Detonation screenshot missing

Brass Contributor

Greetings

I came across this post again, regarding the Sentinel URL detonation feature, and it reminded me I need to check the forum for input on this.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-the-new-built-in-url-detonation....

I simply does not see the same information as presented by the blog post which is frustrating since having a screenshot of the URL would save our team a visit to a 3rd party service for the screenshot.

TheHoff70_0-1708070754910.png

 

What makes me qurious is the fact that the screenshot information seems to be there in the incident as seen by the above incident when it's sent to a playbook.

 

 

{
      "url": "mse-amx.csdata3.com",
      "additionalData": {
        "DetonationVerdict": "GOOD",
        "DetonationFinalUrl": "mse-amx.csdata3.com",
        "DetonationScreenshot": "https://sentineldetonateprodweu.blob.core.windows.net/daasimagestore/20240215%5C4ce5e731-e932-4dd1-8099-0e23c43680d3%5CScreenshot-0.png?skoid=df0239eb-5cb3-48ab-9e85-599bb72690f5&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-02-15T15%3A06%3A45Z&ske=2024-02-22T15%3A06%3A45Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2024-02-15T15%3A06%3A45Z&se=2024-02-22T15%3A06%3A45Z&sr=b&sp=r&sig=37RgHciOoQJEReT2MDxLlEO2R9LYPdpM28mbXl27dDg%3D"
      }

 

 

In this case the rule generating the incident is an NRT but that shouldn't be the issue since the URL to the screenshot is written to the incident.

Feels like a bug but I don't know.

 

Regards

Fredrik

0 Replies