From 7ea0aa87e4a7e491ccb1f16e827fb7d35a64c091 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 29 Nov 2022 13:38:19 -0500
Subject: [PATCH] add ICS COTP dashboard to dashboards.queries.json
---
 salt/soc/files/soc/dashboards.queries.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 6458d8806..0870864c6 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -52,6 +52,7 @@
 { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) network metadata", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) network metadata", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) network metadata", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS COTP", "description": "COTP (Connection Oriented Transport Protocol) network metadata", "query": "event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) network metadata", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) network metadata", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
 { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) network metadata", "query": 
"event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
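Review bot: The new COTP entry groups on `cotp.pdu.name` and `cotp.pdu.code`, but nothing in this commit adds or references the ingest mapping that produces those field names, so if the parser's log is indexed under different names the two groupby panels will silently render empty rather than fail; the mapping should be confirmed against the pipeline before this ships. For consistency with the neighboring BACnet, BSAP, CIP, DNP3 and ECAT entries, which carry `event.dataset` in the sankey and add a `groupby event.dataset`, consider `"query": "event.dataset:cotp* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port"`; the ENIP entry below omits it too, so either shape has precedent, but the file should settle on one. Because the hunk cuts through the middle of the JSON array, the enclosing `[`/`]` and any entries that might already cover COTP are outside this view, so a duplicate `"name"` cannot be ruled out from here.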