Original file line number Diff line number Diff line change
Expand Up @@ -6,30 +6,23 @@
"title": "URL Enrichment - Virus Total domain report - Alert Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
"prerequisites": [
"Register on VirusTotal portal and get an API key."
"VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)"
],
"postDeployment": [
"1. Authorize/Configure all the connections.",
"2. Assign Microsoft Sentinel Responder Role to playbook."
"2. Assign Microsoft Sentinel Responder Role to playbook.",
"3. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when the incident is created.",
"[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
],
"lastUpdateTime": "2023-02-03T00:00:00.000Z",
"lastUpdateTime": "2025-05-28T00:00:00.000Z",
"entities": ["URL"],
"tags": ["Enrichment"],
"support": {
"tier": "Community"
},
"author": {
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
}
},
"parameters": {
"PlaybookName": {
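Review bot: dropping the whole releaseNotes array (the old 1.0.1 "Initial version" entry) while bumping lastUpdateTime to 2025-05-28 loses the version history; add a new entry instead, for example version 1.0.2 with notes covering the connection-name change, the new postDeployment steps and the host-extraction change in Get_Domain_report. Two smaller points in the same hunk: the new prerequisite string reads awkwardly ("VirusTotal API key, Register to VirusTotal community."), where "Register with the VirusTotal community to obtain an API key. [Register here](...)" is cleaner, and the fourth postDeployment item is an unnumbered link after three numbered steps, so either number it "4." or fold it into step 3. The title here keeps "domain report" in lower case while the incident-trigger template in this same change switches to "Domain Report"; pick one casing for both.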
Expand All @@ -38,9 +31,9 @@
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
},
"resources": [
{
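Review bot: changing the connection name prefixes (azuresentinel- to MicrosoftSentinel-, virustotal- to VirusTotal-, azureloganalyticsdatacollector- to AzureLogAnalyticsDataCollector-) means a redeployment over an existing playbook creates three new Microsoft.Web/connections resources that have to be authorized again, and leaves the old connections orphaned in the resource group. Call this out in the release notes or readme, or keep the old names if in-place upgrades are expected.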
Expand All @@ -50,7 +43,6 @@
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
Expand All @@ -75,7 +67,6 @@
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
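Review bot: removing the empty customParameterValues object is safe here because parameterValueType stays "Alternative", which is what makes the azuresentinel connection use the playbook's managed identity instead of a delegated user; the Responder-role post-deployment step depends on that setting, so keep it unchanged if this block is touched again.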
Expand Down Expand Up @@ -174,7 +165,7 @@
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
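Review bot: the comment text still says "Virus Total File Report found for" even though this action queries the domains endpoint; change it to "Domain Report" (and "VirusTotal" as one word, matching the title). Also check the suggested KQL: Get_Domain_report is now requested for the host part of the URL (see the path expression later in this diff), so the record written to VTURLReport_CL most likely carries the domain in id_s, and `where id_s == "<full URL>"` would return nothing; filter on the same host value that was sent to VirusTotal.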
Expand Down Expand Up @@ -221,7 +212,7 @@
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
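Review bot: the spelling fix (malicous to malicious) and the missing space are good, but the same "File Report" wording and the KQL concern from the harmless branch apply to this message too. One caveat for both branches: the URL entity value is attacker-supplied text interpolated unescaped into HTML (`<p>...@{items('For_each')?['Url']}...</p>`); if the comment is rendered as HTML anywhere, escape it or emit plain text rather than markup.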
Expand Down Expand Up @@ -274,7 +265,7 @@
}
},
"method": "get",
"path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
"path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
}
}
},
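Review bot: the new fallback in the domains path only avoids the out-of-range index error; `if(greater(length(split(url, '/')), 2), split(url, '/')[2], url)` still mishandles URLs without a scheme. For "example.com/a/b" the split has three parts, so [2] yields "b" and VirusTotal is queried for a path segment; for "example.com/path" it has two parts and the whole "example.com/path" string is URL-encoded into /api/v3/domains/, which is not a valid domain. Decide on scheme presence with `contains(items('For_each')?['Url'], '://')` instead of the array length, take the host from `split(split(url, '://')[1], '/')[0]`, and strip a port with `split(host, ':')[0]` before encoding. Also consider that a URL entity may carry an IP literal (for example http://203.0.113.10/...), which belongs to the ip_addresses endpoint rather than domains; branch on that case or skip it instead of sending it here.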
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,28 +2,24 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "URL Enrichment - Virus Total domain report - Incident Triggered",
"title": "URL Enrichment - Virus Total Domain Report - Incident Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": [ "Register to Virus Total community for an API key." ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"prerequisites": [ "VirusTotal API key, Register to VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)" ],
"postDeployment": [
"1. Authorize/Configure all the connections.",
"2. Assign Microsoft Sentinel Responder Role to playbook.",
"3. After deployment, attach this playbook to an **automation rule** and map URL entity so it runs when the incident is created.",
"[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/readme.md)"
],
"lastUpdateTime": "2025-05-28T00:00:00.000Z",
"entities": [ "URL" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "Community"
},
"author": {
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
}
},
"parameters": {
"PlaybookName": {
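Review bot: as in the alert-trigger template, the releaseNotes array is removed rather than extended; add a new version entry (this template was at 1.0.0) describing the connectionName fix further down, the connection renames and the host-extraction change. The title casing here ("Domain Report") now differs from the alert-trigger template's "domain report" in the same change; align them.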
Expand All @@ -32,9 +28,9 @@
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('virustotal-',parameters('PlaybookName'))]"
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('AzureLogAnalyticsDataCollector-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"VirusTotalConnectionName": "[concat('VirusTotal-',parameters('PlaybookName'))]"
},
"resources": [
{
Expand All @@ -44,7 +40,6 @@
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
Expand All @@ -69,7 +64,6 @@
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
Expand Down Expand Up @@ -121,7 +115,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely harmless<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely harmless domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -163,7 +157,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']}which indicates likely malicous<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
"message": "<p>Virus Total File Report found for @{items('For_each')?['Url']}<br>\nReputation is: @{body('Get_Domain_report')?['data']?['attributes']?['reputation']} which indicates likely malicious domain.<br>\nQuery: VTURLReport_CL | where id_s == \"@{items('For_each')?['Url']}\"</p>"
},
"host": {
"connection": {
Expand Down Expand Up @@ -225,7 +219,7 @@
}
},
"method": "get",
"path": "/api/v3/domains/@{encodeURIComponent(split(items('For_each')?['Url'], '/')[2])}"
"path": "/api/v3/domains/@{encodeURIComponent(if(greater(length(split(items('For_each')?['Url'], '/')), 2), split(items('For_each')?['Url'], '/')[2], items('For_each')?['Url']))}"
},
"runAfter": {},
"type": "ApiConnection"
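Review bot: the same host-extraction issue raised on the alert-trigger template applies to this path expression (scheme-less URLs, ports, IP literals); whatever fix lands there should be copied here so the two templates stay identical.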
Expand Down Expand Up @@ -270,7 +264,7 @@
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuresentinel": {
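Review bot: good catch, the azureloganalyticsdatacollector entry previously set connectionName to the Sentinel connection variable while connectionId pointed at the Log Analytics connection, so the two fields disagreed; the new value matches connectionId. Verify that the corresponding $connections block in the alert-trigger template (not shown in this diff) has the same value, and confirm after redeploy that the Log Analytics write action succeeds in the run history, since a mismatched connectionName is easy to miss until runtime.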
Expand Down
Original file line number Diff line number Diff line change
@@ -1,31 +1,31 @@
# Get-VirusTotalDomainReport
author: Nicholas DiCola
Author: Nicholas DiCola, Microsoft, Microsoft, Microsoft

This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).
This playbook processes each URL entity to query VirusTotal for detailed domain information. For more details, visit the [VirusTotal Domain Info API documentation](https://developers.virustotal.com/v3.0/reference#domain-info).

## Prerequisites
- You will need to register to Virus Total community for an API key
- Obtain a VirusTotal API key by registering with the VirusTotal community. [Register here](https://www.virustotal.com/gui/join-us)

## Quick Deployment
**Deploy with incident trigger** (recommended)
**Deploy with Incident Trigger** (Recommended)

After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
Deploy this playbook and attach it to an **automation rule** to ensure it runs automatically whenever an incident is created.

[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVirusTotal%2FPlaybooks%2FGet-VirusTotalDomainReport%2Fincident-trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVirusTotal%2FPlaybooks%2FGet-VirusTotalDomainReport%2Fincident-trigger%2Fazuredeploy.json)

**Deploy with alert trigger**
**Deploy with Alert Trigger**

After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will run when an alert is created.
Deploy this playbook to run manually on alerts or attach it to an **analytics rule** to execute automatically when an alert is generated.

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVirusTotal%2FPlaybooks%2FGet-VirusTotalDomainReport%2Falert-trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVirusTotal%2FPlaybooks%2FGet-VirusTotalDomainReport%2Falert-trigger%2Fazuredeploy.json)

## Post Deployment Instructions

**Assign Microsoft Sentinel Responder role to the playbook**
**Assign the Microsoft Sentinel Responder Role to the Playbook**

The playbook uses a managed identity, which require to have Microsoft Sentinel Responder role in Sentinel instances in order to add comments.
This playbook uses a managed identity, which must have the Microsoft Sentinel Responder role assigned in the Sentinel instances to enable adding comments.

1. Select the Playbook resource.
2. In the left menu, click Identity.
Expand All @@ -40,4 +40,4 @@ The playbook uses a managed identity, which require to have Microsoft Sentinel R
![Incident Trigger](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/incident-trigger/images/designerLight.png)

**Alert Trigger**
![Alert Trigger](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/alert-trigger/images/Get-VirusTotalDomainReport_alert.png)
![Alert Trigger](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/alert-trigger/images/Get-VirusTotalDomainReport_alert.png)
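Review bot: the new Author line repeats "Microsoft" three times ("Nicholas DiCola, Microsoft, Microsoft, Microsoft"); it should read "Author: Nicholas DiCola, Microsoft". Two smaller points: the templates' postDeployment steps now tell the user to map the URL entity when attaching the automation rule, but the readme's incident-trigger paragraph does not mention that, so add it there, and the "Deploy with Alert Trigger" paragraph could state that the alert must contain URL entities, matching "entities": ["URL"] in both templates.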