One of my favorite Playbooks is the one created by Nicholas DiCola that provides GEO information for IP Addresses that are associated with an Azure Sentinel Incident. Once the information is obtained, it’s placed in the Incident’s Tags for easy readability and quick-glance information about where the connections are coming from.
I run this Playbook often but have always felt that the information more quick-glance information would be useful.
My modification of the Playbook now writes the city, country, and IP Address to the Tags, as shown…
You can obtain the updated Playbook from my GitHub repository here: https://github.com/rod-trent/SentinelPlaybooks/tree/master/IP2GEO2Tags-2
