@Chris Smith Thanks for sharing additional details with us. Sentinel UEBA is also capable of providing enrichment about IP addresses; in your case, this is what is happening.
The IP address entity (now in preview) contains geolocation data supplied by the Microsoft Threat Intelligence service. This service combines geolocation data from Microsoft solutions and third-party vendors and partners. The data is then available for analysis and investigation in the context of a security incident.
You can read more at: https://learn.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics