I’ve long used IP-API.com in many automation implementations, including Playbooks in Microsoft Sentinel. The API is simple and free, and it can be configured to return any of the following for an IP address: status, message, continent, continentCode, country, countryCode, region, regionName, city, district, zip, lat, lon, timezone, offset, currency, isp, org, as, asname, reverse, mobile, proxy, hosting, and query.
The Plugin
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/IP-API/IP-API.yaml
The API is a simple one. You literally just submit the IP address and IP-API.com returns the data.
To dig deeper into IP-API, see: https://ip-api.com/docs
What’s inside the yaml file:
Descriptor:
  Name: IP-API
  DisplayName: IP-API
  Description: IP-API IP Address Lookup
SkillGroups:
  - Format: API
    Settings:
      OpenApiSpecUrl: https://raw.githubusercontent.com/rod-trent/Copilot-for-Security/main/Plugins/IP-API/IP-API.txt
Example prompts:
Use IP-API to lookup <IP Address>
Use IP-API and tell me what the continent, district, and currency is for this IP address.
Use IP-API to tell me about Bing.com
Use IP-API to tell me the address of Google.com
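As an added example (not code from this post or from the plugin), here is a small Python client that builds an ip-api.com JSON lookup URL from the field names listed above and triages the reply the way a Sentinel playbook would. The endpoint shape (http://ip-api.com/json/<query> with a ?fields= parameter) is assumed from the ip-api.com docs linked above; the sample replies are constructed.

```python
"""Added example (not the plugin's own code): build an ip-api.com lookup URL with the
fields this post lists, then triage the JSON reply. The HTTP call is optional; the
sample replies below are constructed, not real lookups."""
import json
import urllib.parse
import urllib.request

# Field names from the post; ip-api.com accepts them as a comma-separated ?fields= list.
FIELDS = ["status", "message", "country", "countryCode", "regionName", "city",
          "isp", "org", "as", "asname", "reverse", "mobile", "proxy", "hosting", "query"]

def build_lookup_url(query: str, fields=FIELDS) -> str:
    """Return the JSON endpoint URL for an IP or hostname (assumed: ip-api.com/json/<query>)."""
    return "http://ip-api.com/json/{}?{}".format(
        urllib.parse.quote(query, safe=""),
        urllib.parse.urlencode({"fields": ",".join(fields)}))

def lookup(query: str, timeout: float = 5.0) -> dict:
    """Perform the lookup over HTTP (not exercised offline)."""
    with urllib.request.urlopen(build_lookup_url(query), timeout=timeout) as resp:
        return json.load(resp)

def triage(reply: dict) -> dict:
    """Reduce a reply to what an analyst needs: the failure reason, or the enrichment
    plus the flags (proxy/hosting/mobile) that change how an alert is weighed."""
    if reply.get("status") != "success":
        return {"ok": False, "reason": reply.get("message", "unknown failure")}
    flags = [k for k in ("proxy", "hosting", "mobile") if reply.get(k) is True]
    location = ", ".join(v for v in (reply.get("city"), reply.get("regionName"),
                                     reply.get("country")) if v)
    return {"ok": True, "query": reply.get("query"), "location": location,
            "network": reply.get("asname") or reply.get("org") or reply.get("isp"),
            "flags": flags}

# Constructed sample replies: shape follows ip-api.com's JSON, values are made up.
SAMPLE_SUCCESS = json.loads('{"status":"success","country":"Exampleland","countryCode":"EX",'
    '"regionName":"North","city":"Port Example","isp":"Example ISP","org":"Example Cloud",'
    '"as":"AS64496 Example Cloud","asname":"EXAMPLE-CLOUD","reverse":"vm.example.net",'
    '"mobile":false,"proxy":true,"hosting":true,"query":"203.0.113.7"}')
SAMPLE_FAIL = json.loads('{"status":"fail","message":"private range","query":"10.0.0.5"}')

if __name__ == "__main__":
    print(build_lookup_url("203.0.113.7"))
    print(triage(SAMPLE_SUCCESS))
    print(triage(SAMPLE_FAIL))
```

The free tier is served over plain HTTP, so every IP you enrich leaves your environment unencrypted; keep that in mind before wiring it into an automated playbook.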
To install this in your own Copilot for Security instance, see: Add custom plugins