How to Take Advantage of the New Virus Total Logic App Connector for Your Azure Sentinel Playbooks

I saw a discussion internally today that exposed to me something I thought I might have missed, but, then realized this is brand new and available in public preview for everyone to test. So – hey – time to share…

In the past, we’ve provided Playbooks for interacting with the Virus Total service through the API. There’s now an official Logic App connector for Virus Total – and, let me say this… it’s amazing.

Here’s how to get started:

  1. If you haven’t already, drop out to and create an account and then request an API key.
  2. Use the following docs resource to get a feel for what the Virus Total Logic App connector provides:
  3. Create a new Playbook in the Azure Sentinel console and get started…

Some important steps for your Playbook:

  1. Make sure to set Azure Sentinel as the trigger.
  2. Make sure to create steps to get Incident and Entity information. (in my example below, I’m getting the IP address entity).
  3. Make sure to create a step to input your VT API key.
Define the Playbook steps

As you can guess, I have some experience with creating Playbooks for Azure Sentinel, but truly this was the easiest set of logic to create yet. The above example took me less than 5 minutes. And, the result is shown next. Lots of awesome, valuable information.

Too much data is never a bad thing…

DISCLAIMER: Keep in mind, though, this is PREVIEW. This means there’s ongoing development and things to could change significantly between now and official release. So anything you create today may need to be adjusted later on. Just don’t rely on preview-tagged items in production.

Have fun!


[Want to discuss this further? Hit me up on Twitter or LinkedIn]