What Changed

New Microsoft Sentinel solution for Spur Context API integration, providing high-fidelity IP intelligence capabilities for security operations.

Data Source

Spur Context API delivers hosted high-performance IP enrichment lookups tracking:

  • Hundreds of millions of active anonymous IPs across 1,000+ VPN and proxy services
  • Real-time updates on anonymization infrastructure and behavioral changes
  • 20+ enrichment attributes per IP including geography, ASN, proxy/VPN attribution, device/connection type, and tunnel entry/exit context

Security Impact

Addresses detection blind spots around sophisticated evasion techniques:

  • VPN Detection: Identifies traffic from virtual private networks used to obscure origin
  • Residential Proxy Detection: Detects legitimate residential IPs being used as proxy infrastructure
  • Bot Automation: Flags automated traffic attempting to appear legitimate

Content Delivered

Custom Connector: Provides three core actions:

  • Get IP Context: Returns intelligence and risk context for IP addresses
  • Get Tag Metadata: Retrieves provider/service tag information
  • Check API Token Status: Monitors quota and service tier

Playbooks (2):

  • Alert Trigger: Enriches IP entities in new alerts, adds context as incident comments, optionally saves to Log Analytics custom table
  • Incident Trigger: Same enrichment capabilities triggered on incident creation
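
The enrichment flow the two playbooks implement, sketched as an added Python example (not code from this solution or from Spur); the record shape and attribute names are a constructed, simplified stand-in for the connector's Get IP Context response and not the real Spur schema:

```python
# Constructed sample records in an ASSUMED simplified shape (not Spur's real schema),
# covering a few of the attributes the solution lists: geography, ASN, proxy/VPN
# attribution, connection type and tunnel context. Bot-automation signals are not
# modelled here, since this sketch does not know which attribute carries them.
SAMPLE_CONTEXT = {
    "203.0.113.10": {"country": "NL", "asn": 64500, "vpn_services": ["ExampleVPN"],
                     "residential_proxy": False, "connection_type": "DATACENTER",
                     "tunnel_type": "VPN"},
    "198.51.100.7": {"country": "US", "asn": 64501, "vpn_services": [],
                     "residential_proxy": True, "connection_type": "RESIDENTIAL",
                     "tunnel_type": None},
    "192.0.2.55":   {"country": "DE", "asn": 64502, "vpn_services": [],
                     "residential_proxy": False, "connection_type": "MOBILE",
                     "tunnel_type": None},
}

def lookup_context(ip: str, source=SAMPLE_CONTEXT):
    """Stand-in for the connector's Get IP Context action; None when the IP is unknown."""
    return source.get(ip)

def risk_flags(ctx: dict) -> list:
    """Map enrichment attributes onto the evasion categories the solution targets."""
    flags = []
    if ctx.get("vpn_services") or ctx.get("tunnel_type") == "VPN":
        flags.append("VPN")
    if ctx.get("residential_proxy"):
        flags.append("RESIDENTIAL_PROXY")
    return flags

def enrich_alert_ips(ip_entities: list, save_to_table: bool = True):
    """Mirror the playbook: one incident comment plus optional custom-table rows.

    Returns (comment_text, rows). Duplicate IP entities are looked up once, and an IP
    with no context is still reported in the comment so the gap is visible to the analyst.
    """
    lines, rows = [], []
    for ip in dict.fromkeys(ip_entities):          # de-duplicate, keep alert order
        ctx = lookup_context(ip)
        if ctx is None:
            lines.append(f"{ip}: no context returned")
            continue
        flags = risk_flags(ctx)
        lines.append(f"{ip}: {ctx['country']} AS{ctx['asn']} {ctx['connection_type']} "
                     f"flags={','.join(flags) or 'none'}")
        if save_to_table:
            rows.append({"IpAddress": ip, "Country": ctx["country"], "Asn": ctx["asn"],
                         "ConnectionType": ctx["connection_type"], "RiskFlags": flags})
    return "\n".join(lines), rows
```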

Deployment Requirements

  • Spur API key
  • Azure App Registration for authentication
  • Data Collection Rule and Endpoint configuration for optional log storage
  • ARM template deployment for custom connector and playbooks

Affected Files

Logos/Spur_Context_API.svg
Solutions/Spur/Images/Spur.png
Solutions/Spur/Package/testParameters.json
Solutions/Spur/Playbooks/CustomConnector/azuredeploy.json
Solutions/Spur/Playbooks/CustomConnector/readme.md
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/azuredeploy.json
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/comments.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/custom_table.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/images/deployment.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Alert-Trigger/readme.md
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/azuredeploy.json
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/comments.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/custom_table.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/deployment.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/images/post_deployment_connections.png
Solutions/Spur/Playbooks/Spur-Get-IP-Context-Data-Incident-Trigger/readme.md
Solutions/Spur/readme.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Spur.json, createUiDefinition.json, mainTemplate.json)