From 9994d47a434aa2351d3a4ec7834f4983051ecce9 Mon Sep 17 00:00:00 2001
From: weslambert <wlambertts@gmail.com>
Date: Mon, 21 Nov 2022 16:46:47 -0500
Subject: [PATCH 1/2] Add 'ics' tag to events generated from ICS protocol logs

---
 salt/filebeat/etc/filebeat.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f38ffd0d7..00146d5d1 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -145,6 +145,10 @@ filebeat.inputs:
       dataset: {{ LOGNAME }}
       category: network
   processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+  - add_tags:
+    tags: ["ics"]
+    {%- endif %}
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
  
@@ -162,6 +166,10 @@ filebeat.inputs:
       category: network
       imported: true
   processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
+  - add_tags:
+    tags: ["ics"]
+    {%- endif %}
   - add_tags:
       tags: ["import"]
   - dissect:

From fe180d56575c68341c5a83e6dca6a556b6f2f9ea Mon Sep 17 00:00:00 2001
From: weslambert <wlambertts@gmail.com>
Date: Mon, 21 Nov 2022 17:02:17 -0500
Subject: [PATCH 2/2] Fix indentation

---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 00146d5d1..10f80beea 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -147,7 +147,7 @@ filebeat.inputs:
   processors:
     {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
   - add_tags:
-    tags: ["ics"]
+      tags: ["ics"]
     {%- endif %}
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
@@ -168,7 +168,7 @@ filebeat.inputs:
   processors:
     {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*'|^profinet*'|^s7comm*') %}
   - add_tags:
-    tags: ["ics"]
+      tags: ["ics"]
     {%- endif %}
   - add_tags:
       tags: ["import"]