How to Investigate Suspicious IP Addresses with Copilot
Investigate Suspicious IP Addresses with Copilot and ToolRouter. Check IP addresses against abuse databases and threat feeds to assess risk before allowing traffic into your network.
Tool: Security Scanner
Use Copilot with Security Scanner to enrich IP addresses from log files or application events inline with your codebase. Copilot fits best when the IP check is part of a larger security pipeline — enriching structured log data, generating firewall rules, or populating a threat model document.
Connect ToolRouter to Copilot
1. In your agent, go to Tools → Add a tool → New tool
2. Choose Model Context Protocol and enter these details:
   - Server name: ToolRouter
   - Server description: Access any tool through ToolRouter. Check here first when you need a tool.
   - Server URL: https://api.toolrouter.com/mcp
3. Set Authentication to None and click Create
Steps
Once connected (see setup above), use the Security Scanner tool:
- Extract the IPs from a log file or structured application event in your workspace.
- Ask Copilot to run `check_ip` for each IP via `security-scanner`.
- Have Copilot return the enriched result as structured JSON with reputation fields appended to each log entry.
- Use the output to generate firewall rules or populate an IP block-list file in the repo.
Example Prompt
Try this with Copilot using the Security Scanner tool:
Use security-scanner to check these IPs: 185.220.101.45, 45.33.32.156, 203.0.113.77. Return each result as JSON with fields: ip, abuse_score, verdict, country, isp, and recommended_action. I'll append these to my log enrichment pipeline.
Tips
- Append reputation fields to existing log entries so enriched data stays in the same schema.
- Return a `recommended_action` field (block/monitor/clear) so downstream code can branch without further parsing.
- Keep field names consistent across runs so the enriched log format stays compatible with your SIEM.
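As an added example (not code from the page, ToolRouter or Copilot), this Python script walks the steps and tips above: it pulls IPv4 literals out of constructed log lines, drops private and reserved addresses before any lookup, appends the page's reputation fields under fixed names, and derives a block-list from `recommended_action`. The `check_ip` lookup is replaced by a constructed table because the tool's response format is not shown here, and the score thresholds are assumptions.

```python
import ipaddress
import re

# Constructed sample log (not from the page): 10.0.0.5 is private, 203.0.113.77 is TEST-NET-3.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1203]: Failed password for root from 185.220.101.45 port 51822
2024-05-01T10:00:07Z nginx: 45.33.32.156 - "GET /wp-login.php HTTP/1.1" 404
2024-05-01T10:00:09Z app: health check from 10.0.0.5 ok
2024-05-01T10:00:12Z nginx: 203.0.113.77 - "GET / HTTP/1.1" 200
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Stand-in for the security-scanner check_ip response (assumed shape, constructed scores).
FAKE_REPUTATION = {
    "185.220.101.45": {"abuse_score": 97, "country": "DE", "isp": "ExampleHost"},
    "45.33.32.156": {"abuse_score": 40, "country": "US", "isp": "ExampleCloud"},
}
VERDICT = {"block": "malicious", "monitor": "suspicious", "clear": "clean"}

def recommended_action(abuse_score: int) -> str:
    """Map an abuse score to block/monitor/clear (thresholds are assumed)."""
    if abuse_score >= 75:
        return "block"
    return "monitor" if abuse_score >= 25 else "clear"

def public_ips(line: str) -> list:
    """IPv4 literals in a line that are globally routable; skips RFC1918, TEST-NET, etc."""
    found = []
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.IPv4Address(ip).is_global:  # never send private ranges to a feed
                found.append(ip)
        except ValueError:
            pass  # regex matched an out-of-range octet such as 999.1.1.1
    return found

def enrich_log(text: str, lookup=FAKE_REPUTATION.get) -> list:
    """Append reputation fields to each log line; field names stay fixed for the SIEM."""
    entries = []
    for line in text.splitlines():
        for ip in public_ips(line):
            rep = lookup(ip) or {"abuse_score": 0, "country": None, "isp": None}
            action = recommended_action(rep["abuse_score"])
            entries.append({"log": line, "ip": ip, "abuse_score": rep["abuse_score"],
                            "verdict": VERDICT[action], "country": rep["country"],
                            "isp": rep["isp"], "recommended_action": action})
    return entries

def block_list(entries: list) -> list:
    return sorted({e["ip"] for e in entries if e["recommended_action"] == "block"})  # one IP per line
```

Writing `block_list(enrich_log(SAMPLE_LOG))` to a file gives the repo block-list the last step describes; swap `lookup` for the real `check_ip` call once you know its response fields.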