diff --git a/defender-xdr/advanced-hunting-query-results.md b/defender-xdr/advanced-hunting-query-results.md index c6205c7ee7..8d5b2acba1 100644 --- a/defender-xdr/advanced-hunting-query-results.md +++ b/defender-xdr/advanced-hunting-query-results.md 
@@ -173,7 +173,24 @@ Select the three dots to the right of any column in the **Inspect record** panel - Exclude the selected value from the query (`!=`) - Get more advanced operators for adding the value to your query, such as `contains`, `starts with`, and `ends with` -:::image type="content" source="/defender/media/work-with-query-tweak-query.png" alt-text="The Action Type pane on the Inspect record page in the Microsoft Defender portal " lightbox="/defender/media/work-with-query-tweak-query.png"::: +:::image type="content" source="/defender/media/work-with-query-tweak-query.png" alt-text="Screenshot of the Action Type pane on the Inspect record page in the Microsoft Defender portal." lightbox="/defender/media/work-with-query-tweak-query.png"::: + + + +## Add items to Favorites +You can add your frequently used schemas, functions, queries, and detection rules to the Favorites section of each tab in the advanced hunting page for quick access. + +:::image type="content" source="media/faves-1.png" alt-text="Screenshot of the advanced hunting page with the Favorites section highlighted." lightbox="media/faves-1.png"::: + +For instance, to add `AlertInfo` to your **Favorites**, go to the **Schema** tab, and select the three dots to the right of the table and select **Add to favorites**. + +:::image type="content" source="media/faves-2.png" alt-text="Screenshot of the Add to Favorites option in the advanced hunting page." lightbox="media/faves-2.png"::: + +A notification appears to inform you that the item was successfully added to Favorites. + +![Screenshot of notification that a new item was added to Favorites in advanced hunting.](media/faves-3.png) + +You can do the same for your saved functions, queries, and custom detections in their respective Favorites sections right under each tab (**Functions**, **Queries**, and **Detection Rules**). > [!NOTE] > Some tables in this article might not be available at Microsoft Defender for Endpoint. 
[Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md). diff --git a/defender-xdr/media/faves-1.png b/defender-xdr/media/faves-1.png new file mode 100644 index 0000000000..f3194bca36 Binary files /dev/null and b/defender-xdr/media/faves-1.png differ diff --git a/defender-xdr/media/faves-2.png b/defender-xdr/media/faves-2.png new file mode 100644 index 0000000000..eeeef4f3a0 Binary files /dev/null and b/defender-xdr/media/faves-2.png differ diff --git a/defender-xdr/media/faves-3.png b/defender-xdr/media/faves-3.png new file mode 100644 index 0000000000..d5e2fac956 Binary files /dev/null and b/defender-xdr/media/faves-3.png differ diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md index b2456c9aeb..d697fa14ea 100644 --- a/defender-xdr/whats-new.md +++ b/defender-xdr/whats-new.md 
@@ -36,6 +36,7 @@ You can also get product updates and important notifications through the [messag - (Preview) The [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in [Defender XDR advanced hunting](advanced-hunting-link-to-incident.md), you can now specify whether an entity is an impacted asset or related evidence. - (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-adx-operator-for-azure-data-explorer-queries-preview), Microsoft Defender portal users can now use the `adx()` operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender. - New documentation library for Microsoft's unified security operations platform. Find centralized documentation about [Microsoft's unified SecOps platform in the Microsoft Defender portal](/unified-secops-platform/overview-unified-security). Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. +- (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the **[Favorites](advanced-hunting-query-results.md#add-items-to-favorites)** sections under each tab for quicker accesss. ## November 2024 
diff --git a/defender/media/advanced-hunting-query-results-copy.png b/defender/media/advanced-hunting-query-results-copy.png new file mode 100644 index 0000000000..236044406b Binary files /dev/null and b/defender/media/advanced-hunting-query-results-copy.png differ diff --git a/defender/media/advanced-hunting-query-results-faves.png b/defender/media/advanced-hunting-query-results-faves.png new file mode 100644 index 0000000000..d7eb992ec9 Binary files /dev/null and b/defender/media/advanced-hunting-query-results-faves.png differ
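Review bot: In the `advanced-hunting-query-results.md` hunk, the new "Add items to Favorites" section is inserted between the tweaked image and the existing `> [!NOTE]` block about tables not being available in Microsoft Defender for Endpoint, so that note now reads as a footnote to the Favorites section rather than to the query-tweaking content it originally followed; consider placing the new `## Add items to Favorites` heading after the note, or moving the note with the content it qualifies. Two smaller points in the same hunk: the three added blank lines before the heading should be a single blank line, and the image markup is inconsistent, with `faves-1.png` and `faves-2.png` using `:::image ... lightbox=...:::` while `faves-3.png` uses plain `![...](media/faves-3.png)` and gets no lightbox. The sentence "select the three dots to the right of the table and select **Add to favorites**" repeats "select"; "select the three dots to the right of the table, then choose **Add to favorites**" reads more cleanly. Separately, the patch adds the binaries `defender/media/advanced-hunting-query-results-copy.png` and `defender/media/advanced-hunting-query-results-faves.png`, but no changed markdown in this diff references either file; if they are not used elsewhere they should be dropped, and if they are meant to replace `media/faves-*.png` the references should be updated to match, since the new images use relative `media/` paths while the existing image on the same page uses the site-root `/defender/media/` form.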
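Review bot: The added `whats-new.md` bullet has a typo, "quicker accesss" should be "quicker access". The same line describes the feature as covering "schema tables, functions, queries, and detection rules", whereas the new section in `advanced-hunting-query-results.md` says "schemas, functions, queries, and detection rules" and later names the tabs as **Functions**, **Queries**, and **Detection Rules**; aligning the wording between the two files (for example "schema tables" in both, since the worked example is the `AlertInfo` table) avoids readers wondering whether these are different things. The `#add-items-to-favorites` anchor does match the new heading.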