Azure
diff --git a/‎Solutions/VirusTotal/Package/3.0.1.zip‎
11.2 KB b/‎Solutions/VirusTotal/Package/3.0.1.zip‎
11.2 KB
diff --git a/‎Solutions/VirusTotal/Package/createUiDefinition.json‎
Lines changed: 2 additions & 2 deletions b/‎Solutions/VirusTotal/Package/createUiDefinition.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Solutions/VirusTotal/Package/mainTemplate.json‎
Lines changed: 158 additions & 156 deletions b/‎Solutions/VirusTotal/Package/mainTemplate.json‎
Lines changed: 158 additions & 156 deletions
diff --git a/‎Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/alert-trigger/azuredeploy.json‎
Lines changed: 14 additions & 22 deletions b/‎Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/alert-trigger/azuredeploy.json‎
Lines changed: 14 additions & 22 deletions
diff --git a/‎Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/incident-trigger/azuredeploy.json‎
Lines changed: 17 additions & 23 deletions b/‎Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/incident-trigger/azuredeploy.json‎
Lines changed: 17 additions & 23 deletions
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\n**Playbooks:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\n**Playbooks:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -86,4 +86,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}
@@ -3,33 +3,27 @@
     "contentVersion": "1.0.0.0",
     "metadata": {
         "comments": "This playbook will take each URL entity and query VirusTotal for domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
-        "title": "URL Enrichment - Virus Total domain report - Alert Triggered",
+        "title": "URL Enrichment - Virus Total Domain Report - Alert Triggered",
         "description": "This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
         "prerequisites": [
-            "Register on VirusTotal portal and get an API key."
+            "VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)"
         ],
         "postDeployment": [
             "1. Authorize/Configure all the connections.",
-            "2. Assign Microsoft Sentinel Responder Role to playbook."
+            "2. Assign Log Analytics Reader Role to playbook on Log Analytics Workspace.",
+            "3. Assign Microsoft Sentinel Responder Role to playbook.",
+            "4. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when alert is triggered.",
+            "[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
         ],
-        "lastUpdateTime": "2023-02-03T00:00:00.000Z",
+        "lastUpdateTime": "2025-05-28T00:00:00.000Z",
         "entities": ["URL"],
         "tags": ["Enrichment"],
         "support": {
             "tier": "Community"
         },
         "author": {
             "name": "Nicholas DiCola"
-        },
-        "releaseNotes": [
-            {
-                "version": "1.0.1",
-                "title": "URL Enrichment - Virus Total domain report",
-                "notes": [
-                    "Initial version"
-                ]
-            }
-        ]
+        }
     },
     "parameters": {
         "PlaybookName": {
@@ -38,9 +32,9 @@
         }
     },
     "variables": {
-        "AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
-        "VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
+        "AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
+        "AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+        "VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -50,7 +44,6 @@
             "location": "[resourceGroup().location]",
             "properties": {
                 "displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
-                "customParameterValues": {},
                 "api": {
                     "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
                 }
@@ -75,7 +68,6 @@
             "kind": "V1",
             "properties": {
                 "displayName": "[parameters('PlaybookName')]",
-                "customParameterValues": {},
                 "parameterValueType": "Alternative",
                 "api": {
                     "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
@@ -174,7 +166,7 @@
                                             "inputs": {
                                                 "body": {
                                                     "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                                    "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
+                                                    "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
                                                 },
                                                 "host": {
                                                     "connection": {
@@ -221,7 +213,7 @@
                                                 "inputs": {
                                                     "body": {
                                                         "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
-                                                        "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
+                                                        "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
                                                     },
                                                     "host": {
                                                         "connection": {
@@ -274,7 +266,7 @@
                                             }
                                         },
                                         "method": "get",
-                                        "path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
+                                        "path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
                                     }
                                 }
                             },
 
@@ -2,28 +2,24 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "title": "URL Enrichment - Virus Total domain report  - Incident Triggered",
+        "title": "URL Enrichment - Virus Total Domain Report - Incident Triggered",
         "description": "This playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comment to the incident.",
-        "prerequisites": [ "Register to Virus Total community for an API key." ],
-        "postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
-        "lastUpdateTime": "2022-07-20T00:00:00.000Z",
+        "prerequisites": [ "VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)" ],
+        "postDeployment": [
+            "1. Authorize/Configure all the connections.",
+            "2. Assign Microsoft Sentinel Responder Role to playbook.",
+            "3. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when the incident is created.",
+            "[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
+        ],
+        "lastUpdateTime": "2025-05-28T00:00:00.000Z",
         "entities": [ "URL" ],
         "tags": [ "Enrichment" ],
         "support": {
             "tier": "Community"
         },
         "author": {
             "name": "Nicholas DiCola"
-        },
-        "releaseNotes": [
-            {
-                "version": "1.0.0",
-                "title": "URL Enrichment - Virus Total domain report",
-                "notes": [
-                    "Initial version"
-                ]
-            }
-        ]
+        }
     },
     "parameters": {
         "PlaybookName": {
@@ -32,9 +28,9 @@
         }
     },
     "variables": {
-        "AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
-        "VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
+        "AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
+        "AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+        "VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -44,7 +40,6 @@
             "location": "[resourceGroup().location]",
             "properties": {
                 "displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
-                "customParameterValues": {},
                 "api": {
                     "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
                 }
@@ -69,7 +64,6 @@
             "kind": "V1",
             "properties": {
                 "displayName": "[parameters('PlaybookName')]",
-                "customParameterValues": {},
                 "parameterValueType": "Alternative",
                 "api": {
                     "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
@@ -121,7 +115,7 @@
                                             "inputs": {
                                                 "body": {
                                                     "incidentArmId": "@triggerBody()?['object']?['id']",
-                                                    "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
+                                                    "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
                                                 },
                                                 "host": {
                                                     "connection": {
@@ -163,7 +157,7 @@
                                                 "inputs": {
                                                     "body": {
                                                         "incidentArmId": "@triggerBody()?['object']?['id']",
-                                                        "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
+                                                        "message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
                                                     },
                                                     "host": {
                                                         "connection": {
@@ -225,7 +219,7 @@
                                             }
                                         },
                                         "method": "get",
-                                        "path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
+                                        "path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
                                     },
                                     "runAfter": {},
                                     "type": "ApiConnection"
@@ -270,7 +264,7 @@
                         "value": {
                             "azureloganalyticsdatacollector": {
                                 "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]",
-                                "connectionName": "[variables('AzureSentinelConnectionName')]",
+                                "connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
                                 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
                             },
                             "azuresentinel": {
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`"config": {`
`7`	`7`	`"isWizard": false,`
`8`	`8`	`"basics": {`
`9`		- "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\nNote: Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\nPlaybooks: 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) \| [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
	`9`	+ "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\nNote: Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\nPlaybooks: 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) \| [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
`10`	`10`	`"subscription": {`
`11`	`11`	`"resourceProviders": [`
`12`	`12`	`"Microsoft.OperationsManagement/solutions",`
`@@ -86,4 +86,4 @@`
`86`	`86`	`"workspace": "[basics('workspace')]"`
`87`	`87`	`}`
`88`	`88`	`}`
`89`		`-}`
	`89`	`+}`