Spur-Microsoft Sentinel Integration Automates IP Investigation and Response Workflows

Microsoft has released an approved integration with Spur Context API on the Microsoft Marketplace. The integration enables Microsoft customers to enrich IP addresses observed in Microsoft Sentinel, Microsoft Defender, SIEM, SOAR, and custom security workflows with Spur’s IP intelligence datasets, and it requires no custom connectors or manual API configuration.
As a result, security teams are able to enrich IPs during investigation and response workflows inside Sentinel, giving analysts more context without leaving their existing SIEM/SOAR environment.
Spur Context API: IP Enrichment for Microsoft Sentinel
Spur Context API provides on-demand access to high-fidelity IP intelligence and enrichment data, enabling organizations to detect VPNs, residential proxies, hosting providers, bot automation, and other forms of obscured or high-risk network activity in real time. Context API delivers enrichment responses with minimal latency, enabling inline security decisioning and automated workflows at scale.
Built for SOC teams, threat intelligence analysts, and detection engineers, Spur IP enrichment for Microsoft Sentinel includes attributes such as:
- IP geolocation
- ASN and network ownership
- VPN detection
- Residential proxy detection
- Hosting provider attribution
- Proxy and tunneling identification
- Device and connection metadata
- ISP and carrier information
- Entry and exit node context
- Risk and anonymization indicators
- Real-time infrastructure attribution
By including this enrichment in Sentinel logs, organizations can better distinguish legitimate users from anonymized, automated, or high-risk traffic in real time to improve threat detection and simplify investigations across their Microsoft security environments.

Spur Context API provides deep intelligence to enrich IPs observed in Sentinel logs.
Key Use Cases
Microsoft Sentinel customers leverage the Context API integration to address multiple security, threat hunting, and incident response use cases.
- Threat Detection and Investigation: Enrich security telemetry with contextual IP intelligence to improve incident triage, identify malicious infrastructure, and accelerate investigations.
- Fraud Prevention and Account Protection: Detect suspicious login activity, account takeover attempts, fake account creation, and automated abuse originating from anonymized or proxy-based traffic.
- Security Automation and Response: Integrate real-time IP enrichment into automated playbooks, alerting workflows, and inline access controls to improve response speed and reduce manual analysis.
- Access and Network Policy Enforcement: Apply adaptive access policies and dynamic network controls based on IP risk, anonymization status, hosting classification, or geographic indicators.
- Threat Hunting and Intelligence: Correlate IP infrastructure across environments and uncover malicious activity linked to VPN providers, residential proxy networks, and hosting infrastructure.
- Reduce Alert Fatigue: Prioritize actionable alerts by enriching logs and detections with high-confidence IP context, helping analysts focus on legitimate threats.

The Spur Context API-Microsoft Sentinel integration delivers real-time IP enrichment to automated playbooks, accelerating incident investigations.

With the Spur-Microsoft Sentinel integration, customers can focus on legitimate threats with high-confidence IP context informing alerts.
How to Activate the Spur-Microsoft Sentinel Integration
Customers will need an active Spur Context API subscription and API credentials to begin enriching IP addresses with Spur intelligence data within their Microsoft Sentinel workflows. To learn more, read the Microsoft Sentinel integration datasheet, get an overview of Context API, or view our pricing plans.
See the Difference Between Raw Data & Real Intelligence
Start enriching IPs with Spur to reveal the residential proxies, VPNs, and bots hiding in plain sight.