Add Autonomous System (AS) fields (#341)

This adds fields for Autonomous System (AS) information. It's common to enrich events containing IP addresses with information about the AS controlling that address.
elastic · Jul 8, 2019 · a35a903 · a35a903
1 parent ccba36b
commit a35a903
Show file tree

Hide file tree

Showing 13 changed files with 634 additions and 2 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -14,7 +14,7 @@
 * Added `file.created`, and `file.accessed`. #445
 * Added `domain` field to user. #486
 * Added `.nat.ip` and `.nat.port` to `source`, `destination`, `client` and `server`. #491 
-
+* Added `as` fields for Autonomous System information (i.e. ASN). #341
 
 ### Improvements
 

diff --git a/code/go/ecs/as.go b/code/go/ecs/as.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -154,6 +154,52 @@ example: `6.0.0-rc2`
 
 |=====
 
+[[ecs-as]]
+=== Autonomous System Fields
+
+An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
+
+==== Autonomous System Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| as.number
+| Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+
+type: long
+
+example: `15169`
+
+| extended
+
+// ===============================================================
+
+| as.organization.name
+| Organization name.
+
+type: keyword
+
+example: `Google LLC`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `as` fields are expected to be nested at: `client.as`, `destination.as`, `server.as`, `source.as`.
+
+Note also that the `as` fields are not expected to be used directly at the top level.
+
+
+
+
 [[ecs-client]]
 === Client Fields
 
@@ -295,6 +341,12 @@ type: long
 // ===============================================================
 
 
+| <<ecs-as,client.as.*>>
+| Fields describing an Autonomous System (Internet routing prefix).
+
+// ===============================================================
+
+
 | <<ecs-geo,client.geo.*>>
 | Fields describing a location.
 
@@ -625,6 +677,12 @@ type: long
 // ===============================================================
 
 
+| <<ecs-as,destination.as.*>>
+| Fields describing an Autonomous System (Internet routing prefix).
+
+// ===============================================================
+
+
 | <<ecs-geo,destination.geo.*>>
 | Fields describing a location.
 
@@ -2563,6 +2621,12 @@ type: long
 // ===============================================================
 
 
+| <<ecs-as,server.as.*>>
+| Fields describing an Autonomous System (Internet routing prefix).
+
+// ===============================================================
+
+
 | <<ecs-geo,server.geo.*>>
 | Fields describing a location.
 
@@ -2817,6 +2881,12 @@ type: long
 // ===============================================================
 
 
+| <<ecs-as,source.as.*>>
+| Fields describing an Autonomous System (Internet routing prefix).
+
+// ===============================================================
+
+
 | <<ecs-geo,source.geo.*>>
 | Fields describing a location.
 

diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -22,6 +22,8 @@ all fields are defined.
 
 | <<ecs-agent,Agent>> | Fields about the monitoring agent.
 
+| <<ecs-as,Autonomous System>> | Fields describing an Autonomous System (Internet routing prefix).
+
 | <<ecs-client,Client>> | Fields about the client side of a network connection, used with server.
 
 | <<ecs-cloud,Cloud>> | Fields about the cloud resource.

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -110,6 +110,27 @@
       ignore_above: 1024
       description: Version of the agent.
       example: 6.0.0-rc2
+  - name: as
+    title: Autonomous System
+    group: 2
+    description: An autonomous system (AS) is a collection of connected Internet Protocol
+      (IP) routing prefixes under the control of one or more network operators on
+      behalf of a single administrative entity or domain that presents a common, clearly
+      defined routing policy to the internet.
+    type: group
+    fields:
+    - name: number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: organization.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Organization name.
+      example: Google LLC
   - name: client
     title: Client
     group: 2
@@ -140,6 +161,18 @@
 
         Then it should be duplicated to `.ip` or `.domain`, depending on which one
         it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Organization name.
+      example: Google LLC
     - name: bytes
       level: core
       type: long
@@ -403,6 +436,18 @@
 
         Then it should be duplicated to `.ip` or `.domain`, depending on which one
         it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Organization name.
+      example: Google LLC
     - name: bytes
       level: core
       type: long
@@ -1816,6 +1861,18 @@
 
         Then it should be duplicated to `.ip` or `.domain`, depending on which one
         it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Organization name.
+      example: Google LLC
     - name: bytes
       level: core
       type: long
@@ -2053,6 +2110,18 @@
 
         Then it should be duplicated to `.ip` or `.domain`, depending on which one
         it is.'
+    - name: as.number
+      level: extended
+      type: long
+      description: Unique number allocated to the autonomous system. The autonomous
+        system number (ASN) uniquely identifies each network on the Internet.
+      example: 15169
+    - name: as.organization.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Organization name.
+      example: Google LLC
     - name: bytes
       level: core
       type: long

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -8,7 +8,11 @@ agent.id,keyword,core,8a4f500d,1.1.0-dev
 agent.name,keyword,core,foo,1.1.0-dev
 agent.type,keyword,core,filebeat,1.1.0-dev
 agent.version,keyword,core,6.0.0-rc2,1.1.0-dev
+as.number,long,extended,15169,1.1.0-dev
+as.organization.name,keyword,extended,Google LLC,1.1.0-dev
 client.address,keyword,extended,,1.1.0-dev
+client.as.number,long,extended,15169,1.1.0-dev
+client.as.organization.name,keyword,extended,Google LLC,1.1.0-dev
 client.bytes,long,core,184,1.1.0-dev
 client.domain,keyword,core,,1.1.0-dev
 client.geo.city_name,keyword,core,Montreal,1.1.0-dev
@@ -47,6 +51,8 @@ container.labels,object,extended,,1.1.0-dev
 container.name,keyword,extended,,1.1.0-dev
 container.runtime,keyword,extended,docker,1.1.0-dev
 destination.address,keyword,extended,,1.1.0-dev
+destination.as.number,long,extended,15169,1.1.0-dev
+destination.as.organization.name,keyword,extended,Google LLC,1.1.0-dev
 destination.bytes,long,core,184,1.1.0-dev
 destination.domain,keyword,core,,1.1.0-dev
 destination.geo.city_name,keyword,core,Montreal,1.1.0-dev
@@ -231,6 +237,8 @@ process.uptime,long,extended,1325,1.1.0-dev
 process.working_directory,keyword,extended,/home/alice,1.1.0-dev
 related.ip,ip,extended,,1.1.0-dev
 server.address,keyword,extended,,1.1.0-dev
+server.as.number,long,extended,15169,1.1.0-dev
+server.as.organization.name,keyword,extended,Google LLC,1.1.0-dev
 server.bytes,long,core,184,1.1.0-dev
 server.domain,keyword,core,,1.1.0-dev
 server.geo.city_name,keyword,core,Montreal,1.1.0-dev
@@ -262,6 +270,8 @@ service.state,keyword,core,,1.1.0-dev
 service.type,keyword,core,elasticsearch,1.1.0-dev
 service.version,keyword,core,3.2.4,1.1.0-dev
 source.address,keyword,extended,,1.1.0-dev
+source.as.number,long,extended,15169,1.1.0-dev
+source.as.organization.name,keyword,extended,Google LLC,1.1.0-dev
 source.bytes,long,core,184,1.1.0-dev
 source.domain,keyword,core,,1.1.0-dev
 source.geo.city_name,keyword,core,Montreal,1.1.0-dev