Tutorial / Cram Notes
For security analysts using the Microsoft 365 Defender suite, the SC-200 Microsoft Security Operations Analyst exam prepares them for utilizing various tools in threat management, one of which includes hunting bookmarks in data investigations.
What are Hunting Bookmarks?
When a security operations analyst is scanning through logs and telemetry, they may come across interesting patterns or observations that warrant further investigation. Hunting bookmarks in Microsoft 365 Defender provide a convenient way to save these findings, together with all the context that may be important for understanding and responding to potential threats.
Bookmarks make it easier to manage a hunt for threats and can be thought of as a way of taking notes that tie observations to the data. They not only contain references to the relevant data but can also include analyst’s comments, tags, and event details that can help in forming a narrative around a suspected incident.
How to Use Hunting Bookmarks
Security analysts can create bookmarks during or after a hunting search using the following steps:
- Identify an anomaly or pattern while using the advanced hunting feature in Microsoft 365 Defender.
- Select the relevant event or set of events.
- Click on the “Bookmark” option to capture the information.
- Fill in the details, such as a name for the bookmark, a description or hypothesis, severity, and any relevant tags.
Examples of Hunting Bookmarks Usage
Example 1: Anomalies in Sign-in Locations
An analyst notices that there have been a series of sign-in attempts from an unusual location. To track and investigate this further, the analyst can create a bookmark for each sign-in attempt with details about the location, user, timestamp, and the suspected impact.
Example 2: Unexpected Application Activity
During a routine hunt, an analyst observes unexpected application activity on a high-value asset. A bookmark is created, detailing the application, asset information, activity timestamp, and any potential processes involved that could indicate compromise.
Benefits of Using Hunting Bookmarks
The use of bookmarks during threat hunting has numerous benefits, including:
- Organization: Bookmarks help analysts to categorize and prioritize findings.
- Collaboration: Share bookmarks with team members to streamline teamwork and response.
- Historical Reference: Maintain a record of what was investigated and the context behind it for future training and process improvement.
Hunting Bookmarks in Incident Response
When bookmarks are linked to an alert that evolves into an incident, they provide invaluable context for incident responders. This information aids in incident triage and helps responders understand the scope and scale of an attack.
Comparison Table of Hunting Bookmark Stages
The following table summarizes the key stages of using hunting bookmarks within a data investigation:
| Stage | Description | Example Action |
|---|---|---|
| Discovery | Initial observation of anomalies. | Noticing a spike in file downloads. |
| Bookmarking | Saving relevant data and context. | Creating a bookmark for the activity. |
| Analysis | In-depth exploration of the data. | Investigating the user’s file access and endpoint security logs. |
| Response | Taking action based on findings. | Isolating the affected endpoint, resetting user passwords. |
| Record-Keeping | Maintaining details for audits and training. | Reviewing bookmark logs during monthly security reviews. |
Best Practices for Hunting Bookmarks
For a more productive hunting experience, analysts should adhere to the following best practices:
- Consistency in Naming: Use a clear and consistent naming convention for bookmarks.
- Clear Descriptions: Provide detailed descriptions within bookmarks to ensure valuable context isn’t lost.
- Utilize Tags: Implement tags for easy categorization and future reference.
- Regular Review: Periodically review bookmarks to keep track of what has been investigated and to spot any patterns over time.
In conclusion, hunting bookmarks are a valuable tool within the Microsoft 365 Defender platform for Security Operations Analysts. They serve a wide range of functions, from organizing and retaining information regarding potential threats to facilitating collaboration among team members during incident response endeavors. Proper utilization of hunting bookmarks significantly contributes to the efficiency and effectiveness of data investigation workflows, a competence that is essential and reinforced by the SC-200 Microsoft Security Operations Analyst exam.
Practice Test with Explanation
True/False: Hunting bookmarks in Microsoft 365 Defender are temporary and are automatically deleted after 30 days.
- False
Hunting bookmarks are used to save observations or data during an investigation and are not automatically deleted after 30 days; they persist until the investigator deletes them.
Multiple Select: Which of the following can be included in a hunting bookmark? (Select all that apply)
- A) A note summarizing the findings
- B) An alert that triggered the investigation
- C) Remediation actions taken
- D) The entire query that was used to find the data
The correct answers are: A, B, D
Hunting bookmarks can include notes, related alerts, and queries, but they do not include remediation actions taken.
True/False: Hunting bookmarks are used to preserve state within automated security workflows but not for manual investigative processes.
- False
Hunting bookmarks are used to preserve the state for both manual investigative processes and can be used within automated security workflows as a reference point.
Single Select: What is the primary purpose of creating a hunting bookmark in a security investigation?
- A) To escalate an alert
- B) To automatically mitigate a threat
- C) To save interesting findings and come back to them later
- D) To delegate tasks to other team members
The correct answer is: C
The primary purpose of a hunting bookmark is to save interesting findings or data points so an investigator can easily return to them later in the investigation.
True/False: Hunting bookmarks can be shared with other team members to collaborate on an ongoing investigation.
- True
Hunting bookmarks can be shared with other security team members, which facilitates collaboration and knowledge sharing in an investigation.
Multiple Select: What information can you track using hunting bookmarks? (Select all that apply)
- A) Timestamps of when the data was discovered
- B) Names of users who accessed the data
- C) Evidence categorization (e.g., malicious, suspicious)
- D) Scheduled tasks related to the bookmark
The correct answers are: A, C
Hunting bookmarks can keep track of timestamps and help categorize evidence. While they can log who created or modified the bookmark, they don’t track general user access to the data and are not used for scheduling tasks.
True/False: Hunting bookmarks can only be created by security analysts with administrator privileges.
- False
Hunting bookmarks can be created by any security analyst with the appropriate permissions to the Microsoft 365 Defender portal, not just administrators.
Single Select: Which of the following is a benefit of using hunting bookmarks in data investigations?
- A) Increases the amount of data storage required
- B) Enables easier navigation of complex data sets
- C) Automatically responds to threats without human intervention
- D) Generates new security alerts
The correct answer is: B
Hunting bookmarks help security analysts by enabling easier navigation of complex data sets during an investigation.
True/False: Hunting bookmarks in Microsoft 365 Defender are specific to a single tool and can’t be used across the various Microsoft security solutions.
- False
Hunting bookmarks in Microsoft 365 Defender are designed to work across various Microsoft security solutions, providing a more integrated and efficient investigative experience.
Multiple Select: Which actions can be performed on a hunting bookmark from the Microsoft 365 Defender portal? (Select all that apply)
- A) Modify the bookmark’s description
- B) Assign the bookmark to a user
- C) Change the severity of the alert associated with the bookmark
- D) Automatically apply a security policy based on the bookmark
The correct answers are: A, B
From the Microsoft 365 Defender portal, users can modify the bookmark’s description and assign it to users for follow-up. It does not typically allow for changing the severity of associated alerts or automatically applying security policies.
Single Select: When should an analyst consider using a hunting bookmark?
- A) Only after an incident has been fully resolved
- B) During active investigation to mark anomalies or suspicious findings
- C) Exclusively for high-severity alerts
- D) When instructed by a regulatory body
The correct answer is: B
Analysts use hunting bookmarks during active investigations to mark anomalies or suspicious findings for easier access or follow-up later.
True/False: It is possible to export the information from a hunting bookmark into a report.
- True
Information from hunting bookmarks can be exported, allowing for further analysis or reporting outside of the immediate investigation environment.
Interview Questions
What are hunting bookmarks in Microsoft Sentinel?
Hunting bookmarks are named bookmarks of queries that enable SOC analysts to save and reuse frequently used KQL queries for future investigations.
How can hunting bookmarks help with investigations?
Hunting bookmarks provide a way to store and quickly access KQL queries that were previously used to investigate security incidents or perform threat hunting tasks.
How can you create a new hunting bookmark in Microsoft Sentinel?
To create a new hunting bookmark, first run the desired KQL query in a Sentinel workbook or notebook, then click on “Bookmark query” button, enter the name and description of the bookmark, and save it.
Can you edit an existing hunting bookmark in Microsoft Sentinel?
Yes, you can edit an existing hunting bookmark by opening it from the bookmarks panel, modifying the KQL query, and then saving the changes.
How can you delete a hunting bookmark in Microsoft Sentinel?
To delete a hunting bookmark, go to the bookmarks panel, locate the bookmark you want to delete, click on the three-dot menu next to it, and choose “Delete” option.
How can you share a hunting bookmark with other users in Microsoft Sentinel?
To share a hunting bookmark with other users, click on the “Share” button next to the bookmark in the bookmarks panel, select the users or groups you want to share it with, and then click “Add”.
Can you export hunting bookmarks from Microsoft Sentinel?
Yes, you can export hunting bookmarks as JSON files and import them into other Sentinel workspaces or share them with other users.
How can you search for a specific hunting bookmark in Microsoft Sentinel?
To search for a specific hunting bookmark, type the keyword in the search box in the bookmarks panel, and all bookmarks that match the search term will be displayed.
How can you filter hunting bookmarks in Microsoft Sentinel?
You can filter hunting bookmarks based on the name, description, query, or other metadata fields by using the filtering options in the bookmarks panel.
How can hunting bookmarks help with standardizing investigations in Microsoft Sentinel?
Hunting bookmarks can help standardize investigations by providing SOC analysts with a pre-defined set of KQL queries that have been tested and approved, and can be used as a starting point for future investigations.
Great blog! Hunting bookmarks are incredibly useful for organizing data investigations in SC-200.
Absolutely! They save so much time and streamline the entire analysis process.
I appreciate the blog post!
How do you manage your hunting bookmarks? Do you categorize them by type of threat?
I’ve been using hunting bookmarks, but I’m still unsure how to leverage them effectively in SC-200.
Thanks for the insightful blog post!
Does anyone have experience using hunting bookmarks in conjunction with Jupyter notebooks?
Is there a limit to the number of bookmarks you can create?