Microsoft Azure Sentinel provides many features to help you investigate incidents and detect threats. One of these features is hunting bookmarks, which allow you to save and share your investigations with others. Hunting bookmarks are a great way to collaborate with colleagues and to help you stay organized.
In this post, we’ll discuss how to use hunting bookmarks for data investigations in Azure Sentinel.
Hunting bookmarks are a type of bookmark that you can create in Azure Sentinel. These bookmarks are used to save and share data investigations, including queries, filter expressions, visualizations, and more. You can use hunting bookmarks to save your work so that you can easily return to it later, or you can share your bookmarks with others to collaborate on an investigation.
To create a hunting bookmark, follow these steps:
Open the Azure Sentinel console.
In the navigation pane, select Hunting.
Run a query or investigation that you want to save as a bookmark.
Click the Save as bookmark button at the top of the page.
Enter a name for the bookmark and a description, and then click Create.
You can now access your new bookmark by clicking the Hunting bookmarks button at the top of the page.
Once you have created a hunting bookmark, you can use it to quickly access your saved query or investigation. You can also share your bookmark with others so that they can use it in their own investigations.
To use a hunting bookmark, follow these steps:
Click the Hunting bookmarks button at the top of the Hunting page.
Select the bookmark that you want to use.
Click the Open button to load the bookmark.
Once the bookmark is loaded, you can modify the query or investigation as needed. You can also save your changes as a new bookmark if you want to preserve the original.
Hunting bookmarks are a useful tool for organizing and sharing data investigations in Azure Sentinel. By creating hunting bookmarks, you can save your work and easily return to it later, or you can share your bookmarks with others to collaborate on an investigation. If you’re not already using hunting bookmarks, give them a try and see how they can help you investigate incidents and detect threats more effectively.
Hunting bookmarks are named, saved KQL queries that let SOC analysts reuse frequently run queries in future investigations.
Hunting bookmarks provide a way to store and quickly access KQL queries that were previously used to investigate security incidents or perform threat hunting tasks.
To create a new hunting bookmark, first run the desired KQL query in a Sentinel workbook or notebook, then click the “Bookmark query” button, enter a name and description for the bookmark, and save it.
You can edit an existing hunting bookmark by opening it from the bookmarks panel, modifying the KQL query, and then saving the changes.
To delete a hunting bookmark, go to the bookmarks panel, locate the bookmark you want to delete, click the three-dot menu next to it, and choose the “Delete” option.
To share a hunting bookmark with other users, click the “Share” button next to the bookmark in the bookmarks panel, select the users or groups you want to share it with, and then click “Add”.
You can export hunting bookmarks as JSON files and import them into other Sentinel workspaces or share them with other users.
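Moving an exported bookmark into a second workspace is the step that most often goes wrong, because the export carries fields that belong to the source workspace (its resource id, etag, creator and cached query result). The following added example, not code from the original post or from Microsoft, strips those fields and builds the Azure Resource Manager PUT request for the target workspace; the bookmark resource shape (Microsoft.SecurityInsights/bookmarks), the api-version and the sample export are assumptions labelled in the code, so check them against current documentation before use.

```python
"""Port an exported Azure Sentinel hunting bookmark into another workspace.

Added example. Assumes the ARM resource shape of
Microsoft.SecurityInsights/bookmarks and api-version 2023-02-01 (assumed).
"""
import json
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # assumed; confirm the current stable version

# Properties that describe the source workspace's copy and must not be replayed.
WORKSPACE_BOUND = {"created", "createdBy", "updated", "updatedBy",
                   "incidentInfo", "queryResult"}

# Constructed sample of an exported bookmark (values are made up).
EXPORTED = json.dumps({
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-src"
          "/providers/Microsoft.OperationalInsights/workspaces/sentinel-src"
          "/providers/Microsoft.SecurityInsights/bookmarks/11111111-1111-1111-1111-111111111111",
    "name": "11111111-1111-1111-1111-111111111111",
    "type": "Microsoft.SecurityInsights/bookmarks",
    "etag": "\"0000-sample\"",
    "properties": {
        "displayName": "Sign-ins from new countries",
        "query": "SigninLogs | where ResultType == 0 | summarize count() by Location",
        "notes": "Baseline for the new-location hunt",
        "labels": ["hunting", "identity"],
        "createdBy": {"email": "analyst@example.com"},
        "queryResult": "{\"rows\": []}",
    },
})


def build_import_request(exported_json, subscription, resource_group, workspace):
    """Return (url, body) for a PUT that recreates the bookmark in another workspace."""
    props = json.loads(exported_json).get("properties", {})
    for required in ("displayName", "query"):
        if not props.get(required):
            raise ValueError(f"export is missing required property {required!r}")
    body = {"properties": {k: v for k, v in props.items() if k not in WORKSPACE_BOUND}}
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/providers/Microsoft.SecurityInsights/bookmarks/{uuid.uuid4()}"
           f"?api-version={API_VERSION}")
    return url, body


def import_bookmark(exported_json, subscription, resource_group, workspace, token):
    """Send the PUT with an ARM bearer token (token acquisition is out of scope here)."""
    url, body = build_import_request(exported_json, subscription, resource_group, workspace)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The caller needs a token with Microsoft Sentinel Contributor rights on the target workspace; `build_import_request` can be run on its own to review the payload before anything is sent.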
To search for a specific hunting bookmark, type the keyword in the search box in the bookmarks panel, and all bookmarks that match the search term will be displayed.
You can filter hunting bookmarks based on the name, description, query, or other metadata fields by using the filtering options in the bookmarks panel.
Hunting bookmarks can help standardize investigations by providing SOC analysts with a pre-defined set of KQL queries that have been tested and approved, and can be used as a starting point for future investigations.