Inspired by Mikko Koivunen’s blog I decided to write a short blog post on how to enrich IP geolocation on Sentinel incidents using Microsoft Sentinel API and assign IP information to the incidents as tags.
Microsoft Sentinel API
The API that provides IP information is the ‘Geolocation API’.
API URI
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version={api-version}
Example
https://management.azure.com/subscriptions/<Subscription ID>/resourceGroups/<RG-Name>/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress=162.247.74.206&api-version=2019-01-01-previewThe documentation state that the API that needs to be used is ‘2019-01-01-preview’ but I found out that some of the other versions provide IP information such as ‘2022-07-01-preview’.
In the pictures below, you can find two (2) example queries. The left side is the IP address from Finnish ISP Elisa and on the right side Tor network IP address.
Playbook
The idea with the playbook is to use labels (shown as tags) instead of comments. I prefer to use tags because they are searchable from UI and more easily visible in one view from the incident page.
The playbook uses the following flow:
- Get entities IPs from the incident as an incident trigger
- For each IP
- Get IP information from the Sentinel API
- Parse JSON to contain needed information for the labels
- I noticed that there were some differences in what information API returns from the different ISPs. For that reason, I modified the JSON schema & labels a bit to cover most of the cases
- Add labels to the incident
Sentinel Automation Rule
I want this playbook to be run on every incident that contains an IP address. This can be easily achieved by an automation rule that is configured as in the picture below.
Outcome
Labels are shown as tags on the incidents that contain IP information. This makes an investigation faster and provides extra value for analysts.
The Azure Logic Apps template for the playbook is found in the GitHub repo.
Permissions
The playbook needs the following permission to be able to update Sentinel incidents and execute GET commands to the Sentinel API:
- Sentinel Responder permission to the Log Analytics workspace where Sentinel is integrated
- The preferred option is to use Managed Identity
- Reader permission – Managed Identity needs a Reader for the resource group where the Microsoft Sentinel is located
References
Enrich Entities in Sentinel with geolocation data via REST API
Sam's Corner 
Hi! Link to the Github repo is broken, it is pointing localhost. I would like to test your playbook.
Hi JP,
I found out last week that using labels (tags) as action is deprecated as seen from the link below. If you still would like to use tags drop me an email (samilamppu@hotmail.com) and I’ll share the code with you.
https://learn.microsoft.com/en-us/connectors/azuresentinel/#add-labels-to-incident-(deprecated)-%5Bdeprecated%5D
I also learned that and found workaround there. Got it already working but thank you for your reply!