This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 77%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Hi,
I am currently trying to make an alert that detects successful authentications from a country the user has not signed in from before. While setting up this alert I have not found an option to add Entity mapping for the Location field.
Is there a way to be able to add this into the alert as this would help prevent duplicate alerts and provide more information straight away when the alert is raised.
Thanks
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#ip-address
Geo Location is part of the IP Address entity
I do not get the option for Geo location within the IP Address entity, I only get the options for Address and Address Scope.
Love that, You might also try STAT: https://github.com/briandelmsft/SentinelAutomationModules
You won't be able to map the location as part of the entity. You will need a logic app, something like STAT, to process each IP to record the location. UEBA will also add geo location to each entity. Not sure how you could use that for alert triage though. If the STAT docs are unclear, it is an enrichment playbook solution...adds more info to entities.