Need to extract location information from IP addresses and then show it on a map panel in the sentinel workbook

Harsh Patel 0 Reputation points
2023-03-30T09:17:34.0466667+00:00

Hi,

I currently have IP addresses in a Log Analytics table, without any data on their geographical location. I need to project the IP address data on a map panel in the Sentinel workbook. To project the IP addresses, I first need the geographical location of each IP address.

Is there any way in Sentinel to extract the geographical location from an IP address and then project it on the map panel of the Sentinel workbook?

Thank you.


1 answer

  1. Clive Watson 5,951 Reputation points MVP
    2023-03-30T11:27:15.4+00:00

    Hi,

    To get the latitude and longitude, you can use the Sentinel geodata API in a Workbook (use SRM rather than Logs - see below). You need to pass certain fields to the API - see below. This allows you to select an IP in a previous Grid and then get an answer.

    /subscriptions/{SubscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}

    You can then turn the Grid output into a Map.

    The other method means you need a lookup file (.csv) with the data, or access to a service like RiskIQ, GreyNoise, etc. For both, you can do an externaldata() lookup.

    1 person found this answer helpful.
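
The externaldata() lookup mentioned in the answer above could look like the following KQL. This is an added example, not part of the original answer. The blob URL, the CSV column layout, and the table and column names (`MyIpTable`, `IPAddress`) are placeholders to replace with your own.

```kusto
// Added example. Assumptions (not from the original post):
//   - a CSV of CIDR ranges with columns network, latitude, longitude, country_name
//   - a Log Analytics table MyIpTable with a string column IPAddress
// The h@"..." prefix marks the string as obfuscated, so a SAS token in the URL
// is not written in clear text to query telemetry.
let GeoLookup = externaldata(network:string, latitude:real, longitude:real, country_name:string)
    [h@"https://<storage-account>.blob.core.windows.net/<container>/geo-ipv4.csv?<sas-token>"]
    with (format="csv", ignoreFirstRecord=true);
MyIpTable
| where TimeGenerated > ago(1d)
| where isnotempty(IPAddress)
// Collapse to one row per address before the lookup to keep the join small.
| summarize Events = count() by IPAddress
// Match each address against the CIDR ranges in the lookup file.
// return_unmatched=true keeps addresses with no match (for example RFC 1918
// ranges), so gaps in the lookup data stay visible in the grid.
| evaluate ipv4_lookup(GeoLookup, IPAddress, network, return_unmatched = true)
| extend HasLocation = isnotnull(latitude) and isnotnull(longitude)
| project IPAddress, Events, country_name, latitude, longitude, HasLocation
| order by Events desc
```

In the workbook, set the query step's visualization to Map and point its location settings at the `latitude` and `longitude` columns, filtering on `HasLocation` so unmatched addresses are not plotted.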