├── Convert-html-content-to-json-string.ps1
├── readme.md
├── logicapp-enrich-incident-virustotal-ip-comment.html
├── logicapp-enrich-incident-virustotal-filehash-comment.html
└── logicapp-enrich-incident-virustotal.template.json

--------------------------------------------------------------------------------
/Convert-html-content-to-json-string.ps1:
--------------------------------------------------------------------------------
# Read the comment template as one string, drop the line breaks (CRLF or LF) so the
# result is a single line, and let ConvertTo-Json escape it into the JSON string
# literal that goes into the playbook's "message" value.
$jsonString = (Get-Content ./logicapp-enrich-incident-virustotal-filehash-comment.html -Raw) -replace "\r?\n", "" | ConvertTo-Json
Write-Host $jsonString

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# Introduction

**This repository is referred to by one of my articles on Medium.**

> Once a security incident is raised, and triage begins, our security analysts often take very similar steps during their investigations.

> Automation might be able to help to shorten investigations, bring down ‘alert fatigue’ and in turn make sure your analysts have more time to make your organization even safer.

> In this article I’ll demonstrate how to leverage VirusTotal’s services to automatically scan all of your file hashes and IP addresses that come through Microsoft Sentinel as entities in their respective incidents. The scan results are then automatically attached to the security incidents so that your analysts see the reputation and other details in an instant, without having to go out and retrieve this information themselves.

https://medium.com/@koosg/automate-your-sentinel-incident-triage-a316d229f2fc
# Contents

### logicapp-enrich-incident-virustotal.template.json

The ARM template that deploys the Logic App used as the example in the article. It creates two API connections, `api-connection-azuresentinel` and `api-connection-virustotal`, and a workflow that starts on the Microsoft Sentinel incident trigger, collects the incident's IP address and file hash entities, looks each one up through the VirusTotal connector (`/api/v3/ip_addresses/{ip}` and `/api/v3/files/{hash}`) and posts the report as a comment on the incident.

An incident often carries the MD5, SHA-1 and SHA-256 of the same file as separate entities, and VirusTotal resolves all three to the same object (`data.id`). The file hash loop therefore keeps every id it has already commented on in the `reported_ids` array and skips ids it has seen. Because that check reads and appends a shared variable, the loop runs with `concurrency.repetitions` set to 1; without that setting the iterations run in parallel, race on the array and can post duplicate comments. The template has no error handling: when VirusTotal does not know a hash or IP address the lookup action fails, the comment step of that iteration is skipped and the run is reported as failed.

To deploy this playbook, click the button below. After deployment the two API connections still have to be authorized: open the Sentinel and VirusTotal steps in the designer and create or select a connection for each with your own settings (for VirusTotal, your API key). The identity behind the Sentinel connection needs permission to add comments to incidents (the Microsoft Sentinel Responder role is sufficient), and the playbook runs only when an automation rule triggers it or an analyst runs it on an incident.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FTheCloudScout%2Fincident-enrich-virustotal%2Fmain%2Flogicapp-enrich-incident-virustotal.template.json)
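Two mistakes are easy to make when editing the template's JSON by hand and only show up at run time: referencing a connection that is not declared under `$connections`, and dropping the `concurrency.repetitions` setting from a loop that appends to `reported_ids`. The Python below is an added example, not part of this repository, that lints a workflow's `properties` object for both. `SAMPLE_WORKFLOW` is a constructed, trimmed-down copy of the template's shape with both mistakes present, and `make_loops_sequential` applies the concurrency fix.

```python
"""Static checks over a Logic Apps workflow definition in the shape used by the
playbook template in this repository (added example, not part of the repository).

  1. an ApiConnection step whose host.connection.name points at a key that is
     not declared under parameters.$connections;
  2. a Foreach whose body mutates a variable without runtimeConfiguration.
     concurrency.repetitions = 1: iterations then run in parallel, race on the
     variable, and a "not reported before" check can pass twice for one id.
"""
import copy
import re

# The key inside @parameters('$connections')['<key>']['connectionId']
CONN_REF = re.compile(r"\$connections'\)\['([^']+)'\]")
VARIABLE_MUTATORS = {"AppendToArrayVariable", "AppendToStringVariable",
                     "SetVariable", "IncrementVariable", "DecrementVariable"}


def iter_steps(steps):
    """Yield (name, step) for every trigger or action, descending into Foreach, If, Scope and Until bodies."""
    for name, step in steps.items():
        yield name, step
        yield from iter_steps(step.get("actions", {}))
        yield from iter_steps(step.get("else", {}).get("actions", {}))


def connection_refs(step):
    """Connection keys referenced by an ApiConnection / ApiConnectionWebhook step."""
    name = step.get("inputs", {}).get("host", {}).get("connection", {}).get("name", "")
    return set(CONN_REF.findall(name))


def repetitions(step):
    return step.get("runtimeConfiguration", {}).get("concurrency", {}).get("repetitions")


def mutating_steps(loop):
    return [n for n, s in iter_steps(loop.get("actions", {})) if s.get("type") in VARIABLE_MUTATORS]


def lint_workflow(props):
    """Return problem strings for a Microsoft.Logic/workflows 'properties' object (definition + parameters)."""
    problems = []
    definition = props["definition"]
    declared = set(props.get("parameters", {}).get("$connections", {}).get("value", {}))
    steps = list(iter_steps(definition.get("triggers", {}))) + list(iter_steps(definition.get("actions", {})))
    for name, step in steps:
        if step.get("type") in ("ApiConnection", "ApiConnectionWebhook"):
            for ref in sorted(connection_refs(step) - declared):
                problems.append(f"{name}: references undeclared connection '{ref}'")
        if step.get("type") == "Foreach" and mutating_steps(step) and repetitions(step) != 1:
            problems.append(f"{name}: {', '.join(mutating_steps(step))} mutates a variable inside a loop "
                            f"with concurrency.repetitions={repetitions(step)!r}; set it to 1")
    return problems


def make_loops_sequential(props):
    """Copy of props in which every variable-mutating Foreach gets concurrency.repetitions = 1."""
    fixed = copy.deepcopy(props)
    for _, step in iter_steps(fixed["definition"].get("actions", {})):
        if step.get("type") == "Foreach" and mutating_steps(step):
            step.setdefault("runtimeConfiguration", {}).setdefault("concurrency", {})["repetitions"] = 1
    return fixed


# Constructed, trimmed-down workflow in the template's shape: the file-hash loop
# lacks the concurrency setting and the virustotal connection is not declared.
SENTINEL = "@parameters('$connections')['azuresentinel']['connectionId']"
VIRUSTOTAL = "@parameters('$connections')['virustotal']['connectionId']"
SAMPLE_WORKFLOW = {
    "definition": {
        "triggers": {"Microsoft_Sentinel_incident": {
            "type": "ApiConnectionWebhook",
            "inputs": {"host": {"connection": {"name": SENTINEL}}, "path": "/incident-creation"}}},
        "actions": {
            "Initialize_array_|_reported_ids": {
                "type": "InitializeVariable",
                "inputs": {"variables": [{"name": "reported_ids", "type": "array"}]}},
            "Loop_through_all_file_hashes": {
                "type": "Foreach",
                "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
                "actions": {
                    "VirusTotal_|_Retrieve_information_about_a_file": {
                        "type": "ApiConnection",
                        "inputs": {"host": {"connection": {"name": VIRUSTOTAL}}, "method": "get",
                                   "path": "/api/v3/files/@{encodeURIComponent(items('Loop_through_all_file_hashes')?['Value'])}"}},
                    "If_not_reported_before": {
                        "type": "If",
                        "actions": {"Append_to_array_variable": {
                            "type": "AppendToArrayVariable",
                            "inputs": {"name": "reported_ids",
                                       "value": "@body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']"}}}}}}}},
    "parameters": {"$connections": {"value": {"azuresentinel": {"connectionId": "api-connection-azuresentinel"}}}},
}

if __name__ == "__main__":
    for problem in lint_workflow(SAMPLE_WORKFLOW):
        print("PROBLEM:", problem)
    print("after make_loops_sequential:", lint_workflow(make_loops_sequential(SAMPLE_WORKFLOW)))
```

Run it against the real template by loading the JSON and passing `template["resources"][2]["properties"]` (the `Microsoft.Logic/workflows` resource) to `lint_workflow`; the deployed template passes both checks because its file hash loop already sets `repetitions` to 1.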
### logicapp-enrich-incident-virustotal-filehash-comment.html

The HTML used to construct the Sentinel comment for file hash reports. Sections that depend on optional attributes of the VirusTotal file object (`sigma_analysis_stats`, `crowdsourced_ids_stats`, `creation_date`, `last_modification_date`, `trusted_verdict` and `signature_info`) are wrapped in `if(contains(..., '<attribute>'), concat(...), null)` so they are only rendered when the report carries them, and the Unix timestamps in the report are converted with `addToTime('1970-01-01T00:00:00Z', <seconds>, 'Second', 'u')`. Note that `meaningful_name` and the `signature_info` fields come from the sample itself (submitted file names and the PE version resource) and are written into the comment without encoding; treat them as untrusted input in anything you build on top of these templates.

### logicapp-enrich-incident-virustotal-ip-comment.html

The HTML used to construct the Sentinel comment for IP address reports.

### Convert-html-content-to-json-string.ps1

An example PowerShell command line that converts the contents of an HTML file into a single, properly escaped JSON string to put into the `message` value of your playbook. Change the file name to convert the IP template the same way.

--------------------------------------------------------------------------------
/logicapp-enrich-incident-virustotal-ip-comment.html:
--------------------------------------------------------------------------------
![alt text](https://vt-gtm-wp-media.storage.googleapis.com/logo.png 'VirusTotal')
<h2>IP address: @{body('VirusTotal_|_IP_scan_report')?['data']?['id']}</h2>
<h3>Detection</h3>
<table>
<tr>
<th>Harmless</th>
<th>Malicious</th>
<th>Suspicious</th>
<th>Undetected</th>
</tr>
<tr>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}</td>
</tr>
</table>
<h3>Community Score</h3>
<table>
<tr>
<th>Malicious</th>
<th>Harmless</th>
</tr>
<tr>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['total_votes']?['malicious']}</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['total_votes']?['harmless']}</td>
</tr>
</table>
<h3>Details</h3>
<table>
<tr>
<td>Network</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['network']}</td>
</tr>
<tr>
<td>ASN Number</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['asn']}</td>
</tr>
<tr>
<td>ASN Label</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['as_owner']}</td>
</tr>
<tr>
<td>Regional Internet Registry</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['regional_internet_registry']}</td>
</tr>
<tr>
<td>Country</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['country']}</td>
</tr>
<tr>
<td>Continent</td>
<td>@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['continent']}</td>
</tr>
</table>
[Full report](https://www.virustotal.com/gui/ip-address/@{body('VirusTotal_|_IP_scan_report')?['data']?['id']})

--------------------------------------------------------------------------------
/logicapp-enrich-incident-virustotal-filehash-comment.html:
--------------------------------------------------------------------------------
![alt text](https://vt-gtm-wp-media.storage.googleapis.com/logo.png 'VirusTotal')
<h2>File: @{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['meaningful_name']} - @{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']}</h2>
<h3>Detection</h3>
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'sigma_analysis_stats'),concat('
<h4>Crowdsourced Sigma Rules</h4>
<table>
<tr>
<th>Critical</th>
<th>High</th>
<th>Medium</th>
<th>Low</th>
</tr>
<tr>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['critical'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['high'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['medium'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['low'],'</td>
</tr>
</table>
'),null)}
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'crowdsourced_ids_stats'),concat('
<h4>Crowdsourced IDS Rules</h4>
<table>
<tr>
<th>High</th>
<th>Medium</th>
<th>Low</th>
<th>Info</th>
</tr>
<tr>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['high'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['medium'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['low'],'</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['info'],'</td>
</tr>
</table>
'),null)}
<h4>Analyses</h4>
<table>
<tr>
<th>Harmless</th>
<th>Malicious</th>
<th>Suspicious</th>
<th>Undetected</th>
</tr>
<tr>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['harmless']}</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['malicious']}</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['undetected']}</td>
</tr>
</table>
<h3>Community Score</h3>
<table>
<tr>
<th>Malicious</th>
<th>Harmless</th>
</tr>
<tr>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['total_votes']?['malicious']}</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['total_votes']?['harmless']}</td>
</tr>
</table>
<h3>Details</h3>
<h4>Basic Properties</h4>
<table>
<tr>
<td>MD5</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['md5']}</td>
</tr>
<tr>
<td>SHA-1</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sha1']}</td>
</tr>
<tr>
<td>SHA-256</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sha256']}</td>
</tr>
<tr>
<td>File type</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['type_description']}</td>
</tr>
<tr>
<td>Magic</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['magic']}</td>
</tr>
<tr>
<td>File size</td>
<td>@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['size']} bytes</td>
</tr>
</table>
<h4>History</h4>
<table>
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'creation_date'),concat('
<tr>
<td>Creation Time</td>
<td>',addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['creation_date'],'Second','u'),'</td>
</tr>
'),null)}
<tr>
<td>First Submission</td>
<td>@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['first_submission_date'],'Second','u')}</td>
</tr>
<tr>
<td>Last Submission</td>
<td>@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_submission_date'],'Second','u')}</td>
</tr>
<tr>
<td>Last Analysis</td>
<td>@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_date'],'Second','u')}</td>
</tr>
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'last_modification_date'),concat('
<tr>
<td>Latest Contents Modification</td>
<td>',addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_modification_date'],'Second','u'),'</td>
</tr>
'),null)}
</table>
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'trusted_verdict'),concat('
<h4>Known source</h4>
<table>
<tr>
<td>Organization</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['trusted_verdict']?['organization'],'</td>
</tr>
<tr>
<td>File name</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['trusted_verdict']?['filename'],'</td>
</tr>
</table>
'),null)}
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'signature_info'),concat('
<h4>Signature Info</h4>
<table>
<tr>
<td>Signature verification</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['verified'],'</td>
</tr>
<tr>
<td>Copyright</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['copyright'],'</td>
</tr>
<tr>
<td>Product</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['product'],'</td>
</tr>
<tr>
<td>Description</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['description'],'</td>
</tr>
<tr>
<td>Original Name</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['original name'],'</td>
</tr>
<tr>
<td>Internal Name</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['internal name'],'</td>
</tr>
<tr>
<td>File Version</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['file version'],'</td>
</tr>
<tr>
<td>Date signed</td>
<td>',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['signing date'],'</td>
</tr>
</table>
'),null)}

[Full report](https://www.virustotal.com/gui/file/@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']})

--------------------------------------------------------------------------------
/logicapp-enrich-incident-virustotal.template.json:
--------------------------------------------------------------------------------
1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "playbook_name": { 6 | "defaultValue": "enrich-incident-virustotal", 7 | "type": "String" 8 | } 9 | }, 10 | "resources": [ 11 | { 12 | "type": "Microsoft.Web/connections", 13 | "apiVersion": "2016-06-01", 14 | "name": "api-connection-azuresentinel", 15 | "location": "[resourceGroup().location]", 16 | "kind": "V1", 17 | "properties": { 18 | "displayName": "api-connection-azuresentinel", 19 | "api": { 20 | "name": "api-connection-azuresentinel", 21 | "displayName": "Microsoft Sentinel", 22 | "description": "Cloud-native SIEM with a built-in AI so you can focus on what matters most", 23 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", 24 | "type": "Microsoft.Web/locations/managedApis" 25 | } 26 | } 27 | }, 28 | { 29 | "type": "Microsoft.Web/connections", 30 | "apiVersion": "2016-06-01", 31 | "name": "api-connection-virustotal", 32 | "location": "[resourceGroup().location]", 33 | "kind": "V1", 34 | "properties": { 35 | "displayName": "api-connection-virustotal", 36 | "api": { 37 | "name": "api-connection-virustotal", 38 | "displayName": "Virus Total", 39 | "description": "Virus Total is an online service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. 
It provides an API that allows users to access the information generated by VirusTotal.", 40 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/virustotal')]", 41 | "type": "Microsoft.Web/locations/managedApis" 42 | } 43 | } 44 | }, 45 | { 46 | "type": "Microsoft.Logic/workflows", 47 | "apiVersion": "2017-07-01", 48 | "name": "[parameters('playbook_name')]", 49 | "location": "[resourceGroup().location]", 50 | "dependsOn": [ 51 | "api-connection-azuresentinel", 52 | "api-connection-virustotal" 53 | ], 54 | "properties": { 55 | "state": "Enabled", 56 | "definition": { 57 | "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", 58 | "contentVersion": "1.0.0.0", 59 | "parameters": { 60 | "$connections": { 61 | "defaultValue": {}, 62 | "type": "Object" 63 | } 64 | }, 65 | "triggers": { 66 | "Microsoft_Sentinel_incident": { 67 | "type": "ApiConnectionWebhook", 68 | "inputs": { 69 | "body": { 70 | "callback_url": "@{listCallbackUrl()}" 71 | }, 72 | "host": { 73 | "connection": { 74 | "name": "@parameters('$connections')['azuresentinel']['connectionId']" 75 | } 76 | }, 77 | "path": "/incident-creation" 78 | } 79 | } 80 | }, 81 | "actions": { 82 | "Entities_-_Get_FileHashes": { 83 | "runAfter": { 84 | "Entities_-_Get_IPs": [ 85 | "Succeeded" 86 | ] 87 | }, 88 | "type": "ApiConnection", 89 | "inputs": { 90 | "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", 91 | "host": { 92 | "connection": { 93 | "name": "@parameters('$connections')['azuresentinel']['connectionId']" 94 | } 95 | }, 96 | "method": "post", 97 | "path": "/entities/filehash" 98 | } 99 | }, 100 | "Entities_-_Get_IPs": { 101 | "runAfter": {}, 102 | "type": "ApiConnection", 103 | "inputs": { 104 | "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", 105 | "host": { 106 | "connection": { 107 | "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" 108 | } 109 | }, 110 | "method": "post", 111 | "path": "/entities/ip" 112 | } 113 | }, 114 | "Initialize_array_|_reported_ids": { 115 | "runAfter": { 116 | "Entities_-_Get_FileHashes": [ 117 | "Succeeded" 118 | ] 119 | }, 120 | "type": "InitializeVariable", 121 | "inputs": { 122 | "variables": [ 123 | { 124 | "name": "reported_ids", 125 | "type": "array" 126 | } 127 | ] 128 | } 129 | }, 130 | "Loop_through_all_IPs": { 131 | "foreach": "@body('Entities_-_Get_IPs')?['IPs']", 132 | "actions": { 133 | "Add_comment_to_incident_(V3)": { 134 | "runAfter": { 135 | "VirusTotal_|_IP_scan_report": [ 136 | "Succeeded" 137 | ] 138 | }, 139 | "type": "ApiConnection", 140 | "inputs": { 141 | "body": { 142 | "incidentArmId": "@triggerBody()?['object']?['id']", 143 | "message": "\"Virustotal

IP address: @{body('VirusTotal_|_IP_scan_report')?['data']?['id']}


Detection

HarmlessMaliciousSuspiciousUndetected
@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['harmless']}@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['malicious']}@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['last_analysis_stats']?['undetected']}

Community Score

MaliciousHarmless
@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['total_votes']?['malicious']}@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['total_votes']?['harmless']}

Details

Network@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['network']}
ASN Number@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['asn']}
ASN Label@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['as_owner']}
Regional Internet Registry@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['regional_internet_registry']}
Country@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['country']}
Continent@{body('VirusTotal_|_IP_scan_report')?['data']?['attributes']?['continent']}
[Full report](https://www.virustotal.com/gui/ip-address/@{body('VirusTotal_|_IP_scan_report')?['data']?['id']})" 144 | }, 145 | "host": { 146 | "connection": { 147 | "name": "@parameters('$connections')['azuresentinel']['connectionId']" 148 | } 149 | }, 150 | "method": "post", 151 | "path": "/Incidents/Comment" 152 | } 153 | }, 154 | "VirusTotal_|_IP_scan_report": { 155 | "runAfter": {}, 156 | "type": "ApiConnection", 157 | "inputs": { 158 | "host": { 159 | "connection": { 160 | "name": "@parameters('$connections')['virustotal']['connectionId']" 161 | } 162 | }, 163 | "method": "get", 164 | "path": "/api/v3/ip_addresses/@{encodeURIComponent(items('Loop_through_all_IPs')?['Address'])}" 165 | } 166 | } 167 | }, 168 | "runAfter": { 169 | "Entities_-_Get_FileHashes": [ 170 | "Succeeded" 171 | ] 172 | }, 173 | "type": "Foreach" 174 | }, 175 | "Loop_through_all_file_hashes": { 176 | "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", 177 | "actions": { 178 | "If_not_reported_before": { 179 | "actions": { 180 | "Add_comment_to_incident_(V3)_2": { 181 | "runAfter": {}, 182 | "type": "ApiConnection", 183 | "inputs": { 184 | "body": { 185 | "incidentArmId": "@triggerBody()?['object']?['id']", 186 | "message": "\"Virustotal

File: @{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['meaningful_name']} - @{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']}


Detection

@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'sigma_analysis_stats'),concat('

Crowdsourced Sigma Rules

CriticalHighMediumLow
',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['critical'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['high'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['medium'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sigma_analysis_stats']?['low'],'
'),null)}@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'crowdsourced_ids_stats'),concat('

Crowdsourced IDS Rules

HighMediumLowInfo
',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['high'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['medium'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['low'],'',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ids_stats']?['info'],'
'),null)}

Analyses

HarmlessMaliciousSuspiciousUndetected
@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['harmless']}@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['malicious']}@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['suspicious']}@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_stats']?['undetected']}

Community Score

MaliciousHarmless
@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['total_votes']?['malicious']}@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['total_votes']?['harmless']}

Details

Basic Properties

MD5@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['md5']}
SHA-1@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sha1']}
SHA-256@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['sha256']}
File type@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['type_description']}
Magic@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['magic']}
File size@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['size']} bytes

History

@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'creation_date'),concat(''),null)}@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'last_modification_date'),concat(''),null)}
Creation Time',addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['creation_date'],'Second','u'),'
First Submission@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['first_submission_date'],'Second','u')}
Last Submission@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_submission_date'],'Second','u')}
Last Analysis@{addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_analysis_date'],'Second','u')}
Latest Contents Modification',addToTime('1970-01-01T00:00:00Z',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['last_modification_date'],'Second','u'),'
@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'trusted_verdict'),concat('

Known source

Organization',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['trusted_verdict']?['organization'],'
File name',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['trusted_verdict']?['filename'],'
'),null)}@{if(contains(body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes'],'signature_info'),concat('

Signature Info

Signature verification',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['verified'],'
Copyright',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['copyright'],'
Product',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['product'],'
Description',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['description'],'
Original Name',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['original name'],'
Internal Name',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['internal name'],'
File Version',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['file version'],'
Date signed',body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['signature_info']?['signing date'],'
'),null)}[Full report](https://www.virustotal.com/gui/file/@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']})" 187 | }, 188 | "host": { 189 | "connection": { 190 | "name": "@parameters('$connections')['azuresentinel']['connectionId']" 191 | } 192 | }, 193 | "method": "post", 194 | "path": "/Incidents/Comment" 195 | } 196 | }, 197 | "Append_to_array_variable": { 198 | "runAfter": { 199 | "Add_comment_to_incident_(V3)_2": [ 200 | "Succeeded" 201 | ] 202 | }, 203 | "type": "AppendToArrayVariable", 204 | "inputs": { 205 | "name": "reported_ids", 206 | "value": "@body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']" 207 | } 208 | } 209 | }, 210 | "runAfter": { 211 | "VirusTotal_|_Retrieve_information_about_a_file": [ 212 | "Succeeded" 213 | ] 214 | }, 215 | "expression": { 216 | "and": [ 217 | { 218 | "not": { 219 | "contains": [ 220 | "@variables('reported_ids')", 221 | "@body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['id']" 222 | ] 223 | } 224 | } 225 | ] 226 | }, 227 | "type": "If" 228 | }, 229 | "VirusTotal_|_Retrieve_information_about_a_file": { 230 | "runAfter": {}, 231 | "type": "ApiConnection", 232 | "inputs": { 233 | "host": { 234 | "connection": { 235 | "name": "@parameters('$connections')['virustotal']['connectionId']" 236 | } 237 | }, 238 | "method": "get", 239 | "path": "/api/v3/files/@{encodeURIComponent(items('Loop_through_all_file_hashes')?['Value'])}" 240 | } 241 | } 242 | }, 243 | "runAfter": { 244 | "Initialize_array_|_reported_ids": [ 245 | "Succeeded" 246 | ] 247 | }, 248 | "type": "Foreach", 249 | "runtimeConfiguration": { 250 | "concurrency": { 251 | "repetitions": 1 252 | } 253 | } 254 | } 255 | }, 256 | "outputs": {} 257 | }, 258 | "parameters": { 259 | "$connections": { 260 | "value": { 261 | "azuresentinel": { 262 | "connectionId": "[resourceId('Microsoft.Web/connections', 'api-connection-azuresentinel')]", 263 | "connectionName": "azuresentinel", 264 | "id": 
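The comment templates above interpolate VirusTotal fields into HTML with Logic Apps expressions, and the playbook deduplicates file hashes through the `reported_ids` array. The following Python is an added example, not code from this repository or the article, that renders the same file-hash comment from a VirusTotal v3 file report and adds the checks a practitioner would want on top of it: it HTML-escapes every string taken from the report, emits the optional sections only when the report carries them, converts the Unix timestamps the way `addToTime(...,'u')` does, and skips hashes VirusTotal does not know while still posting one comment for the MD5, SHA-1 and SHA-256 of the same file. The report, the byte string it is hashed from and `lookup_sample` are constructed stand-ins for the `VirusTotal_|_Retrieve_information_about_a_file` step; the heading levels are chosen here.

```python
"""Render the playbook's file-hash comment from a VirusTotal v3 file report in
Python (added example, not part of the repository or the article).

Beyond the Logic Apps expressions in the comment templates: every string from
the report is HTML-escaped (meaningful_name and signature_info originate in the
sample's own metadata), and comments are deduplicated like the playbook's
reported_ids array, so the MD5, SHA-1 and SHA-256 of one file yield one comment.
"""
import hashlib
from datetime import datetime, timezone
from html import escape


def vt_time(epoch_seconds):
    """Same output as addToTime('1970-01-01T00:00:00Z', <seconds>, 'Second', 'u') in the templates."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def stats_table(title, stats, columns, level=4):
    """Heading plus a one-row counter table, or None when the report lacks the
    section (the template's if(contains(attributes, '<section>'), ..., null) guard)."""
    if stats is None:
        return None
    head = "".join(f"<th>{escape(c.title())}</th>" for c in columns)
    row = "".join(f"<td>{int(stats.get(c, 0))}</td>" for c in columns)
    return f"<h{level}>{escape(title)}</h{level}><table><tr>{head}</tr><tr>{row}</tr></table>"


def kv_table(rows):
    """Two-column label/value table; rows whose value is None are left out."""
    cells = "".join(f"<tr><td>{escape(k)}</td><td>{escape(str(v))}</td></tr>" for k, v in rows if v is not None)
    return f"<table>{cells}</table>"


def render_file_comment(report):
    data, attrs = report["data"], report["data"]["attributes"]

    def when(key):  # epoch attribute -> formatted time, None when the report lacks it
        return vt_time(attrs[key]) if key in attrs else None

    parts = [
        f"<h2>File: {escape(str(attrs.get('meaningful_name', '')))} - {escape(data['id'])}</h2>",
        "<h3>Detection</h3>",
        stats_table("Crowdsourced Sigma Rules", attrs.get("sigma_analysis_stats"), ["critical", "high", "medium", "low"]),
        stats_table("Crowdsourced IDS Rules", attrs.get("crowdsourced_ids_stats"), ["high", "medium", "low", "info"]),
        stats_table("Analyses", attrs.get("last_analysis_stats"), ["harmless", "malicious", "suspicious", "undetected"]),
        stats_table("Community Score", attrs.get("total_votes"), ["malicious", "harmless"], level=3),
        "<h3>Details</h3><h4>Basic Properties</h4>",
        kv_table([("MD5", attrs.get("md5")), ("SHA-1", attrs.get("sha1")), ("SHA-256", attrs.get("sha256")),
                  ("File type", attrs.get("type_description")), ("Magic", attrs.get("magic")),
                  ("File size", f"{attrs['size']} bytes" if "size" in attrs else None)]),
        "<h4>History</h4>",
        kv_table([("Creation Time", when("creation_date")), ("First Submission", when("first_submission_date")),
                  ("Last Submission", when("last_submission_date")), ("Last Analysis", when("last_analysis_date")),
                  ("Latest Contents Modification", when("last_modification_date"))]),
    ]
    if "trusted_verdict" in attrs:
        tv = attrs["trusted_verdict"]
        parts.append("<h4>Known source</h4>" + kv_table([("Organization", tv.get("organization")),
                                                          ("File name", tv.get("filename"))]))
    if "signature_info" in attrs:
        si = attrs["signature_info"]
        parts.append("<h4>Signature Info</h4>" + kv_table([(label, si.get(key)) for label, key in (
            ("Signature verification", "verified"), ("Copyright", "copyright"), ("Product", "product"),
            ("Description", "description"), ("Original Name", "original name"), ("Internal Name", "internal name"),
            ("File Version", "file version"), ("Date signed", "signing date"))]))
    parts.append(f'<a href="https://www.virustotal.com/gui/file/{escape(data["id"])}">Full report</a>')
    return "".join(p for p in parts if p)


def comments_for_incident(hash_entities, lookup):
    """One comment per distinct VirusTotal object, mirroring the playbook's reported_ids check.
    lookup(hash) stands in for GET /api/v3/files/{hash}; it returns a report, or None for an unknown hash."""
    reported_ids, comments = set(), []
    for file_hash in hash_entities:
        report = lookup(file_hash)
        if report is None or report["data"]["id"] in reported_ids:
            continue
        reported_ids.add(report["data"]["id"])
        comments.append(render_file_comment(report))
    return comments


# Constructed sample: the hashes are real digests of this byte string, every other value is made up.
SAMPLE_BYTES = b"constructed sample content, not a real file"
MD5, SHA1, SHA256 = (h(SAMPLE_BYTES).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256))
SAMPLE_REPORT = {"data": {"type": "file", "id": SHA256, "attributes": {
    "meaningful_name": "inv<b>oice</b>.exe", "md5": MD5, "sha1": SHA1, "sha256": SHA256,
    "type_description": "Win32 EXE", "magic": "PE32 executable", "size": len(SAMPLE_BYTES),
    "last_analysis_stats": {"harmless": 0, "malicious": 3, "suspicious": 1, "undetected": 60},
    "sigma_analysis_stats": {"critical": 0, "high": 1, "medium": 2, "low": 0},
    "total_votes": {"harmless": 0, "malicious": 2},
    "first_submission_date": 1700000000, "last_submission_date": 1700003600,
    "last_analysis_date": 1700003600, "last_modification_date": 1700007200,
    "signature_info": {"verified": "Unsigned", "original name": "invoice.exe"}}}}
SAMPLE_ENTITIES = [MD5, SHA256, SHA1, "0" * 64]  # three aliases of one file plus a hash VT has never seen


def lookup_sample(file_hash):
    return SAMPLE_REPORT if file_hash in (MD5, SHA1, SHA256) else None


if __name__ == "__main__":
    for comment in comments_for_incident(SAMPLE_ENTITIES, lookup_sample):
        print(comment)
```

With the four sample entities the function returns a single comment: the three digests resolve to the same `data.id`, and the all-zero hash, which the stand-in lookup treats as unknown, is skipped instead of failing the run as the playbook's lookup action would.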
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" 265 | }, 266 | "virustotal": { 267 | "connectionId": "[resourceId('Microsoft.Web/connections', 'api-connection-virustotal')]", 268 | "connectionName": "virustotal", 269 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/virustotal')]" 270 | } 271 | } 272 | } 273 | } 274 | } 275 | } 276 | ] 277 | } --------------------------------------------------------------------------------