
IPinfo Microsoft Sentinel Integration

The IPinfo for Microsoft Sentinel integration allows organizations to automatically ingest enriched IP data directly into their Sentinel workspace via Azure Functions and Data Collection Rules (DCR).

This documentation guides you through the complete setup process, from creating your Log Analytics Workspace to deploying connectors, verifying data ingestion, and running queries against the enriched data.

The IPinfo solution deploys Azure Function-based connectors that periodically download IPinfo datasets and ingest the data into custom Log Analytics tables in your Microsoft Sentinel workspace. Each connector runs as an independent Azure Function App that downloads IPinfo datasets and writes the data to your workspace using the Logs Ingestion API via Data Collection Rules.

Prerequisites & Permissions

Before you begin, ensure you have the following items ready.

Azure Subscription & Permissions

  • An active Azure subscription with billing enabled.
  • Owner or Contributor role on the resource group where you will deploy resources.
  • Microsoft Sentinel Contributor role (or higher) on the target workspace.
  • Ability to create App Registrations in Microsoft Entra ID (Azure AD) to obtain CLIENT_ID and CLIENT_SECRET.

IPinfo Account & Token

  1. Sign up for an IPinfo account (ipinfo.io).
  2. Navigate to the Dashboard and copy your token.
  3. Ensure your plan includes access to the datasets you plan to deploy (ASN, Abuse, Company, Country, Domain, Privacy, Carrier, etc.).

Keep your IPinfo token secure. You will enter it as a parameter during connector deployment. Do not share it in logs or source control.

Required Parameters

You will need the following values during deployment:

| Parameter | Where to Find It | Description |
| --- | --- | --- |
| RESOURCE_ID | Azure Portal > Log Analytics Workspace > Properties | Full resource ID of your Log Analytics Workspace |
| TENANT_ID | Azure Portal > Microsoft Entra ID > Overview | Your Azure AD / Entra ID tenant ID |
| CLIENT_ID | Azure Portal > App Registrations > Your App > Overview | Application (client) ID of your registered app |
| CLIENT_SECRET | Azure Portal > App Registrations > Your App > Certificates & Secrets | Client secret value (copy immediately after creation) |
| IPINFO_TOKEN | IPinfo Dashboard > Token | Your IPinfo token |

Register an App in Microsoft Entra ID

An App Registration is required so that the Azure Function can authenticate and write data to your workspace.

  1. In the Azure Portal, go to Microsoft Entra ID > App registrations > New registration.
  2. Enter a name (e.g., IPinfo-Sentinel-Connector) and select Single tenant.
  3. Click Register. Copy the Application (client) ID and Directory (tenant) ID.
  4. Go to Certificates & secrets > New client secret. Set an expiry and click Add.
  5. Copy the secret Value immediately (it will not be shown again).
  6. Go to Subscriptions and select your subscription > Access control (IAM) > Add role assignment.
  7. Assign the Log Analytics Contributor, Monitoring Contributor, and Monitoring Metrics Publisher roles to the app you registered.

Each of the 3 roles is required for the Azure Function to write data via the Azure Monitor Ingestion API. Without these roles, data ingestion will fail with a 403 Forbidden error.

Creating a Log Analytics Workspace

A Log Analytics Workspace (LAW) is the central data store that Microsoft Sentinel uses. If you already have a workspace with Sentinel enabled, you can skip to Onboarding the Workspace to Microsoft Sentinel.

Steps to Create a Workspace

  1. Sign in to the Azure Portal (https://portal.azure.com).
  2. In the search bar at the top, type Log Analytics workspaces and select it.
  3. Click + Create.
  4. Select your Subscription and Resource Group (or create a new one).
  5. Enter a Name for the workspace (e.g., ipinfo-sentinel-law).
  6. Select a Region close to your operations for optimal performance.
  7. Leave the Pricing tier as the default (Pay-As-You-Go) unless you have a commitment tier.
  8. Click Review + Create, then click Create.

Choose the same region for all resources (workspace, Function App, etc.) to minimize latency and cross-region data transfer costs.

Note the Workspace Resource ID

After the workspace is created, you need its Resource ID for connector deployment:

  1. Open the workspace in the Azure Portal.
  2. Go to Settings > Properties.
  3. Copy the Resource ID. It will look like: /subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/Microsoft.OperationalInsights/workspaces/{ws-name}

Onboarding the Workspace to Microsoft Sentinel

Microsoft Sentinel must be enabled on your Log Analytics Workspace before connectors can ingest data.

Enable Microsoft Sentinel

  1. In the Azure Portal, search for Microsoft Sentinel and select it.
  2. Click + Create (or + Add if you see existing workspaces).
  3. Select the Log Analytics Workspace you created in Creating a Log Analytics Workspace.
  4. Click Add. Sentinel will be enabled on the workspace.

This process takes a few moments. Once complete, you will see the Sentinel Overview dashboard for your workspace.

Enabling Sentinel is free; you only pay for data ingestion and retention. The IPinfo connectors ingest data into custom tables, which are billed at Log Analytics ingestion rates.

Installing the IPinfo Solution from Content Hub

The IPinfo solution packages all data connectors, workbooks, and analytics rules into a single deployable solution available in Microsoft Sentinel Content Hub.

Find and Install the Solution

  1. In Microsoft Sentinel, go to Content Hub (under Content management in the left menu).
  2. In the search bar, type IPinfo.
  3. Locate the IPinfo solution and click on it to open the details pane.
  4. Click Install.
  5. Select your Subscription, Resource Group, and Workspace.
  6. Review the terms and click Create / Install.

The installation deploys the connector definitions and any associated content (workbooks, hunting queries, etc.) into your Sentinel workspace. After installation, the data connectors will appear under the Data connectors page.

Installing the solution only registers the connectors in Sentinel. You still need to deploy each connector (Deploying the Data Connectors) for data to start flowing.

Deploying the Data Connectors

Each IPinfo connector runs as an Azure Function App. Deployment is done through the connector page in Sentinel using an ARM template.

Deploy a Connector

  1. In Microsoft Sentinel, go to Data connectors (under Configuration).
  2. Find the IPinfo connector you want to deploy (e.g., IPinfo ASN) and click Open connector page.
  3. On the connector page, scroll to the Configuration section.
  4. Click the Deploy to Azure button. This opens the ARM template deployment in a new tab.
  5. Fill in the required parameters:

     | Parameter | Value |
     | --- | --- |
     | RESOURCE_ID | The full Resource ID of your Log Analytics Workspace |
     | Function Name | The name of the Azure Function App |
     | TENANT_ID | Your Microsoft Entra ID Tenant ID |
     | CLIENT_ID | The Application (client) ID from your App Registration |
     | CLIENT_SECRET | The client secret value from your App Registration |
     | IPINFO_TOKEN | Your IPinfo token |

  6. Click Review + Create, then Create to start the deployment.
  7. Wait for the deployment to complete (typically 2 to 5 minutes).

What Gets Deployed

Each connector deployment creates the following Azure resources:

  • Azure Function App (Elastic Premium EP2 plan) running Python 3.11
  • Storage Account for Function App state
  • Data Collection Rule (DCR) for ingesting data into the custom table
  • Data Collection Endpoint (DCE) for the Azure Monitor Ingestion API
  • Application Insights for monitoring
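
An added example (not IPinfo's connector code) of the two HTTPS requests behind the DCR and DCE listed above: the OAuth2 client-credentials token request to Entra ID and the batched POST to the Logs Ingestion API. The DCE URL, the DCR immutable ID and the `Custom-Ipinfo_ASN_CL` stream name are assumed placeholders; the requests are built but not sent.

```python
import json
import urllib.parse
import urllib.request

# The Logs Ingestion API documents a 1 MB limit per call; stay under it.
MAX_BODY_BYTES = 1_000_000


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request sent to Entra ID."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://monitor.azure.com/.default",
    }).encode("ascii")
    return urllib.request.Request(url, data=form, method="POST")


def batch_rows(rows, max_bytes=MAX_BODY_BYTES):
    """Yield JSON-array request bodies (bytes), each at most max_bytes long."""
    batch, size = [], 2  # 2 bytes for the enclosing "[" and "]"
    for row in rows:
        encoded = json.dumps(row, separators=(",", ":")).encode("utf-8")
        if len(encoded) + 2 > max_bytes:
            raise ValueError("a single row exceeds the request size limit")
        if batch and size + 1 + len(encoded) > max_bytes:
            yield b"[" + b",".join(batch) + b"]"
            batch, size = [], 2
        size += len(encoded) + (1 if batch else 0)  # +1 for the comma
        batch.append(encoded)
    if batch:
        yield b"[" + b",".join(batch) + b"]"


def ingestion_requests(dce_url, dcr_immutable_id, stream, rows, bearer_token,
                       max_bytes=MAX_BODY_BYTES):
    """Build one POST per batch against the Data Collection Endpoint."""
    url = (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return [urllib.request.Request(url, data=body, headers=headers, method="POST")
            for body in batch_rows(rows, max_bytes)]


if __name__ == "__main__":
    # Constructed sample rows using the Ipinfo_ASN_CL field names from this page.
    rows = [{"asn": "AS64500", "name": "Example", "ip_range": "192.0.2.0/24"}] * 5
    reqs = ingestion_requests(
        "https://example-dce.ingest.monitor.azure.com",  # placeholder DCE URL
        "dcr-00000000000000000000000000000000",          # placeholder DCR id
        "Custom-Ipinfo_ASN_CL",                          # assumed stream name
        rows, "TOKEN-PLACEHOLDER", max_bytes=150)
    for r in reqs:
        print(r.get_method(), r.full_url, len(r.data), "bytes")
```

The token request is where an expired CLIENT_SECRET surfaces as a 401, and the ingestion POST is where missing role assignments surface as a 403.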

Repeat for Additional Connectors

Repeat the steps above for each IPinfo connector you want to deploy. Each connector is independent and can be deployed, updated, or removed individually.

Each Function App incurs compute costs. During initial testing, deploy and test one connector at a time to minimize costs. You can disable or delete Function Apps you are not actively using.

Verifying Deployment & Function App Logs

After deployment, verify that the Azure Function is running correctly and processing data.

Check the Function App Status

  1. In the Azure Portal, navigate to Function Apps.
  2. Find the Function App created by the connector deployment (it will be named based on the connector, e.g., ipinfo-asn-func-app).
  3. On the Overview page, verify the Status shows Running.
  4. Check the Functions section in the left menu. You should see the timer-triggered function listed.

Trigger a Manual Execution

Rather than waiting for the next scheduled run, trigger the function immediately:

  1. In the Function App, go to Functions in the left menu.
  2. Click on the timer-triggered function.
  3. Click Code + Test → Test/Run → Run.

View Function Execution Logs

There are two ways to view logs from the Function App.

Method 1: Log Stream (Real-time)

  1. Open your Function App in the Azure Portal.
  2. In the left menu, go to Monitoring > Log stream.
  3. Select App Insights Logs or Filesystem Logs from the dropdown.
  4. You will see real-time log output from the function, including execution status, data download progress, and ingestion results.

Method 2: Application Insights

For historical logs and deeper analysis:

  1. Open the Application Insights resource linked to your Function App.
  2. Go to Monitoring > Logs.
  3. Run the following Kusto query to see recent function executions:

KQL Query: Function App Traces

KQL
traces
| where timestamp > ago(24h)
| where operation_Name contains "ipinfo"
| order by timestamp desc
| take 50

Common Log Messages

| Log Message | Meaning |
| --- | --- |
| Function started | The timer trigger fired and the function began execution |
| Downloading dataset... | The function is downloading the IPinfo dataset |
| Ingesting data to workspace... | Data is being sent to your workspace via the DCR |
| Function completed successfully | All data was ingested without errors |
| HTTP 403 Forbidden | The App Registration is missing the Monitoring Metrics Publisher role |
| HTTP 401 Unauthorized | Invalid or expired CLIENT_SECRET or IPINFO_TOKEN |

Viewing Ingested Data in Log Analytics

Once the connector has run successfully, data will appear in custom tables in your Log Analytics Workspace.

  1. In the Azure Portal, open your Log Analytics Workspace.
  2. In the left menu, click Logs (under General).
  3. The query editor will open. You can run KQL (Kusto Query Language) queries here.

Find IPinfo Tables

IPinfo data is stored in custom tables. You can find them in the Tables section on the left side of the Logs editor, under the Custom Logs category. The tables follow the naming convention shown below:

All tables include TimeGenerated (datetime) and TenantId (guid) columns added automatically by Log Analytics.

| Connector | Table Name | Fields |
| --- | --- | --- |
| IPinfo Core | Ipinfo_CORE_CL | ip_range, city, region, region_code, country, country_code, continent, continent_code, latitude, longitude, timezone, postal_code, asn, as_name, as_domain, as_type, is_anonymous, is_anycast, is_hosting, is_mobile, is_satellite |
| IPinfo Plus | Ipinfo_PLUS_CL | ip_range, city, region, region_code, country, country_code, continent, continent_code, latitude, longitude, timezone, postal_code, geoname_id, radius, asn, as_name, as_domain, as_type, as_changed, geo_changed, is_anonymous, is_anycast, is_hosting, is_mobile, is_satellite, is_proxy, is_relay, is_tor, is_vpn |
| IPinfo ASN | Ipinfo_ASN_CL | asn, name, domain, route, asn_type, ip_range |
| IPinfo Abuse | Ipinfo_Abuse_CL | name, email, address, country, phone, network, ip_range |
| IPinfo Company | Ipinfo_Company_CL | as_domain, as_name, as_type, asn, country, company_domain, company_name, company_type, ip_range |
| IPinfo Country ASN | Ipinfo_Country_CL | as_domain, as_name, asn, continent, continent_name, country, country_name, ip_range |
| IPinfo Domain | Ipinfo_Domain_CL | domains, total, ip_range |
| IPinfo Privacy | Ipinfo_Privacy_CL | hosting, proxy, relay, service, tor, vpn, ip_range |
| IPinfo Privacy Extended | Ipinfo_Privacy_extended_CL | anycast, census, census_port, device_activity, hosting, network, proxy, relay, tor, vpn, vpn_config, vpn_name, whois, ip_range |
| IPinfo Carrier | Ipinfo_Carrier_CL | carrier, mcc, mnc, cc, network, ip_range |
| IPinfo IP Location | Ipinfo_Location_CL | city, country, geoname_id, lat, lng, postal_code, region, region_code, timezone, ip_range |
| IPinfo IP Location Extended | Ipinfo_Location_extended_CL | city, country, country_name, latitude, longitude, postal_code, radius, region_name, region, timezone, geoname_id, ip_range |
| IPinfo ResProxy | Ipinfo_RESIDENTIAL_PROXY_CL | ip, service, last_seen, percent_days_seen |
| IPinfo RIRWHOIS | Ipinfo_RIRWHOIS_CL | ip_range, whois_id, name, country, status, tech, maintainer, admin, source, whois_domain, updated, org, rdns_domain, domain, geoloc, org_address, asn, as_name, as_domain, as_type |
| IPinfo RWHOIS | Ipinfo_RWHOIS_CL | ip_range, whois_id, name, whois_desc, host, country, email, abuse, domain, city, street, postal, updated, imported |
| IPinfo WHOIS ASN | Ipinfo_WHOIS_ASN_CL | whois_id, name, country, org_id, created, updated, source |
| IPinfo WHOIS MNT | Ipinfo_WHOIS_MNT_CL | whois_id, name, admin_id, tech_id, org_id, created, updated, source |
| IPinfo WHOIS NET | Ipinfo_WHOIS_NET_CL | ip_range, whois_id, name, country, domain, org_id, status, tech_id, mnt_id, admin_id, abuse_id, created, updated, source |
| IPinfo WHOIS ORG | Ipinfo_WHOIS_ORG_CL | whois_id, name, address, street, city, state, postalcode, country, admin_id, tech_id, abuse_id, mnt_id, email, domain, created, updated, source |
| IPinfo WHOIS POC | Ipinfo_WHOIS_POC_CL | whois_id, name, mobilephone, officephone, fax, address, country, email, abuse_email, created, updated, source |

Quick Validation Query

To verify data is present, run the following query for any connector (replacing the table name as appropriate):

KQL Query: Verify Data Ingestion

KQL
Ipinfo_ASN_CL
| take 10

If rows are returned, data ingestion is working. If no results appear, check the Function App logs (Verifying Deployment & Function App Logs) for errors.

Configuration

All parameters are stored as Application Settings in the Function App. To modify after deployment: Function App → Settings → Configuration → edit value → Save → Restart.

Optional Parameters

| Variable | Type | Default | Description |
| --- | --- | --- | --- |
| RETENTION_IN_DAYS | Integer | 10 | Hot storage retention (days). Fast queries, higher cost. |
| TOTAL_RETENTION_IN_DAYS | Integer | 30 | Total retention including archive. Older data moves to lower-cost archive. |
| SCHEDULE | Cron | 0 30 9 * * * | Execution schedule in UTC. IPinfo datasets update daily — more frequent runs provide no new data. |

Basic KQL Queries

This section provides sample Kusto Query Language (KQL) queries to help you explore and analyze the ingested IPinfo data.

Row Count per Table

Check how many records have been ingested in each table:

KQL
Ipinfo_ASN_CL
| summarize Count = count()

KQL
Ipinfo_Abuse_CL
| summarize Count = count()

KQL
Ipinfo_Country_CL
| summarize Count = count()

Recent Ingestion Activity

View the most recently ingested records to confirm fresh data:

KQL
Ipinfo_ASN_CL
| order by TimeGenerated desc
| take 20

Lookup by IP Range or ASN

Search for a specific IP range or ASN in the ASN table:

KQL
Ipinfo_ASN_CL
| where asn == "AS13335"
| project asn, name, domain, asn_type, TimeGenerated

Top ASN Types

Summarize records by ASN type to understand the distribution of ISP, hosting, business, and education networks:

KQL
Ipinfo_ASN_CL
| summarize Count = count() by asn_type
| order by Count desc

Abuse Contact Lookup

Find the abuse contact for a specific IP range:

KQL
Ipinfo_Abuse_CL
| where ip_range has "8.8.8"
| project ip_range, name, email, country

Country Distribution

Analyze the distribution of IP ranges by country:

KQL
Ipinfo_Country_CL
| summarize Count = count() by country
| order by Count desc
| take 20

Privacy/VPN Detection

Identify IP ranges flagged as VPN, proxy, Tor, or hosting providers:

KQL
Ipinfo_Privacy_CL
| where vpn == true or proxy == true or tor == true
| summarize Count = count() by vpn, proxy, tor, hosting
| order by Count desc

Cross-Table Join Example

Enrich ASN data with abuse contact information:

KQL
Ipinfo_ASN_CL
| join kind=inner (Ipinfo_Abuse_CL) on $left.ip_range == $right.ip_range
| project ip_range, asn, name, abuse_email = email, country
| take 20

Ingestion Trend Over Time

Chart the volume of ingested records over the last 7 days:

KQL
Ipinfo_ASN_CL
| where TimeGenerated > ago(7d)
| summarize Count = count() by bin(TimeGenerated, 1d)
| render timechart

Longitude Filter

Analyze IP ranges located in the western hemisphere:

KQL
Ipinfo_Location_extended_CL
| where toreal(longitude) < 0
| take 50

Network and Firewall Requirements

The Azure Function App requires outbound HTTPS (port 443) access to the following endpoints:

| Domain | Purpose |
| --- | --- |
| ipinfo.io | Dataset downloads (initial request to ipinfo.io/data/) |
| storage.googleapis.com | Dataset downloads redirect to this domain for file delivery |
| login.microsoftonline.com | Entra ID authentication (OAuth2 token acquisition) |
| *.monitor.azure.com | Data Collection Endpoint (log ingestion via DCR) |
| *.blob.core.windows.net | Azure Storage (Function App state and runtime) |

Ensure these domains are allowlisted in your firewall or Network Security Group (NSG) configuration. If your organization uses an SSL-intercepting proxy or TLS inspection, the Function App may fail with certificate verification errors. In that case, the proxy must pass through traffic to these domains without inspection, or you must add your organization's root CA certificate to the Function App's certificate store.

Troubleshooting & Common Issues

No Data Appearing in Tables

If you do not see data in your custom tables after deployment:

  1. Verify the Function App status is Running (Check the Function App Status).
  2. Check the Function App logs for errors (View Function Execution Logs).
  3. Confirm the App Registration has the Log Analytics Contributor, Monitoring Contributor and Monitoring Metrics Publisher roles assigned.
  4. Ensure the IPINFO_TOKEN is valid and has the correct plan access.
  5. Allow up to 15 minutes after the first function execution for data to appear in Log Analytics.

HTTP 403 Forbidden Error

This typically means the App Registration is missing the required role assignment.

  1. Go to the resource group > Access control (IAM).
  2. Verify that your App Registration has Log Analytics Contributor, Monitoring Contributor and Monitoring Metrics Publisher roles.
  3. If the role was just assigned, wait a few minutes for propagation and trigger the function again.

HTTP 401 Unauthorized Error

This indicates an authentication failure.

  1. Verify the CLIENT_SECRET has not expired in the App Registration.
  2. Confirm the TENANT_ID and CLIENT_ID are correct.
  3. Verify the IPINFO_TOKEN is valid by testing it at https://ipinfo.io/me?token=YOUR_TOKEN.

Function Timeout

Some connectors process large datasets and may take several hours to complete. The connectors run on an Elastic Premium (EP2) plan which supports long-running executions. If a function appears to time out:

  1. Check Application Insights for any memory or execution errors.
  2. Verify the Function App plan is EP2 (not Consumption/Y1, which has a 10-minute limit).
  3. Review the Function App configuration to ensure the functionTimeout setting is not set to a low value.

Duplicate or Missing Data

If data appears duplicated or incomplete:

  1. Check whether the function was triggered multiple times (review Application Insights for overlapping executions).
  2. Verify the timer trigger schedule in the function configuration.
  3. For missing data, review the function logs to confirm the dataset download completed successfully.

Deployment Failure

If the ARM template deployment fails:

  1. Review the deployment error details in the Azure Portal under the resource group > Deployments.
  2. Ensure all required parameters were provided and correctly formatted.
  3. Verify the RESOURCE_ID follows the correct format: /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{name}
  4. Ensure you have Contributor permissions on the target resource group.

Client Secret Expired

Secrets have a limited lifespan (6 months, 1 year, or 2 years). When expired, the function silently fails.

Symptoms: HTTP 401 errors after weeks/months of normal operation.

Fix:

  1. Entra ID → App registrations → your app → Certificates & secrets → create a new secret.
  2. Function App → Configuration → update CLIENT_SECRET → Save → restart.

Prevention: Set a calendar reminder before expiry.
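
An added example (not part of the IPinfo solution) that turns the reminder into a check: it reads the JSON printed by `az ad app credential list --id <CLIENT_ID>` and reports secrets that are expired or close to expiry. The sample credentials, the 30-day threshold and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape printed by
# `az ad app credential list --id <CLIENT_ID>` (all values are made up).
SAMPLE_CREDENTIALS = """[
  {"displayName": "sentinel-2024",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2025-05-20T00:00:00Z"},
  {"displayName": "sentinel-2025",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2025-06-15T00:00:00.1234567Z"},
  {"displayName": "sentinel-next",
   "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2026-06-01T00:00:00Z"}
]"""


def parse_utc(text):
    """Parse a UTC timestamp such as 2025-06-15T00:00:00.1234567Z."""
    base = text.rstrip("Z").split(".")[0]  # drop 'Z' and fractional seconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials_json, now, warn_days=30):
    """Return expired or soon-to-expire secrets, soonest expiry first."""
    findings = []
    for cred in json.loads(credentials_json):
        end = parse_utc(cred["endDateTime"])
        if end <= now:
            status = "EXPIRED"
        elif end - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            continue  # comfortably valid, nothing to report
        findings.append({
            "name": cred.get("displayName") or "(unnamed)",
            "key_id": cred["keyId"],
            "days_left": (end - now).days,
            "status": status,
        })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for f in secrets_needing_rotation(SAMPLE_CREDENTIALS, now):
        print(f"{f['status']:9} {f['name']:15} {f['days_left']:4} days  {f['key_id']}")
```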

Resource Provider Not Registered

Symptoms: Deployment fails with MissingSubscriptionRegistration or "not registered to use namespace 'Microsoft.Insights'".

Fix: Go to Subscriptions → your subscription → Resource providers → register Microsoft.Insights, Microsoft.Web, and Microsoft.OperationalInsights.

Storage Account Firewall Issues

Symptoms: Function App shows Error status or fails to start.

Fix: Navigate to the Storage Account → Networking → set Public network access to Enabled from all networks, or add the Function App's outbound IPs. Adding only the Function App's outbound IPs keeps the storage account closed to other networks.

Redeployment Conflicts

Symptoms: Deployment fails with "Resource already exists".

Fix: Delete the previous Function App, DCR, DCE, and Storage Account from the resource group before redeploying, or use a different Function App name.

Monitoring Database Downloads

To verify that your connector is regularly downloading and ingesting fresh data, use either of these methods:

Method 1: Data Freshness Query

In your Log Analytics Workspace, run the following KQL query (replace the table name with your connector's table):

KQL
Ipinfo_ASN_CL
| summarize LastIngestion = max(TimeGenerated)

If the timestamp is recent (within the last 24 hours for a daily schedule), downloads and ingestion are working normally. If the timestamp is stale, check the Function App logs for errors.

Method 2: Application Insights

Open the Application Insights resource linked to your Function App and run:

KQL
traces
| where timestamp > ago(7d)
| where message has "downloaded successfully" or message has "Failed to download"
| project timestamp, message
| order by timestamp desc

Successful runs will show messages confirming the file was downloaded. Failed downloads will show error messages, often indicating an invalid or expired IPinfo token.

If no download messages appear at all, the Function App may not be running — verify its Status is Running in the Azure Portal.

Change Database Download Schedule

Each connector comes pre-configured with a default schedule that runs daily at 9:30 AM UTC. No manual schedule setup is required.

IPinfo datasets are updated once per day. Running the connector more frequently than daily provides no new data and only increases compute costs. If you still need to change the cron schedule:

  1. In the Azure Portal, navigate to your Function App.
  2. Go to Settings > Configuration.
  3. Find the SCHEDULE application setting. The value is a cron expression in NCRONTAB format (six fields).
  4. Edit the value, click Save, then restart the Function App.

| Schedule | Cron Expression |
| --- | --- |
| Daily at 9:30 AM UTC (default) | 0 30 9 * * * |
| Daily at midnight UTC | 0 0 0 * * * |
| Weekly on Monday at 6 AM | 0 0 6 * * 1 |
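
An added example (not the connector's own code) that checks a SCHEDULE value before you save it: it enforces the six-field form described above and warns when the expression fires more than once per matching day, for instance when `*` is left in the seconds field. It handles numeric fields only; month and weekday names are not parsed.

```python
# Added example: validate a six-field NCRONTAB SCHEDULE value.
# Numeric fields only; names such as JAN or MON are not handled here.
FIELDS = [  # (name, lowest, highest) in NCRONTAB field order
    ("second", 0, 59), ("minute", 0, 59), ("hour", 0, 23),
    ("day", 1, 31), ("month", 1, 12), ("day-of-week", 0, 6),
]


def expand_field(text, name, low, high):
    """Expand '*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n' or 'a/n' to sorted ints."""
    values = set()
    for part in text.split(","):
        rng, slash, step_text = part.partition("/")
        try:
            step = int(step_text) if slash else 1
            if rng == "*":
                start, end = low, high
            elif "-" in rng:
                start, end = (int(x) for x in rng.split("-", 1))
            else:
                start = int(rng)
                end = high if slash else start  # 'a/n' runs from a to the maximum
        except ValueError:
            raise ValueError(f"{name}: cannot parse {part!r}") from None
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError(f"{name}: {part!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def check_schedule(expr):
    """Return (runs_per_matching_day, warnings) for a SCHEDULE value."""
    parts = expr.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)} in {expr!r}")
    fields = {
        name: expand_field(text, name, low, high)
        for text, (name, low, high) in zip(parts, FIELDS)
    }
    runs = len(fields["second"]) * len(fields["minute"]) * len(fields["hour"])
    warnings = []
    if runs > 1:
        warnings.append(
            f"fires {runs} times per matching day; the datasets update once per day"
        )
    return runs, warnings


if __name__ == "__main__":
    for value in ("0 30 9 * * *", "* 30 9 * * *", "0 */5 * * * *"):
        print(value, "->", check_schedule(value))
```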

Key Azure Portal Paths

| Action | Portal Path |
| --- | --- |
| Create Log Analytics Workspace | Azure Portal > Log Analytics workspaces > + Create |
| Enable Sentinel | Azure Portal > Microsoft Sentinel > + Create |
| Install Solution | Sentinel > Content Hub > Search "IPinfo" > Install |
| Deploy Connector | Sentinel > Data connectors > IPinfo [type] > Deploy to Azure |
| View Function Logs | Azure Portal > Function Apps > [App] > Monitoring > Log stream |
| Query Data | Log Analytics Workspace > Logs |
| App Registration | Azure Portal > Microsoft Entra ID > App registrations |
| Role Assignment | Subscriptions > Access control (IAM) > Add role assignment |

We welcome your feedback, and if you have any feature requests or need support using the IPinfo Microsoft Sentinel integration, please create a post in our IPinfo Community or contact support@ipinfo.io.
