Incident response and automation using VirusTotal Intel on Sentinel
Hi Medium! Here we are again with a new article about Sentinel.
In this article, we will take how we can introduce VirusTotal to Sentinel and how we use it for incident response.
Contents
Create a playbook or automation on Azure
Configure the automation process to VT
Add the playbook to our alert
Resources
Create a playbook or automation on Azure
In order to create the automation process, we need to first create a new playbook triggered by an alert as we will link it to our previous alert:
To configure the basics, we need to make sure that the new playbook is in the same region and the same resource group as our sentinel, please make sure that those prerequisites are granted so we don’t face any problems in the next steps.
Next, we need to link our log analytics as follows, as you see mine is ‘light-monitoring’:
Choose a friendly name for the playbook. Once done we click on next and create the playbook.
Configure the automation process to VT
Once the playbook is created, we will be redirected automatically to the Logic App:
We go ‘Logic App Design’, and the configuration is so easy, think of it like a puzzle.
The most important step is to pick your start point, the trigger that will initiate the process that we will be creating, we will go with the alert trigger:
The next action to configure is the location of the alert, in order to get the incident we need to specify the subscription ID, resource group, workspace ID, and Alert ID from where the code will get the incident as follows (we can add all inputs manually but it’s better to input dynamic variable so azure automatically will load the variable):
Now, we need to extract the entities from the incident, from here we will get the IP to send it to VT API, and we add a new entity as follow:
The next step is to run a loop function “For each” that will get the IPs and use them as input to the VT (VirusTotal) API called “IP scan report V3”, we will be asked to input the API key of our VirusTotal, in order to get the API key we need to create an account on VirusTotal and go to our profile and click on ‘API Key’:
We can now use the API key in our action:
We use the dynamic variable IP address:
The next move, is to add a comment that describes the output of the VT analysis, there are a lot of fields, here is some important once I used it, the comment will be added automatically to the incident:
We need to save the configuration first:
Then we can test it and debug it if we have any problems in the Overview panel we will find the error message and issue related:
We got no issue and we are now all set. We need to add the playbook to the alert now.
Add the playbook to our alert
Now our playbook is running and we tested it, we only need to attach it to an alert, we go back to our Sentinel workspace and we edit our rule:
We go to ‘Automated response’ and we add our playbook:
From now on the playbook will automatically add a comment once an alert is triggered.
Conclusion
I hope that you enjoyed this simple introduction to how to use VT intel and add it to your alert automatically, if you have anything to add or correct please do not hesitate, see ya soon ^^
