Commit b0b42cb

author
cabailey
committed
add ref for KQL
1 parent 3f73570 commit b0b42cb

1 file changed

+5
-5
lines changed

articles/sentinel/bookmarks.md

Lines changed: 5 additions & 5 deletions
@@ -25,9 +25,9 @@ Threat hunting typically requires reviewing mountains of log data looking for ev
2525

2626
Hunting bookmarks in Azure Sentinel help you do this, by preserving the queries you ran in Log Analytics, along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
2727

28-
You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** page. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Log Analytics. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
28+
You can revisit your bookmarked data at any time on the **Bookmark** tab of the **Hunting** blade. You can use filtering and search options to quickly find specific data for your current investigation. Alternatively, you can view your bookmarked data directly in the **HuntingBookmark** table in Azure Monitor. This enables you to filter, summarize, and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
2929

30-
Currently in preview, if you find something that urgently needs to be addressed while hunting in Log Analytics, in a couple of clicks, you can create a bookmark and promote it to an incident, or add the bookmark to an existing incident. For more information about incidents, see [Tutorial: Investigate incidents with Azure Sentinel](tutorial-investigate-cases.md).
30+
Currently in preview, if you find something that urgently needs to be addressed while hunting in your logs, in a couple of clicks, you can create a bookmark and promote it to an incident, or add the bookmark to an existing incident. For more information about incidents, see [Tutorial: Investigate incidents with Azure Sentinel](tutorial-investigate-cases.md).
3131

3232
Also in preview, you can visualize your bookmarked data, by clicking **Investigate** from the bookmark details. This launches the investigation experience in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
3333
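
Review bot: On line 28 the **HuntingBookmark** table is now said to be "in Azure Monitor", while the unchanged line 26 still says the queries were run "in Log Analytics" and line 30 now says "in your logs", so three adjacent paragraphs use three different names for the place where the data is queried. Pick one term and update line 26 to match, or keep "Log Analytics" wherever the text names the place the table is actually queried. Line 28 also renames the **Hunting** page to a "blade"; confirm the rest of the article refers to it the same way.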

@@ -72,7 +72,7 @@ Also in preview, you can visualize your bookmarked data, by clicking **Investiga
7272

7373
3. To help you find a specific bookmark, use the search box or filter options.
7474

75-
4. Select individual bookmarks and view the bookmark details in the right-hand details pane.
75+
4. Select individual bookmarks and view the bookmark details in the right-hand details blade.
7676

7777
5. Make your changes in the editable text boxes.
7878

@@ -114,7 +114,7 @@ To view the bookmark within the incident: Navigate to **Sentinel** > **Threat ma
114114

115115
## View bookmarked data in logs
116116

117-
To view bookmarked queries, results, or their history, select the bookmark from the **Hunting** > **Bookmarks** tab, and use the links provided in the details pane. Options include:
117+
To view bookmarked queries, results, or their history, select the bookmark from the **Hunting** > **Bookmarks** tab, and use the links provided in the details blade:
118118

119119
- **View source query** to view the source query in the **Logs** blade.
120120
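
Review bot: Line 117 now says "details blade" directly above the line 119 bullet that sends the reader to the **Logs** blade, so "blade" names both the side panel of a selected bookmark and a full view; step 4 on line 75 has the same rename. Suggest keeping "details pane" for the side panel and reserving "blade" for the full views. With "Options include" dropped, the sentence runs straight into the list, so check that every bullet under it is one of the links in that panel.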

@@ -125,7 +125,7 @@ You can also view the raw bookmark data for all bookmarks by selecting **Bookmar
125125
> [!div class="mx-imgBorder"]
126126
> ![Bookmark Logs](./media/bookmarks/bookmark-logs.png)
127127
128-
This view shows all your bookmarks with associated metadata. You can use KQL queries to filter down to the latest version of the specific bookmark you are looking for.
128+
This view shows all your bookmarks with associated metadata. You can use [Keyword Query Language](https://docs.microsoft.com/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) (KQL) queries to filter down to the latest version of the specific bookmark you are looking for.
129129

130130
> [!NOTE]
131131
> There can be a significant delay (measured in minutes) between the time you create a bookmark and when it is displayed in the **Bookmarks** tab. Because of this delay, we recommend you create your bookmarks first, then analyze them after the data is ingested.
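
Review bot: The link added on line 128 expands KQL as "Keyword Query Language" and points to the SharePoint search syntax reference, but the queries run against the bookmark data in Logs are written in Kusto Query Language, which is a different language with different syntax. Change the expansion to "Kusto Query Language" and point the link at the Kusto query reference instead of the SharePoint page.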
