Feb 16 2024 12:11 AM - edited Feb 16 2024 12:12 AM
Greetings
I came across this post again, regarding the Sentinel URL detonation feature, and it reminded me I need to check the forum for input on this.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-the-new-built-in-url-detonation....
I simply do not see the same information as presented by the blog post, which is frustrating since having a screenshot of the URL would save our team a visit to a 3rd party service for the screenshot.
What makes me curious is the fact that the screenshot information seems to be there in the incident as seen by the above incident when it's sent to a playbook.
{
"url": "mse-amx.csdata3.com",
"additionalData": {
"DetonationVerdict": "GOOD",
"DetonationFinalUrl": "mse-amx.csdata3.com",
"DetonationScreenshot": "https://sentineldetonateprodweu.blob.core.windows.net/daasimagestore/20240215%5C4ce5e731-e932-4dd1-8099-0e23c43680d3%5CScreenshot-0.png?skoid=df0239eb-5cb3-48ab-9e85-599bb72690f5&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-02-15T15%3A06%3A45Z&ske=2024-02-22T15%3A06%3A45Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2024-02-15T15%3A06%3A45Z&se=2024-02-22T15%3A06%3A45Z&sr=b&sp=r&sig=37RgHciOoQJEReT2MDxLlEO2R9LYPdpM28mbXl27dDg%3D"
}
}
In this case the rule generating the incident is an NRT but that shouldn't be the issue since the URL to the screenshot is written to the incident.
Feels like a bug but I don't know.
Regards
Fredrik