case", _.v[Case]._id)
+            .option("Observable", _.v[Observable].value(_.relatedId).widen[AnyRef])
+            .option("Task", _.v[Task].value(_.relatedId).widen[AnyRef])
+        )
+        .domainMap(EntityId.apply)
+
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Audit] =
+      traversal.filter(
+        _.out[AuditContext].chooseBranch[String, Any](
+          _.on(_.label)
+            .option("Case", _.v[Case].visible(organisationSrv).widen[Any])
+            .option("Observable", _.v[Observable].visible(organisationSrv).widen[Any])
+            .option("Task", _.v[Task].visible(organisationSrv).widen[Any])
+            .option("Alert", _.v[Alert].visible(organisationSrv).widen[Any])
+            .option("Organisation", _.v[Organisation].current.widen[Any])
+            .option("CaseTemplate", _.v[CaseTemplate].visible.widen[Any])
+            .option("Dashboard", _.v[Dashboard].visible.widen[Any])
+        )
+      )
 
     def `object`: Traversal[Vertex, Vertex, IdentityConverter[Vertex]] = traversal.out[Audited]
 
     def context: Traversal[Vertex, Vertex, IdentityConverter[Vertex]] = traversal.out[AuditContext]
-
-    //    Traversal(raw.out[AuditContext].map(_.asEntity))
   }
 
 }
diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
index d29415c808..0f86e0b7ed 100644
--- a/thehive/app/org/thp/thehive/services/CaseSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -1,20 +1,18 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-import java.lang.{Long => JLong}
 import akka.actor.ActorRef
-
-import javax.inject.{Inject, Named, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.{Order, P}
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.{AuthContext, Permission}
-import org.thp.scalligraph.controllers.FPathElem
+import org.thp.scalligraph.controllers.{FFile, FPathElem}
 import org.thp.scalligraph.models._
+import org.thp.scalligraph.query.PredicateOps.PredicateOpsDefs
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
+import org.thp.scalligraph.traversal.Converter.Identity
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IdentityConverter, StepLabel, Traversal}
-import org.thp.scalligraph.{CreateError, EntityIdOrName, EntityName, RichOptionTry, RichSeq}
+import org.thp.scalligraph.traversal._
+import org.thp.scalligraph.{BadRequestError, EntityId, EntityIdOrName, EntityName, RichOptionTry, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.dto.v1.InputCustomFieldValue
 import org.thp.thehive.models._
@@ -24,26 +22,35 @@ import org.thp.thehive.services.DataOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
-import play.api.libs.json.{JsNull, JsObject, Json}
+import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.UserOps._
+import play.api.cache.SyncCacheApi
+import play.api.libs.json.{JsNull, JsObject, JsValue, Json}
 
+import java.lang.{Long => JLong}
+import java.util.{Date, List => JList, Map => JMap}
+import javax.inject.{Inject, Named, Provider, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
 class CaseSrv @Inject() (
     tagSrv: TagSrv,
     customFieldSrv: CustomFieldSrv,
-    userSrv: UserSrv,
     organisationSrv: OrganisationSrv,
     profileSrv: ProfileSrv,
     shareSrv: ShareSrv,
     taskSrv: TaskSrv,
-    observableSrv: ObservableSrv,
     auditSrv: AuditSrv,
     resolutionStatusSrv: ResolutionStatusSrv,
     impactStatusSrv: ImpactStatusSrv,
-    @Named("integrity-check-actor") integrityCheckActor: ActorRef
-)(implicit @Named("with-thehive-schema") db: Database)
-    extends VertexSrv[Case] {
+    observableSrv: ObservableSrv,
+    attachmentSrv: AttachmentSrv,
+    userSrv: UserSrv,
+    alertSrvProvider: Provider[AlertSrv],
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef,
+    cache: SyncCacheApi
+) extends VertexSrv[Case] {
+  lazy val alertSrv: AlertSrv = alertSrvProvider.get
 
   val caseTagSrv              = new EdgeSrv[CaseTag, Case, Tag]
   val caseImpactStatusSrv     = new EdgeSrv[CaseImpactStatus, Case, ImpactStatus]
@@ -51,6 +58,8 @@ class CaseSrv @Inject() (
   val caseUserSrv             = new EdgeSrv[CaseUser, Case, User]
   val caseCustomFieldSrv      = new EdgeSrv[CaseCustomField, Case, CustomField]
   val caseCaseTemplateSrv     = new EdgeSrv[CaseCaseTemplate, Case, CaseTemplate]
+  val caseProcedureSrv        = new EdgeSrv[CaseProcedure, Case, Procedure]
+  val shareCaseSrv            = new EdgeSrv[ShareCase, Share, Case]
   val mergedFromSrv           = new EdgeSrv[MergedFrom, Case, Case]
 
   override def createEntity(e: Case)(implicit graph: Graph, authContext: AuthContext): Try[Case with Entity] =
@@ -61,24 +70,32 @@ class CaseSrv @Inject() (
 
   def create(
       `case`: Case,
-      user: Option[User with Entity],
+      assignee: Option[User with Entity],
       organisation: Organisation with Entity,
-      tags: Set[Tag with Entity],
       customFields: Seq[InputCustomFieldValue],
       caseTemplate: Option[RichCaseTemplate],
-      additionalTasks: Seq[(Task, Option[User with Entity])]
-  )(implicit graph: Graph, authContext: AuthContext): Try[RichCase] =
+      additionalTasks: Seq[Task]
+  )(implicit graph: Graph, authContext: AuthContext): Try[RichCase] = {
+    val caseNumber = if (`case`.number == 0) nextCaseNumber else `case`.number
+    val tagNames   = (`case`.tags ++ caseTemplate.fold[Seq[String]](Nil)(_.tags)).distinct
     for {
-      createdCase <- createEntity(if (`case`.number == 0) `case`.copy(number = nextCaseNumber) else `case`)
-      assignee    <- user.fold(userSrv.current.getOrFail("User"))(Success(_))
-      _           <- caseUserSrv.create(CaseUser(), createdCase, assignee)
-      _           <- shareSrv.shareCase(owner = true, createdCase, organisation, profileSrv.orgAdmin)
-      _           <- caseTemplate.map(ct => caseCaseTemplateSrv.create(CaseCaseTemplate(), createdCase, ct.caseTemplate)).flip
-
-      createdTasks <- caseTemplate.fold(additionalTasks)(_.tasks.map(t => t.task -> t.assignee)).toTry {
-        case (task, owner) => taskSrv.create(task, owner)
-      }
-      _ <- createdTasks.toTry(t => shareSrv.shareTask(t, createdCase, organisation))
+      tags <- tagNames.toTry(tagSrv.getOrCreate)
+      createdCase <- createEntity(
+        `case`.copy(
+          number = caseNumber,
+          assignee = assignee.map(_.login),
+          organisationIds = Set(organisation._id),
+          caseTemplate = caseTemplate.map(_.name),
+          impactStatus = None,
+          resolutionStatus = None,
+          tags = tagNames
+        )
+      )
+      _ <- assignee.map(u => caseUserSrv.create(CaseUser(), createdCase, u)).flip
+      _ <- shareSrv.shareCase(owner = true, createdCase, organisation, profileSrv.orgAdmin)
+      _ <- caseTemplate.map(ct => caseCaseTemplateSrv.create(CaseCaseTemplate(), createdCase, ct.caseTemplate)).flip
+      _ <- caseTemplate.fold(additionalTasks)(_.tasks.map(_.task) ++ additionalTasks).toTry(task => createTask(createdCase, task))
+      _ <- tags.toTry(caseTagSrv.create(CaseTag(), createdCase, _))
 
       caseTemplateCf =
         caseTemplate
@@ -88,13 +105,13 @@ class CaseSrv @Inject() (
         case InputCustomFieldValue(name, value, order) => createCustomField(createdCase, EntityIdOrName(name), value, order)
       }
 
-      caseTemplateTags = caseTemplate.fold[Seq[Tag with Entity]](Nil)(_.tags)
-      allTags          = tags ++ caseTemplateTags
-      _ <- allTags.toTry(t => caseTagSrv.create(CaseTag(), createdCase, t))
-
-      richCase = RichCase(createdCase, allTags.toSeq, None, None, Some(assignee.login), cfs, authContext.permissions)
+      richCase = RichCase(createdCase, cfs, authContext.permissions)
       _ <- auditSrv.`case`.create(createdCase, richCase.toJson)
     } yield richCase
+  }
+
+  def caseId(idOrName: EntityIdOrName)(implicit graph: Graph): EntityId =
+    idOrName.fold(identity, oid => cache.getOrElseUpdate(s"case-$oid")(getByName(oid)._id.getOrFail("Case").get))
 
   private def cleanCustomFields(caseTemplateCf: Seq[InputCustomFieldValue], caseCf: Seq[InputCustomFieldValue]): Seq[InputCustomFieldValue] = {
     val uniqueFields = caseTemplateCf.filter {
@@ -114,14 +131,14 @@ class CaseSrv @Inject() (
       traversal: Traversal.V[Case],
       propertyUpdaters: Seq[PropertyUpdater]
   )(implicit graph: Graph, authContext: AuthContext): Try[(Traversal.V[Case], JsObject)] = {
-    val closeCase = PropertyUpdater(FPathElem("closeCase"), "") { (vertex, _, _, _) =>
+    val closeCase = PropertyUpdater(FPathElem("closeCase"), "") { (vertex, _, _) =>
       get(vertex)
         .tasks
         .or(_.has(_.status, TaskStatus.Waiting), _.has(_.status, TaskStatus.InProgress))
         .toIterator
         .toTry {
-          case task if task.status == TaskStatus.InProgress => taskSrv.updateStatus(task, null, TaskStatus.Completed)
-          case task                                         => taskSrv.updateStatus(task, null, TaskStatus.Cancel)
+          case task if task.status == TaskStatus.InProgress => taskSrv.updateStatus(task, TaskStatus.Completed)
+          case task                                         => taskSrv.updateStatus(task, TaskStatus.Cancel)
         }
         .flatMap { _ =>
           vertex.property("endDate", System.currentTimeMillis())
@@ -141,67 +158,72 @@ class CaseSrv @Inject() (
     }
   }
 
-  def updateTagNames(`case`: Case with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-    tags.toTry(tagSrv.getOrCreate).flatMap(t => updateTags(`case`, t.toSet))
-
-  def updateTags(`case`: Case with Entity, tags: Set[Tag with Entity])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val (tagsToAdd, tagsToRemove) = get(`case`)
-      .tags
-      .toIterator
-      .foldLeft((tags, Set.empty[Tag with Entity])) {
-        case ((toAdd, toRemove), t) if toAdd.contains(t) => (toAdd - t, toRemove)
-        case ((toAdd, toRemove), t)                      => (toAdd, toRemove + t)
-      }
+  def updateTags(`case`: Case with Entity, tags: Set[String])(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[(Seq[Tag with Entity], Seq[Tag with Entity])] =
     for {
+      tagsToAdd <- (tags -- `case`.tags).toTry(tagSrv.getOrCreate)
+      tagsToRemove = get(`case`).tags.toSeq.filterNot(t => tags.contains(t.toString))
       _ <- tagsToAdd.toTry(caseTagSrv.create(CaseTag(), `case`, _))
-      _ = get(`case`).removeTags(tagsToRemove)
-      _ <- auditSrv.`case`.update(`case`, Json.obj("tags" -> tags.map(_.toString)))
-    } yield ()
-  }
+      _ = if (tagsToRemove.nonEmpty) get(`case`).outE[CaseTag].filter(_.otherV.hasId(tagsToRemove.map(_._id): _*)).remove()
+      _ <- get(`case`).update(_.tags, tags.toSeq).getOrFail("Case")
+      _ <- auditSrv.`case`.update(`case`, Json.obj("tags" -> tags))
+    } yield (tagsToAdd, tagsToRemove)
 
-  def addTags(`case`: Case with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val currentTags = get(`case`)
-      .tags
-      .toSeq
-      .map(_.toString)
-      .toSet
+  def addTags(`case`: Case with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    updateTags(`case`, tags ++ `case`.tags).map(_ => ())
+
+  def createTask(`case`: Case with Entity, task: Task)(implicit graph: Graph, authContext: AuthContext): Try[RichTask] =
     for {
-      createdTags <- (tags -- currentTags).toTry(tagSrv.getOrCreate)
-      _           <- createdTags.toTry(caseTagSrv.create(CaseTag(), `case`, _))
-      _           <- auditSrv.`case`.update(`case`, Json.obj("tags" -> (currentTags ++ tags)))
-    } yield ()
-  }
+      assignee <- task.assignee.map(u => get(`case`).assignableUsers.getByName(u).getOrFail("User")).flip
+      task     <- taskSrv.create(task.copy(relatedId = `case`._id, organisationIds = Set(organisationSrv.currentId)), assignee)
+      _        <- shareSrv.shareTask(task, `case`, organisationSrv.currentId)
+    } yield task
 
-  def addObservable(`case`: Case with Entity, richObservable: RichObservable)(implicit
+  def createObservable(`case`: Case with Entity, observable: Observable, data: String)(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[Unit] = {
-    val alreadyExistInThatCase = richObservable
-      .data
-      .fold(false)(data => get(`case`).observables.data.has(_.data, data.data).exists)
+  ): Try[RichObservable] =
+    for {
+      createdObservable <- observableSrv.create(observable.copy(organisationIds = Set(organisationSrv.currentId), relatedId = `case`._id), data)
+      _                 <- shareSrv.shareObservable(createdObservable, `case`, organisationSrv.currentId)
+    } yield createdObservable
 
-    if (alreadyExistInThatCase)
-      Failure(CreateError("Observable already exists"))
-    else
-      for {
-        organisation <- organisationSrv.getOrFail(authContext.organisation)
-        _            <- shareSrv.shareObservable(richObservable, `case`, organisation)
-      } yield ()
-  }
+  def createObservable(`case`: Case with Entity, observable: Observable, attachment: Attachment with Entity)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[RichObservable] =
+    for {
+      createdObservable <- observableSrv.create(observable.copy(organisationIds = Set(organisationSrv.currentId), relatedId = `case`._id), attachment)
+      _                 <- shareSrv.shareObservable(createdObservable, `case`, organisationSrv.currentId)
+    } yield createdObservable
+
+  def createObservable(`case`: Case with Entity, observable: Observable, file: FFile)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[RichObservable] =
+    attachmentSrv.create(file).flatMap(attachment => createObservable(`case`, observable, attachment))
 
-  def remove(`case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
+  override def delete(`case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     val details = Json.obj("number" -> `case`.number, "title" -> `case`.title)
-    for {
-      organisation <- organisationSrv.getOrFail(authContext.organisation)
-      _            <- auditSrv.`case`.delete(`case`, organisation, Some(details))
-    } yield {
-      get(`case`).share.remove()
-      get(`case`).remove()
+    organisationSrv.get(authContext.organisation).getOrFail("Organisation").flatMap { organisation =>
+      shareSrv
+        .get(`case`, authContext.organisation)
+        .getOrFail("Share")
+        .flatMap {
+          case share if share.owner =>
+            get(`case`).shares.toSeq.toTry(s => shareSrv.unshareCase(s._id)).map(_ => get(`case`).remove())
+          case _ =>
+            throw BadRequestError("Your organisation must be owner of the case")
+          // shareSrv.unshareCase(share._id)
+        }
+        .map(_ => auditSrv.`case`.delete(`case`, organisation, Some(details)))
     }
   }
 
   override def getByName(name: String)(implicit graph: Graph): Traversal.V[Case] =
-    Try(startTraversal.getByNumber(name.toInt)).getOrElse(startTraversal.limit(0))
+    Try(startTraversal.getByNumber(name.toInt)).getOrElse(startTraversal.empty)
 
   def getCustomField(`case`: Case with Entity, customFieldIdOrName: EntityIdOrName)(implicit graph: Graph): Option[RichCustomField] =
     get(`case`).customFields(customFieldIdOrName).richCustomField.headOption
@@ -244,6 +266,16 @@ class CaseSrv @Inject() (
       ccfe <- caseCustomFieldSrv.create(ccf, `case`, cf)
     } yield RichCustomField(cf, ccfe)
 
+  def deleteCustomField(
+      cfIdOrName: EntityIdOrName
+  )(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    Try(
+      caseCustomFieldSrv
+        .get(cfIdOrName)
+        .filter(_.outV.v[Case])
+        .remove()
+    )
+
   def setImpactStatus(
       `case`: Case with Entity,
       impactStatus: String
@@ -254,13 +286,13 @@ class CaseSrv @Inject() (
       `case`: Case with Entity,
       impactStatus: ImpactStatus with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unsetImpactStatus()
+    get(`case`).update(_.impactStatus, Some(impactStatus.value)).outE[CaseImpactStatus].remove()
     caseImpactStatusSrv.create(CaseImpactStatus(), `case`, impactStatus)
     auditSrv.`case`.update(`case`, Json.obj("impactStatus" -> impactStatus.value))
   }
 
   def unsetImpactStatus(`case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unsetImpactStatus()
+    get(`case`).update(_.impactStatus, None).outE[CaseImpactStatus].remove()
     auditSrv.`case`.update(`case`, Json.obj("impactStatus" -> JsNull))
   }
 
@@ -274,80 +306,132 @@ class CaseSrv @Inject() (
       `case`: Case with Entity,
       resolutionStatus: ResolutionStatus with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unsetResolutionStatus()
+    get(`case`).update(_.resolutionStatus, Some(resolutionStatus.value)).outE[CaseResolutionStatus].remove()
     caseResolutionStatusSrv.create(CaseResolutionStatus(), `case`, resolutionStatus)
     auditSrv.`case`.update(`case`, Json.obj("resolutionStatus" -> resolutionStatus.value))
   }
 
   def unsetResolutionStatus(`case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unsetResolutionStatus()
+    get(`case`).update(_.resolutionStatus, None).outE[CaseResolutionStatus].remove()
     auditSrv.`case`.update(`case`, Json.obj("resolutionStatus" -> JsNull))
   }
 
   def assign(`case`: Case with Entity, user: User with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unassign()
+    get(`case`).update(_.assignee, Some(user.login)).outE[CaseUser].remove()
     caseUserSrv.create(CaseUser(), `case`, user)
     auditSrv.`case`.update(`case`, Json.obj("owner" -> user.login))
   }
 
   def unassign(`case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(`case`).unassign()
+    get(`case`).update(_.assignee, None).outE[CaseUser].remove()
     auditSrv.`case`.update(`case`, Json.obj("owner" -> JsNull))
   }
 
-  def merge(cases: Seq[Case with Entity])(implicit graph: Graph, authContext: AuthContext): RichCase = ???
-//  {
-//    val summaries         = cases.flatMap(_.summary)
-//    val user              = userSrv.getOrFail(authContext.userId)
-//    val organisation      = organisationSrv.getOrFail(authContext.organisation)
-//    val caseTaskSrv       = new EdgeSrv[CaseTask, Case, Task]
-//    val caseObservableSrv = new EdgeSrv[CaseObservable, Case, Observable] nop
-//
-//    val mergedCase = create(
-//      Case(
-//        nextCaseNumber,
-//        cases.map(_.title).mkString(" / "),
-//        cases.map(_.description).mkString("\n\n"),
-//        cases.map(_.severity).max,
-//        cases.map(_.startDate).min,
-//        None,
-//        cases.flatMap(_.tags).distinct,
-//        cases.exists(_.flag),
-//        cases.map(_.tlp).max,
-//        cases.map(_.pap).max,
-//        CaseStatus.open,
-//        if (summaries.isEmpty) None else Some(summaries.mkString("\n\n"))
-//      ))
-//    caseUserSrv.create(CaseUser(), mergedCase, user)
-//    caseOrganisationSrv.create(CaseOrganisation(), mergedCase, organisation)
-//    cases
-//      .map(get)
-//      .flatMap(_.customFields().toList
-//      .groupBy(_.name)
-//      .foreach {
-//        case (name, l) =>
-//          val values = l.collect { case cfwv: CustomFieldWithValue if cfwv.value.isDefined => cfwv.value.get }
-//          val cf     = customFieldSrv.getOrFail(name)
-//          val caseCustomField =
-//            if (values.size == 1) cf.`type`.setValue(CaseCustomField(), values.head)
-//            else CaseCustomField()
-//          caseCustomFieldSrv.create(caseCustomField, mergedCase, cf)
-//      }
-//
-//    cases.foreach(mergedFromSrv.create(MergedFrom(), mergedCase, _))
-//
-//    cases
-//      .map(get)
-//      .flatMap(_.tasks.toList
-//      .foreach(task => caseTaskSrv.create(CaseTask(), task, mergedCase))
-//
-//    cases
-//      .map(get)
-//      .flatMap(_.observables.toList
-//      .foreach(observable => observableCaseSrv.create(ObservableCase(), observable, mergedCase))
-//
-//    get(mergedCase).richCase.head
-//  }
+  def merge(cases: Seq[Case with Entity])(implicit graph: Graph, authContext: AuthContext): Try[RichCase] =
+    if (cases.size > 1 && canMerge(cases)) {
+      val mergedCase = Case(
+        cases.map(_.title).mkString(" / "),
+        cases.map(_.description).mkString("\n\n"),
+        cases.map(_.severity).max,
+        cases.map(_.startDate).min,
+        None,
+        cases.exists(_.flag),
+        cases.map(_.tlp).max,
+        cases.map(_.pap).max,
+        CaseStatus.Open,
+        cases.map(_.summary).fold(None)((s1, s2) => (s1 ++ s2).reduceOption(_ + "\n\n" + _)),
+        cases.flatMap(_.tags).distinct
+      )
+
+      val allProfilesOrgas: Seq[(Profile with Entity, Organisation with Entity)] = get(cases.head)
+        .shares
+        .project(_.by(_.profile).by(_.organisation))
+        .toSeq
+
+      for {
+        user        <- userSrv.current.getOrFail("User")
+        currentOrga <- organisationSrv.current.getOrFail("Organisation")
+        richCase    <- create(mergedCase, Some(user), currentOrga, Seq(), None, Seq())
+        // Share case with all organisations except the one who created the merged case
+        _ <-
+          allProfilesOrgas
+            .filterNot(_._2._id == currentOrga._id)
+            .toTry(profileOrg => shareSrv.shareCase(owner = false, richCase.`case`, profileOrg._2, profileOrg._1))
+        _ <- cases.toTry { c =>
+          for {
+
+            _ <- shareMergedCaseTasks(allProfilesOrgas.map(_._2), c, richCase.`case`)
+            _ <- shareMergedCaseObservables(allProfilesOrgas.map(_._2), c, richCase.`case`)
+            _ <-
+              get(c)
+                .alert
+                .update(_.caseId, Some(richCase._id))
+                .toSeq
+                .toTry(alertSrv.alertCaseSrv.create(AlertCase(), _, richCase.`case`))
+            _ <-
+              get(c)
+                .procedure
+                .toSeq
+                .toTry(caseProcedureSrv.create(CaseProcedure(), richCase.`case`, _))
+            _ <-
+              get(c)
+                .richCustomFields
+                .toSeq
+                .toTry(c => createCustomField(richCase.`case`, EntityIdOrName(c.customField.name), c.value, c.order))
+          } yield Success(())
+        }
+        _ <- cases.toTry(super.delete(_))
+      } yield richCase
+    } else
+      Failure(BadRequestError("To be able to merge, cases must have same organisation / profile pair and user must be org-admin"))
+
+  private def canMerge(cases: Seq[Case with Entity])(implicit graph: Graph, authContext: AuthContext): Boolean = {
+    val allOrgProfiles = getByIds(cases.map(_._id): _*)
+      .flatMap(_.shares.project(_.by(_.profile.value(_.name)).by(_.organisation._id)).fold)
+      .toSeq
+      .map(_.toSet)
+      .distinct
+
+    // All cases must have the same organisation / profile pair &&
+    // case organisation must match current organisation and be of org-admin profile
+    allOrgProfiles.size == 1 && allOrgProfiles
+      .head
+      .exists {
+        case (profile, orgId) => orgId == organisationSrv.currentId && profile == Profile.orgAdmin.name
+      }
+  }
+
+  private def shareMergedCaseTasks(orgs: Seq[Organisation with Entity], fromCase: Case with Entity, mergedCase: Case with Entity)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[Unit] =
+    orgs
+      .toTry { org =>
+        get(fromCase)
+          .share(org._id)
+          .tasks
+          .update(_.relatedId, mergedCase._id)
+          .richTask
+          .toSeq
+          .toTry(shareSrv.shareTask(_, mergedCase, org._id))
+      }
+      .map(_ => ())
+
+  private def shareMergedCaseObservables(orgs: Seq[Organisation with Entity], fromCase: Case with Entity, mergedCase: Case with Entity)(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[Unit] =
+    orgs
+      .toTry { org =>
+        get(fromCase)
+          .share(org._id)
+          .observables
+          .update(_.relatedId, mergedCase._id)
+          .richObservable
+          .toSeq
+          .toTry(shareSrv.shareObservable(_, mergedCase, org._id))
+      }
+      .map(_ => ())
 }
 
 object CaseOps {
@@ -361,21 +445,26 @@ object CaseOps {
 
     def getByNumber(caseNumber: Int): Traversal.V[Case] = traversal.has(_.number, caseNumber)
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Case] = visible(authContext.organisation)
-
-    def visible(organisationIdOrName: EntityIdOrName): Traversal.V[Case] =
-      traversal.filter(_.organisations.get(organisationIdOrName))
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Case] =
+      traversal.has(_.organisationIds, organisationSrv.currentId(traversal.graph, authContext))
 
     def assignee: Traversal.V[User] = traversal.out[CaseUser].v[User]
 
+    def assignedTo(userLogin: String*): Traversal.V[Case] =
+      if (userLogin.isEmpty) traversal.empty
+      else if (userLogin.size == 1) traversal.has(_.assignee, userLogin.head)
+      else traversal.has(_.assignee, P.within(userLogin: _*))
+
+    def caseTemplate: Traversal.V[CaseTemplate] = traversal.out[CaseCaseTemplate].v[CaseTemplate]
+
     def can(permission: Permission)(implicit authContext: AuthContext): Traversal.V[Case] =
       if (authContext.permissions.contains(permission))
-        traversal.filter(_.shares.filter(_.profile.has(_.permissions, permission)).organisation.current)
+        traversal.filter(_.share.profile.has(_.permissions, permission))
       else
-        traversal.limit(0)
+        traversal.empty
 
     def getLast: Traversal.V[Case] =
-      traversal.sort(_.by("number", Order.desc))
+      traversal.sort(_.by("number", Order.desc)).limit(1)
 
     def richCaseWithCustomRenderer[D, G, C <: Converter[D, G]](
         entityRenderer: Traversal.V[Case] => Traversal[D, G, C]
@@ -383,44 +472,83 @@ object CaseOps {
       traversal
         .project(
           _.by
-            .by(_.tags.v[Tag].fold)
-            .by(_.impactStatus.value(_.value).fold)
-            .by(_.resolutionStatus.value(_.value).fold)
-            .by(_.assignee.value(_.login).fold)
             .by(_.richCustomFields.fold)
             .by(entityRenderer)
             .by(_.userPermissions)
         )
         .domainMap {
-          case (caze, tags, impactStatus, resolutionStatus, user, customFields, renderedEntity, userPermissions) =>
+          case (caze, customFields, renderedEntity, userPermissions) =>
             RichCase(
               caze,
-              tags,
-              impactStatus.headOption,
-              resolutionStatus.headOption,
-              user.headOption,
               customFields,
               userPermissions
             ) -> renderedEntity
         }
 
+    def customFields: Traversal.E[CaseCustomField] = traversal.outE[CaseCustomField]
+
     def customFields(idOrName: EntityIdOrName): Traversal.E[CaseCustomField] =
       idOrName
         .fold(
-          id => traversal.outE[CaseCustomField].filter(_.inV.getByIds(id)),
-          name => traversal.outE[CaseCustomField].filter(_.inV.v[CustomField].has(_.name, name))
+          id => customFields.filter(_.inV.getByIds(id)),
+          name => customFields.filter(_.inV.v[CustomField].has(_.name, name))
         )
 
-    def customFields: Traversal.E[CaseCustomField] = traversal.outE[CaseCustomField]
-
     def richCustomFields: Traversal[RichCustomField, JMap[String, Any], Converter[RichCustomField, JMap[String, Any]]] =
-      traversal
-        .outE[CaseCustomField]
+      customFields
         .project(_.by.by(_.inV.v[CustomField]))
         .domainMap {
           case (cfv, cf) => RichCustomField(cf, cfv)
         }
 
+    def customFieldFilter(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName, predicate: P[JsValue]): Traversal.V[Case] =
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filter(_.customFields(customField).has(_.booleanValue, predicate.map(_.as[Boolean])))
+          case CustomFieldType.date    => traversal.filter(_.customFields(customField).has(_.dateValue, predicate.map(_.as[Date])))
+          case CustomFieldType.float   => traversal.filter(_.customFields(customField).has(_.floatValue, predicate.map(_.as[Double])))
+          case CustomFieldType.integer => traversal.filter(_.customFields(customField).has(_.integerValue, predicate.map(_.as[Int])))
+          case CustomFieldType.string  => traversal.filter(_.customFields(customField).has(_.stringValue, predicate.map(_.as[String])))
+        }
+        .getOrElse(traversal.empty)
+
+    def hasCustomField(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName): Traversal.V[Case] = {
+      val cfFilter = (t: Traversal.V[CustomField]) => customField.fold(id => t.hasId(id), name => t.has(_.name, name))
+
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filter(t => cfFilter(t.outE[CaseCustomField].has(_.booleanValue).inV.v[CustomField]))
+          case CustomFieldType.date    => traversal.filter(t => cfFilter(t.outE[CaseCustomField].has(_.dateValue).inV.v[CustomField]))
+          case CustomFieldType.float   => traversal.filter(t => cfFilter(t.outE[CaseCustomField].has(_.floatValue).inV.v[CustomField]))
+          case CustomFieldType.integer => traversal.filter(t => cfFilter(t.outE[CaseCustomField].has(_.integerValue).inV.v[CustomField]))
+          case CustomFieldType.string  => traversal.filter(t => cfFilter(t.outE[CaseCustomField].has(_.stringValue).inV.v[CustomField]))
+        }
+        .getOrElse(traversal.empty)
+    }
+
+    def hasNotCustomField(customFieldSrv: CustomFieldSrv, customField: EntityIdOrName): Traversal.V[Case] = {
+      val cfFilter = (t: Traversal.V[CustomField]) => customField.fold(id => t.hasId(id), name => t.has(_.name, name))
+
+      customFieldSrv
+        .get(customField)(traversal.graph)
+        .value(_.`type`)
+        .headOption
+        .map {
+          case CustomFieldType.boolean => traversal.filterNot(t => cfFilter(t.outE[CaseCustomField].has(_.booleanValue).inV.v[CustomField]))
+          case CustomFieldType.date    => traversal.filterNot(t => cfFilter(t.outE[CaseCustomField].has(_.dateValue).inV.v[CustomField]))
+          case CustomFieldType.float   => traversal.filterNot(t => cfFilter(t.outE[CaseCustomField].has(_.floatValue).inV.v[CustomField]))
+          case CustomFieldType.integer => traversal.filterNot(t => cfFilter(t.outE[CaseCustomField].has(_.integerValue).inV.v[CustomField]))
+          case CustomFieldType.string  => traversal.filterNot(t => cfFilter(t.outE[CaseCustomField].has(_.stringValue).inV.v[CustomField]))
+        }
+        .getOrElse(traversal.empty)
+    }
+
     def share(implicit authContext: AuthContext): Traversal.V[Share] = share(authContext.organisation)
 
     def share(organisation: EntityIdOrName): Traversal.V[Share] =
@@ -433,39 +561,25 @@ object CaseOps {
     def organisations(permission: Permission): Traversal.V[Organisation] =
       shares.filter(_.profile.has(_.permissions, permission)).organisation
 
-    def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], Vertex, Converter[Set[Permission], Vertex]] =
+    def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], JList[String], Converter[Set[Permission], JList[String]]] =
       traversal
         .share(authContext.organisation)
         .profile
-        .domainMap(profile => profile.permissions & authContext.permissions)
+        .value(_.permissions)
+        .fold
+        .domainMap(_.toSet & authContext.permissions)
 
     def origin: Traversal.V[Organisation] = shares.has(_.owner, true).organisation
 
-    def audits(implicit authContext: AuthContext): Traversal.V[Audit] = audits(authContext.organisation)
-
-    def audits(organisationIdOrName: EntityIdOrName): Traversal.V[Audit] =
-      traversal
-        .unionFlat(_.visible(organisationIdOrName), _.observables(organisationIdOrName), _.tasks(organisationIdOrName), _.share(organisationIdOrName))
-        .in[AuditContext]
-        .v[Audit]
-
-    // Warning: this method doesn't generate audit log
-    def unassign(): Unit =
-      traversal.outE[CaseUser].remove()
-
-    def unsetResolutionStatus(): Unit =
-      traversal.outE[CaseResolutionStatus].remove()
-
-    def unsetImpactStatus(): Unit =
-      traversal.outE[CaseImpactStatus].remove()
-
-    def removeTags(tags: Set[Tag with Entity]): Unit =
-      if (tags.nonEmpty)
-        traversal.outE[CaseTag].filter(_.otherV.hasId(tags.map(_._id).toSeq: _*)).remove()
+//    def audits(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Audit] =
+//      traversal
+//        .unionFlat(_.visible(organisationSrv), _.observables(organisationIdOrName), _.tasks(organisationIdOrName), _.share(organisationIdOrName))
+//        .in[AuditContext]
+//        .v[Audit]
 
     def linkedCases(implicit authContext: AuthContext): Seq[(RichCase, Seq[RichObservable])] = {
       val originCaseLabel = StepLabel.v[Case]
-      val observableLabel = StepLabel.v[Observable]
+      val observableLabel = StepLabel.v[Observable] // TODO add similarity on attachment
       traversal
         .as(originCaseLabel)
         .observables
@@ -484,25 +598,20 @@ object CaseOps {
         .toSeq
     }
 
+    def isShared: Traversal[Boolean, Boolean, Identity[Boolean]] =
+      traversal.choose(_.inE[ShareCase].count.is(P.gt(1)), true, false)
+
     def richCase(implicit authContext: AuthContext): Traversal[RichCase, JMap[String, Any], Converter[RichCase, JMap[String, Any]]] =
       traversal
         .project(
           _.by
-            .by(_.tags.fold)
-            .by(_.impactStatus.value(_.value).fold)
-            .by(_.resolutionStatus.value(_.value).fold)
-            .by(_.assignee.value(_.login).fold)
             .by(_.richCustomFields.fold)
             .by(_.userPermissions)
         )
         .domainMap {
-          case (caze, tags, impactStatus, resolutionStatus, user, customFields, userPermissions) =>
+          case (caze, customFields, userPermissions) =>
             RichCase(
               caze,
-              tags,
-              impactStatus.headOption,
-              resolutionStatus.headOption,
-              user.headOption,
               customFields,
               userPermissions
             )
@@ -514,20 +623,12 @@ object CaseOps {
       traversal
         .project(
           _.by
-            .by(_.tags.fold)
-            .by(_.impactStatus.value(_.value).fold)
-            .by(_.resolutionStatus.value(_.value).fold)
-            .by(_.assignee.value(_.login).fold)
             .by(_.richCustomFields.fold)
         )
         .domainMap {
-          case (caze, tags, impactStatus, resolutionStatus, user, customFields) =>
+          case (caze, customFields) =>
             RichCase(
               caze,
-              tags,
-              impactStatus.headOption,
-              resolutionStatus.headOption,
-              user.headOption,
               customFields,
               Set.empty
             )
@@ -555,6 +656,8 @@ object CaseOps {
 
     def alert: Traversal.V[Alert] = traversal.in[AlertCase].v[Alert]
 
+    def procedure: Traversal.V[Procedure] = traversal.out[CaseProcedure].v[Procedure]
+
     def isActionRequired(implicit authContext: AuthContext): Traversal[Boolean, Boolean, Converter.Identity[Boolean]] =
       traversal.choose(_.share(authContext).outE[ShareTask].has(_.actionRequired, true), true, false)
 
@@ -572,9 +675,10 @@ object CaseOps {
   }
 }
 
-class CaseIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: CaseSrv) extends IntegrityCheckOps[Case] {
+class CaseIntegrityCheckOps @Inject() (val db: Database, val service: CaseSrv, userSrv: UserSrv, caseTemplateSrv: CaseTemplateSrv)
+    extends IntegrityCheckOps[Case] {
   def removeDuplicates(): Unit =
-    duplicateEntities
+    findDuplicates()
       .foreach { entities =>
         db.tryTransaction { implicit graph =>
           resolve(entities)
@@ -594,4 +698,88 @@ class CaseIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Dat
     )
     Success(())
   }
+
+  private def organisationCheck(`case`: Case with Entity, organisationIds: Set[EntityId])(implicit graph: Graph): Seq[String] =
+    if (`case`.organisationIds == organisationIds) Nil
+    else {
+      service.get(`case`).update(_.organisationIds, organisationIds).iterate()
+      Seq("invalidOrganisationIds")
+    }
+
+  private def assigneeCheck(`case`: Case with Entity, assignees: Seq[String])(implicit graph: Graph, authContext: AuthContext): Seq[String] =
+    `case`.assignee match {
+      case None if assignees.isEmpty      => Nil
+      case Some(a) if assignees == Seq(a) => Nil
+      case None if assignees.size == 1 =>
+        service.get(`case`).update(_.assignee, assignees.headOption).iterate()
+        Seq("invalidAssigneeLink")
+      case Some(a) if assignees.isEmpty =>
+        userSrv.getByName(a).getOrFail("User") match {
+          case Success(user) =>
+            service.caseUserSrv.create(CaseUser(), `case`, user)
+            Seq("missingAssigneeLink")
+          case _ =>
+            service.get(`case`).update(_.assignee, None).iterate()
+            Seq("invalidAssignee")
+        }
+      case None if assignees.toSet.size == 1 =>
+        service.get(`case`).update(_.assignee, assignees.headOption).flatMap(_.outE[CaseUser].range(1, 100)).remove()
+        Seq("multiAssignment")
+      case _ =>
+        service.get(`case`).flatMap(_.outE[CaseUser].sort(_.by("_createdAt", Order.desc)).range(1, 100)).remove()
+        service.get(`case`).update(_.assignee, service.get(`case`).assignee.value(_.login).headOption).iterate()
+        Seq("incoherentAssignee")
+    }
+
+  def caseTemplateCheck(`case`: Case with Entity, caseTemplates: Seq[String])(implicit graph: Graph, authContext: AuthContext): Seq[String] =
+    `case`.caseTemplate match {
+      case None if caseTemplates.isEmpty        => Nil
+      case Some(ct) if caseTemplates == Seq(ct) => Nil
+      case None if caseTemplates.size == 1 =>
+        service.get(`case`).update(_.caseTemplate, caseTemplates.headOption).iterate()
+        Seq("invalidCaseTemplateLink")
+      case Some(ct) if caseTemplates.isEmpty =>
+        caseTemplateSrv.getByName(ct).getOrFail("User") match {
+          case Success(caseTemplate) =>
+            service.caseCaseTemplateSrv.create(CaseCaseTemplate(), `case`, caseTemplate)
+            Seq("missingCaseTemplateLink")
+          case _ =>
+            service.get(`case`).update(_.caseTemplate, None).iterate()
+            Seq("invalidCaseTemplate")
+        }
+      case None if caseTemplates.toSet.size == 1 =>
+        service.get(`case`).update(_.caseTemplate, caseTemplates.headOption).flatMap(_.outE[CaseCaseTemplate].range(1, 100)).remove()
+        Seq("multiCaseTemplate")
+      case _ =>
+        service.get(`case`).flatMap(_.outE[CaseCaseTemplate].sort(_.by("_createdAt", Order.asc)).range(1, 100)).remove()
+        service.get(`case`).update(_.caseTemplate, service.get(`case`).caseTemplate.value(_.name).headOption).iterate()
+        Seq("incoherentCaseTemplate")
+    }
+  override def globalCheck(): Map[String, Long] = {
+    implicit val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
+
+    db.tryTransaction { implicit graph =>
+      Try {
+        service
+          .startTraversal
+          .project(
+            _.by
+              .by(_.organisations._id.fold)
+              .by(_.assignee.value(_.login).fold)
+              .by(_.caseTemplate.value(_.name).fold)
+          )
+          .toIterator
+          .flatMap {
+            case (case0, organisationIds, assigneeIds, caseTemplateNames) if organisationIds.nonEmpty =>
+              organisationCheck(case0, organisationIds.toSet) ++ assigneeCheck(case0, assigneeIds) ++ caseTemplateCheck(case0, caseTemplateNames)
+            case (case0, _, _, _) =>
+              service.get(case0).remove()
+              Seq("orphan")
+          }
+          .toSeq
+      }
+    }.getOrElse(Seq("globalFailure"))
+      .groupBy(identity)
+      .mapValues(_.size.toLong)
+  }
 }
diff --git a/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala b/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
index 00e12667c3..cda9c8d8e1 100644
--- a/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
@@ -1,17 +1,13 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named}
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, StepLabel, Traversal}
 import org.thp.scalligraph.{CreateError, EntityIdOrName, EntityName, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
@@ -19,8 +15,11 @@ import org.thp.thehive.services.CaseTemplateOps._
 import org.thp.thehive.services.CustomFieldOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.UserOps._
 import play.api.libs.json.{JsObject, Json}
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Named}
 import scala.util.{Failure, Success, Try}
 
 class CaseTemplateSrv @Inject() (
@@ -30,8 +29,7 @@ class CaseTemplateSrv @Inject() (
     taskSrv: TaskSrv,
     auditSrv: AuditSrv,
     @Named("integrity-check-actor") integrityCheckActor: ActorRef
-)(implicit @Named("with-thehive-schema") db: Database)
-    extends VertexSrv[CaseTemplate] {
+) extends VertexSrv[CaseTemplate] {
 
   val caseTemplateTagSrv          = new EdgeSrv[CaseTemplateTag, CaseTemplate, Tag]
   val caseTemplateCustomFieldSrv  = new EdgeSrv[CaseTemplateCustomField, CaseTemplate, CustomField]
@@ -49,19 +47,7 @@ class CaseTemplateSrv @Inject() (
   def create(
       caseTemplate: CaseTemplate,
       organisation: Organisation with Entity,
-      tagNames: Set[String],
-      tasks: Seq[(Task, Option[User with Entity])],
-      customFields: Seq[(String, Option[Any])]
-  )(implicit
-      graph: Graph,
-      authContext: AuthContext
-  ): Try[RichCaseTemplate] = tagNames.toTry(tagSrv.getOrCreate).flatMap(tags => create(caseTemplate, organisation, tags, tasks, customFields))
-
-  def create(
-      caseTemplate: CaseTemplate,
-      organisation: Organisation with Entity,
-      tags: Seq[Tag with Entity],
-      tasks: Seq[(Task, Option[User with Entity])],
+      tasks: Seq[Task],
       customFields: Seq[(String, Option[Any])]
   )(implicit
       graph: Graph,
@@ -73,22 +59,20 @@ class CaseTemplateSrv @Inject() (
       for {
         createdCaseTemplate <- createEntity(caseTemplate)
         _                   <- caseTemplateOrganisationSrv.create(CaseTemplateOrganisation(), createdCaseTemplate, organisation)
-        createdTasks        <- tasks.toTry { case (task, owner) => taskSrv.create(task, owner) }
-        _                   <- createdTasks.toTry(rt => addTask(createdCaseTemplate, rt.task))
-        _                   <- tags.toTry(t => caseTemplateTagSrv.create(CaseTemplateTag(), createdCaseTemplate, t))
+        createdTasks        <- tasks.toTry(createTask(createdCaseTemplate, _))
+        _                   <- caseTemplate.tags.toTry(tagSrv.getOrCreate(_).flatMap(t => caseTemplateTagSrv.create(CaseTemplateTag(), createdCaseTemplate, t)))
         cfs                 <- customFields.zipWithIndex.toTry { case ((name, value), order) => createCustomField(createdCaseTemplate, name, value, Some(order + 1)) }
-        richCaseTemplate = RichCaseTemplate(createdCaseTemplate, organisation.name, tags, createdTasks, cfs)
+        richCaseTemplate = RichCaseTemplate(createdCaseTemplate, organisation.name, createdTasks, cfs)
         _ <- auditSrv.caseTemplate.create(createdCaseTemplate, richCaseTemplate.toJson)
       } yield richCaseTemplate
 
-  def addTask(caseTemplate: CaseTemplate with Entity, task: Task with Entity)(implicit
-      graph: Graph,
-      authContext: AuthContext
-  ): Try[Unit] =
+  def createTask(caseTemplate: CaseTemplate with Entity, task: Task)(implicit graph: Graph, authContext: AuthContext): Try[RichTask] =
     for {
-      _ <- caseTemplateTaskSrv.create(CaseTemplateTask(), caseTemplate, task)
-      _ <- auditSrv.taskInTemplate.create(task, caseTemplate, RichTask(task, None).toJson)
-    } yield ()
+      assignee <- task.assignee.map(u => organisationSrv.current.users(Permissions.manageTask).getByName(u).getOrFail("User")).flip
+      richTask <- taskSrv.create(task.copy(relatedId = caseTemplate._id, organisationIds = Set(organisationSrv.currentId)), assignee)
+      _        <- caseTemplateTaskSrv.create(CaseTemplateTask(), caseTemplate, richTask.task)
+      _        <- auditSrv.taskInTemplate.create(richTask.task, caseTemplate, richTask.toJson)
+    } yield richTask
 
   override def update(
       traversal: Traversal.V[CaseTemplate],
@@ -101,37 +85,21 @@ class CaseTemplateSrv @Inject() (
           .getOrFail("CaseTemplate")
           .flatMap(auditSrv.caseTemplate.update(_, updatedFields))
     }
-
-  def updateTagNames(caseTemplate: CaseTemplate with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-    tags.toTry(tagSrv.getOrCreate).flatMap(t => updateTags(caseTemplate, t.toSet))
-
-  def updateTags(caseTemplate: CaseTemplate with Entity, tags: Set[Tag with Entity])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val (tagsToAdd, tagsToRemove) = get(caseTemplate)
-      .tags
-      .toIterator
-      .foldLeft((tags, Set.empty[Tag with Entity])) {
-        case ((toAdd, toRemove), t) if toAdd.contains(t) => (toAdd - t, toRemove)
-        case ((toAdd, toRemove), t)                      => (toAdd, toRemove + t)
-      }
+  def updateTags(caseTemplate: CaseTemplate with Entity, tags: Set[String])(implicit
+      graph: Graph,
+      authContext: AuthContext
+  ): Try[(Seq[Tag with Entity], Seq[Tag with Entity])] =
     for {
+      tagsToAdd <- (tags -- caseTemplate.tags).toTry(tagSrv.getOrCreate)
+      tagsToRemove = get(caseTemplate).tags.toSeq.filterNot(t => tags.contains(t.toString))
       _ <- tagsToAdd.toTry(caseTemplateTagSrv.create(CaseTemplateTag(), caseTemplate, _))
-      _ = get(caseTemplate).removeTags(tagsToRemove)
-      _ <- auditSrv.caseTemplate.update(caseTemplate, Json.obj("tags" -> tags.map(_.toString)))
-    } yield ()
-  }
+      _ = if (tags.nonEmpty) get(caseTemplate).outE[CaseTemplateTag].filter(_.otherV.hasId(tagsToRemove.map(_._id): _*)).remove()
+      _ <- get(caseTemplate).update(_.tags, tags.toSeq).getOrFail("CaseTemplate")
+      _ <- auditSrv.caseTemplate.update(caseTemplate, Json.obj("tags" -> tags))
+    } yield (tagsToAdd, tagsToRemove)
 
-  def addTags(caseTemplate: CaseTemplate with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val currentTags = get(caseTemplate)
-      .tags
-      .toSeq
-      .map(_.toString)
-      .toSet
-    for {
-      createdTags <- (tags -- currentTags).toTry(tagSrv.getOrCreate)
-      _           <- createdTags.toTry(caseTemplateTagSrv.create(CaseTemplateTag(), caseTemplate, _))
-      _           <- auditSrv.caseTemplate.update(caseTemplate, Json.obj("tags" -> (currentTags ++ tags)))
-    } yield ()
-  }
+  def addTags(caseTemplate: CaseTemplate with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    updateTags(caseTemplate, tags ++ caseTemplate.tags).map(_ => ())
 
   def getCustomField(caseTemplate: CaseTemplate with Entity, customFieldName: String)(implicit graph: Graph): Option[RichCustomField] =
     get(caseTemplate).customFields(customFieldName).richCustomField.headOption
@@ -192,7 +160,7 @@ object CaseTemplateOps {
       if (authContext.permissions.contains(permission))
         traversal.filter(_.organisation.current)
       else
-        traversal.limit(0)
+        traversal.empty
 
     def richCaseTemplate: Traversal[RichCaseTemplate, JMap[String, Any], Converter[RichCaseTemplate, JMap[String, Any]]] = {
       val caseTemplateCustomFieldLabel = StepLabel.e[CaseTemplateCustomField]
@@ -201,7 +169,6 @@ object CaseTemplateOps {
         .project(
           _.by
             .by(_.organisation.value(_.name))
-            .by(_.tags.fold)
             .by(_.tasks.richTaskWithoutActionRequired.fold)
             .by(
               _.outE[CaseTemplateCustomField]
@@ -214,11 +181,10 @@ object CaseTemplateOps {
             )
         )
         .domainMap {
-          case (caseTemplate, organisation, tags, tasks, customFields) =>
+          case (caseTemplate, organisation, tasks, customFields) =>
             RichCaseTemplate(
               caseTemplate,
               organisation,
-              tags,
               tasks,
               customFields.map(cf => RichCustomField(cf._2, cf._1))
             )
@@ -231,10 +197,6 @@ object CaseTemplateOps {
 
     def tags: Traversal.V[Tag] = traversal.out[CaseTemplateTag].v[Tag]
 
-    def removeTags(tags: Set[Tag with Entity]): Unit =
-      if (tags.nonEmpty)
-        traversal.outE[CaseTemplateTag].filter(_.inV.hasId(tags.map(_._id).toSeq: _*)).remove()
-
     def customFields(name: String): Traversal.E[CaseTemplateCustomField] =
       traversal.outE[CaseTemplateCustomField].filter(_.inV.v[CustomField].has(_.name, name))
 
@@ -246,11 +208,11 @@ object CaseTemplateOps {
 }
 
 class CaseTemplateIntegrityCheckOps @Inject() (
-    @Named("with-thehive-schema") val db: Database,
+    val db: Database,
     val service: CaseTemplateSrv,
     organisationSrv: OrganisationSrv
 ) extends IntegrityCheckOps[CaseTemplate] {
-  override def duplicateEntities: Seq[Seq[CaseTemplate with Entity]] =
+  override def findDuplicates: Seq[Seq[CaseTemplate with Entity]] =
     db.roTransaction { implicit graph =>
       organisationSrv
         .startTraversal
@@ -275,4 +237,16 @@ class CaseTemplateIntegrityCheckOps @Inject() (
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] =
+    db.tryTransaction { implicit graph =>
+      Try {
+        val orphanIds = service.startTraversal.filterNot(_.organisation)._id.toSeq
+        if (orphanIds.nonEmpty) {
+          logger.warn(s"Found ${orphanIds.length} caseTemplate orphan(s) (${orphanIds.mkString(",")})")
+          service.getByIds(orphanIds: _*).remove()
+        }
+        Map("orphans" -> orphanIds.size.toLong)
+      }
+    }.getOrElse(Map("globalFailure" -> 1L))
 }
diff --git a/thehive/app/org/thp/thehive/services/ConfigContext.scala b/thehive/app/org/thp/thehive/services/ConfigContext.scala
index 7ef17ea550..096d76a2a9 100644
--- a/thehive/app/org/thp/thehive/services/ConfigContext.scala
+++ b/thehive/app/org/thp/thehive/services/ConfigContext.scala
@@ -1,16 +1,16 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.services.config.ConfigContext
 import play.api.libs.json.JsValue
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
-class UserConfigContext @Inject() (@Named("with-thehive-schema") db: Database, configSrv: ConfigSrv) extends ConfigContext[AuthContext] {
+class UserConfigContext @Inject() (db: Database, configSrv: ConfigSrv) extends ConfigContext[AuthContext] {
   override def defaultPath(path: String): String = s"user.defaults.$path"
 
   override def getValue(context: AuthContext, path: String): Option[JsValue] =
@@ -36,7 +36,7 @@ class UserConfigContext @Inject() (@Named("with-thehive-schema") db: Database, c
 }
 
 @Singleton
-class OrganisationConfigContext @Inject() (@Named("with-thehive-schema") db: Database, configSrv: ConfigSrv) extends ConfigContext[AuthContext] {
+class OrganisationConfigContext @Inject() (db: Database, configSrv: ConfigSrv) extends ConfigContext[AuthContext] {
   override def defaultPath(path: String): String = s"organisation.defaults.$path"
 
   override def getValue(context: AuthContext, path: String): Option[JsValue] =
diff --git a/thehive/app/org/thp/thehive/services/ConfigSrv.scala b/thehive/app/org/thp/thehive/services/ConfigSrv.scala
index f4d7683165..cbbbc0459b 100644
--- a/thehive/app/org/thp/thehive/services/ConfigSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ConfigSrv.scala
@@ -1,12 +1,10 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.{EdgeSrv, VertexSrv}
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, StepLabel, Traversal}
 import org.thp.scalligraph.{EntityId, EntityIdOrName}
 import org.thp.thehive.models._
 import org.thp.thehive.services.ConfigOps._
@@ -16,13 +14,14 @@ import org.thp.thehive.services.notification.NotificationSrv
 import org.thp.thehive.services.notification.triggers.Trigger
 import play.api.libs.json.{JsValue, Reads}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
 class ConfigSrv @Inject() (
     organisationSrv: OrganisationSrv,
     userSrv: UserSrv
-)(@Named("with-thehive-schema") implicit val db: Database)
+)(implicit val db: Database)
     extends VertexSrv[Config] {
   val organisationConfigSrv = new EdgeSrv[OrganisationConfig, Organisation, Config]
   val userConfigSrv         = new EdgeSrv[UserConfig, User, Config]
diff --git a/thehive/app/org/thp/thehive/services/Connector.scala b/thehive/app/org/thp/thehive/services/Connector.scala
index e53de30a9d..fec3027ce2 100644
--- a/thehive/app/org/thp/thehive/services/Connector.scala
+++ b/thehive/app/org/thp/thehive/services/Connector.scala
@@ -1,12 +1,10 @@
 package org.thp.thehive.services
 
-import org.thp.scalligraph.models.SchemaStatus
 import org.thp.thehive.models.HealthStatus
 import play.api.libs.json.{JsObject, Json}
 
 trait Connector {
   val name: String
-  def status: JsObject                   = Json.obj("enabled" -> true)
-  def health: HealthStatus.Value         = HealthStatus.Ok
-  def schemaStatus: Option[SchemaStatus] = None
+  def status: JsObject           = Json.obj("enabled" -> true)
+  def health: HealthStatus.Value = HealthStatus.Ok
 }
diff --git a/thehive/app/org/thp/thehive/services/CustomFieldSrv.scala b/thehive/app/org/thp/thehive/services/CustomFieldSrv.scala
index 51be2623bc..5b0c9af5be 100644
--- a/thehive/app/org/thp/thehive/services/CustomFieldSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CustomFieldSrv.scala
@@ -1,10 +1,7 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.{Edge, Graph}
+import org.apache.tinkerpop.gremlin.structure.Edge
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.PropertyUpdater
@@ -15,17 +12,25 @@ import org.thp.scalligraph.{EntityIdOrName, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.CustomFieldOps._
+import play.api.cache.SyncCacheApi
 import play.api.libs.json.{JsObject, JsValue}
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
-class CustomFieldSrv @Inject() (auditSrv: AuditSrv, organisationSrv: OrganisationSrv, @Named("integrity-check-actor") integrityCheckActor: ActorRef)(
-    implicit @Named("with-thehive-schema") db: Database
+class CustomFieldSrv @Inject() (
+    auditSrv: AuditSrv,
+    organisationSrv: OrganisationSrv,
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef,
+    cacheApi: SyncCacheApi
 ) extends VertexSrv[CustomField] {
 
   override def createEntity(e: CustomField)(implicit graph: Graph, authContext: AuthContext): Try[CustomField with Entity] = {
     integrityCheckActor ! EntityAdded("CustomField")
+    cacheApi.remove("describe.v0")
+    cacheApi.remove("describe.v1")
     super.createEntity(e)
   }
 
@@ -39,6 +44,8 @@ class CustomFieldSrv @Inject() (auditSrv: AuditSrv, organisationSrv: Organisatio
 
   def delete(c: CustomField with Entity, force: Boolean)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     get(c).remove() // TODO use force
+    cacheApi.remove("describe.v0")
+    cacheApi.remove("describe.v1")
     organisationSrv.getOrFail(authContext.organisation).flatMap { organisation =>
       auditSrv.customField.delete(c, organisation)
     }
@@ -60,7 +67,11 @@ class CustomFieldSrv @Inject() (auditSrv: AuditSrv, organisationSrv: Organisatio
         customFieldSteps
           .clone()
           .getOrFail("CustomFields")
-          .flatMap(auditSrv.customField.update(_, updatedFields))
+          .flatMap { cf =>
+            cacheApi.remove("describe.v0")
+            cacheApi.remove("describe.v1")
+            auditSrv.customField.update(cf, updatedFields)
+          }
     }
 
   override def getByName(name: String)(implicit graph: Graph): Traversal.V[CustomField] =
@@ -135,16 +146,16 @@ object CustomFieldOps {
         }
 
     def selectValue: Traversal[Any, JMap[String, Any], Converter[Any, JMap[String, Any]]] =
-      traversal.choose[String, Any](
+      traversal.chooseValue(
         _.on(
           _.inV
             .v[CustomField]
             .value(_.`type`)
-        ).option("boolean", _.value(_.booleanValue).cast[Any, Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
-          .option("date", _.value(_.dateValue).cast[Any, Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
-          .option("float", _.value(_.floatValue).cast[Any, Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
-          .option("integer", _.value(_.integerValue).cast[Any, Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
-          .option("string", _.value(_.stringValue).cast[Any, Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
+        ).option("boolean", _.value(_.booleanValue).widen[Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
+          .option("date", _.value(_.dateValue).widen[Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
+          .option("float", _.value(_.floatValue).widen[Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
+          .option("integer", _.value(_.integerValue).widen[Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
+          .option("string", _.value(_.stringValue).widen[Any].setConverter[Any, Converter.Identity[Any]](Converter.identity[Any]))
       )
 
 //    def value: Traversal[Any, JMap[String, Any], Converter[Any, JMap[String, Any]]] =
@@ -174,8 +185,7 @@ object CustomFieldOps {
 
 }
 
-class CustomFieldIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: CustomFieldSrv)
-    extends IntegrityCheckOps[CustomField] {
+class CustomFieldIntegrityCheckOps @Inject() (val db: Database, val service: CustomFieldSrv) extends IntegrityCheckOps[CustomField] {
   override def resolve(entities: Seq[CustomField with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -184,4 +194,6 @@ class CustomFieldIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/DashboardSrv.scala b/thehive/app/org/thp/thehive/services/DashboardSrv.scala
index ddedda2344..9da90a3c19 100644
--- a/thehive/app/org/thp/thehive/services/DashboardSrv.scala
+++ b/thehive/app/org/thp/thehive/services/DashboardSrv.scala
@@ -1,28 +1,24 @@
 package org.thp.thehive.services
 
-import java.util.{List => JList, Map => JMap}
-
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.UserOps._
 import play.api.libs.json.{JsObject, Json}
 
+import java.util.{List => JList, Map => JMap}
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
-class DashboardSrv @Inject() (organisationSrv: OrganisationSrv, userSrv: UserSrv, auditSrv: AuditSrv)(implicit
-    @Named("with-thehive-schema") db: Database
-) extends VertexSrv[Dashboard] {
+class DashboardSrv @Inject() (organisationSrv: OrganisationSrv, userSrv: UserSrv, auditSrv: AuditSrv) extends VertexSrv[Dashboard] {
   val organisationDashboardSrv = new EdgeSrv[OrganisationDashboard, Organisation, Dashboard]
   val dashboardUserSrv         = new EdgeSrv[DashboardUser, Dashboard, User]
 
@@ -31,8 +27,9 @@ class DashboardSrv @Inject() (organisationSrv: OrganisationSrv, userSrv: UserSrv
       createdDashboard <- createEntity(dashboard)
       user             <- userSrv.current.getOrFail("User")
       _                <- dashboardUserSrv.create(DashboardUser(), createdDashboard, user)
-      _                <- auditSrv.dashboard.create(createdDashboard, RichDashboard(createdDashboard, Map.empty).toJson)
-    } yield RichDashboard(createdDashboard, Map.empty)
+      richDashboard = RichDashboard(createdDashboard, Map.empty, writable = true)
+      _ <- auditSrv.dashboard.create(createdDashboard, richDashboard.toJson)
+    } yield richDashboard
 
   override def update(
       traversal: Traversal.V[Dashboard],
@@ -87,7 +84,7 @@ object DashboardOps {
   implicit class DashboardOpsDefs(traversal: Traversal.V[Dashboard]) {
 
     def get(idOrName: EntityIdOrName): Traversal.V[Dashboard] =
-      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+      idOrName.fold(traversal.getByIds(_), _ => traversal.empty)
 
     def visible(implicit authContext: AuthContext): Traversal.V[Dashboard] =
       traversal.filter(_.or(_.user.current, _.organisation.current))
@@ -111,14 +108,15 @@ object DashboardOps {
         .fold
         .domainMap(_.map { case (writable, orgs) => (orgs.value[String]("name"), writable) })
 
-    def richDashboard: Traversal[RichDashboard, JMap[String, Any], Converter[RichDashboard, JMap[String, Any]]] =
+    def richDashboard(implicit authContext: AuthContext): Traversal[RichDashboard, JMap[String, Any], Converter[RichDashboard, JMap[String, Any]]] =
       traversal
         .project(
           _.by
             .by(_.organisationShares)
+            .by(_.choose(_.canUpdate, true, false))
         )
         .domainMap {
-          case (dashboard, organisationShares) => RichDashboard(dashboard, organisationShares.toMap)
+          case (dashboard, organisationShares, writable) => RichDashboard(dashboard, organisationShares.toMap, writable)
         }
 
   }
diff --git a/thehive/app/org/thp/thehive/services/DataSrv.scala b/thehive/app/org/thp/thehive/services/DataSrv.scala
index 1471129e20..f40ce08c81 100644
--- a/thehive/app/org/thp/thehive/services/DataSrv.scala
+++ b/thehive/app/org/thp/thehive/services/DataSrv.scala
@@ -1,24 +1,22 @@
 package org.thp.thehive.services
 
-import java.lang.{Long => JLong}
-
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.{Graph, T}
+import org.apache.tinkerpop.gremlin.structure.T
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.{VertexSrv, _}
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.thehive.models._
 import org.thp.thehive.services.DataOps._
 
+import java.lang.{Long => JLong}
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
-class DataSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef)(implicit @Named("with-thehive-schema") db: Database)
-    extends VertexSrv[Data] {
+class DataSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef) extends VertexSrv[Data] {
   override def createEntity(e: Data)(implicit graph: Graph, authContext: AuthContext): Try[Data with Entity] =
     super.createEntity(e).map { data =>
       integrityCheckActor ! EntityAdded("Data")
@@ -32,6 +30,9 @@ class DataSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: Ac
       .fold(createEntity(e))(Success(_))
 
   override def exists(e: Data)(implicit graph: Graph): Boolean = startTraversal.getByData(e.data).exists
+
+  override def getByName(name: String)(implicit graph: Graph): Traversal.V[Data] =
+    startTraversal.getByData(name)
 }
 
 object DataOps {
@@ -56,7 +57,7 @@ object DataOps {
 
 }
 
-class DataIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: DataSrv) extends IntegrityCheckOps[Data] {
+class DataIntegrityCheckOps @Inject() (val db: Database, val service: DataSrv) extends IntegrityCheckOps[Data] {
   override def resolve(entities: Seq[Data with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -65,4 +66,15 @@ class DataIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Dat
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] =
+    db.tryTransaction { implicit graph =>
+      Try {
+        val orphans = service.startTraversal.filterNot(_.inE[ObservableData])._id.toSeq
+        if (orphans.nonEmpty) {
+          service.getByIds(orphans: _*).remove()
+          Map("orphan" -> orphans.size.toLong)
+        } else Map.empty[String, Long]
+      }
+    }.getOrElse(Map("globalFailure" -> 1L))
 }
diff --git a/thehive/app/org/thp/thehive/services/FlowActor.scala b/thehive/app/org/thp/thehive/services/FlowActor.scala
index b92fa907ab..578852f73e 100644
--- a/thehive/app/org/thp/thehive/services/FlowActor.scala
+++ b/thehive/app/org/thp/thehive/services/FlowActor.scala
@@ -1,40 +1,50 @@
 package org.thp.thehive.services
 
-import java.util.Date
-
 import akka.actor.{Actor, ActorRef, ActorSystem, PoisonPill, Props}
 import akka.cluster.singleton.{ClusterSingletonManager, ClusterSingletonManagerSettings, ClusterSingletonProxy, ClusterSingletonProxySettings}
-import com.google.inject.name.Names
-import com.google.inject.{Injector, Key => GuiceKey}
-import javax.inject.{Inject, Provider, Singleton}
-import org.apache.tinkerpop.gremlin.process.traversal.{Order, P}
+import com.google.inject.Injector
+import org.apache.tinkerpop.gremlin.process.traversal.Order
+import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.services.EventSrv
 import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.scalligraph.{EntityId, EntityIdOrName}
 import org.thp.thehive.GuiceAkkaExtension
+import org.thp.thehive.models.{Audit, AuditContext}
 import org.thp.thehive.services.AuditOps._
 import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.TaskOps._
 import play.api.cache.SyncCacheApi
 
+import java.util.Date
+import javax.inject.{Inject, Provider, Singleton}
 import scala.concurrent.duration.FiniteDuration
 
 sealed trait FlowMessage
-case class FlowId(organisation: EntityIdOrName, caseId: Option[EntityIdOrName]) extends FlowMessage {
-  override def toString: String = s"$organisation;${caseId.getOrElse("-")}"
+case class FlowId(caseId: Option[EntityIdOrName])(implicit val authContext: AuthContext) extends FlowMessage {
+  def organisationId: Option[EntityId] = authContext.organisation.fold(Some(_), _ => None)
+}
+object FlowId {
+  def toString(organisationId: EntityId, caseId: Option[EntityIdOrName]): String =
+    s"$organisationId;${caseId.getOrElse("-")}"
 }
 case class AuditIds(ids: Seq[EntityId]) extends FlowMessage
 
 class FlowActor extends Actor {
 
-  lazy val injector: Injector           = GuiceAkkaExtension(context.system).injector
-  lazy val cache: SyncCacheApi          = injector.getInstance(classOf[SyncCacheApi])
-  lazy val auditSrv: AuditSrv           = injector.getInstance(classOf[AuditSrv])
-  lazy val caseSrv: CaseSrv             = injector.getInstance(classOf[CaseSrv])
-  lazy val db: Database                 = injector.getInstance(GuiceKey.get(classOf[Database], Names.named("with-thehive-schema")))
-  lazy val appConfig: ApplicationConfig = injector.getInstance(classOf[ApplicationConfig])
+  lazy val injector: Injector               = GuiceAkkaExtension(context.system).injector
+  lazy val cache: SyncCacheApi              = injector.getInstance(classOf[SyncCacheApi])
+  lazy val auditSrv: AuditSrv               = injector.getInstance(classOf[AuditSrv])
+  lazy val caseSrv: CaseSrv                 = injector.getInstance(classOf[CaseSrv])
+  lazy val observableSrv: ObservableSrv     = injector.getInstance(classOf[ObservableSrv])
+  lazy val organisationSrv: OrganisationSrv = injector.getInstance(classOf[OrganisationSrv])
+  lazy val taskSrv: TaskSrv                 = injector.getInstance(classOf[TaskSrv])
+  lazy val db: Database                     = injector.getInstance(classOf[Database])
+  lazy val appConfig: ApplicationConfig     = injector.getInstance(classOf[ApplicationConfig])
   lazy val maxAgeConfig: ConfigItem[FiniteDuration, FiniteDuration] =
     appConfig.item[FiniteDuration]("flow.maxAge", "Max age of audit logs shown in initial flow")
   def fromDate: Date = new Date(System.currentTimeMillis() - maxAgeConfig.get.toMillis)
@@ -42,18 +52,44 @@ class FlowActor extends Actor {
   lazy val eventSrv: EventSrv   = injector.getInstance(classOf[EventSrv])
   override def preStart(): Unit = eventSrv.subscribe(StreamTopic(), self)
   override def postStop(): Unit = eventSrv.unsubscribe(StreamTopic(), self)
+
+  def flowQuery(
+      caseId: Option[EntityIdOrName]
+  )(implicit graph: Graph, authContext: AuthContext): Traversal[EntityId, AnyRef, Converter[EntityId, AnyRef]] =
+    caseId match {
+      case None =>
+        auditSrv
+          .startTraversal
+          .has(_.mainAction, true)
+          .sort(_.by("_createdAt", Order.desc))
+          .visible(organisationSrv)
+          .limit(10)
+          ._id
+      case Some(cid) =>
+        graph
+          .union(
+            caseSrv.filterTraversal(_).get(cid).visible(organisationSrv).in[AuditContext],
+            observableSrv.filterTraversal(_).visible(organisationSrv).relatedTo(caseSrv.caseId(cid)).in[AuditContext],
+            taskSrv.filterTraversal(_).visible(organisationSrv).relatedTo(caseSrv.caseId(cid)).in[AuditContext]
+          )
+          .v[Audit]
+          .has(_.mainAction, true)
+          .sort(_.by("_createdAt", Order.desc))
+          .limit(10)
+          ._id
+
+    }
+
   override def receive: Receive = {
-    case flowId @ FlowId(organisation, caseId) =>
-      val auditIds = cache.getOrElseUpdate(flowId.toString) {
+    case flowId: FlowId =>
+      val organisationId = flowId.organisationId.getOrElse {
+        db.roTransaction { implicit graph =>
+          organisationSrv.currentId(graph, flowId.authContext)
+        }
+      }
+      val auditIds = cache.getOrElseUpdate(FlowId.toString(organisationId, flowId.caseId)) {
         db.roTransaction { implicit graph =>
-          caseId
-            .fold(auditSrv.startTraversal.has(_.mainAction, true).has(_._createdAt, P.gt(fromDate)).visible(organisation))(
-              caseSrv.get(_).audits(organisation)
-            )
-            .sort(_.by("_createdAt", Order.desc))
-            .range(0, 10)
-            ._id
-            .toSeq
+          flowQuery(flowId.caseId)(graph, flowId.authContext).toSeq
         }
       }
       sender ! AuditIds(auditIds)
@@ -64,18 +100,18 @@ class FlowActor extends Actor {
           .has(_.mainAction, true)
           .project(
             _.by(_._id)
-              .by(_.organisation._id.fold)
-              .by(_.`case`._id.fold)
+              .by(_.organisationIds.dedup().fold)
+              .by(_.caseId.fold)
           )
           .toIterator
           .foreach {
             case (id, organisations, cases) =>
               organisations.foreach { organisation =>
-                val cacheKey = FlowId(organisation, None).toString
+                val cacheKey = FlowId.toString(organisation, None)
                 val ids      = cache.get[List[String]](cacheKey).getOrElse(Nil)
                 cache.set(cacheKey, (id :: ids).take(10))
                 cases.foreach { caseId =>
-                  val cacheKey: String = FlowId(organisation, Some(caseId)).toString
+                  val cacheKey: String = FlowId.toString(organisation, Some(caseId))
                   val ids              = cache.get[List[String]](cacheKey).getOrElse(Nil)
                   cache.set(cacheKey, (id :: ids).take(10))
                 }
diff --git a/thehive/app/org/thp/thehive/services/FlowSerializer.scala b/thehive/app/org/thp/thehive/services/FlowSerializer.scala
index 9cff3137d6..518b946cd3 100644
--- a/thehive/app/org/thp/thehive/services/FlowSerializer.scala
+++ b/thehive/app/org/thp/thehive/services/FlowSerializer.scala
@@ -1,7 +1,9 @@
 package org.thp.thehive.services
 
 import akka.serialization.Serializer
+import org.thp.scalligraph.auth.{AuthContextImpl, Permission}
 import org.thp.scalligraph.{EntityId, EntityIdOrName}
+import play.api.libs.json._
 
 import java.io.NotSerializableException
 
@@ -10,23 +12,39 @@ class FlowSerializer extends Serializer {
 
   override def includeManifest: Boolean = false
 
+  def readFlowId(input: String): FlowId = {
+    val json = Json.parse(input)
+    FlowId((json \ "caseId").asOpt[String].map(EntityIdOrName.apply))(
+      AuthContextImpl(
+        (json \ "userId").as[String],
+        (json \ "userName").as[String],
+        EntityIdOrName((json \ "organisation").as[String]),
+        (json \ "requestId").as[String],
+        (json \ "permissions").as[Set[String]].map(Permission.apply)
+      )
+    )
+  }
+  def writeFlowId(flowId: FlowId): JsObject =
+    Json.obj(
+      "caseId"       -> flowId.caseId.fold[JsValue](JsNull)(c => JsString(c.toString)),
+      "userId"       -> flowId.authContext.userId,
+      "userName"     -> flowId.authContext.userName,
+      "organisation" -> flowId.authContext.organisation.toString,
+      "requestId"    -> flowId.authContext.requestId,
+      "permissions"  -> flowId.authContext.permissions
+    )
+
   override def toBinary(o: AnyRef): Array[Byte] =
     o match {
-      case FlowId(organisation, None)         => 0.toByte +: organisation.toString.getBytes
-      case FlowId(organisation, Some(caseId)) => 1.toByte +: s"$organisation|$caseId".getBytes
-      case AuditIds(ids)                      => 2.toByte +: ids.map(_.value).mkString("|").getBytes
-      case _                                  => throw new NotSerializableException
+      case f: FlowId     => 0.toByte +: writeFlowId(f).toString().getBytes
+      case AuditIds(ids) => 1.toByte +: ids.map(_.value).mkString("|").getBytes
+      case _             => throw new NotSerializableException
     }
 
   override def fromBinary(bytes: Array[Byte], manifest: Option[Class[_]]): AnyRef =
     bytes(0) match {
-      case 0 => FlowId(EntityIdOrName(new String(bytes.tail)), None)
-      case 1 =>
-        new String(bytes.tail).split('|') match {
-          case Array(organisation, caseId) => FlowId(EntityIdOrName(organisation), Some(EntityIdOrName(caseId)))
-          case _                           => throw new NotSerializableException
-        }
-      case 2 => AuditIds(new String(bytes.tail).split('|').toSeq.map(EntityId.apply))
+      case 0 => readFlowId(new String(bytes.tail))
+      case 1 => AuditIds(new String(bytes.tail).split('|').toSeq.map(EntityId.apply))
       case _ => throw new NotSerializableException
     }
 }
diff --git a/thehive/app/org/thp/thehive/services/ImpactStatusSrv.scala b/thehive/app/org/thp/thehive/services/ImpactStatusSrv.scala
index 43b9ab1a33..3444fd8315 100644
--- a/thehive/app/org/thp/thehive/services/ImpactStatusSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ImpactStatusSrv.scala
@@ -1,23 +1,20 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.{IntegrityCheckOps, VertexSrv}
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.{CreateError, EntityIdOrName}
 import org.thp.thehive.models.ImpactStatus
 import org.thp.thehive.services.ImpactStatusOps._
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
-class ImpactStatusSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef)(implicit
-    @Named("with-thehive-schema") db: Database
-) extends VertexSrv[ImpactStatus] {
+class ImpactStatusSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef) extends VertexSrv[ImpactStatus] {
 
   override def getByName(name: String)(implicit graph: Graph): Traversal.V[ImpactStatus] =
     startTraversal.getByName(name)
@@ -45,8 +42,7 @@ object ImpactStatusOps {
   }
 }
 
-class ImpactStatusIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: ImpactStatusSrv)
-    extends IntegrityCheckOps[ImpactStatus] {
+class ImpactStatusIntegrityCheckOps @Inject() (val db: Database, val service: ImpactStatusSrv) extends IntegrityCheckOps[ImpactStatus] {
   override def resolve(entities: Seq[ImpactStatus with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -55,4 +51,6 @@ class ImpactStatusIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/IntegrityCheckActor.scala b/thehive/app/org/thp/thehive/services/IntegrityCheckActor.scala
index e864d75cd2..4e26cf9682 100644
--- a/thehive/app/org/thp/thehive/services/IntegrityCheckActor.scala
+++ b/thehive/app/org/thp/thehive/services/IntegrityCheckActor.scala
@@ -1,52 +1,124 @@
 package org.thp.thehive.services
 
-import java.util.{Set => JSet}
-
 import akka.actor.{Actor, ActorRef, ActorSystem, Cancellable, PoisonPill, Props}
 import akka.cluster.singleton.{ClusterSingletonManager, ClusterSingletonManagerSettings, ClusterSingletonProxy, ClusterSingletonProxySettings}
 import com.google.inject.util.Types
 import com.google.inject.{Injector, Key, TypeLiteral}
-import javax.inject.{Inject, Provider, Singleton}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Schema}
+import org.thp.scalligraph.services.config.ApplicationConfig.finiteDurationFormat
+import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.services.{GenIntegrityCheckOps, IntegrityCheckOps}
 import org.thp.thehive.GuiceAkkaExtension
-import play.api.{Configuration, Logger}
+import play.api.Logger
 
+import java.util.concurrent.Executors
+import java.util.{Set => JSet}
+import javax.inject.{Inject, Provider, Singleton}
 import scala.collection.JavaConverters._
 import scala.collection.immutable
-import scala.concurrent.duration.{Duration, FiniteDuration}
-import scala.util.Success
+import scala.concurrent.duration.{Duration, FiniteDuration, NANOSECONDS}
+import scala.concurrent.{ExecutionContext, Future}
+import scala.util.{Random, Success}
 
 sealed trait IntegrityCheckMessage
-case class EntityAdded(name: String) extends IntegrityCheckMessage
-case class NeedCheck(name: String)   extends IntegrityCheckMessage
-case class Check(name: String)       extends IntegrityCheckMessage
+case class EntityAdded(name: String)                                      extends IntegrityCheckMessage
+case class NeedCheck(name: String)                                        extends IntegrityCheckMessage
+case class DuplicationCheck(name: String)                                 extends IntegrityCheckMessage
+case class DuplicationCheckResult(name: String, stats: Map[String, Long]) extends IntegrityCheckMessage
+case class GlobalCheckRequest(name: String)                               extends IntegrityCheckMessage
+case class GlobalCheckResult(name: String, stats: Map[String, Long])      extends IntegrityCheckMessage
+case class GetCheckStats(name: String)                                    extends IntegrityCheckMessage
+
+case class CheckStats(global: Map[String, Long], last: Map[String, Long], lastDate: Long) extends IntegrityCheckMessage {
+  def +(stats: Map[String, Long]): CheckStats = {
+    val mergedMap = (stats.keySet ++ global.keySet).map(k => k -> (global.getOrElse(k, 0L) + stats.getOrElse(k, 0L))).toMap
+    CheckStats(mergedMap + ("iteration" -> (mergedMap.getOrElse("iteration", 0L) + 1)), stats, System.currentTimeMillis())
+  }
+}
+object CheckState {
+  val empty: CheckState = {
+    val emptyStats = CheckStats(Map.empty, Map.empty, 0L)
+    CheckState(needCheck = true, None, emptyStats, emptyStats, 0L)
+  }
+}
+case class CheckState(
+    needCheck: Boolean,
+    duplicateTimer: Option[Cancellable],
+    duplicateStats: CheckStats,
+    globalStats: CheckStats,
+    globalCheckRequestTime: Long
+)
 
 class IntegrityCheckActor() extends Actor {
 
+  import context.dispatcher
+
   lazy val logger: Logger               = Logger(getClass)
   lazy val injector: Injector           = GuiceAkkaExtension(context.system).injector
-  lazy val configuration: Configuration = injector.getInstance(classOf[Configuration])
+  lazy val appConfig: ApplicationConfig = injector.getInstance(classOf[ApplicationConfig])
   lazy val integrityCheckOps: immutable.Set[IntegrityCheckOps[_ <: Product]] = injector
     .getInstance(Key.get(TypeLiteral.get(Types.setOf(classOf[GenIntegrityCheckOps]))))
     .asInstanceOf[JSet[IntegrityCheckOps[_ <: Product]]]
     .asScala
     .toSet
-  lazy val db: Database                       = injector.getInstance(classOf[Database])
-  lazy val schema: Schema                     = injector.getInstance(classOf[Schema])
-  lazy val defaultInitalDelay: FiniteDuration = configuration.get[FiniteDuration]("integrityCheck.default.initialDelay")
+  lazy val db: Database                            = injector.getInstance(classOf[Database])
+  lazy val schema: Schema                          = injector.getInstance(classOf[Schema])
+  lazy val checkExecutionContext: ExecutionContext = ExecutionContext.fromExecutorService(Executors.newFixedThreadPool(1))
+
+  val defaultInitialDelayConfig: ConfigItem[FiniteDuration, FiniteDuration] =
+    appConfig.item[FiniteDuration]("integrityCheck.default.initialDelay", "Default delay between the creation of data and the check")
+
+  def defaultInitialDelay: FiniteDuration = defaultInitialDelayConfig.get
+
+  val defaultIntervalConfig: ConfigItem[FiniteDuration, FiniteDuration] =
+    appConfig.item[FiniteDuration]("integrityCheck.default.interval", "Default interval between two checks")
+
+  def defaultInterval: FiniteDuration = defaultIntervalConfig.get
+
+  val defaultGlobalCheckIntervalConfig: ConfigItem[FiniteDuration, FiniteDuration] =
+    appConfig.item[FiniteDuration]("integrityCheck.default.globalInterval", "Default interval between two global checks")
+
+  def defaultGlobalCheckInterval: FiniteDuration = defaultGlobalCheckIntervalConfig.get
+
+  integrityCheckOps.map(_.name).foreach { name =>
+    appConfig.item[FiniteDuration](s"integrityCheck.$name.initialDelay", s"Delay between the creation of data and the check for $name")
+    appConfig.item[FiniteDuration](s"integrityCheck.$name.interval", s"Interval between two checks for $name")
+    appConfig.item[FiniteDuration](s"integrityCheck.$name.globalInterval", s"Interval between two global checks for $name")
+  }
+
   def initialDelay(name: String): FiniteDuration =
-    configuration.getOptional[FiniteDuration](s"integrityCheck.$name.initialDelay").getOrElse(defaultInitalDelay)
-  lazy val defaultInterval: FiniteDuration = configuration.get[FiniteDuration]("integrityCheck.default.interval")
+    appConfig
+      .get(s"integrityCheck.$name.initialDelay")
+      .asInstanceOf[Option[ConfigItem[FiniteDuration, FiniteDuration]]]
+      .fold(defaultInitialDelay)(_.get)
+
   def interval(name: String): FiniteDuration =
-    configuration.getOptional[FiniteDuration](s"integrityCheck.$name.interval").getOrElse(defaultInitalDelay)
+    appConfig
+      .get(s"integrityCheck.$name.interval")
+      .asInstanceOf[Option[ConfigItem[FiniteDuration, FiniteDuration]]]
+      .fold(defaultInterval)(_.get)
+
+  def globalInterval(name: String): FiniteDuration =
+    appConfig
+      .get(s"integrityCheck.$name.globalInterval")
+      .asInstanceOf[Option[ConfigItem[FiniteDuration, FiniteDuration]]]
+      .fold(defaultGlobalCheckInterval)(_.get)
 
   lazy val integrityCheckMap: Map[String, IntegrityCheckOps[_]] =
     integrityCheckOps.map(d => d.name -> d).toMap
-  def check(name: String): Unit = integrityCheckMap.get(name).foreach(_.check())
+
+  def duplicationCheck(name: String): Map[String, Long] = {
+    val startDate = System.currentTimeMillis()
+    val result    = integrityCheckMap.get(name).fold(Map("checkNotFound" -> 1L))(_.duplicationCheck())
+    val endDate   = System.currentTimeMillis()
+    result + ("startDate" -> startDate) + ("endDate" -> endDate) + ("duration" -> (endDate - startDate))
+  }
+
+  private var globalTimers: Seq[Cancellable] = Nil
 
   override def preStart(): Unit = {
+    super.preStart()
     implicit val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
     integrityCheckOps.foreach { integrityCheck =>
       db.tryTransaction { implicit graph =>
@@ -54,34 +126,105 @@ class IntegrityCheckActor() extends Actor {
       }
     }
     integrityCheckOps.foreach { integrityCheck =>
-      Success(integrityCheck.check())
+      self ! DuplicationCheck(integrityCheck.name)
+    }
+    globalTimers = integrityCheckOps.map { integrityCheck =>
+      val interval     = globalInterval(integrityCheck.name)
+      val initialDelay = FiniteDuration((interval.toNanos * Random.nextDouble()).round, NANOSECONDS)
+      context
+        .system
+        .scheduler
+        .scheduleWithFixedDelay(initialDelay, interval) { () =>
+          logger.debug(s"Global check of ${integrityCheck.name}")
+          val startDate = System.currentTimeMillis()
+          val result    = integrityCheck.globalCheck()
+          val duration  = System.currentTimeMillis() - startDate
+          self ! GlobalCheckResult(integrityCheck.name, result + ("duration" -> duration))
+        }
+    }.toSeq
+  }
+
+  override def postStop(): Unit = {
+    super.postStop()
+    globalTimers.foreach(_.cancel())
+  }
+
+  override def receive: Receive = {
+    val globalTimers = integrityCheckOps.map { integrityCheck =>
+      val interval     = globalInterval(integrityCheck.name)
+      val initialDelay = FiniteDuration((interval.toNanos * Random.nextDouble()).round, NANOSECONDS)
+      context
+        .system
+        .scheduler
+        .scheduleWithFixedDelay(initialDelay, interval) { () =>
+          logger.debug(s"Global check of ${integrityCheck.name}")
+          val startDate = System.currentTimeMillis()
+          val result    = integrityCheckMap.get(integrityCheck.name).fold(Map("checkNotFound" -> 1L))(_.globalCheck())
+          val duration  = System.currentTimeMillis() - startDate
+          self ! GlobalCheckResult(integrityCheck.name, result + ("duration" -> duration))
+        }
+      integrityCheck.name -> CheckState.empty
     }
+    receive(globalTimers.toMap)
   }
-  override def receive: Receive = receive(Map.empty)
-  def receive(states: Map[String, (Boolean, Cancellable)]): Receive = {
+
+  def receive(states: Map[String, CheckState]): Receive = {
     case EntityAdded(name) =>
       logger.debug(s"An entity $name has been created")
-      context.system.scheduler.scheduleOnce(initialDelay(name), self, NeedCheck(name))(context.system.dispatcher)
+      context.system.scheduler.scheduleOnce(initialDelay(name), self, NeedCheck(name))
       ()
-    case NeedCheck(name) if !states.contains(name) => // initial check
-      logger.debug(s"Initial integrity check of $name")
-      check(name)
-      val timer = context.system.scheduler.scheduleAtFixedRate(Duration.Zero, interval(name), self, Check(name))(context.system.dispatcher)
-      context.become(receive(states + (name -> (false -> timer))))
     case NeedCheck(name) =>
-      if (!states(name)._1) {
-        val timer = states(name)._2
-        context.become(receive(states + (name -> (true -> timer))))
+      states.get(name).foreach { state =>
+        if (state.duplicateTimer.isEmpty) {
+          val timer = context.system.scheduler.scheduleWithFixedDelay(Duration.Zero, interval(name), self, DuplicationCheck(name))
+          context.become(receive(states + (name -> state.copy(needCheck = true, duplicateTimer = Some(timer)))))
+        } else if (!state.needCheck)
+          context.become(receive(states + (name -> state.copy(needCheck = true))))
+      }
+    case DuplicationCheck(name) =>
+      states.get(name).foreach { state =>
+        if (state.needCheck) {
+          Future {
+            logger.debug(s"Duplication check of $name")
+            val startDate = System.currentTimeMillis()
+            val result    = integrityCheckMap.get(name).fold(Map("checkNotFound" -> 1L))(_.duplicationCheck())
+            val duration  = System.currentTimeMillis() - startDate
+            self ! DuplicationCheckResult(name, result + ("duration" -> duration))
+          }(checkExecutionContext)
+          context.become(receive(states + (name -> state.copy(needCheck = false))))
+        } else {
+          state.duplicateTimer.foreach(_.cancel())
+          context.become(receive(states + (name -> state.copy(duplicateTimer = None))))
+        }
+      }
+    case DuplicationCheckResult(name, stats) =>
+      states.get(name).foreach { state =>
+        context.become(receive(states + (name -> state.copy(duplicateStats = state.duplicateStats + stats))))
       }
-    case Check(name) if states.get(name).fold(false)(_._1) => // stats.needCheck == true
-      logger.debug(s"Integrity check of $name")
-      check(name)
-      val timer = states(name)._2
-      context.become(receive(states + (name -> (false -> timer))))
-    case Check(name) =>
-      logger.debug(s"Pause integrity checks of $name, wait new add")
-      states(name)._2.cancel()
-      context.become(receive(states - name))
+
+    case GlobalCheckRequest(name) =>
+      states.get(name).foreach { state =>
+        val now                   = System.currentTimeMillis()
+        val lastRequestIsObsolete = state.globalStats.lastDate >= state.globalCheckRequestTime
+        val checkIsRunning        = state.globalStats.lastDate + globalInterval(name).toMillis > now
+        if (lastRequestIsObsolete && !checkIsRunning) {
+          Future {
+            logger.debug(s"Global check of $name")
+            val startDate = System.currentTimeMillis()
+            val result    = integrityCheckMap.get(name).fold(Map("checkNotFound" -> 1L))(_.globalCheck())
+            val duration  = System.currentTimeMillis() - startDate
+            self ! GlobalCheckResult(name, result + ("duration" -> duration))
+          }(checkExecutionContext)
+          context.become(receive(states = states + (name -> state.copy(globalCheckRequestTime = now))))
+        }
+      }
+    case GlobalCheckResult(name, stats) =>
+      states.get(name).foreach { state =>
+        context.become(receive(states + (name -> state.copy(globalStats = state.globalStats + stats))))
+      }
+
+    case GetCheckStats(name) =>
+      sender() ! states.getOrElse(name, CheckStats(Map("checkNotFound" -> 1L), Map("checkNotFound" -> 1L), 0L))
   }
 }
 
diff --git a/thehive/app/org/thp/thehive/services/IntegrityCheckSerializer.scala b/thehive/app/org/thp/thehive/services/IntegrityCheckSerializer.scala
index 4ab8dc9650..1e9cfb7114 100644
--- a/thehive/app/org/thp/thehive/services/IntegrityCheckSerializer.scala
+++ b/thehive/app/org/thp/thehive/services/IntegrityCheckSerializer.scala
@@ -11,17 +11,17 @@ class IntegrityCheckSerializer extends Serializer {
 
   override def toBinary(o: AnyRef): Array[Byte] =
     o match {
-      case EntityAdded(name) => 0.toByte +: name.getBytes
-      case NeedCheck(name)   => 1.toByte +: name.getBytes
-      case Check(name)       => 2.toByte +: name.getBytes
-      case _                 => throw new NotSerializableException
+      case EntityAdded(name)      => 0.toByte +: name.getBytes
+      case NeedCheck(name)        => 1.toByte +: name.getBytes
+      case DuplicationCheck(name) => 2.toByte +: name.getBytes
+      case _                      => throw new NotSerializableException
     }
 
   override def fromBinary(bytes: Array[Byte], manifest: Option[Class[_]]): AnyRef =
     bytes(0) match {
       case 0 => EntityAdded(new String(bytes.tail))
       case 1 => NeedCheck(new String(bytes.tail))
-      case 2 => Check(new String(bytes.tail))
+      case 2 => DuplicationCheck(new String(bytes.tail))
       case _ => throw new NotSerializableException
     }
 }
diff --git a/thehive/app/org/thp/thehive/services/KeyValueSrv.scala b/thehive/app/org/thp/thehive/services/KeyValueSrv.scala
index 4f88fb5a05..7390eea8ac 100644
--- a/thehive/app/org/thp/thehive/services/KeyValueSrv.scala
+++ b/thehive/app/org/thp/thehive/services/KeyValueSrv.scala
@@ -1,15 +1,15 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.services.VertexSrv
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.KeyValue
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
-class KeyValueSrv @Inject() ()(implicit @Named("with-thehive-schema") db: Database) extends VertexSrv[KeyValue] {
+class KeyValueSrv @Inject() () extends VertexSrv[KeyValue] {
   def create(e: KeyValue)(implicit graph: Graph, authContext: AuthContext): Try[KeyValue with Entity] = createEntity(e)
 }
diff --git a/thehive/app/org/thp/thehive/services/LocalKeyAuthSrv.scala b/thehive/app/org/thp/thehive/services/LocalKeyAuthSrv.scala
index ca3c63febd..9887005101 100644
--- a/thehive/app/org/thp/thehive/services/LocalKeyAuthSrv.scala
+++ b/thehive/app/org/thp/thehive/services/LocalKeyAuthSrv.scala
@@ -1,8 +1,5 @@
 package org.thp.thehive.services
 
-import java.util.Base64
-
-import javax.inject.{Inject, Named, Provider, Singleton}
 import org.thp.scalligraph.auth._
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -11,11 +8,13 @@ import org.thp.thehive.services.UserOps._
 import play.api.Configuration
 import play.api.mvc.RequestHeader
 
+import java.util.Base64
+import javax.inject.{Inject, Provider, Singleton}
 import scala.concurrent.ExecutionContext
 import scala.util.{Failure, Random, Success, Try}
 
 class LocalKeyAuthSrv(
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     userSrv: UserSrv,
     localUserSrv: LocalUserSrv,
     authSrv: AuthSrv,
@@ -69,7 +68,7 @@ class LocalKeyAuthSrv(
 
 @Singleton
 class LocalKeyAuthProvider @Inject() (
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     userSrv: UserSrv,
     localUserSrv: LocalUserSrv,
     authSrvProvider: Provider[AuthSrv],
diff --git a/thehive/app/org/thp/thehive/services/LocalPasswordAuthSrv.scala b/thehive/app/org/thp/thehive/services/LocalPasswordAuthSrv.scala
index adaec1a90b..2c24ce5a86 100644
--- a/thehive/app/org/thp/thehive/services/LocalPasswordAuthSrv.scala
+++ b/thehive/app/org/thp/thehive/services/LocalPasswordAuthSrv.scala
@@ -1,7 +1,6 @@
 package org.thp.thehive.services
 
 import io.github.nremond.SecureHash
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.auth.{AuthCapability, AuthContext, AuthSrv, AuthSrvProvider}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -11,6 +10,7 @@ import org.thp.thehive.models.User
 import play.api.mvc.RequestHeader
 import play.api.{Configuration, Logger}
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 object LocalPasswordAuthSrv {
@@ -19,7 +19,7 @@ object LocalPasswordAuthSrv {
     SecureHash.createHash(password)
 }
 
-class LocalPasswordAuthSrv(@Named("with-thehive-schema") db: Database, userSrv: UserSrv, localUserSrv: LocalUserSrv) extends AuthSrv {
+class LocalPasswordAuthSrv(db: Database, userSrv: UserSrv, localUserSrv: LocalUserSrv) extends AuthSrv {
   val name                                             = "local"
   override val capabilities: Set[AuthCapability.Value] = Set(AuthCapability.changePassword, AuthCapability.setPassword)
   lazy val logger: Logger                              = Logger(getClass)
@@ -68,8 +68,7 @@ class LocalPasswordAuthSrv(@Named("with-thehive-schema") db: Database, userSrv:
 }
 
 @Singleton
-class LocalPasswordAuthProvider @Inject() (@Named("with-thehive-schema") db: Database, userSrv: UserSrv, localUserSrv: LocalUserSrv)
-    extends AuthSrvProvider {
+class LocalPasswordAuthProvider @Inject() (db: Database, userSrv: UserSrv, localUserSrv: LocalUserSrv) extends AuthSrvProvider {
   override val name: String                               = "local"
   override def apply(config: Configuration): Try[AuthSrv] = Success(new LocalPasswordAuthSrv(db, userSrv, localUserSrv))
 }
diff --git a/thehive/app/org/thp/thehive/services/LocalUserSrv.scala b/thehive/app/org/thp/thehive/services/LocalUserSrv.scala
index 356879d506..d5d37ed194 100644
--- a/thehive/app/org/thp/thehive/services/LocalUserSrv.scala
+++ b/thehive/app/org/thp/thehive/services/LocalUserSrv.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.auth.{AuthContext, AuthContextImpl, User => ScalligraphUser, UserSrv => ScalligraphUserSrv}
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -12,11 +11,12 @@ import play.api.Configuration
 import play.api.libs.json.JsObject
 import play.api.mvc.RequestHeader
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
 class LocalUserSrv @Inject() (
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     userSrv: UserSrv,
     organisationSrv: OrganisationSrv,
     profileSrv: ProfileSrv,
diff --git a/thehive/app/org/thp/thehive/services/LogSrv.scala b/thehive/app/org/thp/thehive/services/LogSrv.scala
index 801f2c82a0..3ffe236605 100644
--- a/thehive/app/org/thp/thehive/services/LogSrv.scala
+++ b/thehive/app/org/thp/thehive/services/LogSrv.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.services
 
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.controllers.FFile
@@ -8,7 +7,7 @@ import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.LogOps._
@@ -16,35 +15,30 @@ import org.thp.thehive.services.TaskOps._
 import play.api.libs.json.JsObject
 
 import java.util
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
-class LogSrv @Inject() (attachmentSrv: AttachmentSrv, auditSrv: AuditSrv, taskSrv: TaskSrv, userSrv: UserSrv)(implicit
-    @Named("with-thehive-schema") db: Database
-) extends VertexSrv[Log] {
+class LogSrv @Inject() (attachmentSrv: AttachmentSrv, auditSrv: AuditSrv, taskSrv: TaskSrv) extends VertexSrv[Log] {
   val taskLogSrv       = new EdgeSrv[TaskLog, Task, Log]
   val logAttachmentSrv = new EdgeSrv[LogAttachment, Log, Attachment]
 
   def create(log: Log, task: Task with Entity, file: Option[FFile])(implicit graph: Graph, authContext: AuthContext): Try[RichLog] =
     for {
-      createdLog <- createEntity(log)
+      createdLog <- createEntity(log.copy(taskId = task._id, organisationIds = task.organisationIds))
       _          <- taskLogSrv.create(TaskLog(), task, createdLog)
-      user       <- userSrv.current.getOrFail("User") // user is used only if task status is waiting but the code is cleaner
-      _          <- if (task.status == TaskStatus.Waiting) taskSrv.updateStatus(task, user, TaskStatus.InProgress) else Success(())
+      _          <- if (task.status == TaskStatus.Waiting) taskSrv.updateStatus(task, TaskStatus.InProgress) else Success(())
       attachment <- file.map(attachmentSrv.create).flip
       _          <- attachment.map(logAttachmentSrv.create(LogAttachment(), createdLog, _)).flip
       richLog = RichLog(createdLog, Nil)
       _ <- auditSrv.log.create(createdLog, task, richLog.toJson)
     } yield richLog
 
-  def cascadeRemove(log: Log with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-    for {
-      _    <- get(log).attachments.toIterator.toTry(attachmentSrv.cascadeRemove(_))
-      task <- get(log).task.getOrFail("Task")
-      _ = get(log).remove()
-      _ <- auditSrv.log.delete(log, Some(task))
-    } yield ()
+  override def delete(log: Log with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    get(log).attachments.toSeq.toTry(attachmentSrv.delete(_)).map { _ =>
+      get(log).task.headOption.foreach(task => auditSrv.log.delete(log, task))
+      get(log).remove()
+    }
 
   override def update(
       traversal: Traversal.V[Log],
@@ -64,10 +58,13 @@ object LogOps {
     def task: Traversal.V[Task] = traversal.in("TaskLog").v[Task]
 
     def get(idOrName: EntityIdOrName): Traversal.V[Log] =
-      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+      idOrName.fold(traversal.getByIds(_), _ => traversal.empty)
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Log] =
-      traversal.filter(_.task.visible)
+    def organisations: Traversal.V[Organisation] =
+      task.organisations
+
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Log] =
+      traversal.has(_.organisationIds, organisationSrv.currentId(traversal.graph, authContext))
 
     def attachments: Traversal.V[Attachment] = traversal.out[LogAttachment].v[Attachment]
 
@@ -77,7 +74,7 @@ object LogOps {
       if (authContext.permissions.contains(permission))
         traversal.filter(_.task.can(permission))
       else
-        traversal.limit(0)
+        traversal.empty
 
     def richLog: Traversal[RichLog, util.Map[String, Any], Converter[RichLog, util.Map[String, Any]]] =
       traversal
@@ -111,3 +108,63 @@ object LogOps {
         }
   }
 }
+
+class LogIntegrityCheckOps @Inject() (val db: Database, val service: LogSrv, taskSrv: TaskSrv) extends IntegrityCheckOps[Log] {
+  override def resolve(entities: Seq[Log with Entity])(implicit graph: Graph): Try[Unit] = Success(())
+
+  override def globalCheck(): Map[String, Long] = {
+    implicit val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
+
+    db.tryTransaction { implicit graph =>
+      Try {
+        service
+          .startTraversal
+          .project(_.by.by(_.task.fold))
+          .toIterator
+          .flatMap {
+            case (log, tasks) =>
+              val (extraLinks, extraTasks) = tasks.partition(_._id == log.taskId)
+              if (extraLinks.nonEmpty)
+                (if (extraLinks.length == 1) Nil
+                 else {
+                   service.get(log).inE[TaskLog].flatMap(_.range(1, 100)).remove()
+                   Seq("extraTaskLink")
+                 }) ++
+                  (if (extraTasks.isEmpty) Nil
+                   else {
+                     service.get(log).inE[TaskLog].filterNot(_.outV.hasId(log.taskId)).remove()
+                     Seq("extraTask")
+                   }) ++
+                  (if (log.organisationIds != extraLinks.head.organisationIds) {
+                     service.get(log).update(_.organisationIds, extraLinks.head.organisationIds).iterate()
+                     Seq("invalidOrganisationIds")
+                   } else Nil)
+              else if (extraTasks.nonEmpty)
+                if (extraTasks.size == 1) {
+                  service.get(log).update(_.taskId, extraTasks.head._id).update(_.organisationIds, extraTasks.head.organisationIds).iterate()
+                  Seq("invalidTaskId")
+                } else {
+                  service.get(log).remove()
+                  Seq("incoherent")
+                }
+              else {
+                taskSrv.getOrFail(log.taskId) match {
+                  case Success(task) =>
+                    service
+                      .taskLogSrv
+                      .create(TaskLog(), task, log)
+                    service.get(log).update(_.organisationIds, task.organisationIds).iterate()
+                    Seq("taskMissing")
+                  case _ => Seq("nonExistentTask")
+                }
+                service.get(log).remove()
+                Seq("incoherent")
+              }
+          }
+          .toSeq
+      }
+    }.getOrElse(Seq("globalFailure"))
+      .groupBy(identity)
+      .mapValues(_.size.toLong)
+  }
+}
diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
index e63e74016b..cbea7a27e1 100644
--- a/thehive/app/org/thp/thehive/services/ObservableSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
@@ -1,113 +1,112 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-
-import javax.inject.{Inject, Named, Provider, Singleton}
-import org.apache.tinkerpop.gremlin.process.traversal.{P => JP}
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.process.traversal.P
+import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.controllers.FFile
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
+import org.thp.scalligraph.traversal.Converter.Identity
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, StepLabel, Traversal}
 import org.thp.scalligraph.utils.Hash
-import org.thp.scalligraph.{EntityIdOrName, RichSeq}
+import org.thp.scalligraph.{BadRequestError, CreateError, EntityId, EntityIdOrName, EntityName, RichSeq}
 import org.thp.thehive.models._
 import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
-import play.api.libs.json.JsObject
+import play.api.libs.json.{JsObject, Json}
 
-import scala.util.Try
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Provider, Singleton}
+import scala.util.{Failure, Success, Try}
 
 @Singleton
 class ObservableSrv @Inject() (
-    keyValueSrv: KeyValueSrv,
     dataSrv: DataSrv,
+    observableTypeSrv: ObservableTypeSrv,
     attachmentSrv: AttachmentSrv,
     tagSrv: TagSrv,
-    caseSrvProvider: Provider[CaseSrv],
     auditSrv: AuditSrv,
+    shareSrvProvider: Provider[ShareSrv],
+    caseSrvProvider: Provider[CaseSrv],
+    organisationSrv: OrganisationSrv,
     alertSrvProvider: Provider[AlertSrv]
-)(implicit
-    @Named("with-thehive-schema") db: Database
 ) extends VertexSrv[Observable] {
+  lazy val shareSrv: ShareSrv  = shareSrvProvider.get
   lazy val caseSrv: CaseSrv    = caseSrvProvider.get
   lazy val alertSrv: AlertSrv  = alertSrvProvider.get
-  val observableKeyValueSrv    = new EdgeSrv[ObservableKeyValue, Observable, KeyValue]
   val observableDataSrv        = new EdgeSrv[ObservableData, Observable, Data]
   val observableObservableType = new EdgeSrv[ObservableObservableType, Observable, ObservableType]
   val observableAttachmentSrv  = new EdgeSrv[ObservableAttachment, Observable, Attachment]
   val observableTagSrv         = new EdgeSrv[ObservableTag, Observable, Tag]
 
-  def create(observable: Observable, `type`: ObservableType with Entity, file: FFile, tagNames: Set[String], extensions: Seq[KeyValue])(implicit
+  def create(observable: Observable, file: FFile)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[RichObservable] =
     attachmentSrv.create(file).flatMap { attachment =>
-      create(observable, `type`, attachment, tagNames, extensions)
+      create(observable, attachment)
     }
 
   def create(
       observable: Observable,
-      `type`: ObservableType with Entity,
-      attachment: Attachment with Entity,
-      tagNames: Set[String],
-      extensions: Seq[KeyValue]
+      attachment: Attachment with Entity
   )(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[RichObservable] =
-    tagNames.toTry(tagSrv.getOrCreate).flatMap(tags => create(observable, `type`, attachment, tags, extensions))
-
-  def create(
-      observable: Observable,
-      `type`: ObservableType with Entity,
-      attachment: Attachment with Entity,
-      tags: Seq[Tag with Entity],
-      extensions: Seq[KeyValue]
-  )(implicit
-      graph: Graph,
-      authContext: AuthContext
-  ): Try[RichObservable] =
-    for {
-      createdObservable <- createEntity(observable)
-      _                 <- observableObservableType.create(ObservableObservableType(), createdObservable, `type`)
-      _                 <- observableAttachmentSrv.create(ObservableAttachment(), createdObservable, attachment)
-      _                 <- tags.toTry(observableTagSrv.create(ObservableTag(), createdObservable, _))
-      ext               <- addExtensions(createdObservable, extensions)
-    } yield RichObservable(createdObservable, `type`, None, Some(attachment), tags, None, ext, Nil)
-
-  def create(observable: Observable, `type`: ObservableType with Entity, dataValue: String, tagNames: Set[String], extensions: Seq[KeyValue])(implicit
-      graph: Graph,
-      authContext: AuthContext
-  ): Try[RichObservable] =
-    for {
-      tags           <- tagNames.toTry(tagSrv.getOrCreate)
-      data           <- dataSrv.create(Data(dataValue))
-      richObservable <- create(observable, `type`, data, tags, extensions)
-    } yield richObservable
+  ): Try[RichObservable] = {
+    val alreadyExists = startTraversal
+      .has(_.organisationIds, organisationSrv.currentId)
+      .has(_.relatedId, observable.relatedId)
+      .has(_.dataType, observable.dataType)
+      .filterOnAttachmentId(attachment.attachmentId)
+      .exists
+    if (alreadyExists) Failure(CreateError("Observable already exists"))
+    else
+      for {
+        observableType <- observableTypeSrv.getOrFail(EntityName(observable.dataType))
+        _ <-
+          if (!observableType.isAttachment) Failure(BadRequestError("A text observable doesn't accept attachment"))
+          else Success(())
+        tags              <- observable.tags.toTry(tagSrv.getOrCreate)
+        createdObservable <- createEntity(observable.copy(data = None))
+        _                 <- observableObservableType.create(ObservableObservableType(), createdObservable, observableType)
+        _                 <- observableAttachmentSrv.create(ObservableAttachment(), createdObservable, attachment)
+        _                 <- tags.toTry(observableTagSrv.create(ObservableTag(), createdObservable, _))
+      } yield RichObservable(createdObservable, Some(attachment), None, Nil)
+  }
 
   def create(
       observable: Observable,
-      `type`: ObservableType with Entity,
-      data: Data with Entity,
-      tags: Seq[Tag with Entity],
-      extensions: Seq[KeyValue]
+      dataValue: String
   )(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[RichObservable] =
-    for {
-      createdObservable <- createEntity(observable)
-      _                 <- observableObservableType.create(ObservableObservableType(), createdObservable, `type`)
-      _                 <- observableDataSrv.create(ObservableData(), createdObservable, data)
-      _                 <- tags.toTry(observableTagSrv.create(ObservableTag(), createdObservable, _))
-      ext               <- addExtensions(createdObservable, extensions)
-    } yield RichObservable(createdObservable, `type`, Some(data), None, tags, None, ext, Nil)
+  ): Try[RichObservable] = {
+    val alreadyExists = startTraversal
+      .has(_.organisationIds, organisationSrv.currentId)
+      .has(_.relatedId, observable.relatedId)
+      .has(_.data, dataValue)
+      .has(_.dataType, observable.dataType)
+      .exists
+    if (alreadyExists) Failure(CreateError("Observable already exists"))
+    else
+      for {
+        observableType <- observableTypeSrv.getOrFail(EntityName(observable.dataType))
+        _ <-
+          if (observableType.isAttachment) Failure(BadRequestError("A attachment observable doesn't accept string value"))
+          else Success(())
+        tags              <- observable.tags.toTry(tagSrv.getOrCreate)
+        data              <- dataSrv.create(Data(dataValue))
+        createdObservable <- createEntity(observable.copy(data = Some(dataValue)))
+        _                 <- observableObservableType.create(ObservableObservableType(), createdObservable, observableType)
+        _                 <- observableDataSrv.create(ObservableData(), createdObservable, data)
+        _                 <- tags.toTry(observableTagSrv.create(ObservableTag(), createdObservable, _))
+      } yield RichObservable(createdObservable, None, None, Nil)
+  }
 
   def addTags(observable: Observable with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Seq[Tag with Entity]] = {
     val currentTags = get(observable)
@@ -122,60 +121,43 @@ class ObservableSrv @Inject() (
     } yield createdTags
   }
 
-  private def addExtensions(observable: Observable with Entity, extensions: Seq[KeyValue])(implicit
+  def updateTags(observable: Observable with Entity, tags: Set[String])(implicit
       graph: Graph,
       authContext: AuthContext
-  ): Try[Seq[KeyValue with Entity]] =
-    for {
-      keyValues <- extensions.toTry(keyValueSrv.create)
-      _         <- keyValues.toTry(kv => observableKeyValueSrv.create(ObservableKeyValue(), observable, kv))
-    } yield keyValues
-
-  def updateTagNames(observable: Observable with Entity, tags: Set[String])(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-    tags.toTry(tagSrv.getOrCreate).flatMap(t => updateTags(observable, t.toSet))
-
-  def updateTags(observable: Observable with Entity, tags: Set[Tag with Entity])(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    val (tagsToAdd, tagsToRemove) = get(observable)
-      .tags
-      .toIterator
-      .foldLeft((tags, Set.empty[Tag with Entity])) {
-        case ((toAdd, toRemove), t) if toAdd.contains(t) => (toAdd - t, toRemove)
-        case ((toAdd, toRemove), t)                      => (toAdd, toRemove + t)
-      }
+  ): Try[(Seq[Tag with Entity], Seq[Tag with Entity])] =
     for {
+      tagsToAdd <- (tags -- observable.tags).toTry(tagSrv.getOrCreate)
+      tagsToRemove = get(observable).tags.toSeq.filterNot(t => tags.contains(t.toString))
       _ <- tagsToAdd.toTry(observableTagSrv.create(ObservableTag(), observable, _))
-      _ = get(observable).removeTags(tagsToRemove)
-      //      _ <- auditSrv.observable.update(observable, Json.obj("tags" -> tags)) TODO add context (case or alert ?)
-    } yield ()
-  }
+      _ = if (tags.nonEmpty) get(observable).outE[ObservableTag].filter(_.otherV.hasId(tagsToRemove.map(_._id): _*)).remove()
+      _ <- get(observable).update(_.tags, tags.toSeq).getOrFail("Observable")
+      _ <- auditSrv.observable.update(observable, Json.obj("tags" -> tags))
+    } yield (tagsToAdd, tagsToRemove)
 
-  def duplicate(richObservable: RichObservable)(implicit
-      graph: Graph,
-      authContext: AuthContext
-  ): Try[RichObservable] =
-    for {
-      createdObservable <- createEntity(richObservable.observable)
-      _                 <- observableObservableType.create(ObservableObservableType(), createdObservable, richObservable.`type`)
-      _                 <- richObservable.data.map(data => observableDataSrv.create(ObservableData(), createdObservable, data)).flip
-      _                 <- richObservable.attachment.map(attachment => observableAttachmentSrv.create(ObservableAttachment(), createdObservable, attachment)).flip
-      _                 <- richObservable.tags.toTry(tag => observableTagSrv.create(ObservableTag(), createdObservable, tag))
-      // TODO copy or link key value ?
-    } yield richObservable.copy(observable = createdObservable)
-
-  def remove(observable: Observable with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+  override def delete(observable: Observable with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     get(observable).alert.headOption match {
       case None =>
-        get(observable)
-          .shares
-          .toIterator
-          .toTry { share =>
-            auditSrv
-              .observable
-              .delete(observable, share)
+        get(observable).share.getOrFail("Share").flatMap {
+          case share if share.owner =>
+            get(observable)
+              .shares
+              .toIterator
+              .toTry { share =>
+                auditSrv
+                  .observable
+                  .delete(observable, share)
+              }
               .map(_ => get(observable).remove())
-          }
-          .map(_ => ())
-      case Some(alert) => alertSrv.removeObservable(alert, observable)
+          case share =>
+            for {
+              organisation <- organisationSrv.current.getOrFail("Organisation")
+              _            <- shareSrv.unshareObservable(observable, organisation)
+              _            <- auditSrv.observable.delete(observable, share)
+            } yield ()
+        }
+      case Some(alert) =>
+        get(observable).remove()
+        auditSrv.observableInAlert.delete(observable, alert)
     }
 
   override def update(
@@ -195,13 +177,13 @@ object ObservableOps {
 
   implicit class ObservableOpsDefs(traversal: Traversal.V[Observable]) {
     def get(idOrName: EntityIdOrName): Traversal.V[Observable] =
-      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+      idOrName.fold(traversal.getByIds(_), _ => traversal.empty)
 
     def filterOnType(`type`: String): Traversal.V[Observable] =
-      traversal.filter(_.observableType.has(_.name, `type`))
+      traversal.has(_.dataType, `type`)
 
     def filterOnData(data: String): Traversal.V[Observable] =
-      traversal.filter(_.data.has(_.data, data))
+      traversal.has(_.data, data)
 
     def filterOnAttachmentName(name: String): Traversal.V[Observable] =
       traversal.filter(_.attachments.has(_.name, name))
@@ -218,21 +200,27 @@ object ObservableOps {
     def filterOnAttachmentId(attachmentId: String): Traversal.V[Observable] =
       traversal.filter(_.attachments.has(_.attachmentId, attachmentId))
 
+    def relatedTo(caseId: EntityId): Traversal.V[Observable] =
+      traversal.has(_.relatedId, caseId)
+
+    def inOrganisation(organisationId: EntityId): Traversal.V[Observable] =
+      traversal.has(_.organisationIds, organisationId)
+
     def isIoc: Traversal.V[Observable] =
       traversal.has(_.ioc, true)
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Observable] =
-      traversal.filter(_.organisations.get(authContext.organisation))
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Observable] =
+      traversal.has(_.organisationIds, organisationSrv.currentId(traversal.graph, authContext))
 
     def can(permission: Permission)(implicit authContext: AuthContext): Traversal.V[Observable] =
       if (authContext.permissions.contains(permission))
         traversal.filter(_.shares.filter(_.filter(_.profile.has(_.permissions, permission))).organisation.current)
       else
-        traversal.limit(0)
+        traversal.empty
 
-    def canManage(implicit authContext: AuthContext): Traversal.V[Observable] =
+    def canManage(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Observable] =
       if (authContext.isPermitted(Permissions.manageAlert))
-        traversal.filter(_.or(_.alert.visible, _.can(Permissions.manageObservable)))
+        traversal.filter(_.or(_.alert.visible(organisationSrv), _.can(Permissions.manageObservable)))
       else
         can(Permissions.manageObservable)
 
@@ -247,84 +235,64 @@ object ObservableOps {
 
     def origin: Traversal.V[Organisation] = shares.has(_.owner, true).organisation
 
+    def isShared: Traversal[Boolean, Boolean, Identity[Boolean]] =
+      traversal.choose(_.inE[ShareObservable].count.is(P.gt(1)), true, false)
+
     def richObservable: Traversal[RichObservable, JMap[String, Any], Converter[RichObservable, JMap[String, Any]]] =
       traversal
         .project(
           _.by
-            .by(_.observableType.fold)
-            .by(_.data.fold)
             .by(_.attachments.fold)
-            .by(_.tags.fold)
-            .by(_.keyValues.fold)
             .by(_.reportTags.fold)
         )
         .domainMap {
-          case (observable, tpe, data, attachment, tags, extensions, reportTags) =>
+          case (observable, attachment, reportTags) =>
             RichObservable(
               observable,
-              tpe.head,
-              data.headOption,
               attachment.headOption,
-              tags,
               None,
-              extensions,
               reportTags
             )
         }
 
-    def richObservableWithSeen(implicit
+    def richObservableWithSeen(organisationSrv: OrganisationSrv)(implicit
         authContext: AuthContext
     ): Traversal[RichObservable, JMap[String, Any], Converter[RichObservable, JMap[String, Any]]] =
       traversal
         .project(
           _.by
-            .by(_.observableType.fold)
-            .by(_.data.fold)
             .by(_.attachments.fold)
-            .by(_.tags.fold)
-            .by(_.filteredSimilar.visible.limit(1).count)
-            .by(_.keyValues.fold)
+            .by(_.filteredSimilar.visible(organisationSrv).limit(1).count)
             .by(_.reportTags.fold)
         )
         .domainMap {
-          case (observable, tpe, data, attachment, tags, count, extensions, reportTags) =>
+          case (observable, attachment, count, reportTags) =>
             RichObservable(
               observable,
-              tpe.head,
-              data.headOption,
               attachment.headOption,
-              tags,
               Some(count != 0),
-              extensions,
               reportTags
             )
         }
 
     def richObservableWithCustomRenderer[D, G, C <: Converter[D, G]](
+        organisationSrv: OrganisationSrv,
         entityRenderer: Traversal.V[Observable] => Traversal[D, G, C]
     )(implicit authContext: AuthContext): Traversal[(RichObservable, D), JMap[String, Any], Converter[(RichObservable, D), JMap[String, Any]]] =
       traversal
         .project(
           _.by
-            .by(_.observableType.fold)
-            .by(_.data.fold)
             .by(_.attachments.fold)
-            .by(_.tags.fold)
-            .by(_.filteredSimilar.visible.limit(1).count)
-            .by(_.keyValues.fold)
+            .by(_.filteredSimilar.visible(organisationSrv).limit(1).count)
             .by(_.reportTags.fold)
             .by(entityRenderer)
         )
         .domainMap {
-          case (observable, tpe, data, attachment, tags, count, extensions, reportTags, renderedEntity) =>
+          case (observable, attachment, count, reportTags, renderedEntity) =>
             RichObservable(
               observable,
-              tpe.head,
-              data.headOption,
               attachment.headOption,
-              tags,
               Some(count != 0),
-              extensions,
               reportTags
             ) -> renderedEntity
         }
@@ -357,7 +325,7 @@ object ObservableOps {
           _.out[ObservableAttachment]
             .in[ObservableAttachment] // FIXME this doesn't work. Link must be done with attachmentId
         )
-        .where(JP.without(originLabel.name))
+        .where(P.without(originLabel.name))
         .dedup
         .v[Observable]
     }
@@ -380,3 +348,19 @@ object ObservableOps {
       shares.filter(_.byOrganisation(organisationName))
   }
 }
+
+class ObservableIntegrityCheckOps @Inject() (val db: Database, val service: ObservableSrv) extends IntegrityCheckOps[Observable] {
+  override def resolve(entities: Seq[Observable with Entity])(implicit graph: Graph): Try[Unit] = Success(())
+
+  override def globalCheck(): Map[String, Long] =
+    db.tryTransaction { implicit graph =>
+      Try {
+        val orphanIds = service.startTraversal.filterNot(_.or(_.shares, _.alert, _.in("ReportObservable")))._id.toSeq
+        if (orphanIds.nonEmpty) {
+          logger.warn(s"Found ${orphanIds.length} observables orphan(s) (${orphanIds.mkString(",")})")
+          service.getByIds(orphanIds: _*).remove()
+        }
+        Map("orphans" -> orphanIds.size.toLong)
+      }
+    }.getOrElse(Map("globalFailure" -> 1L))
+}
diff --git a/thehive/app/org/thp/thehive/services/ObservableTypeSrv.scala b/thehive/app/org/thp/thehive/services/ObservableTypeSrv.scala
index 1a3c2fff26..6c9b255329 100644
--- a/thehive/app/org/thp/thehive/services/ObservableTypeSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ObservableTypeSrv.scala
@@ -1,23 +1,20 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services._
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.{BadRequestError, CreateError, EntityIdOrName}
 import org.thp.thehive.models._
 import org.thp.thehive.services.ObservableTypeOps._
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
-class ObservableTypeSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef)(implicit
-    @Named("with-thehive-schema") db: Database
-) extends VertexSrv[ObservableType] {
+class ObservableTypeSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef) extends VertexSrv[ObservableType] {
 
   val observableObservableTypeSrv = new EdgeSrv[ObservableObservableType, Observable, ObservableType]
 
@@ -56,8 +53,7 @@ object ObservableTypeOps {
   }
 }
 
-class ObservableTypeIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: ObservableTypeSrv)
-    extends IntegrityCheckOps[ObservableType] {
+class ObservableTypeIntegrityCheckOps @Inject() (val db: Database, val service: ObservableTypeSrv) extends IntegrityCheckOps[ObservableType] {
   override def resolve(entities: Seq[ObservableType with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -66,4 +62,6 @@ class ObservableTypeIntegrityCheckOps @Inject() (@Named("with-thehive-schema") v
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/OrganisationSrv.scala b/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
index bc8221e55c..0086d8d29a 100644
--- a/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
+++ b/thehive/app/org/thp/thehive/services/OrganisationSrv.scala
@@ -1,39 +1,39 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
 import org.thp.scalligraph.{BadRequestError, EntityId, EntityIdOrName, RichSeq}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.RoleOps._
 import org.thp.thehive.services.UserOps._
+import play.api.cache.SyncCacheApi
 import play.api.libs.json.JsObject
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Named, Provider, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
 class OrganisationSrv @Inject() (
+    taxonomySrvProvider: Provider[TaxonomySrv],
     roleSrv: RoleSrv,
     profileSrv: ProfileSrv,
     auditSrv: AuditSrv,
     userSrv: UserSrv,
-    @Named("integrity-check-actor") integrityCheckActor: ActorRef
-)(implicit
-    @Named("with-thehive-schema") db: Database
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef,
+    cache: SyncCacheApi
 ) extends VertexSrv[Organisation] {
-
-  val organisationOrganisationSrv = new EdgeSrv[OrganisationOrganisation, Organisation, Organisation]
-  val organisationShareSrv        = new EdgeSrv[OrganisationShare, Organisation, Share]
+  lazy val taxonomySrv: TaxonomySrv = taxonomySrvProvider.get
+  val organisationOrganisationSrv   = new EdgeSrv[OrganisationOrganisation, Organisation, Organisation]
+  val organisationShareSrv          = new EdgeSrv[OrganisationShare, Organisation, Share]
+  val organisationTaxonomySrv       = new EdgeSrv[OrganisationTaxonomy, Organisation, Taxonomy]
 
   override def createEntity(e: Organisation)(implicit graph: Graph, authContext: AuthContext): Try[Organisation with Entity] = {
     integrityCheckActor ! EntityAdded("Organisation")
@@ -48,14 +48,24 @@ class OrganisationSrv @Inject() (
       _                   <- roleSrv.create(user, createdOrganisation, profileSrv.orgAdmin)
     } yield createdOrganisation
 
-  def create(e: Organisation)(implicit graph: Graph, authContext: AuthContext): Try[Organisation with Entity] =
+  def create(e: Organisation)(implicit graph: Graph, authContext: AuthContext): Try[Organisation with Entity] = {
+    val activeTaxos = getByName("admin").taxonomies.toSeq
     for {
-      createdOrganisation <- createEntity(e)
-      _                   <- auditSrv.organisation.create(createdOrganisation, createdOrganisation.toJson)
-    } yield createdOrganisation
+      newOrga <- createEntity(e)
+      _       <- taxonomySrv.createFreetagTaxonomy(newOrga)
+      _       <- activeTaxos.toTry(t => organisationTaxonomySrv.create(OrganisationTaxonomy(), newOrga, t))
+      _       <- auditSrv.organisation.create(newOrga, newOrga.toJson)
+    } yield newOrga
+  }
 
   def current(implicit graph: Graph, authContext: AuthContext): Traversal.V[Organisation] = get(authContext.organisation)
 
+  def currentId(implicit graph: Graph, authContext: AuthContext): EntityId =
+    getId(authContext.organisation)
+
+  def getId(organisationIdOrName: EntityIdOrName)(implicit graph: Graph): EntityId =
+    organisationIdOrName.fold(identity, oid => cache.getOrElseUpdate(s"organisation-$oid")(getByName(oid)._id.getOrFail("Organisation").get))
+
   def visibleOrganisation(implicit graph: Graph, authContext: AuthContext): Traversal.V[Organisation] =
     userSrv.current.organisations.visibleOrganisationsFrom
 
@@ -139,6 +149,8 @@ object OrganisationOps {
 
     def shares: Traversal.V[Share] = traversal.out[OrganisationShare].v[Share]
 
+    def taxonomies: Traversal.V[Taxonomy] = traversal.out[OrganisationTaxonomy].v[Taxonomy]
+
     def caseTemplates: Traversal.V[CaseTemplate] = traversal.in[CaseTemplateOrganisation].v[CaseTemplate]
 
     def users(requiredPermission: Permission): Traversal.V[User] =
@@ -176,6 +188,8 @@ object OrganisationOps {
             RichOrganisation(organisation, linkedOrganisations)
         }
 
+    def notAdmin: Traversal.V[Organisation] = traversal.hasNot(_.name, Organisation.administration.name)
+
     def isAdmin: Boolean = traversal.has(_.name, Organisation.administration.name).exists
 
     def users: Traversal.V[User] = traversal.in[RoleOrganisation].in[UserRole].v[User]
@@ -196,8 +210,7 @@ object OrganisationOps {
 
 }
 
-class OrganisationIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: OrganisationSrv)
-    extends IntegrityCheckOps[Organisation] {
+class OrganisationIntegrityCheckOps @Inject() (val db: Database, val service: OrganisationSrv) extends IntegrityCheckOps[Organisation] {
   override def resolve(entities: Seq[Organisation with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -206,4 +219,6 @@ class OrganisationIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/PageSrv.scala b/thehive/app/org/thp/thehive/services/PageSrv.scala
index 4e28fbe934..3d53fcba25 100644
--- a/thehive/app/org/thp/thehive/services/PageSrv.scala
+++ b/thehive/app/org/thp/thehive/services/PageSrv.scala
@@ -1,23 +1,21 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services.{EdgeSrv, VertexSrv}
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.thehive.models.{Organisation, OrganisationPage, Page}
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.PageOps._
 import play.api.libs.json.Json
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
-class PageSrv @Inject() (implicit @Named("with-thehive-schema") db: Database, organisationSrv: OrganisationSrv, auditSrv: AuditSrv)
-    extends VertexSrv[Page] {
+class PageSrv @Inject() (organisationSrv: OrganisationSrv, auditSrv: AuditSrv) extends VertexSrv[Page] {
 
   val organisationPageSrv = new EdgeSrv[OrganisationPage, Organisation, Page]
 
@@ -38,7 +36,7 @@ class PageSrv @Inject() (implicit @Named("with-thehive-schema") db: Database, or
       _       <- auditSrv.page.update(p, Json.obj("title" -> p.title))
     } yield p
 
-  def delete(page: Page with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+  override def delete(page: Page with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     organisationSrv.getOrFail(authContext.organisation).flatMap { organisation =>
       get(page).remove()
       auditSrv.page.delete(page, organisation)
diff --git a/thehive/app/org/thp/thehive/services/PatternSrv.scala b/thehive/app/org/thp/thehive/services/PatternSrv.scala
new file mode 100644
index 0000000000..8ba0e6bb16
--- /dev/null
+++ b/thehive/app/org/thp/thehive/services/PatternSrv.scala
@@ -0,0 +1,119 @@
+package org.thp.thehive.services
+
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.services._
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.utils.FunctionalCondition._
+import org.thp.thehive.models._
+import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.PatternOps._
+import org.thp.thehive.services.ProcedureOps._
+
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Singleton}
+import scala.util.{Success, Try}
+
+@Singleton
+class PatternSrv @Inject() (
+    auditSrv: AuditSrv,
+    caseSrv: CaseSrv,
+    organisationSrv: OrganisationSrv
+) extends VertexSrv[Pattern] {
+  val patternPatternSrv = new EdgeSrv[PatternPattern, Pattern, Pattern]
+
+  def cannotBeParent(child: Pattern with Entity, parent: Pattern with Entity)(implicit graph: Graph): Boolean =
+    child._id == parent._id || get(child).parent.getEntity(parent).exists
+
+  def setParent(child: Pattern with Entity, parent: Pattern with Entity)(implicit authContext: AuthContext, graph: Graph): Try[Unit] =
+    if (cannotBeParent(child, parent)) Success(())
+    else patternPatternSrv.create(PatternPattern(), parent, child).map(_ => ())
+
+  override def getByName(name: String)(implicit graph: Graph): Traversal.V[Pattern] =
+    Try(startTraversal.getByPatternId(name)).getOrElse(startTraversal.limit(0))
+
+  def getCasePatterns(caseId: String)(implicit authContext: AuthContext, graph: Graph): Try[Seq[RichPattern]] =
+    for {
+      caze <- caseSrv.get(EntityIdOrName(caseId)).visible(organisationSrv).getOrFail("Case")
+    } yield caseSrv.get(caze).procedure.pattern.richPattern.toSeq
+
+  def update(
+      pattern: Pattern with Entity,
+      input: Pattern
+  )(implicit graph: Graph): Try[Pattern with Entity] =
+    for {
+      updatedPattern <- get(pattern)
+        .when(pattern.patternId != input.patternId)(_.update(_.patternId, input.patternId))
+        .when(pattern.name != input.name)(_.update(_.name, input.name))
+        .when(pattern.description != input.description)(_.update(_.description, input.description))
+        .when(pattern.tactics != input.tactics)(_.update(_.tactics, input.tactics))
+        .when(pattern.url != input.url)(_.update(_.url, input.url))
+        .when(pattern.patternType != input.patternType)(_.update(_.patternType, input.patternType))
+        .when(pattern.capecId != input.capecId)(_.update(_.capecId, input.capecId))
+        .when(pattern.capecUrl != input.capecUrl)(_.update(_.capecUrl, input.capecUrl))
+        .when(pattern.revoked != input.revoked)(_.update(_.revoked, input.revoked))
+        .when(pattern.dataSources != input.dataSources)(_.update(_.dataSources, input.dataSources))
+        .when(pattern.defenseBypassed != input.defenseBypassed)(_.update(_.defenseBypassed, input.defenseBypassed))
+        .when(pattern.detection != input.detection)(_.update(_.detection, input.detection))
+        .when(pattern.permissionsRequired != input.permissionsRequired)(_.update(_.permissionsRequired, input.permissionsRequired))
+        .when(pattern.platforms != input.platforms)(_.update(_.platforms, input.platforms))
+        .when(pattern.remoteSupport != input.remoteSupport)(_.update(_.remoteSupport, input.remoteSupport))
+        .when(pattern.systemRequirements != input.systemRequirements)(_.update(_.systemRequirements, input.systemRequirements))
+        .when(pattern.revision != input.revision)(_.update(_.revision, input.revision))
+        .getOrFail("Pattern")
+    } yield updatedPattern
+
+  def remove(pattern: Pattern with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    for {
+      organisation <- organisationSrv.getOrFail(authContext.organisation)
+      _            <- auditSrv.pattern.delete(pattern, organisation)
+    } yield get(pattern).remove()
+
+}
+
+object PatternOps {
+  implicit class PatternOpsDefs(traversal: Traversal.V[Pattern]) {
+
+    def getByPatternId(patternId: String): Traversal.V[Pattern] = traversal.has(_.patternId, patternId)
+
+    def parent: Traversal.V[Pattern] =
+      traversal.in[PatternPattern].v[Pattern]
+
+    def children: Traversal.V[Pattern] =
+      traversal.out[PatternPattern].v[Pattern]
+
+    def procedure: Traversal.V[Procedure] =
+      traversal.in[ProcedurePattern].v[Procedure]
+
+    def alreadyImported(patternId: String): Boolean =
+      traversal.getByPatternId(patternId).exists
+
+    def richPattern: Traversal[RichPattern, JMap[String, Any], Converter[RichPattern, JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.in[PatternPattern].v[Pattern].fold)
+        )
+        .domainMap {
+          case (pattern, parent) =>
+            RichPattern(pattern, parent.headOption)
+        }
+
+    def richPatternWithCustomRenderer[D, G, C <: Converter[D, G]](
+        entityRenderer: Traversal.V[Pattern] => Traversal[D, G, C]
+    ): Traversal[(RichPattern, D), JMap[String, Any], Converter[(RichPattern, D), JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.in[PatternPattern].v[Pattern].fold)
+            .by(entityRenderer)
+        )
+        .domainMap {
+          case (pattern, parent, renderedEntity) =>
+            RichPattern(pattern, parent.headOption) -> renderedEntity
+        }
+
+  }
+}
diff --git a/thehive/app/org/thp/thehive/services/ProcedureSrv.scala b/thehive/app/org/thp/thehive/services/ProcedureSrv.scala
new file mode 100644
index 0000000000..845937575d
--- /dev/null
+++ b/thehive/app/org/thp/thehive/services/ProcedureSrv.scala
@@ -0,0 +1,94 @@
+package org.thp.thehive.services
+
+import org.thp.scalligraph.EntityIdOrName
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.query.PropertyUpdater
+import org.thp.scalligraph.services._
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.thehive.controllers.v1.Conversion._
+import org.thp.thehive.models._
+import org.thp.thehive.services.ProcedureOps._
+import play.api.libs.json.JsObject
+
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Singleton}
+import scala.util.Try
+
+@Singleton
+class ProcedureSrv @Inject() (
+    auditSrv: AuditSrv,
+    caseSrv: CaseSrv,
+    patternSrv: PatternSrv
+) extends VertexSrv[Procedure] {
+  val caseProcedureSrv    = new EdgeSrv[CaseProcedure, Case, Procedure]
+  val procedurePatternSrv = new EdgeSrv[ProcedurePattern, Procedure, Pattern]
+
+  def create(p: Procedure, caseId: String, patternId: String)(implicit graph: Graph, authContext: AuthContext): Try[RichProcedure] =
+    for {
+      caze      <- caseSrv.getOrFail(EntityIdOrName(caseId))
+      pattern   <- patternSrv.getOrFail(EntityIdOrName(patternId))
+      procedure <- createEntity(p)
+      _         <- caseProcedureSrv.create(CaseProcedure(), caze, procedure)
+      _         <- procedurePatternSrv.create(ProcedurePattern(), procedure, pattern)
+      richProcedure = RichProcedure(procedure, pattern)
+      _ <- auditSrv.procedure.create(procedure, caze, richProcedure.toJson)
+    } yield richProcedure
+
+  override def get(idOrName: EntityIdOrName)(implicit graph: Graph): Traversal.V[Procedure] =
+    idOrName.fold(getByIds(_), _ => startTraversal.limit(0))
+
+  override def update(
+      traversal: Traversal.V[Procedure],
+      propertyUpdaters: Seq[PropertyUpdater]
+  )(implicit graph: Graph, authContext: AuthContext): Try[(Traversal.V[Procedure], JsObject)] =
+    auditSrv.mergeAudits(super.update(traversal, propertyUpdaters)) {
+      case (procedureSteps, updatedFields) =>
+        procedureSteps.clone().project(_.by.by(_.`case`)).getOrFail("Procedure").flatMap {
+          case (procedure, caze) => auditSrv.procedure.update(procedure, caze, updatedFields)
+        }
+    }
+
+  def remove(procedure: Procedure with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    for {
+      caze <- get(procedure).`case`.getOrFail("Case")
+      _    <- auditSrv.procedure.delete(procedure, caze)
+    } yield get(procedure).remove()
+
+}
+
+object ProcedureOps {
+  implicit class ProcedureOpsDefs(traversal: Traversal.V[Procedure]) {
+
+    def pattern: Traversal.V[Pattern] =
+      traversal.out[ProcedurePattern].v[Pattern]
+
+    def `case`: Traversal.V[Case] =
+      traversal.in[CaseProcedure].v[Case]
+
+    def get(idOrName: EntityIdOrName): Traversal.V[Procedure] =
+      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+
+    def richProcedure: Traversal[RichProcedure, JMap[String, Any], Converter[RichProcedure, JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.pattern)
+        )
+        .domainMap { case (procedure, pattern) => RichProcedure(procedure, pattern) }
+
+    def richProcedureWithCustomRenderer[D, G, C <: Converter[D, G]](
+        entityRenderer: Traversal.V[Procedure] => Traversal[D, G, C]
+    ): Traversal[(RichProcedure, D), JMap[String, Any], Converter[(RichProcedure, D), JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.pattern)
+            .by(entityRenderer)
+        )
+        .domainMap {
+          case (procedure, pattern, renderedEntity) => (RichProcedure(procedure, pattern), renderedEntity)
+        }
+  }
+}
diff --git a/thehive/app/org/thp/thehive/services/ProfileSrv.scala b/thehive/app/org/thp/thehive/services/ProfileSrv.scala
index e0941b7581..bf7f10117c 100644
--- a/thehive/app/org/thp/thehive/services/ProfileSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ProfileSrv.scala
@@ -1,20 +1,19 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Provider, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.{AuthContext, Permission}
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.{BadRequestError, EntityIdOrName, EntityName}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.ProfileOps._
 import play.api.libs.json.JsObject
 
+import javax.inject.{Inject, Named, Provider, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -23,7 +22,7 @@ class ProfileSrv @Inject() (
     organisationSrvProvider: Provider[OrganisationSrv],
     @Named("integrity-check-actor") integrityCheckActor: ActorRef
 )(implicit
-    @Named("with-thehive-schema") val db: Database
+    val db: Database
 ) extends VertexSrv[Profile] {
   lazy val organisationSrv: OrganisationSrv = organisationSrvProvider.get
   lazy val orgAdmin: Profile with Entity    = db.roTransaction(graph => getOrFail(EntityName(Profile.orgAdmin.name))(graph)).get
@@ -83,8 +82,7 @@ object ProfileOps {
 
 }
 
-class ProfileIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: ProfileSrv)
-    extends IntegrityCheckOps[Profile] {
+class ProfileIntegrityCheckOps @Inject() (val db: Database, val service: ProfileSrv) extends IntegrityCheckOps[Profile] {
   override def resolve(entities: Seq[Profile with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -93,4 +91,6 @@ class ProfileIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db:
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/ReportTagSrv.scala b/thehive/app/org/thp/thehive/services/ReportTagSrv.scala
index a22d578e3a..ef2c33d214 100644
--- a/thehive/app/org/thp/thehive/services/ReportTagSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ReportTagSrv.scala
@@ -1,21 +1,20 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.RichSeq
 import org.thp.scalligraph.auth.AuthContext
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.Entity
 import org.thp.scalligraph.services.{EdgeSrv, VertexSrv}
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.thehive.models.{Observable, ObservableReportTag, ReportTag}
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.ReportTagOps._
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
-class ReportTagSrv @Inject() (observableSrv: ObservableSrv)(implicit @Named("with-thehive-schema") db: Database) extends VertexSrv[ReportTag] {
+class ReportTagSrv @Inject() (observableSrv: ObservableSrv) extends VertexSrv[ReportTag] {
   val observableReportTagSrv = new EdgeSrv[ObservableReportTag, Observable, ReportTag]
 
   def updateTags(observable: Observable with Entity, origin: String, reportTags: Seq[ReportTag])(implicit
diff --git a/thehive/app/org/thp/thehive/services/ResolutionStatusSrv.scala b/thehive/app/org/thp/thehive/services/ResolutionStatusSrv.scala
index 02e8bbc873..a35f333143 100644
--- a/thehive/app/org/thp/thehive/services/ResolutionStatusSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ResolutionStatusSrv.scala
@@ -1,23 +1,20 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.{IntegrityCheckOps, VertexSrv}
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.scalligraph.{CreateError, EntityIdOrName}
 import org.thp.thehive.models.ResolutionStatus
 import org.thp.thehive.services.ResolutionStatusOps._
 
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
-class ResolutionStatusSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef)(implicit
-    @Named("with-thehive-schema") db: Database
-) extends VertexSrv[ResolutionStatus] {
+class ResolutionStatusSrv @Inject() (@Named("integrity-check-actor") integrityCheckActor: ActorRef) extends VertexSrv[ResolutionStatus] {
 
   override def getByName(name: String)(implicit graph: Graph): Traversal.V[ResolutionStatus] =
     startTraversal.getByName(name)
@@ -45,8 +42,7 @@ object ResolutionStatusOps {
   }
 }
 
-class ResolutionStatusIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: ResolutionStatusSrv)
-    extends IntegrityCheckOps[ResolutionStatus] {
+class ResolutionStatusIntegrityCheckOps @Inject() (val db: Database, val service: ResolutionStatusSrv) extends IntegrityCheckOps[ResolutionStatus] {
   override def resolve(entities: Seq[ResolutionStatus with Entity])(implicit graph: Graph): Try[Unit] =
     entities match {
       case head :: tail =>
@@ -55,4 +51,6 @@ class ResolutionStatusIntegrityCheckOps @Inject() (@Named("with-thehive-schema")
         Success(())
       case _ => Success(())
     }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/RoleSrv.scala b/thehive/app/org/thp/thehive/services/RoleSrv.scala
index c4178722d2..7d58b977b3 100644
--- a/thehive/app/org/thp/thehive/services/RoleSrv.scala
+++ b/thehive/app/org/thp/thehive/services/RoleSrv.scala
@@ -1,26 +1,25 @@
 package org.thp.thehive.services
 
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.services._
-import org.thp.scalligraph.traversal.Traversal
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.traversal.{Graph, Traversal}
 import org.thp.thehive.models._
 import org.thp.thehive.services.RoleOps._
 
+import javax.inject.{Inject, Singleton}
 import scala.util.Try
 
 @Singleton
-class RoleSrv @Inject() (@Named("with-thehive-schema") implicit val db: Database) extends VertexSrv[Role] {
+class RoleSrv @Inject() extends VertexSrv[Role] {
 
   val roleOrganisationSrv = new EdgeSrv[RoleOrganisation, Role, Organisation]
   val userRoleSrv         = new EdgeSrv[UserRole, User, Role]
   val roleProfileSrv      = new EdgeSrv[RoleProfile, Role, Profile]
 
-  def create(user: User with Entity, organisation: Organisation with Entity, profile: Profile with Entity)(
-      implicit graph: Graph,
+  def create(user: User with Entity, organisation: Organisation with Entity, profile: Profile with Entity)(implicit
+      graph: Graph,
       authContext: AuthContext
   ): Try[Role with Entity] =
     for {
diff --git a/thehive/app/org/thp/thehive/services/ShareSrv.scala b/thehive/app/org/thp/thehive/services/ShareSrv.scala
index a385687ed3..f9cb89a6cd 100644
--- a/thehive/app/org/thp/thehive/services/ShareSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ShareSrv.scala
@@ -1,16 +1,13 @@
 package org.thp.thehive.services
 
-import java.util.{Map => JMap}
-
-import javax.inject.{Inject, Named, Provider, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.P
-import org.apache.tinkerpop.gremlin.structure.{Graph, T}
+import org.apache.tinkerpop.gremlin.structure.T
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
-import org.thp.scalligraph.{CreateError, EntityIdOrName}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.{CreateError, EntityId, EntityIdOrName}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.CaseOps._
@@ -19,15 +16,17 @@ import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
 import org.thp.thehive.services.TaskOps._
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Provider, Singleton}
 import scala.util.{Failure, Try}
 
 @Singleton
-class ShareSrv @Inject() (
-    @Named("with-thehive-schema") implicit val db: Database,
+class ShareSrv @Inject() (implicit
     auditSrv: AuditSrv,
     caseSrvProvider: Provider[CaseSrv],
     taskSrv: TaskSrv,
-    observableSrvProvider: Provider[ObservableSrv]
+    observableSrvProvider: Provider[ObservableSrv],
+    organisationSrv: OrganisationSrv
 ) extends VertexSrv[Share] {
   lazy val caseSrv: CaseSrv             = caseSrvProvider.get
   lazy val observableSrv: ObservableSrv = observableSrvProvider.get
@@ -60,6 +59,7 @@ class ShareSrv @Inject() (
           _            <- organisationShareSrv.create(OrganisationShare(), organisation, createdShare)
           _            <- shareCaseSrv.create(ShareCase(), createdShare, `case`)
           _            <- shareProfileSrv.create(ShareProfile(), createdShare, profile)
+          _            <- caseSrv.get(`case`).addValue(_.organisationIds, organisation._id).getOrFail("Case")
           _            <- auditSrv.share.shareCase(`case`, organisation, profile)
         } yield createdShare
     }
@@ -73,7 +73,7 @@ class ShareSrv @Inject() (
   def get(task: Task with Entity, organisationName: EntityIdOrName)(implicit graph: Graph): Traversal.V[Share] =
     taskSrv.get(task).share(organisationName)
 
-  def update(
+  def updateProfile(
       share: Share with Entity,
       profile: Profile with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[ShareProfile with Entity] = {
@@ -86,23 +86,26 @@ class ShareSrv @Inject() (
     } yield newShareProfile
   }
 
-//  def remove(`case`: Case with Entity, organisationId: String)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-//    caseSrv.get(`case`).in[ShareCase].filter(_.in[OrganisationShare])._id.getOrFail().flatMap(remove(_)) // FIXME add organisation ?
+  private def delete(shareId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    for {
+      share <- getOrFail(shareId)
+      tasks = get(share).tasks.toSeq
+      obs   = get(share).observables.toSeq
+      _ <- tasks.toTry(taskSrv.delete(_))
+      _ <- obs.toTry(observableSrv.delete(_))
+    } yield get(shareId).remove()
 
-  def remove(shareId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+  def unshareCase(shareId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     for {
-      case0        <- get(shareId).`case`.getOrFail("Case")
       organisation <- get(shareId).organisation.getOrFail("Organisation")
-      _            <- auditSrv.share.unshareCase(case0, organisation)
-    } yield get(shareId).remove()
+      case0        <- get(shareId).`case`.removeValue(_.organisationIds, organisation._id).getOrFail("Case")
+      _ = get(shareId).observables.removeValue(_.organisationIds, organisation._id).barrier().filterNot(_.shares.range(1, 2)).remove()
+      _ = get(shareId).tasks.removeValue(_.organisationIds, organisation._id).barrier().filterNot(_.shares.range(1, 2)).remove()
+      _ <- auditSrv.share.unshareCase(case0, organisation)
+      _ <- delete(shareId)
+    } yield ()
 
-  /**
-    * Unshare Task for a given Organisation
-    * @param task task to unshare
-    * @param organisation organisation the task must be unshared with
-    * @return
-    */
-  def removeShareTasks(
+  def unshareTask(
       task: Task with Entity,
       organisation: Organisation with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
@@ -110,6 +113,7 @@ class ShareSrv @Inject() (
       shareTask <-
         taskSrv
           .get(task)
+          .removeValue(_.organisationIds, organisation._id)
           .inE[ShareTask]
           .filter(_.outV.v[Share].byOrganisation(organisation._id))
           .getOrFail("Task")
@@ -117,13 +121,7 @@ class ShareSrv @Inject() (
       _     <- auditSrv.share.unshareTask(task, case0, organisation)
     } yield shareTaskSrv.get(shareTask).remove()
 
-  /**
-    * Unshare Task for a given Organisation
-    * @param observable observable to unshare
-    * @param organisation organisation the task must be unshared with
-    * @return
-    */
-  def removeShareObservable(
+  def unshareObservable(
       observable: Observable with Entity,
       organisation: Organisation with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
@@ -131,6 +129,7 @@ class ShareSrv @Inject() (
       shareObservable <-
         observableSrv
           .get(observable)
+          .removeValue(_.organisationIds, organisation._id)
           .inE[ShareObservable]
           .filter(_.outV.in[OrganisationShare].hasId(organisation._id))
           .getOrFail("Share")
@@ -146,12 +145,22 @@ class ShareSrv @Inject() (
   def shareCaseTasks(
       share: Share with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Seq[ShareTask with Entity]] =
-    get(share)
-      .`case`
-      .tasks
-      .filterNot(_.taskToShares.hasId(share._id))
-      .toIterator
-      .toTry(shareTaskSrv.create(ShareTask(), share, _))
+    for {
+      organisation <- get(share).organisation.getOrFail("Share")
+      shareTask <-
+        get(share)
+          .`case`
+          .tasks
+          .filter(_.shares.has(T.id, P.neq(share._id)))
+          .toIterator
+          .toTry { task =>
+            taskSrv
+              .get(task)
+              .addValue(_.organisationIds, organisation._id)
+              .getOrFail("Task")
+              .flatMap(shareTaskSrv.create(ShareTask(), share, _))
+          }
+    } yield shareTask
 
   /**
     * Shares a task for an already shared case
@@ -160,14 +169,15 @@ class ShareSrv @Inject() (
   def shareTask(
       richTask: RichTask,
       `case`: Case with Entity,
-      organisation: Organisation with Entity
+      organisationId: EntityId
   )(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Unit] =
     for {
-      share <- get(`case`, organisation._id).getOrFail("Case")
+      share <- get(`case`, organisationId).getOrFail("Case")
       _     <- shareTaskSrv.create(ShareTask(), share, richTask.task)
+      _     <- taskSrv.get(richTask.task).addValue(_.organisationIds, organisationId).getOrFail("Task")
       _     <- auditSrv.task.create(richTask.task, richTask.toJson)
     } yield ()
 
@@ -175,13 +185,14 @@ class ShareSrv @Inject() (
     * Shares an observable for an already shared case
     * @return
     */
-  def shareObservable(richObservable: RichObservable, `case`: Case with Entity, organisation: Organisation with Entity)(implicit
+  def shareObservable(richObservable: RichObservable, `case`: Case with Entity, organisationId: EntityId)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Unit] =
     for {
-      share <- get(`case`, organisation._id).getOrFail("Case")
+      share <- get(`case`, organisationId).getOrFail("Case")
       _     <- shareObservableSrv.create(ShareObservable(), share, richObservable.observable)
+      _     <- observableSrv.get(richObservable.observable).addValue(_.organisationIds, organisationId).getOrFail("Observable")
       _     <- auditSrv.observable.create(richObservable.observable, richObservable.toJson)
     } yield ()
 
@@ -193,12 +204,23 @@ class ShareSrv @Inject() (
   def shareCaseObservables(
       share: Share with Entity
   )(implicit graph: Graph, authContext: AuthContext): Try[Seq[ShareObservable with Entity]] =
-    get(share)
-      .`case`
-      .observables
-      .filter(_.shares.has(T.id, P.neq(share._id)))
-      .toIterator
-      .toTry(shareObservableSrv.create(ShareObservable(), share, _))
+    for {
+      organisation <- get(share).organisation.getOrFail("Share")
+      shareObservable <-
+        get(share)
+          .`case`
+          .observables // list observables related to authContext
+          .filter(_.shares.has(T.id, P.neq(share._id)))
+          .toIterator
+          .toTry { obs =>
+            observableSrv
+              .get(obs)
+              .addValue(_.organisationIds, organisation._id)
+              .getOrFail("Observable")
+              .flatMap(_ => shareObservableSrv.create(ShareObservable(), share, obs))
+
+          }
+    } yield shareObservable
 
   /**
     * Does a full rebuild of the share status of a task,
@@ -209,14 +231,15 @@ class ShareSrv @Inject() (
     */
   def updateTaskShares(
       task: Task with Entity,
-      organisations: Seq[Organisation with Entity]
+      organisations: Set[Organisation with Entity]
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     val (orgsToAdd, orgsToRemove) = taskSrv
       .get(task)
-      .taskToShares
+      .update(_.organisationIds, organisations.map(_._id))
+      .shares
       .organisation
       .toIterator
-      .foldLeft((organisations.toSet, Set.empty[Organisation with Entity])) {
+      .foldLeft((organisations, Set.empty[Organisation with Entity])) {
         case ((toAdd, toRemove), o) if toAdd.contains(o) => (toAdd - o, toRemove)
         case ((toAdd, toRemove), o)                      => (toAdd, toRemove + o)
       }
@@ -239,7 +262,7 @@ class ShareSrv @Inject() (
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     val existingOrgs = taskSrv
       .get(task)
-      .taskToShares
+      .shares
       .organisation
       .toSeq
 
@@ -247,7 +270,7 @@ class ShareSrv @Inject() (
       .filterNot(existingOrgs.contains)
       .toTry { organisation =>
         for {
-          case0 <- taskSrv.get(task).`case`.getOrFail("Task")
+          case0 <- taskSrv.get(task).addValue(_.organisationIds, organisation._id).`case`.getOrFail("Task")
           share <- caseSrv.get(case0).share(organisation._id).getOrFail("Case")
           _     <- shareTaskSrv.create(ShareTask(), share, task)
           _     <- auditSrv.share.shareTask(task, case0, organisation)
@@ -270,7 +293,7 @@ class ShareSrv @Inject() (
       .filterNot(existingOrgs.contains)
       .toTry { organisation =>
         for {
-          case0 <- observableSrv.get(observable).`case`.getOrFail("Observable")
+          case0 <- observableSrv.get(observable).addValue(_.organisationIds, organisation._id).`case`.getOrFail("Observable")
           share <- caseSrv.get(case0).share(organisation._id).getOrFail("Case")
           _     <- shareObservableSrv.create(ShareObservable(), share, observable)
           _     <- auditSrv.share.shareObservable(observable, case0, organisation)
@@ -288,22 +311,23 @@ class ShareSrv @Inject() (
     */
   def updateObservableShares(
       observable: Observable with Entity,
-      organisations: Seq[Organisation with Entity]
+      organisations: Set[Organisation with Entity]
   )(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     val (orgsToAdd, orgsToRemove) = observableSrv
       .get(observable)
+      .update(_.organisationIds, organisations.map(_._id))
       .shares
       .organisation
       .toIterator
-      .foldLeft((organisations.toSet, Set.empty[Organisation with Entity])) {
+      .foldLeft((organisations, Set.empty[Organisation with Entity])) {
         case ((toAdd, toRemove), o) if toAdd.contains(o) => (toAdd - o, toRemove)
         case ((toAdd, toRemove), o)                      => (toAdd, toRemove + o)
       }
-    orgsToRemove.foreach(o => observableSrv.get(observable).share(o._id).remove())
+    orgsToRemove.foreach(o => observableSrv.get(observable).removeValue(_.organisationIds, o._id).share(o._id).remove())
     orgsToAdd
       .toTry { organisation =>
         for {
-          case0 <- observableSrv.get(observable).`case`.getOrFail("Observable")
+          case0 <- observableSrv.get(observable).addValue(_.organisationIds, organisation._id).`case`.getOrFail("Observable")
           share <- caseSrv.get(case0).share(organisation._id).getOrFail("Case")
           _     <- shareObservableSrv.create(ShareObservable(), share, observable)
           _     <- auditSrv.share.shareObservable(observable, case0, organisation)
@@ -316,7 +340,7 @@ class ShareSrv @Inject() (
 object ShareOps {
   implicit class ShareOpsDefs(traversal: Traversal.V[Share]) {
     def get(idOrName: EntityIdOrName): Traversal.V[Share] =
-      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+      idOrName.fold(traversal.getByIds(_), _ => traversal.empty)
 
     def relatedTo(`case`: Case with Entity): Traversal.V[Share] = traversal.filter(_.`case`.hasId(`case`._id))
 
@@ -326,6 +350,8 @@ object ShareOps {
 
     def organisation: Traversal.V[Organisation] = traversal.in[OrganisationShare].v[Organisation]
 
+    def visible(implicit authContext: AuthContext): Traversal.V[Share] = traversal.filter(_.organisation.visible)
+
     def tasks: Traversal.V[Task] = traversal.out[ShareTask].v[Task]
 
     def byTask(taskId: EntityIdOrName): Traversal.V[Share] =
diff --git a/thehive/app/org/thp/thehive/services/StreamSrv.scala b/thehive/app/org/thp/thehive/services/StreamSrv.scala
index 225e9c29fb..88a73c5d51 100644
--- a/thehive/app/org/thp/thehive/services/StreamSrv.scala
+++ b/thehive/app/org/thp/thehive/services/StreamSrv.scala
@@ -17,7 +17,7 @@ import play.api.Logger
 import play.api.libs.json.Json
 
 import java.io.NotSerializableException
-import javax.inject.{Inject, Named, Singleton}
+import javax.inject.{Inject, Singleton}
 import scala.collection.immutable
 import scala.concurrent.duration.{DurationInt, FiniteDuration}
 import scala.concurrent.{ExecutionContext, Future}
@@ -39,17 +39,18 @@ case object Commit            extends StreamMessage
   * to global stream actor.
   */
 class StreamActor(
+    organisationSrv: OrganisationSrv,
     authContext: AuthContext,
     refresh: FiniteDuration,
     maxWait: FiniteDuration,
     graceDuration: FiniteDuration,
     keepAlive: FiniteDuration,
     auditSrv: AuditSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) extends Actor {
   import context.dispatcher
 
-  lazy val logger: Logger = Logger(s"${getClass.getName}.$self")
+  lazy val logger: Logger = Logger(getClass)
 
   override def receive: Receive = {
     val keepAliveTimer = context.system.scheduler.scheduleOnce(keepAlive, self, PoisonPill)
@@ -72,7 +73,7 @@ class StreamActor(
       db.roTransaction { implicit graph =>
         val visibleIds = auditSrv
           .getByIds(ids: _*)
-          .visible(authContext)
+          .visible(organisationSrv)(authContext)
           .toSeq
           .map(_._id)
         logger.debug(s"[$self] AuditStreamMessage $ids => $visibleIds")
@@ -112,7 +113,7 @@ class StreamActor(
       db.roTransaction { implicit graph =>
         val visibleIds = auditSrv
           .getByIds(ids: _*)
-          .visible(authContext)
+          .visible(organisationSrv)(authContext)
           .toSeq
           .map(_._id)
         logger.debug(s"[$self] AuditStreamMessage $ids => $visibleIds")
@@ -135,8 +136,9 @@ class StreamActor(
 class StreamSrv @Inject() (
     appConfig: ApplicationConfig,
     eventSrv: EventSrv,
+    organisationSrv: OrganisationSrv,
     auditSrv: AuditSrv,
-    @Named("with-thehive-schema") db: Database,
+    db: Database,
     system: ActorSystem,
     implicit val ec: ExecutionContext
 ) {
@@ -185,7 +187,7 @@ class StreamSrv @Inject() (
     val streamId = generateStreamId()
     val streamActor =
       system.actorOf(
-        Props(classOf[StreamActor], authContext, refresh, maxWait, graceDuration, keepAlive, auditSrv, db),
+        Props(classOf[StreamActor], organisationSrv, authContext, refresh, maxWait, graceDuration, keepAlive, auditSrv, db),
         s"stream-$streamId"
       )
     logger.debug(s"Register stream actor ${streamActor.path}")
@@ -196,7 +198,7 @@ class StreamSrv @Inject() (
 
   def get(streamId: String): Future[Seq[EntityId]] = {
     implicit val timeout: Timeout = Timeout(refresh + 1.second)
-    Retry(maxAttempts).withBackoff(minBackoff, maxBackoff, randomFactor)(system) {
+    Retry(maxAttempts).withBackoff(minBackoff, maxBackoff, randomFactor)(system.scheduler, system.dispatcher) {
       // Check if stream actor exists
       eventSrv
         .publishAsk(StreamTopic(streamId))(Identify(1))(Timeout(2.seconds))
diff --git a/thehive/app/org/thp/thehive/services/TOTPAuthSrv.scala b/thehive/app/org/thp/thehive/services/TOTPAuthSrv.scala
index 94441d57ba..01f3176010 100644
--- a/thehive/app/org/thp/thehive/services/TOTPAuthSrv.scala
+++ b/thehive/app/org/thp/thehive/services/TOTPAuthSrv.scala
@@ -1,21 +1,20 @@
 package org.thp.thehive.services
 
-import java.net.URI
-import java.util.concurrent.TimeUnit
-
-import javax.crypto.Mac
-import javax.crypto.spec.SecretKeySpec
-import javax.inject.{Inject, Named, Provider, Singleton}
 import org.apache.commons.codec.binary.Base32
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.auth._
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{AuthenticationError, EntityIdOrName, MultiFactorCodeRequired}
 import play.api.Configuration
 import play.api.mvc.RequestHeader
 
+import java.net.URI
+import java.util.concurrent.TimeUnit
+import javax.crypto.Mac
+import javax.crypto.spec.SecretKeySpec
+import javax.inject.{Inject, Provider, Singleton}
 import scala.collection.immutable
 import scala.util.{Failure, Random, Success, Try}
 
@@ -24,7 +23,7 @@ class TOTPAuthSrv(
     appConfig: ApplicationConfig,
     availableAuthProviders: immutable.Set[AuthSrvProvider],
     userSrv: UserSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) extends MultiAuthSrv(configuration, appConfig, availableAuthProviders) {
   override val name: String = "totp"
 
@@ -103,7 +102,7 @@ class TOTPAuthSrvProvider @Inject() (
     appConfig: ApplicationConfig,
     authProviders: immutable.Set[AuthSrvProvider],
     userSrv: UserSrv,
-    @Named("with-thehive-schema") db: Database
+    db: Database
 ) extends Provider[AuthSrv] {
   override def get(): AuthSrv = new TOTPAuthSrv(configuration, appConfig, authProviders, userSrv, db)
 }
diff --git a/thehive/app/org/thp/thehive/services/TagSrv.scala b/thehive/app/org/thp/thehive/services/TagSrv.scala
index 9620a7b3d0..8ba71be3ae 100644
--- a/thehive/app/org/thp/thehive/services/TagSrv.scala
+++ b/thehive/app/org/thp/thehive/services/TagSrv.scala
@@ -1,65 +1,114 @@
 package org.thp.thehive.services
 
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.process.traversal.TextP
+import org.apache.tinkerpop.gremlin.structure.Vertex
+import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
-import org.thp.scalligraph.services.{IntegrityCheckOps, VertexSrv}
+import org.thp.scalligraph.services.{EdgeSrv, IntegrityCheckOps, VertexSrv}
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
-import org.thp.thehive.models.{AlertTag, CaseTag, ObservableTag, Tag}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.utils.FunctionalCondition.When
+import org.thp.thehive.models._
+import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.TagOps._
 
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Named, Provider, Singleton}
+import scala.util.matching.Regex
 import scala.util.{Success, Try}
 
 @Singleton
-class TagSrv @Inject() (appConfig: ApplicationConfig, @Named("integrity-check-actor") integrityCheckActor: ActorRef)(implicit
-    @Named("with-thehive-schema") db: Database
+class TagSrv @Inject() (
+    organisationSrv: OrganisationSrv,
+    taxonomySrvProvider: Provider[TaxonomySrv],
+    appConfig: ApplicationConfig,
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef
 ) extends VertexSrv[Tag] {
+  lazy val taxonomySrv: TaxonomySrv = taxonomySrvProvider.get
 
-  val autoCreateConfig: ConfigItem[Boolean, Boolean] =
-    appConfig.item[Boolean]("tags.autocreate", "If true, create automatically tag if it doesn't exist")
+  val taxonomyTagSrv = new EdgeSrv[TaxonomyTag, Taxonomy, Tag]
+  private val freeTagColourConfig: ConfigItem[String, String] =
+    appConfig.item[String]("tags.freeTagColour", "Default colour for free tags")
 
-  def autoCreate: Boolean = autoCreateConfig.get
+  def freeTagColour: String = freeTagColourConfig.get
 
-  val defaultNamespaceConfig: ConfigItem[String, String] =
-    appConfig.item[String]("tags.defaultNamespace", "Default namespace of the automatically created tags")
+  private def freeTagNamespace(implicit graph: Graph, authContext: AuthContext): String =
+    s"_freetags_${organisationSrv.currentId(graph, authContext).value}"
 
-  def defaultNamespace: String = defaultNamespaceConfig.get
+  def fromString(tagName: String): Option[(String, String, Option[String])] = {
+    val namespacePredicateValue: Regex = "([^\".:=]+)[.:]([^\".=]+)=\"?([^\"]+)\"?".r
+    val namespacePredicate: Regex      = "([^\".:=]+)[.:]([^\".=]+)".r
 
-  val defaultColourConfig: ConfigItem[String, Int] =
-    appConfig.mapItem[String, Int](
-      "tags.defaultColour",
-      "Default colour of the automatically created tags",
-      {
-        case s if s(0) == '#' => Try(Integer.parseUnsignedInt(s.tail, 16)).getOrElse(defaultColour)
-        case _                => defaultColour
-      }
-    )
-  def defaultColour: Int = defaultColourConfig.get
-
-  def parseString(tagName: String): Tag =
-    Tag.fromString(tagName, defaultNamespace, defaultColour)
+    tagName match {
+      case namespacePredicateValue(namespace, predicate, value) if value.exists(_ != '=') =>
+        Some((namespace.trim, predicate.trim, Some(value.trim)))
+      case namespacePredicate(namespace, predicate) =>
+        Some((namespace.trim, predicate.trim, None))
+      case _ => None
+    }
+  }
 
   def getTag(tag: Tag)(implicit graph: Graph): Traversal.V[Tag] = startTraversal.getTag(tag)
 
-  def getOrCreate(tagName: String)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] = {
-    val tag = parseString(tagName)
-    getTag(tag).getOrFail("Tag").recoverWith {
-      case _ if autoCreate => create(tag)
-    }
-  }
+  def getFreetag(idOrName: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Traversal.V[Tag] =
+    startTraversal.getFreetag(organisationSrv, idOrName)
 
-  override def createEntity(e: Tag)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] = {
+  def getOrCreate(tagName: String)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] =
+    fromString(tagName)
+      .flatMap {
+        case (ns, pred, v) => startTraversal.getByName(ns, pred, v).headOption
+      }
+      .fold {
+        startTraversal
+          .getByName(freeTagNamespace, tagName, None)
+          .getOrFail("Tag")
+          .orElse(createFreeTag(tagName))
+      }(Success(_))
+
+  private def createFreeTag(tagName: String)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] =
+    for {
+      freetagTaxonomy <- taxonomySrv.getFreetagTaxonomy
+      tag             <- createEntity(Tag(freeTagNamespace, tagName, None, None, freeTagColour))
+      _               <- taxonomyTagSrv.create(TaxonomyTag(), freetagTaxonomy, tag)
+    } yield tag
+
+  def create(tag: Tag)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] = {
     integrityCheckActor ! EntityAdded("Tag")
-    super.createEntity(e)
+    super.createEntity(tag)
   }
 
-  def create(tag: Tag)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] = createEntity(tag)
-
   override def exists(e: Tag)(implicit graph: Graph): Boolean = startTraversal.getByName(e.namespace, e.predicate, e.value).exists
+
+  def update(
+      tag: Tag with Entity,
+      input: Tag
+  )(implicit graph: Graph): Try[Tag with Entity] =
+    for {
+      updatedTag <- get(tag)
+        .when(tag.description != input.description)(_.update(_.description, input.description))
+        .when(tag.colour != input.colour)(_.update(_.colour, input.colour))
+        .getOrFail("Tag")
+    } yield updatedTag
+
+  // TODO add audit
+  override def delete(tag: Tag with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
+    val tagName = tag.toString
+    Try {
+      get(tag)
+        .sideEffect(
+          _.unionFlat(
+            _.`case`.removeValue(_.tags, tagName),
+            _.alert.removeValue(_.tags, tagName),
+            _.observable.removeValue(_.tags, tagName),
+            _.caseTemplate.removeValue(_.tags, tagName)
+          )
+        )
+        .remove()
+    }
+  }
 }
 
 object TagOps {
@@ -75,18 +124,56 @@ object TagOps {
       value.fold(t.hasNot(_.value))(v => t.has(_.value, v))
     }
 
+    def taxonomy: Traversal.V[Taxonomy] = traversal.in[TaxonomyTag].v[Taxonomy]
+
+    def organisation: Traversal.V[Organisation]                           = traversal.in[TaxonomyTag].in[OrganisationTaxonomy].v[Organisation]
     def displayName: Traversal[String, Vertex, Converter[String, Vertex]] = traversal.domainMap(_.toString)
 
     def fromCase: Traversal.V[Tag] = traversal.filter(_.in[CaseTag])
+    def `case`: Traversal.V[Case]  = traversal.in[CaseTag].v[Case]
 
-    def fromObservable: Traversal.V[Tag] = traversal.filter(_.in[ObservableTag])
+    def fromObservable: Traversal.V[Tag]    = traversal.filter(_.in[ObservableTag])
+    def observable: Traversal.V[Observable] = traversal.in[ObservableTag].v[Observable]
 
     def fromAlert: Traversal.V[Tag] = traversal.filter(_.in[AlertTag])
-  }
+    def alert: Traversal.V[Alert]   = traversal.in[AlertTag].v[Alert]
 
+    def fromCaseTemplate: Traversal.V[Tag]      = traversal.filter(_.in[CaseTemplateTag])
+    def caseTemplate: Traversal.V[CaseTemplate] = traversal.in[CaseTemplateTag].v[CaseTemplate]
+
+    def freetags(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Tag] = {
+      val freeTagNamespace: String = s"_freetags_${organisationSrv.currentId(traversal.graph, authContext).value}"
+      traversal
+        .has(_.namespace, freeTagNamespace)
+    }
+
+    def getFreetag(organisationSrv: OrganisationSrv, idOrName: EntityIdOrName)(implicit authContext: AuthContext): Traversal.V[Tag] =
+      idOrName.fold(traversal.getByIds(_), traversal.has(_.predicate, _)).freetags(organisationSrv)
+
+    def autoComplete(organisationSrv: OrganisationSrv, freeTag: String)(implicit authContext: AuthContext): Traversal.V[Tag] =
+      freetags(organisationSrv)
+        .has(_.predicate, TextP.containing(freeTag))
+
+    def autoComplete(namespace: Option[String], predicate: Option[String], value: Option[String])(implicit
+        authContext: AuthContext
+    ): Traversal.V[Tag] =
+      traversal
+        .merge(namespace)((t, ns) => t.has(_.namespace, TextP.containing(ns)))
+        .merge(predicate)((t, p) => t.has(_.predicate, TextP.containing(p)))
+        .merge(value)((t, v) => t.has(_.value, TextP.containing(v)))
+        .visible
+
+    def visible(implicit authContext: AuthContext): Traversal.V[Tag] =
+      traversal.filter(_.organisation.current)
+
+    def withCustomRenderer[D, G, C <: Converter[D, G]](
+        entityRenderer: Traversal.V[Tag] => Traversal[D, G, C]
+    ): Traversal[(Tag with Entity, D), JMap[String, Any], Converter[(Tag with Entity, D), JMap[String, Any]]] =
+      traversal.project(_.by.by(entityRenderer))
+  }
 }
 
-class TagIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Database, val service: TagSrv) extends IntegrityCheckOps[Tag] {
+class TagIntegrityCheckOps @Inject() (val db: Database, val service: TagSrv) extends IntegrityCheckOps[Tag] {
 
   override def resolve(entities: Seq[Tag with Entity])(implicit graph: Graph): Try[Unit] = {
     firstCreatedEntity(entities).foreach {
@@ -98,4 +185,20 @@ class TagIntegrityCheckOps @Inject() (@Named("with-thehive-schema") val db: Data
     }
     Success(())
   }
+
+  override def globalCheck(): Map[String, Long] =
+    db.tryTransaction { implicit graph =>
+      Try {
+        val orphans = service
+          .startTraversal
+          .filter(_.taxonomy.has(_.namespace, TextP.startingWith("_freetags_")))
+          .filterNot(_.or(_.inE[AlertTag], _.inE[ObservableTag], _.inE[CaseTag], _.inE[CaseTemplateTag]))
+          ._id
+          .toSeq
+        if (orphans.nonEmpty) {
+          service.getByIds(orphans: _*).remove()
+          Map("orphan" -> orphans.size.toLong)
+        } else Map.empty[String, Long]
+      }
+    }.getOrElse(Map("globalFailure" -> 1L))
 }
diff --git a/thehive/app/org/thp/thehive/services/TaskSrv.scala b/thehive/app/org/thp/thehive/services/TaskSrv.scala
index 5602d2e68a..dfa95b9093 100644
--- a/thehive/app/org/thp/thehive/services/TaskSrv.scala
+++ b/thehive/app/org/thp/thehive/services/TaskSrv.scala
@@ -1,13 +1,16 @@
 package org.thp.thehive.services
 
-import org.apache.tinkerpop.gremlin.structure.Graph
-import org.thp.scalligraph.EntityIdOrName
+import org.apache.tinkerpop.gremlin.process.traversal.P
+import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.{AuthContext, Permission}
-import org.thp.scalligraph.models.{Database, Entity}
+import org.thp.scalligraph.models.{Entity, Model}
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
+import org.thp.scalligraph.traversal.Converter.Identity
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.utils.FunctionalCondition._
+import org.thp.scalligraph.{EntityId, EntityIdOrName}
 import org.thp.thehive.models.{TaskStatus, _}
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
@@ -16,46 +19,40 @@ import play.api.libs.json.{JsNull, JsObject, Json}
 
 import java.lang.{Boolean => JBoolean}
 import java.util.{Date, Map => JMap}
-import javax.inject.{Inject, Named, Provider, Singleton}
-import scala.util.{Failure, Success, Try}
+import javax.inject.{Inject, Provider, Singleton}
+import scala.util.{Failure, Try}
 
 @Singleton
-class TaskSrv @Inject() (caseSrvProvider: Provider[CaseSrv], auditSrv: AuditSrv, organisationSrv: OrganisationSrv)(implicit
-    @Named("with-thehive-schema") db: Database
+class TaskSrv @Inject() (
+    caseSrvProvider: Provider[CaseSrv],
+    auditSrv: AuditSrv,
+    organisationSrv: OrganisationSrv,
+    userSrv: UserSrv,
+    shareSrvProvider: Provider[ShareSrv],
+    logSrvProvider: Provider[LogSrv]
 ) extends VertexSrv[Task] {
 
-  lazy val caseSrv: CaseSrv = caseSrvProvider.get
-  val caseTemplateTaskSrv   = new EdgeSrv[CaseTemplateTask, CaseTemplate, Task]
-  val taskUserSrv           = new EdgeSrv[TaskUser, Task, User]
-  val taskLogSrv            = new EdgeSrv[TaskLog, Task, Log]
+  lazy val shareSrv: ShareSrv = shareSrvProvider.get
+  lazy val caseSrv: CaseSrv   = caseSrvProvider.get
+  lazy val logSrv: LogSrv     = logSrvProvider.get
+  val caseTemplateTaskSrv     = new EdgeSrv[CaseTemplateTask, CaseTemplate, Task]
+  val taskUserSrv             = new EdgeSrv[TaskUser, Task, User]
+  val taskLogSrv              = new EdgeSrv[TaskLog, Task, Log]
 
-  def create(e: Task, owner: Option[User with Entity])(implicit graph: Graph, authContext: AuthContext): Try[RichTask] =
+  def create(task: Task, assignee: Option[User with Entity])(implicit graph: Graph, authContext: AuthContext): Try[RichTask] =
     for {
-      task <- createEntity(e)
-      _    <- owner.map(taskUserSrv.create(TaskUser(), task, _)).flip
-    } yield RichTask(task, owner)
-
-  def isAvailableFor(taskId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Boolean =
-    get(taskId).visible(authContext).exists
+      createdTask <- createEntity(task.copy(assignee = assignee.map(_.login)))
+      _           <- assignee.map(taskUserSrv.create(TaskUser(), createdTask, _)).flip
+    } yield RichTask(createdTask)
 
   def unassign(task: Task with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(task).unassign()
+    get(task).update(_.assignee, None).outE[TaskUser].remove()
     auditSrv.task.update(task, Json.obj("assignee" -> JsNull))
   }
 
   def remove(task: Task with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
     get(task).caseTemplate.headOption match {
-      case None =>
-        get(task)
-          .taskToShares
-          .toIterator
-          .toTry { share =>
-            auditSrv
-              .task
-              .delete(task, share)
-              .map(_ => get(task).remove())
-          }
-          .map(_ => ())
+      case None => Try(get(task).remove())
       case Some(caseTemplate) =>
         auditSrv
           .caseTemplate
@@ -63,6 +60,16 @@ class TaskSrv @Inject() (caseSrvProvider: Provider[CaseSrv], auditSrv: AuditSrv,
           .map(_ => get(task).remove())
     }
 
+  override def delete(t: Task with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    if (get(t).isShared.head)
+      for {
+        orga <- organisationSrv.getOrFail(authContext.organisation)
+      } yield shareSrv.unshareTask(t, orga)
+    else
+      for {
+        _ <- get(t).logs.toSeq.toTry(logSrv.delete(_))
+      } yield remove(t)
+
   override def update(
       traversal: Traversal.V[Task],
       propertyUpdaters: Seq[PropertyUpdater]
@@ -78,36 +85,38 @@ class TaskSrv @Inject() (caseSrvProvider: Provider[CaseSrv], auditSrv: AuditSrv,
   /**
     * Tries to update the status of a task with related fields
     * according the status value if empty
-    * @param t the task to update
-    * @param o the potential owner
-    * @param s the status to set
+    * @param task the task to update
+    * @param status the status to set
     * @param graph db
     * @param authContext auth db
     * @return
     */
-  def updateStatus(t: Task with Entity, o: User with Entity, s: TaskStatus.Value)(implicit
+  def updateStatus(task: Task with Entity, status: TaskStatus.Value)(implicit
       graph: Graph,
       authContext: AuthContext
   ): Try[Task with Entity] = {
-    def setStatus(): Try[Task with Entity] = get(t).update(_.status, s).getOrFail("")
-
-    s match {
-      case TaskStatus.Cancel | TaskStatus.Waiting => setStatus()
-      case TaskStatus.Completed =>
-        t.endDate.fold(get(t).update(_.status, s).update(_.endDate, Some(new Date())).getOrFail(""))(_ => setStatus())
+    def setStatus(): Traversal.V[Task] = get(task).update(_.status, status)
 
+    status match {
+      case TaskStatus.Cancel | TaskStatus.Waiting => setStatus().getOrFail("Task")
+      case TaskStatus.Completed                   => setStatus().when(task.endDate.isEmpty)(_.update(_.endDate, Some(new Date()))).getOrFail("Task")
       case TaskStatus.InProgress =>
-        for {
-          _       <- get(t).assignee.headOption.fold(assign(t, o))(_ => Success(()))
-          updated <- t.startDate.fold(get(t).update(_.status, s).update(_.startDate, Some(new Date())).getOrFail(""))(_ => setStatus())
-        } yield updated
-
-      case _ => Failure(new Exception(s"Invalid TaskStatus $s for update"))
+        setStatus()
+          .when(task.startDate.isEmpty)(_.update(_.startDate, Some(new Date())))
+          .getOrFail("Task")
+          .when(task.assignee.isEmpty) { updatedTask =>
+            for {
+              t        <- updatedTask
+              assignee <- userSrv.current.getOrFail("User")
+              _        <- assign(t, assignee)
+            } yield t
+          }
+      case _ => Failure(new Exception(s"Invalid TaskStatus $status for update"))
     }
   }
 
   def assign(task: Task with Entity, user: User with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
-    get(task).unassign()
+    get(task).update(_.assignee, Some(user.login)).outE[TaskUser].remove()
     for {
       _ <- taskUserSrv.create(TaskUser(), task, user)
       _ <- auditSrv.task.update(task, Json.obj("assignee" -> user.login))
@@ -136,28 +145,35 @@ object TaskOps {
   implicit class TaskOpsDefs(traversal: Traversal.V[Task]) {
 
     def get(idOrName: EntityIdOrName): Traversal.V[Task] =
-      idOrName.fold(traversal.getByIds(_), _ => traversal.limit(0))
+      idOrName.fold(traversal.getByIds(_), _ => traversal.empty)
 
-    def visible(implicit authContext: AuthContext): Traversal.V[Task] =
-      traversal.filter(_.organisations.current)
+    def visible(organisationSrv: OrganisationSrv)(implicit authContext: AuthContext): Traversal.V[Task] =
+      traversal.has(_.organisationIds, organisationSrv.currentId(traversal.graph, authContext))
 
-    def active: Traversal.V[Task] = traversal.filterNot(_.has(_.status, TaskStatus.Cancel))
+    def assignTo(login: String): Traversal.V[Task] = traversal.has(_.assignee, login)
+
+    def relatedTo(caseId: EntityId): Traversal.V[Task] =
+      traversal.has(_.relatedId, caseId)
+
+    def inOrganisation(organisationId: EntityId): Traversal.V[Task] =
+      traversal.has(_.organisationIds, organisationId)
+
+    def active: Traversal.V[Task] = traversal.hasNot(_.status, TaskStatus.Cancel)
 
     def can(permission: Permission)(implicit authContext: AuthContext): Traversal.V[Task] =
       if (authContext.permissions.contains(permission))
-        traversal.filter(_.taskToShares.filter(_.profile.has(_.permissions, permission)).organisation.current)
+        traversal.filter(_.shares.filter(_.profile.has(_.permissions, permission)).organisation.current)
       else
-        traversal.limit(0)
+        traversal.empty
+
+    def inCase: Traversal.V[Task] = traversal.filter(_.inE[ShareTask])
 
     def `case`: Traversal.V[Case] = traversal.in[ShareTask].out[ShareCase].dedup.v[Case]
 
     def caseTemplate: Traversal.V[CaseTemplate] = traversal.in[CaseTemplateTask].v[CaseTemplate]
 
-    def caseTasks: Traversal.V[Task] = traversal.filter(_.inE[ShareTask]).v[Task]
-
-    def caseTemplateTasks: Traversal.V[Task] = traversal.filter(_.inE[CaseTemplateTask]).v[Task]
-
-    def logs: Traversal.V[Log] = traversal.out[TaskLog].v[Log]
+    def logs: Traversal.V[Log] = //traversal.out[TaskLog].v[Log]
+      traversal.graph.V()(Model.vertex[Log]).has(_.taskId, P.within(traversal._id.toSeq: _*))
 
     def assignee: Traversal.V[User] = traversal.out[TaskUser].v[User]
 
@@ -166,9 +182,9 @@ object TaskOps {
     def organisations: Traversal.V[Organisation] = traversal.in[ShareTask].in[OrganisationShare].v[Organisation]
 
     def organisations(permission: Permission): Traversal.V[Organisation] =
-      taskToShares.filter(_.profile.has(_.permissions, permission)).organisation
+      shares.filter(_.profile.has(_.permissions, permission)).organisation
 
-    def origin: Traversal.V[Organisation] = taskToShares.has(_.owner, true).organisation
+    def origin: Traversal.V[Organisation] = shares.has(_.owner, true).organisation
 
     def assignableUsers(implicit authContext: AuthContext): Traversal.V[User] =
       organisations(Permissions.manageTask)
@@ -176,6 +192,9 @@ object TaskOps {
         .users(Permissions.manageTask)
         .dedup
 
+    def isShared: Traversal[Boolean, Boolean, Identity[Boolean]] =
+      traversal.choose(_.inE[ShareTask].count.is(P.gt(1)), true, false)
+
     def actionRequired(implicit authContext: AuthContext): Traversal[Boolean, JBoolean, Converter[Boolean, JBoolean]] =
       traversal.inE[ShareTask].filter(_.outV.v[Share].organisation.current).value(_.actionRequired)
 
@@ -190,25 +209,11 @@ object TaskOps {
             .byValue(_.actionRequired)
         )
 
-    def richTask: Traversal[RichTask, JMap[String, Any], Converter[RichTask, JMap[String, Any]]] =
-      traversal
-        .project(
-          _.by
-            .by(_.out[TaskUser].v[User].fold)
-        )
-        .domainMap {
-          case (task, user) => RichTask(task, user.headOption)
-        }
+    def richTask: Traversal[RichTask, Vertex, Converter[RichTask, Vertex]] =
+      traversal.identity.domainMap(RichTask) // FIXME add actionRequired ?
 
-    def richTaskWithoutActionRequired: Traversal[RichTask, JMap[String, Any], Converter[RichTask, JMap[String, Any]]] =
-      traversal
-        .project(
-          _.by
-            .by(_.out[TaskUser].v[User].fold)
-        )
-        .domainMap {
-          case (task, user) => RichTask(task, user.headOption)
-        }
+    def richTaskWithoutActionRequired: Traversal[RichTask, Vertex, Converter[RichTask, Vertex]] =
+      traversal.identity.domainMap(RichTask)
 
     def richTaskWithCustomRenderer[D, G, C <: Converter[D, G]](
         entityRenderer: Traversal.V[Task] => Traversal[D, G, C]
@@ -216,17 +221,14 @@ object TaskOps {
       traversal
         .project(
           _.by
-            .by(_.assignee.fold)
             .by(entityRenderer)
         )
         .domainMap {
-          case (task, user, renderedEntity) =>
-            RichTask(task, user.headOption) -> renderedEntity
+          case (task, renderedEntity) =>
+            RichTask(task) -> renderedEntity
         }
 
-    def unassign(): Unit = traversal.outE[TaskUser].remove()
-
-    def taskToShares: Traversal.V[Share] = traversal.in[ShareTask].v[Share]
+    def shares: Traversal.V[Share] = traversal.in[ShareTask].v[Share]
 
     def share(implicit authContext: AuthContext): Traversal.V[Share] = share(authContext.organisation)
 
diff --git a/thehive/app/org/thp/thehive/services/TaxonomySrv.scala b/thehive/app/org/thp/thehive/services/TaxonomySrv.scala
new file mode 100644
index 0000000000..dd7929c1aa
--- /dev/null
+++ b/thehive/app/org/thp/thehive/services/TaxonomySrv.scala
@@ -0,0 +1,157 @@
+package org.thp.thehive.services
+
+import org.apache.tinkerpop.gremlin.process.traversal.TextP
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.services.{EdgeSrv, VertexSrv}
+import org.thp.scalligraph.traversal.Converter.Identity
+import org.thp.scalligraph.traversal.TraversalOps.TraversalOpsDefs
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.utils.FunctionalCondition.When
+import org.thp.scalligraph.{BadRequestError, EntityId, EntityIdOrName, RichSeq}
+import org.thp.thehive.models._
+import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.TagOps._
+import org.thp.thehive.services.TaxonomyOps._
+
+import java.util.{Map => JMap}
+import javax.inject.{Inject, Singleton}
+import scala.util.{Failure, Success, Try}
+
+@Singleton
+class TaxonomySrv @Inject() (organisationSrv: OrganisationSrv, tagSrv: TagSrv) extends VertexSrv[Taxonomy] {
+
+  val taxonomyTagSrv          = new EdgeSrv[TaxonomyTag, Taxonomy, Tag]
+  val organisationTaxonomySrv = new EdgeSrv[OrganisationTaxonomy, Organisation, Taxonomy]
+
+  def create(taxo: Taxonomy, tags: Seq[Tag with Entity])(implicit graph: Graph, authContext: AuthContext): Try[RichTaxonomy] =
+    for {
+      taxonomy     <- createEntity(taxo)
+      _            <- tags.toTry(t => taxonomyTagSrv.create(TaxonomyTag(), taxonomy, t))
+      richTaxonomy <- Try(RichTaxonomy(taxonomy, tags))
+    } yield richTaxonomy
+
+  def createFreetagTaxonomy(organisation: Organisation with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Taxonomy with Entity] = {
+    val customTaxo = Taxonomy(s"_freetags_${organisation._id.value}", "Custom taxonomy", 1)
+    for {
+      taxonomy <- createEntity(customTaxo)
+      _        <- organisationTaxonomySrv.create(OrganisationTaxonomy(), organisation, taxonomy)
+    } yield taxonomy
+  }
+
+  def getFreetagTaxonomy(implicit graph: Graph, authContext: AuthContext): Try[Taxonomy with Entity] =
+    getByName(s"_freetags_${organisationSrv.currentId.value}")
+      .getOrFail("FreetagTaxonomy")
+      .orElse {
+        organisationSrv.current.notAdmin.getOrFail("Organisation").flatMap(createFreetagTaxonomy)
+      }
+
+  override def getByName(name: String)(implicit graph: Graph): Traversal.V[Taxonomy] =
+    startTraversal.getByNamespace(name)
+
+  def update(taxonomy: Taxonomy with Entity, input: Taxonomy)(implicit graph: Graph): Try[RichTaxonomy] =
+    for {
+      updatedTaxonomy <-
+        get(taxonomy)
+          .when(taxonomy.namespace != input.namespace)(_.update(_.namespace, input.namespace))
+          .when(taxonomy.description != input.description)(_.update(_.description, input.description))
+          .when(taxonomy.version != input.version)(_.update(_.version, input.version))
+          .richTaxonomy
+          .getOrFail("Taxonomy")
+    } yield updatedTaxonomy
+
+  def updateOrCreateTag(namespace: String, t: Tag)(implicit graph: Graph, authContext: AuthContext): Try[Tag with Entity] =
+    if (getByName(namespace).doesTagExists(t))
+      for {
+        tag        <- tagSrv.getTag(t).getOrFail("Tag")
+        updatedTag <- tagSrv.update(tag, t)
+      } yield updatedTag
+    else
+      for {
+        tag  <- tagSrv.create(t)
+        taxo <- getByName(namespace).getOrFail("Taxonomy")
+        _    <- taxonomyTagSrv.create(TaxonomyTag(), taxo, tag)
+      } yield tag
+
+  def activate(taxonomyId: EntityIdOrName)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
+    for {
+      taxo <- get(taxonomyId).getOrFail("Taxonomy")
+      _ <-
+        if (taxo.namespace.startsWith("_freetags")) Failure(BadRequestError("Cannot activate a freetags taxonomy"))
+        else Success(())
+      _ <-
+        organisationSrv
+          .startTraversal
+          .filterNot(_.out[OrganisationTaxonomy].v[Taxonomy].has(_.namespace, taxo.namespace))
+          .toSeq
+          .toTry(o => organisationTaxonomySrv.create(OrganisationTaxonomy(), o, taxo))
+    } yield ()
+
+  def deactivate(taxonomyId: EntityIdOrName)(implicit graph: Graph): Try[Unit] =
+    for {
+      taxo <- getOrFail(taxonomyId)
+      _ <-
+        if (taxo.namespace.startsWith("_freetags")) Failure(BadRequestError("Cannot deactivate a freetags taxonomy"))
+        else Success(())
+    } yield get(taxonomyId).inE[OrganisationTaxonomy].remove()
+
+}
+
+object TaxonomyOps {
+  implicit class TaxonomyOpsDefs(traversal: Traversal.V[Taxonomy]) {
+
+    def get(idOrName: EntityId): Traversal.V[Taxonomy] =
+      idOrName.fold(traversal.getByIds(_), getByNamespace)
+
+    def getByNamespace(namespace: String): Traversal.V[Taxonomy] = traversal.has(_.namespace, namespace)
+
+    def visible(implicit authContext: AuthContext): Traversal.V[Taxonomy] =
+      if (authContext.isPermitted(Permissions.manageTaxonomy))
+        noFreetags
+      else
+        noFreetags.filter(_.organisations.get(authContext.organisation))
+
+    def noFreetags: Traversal.V[Taxonomy] =
+      traversal.hasNot(_.namespace, TextP.startingWith("_freetags"))
+
+    def freetags: Traversal.V[Taxonomy] =
+      traversal.has(_.namespace, TextP.startingWith("_freetags"))
+
+    def alreadyImported(namespace: String): Boolean =
+      traversal.getByNamespace(namespace).exists
+
+    def organisations: Traversal.V[Organisation] = traversal.in[OrganisationTaxonomy].v[Organisation]
+
+    def enabled: Traversal[Boolean, Boolean, Identity[Boolean]] =
+      traversal.choose(_.organisations, true, false)
+
+    def tags: Traversal.V[Tag] = traversal.out[TaxonomyTag].v[Tag]
+
+    def doesTagExists(tag: Tag): Boolean = traversal.tags.getTag(tag).exists
+
+    def richTaxonomy: Traversal[RichTaxonomy, JMap[String, Any], Converter[RichTaxonomy, JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.tags.fold)
+        )
+        .domainMap { case (taxonomy, tags) => RichTaxonomy(taxonomy, tags) }
+
+    def richTaxonomyWithCustomRenderer[D, G, C <: Converter[D, G]](
+        entityRenderer: Traversal.V[Taxonomy] => Traversal[D, G, C]
+    ): Traversal[(RichTaxonomy, D), JMap[String, Any], Converter[(RichTaxonomy, D), JMap[String, Any]]] =
+      traversal
+        .project(
+          _.by
+            .by(_.tags.fold)
+            .by(entityRenderer)
+        )
+        .domainMap {
+          case (taxo, tags, renderedEntity) =>
+            RichTaxonomy(
+              taxo,
+              tags
+            ) -> renderedEntity
+        }
+  }
+}
diff --git a/thehive/app/org/thp/thehive/services/UserSrv.scala b/thehive/app/org/thp/thehive/services/UserSrv.scala
index b236698813..dcf8255262 100644
--- a/thehive/app/org/thp/thehive/services/UserSrv.scala
+++ b/thehive/app/org/thp/thehive/services/UserSrv.scala
@@ -1,12 +1,8 @@
 package org.thp.thehive.services
 
-import java.util.regex.Pattern
-import java.util.{List => JList, Map => JMap}
-
 import akka.actor.ActorRef
-import javax.inject.{Inject, Named, Singleton}
 import org.apache.tinkerpop.gremlin.process.traversal.Order
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
+import org.apache.tinkerpop.gremlin.structure.Vertex
 import org.thp.scalligraph.auth.{AuthContext, AuthContextImpl, Permission}
 import org.thp.scalligraph.controllers.FFile
 import org.thp.scalligraph.models._
@@ -14,8 +10,8 @@ import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.services._
 import org.thp.scalligraph.traversal.Converter.CList
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, Traversal}
-import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntityIdOrName, EntityName, InternalError, RichOptionTry}
+import org.thp.scalligraph.traversal.{Converter, Graph, Traversal}
+import org.thp.scalligraph.{AuthorizationError, BadRequestError, EntityIdOrName, EntityName, RichOptionTry}
 import org.thp.thehive.controllers.v1.Conversion._
 import org.thp.thehive.models._
 import org.thp.thehive.services.OrganisationOps._
@@ -25,6 +21,9 @@ import org.thp.thehive.services.UserOps._
 import play.api.Configuration
 import play.api.libs.json.{JsObject, Json}
 
+import java.util.regex.Pattern
+import java.util.{List => JList, Map => JMap}
+import javax.inject.{Inject, Named, Singleton}
 import scala.util.{Failure, Success, Try}
 
 @Singleton
@@ -33,19 +32,13 @@ class UserSrv @Inject() (
     roleSrv: RoleSrv,
     auditSrv: AuditSrv,
     attachmentSrv: AttachmentSrv,
-    @Named("integrity-check-actor") integrityCheckActor: ActorRef,
-    @Named("with-thehive-schema") implicit val db: Database
+    @Named("integrity-check-actor") integrityCheckActor: ActorRef
 ) extends VertexSrv[User] {
   val defaultUserDomain: Option[String] = configuration.getOptional[String]("auth.defaultUserDomain")
   val fullUserNameRegex: Pattern        = "[\\p{Graph}&&[^@.]](?:[\\p{Graph}&&[^@]]*)*@\\p{Alnum}+(?:[\\p{Alnum}-.])*".r.pattern
 
   val userAttachmentSrv = new EdgeSrv[UserAttachment, User, Attachment]
 
-  override def createEntity(e: User)(implicit graph: Graph, authContext: AuthContext): Try[User with Entity] = {
-    integrityCheckActor ! EntityAdded("User")
-    super.createEntity(e)
-  }
-
   def checkUser(user: User): Try[User] = {
     val login =
       if (!user.login.contains('@') && defaultUserDomain.isDefined) s"${user.login}@${defaultUserDomain.get}".toLowerCase
@@ -64,6 +57,7 @@ class UserSrv @Inject() (
        roleSrv.create(user, organisation, profile)
      else
        Success(())).flatMap { _ =>
+      integrityCheckActor ! EntityAdded("User")
       for {
         richUser <- get(user).richUser(authContext, organisation._id).getOrFail("User")
         _        <- auditSrv.user.create(user, richUser.toJson)
@@ -93,7 +87,7 @@ class UserSrv @Inject() (
 
   def delete(user: User with Entity, organisation: Organisation with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Unit] = {
     if (get(user).organisations.filterNot(_.get(organisation._id)).exists)
-      get(user).role.filterNot(_.organisation.get(organisation._id)).remove()
+      get(user).role.filter(_.organisation.get(organisation._id)).remove()
     else {
       get(user).role.remove()
       get(user).remove()
@@ -177,7 +171,7 @@ object UserOps {
 
     def isNotLocked: Traversal.V[User] = traversal.has(_.locked, false)
 
-    def can(requiredPermission: Permission)(implicit authContext: AuthContext, db: Database): Traversal.V[User] =
+    def can(requiredPermission: Permission)(implicit authContext: AuthContext): Traversal.V[User] =
       traversal.filter(_.organisations(requiredPermission).get(authContext.organisation))
 
     def getByAPIKey(key: String): Traversal.V[User] = traversal.has(_.apikey, key).v[User]
@@ -187,19 +181,20 @@ object UserOps {
     protected def organisations0(requiredPermission: Permission): Traversal.V[Organisation] =
       role.filter(_.profile.has(_.permissions, requiredPermission)).organisation
 
-    def organisations(requiredPermission: Permission)(implicit db: Database): Traversal.V[Organisation] = {
+    def organisations(requiredPermission: Permission): Traversal.V[Organisation] = {
       val isInAdminOrganisation = traversal.clone().organisations0(requiredPermission).getByName(Organisation.administration.name).exists
-      if (isInAdminOrganisation) db.labelFilter("Organisation")(traversal.V()).v[Organisation]
+      if (isInAdminOrganisation) traversal.graph.V[Organisation]()
       else organisations0(requiredPermission)
     }
 
-    def organisationWithRole: Traversal[Seq[(String, String)], JList[JMap[String, Any]], CList[(String, String), JMap[String, Any], Converter[
-      (String, String),
-      JMap[String, Any]
-    ]]] =
+    def organisationWithRole: Traversal[Seq[(Organisation with Entity, String)], JList[JMap[String, Any]], CList[
+      (Organisation with Entity, String),
+      JMap[String, Any],
+      Converter[(Organisation with Entity, String), JMap[String, Any]]
+    ]] =
       role
         .project(
-          _.by(_.organisation.value(_.name))
+          _.by(_.organisation)
             .by(_.profile.value(_.name))
         )
         .fold
@@ -260,12 +255,11 @@ object UserOps {
       traversal
         .project(
           _.by
-            .by(_.avatar.fold)
+            .by(_.avatar.value(_.attachmentId).option)
             .by(_.role.project(_.by(_.profile).by(_.organisation.visible(authContext).project(_.by(_._id).byValue(_.name)).fold)).fold)
         )
         .domainMap {
-          case (user, attachment, profileOrganisations) =>
-            val avatar = attachment.headOption.map(_.attachmentId)
+          case (user, avatar, profileOrganisations) =>
             organisation
               .fold(id => profileOrganisations.find(_._2.exists(_._1 == id)), name => profileOrganisations.find(_._2.exists(_._2 == name)))
               .orElse(profileOrganisations.headOption)
@@ -275,27 +269,6 @@ object UserOps {
               }
         }
 
-    /*
-    def richUser(organisationId: EntityId): Traversal[RichUser, JMap[String, Any], Converter[RichUser, JMap[String, Any]]] =
-      traversal
-        .project(
-          _.by
-            .by(_.profile(organisation).fold)
-            .by(_.avatar.fold)
-        )
-        .domainMap {
-          case (user, profiles, attachment) =>
-            RichUser(
-              user,
-              attachment.headOption.map(_.attachmentId),
-              profiles.headOption.fold("")(_.name),
-              profiles.headOption.fold(Set.empty[Permission])(_.permissions),
-              organisation
-            )
-        }
-
-     */
-
     def richUserWithCustomRenderer[D, G, C <: Converter[D, G]](
         organisation: EntityIdOrName,
         entityRenderer: Traversal.V[User] => Traversal[D, G, C]
@@ -303,18 +276,17 @@ object UserOps {
       traversal
         .project(
           _.by
-            .by(_.avatar.fold)
+            .by(_.avatar.value(_.attachmentId).option)
             .by(_.role.project(_.by(_.profile).by(_.organisation.visible.project(_.by(_._id).byValue(_.name)).fold)).fold)
             .by(entityRenderer)
         )
         .domainMap {
-          case (user, attachment, profileOrganisations, renderedEntity) =>
+          case (user, avatar, profileOrganisations, renderedEntity) =>
             organisation
               .fold(id => profileOrganisations.find(_._2.exists(_._1 == id)), name => profileOrganisations.find(_._2.exists(_._2 == name)))
               .orElse(profileOrganisations.headOption)
-              .fold(throw InternalError(s"")) { // FIXME
+              .fold(RichUser(user, avatar, Profile.admin.name, Set.empty, "no org") -> renderedEntity) { // fake user (probably "system")
                 case (profile, organisationIdAndName) =>
-                  val avatar = attachment.headOption.map(_.attachmentId)
                   RichUser(user, avatar, profile.name, profile.permissions, organisationIdAndName.headOption.fold("***")(_._2)) -> renderedEntity
               }
         }
@@ -338,7 +310,7 @@ object UserOps {
 
 @Singleton
 class UserIntegrityCheckOps @Inject() (
-    @Named("with-thehive-schema") val db: Database,
+    val db: Database,
     val service: UserSrv,
     profileSrv: ProfileSrv,
     organisationSrv: OrganisationSrv,
@@ -364,19 +336,26 @@ class UserIntegrityCheckOps @Inject() (
     ()
   }
 
-  override def check(): Unit = {
-    super.check()
+  override def duplicationCheck(): Map[String, Long] = {
+    super.duplicationCheck()
     db.tryTransaction { implicit graph =>
-      duplicateInEdges[TaskUser](service.startTraversal).flatMap(firstCreatedElement(_)).foreach(e => removeEdges(e._2))
-      duplicateInEdges[CaseUser](service.startTraversal).flatMap(firstCreatedElement(_)).foreach(e => removeEdges(e._2))
-      duplicateLinks[Vertex, Vertex](
+      val duplicateTaskAssignments =
+        duplicateInEdges[TaskUser](service.startTraversal).flatMap(firstCreatedElement(_)).map(e => removeEdges(e._2)).size.toLong
+      val duplicateCaseAssignments =
+        duplicateInEdges[CaseUser](service.startTraversal).flatMap(firstCreatedElement(_)).map(e => removeEdges(e._2)).size.toLong
+      val duplicateUsers = duplicateLinks[Vertex, Vertex](
         service.startTraversal,
         (_.out("UserRole"), _.in("UserRole")),
         (_.out("RoleOrganisation"), _.in("RoleOrganisation"))
-      ).flatMap(firstCreatedElement(_)).foreach(e => removeVertices(e._2))
-      Success(())
-    }
-    ()
+      ).flatMap(firstCreatedElement(_)).map(e => removeVertices(e._2)).size.toLong
+      Success(
+        Map(
+          "duplicateTaskAssignments" -> duplicateTaskAssignments,
+          "duplicateCaseAssignments" -> duplicateCaseAssignments,
+          "duplicateUsers"           -> duplicateUsers
+        )
+      )
+    }.getOrElse(Map("globalFailure" -> 1L))
   }
 
   override def resolve(entities: Seq[User with Entity])(implicit graph: Graph): Try[Unit] = {
@@ -387,4 +366,6 @@ class UserIntegrityCheckOps @Inject() (
     }
     Success(())
   }
+
+  override def globalCheck(): Map[String, Long] = Map.empty
 }
diff --git a/thehive/app/org/thp/thehive/services/notification/NotificationActor.scala b/thehive/app/org/thp/thehive/services/notification/NotificationActor.scala
index 390ba0fdaa..8563d2c3f3 100644
--- a/thehive/app/org/thp/thehive/services/notification/NotificationActor.scala
+++ b/thehive/app/org/thp/thehive/services/notification/NotificationActor.scala
@@ -2,10 +2,9 @@ package org.thp.thehive.services.notification
 
 import akka.actor.{Actor, ActorIdentity, Identify}
 import akka.util.Timeout
-import javax.inject.{Inject, Named}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.{Database, Entity, Schema}
 import org.thp.scalligraph.services.EventSrv
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{BadConfigurationError, EntityId}
 import org.thp.thehive.models.{Audit, Organisation, User}
@@ -19,6 +18,7 @@ import play.api.cache.SyncCacheApi
 import play.api.libs.json.{Format, JsValue, Json}
 import play.api.{Configuration, Logger}
 
+import javax.inject.Inject
 import scala.collection.immutable
 import scala.concurrent.Future
 import scala.concurrent.duration.DurationInt
@@ -82,7 +82,7 @@ class NotificationActor @Inject() (
     userSrv: UserSrv,
     notificationSrv: NotificationSrv,
     cache: SyncCacheApi,
-    @Named("with-thehive-schema") implicit val db: Database,
+    implicit val db: Database,
     implicit val schema: Schema
 ) extends Actor {
   import context.dispatcher
diff --git a/thehive/app/org/thp/thehive/services/notification/NotificationSerializer.scala b/thehive/app/org/thp/thehive/services/notification/NotificationSerializer.scala
index 6a6a578708..271cbddf93 100644
--- a/thehive/app/org/thp/thehive/services/notification/NotificationSerializer.scala
+++ b/thehive/app/org/thp/thehive/services/notification/NotificationSerializer.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.services.notification
 
-import java.io.NotSerializableException
-
 import akka.serialization.Serializer
 import play.api.libs.json.Json
 
+import java.io.NotSerializableException
+
 class NotificationSerializer extends Serializer {
   override def identifier: Int = 226591536
 
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/AppendToFile.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/AppendToFile.scala
index 52ae69a9f8..957dff11db 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/AppendToFile.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/AppendToFile.scala
@@ -1,15 +1,14 @@
 package org.thp.thehive.services.notification.notifiers
 
-import java.nio.charset.Charset
-import java.nio.file.{Files, Paths, StandardOpenOption}
-
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.{Entity, Schema}
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.Configuration
 
+import java.nio.charset.Charset
+import java.nio.file.{Files, Paths, StandardOpenOption}
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.Try
 
@@ -42,8 +41,8 @@ class AppendToFile(filename: String, template: String, charset: Charset, baseUrl
       `object`: Option[Entity],
       organisation: Organisation with Entity,
       user: Option[User with Entity]
-  )(
-      implicit graph: Graph
+  )(implicit
+      graph: Graph
   ): Future[Unit] =
     buildMessage(template, audit, context, `object`, user, baseUrl).fold(
       Future.failed[Unit],
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Emailer.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Emailer.scala
index e49c69be06..914bdd3316 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/Emailer.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/Emailer.scala
@@ -1,13 +1,13 @@
 package org.thp.thehive.services.notification.notifiers
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.{Entity, Schema}
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.libs.mailer.{Email, MailerClient}
 import play.api.{Configuration, Logger}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Success, Try}
 
@@ -54,8 +54,8 @@ class Emailer(
       `object`: Option[Entity],
       organisation: Organisation with Entity,
       user: Option[User with Entity]
-  )(
-      implicit graph: Graph
+  )(implicit
+      graph: Graph
   ): Future[Unit] =
     user.fold(Future.successful(logger.warn(s"Email can't be sent to an organisation"))) { u =>
       buildMessage(template, audit, context, `object`, user, baseUrl)
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Mattermost.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Mattermost.scala
index 97b6309158..6c1d5458a7 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/Mattermost.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/Mattermost.scala
@@ -1,16 +1,16 @@
 package org.thp.thehive.services.notification.notifiers
 
 import akka.stream.Materializer
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.client.{ProxyWS, ProxyWSConfig}
 import org.thp.scalligraph.models.{Entity, Schema}
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.libs.json.{Json, Reads, Writes}
 import play.api.libs.ws.WSClient
 import play.api.{Configuration, Logger}
 
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Success, Try}
 
@@ -69,13 +69,14 @@ class Mattermost(ws: WSClient, mattermostNotification: MattermostNotification, b
       `object`: Option[Entity],
       organisation: Organisation with Entity,
       user: Option[User with Entity]
-  )(
-      implicit graph: Graph
+  )(implicit
+      graph: Graph
   ): Future[Unit] =
     for {
       finalMessage <- Future.fromTry(buildMessage(mattermostNotification.text, audit, context, `object`, user, baseUrl))
-      _ <- ws
-        .url(mattermostNotification.url)
-        .post(Json.toJson(mattermostNotification.copy(text = finalMessage)))
+      _ <-
+        ws
+          .url(mattermostNotification.url)
+          .post(Json.toJson(mattermostNotification.copy(text = finalMessage)))
     } yield ()
 }
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Notifier.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Notifier.scala
index 59f4cdb569..71a8a14229 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/Notifier.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/Notifier.scala
@@ -1,8 +1,8 @@
 package org.thp.thehive.services.notification.notifiers
 
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.BadConfigurationError
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.{ConfigLoader, Configuration}
 
@@ -19,8 +19,8 @@ trait Notifier {
       `object`: Option[Entity],
       organisation: Organisation with Entity,
       user: Option[User with Entity]
-  )(
-      implicit graph: Graph
+  )(implicit
+      graph: Graph
   ): Future[Unit]
 
 }
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Template.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Template.scala
index 1ad397e682..84710738a2 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/Template.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/Template.scala
@@ -1,12 +1,11 @@
 package org.thp.thehive.services.notification.notifiers
 
-import java.util.{HashMap => JHashMap}
-
 import com.github.jknack.handlebars.Handlebars
 import com.github.jknack.handlebars.helper.ConditionalHelpers
 import org.thp.scalligraph.models.{Entity, Schema}
 import org.thp.thehive.models.{Audit, User}
 
+import java.util.{HashMap => JHashMap}
 import scala.collection.JavaConverters._
 import scala.util.Try
 
diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala
index f88bca8aeb..69db24a794 100644
--- a/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala
+++ b/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala
@@ -1,15 +1,12 @@
 package org.thp.thehive.services.notification.notifiers
 
-import java.util.{Date, Map => JMap}
-
 import akka.stream.Materializer
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.{Graph, Vertex}
-import org.thp.client.{ProxyWS, ProxyWSConfig}
+import org.apache.tinkerpop.gremlin.structure.Vertex
+import org.thp.client.{Authentication, ProxyWS, ProxyWSConfig}
 import org.thp.scalligraph.models.{Entity, UMapping}
 import org.thp.scalligraph.services.config.{ApplicationConfig, ConfigItem}
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.traversal.{Converter, IdentityConverter, Traversal}
+import org.thp.scalligraph.traversal.{Converter, Graph, IdentityConverter, Traversal}
 import org.thp.scalligraph.{BadConfigurationError, EntityIdOrName}
 import org.thp.thehive.controllers.v0.AuditRenderer
 import org.thp.thehive.controllers.v0.Conversion.fromObjectType
@@ -25,6 +22,8 @@ import play.api.libs.json.Json.WithDefaultValues
 import play.api.libs.json._
 import play.api.{Configuration, Logger}
 
+import java.util.{Date, Map => JMap}
+import javax.inject.{Inject, Singleton}
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success, Try}
 
@@ -32,6 +31,7 @@ case class WebhookNotification(
     name: String,
     url: String,
     version: Int = 0,
+    auth: Authentication,
     wsConfig: ProxyWSConfig = ProxyWSConfig(),
     includedTheHiveOrganisations: Seq[String] = Seq("*"),
     excludedTheHiveOrganisations: Seq[String] = Nil
@@ -155,7 +155,7 @@ class Webhook(
       (_: Traversal.V[Audit])
         .coalesce(
           _.`object` //.out[Audited]
-            .choose(
+            .chooseValue(
               _.on(_.label)
                 .option("Case", t => caseToJson(t.v[Case]))
                 .option("Task", t => taskToJson(t.v[Task]))
@@ -260,7 +260,7 @@ class Webhook(
       val async = for {
         message <- Future.fromTry(buildMessage(config.version, audit))
         _ = logger.debug(s"Request webhook with message $message")
-        resp <- ws.url(config.url).post(message)
+        resp <- config.auth(ws.url(config.url)).post(message)
       } yield if (resp.status >= 400) logger.warn(s"Webhook call on ${config.url} returns ${resp.status} ${resp.statusText}") else ()
       async.andThen { case _ => ws.close() }
     }
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/AlertCreated.scala b/thehive/app/org/thp/thehive/services/notification/triggers/AlertCreated.scala
index eff157e25b..8253acd668 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/AlertCreated.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/AlertCreated.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
 import org.thp.thehive.models.Audit
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/AnyEvent.scala b/thehive/app/org/thp/thehive/services/notification/triggers/AnyEvent.scala
index 8d50d82843..30697abc54 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/AnyEvent.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/AnyEvent.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.Singleton
 import org.thp.scalligraph.models.Entity
 import org.thp.thehive.models.{Audit, Organisation}
 import play.api.Configuration
 
+import javax.inject.Singleton
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/CaseCreated.scala b/thehive/app/org/thp/thehive/services/notification/triggers/CaseCreated.scala
index 484b530d52..c6eddc6201 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/CaseCreated.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/CaseCreated.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/CaseShared.scala b/thehive/app/org/thp/thehive/services/notification/triggers/CaseShared.scala
index d439e38554..97cd77253b 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/CaseShared.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/CaseShared.scala
@@ -1,11 +1,11 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
 import org.thp.scalligraph.models.Entity
 import org.thp.thehive.models.{Audit, Organisation}
 import play.api.Configuration
 import play.api.libs.json.Json
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/FilteredEvent.scala b/thehive/app/org/thp/thehive/services/notification/triggers/FilteredEvent.scala
index 7328a31e5f..791ab10841 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/FilteredEvent.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/FilteredEvent.scala
@@ -1,15 +1,15 @@
 package org.thp.thehive.services.notification.triggers
 
 import com.typesafe.config.ConfigRenderOptions
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.Configuration
 import play.api.libs.functional.syntax._
 import play.api.libs.json.Reads._
 import play.api.libs.json._
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 object EventFilterOnMissingUser extends Exception
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/GlobalTrigger.scala b/thehive/app/org/thp/thehive/services/notification/triggers/GlobalTrigger.scala
index e728493570..c399a67971 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/GlobalTrigger.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/GlobalTrigger.scala
@@ -1,7 +1,7 @@
 package org.thp.thehive.services.notification.triggers
 
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 
 trait GlobalTrigger extends Trigger {
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/JobFinished.scala b/thehive/app/org/thp/thehive/services/notification/triggers/JobFinished.scala
index 83719ec413..51d1d784d5 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/JobFinished.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/JobFinished.scala
@@ -1,9 +1,9 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
 import org.thp.thehive.models.Audit
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/LogInMyTask.scala b/thehive/app/org/thp/thehive/services/notification/triggers/LogInMyTask.scala
index c98751d464..a7a28e96d0 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/LogInMyTask.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/LogInMyTask.scala
@@ -1,9 +1,8 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.EntityId
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.models.{Audit, Organisation, User}
 import org.thp.thehive.services.LogOps._
@@ -11,6 +10,7 @@ import org.thp.thehive.services.LogSrv
 import org.thp.thehive.services.TaskOps._
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/TaskAssigned.scala b/thehive/app/org/thp/thehive/services/notification/triggers/TaskAssigned.scala
index 1ff4598baa..c7c79a6ca5 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/TaskAssigned.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/TaskAssigned.scala
@@ -1,9 +1,8 @@
 package org.thp.thehive.services.notification.triggers
 
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.EntityId
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.models.{Audit, Organisation, User}
 import org.thp.thehive.services.TaskOps._
@@ -11,6 +10,7 @@ import org.thp.thehive.services.TaskSrv
 import org.thp.thehive.services.UserOps._
 import play.api.Configuration
 
+import javax.inject.{Inject, Singleton}
 import scala.util.{Success, Try}
 
 @Singleton
diff --git a/thehive/app/org/thp/thehive/services/notification/triggers/Trigger.scala b/thehive/app/org/thp/thehive/services/notification/triggers/Trigger.scala
index 2224dd846f..f47b660d02 100644
--- a/thehive/app/org/thp/thehive/services/notification/triggers/Trigger.scala
+++ b/thehive/app/org/thp/thehive/services/notification/triggers/Trigger.scala
@@ -1,8 +1,8 @@
 package org.thp.thehive.services.notification.triggers
 
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.thp.scalligraph.BadConfigurationError
 import org.thp.scalligraph.models.Entity
+import org.thp.scalligraph.traversal.Graph
 import org.thp.thehive.models.{Audit, Organisation, User}
 import play.api.{ConfigLoader, Configuration}
 
@@ -13,8 +13,8 @@ trait Trigger {
 
   def preFilter(audit: Audit with Entity, context: Option[Entity], organisation: Organisation with Entity): Boolean
 
-  def filter(audit: Audit with Entity, context: Option[Entity], organisation: Organisation with Entity, user: Option[User with Entity])(
-      implicit graph: Graph
+  def filter(audit: Audit with Entity, context: Option[Entity], organisation: Organisation with Entity, user: Option[User with Entity])(implicit
+      graph: Graph
   ): Boolean = user.fold(true)(!_.locked)
 
   override def toString: String = s"Trigger($name)"
diff --git a/thehive/app/org/thp/thehive/services/th3/Aggregation.scala b/thehive/app/org/thp/thehive/services/th3/Aggregation.scala
index ce0f320799..511da78b9d 100644
--- a/thehive/app/org/thp/thehive/services/th3/Aggregation.scala
+++ b/thehive/app/org/thp/thehive/services/th3/Aggregation.scala
@@ -1,21 +1,20 @@
 package org.thp.thehive.services.th3
 
-import java.lang.{Long => JLong}
-import java.time.temporal.ChronoUnit
-import java.util.{Calendar, Date, List => JList}
 import org.apache.tinkerpop.gremlin.process.traversal.Order
 import org.scalactic.Accumulation._
 import org.scalactic._
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers._
-import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.query.{Aggregation, InputQuery, PublicProperties}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.traversal._
 import org.thp.scalligraph.{BadRequestError, InvalidFormatAttributeError}
 import play.api.Logger
-import play.api.libs.json.{JsNull, JsNumber, JsObject, Json}
+import play.api.libs.json._
 
+import java.lang.{Long => JLong}
+import java.time.temporal.ChronoUnit
+import java.util.{Calendar, Date, List => JList}
 import scala.reflect.runtime.{universe => ru}
 import scala.util.Try
 import scala.util.matching.Regex
@@ -160,7 +159,6 @@ object TH3Aggregation {
 case class AggSum(aggName: Option[String], fieldName: String, filter: Option[InputQuery[Traversal.Unk, Traversal.Unk]])
     extends Aggregation(aggName.getOrElse(s"sum_$fieldName")) {
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -171,7 +169,7 @@ case class AggSum(aggName: Option[String], fieldName: String, filter: Option[Inp
       .get[Traversal.UnkD, Traversal.UnkDU](fieldPath, traversalType)
       .getOrElse(throw BadRequestError(s"Property $fieldName for type $traversalType not found"))
     filter
-      .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+      .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
       .coalesce(
         t =>
           property
@@ -187,7 +185,6 @@ case class AggSum(aggName: Option[String], fieldName: String, filter: Option[Inp
 case class AggAvg(aggName: Option[String], fieldName: String, filter: Option[InputQuery[Traversal.Unk, Traversal.Unk]])
     extends Aggregation(aggName.getOrElse(s"sum_$fieldName")) {
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -198,7 +195,7 @@ case class AggAvg(aggName: Option[String], fieldName: String, filter: Option[Inp
       .get[Traversal.UnkD, Traversal.UnkDU](fieldPath, traversalType)
       .getOrElse(throw BadRequestError(s"Property $fieldName for type $traversalType not found"))
     filter
-      .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+      .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
       .coalesce(
         t =>
           property
@@ -214,7 +211,6 @@ case class AggAvg(aggName: Option[String], fieldName: String, filter: Option[Inp
 case class AggMin(aggName: Option[String], fieldName: String, filter: Option[InputQuery[Traversal.Unk, Traversal.Unk]])
     extends Aggregation(aggName.getOrElse(s"min_$fieldName")) {
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -225,13 +221,13 @@ case class AggMin(aggName: Option[String], fieldName: String, filter: Option[Inp
       .get[Traversal.UnkD, Traversal.UnkDU](fieldPath, traversalType)
       .getOrElse(throw BadRequestError(s"Property $fieldName for type $traversalType not found"))
     filter
-      .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+      .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
       .coalesce(
         t =>
           property
             .select(fieldPath, t, authContext)
             .min
-            .domainMap(min => Output(Json.obj(name -> property.mapping.selectRenderer.toJson(min)))),
+            .domainMap(min => Output(Json.obj(name -> property.toJson(min)))),
         Output(Json.obj(name -> JsNull))
       )
   }
@@ -240,7 +236,6 @@ case class AggMin(aggName: Option[String], fieldName: String, filter: Option[Inp
 case class AggMax(aggName: Option[String], fieldName: String, filter: Option[InputQuery[Traversal.Unk, Traversal.Unk]])
     extends Aggregation(aggName.getOrElse(s"max_$fieldName")) {
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -251,13 +246,13 @@ case class AggMax(aggName: Option[String], fieldName: String, filter: Option[Inp
       .get[Traversal.UnkD, Traversal.UnkDU](fieldPath, traversalType)
       .getOrElse(throw BadRequestError(s"Property $fieldName for type $traversalType not found"))
     filter
-      .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+      .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
       .coalesce(
         t =>
           property
             .select(fieldPath, t, authContext)
             .max
-            .domainMap(max => Output(Json.obj(name -> property.mapping.selectRenderer.toJson(max)))),
+            .domainMap(max => Output(Json.obj(name -> property.toJson(max)))),
         Output(Json.obj(name -> JsNull))
       )
   }
@@ -266,14 +261,13 @@ case class AggMax(aggName: Option[String], fieldName: String, filter: Option[Inp
 case class AggCount(aggName: Option[String], filter: Option[InputQuery[Traversal.Unk, Traversal.Unk]])
     extends Aggregation(aggName.getOrElse("count")) {
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
       authContext: AuthContext
   ): Traversal.Domain[Output[_]] =
     filter
-      .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+      .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
       .count
       .domainMap(count => Output(Json.obj(name -> count)))
       .castDomain[Output[_]]
@@ -292,7 +286,6 @@ case class FieldAggregation(
   lazy val logger: Logger = Logger(getClass)
 
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -307,7 +300,7 @@ case class FieldAggregation(
       .select(
         fieldPath,
         filter
-          .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+          .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
           .as(label),
         authContext
       )
@@ -332,7 +325,7 @@ case class FieldAggregation(
         Traversal.UnkD,
         Traversal.UnkG
       ]]]) =>
-        s.by(t => agg.getTraversal(db, publicProperties, traversalType, t.unfold, authContext).castDomain[Output[_]])
+        s.by(t => agg.getTraversal(publicProperties, traversalType, t.unfold, authContext).castDomain[Output[_]])
     }
 
     sizedSortedAndGroupedVertex
@@ -353,7 +346,12 @@ case class FieldAggregation(
           )
       )
       .fold
-      .domainMap(kvs => Output(JsObject(kvs.map(kv => kv._1.toString -> kv._2.toJson))))
+      .domainMap(kvs =>
+        Output(JsObject(kvs.map {
+          case (JsString(k), v) => k          -> v.toJson
+          case (k, v)           => k.toString -> v.toJson
+        }))
+      )
       .castDomain[Output[_]]
   }
 }
@@ -403,7 +401,6 @@ case class TimeAggregation(
   def keyToDate(key: Long): Date = new Date(key)
 
   override def getTraversal(
-      db: Database,
       publicProperties: PublicProperties,
       traversalType: ru.Type,
       traversal: Traversal.Unk,
@@ -418,7 +415,7 @@ case class TimeAggregation(
       .select(
         fieldPath,
         filter
-          .fold(traversal)(_(db, publicProperties, traversalType, traversal, authContext))
+          .fold(traversal)(_(publicProperties, traversalType, traversal, authContext))
           .as(label),
         authContext
       )
@@ -432,7 +429,7 @@ case class TimeAggregation(
         JList[Traversal.UnkG],
         Converter.CList[Traversal.UnkD, Traversal.UnkG, Converter[Traversal.UnkD, Traversal.UnkG]]
       ]) =>
-        s.by(t => agg.getTraversal(db, publicProperties, traversalType, t.unfold, authContext).castDomain[Output[_]])
+        s.by(t => agg.getTraversal(publicProperties, traversalType, t.unfold, authContext).castDomain[Output[_]])
     }
 
     groupedVertex
diff --git a/thehive/conf/play/reference-overrides.conf b/thehive/conf/play/reference-overrides.conf
index afb748cb43..a4d40ea45d 100644
--- a/thehive/conf/play/reference-overrides.conf
+++ b/thehive/conf/play/reference-overrides.conf
@@ -22,7 +22,7 @@ akka.actor {
   serializers {
     stream = "org.thp.thehive.services.StreamSerializer"
     notification = "org.thp.thehive.services.notification.NotificationSerializer"
-    thehive-schema-updater = "org.thp.thehive.models.SchemaUpdaterSerializer"
+    //thehive-schema-updater = "org.thp.thehive.models.SchemaUpdaterSerializer"
     flow = "org.thp.thehive.services.FlowSerializer"
     integrity = "org.thp.thehive.services.IntegrityCheckSerializer"
   }
@@ -30,7 +30,7 @@ akka.actor {
   serialization-bindings {
     "org.thp.thehive.services.StreamMessage" = stream
     "org.thp.thehive.services.notification.NotificationMessage" = notification
-    "org.thp.thehive.models.SchemaUpdaterMessage" = thehive-schema-updater
+    //"org.thp.thehive.models.SchemaUpdaterMessage" = thehive-schema-updater
     "org.thp.thehive.services.FlowMessage" = flow
     "org.thp.thehive.services.IntegrityCheckMessage" = integrity
   }
diff --git a/thehive/conf/reference.conf b/thehive/conf/reference.conf
index cfab71532e..fd90ce7b82 100644
--- a/thehive/conf/reference.conf
+++ b/thehive/conf/reference.conf
@@ -1,12 +1,20 @@
 db {
   provider: janusgraph
-  janusgraph.index.search.directory: /tmp/thehive.idx
+  janusgraph {
+    index.search {
+      backend: lucene
+      directory: /opt/thp/thehive/index
+    }
+    storage {
+      directory: /opt/thp/thehive/database
+    }
+  }
   initialisationTimeout: 1 hour
 }
 
 storage {
   provider: localfs
-  localfs.directory: /data/thehive
+  localfs.directory: /opt/thp/thehive/files
 }
 
 flow.maxAge: 1 day
@@ -53,11 +61,7 @@ stream {
   }
 }
 
-tags {
-  autocreate: true
-  defaultNamespace: "_autocreate"
-  defaultColour: "#000000"
-}
+tags.freeTagColour: "#000000"
 
 user {
   defaults {
@@ -84,6 +88,8 @@ play.mailer {
 
 application.baseUrl: "http://localhost"
 
+monitor.disk: []
+
 notification {
   webhook {
     endpoints: []
@@ -127,54 +133,67 @@ integrityCheck {
   default {
     initialDelay: 1 minute
     interval: 10 minutes
+    globalInterval: 6 hours
   }
-  profile {
+  Profile {
     initialDelay: 10 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  organisation {
+  Organisation {
     initialDelay: 30 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  tag {
+  Tag {
     initialDelay: 5 minute
     interval: 30 minutes
+    globalInterval: 6 hours
   }
-  user {
+  User {
     initialDelay: 30 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  impactStatus {
+  ImpactStatus {
     initialDelay: 30 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  resolutionStatus {
+  ResolutionStatus {
     initialDelay: 30 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  observableType {
+  ObservableType {
     initialDelay: 30 seconds
     interval: 1 minutes
+    globalInterval: 6 hours
   }
-  customField {
+  CustomField {
     initialDelay: 1 minute
     interval: 10 minutes
+    globalInterval: 6 hours
   }
-  caseTemplate {
+  CaseTemplate {
     initialDelay: 1 minute
     interval: 10 minutes
+    globalInterval: 6 hours
   }
-  data {
+  Data {
     initialDelay: 5 minute
     interval: 30 minutes
+    globalInterval: 6 hours
   }
-  case {
+  Case {
     initialDelay: 1 minute
     interval: 10 minutes
+    globalInterval: 6 hours
   }
-  alert {
+  Alert {
     initialDelay: 5 minute
     interval: 30 minutes
+    globalInterval: 6 hours
   }
 }
 
@@ -182,5 +201,6 @@ integrityCheck {
 organisation.defaults {
   ui.hideEmptyCaseButton: false
   ui.disallowMergeAlertInResolvedSimilarCases: false
-  ui.defaultAlertSimilarCaseFilter: "open-cases"
+  ui.defaultAlertSimilarCaseFilter: "open-cases",
+  ui.defaultDateFormat: "MM/DD/YY HH:mm"
 }
diff --git a/thehive/test/org/thp/thehive/DatabaseBuilder.scala b/thehive/test/org/thp/thehive/DatabaseBuilder.scala
index 51767a822f..3a5484dea2 100644
--- a/thehive/test/org/thp/thehive/DatabaseBuilder.scala
+++ b/thehive/test/org/thp/thehive/DatabaseBuilder.scala
@@ -1,20 +1,28 @@
 package org.thp.thehive
 
-import java.io.File
-
-import javax.inject.{Inject, Singleton}
-import org.apache.tinkerpop.gremlin.structure.Graph
 import org.scalactic.Or
-import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.auth.{AuthContext, AuthContextImpl}
 import org.thp.scalligraph.controllers._
 import org.thp.scalligraph.models.{Database, Entity, Schema}
 import org.thp.scalligraph.services.{EdgeSrv, GenIntegrityCheckOps, VertexSrv}
+import org.thp.scalligraph.traversal.Graph
+import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.scalligraph.{EntityId, EntityName, RichOption}
 import org.thp.thehive.models._
+import org.thp.thehive.services.AlertOps._
+import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.CaseTemplateOps._
+import org.thp.thehive.services.LogOps._
+import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.OrganisationOps._
+import org.thp.thehive.services.TaskOps._
+import org.thp.thehive.services.TaxonomyOps._
 import org.thp.thehive.services._
 import play.api.Logger
 import play.api.libs.json.{JsArray, JsObject, JsValue, Json}
 
+import java.io.File
+import javax.inject.{Inject, Singleton}
 import scala.io.Source
 import scala.reflect.runtime.{universe => ru}
 import scala.util.{Failure, Success, Try}
@@ -22,71 +30,81 @@ import scala.util.{Failure, Success, Try}
 @Singleton
 class DatabaseBuilder @Inject() (
     schema: Schema,
-    userSrv: UserSrv,
-    organisationSrv: OrganisationSrv,
-    profileSrv: ProfileSrv,
+    alertSrv: AlertSrv,
+    attachmentSrv: AttachmentSrv,
     caseSrv: CaseSrv,
-    customFieldSrv: CustomFieldSrv,
     caseTemplateSrv: CaseTemplateSrv,
+    customFieldSrv: CustomFieldSrv,
+    dashboardSrv: DashboardSrv,
+    dataSrv: DataSrv,
     impactStatusSrv: ImpactStatusSrv,
-    resolutionStatusSrv: ResolutionStatusSrv,
-    shareSrv: ShareSrv,
-    roleSrv: RoleSrv,
-    observableSrv: ObservableSrv,
-    observableTypeSrv: ObservableTypeSrv,
-    taskSrv: TaskSrv,
-    tagSrv: TagSrv,
     keyValueSrv: KeyValueSrv,
-    dataSrv: DataSrv,
     logSrv: LogSrv,
-    alertSrv: AlertSrv,
-    attachmentSrv: AttachmentSrv,
-    dashboardSrv: DashboardSrv,
+    observableSrv: ObservableSrv,
+    observableTypeSrv: ObservableTypeSrv,
+    organisationSrv: OrganisationSrv,
     pageSrv: PageSrv,
+    patternSrv: PatternSrv,
+    procedureSrv: ProcedureSrv,
+    profileSrv: ProfileSrv,
+    resolutionStatusSrv: ResolutionStatusSrv,
+    roleSrv: RoleSrv,
+    shareSrv: ShareSrv,
+    tagSrv: TagSrv,
+    taskSrv: TaskSrv,
+    taxonomySrv: TaxonomySrv,
+    userSrv: UserSrv,
     integrityChecks: Set[GenIntegrityCheckOps]
 ) {
 
   lazy val logger: Logger = Logger(getClass)
 
-  def build()(implicit db: Database, authContext: AuthContext): Try[Unit] = {
+  def build()(implicit db: Database): Try[Unit] = {
 
     lazy val logger: Logger = Logger(getClass)
     logger.info("Initialize database schema")
-    db.createSchemaFrom(schema)
+    db.createSchemaFrom(schema)(LocalUserSrv.getSystemAuthContext)
       .flatMap(_ => db.addSchemaIndexes(schema))
       .flatMap { _ =>
         integrityChecks.foreach { check =>
           db.tryTransaction { implicit graph =>
-            Success(check.initialCheck())
+            Success(check.initialCheck()(graph, LocalUserSrv.getSystemAuthContext))
           }
           ()
         }
         db.tryTransaction { implicit graph =>
+          implicit val authContext: AuthContext = LocalUserSrv.getSystemAuthContext
           val idMap =
             createVertex(caseSrv, FieldsParser[Case]) ++
-              createVertex(userSrv, FieldsParser[User]) ++
-              createVertex(customFieldSrv, FieldsParser[CustomField]) ++
-              createVertex(organisationSrv, FieldsParser[Organisation]) ++
+              createVertex(alertSrv, FieldsParser[Alert]) ++
+              createVertex(attachmentSrv, FieldsParser[Attachment]) ++
               createVertex(caseTemplateSrv, FieldsParser[CaseTemplate]) ++
-              createVertex(shareSrv, FieldsParser[Share]) ++
-              createVertex(roleSrv, FieldsParser[Role]) ++
-              createVertex(profileSrv, FieldsParser[Profile]) ++
+              createVertex(customFieldSrv, FieldsParser[CustomField]) ++
+              createVertex(dashboardSrv, FieldsParser[Dashboard]) ++
+//              createVertex(dataSrv, FieldsParser[Data]) ++
+//              createVertex(impactStatusSrv, FieldsParser[ImpactStatus]) ++
+//              createVertex(keyValueSrv, FieldsParser[KeyValue]) ++
+              createVertex(logSrv, FieldsParser[Log]) ++
               createVertex(observableSrv, FieldsParser[Observable]) ++
               createVertex(observableTypeSrv, FieldsParser[ObservableType]) ++
-              createVertex(taskSrv, FieldsParser[Task]) ++
-              createVertex(keyValueSrv, FieldsParser[KeyValue]) ++
-              createVertex(dataSrv, FieldsParser[Data]) ++
-              createVertex(logSrv, FieldsParser[Log]) ++
-              createVertex(alertSrv, FieldsParser[Alert]) ++
-              createVertex(resolutionStatusSrv, FieldsParser[ResolutionStatus]) ++
-              createVertex(impactStatusSrv, FieldsParser[ImpactStatus]) ++
-              createVertex(attachmentSrv, FieldsParser[Attachment]) ++
-              createVertex(tagSrv, FieldsParser[Tag]) ++
+              createVertex(organisationSrv, FieldsParser[Organisation]) ++
               createVertex(pageSrv, FieldsParser[Page]) ++
-              createVertex(dashboardSrv, FieldsParser[Dashboard])
+              createVertex(patternSrv, FieldsParser[Pattern]) ++
+              createVertex(procedureSrv, FieldsParser[Procedure]) ++
+              createVertex(profileSrv, FieldsParser[Profile]) ++
+//              createVertex(resolutionStatusSrv, FieldsParser[ResolutionStatus]) ++
+              createVertex(roleSrv, FieldsParser[Role]) ++
+              createVertex(shareSrv, FieldsParser[Share]) ++
+              createVertex(tagSrv, FieldsParser[Tag]) ++
+              createVertex(taskSrv, FieldsParser[Task]) ++
+              createVertex(taxonomySrv, FieldsParser[Taxonomy]) ++
+              createVertex(userSrv, FieldsParser[User])
 
           createEdge(organisationSrv.organisationOrganisationSrv, organisationSrv, organisationSrv, FieldsParser[OrganisationOrganisation], idMap)
           createEdge(organisationSrv.organisationShareSrv, organisationSrv, shareSrv, FieldsParser[OrganisationShare], idMap)
+          createEdge(organisationSrv.organisationTaxonomySrv, organisationSrv, taxonomySrv, FieldsParser[OrganisationTaxonomy], idMap)
+
+          createEdge(taxonomySrv.taxonomyTagSrv, taxonomySrv, tagSrv, FieldsParser[TaxonomyTag], idMap)
 
           createEdge(roleSrv.userRoleSrv, userSrv, roleSrv, FieldsParser[UserRole], idMap)
 
@@ -98,39 +116,162 @@ class DatabaseBuilder @Inject() (
           createEdge(roleSrv.roleOrganisationSrv, roleSrv, organisationSrv, FieldsParser[RoleOrganisation], idMap)
           createEdge(roleSrv.roleProfileSrv, roleSrv, profileSrv, FieldsParser[RoleProfile], idMap)
 
-          createEdge(observableSrv.observableKeyValueSrv, observableSrv, keyValueSrv, FieldsParser[ObservableKeyValue], idMap)
-          createEdge(observableSrv.observableObservableType, observableSrv, observableTypeSrv, FieldsParser[ObservableObservableType], idMap)
-          createEdge(observableSrv.observableDataSrv, observableSrv, dataSrv, FieldsParser[ObservableData], idMap)
+          //          createEdge(observableSrv.observableKeyValueSrv, observableSrv, keyValueSrv, FieldsParser[ObservableKeyValue], idMap)
+//          createEdge(observableSrv.observableObservableType, observableSrv, observableTypeSrv, FieldsParser[ObservableObservableType], idMap)
+//          createEdge(observableSrv.observableDataSrv, observableSrv, dataSrv, FieldsParser[ObservableData], idMap)
           createEdge(observableSrv.observableAttachmentSrv, observableSrv, attachmentSrv, FieldsParser[ObservableAttachment], idMap)
-          createEdge(observableSrv.observableTagSrv, observableSrv, tagSrv, FieldsParser[ObservableTag], idMap)
+//          createEdge(observableSrv.observableTagSrv, observableSrv, tagSrv, FieldsParser[ObservableTag], idMap)
 
-          createEdge(taskSrv.taskUserSrv, taskSrv, userSrv, FieldsParser[TaskUser], idMap)
+//          createEdge(taskSrv.taskUserSrv, taskSrv, userSrv, FieldsParser[TaskUser], idMap)
           createEdge(taskSrv.taskLogSrv, taskSrv, logSrv, FieldsParser[TaskLog], idMap)
 
-          createEdge(caseSrv.caseUserSrv, caseSrv, userSrv, FieldsParser[CaseUser], idMap)
-          createEdge(caseSrv.mergedFromSrv, caseSrv, caseSrv, FieldsParser[MergedFrom], idMap)
-          createEdge(caseSrv.caseCaseTemplateSrv, caseSrv, caseTemplateSrv, FieldsParser[CaseCaseTemplate], idMap)
-          createEdge(caseSrv.caseResolutionStatusSrv, caseSrv, resolutionStatusSrv, FieldsParser[CaseResolutionStatus], idMap)
-          createEdge(caseSrv.caseImpactStatusSrv, caseSrv, impactStatusSrv, FieldsParser[CaseImpactStatus], idMap)
+          createEdge(logSrv.logAttachmentSrv, logSrv, attachmentSrv, FieldsParser[LogAttachment], idMap)
+//          createEdge(caseSrv.caseUserSrv, caseSrv, userSrv, FieldsParser[CaseUser], idMap)
+//          createEdge(caseSrv.mergedFromSrv, caseSrv, caseSrv, FieldsParser[MergedFrom], idMap)
+//          createEdge(caseSrv.caseCaseTemplateSrv, caseSrv, caseTemplateSrv, FieldsParser[CaseCaseTemplate], idMap)
+//          createEdge(caseSrv.caseResolutionStatusSrv, caseSrv, resolutionStatusSrv, FieldsParser[CaseResolutionStatus], idMap)
+//          createEdge(caseSrv.caseImpactStatusSrv, caseSrv, impactStatusSrv, FieldsParser[CaseImpactStatus], idMap)
           createEdge(caseSrv.caseCustomFieldSrv, caseSrv, customFieldSrv, FieldsParser[CaseCustomField], idMap)
-          createEdge(caseSrv.caseTagSrv, caseSrv, tagSrv, FieldsParser[CaseTag], idMap)
+//          createEdge(caseSrv.caseTagSrv, caseSrv, tagSrv, FieldsParser[CaseTag], idMap)
 
           createEdge(caseTemplateSrv.caseTemplateOrganisationSrv, caseTemplateSrv, organisationSrv, FieldsParser[CaseTemplateOrganisation], idMap)
-          createEdge(caseTemplateSrv.caseTemplateTaskSrv, caseTemplateSrv, taskSrv, FieldsParser[CaseTemplateTask], idMap)
+//          createEdge(caseTemplateSrv.caseTemplateTaskSrv, caseTemplateSrv, taskSrv, FieldsParser[CaseTemplateTask], idMap)
           createEdge(caseTemplateSrv.caseTemplateCustomFieldSrv, caseTemplateSrv, customFieldSrv, FieldsParser[CaseTemplateCustomField], idMap)
-          createEdge(caseTemplateSrv.caseTemplateTagSrv, caseTemplateSrv, tagSrv, FieldsParser[CaseTemplateTag], idMap)
+//          createEdge(caseTemplateSrv.caseTemplateTagSrv, caseTemplateSrv, tagSrv, FieldsParser[CaseTemplateTag], idMap)
 
           createEdge(alertSrv.alertOrganisationSrv, alertSrv, organisationSrv, FieldsParser[AlertOrganisation], idMap)
           createEdge(alertSrv.alertObservableSrv, alertSrv, observableSrv, FieldsParser[AlertObservable], idMap)
           createEdge(alertSrv.alertCaseSrv, alertSrv, caseSrv, FieldsParser[AlertCase], idMap)
           createEdge(alertSrv.alertCaseTemplateSrv, alertSrv, caseTemplateSrv, FieldsParser[AlertCaseTemplate], idMap)
           createEdge(alertSrv.alertCustomFieldSrv, alertSrv, customFieldSrv, FieldsParser[AlertCustomField], idMap)
-          createEdge(alertSrv.alertTagSrv, alertSrv, tagSrv, FieldsParser[AlertTag], idMap)
+//          createEdge(alertSrv.alertTagSrv, alertSrv, tagSrv, FieldsParser[AlertTag], idMap)
 
           createEdge(pageSrv.organisationPageSrv, organisationSrv, pageSrv, FieldsParser[OrganisationPage], idMap)
 
           createEdge(dashboardSrv.dashboardUserSrv, dashboardSrv, userSrv, FieldsParser[DashboardUser], idMap)
           createEdge(dashboardSrv.organisationDashboardSrv, organisationSrv, dashboardSrv, FieldsParser[OrganisationDashboard], idMap)
+
+//          createEdge(patternSrv.patternPatternSrv, patternSrv, patternSrv, FieldsParser[PatternPattern], idMap)
+
+          createEdge(procedureSrv.caseProcedureSrv, caseSrv, procedureSrv, FieldsParser[CaseProcedure], idMap)
+          createEdge(procedureSrv.procedurePatternSrv, procedureSrv, patternSrv, FieldsParser[ProcedurePattern], idMap)
+          Success(())
+        }
+
+        db.tryTransaction { implicit graph =>
+          val (defaultOrganisation, defaultUser) = organisationSrv.startTraversal.notAdmin.project(_.by.by(_.users)).head
+          implicit val authContext: AuthContext =
+            AuthContextImpl(defaultUser.login, defaultUser.name, defaultOrganisation._id, "init", Permissions.all)
+          // For each organisation, if there is no custom taxonomy, create it
+          organisationSrv
+            .startTraversal
+            .hasNot(_.name, "admin")
+            .filterNot(_.taxonomies.freetags)
+            .foreach(o => taxonomySrv.createFreetagTaxonomy(o).get)
+
+          caseSrv
+            .startTraversal
+            .project(
+              _.by
+                .by(_.organisations._id.fold)
+            )
+            .foreach {
+              case (case0, organisationIds) =>
+                case0.tags.foreach(tag => tagSrv.getOrCreate(tag).flatMap(caseSrv.caseTagSrv.create(CaseTag(), case0, _)).get)
+                case0.assignee.foreach(userSrv.getByName(_).getOrFail("User").flatMap(caseSrv.caseUserSrv.create(CaseUser(), case0, _)).get)
+                case0
+                  .resolutionStatus
+                  .foreach(
+                    resolutionStatusSrv
+                      .getByName(_)
+                      .getOrFail("ResolutionStatus")
+                      .flatMap(caseSrv.caseResolutionStatusSrv.create(CaseResolutionStatus(), case0, _))
+                      .get
+                  )
+                case0
+                  .impactStatus
+                  .foreach(
+                    impactStatusSrv
+                      .getByName(_)
+                      .getOrFail("ImpectStatus")
+                      .flatMap(caseSrv.caseImpactStatusSrv.create(CaseImpactStatus(), case0, _))
+                      .get
+                  )
+                case0
+                  .caseTemplate
+                  .foreach(
+                    caseTemplateSrv
+                      .getByName(_)
+                      .getOrFail("CaseTemplate")
+                      .flatMap(caseSrv.caseCaseTemplateSrv.create(CaseCaseTemplate(), case0, _))
+                      .get
+                  )
+                caseSrv.get(case0).update(_.organisationIds, organisationIds.toSet).iterate()
+            }
+
+          alertSrv
+            .startTraversal
+            .project(_.by.by(_.organisation._id).by(_.`case`._id.option))
+            .foreach {
+              case (alert, organisationId, caseId) =>
+                alert.tags.foreach(tag => tagSrv.getOrCreate(tag).flatMap(alertSrv.alertTagSrv.create(AlertTag(), alert, _)).get)
+                alertSrv.get(alert).update(_.organisationId, organisationId).update(_.caseId, caseId).iterate()
+            }
+
+          observableSrv
+            .startTraversal
+            .project(_.by.by(_.coalesceIdent(_.`case`, _.alert)._id).by(_.organisations._id.fold))
+            .foreach {
+              case (observable, relatedId, organisationIds) =>
+                observable
+                  .tags
+                  .foreach(tag => tagSrv.getOrCreate(tag).flatMap(observableSrv.observableTagSrv.create(ObservableTag(), observable, _)).get)
+                observableTypeSrv
+                  .getByName(observable.dataType)
+                  .getOrFail("ObservableType")
+                  .flatMap(observableSrv.observableObservableType.create(ObservableObservableType(), observable, _))
+                  .get
+                observable
+                  .data
+                  .foreach(data =>
+                    dataSrv
+                      .getByName(data)
+                      .getOrFail("data")
+                      .orElse(dataSrv.create(Data(data)))
+                      .flatMap(observableSrv.observableDataSrv.create(ObservableData(), observable, _))
+                      .get
+                  )
+                observableSrv.get(observable).update(_.relatedId, relatedId).update(_.organisationIds, organisationIds.toSet).iterate()
+            }
+
+          caseTemplateSrv
+            .startTraversal
+            .foreach { caseTemplate =>
+              caseTemplate
+                .tags
+                .foreach(tag => tagSrv.getOrCreate(tag).flatMap(caseTemplateSrv.caseTemplateTagSrv.create(CaseTemplateTag(), caseTemplate, _)).get)
+            }
+
+          logSrv
+            .startTraversal
+            .project(_.by.by(_.task._id).by(_.organisations._id.fold))
+            .foreach {
+              case (log, taskId, organisationIds) =>
+                logSrv.get(log).update(_.taskId, taskId).update(_.organisationIds, organisationIds.toSet).iterate()
+            }
+
+          taskSrv
+            .startTraversal
+            .project(
+              _.by
+                .by(_.coalesceIdent(_.`case`, _.caseTemplate)._id)
+                .by(_.coalesceIdent(_.organisations, _.caseTemplate.organisation)._id.fold)
+            )
+            .foreach {
+              case (task, relatedId, organisationIds) =>
+                task.assignee.foreach(userSrv.getByName(_).getOrFail("User").flatMap(taskSrv.taskUserSrv.create(TaskUser(), task, _)).get)
+                taskSrv.get(task).update(_.relatedId, relatedId).update(_.organisationIds, organisationIds.toSet).iterate()
+            }
           Success(())
         }
       }
diff --git a/thehive/test/org/thp/thehive/DevStart.scala b/thehive/test/org/thp/thehive/DevStart.scala
index 21ab8291bc..d50f10beaf 100644
--- a/thehive/test/org/thp/thehive/DevStart.scala
+++ b/thehive/test/org/thp/thehive/DevStart.scala
@@ -1,10 +1,10 @@
 package org.thp.thehive
 
-import java.io.File
-
 import play.api._
 import play.core.server.{RealServerProcess, ServerConfig, ServerProcess, ServerProvider}
 
+import java.io.File
+
 object DevStart extends App {
   val process = new RealServerProcess(args)
   val config  = readConfig(process)
diff --git a/thehive/test/org/thp/thehive/QueryTest.scala b/thehive/test/org/thp/thehive/QueryTest.scala
new file mode 100644
index 0000000000..f2e212cc16
--- /dev/null
+++ b/thehive/test/org/thp/thehive/QueryTest.scala
@@ -0,0 +1,3 @@
+package org.thp.thehive
+
+class QueryTest {}
diff --git a/thehive/test/org/thp/thehive/TestAppBuilder.scala b/thehive/test/org/thp/thehive/TestAppBuilder.scala
index e46cae76ec..f947769405 100644
--- a/thehive/test/org/thp/thehive/TestAppBuilder.scala
+++ b/thehive/test/org/thp/thehive/TestAppBuilder.scala
@@ -1,23 +1,21 @@
 package org.thp.thehive
 
-import java.io.File
-import java.nio.file.{Files, Paths}
-
-import akka.actor.ActorSystem
-import com.google.inject.Injector
-import javax.inject.{Inject, Provider, Singleton}
 import org.apache.commons.io.FileUtils
 import org.thp.scalligraph.auth._
-import org.thp.scalligraph.models.{Database, Schema}
+import org.thp.scalligraph.janus.JanusDatabaseProvider
+import org.thp.scalligraph.models.{Database, Schema, UpdatableSchema}
 import org.thp.scalligraph.query.QueryExecutor
 import org.thp.scalligraph.services.{GenIntegrityCheckOps, LocalFileSystemStorageSrv, StorageSrv}
-import org.thp.scalligraph.{janus, AppBuilder}
+import org.thp.scalligraph.{AppBuilder, SingleInstance}
 import org.thp.thehive.controllers.v0.TheHiveQueryExecutor
 import org.thp.thehive.models.TheHiveSchemaDefinition
 import org.thp.thehive.services.notification.notifiers.{AppendToFileProvider, EmailerProvider, NotifierProvider}
 import org.thp.thehive.services.notification.triggers._
 import org.thp.thehive.services.{UserSrv => _, _}
 
+import java.io.File
+import java.nio.file.{Files, Paths}
+import javax.inject.{Inject, Provider, Singleton}
 import scala.util.Try
 
 object TestAppBuilderLock
@@ -31,6 +29,7 @@ trait TestAppBuilder {
       .bind[UserSrv, LocalUserSrv]
       .bind[StorageSrv, LocalFileSystemStorageSrv]
       .bind[Schema, TheHiveSchemaDefinition]
+      .multiBind[UpdatableSchema](classOf[TheHiveSchemaDefinition])
       .bindNamed[QueryExecutor, TheHiveQueryExecutor]("v0")
       .multiBind[AuthSrvProvider](classOf[LocalPasswordAuthProvider], classOf[LocalKeyAuthProvider], classOf[HeaderAuthProvider])
       .multiBind[NotifierProvider](classOf[AppendToFileProvider])
@@ -40,6 +39,7 @@ trait TestAppBuilder {
       .multiBind[TriggerProvider](classOf[TaskAssignedProvider])
       .multiBind[TriggerProvider](classOf[AlertCreatedProvider])
       .bindToProvider[AuthSrv, MultiAuthSrvProvider]
+      .bindInstance[SingleInstance](new SingleInstance(true))
       .multiBind[GenIntegrityCheckOps](
         classOf[ProfileIntegrityCheckOps],
         classOf[OrganisationIntegrityCheckOps],
@@ -51,7 +51,8 @@ trait TestAppBuilder {
         classOf[CustomFieldIntegrityCheckOps],
         classOf[CaseTemplateIntegrityCheckOps],
         classOf[DataIntegrityCheckOps],
-        classOf[CaseIntegrityCheckOps]
+        classOf[CaseIntegrityCheckOps],
+        classOf[AlertIntegrityCheckOps]
       )
       .bindActor[DummyActor]("config-actor")
       .bindActor[DummyActor]("notification-actor")
@@ -62,10 +63,11 @@ trait TestAppBuilder {
       .addConfiguration("play.mailer.mock = yes")
       .addConfiguration("play.mailer.debug = yes")
       .addConfiguration(s"storage.localfs.location = ${System.getProperty("user.dir")}/target/storage")
-      .bindEagerly[AkkaGuiceExtensionSetup]
+      .bindEagerly[ClusterSetup]
 
   def testApp[A](body: AppBuilder => A): A = {
     val storageDirectory = Files.createTempDirectory(Paths.get("target"), "janusgraph-test-database").toFile
+    val indexDirectory   = Files.createTempDirectory(Paths.get("target"), storageDirectory.getName).toFile
     TestAppBuilderLock.synchronized {
       if (!Files.exists(Paths.get(s"target/janusgraph-test-database-$databaseName"))) {
         val app = appConfigure
@@ -76,21 +78,24 @@ trait TestAppBuilder {
                                |    storage.backend: berkeleyje
                                |    storage.directory: "target/janusgraph-test-database-$databaseName"
                                |    berkeleyje.freeDisk: 2
+                               |    index.search {
+                               |      backend : lucene
+                               |      directory: target/janusgraph-test-database-$databaseName-idx
+                               |    }
                                |  }
                                |}
                                |akka.cluster.jmx.multi-mbeans-in-same-jvm: on
                                |""".stripMargin)
-          .bind[Database, janus.JanusDatabase]
-          .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-schema")
+          .bindToProvider[Database, JanusDatabaseProvider]
 
-        app[DatabaseBuilder].build()(app[Database], app[UserSrv].getSystemAuthContext)
+        app[DatabaseBuilder].build()(app[Database])
         app[Database].close()
       }
       FileUtils.copyDirectory(new File(s"target/janusgraph-test-database-$databaseName"), storageDirectory)
+      FileUtils.copyDirectory(new File(s"target/janusgraph-test-database-$databaseName-idx"), indexDirectory)
     }
     val app = appConfigure
-      .bind[Database, janus.JanusDatabase]
-      .bindNamedToProvider[Database, BasicDatabaseProvider]("with-thehive-schema")
+      .bindToProvider[Database, JanusDatabaseProvider]
       .addConfiguration(s"""
                            |db {
                            |  provider: janusgraph
@@ -98,6 +103,10 @@ trait TestAppBuilder {
                            |    storage.backend: berkeleyje
                            |    storage.directory: $storageDirectory
                            |    berkeleyje.freeDisk: 2
+                           |    index.search {
+                           |      backend : lucene
+                           |      directory: $indexDirectory
+                           |    }
                            |  }
                            |}
                            |""".stripMargin)
@@ -114,8 +123,3 @@ trait TestAppBuilder {
 class BasicDatabaseProvider @Inject() (database: Database) extends Provider[Database] {
   override def get(): Database = database
 }
-
-@Singleton
-class AkkaGuiceExtensionSetup @Inject() (system: ActorSystem, injector: Injector) {
-  GuiceAkkaExtension(system).set(injector)
-}
diff --git a/thehive/test/org/thp/thehive/controllers/v0/AlertCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/AlertCtrlTest.scala
index fd5da90598..a4de95d8b2 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/AlertCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/AlertCtrlTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.Date
-
 import io.scalaland.chimney.dsl._
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.models.{Database, DummyUserSrv}
@@ -15,6 +13,8 @@ import org.thp.thehive.services.ObservableOps._
 import play.api.libs.json.{JsNull, JsObject, JsString, Json}
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
 case class TestAlert(
     `type`: String,
     source: String,
@@ -145,7 +145,7 @@ class AlertCtrlTest extends PlaySpecification with TestAppBuilder {
       description = "description of alert #1",
       severity = 2,
       date = new Date(1555359572000L),
-      tags = Set("testNamespace:testPredicate=\"alert\"", "testNamespace:testPredicate=\"test\""),
+      tags = Set("alert", "test"),
       tlp = 2,
       pap = 2,
       status = "New",
@@ -163,7 +163,7 @@ class AlertCtrlTest extends PlaySpecification with TestAppBuilder {
         Some("h.fr"),
         None,
         1,
-        Set("testNamespace:testPredicate=\"hello\""),
+        Set("hello"),
         ioc = true,
         sighted = true,
         Some("observable from alert")
@@ -267,10 +267,10 @@ class AlertCtrlTest extends PlaySpecification with TestAppBuilder {
       pap = 2,
       status = "Open",
       tags = Set(
-        "testNamespace:testPredicate=\"alert\"",
-        "testNamespace:testPredicate=\"test\"",
-        "testNamespace:testPredicate=\"spam\"",
-        "testNamespace:testPredicate=\"src:mail\""
+        "alert",
+        "test",
+        "spam",
+        "src:mail"
       ),
       summary = None,
       owner = Some("certuser@thehive.local"),
@@ -289,11 +289,8 @@ class AlertCtrlTest extends PlaySpecification with TestAppBuilder {
     observables must contain(
       exactly(
         beLike[RichObservable] {
-          case RichObservable(_, tpe, Some(data), None, _, _, _, _) if tpe.name == "domain" && data.data == "c.fr" => ok
-        } /*,
-        beLike[RichObservable] {
-          case RichObservable(obs, tpe, None, Some(attachment), tags, _, _) if tpe.name == "file" && attachment.name == "hello.txt" => ok
-        }*/
+          case obs if obs.dataType == "domain" && obs.data.contains("c.fr") => ok
+        }
       )
     )
   }
diff --git a/thehive/test/org/thp/thehive/controllers/v0/AuditCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/AuditCtrlTest.scala
index 82abfb9c27..a7fb114faf 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/AuditCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/AuditCtrlTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, DummyUserSrv}
 import org.thp.scalligraph.{AppBuilder, EntityIdOrName}
@@ -11,6 +9,8 @@ import org.thp.thehive.services.{CaseSrv, FlowActor, OrganisationSrv}
 import play.api.libs.json.JsObject
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
 class AuditCtrlTest extends PlaySpecification with TestAppBuilder {
   override def appConfigure: AppBuilder =
     super
@@ -33,14 +33,26 @@ class AuditCtrlTest extends PlaySpecification with TestAppBuilder {
 
     // Create an event first
     val `case` = app[Database].tryTransaction { implicit graph =>
+      val organisation = app[OrganisationSrv].getOrFail(EntityIdOrName("admin")).get
       app[CaseSrv].create(
-        Case(0, "case audit", "desc audit", 1, new Date(), None, flag = false, 1, 1, CaseStatus.Open, None),
-        None,
-        app[OrganisationSrv].getOrFail(EntityIdOrName("admin")).get,
-        Set.empty,
-        Seq.empty,
-        None,
-        Nil
+        `case` = Case(
+          title = "case audit",
+          description = "desc audit",
+          severity = 1,
+          startDate = new Date,
+          endDate = None,
+          flag = false,
+          tlp = 1,
+          pap = 1,
+          status = CaseStatus.Open,
+          summary = None,
+          tags = Nil
+        ),
+        assignee = None,
+        organisation = organisation,
+        customFields = Nil,
+        caseTemplate = None,
+        additionalTasks = Nil
       )(graph, authContext)
     }.get
 
diff --git a/thehive/test/org/thp/thehive/controllers/v0/CaseCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/CaseCtrlTest.scala
index edbc06388d..1b2f9f1010 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/CaseCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/CaseCtrlTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.Date
-
 import akka.stream.Materializer
 import io.scalaland.chimney.dsl._
 import org.thp.scalligraph.EntityIdOrName
@@ -14,6 +12,8 @@ import org.thp.thehive.services.CaseSrv
 import play.api.libs.json._
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
 case class TestCase(
     caseId: Int,
     title: String,
@@ -33,7 +33,6 @@ case class TestCase(
 )
 
 object TestCase {
-
   def apply(outputCase: OutputCase): TestCase =
     outputCase.into[TestCase].transform
 }
@@ -86,7 +85,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
         tlp = 1,
         pap = 3,
         status = "Open",
-        tags = Set("testNamespace:testPredicate=\"spam\"", "testNamespace:testPredicate=\"src:mail\"", "tag1", "tag2"),
+        tags = Set("spam", "src:mail", "tag1", "tag2"),
         summary = None,
         owner = Some("certuser@thehive.local"),
         customFields = Json.obj(
@@ -119,7 +118,8 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
                            "flag":false,
                            "status":"Waiting"
                         }
-                     ]
+                     ],
+                     "user":"certro@thehive.local"
                   }"""
             )
             .as[JsObject]
@@ -141,7 +141,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
           pap = 2,
           status = "Open",
           tags = Set.empty,
-          owner = Some("certuser@thehive.local"),
+          owner = Some("certro@thehive.local"),
           stats = JsObject.empty
         )
       )
@@ -156,7 +156,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
       val assignee = app[Database].roTransaction(implicit graph => app[CaseSrv].get(EntityIdOrName(outputCase._id)).assignee.getOrFail("Case"))
 
       assignee must beSuccessfulTry
-      assignee.get.login shouldEqual "certuser@thehive.local"
+      assignee.get.login shouldEqual "certro@thehive.local"
     }
 
     "try to get a case" in testApp { app =>
@@ -182,7 +182,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
         tlp = 2,
         pap = 2,
         status = "Open",
-        tags = Set("testNamespace:testPredicate=\"t2\"", "testNamespace:testPredicate=\"t1\""),
+        tags = Set("t2", "t1"),
         summary = None,
         owner = Some("certuser@thehive.local"),
         customFields = JsObject.empty,
@@ -206,7 +206,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
       val resultCase = contentAsJson(result).as[OutputCase]
 
       resultCase.title must equalTo("new title")
-      resultCase.flag must equalTo(true)
+      resultCase.flag  must equalTo(true)
     }
 
     "update a bulk of cases properly" in testApp { app =>
@@ -226,8 +226,8 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
       resultCases must have size 2
 
       resultCases.map(_.description) must contain(be_==("new description")).forall
-      resultCases.map(_.tlp) must contain(be_==(1)).forall
-      resultCases.map(_.pap) must contain(be_==(1)).forall
+      resultCases.map(_.tlp)         must contain(be_==(1)).forall
+      resultCases.map(_.pap)         must contain(be_==(1)).forall
 
       val requestGet1 = FakeRequest("GET", s"/api/v0/case/1")
         .withHeaders("user" -> "certuser@thehive.local")
@@ -251,7 +251,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
           Json.parse("""{"query":{"severity":2}}""")
         )
       val result = app[CaseCtrl].search()(request)
-      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+      status(result)            must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
       header("X-Total", result) must beSome("2")
       val resultCases = contentAsJson(result)(defaultAwaitTimeout, app[Materializer]).as[Seq[OutputCase]]
 
@@ -296,7 +296,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
           Json.parse("""{"query":{"_and":[{"_field":"customFields.boolean1","_value":true}]}}""")
         )
       val resultSearch = app[CaseCtrl].search()(requestSearch)
-      status(resultSearch) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(resultSearch)}")
+      status(resultSearch)                                                                     must equalTo(200).updateMessage(s => s"$s\n${contentAsString(resultSearch)}")
       contentAsJson(resultSearch)(defaultAwaitTimeout, app[Materializer]).as[List[OutputCase]] must not(beEmpty)
     }
 
@@ -327,10 +327,10 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
       status(result) must_=== 200
       val resultCase = contentAsJson(result)
 
-      (resultCase \ "count").asOpt[Int] must beSome(3)
-      (resultCase \ "testNamespace:testPredicate=\"t1\"" \ "count").asOpt[Int] must beSome(2)
-      (resultCase \ "testNamespace:testPredicate=\"t2\"" \ "count").asOpt[Int] must beSome(1)
-      (resultCase \ "testNamespace:testPredicate=\"t3\"" \ "count").asOpt[Int] must beSome(1)
+      (resultCase \ "count").asOpt[Int]        must beSome(10)
+      (resultCase \ "t1" \ "count").asOpt[Int] must beSome(2)
+      (resultCase \ "t2" \ "count").asOpt[Int] must beSome(1)
+      (resultCase \ "t3" \ "count").asOpt[Int] must beSome(1)
     }
 
     "assign a case to an user" in testApp { app =>
@@ -362,5 +362,63 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
 //        tasks.flatMap(task => app[TaskSrv].get(task).headOption) must beEmpty
       }
     }
+
+    "merge two cases correctly" in testApp { app =>
+      val request21 = FakeRequest("GET", s"/api/v0/case/#21")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val case21 = app[CaseCtrl].get("21")(request21)
+      status(case21) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(case21)}")
+      val output21 = contentAsJson(case21).as[OutputCase]
+
+      val request = FakeRequest("POST", "/api/v0/case/21/_merge/22")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21", "22")(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      val outputCase = contentAsJson(result).as[OutputCase]
+
+      // Merge result
+      TestCase(outputCase) must equalTo(
+        TestCase(
+          caseId = 36,
+          title = "case#21 / case#22",
+          description = "description of case #21\n\ndescription of case #22",
+          severity = 3,
+          startDate = output21.startDate,
+          flag = true,
+          tlp = 4,
+          pap = 3,
+          status = "Open",
+          tags = Set("toMerge:pred1=\"value1\"", "toMerge:pred2=\"value2\""),
+          owner = Some("certuser@thehive.local"),
+          stats = JsObject.empty
+        )
+      )
+
+      // Merged cases should be deleted
+      val deleted21 = app[CaseCtrl].get("21")(request)
+      status(deleted21) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(deleted21)}")
+      val deleted22 = app[CaseCtrl].get("22")(request)
+      status(deleted22) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(deleted22)}")
+    }
+
+    "merge two cases error, not same organisation" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v0/case/21/_merge/24")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21", "24")(request)
+      // User shouldn't be able to see others cases, resulting in 404
+      status(result) must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+    }
+
+    "merge two cases error, not same profile" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v0/case/21/_merge/25")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21", "25")(request)
+      status(result)                              must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("BadRequest")
+    }
   }
 }
diff --git a/thehive/test/org/thp/thehive/controllers/v0/ConfigCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/ConfigCtrlTest.scala
index 46caf3274b..732f7d6602 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/ConfigCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/ConfigCtrlTest.scala
@@ -6,6 +6,9 @@ import play.api.libs.json.{JsObject, Json}
 import play.api.test.{FakeRequest, PlaySpecification}
 
 class ConfigCtrlTest extends PlaySpecification with TestAppBuilder {
+
+// TODO leave unused code ?
+//
 //    def getList = {
 //      val request = FakeRequest("GET", "/api/config")
 //        .withHeaders("user" -> "admin@thehive.local")
@@ -29,16 +32,17 @@ class ConfigCtrlTest extends PlaySpecification with TestAppBuilder {
 
     "set configuration item" in testApp { app =>
       app[TagSrv]
-      val request = FakeRequest("PUT", "/api/config/tags.defaultColour")
+      val request = FakeRequest("PUT", "/api/config/tags.freeTagColour")
         .withHeaders("user" -> "admin@thehive.local")
         .withJsonBody(Json.parse("""{"value": "#00FF00"}"""))
-      val result = app[ConfigCtrl].set("tags.defaultColour")(request)
+      val result = app[ConfigCtrl].set("tags.freeTagColour")(request)
 
       status(result) must equalTo(204).updateMessage(s => s"$s\n${contentAsString(result)}")
 
-      app[TagSrv].defaultColour must beEqualTo(0xff00)
+      app[TagSrv].freeTagColour must beEqualTo("#00FF00")
     }
-
+// TODO leave unused tests ?
+//
 //      "get user specific configuration" in testApp { app =>
 //        val request = FakeRequest("GET", "/api/config/user/organisation")
 //          .withHeaders("user" -> "admin@thehive.local")
diff --git a/thehive/test/org/thp/thehive/controllers/v0/ObservableCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/ObservableCtrlTest.scala
index b4900adc36..b46290e51d 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/ObservableCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/ObservableCtrlTest.scala
@@ -1,9 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.io.File
-import java.nio.file.{Path, Files => JFiles}
-import java.util.UUID
-
 import akka.stream.Materializer
 import io.scalaland.chimney.dsl._
 import org.thp.scalligraph.AppBuilder
@@ -23,6 +19,10 @@ import play.api.mvc.MultipartFormData.FilePart
 import play.api.mvc.{AnyContentAsMultipartFormData, Headers, MultipartFormData}
 import play.api.test.{FakeRequest, NoTemporaryFileCreator, PlaySpecification}
 
+import java.io.File
+import java.nio.file.{Path, Files => JFiles}
+import java.util.UUID
+
 case class TestObservable(
     dataType: String,
     data: Option[String] = None,
diff --git a/thehive/test/org/thp/thehive/controllers/v0/QueryTest.scala b/thehive/test/org/thp/thehive/controllers/v0/QueryTest.scala
index b75d8b1e4a..ab415bebd3 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/QueryTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/QueryTest.scala
@@ -25,9 +25,7 @@ class QueryTest extends PlaySpecification with Mockito {
     mock[Database],
     mock[TaskSrv],
     mock[CaseSrv],
-    mock[UserSrv],
     mock[OrganisationSrv],
-    mock[ShareSrv],
     queryExecutor,
     publicTask
   )
diff --git a/thehive/test/org/thp/thehive/controllers/v0/ShareCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/ShareCtrlTest.scala
index df32702057..0200582d11 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/ShareCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/ShareCtrlTest.scala
@@ -7,7 +7,7 @@ import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.dto.v0._
 import org.thp.thehive.models.Profile
 import org.thp.thehive.services.CaseOps._
-import org.thp.thehive.services.CaseSrv
+import org.thp.thehive.services.{CaseSrv, OrganisationSrv}
 import play.api.libs.json.Json
 import play.api.test.{FakeRequest, PlaySpecification}
 
@@ -21,7 +21,7 @@ class ShareCtrlTest extends PlaySpecification with TestAppBuilder {
     status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
 
     app[Database].roTransaction { implicit graph =>
-      app[CaseSrv].get(EntityName("1")).visible(DummyUserSrv(organisation = "soc").authContext).exists
+      app[CaseSrv].get(EntityName("1")).visible(app[OrganisationSrv])(DummyUserSrv(organisation = "soc").authContext).exists
     } must beTrue
   }
 
@@ -43,7 +43,7 @@ class ShareCtrlTest extends PlaySpecification with TestAppBuilder {
     status(result) must equalTo(204).updateMessage(s => s"$s\n${contentAsString(result)}")
 
     app[Database].roTransaction { implicit graph =>
-      app[CaseSrv].get(EntityName("2")).visible(DummyUserSrv(userId = "socro@thehive.local").authContext).exists
+      app[CaseSrv].get(EntityName("2")).visible(app[OrganisationSrv])(DummyUserSrv(organisation = "soc").authContext).exists
     } must beFalse
   }
 
diff --git a/thehive/test/org/thp/thehive/controllers/v0/StatusCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/StatusCtrlTest.scala
index d1d1f91ce7..77121cd741 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/StatusCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/StatusCtrlTest.scala
@@ -1,11 +1,10 @@
 package org.thp.thehive.controllers.v0
 
-import org.thp.scalligraph.models.SchemaStatus
 import org.thp.scalligraph.{AppBuilder, ScalligraphApplicationLoader}
 import org.thp.thehive.models.HealthStatus
 import org.thp.thehive.services.Connector
 import org.thp.thehive.{TestAppBuilder, TheHiveModule}
-import play.api.libs.json.{JsObject, Json}
+import play.api.libs.json.{JsNull, JsObject, Json}
 import play.api.mvc.AbstractController
 import play.api.test.{FakeRequest, PlaySpecification}
 import play.api.{Configuration, Environment}
@@ -29,8 +28,6 @@ class StatusCtrlTest extends PlaySpecification with TestAppBuilder {
       )
 
     override def health: HealthStatus.Value = HealthStatus.Warning
-
-    override def schemaStatus: Option[SchemaStatus] = None
   }
 
   override def appConfigure: AppBuilder = super.appConfigure.multiBindInstance[Connector](fakeCortexConnector)
@@ -72,7 +69,9 @@ class StatusCtrlTest extends PlaySpecification with TestAppBuilder {
           "ssoAutoLogin"         -> config.get[Boolean]("user.autoCreateOnSso"),
           "pollingDuration"      -> 1000
         ),
-        "schemaStatus" -> Json.arr()
+        "schemaStatus" -> Json.arr(
+          Json.obj("name" -> "thehive", "currentVersion" -> 59, "expectedVersion" -> 59, "error" -> JsNull)
+        )
       )
 
       resultJson shouldEqual expectedJson
diff --git a/thehive/test/org/thp/thehive/controllers/v0/StreamCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/StreamCtrlTest.scala
index 3fc3885aa5..38764e64b8 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/StreamCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/StreamCtrlTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.controllers.v0
 
-import java.util.Date
-
 import org.thp.scalligraph.EntityName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, DummyUserSrv}
@@ -10,6 +8,8 @@ import org.thp.thehive.models._
 import org.thp.thehive.services.{CaseSrv, OrganisationSrv}
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
 class StreamCtrlTest extends PlaySpecification with TestAppBuilder {
   "stream controller" should {
     "create a stream" in testApp { app =>
@@ -17,7 +17,7 @@ class StreamCtrlTest extends PlaySpecification with TestAppBuilder {
         .withHeaders("user" -> "certuser@thehive.local")
       val result = app[StreamCtrl].create(request)
 
-      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+      status(result)          must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
       contentAsString(result) must not(beEmpty)
     }
 
@@ -33,14 +33,26 @@ class StreamCtrlTest extends PlaySpecification with TestAppBuilder {
 
       // Add an event
       app[Database].tryTransaction { implicit graph =>
+        val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
         app[CaseSrv].create(
-          Case(0, s"case audit", s"desc audit", 1, new Date(), None, flag = false, 1, 1, CaseStatus.Open, None),
-          None,
-          app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-          Set.empty,
-          Seq.empty,
-          None,
-          Nil
+          Case(
+            title = "case audit",
+            description = "desc audit",
+            severity = 1,
+            startDate = new Date,
+            endDate = None,
+            flag = false,
+            tlp = 1,
+            pap = 1,
+            status = CaseStatus.Open,
+            summary = None,
+            tags = Nil
+          ),
+          assignee = None,
+          organisation = organisation,
+          customFields = Nil,
+          caseTemplate = None,
+          additionalTasks = Nil
         )
       } must beASuccessfulTry
 
diff --git a/thehive/test/org/thp/thehive/controllers/v0/TagCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v0/TagCtrlTest.scala
index 3d143dee34..118518ca69 100644
--- a/thehive/test/org/thp/thehive/controllers/v0/TagCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v0/TagCtrlTest.scala
@@ -1,124 +1,16 @@
 package org.thp.thehive.controllers.v0
 
-import java.io.File
-import java.nio.file.{Path, Files => JFiles}
-
 import akka.stream.Materializer
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.dto.v0.OutputTag
 import org.thp.thehive.services.TagSrv
-import play.api.libs.Files
-import play.api.libs.Files.TemporaryFileCreator
 import play.api.libs.json.Json
-import play.api.mvc.MultipartFormData.FilePart
-import play.api.mvc.{AnyContentAsMultipartFormData, Headers, MultipartFormData}
-import play.api.test.{FakeRequest, NoTemporaryFileCreator, PlaySpecification}
+import play.api.test.{FakeRequest, PlaySpecification}
 
 class TagCtrlTest extends PlaySpecification with TestAppBuilder {
   "tag controller" should {
-    "import a taxonomy json" in testApp { app =>
-      val request = FakeRequest("POST", "/api/tag/_import")
-        .withHeaders("user" -> "admin@thehive.local")
-        .withJsonBody(Json.parse(s"""{
-          "content": {
-            "namespace": "access-method",
-            "description": "The access method used to remotely access a system.",
-            "version": 1,
-            "expanded": "Access method",
-            "predicates": [
-              {
-                "value": "brute-force",
-                "expanded": "Brute force",
-                "description": "Access was gained through systematic trial of credentials in bulk."
-              },
-              {
-                "value": "password-guessing",
-                "expanded": "Password guessing",
-                "description": "Access was gained through guessing passwords through trial and error."
-              }
-            ]
-          }
-          }""".stripMargin))
-      val result = app[TagCtrl].importTaxonomy(request)
-
-      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
-      contentAsString(result) shouldEqual "2"
-    }
-
-    "import a taxonomy json with value" in testApp { app =>
-      val request = FakeRequest("POST", "/api/tag/_import")
-        .withHeaders("user" -> "admin@thehive.local")
-        .withJsonBody(Json.parse(s"""{
-           "content":{
-              "namespace":"dark-web",
-              "expanded":"Dark Web",
-              "description":"Criminal motivation on the dark web: A categorisation model for law enforcement.",
-              "version":3,
-              "predicates":[
-                 {
-                    "value":"topic",
-                    "description":"Topic associated with the materials tagged",
-                    "expanded":"Topic"
-                 },
-                 {
-                    "value":"topic",
-                    "description":"Topic associated with the materials tagged",
-                    "expanded":"Topic"
-                 },
-                 {
-                    "value":"structure",
-                    "description":"Structure of the materials tagged",
-                    "expanded":"Structure"
-                 }
-              ],
-              "values":[
-                 {
-                    "predicate":"topic",
-                    "entry":[
-                       {
-                          "value":"drugs-narcotics",
-                          "expanded":"Drugs/Narcotics",
-                          "description":"Illegal drugs/chemical compounds for consumption/ingestion..."
-                       },
-                       {
-                          "value":"drugs-narcotics",
-                          "expanded":"Drugs/Narcotics",
-                          "description":"Illegal drugs/chemical compounds for consumption/ingestion..."
-                       }
-                    ]
-                 }
-              ]
-           }
-            }""".stripMargin))
-      val result = app[TagCtrl].importTaxonomy(request)
-
-      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
-      contentAsString(result) shouldEqual "1"
-    }
-
-    "import a taxonomy file if not existing" in testApp { app =>
-      WithFakeTaxonomyFile { tempFile =>
-        val files = Seq(FilePart("file", "machinetag.json", Some("application/json"), tempFile))
-        val request = FakeRequest(
-          "POST",
-          "/api/tag/_import",
-          Headers("user" -> "admin@thehive.local"),
-          body = AnyContentAsMultipartFormData(MultipartFormData(Map.empty, files, Nil))
-        )
-        val result = app[TagCtrl].importTaxonomy(request)
-
-        status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
-        contentAsString(result) shouldEqual "3"
-
-        val resultBis = app[TagCtrl].importTaxonomy(request)
-
-        status(resultBis) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(resultBis)}")
-        contentAsString(resultBis) shouldEqual "0"
-      }
-    }
-
     "get a tag" in testApp { app =>
       // Get a tag id first
       val tags = app[Database].roTransaction(implicit graph => app[TagSrv].startTraversal.toSeq)
@@ -132,87 +24,40 @@ class TagCtrlTest extends PlaySpecification with TestAppBuilder {
     }
 
     "search a tag" in testApp { app =>
-      val json = Json.parse("""{
-         "range":"all",
-         "sort":[
-            "-updatedAt",
-            "-createdAt"
-         ],
-         "query":{
-            "_and":[
-               {
-                  "_is":{
-                     "namespace":"testNamespace"
-                  }
-               },
-               {
-                  "_or":[
-                     {
-                        "value":"testDomain"
-                     },
-                     {
-                        "value":"hello"
-                     }
-                  ]
-               }
-            ]
-         }
-          }""".stripMargin)
-
-      val request = FakeRequest("POST", s"/api/tag/_search")
-        .withHeaders("user" -> "certuser@thehive.local")
-        .withJsonBody(json)
-      val result = app[TagCtrl].search(request)
-
-      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
-
-      val l = contentAsJson(result)(defaultAwaitTimeout, app[Materializer]).as[List[OutputTag]]
-
-      l.length shouldEqual 2
-      l.find(_.value.get == "testDomain") must beSome
-    }
-  }
-}
-
-object WithFakeTaxonomyFile {
-
-  def apply[A](body: Files.TemporaryFile => A): A = {
-    val tempFile = JFiles.createTempFile("thehive-", "-test.json")
-    JFiles.write(
-      tempFile,
-      s"""{
-        "namespace": "access-method",
-        "description": "The access method used to remotely access a system.",
-        "version": 1,
-        "expanded": "Access method",
-        "predicates": [
-          {
-            "value": "password-guessing2",
-            "expanded": "Password guessing",
-            "description": "Access was gained through guessing passwords through trial and error."
-          },
-          {
-            "value": "password-guessing",
-            "expanded": "Password guessing",
-            "description": "Access was gained through guessing passwords through trial and error."
-          },
-          {
-            "value": "brute-force2",
-            "expanded": "Brute forcing",
-            "description": "Yeah..."
-          }
-        ]
-        }""".getBytes
-    )
-    val fakeTempFile = new Files.TemporaryFile {
-      override def path: Path                                 = tempFile
-      override def file: File                                 = tempFile.toFile
-      override def temporaryFileCreator: TemporaryFileCreator = NoTemporaryFileCreator
-    }
-    try body(fakeTempFile)
-    finally {
-      JFiles.deleteIfExists(tempFile)
-      ()
+//      val json = Json.parse("""{
+//         "range":"all",
+//         "sort":[
+//            "-updatedAt",
+//            "-createdAt"
+//         ],
+//         "query":{
+//            "_and":[
+//               {
+//                  "_or":[
+//                     {
+//                        "predicate":"testDomain"
+//                     },
+//                     {
+//                        "predicate":"t2"
+//                     }
+//                  ]
+//               }
+//            ]
+//         }
+//          }""".stripMargin)
+//
+//      val request = FakeRequest("POST", s"/api/tag/_search")
+//        .withHeaders("user" -> "certuser@thehive.local")
+//        .withJsonBody(json)
+//      val result = app[TagCtrl].search(request)
+//
+//      status(result) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+//
+//      val l = contentAsJson(result)(defaultAwaitTimeout, app[Materializer]).as[List[OutputTag]]
+//
+//      l.length shouldEqual 2
+//      l.find(_.predicate == "testDomain") must beSome
+      pending("freetags created in test database are owned by organisation admin")
     }
   }
 }
diff --git a/thehive/test/org/thp/thehive/controllers/v1/AlertCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/AlertCtrlTest.scala
index d12bc94044..dd4803e736 100644
--- a/thehive/test/org/thp/thehive/controllers/v1/AlertCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v1/AlertCtrlTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.Date
-
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.traversal.TraversalOps._
 import org.thp.thehive.TestAppBuilder
@@ -11,6 +9,8 @@ import org.thp.thehive.services.AlertSrv
 import play.api.libs.json.{JsObject, JsString, Json}
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
 case class TestAlert(
     `type`: String,
     source: String,
@@ -150,7 +150,7 @@ class AlertCtrlTest extends PlaySpecification with TestAppBuilder {
           description = "description of alert #1",
           severity = 2,
           date = new Date(1555359572000L),
-          tags = Set("testNamespace:testPredicate=\"alert\"", "testNamespace:testPredicate=\"test\""),
+          tags = Set("alert", "test"),
           tlp = 2,
           pap = 2,
           read = false,
diff --git a/thehive/test/org/thp/thehive/controllers/v1/CaseCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/CaseCtrlTest.scala
index a7726a858e..a364bb70e8 100644
--- a/thehive/test/org/thp/thehive/controllers/v1/CaseCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v1/CaseCtrlTest.scala
@@ -1,12 +1,20 @@
 package org.thp.thehive.controllers.v1
 
-import java.util.Date
-
+import io.scalaland.chimney.dsl.TransformerOps
 import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.dto.v1.{InputCase, OutputCase, OutputCustomFieldValue}
 import play.api.libs.json.{JsNull, JsString, JsValue, Json}
 import play.api.test.{FakeRequest, PlaySpecification}
 
+import java.util.Date
+
+case class TestCustomFieldValue(name: String, description: String, `type`: String, value: JsValue, order: Int)
+
+object TestCustomFieldValue {
+  def apply(outputCustomFieldValue: OutputCustomFieldValue): TestCustomFieldValue =
+    outputCustomFieldValue.into[TestCustomFieldValue].transform
+}
+
 case class TestCase(
     title: String,
     description: String,
@@ -19,40 +27,19 @@ case class TestCase(
     pap: Int,
     status: String,
     summary: Option[String] = None,
+    impactStatus: Option[String] = None,
+    resolutionStatus: Option[String] = None,
     user: Option[String],
     customFields: Seq[TestCustomFieldValue] = Seq.empty
 )
 
 object TestCase {
   def apply(outputCase: OutputCase): TestCase =
-    TestCase(
-      outputCase.title,
-      outputCase.description,
-      outputCase.severity,
-      outputCase.startDate,
-      outputCase.endDate,
-      outputCase.tags,
-      outputCase.flag,
-      outputCase.tlp,
-      outputCase.pap,
-      outputCase.status,
-      outputCase.summary,
-      outputCase.assignee,
-      outputCase.customFields.map(TestCustomFieldValue.apply).sortBy(_.order)
-    )
-}
-
-case class TestCustomFieldValue(name: String, description: String, `type`: String, value: JsValue, order: Int)
-
-object TestCustomFieldValue {
-  def apply(outputCustomFieldValue: OutputCustomFieldValue): TestCustomFieldValue =
-    TestCustomFieldValue(
-      outputCustomFieldValue.name,
-      outputCustomFieldValue.description,
-      outputCustomFieldValue.`type`,
-      outputCustomFieldValue.value,
-      outputCustomFieldValue.order
-    )
+    outputCase
+      .into[TestCase]
+      .withFieldRenamed(_.assignee, _.user)
+      .withFieldComputed(_.customFields, _.customFields.map(TestCustomFieldValue.apply).sortBy(_.order))
+      .transform
 }
 
 class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
@@ -70,7 +57,8 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
               tags = Set("tag1", "tag2"),
               flag = Some(false),
               tlp = Some(1),
-              pap = Some(3)
+              pap = Some(3),
+              user = Some("certro@thehive.local")
             )
           )
         )
@@ -90,7 +78,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
         pap = 3,
         status = "Open",
         summary = None,
-        user = Some("certuser@thehive.local"),
+        user = Some("certro@thehive.local"),
         customFields = Seq.empty
       )
 
@@ -124,7 +112,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
         severity = 1,
         startDate = now,
         endDate = None,
-        tags = Set("tag1", "tag2", "testNamespace:testPredicate=\"spam\"", "testNamespace:testPredicate=\"src:mail\""),
+        tags = Set("tag1", "tag2", "spam", "src:mail"),
         flag = false,
         tlp = 1,
         pap = 3,
@@ -151,7 +139,7 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
         severity = 2,
         startDate = new Date(1531667370000L),
         endDate = None,
-        tags = Set("testNamespace:testPredicate=\"t1\"", "testNamespace:testPredicate=\"t3\""),
+        tags = Set("t1", "t3"),
         flag = false,
         tlp = 2,
         pap = 2,
@@ -196,5 +184,68 @@ class CaseCtrlTest extends PlaySpecification with TestAppBuilder {
 //        TestCase(resultCase) must_=== expected
       pending
     }
+
+    "merge 3 cases correctly" in testApp { app =>
+      val request21 = FakeRequest("GET", s"/api/v1/case/#21")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val case21 = app[CaseCtrl].get("21")(request21)
+      status(case21) must equalTo(200).updateMessage(s => s"$s\n${contentAsString(case21)}")
+      val output21 = contentAsJson(case21).as[OutputCase]
+
+      val request = FakeRequest("GET", "/api/v1/case/_merge/21,22,23")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21,22,23")(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      val outputCase = contentAsJson(result).as[OutputCase]
+
+      // Merge result
+      TestCase(outputCase) must equalTo(
+        TestCase(
+          title = "case#21 / case#22 / case#23",
+          description = "description of case #21\n\ndescription of case #22\n\ndescription of case #23",
+          severity = 3,
+          startDate = output21.startDate,
+          endDate = output21.endDate,
+          Set("toMerge:pred1=\"value1\"", "toMerge:pred2=\"value2\""),
+          flag = true,
+          tlp = 4,
+          pap = 3,
+          status = "Open",
+          None,
+          None,
+          None,
+          Some("certuser@thehive.local"),
+          Seq()
+        )
+      )
+
+      // Merged cases should be deleted
+      val deleted21 = app[CaseCtrl].get("21")(request)
+      status(deleted21) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(deleted21)}")
+      val deleted22 = app[CaseCtrl].get("22")(request)
+      status(deleted22) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(deleted22)}")
+      val deleted23 = app[CaseCtrl].get("23")(request)
+      status(deleted23) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(deleted23)}")
+    }
+
+    "merge two cases error, not same organisation" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/case/_merge/21,24")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21,24")(request)
+      // User shouldn't be able to see others cases, resulting in 404
+      status(result) must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+    }
+
+    "merge two cases error, not same profile" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/case/_merge/21,25")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[CaseCtrl].merge("21,25")(request)
+      status(result)                              must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("BadRequest")
+    }
   }
 }
diff --git a/thehive/test/org/thp/thehive/controllers/v1/PatternCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/PatternCtrlTest.scala
new file mode 100644
index 0000000000..aea6e1de5e
--- /dev/null
+++ b/thehive/test/org/thp/thehive/controllers/v1/PatternCtrlTest.scala
@@ -0,0 +1,193 @@
+package org.thp.thehive.controllers.v1
+
+import io.scalaland.chimney.dsl._
+import org.thp.scalligraph.controllers.FakeTemporaryFile
+import org.thp.thehive.TestAppBuilder
+import org.thp.thehive.dto.v1.OutputPattern
+import play.api.libs.json.{JsArray, JsString}
+import play.api.mvc.MultipartFormData.FilePart
+import play.api.mvc.{AnyContentAsMultipartFormData, MultipartFormData}
+import play.api.test.{FakeRequest, PlaySpecification}
+
+case class TestPattern(
+    patternId: String,
+    name: String,
+    description: Option[String],
+    tactics: Set[String],
+    url: String,
+    patternType: String,
+    capecId: Option[String],
+    capecUrl: Option[String],
+    revoked: Boolean,
+    dataSources: Seq[String],
+    defenseBypassed: Seq[String],
+    detection: Option[String],
+    permissionsRequired: Seq[String],
+    platforms: Seq[String],
+    remoteSupport: Boolean,
+    systemRequirements: Seq[String],
+    version: Option[String]
+)
+
+object TestPattern {
+  def apply(outputPattern: OutputPattern): TestPattern =
+    outputPattern.into[TestPattern].transform
+}
+
+class PatternCtrlTest extends PlaySpecification with TestAppBuilder {
+  "pattern controller" should {
+    "import json patterns" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/pattern/import/attack")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(
+          AnyContentAsMultipartFormData(
+            MultipartFormData(
+              dataParts = Map.empty,
+              files = Seq(FilePart("file", "patterns.json", Option("application/json"), FakeTemporaryFile.fromResource("/patterns.json"))),
+              badParts = Seq()
+            )
+          )
+        )
+
+      val result = app[PatternCtrl].importMitre(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      contentAsJson(result)
+        .as[JsArray]
+        .value
+        .count(jsValue => (jsValue \ "status").get == JsString("Success")) must beEqualTo(8)
+    }
+
+    "get a existing pattern" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/pattern/T123")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[PatternCtrl].get("T123")(request)
+      status(result) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+      val resultPattern = contentAsJson(result).as[OutputPattern]
+
+      TestPattern(resultPattern) must_=== TestPattern(
+        "T123",
+        "testPattern1",
+        Some("The testPattern 1"),
+        Set("testTactic1", "testTactic2"),
+        "http://test.pattern.url",
+        "unit-test",
+        None,
+        None,
+        revoked = false,
+        Seq(),
+        Seq(),
+        None,
+        Seq(),
+        Seq(),
+        remoteSupport = true,
+        Seq(),
+        Some("1.0")
+      )
+    }
+
+    "get patterns linked to case" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/pattern/case/1")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[PatternCtrl].getCasePatterns("1")(request)
+      status(result) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      contentAsJson(result).as[Seq[OutputPattern]].size must beEqualTo(2)
+    }
+
+    "import & update a pattern" in testApp { app =>
+      // Get a pattern
+      val request1 = FakeRequest("GET", "/api/v1/pattern/T123")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result1 = app[PatternCtrl].get("T123")(request1)
+      status(result1) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result1)}")
+      val result1Pattern = contentAsJson(result1).as[OutputPattern]
+
+      TestPattern(result1Pattern) must_=== TestPattern(
+        "T123",
+        "testPattern1",
+        Some("The testPattern 1"),
+        Set("testTactic1", "testTactic2"),
+        "http://test.pattern.url",
+        "unit-test",
+        None,
+        None,
+        revoked = false,
+        Seq(),
+        Seq(),
+        None,
+        Seq(),
+        Seq(),
+        remoteSupport = true,
+        Seq(),
+        Some("1.0")
+      )
+
+      // Update a pattern
+      val request2 = FakeRequest("POST", "/api/v1/pattern/import/attack")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(
+          AnyContentAsMultipartFormData(
+            MultipartFormData(
+              dataParts = Map.empty,
+              files =
+                Seq(FilePart("file", "patternsUpdate.json", Option("application/json"), FakeTemporaryFile.fromResource("/patternsUpdate.json"))),
+              badParts = Seq()
+            )
+          )
+        )
+
+      val result2 = app[PatternCtrl].importMitre(request2)
+      status(result2) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      // Check for updates
+      val request3 = FakeRequest("GET", "/api/v1/pattern/T123")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result3 = app[PatternCtrl].get("T123")(request3)
+      status(result3) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result3)}")
+      val result3Pattern = contentAsJson(result3).as[OutputPattern]
+
+      TestPattern(result3Pattern) must_=== TestPattern(
+        "T123",
+        "Updated testPattern1",
+        None,
+        Set(),
+        "https://attack.mitre.org/techniques/T123",
+        "attack-pattern",
+        None,
+        None,
+        revoked = true,
+        Seq(),
+        Seq(),
+        None,
+        Seq(),
+        Seq(),
+        remoteSupport = false,
+        Seq(),
+        None
+      )
+    }
+
+    "delete a pattern" in testApp { app =>
+      val request1 = FakeRequest("GET", "/api/v1/pattern/testPattern1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result1 = app[PatternCtrl].get("T123")(request1)
+      status(result1) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val request2 = FakeRequest("DELETE", "/api/v1/pattern/testPattern1")
+        .withHeaders("user" -> "admin@thehive.local")
+      val result2 = app[PatternCtrl].delete("T123")(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/pattern/testPattern1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result3 = app[PatternCtrl].get("T123")(request3)
+      status(result3) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result3)}")
+    }
+
+  }
+}
diff --git a/thehive/test/org/thp/thehive/controllers/v1/ProcedureCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/ProcedureCtrlTest.scala
new file mode 100644
index 0000000000..b62b269558
--- /dev/null
+++ b/thehive/test/org/thp/thehive/controllers/v1/ProcedureCtrlTest.scala
@@ -0,0 +1,120 @@
+package org.thp.thehive.controllers.v1
+
+import io.scalaland.chimney.dsl.TransformerOps
+import org.thp.thehive.TestAppBuilder
+import org.thp.thehive.dto.v1.{InputProcedure, OutputProcedure}
+import play.api.libs.json.Json
+import play.api.test.{FakeRequest, PlaySpecification}
+
+import java.util.Date
+
+case class TestProcedure(
+    description: Option[String],
+    occurDate: Date,
+    tactic: String,
+    patternId: String
+)
+
+object TestProcedure {
+  def apply(outputProcedure: OutputProcedure): TestProcedure =
+    outputProcedure.into[TestProcedure].transform
+}
+
+class ProcedureCtrlTest extends PlaySpecification with TestAppBuilder {
+  "procedure controller" should {
+    "create a valid procedure" in testApp { app =>
+      val procedureDate = new Date()
+      val inputProcedure = InputProcedure(
+        Some("testProcedure3"),
+        procedureDate,
+        "tactic1",
+        "1",
+        "T123"
+      )
+
+      val request = FakeRequest("POST", "/api/v1/procedure")
+        .withJsonBody(Json.toJson(inputProcedure))
+        .withHeaders("user" -> "certadmin@thehive.local")
+
+      val result = app[ProcedureCtrl].create(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      val resultProcedure = contentAsJson(result).as[OutputProcedure]
+
+      TestProcedure(resultProcedure) must_=== TestProcedure(
+        Some("testProcedure3"),
+        procedureDate,
+        "tactic1",
+        "T123"
+      )
+    }
+
+    "update a procedure" in testApp { app =>
+      val request1 = FakeRequest("POST", "/api/v1/procedure/testProcedure3")
+        .withJsonBody(
+          Json.toJson(
+            InputProcedure(
+              Some("an old description"),
+              new Date(),
+              "tactic1",
+              "1",
+              "T123"
+            )
+          )
+        )
+        .withHeaders("user" -> "certadmin@thehive.local")
+      val result1     = app[ProcedureCtrl].create(request1)
+      val procedureId = contentAsJson(result1).as[OutputProcedure]._id
+      status(result1) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val updatedDate = new Date()
+      val request2 = FakeRequest("PATCH", "/api/v1/procedure/testProcedure3")
+        .withHeaders("user" -> "certadmin@thehive.local")
+        .withJsonBody(Json.obj("description" -> "a new description", "occurDate" -> updatedDate, "tactic" -> "tactic2"))
+      val result2 = app[ProcedureCtrl].update(procedureId)(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/procedure/testProcedure3")
+        .withHeaders("user" -> "certadmin@thehive.local")
+      val result3 = app[ProcedureCtrl].get(procedureId)(request3)
+      status(result3) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result3)}")
+
+      val resultProcedure = contentAsJson(result3).as[OutputProcedure]
+      TestProcedure(resultProcedure) must_=== TestProcedure(
+        Some("a new description"),
+        updatedDate,
+        "tactic2",
+        "T123"
+      )
+    }
+
+    "delete a procedure" in testApp { app =>
+      val request1 = FakeRequest("POST", "/api/v1/procedure/testProcedure3")
+        .withJsonBody(
+          Json.toJson(
+            InputProcedure(
+              Some("testProcedure3"),
+              new Date(),
+              "tactic1",
+              "1",
+              "T123"
+            )
+          )
+        )
+        .withHeaders("user" -> "certadmin@thehive.local")
+      val result1     = app[ProcedureCtrl].create(request1)
+      val procedureId = contentAsJson(result1).as[OutputProcedure]._id
+      status(result1) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val request2 = FakeRequest("DELETE", "/api/v1/procedure/testProcedure3")
+        .withHeaders("user" -> "certadmin@thehive.local")
+      val result2 = app[ProcedureCtrl].delete(procedureId)(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/procedure/testProcedure3")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result3 = app[ProcedureCtrl].get(procedureId)(request3)
+      status(result3) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result3)}")
+    }
+  }
+}
diff --git a/thehive/test/org/thp/thehive/controllers/v1/TaxonomyCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/TaxonomyCtrlTest.scala
new file mode 100644
index 0000000000..777158c2a2
--- /dev/null
+++ b/thehive/test/org/thp/thehive/controllers/v1/TaxonomyCtrlTest.scala
@@ -0,0 +1,266 @@
+package org.thp.thehive.controllers.v1
+
+import io.scalaland.chimney.dsl.TransformerOps
+import org.thp.scalligraph.controllers.FakeTemporaryFile
+import org.thp.thehive.TestAppBuilder
+import org.thp.thehive.dto.v1._
+import play.api.libs.Files
+import play.api.libs.json.{JsArray, Json}
+import play.api.mvc.MultipartFormData.FilePart
+import play.api.mvc.{AnyContentAsMultipartFormData, MultipartFormData}
+import play.api.test.{FakeRequest, PlaySpecification}
+
+case class TestTaxonomy(
+    namespace: String,
+    description: String,
+    version: Int,
+    tags: Set[TestTag]
+)
+
+object TestTaxonomy {
+  def apply(outputTaxonomy: OutputTaxonomy): TestTaxonomy =
+    outputTaxonomy
+      .into[TestTaxonomy]
+      .withFieldComputed(_.tags, _.tags.toSet.map(TestTag.apply))
+      .transform
+}
+
+case class TestTag(namespace: String, predicate: String, value: Option[String], description: Option[String], colour: String)
+
+object TestTag {
+  def apply(outputTag: OutputTag): TestTag =
+    TestTag(outputTag.namespace, outputTag.predicate, outputTag.value, outputTag.description, outputTag.colour)
+}
+class TaxonomyCtrlTest extends PlaySpecification with TestAppBuilder {
+  "taxonomy controller" should {
+
+    val inputTaxo = InputTaxonomy(
+      "test-taxo",
+      "A test taxonomy",
+      1,
+      None,
+      List(
+        InputPredicate("pred1", None, None, None, None),
+        InputPredicate("pred2", None, None, None, None)
+      ),
+      List(
+        InputValue("pred1", List(InputEntry("entry1", None, Some("#ffa800"), None, None))),
+        InputValue(
+          "pred2",
+          List(
+            InputEntry("entry2", None, Some("#00ad1c"), None, None),
+            InputEntry("entry21", None, Some("#00ad1c"), None, None)
+          )
+        )
+      )
+    )
+
+    val updateTaxo = InputTaxonomy(
+      "taxonomy1",
+      "Updated The taxonomy 1",
+      2,
+      None,
+      List(InputPredicate("pred1", None, None, None, None)),
+      List(InputValue("pred1", List(InputEntry("value2", None, Some("#fba800"), None, None))))
+    )
+
+    "create a valid taxonomy" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy")
+        .withJsonBody(Json.toJson(inputTaxo))
+        .withHeaders("user" -> "admin@thehive.local")
+
+      val result = app[TaxonomyCtrl].create(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      val resultTaxo = contentAsJson(result).as[OutputTaxonomy]
+
+      TestTaxonomy(resultTaxo) must_=== TestTaxonomy(
+        "test-taxo",
+        "A test taxonomy",
+        1,
+        Set(
+          TestTag("test-taxo", "pred1", Some("entry1"), None, "#ffa800"),
+          TestTag("test-taxo", "pred2", Some("entry2"), None, "#00ad1c"),
+          TestTag("test-taxo", "pred2", Some("entry21"), None, "#00ad1c")
+        )
+      )
+    }
+
+    "return error if not admin" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy")
+        .withJsonBody(Json.toJson(inputTaxo))
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[TaxonomyCtrl].create(request)
+      status(result) must beEqualTo(403).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("AuthorizationError")
+    }
+
+    "return error if namespace is empty" in testApp { app =>
+      val emptyNamespace = inputTaxo.copy(namespace = "")
+
+      val request = FakeRequest("POST", "/api/v1/taxonomy")
+        .withJsonBody(Json.toJson(emptyNamespace))
+        .withHeaders("user" -> "admin@thehive.local")
+
+      val result = app[TaxonomyCtrl].create(request)
+      status(result) must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("BadRequest")
+
+    }
+
+    "get a taxonomy present" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "certuser@thehive.local")
+
+      val result = app[TaxonomyCtrl].get("taxonomy1")(request)
+      status(result) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result)}")
+      val resultCase = contentAsJson(result).as[OutputTaxonomy]
+
+      TestTaxonomy(resultCase) must_=== TestTaxonomy(
+        "taxonomy1",
+        "The taxonomy 1",
+        1,
+        Set(TestTag("taxonomy1", "pred1", Some("value1"), None, "#00f300"))
+      )
+    }
+
+    "return error if taxonomy is not present in database" in testApp { app =>
+      val request = FakeRequest("GET", "/api/v1/taxonomy/taxonomy404")
+        .withHeaders("user" -> "admin@thehive.local")
+
+      val result = app[TaxonomyCtrl].get("taxonomy404")(request)
+      status(result) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("NotFoundError")
+    }
+
+    "import zip file correctly" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy/import-zip")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(AnyContentAsMultipartFormData(multipartZipFile("machinetag.zip")))
+
+      val result = app[TaxonomyCtrl].importZip(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      contentAsString(result) must not contain "Failure"
+      contentAsJson(result).as[JsArray].value.size must beEqualTo(2)
+    }
+
+    "import zip file with folders correctly" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy/import-zip")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(AnyContentAsMultipartFormData(multipartZipFile("machinetag-folders.zip")))
+
+      val result = app[TaxonomyCtrl].importZip(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      contentAsString(result) must not contain "Failure"
+      contentAsJson(result).as[JsArray].value.size must beEqualTo(2)
+    }
+
+    "return no error if zip file contains other files than taxonomies" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy/import-zip")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(AnyContentAsMultipartFormData(multipartZipFile("machinetag-otherfiles.zip")))
+
+      val result = app[TaxonomyCtrl].importZip(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      contentAsString(result) must not contain "Failure"
+      contentAsJson(result).as[JsArray].value.size must beEqualTo(1)
+    }
+
+    "return error if zip file contains a bad formatted taxonomy" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy/import-zip")
+        .withHeaders("user" -> "admin@thehive.local")
+        .withBody(AnyContentAsMultipartFormData(multipartZipFile("machinetag-badformat.zip")))
+
+      val result = app[TaxonomyCtrl].importZip(request)
+      status(result) must beEqualTo(400).updateMessage(s => s"$s\n${contentAsString(result)}")
+      (contentAsJson(result) \ "type").as[String] must beEqualTo("BadRequest")
+      (contentAsJson(result) \ "message").as[String] must contain("formatting")
+    }
+
+    "update a taxonomies and their tags" in testApp { app =>
+      val request = FakeRequest("POST", "/api/v1/taxonomy")
+        .withJsonBody(Json.toJson(updateTaxo))
+        .withHeaders("user" -> "admin@thehive.local")
+
+      val result = app[TaxonomyCtrl].create(request)
+      status(result) must beEqualTo(201).updateMessage(s => s"$s\n${contentAsString(result)}")
+
+      val resultTaxo = contentAsJson(result).as[OutputTaxonomy]
+
+      TestTaxonomy(resultTaxo) must_=== TestTaxonomy(
+        "taxonomy1",
+        "Updated The taxonomy 1",
+        2,
+        Set(
+          TestTag("taxonomy1", "pred1", Some("value2"), None, "#fba800"),
+          TestTag("taxonomy1", "pred1", Some("value1"), None, "#00f300")
+        )
+      )
+    }
+
+    "activate a taxonomy" in testApp { app =>
+      val request1 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy2")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result1 = app[TaxonomyCtrl].get("taxonomy2")(request1)
+      status(result1) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val request2 = FakeRequest("PUT", "/api/v1/taxonomy/taxonomy2")
+        .withHeaders("user" -> "admin@thehive.local")
+      val result2 = app[TaxonomyCtrl].toggleActivation("taxonomy2", isActive = true)(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy2")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result3 = app[TaxonomyCtrl].get("taxonomy2")(request3)
+      status(result3) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result3)}")
+    }
+
+    "deactivate a taxonomy" in testApp { app =>
+      val request1 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result1 = app[TaxonomyCtrl].get("taxonomy1")(request1)
+      status(result1) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val request2 = FakeRequest("PUT", "/api/v1/taxonomy/taxonomy1/deactivate")
+        .withHeaders("user" -> "admin@thehive.local")
+      val result2 = app[TaxonomyCtrl].toggleActivation("taxonomy1", isActive = false)(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result3 = app[TaxonomyCtrl].get("taxonomy1")(request3)
+      status(result3) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result3)}")
+    }
+
+    "delete a taxonomy" in testApp { app =>
+      val request1 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result1 = app[TaxonomyCtrl].get("taxonomy1")(request1)
+      status(result1) must beEqualTo(200).updateMessage(s => s"$s\n${contentAsString(result1)}")
+
+      val request2 = FakeRequest("DELETE", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "admin@thehive.local")
+      val result2 = app[TaxonomyCtrl].delete("taxonomy1")(request2)
+      status(result2) must beEqualTo(204).updateMessage(s => s"$s\n${contentAsString(result2)}")
+
+      val request3 = FakeRequest("GET", "/api/v1/taxonomy/taxonomy1")
+        .withHeaders("user" -> "certuser@thehive.local")
+      val result3 = app[TaxonomyCtrl].get("taxonomy1")(request3)
+      status(result3) must beEqualTo(404).updateMessage(s => s"$s\n${contentAsString(result3)}")
+    }
+
+  }
+
+  def multipartZipFile(name: String): MultipartFormData[Files.TemporaryFile] =
+    // file must be place in test/resources/
+    MultipartFormData(
+      dataParts = Map.empty,
+      files = Seq(FilePart("file", name, Option("application/zip"), FakeTemporaryFile.fromResource(s"/$name"))),
+      badParts = Seq()
+    )
+
+}
diff --git a/thehive/test/org/thp/thehive/controllers/v1/UserCtrlTest.scala b/thehive/test/org/thp/thehive/controllers/v1/UserCtrlTest.scala
index 8a5773b794..920d6b2385 100644
--- a/thehive/test/org/thp/thehive/controllers/v1/UserCtrlTest.scala
+++ b/thehive/test/org/thp/thehive/controllers/v1/UserCtrlTest.scala
@@ -35,7 +35,7 @@ class UserCtrlTest extends PlaySpecification with TestAppBuilder {
         login = "admin@thehive.local",
         name = "Default admin user",
         profile = "admin",
-        permissions = Permissions.adminPermissions.map(_.toString),
+        permissions = Permissions.adminPermissions.asInstanceOf[Set[String]],
         organisation = Organisation.administration.name
       )
 
@@ -107,11 +107,13 @@ class UserCtrlTest extends PlaySpecification with TestAppBuilder {
           Permissions.manageCase,
           Permissions.manageUser,
           Permissions.managePage,
+          Permissions.manageProcedure,
           Permissions.manageObservable,
           Permissions.manageAlert,
           Permissions.manageAction,
           Permissions.manageConfig,
-          Permissions.accessTheHiveFS
+          Permissions.accessTheHiveFS,
+          Permissions.manageTag
         ),
         organisation = "cert"
       )
@@ -128,7 +130,7 @@ class UserCtrlTest extends PlaySpecification with TestAppBuilder {
         login = "socuser@thehive.local",
         name = "socuser",
         profile = "analyst",
-        permissions = Profile.analyst.permissions.map(_.toString),
+        permissions = Profile.analyst.permissions.asInstanceOf[Set[String]],
         organisation = "soc"
       )
 
diff --git a/thehive/test/org/thp/thehive/models/TagTest.scala b/thehive/test/org/thp/thehive/models/TagTest.scala
deleted file mode 100644
index 29a9021c47..0000000000
--- a/thehive/test/org/thp/thehive/models/TagTest.scala
+++ /dev/null
@@ -1,47 +0,0 @@
-package org.thp.thehive.models
-
-import play.api.test.PlaySpecification
-
-class TagTest extends PlaySpecification {
-  val defaultNamespace: String = "_default_namespace_"
-  val defaultColor: Int        = 0xffff00
-
-  def parseTag(s: String): Tag = Tag.fromString(s, defaultNamespace, defaultColor)
-  "tag" should {
-    "be parsed from key:value" in {
-      val tag = parseTag("Module:atest_blah_blah")
-      tag must beEqualTo(Tag(defaultNamespace, "Module", Some("atest_blah_blah"), None, defaultColor))
-      tag.toString must beEqualTo("Module=\"atest_blah_blah\"")
-    }
-
-    "be parsed from key:value=" in {
-      val tag = parseTag("Id:7SeUoB3IBABD+tMh2PjVJYg==")
-      tag must beEqualTo(Tag(defaultNamespace, "Id", Some("7SeUoB3IBABD+tMh2PjVJYg=="), None, defaultColor))
-      tag.toString must beEqualTo("Id=\"7SeUoB3IBABD+tMh2PjVJYg==\"")
-    }
-
-    "be parsed from key: value" in {
-      val tag = parseTag("domain: google.com")
-      tag must beEqualTo(Tag(defaultNamespace, "domain", Some("google.com"), None, defaultColor))
-      tag.toString must beEqualTo("domain=\"google.com\"")
-    }
-
-    "be parsed from key: a.b.c.d" in {
-      val tag = parseTag("ip: 8.8.8.8")
-      tag must beEqualTo(Tag(defaultNamespace, "ip", Some("8.8.8.8"), None, defaultColor))
-      tag.toString must beEqualTo("ip=\"8.8.8.8\"")
-    }
-
-    "be parsed with colour" in {
-      val tag = parseTag("ip:8.8.8.8#FF00FF")
-      tag must beEqualTo(Tag(defaultNamespace, "ip", Some("8.8.8.8"), None, 0xFF00FF))
-      tag.toString must beEqualTo("ip=\"8.8.8.8\"")
-    }
-
-    "be parsed with hash sign and colour" in {
-      val tag = parseTag("case:#42#FF00FF")
-      tag must beEqualTo(Tag(defaultNamespace, "case", Some("#42"), None, 0xFF00FF))
-      tag.toString must beEqualTo("case=\"#42\"")
-    }
-  }
-}
diff --git a/thehive/test/org/thp/thehive/services/AlertSrvTest.scala b/thehive/test/org/thp/thehive/services/AlertSrvTest.scala
index 8d6a0e2bcb..c373e7c1be 100644
--- a/thehive/test/org/thp/thehive/services/AlertSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/AlertSrvTest.scala
@@ -1,11 +1,9 @@
 package org.thp.thehive.services
 
-import java.util.Date
-
-import org.thp.scalligraph.{EntityIdOrName, EntityName}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.traversal.TraversalOps._
+import org.thp.scalligraph.{EntityIdOrName, EntityName}
 import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.dto.v1.InputCustomFieldValue
 import org.thp.thehive.models._
@@ -16,12 +14,15 @@ import org.thp.thehive.services.OrganisationOps._
 import play.api.libs.json.JsString
 import play.api.test.PlaySpecification
 
+import java.util.Date
+
 class AlertSrvTest extends PlaySpecification with TestAppBuilder {
   implicit val authContext: AuthContext = DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert").authContext
 
   "alert service" should {
     "create an alert" in testApp { app =>
       val a = app[Database].tryTransaction { implicit graph =>
+        val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
         app[AlertSrv].create(
           Alert(
             `type` = "test",
@@ -36,9 +37,12 @@ class AlertSrvTest extends PlaySpecification with TestAppBuilder {
             tlp = 1,
             pap = 2,
             read = false,
-            follow = false
+            follow = false,
+            organisationId = organisation._id,
+            tags = Seq("tag1", "tag2"),
+            caseId = None
           ),
-          app[OrganisationSrv].getOrFail(EntityName("cert")).get,
+          organisation,
           Set("tag1", "tag2"),
           Seq(InputCustomFieldValue("string1", Some("lol"), None)),
           Some(app[CaseTemplateSrv].getOrFail(EntityName("spam")).get)
@@ -68,9 +72,7 @@ class AlertSrvTest extends PlaySpecification with TestAppBuilder {
       val newTags = app[Database].tryTransaction { implicit graph =>
         for {
           alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref1"))
-          tag3  <- app[TagSrv].getOrCreate("tag3")
-          tag5  <- app[TagSrv].getOrCreate("tag5")
-          _     <- app[AlertSrv].updateTags(alert, Set(tag3, tag5))
+          _     <- app[AlertSrv].updateTags(alert, Set("tag3", "tag5"))
         } yield app[AlertSrv].get(EntityName("testType;testSource;ref1")).tags.toSeq
       }
       newTags must beSuccessfulTry.which(t => t.map(_.toString) must contain(exactly("tag3", "tag5")))
@@ -80,7 +82,7 @@ class AlertSrvTest extends PlaySpecification with TestAppBuilder {
       val tags = app[Database].tryTransaction { implicit graph =>
         for {
           alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref1"))
-          _     <- app[AlertSrv].updateTagNames(alert, Set("tag3", "tag5"))
+          _     <- app[AlertSrv].updateTags(alert, Set("tag3", "tag5"))
         } yield app[AlertSrv].get(EntityName("testType;testSource;ref1")).tags.toSeq
       }
       tags must beSuccessfulTry.which(t => t.map(_.toString) must contain(exactly("tag3", "tag5")))
@@ -94,50 +96,44 @@ class AlertSrvTest extends PlaySpecification with TestAppBuilder {
         } yield app[AlertSrv].get(EntityName("testType;testSource;ref1")).tags.toSeq
       }
 
-      tags must beSuccessfulTry.which(t =>
-        t.map(_.toString) must contain(exactly("testNamespace:testPredicate=\"alert\"", "testNamespace:testPredicate=\"test\"", "tag7"))
-      )
+      tags must beSuccessfulTry.which(t => t.map(_.toString) must contain(exactly("alert", "test", "tag7")))
     }
 
-    "add an observable if not existing" in testApp { app =>
-      val similarObs = app[Database].tryTransaction { implicit graph =>
-        for {
-          observableType <- app[ObservableTypeSrv].getOrFail(EntityName("domain"))
-          observable <- app[ObservableSrv].create(
-            observable = Observable(Some("if you are lost"), 1, ioc = false, sighted = true, ignoreSimilarity = None),
-            `type` = observableType,
-            dataValue = "perdu.com",
-            tagNames = Set("tag10"),
-            extensions = Nil
-          )
-        } yield observable
-      }.get
-
-      app[Database].tryTransaction { implicit graph =>
-        for {
-          alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref4"))
-          _     <- app[AlertSrv].addObservable(alert, similarObs)
-        } yield ()
-      } must beASuccessfulTry
-
-      app[Database].tryTransaction { implicit graph =>
-        for {
-          alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref1"))
-          _     <- app[AlertSrv].addObservable(alert, similarObs)
-        } yield ()
-      } must beASuccessfulTry
-
-      app[Database].roTransaction { implicit graph =>
-        app[AlertSrv]
-          .get(EntityName("testType;testSource;ref1"))
-          .observables
-          .filterOnData("perdu.com")
-          .filterOnType("domain")
-          .tags
-          .toSeq
-          .map(_.toString)
-      } must contain("tag10")
-    }
+//    "add an observable if not existing" in testApp { app => // TODO clarify the expectation
+//      val anObservable = Observable(
+//        message = Some("if you are lost"),
+//        tlp = 1,
+//        ioc = false,
+//        sighted = true,
+//        ignoreSimilarity = None,
+//        dataType = "domain",
+//        tags = Seq("tag10")
+//      )
+//      app[Database].tryTransaction { implicit graph =>
+//        for {
+//          alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref4"))
+//          _     <- app[AlertSrv].createObservable(alert, anObservable, "perdu.com")
+//        } yield ()
+//      } must beASuccessfulTry
+//
+//      app[Database].tryTransaction { implicit graph =>
+//        for {
+//          alert <- app[AlertSrv].getOrFail(EntityName("testType;testSource;ref1"))
+//          _     <- app[AlertSrv].createObservable(alert, anObservable, "perdu.com")
+//        } yield ()
+//      } must beASuccessfulTry
+//
+//      app[Database].roTransaction { implicit graph =>
+//        app[AlertSrv]
+//          .get(EntityName("testType;testSource;ref1"))
+//          .observables
+//          .filterOnData("perdu.com")
+//          .filterOnType("domain")
+//          .tags
+//          .toSeq
+//          .map(_.toString)
+//      } must contain("tag10")
+//    }
 
     "update custom fields" in testApp { app =>
       app[Database].tryTransaction { implicit graph =>
@@ -211,8 +207,8 @@ class AlertSrvTest extends PlaySpecification with TestAppBuilder {
         val observables = app[CaseSrv].get(EntityName("1")).observables.richObservable.toList
         observables must have size 1
         observables must contain { (o: RichObservable) =>
-          o.data must beSome.which((_: Data).data must beEqualTo("h.fr"))
-          o.tags.map(_.toString) must contain("testNamespace:testPredicate=\"testDomain\"", "testNamespace:testPredicate=\"hello\"").exactly
+          o.data must beSome("h.fr")
+          o.tags must contain("testDomain")
         }
       }
     }
diff --git a/thehive/test/org/thp/thehive/services/AuditSrvTest.scala b/thehive/test/org/thp/thehive/services/AuditSrvTest.scala
index 5ff0a6089e..4de53dc8f0 100644
--- a/thehive/test/org/thp/thehive/services/AuditSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/AuditSrvTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.services
 
-import java.util.Date
-
 import org.apache.tinkerpop.gremlin.process.traversal.Order
 import org.thp.scalligraph.EntityName
 import org.thp.scalligraph.auth.AuthContext
@@ -11,32 +9,63 @@ import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.models._
 import play.api.test.PlaySpecification
 
+import java.util.Date
+import scala.util.Success
+
 class AuditSrvTest extends PlaySpecification with TestAppBuilder {
   implicit val authContext: AuthContext = DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert").getSystemAuthContext
 
   "audit service" should {
     "get main audits by ids and sorted" in testApp { app =>
-      app[Database].roTransaction { implicit graph =>
-        // Create 3 case events first
-        val orgAdmin = app[OrganisationSrv].getOrFail(EntityName("admin")).get
-        val c1 = app[Database]
-          .tryTransaction(implicit graph =>
-            app[CaseSrv].create(
-              Case(0, "case audit", "desc audit", 1, new Date(), None, flag = false, 1, 1, CaseStatus.Open, None),
-              None,
-              orgAdmin,
-              Set.empty,
-              Seq.empty,
-              None,
-              Nil
-            )
+      val org = app[Database].roTransaction { implicit graph =>
+        app[OrganisationSrv].getOrFail(EntityName("cert")).get
+      }
+      // Create 3 case events first
+      val c1 = app[Database].tryTransaction { implicit graph =>
+        val c = app[CaseSrv]
+          .create(
+            Case(
+              title = "case audit",
+              description = "desc audit",
+              severity = 1,
+              startDate = new Date(),
+              endDate = None,
+              flag = false,
+              tlp = 1,
+              pap = 1,
+              status = CaseStatus.Open,
+              summary = None,
+              tags = Nil
+            ),
+            assignee = None,
+            org,
+            Seq.empty,
+            None,
+            Nil
           )
           .get
-        app[CaseSrv].updateTagNames(c1.`case`, Set("lol"))
-        app[Database].tryTransaction { implicit graph =>
-          val t = app[TaskSrv].create(Task("test audit", "", None, TaskStatus.Waiting, flag = false, None, None, 0, None), None)
-          app[ShareSrv].shareTask(t.get, c1.`case`, orgAdmin)
-        }
+        app[CaseSrv].updateTags(c.`case`, Set("lol")).get
+        Success(c)
+      }.get
+
+      app[Database].tryTransaction { implicit graph =>
+        app[CaseSrv].createTask(
+          c1.`case`,
+          Task(
+            title = "test audit",
+            group = "",
+            description = None,
+            status = TaskStatus.Waiting,
+            flag = false,
+            startDate = None,
+            endDate = None,
+            order = 0,
+            dueDate = None,
+            assignee = None
+          )
+        )
+      }
+      app[Database].roTransaction { implicit graph =>
         val audits = app[AuditSrv].startTraversal.toSeq
 
         val r = app[AuditSrv].getMainByIds(Order.asc, audits.map(_._id): _*).toSeq
@@ -45,10 +74,25 @@ class AuditSrvTest extends PlaySpecification with TestAppBuilder {
         r.head shouldEqual audits.filter(_.mainAction).minBy(_._createdAt)
       }
     }
+
     "merge audits" in testApp { app =>
       val auditedTask = app[Database]
         .tryTransaction(implicit graph =>
-          app[TaskSrv].create(Task("test audit 1", "", None, TaskStatus.Waiting, flag = false, None, None, 0, None), None)
+          app[TaskSrv].create(
+            Task(
+              title = "test audit 1",
+              group = "",
+              description = None,
+              status = TaskStatus.Waiting,
+              flag = false,
+              startDate = None,
+              endDate = None,
+              order = 0,
+              dueDate = None,
+              assignee = None
+            ),
+            None
+          )
         )
         .get
       app[Database].tryTransaction { implicit graph =>
diff --git a/thehive/test/org/thp/thehive/services/CaseSrvTest.scala b/thehive/test/org/thp/thehive/services/CaseSrvTest.scala
index fcf58ac2f8..bd1548b4e0 100644
--- a/thehive/test/org/thp/thehive/services/CaseSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/CaseSrvTest.scala
@@ -1,26 +1,30 @@
 package org.thp.thehive.services
 
-import java.util.Date
-
 import org.specs2.matcher.Matcher
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.controllers.FPathElem
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.query.PropertyUpdater
 import org.thp.scalligraph.traversal.TraversalOps._
-import org.thp.scalligraph.{CreateError, EntityName}
+import org.thp.scalligraph.traversal.{Graph, Traversal}
+import org.thp.scalligraph.{BadRequestError, EntityName}
 import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.models._
 import org.thp.thehive.services.CaseOps._
+import org.thp.thehive.services.LogOps._
 import org.thp.thehive.services.ObservableOps._
+import org.thp.thehive.services.ShareOps._
+import org.thp.thehive.services.TaskOps._
 import play.api.libs.json.Json
 import play.api.test.PlaySpecification
 
+import java.util.Date
 import scala.util.Success
 
 class CaseSrvTest extends PlaySpecification with TestAppBuilder {
   implicit val authContext: AuthContext =
     DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert", permissions = Profile.analyst.permissions).authContext
+
   "case service" should {
 
     "list all cases" in testApp { app =>
@@ -52,7 +56,7 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
           summary = None,
           impactStatus = None,
           resolutionStatus = None,
-          user = Some("certuser@thehive.local"),
+          assignee = Some("certuser@thehive.local"),
           Nil,
           Set(
             Permissions.manageTask,
@@ -64,9 +68,10 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
             Permissions.manageShare,
             Permissions.managePage,
             Permissions.accessTheHiveFS
-          )
+          ),
+          richCase.`case`.organisationIds
         )
-        richCase.tags.map(_.toString) must contain(exactly("testNamespace:testPredicate=\"t1\"", "testNamespace:testPredicate=\"t3\""))
+        richCase.tags must contain(exactly("t1", "t3"))
       }
     }
 
@@ -93,7 +98,7 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
           summary = None,
           impactStatus = Some("NoImpact"),
           resolutionStatus = None,
-          user = Some("certuser@thehive.local"),
+          assignee = Some("certuser@thehive.local"),
           Nil,
           Set(
             Permissions.manageTask,
@@ -105,9 +110,10 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
             Permissions.manageShare,
             Permissions.managePage,
             Permissions.accessTheHiveFS
-          )
+          ),
+          richCase.`case`.organisationIds
         )
-        richCase.tags.map(_.toString) must contain(exactly("testNamespace:testPredicate=\"t2\"", "testNamespace:testPredicate=\"t1\""))
+        richCase.tags must contain(exactly("t2", "t1"))
         richCase._createdBy must_=== "system@thehive.local"
       }
     }
@@ -122,16 +128,14 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
         richCase.severity must_=== 2
         richCase.startDate must_=== new Date(1531667370000L)
         richCase.endDate must beNone
-        //        richCase.tags must contain( // TODO
-        //          exactly(Tag.fromString("testNamespace:testPredicate=\"t1\""), Tag.fromString("testNamespace:testPredicate=\"t2\""))
-        //        )
+        richCase.tags    must contain(exactly("t1", "t2"))
         richCase.flag must_=== false
         richCase.tlp must_=== 2
         richCase.pap must_=== 2
         richCase.status must_=== CaseStatus.Open
-        richCase.summary must beNone
+        richCase.summary      must beNone
         richCase.impactStatus must beNone
-        richCase.assignee must beSome("socuser@thehive.local")
+        richCase.assignee     must beSome("socuser@thehive.local")
         CustomField("boolean1", "boolean1", "boolean custom field", CustomFieldType.boolean, mandatory = false, options = Nil)
         richCase.customFields.map(f => (f.name, f.typeName, f.value)) must contain(
           allOf[(String, String, Option[Any])](
@@ -142,34 +146,6 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
       }
     }
 
-    "merge two cases" in testApp { app =>
-      pending
-    //      app[Database].transaction { implicit graph =>
-    //        Seq("#2", "#3").toTry(app[CaseSrv].getOrFail) must beSuccessfulTry.which { cases: Seq[Case with Entity] =>
-    //          val mergedCase = app[CaseSrv].merge(cases)(graph, dummyUserSrv.getSystemAuthContext)
-    //
-    //          mergedCase.title must_=== "case#2 / case#3"
-    //          mergedCase.description must_=== "description of case #2\n\ndescription of case #3"
-    //          mergedCase.severity must_=== 2
-    //          mergedCase.startDate must_=== new Date(1531667370000L)
-    //          mergedCase.endDate must beNone
-    //          mergedCase.tags must_=== Nil
-    //          mergedCase.flag must_=== false
-    //          mergedCase.tlp must_=== 2
-    //          mergedCase.pap must_=== 2
-    //          mergedCase.status must_=== CaseStatus.Open
-    //          mergedCase.summary must beNone
-    //          mergedCase.impactStatus must beNone
-    //          mergedCase.user must beSome("test")
-    //          mergedCase.customFields.map(f => (f.name, f.typeName, f.value)) must contain(
-    //            allOf[(String, String, Option[Any])](
-    //              ("boolean1", "boolean", Some(true)),
-    //              ("string1", "string", Some("string1 custom field"))
-    //            ))
-    //        }
-    //      }
-    }
-
     "add custom field with wrong type" in testApp { app =>
       app[Database].transaction { implicit graph =>
         app[CaseSrv].getOrFail(EntityName("3")) must beSuccessfulTry.which { `case`: Case with Entity =>
@@ -182,7 +158,7 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database].transaction { implicit graph =>
         app[CaseSrv].getOrFail(EntityName("3")) must beSuccessfulTry.which { `case`: Case with Entity =>
           app[CaseSrv].setOrCreateCustomField(`case`, EntityName("boolean1"), Some(true), None) must beSuccessfulTry
-          app[CaseSrv].getCustomField(`case`, EntityName("boolean1")).flatMap(_.value) must beSome.which(_ == true)
+          app[CaseSrv].getCustomField(`case`, EntityName("boolean1")).flatMap(_.value)          must beSome.which(_ == true)
         }
       }
     }
@@ -191,7 +167,7 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database].transaction { implicit graph =>
         app[CaseSrv].getOrFail(EntityName("3")) must beSuccessfulTry.which { `case`: Case with Entity =>
           app[CaseSrv].setOrCreateCustomField(`case`, EntityName("boolean1"), Some(false), None) must beSuccessfulTry
-          app[CaseSrv].getCustomField(`case`, EntityName("boolean1")).flatMap(_.value) must beSome.which(_ == false)
+          app[CaseSrv].getCustomField(`case`, EntityName("boolean1")).flatMap(_.value)           must beSome.which(_ == false)
         }
       }
     }
@@ -207,12 +183,12 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
 
     "get correct next case number" in testApp { app =>
       app[Database].roTransaction { implicit graph =>
-        app[CaseSrv].nextCaseNumber shouldEqual 6
+        app[CaseSrv].nextCaseNumber shouldEqual 36
       }
     }
 
     "close a case properly" in testApp { app =>
-      val updates = Seq(PropertyUpdater(FPathElem("status"), CaseStatus.Resolved) { (vertex, _, _, _) =>
+      val updates = Seq(PropertyUpdater(FPathElem("status"), CaseStatus.Resolved) { (vertex, _, _) =>
         vertex.property("status", CaseStatus.Resolved)
         Success(Json.obj("status" -> CaseStatus.Resolved))
       })
@@ -230,36 +206,44 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database].tryTransaction { implicit graph =>
         for {
           c3 <- app[CaseSrv].get(EntityName("3")).getOrFail("Case")
-          _  <- app[CaseSrv].updateTagNames(c3, Set("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="yolo""""))
+          _  <- app[CaseSrv].updateTags(c3, Set("t2", "yolo"))
         } yield app[CaseSrv].get(c3).tags.toList.map(_.toString)
       } must beASuccessfulTry.which { tags =>
-        tags must contain(exactly("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="yolo""""))
+        tags must contain(exactly("t2", "yolo"))
       }
     }
 
     "add new tags and not previous ones" in testApp { app =>
       // Create a case with tags first
-      val c = app[Database]
-        .tryTransaction(implicit graph =>
-          app[CaseSrv].create(
-            Case(0, "case 5", "desc 5", 1, new Date(), None, flag = false, 2, 3, CaseStatus.Open, None),
-            None,
-            app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-            app[TagSrv].startTraversal.toSeq.toSet,
-            Seq.empty,
-            None,
-            Nil
-          )
+      val c = app[Database].tryTransaction { implicit graph =>
+        val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
+        app[CaseSrv].create(
+          Case(
+            title = "case 5",
+            description = "desc 5",
+            severity = 1,
+            startDate = new Date(),
+            endDate = None,
+            flag = false,
+            tlp = 2,
+            pap = 3,
+            status = CaseStatus.Open,
+            summary = None,
+            tags = Seq("tag1", "tag2")
+          ),
+          assignee = None,
+          organisation,
+          Seq.empty,
+          None,
+          Nil
         )
-        .get
+      }.get
 
       c.tags must not(beEmpty)
 
       val currentLen = c.tags.length
 
-      app[Database].tryTransaction(implicit graph =>
-        app[CaseSrv].addTags(c.`case`, Set("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="newOne""""))
-      ) must beSuccessfulTry
+      app[Database].tryTransaction(implicit graph => app[CaseSrv].addTags(c.`case`, Set("tag1", "tag3"))) must beSuccessfulTry
 
       app[Database].roTransaction { implicit graph =>
         app[CaseSrv].startTraversal.has(_.title, "case 5").tags.toList.length shouldEqual currentLen + 1
@@ -267,50 +251,70 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
     }
 
     "add an observable if not existing" in testApp { app =>
-      app[Database].roTransaction { implicit graph =>
-        val c1          = app[CaseSrv].get(EntityName("1")).getOrFail("Case").get
-        val observables = app[ObservableSrv].startTraversal.richObservable.toList
-
-        observables must not(beEmpty)
-
-        val hfr = observables.find(_.message.contains("Some weird domain")).get
-
-        app[Database].tryTransaction { implicit graph =>
-          app[CaseSrv].addObservable(c1, hfr)
-        }.get must throwA[CreateError]
-
-        val newObs = app[Database].tryTransaction { implicit graph =>
-          app[ObservableSrv].create(
-            Observable(Some("if you feel lost"), 1, ioc = false, sighted = true, ignoreSimilarity = None),
-            app[ObservableTypeSrv].get(EntityName("domain")).getOrFail("Case").get,
-            "lost.com",
-            Set[String](),
-            Nil
-          )
-        }.get
-
-        app[Database].tryTransaction { implicit graph =>
-          app[CaseSrv].addObservable(c1, newObs)
-        } must beSuccessfulTry
-      }
+      //      app[Database].roTransaction { implicit graph =>
+      //        val c1          = app[CaseSrv].get(EntityName("1")).getOrFail("Case").get
+      //        val observables = app[ObservableSrv].startTraversal.richObservable.toList
+      //
+      //        observables must not(beEmpty)
+      //
+      //        val hfr = observables.find(_.message.contains("Some weird domain")).get
+      //
+      //        app[Database].tryTransaction { implicit graph =>
+      ////          app[CaseSrv].addObservable(c1, hfr)
+      //          app[CaseSrv].createObservable(c1, hfr, hfr.data.get)
+      //        }.get must throwA[CreateError]
+      //
+      //        val newObs = app[Database].tryTransaction { implicit graph =>
+      //          val organisation = app[OrganisationSrv].current.getOrFail("Organisation").get
+      //          app[ObservableSrv].create(
+      //            Observable(
+      //              message = Some("if you feel lost"),
+      //              tlp = 1,
+      //              ioc = false,
+      //              sighted = true,
+      //              ignoreSimilarity = None,
+      //              dataType = "domain",
+      //              tags = Nil,
+      //              organisationIds = Seq(organisation._id),
+      //              relatedId = c1._id
+      //            ),
+      //            "lost.com"
+      //          )
+      //        }.get
+      //
+      //        app[Database].tryTransaction { implicit graph =>
+      //          app[CaseSrv].addObservable(c1, newObs)
+      //        } must beSuccessfulTry
+      //      }
+      pending
     }
 
     "remove a case and its dependencies" in testApp { app =>
-      val c1 = app[Database]
-        .tryTransaction(implicit graph =>
-          app[CaseSrv].create(
-            Case(0, "case 9", "desc 9", 1, new Date(), None, flag = false, 2, 3, CaseStatus.Open, None),
-            None,
-            app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-            Set[Tag with Entity](),
-            Seq.empty,
-            None,
-            Nil
-          )
+      val c1 = app[Database].tryTransaction { implicit graph =>
+        val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
+        app[CaseSrv].create(
+          Case(
+            title = "case 9",
+            description = "desc 9",
+            severity = 1,
+            startDate = new Date(),
+            endDate = None,
+            flag = false,
+            tlp = 2,
+            pap = 3,
+            status = CaseStatus.Open,
+            summary = None,
+            tags = Nil
+          ),
+          assignee = None,
+          organisation,
+          Seq.empty,
+          None,
+          Nil
         )
-        .get
+      }.get
 
-      app[Database].tryTransaction(implicit graph => app[CaseSrv].remove(c1.`case`)) must beSuccessfulTry
+      app[Database].tryTransaction(implicit graph => app[CaseSrv].delete(c1.`case`)) must beSuccessfulTry
       app[Database].roTransaction { implicit graph =>
         app[CaseSrv].get(c1._id).exists must beFalse
       }
@@ -320,11 +324,23 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database]
         .tryTransaction { implicit graph =>
           for {
+            organisation <- app[OrganisationSrv].getOrFail(EntityName("cert"))
             case0 <- app[CaseSrv].create(
-              Case(0, "case 6", "desc 6", 1, new Date(), None, flag = false, 2, 3, CaseStatus.Open, None),
-              None,
-              app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-              app[TagSrv].startTraversal.toSeq.toSet,
+              Case(
+                title = "case 6",
+                description = "desc 6",
+                severity = 1,
+                startDate = new Date(),
+                endDate = None,
+                flag = false,
+                tlp = 2,
+                pap = 3,
+                status = CaseStatus.Open,
+                summary = None,
+                tags = Seq("tag1", "tag2")
+              ),
+              assignee = None,
+              organisation,
               Seq.empty,
               None,
               Nil
@@ -341,21 +357,31 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
 
     "set or unset case resolution status" in testApp { app =>
       app[Database].roTransaction { implicit graph =>
-        val c7 = app[Database]
-          .tryTransaction(implicit graph =>
-            app[CaseSrv].create(
-              Case(0, "case 7", "desc 7", 1, new Date(), None, flag = false, 2, 3, CaseStatus.Open, None),
-              None,
-              app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-              app[TagSrv].startTraversal.toSeq.toSet,
-              Seq.empty,
-              None,
-              Nil
-            )
+        val c7 = app[Database].tryTransaction { implicit graph =>
+          val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
+          app[CaseSrv].create(
+            Case(
+              title = "case 7",
+              description = "desc 7",
+              severity = 1,
+              startDate = new Date(),
+              endDate = None,
+              flag = false,
+              tlp = 2,
+              pap = 3,
+              status = CaseStatus.Open,
+              summary = None,
+              tags = Seq("tag1", "tag2")
+            ),
+            assignee = None,
+            organisation,
+            Seq.empty,
+            None,
+            Nil
           )
-          .get
+        }.get
 
-        app[CaseSrv].get(c7._id).resolutionStatus.exists must beFalse
+        app[CaseSrv].get(c7._id).resolutionStatus.exists                                                          must beFalse
         app[Database].tryTransaction(implicit graph => app[CaseSrv].setResolutionStatus(c7.`case`, "Duplicated")) must beSuccessfulTry
         app[Database].roTransaction(implicit graph => app[CaseSrv].get(c7._id).resolutionStatus.exists must beTrue)
         app[Database].tryTransaction(implicit graph => app[CaseSrv].unsetResolutionStatus(c7.`case`)) must beSuccessfulTry
@@ -365,17 +391,31 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
 
     "assign/unassign a case" in testApp { app =>
       val c8 = app[Database]
-        .tryTransaction(implicit graph =>
+        .tryTransaction { implicit graph =>
+          val organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get
+          val certuser     = app[UserSrv].getOrFail(EntityName("certuser@thehive.local")).get
           app[CaseSrv].create(
-            Case(0, "case 8", "desc 8", 2, new Date(), None, flag = false, 2, 3, CaseStatus.Open, None),
-            Some(app[UserSrv].get(EntityName("certuser@thehive.local")).getOrFail("Case").get),
-            app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-            app[TagSrv].startTraversal.toSeq.toSet,
+            Case(
+              title = "case 8",
+              description = "desc 8",
+              severity = 2,
+              startDate = new Date(),
+              endDate = None,
+              flag = false,
+              tlp = 2,
+              pap = 3,
+              status = CaseStatus.Open,
+              summary = None,
+              tags = Seq("tag1", "tag2"),
+              assignee = Some("certuser@thehive.local")
+            ),
+            assignee = Some(certuser),
+            organisation,
             Seq.empty,
             None,
             Nil
           )
-        )
+        }
         .get
         .`case`
 
@@ -393,7 +433,7 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
 
     "show only visible cases" in testApp { app =>
       app[Database].roTransaction { implicit graph =>
-        app[CaseSrv].get(EntityName("3")).visible.getOrFail("Case") must beFailedTry
+        app[CaseSrv].get(EntityName("3")).visible(app[OrganisationSrv]).getOrFail("Case") must beFailedTry
       }
     }
 
@@ -407,17 +447,238 @@ class CaseSrvTest extends PlaySpecification with TestAppBuilder {
     }
 
     "show linked cases" in testApp { app =>
-      app[Database].roTransaction { implicit graph =>
-        app[CaseSrv].get(EntityName("1")).linkedCases must beEmpty
-        val observables = app[ObservableSrv].startTraversal.richObservable.toList
-        val hfr         = observables.find(_.message.contains("Some weird domain")).get
+      //      app[Database].roTransaction { implicit graph =>
+      //        app[CaseSrv].get(EntityName("1")).linkedCases must beEmpty
+      //        val observables = app[ObservableSrv].startTraversal.richObservable.toList
+      //        val hfr         = observables.find(_.message.contains("Some weird domain")).get
+      //
+      //        app[Database].tryTransaction { implicit graph =>
+      //          app[CaseSrv].addObservable(app[CaseSrv].get(EntityName("2")).getOrFail("Case").get, hfr)
+      //        }
+      //
+      //        app[Database].roTransaction(implicit graph => app[CaseSrv].get(EntityName("1")).linkedCases must not(beEmpty))
+      //      }
+      pending
+    }
+
+    "merge cases, happy path with one organisation" in testApp { app =>
+      app[Database].tryTransaction { implicit graph =>
+        def case21 = app[CaseSrv].get(EntityName("21")).clone()
+
+        def case22 = app[CaseSrv].get(EntityName("22")).clone()
+
+        def case23 = app[CaseSrv].get(EntityName("23")).clone()
+        // Procedures
+        case21.procedure.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of procedure in case 21")
+        case22.procedure.getCount must beEqualTo(2).updateMessage(s => s"$s: invalid number of procedure in case 22")
+        case23.procedure.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of procedure in case 23")
+        // CustomFields
+        case21.customFields.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of custom fields in case 21")
+        case22.customFields.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of custom fields in case 22")
+        case23.customFields.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of custom fields in case 23")
+        // Tasks
+        case21.tasks.getCount must beEqualTo(2).updateMessage(s => s"$s: invalid number of tasks in case 21")
+        case22.tasks.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of tasks in case 22")
+        case23.tasks.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of tasks in case 23")
+        // Observables
+        case21.observables.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of observables in case 21")
+        case22.observables.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of observables in case 22")
+        case23.observables.getCount must beEqualTo(2).updateMessage(s => s"$s: invalid number of observables in case 23")
+        // Alerts
+        case21.alert.getCount must beEqualTo(1).updateMessage(s => s"$s: invalid number of alert in case 21")
+        case22.alert.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of alert in case 22")
+        case23.alert.getCount must beEqualTo(0).updateMessage(s => s"$s: invalid number of alert in case 23")
 
-        app[Database].tryTransaction { implicit graph =>
-          app[CaseSrv].addObservable(app[CaseSrv].get(EntityName("2")).getOrFail("Case").get, hfr)
+        for {
+          c21     <- case21.getOrFail("Case")
+          c22     <- case22.getOrFail("Case")
+          c23     <- case23.getOrFail("Case")
+          newCase <- app[CaseSrv].merge(Seq(c21, c22, c23))
+        } yield newCase
+      } must beASuccessfulTry.which { richCase =>
+        app[Database].roTransaction { implicit graph =>
+          def mergedCase = app[CaseSrv].get(EntityName(richCase.number.toString)).clone()
+
+          mergedCase.procedure.getCount    must beEqualTo(3).updateMessage(s => s"$s: invalid number of procedure in merged case")
+          mergedCase.customFields.getCount must beEqualTo(2).updateMessage(s => s"$s: invalid number of customFields in merged case")
+          mergedCase.tasks.getCount        must beEqualTo(3).updateMessage(s => s"$s: invalid number of tasks in merged case")
+          mergedCase.observables.getCount  must beEqualTo(3).updateMessage(s => s"$s: invalid number of observables in merged case")
+          mergedCase.alert.getCount        must beEqualTo(1).updateMessage(s => s"$s: invalid number of alert in merged case")
+
+          app[CaseSrv].get(EntityName("21")).getOrFail("Case") must beAFailedTry.updateMessage(s => s"$s: case 21 is not removed")
+          app[CaseSrv].get(EntityName("22")).getOrFail("Case") must beAFailedTry.updateMessage(s => s"$s: case 22 is not removed")
+          app[CaseSrv].get(EntityName("23")).getOrFail("Case") must beAFailedTry.updateMessage(s => s"$s: case 23 is not removed")
         }
+      }
+    }
+
+    "refuse to merge cases with different shares" in testApp { app =>
+      app[Database].tryTransaction { implicit graph =>
+        val case21 = app[CaseSrv].getOrFail(EntityName("21")).get
+        val case24 = app[CaseSrv].getOrFail(EntityName("24")).get
+        val case26 = app[CaseSrv].getOrFail(EntityName("26")).get
+        app[CaseSrv].merge(Seq(case21, case24, case26))
+      } must beFailedTry.withThrowable[BadRequestError]
+    }
+
+    "merge cases, happy path with three organisations" in testApp { app =>
+      implicit val authContext: AuthContext =
+        DummyUserSrv(organisation = "soc", permissions = Profile.analyst.permissions).authContext
+
+      def getCase(number: Int)(implicit graph: Graph): Traversal.V[Case] = app[CaseSrv].getByName(number.toString)
+
+      app[Database].tryTransaction { implicit graph =>
+        // Tasks
+        getCase(24).share(EntityName("cert")).tasks.getCount mustEqual 1
+        getCase(24).share(EntityName("soc")).tasks.getCount mustEqual 2
+        getCase(25).share(EntityName("cert")).tasks.getCount mustEqual 0
+        getCase(25).share(EntityName("soc")).tasks.getCount mustEqual 0
+
+        // Observables
+        getCase(24).share(EntityName("cert")).observables.getCount mustEqual 0
+        getCase(24).share(EntityName("soc")).observables.getCount mustEqual 0
+        getCase(25).share(EntityName("cert")).observables.getCount mustEqual 2
+        getCase(25).share(EntityName("soc")).observables.getCount mustEqual 1
 
-        app[Database].roTransaction(implicit graph => app[CaseSrv].get(EntityName("1")).linkedCases must not(beEmpty))
+        for {
+          c24     <- getCase(24).getOrFail("Case")
+          c25     <- getCase(25).getOrFail("Case")
+          newCase <- app[CaseSrv].merge(Seq(c24, c25))
+        } yield newCase
+      } must beASuccessfulTry.which { richCase =>
+        app[Database].roTransaction { implicit graph =>
+          getCase(richCase.number).share(EntityName("cert")).tasks.getCount mustEqual 1
+          getCase(richCase.number).share(EntityName("soc")).tasks.getCount mustEqual 2
+          getCase(richCase.number).share(EntityName("cert")).observables.getCount mustEqual 2
+          getCase(richCase.number).share(EntityName("soc")).observables.getCount mustEqual 1
+
+          getCase(24).getOrFail("Case") must beAFailedTry
+          getCase(25).getOrFail("Case") must beAFailedTry
+        }
+      }
+    }
+
+    "cascade remove, case not shared" in testApp { app =>
+      app[Database].transaction { implicit graph =>
+        implicit val authContext: AuthContext = DummyUserSrv(organisation = "cert", permissions = Set(Permissions.manageCase)).authContext
+
+        def caze = app[CaseSrv].startTraversal.has(_.number, 35).getOrFail("Case")
+        caze must beSuccessfulTry
+
+        def taskTraversal = app[TaskSrv].startTraversal.has(_.title, "task-cascade-remove-simple")
+        def taskDelete    = taskTraversal.getOrFail("Task")
+        def logs          = taskTraversal.logs.toSeq.size
+        def logsAttach    = taskTraversal.logs.attachments.toSeq.size
+        taskDelete must beSuccessfulTry
+        logs       must beEqualTo(1)
+        logsAttach must beEqualTo(1)
+
+        def obsTraversal = app[ObservableSrv].startTraversal.has(_.message, "obs-cascade-remove-simple")
+        def obsDelete    = obsTraversal.getOrFail("Observable")
+        def obsAttach    = obsTraversal.attachments.toSeq.size
+        obsDelete must beSuccessfulTry
+        obsAttach must beEqualTo(1)
+
+        app[CaseSrv].delete(caze.get) must beASuccessfulTry
+
+        taskDelete must beAFailedTry
+        logs       must beEqualTo(0)
+        logsAttach must beEqualTo(0)
+        obsDelete  must beAFailedTry
+        obsAttach  must beEqualTo(0)
+        caze       must beAFailedTry
       }
     }
+
+    "cascade remove, shared" in testApp { app =>
+      app[Database].roTransaction { implicit graph =>
+        // Check users of soc have access to case 4
+        implicit val authContext: AuthContext = DummyUserSrv(organisation = "soc", permissions = Set(Permissions.manageCase)).authContext
+
+        app[CaseSrv]
+          .startTraversal
+          .has(_.number, 34)
+          .getOrFail("Case") must beSuccessfulTry
+
+        app[TaskSrv]
+          .startTraversal
+          .has(_.title, "task-cascade-remove-unshare")
+          .getOrFail("Task") must beSuccessfulTry
+
+        app[ObservableSrv]
+          .startTraversal
+          .has(_.message, "obs-cascade-remove-unshare")
+          .getOrFail("Observable") must beSuccessfulTry
+      }
+
+      app[Database].transaction { implicit graph =>
+        // Check entities & cascade remove the case
+        implicit val authContext: AuthContext = DummyUserSrv(organisation = "cert", permissions = Set(Permissions.manageCase)).authContext
+
+        def caze = app[CaseSrv].startTraversal.has(_.number, 34).getOrFail("Case")
+        caze must beSuccessfulTry
+
+        def taskTraversal  = app[TaskSrv].startTraversal.has(_.title, "task-cascade-remove-delete")
+        def taskTraversal2 = app[TaskSrv].startTraversal.has(_.title, "task-cascade-remove-unshare")
+        def taskDelete     = taskTraversal.getOrFail("Task")
+        def taskUnshare    = taskTraversal2.getOrFail("Task")
+        def logs           = taskTraversal.logs.toSeq.size
+        def logs2          = taskTraversal2.logs.toSeq.size
+        def taskAttach     = taskTraversal.logs.attachments.toSeq.size
+        def taskAttach2    = taskTraversal2.logs.attachments.toSeq.size
+        taskDelete  must beSuccessfulTry
+        logs        must beEqualTo(1)
+        taskAttach  must beEqualTo(1)
+        taskUnshare must beSuccessfulTry
+        logs2       must beEqualTo(0)
+        taskAttach2 must beEqualTo(0)
+
+        def obsTraversal  = app[ObservableSrv].startTraversal.has(_.message, "obs-cascade-remove-delete")
+        def obsTraversal2 = app[ObservableSrv].startTraversal.has(_.message, "obs-cascade-remove-unshare")
+        def obsDelete     = obsTraversal.getOrFail("Observable")
+        def obsUnshare    = obsTraversal2.getOrFail("Observable")
+        def obsAttach     = obsTraversal.attachments.toSeq.size
+        def obsAttach2    = obsTraversal2.attachments.toSeq.size
+        obsDelete  must beSuccessfulTry
+        obsAttach  must beEqualTo(1)
+        obsUnshare must beSuccessfulTry
+        obsAttach2 must beEqualTo(0)
+
+        app[CaseSrv].delete(caze.get) must beASuccessfulTry
+
+        caze        must beASuccessfulTry
+        taskDelete  must beAFailedTry
+        taskUnshare must beASuccessfulTry
+        logs        must beEqualTo(0)
+        taskAttach  must beEqualTo(0)
+        logs2       must beEqualTo(0)
+        taskAttach2 must beEqualTo(0)
+        obsDelete   must beAFailedTry
+        obsUnshare  must beASuccessfulTry
+        obsAttach   must beEqualTo(0)
+        obsAttach2  must beEqualTo(0)
+      }
+
+      app[Database].roTransaction { implicit graph =>
+        // Users of soc should still have access to case
+        implicit val authContext: AuthContext = DummyUserSrv(organisation = "soc", permissions = Set(Permissions.manageCase)).authContext
+
+        app[CaseSrv]
+          .startTraversal
+          .has(_.number, 4)
+          .getOrFail("Case") must beSuccessfulTry
+
+        app[TaskSrv]
+          .startTraversal
+          .has(_.title, "task-cascade-remove-unshare")
+          .getOrFail("Task") must beSuccessfulTry
+
+        app[ObservableSrv]
+          .startTraversal
+          .has(_.message, "obs-cascade-remove-unshare")
+          .getOrFail("Observable") must beSuccessfulTry
+      }
+    }
+
   }
 }
diff --git a/thehive/test/org/thp/thehive/services/CaseTemplateSrvTest.scala b/thehive/test/org/thp/thehive/services/CaseTemplateSrvTest.scala
index 5e4b3cb102..63ef590903 100644
--- a/thehive/test/org/thp/thehive/services/CaseTemplateSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/CaseTemplateSrvTest.scala
@@ -24,17 +24,25 @@ class CaseTemplateSrvTest extends PlaySpecification with TestAppBuilder {
             titlePrefix = Some("[CTT]"),
             description = Some("description ctt1"),
             severity = Some(2),
+            tags = Seq("""t2""", """newOne"""),
             flag = false,
             tlp = Some(1),
             pap = Some(3),
             summary = Some("summary case template test 1")
           ),
           organisation = app[OrganisationSrv].getOrFail(EntityName("cert")).get,
-          tagNames = Set("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="newOne""""),
           tasks = Seq(
-            (
-              Task("task case template case template test 1", "group1", None, TaskStatus.Waiting, flag = false, None, None, 0, None),
-              app[UserSrv].get(EntityName("certuser@thehive.local")).headOption
+            Task(
+              title = "task case template case template test 1",
+              group = "group1",
+              description = None,
+              status = TaskStatus.Waiting,
+              flag = false,
+              startDate = None,
+              endDate = None,
+              order = 0,
+              dueDate = None,
+              assignee = None
             )
           ),
           customFields = Seq(("string1", Some("love")), ("boolean1", Some(false)))
@@ -42,7 +50,8 @@ class CaseTemplateSrvTest extends PlaySpecification with TestAppBuilder {
       } must beASuccessfulTry
 
       app[Database].roTransaction { implicit graph =>
-        app[TagSrv].startTraversal.getByName("testNamespace", "testPredicate", Some("newOne")).exists must beTrue
+        val orgId = app[OrganisationSrv].currentId.value
+        app[TagSrv].startTraversal.getByName(s"_freetags_$orgId", "newOne", None).exists           must beTrue
         app[TaskSrv].startTraversal.has(_.title, "task case template case template test 1").exists must beTrue
         val richCT = app[CaseTemplateSrv].startTraversal.getByName("case template test 1").richCaseTemplate.getOrFail("CaseTemplate").get
         richCT.customFields.length shouldEqual 2
@@ -52,9 +61,22 @@ class CaseTemplateSrvTest extends PlaySpecification with TestAppBuilder {
     "add a task to a template" in testApp { app =>
       app[Database].tryTransaction { implicit graph =>
         for {
-          richTask     <- app[TaskSrv].create(Task("t1", "default", None, TaskStatus.Waiting, flag = false, None, None, 1, None), None)
           caseTemplate <- app[CaseTemplateSrv].getOrFail(EntityName("spam"))
-          _            <- app[CaseTemplateSrv].addTask(caseTemplate, richTask.task)
+          _ <- app[CaseTemplateSrv].createTask(
+            caseTemplate,
+            Task(
+              title = "t1",
+              group = "default",
+              description = None,
+              status = TaskStatus.Waiting,
+              flag = false,
+              startDate = None,
+              endDate = None,
+              order = 1,
+              dueDate = None,
+              assignee = None
+            )
+          )
         } yield ()
       } must beSuccessfulTry
 
@@ -67,16 +89,16 @@ class CaseTemplateSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database].tryTransaction { implicit graph =>
         for {
           caseTemplate <- app[CaseTemplateSrv].getOrFail(EntityName("spam"))
-          _ <- app[CaseTemplateSrv].updateTagNames(
+          _ <- app[CaseTemplateSrv].updateTags(
             caseTemplate,
-            Set("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="newOne2"""", """newNspc.newPred="newOne3"""")
+            Set("""t2""", """newOne2""", """newNspc:newPred="newOne3"""")
           )
         } yield ()
       } must beSuccessfulTry
       app[Database].roTransaction { implicit graph =>
         app[CaseTemplateSrv].get(EntityName("spam")).tags.toList.map(_.toString)
       } must containTheSameElementsAs(
-        Seq("testNamespace:testPredicate=\"t2\"", "testNamespace:testPredicate=\"newOne2\"", "newNspc:newPred=\"newOne3\"")
+        Seq("t2", "newOne2", "newNspc:newPred=\"newOne3\"")
       )
     }
 
@@ -84,17 +106,17 @@ class CaseTemplateSrvTest extends PlaySpecification with TestAppBuilder {
       app[Database].tryTransaction { implicit graph =>
         for {
           caseTemplate <- app[CaseTemplateSrv].getOrFail(EntityName("spam"))
-          _            <- app[CaseTemplateSrv].addTags(caseTemplate, Set("""testNamespace:testPredicate="t2"""", """testNamespace:testPredicate="newOne2""""))
+          _            <- app[CaseTemplateSrv].addTags(caseTemplate, Set("""t2""", """newOne2"""))
         } yield ()
       } must beSuccessfulTry
       app[Database].roTransaction { implicit graph =>
         app[CaseTemplateSrv].get(EntityName("spam")).tags.toList.map(_.toString)
       } must containTheSameElementsAs(
         Seq(
-          "testNamespace:testPredicate=\"t2\"",
-          "testNamespace:testPredicate=\"newOne2\"",
-          "testNamespace:testPredicate=\"spam\"",
-          "testNamespace:testPredicate=\"src:mail\""
+          "t2",
+          "newOne2",
+          "spam",
+          "src:mail"
         )
       )
     }
diff --git a/thehive/test/org/thp/thehive/services/DataSrvTest.scala b/thehive/test/org/thp/thehive/services/DataSrvTest.scala
index 922926dd91..eddb81e4f4 100644
--- a/thehive/test/org/thp/thehive/services/DataSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/DataSrvTest.scala
@@ -1,6 +1,5 @@
 package org.thp.thehive.services
 
-import org.thp.scalligraph.EntityName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models._
 import org.thp.scalligraph.traversal.TraversalOps._
@@ -22,11 +21,16 @@ class DataSrvTest extends PlaySpecification with TestAppBuilder {
     "get related observables" in testApp { app =>
       app[Database].tryTransaction { implicit graph =>
         app[ObservableSrv].create(
-          Observable(Some("love"), 1, ioc = false, sighted = true, ignoreSimilarity = None),
-          app[ObservableTypeSrv].get(EntityName("domain")).getOrFail("Observable").get,
-          "love.com",
-          Set("tagX"),
-          Nil
+          Observable(
+            message = Some("love"),
+            tlp = 1,
+            ioc = false,
+            sighted = true,
+            ignoreSimilarity = None,
+            dataType = "domain",
+            tags = Seq("tagX")
+          ),
+          "love.com"
         )
       }
 
diff --git a/thehive/test/org/thp/thehive/services/TagSrvTest.scala b/thehive/test/org/thp/thehive/services/TagSrvTest.scala
new file mode 100644
index 0000000000..196c757b9a
--- /dev/null
+++ b/thehive/test/org/thp/thehive/services/TagSrvTest.scala
@@ -0,0 +1,57 @@
+package org.thp.thehive.services
+
+import org.thp.scalligraph.auth.AuthContext
+import org.thp.scalligraph.models.{Database, DummyUserSrv}
+import org.thp.thehive.TestAppBuilder
+import org.thp.thehive.models.Profile
+import play.api.test.PlaySpecification
+
+import scala.util.Success
+
+class TagSrvTest extends PlaySpecification with TestAppBuilder {
+
+  implicit val authContext: AuthContext =
+    DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert", permissions = Profile.analyst.permissions).authContext
+
+  "tag service" should {
+    "fromString" should {
+      "be parsed from namespace:predicate" in testApp { app =>
+        app[TagSrv].fromString("namespace:predicate") must beEqualTo(Some("namespace", "predicate", None))
+      }
+
+      "be parsed from namespace:predicate=" in testApp { app =>
+        app[TagSrv].fromString("namespace:predicate=") must beEqualTo(None)
+      }
+
+      "be parsed from namespace: predicate" in testApp { app =>
+        app[TagSrv].fromString("namespace: predicate") must beEqualTo(Some("namespace", "predicate", None))
+      }
+
+      "be parsed from namespace:predicate=value" in testApp { app =>
+        app[TagSrv].fromString("namespace:predicate=value") must beEqualTo(Some("namespace", "predicate", Some("value")))
+      }
+    }
+
+    "getOrCreate" should {
+      "get a tag from a taxonomy" in testApp { app =>
+        // TODO add tags property in Taxonomy.json to test get
+        app[Database].transaction { implicit graph =>
+          val tag = app[TagSrv].getOrCreate("taxonomy1:pred1=value1")
+          tag.map(_.toString) must beEqualTo(Success("taxonomy1:pred1=\"value1\""))
+        }
+      }
+
+      "get a _freetag tag" in testApp { app =>
+        app[Database].transaction { implicit graph =>
+          val orgId = app[OrganisationSrv].currentId.value
+          val tag   = app[TagSrv].getOrCreate("afreetag")
+          tag.map(_.namespace) must beEqualTo(Success(s"_freetags_$orgId"))
+          tag.map(_.predicate) must beEqualTo(Success("afreetag"))
+          tag.map(_.predicate) must beEqualTo(Success("afreetag"))
+          tag.map(_.colour) must beEqualTo(Success(app[TagSrv].freeTagColour))
+        }
+      }
+    }
+
+  }
+}
diff --git a/thehive/test/org/thp/thehive/services/UserSrvTest.scala b/thehive/test/org/thp/thehive/services/UserSrvTest.scala
index fc121bcac8..fae17af39a 100644
--- a/thehive/test/org/thp/thehive/services/UserSrvTest.scala
+++ b/thehive/test/org/thp/thehive/services/UserSrvTest.scala
@@ -61,7 +61,7 @@ class UserSrvTest extends PlaySpecification with TestAppBuilder {
         if (userCount == 2) Success(())
         else Failure(new Exception(s"User certadmin is not in cert organisation twice ($userCount)"))
       }
-      new UserIntegrityCheckOps(db, userSrv, profileSrv, organisationSrv, roleSrv).check()
+      new UserIntegrityCheckOps(db, userSrv, profileSrv, organisationSrv, roleSrv).duplicationCheck()
       db.roTransaction { implicit graph =>
         val userCount = userSrv.get(EntityName("certadmin@thehive.local")).organisations.get(EntityName("cert")).getCount
         userCount must beEqualTo(1)
diff --git a/thehive/test/org/thp/thehive/services/notification/notifiers/NotificationTemplateTest.scala b/thehive/test/org/thp/thehive/services/notification/notifiers/NotificationTemplateTest.scala
index 882f1f1491..c87ac72162 100644
--- a/thehive/test/org/thp/thehive/services/notification/notifiers/NotificationTemplateTest.scala
+++ b/thehive/test/org/thp/thehive/services/notification/notifiers/NotificationTemplateTest.scala
@@ -1,7 +1,5 @@
 package org.thp.thehive.services.notification.notifiers
 
-import java.util.{HashMap => JHashMap}
-
 import org.thp.scalligraph.EntityName
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, DummyUserSrv, Schema}
@@ -10,10 +8,11 @@ import org.thp.thehive.TestAppBuilder
 import org.thp.thehive.services.{AuditSrv, CaseSrv, UserSrv}
 import play.api.test.PlaySpecification
 
+import java.util.{HashMap => JHashMap}
 import scala.collection.JavaConverters._
 
 class NotificationTemplateTest extends PlaySpecification with TestAppBuilder {
-  implicit val authContext: AuthContext = DummyUserSrv(userId = "certuser@thehive.local").authContext
+  implicit val authContext: AuthContext = DummyUserSrv(userId = "certuser@thehive.local", organisation = "cert").authContext
   def templateEngine(testSchema: Schema): Template =
     new Object with Template {
       override val schema: Schema = testSchema
diff --git a/thehive/test/resources/data/Alert.json b/thehive/test/resources/data/Alert.json
index 98d2a39648..a5a4f0d535 100644
--- a/thehive/test/resources/data/Alert.json
+++ b/thehive/test/resources/data/Alert.json
@@ -13,7 +13,9 @@
     "tlp": 2,
     "pap": 2,
     "read": false,
-    "follow": true
+    "follow": true,
+    "organisationId": "",
+    "tags": ["test", "alert"]
   },
   {
     "id": "alert2",
@@ -29,7 +31,9 @@
     "tlp": 2,
     "pap": 2,
     "read": false,
-    "follow": true
+    "follow": true,
+    "organisationId": "",
+    "tags": ["test", "alert"]
   },
   {
     "id": "alert3",
@@ -45,7 +49,9 @@
     "tlp": 2,
     "pap": 2,
     "read": false,
-    "follow": true
+    "follow": true,
+    "organisationId": "",
+    "tags": ["test", "alert"]
   },
   {
     "id": "alert4",
@@ -61,7 +67,9 @@
     "tlp": 2,
     "pap": 2,
     "read": false,
-    "follow": true
+    "follow": true,
+    "organisationId": "",
+    "tags": ["test", "alert"]
   },
   {
     "id": "alert5",
@@ -77,6 +85,25 @@
     "tlp": 2,
     "pap": 2,
     "read": false,
-    "follow": true
+    "follow": true,
+    "organisationId": "",
+    "tags": ["test", "alert"]
+  },
+  {
+    "id": "alertMerge1",
+    "type": "testType",
+    "source": "testSource",
+    "sourceRef": "ref6",
+    "title": "alert#6",
+    "description": "description of alert #6",
+    "severity": 2,
+    "date": 1555359572000,
+    "lastSyncDate": 1555359600000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "read": false,
+    "follow": true,
+    "organisationId": ""
   }
-]
\ No newline at end of file
+]
diff --git a/thehive/test/resources/data/AlertCase.json b/thehive/test/resources/data/AlertCase.json
new file mode 100644
index 0000000000..1d47dfc7cc
--- /dev/null
+++ b/thehive/test/resources/data/AlertCase.json
@@ -0,0 +1,3 @@
+[
+  {"from": "alertMerge1", "to": "caseMerge21"}
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/AlertOrganisation.json b/thehive/test/resources/data/AlertOrganisation.json
index 91180cf87e..0cc2ee54f1 100644
--- a/thehive/test/resources/data/AlertOrganisation.json
+++ b/thehive/test/resources/data/AlertOrganisation.json
@@ -3,5 +3,6 @@
   {"from": "alert2", "to": "cert"},
   {"from": "alert3", "to": "cert"},
   {"from": "alert4", "to": "cert"},
-  {"from": "alert5", "to": "cert"}
-]
\ No newline at end of file
+  {"from": "alert5", "to": "cert"},
+  {"from": "alertMerge1", "to": "cert"}
+]
diff --git a/thehive/test/resources/data/AlertTag.json b/thehive/test/resources/data/AlertTag.json
deleted file mode 100644
index a6e2661284..0000000000
--- a/thehive/test/resources/data/AlertTag.json
+++ /dev/null
@@ -1,12 +0,0 @@
-[
-  {"from": "alert1", "to": "tagtest"},
-  {"from": "alert1", "to": "tagalert"},
-  {"from": "alert2", "to": "tagtest"},
-  {"from": "alert2", "to": "tagalert"},
-  {"from": "alert3", "to": "tagtest"},
-  {"from": "alert3", "to": "tagalert"},
-  {"from": "alert4", "to": "tagtest"},
-  {"from": "alert4", "to": "tagalert"},
-  {"from": "alert5", "to": "tagtest"},
-  {"from": "alert5", "to": "tagalert"}
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Attachment.json b/thehive/test/resources/data/Attachment.json
index 6c28345222..af587ae943 100644
--- a/thehive/test/resources/data/Attachment.json
+++ b/thehive/test/resources/data/Attachment.json
@@ -10,5 +10,25 @@
       "905138a85e85e74344e90d25dba7299e"
     ],
     "attachmentId": "a4bf1f6be616bf6a0de2ff6264de43a64bb768d38c783ec2bc74b5d4dcf5f889"
+  },
+  {
+    "id": "cascade-remove-attachment1",
+    "name": "cascade1.txt",
+    "size": 13,
+    "contentType": "text/plain",
+    "hashes": [
+      "905138a85e85e74344e90d25dba7299e"
+    ],
+    "attachmentId": "b4bf1f6be616bf6a0de2ff6264de43a64bb768d38c783ec2bc74b5d4dcf5f889"
+  },
+  {
+    "id": "cascade-remove-attachment2",
+    "name": "cascade2.txt",
+    "size": 13,
+    "contentType": "text/plain",
+    "hashes": [
+      "a4bf1f6be616bf6a0de2ff6264de43a64bb768d38c783ec2bc74b5d4dcf5f889"
+    ],
+    "attachmentId": "c4bf1f6be616bf6a0de2ff6264de43a64bb768d38c783ec2bc74b5d4dcf5f889"
   }
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Case.json b/thehive/test/resources/data/Case.json
index 15a632b69a..dcc44d54df 100644
--- a/thehive/test/resources/data/Case.json
+++ b/thehive/test/resources/data/Case.json
@@ -9,7 +9,9 @@
     "flag": false,
     "tlp": 2,
     "pap": 2,
-    "status": "Open"
+    "status": "Open",
+    "tags": ["t1", "t3"],
+    "assignee": "certuser@thehive.local"
   },
   {
     "id": "case2",
@@ -21,7 +23,10 @@
     "flag": false,
     "tlp": 2,
     "pap": 2,
-    "status": "Open"
+    "status": "Open",
+    "tags": ["t1","t2"],
+    "impactStatus": "NoImpact",
+    "assignee": "certuser@thehive.local"
   },
   {
     "id": "case3",
@@ -33,7 +38,10 @@
     "flag": false,
     "tlp": 2,
     "pap": 2,
-    "status": "Open"
+    "status": "Open",
+    "caseTemplate": "spam",
+    "tags": ["t1","t2"],
+    "assignee": "socuser@thehive.local"
   },
   {
     "id": "caseActionRequired1",
@@ -58,5 +66,109 @@
     "tlp": 2,
     "pap": 2,
     "status": "Open"
+  },
+  {
+    "id": "caseMerge21",
+    "number": 21,
+    "title": "case#21",
+    "description": "description of case #21",
+    "severity": 1,
+    "startDate": 1531664370000,
+    "flag": false,
+    "tlp": 4,
+    "pap": 3,
+    "status": "Open",
+    "tags": ["toMerge:pred1=\"value1\""],
+    "assignee": "certuser@thehive.local"
+  },
+  {
+    "id": "caseMerge22",
+    "number": 22,
+    "title": "case#22",
+    "description": "description of case #22",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": true,
+    "tlp": 1,
+    "pap": 2,
+    "status": "Open",
+    "tags": ["toMerge:pred2=\"value2\""],
+    "assignee": "certuser@thehive.local"
+  },
+  {
+    "id": "caseMerge23",
+    "number": 23,
+    "title": "case#23",
+    "description": "description of case #23",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "status": "Open",
+    "assignee": "certuser@thehive.local"
+  },
+  {
+    "id": "caseMerge24",
+    "number": 24,
+    "title": "case#24",
+    "description": "description of case #24",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "status": "Open",
+    "assignee": "socuser@thehive.local"
+  },
+  {
+    "id": "caseMerge25",
+    "number": 25,
+    "title": "case#25",
+    "description": "description of case #25",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "status": "Open",
+    "assignee": "certuser@thehive.local"
+  },
+  {
+    "id": "caseMerge26",
+    "number": 26,
+    "title": "case#26",
+    "description": "description of case #26",
+    "severity": 2,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 1,
+    "pap": 2,
+    "status": "Open",
+    "assignee": "puguser@thehive.local"
+  },
+  {
+    "id": "case4",
+    "number": 34,
+    "title": "case#4",
+    "description": "description of case cascade remove",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "status": "Open"
+  },
+  {
+    "id": "case5",
+    "number": 35,
+    "title": "case#5",
+    "description": "description of case cascade remove",
+    "severity": 3,
+    "startDate": 1531667370000,
+    "flag": false,
+    "tlp": 2,
+    "pap": 2,
+    "status": "Open"
   }
-]
\ No newline at end of file
+]
diff --git a/thehive/test/resources/data/CaseCaseTemplate.json b/thehive/test/resources/data/CaseCaseTemplate.json
deleted file mode 100644
index fc3499ffe6..0000000000
--- a/thehive/test/resources/data/CaseCaseTemplate.json
+++ /dev/null
@@ -1,3 +0,0 @@
-[
-  {"from": "case3", "to": "spam"}
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseCustomField.json b/thehive/test/resources/data/CaseCustomField.json
index 9e85e9ba03..628b5afacc 100644
--- a/thehive/test/resources/data/CaseCustomField.json
+++ b/thehive/test/resources/data/CaseCustomField.json
@@ -1,4 +1,6 @@
 [
   {"from": "case3", "to": "string1", "stringValue": "string1 custom field"},
-  {"from": "case3", "to": "boolean1", "booleanValue": true}
+  {"from": "case3", "to": "boolean1", "booleanValue": true},
+  {"from": "caseMerge22", "to": "string1", "stringValue": "merge string1"},
+  {"from": "caseMerge23", "to": "integer1", "integerValue": 3}
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseImpactStatus.json b/thehive/test/resources/data/CaseImpactStatus.json
deleted file mode 100644
index b25a6ea0dd..0000000000
--- a/thehive/test/resources/data/CaseImpactStatus.json
+++ /dev/null
@@ -1,6 +0,0 @@
-[
-  {
-    "from": "case2",
-    "to": "NoImpact"
-  }
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseProcedure.json b/thehive/test/resources/data/CaseProcedure.json
new file mode 100644
index 0000000000..75237cc11e
--- /dev/null
+++ b/thehive/test/resources/data/CaseProcedure.json
@@ -0,0 +1,7 @@
+[
+  {"from": "case1", "to": "testProcedure1"},
+  {"from": "case1", "to": "testProcedure2"},
+  {"from": "caseMerge21", "to": "mergeProcedure211"},
+  {"from": "caseMerge22", "to": "mergeProcedure221"},
+  {"from": "caseMerge22", "to": "mergeProcedure222"}
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseResolutionStatus.json b/thehive/test/resources/data/CaseResolutionStatus.json
deleted file mode 100644
index 0637a088a0..0000000000
--- a/thehive/test/resources/data/CaseResolutionStatus.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseTag.json b/thehive/test/resources/data/CaseTag.json
deleted file mode 100644
index 781e8159a3..0000000000
--- a/thehive/test/resources/data/CaseTag.json
+++ /dev/null
@@ -1,8 +0,0 @@
-[
-  {"from": "case3", "to": "tagt1"},
-  {"from": "case3", "to": "tagt2"},
-  {"from": "case2", "to": "tagt1"},
-  {"from": "case2", "to": "tagt2"},
-  {"from": "case1", "to": "tagt1"},
-  {"from": "case1", "to": "tagt3"}
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseTemplateTag.json b/thehive/test/resources/data/CaseTemplateTag.json
deleted file mode 100644
index 25e6c2d4e9..0000000000
--- a/thehive/test/resources/data/CaseTemplateTag.json
+++ /dev/null
@@ -1,4 +0,0 @@
-[
-  {"from": "spam", "to": "tagspam"},
-  {"from": "spam", "to": "tagsrc:mail"}
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/CaseUser.json b/thehive/test/resources/data/CaseUser.json
deleted file mode 100644
index f778b3fefb..0000000000
--- a/thehive/test/resources/data/CaseUser.json
+++ /dev/null
@@ -1,5 +0,0 @@
-[
-  { "from": "case1", "to": "certuser@thehive.local"},
-  { "from": "case2", "to": "certuser@thehive.local"},
-  { "from": "case3", "to": "socuser@thehive.local"}
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Data.json b/thehive/test/resources/data/Data.json
deleted file mode 100644
index 3cb9acf636..0000000000
--- a/thehive/test/resources/data/Data.json
+++ /dev/null
@@ -1,14 +0,0 @@
-[
-  {
-    "id": "data-h.fr",
-    "data": "h.fr"
-  },
-  {
-    "id": "data-c.fr",
-    "data": "c.fr"
-  },
-  {
-    "id": "data-perdu.com",
-    "data": "perdu.com"
-  }
-]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Log.json b/thehive/test/resources/data/Log.json
index 594a72f724..c679817200 100644
--- a/thehive/test/resources/data/Log.json
+++ b/thehive/test/resources/data/Log.json
@@ -3,6 +3,18 @@
     "id": "log1",
     "message": "log for action test",
     "date": 1566303875000,
-    "deleted": false
+    "taskId": ""
+  },
+  {
+    "id": "log-cascade-remove-simple",
+    "message": "log cascade remove simple",
+    "date": 1566303875000,
+    "taskId": ""
+  },
+  {
+    "id": "log-cascade-remove-delete",
+    "message": "log cascade remove delete",
+    "date": 1566303875000,
+    "taskId": ""
   }
-]
\ No newline at end of file
+]
diff --git a/thehive/test/resources/data/LogAttachment.json b/thehive/test/resources/data/LogAttachment.json
new file mode 100644
index 0000000000..520f3ea9e5
--- /dev/null
+++ b/thehive/test/resources/data/LogAttachment.json
@@ -0,0 +1,4 @@
+[
+  {"from": "log-cascade-remove-simple", "to": "cascade-remove-attachment2"},
+  {"from": "log-cascade-remove-delete", "to": "cascade-remove-attachment2"}
+]
diff --git a/thehive/test/resources/data/Observable.json b/thehive/test/resources/data/Observable.json
index 88e79ee5cc..4c21b60250 100644
--- a/thehive/test/resources/data/Observable.json
+++ b/thehive/test/resources/data/Observable.json
@@ -4,34 +4,132 @@
     "message": "Some weird domain",
     "tlp": 3,
     "ioc": true,
-    "sighted": false
+    "sighted": false,
+    "dataType": "domain",
+    "data": "h.fr",
+    "tags": ["testDomain"],
+    "relatedId": ""
   },
   {
     "id": "c.fr",
     "message": "This domain",
     "tlp": 2,
     "ioc": false,
-    "sighted": false
+    "sighted": false,
+    "dataType": "domain",
+    "data": "c.fr",
+    "tags": ["testDomain"],
+    "relatedId": ""
   },
   {
     "id": "helloworld",
     "message": "hello world",
     "tlp": 1,
     "ioc": false,
-    "sighted": false
+    "sighted": false,
+    "dataType": "file",
+    "tags": ["hello", "world"],
+    "relatedId": ""
   },
   {
     "id": "perdu.com",
     "message": "if you are lost",
     "tlp": 1,
     "ioc": false,
-    "sighted": true
+    "sighted": true,
+    "dataType": "domain",
+    "data": "perdu.com",
+    "relatedId": ""
   },
   {
     "id": "alert-h.fr",
     "message": "observable from alert",
     "tlp": 1,
     "ioc": true,
-    "sighted": true
+    "sighted": true,
+    "dataType": "domain",
+    "data": "h.fr",
+    "tags": ["hello"],
+    "relatedId": ""
+  },
+  {
+    "id": "mergeObs211",
+    "message": "merge Obs 211",
+    "tlp": 1,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.1",
+    "sighted": false,
+    "relatedId": ""
+  },
+  {
+    "id": "mergeObs231",
+    "message": "merge Obs 231",
+    "tlp": 2,
+    "ioc": false,
+    "dataType": "ip",
+    "data": "127.0.0.1",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "mergeObs232",
+    "message": "merge Obs 232",
+    "tlp": 4,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.1",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "mergeObs251",
+    "message": "merge Obs 251",
+    "tlp": 4,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.1",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "mergeObs252",
+    "message": "merge Obs 252",
+    "tlp": 4,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.1",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "obs-cascade-remove-simple",
+    "message": "obs-cascade-remove-simple",
+    "tlp": 1,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.2",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "obs-cascade-remove-unshare",
+    "message": "obs-cascade-remove-unshare",
+    "tlp": 1,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.3",
+    "sighted": true,
+    "relatedId": ""
+  },
+  {
+    "id": "obs-cascade-remove-delete",
+    "message": "obs-cascade-remove-delete",
+    "tlp": 1,
+    "ioc": true,
+    "dataType": "ip",
+    "data": "127.0.0.4",
+    "sighted": true,
+    "relatedId": ""
   }
 ]
diff --git a/thehive/test/resources/data/ObservableAttachment.json b/thehive/test/resources/data/ObservableAttachment.json
index e96a0e3fa3..8aa6ad9726 100644
--- a/thehive/test/resources/data/ObservableAttachment.json
+++ b/thehive/test/resources/data/ObservableAttachment.json
@@ -1,3 +1,5 @@
 [
-  {"from": "helloworld", "to": "attachment-hello"}
+  {"from": "helloworld", "to": "attachment-hello"},
+  {"from": "obs-cascade-remove-simple", "to": "cascade-remove-attachment1"},
+  {"from": "obs-cascade-remove-delete", "to": "cascade-remove-attachment1"}
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/ObservableData.json b/thehive/test/resources/data/ObservableData.json
deleted file mode 100644
index 344dc8f62b..0000000000
--- a/thehive/test/resources/data/ObservableData.json
+++ /dev/null
@@ -1,6 +0,0 @@
-[
-  {"from": "h.fr", "to": "data-h.fr"},
-  {"from": "c.fr", "to": "data-c.fr"},
-  {"from": "perdu.com", "to": "data-perdu.com"},
-  {"from": "alert-h.fr", "to": "data-h.fr"}
-]
diff --git a/thehive/test/resources/data/ObservableObservableType.json b/thehive/test/resources/data/ObservableObservableType.json
deleted file mode 100644
index bf3337b719..0000000000
--- a/thehive/test/resources/data/ObservableObservableType.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
-  {"from": "h.fr", "to": "domain"},
-  {"from": "c.fr", "to": "domain"},
-  {"from": "helloworld", "to": "file"},
-  {"from": "perdu.com", "to": "domain"},
-  {"from": "alert-h.fr", "to": "domain"}
-]
diff --git a/thehive/test/resources/data/ObservableTag.json b/thehive/test/resources/data/ObservableTag.json
deleted file mode 100644
index f5b3cb72a8..0000000000
--- a/thehive/test/resources/data/ObservableTag.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
-  {"from": "h.fr", "to": "tagtestDomain"},
-  {"from": "c.fr", "to": "tagtestDomain"},
-  {"from": "helloworld", "to": "taghello"},
-  {"from": "helloworld", "to": "tagworld"},
-  {"from": "alert-h.fr", "to":  "taghello"}
-]
diff --git a/thehive/test/resources/data/ObservableType.json b/thehive/test/resources/data/ObservableType.json
deleted file mode 100644
index 0637a088a0..0000000000
--- a/thehive/test/resources/data/ObservableType.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Organisation.json b/thehive/test/resources/data/Organisation.json
index a89248400c..ffdd9d0df7 100644
--- a/thehive/test/resources/data/Organisation.json
+++ b/thehive/test/resources/data/Organisation.json
@@ -8,5 +8,10 @@
     "id": "soc",
     "name": "soc",
     "description": "soc"
+  },
+  {
+    "id": "pug",
+    "name": "pug",
+    "description": "pug"
   }
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/OrganisationShare.json b/thehive/test/resources/data/OrganisationShare.json
index 4f715d24fa..a31844b787 100644
--- a/thehive/test/resources/data/OrganisationShare.json
+++ b/thehive/test/resources/data/OrganisationShare.json
@@ -1,8 +1,19 @@
 [
   {"from": "cert", "to": "case1-cert"},
   {"from": "cert", "to": "case2-cert"},
+  {"from": "cert", "to": "cascade-remove-simple"},
+  {"from": "cert", "to": "share-cascade-remove"},
+  {"from": "soc", "to": "share-cascade-remove2"},
   {"from": "soc", "to": "case2-soc"},
   {"from": "soc", "to": "case3-soc"},
   {"from": "soc", "to": "case-actionRequired-soc"},
-  {"from": "cert", "to": "case-actionRequired-cert"}
-]
\ No newline at end of file
+  {"from": "cert", "to": "case-actionRequired-cert"},
+  {"from": "cert", "to": "case21-merge-cert"},
+  {"from": "cert", "to": "case22-merge-cert"},
+  {"from": "cert", "to": "case23-merge-cert"},
+  {"from": "cert", "to": "case24-merge-cert"},
+  {"from": "soc", "to": "case24-merge-soc"},
+  {"from": "cert", "to": "case25-merge-cert"},
+  {"from": "soc", "to": "case25-merge-soc"},
+  {"from": "pug", "to": "case26-merge-pug"}
+]
diff --git a/thehive/test/resources/data/OrganisationTaxonomy.json b/thehive/test/resources/data/OrganisationTaxonomy.json
new file mode 100644
index 0000000000..df6a1338b2
--- /dev/null
+++ b/thehive/test/resources/data/OrganisationTaxonomy.json
@@ -0,0 +1,5 @@
+[
+  {"from": "admin", "to": "taxonomy1"},
+  {"from": "cert", "to": "taxonomy1"},
+  {"from": "soc", "to": "taxonomy1"}
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Pattern.json b/thehive/test/resources/data/Pattern.json
new file mode 100644
index 0000000000..98be700a1b
--- /dev/null
+++ b/thehive/test/resources/data/Pattern.json
@@ -0,0 +1,38 @@
+[
+  {
+    "id": "testPattern1",
+    "patternId": "T123",
+    "name": "testPattern1",
+    "description": "The testPattern 1",
+    "tactics": [
+      "testTactic1",
+      "testTactic2"
+    ],
+    "url": "http://test.pattern.url",
+    "patternType": "unit-test",
+    "revoked": false,
+    "dataSources": [],
+    "defenseBypassed": [],
+    "platforms": [],
+    "remoteSupport": true,
+    "revision": "1.0"
+  },
+  {
+    "id": "testPattern2",
+    "patternId": "T234",
+    "name": "testPattern2",
+    "description": "The testPattern 2",
+    "tactics": [
+      "testTactic2",
+      "testTactic3"
+    ],
+    "url": "http://test.pattern2.url",
+    "patternType": "unit-test",
+    "revoked": false,
+    "dataSources": [],
+    "defenseBypassed": [],
+    "platforms": [],
+    "remoteSupport": false,
+    "revision": "1.1"
+  }
+]
diff --git a/thehive/test/resources/data/Procedure.json b/thehive/test/resources/data/Procedure.json
new file mode 100644
index 0000000000..298436bd33
--- /dev/null
+++ b/thehive/test/resources/data/Procedure.json
@@ -0,0 +1,32 @@
+[
+  {
+    "id": "testProcedure1",
+    "description": "The testProcedure 1",
+    "occurDate": 1531667370000,
+    "tactic": "tactic1"
+  },
+  {
+    "id": "testProcedure2",
+    "description": "The testProcedure 2",
+    "occurDate": 1531667370000,
+    "tactic": "tactic2"
+  },
+  {
+    "id": "mergeProcedure211",
+    "description": "merge Procedure 211",
+    "occurDate": 1531667370000,
+    "tactic": "tactic 21"
+  },
+  {
+    "id": "mergeProcedure221",
+    "description": "merge Procedure 221",
+    "occurDate": 1531667370000,
+    "tactic": "tactic 22"
+  },
+  {
+    "id": "mergeProcedure222",
+    "description": "merge Procedure 222",
+    "occurDate": 1531667370000,
+    "tactic": "tactic 22"
+  }
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/ProcedurePattern.json b/thehive/test/resources/data/ProcedurePattern.json
new file mode 100644
index 0000000000..19541f6f82
--- /dev/null
+++ b/thehive/test/resources/data/ProcedurePattern.json
@@ -0,0 +1,4 @@
+[
+  {"from": "testProcedure1", "to": "testPattern1"},
+  {"from": "testProcedure2", "to": "testPattern2"}
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Role.json b/thehive/test/resources/data/Role.json
index 4b4654e618..2ed22cde24 100644
--- a/thehive/test/resources/data/Role.json
+++ b/thehive/test/resources/data/Role.json
@@ -4,5 +4,8 @@
   {"id": "admin-cert"},
   {"id": "ro-soc"},
   {"id": "user-soc"},
-  {"id": "admin-soc"}
+  {"id": "admin-soc"},
+  {"id": "ro-pug"},
+  {"id": "user-pug"},
+  {"id": "admin-pug"}
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/RoleOrganisation.json b/thehive/test/resources/data/RoleOrganisation.json
index 5a7df8b559..be2a75ba2b 100644
--- a/thehive/test/resources/data/RoleOrganisation.json
+++ b/thehive/test/resources/data/RoleOrganisation.json
@@ -4,5 +4,8 @@
   {"from": "admin-cert", "to":  "cert"},
   {"from": "ro-soc", "to":  "soc"},
   {"from": "user-soc", "to":  "soc"},
-  {"from": "admin-soc", "to":  "soc"}
+  {"from": "admin-soc", "to":  "soc"},
+  {"from": "ro-pug", "to":  "pug"},
+  {"from": "user-pug", "to":  "pug"},
+  {"from": "admin-pug", "to":  "pug"}
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/RoleProfile.json b/thehive/test/resources/data/RoleProfile.json
index 6e3e5f6a2f..793bd9b497 100644
--- a/thehive/test/resources/data/RoleProfile.json
+++ b/thehive/test/resources/data/RoleProfile.json
@@ -4,5 +4,8 @@
   {"from": "admin-cert", "to":  "org-admin"},
   {"from": "ro-soc", "to":  "read-only"},
   {"from": "user-soc", "to":  "analyst"},
-  {"from": "admin-soc", "to":  "org-admin"}
+  {"from": "admin-soc", "to":  "org-admin"},
+  {"from": "ro-pug", "to":  "read-only"},
+  {"from": "user-pug", "to":  "analyst"},
+  {"from": "admin-pug", "to":  "org-admin"}
 ]
diff --git a/thehive/test/resources/data/Share.json b/thehive/test/resources/data/Share.json
index 9f3e4d9714..0fa5284226 100644
--- a/thehive/test/resources/data/Share.json
+++ b/thehive/test/resources/data/Share.json
@@ -4,5 +4,16 @@
   {"id": "case2-soc", "owner":  false},
   {"id": "case3-soc", "owner":  true},
   {"id": "case-actionRequired-soc", "owner":  true},
-  {"id": "case-actionRequired-cert", "owner":  true}
-]
\ No newline at end of file
+  {"id": "case-actionRequired-cert", "owner":  true},
+  {"id": "case21-merge-cert", "owner":  true},
+  {"id": "case22-merge-cert", "owner":  true},
+  {"id": "case23-merge-cert", "owner":  true},
+  {"id": "case24-merge-soc", "owner":  true},
+  {"id": "case24-merge-cert", "owner":  false},
+  {"id": "case25-merge-cert", "owner":  true},
+  {"id": "case25-merge-soc", "owner":  false},
+  {"id": "case26-merge-pug", "owner":  true},
+  {"id": "cascade-remove-simple", "owner":  true},
+  {"id": "share-cascade-remove", "owner":  false},
+  {"id": "share-cascade-remove2", "owner":  true}
+]
diff --git a/thehive/test/resources/data/ShareCase.json b/thehive/test/resources/data/ShareCase.json
index 6a4a54d2fa..8cfc4630eb 100644
--- a/thehive/test/resources/data/ShareCase.json
+++ b/thehive/test/resources/data/ShareCase.json
@@ -4,5 +4,16 @@
   {"from": "case2-soc", "to": "case2"},
   {"from": "case3-soc", "to": "case3"},
   {"from": "case-actionRequired-soc", "to": "caseActionRequired1"},
-  {"from": "case-actionRequired-cert", "to": "caseActionRequired2"}
-]
\ No newline at end of file
+  {"from": "case-actionRequired-cert", "to": "caseActionRequired2"},
+  {"from": "case21-merge-cert", "to": "caseMerge21"},
+  {"from": "case22-merge-cert", "to": "caseMerge22"},
+  {"from": "case23-merge-cert", "to": "caseMerge23"},
+  {"from": "case24-merge-soc", "to": "caseMerge24"},
+  {"from": "case24-merge-cert", "to": "caseMerge24"},
+  {"from": "case25-merge-cert", "to": "caseMerge25"},
+  {"from": "case25-merge-soc", "to": "caseMerge25"},
+  {"from": "case26-merge-pug", "to": "caseMerge26"},
+  {"from": "cascade-remove-simple", "to": "case5"},
+  {"from": "share-cascade-remove", "to": "case4"},
+  {"from": "share-cascade-remove2", "to": "case4"}
+]
diff --git a/thehive/test/resources/data/ShareObservable.json b/thehive/test/resources/data/ShareObservable.json
index 136f6ec8bf..91d33bcbd6 100644
--- a/thehive/test/resources/data/ShareObservable.json
+++ b/thehive/test/resources/data/ShareObservable.json
@@ -1,5 +1,15 @@
 [
   {"from": "case1-cert", "to": "h.fr"},
   {"from": "case2-cert", "to": "helloworld"},
-  {"from": "case2-soc", "to": "helloworld"}
-]
\ No newline at end of file
+  {"from": "case2-soc", "to": "helloworld"},
+  {"from": "case21-merge-cert", "to": "mergeObs211"},
+  {"from": "case23-merge-cert", "to": "mergeObs231"},
+  {"from": "case23-merge-cert", "to": "mergeObs232"},
+  {"from": "case25-merge-soc", "to": "mergeObs251"},
+  {"from": "case25-merge-cert", "to": "mergeObs251"},
+  {"from": "case25-merge-cert", "to": "mergeObs252"},
+  {"from": "cascade-remove-simple", "to": "obs-cascade-remove-simple"},
+  {"from": "share-cascade-remove", "to": "obs-cascade-remove-delete"},
+  {"from": "share-cascade-remove", "to": "obs-cascade-remove-unshare"},
+  {"from": "share-cascade-remove2", "to": "obs-cascade-remove-unshare"}
+]
diff --git a/thehive/test/resources/data/ShareProfile.json b/thehive/test/resources/data/ShareProfile.json
index c52d4fa5d4..b48ac8c1ec 100644
--- a/thehive/test/resources/data/ShareProfile.json
+++ b/thehive/test/resources/data/ShareProfile.json
@@ -2,5 +2,13 @@
   {"from": "case1-cert", "to": "org-admin"},
   {"from": "case2-cert", "to": "org-admin"},
   {"from": "case2-soc", "to": "read-only"},
-  {"from": "case3-soc", "to": "org-admin"}
-]
\ No newline at end of file
+  {"from": "case3-soc", "to": "org-admin"},
+  {"from": "case21-merge-cert", "to": "org-admin"},
+  {"from": "case22-merge-cert", "to": "org-admin"},
+  {"from": "case23-merge-cert", "to": "org-admin"},
+  {"from": "case24-merge-soc", "to": "org-admin"},
+  {"from": "case24-merge-cert", "to": "read-only"},
+  {"from": "case25-merge-cert", "to": "read-only"},
+  {"from": "case25-merge-soc", "to": "org-admin"},
+  {"from": "case26-merge-pug", "to": "read-only"}
+]
diff --git a/thehive/test/resources/data/ShareTask.json b/thehive/test/resources/data/ShareTask.json
index 3d0b13d34e..33ee108ff6 100644
--- a/thehive/test/resources/data/ShareTask.json
+++ b/thehive/test/resources/data/ShareTask.json
@@ -7,5 +7,16 @@
   {"from": "case-actionRequired-soc", "to": "taskActionRequired1", "actionRequired":  false},
   {"from": "case-actionRequired-cert", "to": "taskActionRequired1", "actionRequired":  false},
   {"from": "case-actionRequired-soc", "to": "taskActionRequired2", "actionRequired":  false},
-  {"from": "case-actionRequired-cert", "to": "taskActionRequired2", "actionRequired":  true}
-]
\ No newline at end of file
+  {"from": "case-actionRequired-cert", "to": "taskActionRequired2", "actionRequired":  true},
+  {"from": "case21-merge-cert", "to": "taskMerge211", "actionRequired":  false},
+  {"from": "case21-merge-cert", "to": "taskMerge212", "actionRequired":  false},
+  {"from": "case23-merge-cert", "to": "taskMerge231", "actionRequired":  false},
+  {"from": "case24-merge-soc", "to": "taskMerge241", "actionRequired":  false},
+  {"from": "case24-merge-soc", "to": "taskMerge242", "actionRequired":  false},
+  {"from": "case24-merge-cert", "to": "taskMerge242", "actionRequired":  false},
+  {"from": "cascade-remove-simple", "to": "task-cascade-remove-simple", "actionRequired":  false},
+  {"from": "share-cascade-remove", "to": "task-cascade-remove-delete", "actionRequired":  false},
+  {"from": "share-cascade-remove", "to": "task-cascade-remove-unshare", "actionRequired":  false},
+  {"from": "share-cascade-remove2", "to": "task-cascade-remove-unshare", "actionRequired":  false}
+
+]
diff --git a/thehive/test/resources/data/Tag.json b/thehive/test/resources/data/Tag.json
index c6136decb4..f5c988dc28 100644
--- a/thehive/test/resources/data/Tag.json
+++ b/thehive/test/resources/data/Tag.json
@@ -1,72 +1,9 @@
 [
   {
-    "id": "tagt1",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "t1",
-    "colour": 0
-  },
-  {
-    "id": "tagt2",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "t2",
-    "colour": 0
-  },
-  {
-    "id": "tagt3",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "t3",
-    "colour": 0
-  },
-  {
-    "id": "tagalert",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "alert",
-    "colour": 0
-  },
-  {
-    "id": "tagtest",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "test",
-    "colour": 0
-  },
-  {
-    "id": "tagspam",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "spam",
-    "colour": 0
-  },
-  {
-    "id": "tagsrc:mail",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "src:mail",
-    "colour": 0
-  },
-  {
-    "id": "tagtestDomain",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "testDomain",
-    "colour": 0
-  },
-  {
-    "id": "taghello",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "hello",
-    "colour": 0
-  },
-  {
-    "id": "tagworld",
-    "namespace": "testNamespace",
-    "predicate": "testPredicate",
-    "value": "world",
-    "colour": 0
+    "id": "taxonomy-tag1",
+    "namespace": "taxonomy1",
+    "predicate": "pred1",
+    "value": "value1",
+    "colour": "#00f300"
   }
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/Task.json b/thehive/test/resources/data/Task.json
index b285d22a9b..b6e88418e2 100644
--- a/thehive/test/resources/data/Task.json
+++ b/thehive/test/resources/data/Task.json
@@ -6,7 +6,9 @@
     "description": "description task 1",
     "status": "Waiting",
     "flag": false,
-    "order": 0
+    "order": 0,
+    "assignee": "certuser@thehive.local",
+    "relatedId": ""
   },
   {
     "id": "task2",
@@ -15,7 +17,8 @@
     "description": "description task 2",
     "status": "Waiting",
     "flag": true,
-    "order": 1
+    "order": 1,
+    "relatedId": ""
   },
   {
     "id": "task3",
@@ -24,7 +27,9 @@
     "description": "description task 3",
     "status": "Waiting",
     "flag": true,
-    "order": 0
+    "order": 0,
+    "assignee": "certuser@thehive.local",
+    "relatedId": ""
   },
   {
     "id": "task4",
@@ -33,7 +38,8 @@
     "description": "description task 4",
     "status": "Waiting",
     "flag": true,
-    "order": 0
+    "order": 0,
+    "relatedId": ""
   },
   {
     "id": "task5",
@@ -42,7 +48,8 @@
     "description": "description task 5",
     "status": "Waiting",
     "flag": true,
-    "order": 0
+    "order": 0,
+    "relatedId": ""
   },
   {
     "id": "taskActionRequired1",
@@ -51,7 +58,8 @@
     "description": "description task Required",
     "status": "Waiting",
     "flag": true,
-    "order": 0
+    "order": 0,
+    "relatedId": ""
   },
   {
     "id": "taskActionRequired2",
@@ -60,6 +68,87 @@
     "description": "description task Required",
     "status": "Waiting",
     "flag": true,
-    "order": 0
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "taskMerge211",
+    "title": "taskMerge211",
+    "group": "task merge",
+    "description": "description task merge 21 1",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "taskMerge212",
+    "title": "taskMerge212",
+    "group": "task merge",
+    "description": "description task merge 21 2",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "taskMerge231",
+    "title": "taskMerge231",
+    "group": "task merge",
+    "description": "description task merge 23 1",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "taskMerge241",
+    "title": "taskMerge241",
+    "group": "task merge",
+    "description": "description task merge 24 1",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "taskMerge242",
+    "title": "taskMerge242",
+    "group": "task merge",
+    "description": "description task merge 24 2",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "task-cascade-remove-simple",
+    "title": "task-cascade-remove-simple",
+    "group": "group1",
+    "description": "description task simple",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "task-cascade-remove-unshare",
+    "title": "task-cascade-remove-unshare",
+    "group": "group1",
+    "description": "description task unshare",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
+  },
+  {
+    "id": "task-cascade-remove-delete",
+    "title": "task-cascade-remove-delete",
+    "group": "group1",
+    "description": "description task delete",
+    "status": "Waiting",
+    "flag": true,
+    "order": 0,
+    "relatedId": ""
   }
-]
\ No newline at end of file
+]
diff --git a/thehive/test/resources/data/TaskLog.json b/thehive/test/resources/data/TaskLog.json
index be493e0362..bf30ec599f 100644
--- a/thehive/test/resources/data/TaskLog.json
+++ b/thehive/test/resources/data/TaskLog.json
@@ -1,3 +1,5 @@
 [
-  {"from": "task4", "to": "log1"}
-]
\ No newline at end of file
+  {"from": "task4", "to": "log1"},
+  {"from": "task-cascade-remove-simple", "to": "log-cascade-remove-simple"},
+  {"from": "task-cascade-remove-delete", "to": "log-cascade-remove-delete"}
+]
diff --git a/thehive/test/resources/data/TaskUser.json b/thehive/test/resources/data/TaskUser.json
deleted file mode 100644
index f14868e601..0000000000
--- a/thehive/test/resources/data/TaskUser.json
+++ /dev/null
@@ -1,4 +0,0 @@
-[
-  {"from": "task1", "to": "certuser@thehive.local"},
-  {"from": "task3", "to": "certuser@thehive.local"}
-]
diff --git a/thehive/test/resources/data/Taxonomy.json b/thehive/test/resources/data/Taxonomy.json
new file mode 100644
index 0000000000..5c661448dc
--- /dev/null
+++ b/thehive/test/resources/data/Taxonomy.json
@@ -0,0 +1,14 @@
+[
+  {
+    "id": "taxonomy1",
+    "namespace": "taxonomy1",
+    "description": "The taxonomy 1",
+    "version": 1
+  },
+  {
+    "id": "taxonomy2",
+    "namespace": "taxonomy2",
+    "description": "The taxonomy 2",
+    "version": 1
+  }
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/TaxonomyTag.json b/thehive/test/resources/data/TaxonomyTag.json
new file mode 100644
index 0000000000..80806c707c
--- /dev/null
+++ b/thehive/test/resources/data/TaxonomyTag.json
@@ -0,0 +1,3 @@
+[
+  {"from": "taxonomy1", "to": "taxonomy-tag1"}
+]
\ No newline at end of file
diff --git a/thehive/test/resources/data/User.json b/thehive/test/resources/data/User.json
index 04b8bbf603..2bc2293038 100644
--- a/thehive/test/resources/data/User.json
+++ b/thehive/test/resources/data/User.json
@@ -12,6 +12,12 @@
     "name": "socuser",
     "locked": false
   },
+  {
+    "id": "puguser",
+    "login": "puguser@thehive.local",
+    "name": "puguser",
+    "locked": false
+  },
   {
     "id": "certadmin",
     "login": "certadmin@thehive.local",
@@ -24,6 +30,12 @@
     "name": "socadmin",
     "locked": false
   },
+  {
+    "id": "pugadmin",
+    "login": "pugadmin@thehive.local",
+    "name": "pugadmin",
+    "locked": false
+  },
   {
     "id": "certro",
     "login": "certro@thehive.local",
@@ -37,5 +49,12 @@
     "name": "socro",
     "locked": false,
     "password": "*random*seed*,d57cb64654764ab43edfc76a0a84e4e2fda867e761ab5a82859b00ad8412b2a1"
+  },
+  {
+    "id": "pugro",
+    "login": "pugro@thehive.local",
+    "name": "pugro",
+    "locked": false,
+    "password": "*random*seed*,d57cb64654764ab43edfc76a0a84e4e2fda867e761ab5a82859b00ad8412b2a1"
   }
 ]
\ No newline at end of file
diff --git a/thehive/test/resources/data/UserRole.json b/thehive/test/resources/data/UserRole.json
index 8c0e886f19..7434c5b0b8 100644
--- a/thehive/test/resources/data/UserRole.json
+++ b/thehive/test/resources/data/UserRole.json
@@ -4,5 +4,8 @@
   {"from": "certadmin@thehive.local","to": "admin-cert"},
   {"from": "socro@thehive.local","to": "ro-soc"},
   {"from": "socuser@thehive.local","to": "user-soc"},
-  {"from": "socadmin@thehive.local","to": "admin-soc"}
+  {"from": "socadmin@thehive.local","to": "admin-soc"},
+  {"from": "pugro@thehive.local","to": "ro-pug"},
+  {"from": "puguser@thehive.local","to": "user-pug"},
+  {"from": "pugadmin@thehive.local","to": "admin-pug"}
 ]
diff --git a/thehive/test/resources/machinetag-badformat.zip b/thehive/test/resources/machinetag-badformat.zip
new file mode 100644
index 0000000000..f18619f184
Binary files /dev/null and b/thehive/test/resources/machinetag-badformat.zip differ
diff --git a/thehive/test/resources/machinetag-folders.zip b/thehive/test/resources/machinetag-folders.zip
new file mode 100644
index 0000000000..f11bf049db
Binary files /dev/null and b/thehive/test/resources/machinetag-folders.zip differ
diff --git a/thehive/test/resources/machinetag-otherfiles.zip b/thehive/test/resources/machinetag-otherfiles.zip
new file mode 100644
index 0000000000..8150184178
Binary files /dev/null and b/thehive/test/resources/machinetag-otherfiles.zip differ
diff --git a/thehive/test/resources/machinetag-present.zip b/thehive/test/resources/machinetag-present.zip
new file mode 100644
index 0000000000..bcaa2464e5
Binary files /dev/null and b/thehive/test/resources/machinetag-present.zip differ
diff --git a/thehive/test/resources/machinetag.zip b/thehive/test/resources/machinetag.zip
new file mode 100644
index 0000000000..49be7a25c0
Binary files /dev/null and b/thehive/test/resources/machinetag.zip differ
diff --git a/thehive/test/resources/patterns.json b/thehive/test/resources/patterns.json
new file mode 100644
index 0000000000..173fff9930
--- /dev/null
+++ b/thehive/test/resources/patterns.json
@@ -0,0 +1,481 @@
+{
+  "type": "bundle",
+  "id": "bundle--ad5f3bce-004b-417e-899d-392f8591ab55",
+  "spec_version": "2.0",
+  "objects": [
+  {
+    "id": "attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
+    "name": ".bash_profile and .bashrc",
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1156",
+        "url": "https://attack.mitre.org/techniques/T1156"
+      },
+      {
+        "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+        "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
+        "source_name": "amnesia malware"
+      }
+    ],
+    "revoked": true,
+    "type": "attack-pattern",
+    "modified": "2020-01-24T14:14:05.452Z",
+    "created": "2017-12-14T16:46:06.044Z"
+  },
+  {
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1546.004",
+        "url": "https://attack.mitre.org/techniques/T1546/004"
+      },
+      {
+        "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+        "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
+        "source_name": "amnesia malware"
+      }
+    ],
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "name": ".bash_profile and .bashrc",
+    "description": "Adversaries may establish persistence by executing malicious content triggered by a user’s shell. <code>~/.bash_profile</code> and <code>~/.bashrc</code> are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.\n\n<code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the <code>~/.bash_profile</code> script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the <code>~/.bashrc</code> script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.\n\nThe macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nAdversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware)",
+    "id": "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "privilege-escalation"
+      },
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "persistence"
+      }
+    ],
+    "modified": "2020-03-24T16:28:04.990Z",
+    "created": "2020-01-24T14:13:45.936Z",
+    "x_mitre_version": "1.0",
+    "x_mitre_is_subtechnique": true,
+    "x_mitre_permissions_required": [
+      "User",
+      "Administrator"
+    ],
+    "x_mitre_detection": "While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.",
+    "x_mitre_data_sources": [
+      "Process use of network",
+      "Process command-line parameters",
+      "Process monitoring",
+      "File monitoring"
+    ],
+    "x_mitre_platforms": [
+      "Linux",
+      "macOS"
+    ]
+  },
+  {
+    "external_references": [
+      {
+        "url": "https://attack.mitre.org/techniques/T1003/008",
+        "external_id": "T1003.008",
+        "source_name": "mitre-attack"
+      },
+      {
+        "description": "The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.",
+        "url": "https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html",
+        "source_name": "Linux Password and Shadow File Formats"
+      },
+      {
+        "description": "Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.",
+        "url": "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
+        "source_name": "nixCraft - John the Ripper"
+      }
+    ],
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "name": "/etc/passwd and /etc/shadow",
+    "description": "Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>\n",
+    "id": "attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "credential-access"
+      }
+    ],
+    "modified": "2020-03-20T15:56:55.022Z",
+    "created": "2020-02-11T18:46:56.263Z",
+    "x_mitre_detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access <code>/etc/passwd</code> and <code>/etc/shadow</code>, alerting on the pid, process name, and arguments of such programs.",
+    "x_mitre_permissions_required": [
+      "root"
+    ],
+    "x_mitre_version": "1.0",
+    "x_mitre_is_subtechnique": true,
+    "x_mitre_platforms": [
+      "Linux"
+    ]
+  },
+  {
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1557.002",
+        "url": "https://attack.mitre.org/techniques/T1557/002"
+      },
+      {
+        "source_name": "RFC826 ARP",
+        "url": "https://tools.ietf.org/html/rfc826",
+        "description": "Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020."
+      },
+      {
+        "source_name": "Sans ARP Spoofing Aug 2003",
+        "url": "https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411",
+        "description": "Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020."
+      },
+      {
+        "source_name": "Cylance Cleaver",
+        "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
+        "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+      }
+    ],
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "name": "ARP Cache Poisoning",
+    "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
+    "id": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "credential-access"
+      },
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "collection"
+      }
+    ],
+    "modified": "2020-10-16T15:22:11.604Z",
+    "created": "2020-10-15T12:05:58.755Z",
+    "x_mitre_version": "1.0",
+    "x_mitre_is_subtechnique": true,
+    "x_mitre_permissions_required": [
+      "User"
+    ],
+    "x_mitre_detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.",
+    "x_mitre_data_sources": [
+      "Packet capture",
+      "Netflow/Enclave netflow"
+    ],
+    "x_mitre_contributors": [
+      "Jon Sternstein, Stern Security"
+    ],
+    "x_mitre_platforms": [
+      "Linux",
+      "Windows",
+      "macOS"
+    ]
+  },
+  {
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1558.004",
+        "url": "https://attack.mitre.org/techniques/T1558/004"
+      },
+      {
+        "source_name": "Harmj0y Roasting AS-REPs Jan 2017",
+        "url": "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
+        "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020."
+      },
+      {
+        "source_name": "Microsoft Kerberos Preauth 2014",
+        "url": "https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx",
+        "description": "Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020."
+      },
+      {
+        "source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019",
+        "url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/",
+        "description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020."
+      },
+      {
+        "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.",
+        "source_name": "SANS Attacking Kerberos Nov 2014",
+        "url": "https://redsiege.com/kerberoast-slides"
+      },
+      {
+        "url": "https://adsecurity.org/?p=2293",
+        "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
+        "source_name": "AdSecurity Cracking Kerberos Dec 2015"
+      },
+      {
+        "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
+        "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
+        "source_name": "Microsoft Detecting Kerberoasting Feb 2018"
+      },
+      {
+        "source_name": "Microsoft 4768 TGT 2017",
+        "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768",
+        "description": "Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020."
+      }
+    ],
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "name": "AS-REP Roasting",
+    "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
+    "id": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "credential-access"
+      }
+    ],
+    "modified": "2020-10-20T19:30:11.783Z",
+    "created": "2020-08-24T13:43:00.028Z",
+    "x_mitre_version": "1.0",
+    "x_mitre_is_subtechnique": true,
+    "x_mitre_system_requirements": [
+      "Valid domain account"
+    ],
+    "x_mitre_permissions_required": [
+      "User"
+    ],
+    "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
+    "x_mitre_data_sources": [
+      "Windows event logs",
+      "Authentication logs"
+    ],
+    "x_mitre_contributors": [
+      "James Dunn, @jamdunnDFW, EY",
+      "Swapnil Kumbhar",
+      "Jacques Pluviose, @Jacqueswildy_IT",
+      "Dan Nutting, @KerberToast"
+    ],
+    "x_mitre_platforms": [
+      "Windows"
+    ]
+  },
+  {
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1548",
+        "url": "https://attack.mitre.org/techniques/T1548"
+      }
+    ],
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "name": "Abuse Elevation Control Mechanism",
+    "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
+    "id": "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "privilege-escalation"
+      },
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "defense-evasion"
+      }
+    ],
+    "modified": "2020-07-22T21:36:52.825Z",
+    "created": "2020-01-30T13:58:14.373Z",
+    "x_mitre_data_sources": [
+      "Windows Registry",
+      "File monitoring",
+      "Process command-line parameters",
+      "API monitoring",
+      "Process monitoring"
+    ],
+    "x_mitre_permissions_required": [
+      "Administrator",
+      "User"
+    ],
+    "x_mitre_detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the <code>LOG_INPUT</code> and <code>LOG_OUTPUT</code> directives in the <code>/etc/sudoers</code> file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
+    "x_mitre_version": "1.0",
+    "x_mitre_is_subtechnique": false,
+    "x_mitre_platforms": [
+      "Linux",
+      "macOS",
+      "Windows"
+    ]
+  },
+  {
+    "object_marking_refs": [
+      "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+    ],
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1134",
+        "url": "https://attack.mitre.org/techniques/T1134"
+      },
+      {
+        "external_id": "CAPEC-633",
+        "source_name": "capec",
+        "url": "https://capec.mitre.org/data/definitions/633.html"
+      },
+      {
+        "url": "https://pentestlab.blog/2017/04/03/token-manipulation/",
+        "description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
+        "source_name": "Pentestlab Token Manipulation"
+      },
+      {
+        "url": "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing",
+        "description": "Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.",
+        "source_name": "Microsoft Command-line Logging"
+      },
+      {
+        "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx",
+        "description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
+        "source_name": "Microsoft LogonUser"
+      },
+      {
+        "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx",
+        "description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
+        "source_name": "Microsoft DuplicateTokenEx"
+      },
+      {
+        "url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx",
+        "description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
+        "source_name": "Microsoft ImpersonateLoggedOnUser"
+      },
+      {
+        "url": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf",
+        "description": "Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.",
+        "source_name": "BlackHat Atkinson Winchester Token Manipulation"
+      }
+    ],
+    "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
+    "name": "Access Token Manipulation",
+    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+    "id": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+    "type": "attack-pattern",
+    "kill_chain_phases": [
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "defense-evasion"
+      },
+      {
+        "kill_chain_name": "mitre-attack",
+        "phase_name": "privilege-escalation"
+      }
+    ],
+    "modified": "2020-04-16T19:37:02.355Z",
+    "created": "2017-12-14T16:46:06.044Z",
+    "x_mitre_defense_bypassed": [
+      "Windows User Account Control",
+      "System access controls",
+      "File system access controls",
+      "Heuristic Detection",
+      "Host forensic analysis"
+    ],
+    "x_mitre_is_subtechnique": false,
+    "x_mitre_version": "2.0",
+    "x_mitre_contributors": [
+      "Tom Ueltschi @c_APT_ure",
+      "Travis Smith, Tripwire",
+      "Robby Winchester, @robwinchester3",
+      "Jared Atkinson, @jaredcatkinson"
+    ],
+    "x_mitre_data_sources": [
+      "Authentication logs",
+      "Windows event logs",
+      "API monitoring",
+      "Access tokens",
+      "Process monitoring",
+      "Process command-line parameters"
+    ],
+    "x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., <code>LogonUser</code> (Citation: Microsoft LogonUser), <code>DuplicateTokenEx</code>(Citation: Microsoft DuplicateTokenEx), and <code>ImpersonateLoggedOnUser</code>(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
+    "x_mitre_permissions_required": [
+      "User",
+      "Administrator"
+    ],
+    "x_mitre_effective_permissions": [
+      "SYSTEM"
+    ],
+    "x_mitre_platforms": [
+      "Windows"
+    ]
+  },
+  {
+    "external_references": [
+      {
+        "source_name": "mitre-attack",
+        "external_id": "T1015",
+        "url": "https://attack.mitre.org/techniques/T1015"
+      },
+      {
+        "external_id": "CAPEC-558",
+        "source_name": "capec",
+        "url": "https://capec.mitre.org/data/definitions/558.html"
+      },
+      {
+        "url": "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
+        "description": "Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.",
+        "source_name": "FireEye Hikit Rootkit"
+      },
+      {
+        "url": "https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom",
+        "description": "Maldonado, D., McGuffin, T. (2016, August 6). Sticky Keys to the Kingdom. Retrieved July 5, 2017.",
+        "source_name": "DEFCON2016 Sticky Keys"
+      },
+      {
+        "url": "http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/",
+        "description": "Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014.",
+        "source_name": "Tilbury 2014"
+      }
+    ],
+    "name": "Accessibility Features",
+    "id": "attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3",
+    "revoked": true,
+    "type": "attack-pattern",
+    "modified": "2020-05-13T20:37:30.008Z",
+    "created": "2017-05-31T21:30:26.946Z"
+  },
+    {
+      "object_marking_refs": [
+        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+      ],
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/software/S0066",
+          "external_id": "S0066"
+        },
+        {
+          "source_name": "CrowdStrike Putter Panda",
+          "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.",
+          "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
+        }
+      ],
+      "description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)",
+      "name": "3PARA RAT",
+      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+      "id": "malware--7bec698a-7e20-4fd3-bb6a-12787770fb1a",
+      "type": "malware",
+      "labels": [
+        "malware"
+      ],
+      "modified": "2020-03-30T18:34:04.031Z",
+      "created": "2017-05-31T21:32:44.131Z",
+      "x_mitre_version": "1.1",
+      "x_mitre_aliases": [
+        "3PARA RAT"
+      ],
+      "x_mitre_platforms": [
+        "Windows"
+      ]
+    }
+]
+}
\ No newline at end of file
diff --git a/thehive/test/resources/patternsUpdate.json b/thehive/test/resources/patternsUpdate.json
new file mode 100644
index 0000000000..5862bc5561
--- /dev/null
+++ b/thehive/test/resources/patternsUpdate.json
@@ -0,0 +1,22 @@
+{
+  "type": "bundle",
+  "id": "bundle--ad5f3bce-004b-417e-899d-392f8591ab55",
+  "spec_version": "2.0",
+  "objects": [
+    {
+      "id": "testPattern1",
+      "name": "Updated testPattern1",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "external_id": "T123",
+          "url": "https://attack.mitre.org/techniques/T123"
+        }
+      ],
+      "revoked": true,
+      "type": "attack-pattern",
+      "modified": "2020-01-24T14:14:05.452Z",
+      "created": "2017-12-14T16:46:06.044Z"
+    }
+  ]
+}
\ No newline at end of file