Investigation Graph through the Hunting Blade ?


Hi all, 

Is there a way to use the investigation graph through the hunting queries?
I have created a hunting query to find when users are assigned Azure AD roles outside of PIM, with the associated entities (account, IpAddress). Can I investigate with the graph directly or do I have to create an analytic rule each time?

Kind regards, 

Emmanuel NGUYEN


@emmanuelnguyen You can save the results you care about as bookmarks and kick off the investigation from them.

@emmanuelnguyen

As part of the Hunt, save as a bookmark, then go to the Bookmark tab, and there is an Investigate button: https://docs.microsoft.com/en-us/azure/sentinel/bookmarks

(Screenshot: Annotation 2020-05-06 193922.jpg)

Thank you so much!!

Thank you so much for the additional details!
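An added example, not code from this thread or from Microsoft: a KQL hunting query of the kind described in the question, written so that the target account and the initiator's IP come out as their own columns and can be mapped as entities when the rows are bookmarked and investigated. The specific OperationName, LoggedByService and modifiedProperties values it filters on are assumptions and should be checked against the AuditLogs data in your own tenant.

```kql
// Added example, not code from this thread or from Microsoft.
// Hunting query of the kind the question describes: direct Azure AD role
// assignments that did not go through PIM, with the actor, target account and
// source IP pulled out as separate columns so they can be mapped as entities
// when the rows are bookmarked.
// Assumptions to confirm against your own AuditLogs data before relying on it:
//   - direct assignments surface as OperationName "Add member to role"
//     (eligible PIM assignments use "Add eligible member to role" and are excluded here)
//   - PIM-driven events carry LoggedByService "PIM"; everything else does not
//   - the role name sits in modifiedProperties under displayName "Role.DisplayName"
AuditLogs
| where TimeGenerated > ago(7d)
| where Category =~ "RoleManagement"
| where OperationName =~ "Add member to role"
| where Result =~ "success"
| where LoggedByService !~ "PIM"
| extend Initiator   = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorIp = tostring(InitiatedBy.user.ipAddress),
         TargetUser  = tostring(TargetResources[0].userPrincipalName)
// modifiedProperties is an array of {displayName, oldValue, newValue}; keep only the role name
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))   // newValue is a JSON-quoted string
| project TimeGenerated, Initiator, InitiatorIp, TargetUser, RoleName, CorrelationId
// Aliases in the *CustomEntity naming convention Sentinel recognises for entity
// mapping; when bookmarking, map Account -> AccountCustomEntity and IP -> IPCustomEntity
| extend AccountCustomEntity = TargetUser, IPCustomEntity = InitiatorIp
```

The point of the last two stages is that the Investigate button on a bookmark only has something to draw if the bookmark carries mapped entities. Running the query, selecting the rows of interest, and mapping the account and IP columns in the bookmark pane is what lets the investigation graph pivot from the assigned user and the initiator's address to related alerts and entities, without first turning the hunt into an analytics rule.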