VMRay Connector to Microsoft Sentinel

Solution: VMRay

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index

---

Attribute	Value
Publisher	VMRay
Support Tier	Partner
Support Link	https://www.vmray.com/contact/customer-support/
Categories	Security - Automation (SOAR),Security - Threat Intelligence
Version	3.0.0
Author	VMRay
First Published	2025-07-23
Solution Folder	VMRay
Marketplace	Azure Marketplace · Popularity: 🔵 Medium (54%)

The VMRay Connector for Microsoft Sentinel enhances security operations by providing enriched threat intelligence, enabling faster and more informed responses to security incidents. The integration has two main parts: first, URL detonation and enrichment, which provides detailed insights into suspicious URLs. Second, it automatically generates and feeds threat intelligence for all submissions to VMRay, improving threat detection and incident response in Sentinel. This seamless integration empowers teams to proactively address emerging threats.

Contents

• Data Connectors
• Tables Used
• Content Items
• Additional Documentation

Data Connectors

This solution provides 1 data connector(s):

• VMRayThreatIntelligence

Tables Used

This solution uses 1 table(s):

Table	Used By Connectors	Used By Content
ThreatIntelObjects	VMRayThreatIntelligence	-

Internal Tables

The following 1 table(s) are used internally by this solution's content items:

Table	Used By Connectors	Used By Content
ThreatIntelIndicators	VMRayThreatIntelligence	-

Content Items

This solution includes 2 content item(s):

Content Type	Count
Playbooks	2

Playbooks

Name	Description	Tables Used
VMRay Email Attachment Analyis	Submits a attachment or set of attachment associated with an office 365 email to VMRay for Analyis.	-
VMRay URL Analyis	Submits a url or set of urls associated with an incident to VMRay for Analyis.	-

Additional Documentation

📄 Source: VMRay/README.md

VMRay Threat Intelligence Feed and Enrichment Integration - Microsoft Sentinel

Latest Version: 3.0.1 - Release Date: 2025-11-07

Overview

Requirements

• Microsoft Sentinel.
• VMRay Analyzer, VMRay FinalVerdict, VMRay TotalInsight.
• Microsoft Azure

  1. Azure functions with Flex Consumption plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan

     Note: Flex Consumption plans are not available in all regions, please check if the region your are deploying the function is supported, if not we suggest you to deploy the function app with premium plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-how-to?tabs=azure-cli%2Cvs-code-publish&pivots=programming-language-python#view-currently-supported-regions

  2. Azure functions Premium plan. Reference: https://learn.microsoft.com/en-us/azure/azure-functions/functions-premium-plan

  3. Azure Logic App with Consumption plan. Reference: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing#consumption-multitenant

  4. Azure storage with Standard general-purpose v2.

VMRay Configurations

• In VMRay Console, you must create a Connector API key.Create it by following the steps below:

  1. Create a user dedicated for this API key (to avoid that the API key is deleted if an employee leaves)
  2. Create a role that allows to "View shared submission, analysis and sample" and "Submit sample, manage own jobs, reanalyse old analyses and regenerate analysis reports".
  3. Assign this role to the created user
  4. Login as this user and create an API key by opening Settings > Analysis > API Keys.
  5. Please save the keys, which will be used in configuring the Azure Function.

Microsoft Sentinel

Creating Application for API Access

• Open https://portal.azure.com/ and search Microsoft Entra ID service.

• Click Add->App registration.

• Enter the name of application and select supported account types and click on Register.

• In the application overview you can see Application Name, Application ID and Tenant ID.

• After creating the application, we need to set API permissions for connector. For this purpose,
  • Click Manage->API permissions tab
  • Click Microsoft Graph button
  • Search indicator and click on the ThreatIndicators.ReadWrite.OwnedBy, click Add permissions button below.
  • Click on Grant admin consent

[Content truncated...]

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.1	07-11-2025	Fixed Premium ARM template
3.0.0	23-07-2025	Initial Solution Release

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index