
Spur: IP Intelligence and Enrichment for Microsoft Sentinel

Author: Spur Intelligence Corporation

Spur Context API: IP Intelligence and Enrichment

Real-Time IP Intelligence for Security & Fraud Detection

Spur Context API provides on-demand access to high-fidelity IP intelligence and enrichment data, enabling organizations to identify anonymized traffic, assess network risk, and improve threat detection across Microsoft security environments.

Built for modern security operations, fraud prevention, and threat intelligence workflows, Spur delivers continuously updated enrichment data to help teams detect VPNs, residential proxies, hosting providers, bot automation, and other forms of obscured or high-risk network activity in real time.


What does this solution provide?

This solution enables Microsoft customers to enrich IP addresses observed in Microsoft Sentinel, Microsoft Defender, SIEM, SOAR, and custom security workflows with Spur’s industry-leading IP intelligence datasets.

Spur Context API provides:

    • Broad Anonymous IP Coverage - Tracks hundreds of millions of active anonymized IPs across more than 1,000 VPN, proxy, and tunneling providers worldwide.
    • Real-Time Intelligence Updates - Continuously refreshed infrastructure and attribution data ensures security teams have access to the latest observed anonymization behavior and network changes.
    • Deep IP Context & Attribution - Returns 20+ enrichment attributes per IP address, including:
        • VPN and proxy detection
        • Residential proxy identification
        • Hosting and cloud provider attribution
        • ASN and ISP information
        • Geolocation
        • Device and connection type
        • Tunnel entry and exit context
        • Risk and anonymization indicators
    • Low-Latency API Enrichment - Delivers enrichment responses with minimal latency, enabling inline security decisioning and automated workflows at scale.
    • Flexible Security Integrations - Designed for integration into SIEM, SOAR, fraud prevention, identity protection, and threat hunting pipelines.


Who is this solution designed for?

This solution is designed for:

    • Security Operations Center (SOC) teams
    • Threat intelligence analysts
    • Fraud prevention and trust & safety teams
    • Identity and access management teams
    • Detection engineers
    • Security automation and SOAR teams
    • Microsoft Sentinel users seeking advanced IP enrichment capabilities

It is particularly valuable for organizations that need to distinguish legitimate users from anonymized, automated, or high-risk traffic in real time.


What enrichment data is available?

Spur Context API enrichment includes:

    • IP geolocation
    • ASN and network ownership
    • VPN detection
    • Residential proxy detection
    • Hosting provider attribution
    • Proxy and tunneling identification
    • Device and connection metadata
    • ISP and carrier information
    • Entry and exit node context
    • Risk and anonymization indicators
    • Real-time infrastructure attribution


Key Use Cases

    • Threat Detection & Investigation - Enrich security telemetry with contextual IP intelligence to improve incident triage, identify malicious infrastructure, and accelerate investigations.
    • Fraud Prevention & Account Protection - Detect suspicious login activity, account takeover attempts, fake account creation, and automated abuse originating from anonymized or proxy-based traffic.
    • Security Automation & Response - Integrate real-time IP enrichment into automated playbooks, alerting workflows, and inline access controls to improve response speed and reduce manual analysis.
    • Access & Network Policy Enforcement - Apply adaptive access policies and dynamic network controls based on IP risk, anonymization status, hosting classification, or geographic indicators.
    • Threat Hunting & Intelligence - Correlate IP infrastructure across environments and uncover malicious activity linked to VPN providers, residential proxy networks, and hosting infrastructure.
    • Reduce Alert Fatigue - Prioritize actionable alerts by enriching logs and detections with high-confidence IP context, helping analysts focus on legitimate threats.


How to access / activate this solution

Customers will need an active Spur Context API subscription and API credentials to begin enriching IP intelligence data within Microsoft Sentinel workflows. Visit https://spur.us/platform/api for more information.
