Incident response and automation using VirusTotal Intel on Sentinel

M'hirsi Hamza
4 min read, Jan 3, 2023

Hi Medium! Here we are again with a new article about Sentinel.

In this article, we will look at how to introduce VirusTotal to Sentinel and how to use it for incident response.

Contents

Create a playbook or automation on Azure
Configure the automation process to VT
Add the playbook to our alert
Resources

Create a playbook or automation on Azure

To create the automation, we first create a new playbook triggered by an alert, since we will link it to our previous alert:

Automation

In the basics tab, make sure that the new playbook is in the same region and the same resource group as our Sentinel workspace; meeting these prerequisites avoids problems in the next steps.

Next, we link our Log Analytics workspace as follows; as you can see, mine is ‘light-monitoring’:

Playbook creation

Choose a friendly name for the playbook, click Next, and create the playbook.

Configure the automation process to VT

Once the playbook is created, we will be redirected automatically to the Logic App:

Logic app

We go to the ‘Logic App Designer’; the configuration is straightforward, think of it as a puzzle.

The most important step is to pick the starting point: the trigger that initiates the process we are building. We go with the alert trigger:

Our trigger

The next action locates the alert: to get the incident we need to specify the subscription ID, resource group, workspace ID and alert ID from which the incident will be fetched, as follows (we could enter all inputs manually, but it is better to use dynamic variables so that Azure loads the values automatically):

Loading workspace ID

Now we extract the entities from the incident; this is where we get the IP addresses to send to the VT API. We add a new entities action as follows:

Entities collection

The next step is a ‘For each’ loop that takes the IPs and uses each one as input to the VT (VirusTotal) API action called ‘IP scan report V3’. We will be asked for our VirusTotal API key; to get it, create an account on VirusTotal, go to your profile and click on ‘API Key’:

API key on VT

We can now use the API key in our action:

Loading API key

We use the dynamic variable IP address as the action's input:

The next step is to add a comment that describes the output of the VT analysis. There are a lot of fields; here are the important ones I used. The comment will be added automatically to the incident:

Incident comment management
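As an added example (not code from the original post or from Azure), the same data flow in Python: IP entities are pulled from a constructed incident entity list, each one is looked up against the VT v3 IP endpoint that the ‘IP scan report V3’ action wraps, and the fields highlighted above are flattened into the comment text. The entity list, the VT replies, the `offline_fetch` stub and the API key value are all constructed, so it runs offline with no real key.

```python
import json, urllib.request

# Constructed sample: entities of one Sentinel incident (shape follows the Sentinel REST entity format).
SAMPLE_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "203.0.113.10"}},
    {"kind": "Host", "properties": {"hostName": "ws-042"}},
    {"kind": "Ip", "properties": {"address": "198.51.100.7"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.10"}},  # duplicate: must be looked up once
]

# Constructed sample replies keyed by IP; fields mirror GET /api/v3/ip_addresses/{ip}.
SAMPLE_VT_REPLIES = {
    "203.0.113.10": {"data": {"attributes": {"as_owner": "Example AS", "country": "DE", "reputation": -12,
        "last_analysis_stats": {"harmless": 60, "malicious": 9, "suspicious": 2, "undetected": 20, "timeout": 0}}}},
    "198.51.100.7": {"data": {"attributes": {"as_owner": "Example ISP", "country": "US", "reputation": 0,
        "last_analysis_stats": {"harmless": 88, "malicious": 0, "suspicious": 0, "undetected": 3, "timeout": 0}}}},
}

def extract_ips(entities):
    """Equivalent of the 'Entities - Get IPs' action: IP entities only, de-duplicated, order kept."""
    ips = []
    for e in entities:
        addr = e.get("properties", {}).get("address")
        if e.get("kind", "").lower() == "ip" and addr and addr not in ips:
            ips.append(addr)
    return ips

def vt_ip_report(ip, api_key, fetch=None):
    """'IP scan report V3' call; fetch(url, headers) is injected so the example runs offline."""
    url, headers = f"https://www.virustotal.com/api/v3/ip_addresses/{ip}", {"x-apikey": api_key}
    if fetch is not None:
        return fetch(url, headers)
    return json.load(urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=15))

def summarize(ip, report):
    """Flatten the fields the post highlights into one comment line."""
    a = report["data"]["attributes"]
    s = a["last_analysis_stats"]
    verdict = "MALICIOUS" if s["malicious"] > 0 else "no detections"
    return (f"VT {ip}: {verdict} ({s['malicious']} malicious / {s['suspicious']} suspicious / "
            f"{s['harmless']} harmless), reputation={a.get('reputation')}, "
            f"AS={a.get('as_owner')}, country={a.get('country')}")

def build_incident_comment(entities, api_key, fetch=None):
    """The 'For each' loop: one lookup per IP, joined into the text the playbook posts as a comment."""
    return "\n".join(summarize(ip, vt_ip_report(ip, api_key, fetch)) for ip in extract_ips(entities))

def offline_fetch(url, headers):
    assert headers.get("x-apikey"), "VT v3 requires the x-apikey header"
    return SAMPLE_VT_REPLIES[url.rsplit("/", 1)[1]]  # stand-in for the HTTP call (constructed data)
```

Calling `build_incident_comment(SAMPLE_ENTITIES, "<your VT API key>", offline_fetch)` returns one line per distinct IP; drop the `fetch` argument to make the live call with a real key.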

We need to save the configuration first:

Saving configuration

Then we can test and debug it; if there are any problems, the Overview panel shows the error message and the related issue:

Running trigger

We got no issues and are all set; now we need to add the playbook to the alert.

Add the playbook to our alert

Now that our playbook runs and has been tested, we only need to attach it to an alert. We go back to our Sentinel workspace and edit our rule:

Alert

We go to ‘Automated response’ and we add our playbook:

Adding the playbook

From now on, the playbook automatically adds a comment whenever the alert is triggered.

Conclusion

I hope you enjoyed this simple introduction to using VT intel and adding it to your alerts automatically. If you have anything to add or correct, please do not hesitate; see you soon ^^

Resources

https://azurecloudai.blog/2021/03/04/how-to-take-advantage-of-the-new-virus-total-logic-app-connector-for-your-azure-sentinel-playbooks/

M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity