How to Add Geographical Data for IP Addresses to an Azure Sentinel Incident

We have a Playbook out on the official GitHub Repo that queries the IP-API.com website with IP addresses and then writes the geographical information to an Incident’s Tags. This is useful, but it has proven too limiting: IP-API returns far more information than a Tag can hold.

Based on customer request I’ve modified this somewhat so that more information is retrieved and then stored in the Comments section (instead of Tags) of an Azure Sentinel Incident. This lets you be creative about what data is stored for the Investigation without worrying about space limits. Ultimately, the more context you can provide during your investigation research, the quicker Incidents get closed.

Here’s what this looks like (the screenshot of the resulting Incident comment is not reproduced here):

I’ve placed the new Playbook (with full Deploy to Azure capability) on my own GitHub repo here: https://github.com/rod-trent/SentinelPlaybooks/tree/master/IPAddr2GEO2Comments

Don’t forget to jump through each step to make sure you’ve made the proper connections after deployment.
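To show the logic the Playbook automates in plain Python, here is an added example (not the Playbook's own code, and not from the linked repo): it queries the public ip-api.com JSON endpoint for one address and renders the reply as the text of an incident comment. The field list requested from IP-API and the comment layout are assumptions; the page does not show which fields the Playbook uses.

```python
import ipaddress
import json
from urllib.request import urlopen

# ip-api.com JSON endpoint with its "fields" selector trimmed to what the comment
# shows. Assumption: the exact field list the playbook requests is not on the page.
IPAPI_FIELDS = "status,message,country,countryCode,regionName,city,zip,lat,lon,timezone,isp,org,as,query"
IPAPI_URL = "http://ip-api.com/json/{ip}?fields=" + IPAPI_FIELDS
# Comment label -> ip-api field, in display order.
COMMENT_FIELDS = (("Country", "country"), ("Code", "countryCode"), ("Region", "regionName"),
                  ("City", "city"), ("ZIP", "zip"), ("Timezone", "timezone"),
                  ("ISP", "isp"), ("Org", "org"), ("AS", "as"))

def should_lookup(ip: str) -> bool:
    """Only globally routable addresses merit a (rate-limited) API call;
    ip-api.com reports 'fail' for private ranges anyway."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def lookup_ip(ip: str, timeout: float = 5.0) -> dict:
    """Query ip-api.com for one address (live network call, not run offline)."""
    if not should_lookup(ip):
        return {"status": "fail", "message": "not a global address", "query": ip}
    with urlopen(IPAPI_URL.format(ip=ip), timeout=timeout) as resp:
        return json.load(resp)

def geo_comment(result: dict) -> str:
    """Render one ip-api.com result as the text of an incident comment;
    a 'fail' status is surfaced with its message instead of being dropped."""
    ip = result.get("query", "?")
    if result.get("status") != "success":
        return f"GeoIP for {ip}: lookup failed ({result.get('message', 'no message')})"
    lines = [f"GeoIP for {ip} (source: ip-api.com)"]
    for label, key in COMMENT_FIELDS:
        if result.get(key):  # skip fields the API left empty
            lines.append(f"  {label}: {result[key]}")
    if "lat" in result and "lon" in result:
        lines.append(f"  Coordinates: {result['lat']}, {result['lon']}")
    return "\n".join(lines)

# Constructed sample replies shaped like real ip-api.com responses.
SAMPLE_OK = {"status": "success", "country": "Netherlands", "countryCode": "NL",
             "regionName": "North Holland", "city": "Amsterdam", "zip": "1012",
             "lat": 52.37, "lon": 4.89, "timezone": "Europe/Amsterdam", "isp": "Example ISP",
             "org": "Example Org", "as": "AS64496 Example", "query": "203.0.113.7"}
SAMPLE_FAIL = {"status": "fail", "message": "private range", "query": "10.0.0.5"}
```

In the Logic App the string returned by `geo_comment` is what goes into the "Add comment to incident" action, one comment per IP entity, so nothing has to be truncated to fit a Tag.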

Thanks to Nicholas DiCola for developing the original!
