Forum Discussion
philip-patrick
Jan 08, 2019Copper Contributor
Geolocation query from IP address
Hi, any idea whether it's possible (and if yes, how) to resolve an IP address to a geolocation and any other IP information within a Log Analytics query? For example, part of the message body I hav...
povlhp
Mar 11, 2022Copper Contributor
We really need Microsoft to provide us with this.
They have Defender in Azure - we can see city/country for all logons in Azure AD, and the same in Cloud Security.
Thus Microsoft do have the lookup data available and are actively using it to enrich their own log entries. They just need to provide the same info to us. But maybe they are not licensed to do that, or they would rather we all pay for something else running in their cloud.
Making it easier to call out to webhooks / Web APIs would help us; it is trivial to install the MaxMind GeoIP2 database and expose it through the web.
Clive_Watson
Mar 11, 2022Bronze Contributor
Any IP entity in Sentinel is enriched from the Microsoft geolocation API (in the UI by default). You can also call the same data from a Playbook if required; what you can't do is look it up from KQL, unless you first import it into a custom table or an externaldata source.
Click on an IP in the Incident or Entity behaviour blade. This is in the top left of the screen.
IP Geodata - Get - REST API (Azure Sentinel) | Microsoft Docs
Geolocation - Get IP To Location - REST API (Azure Maps) | Microsoft Docs
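The externaldata route mentioned above, as an added example that is not from this thread: it pulls an IP-to-location CSV from a placeholder blob URL and joins it onto IPs extracted from Syslog message text with the ipv4_lookup plugin. The CSV layout (Network, Country, City) and the blob URL are assumptions; the Syslog table and its SyslogMessage column are standard Log Analytics ones.

```kql
// Added example, not code from the thread. Assumes a CSV with columns
// Network (CIDR), Country, City is reachable at the placeholder URL
// (for example a blob container with a SAS token).
let GeoLookup = externaldata(Network:string, Country:string, City:string)
[
    @"https://<storage-account>.blob.core.windows.net/<container>/geo.csv?<sas-token>"
]
with (format="csv", ignoreFirstRecord=true);
Syslog
| where TimeGenerated > ago(1d)
// Pull the first IPv4 literal out of the free-text message body.
| extend IP = extract(@"\b(?:\d{1,3}\.){3}\d{1,3}\b", 0, SyslogMessage)
| where isnotempty(IP)
// Match each IP against the CIDR ranges in the lookup table; rows with no
// matching range are kept (return_unmatched=true) so nothing is silently dropped.
| evaluate ipv4_lookup(GeoLookup, IP, Network, return_unmatched=true)
| extend Country = iff(isempty(Country), "unknown", Country)
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, IP, Country, City
| order by Events desc
```

Rows that come back as "unknown" are worth keeping in view: an IP outside every range in the lookup file is a gap in the enrichment data, not evidence of anything about the source.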