diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml
index e4c18cc64..2cafce6fd 100644
--- a/salt/logstash/defaults.yaml
+++ b/salt/logstash/defaults.yaml
@@ -42,6 +42,24 @@ logstash:
     custom2: []
     custom3: []
     custom4: []
+  pipeline_config:
+    custom01: |-
+      filter {
+        if [event][module] =~ "zeek" {
+          mutate {
+            add_tag => ["network_stuff"]
+          }
+        }
+      }
+    custom02: PLACEHOLDER
+    custom03: PLACEHOLDER
+    custom04: PLACEHOLDER
+    custom05: PLACEHOLDER
+    custom06: PLACEHOLDER
+    custom07: PLACEHOLDER
+    custom08: PLACEHOLDER
+    custom09: PLACEHOLDER
+    custom10: PLACEHOLDER
   settings:
     lsheap: 500m
   config: