Autonomous System (AS) Sub-Fields
The as sub-fields represent Autonomous System (AS) attributes derived from IP addresses associated with entities described elsewhere in the event. These fields are not standalone entities; they are appended to top-level entity names to express network ownership properties, such as source_as_number or destination_as_organization.
AS fields apply to entities that carry network addressing context, including source, destination, and host. They are typically populated through IP-to-ASN enrichment and describe the organization, network operator, or internet service provider responsible for the address block containing the entity's IP at the time of the event.
Common applications include:
- Identifying the network operator or organization associated with an IP address for threat detection and investigation.
- Correlating traffic by ASN to detect patterns associated with known malicious or high-risk networks.
- Enriching events with ISP and domain context to support network-scoped analytics and asset classification.
Each field in this group corresponds to a specific attribute of the autonomous system:
- as_number - The globally unique Autonomous System Number (ASN) identifying the network on the internet.
- as_organization - The organization name registered to the autonomous system.
- as_isp - The internet service provider associated with the IP address.
- as_domain - The domain associated with the IP address.
| field | field_type | description | example_values |
|---|---|---|---|
| as_domain | keyword | Domain associated with the IP address resolved to this autonomous system. | |
| as_isp | keyword | Internet service provider associated with the IP address resolved to this autonomous system. | |
| as_number | keyword | Autonomous System Number (ASN) uniquely identifying the network on the internet. | 15169 |
| as_organization | keyword | Organization name registered to the autonomous system. | Graylog |
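The following added example (not part of the original documentation or the product's own code) sketches how IP-to-ASN enrichment can populate these sub-fields per entity, using a longest-prefix match so a more specific allocation wins over its covering block. The `<entity>_ip` input field names, the `lookup_as` and `enrich` helpers, and the lookup table (RFC 5737 prefixes, RFC 5398 documentation ASNs, invented organization names) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed IP-to-ASN table; a real deployment would load an ASN database.
ASN_TABLE = [
    ("198.51.100.0/24", {"number": 64496, "organization": "Example Transit",
                         "isp": "Example Transit", "domain": "transit.example"}),
    ("198.51.100.128/25", {"number": 64497, "organization": "Example Hosting",
                           "isp": "Example Transit", "domain": "hosting.example"}),
    ("203.0.113.0/24", {"number": 64500, "organization": "Example Broadband",
                        "isp": "Example Broadband", "domain": "broadband.example"}),
]

# Most specific prefixes first, so the first hit is the longest match.
NETWORKS = sorted(
    ((ipaddress.ip_network(prefix), attrs) for prefix, attrs in ASN_TABLE),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

# Entities that carry network addressing context, as listed on this page.
ENTITIES = ("source", "destination", "host")


def lookup_as(ip_text):
    """Return AS attributes for the longest matching prefix, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed or missing address
    for net, attrs in NETWORKS:
        if ip.version == net.version and ip in net:
            return attrs
    return None  # private or unknown address space


def enrich(event):
    """Return a copy of the event with <entity>_as_* fields appended."""
    enriched = dict(event)
    for entity in ENTITIES:
        attrs = lookup_as(str(event.get(f"{entity}_ip", "")))
        if attrs is None:
            continue  # leave AS fields unset rather than guessing
        for key, value in attrs.items():
            # All AS sub-fields are keyword type, so the ASN is stored as a string.
            enriched[f"{entity}_as_{key}"] = str(value)
    return enriched
```

Because the mapping reflects ownership at the time of the event, enrichment belongs at ingest; a later re-lookup can return a different operator for the same address.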
