Binary file added Solutions/VirusTotal/Package/3.0.1.zip
4 changes: 2 additions & 2 deletions Solutions/VirusTotal/Package/createUiDefinition.json
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\n**Playbooks:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VirusTotal/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VirusTotal](https://www.virustotal.com/gui/) solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.\n\n**Playbooks:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
Expand Down Expand Up @@ -86,4 +86,4 @@
"workspace": "[basics('workspace')]"
}
}
}
}
314 changes: 158 additions & 156 deletions Solutions/VirusTotal/Package/mainTemplate.json


Expand Up @@ -3,33 +3,27 @@
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook will take each URL entity and query VirusTotal for domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
"title": "URL Enrichment - Virus Total domain report - Alert Triggered",
"title": "URL Enrichment - Virus Total Domain Report - Alert Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
"prerequisites": [
"Register on VirusTotal portal and get an API key."
"VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)"
],
"postDeployment": [
"1. Authorize/Configure all the connections.",
"2. Assign Microsoft Sentinel Responder Role to playbook."
"2. Assign Log Analytics Reader Role to playbook on Log Analytics Workspace.",
"3. Assign Microsoft Sentinel Responder Role to playbook.",
"4. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when alert is triggered.",
"[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
],
"lastUpdateTime": "2023-02-03T00:00:00.000Z",
"lastUpdateTime": "2025-05-28T00:00:00.000Z",
"entities": ["URL"],
"tags": ["Enrichment"],
"support": {
"tier": "Community"
},
"author": {
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
}
},
"parameters": {
"PlaybookName": {
Expand All @@ -38,9 +32,9 @@
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
},
"resources": [
{
Expand All @@ -50,7 +44,6 @@
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
Expand All @@ -75,7 +68,6 @@
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
Expand Down Expand Up @@ -174,7 +166,7 @@
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -221,7 +213,7 @@
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -274,7 +266,7 @@
}
},
"method": "get",
"path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
"path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
}
}
},
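Review bot: The new host-extraction fallback on the `Get_Domain_report` path (`if(greater(length(split(...Url, '/')), 2), split(...)[2], ...Url)`) still sends something that is not a bare domain whenever the URL entity has fewer than three `/`-separated segments — `example.com/path` is sent whole — and a scheme-bearing URL with userinfo or a port (`http://user@host:8443/`) yields `user@host:8443` as the domain id. URL entities come from alert data the playbook does not control, so the lookup can fail or query the wrong object; what the comment actions then do depends on run-after settings outside this hunk. Consider taking the first segment in the fallback and stripping userinfo and port in both branches, e.g. `first(split(last(split(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], first(split(items('For_each')?['Url'], '/'))), '@')), ':'))`, and gating the comment actions on a non-empty `body('Get_Domain_report')?['data']`. The `postDeployment` text now lists a Log Analytics Reader role that the incident-triggered template in this same change does not list; if the Data Collector connection actually needs that role (it is not evident from the template), both templates should state it, otherwise drop the step here.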
Expand Up @@ -2,28 +2,24 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "URL Enrichment - Virus Total domain report - Incident Triggered",
"title": "URL Enrichment - Virus Total Domain Report - Incident Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": [ "Register to Virus Total community for an API key." ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"prerequisites": [ "VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)" ],
"postDeployment": [
"1. Authorize/Configure all the connections.",
"2. Assign Microsoft Sentinel Responder Role to playbook.",
"3. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when the incident is created.",
"[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
],
"lastUpdateTime": "2025-05-28T00:00:00.000Z",
"entities": [ "URL" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "Community"
},
"author": {
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
}
},
"parameters": {
"PlaybookName": {
Expand All @@ -32,9 +28,9 @@
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
},
"resources": [
{
Expand All @@ -44,7 +40,6 @@
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
Expand All @@ -69,7 +64,6 @@
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
Expand Down Expand Up @@ -121,7 +115,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -163,7 +157,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -225,7 +219,7 @@
}
},
"method": "get",
"path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
"path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
},
"runAfter": {},
"type": "ApiConnection"
Expand Down Expand Up @@ -270,7 +264,7 @@
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuresentinel": {
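Review bot: The two incident-comment `message` bodies (the "likely harmless domain" and "likely malicious domain" lines) interpolate the URL entity straight into HTML (`<p>…@{items('For_each')?['Url']}…</p>`) and into a double-quoted KQL literal, yet that entity originates from alert data the playbook does not control, so a value containing `<`, `>` or `"` is rendered as markup in the comment or breaks the suggested query. Workflow Definition Language has no HTML-encode function as far as I know, so an escaped copy such as `replace(replace(replace(items('For_each')?['Url'],'&','&amp;'),'<','&lt;'),'>','&gt;')` should be used inside the `<p>`, and the KQL value should be escaped the same way or the query written against the extracted domain rather than the raw URL. The text still reads `Virus Total File Report found for` although this playbook calls `/api/v3/domains/`; change both comment actions to `Virus Total Domain Report found for`. The `reputation` attribute is VirusTotal's community-vote score and the harmless/malicious split is decided by a condition outside this hunk, so the wording should say which threshold produced it, e.g. `which the playbook treats as likely harmless (community reputation score)`.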