So last week we talked about the difference between Workbooks, Playbooks and Notebooks in Azure Sentinel. But there is still one more "book" that is important to making your life easier when working with the cloud-based SIEM. It's called a bookmark.
What is a bookmark exactly? I'm glad you asked. Just like a bookmark helps you keep track of the last page you read in a physical book (am I the only one who still reads physical books?), a bookmark in Azure Sentinel helps you keep track of items you might want to revisit while you're threat hunting.
As you know, threat hunting usually has you looking through mountains of logs to find evidence of malicious behavior. During the hunting process, you may come across matches or findings, dashboards, or activities that look unusual or suspicious. In order to mark those items so you can come back to them in the future, use the bookmark functionality. Bookmarks let you save items for later, to be used to create a case for investigation.
While you're hunting, you'll probably come up with a hypothesis about what is going on. Bookmarks help you do this by preserving the queries you ran along with the query results that you deem relevant. You can also record your contextual observations and reference your findings by adding notes and tags. Bookmarked data is visible to you and your teammates for easy collaboration.
You can revisit your bookmarked data at any time on the Bookmarks tab of the Hunting pane. You can use filtering and search options to quickly find specific data for your current investigation.
You can also visualize your bookmarked data by clicking Investigate from within the bookmark itself. This launches the investigation experience, in which you can view, investigate, and visually communicate your findings using an interactive entity-graph diagram and timeline.
How do you add a Bookmark?
- In the Sentinel portal, navigate to Threat management - Hunting.
- Select one of the hunting queries, and on the right, in the hunting query details, select Run Query.
- Select View query results. For example:
