Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An Azure Logic App that is triggered when a blob is added or modified in an Azure Storage account container. The Logic App sends the blob to VirusTotal for analysis.
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"If_the_new_or_modified_item_is_a_file": {
"actions": {
"Analyse_an_URL": {
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@body('Create_SAS_URI_by_path')?['WebUrl']",
"headers": {
"Content-Disposition": "form-data; name=\"url\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['virustotal']['connectionId']"
}
},
"method": "post",
"path": "/api/v3/urls"
},
"runAfter": {
"Create_SAS_URI_by_path": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_SAS_URI_by_path": {
"inputs": {
"body": {
"AccessProtocol": "HttpsOnly",
"ExpiryTime": "@{addMinutes(utcNow(),5)}",
"Permissions": "Read"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "/datasets/default/CreateSharedLinkByPath",
"queries": {
"path": "@triggerBody()?['Path']"
}
},
"runAfter": {},
"type": "ApiConnection"
},
"If_the_file_is_clean": {
"actions": {},
"expression": {
"and": [
{
"equals": [
"@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['stats']['suspicious']",
0
]
},
{
"equals": [
"@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['stats']['malicious']",
0
]
}
]
},
"runAfter": {
"Retrieve_analysis_until_the_analysis_is_complete": [
"Succeeded"
]
},
"type": "If"
},
"Retrieve_analysis_until_the_analysis_is_complete": {
"actions": {
"If_analysis_is_not_complete_yet": {
"actions": {
"Wait_an_additional_minute": {
"inputs": {
"interval": {
"count": 1,
"unit": "Minute"
}
},
"runAfter": {},
"type": "Wait"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['status']",
"completed"
]
}
}
]
},
"runAfter": {
"Retrieve_information_about_a_file_or_URL_analysis": [
"Succeeded"
]
},
"type": "If"
},
"Retrieve_information_about_a_file_or_URL_analysis": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['virustotal']['connectionId']"
}
},
"method": "get",
"path": "/api/v3/analyses/@{encodeURIComponent(body('Analyse_an_URL')?['data']?['id'])}"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"expression": "@equals(body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['status'], 'completed')",
"limit": {
"count": 60,
"timeout": "PT1H"
},
"runAfter": {
"Wait_5_minutes_for_the_analysis_to_complete": [
"Succeeded"
]
},
"type": "Until"
},
"Wait_5_minutes_for_the_analysis_to_complete": {
"inputs": {
"interval": {
"count": 5,
"unit": "Minute"
}
},
"runAfter": {
"Analyse_an_URL": [
"Succeeded"
]
},
"type": "Wait"
}
},
"expression": {
"and": [
{
"equals": [
"@triggerBody()?['IsFolder']",
false
]
}
]
},
"runAfter": {},
"type": "If"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_blob_is_added_or_modified": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/datasets/default/triggers/batch/onupdatedfile",
"queries": {
"checkBothCreatedAndModifiedDateTime": false,
"folderId": "JTJmdXBsb2Fkcw==",
"maxFileCount": 1
}
},
"metadata": {
"JTJmdXBsb2Fkcw==": ""
},
"recurrence": {
"frequency": "Minute",
"interval": 1
},
"splitOn": "@triggerBody()",
"type": "ApiConnection"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "",
"connectionName": "azureblob",
"id": ""
},
"virustotal": {
"connectionId": "",
"connectionName": "virustotal",
"id": ""
}
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment