Creating an URL Detonation Demo for Microsoft Sentinel

URL Detonation is a valuable feature of Microsoft Sentinel that provides deeper insights that enable faster triage of alerts. URL detonation is built into Microsoft Sentinel so another tool to accomplish this is not necessary.

I have a method that enables one to create a quick demo for this scenario that utilizes a Watchlist and an Analytics Rule.

The rule and watchlist for importing into your Microsoft Sentinel environment are available from one of my GitHub repos here: SentinelKQL/URLDetonation at master ยท rod-trent/SentinelKQL (

The Watchlist contains some canned URLs, but it can be modified, of course, to include any URLs you want to test/show.

Watchlist URLs

The Analytics Rule maps the Watchlist items to the URL Entity.

Analytics Rule Entity mapping

…so that the all the URLs from the Watchlist show up in the Incident’s Entities list…

Entities in the Incident

These URLs are then detonated to show up in the Investigation graph.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]