Jun 01 2022 08:42 AM
We have a Playbook out on the official GitHub Repo that queries the IP-API.com website with IP addresses and then writes the geographical information to an Incident's Tags. This is useful, but it has been found to be too limiting, given how much information IP-API returns versus how little data a Tag can hold.
Based on customer request, I've modified this somewhat so that more information is retrieved and then housed in the Comments section (instead of Tags) of a Microsoft Sentinel Incident. This lets you be creative about what data is stored for the Investigation without worrying about space allotment. Ultimately, the more context you can provide during your investigation research, the quicker you can close Incidents.
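As an added illustration of the enrichment step described above (example code written for this page, not the playbook from the GitHub repo), the following Python turns an ip-api.com style response into the text of an incident comment. The field list and response shape follow ip-api's documented JSON format, but the sample responses, the documentation-range addresses, and the `fetch` hook that replaces the live HTTP call are constructed so the script runs offline; it also skips non-routable addresses before any lookup and escapes third-party values before they reach an analyst's browser.

```python
"""Added example (not the post's playbook): shape ip-api.com geodata into a
Microsoft Sentinel incident comment. The live HTTP call is replaced by
constructed sample responses so the script runs offline."""
import html
import ipaddress
from typing import Any, Callable, Dict, Iterable

# Fields to request from ip-api.com. Names follow ip-api's documented JSON
# response; 'status' and 'message' report whether a lookup succeeded.
IP_API_FIELDS = "status,message,country,regionName,city,isp,org,as,lat,lon,query"

# Ranges never worth sending to a public geolocation service:
# RFC 1918, CGNAT and IPv6 ULA (loopback/link-local/multicast are checked separately).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "fc00::/7")]

# Constructed sample responses (documentation addresses, invented values)
# standing in for GET http://ip-api.com/json/<ip>?fields=<IP_API_FIELDS>.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "203.0.113.7": {
        "status": "success", "country": "Exampleland", "regionName": "North",
        "city": "Sampleton", "isp": "Example ISP <test>", "org": "Example Org",
        "as": "AS64496 Example", "lat": 12.34, "lon": 56.78, "query": "203.0.113.7",
    },
    "198.51.100.9": {"status": "fail", "message": "reserved range",
                     "query": "198.51.100.9"},
}


def fetch_sample(ip: str) -> Dict[str, Any]:
    """Offline stand-in for the HTTP request the playbook would make."""
    return SAMPLE_RESPONSES.get(ip, {"status": "fail", "message": "no data", "query": ip})


def is_lookup_worthy(ip: str) -> bool:
    """False for addresses a public geo service cannot place (internal ranges)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed entities: fail loudly
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def geo_lookup(ip: str,
               fetch: Callable[[str], Dict[str, Any]] = fetch_sample) -> Dict[str, Any]:
    """Return an ip-api style dict; internal addresses are marked 'skipped' with no call."""
    if not is_lookup_worthy(ip):
        return {"status": "skipped", "message": "non-routable address", "query": ip}
    return fetch(ip)


def build_comment(result: Dict[str, Any]) -> str:
    """Render one lookup result as incident-comment text.

    Every value comes from a third party, so it is HTML-escaped before it can be
    rendered in the analyst's browser."""
    def field(key: str) -> str:
        return html.escape(str(result.get(key, "n/a")))

    ip = field("query")
    status = result.get("status")
    if status != "success":
        word = "failed" if status == "fail" else str(status)
        return f"Geo lookup for {ip} {word}: {field('message')}"
    return "\n".join([
        f"Geo data for {ip} (source: ip-api.com)",
        f"Country: {field('country')} | Region: {field('regionName')} | City: {field('city')}",
        f"ISP: {field('isp')} | Org: {field('org')} | ASN: {field('as')}",
        f"Coordinates: {field('lat')}, {field('lon')}",
    ])


def comments_for_incident(ips: Iterable[str],
                          fetch: Callable[[str], Dict[str, Any]] = fetch_sample) -> Dict[str, str]:
    """One comment per distinct IP entity, in first-seen order (no duplicate comments)."""
    out: Dict[str, str] = {}
    for ip in ips:
        if ip not in out:
            out[ip] = build_comment(geo_lookup(ip, fetch))
    return out


if __name__ == "__main__":
    entities = ["203.0.113.7", "10.0.0.1", "198.51.100.9", "203.0.113.7"]
    for text in comments_for_incident(entities).values():
        print(text, end="\n\n")
```

In the playbook, the text returned by `build_comment` is what would be handed to the Logic App's comment action for the incident; keeping the "skipped" and "failed" outcomes as comments too means an analyst can see that enrichment was attempted for an entity rather than silently getting nothing.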
Original Post: New Blog Post | How to Add Geographical Data for IP Addresses to a Microsoft Sentinel Incident - Mic...