From 9dee43bd276abd9bad2b64e2f843a4538e7e5640 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 15 Aug 2024 15:03:22 -0600
Subject: [PATCH] idaholab/Malcolm#542 add 'public' pseudo-segment for source/destination public IP addresses
---
 .../dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json | 2 +-
 logstash/pipelines/enrichment/11_lookups.conf | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
index 8a589ef6e..434969cba 100644
--- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
+++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
@@ -150,7 +150,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"source.segment.id:* OR destination.segment.id:*\",\"language\":\"lucene\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"source.segment:* OR destination.segment:*\",\"language\":\"lucene\"},\"filter\":[]}"
 },
 "savedSearchRefName": "search_0"
 },
diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf
index c757561b8..042285e29 100644
--- a/logstash/pipelines/enrichment/11_lookups.conf
+++ b/logstash/pipelines/enrichment/11_lookups.conf
@@ -260,12 +260,19 @@ filter {
 } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) {
 mutate { id => "mutate_add_field_metadata_network_direction_outbound"
 add_field => { "[network][direction]" => "outbound" } }
+ mutate { id => "mutate_add_field_direction_outbound_destination_segment"
+ add_field => { "[destination][segment][name]" => "public" } }
 } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) {
 mutate { id => "mutate_add_field_metadata_network_direction_inbound"
 add_field => { "[network][direction]" => "inbound" } }
+ mutate { id => "mutate_add_field_direction_inbound_source_segment"
+ add_field => { "[source][segment][name]" => "public" } }
 } else if ("external_source" in [tags]) and ("external_destination" in [tags]) {
 mutate { id => "mutate_add_field_metadata_network_direction_external"
 add_field => { "[network][direction]" => "external" } }
+ mutate { id => "mutate_add_field_direction_external_segments"
+ add_field => { "[source][segment][name]" => "public"
+ "[destination][segment][name]" => "public" } }
 } else if ("external_source" in [tags]) or ("external_destination" in [tags]) {
 mutate { id => "mutate_add_field_metadata_network_direction_external_one_sided"
 add_field => { "[network][direction]" => "external" } }
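Review bot: The three new `mutate` blocks use `add_field`, which in Logstash appends to a field that already holds a value (turning it into an array) rather than replacing it, so if an earlier stage of this pipeline has already populated `[source][segment][name]` or `[destination][segment][name]` from a configured segment map, an address that also carries an `external_*` tag would end up with `["<segment>", "public"]` instead of a single name. Whether that overlap can actually occur depends on how the `internal_*`/`external_*` tags are assigned, which is outside this hunk; if it can, wrap each addition in a guard such as `if ![destination][segment][name] { mutate { ... } }` (or use `replace`), and add a comment noting that `"public"` is a reserved pseudo-segment name that will collide with any user-defined segment of the same name. The one-sided branch (only `external_source` or only `external_destination` tagged) gets no pseudo-segment, which looks intentional but deserves a one-line comment such as `# no 'public' pseudo-segment here: the other endpoint's locality is unknown`. The enclosing `filter { }` block begins and ends outside this hunk.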