Correct GEO IP Lookup


Right now with Azure P2 we get alerts and the GEO IP is incorrect, so it reports a false positive on improbable travel. How can I use MS Sentinel to fix how the Azure GEO lookup is incorrect?

You can look at https://learn.microsoft.com/en-us/kusto/query/geo-info-from-ip-address-function?view=microsoft-fabri... in a Playbook to enrich the result. Just make sure you read the notes on the source, as Azure P2 may use the same; you'll need to test a few IPs.
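As an added illustration of the enrichment approach suggested in that reply (this is example KQL written for this thread, not code from the original post or from Microsoft), the query below runs the same `geo_info_from_ip_address()` lookup over recent sign-ins and flags IPs where the location that Entra ID attached to the sign-in sits far from where the GeoLite2 lookup places the address. It assumes the Sentinel `SigninLogs` table with its `IPAddress` and dynamic `LocationDetails` columns (including `geoCoordinates`); the 500 km threshold is an arbitrary constructed value.

```kusto
// Added example (not from the thread): find sign-in IPs whose recorded geolocation
// disagrees with the MaxMind GeoLite2 lookup that geo_info_from_ip_address() performs.
// Assumed schema: SigninLogs with IPAddress and LocationDetails.geoCoordinates.
let lookback = 7d;
let mismatch_km = 500;   // constructed threshold; tune to your environment
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(IPAddress)
// Location as recorded on the sign-in event itself
| extend ReportedLat = todouble(LocationDetails.geoCoordinates.latitude),
         ReportedLon = todouble(LocationDetails.geoCoordinates.longitude),
         ReportedCity = tostring(LocationDetails.city),
         ReportedCountry = tostring(LocationDetails.countryOrRegion)
// Location according to the built-in GeoLite2 lookup
| extend GeoLite = geo_info_from_ip_address(IPAddress)
| extend LookupLat = todouble(GeoLite.latitude),
         LookupLon = todouble(GeoLite.longitude),
         LookupCity = tostring(GeoLite.city),
         LookupCountry = tostring(GeoLite.country)
| where isnotnull(ReportedLat) and isnotnull(LookupLat)
// geo_distance_2points() returns metres between two (lon, lat) points
| extend DistanceKm = geo_distance_2points(ReportedLon, ReportedLat, LookupLon, LookupLat) / 1000
| where DistanceKm > mismatch_km
| summarize SignIns = count(),
            Users = dcount(UserPrincipalName),
            MaxDistanceKm = max(DistanceKm)
    by IPAddress, ReportedCountry, ReportedCity, LookupCountry, LookupCity
| order by SignIns desc
```

Run it in the Sentinel Logs blade; any IP that lands in the output is one where the two sources disagree, which is exactly where an improbable-travel alert is most likely to be a false positive. Comparing coordinates rather than country names avoids spurious mismatches caused by one source using ISO codes and the other full names.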

@Clive_Watson

Hi Clive,

Do you know if this database lookup is still referencing Azure, or could you use another database for a reference?

@PedroNL 

It's using data as mentioned in the link and below. If you need another source, you either bring that in with a custom connector or maybe use one of the supplier Playbooks that enrich with links to VirusTotal etc. These may need a subscription.

This function uses GeoLite2 data created by MaxMind, available from https://www.maxmind.com