Inspired by Mikko Koivunen’s blog, I decided to write a short post on how to enrich Sentinel incidents with IP geolocation using the Microsoft Sentinel API and assign the IP information to the incidents as tags.

Microsoft Sentinel API

The API that provides IP information is the ‘Geolocation API’.

API URI
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version={api-version}

Example
https://management.azure.com/subscriptions/<Subscription ID>/resourceGroups/<RG-Name>/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress=162.247.74.206&api-version=2019-01-01-preview

The documentation states that the API version to use is ‘2019-01-01-preview’, but I found that some other versions, such as ‘2022-07-01-preview’, also return IP information.

The pictures below show two (2) example queries: on the left, an IP address from the Finnish ISP Elisa; on the right, a Tor network IP address.

Playbook

The idea of the playbook is to use labels (shown as tags) instead of comments. I prefer tags because they are searchable in the UI and more easily visible in one view on the incident page.

The playbook uses the following flow:

  • Get the IP entities from the incident (incident trigger)
  • For each IP
    • Get IP information from the Sentinel Geolocation API
    • Parse the JSON response into the fields needed for the labels
      • I noticed that the API returns somewhat different information for different ISPs. For that reason, I modified the JSON schema and labels a bit to cover most of the cases
    • Add the labels to the incident
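As an added example (not the post's own Logic Apps template), the URI from the API section above and the four playbook steps written as plain Python, so the parsing logic can be tested without a workspace. The geodata field names (`country`, `city`, `organization`, `asn`, `carrier`) and the incident label object shape (`labelName`/`labelType`) are assumptions about the Sentinel REST API, the list of non-routable ranges is hand-picked, and the two sample responses are constructed, not real API output. The lookup is injected as a callable so the real playbook's authenticated GET can be swapped in.

```python
"""Added example, not code from the original post or its GitHub template.
Assumptions: geodata field names, incident label schema, and the sample
responses below (constructed for the demo, not real API output)."""
import ipaddress
from urllib.parse import quote

MANAGEMENT = "https://management.azure.com"


def geodata_uri(subscription_id, resource_group, ip,
                api_version="2019-01-01-preview"):
    """Build the Geolocation API URI exactly as given in the post."""
    return (f"{MANAGEMENT}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/"
            f"?ipaddress={quote(ip)}&api-version={api_version}")


# Hand-picked ranges (assumption) for which a geolocation lookup is meaningless:
# RFC 1918, loopback, link-local, CGNAT, multicast and their IPv6 counterparts.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_enrichable(ip):
    """Skip unparsable strings and addresses no ISP record could describe."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


# (response field, tag prefix) -- field names are an assumption about the API.
LABEL_FIELDS = [
    ("country", "Country"),
    ("city", "City"),
    ("organization", "Org"),
    ("asn", "ASN"),
    ("carrier", "Carrier"),
]


def labels_from_geodata(ip, geo):
    """Step 3: turn one geodata response into tag strings.  Every field is
    treated as optional because, as the post notes, different ISPs come back
    with different subsets populated; empty or missing values are dropped."""
    labels = [f"IP: {ip}"]
    for field, prefix in LABEL_FIELDS:
        value = geo.get(field)
        if value in (None, ""):
            continue
        labels.append(f"{prefix}: {value}")
    return labels


def merged_labels(existing, new):
    """Union that keeps order and skips duplicates, so re-running the playbook
    on the same incident does not stack identical tags."""
    seen = set(existing)
    out = list(existing)
    for label in new:
        if label not in seen:
            seen.add(label)
            out.append(label)
    return out


def labels_payload(label_names):
    """Step 4: the 'labels' array of the incident's properties object
    (assumed schema: one {labelName, labelType} object per tag)."""
    return [{"labelName": n, "labelType": "User"} for n in label_names]


def enrich_incident(incident_ips, lookup, existing_labels=()):
    """Steps 1-4: for each IP entity, look up geodata via `lookup(ip)`
    (a dict or None), build its labels and merge them into the incident's
    current label list.  Returns the full list to write back."""
    labels = list(existing_labels)
    for ip in incident_ips:
        if not is_enrichable(ip):
            continue
        geo = lookup(ip)
        if not geo:
            continue
        labels = merged_labels(labels, labels_from_geodata(ip, geo))
    return labels


# Constructed sample responses (documentation-range addresses, made-up values).
# The second one is deliberately sparse to exercise the missing-field handling.
SAMPLE_RESPONSES = {
    "203.0.113.10": {"ipAddr": "203.0.113.10", "country": "Finland",
                     "city": "Helsinki", "organization": "Example ISP Oy",
                     "asn": "64496", "carrier": "example isp"},
    "198.51.100.7": {"ipAddr": "198.51.100.7", "country": "Germany",
                     "asn": "64497"},
}

if __name__ == "__main__":
    print(geodata_uri("<Subscription ID>", "<RG-Name>", "162.247.74.206"))
    tags = enrich_incident(["10.0.0.5", "203.0.113.10", "198.51.100.7"],
                           SAMPLE_RESPONSES.get)
    for item in labels_payload(tags):
        print(item)
```

The `IP:` tag is emitted first for each address so that, on an incident with several IP entities, a reader can still tell which country or ASN tag belongs to which address; the private address in the sample is skipped before any API call is made.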

Sentinel Automation Rule

I want this playbook to run on every incident that contains an IP address. This is easily achieved with an automation rule configured as in the picture below.

Outcome

Labels are shown as tags on incidents that contain IP information. This makes investigation faster and gives analysts extra context at a glance.

The Azure Logic Apps template for the playbook can be found in the GitHub repo.

Permissions

The playbook needs the following permissions to update Sentinel incidents and to send GET requests to the Sentinel API:

  • Sentinel Responder permission on the Log Analytics workspace that Sentinel is integrated with
    • The preferred option is to use a Managed Identity
  • Reader permission – the Managed Identity needs Reader on the resource group where Microsoft Sentinel is located

References

Enrich Entities in Sentinel with geolocation data via REST API

Security.Insights API version

Mikko’s blog on using Sentinel API in incidents