Azure Sentinel 2. Incidents + Google - VirusTotal Code Insights Integration

• Sentinel Setup

• Logic App Setup

Playbook we are going to use by Koos Goossens:

In this article I’ll demonstrate how to leverage VirusTotal’s services to automatically scan all of your file hashes and IP addresses that come through Microsoft Sentinel as entities in their respective incidents. The scan results are then automatically attached to the security incidents so that your analysts see the reputation and other details in an instant, without having to go out and retrieve this information themselves.

https://github.com/TheCloudScout/incident-enrich-virustotal?tab=readme-ov-file

Logic App Overview: we are going to change a couple of things here

Obtain VirusTotal API Key

https://www.virustotal.com/gui/home/upload

Note, this wouldn't work for production without upgrading it to enterprise. For our testing purpose, this is perfectly fine.

Enable Logic App Identity

Do the same things for the following -

RBAC Assignment: assign responder role to the RG (at resource group level)

Now let's trigger the playbook against an incident

Playbook-VirusTotal-Incident-AI-Enrich
Oct 4, 2025 9:23 PM
Virustotal logo
IP address: 17.81.146.1
Detection
Harmless	Malicious	Suspicious	Undetected
62	0	0	33
'harmless' : site is not malicious
'undetected' : scanner has no opinion about this site
'suspicious' : scanner thinks the site is suspicious
'malicious' : scanner thinks the site is malicious
Community Score
Malicious	Harmless
2	0
Details
Network	17.0.0.0/9
ASN Number	714
ASN Label	APPLE-ENGINEERING
Regional Internet Registry	APNIC
Country	CN
Continent	AS
[Full report](https://www.virustotal.com/gui/ip-address/17.81.146.1)

Simulate malicious file:

• Import this analytic rule: ___

Click Edit > Set rule logic > View query results

Select line 1-23, and Run query

Not all files types are supported as of right now. Check supported file type here: https://docs.virustotal.com/docs/codeinsight-supported-files#:~:text=These%20are%20the%20file%20types,%2C%20XLS%2C%20XLSX%2C%20ZIP

Let's pick a docx file for now

Copy the hash and check VirusTotal against it:

i.e. d3e0384fc1e932671fcf881ca900b746195910aa4b60b390e86bb8305b542247

Now, go back to the rule, and replace the hash with the one you just spotted

Rerun query (including every query this time), and you will find the malicious alert

Review + create > Save

The rule will run every 5 minutes, so wait a little bit and check back incidents

Modify the Logic App

Add some variables:

We actually need to choose data from "VirusTotal | Retrieve information about a file" step, but we do not have that option so let's choose "FileType" for now and we can change it via "Code view"

Save the Logic App and click "Code view"

Find "set variable" section > change the "Filetype" to "data" > Save > go back to Designer view

Add a condition

Add another set variable

For the value, paste this in -

@{body('VirusTotal_|_Retrieve_information_about_a_file')?['data']?['attributes']?['crowdsourced_ai_results']?[0]?['analysis']}

Modify the comment:

Save and run playbook against the incident again