Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article shows you how to enrich entities in Microsoft Sentinel with geolocation data using the REST API.
Important
This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The following are the common URI parameters for the geolocation API:
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| {subscriptionId} | path | yes | GUID | The Azure subscription ID |
| {resourceGroupName} | path | yes | string | The name of the resource group within the subscription |
| {api-version} | query | yes | string | The version of the protocol used to make this request. As of April 30 2021, the geolocation API version is 2019-01-01-preview. |
| {ipAddress} | query | yes | string | The IP Address for which geolocation information is needed, in an IPv4 or IPv6 format. |
This command retrieves geolocation data for a given IP Address.
| Method | Request URI |
|---|---|
| GET | https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version={api-version} |
| Status code | Description |
|---|---|
| 200 | Success |
| 400 | IP address not provided or is in invalid format |
| 404 | Geolocation data not found for this IP address |
| 429 | Too many requests, try again in the specified timeframe |
| Field name | Description |
|---|---|
| ASN | The autonomous system number associated with this IP address |
| carrier | The name of the carrier for this IP address |
| city | The city where this IP address is located |
| cityCf | A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100 |
| continent | The continent where this IP address is located |
| country | The country/region where this IP address is located |
| countryCf | A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100 |
| ipAddr | The dotted-decimal or colon-separated string representation of the IP address |
| ipRoutingType | A description of the connection type for this IP address |
| latitude | The latitude of this IP address |
| longitude | The longitude of this IP address |
| organization | The name of the organization for this IP address |
| organizationType | The type of the organization for this IP address |
| region | The geographic region where this IP address is located |
| state | The state where this IP address is located |
| stateCf | A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100 |
| stateCode | The abbreviated name for the state where this IP address is located |
This API has a limit of 100 calls, per user, per hour.
"body":
{
"asn": "12345",
"carrier": "Microsoft",
"city": "Redmond",
"cityCf": 90,
"continent": "north america",
"country": "united states",
"countryCf": 99
"ipAddr": "1.2.3.4",
"ipRoutingType": "fixed",
"latitude": "40.2436",
"longitude": "-100.8891",
"organization": "Microsoft",
"organizationType": "tech",
"region": "western usa",
"state": "washington",
"stateCf": null
"stateCode": "wa"
}
To learn more about Microsoft Sentinel, see the following articles:
Learn more about entities:
Explore other uses of the Microsoft Sentinel API