There are many uses for IP geolocation and WHOIS data in security operations.
There are also several ways to enrich your logs and alerts with this data. Sometimes you want every log message containing an IP address or domain name to carry geolocation information; sometimes you only want the data for the entities in specific alerts or incidents.
This blog post describes one method of doing the latter: a Playbook and an Automation Rule that fetch geolocation data for IP entities after an incident has been generated in Azure Sentinel. The solution is deliberately simple, but it gives the security analyst IP location and ownership data directly in the incident, without leaving Sentinel.
This playbook calls the IP-API.com service from a Sentinel Playbook (Logic App). IP-API.com maintains a good-quality geolocation database that can be queried for free, without authentication, for non-commercial use.
Before deploying the solution, read the IP-API Terms of Service and Usage Limits: the free endpoint is rate-limited and served over plain HTTP only, so switch to the very reasonably priced Pro membership if your volume or requirements call for it.
Below is an overview and screenshot of the playbook workflow in Logic App Designer.
- The playbook triggers from Sentinel incident creation.
- All IP entities are read from the incident and filtered so that only the individual IP address strings are kept.
- For each IP address we query the IP-API endpoint and parse the JSON response.
- Based on the results we write a comment to the Sentinel Incident.
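As an added example, not code from the post or from the author's deployment template, the following Python models steps 2 to 4 of the playbook: filter the incident entities down to IP addresses, look each one up at ip-api.com, and build the comment text. It assumes the incident trigger presents entities as objects with `kind` equal to `Ip` and the address under `properties.address`, and it uses a constructed entity list and constructed ip-api style responses so it runs offline; `live_fetch` is the real call. Two practical details the playbook description leaves implicit are made explicit here: private and loopback addresses are dropped before the lookup, since ip-api answers them with `status: fail` and they only burn requests against the free tier's per-minute limit, and a `fail` response is reported in the comment rather than silently producing empty fields.

```python
"""Offline model of the playbook's steps: pick the IP entities out of a Sentinel
incident, look each one up at ip-api.com, and build the incident comment."""
import ipaddress
import json
from typing import Callable, List

# Fields requested from ip-api.com (documented free-endpoint field names).
IP_API_FIELDS = "status,message,country,countryCode,regionName,city,isp,org,as,query"

# Ranges that are pointless to send to ip-api (it answers 'fail' / 'private range').
SKIP_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed sample: the shape assumed here for the incident trigger's entity list
# (kind == "Ip", address under properties). Values are made up; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "203.0.113.42"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "10.0.0.5"}},        # RFC 1918, skipped
    {"kind": "Ip", "properties": {"address": "203.0.113.42"}},    # duplicate, skipped
    {"kind": "Ip", "properties": {"address": "not-an-ip"}},       # malformed, skipped
    {"kind": "Ip", "properties": {"address": "198.51.100.7"}},
]

# Constructed responses in the ip-api.com JSON layout: one success, one failure.
SAMPLE_RESPONSES = {
    "203.0.113.42": {"status": "success", "country": "Example Land", "countryCode": "EX",
                     "regionName": "Example Region", "city": "Example City",
                     "isp": "Example ISP", "org": "Example Org", "as": "AS64496 Example",
                     "query": "203.0.113.42"},
    "198.51.100.7": {"status": "fail", "message": "reserved range", "query": "198.51.100.7"},
}


def extract_ip_addresses(entities: List[dict]) -> List[str]:
    """Playbook step 2: keep only IP entities, validate, dedupe, drop non-routable ranges."""
    out: List[str] = []
    for ent in entities:
        if ent.get("kind") != "Ip":
            continue
        raw = (ent.get("properties") or {}).get("address", "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # not a single IP address (e.g. a range or garbage)
        if any(addr in net for net in SKIP_RANGES):
            continue
        if str(addr) not in out:
            out.append(str(addr))
    return out


def ip_api_url(ip: str) -> str:
    """Free endpoint is plain HTTP; HTTPS needs the Pro plan."""
    return f"http://ip-api.com/json/{ip}?fields={IP_API_FIELDS}"


def format_comment(results: List[dict]) -> str:
    """Playbook step 4: one line per IP, reporting 'fail' responses explicitly."""
    lines = ["IP geolocation (ip-api.com):"]
    for r in results:
        ip = r.get("query", "?")
        if r.get("status") != "success":
            lines.append(f"- {ip}: lookup failed ({r.get('message', 'no message')})")
            continue
        lines.append(
            f"- {ip}: {r.get('city')}, {r.get('regionName')}, {r.get('country')} "
            f"({r.get('countryCode')}); ISP: {r.get('isp')}; org: {r.get('org')}; {r.get('as')}"
        )
    return "\n".join(lines)


def enrich_incident(entities: List[dict], fetch: Callable[[str], str]) -> str:
    """Steps 2 to 4 together. `fetch` returns the response body for a URL."""
    results = [json.loads(fetch(ip_api_url(ip))) for ip in extract_ip_addresses(entities)]
    return format_comment(results)


def offline_fetch(url: str) -> str:
    """Serves the constructed responses so the example runs without network access."""
    ip = url.split("/json/", 1)[1].split("?", 1)[0]
    body = SAMPLE_RESPONSES.get(ip, {"status": "fail", "message": "unknown", "query": ip})
    return json.dumps(body)


def live_fetch(url: str, timeout: float = 5.0) -> str:
    """Real lookup. Stay within the free tier's per-minute limit; HTTP 429 means you exceeded it."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(enrich_incident(SAMPLE_ENTITIES, offline_fetch))
```

In the Logic App the same two refinements map onto a Filter array action on the entity list and a Condition on the parsed `status` field before the comment is written; the `fields` query parameter keeps the response, and therefore the comment, short.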
To launch the Playbook we need to create an Automation Rule that triggers on Incident creation.
For the Condition you can either select specific Analytics Rules or, as in the screenshot, select all rules and filter for incidents that contain IP address entities.
For convenience I have created a deployment template for the Playbook, which is hosted on GitHub and linked below.