articles/sentinel/bookmarks.md (7 additions & 31 deletions)
@@ -1,10 +1,10 @@
1
1
---
2
-
title: Use hunting bookmarks for data investigations in Microsoft Sentinel
2
+
title: Hunt with bookmarks in Microsoft Sentinel
3
3
description: This article describes how to use the Microsoft Sentinel hunting bookmarks to keep track of data.
4
4
ms.author: austinmc
5
5
author: austinmccollum
6
6
ms.topic: how-to
7
-
ms.date: 03/12/2024
7
+
ms.date: 04/23/2024
8
8
ms.collection: usx-security
9
9
appliesto:
10
10
- Microsoft Sentinel in the Azure portal
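Review bot: the `title` front matter changes to "Hunt with bookmarks in Microsoft Sentinel", but the `description` on line 3 still reads "how to use the Microsoft Sentinel hunting bookmarks to keep track of data", and the H1 further down the file ("Keep track of data during hunting with Microsoft Sentinel") is not touched by this commit, so the browser title, the description and the page heading now say three different things; consider updating the description and the H1 to the wording of the new title. The `ms.date` bump to 04/23/2024 is appropriate for a content change of this size.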
@@ -13,27 +13,7 @@ appliesto:
13
13
14
14
# Keep track of data during hunting with Microsoft Sentinel
15
15
16
-
Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise.
17
-
18
-
Hunting bookmarks in Microsoft Sentinel help you by preserving the queries you ran in **Microsoft Sentinel - Logs**, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
19
-
20
-
Now you can identify and address gaps in MITRE ATT&CK technique coverage, across all hunting queries, by mapping your custom hunting queries to MITRE ATT&CK techniques.
21
-
22
-
Investigate more types of entities while hunting with bookmarks, by mapping the full set of entity types and identifiers supported by Microsoft Sentinel Analytics in your custom queries. Use bookmarks to explore the entities returned in hunting query results using [entity pages](entities.md#entity-pages), [incidents](investigate-cases.md) and the [investigation graph](investigate-cases.md#use-the-investigation-graph-to-deep-dive). If a bookmark captures results from a hunting query, it automatically inherits the query's MITRE ATT&CK technique and entity mappings.
23
-
24
-
If you find something that urgently needs to be addressed while hunting in your logs, you can easily create a bookmark and either promote it to an incident or add it to an existing incident. For more information about incidents, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).
25
-
26
-
If you found something worth bookmarking, but that isn't immediately urgent, you can create a bookmark and then revisit your bookmarked data at any time on the **Bookmarks** tab of the **Hunting** pane. You can use filtering and search options to quickly find specific data for your current investigation.
27
-
28
-
You can visualize your bookmarked data by selecting **Investigate** from the bookmark details. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
29
-
30
-
Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in your Log Analytics workspace. For example:
31
-
32
-
:::image type="content" source="media/bookmarks/bookmark-table.png" alt-text="Screenshot of viewing hunting bookmarks table." lightbox="media/bookmarks/bookmark-table.png":::
33
-
34
-
Viewing bookmarks from the table enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
Hunting bookmarks in Microsoft Sentinel helps you preserve the queries and query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration. For more information, see [Bookmarks](hunting.md#bookmarks).
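Review bot: two statements in the deleted block have no replacement, neither in the new one-paragraph summary nor in the hunting.md changes in this commit: that custom hunting queries can be mapped to MITRE ATT&CK techniques and to the full set of entity types and identifiers (old lines 20 and 22), and that a bookmark created from a hunting query automatically inherits the query's MITRE ATT&CK technique and entity mappings. Unless hunting.md#bookmarks already covers this, keep at least the inheritance sentence here, since it explains why a bookmark carries mappings the user never set. On the added line, "Hunting bookmarks in Microsoft Sentinel helps you preserve" should read "help you preserve" (plural subject).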
@@ -42,7 +22,7 @@ Viewing bookmarks from the table enables you to filter, summarize, and join book
42
22
Create a bookmark to preserve the queries, results, your observations, and findings.
43
23
44
24
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management** select **Hunting**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Hunting**.
45
-
25
+
1. From the **Hunting** tab, select a hunt.
46
26
1. Select one of the hunting queries.
47
27
1. In the hunting query details, select **Run Query**.
48
28
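Review bot: the changed step now reads "From the **Hunting** tab, select a hunt" directly after a step that navigates to **Threat management** > **Hunting**, so "**Hunting** tab" reads as the pane the user is already on rather than a tab inside it; if the intent is a specific tab of the Hunting page (as "select a hunt" suggests), name that tab explicitly so the two steps are not read as the same action. The rendered diff shows only the new text for line 45/25, so the exact wording being replaced is not visible in this view.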
@@ -115,22 +95,18 @@ Add bookmarks to an incident from the bookmarks tab on the **Hunting** page.
115
95
- For a new incident: Optionally update the details for the incident, and then select **Create**.
116
96
- For adding a bookmark to an existing incident: Select one incident, and then select **Add**.
117
97
118
-
As an alternative to the **Incident actions** option on the command bar, you can use the context menu (**...**) for one or more bookmarks to select options to **Create new incident**, **Add to existing incident**, and **Remove from incident**.
119
-
120
-
To view the bookmark within the incident: Navigate to **Microsoft Sentinel** > **Threat management** > **Incidents** and select the incident with your bookmark. Select **View full details**, and then select the **Bookmarks** tab.
121
-
122
98
## View bookmarked data in logs
123
99
124
100
View bookmarked queries, results, or their history.
125
101
126
-
1.Select the bookmark from the **Hunting** > **Bookmarks** tab.
127
-
1.Select the links provided in the details pane:
102
+
1.From the **Hunting** > **Bookmarks** tab, select the bookmark.
103
+
1.From the details pane, select the following links:
128
104
129
105
-**View source query** to view the source query in the **Logs** pane.
130
106
131
107
-**View bookmark logs** to see all bookmark metadata, which includes who made the update, the updated values, and the time the update occurred.
132
108
133
-
1.View the raw bookmark data for all bookmarks by selecting **Bookmark Logs**from the command bar on the **Hunting** > **Bookmarks** tab:
109
+
1.From the command bar on the **Hunting** > **Bookmarks** tab, select **Bookmark Logs**to view the raw bookmark data for all bookmarks.
134
110
135
111
:::image type="content" source="media/bookmarks/bookmark-logs.png" alt-text="Screenshot of bookmark logs command.":::
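Review bot: the deleted lines 118-121 ("To view the bookmark within the incident: Navigate to **Microsoft Sentinel** > **Threat management** > **Incidents** ... select the **Bookmarks** tab") are the only instructions in this section for finding a bookmark from the incident side, and nothing in this commit adds them elsewhere; confirm they are covered in investigate-cases.md or keep them. On the reworded steps (new lines 102, 103 and 109): the list markers appear as `1.From` with no space after the period, and new line 109 carries over `**Bookmark Logs**from` with no space after the closing `**`; if these are present in the source and not an artifact of this rendered view, the ordered list will not render (a list marker needs a following space), so add the spaces while these lines are being edited. The two link names are also inconsistent, **View bookmark logs** in the details pane versus **Bookmark Logs** on the command bar; verify both against the UI.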
articles/sentinel/hunting.md (8 additions & 2 deletions)
@@ -126,7 +126,9 @@ In the example above, start with the table name SecurityEvent and add piped elem
126
126
We recommend that your query uses an [Advanced Security Information Model (ASIM) parser](normalization-about-parsers.md) and not a built-in table. This ensures that the query will support any current or future relevant data source rather than a single data source.
127
127
128
128
129
-
## Create bookmarks
129
+
## Bookmarks
130
+
131
+
Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise.
130
132
131
133
During the hunting and investigation process, you might come across query results that look unusual or suspicious. Bookmark these items to refer back to them in the future, such as when creating or enriching an incident for investigation. Events such as potential root causes, indicators of compromise, or other notable events should be raised as a bookmark. If a key event you bookmarked is severe enough to warrant an investigation, escalate it to an incident.
132
134
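Review bot: renaming the heading from "Create bookmarks" to "Bookmarks" changes its anchor from `#create-bookmarks` to `#bookmarks`; bookmarks.md in this same commit links to `hunting.md#bookmarks`, which is consistent, but any other page still linking to `hunting.md#create-bookmarks` will land at the top of the page, so search the repo for that anchor before merging. The paragraph moved in here ("Threat hunting typically requires reviewing mountains of log data...") is the same text removed from bookmarks.md, so the content is relocated rather than duplicated.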
@@ -137,10 +139,14 @@ During the hunting and investigation process, you might come across query result
137
139
138
140
- View all the bookmarked findings by clicking on the **Bookmarks** tab in the main **Hunting** page. Add tags to bookmarks to classify them for filtering. For example, if you're investigating an attack campaign, you can create a tag for the campaign, apply the tag to any relevant bookmarks, and then filter all the bookmarks based on the campaign.
139
141
140
-
- Investigate a single bookmarked finding by selecting the bookmark and then clicking **Investigate** in the details pane to open the investigation experience. You can also directly select a listed entity to view that entity’s corresponding entity page.
142
+
- Investigate a single bookmarked finding by selecting the bookmark and then clicking **Investigate** in the details pane to open the investigation experience. View, investigate, and visually communicate your findings by using an interactive entity-graph diagram and timeline. You can also directly select a listed entity to view that entity’s corresponding entity page.
141
143
142
144
You can also create an incident from one or more bookmarks, or add one or more bookmarks to an existing incident. Select a checkbox to the left of any bookmarks you want to use, and then select **Incident actions** > **Create new incident** or **Add to existing incident**. Triage and investigate the incident like any other.
145
+
- Alternatively, view your bookmarked data directly in the **HuntingBookmark** table in your Log Analytics workspace. For example:
146
+
147
+
:::image type="content" source="media/bookmarks/bookmark-table.png" alt-text="Screenshot of the hunting bookmarks table in the Log Analytics workspace." lightbox="media/bookmarks/bookmark-table.png":::
143
148
149
+
Viewing bookmarks from the table enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
144
150
For more information, see [Use bookmarks in hunting](bookmarks.md).
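Review bot: the new bullet "- Alternatively, view your bookmarked data directly in the **HuntingBookmark** table..." is inserted after the non-list paragraph "You can also create an incident from one or more bookmarks...", so it starts a separate one-item list rather than joining the **Bookmarks** tab and **Investigate** bullets above, and the image and the "Viewing bookmarks from the table enables you to filter..." paragraph that follow are not indented under it; either move the bullet up to join the existing list before the incident paragraph, or drop the `- ` and make it a plain paragraph. The closing link text "Use bookmarks in hunting" also no longer matches the new title of bookmarks.md ("Hunt with bookmarks in Microsoft Sentinel") set in this same commit.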