From bc57446e2c4c78b98032e27b3a94da39366cf541 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 9 Jan 2025 13:56:52 -0700
Subject: [PATCH] standardize ICS protocols in network.protocol field, so they all get tagged with 'ics' properly

cisagov/Malcolm#541
---
 logstash/pipelines/enrichment/11_lookups.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf
index 337148f92..fc67d51fa 100644
--- a/logstash/pipelines/enrichment/11_lookups.conf
+++ b/logstash/pipelines/enrichment/11_lookups.conf
@@ -420,12 +420,14 @@ filter {
 ("ethercat" in [network][protocol]) or
 ("ge_srtp" in [network][protocol]) or
 ("genisys" in [network][protocol]) or
-("cotp" in [network][protocol]) or
+("hart_ip" in [network][protocol]) or
 ("opcua-binary" in [network][protocol]) or
 ("modbus" in [network][protocol]) or
 ("profinet" in [network][protocol]) or
 ("profinet_dce_rpc" in [network][protocol]) or
+("profinet_io_cm" in [network][protocol]) or
 ("s7comm" in [network][protocol]) or
+("s7comm-plus" in [network][protocol]) or
 ("s7comm_plus" in [network][protocol]) or
 ("synchrophasor" in [network][protocol])) {
 mutate { id => "mutate_add_tag_ics_from_network_protocol"
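Review bot: The list now carries both `"s7comm-plus"` and `"s7comm_plus"`, so differing spellings are being tolerated in this condition rather than standardized, and a later analyzer emitting yet another variant (or `hart-ip` beside `hart_ip`) would again silently miss the `ics` tag; a comment above the condition such as `# both s7comm-plus and s7comm_plus are listed because different analyzers emit different spellings; prefer normalizing the value upstream once a single form is settled` would record why the duplicates are kept. `"cotp"` has also been dropped from the list without the subject line mentioning it, so a session identified only by its COTP transport no longer receives the tag — worth confirming that is intended rather than a side effect of the replacement. Whether `in` here is exact element membership or substring matching depends on whether `[network][protocol]` is an array or a string at this point in the pipeline, which is not visible in the hunk; if it can be a string, `"profinet"` already matches `profinet_io_cm` and the new entry is redundant, whereas if it is always an array each spelling must appear exactly as emitted. The enclosing `if` condition begins before the hunk and the `mutate` block continues after it.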