Merge remote-tracking branch 'remotes/origin/2.4/dev' into dockerips

2026-02-12 02:03:30 +01:00 · 2022-11-22 14:17:19 -05:00
parent b05839bb93 f9cc7888f4
commit b95a83b016
71 changed files with 963 additions and 17 deletions
--- a/salt/filebeat/defaults.yaml
+++ b/salt/filebeat/defaults.yaml
@@ -32,4 +32,61 @@ filebeat:
    - mysql
    - socks
    - x509
- 
+    - dnp3_objects
+    - modbus_detailed
+    - modbus_mask_write_single_register
+    - modbus_read_write_multiple_registers
+    - bacnet
+    - bacnet_discovery
+    - bacnet_property
+    - ecat_registers
+    - ecat_log_address
+    - ecat_dev_info
+    - ecat_aoe_info
+    - ecat_coe_info
+    - ecat_foe_info
+    - ecat_soe_info
+    - ecat_arp_info
+    - enip
+    - cip
+    - cip_io
+    - cip_identity
+    - opcua_binary
+    - opcua_binary_status_code_detail
+    - opcua_binary_diag_info_detail
+    - opcua_binary_get_endpoints
+    - opcua_binary_get_endpoints_discovery
+    - opcua_binary_get_endpoints_user_token
+    - opcua_binary_get_endpoints_description
+    - opcua_binary_get_endpoints_locale_id
+    - opcua_binary_get_endpoints_profile_uri
+    - opcua_binary_create_session
+    - opcua_binary_create_session_user_token
+    - opcua_binary_create_session_endpoints
+    - opcua_binary_create_session_discovery
+    - opcua_binary_activate_session
+    - opcua_binary_activate_session_client_software_cert
+    - opcua_binary_activate_session_locale_id
+    - opcua_binary_activate_session_diagnostic_info
+    - opcua_binary_browse
+    - opcua_binary_browse_description
+    - opcua_binary_browse_request_continuation_point
+    - opcua_binary_browse_result
+    - opcua_binary_browse_response_references
+    - opcua_binary_browse_diagnostic_info
+    - opcua_binary_create_subscription
+    - opcua_binary_read
+    - cotp
+    - s7comm
+    - s7comm_read_szl
+    - s7comm_upload_download
+    - s7comm_plus
+    - tds
+    - tds_rpc
+    - tds_sql_batch
+    - profinet_dce_rpc
+    - profinet
+    - profinet_debug
+    - stun
+    - stun_nat
+    - wireguard
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -145,6 +145,10 @@ filebeat.inputs:
      dataset: {{ LOGNAME }}
      category: network
  processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
  - drop_fields:
      fields: ["source", "prospector", "input", "offset", "beat"]
 
@@ -162,6 +166,10 @@ filebeat.inputs:
      category: network
      imported: true
  processors:
+    {%- if LOGNAME is match('^bacnet*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
  - add_tags:
      tags: ["import"]
  - dissect: