Copilot for Security Plugin: IP Geolocation
This plugin will match IP Addresses to their geolocation based on the Sentinel SecurityEvents table and a publicly available database.
If you need to map IP addresses to their geolocation, this plugin should work great for you. It utilizes the externaldata operator to pull the lookup table from a publicly available GitHub dataset (https://github.com/datasets) and then resolves each address with the ipv4_lookup plugin. This is a great example of how to use KQL with Copilot for Security to pull data from external sources.
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/IP4toGEO.yaml
What's inside the yaml file:
Descriptor:
  Name: IP4toGeo
  DisplayName: Sentinel IP Addresses in Geo Ranges
  Description: Identify the IP Geo location range for IP Addresses located in Sentinel SecurityEvents
SkillGroups:
  - Format: KQL
    Skills:
      - Name: IP4toGeo
        DisplayName: Sentinel IP Addresses in Geo Ranges
        Description: Identify the IP Geo location range for IP Addresses located in Sentinel SecurityEvents
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            let geoData = externaldata (network:string,geoname_id:string,continent_code:string,continent_name:string,
              country_iso_code:string,country_name:string,is_anonymous_proxy:string,is_satellite_provider:string)
              [@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (ignoreFirstRecord=true, format="csv");
            SecurityEvent
            | where TimeGenerated >= ago(24h)
            | evaluate ipv4_lookup (geoData, IpAddress, network, false)
Note that you'll need to replace the placeholder values (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment details.
Example 1 of a prompt/something you can ask: What are the distinct geolocations for IP addresses in Sentinel?
Example 2 of a prompt/something you can ask: What countries are represented in the geolocations for IP Addresses in Sentinel?
The KQL query that is being utilized by the plugin:
// Load the public GeoIP CSV as a lookup table; the first row is the CSV header, so skip it.
let geoData = externaldata
    (network:string, geoname_id:string, continent_code:string, continent_name:string,
     country_iso_code:string, country_name:string, is_anonymous_proxy:string, is_satellite_provider:string)
    [@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"]
    with (ignoreFirstRecord=true, format="csv");
SecurityEvent
// Match each event's IpAddress against the CIDR ranges in the "network" column.
// The final argument (return_unmatched=false) drops events whose address falls in no range.
| evaluate ipv4_lookup (geoData, IpAddress, network, false)
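As an added example that is not part of the plugin file or the original post, the same lookup extended to answer the two example prompts above (distinct geolocations and countries), restricted to the last 24 hours and keeping unmatched addresses so gaps in the public dataset are visible. It assumes the standard SecurityEvent columns IpAddress and Account, and passes return_unmatched=true instead of the plugin's false.

```kql
// Added example: summarize SecurityEvent source addresses by geolocation.
let geoData = externaldata
    (network:string, geoname_id:string, continent_code:string, continent_name:string,
     country_iso_code:string, country_name:string, is_anonymous_proxy:string, is_satellite_provider:string)
    [@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"]
    with (ignoreFirstRecord=true, format="csv");
SecurityEvent
| where TimeGenerated >= ago(24h)
// Windows logon events often carry "-" or an empty IpAddress; skip those before the lookup.
| where isnotempty(IpAddress) and IpAddress != "-"
// return_unmatched=true keeps events whose address is in no range (lookup columns come back empty).
| evaluate ipv4_lookup(geoData, IpAddress, network, true)
| extend country_name = iff(isempty(country_name), "Unmatched", country_name),
         continent_name = iff(isempty(continent_name), "Unmatched", continent_name)
// One row per geolocation, with event volume, distinct source IPs and distinct accounts,
// and the dataset's anonymous-proxy / satellite-provider flags carried through for triage.
| summarize Events = count(),
            DistinctIPs = dcount(IpAddress),
            DistinctAccounts = dcount(Account)
    by continent_name, country_name, is_anonymous_proxy, is_satellite_provider
| order by Events desc
```

The "Unmatched" bucket is worth reviewing separately: it contains private/loopback addresses as well as any public ranges the public CSV does not cover.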
To install this in your own Copilot for Security instance, see: Add custom plugins