Creating a URL Detonation Demo for Microsoft Sentinel
URL detonation is built into Microsoft Sentinel so another tool to accomplish this is not necessary
URL Detonation is a valuable feature of Microsoft Sentinel that provides deeper insights that enable faster triage of alerts. URL detonation is built into Microsoft Sentinel so another tool to accomplish this is not necessary.
I have a method that enables one to create a quick demo for this scenario that utilizes a Watchlist and an Analytics Rule.
The rule and watchlist for importing into your Microsoft Sentinel environment are available from one of my GitHub repos here: SentinelKQL/URLDetonation at master · rod-trent/SentinelKQL (github.com)
The Watchlist contains some canned URLs, but it can be modified, of course, to include any URLs you want to test/show.
The Analytics Rule maps the Watchlist items to the URL Entity.
…so that all the URLs from the Watchlist show up in the Incident’s Entities list…
These URLs are then detonated to show up in the Investigation graph.
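To make the Watchlist-to-URL-entity mapping concrete, here is an added example of a scheduled Analytics Rule written in the Sentinel detection YAML format. It is not the rule from the GitHub repo above; the watchlist alias `DemoURLs`, the column names `Url` and `Description`, and the placeholder rule id are assumptions, so adjust them to match the Watchlist you actually import.

```yaml
# Added example: scheduled Analytics Rule that surfaces every URL in a
# Watchlist as a URL entity, so the incident carries them for detonation.
# Assumptions: watchlist alias "DemoURLs" with CSV columns "Url" and
# "Description"; the id below is a placeholder, replace it with a new GUID.
id: 00000000-0000-0000-0000-000000000000
name: URL Detonation demo - Watchlist URLs
description: |
  Demo rule only. Reads URLs from the DemoURLs Watchlist and maps each one
  to a URL entity so it appears in the incident's Entities list and in the
  Investigation graph, where Sentinel's built-in URL detonation enriches it.
severity: Medium
requiredDataConnectors: []
# Every run returns the whole Watchlist, so the rule fires each hour for the demo.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
query: |
  // _GetWatchlist exposes each CSV column of the Watchlist as a column.
  _GetWatchlist('DemoURLs')
  | where isnotempty(Url)
  | project Url, Description, WatchlistUpdated = LastUpdatedTimeUTC
# The URL entity type uses the identifier "Url"; point it at the query column.
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
# One incident with all URLs as entities keeps the Investigation graph readable.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
version: 1.0.0
kind: Scheduled
```

If you build the rule in the portal wizard instead of from a template, paste the `query` block into the Rule logic step and, under Entity mapping, choose the URL entity and select the `Url` column for its `Url` identifier; that mapping is what causes the Watchlist items to be treated as URL entities rather than plain text.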