Back to Integrations

Microsoft Sentinel Integration

Enrich your Microsoft Sentinel incidents with real-time IP threat intelligence from ipinsights.io.

Overview

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) solution built on top of Azure. It provides intelligent security analytics and threat intelligence across the enterprise, offering a single pane of glass for alert detection, threat visibility, proactive hunting, and automated response.

By integrating ipinsights.io you can automatically enrich every Sentinel incident that involves an IP address with real-time threat intelligence — including reputation scores, geolocation, ASN data, Tor/proxy/VPN detection and blocklist membership — giving your SOC analysts instant context without leaving the Azure portal.

The integration uses Azure Logic Apps (Playbooks) and optionally KQL (Kusto Query Language) analytics rules to seamlessly enrich incidents as they are created and trigger automated escalation workflows based on threat severity.

Architecture Overview

The diagram below shows the end-to-end data flow when a new Sentinel incident is created:

┌──────────────────┐ incident trigger ┌──────────────────────┐ HTTP GET ┌──────────────────────┐ │ Microsoft │ ─────────────────▶ │ Logic App │ ──────────▶ │ ipinsights.io API │ │ Sentinel │ │ (Playbook) │ │ /api/v1/lookup │ │ Incident │ └──────────┬───────────┘ └──────────┬───────────┘ └──────────────────┘ │ │ │ For each IP │ JSON response ▼ ▼ ┌──────────────────┐ ┌──────────────────────┐ │ Parse JSON │ ◀─────────── │ Threat score, │ │ Response │ │ geolocation, ASN, │ └──────────┬───────┘ │ blocklists, Tor … │ │ └──────────────────────┘ │ Enrich incident ▼ ┌──────────────────────────┐ │ Add comment to incident │ │ + Auto-severity update │ │ (if threat_score > 70) │ └──────────────────────────┘
  1. A new incident is created in Microsoft Sentinel (e.g. from an analytics rule or alert).
  2. The Logic App playbook is triggered automatically via the Microsoft Sentinel incident trigger.
  3. The playbook extracts all IP entities from the incident using the Entities – Get IPs action.
  4. For each IP address, an HTTP GET request is sent to the ipinsights.io API.
  5. The JSON response is parsed and a formatted comment is added to the incident with threat intelligence details.
  6. Optionally, if the threat score exceeds a configurable threshold, the incident severity is automatically escalated.

Prerequisites

  • An active Azure subscription with billing enabled
  • A Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled)
  • Logic Apps Contributor role (or higher) on the resource group
  • Microsoft Sentinel Responder role (required for the playbook to update incidents)
  • An ipinsights.io API key — available on your profile page (or register for free)
  • Outbound HTTPS (port 443) access from Azure to https://ipinsights.io

Step 1 — Create a Logic App Playbook

Navigate to the Azure Portal and create a new Logic App that will serve as your Sentinel playbook.

Create the Logic App

  1. Go to Microsoft Sentinel → Configuration → Automation.
  2. Click Create → Playbook with incident trigger.
  3. Choose your subscription, resource group and give the playbook a name (e.g. IPInsights-Enrich-Incident).
  4. Click Review + Create, then Create.
  5. Once deployed, click Go to resource to open the Logic App Designer.

Add the "Entities – Get IPs" Action

After the Sentinel incident trigger, add the Entities – Get IPs action to extract all IP address entities from the incident. Set the Entities List parameter to the incident's Entities dynamic content.

Add a "For Each" Loop with HTTP Action

Add a For each control that iterates over the IPs array. Inside the loop, add an HTTP action configured as follows:

{ "method": "GET", "uri": "https://ipinsights.io/api/v1/lookup?ip=@{items('For_each')?['Address']}", "headers": { "X-API-Key": "@parameters('API_KEY')", "Accept": "application/json", "User-Agent": "AzureSentinel-IPInsights/1.0" } }

The @parameters('API_KEY') reference is configured in Step 5 using Azure Key Vault.

Step 2 — Parse the API Response

After the HTTP action, add a Parse JSON action. Set the Content to the Body output of the HTTP action. Use the following schema:

{ "type": "object", "properties": { "success": { "type": "boolean" }, "data": { "type": "object", "properties": { "ip": { "type": "string" }, "hostname": { "type": "string" }, "city": { "type": "string" }, "region": { "type": "string" }, "country": { "type": "string" }, "country_code": { "type": "string" }, "latitude": { "type": "number" }, "longitude": { "type": "number" }, "asn": { "type": "integer" }, "org": { "type": "string" }, "isp": { "type": "string" }, "is_tor": { "type": "boolean" }, "is_proxy": { "type": "boolean" }, "is_vpn": { "type": "boolean" }, "is_datacenter": { "type": "boolean" }, "threat_assessment": { "type": "object", "properties": { "score": { "type": "integer" }, "level": { "type": "string" }, "categories": { "type": "array", "items": { "type": "string" } } } }, "blocklists": { "type": "array", "items": { "type": "object", "properties": { "name": { "type": "string" }, "listed": { "type": "boolean" } } } } } } } }

Tip: you can auto-generate the schema by clicking Use sample payload to generate schema in the Parse JSON action and pasting a sample API response.

Step 3 — Add Enrichment to Incident

Still inside the For each loop, add an Add comment to incident (V3) action from the Microsoft Sentinel connector. Use the following template for the Incident Comment Message:

<h3>🔍 ipinsights.io Threat Intelligence</h3> <table> <tr><td><b>IP Address</b></td><td>@{body('Parse_JSON')?['data']?['ip']}</td></tr> <tr><td><b>Threat Score</b></td><td>@{body('Parse_JSON')?['data']?['threat_assessment']?['score']}/100 (@{body('Parse_JSON')?['data']?['threat_assessment']?['level']})</td></tr> <tr><td><b>Location</b></td><td>@{body('Parse_JSON')?['data']?['city']}, @{body('Parse_JSON')?['data']?['country']}</td></tr> <tr><td><b>ISP / Org</b></td><td>@{body('Parse_JSON')?['data']?['isp']} / @{body('Parse_JSON')?['data']?['org']}</td></tr> <tr><td><b>ASN</b></td><td>AS@{body('Parse_JSON')?['data']?['asn']}</td></tr> <tr><td><b>Tor Node</b></td><td>@{body('Parse_JSON')?['data']?['is_tor']}</td></tr> <tr><td><b>Proxy</b></td><td>@{body('Parse_JSON')?['data']?['is_proxy']}</td></tr> <tr><td><b>VPN</b></td><td>@{body('Parse_JSON')?['data']?['is_vpn']}</td></tr> <tr><td><b>Datacenter</b></td><td>@{body('Parse_JSON')?['data']?['is_datacenter']}</td></tr> </table>

Set the Incident ARM ID to the dynamic content Incident ARM ID from the trigger.

Step 4 — Auto-Severity Escalation (Optional)

After the comment action (still inside the For each loop), add a Condition control to automatically escalate incident severity when a high threat score is detected.

Condition Configuration

Setting Value
Value (left) @{body('Parse_JSON')?['data']?['threat_assessment']?['score']}
Operator is greater than
Value (right) 70

If True — Update Incident

In the True branch, add an Update incident (V3) action:

{ "incidentArmId": "@triggerBody()?['object']?['id']", "severity": "High", "status": "Active", "tagsToAdd": [ { "Tag": "ipinsights-high-threat" }, { "Tag": "auto-escalated" } ] }

You can adjust the threshold (70) to match your organisation's risk tolerance. Scores range from 0 (benign) to 100 (critical threat).

Step 5 — Configure API Key as a Secure Parameter

Never hard-code your API key in the Logic App definition. Instead, store it in Azure Key Vault and reference it as a secure parameter.

1. Create a Key Vault Secret

  1. Navigate to Key Vault → Secrets → Generate/Import.
  2. Set the name to ipinsights-api-key.
  3. Paste your ipinsights.io API key as the value.
  4. Click Create.

2. Grant Access to the Logic App

Enable a system-assigned managed identity on the Logic App, then assign it the Key Vault Secrets User role on the Key Vault.

3. Reference in ARM Template

Add the following parameter to your Logic App ARM template to reference the Key Vault secret:

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "parameters": { "API_KEY": { "type": "securestring", "metadata": { "description": "ipinsights.io API key from Key Vault" } } }, "resources": [ { "type": "Microsoft.Logic/workflows", "apiVersion": "2019-05-01", "name": "IPInsights-Enrich-Incident", "properties": { "definition": { "parameters": { "API_KEY": { "type": "SecureString", "defaultValue": "[parameters('API_KEY')]" } } } } } ] }

When deploying via the Azure Portal, reference the Key Vault secret using: @Microsoft.KeyVault(SecretUri=https://your-vault.vault.azure.net/secrets/ipinsights-api-key/)

Step 6 — Create an Analytics Rule (Optional)

For advanced use cases you can ingest ipinsights.io enrichment data into a custom Log Analytics table and query it with KQL. This enables correlation with other security data sources and historical threat analysis.

Custom Log Table

Send enrichment data to a custom table (e.g. IPInsights_CL) using the Azure Monitor Data Collector API or a Data Collection Rule (DCR).

KQL Analytics Rule

Create a Scheduled Analytics Rule in Sentinel with the following KQL query:

// Alert on high-threat IPs observed in the last hour IPInsights_CL | where TimeGenerated > ago(1h) | where threat_score_d > 70 | summarize ThreatCount = count(), MaxScore = max(threat_score_d), Countries = make_set(country_s), ISPs = make_set(isp_s), IsTor = make_set(is_tor_b), IsVPN = make_set(is_vpn_b) by ip_s | where ThreatCount >= 1 | project IP = ip_s, ThreatCount, MaxScore, Countries, ISPs, IsTor, IsVPN | order by MaxScore desc

Rule Configuration

Setting Value
Name High-Threat IP Detected (ipinsights.io)
Severity High
Query frequency Every 1 hour
Lookup period Last 1 hour
Alert threshold Greater than 0 results
Entity mapping IP → ip_s

Adjust the threshold, frequency and KQL filters to match your security posture.

Step 7 — Test the Playbook

Before deploying to production, test your playbook manually to verify end-to-end functionality.

  1. Go to Microsoft Sentinel → Incidents and select an existing incident that contains IP entities.
  2. Click Actions → Run playbook and select your IPInsights-Enrich-Incident playbook.
  3. Wait for the playbook to complete (typically a few seconds per IP).
  4. Refresh the incident and check the Comments tab for the enrichment data.
  5. Verify the severity was updated if the threat score exceeded your threshold.

Check Logic App Run History

Navigate to your Logic App → Overview → Run history. Click on a run to inspect each action's input/output. Verify the HTTP action returned a 200 OK status and the Parse JSON action succeeded without errors.

Best Practices

Use Managed Identity

Enable a system-assigned managed identity on the Logic App. Grant it the Microsoft Sentinel Responder role so it can read and update incidents without storing service principal credentials.

Store Secrets in Key Vault

Always store the ipinsights.io API key in Azure Key Vault. Never hard-code secrets in Logic App definitions, ARM templates, or source control.

Concurrency Control

In the Logic App's Settings, set the Concurrency Control on the trigger to a reasonable limit (e.g. 10). This prevents a burst of incidents from overwhelming the API rate limit.

Rate Limit Awareness

The ipinsights.io API enforces rate limits based on your plan. Configure the For each loop's concurrency to 1 (sequential) to avoid exceeding your limit. If you need higher throughput, request a limit increase using the form below.

Diagnostic Logging

Enable Diagnostic settings on the Logic App and send logs to the same Log Analytics workspace used by Sentinel. This gives you visibility into playbook performance, failures, and API response times — all queryable via KQL.

Troubleshooting

Logic App run fails with "Forbidden" or "Unauthorized"

  • Verify your API key is correct and has not been rotated since the Key Vault secret was created.
  • Check that the Key Vault access policy grants the Logic App's managed identity Get permission on secrets.
  • Ensure the X-API-Key header name is spelled correctly (it is case-sensitive).

HTTP action returns 429 (Too Many Requests)

  • You are exceeding your API rate limit. Reduce the For each concurrency to 1.
  • Add a Delay action (e.g. 1 second) between iterations.
  • Consider requesting a higher API limit using the form below.

Parse JSON action fails

  • Check that the HTTP action returned a 200 OK status code.
  • Verify the schema matches the current ipinsights.io API response format.
  • Add a Condition before Parse JSON to check @equals(outputs('HTTP')?['statusCode'], 200).

Incident comment is not added

  • Ensure the Logic App's managed identity has the Microsoft Sentinel Responder role on the workspace.
  • Verify the Incident ARM ID dynamic content is correctly mapped in the comment action.
  • Check the Logic App run history for the specific action's error message.

Playbook does not trigger automatically

  • Confirm an Automation Rule exists in Sentinel that runs the playbook on incident creation.
  • Check that the automation rule is enabled and its conditions match the expected incidents.
  • Verify the API connection in the Logic App is authorised (go to API connections and re-authenticate if needed).

Network connectivity issues

  • If your Logic App is in a VNET-integrated environment, ensure outbound HTTPS to https://ipinsights.io is permitted.
  • Check NSG (Network Security Group) and Azure Firewall rules if applicable.
  • Test connectivity from an Azure VM in the same VNET using curl https://ipinsights.io/api/v1/lookup?ip=8.8.8.8.

API Key: You can find your API key on your profile page. Don't have an account yet? Register for free.

Request Higher API Limit

Running a high-volume Sentinel deployment? If the default rate limit isn't enough for your environment, submit a request below and we'll review it.

Maximum 5,000 characters.