Panther Knowledge Base

Different country values between IPInfo asn datalake and IPInfo location datalake in Panther

QUESTION

The country reported from the IPInfo asn datalake is returning a different value from the one returned from the IPInfo location datalake. Is this expected?

ANSWER

Yes, this is expected. The ipinfo_asn_datalake returning one country while the ipinfo_location_datalake returns a different one does not indicate an issue.

The internet is split into ASes (Autonomous Systems). ASes contain IPs and are mainly used for routing. The AS tells you "who", while the geolocation tells you "where". Both pieces of information are important for security.

In our case, this output means that the AS is registered in one country but that specific IP is located in a different country. The registration in the AS database can show where the company is based, whereas the IP location in the location database is where that IP actually is. ASNs themselves aren't a direct way to geo-locate IPs. Instead, they are useful for routing and network topology.
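
The sketch below is an added example, not Panther code. It shows how a detection might combine the two lookups while basing geo decisions on the location data only. The row layout, field names and sample values are constructed assumptions and do not reflect the actual datalake schema.

```python
# Constructed sample enrichment rows keyed by IP (documentation address ranges).
# Field names are assumptions for illustration, not Panther's actual schema.
ASN_ROWS = {
    "198.51.100.7": {"asn": "AS64500", "name": "Example Hosting Ltd", "country": "US"},
    "203.0.113.20": {"asn": "AS64501", "name": "Example Telecom", "country": "DE"},
    "192.0.2.55": {"asn": "AS64500", "name": "Example Hosting Ltd", "country": "US"},
}
LOCATION_ROWS = {
    "198.51.100.7": {"city": "Singapore", "country": "SG"},
    "203.0.113.20": {"city": "Frankfurt", "country": "DE"},
    # No location row for 192.0.2.55: the "where" is unknown for that IP.
}


def describe_ip(ip):
    """Combine both lookups: ASN answers "who", location answers "where"."""
    asn = ASN_ROWS.get(ip, {})
    loc = LOCATION_ROWS.get(ip, {})
    registered = asn.get("country")
    observed = loc.get("country")
    return {
        "ip": ip,
        "owner": asn.get("name"),
        "asn": asn.get("asn"),
        "as_registered_country": registered,
        "ip_country": observed,
        # A mismatch is context, not an error; only set when both are known.
        "countries_differ": bool(registered and observed and registered != observed),
    }


def geo_decision(ip, allowed_countries):
    """Geo policy uses the location row only; never fall back to the AS country."""
    observed = LOCATION_ROWS.get(ip, {}).get("country")
    if observed is None:
        return "unknown"
    return "allowed" if observed in allowed_countries else "outside_policy"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.20", "192.0.2.55"):
        print(describe_ip(ip), geo_decision(ip, {"US", "DE"}))
```

For the first address, a rule keyed on the AS country would see "US" and pass it, while the location lookup places the IP in "SG", outside the example policy.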