MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 10 additions & 0 deletions
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 20 additions & 11 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 20 additions & 11 deletions
diff --git a/‎articles/sentinel/bookmarks.md
Lines changed: 92 additions & 42 deletions b/‎articles/sentinel/bookmarks.md
Lines changed: 92 additions & 42 deletions
diff --git a/‎articles/sentinel/connect-aws.md
Lines changed: 3 additions & 3 deletions b/‎articles/sentinel/connect-aws.md
Lines changed: 3 additions & 3 deletions
@@ -26039,11 +26039,21 @@
       "redirect_url": "/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-powershell",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sentinel/tutorial-detect-threats.md",
+      "redirect_url": "/azure/sentinel/tutorial-detect-threats-built-in",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/sentinel/user-analytics.md",
       "redirect_url": "/azure/sentinel/overview",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sentinel/connect-fusion.md",
+      "redirect_url": "/azure/sentinel/fusion",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/security-center/security-center-ata-integration.md",
       "redirect_url": "/azure/security-center/security-center-partner-integration",
 
@@ -1,4 +1,4 @@
-- name: Azure Sentinel Preview Documentation
+- name: Azure Sentinel Documentation
   href: index.yml
 - name: Overview
   href: overview.md
@@ -9,22 +9,29 @@
     href: quickstart-onboard.md
   - name: Get visibility into alerts
     href: quickstart-get-visibility.md
-  
 - name: Tutorials
   items:
-  - name: Detect suspicious threats
-    href: tutorial-detect-threats.md
+  - name: Use built-in analytics to detect threats
+    href: tutorial-detect-threats-built-in.md
+  - name: Create custom rules to detect threats
+    href: tutorial-detect-threats-custom.md  
+  - name: Monitor your data
+    href: tutorial-monitor-your-data.md
   - name: Investigate incidents
     href: tutorial-investigate-cases.md 
   - name: Respond to threats
-    href: tutorial-respond-threats-playbook.md  
-
+    href: tutorial-respond-threats-playbook.md    
+- name: Concepts
+  items:
+  - name: Assign permissions using roles
+    href: roles.md
+  - name: Advanced multistage attack detection
+    href: fusion.md
 - name: How-to guides
   items:
   - name: Connect data sources
     href: connect-data-sources.md
     items:
-
     - name: Connect Microsoft services
       items:
       - name: Connect Azure AD
@@ -51,7 +58,6 @@
         href: connect-windows-firewall.md
       - name: Connect Windows security events
         href: connect-windows-security-events.md  
-
     - name: Connect external solutions
       items:
       - name: Connect generic CEF
@@ -78,16 +84,19 @@
       href: connect-threat-intelligence.md  
     - name: Connect Azure Stack VMs
       href: connect-azure-stack.md  
+  - name: Multiple tenants (MSSP)
+    href: multiple-tenants-service-providers.md
+  - name: Create incidents from alerts
+    href: create-incidents-from-alerts.md
   - name: Hunting
     href: hunting.md
     items:
     - name: Use notebooks to hunt
       href: notebooks.md
     - name: Use bookmarks to hunt
       href: bookmarks.md
-  - name: Enable fusion
-    href: connect-fusion.md
-
+  - name: Remove Azure Sentinel
+    href: offboard.md
 - name: Resources
   items:
   - name: Useful resources
 
@@ -1,5 +1,5 @@
 ---
-title: Keep track of data while hunting in Azure Sentinel Preview using hunting bookmarks | Microsoft Docs
+title: Keep track of data while hunting in Azure Sentinel using hunting bookmarks | Microsoft Docs
 description: This article describes how to use the Azure Sentinel hunting bookmarks to keep track of data.
 services: sentinel
 documentationcenter: na
@@ -15,80 +15,130 @@ ms.topic: conceptual
 ms.custom: mvc
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 2/28/2019
+ms.date: 09/24/2019
 ms.author: rkarlin
 ---
 
-# Keep track of data during hunting
+# Keep track of data during hunting with Azure Sentinel
 
-> [!IMPORTANT]
-> Azure Sentinel is currently in public preview.
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. 
-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
- 
 Threat hunting typically requires reviewing mountains of log data looking for evidence of malicious behavior. During this process, investigators find events that they want to remember, revisit, and analyze as part of validating potential hypotheses and understanding the full story of a compromise.
-Hunting bookmarks help you do this, by preserving the queries you ran in Log Analytics, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.   
 
-You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** page. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Log Analytics. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
+Hunting bookmarks in Azure Sentinel help you do this, by preserving the queries you ran in Log Analytics, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
+
+You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** pane. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Azure Monitor. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
 
-You can also visualize your bookmarked data, by clicking **Investigate**. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
+Currently in preview, if you find something that urgently needs to be addressed while hunting in your logs, in a couple of clicks, you can create a bookmark and promote it to an incident, or add the bookmark to an existing incident. For more information about incidents, see [Tutorial: Investigate incidents with Azure Sentinel](tutorial-investigate-cases.md). 
 
+Also in preview, you can visualize your bookmarked data, by clicking **Investigate** from the bookmark details. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
 
-## Run a Log Analytics query from Azure Sentinel
+## Add a bookmark
 
-1. In the Azure Sentinel portal, click **Hunting** to run queries for suspicious and anomalous behavior.
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** to run queries for suspicious and anomalous behavior.
 
-1. To run a hunting campaign, select one of the hunting queries and on the left, review the results. 
+2. Select one of the hunting queries and on the right, in the hunting query details, select **Run Query**. 
 
-1. Click **View query results** in the hunting query **Details** page to view the query results in Log Analytics. Here's an example of what you see if you ran a custom SSH bruteforce attack query.
-  
-   ![show results](./media/bookmarks/ssh-bruteforce-example.png)
+3. Select **View query results**. For example:
+    
+    > [!div class="mx-imgBorder"]
+    > ![view query results from Azure Sentinel hunting](./media/bookmarks/new-processes-observed-example.png)
+    
+    This action opens the query results in the **Logs** pane.
 
-## Add a bookmark
+4. From the log query results list, expand the row that contains the information you find interesting.
 
-1. In the Log Analytics query results list, expand the row containing the information that you find interesting.
+5. Select the ellipsis (...) on the left, and then select **Add hunting bookmark**:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Add hunting bookmark to query](./media/bookmarks/add-hunting-bookmark.png)
 
-4. Select the ellipsis (...) at the end of the row, and select **Add hunting bookmarks**.
-5. On the right, in the **Details** page, update the name, and add tags, and notes to help you identify what was interesting about the item.
-6. Click **Save** to commit your changes. All bookmarked data is shared with other investigators, and is a first step toward a collaborative investigation experience.
+6. On the right, in the **Add hunting bookmark** pane, optionally, update the bookmark name, add tags, and notes to help you identify what was interesting about the item.
 
-   ![show results](./media/bookmarks/add-bookmark-la.png)
+7. In the **Query Information** section, use the drop down boxes to extract information from the query results for the **Account**, **Host**, and **IP address** entity types. This action maps the selected entity type to a specific column from the query result. For example:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Map entity types for hunting bookmark](./media/bookmarks/map-entity-types-bookmark.png)
+    
+    To view the bookmark in the investigation graph (currently in preview), you must map at least one entity type that is either **Account**, **Host**, or **IP address**. 
+
+5. Click **Add** to commit your changes and add the bookmark. All bookmarked data is shared with other investigators, and is a first step toward a collaborative investigation experience.
 
 
 > [!NOTE]
-> You can also use bookmarks with arbitrary Log Analytics queries launched from the Azure Sentinel Log Analytics Logs page, or queries created on the fly from the Log Analytics page and opened from the Hunting page. You will not be able to add a bookmark if you launch Log Analytics from outside of Azure Sentinel. 
+> The log query results support bookmarks whenever this pane is opened from Azure Sentinel. For example, you select **General** > **Logs** from the navigation bar, select event links in the investigations graph, or select an alert ID from the full details of an incident (currently in preview). You can't create bookmarks when the **Logs** pane is opened from other locations, such as directly from Azure Monitor.
 
 ## View and update bookmarks 
 
-1. In the Azure Sentinel portal, click **Hunting**. 
-2. Click the **Bookmarks** tab in the middle of the page to view the list of bookmarks.
-3. Use the search box or filter options to find a specific bookmark.
-4. Select individual bookmarks in the grid below to view the bookmark details in the right hand details pane.
-5. To update tags and notes, click on the editable text boxes and click **Save** to preserve your changes.
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting**. 
+
+2. Select the **Bookmarks** tab to view the list of bookmarks.
+
+3. To help you find a specific bookmark, use the search box or filter options.
+
+4. Select individual bookmarks and view the bookmark details in the right-hand details pane.
+
+5. Make your changes as needed, which are automatically saved.
+
+## Exploring bookmarks in the investigation graph
+
+> [!IMPORTANT]
+> Exploring bookmarks in the investigation graph and the investigation graph itself are currently in public preview.
+> These features are provided without a service level agreement, and not recommended for production workloads.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to investigate.
+
+2. In the bookmark details, ensure that at least one entity is mapped. For example, for **ENTITIES**, you see entries for **IP**, **Machine**, or **Account**.
+
+3. Click **Investigate** to view the bookmark in the investigation graph.
+
+For instructions to use the investigation graph, see [Use the investigation graph to deep dive](tutorial-investigate-cases.md#use-the-investigation-graph-to-deep-dive).
+
+## Add bookmarks to a new or existing incident
+
+> [!IMPORTANT]
+> Adding bookmarks to a new or existing incident is currently in public preview.
+> This feature is provided without a service level agreement, and it's not recommended for production workloads.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
-   ![show results](./media/bookmarks/view-update-bookmarks.png)
+1. In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to add to an incident.
 
-## View bookmarked data in Log Analytics 
+2. Select **Incident actions (Preview)** from the command bar:
+    
+    > [!div class="mx-imgBorder"]
+    > ![Add bookmarks to incident](./media/bookmarks/incident-actions.png)
 
-There are multiple options to viewing your bookmarked data in Log Analytics. 
+3. Select either **Create new incident** or **Add to existing incident**, as required. Then:
+    
+    - For a new incident: Optionally update the details for the incident, and then select **Create**.
+    - For adding a bookmark to an existing incident: Select one incident, and then select **Add**. 
 
-The easiest way to view bookmarked queries, results, or history is by selecting the desired bookmark in the **Bookmarks** table and use the links provided in the details pane. Options include: 
-- Click on **View query** to view the source query in Log Analytics.  
-- Click on **View bookmark history** to see all bookmark metadata including: who made the update, the updated values, and the time the update occurred. 
+To view the bookmark within the incident: Navigate to **Sentinel** > **Threat management** > **Incidents** and select the incident with your bookmark. Select **View full details**, and then select the **Bookmarks** tab.
 
-- You can also view the raw bookmark data for all bookmarks by clicking on **Bookmark logs** above the bookmark grid. This view will show the all your bookmarks in the hunting bookmark table with associated metadata. You can use KQL queries to filter down to the latest version of the specific bookmark you are looking for.  
+## View bookmarked data in logs
 
+To view bookmarked queries, results, or their history, select the bookmark from the **Hunting** > **Bookmarks** tab, and use the links provided in the details pane: 
+
+- **View source query** to view the source query in the **Logs** pane.
+
+- **View bookmark logs** to see all bookmark metadata, which includes who made the update, the updated values, and the time the update occurred.
+
+You can also view the raw bookmark data for all bookmarks by selecting **Bookmark Logs** from the command bar on the **Hunting** > **Bookmarks** tab:
+
+> [!div class="mx-imgBorder"]
+> ![Bookmark Logs](./media/bookmarks/bookmark-logs.png)
+
+This view shows all your bookmarks with associated metadata. You can use [Keyword Query Language](https://docs.microsoft.com/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) (KQL) queries to filter down to the latest version of the specific bookmark you are looking for.
 
 > [!NOTE]
-> There can be significant delay (measured in minutes) between the creation of a bookmark and when it is displayed in the **HuntingBookmark** table. It is recommended to create your bookmarks first, then analyze them after the data is ingested. 
+> There can be a significant delay (measured in minutes) between the time you create a bookmark and when it is displayed in the **Bookmarks** tab.
 
 ## Delete a bookmark
-If you want to delete a bookmark do the following: 
-1.	Open th **Hunting bookmark** tab. 
-2.	Select the target bookmark.
-3.	Select the ellipsis (...) at the end of the row and select **Delete bookmark**.
+ 
+1.	In the Azure portal, navigate to **Sentinel** > **Threat management** > **Hunting** > **Bookmarks** tab, and select the bookmark or bookmarks you want to delete. 
+
+2. Select the ellipsis (...) at the end of the row and select **Delete bookmark**.
 
-Deleting the bookmark removes the bookmark from the list in the **Bookmark** tab.  The Log Analytics “HuntingBookmark” table will continue to contain previous bookmark entries, but the latest entry will change the **SoftDelete** value to true, making it easy to filter out old bookmarks.  Deleting a bookmark does not remove any entities from the investigation experience that are associated with other bookmarks or alerts. 
+Deleting the bookmark removes the bookmark from the list in the **Bookmark** tab. The Log Analytics **HuntingBookmark** table will continue to contain previous bookmark entries, but the latest entry will change the **SoftDelete** value to true, making it easy to filter out old bookmarks. Deleting a bookmark does not remove any entities from the investigation experience that are associated with other bookmarks or alerts. 
 
 
 ## Next steps
 
@@ -1,5 +1,5 @@
 ---
-title: Connect Symantec AWS data to Azure Sentinel Preview| Microsoft Docs
+title: Connect Symantec AWS data to Azure Sentinel | Microsoft Docs
 description: Learn how to connect Symantec AWS data to Azure Sentinel.
 services: sentinel
 documentationcenter: na
@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 07/10/2019
+ms.date: 09/23/2019
 ms.author: rkarlin
 
 ---
@@ -79,5 +79,5 @@ You must have write permission on the Azure Sentinel workspace.
 ## Next steps
 In this document, you learned how to connect AWS CloudTrail to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
 - Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
-- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md).
+- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).