MicrosoftI agree this feature seems very "preview" at the moment, which is a pity since a consistent result would allow my team to skip the step of sending the URL to an external API for a screenshot. I have an example below where an incident is generated by a NRT rule triggering on blocked URLs from our firewalls logging to CommonSecurityLog.
The incident investigation has the DetonationFinalUrl entry but no screenshot.
If I view the information in the incident object as seen by a playbook there is an URL to the DetonationScreenshot.
"Urls": [ { "url": "https://ak.psergete.com/4/6444276", "additionalData": { "DetonationVerdict": "GOOD", "DetonationFinalUrl": "https://ak.psergete.com/partitial/5117836/?var=6444276&ab2r=0&prfrev=false&rhd=false&sf=1", "DetonationScreenshot": "https://sentineldetonateprodweu.blob.core.windows.net/daasimagestore/20240216%5Cb0f73138-345a-49d6-9479-be879721b66e%5CScreenshot-0.png?skoid=df0239eb-5cb3-48ab-9e85-599bb72690f5&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-02-16T06%3A29%3A00Z&ske=2024-02-23T06%3A29%3A00Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2024-02-16T06%3A29%3A00Z&se=2024-02-23T06%3A29%3A00Z&sr=b&sp=r&sig=AH6n1hWUfkZFyNKeCbFigicLlC8%2FXnIZ%2Bhm9lnH59mw%3D" },
It's almost like Sentinel does the actual workload but fails to include the result.
Peace
Fredrik