Blog Post

Microsoft Sentinel Blog
3 MIN READ

Using the new built-in URL detonation in Azure Sentinel

Amar Patel (C AND E)'s avatar
Amar Patel (C AND E)
Icon for Microsoft rankMicrosoft
Nov 11, 2019

Last week at Ignite, we announced the public preview of URL detonation in Azure Sentinel. This blog post provides more details on its benefits and how to enable it.

 

Security operations center (SOC) analysts constantly face the challenge of determining where to focus. URL detonation provides insights that can enable SOC analysts to triage alerts faster. For example, logs ingested by Azure Sentinel can contain URLs. For alerts that include a URL (e.g., a URL visited by a user from within the corporate network), that URL can be automatically detonated to gain added insight that can help accelerate the triage process.

 

With Azure Sentinel, URL detonation is built-in and is seamlessly integrated, eliminating the need to stitch together separate SIEM and detonation products.

 

The sections that follow provide a step-by-step overview of how to enable integrated URL detonation.

 

Enabling URL detonation

 

When creating scheduled alert rules, any URL data in the query results can be mapped to the newly available URL entity type. Whenever an alert containing a URL fires, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results.

 

Mapping URL entities

 

To map URLs from logs to the URL entity type, navigate to the Analytics blade. At the top of blade, click +Create and select Scheduled query rule to navigate to the Rule creation wizard. Click Set rule logic. In the Rule query field, you can reference any log that contains a column of URLs.  We’ll illustrate this by entering “CommonSecurityLog” in the Rule query field. After entering “CommonSecurityLog”, you’ll notice that the Choose column drop down for the URL entity type in the Map entities section is enabled.

 

 

In “CommonSecurityLog”, there is a column called “RequestURL” that contains URLs. To map this column to the URL entity type, select it in the Choose column drop down and click Add.

 

 

Once the column is added, the following code is automatically added to your Rule query. It maps the column of interest to the URL entity denoted by “URLCustomEntity”.

 

 

CommonSecurityLog
| extend URLCustomEntity = RequestURL

 

 

The Rule query will look like this and the URL entity type will be mapped as defined in the Rule query:

 

  

To verify that the selected column contains well-formed URLs required for detonation, click View Query results > located below the Rule query field to navigate to the Logs blade where you can run the query. Inspecting the query results, you’ll notice that the URLs in the “URLCustomEntity” column are missing the protocol identifier:

 

  

Here’s an example of how you can append the protocol identifier to the URL to create a well-formed URL for detonation (Note: As an example, you’ll need to do this step for Palo Alto logs in CEF format):

 

 

CommonSecurityLog
| extend Url = case(ApplicationProtocol == "ssl" and RequestURL !startswith "https://", strcat("https://", trim ('"', RequestURL)), ApplicationProtocol == "web-browsing" and RequestURL !startswith "http://", strcat("http://", trim ('"', RequestURL)), RequestURL)
| extend URLCustomEntity = Url

 

 

You can test this directly in the Logs blade to validate the formatting:

 

 

The final Rule query will look like this:

 

 

You can then configure the other parameters, review everything, and then finish creating your Rule.

 

Viewing detonation results in the Investigation blade

 

Once you’ve activated your Rule, you can navigate to the Incidents blade, select any Incident associated with your Rule, and click Investigate to view the detonation results in the Investigation blade.

 

The Investigation blade will include a graph with a node for the detonated URL as well as the following information:

 

  • URL – the original detonated URL.
  • DetonationVerdict – the high-level Boolean determination from detonation. ‘Bad’ means the site was classified as hosting malware/phishing content.
  • DetonationFinalUrl – the final observed landing page URL after all redirects from the original URL.
  • DetonationScreenshot – what the page looked like at the time the alert fired; you can click the screenshot to enlarge.

 

 

Conclusion

 

URL detonation provides deeper insights that enable faster triage of alerts. Moreover, with Azure Sentinel, it’s seamlessly integrated and easy to enable. As a final tip, if you don’t’ see URLs in your logs, check that URL logging (e.g., threat logging) is enabled for your secure web gateways, web proxies, firewalls, or legacy IDS/IPS. You can also create custom logs to channel URLs of interest into Azure Sentinel.

 

Updated Nov 03, 2021
Version 3.0
detection
investigation
microsoft sentinel
security
  • andrew_bryant's avatar
    andrew_bryant
    Brass Contributor
    Dec 12, 2019

    Where can I access the verdicts other than the investigation graph?  Is there a query I can run to see verdicts?  What is the average time between submission and verdict?

  • secopsmcc's avatar
    secopsmcc
    Copper Contributor
    Jan 29, 2024

    This feature seems to work best for Sentinel Incidents that are created from ASI sheduled alerts, and not those Incidents that are created from other security alerts.
    Even then, it is not consistant about which URLS get detonated and which do.

  • TheHoff70's avatar
    TheHoff70
    Brass Contributor
    Feb 16, 2024

    I agree this feature seems very "preview" at the moment, which is a pity since a consistent result would allow my team to skip the step of sending the URL to an external API for a screenshot. I have an example below where an incident is generated by a NRT rule triggering on blocked URLs from our firewalls logging to CommonSecurityLog.

    The incident investigation has the DetonationFinalUrl entry but no screenshot.

     

     

    If I view the information in the incident object as seen by a playbook there is an URL to the DetonationScreenshot.

     

    "Urls": [ { "url": "https://ak.psergete.com/4/6444276", "additionalData": { "DetonationVerdict": "GOOD", "DetonationFinalUrl": "https://ak.psergete.com/partitial/5117836/?var=6444276&ab2r=0&prfrev=false&rhd=false&sf=1", "DetonationScreenshot": "https://sentineldetonateprodweu.blob.core.windows.net/daasimagestore/20240216%5Cb0f73138-345a-49d6-9479-be879721b66e%5CScreenshot-0.png?skoid=df0239eb-5cb3-48ab-9e85-599bb72690f5&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-02-16T06%3A29%3A00Z&ske=2024-02-23T06%3A29%3A00Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2024-02-16T06%3A29%3A00Z&se=2024-02-23T06%3A29%3A00Z&sr=b&sp=r&sig=AH6n1hWUfkZFyNKeCbFigicLlC8%2FXnIZ%2Bhm9lnH59mw%3D" },

     

    It's almost like Sentinel does the actual workload but fails to include the result.

     

    Peace

    Fredrik