An Azure Logic App that is triggered when a blob is added or modified in an Azure Storage account container. The Logic App sends the blob to VirusTotal for analysis.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "definition": { | |
| "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", | |
| "actions": { | |
| "If_the_new_or_modified_item_is_a_file": { | |
| "actions": { | |
| "Analyse_an_URL": { | |
| "inputs": { | |
| "body": { | |
| "$content-type": "multipart/form-data", | |
| "$multipart": [ | |
| { | |
| "body": "@body('Create_SAS_URI_by_path')?['WebUrl']", | |
| "headers": { | |
| "Content-Disposition": "form-data; name=\"url\"" | |
| } | |
| } | |
| ] | |
| }, | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['virustotal']['connectionId']" | |
| } | |
| }, | |
| "method": "post", | |
| "path": "/api/v3/urls" | |
| }, | |
| "runAfter": { | |
| "Create_SAS_URI_by_path": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "ApiConnection" | |
| }, | |
| "Create_SAS_URI_by_path": { | |
| "inputs": { | |
| "body": { | |
| "AccessProtocol": "HttpsOnly", | |
| "ExpiryTime": "@{addMinutes(utcNow(),5)}", | |
| "Permissions": "Read" | |
| }, | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['azureblob']['connectionId']" | |
| } | |
| }, | |
| "method": "post", | |
| "path": "/datasets/default/CreateSharedLinkByPath", | |
| "queries": { | |
| "path": "@triggerBody()?['Path']" | |
| } | |
| }, | |
| "runAfter": {}, | |
| "type": "ApiConnection" | |
| }, | |
| "If_the_file_is_clean": { | |
| "actions": {}, | |
| "expression": { | |
| "and": [ | |
| { | |
| "equals": [ | |
| "@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['stats']['suspicious']", | |
| 0 | |
| ] | |
| }, | |
| { | |
| "equals": [ | |
| "@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['stats']['malicious']", | |
| 0 | |
| ] | |
| } | |
| ] | |
| }, | |
| "runAfter": { | |
| "Retrieve_analysis_until_the_analysis_is_complete": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "If" | |
| }, | |
| "Retrieve_analysis_until_the_analysis_is_complete": { | |
| "actions": { | |
| "If_analysis_is_not_complete_yet": { | |
| "actions": { | |
| "Wait_an_additional_minute": { | |
| "inputs": { | |
| "interval": { | |
| "count": 1, | |
| "unit": "Minute" | |
| } | |
| }, | |
| "runAfter": {}, | |
| "type": "Wait" | |
| } | |
| }, | |
| "expression": { | |
| "and": [ | |
| { | |
| "not": { | |
| "equals": [ | |
| "@body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['status']", | |
| "completed" | |
| ] | |
| } | |
| } | |
| ] | |
| }, | |
| "runAfter": { | |
| "Retrieve_information_about_a_file_or_URL_analysis": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "If" | |
| }, | |
| "Retrieve_information_about_a_file_or_URL_analysis": { | |
| "inputs": { | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['virustotal']['connectionId']" | |
| } | |
| }, | |
| "method": "get", | |
| "path": "/api/v3/analyses/@{encodeURIComponent(body('Analyse_an_URL')?['data']?['id'])}" | |
| }, | |
| "runAfter": {}, | |
| "type": "ApiConnection" | |
| } | |
| }, | |
| "expression": "@equals(body('Retrieve_information_about_a_file_or_URL_analysis')['data']['attributes']['status'], 'completed')", | |
| "limit": { | |
| "count": 60, | |
| "timeout": "PT1H" | |
| }, | |
| "runAfter": { | |
| "Wait_5_minutes_for_the_analysis_to_complete": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "Until" | |
| }, | |
| "Wait_5_minutes_for_the_analysis_to_complete": { | |
| "inputs": { | |
| "interval": { | |
| "count": 5, | |
| "unit": "Minute" | |
| } | |
| }, | |
| "runAfter": { | |
| "Analyse_an_URL": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "Wait" | |
| } | |
| }, | |
| "expression": { | |
| "and": [ | |
| { | |
| "equals": [ | |
| "@triggerBody()?['IsFolder']", | |
| false | |
| ] | |
| } | |
| ] | |
| }, | |
| "runAfter": {}, | |
| "type": "If" | |
| } | |
| }, | |
| "contentVersion": "1.0.0.0", | |
| "outputs": {}, | |
| "parameters": { | |
| "$connections": { | |
| "defaultValue": {}, | |
| "type": "Object" | |
| } | |
| }, | |
| "triggers": { | |
| "When_a_blob_is_added_or_modified": { | |
| "inputs": { | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['azureblob']['connectionId']" | |
| } | |
| }, | |
| "method": "get", | |
| "path": "/datasets/default/triggers/batch/onupdatedfile", | |
| "queries": { | |
| "checkBothCreatedAndModifiedDateTime": false, | |
| "folderId": "JTJmdXBsb2Fkcw==", | |
| "maxFileCount": 1 | |
| } | |
| }, | |
| "metadata": { | |
| "JTJmdXBsb2Fkcw==": "" | |
| }, | |
| "recurrence": { | |
| "frequency": "Minute", | |
| "interval": 1 | |
| }, | |
| "splitOn": "@triggerBody()", | |
| "type": "ApiConnection" | |
| } | |
| } | |
| }, | |
| "parameters": { | |
| "$connections": { | |
| "value": { | |
| "azureblob": { | |
| "connectionId": "", | |
| "connectionName": "azureblob", | |
| "id": "" | |
| }, | |
| "virustotal": { | |
| "connectionId": "", | |
| "connectionName": "virustotal", | |
| "id": "" | |
| } | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment