How to Add Weather Data for Collected IP Addresses to a Microsoft Sentinel Incident

Is weather data necessary information for an investigation? Maybe, maybe not – unless that information shows that a device is offline due to existing weather patterns.

Or, say you want to build weather alerts into the system so that you are notified of the potential for upcoming outages. I won’t be covering that in this post, but I do plan to show how to develop Analytics Rules around this in the near future.

But regardless of which side you fall on (is weather data necessary or not?), in truth it’s just good fun and a great way to continue developing your Playbook-building skills.

To get started you need a solid weather API. I tested quite a few, looking for one that is easy to use, has a wealth of data, and provides the best JSON response body. All in all, I tested 5 different weather APIs and personally determined that the one from WeatherAPI best meets all of those requirements. As soon as you sign up for an account, you’re given your own API key. The Interactive API Explorer is gold, and it allowed me to generate just the right payload to create my JSON parser in the Logic App.

Once you have your own API key, you can jump out to the following GitHub repository page and deploy the Weather2Comments Playbook to your own Azure environment.

Weather2Comments Microsoft Sentinel Playbook:

As shown in the next image, you’ll need the API key to complete the deployment.

Info needed to deploy

This particular Playbook is just a simple one to show how to interact with the two APIs (IP-API and WeatherAPI). It only displays the temperature (in Fahrenheit), the current weather condition, and the related icon.

Here’s an example of what that looks like:

Example of the output

This Playbook also shows how to use Markdown to interact with the Incident Comments, particularly for images. In normal HTML the code would look like…

<img src="https://image.url">

…but using Markdown it looks like this…

![Alt text](https://image.url)

You’ll see that exhibited in the Add Comments to Incident step.
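The same comment-building step sketched in Python, as an added example that is not taken from the Weather2Comments Playbook or the original post. It treats the weather response as untrusted input before it lands in an Incident Comment. The sample response is constructed, the field names (current.temp_f, current.condition.text, current.condition.icon) are assumed to follow WeatherAPI's current-conditions response, and the function names and the icon host allow-list are hypothetical.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a WeatherAPI current-conditions response (not real data).
SAMPLE = json.loads("""
{"location": {"name": "Example City"},
 "current": {"temp_f": 71.6,
             "condition": {"text": "Partly cloudy",
                           "icon": "//cdn.weatherapi.com/weather/64x64/day/116.png"}}}
""")

ALLOWED_ICON_HOSTS = {"cdn.weatherapi.com"}  # assumption: the only host icons should load from


def is_public_ip(value):
    """True only for addresses worth sending to an external geolocation API."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def safe_icon_url(icon):
    """Normalise a protocol-relative icon path to https and check scheme and host."""
    url = "https:" + icon if icon.startswith("//") else icon
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_ICON_HOSTS:
        return None
    if any(c in url for c in " ()<>\"'"):  # characters that would break ![alt](url)
        return None
    return url


def escape_md(text):
    """Backslash-escape characters that would change the Markdown structure."""
    return "".join("\\" + c if c in "\\`*_[]()<>!#|" else c for c in str(text))


def build_comment(ip, weather):
    """Return the Markdown comment body, or None when the IP should not be looked up."""
    if not is_public_ip(ip):
        return None  # private, reserved or malformed: never sent to the external APIs
    cur = weather["current"]
    cond = escape_md(cur["condition"]["text"])
    line = f"Weather for {ip}: {float(cur['temp_f']):.1f} F, {cond}"
    icon = safe_icon_url(cur["condition"]["icon"])
    return f"{line}\n\n![{cond}]({icon})" if icon else line
```

If the icon URL fails the check, the comment is still written, just without the image.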

The data that WeatherAPI provides is enormous and you could spend days developing additional ways to look at the data and provide even more value. Have fun! I’d be happy to hear what you come up with (@rodtrent).

Playbook Logic

P.S. Thanks to Sreedhar for his wonderful Playbook ARM Template Generator! This awesome tool allows me to go from Playbook idea to sharing the deployment in less time than it takes to write a blog post (and I can write a blog post pretty quickly).

