articles/sentinel/bookmarks.md
Lines changed: 12 additions & 12 deletions
@@ -10,7 +10,6 @@ appliesto:
10
10
- Microsoft Sentinel in the Microsoft Defender portal
11
11
- Microsoft Sentinel in the Azure portal
12
12
13
-
14
13
#Customer intent: As a security analyst, I want to create and manage hunting bookmarks so that I can preserve and collaborate on relevant threat investigation data.
15
14
16
15
---
@@ -19,16 +18,18 @@ appliesto:
19
18
20
19
Hunting bookmarks in Microsoft Sentinel helps you preserve the queries and query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration. For more information, see [Bookmarks](hunting.md#bookmarks-to-keep-track-of-data).
21
20
21
+
>[!NOTE]
22
+
> Bookmarks can only be created in the Azure portal. While you can't add bookmarks in the Microsoft Defender portal, you can see bookmarks that were already created.
Create a bookmark to preserve the queries, results, your observations, and findings.
27
29
28
-
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management** select **Hunting**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Hunting**.
29
-
1. From the **Hunting** tab, select a hunt.
30
-
1. Select one of the hunting queries.
31
-
1. In the hunting query details, select **Run Query**.
30
+
1. Under **Threat management**, select **Hunting**.
31
+
1. From the **Queries** tab, select one or more of the hunting queries.
32
+
1. From the top command bar, select **Run selected queries**.
32
33
33
34
1. Select **View query results**. For example:
34
35
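Review bot: the new step list drops the portal-specific navigation that the removed step 1 carried, so the reader is never told these steps apply to the Azure portal, even though the note added just above says bookmarks can only be created there; suggest opening the first step with "In the Azure portal, under **Threat management**, select **Hunting**." so it matches the later "In Azure portal, select **Add bookmark**" step. Also, `>[!NOTE]` should be written in the standard `> [!NOTE]` form (space after the `>`), otherwise the alert box may not render.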
@@ -38,7 +39,7 @@ Create a bookmark to preserve the queries, results, your observations, and findi
38
39
39
40
1. From the log query results list, use the checkboxes to select one or more rows that contain the information you find interesting.
40
41
41
-
1.Select**Add bookmark**:
42
+
1.In Azure portal, select**Add bookmark**:
42
43
43
44
:::image type="content" source="media/bookmarks/add-hunting-bookmark.png" alt-text="Screenshot of adding hunting bookmark to query." lightbox="media/bookmarks/add-hunting-bookmark.png":::
44
45
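Review bot: the changed list item `1.In Azure portal, select**Add bookmark**:` is missing the space after the list marker and the space before the bold, so it will not render as a numbered step; it should read `1. In the Azure portal, select **Add bookmark**:`. The same spacing defect was already present in the removed line, so this is the place to fix it.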
@@ -54,9 +55,9 @@ Create a bookmark to preserve the queries, results, your observations, and findi
54
55
55
56
To view the bookmark in the investigation graph, you must map at least one entity. Entity mappings to account, host, IP, and URL entity types you created are supported, preserving backwards compatibility.
56
57
57
-
1. Select **Save** to commit your changes and add the bookmark. All bookmarked data is shared with other analysts, and is a first step toward a collaborative investigation experience.
58
+
1. Select **Create** to commit your changes and add the bookmark. All bookmarked data is shared with other analysts, and is a first step toward a collaborative investigation experience.
58
59
59
-
The log query results support bookmarks whenever this pane is opened from Microsoft Sentinel. For example, you select **General** > **Logs** from the navigation bar, select event links in the investigations graph, or select an alert ID from the full details of an incident. You can't create bookmarks when the **Logs** pane is opened from other locations, such as directly from Azure Monitor.
60
+
The log query results support bookmarks whenever this pane is opened from Microsoft Sentinel. For example, if you select **General** > **Logs** from the navigation bar, select event links in the investigations graph, or select an alert ID from the full details of an incident. You can't create bookmarks when the **Logs** pane is opened from another location, such as directly from Azure Monitor.
60
61
61
62
## View and update bookmarks
62
63
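Review bot: inserting "if" into the second sentence (`For example, if you select **General** > **Logs** ... or select an alert ID ...`) leaves a dependent clause with no main clause; either keep the original "For example, you select ..." wording or write "This is the case when you select ...". The **Save** to **Create** relabel is fine provided the add-bookmark screenshot referenced earlier in the article shows the same button label.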
@@ -84,9 +85,9 @@ Visualize your bookmarked data by launching the investigation experience in whic
84
85
85
86
For instructions to use the investigation graph, see [Use the investigation graph to deep dive](investigate-cases.md#use-the-investigation-graph-to-deep-dive).
86
87
87
-
## Add bookmarks to a new or existing incident
88
+
## Add bookmarks to a new or existing incident (Azure portal only)
88
89
89
-
Add bookmarks to an incident from the bookmarks tab on the **Hunting** page.
90
+
Add bookmarks to an incident from the bookmarks tab on the **Hunting** page.
90
91
91
92
1. From the **Bookmarks** tab, select the bookmark or bookmarks you want to add to an incident.
92
93
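Review bot: appending "(Azure portal only)" to the `## Add bookmarks to a new or existing incident` heading changes its generated anchor, so any existing link to `#add-bookmarks-to-a-new-or-existing-incident` from other articles will break; consider keeping the heading text and stating the Azure-portal restriction in the first body sentence instead, or check for inbound links before merging. The `-`/`+` pair for "Add bookmarks to an incident from the bookmarks tab on the **Hunting** page." shows identical text, so it is a whitespace-only change; while touching it, "bookmarks tab" should be "**Bookmarks** tab" to match the step that follows.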
@@ -104,7 +105,6 @@ Add bookmarks to an incident from the bookmarks tab on the **Hunting** page.
104
105
1. Select the incident with your bookmark and **View full details**.
105
106
1. On the incident page, in the left pane, select the **Bookmarks**.
106
107
107
-
108
108
## View bookmarked data in logs
109
109
110
110
View bookmarked queries, results, or their history.
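Review bot: the context line `1. On the incident page, in the left pane, select the **Bookmarks**.` is missing the noun after **Bookmarks**; since this hunk already edits the line directly below it, fix it here as `select the **Bookmarks** tab.` The blank-line removal itself is harmless.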
articles/sentinel/ci-cd.md
Lines changed: 12 additions & 3 deletions
@@ -30,11 +30,20 @@ When creating custom content, you can manage it from your own Microsoft Sentinel
30
30
Microsoft Sentinel currently supports connections to GitHub and Azure DevOps repositories. Before connecting your Microsoft Sentinel workspace to your source control repository, make sure that you have:
31
31
32
32
- An **Owner** role in the resource group that contains your Microsoft Sentinel workspace *or* a combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection
33
-
- Collaborator access to your GitHub repository or Project Administrator access to your Azure DevOps repository
33
+
- Ensure custom content files you want to deploy to your workspaces are in a supported format. For supported formats, see [Plan your repository content](ci-cd-custom-content.md#plan-your-repository-content).
34
+
35
+
### [GitHub prerequisites](#tab/github)
36
+
37
+
- Collaborator access to your GitHub repository
34
38
- Actions enabled for GitHub and Pipelines enabled for Azure DevOps
- Project Administrator access to your Azure DevOps repository
35
43
- Third-party application access via OAuth enabled for Azure DevOps [application connection policies](/azure/devops/organizations/accounts/change-application-access-policies#manage-a-policy).
36
-
- An Azure DevOps connection must be in the same tenant as your Microsoft Sentinel workspace
37
-
- Ensure custom content files you want to deploy to your workspaces are in a supported format. For supported formats, see [Plan your repository content](ci-cd-custom-content.md#plan-your-repository-content).
44
+
- An Azure DevOps connection in the same tenant as your Microsoft Sentinel workspace
45
+
46
+
---
38
47
39
48
For more information on deployable content types, see [Validate your content](ci-cd-custom-content.md#validate-your-content).
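Review bot: the unchanged context line `- Actions enabled for GitHub and Pipelines enabled for Azure DevOps` now sits inside the new `### [GitHub prerequisites](#tab/github)` tab, so the Azure DevOps Pipelines requirement is shown under the GitHub tab; split it into `- Actions enabled for GitHub` in the GitHub tab and `- Pipelines enabled for Azure DevOps` in the Azure DevOps tab. The visible new-file line numbers also jump from 38 to 43 without showing an Azure DevOps tab header, so the tab structure cannot be verified from this view; confirm that a second tab header (for example `### [Azure DevOps prerequisites](#tab/azure-devops)`, name suggested here) precedes `- Project Administrator access to your Azure DevOps repository`, otherwise the closing `---` ends a single tab. The relocated item `- Ensure custom content files you want to deploy ...` is an imperative sentence in a list of noun phrases; `- Custom content files in a supported format. For supported formats, see ...` matches the surrounding items. Since the OAuth application connection policy is an organization-level Azure DevOps setting rather than a per-repository one, the Azure DevOps tab would benefit from saying so, as enabling it affects every project in the organization, not only the Sentinel content repository.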