Getting GEO Information for IP Addresses without Using a Microsoft Sentinel Playbook
Eliminating bad latitudes
For the longest time I’ve regularly shown Logic Apps/Playbooks in my demos for conference sessions, webinars, executive briefings, etc., that would showcase how to interact with 3rd party APIs to retrieve GEO location information for IP addresses. There are many services like this, and I preferred to use the free IP-API.com as my mainstay.
A new Kusto function allows me to showcase the power of KQL instead of 3rd party APIs. Called geo_info_from_ip_address(), the function retrieves Country, State, City, Latitude, and Longitude for any IP address I supply. The function retrieves geolocation information for both IPv4 and IPv6 addresses.
For example, the following query…
print ip_location=geo_info_from_ip_address('174.97.246.36')
…produces the following result:
IP-API.com does still produce some extra value, like what entity manages the IP address and whether the IP belongs to a mobile device or not (full IP-API.com return shown below), but that’s not always necessary.
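As an added example that is not part of the original post, here is how the function can be used directly inside a Microsoft Sentinel query rather than just in a print statement: it enriches sign-in events with country and coordinates and flags consecutive successful sign-ins by the same user that are too far apart to be physical travel. It assumes the standard SigninLogs table and the built-in geo_distance_2points() function; the 900 km/h threshold is an assumed value.

```kql
// Added example (not from the original post): impossible-travel style check
// built on geo_info_from_ip_address(). Assumes the Sentinel SigninLogs table.
let lookback = 1d;
let max_speed_kmh = 900.0;        // assumed threshold, roughly airliner speed
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0           // successful sign-ins only
| where isnotempty(IPAddress)
// enrich each event with the geolocation of its source IP
| extend geo = geo_info_from_ip_address(IPAddress)
| extend country = tostring(geo.country),
         city    = tostring(geo.city),
         lat     = toreal(geo.latitude),
         lon     = toreal(geo.longitude)
// private or unroutable addresses return no coordinates; drop them
| where isnotnull(lat) and isnotnull(lon)
| project TimeGenerated, UserPrincipalName, IPAddress, country, city, lat, lon
// order per user so prev() refers to the previous sign-in of the same user
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
| extend prev_user    = prev(UserPrincipalName),
         prev_time    = prev(TimeGenerated),
         prev_ip      = prev(IPAddress),
         prev_country = prev(country),
         prev_lat     = prev(lat),
         prev_lon     = prev(lon)
| where UserPrincipalName == prev_user
// geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns meters
| extend distance_km = geo_distance_2points(prev_lon, prev_lat, lon, lat) / 1000.0,
         hours       = (TimeGenerated - prev_time) / 1h
| where hours > 0
| extend speed_kmh = distance_km / hours
| where speed_kmh > max_speed_kmh
| project TimeGenerated, UserPrincipalName,
          prev_ip, prev_country, IPAddress, country,
          distance_km = round(distance_km),
          hours       = round(hours, 2),
          speed_kmh   = round(speed_kmh)
```

Because the lookup is a pure KQL function, this runs as a scheduled analytics rule with no Logic App, connector, or outbound API call involved.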
More info: