Merge pull request #9188 from Security-Onion-Solutions/feature/filebeat_config_ics_event_tag

Add 'ics' tag to events generated from ICS protocol logs

salt/filebeat/etc/filebeat.yml

@@ -144,6 +144,10 @@ filebeat.inputs:
       dataset: {{ LOGNAME }}
       category: network
   processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
  
@@ -161,6 +165,10 @@ filebeat.inputs:
       category: network
       imported: true
   processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
   - add_tags:
       tags: ["import"]
   - dissect: