We have a Playbook out on the official GitHub Repo that queries the IP-API.com website with IP addresses and then writes the geographical information to an Incident's Tags. This is useful, but it has proven too limiting given how much information IP-API returns versus how little data a Tag can hold.
Based on customer request I've modified this somewhat so that more information is retrieved and then housed in the Comments section (instead of Tags) of a Microsoft Sentinel Incident. This lets you be creative in what data is stored for the Investigation without worrying about space allotment. Ultimately, the more context you can provide during investigation research, the quicker Incidents can be closed.
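The two steps the Playbook performs, an added example that is not the Playbook's own Logic App code: build the IP-API batch request for the Incident's IP entities, then render the returned fields as one HTML comment body. The ip-api.com endpoint and field names are the real ones; the filtering of private ranges, the comment layout and the sample responses are my own assumptions.

```python
import html
import ipaddress

# Field names as ip-api.com documents them; "status"/"message" carry failures.
FIELDS = "status,message,query,country,regionName,city,isp,org,as,lat,lon,timezone"

# Ranges ip-api answers with status "fail" for; skipping them saves request quota.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def build_batch_request(ips):
    """Return (url, body) for ip-api's batch endpoint (POST, up to 100 entries).
    Invalid strings, duplicates and private/loopback addresses are dropped."""
    body = []
    for ip in dict.fromkeys(ips):           # de-duplicate, keep first-seen order
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in SKIP_NETS):
            continue
        body.append({"query": ip, "fields": FIELDS})
    return "http://ip-api.com/batch", body[:100]

def format_comment(results):
    """Render lookup results as one HTML comment body. Values come from a third
    party, so they are HTML-escaped before landing in the incident comment."""
    e = lambda v: html.escape(str(v if v is not None else "n/a"))
    items = []
    for r in results:
        q = e(r.get("query", "?"))
        if r.get("status") != "success":    # e.g. "private range", "invalid query"
            items.append(f"<li><b>{q}</b>: lookup failed ({e(r.get('message'))})</li>")
            continue
        items.append(
            f"<li><b>{q}</b>: {e(r.get('city'))}, {e(r.get('regionName'))}, "
            f"{e(r.get('country'))} | ISP: {e(r.get('isp'))} | Org: {e(r.get('org'))} | "
            f"{e(r.get('as'))} | {e(r.get('lat'))},{e(r.get('lon'))} ({e(r.get('timezone'))})</li>")
    return "<p>IP geolocation (ip-api.com):</p><ul>" + "".join(items) + "</ul>"

# Constructed sample responses shaped like ip-api's batch output; not real lookups.
SAMPLE_RESULTS = [
    {"status": "success", "query": "203.0.113.5", "country": "Example Land",
     "regionName": "Sample Region", "city": "Testville", "isp": "Example ISP <Ltd>",
     "org": "Example Org", "as": "AS64496 Example", "lat": 12.34, "lon": 56.78,
     "timezone": "Etc/UTC"},
    {"status": "fail", "message": "private range", "query": "192.168.1.10"},
]

if __name__ == "__main__":
    print(build_batch_request(["203.0.113.5", "192.168.1.10", "203.0.113.5", "nope"]))
    print(format_comment(SAMPLE_RESULTS))
```

The returned string is what the Playbook's "Add comment to incident" step would post; Sentinel comments render HTML, so the escaping matters when ISP or organisation names come back with markup characters.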