Azure Sentinel Playbook to fetch IP-API Geolocation data

Mikko Koivunen


Sentinel Incident Screenshot

Solution overview

There are many uses for IP geolocation and WHOIS data in security operations.

There are also multiple ways to enrich your logs and alerts with this data. Sometimes you want every single log message containing an IP or domain name to also have geolocation information, sometimes you only want to get the data for entities in specific alerts or incidents.

This blog post describes one method of doing the latter: a Playbook and Automation Rule that fetch geolocation data for IP entities after an incident has been generated in Azure Sentinel. This is a very simple solution, but it gives the security analyst a quick way to see IP location and ownership data straight from the incident.

This playbook utilizes the free IP-API interface from a Sentinel Playbook (Logic App). IP-API has a very good quality geolocation database that can be queried for free, without any authentication, for non-commercial usage.

Before using the solution, make sure you read the IP-API Terms of Service and Usage Limits, and switch to the very reasonably priced Pro membership if needed.


Below is an overview and screenshot of the playbook workflow in Logic App Designer.

Logic App Designer
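As an added illustration that is not part of the author's playbook or template, the enrichment step the Logic App performs, written in Python: take the incident's IP entities, skip addresses that are not worth a lookup, query the ip-api.com JSON endpoint, and turn each answer into one comment line. The sample responses are constructed to mimic ip-api.com's format, so the offline run needs no network; `ipapi_lookup` is the live variant and the names `SKIP_NETS`, `offline_lookup` and `enrich_entities` are my own.

```python
import ipaddress
import json
import urllib.request

# Ranges an analyst normally does not want geolocated (RFC 1918, loopback, link-local);
# ip-api.com answers "private range" for these anyway, so skipping them saves quota.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample responses in the shape of ip-api.com's JSON endpoint
# (http://ip-api.com/json/<ip>); the location/ISP values are made up.
SAMPLE_RESPONSES = {
    "198.51.100.23": {"status": "success", "country": "Finland", "countryCode": "FI",
                      "regionName": "Uusimaa", "city": "Helsinki", "isp": "Example ISP",
                      "org": "Example Org", "as": "AS64496 Example", "query": "198.51.100.23"},
    "203.0.113.9": {"status": "fail", "message": "reserved range", "query": "203.0.113.9"},
}

def offline_lookup(ip):
    """Stand-in for the HTTP call so the example runs without network access."""
    return SAMPLE_RESPONSES.get(ip, {"status": "fail", "message": "no data", "query": ip})

def ipapi_lookup(ip):
    """Live query against the free endpoint (plain HTTP, rate limited, non-commercial use)."""
    fields = "status,message,country,countryCode,regionName,city,isp,org,as,query"
    with urllib.request.urlopen(f"http://ip-api.com/json/{ip}?fields={fields}", timeout=10) as resp:
        return json.load(resp)

def enrich_entities(ip_entities, lookup=offline_lookup):
    """Return one comment line per IP entity, in the order given."""
    lines = []
    for ip in ip_entities:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            lines.append(f"{ip}: not a valid IP address")
            continue
        if any(addr in net for net in SKIP_NETS):
            lines.append(f"{ip}: private/loopback address, lookup skipped")
            continue
        r = lookup(ip)
        if r.get("status") != "success":
            lines.append(f"{ip}: lookup failed ({r.get('message', 'no message')})")
            continue
        lines.append(f"{ip}: {r['city']}, {r['regionName']}, {r['country']} ({r['countryCode']})"
                     f" | ISP: {r['isp']} | Org: {r['org']} | {r['as']}")
    return lines

if __name__ == "__main__":
    print("\n".join(enrich_entities(["10.0.0.5", "198.51.100.23", "203.0.113.9", "not-an-ip"])))
```

Pass `lookup=ipapi_lookup` to run the same logic against the real endpoint; in the Logic App the equivalent is the HTTP action whose body feeds the incident comment.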

Automation Rule

To launch the Playbook we need to create an Automation Rule that triggers on Incident creation.

For the Condition you can either select specific Analytic Rules, or as I have done in the screenshot, select all Rules and filter for incidents that contain IP address entities.

Automation Rule


For convenience I have created a deployment template for the Playbook, which you can find below. The template is located on GitHub.

Deploy to Azure