Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Using the new built-in URL detonation in Azure Sentinel
Published Nov 11 2019 09:52 AM 21.2K Views

Last week at Ignite, we announced the public preview of URL detonation in Azure Sentinel. This blog post provides more details on its benefits and how to enable it.

 

Security operations center (SOC) analysts constantly face the challenge of determining where to focus. URL detonation provides insights that can enable SOC analysts to triage alerts faster. For example, logs ingested by Azure Sentinel can contain URLs. For alerts that include a URL (e.g., a URL visited by a user from within the corporate network), that URL can be automatically detonated to gain added insight that can help accelerate the triage process.

 

With Azure Sentinel, URL detonation is built-in and is seamlessly integrated, eliminating the need to stitch together separate SIEM and detonation products.

 

The sections that follow provide a step-by-step overview of how to enable integrated URL detonation.

 

Enabling URL detonation

 

When creating scheduled alert rules, any URL data in the query results can be mapped to the newly available URL entity type. Whenever an alert containing a URL fires, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results.

 

Mapping URL entities

 

To map URLs from logs to the URL entity type, navigate to the Analytics blade. At the top of blade, click +Create and select Scheduled query rule to navigate to the Rule creation wizard. Click Set rule logic. In the Rule query field, you can reference any log that contains a column of URLs.  We’ll illustrate this by entering “CommonSecurityLog” in the Rule query field. After entering “CommonSecurityLog”, you’ll notice that the Choose column drop down for the URL entity type in the Map entities section is enabled.

 

RCW1.png

 

In “CommonSecurityLog”, there is a column called “RequestURL” that contains URLs. To map this column to the URL entity type, select it in the Choose column drop down and click Add.

 

RCW2.png

 

Once the column is added, the following code is automatically added to your Rule query. It maps the column of interest to the URL entity denoted by “URLCustomEntity”.

 

 

CommonSecurityLog
| extend URLCustomEntity = RequestURL

 

 

The Rule query will look like this and the URL entity type will be mapped as defined in the Rule query:

 

RCW3.png

  

To verify that the selected column contains well-formed URLs required for detonation, click View Query results > located below the Rule query field to navigate to the Logs blade where you can run the query. Inspecting the query results, you’ll notice that the URLs in the “URLCustomEntity” column are missing the protocol identifier:

 

RQ1.png

  

Here’s an example of how you can append the protocol identifier to the URL to create a well-formed URL for detonation (Note: As an example, you’ll need to do this step for Palo Alto logs in CEF format):

 

 

CommonSecurityLog
| extend Url = case(ApplicationProtocol == "ssl" and RequestURL !startswith "https://", strcat("https://", trim ('"', RequestURL)), ApplicationProtocol == "web-browsing" and RequestURL !startswith "http://", strcat("http://", trim ('"', RequestURL)), RequestURL)
| extend URLCustomEntity = Url

 

 

You can test this directly in the Logs blade to validate the formatting:

 

RQ2.png

 

The final Rule query will look like this:

 

RCW4.png

 

You can then configure the other parameters, review everything, and then finish creating your Rule.

 

Viewing detonation results in the Investigation blade

 

Once you’ve activated your Rule, you can navigate to the Incidents blade, select any Incident associated with your Rule, and click Investigate to view the detonation results in the Investigation blade.

 

The Investigation blade will include a graph with a node for the detonated URL as well as the following information:

 

  • URL – the original detonated URL.
  • DetonationVerdict – the high-level Boolean determination from detonation. ‘Bad’ means the site was classified as hosting malware/phishing content.
  • DetonationFinalUrl – the final observed landing page URL after all redirects from the original URL.
  • DetonationScreenshot – what the page looked like at the time the alert fired; you can click the screenshot to enlarge.

 

Palo Alto Alert Rule.png

 

Conclusion

 

URL detonation provides deeper insights that enable faster triage of alerts. Moreover, with Azure Sentinel, it’s seamlessly integrated and easy to enable. As a final tip, if you don’t’ see URLs in your logs, check that URL logging (e.g., threat logging) is enabled for your secure web gateways, web proxies, firewalls, or legacy IDS/IPS. You can also create custom logs to channel URLs of interest into Azure Sentinel.

 

4 Comments
Brass Contributor

Where can I access the verdicts other than the investigation graph?  Is there a query I can run to see verdicts?  What is the average time between submission and verdict?

Azure Sentinel has updated the entity mapping process. For information, see Map data fields to Azure Sentinel entities | Microsoft Docs. For more information about URL detonation, see Investigate incidents with UEBA data | Microsoft Docs.

Copper Contributor

This feature seems to work best for Sentinel Incidents that are created from ASI sheduled alerts, and not those Incidents that are created from other security alerts.
Even then, it is not consistant about which URLS get detonated and which do.

Copper Contributor

I agree this feature seems very "preview" at the moment, which is a pity since a consistent result would allow my team to skip the step of sending the URL to an external API for a screenshot. I have an example below where an incident is generated by a NRT rule triggering on blocked URLs from our firewalls logging to CommonSecurityLog.

The incident investigation has the DetonationFinalUrl entry but no screenshot.

 

 

If I view the information in the incident object as seen by a playbook there is an URL to the DetonationScreenshot.

 

"Urls": [ { "url": "https://ak.psergete.com/4/6444276", "additionalData": { "DetonationVerdict": "GOOD", "DetonationFinalUrl": "https://ak.psergete.com/partitial/5117836/?var=6444276&ab2r=0&prfrev=false&rhd=false&sf=1", "DetonationScreenshot": "https://sentineldetonateprodweu.blob.core.windows.net/daasimagestore/20240216%5Cb0f73138-345a-49d6-9479-be879721b66e%5CScreenshot-0.png?skoid=df0239eb-5cb3-48ab-9e85-599bb72690f5&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-02-16T06%3A29%3A00Z&ske=2024-02-23T06%3A29%3A00Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2024-02-16T06%3A29%3A00Z&se=2024-02-23T06%3A29%3A00Z&sr=b&sp=r&sig=AH6n1hWUfkZFyNKeCbFigicLlC8%2FXnIZ%2Bhm9lnH59mw%3D" },

 

It's almost like Sentinel does the actual workload but fails to include the result.

 

Peace

Fredrik

 

 

 

 

TheHoff70_0-1708066603726.png

Version history
Last update:
‎Nov 02 2021 05:43 PM
Updated by: