Commit 33b1663

Early draft
1 parent eb93ca8 commit 33b1663

2 files changed

+70
-63
lines changed

articles/sentinel/bookmarks.md

Lines changed: 11 additions & 0 deletions
@@ -14,10 +14,21 @@ ms.date: 10/24/2019
1414

1515
# Keep track of data during hunting with Azure Sentinel
1616

17+
> [!IMPORTANT]
18+
>
19+
> The features for mapping MITRE ATT&CK techniques and mapping an expanded set of entity types and identifiers for bookmarks are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
20+
>
21+
22+
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
23+
1724
Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise.
1825

1926
Hunting bookmarks in Azure Sentinel help you do this, by preserving the queries you ran in **Azure Sentinel - Logs**, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
2027

28+
Now you can identify and address gaps in MITRE ATT&CK technique coverage, across all hunting queries, by mapping your custom hunting queries to MITRE ATT&CK techniques.
29+
Also in preview, you can investigate more types of entities while hunting with bookmarks by mapping the full set of entity types and identifiers supported by Microsoft Sentinel Analytics in your custom queries. This enables you to use bookmarks to explore the entities returned in hunting query results using Entity Pages, incidents and the investigation graph. If a bookmark captures results from a hunting query, it automatically inherits the MITRE ATT&CK technique and entity mappings. For additional information on the preview see our blog post here.
30+
If you find something that urgently needs to be addressed while hunting in your logs, in a couple of clicks, you can create a bookmark and promote it to an incident, or add the bookmark to an existing incident. For more information about incidents, see Tutorial: Investigate incidents with Azure Sentinel.
31+
2132
You can revisit your bookmarked data at any time on the **Bookmarks** tab of the **Hunting** pane. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in your Log Analytics workspace. For example:
2233

2334
> [!div class="mx-imgBorder"]
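Review bot: the two new paragraphs in this hunk reference targets that are not actually linked: "For additional information on the preview see our blog post here." has no URL behind "here", and "Tutorial: Investigate incidents with Azure Sentinel" is plain text where the rest of the article uses markdown links; both should become links or the pointers should be dropped. "Microsoft Sentinel Analytics" in the entity-mapping paragraph is the only place this article uses that product name, every other line says "Azure Sentinel", so pick one name or make the rename deliberate across the file. The first added paragraph (mapping custom hunting queries to MITRE ATT&CK techniques) is covered by the PREVIEW note above it but carries no preview marker, while the next paragraph opens with "Also in preview"; suggest labelling both consistently.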

articles/sentinel/hunting.md

Lines changed: 59 additions & 63 deletions
@@ -1,29 +1,19 @@
11
---
22
title: Hunting capabilities in Azure Sentinel| Microsoft Docs
33
description: Use Azure Sentinel's built-in hunting queries to guide you into asking the right questions to find issues in your data.
4-
services: sentinel
5-
documentationcenter: na
64
author: yelevin
7-
manager: rkarlin
8-
editor: ''
9-
10-
ms.assetid: 6aa9dd27-6506-49c5-8e97-cc1aebecee87
115
ms.service: azure-sentinel
126
ms.subservice: azure-sentinel
13-
ms.devlang: na
147
ms.topic: conceptual
158
ms.custom: mvc
16-
ms.tgt_pltfrm: na
17-
ms.workload: na
189
ms.date: 08/08/2021
1910
ms.author: yelevin
2011
---
21-
2212
# Hunt for threats with Azure Sentinel
2313

2414
> [!IMPORTANT]
2515
>
26-
> The cross-resource query experience and upgrades to the **hunting dashboard** (see marked items below) are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
16+
> The cross-resource query experience and upgrades to **custom queries and bookmarks** (see marked items below) are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
2717
>
2818
2919
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
@@ -61,40 +51,90 @@ Use queries before, during, and after a compromise to take the following actions
6151
> - Use community resources, such as the [Azure Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries) to find additional queries and data sources.
6252
>
6353
64-
## Use the hunting dashboard (Public preview)
54+
## Use the hunting dashboard
6555

6656
The hunting dashboard enables you to run all your queries, or a selected subset, in a single selection. In the Azure Sentinel portal, select **Hunting**.
6757

68-
The table shown lists all the queries written by Microsoft's team of security analysts and any extra query you created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These templates are grouped by their various tactics - the icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration.
58+
The table shown lists all the queries written by Microsoft's team of security analysts and any extra query you created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These queries are grouped by their MITRE ATT&CK **tactics**. The icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration. MITRE ATT&CK **techniques** are shown in the **Techniques** column and describe the specific behavior identified by the hunting query.
6959

7060
:::image type="content" source="media/hunting/hunting-start.png" alt-text="Azure Sentinel starts hunting" lightbox="media/hunting/hunting-start.png":::
7161

72-
Use the hunting dashboard to identify where to start hunting, by looking at result count, spikes, or the change in result count over a 24-hour period. Sort and filter by favorites, data source, MITRE ATT&CK tactic or technique, results, or results delta. View queries that still need data sources connected**, and get recommendations on how to enable these queries.
62+
Use the hunting dashboard to identify where to start hunting, by looking at result count, spikes, or the change in result count over a 24-hour period. Sort and filter by favorites, data source, MITRE ATT&CK tactic or technique, results, results delta, or results delta percentage. View queries that still need data sources connected**, and get recommendations on how to enable these queries.
7363

7464
The following table describes detailed actions available from the hunting dashboard:
7565

7666
|Action |Description |
7767
|---------|---------|
7868
|**See how queries apply to your environment** | Select the **Run all queries (Preview)** button, or select a subset of queries using the check boxes to the left of each row and select the **Run selected queries (Preview)** button. <br><br>Running your queries can take anywhere from a few seconds to many minutes, depending on how many queries are selected, the time range, and the amount of data that is being queried. |
7969
|**View the queries that returned results** | After your queries are done running, view the queries that returned results using the **Results** filter: <br>- Sort to see which queries had the most or fewest results. <br>- View the queries that are not at all active in your environment by selecting *N/A* in the **Results** filter. <br>- Hover over the info icon (**i**) next to the *N/A* to see which data sources are required to make this query active. |
80-
|**Identify spikes in your data** | Identify spikes in the data by sorting or filtering on **Results delta**. <br><br>This compares the results of the last 24 hours against the results of the previous 24-48 hours, highlighting any large differences in volume. |
81-
|**View queries mapped to the MITRE Att&CK tactic** | The **MITRE ATT&CK tactic bar**, at the top of the table, lists how many queries are mapped to each MITRE ATT&CK tactic. The tactic bar gets dynamically updated based on the current set of filters applied. <br><br>This enables you to see which MITRE ATT&CK tactics show up when you filter by a given result count, a high result delta, *N/A* results, or any other set of filters. |
70+
|**Identify spikes in your data** | Identify spikes in the data by sorting or filtering on **Results delta** or **Results delta percentage**. <br><br>This compares the results of the last 24 hours against the results of the previous 24-48 hours, highlighting any large differences or relative difference in volume. |
71+
|**View queries mapped to the MITRE ATT&CK tactic** | The **MITRE ATT&CK tactic bar**, at the top of the table, lists how many queries are mapped to each MITRE ATT&CK tactic. The tactic bar gets dynamically updated based on the current set of filters applied. <br><br>This enables you to see which MITRE ATT&CK tactics show up when you filter by a given result count, a high result delta, *N/A* results, or any other set of filters. |
8272
|**View queries mapped to MITRE ATT&CK techniques** | Queries can also be mapped to MITRE ATT&CK techniques. You can filter or sort by MITRE ATT&CK techniques using the **Technique** filter. By opening a query, you will be able to select the technique to see the MITRE ATT&CK description of the technique. |
8373
|**Save a query to your favorites** | Queries saved to your favorites automatically run each time the **Hunting** page is accessed. You can create your own hunting query or clone and customize an existing hunting query template. |
8474
|**Run queries** | Select **Run Query** in the hunting query details page to run the query directly from the hunting page. The number of matches is displayed within the table, in the **Results** column. Review the list of hunting queries and their matches. |
8575
|**Review an underlying query** | Perform a quick review of the underlying query in the query details pane. You can see the results by clicking the **View query results** link (below the query window) or the **View Results** button (at the bottom of the pane). The query will open in the **Logs** (Log Analytics) blade, and below the query, you can review the matches for the query. |
8676
| | |
8777

8878

89-
## Create your own bookmarks
79+
## Create a custom hunting query
80+
81+
Create or modify a query and save it as your own query or share it with users who are in the same tenant.
82+
83+
:::image type="content" source="./media/hunting/save-query.png" alt-text="Save query" lightbox="./media/hunting/save-query.png":::
84+
85+
**To create a new query**:
86+
87+
1. Select **New query**.
88+
89+
1. Fill in all the blank fields and select **Create**.
90+
91+
1. (Preview) Create entity mappings by selecting entity types, identifiers and columns.
92+
93+
1. (Preview) Map MITRE ATT&CK techniques to your hunting queries by selecting the tactic, technique and sub-technique (if applicable).
94+
95+
:::image type="content" source="./media/hunting/new-query.png" alt-text="New query" lightbox="./media/hunting/new-query.png":::
96+
97+
**To clone and modify an existing query**:
98+
99+
1. Select the hunting query in the table you want to modify.
100+
101+
1. Select the ellipsis (...) in the line of the query you want to modify, and select **Clone query**.
102+
103+
:::image type="content" source="./media/hunting/clone-query.png" alt-text="Clone query" lightbox="./media/hunting/clone-query.png":::
104+
105+
1. Modify the query and select **Create**.
106+
107+
:::image type="content" source="./media/hunting/custom-query.png" alt-text="Custom query" lightbox="./media/hunting/custom-query.png":::
108+
109+
110+
111+
## Sample query
112+
113+
A typical query starts with a table name followed by a series of operators separated by \|.
114+
115+
In the example above, start with the table name SecurityEvent and add piped elements as needed.
116+
117+
1. Define a time filter to review only records from the previous seven days.
118+
119+
1. Add a filter in the query to only show event ID 4688.
120+
121+
1. Add a filter in the query on the CommandLine to contain only instances of cscript.exe.
122+
123+
1. Project only the columns you're interested in exploring and limit the results to 1000 and select **Run query**.
124+
125+
1. Select the green triangle and run the query. You can test the query and run it to look for anomalous behavior.
90126

91-
During the hunting and investigation process, you may come across query results that may look unusual or suspicious. Bookmark these items refer back to them in the future, such as when creating or enriching an incident for investigation.
127+
## Create bookmarks
128+
129+
During the hunting and investigation process, you may come across query results that may look unusual or suspicious. Bookmark these items to refer back to them in the future, such as when creating or enriching an incident for investigation.
92130

93131
- In your results, mark the checkboxes for any rows you want to preserve, and select **Add bookmark**. This creates for a record for each marked row - a bookmark - that contains the row results, the query that created the results, and entity mappings to extract users, hosts, and IP addresses. You can add your own tags and notes to each bookmark.
94132

133+
- (Preview) Bookmarks will default to use the same entity and MITRE ATT&CK technique mappings as the hunting query being investigated.
134+
95135
- View all the bookmarked findings by clicking on the **Bookmarks** tab in the main **Hunting** page. Add tags to bookmarks to classify them for filtering. For example, if you're investigating an attack campaign, you can create a tag for the campaign, apply the tag to any relevant bookmarks, and then filter all the bookmarks based on the campaign.
96136

97-
- Investigate a single bookmarked finding by selecting the bookmark and then clicking **Investigate** in the details pane to open the investigation experience.
137+
- Investigate a single bookmarked finding by selecting the bookmark and then clicking **Investigate** in the details pane to open the investigation experience. You can also directly select a listed entity to view that entity’s corresponding entity page.
98138

99139
You can also create an incident from one or more bookmarks or add one or more bookmarks to an existing incident. Select a checkbox to the left of any bookmarks you want to use, and then select **Incident actions** > **Create new incident** or **Add to existing incident**. Triage and investigate the incident like any other.
100140

@@ -184,50 +224,6 @@ The following operators are especially helpful in Azure Sentinel hunting queries
184224

185225
- **adx() (preview)** - This function performs cross-resource queries of Azure Data Explorer data sources from the Azure Sentinel hunting experience and Log Analytics. For more information, see [Cross-resource query Azure Data Explorer by using Azure Monitor](../azure-monitor/logs/azure-monitor-data-explorer-proxy.md).
186226

187-
## Save a query
188-
189-
Create or modify a query and save it as your own query or share it with users who are in the same tenant.
190-
191-
:::image type="content" source="./media/hunting/save-query.png" alt-text="Save query" lightbox="./media/hunting/save-query.png":::
192-
193-
**To create a new query**:
194-
195-
1. Select **New query**.
196-
197-
1. Fill in all the blank fields and select **Create**.
198-
199-
:::image type="content" source="./media/hunting/new-query.png" alt-text="New query" lightbox="./media/hunting/new-query.png":::
200-
201-
**To clone and modify an existing query**:
202-
203-
1. Select the hunting query in the table you want to modify.
204-
205-
1. Select the ellipsis (...) in the line of the query you want to modify, and select **Clone query**.
206-
207-
:::image type="content" source="./media/hunting/clone-query.png" alt-text="Clone query" lightbox="./media/hunting/clone-query.png":::
208-
209-
1. Modify the query and select **Create**.
210-
211-
:::image type="content" source="./media/hunting/custom-query.png" alt-text="Custom query" lightbox="./media/hunting/custom-query.png":::
212-
213-
214-
215-
## Sample query
216-
217-
A typical query starts with a table name followed by a series of operators separated by \|.
218-
219-
In the example above, start with the table name SecurityEvent and add piped elements as needed.
220-
221-
1. Define a time filter to review only records from the previous seven days.
222-
223-
1. Add a filter in the query to only show event ID 4688.
224-
225-
1. Add a filter in the query on the CommandLine to contain only instances of cscript.exe.
226-
227-
1. Project only the columns you're interested in exploring and limit the results to 1000 and select **Run query**.
228-
229-
1. Select the green triangle and run the query. You can test the query and run it to look for anomalous behavior.
230-
231227
## Next steps
232228

233229
In this article, you learned how to run a hunting investigation with Azure Sentinel.
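Review bot: this hunk deletes the "## Save a query" and "## Sample query" headings from their old position, and the previous hunk renames "## Create your own bookmarks" to "## Create bookmarks"; the anchors #save-a-query and #create-your-own-bookmarks will stop resolving for any existing deep links, so check for inbound links to those anchors (in this repo and in the bookmarks article) before merging, or keep the old heading text where it still fits. The relocated blocks read as identical to the removed ones, so no content is lost by the move itself.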
