Merge pull request #89252 from cabailey/cabailey-azuredocs-bookmarks

Updates for bookmarks (preview features)

Author: ktoliver

articles/sentinel/bookmarks.md

@@ -15,77 +15,130 @@ ms.topic: conceptual
 ms.custom: mvc
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 09/10/2019
+ms.date: 09/24/2019
 ms.author: rkarlin
 ---
 
-# Keep track of data during hunting
+# Keep track of data during hunting with Azure Sentinel
 
-
- 
 Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise.
-Hunting bookmarks help you do this, by preserving the queries you ran in Log Analytics, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.   
 
-You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** page. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Log Analytics. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
+Hunting bookmarks in Azure Sentinel help you do this, by preserving the queries you ran in Log Analytics, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
 
-You can also visualize your bookmarked data, by clicking **Investigate**. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
+You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** pane. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Azure Monitor. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
 
+Currently in preview, if you find something that urgently needs to be addressed while hunting in your logs, in a couple of clicks, you can create a bookmark and promote it to an incident, or add the bookmark to an existing incident. For more information about incidents, see [Tutorial: Investigate incidents with Azure Sentinel](tutorial-investigate-cases.md). 
 
-## Run a Log Analytics query from Azure Sentinel
+Also in preview, you can visualize your bookmarked data, by clicking **Investigate** from the bookmark details. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
 
-1. In the Azure Sentinel portal, click **Hunting** to run queries for suspicious and anomalous behavior.
+## Add a bookmark
 
-1. To run a hunting campaign, select one of the hunting queries and on the left, review the results. 
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** to run queries for suspicious and anomalous behavior.
 
-1. Click **View query results** in the hunting query **Details** page to view the query results in Log Analytics. Here's an example of what you see if you ran a custom SSH bruteforce attack query.
-  
-   ![show results](./media/bookmarks/ssh-bruteforce-example.png)
+2. Select one of the hunting queries and on the right, in the hunting query details, select **Run Query**. 
 
-## Add a bookmark
+3. Select **View query results**. For example:
+    
+    > [!div class="mx-imgBorder"]
+    > ![view query results from Azure Sentinel hunting](./media/bookmarks/new-processes-observed-example.png)
+    
+    This action opens the query results in the **Logs** pane.
 
-1. In the Log Analytics query results list, expand the row containing the information that you find interesting.
+4. From the log query results list, expand the row that contains the information you find interesting.
 
-4. Select the ellipsis (...) at the end of the row, and select **Add hunting bookmarks**.
-5. On the right, in the **Details** page, update the name, and add tags, and notes to help you identify what was interesting about the item.
-6. Click **Save** to commit your changes. All bookmarked data is shared with other investigators, and is a first step toward a collaborative investigation experience.
+5. Select the ellipsis (...) on the left, and then select **Add hunting bookmark**:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Add hunting bookmark to query](./media/bookmarks/add-hunting-bookmark.png)
 
-   ![show results](./media/bookmarks/add-bookmark-la.png)
+6. On the right, in the **Add hunting bookmark** pane, optionally, update the bookmark name, add tags, and notes to help you identify what was interesting about the item.
+
+7. In the **Query Information** section, use the drop down boxes to extract information from the query results for the **Account**, **Host**, and **IP address** entity types. This action maps the selected entity type to a specific column from the query result. For example:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Map entity types for hunting bookmark](./media/bookmarks/map-entity-types-bookmark.png)
+    
+    To view the bookmark in the investigation graph (currently in preview), you must map at least one entity type that is either **Account**, **Host**, or **IP address**. 
+
+5. Click **Add** to commit your changes and add the bookmark. All bookmarked data is shared with other investigators, and is a first step toward a collaborative investigation experience.
 
 
 > [!NOTE]
-> You can also use bookmarks with arbitrary Log Analytics queries launched from the Azure Sentinel Log Analytics Logs page, or queries created on the fly from the Log Analytics page and opened from the Hunting page. You will not be able to add a bookmark if you launch Log Analytics from outside of Azure Sentinel. 
+> The log query results support bookmarks whenever this pane is opened from Azure Sentinel. For example, you select **General** > **Logs** from the navigation bar, select event links in the investigations graph, or select an alert ID from the full details of an incident (currently in preview). You can't create bookmarks when the **Logs** pane is opened from other locations, such as directly from Azure Monitor.
 
 ## View and update bookmarks 
 
-1. In the Azure Sentinel portal, click **Hunting**. 
-2. Click the **Bookmarks** tab in the middle of the page to view the list of bookmarks.
-3. Use the search box or filter options to find a specific bookmark.
-4. Select individual bookmarks in the grid below to view the bookmark details in the right hand details pane.
-5. To update tags and notes, click on the editable text boxes and click **Save** to preserve your changes.
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting**. 
+
+2. Select the **Bookmarks** tab to view the list of bookmarks.
+
+3. To help you find a specific bookmark, use the search box or filter options.
+
+4. Select individual bookmarks and view the bookmark details in the right-hand details pane.
+
+5. Make your changes as needed, which are automatically saved.
+
+## Exploring bookmarks in the investigation graph
+
+> [!IMPORTANT]
+> Exploring bookmarks in the investigation graph and the investigation graph itself are currently in public preview.
+> These features are provided without a service level agreement, and not recommended for production workloads.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to investigate.
 
-   ![show results](./media/bookmarks/view-update-bookmarks.png)
+2. In the bookmark details, ensure that at least one entity is mapped. For example, for **ENTITIES**, you see entries for **IP**, **Machine**, or **Account**.
 
-## View bookmarked data in Log Analytics 
+3. Click **Investigate** to view the bookmark in the investigation graph.
 
-There are multiple options to viewing your bookmarked data in Log Analytics. 
+For instructions to use the investigation graph, see [Use the investigation graph to deep dive](tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive).
 
-The easiest way to view bookmarked queries, results, or history is by selecting the desired bookmark in the **Bookmarks** table and use the links provided in the details pane. Options include: 
-- Click on **View query** to view the source query in Log Analytics.  
-- Click on **View bookmark history** to see all bookmark metadata including: who made the update, the updated values, and the time the update occurred. 
+## Add bookmarks to a new or existing incident
 
-- You can also view the raw bookmark data for all bookmarks by clicking on **Bookmark logs** above the bookmark grid. This view will show the all your bookmarks in the hunting bookmark table with associated metadata. You can use KQL queries to filter down to the latest version of the specific bookmark you are looking for.  
+> [!IMPORTANT]
+> Adding bookmarks to a new or existing incident is currently in public preview.
+> This feature is provided without a service level agreement, and it's not recommended for production workloads.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to add to an incident.
+
+2. Select **Incident actions (Preview)** from the command bar:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Add bookmarks to incident](./media/bookmarks/incident-actions.png)
+
+3. Select either **Create new incident** or **Add to existing incident**, as required. Then:
+    
+    - For a new incident: Optionally update the details for the incident, and then select **Create**.
+    - For adding a bookmark to an existing incident: Select one incident, and then select **Add**. 
+
+To view the bookmark within the incident: Navigate to **Sentinel** > **Threat management** > **Incidents** and select the incident with your bookmark. Select **View full details**, and then select the **Bookmarks** tab.
+
+## View bookmarked data in logs
+
+To view bookmarked queries, results, or their history, select the bookmark from the **Hunting** > **Bookmarks** tab, and use the links provided in the details pane: 
+
+- **View source query** to view the source query in the **Logs** pane.
+
+- **View bookmark logs** to see all bookmark metadata, which includes who made the update, the updated values, and the time the update occurred.
+
+You can also view the raw bookmark data for all bookmarks by selecting **Bookmark Logs** from the command bar on the **Hunting** > **Bookmarks** tab:
+
+> [!div class="mx-imgBorder"]
+> ![Bookmark Logs](./media/bookmarks/bookmark-logs.png)
+
+This view shows all your bookmarks with associated metadata. You can use [Keyword Query Language](https://docs.microsoft.com/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) (KQL) queries to filter down to the latest version of the specific bookmark you are looking for.
 
 > [!NOTE]
-> There can be significant delay (measured in minutes) between the creation of a bookmark and when it is displayed in the **HuntingBookmark** table. It is recommended to create your bookmarks first, then analyze them after the data is ingested. 
+> There can be a significant delay (measured in minutes) between the time you create a bookmark and when it is displayed in the **Bookmarks** tab.
 
 ## Delete a bookmark
-If you want to delete a bookmark, do the following: 
-1.	Open th **Hunting bookmark** tab. 
-2.	Select the target bookmark.
-3.	Select the ellipsis (...) at the end of the row and select **Delete bookmark**.
+ 
+1.	In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to delete. 
+
+2. Select the ellipsis (...) at the end of the row and select **Delete bookmark**.
 
-Deleting the bookmark removes the bookmark from the list in the **Bookmark** tab.  The Log Analytics “HuntingBookmark” table will continue to contain previous bookmark entries, but the latest entry will change the **SoftDelete** value to true, making it easy to filter out old bookmarks.  Deleting a bookmark does not remove any entities from the investigation experience that are associated with other bookmarks or alerts. 
+Deleting the bookmark removes the bookmark from the list in the **Bookmark** tab. The Log Analytics **HuntingBookmark** table will continue to contain previous bookmark entries, but the latest entry will change the **SoftDelete** value to true, making it easy to filter out old bookmarks. Deleting a bookmark does not remove any entities from the investigation experience that are associated with other bookmarks or alerts. 
 
 
 ## Next steps

articles/sentinel/media/bookmarks/add-hunting-bookmark.png

@@ -60,7 +60,7 @@ You'll only be able to investigate the incident if you used the entity mapping f
 
 1. Select **Investigate** to view the investigation map.
 
-## Use the investigation graph to deep dive (preview)
+## Use the investigation graph to deep dive
 
 The investigation graph enables analysts to ask the right questions for each investigation. The investigation graph helps you understand the scope, and identify the root cause, of a potential security threat by correlating relevant data with any involved entity. You can dive deeper and investigate any entity presented in the graph by selecting it and choosing between different expansion options.