The Scenario
It is 4:45 PM on a Tuesday. Your security team lead just forwarded you a SIEM export: 500 login IP addresses flagged as anomalous over the last 48 hours. She needs a triage sheet by end of day — country, ASN, and a threat flag for each one — so the team can decide which accounts to lock before the overnight window.
You open the export in Google Sheets. Column A is full of IPs. Columns B through F are blank.
The bad version:
- Open ipdata.co in a browser tab, paste the first IP, read the response, switch back to Sheets, type country into B2, ASN into C2, threat status into D2, repeat.
- After 30 rows you have lost track of which tab you were on and mistyped a country code.
- At row 80 you check the clock and realize the meeting is in 40 minutes and you have 420 IPs left.
The board is reviewing the incident tomorrow morning. Showing up with a half-finished triage sheet is not an option your manager is going to find acceptable.
The Easy Way: One Prompt in SheetXAI
SheetXAI is an AI agent that lives inside your Google Sheet. It reads the IP column, calls ipdata.co in bulk, and writes the enrichment results back into the right columns. No scripts, no row-by-row pasting.
For each IP address in column A, fetch the country, city, ASN organization, and threat status from ipdata.co and write the results to columns B through E. Flag any row where threat status is true as HIGH RISK in column F.
What You Get
- Column B: full country name for each IP (e.g., "United States," "Romania")
- Column C: city name where available
- Column D: ASN organization string (e.g., "Amazon.com Inc," "SIFY Technologies")
- Column E: boolean threat flag from ipdata.co
- Column F: "HIGH RISK" label on every row where threat is true
- Rows with no data returned (private ranges, lookup failures) noted with a blank or an error string so nothing silently disappears
What If the Data Is Not Quite Ready
The IP column has leading spaces or trailing characters
Before enriching, trim column A to remove any whitespace or trailing characters from each IP address, then run the ipdata.co lookup for country, ASN, and threat status and write to columns B through D.
Some rows have hostnames instead of IPs
For each value in column A: if it looks like an IP address, enrich it with ipdata.co for country, ASN, and threat status. If it looks like a hostname, write "hostname-skip" in column B and leave C and D blank.
The threat data needs to cross-reference a separate allowlist tab
Enrich all IPs in column A with ipdata.co threat status and write to column E. Then check column A against the allowlist in the Approved IPs tab — if the IP appears there, overwrite column E with "ALLOWLISTED" regardless of the threat flag.
Full kill-chain: deduplicate, enrich, flag, and summarize
Remove duplicate IPs from column A, then enrich each unique IP with ipdata.co for country, ASN organization, and threat status — writing results to columns B, C, and D. Flag any row where threat is true as HIGH RISK in column E. Add a summary below the data: total IPs checked, count of HIGH RISK rows, and the top three countries by frequency.
One prompt handles the cleanup, the enrichment, the flagging, and the summary in a single pass.
Try It
Get the 7-day free trial of SheetXAI and open your suspicious-IP triage sheet, then ask SheetXAI to enrich column A with ipdata.co threat flags and geolocation. When you are done, check out the sibling article on screening leads for bot traffic or return to the ipdata.co integration overview.