As a Microsoft Security Operations Analyst, tracking query results is an integral part of your job. The SC-200 exam covers this topic, so it is essential to familiarize yourself with Azure Sentinel and, specifically, to know how to track query results using bookmarks.
Introduction to Bookmarks
In Azure Sentinel, a bookmark is a saved result of an analytic query. Bookmarks are used when you want to record specific activities that are of interest or relevance to your investigation: they let you mark, save, and share valuable insights obtained after running a query or viewing analytical output. A bookmark serves as a point of reference that you can return to later for further investigation.
For example, you might run a query to detect failed sign-in attempts. Whenever there is a sign-in attempt that you suspect is malicious, you can create a bookmark to save that finding.
Creating Bookmarks in Azure Sentinel
Creating bookmarks in Azure Sentinel is a straightforward process. After running your query, simply do the following steps:
- Select the results you want to bookmark–one or multiple entries–from the Logs section.
- Click the ellipsis (three dots) at the top right of the results and select ‘Create Bookmark’ from the options that appear.
- Complete the ‘Add Bookmark’ form by filling important details such as the Bookmark name, Notes, and any relevant Entities. Then click ‘Create’.
Give your bookmark a meaningful name so that it is easy to identify later. Adding notes is also useful when you need to remember why the bookmark was created and what you observed.
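The failed sign-in query mentioned earlier, written out as an added example (not code from the original page) so that the result rows have columns you can map to the Account and IP entities in the ‘Add Bookmark’ form. It assumes the Azure AD connector is populating the SigninLogs table and that the threshold of 10 failures is a constructed value to tune for your environment.

```kql
// Added example: a failed sign-in query whose result rows are worth bookmarking.
// Assumption: the Azure AD connector feeds the SigninLogs table.
// In SigninLogs, ResultType "0" is a successful sign-in; any other value is a failure code.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize
    FailedAttempts = count(),
    FirstFailure = min(TimeGenerated),
    LastFailure = max(TimeGenerated),
    ErrorCodes = make_set(ResultType)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= 10      // constructed threshold; tune per environment
| order by FailedAttempts desc
// Select a suspicious row, choose 'Create Bookmark', and map UserPrincipalName
// to the Account entity and IPAddress to the IP entity so the investigation
// graph links them to the incident.
```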
Using Bookmarks for Investigations
Bookmarks are most helpful when paired with investigations in Azure Sentinel. To add a bookmark to your investigation, follow these steps:
- Open the ‘Incident’ page and select ‘View full details’ for the related alert.
- Under ‘Graph View’, click ‘Add bookmark’.
- Select the bookmark you want to add. If needed, you can filter existing bookmarks with Bookmark name, Notes, and Entities.
Once a bookmark is added to an investigation, it links all the involved entities as nodes in the investigation graph. For instance, if a bookmark was created for an event involving an IP address and a user, the bookmark includes these entities and shows visual links between them.
Deleting Bookmarks
There may be instances when you need to delete a bookmark. This can be done by:
- Navigating to the ‘Bookmarks’ page under ‘Threat management’ in Azure Sentinel.
- Selecting the specific bookmark you want to delete and clicking on the trash bin icon.
Conclusion
To recap, tracking query results with bookmarks is a crucial aspect of working with Azure Sentinel and plays a significant role in being a successful Microsoft Security Operations Analyst. Understanding and mastering it will help you pass the SC-200 Microsoft Security Operations Analyst exam and excel in real-world situations. With bookmarks, you can keep track of relevant data from your security investigations, share findings with other team members, and rapidly access pertinent information.
Remember, success in the SC-200 exam and in your career depends largely on practical expertise. It is therefore recommended that you apply these instructions in your own Azure Sentinel environment to gain hands-on experience.
Practice Test
A bookmark is a mechanism in Microsoft Azure that allows you to track the results of your queries.
- A. True
- B. False
Answer: A. True
Explanation: Microsoft Azure provides a Bookmark feature that is used to save and track investigation queries and the activities related to them.
In Microsoft Azure, you cannot share a bookmark with anybody else.
- A. True
- B. False
Answer: B. False
Explanation: In Microsoft Azure, you can share bookmarks with other investigators.
Is it possible to add notes to a bookmark in Microsoft Azure?
- A. Yes
- B. No
Answer: A. Yes
Explanation: In Microsoft Azure, it is possible to add notes to a bookmark as a part of the investigation process.
In Microsoft Azure, are bookmarks related to a single entity only?
- A. True
- B. False
Answer: B. False
Explanation: Bookmarks in Microsoft Azure can be associated with multiple entities in an investigation.
Bookmarks allow you to track investigation progress over time.
- A. True
- B. False
Answer: A. True
Explanation: Bookmarks in Microsoft Azure help track investigation progress over time, as they provide snapshots of queries.
Is it possible to include a bookmark in a live stream?
- A. Yes
- B. No
Answer: B. No
Explanation: Live Stream is a separate feature of Azure Sentinel and bookmarks can’t be included in a live stream.
Bookmarks cannot be deleted once created.
- A. True
- B. False
Answer: B. False
Explanation: Bookmarks can be deleted if they are no longer required.
Which of the following actions is NOT possible with bookmarks in Azure Sentinel?
- A. Export bookmarks
- B. Add a note to a bookmark
- C. Assign a bookmark to another investigator team member
- D. Change the color of a bookmark
Answer: D. Change the color of a bookmark
Explanation: The other actions are possible with bookmarks, but changing the color of a bookmark is not a functionality provided by Azure Sentinel.
Are all bookmarks private by default in Azure Sentinel?
- A. True
- B. False
Answer: A. True
Explanation: By default, bookmarks are private when created. They can be shared manually if necessary.
Queries in bookmarks can be modified after creation.
- A. True
- B. False
Answer: A. True
Explanation: The data in a bookmark can be updated post-creation, meaning that the query it is based on can be adjusted, as necessary.
Bookmarks are used only to track query results.
- A. True
- B. False
Answer: B. False
Explanation: Although bookmarks are primarily used to track query results, they can also be used to save and label interesting or potentially worrisome events, assign these labeled events to others for investigation, and to maintain investigation state.
Which Azure Sentinel feature provides a way to save and track queries?
- A. Cases
- B. Bookmarks
- C. Incidents
- D. Workbooks
Answer: B. Bookmarks
Explanation: The Bookmark feature in Azure Sentinel allows you to save and track your investigation queries and activities related to them.
Bookmarks cannot be used for collaborative working in Azure Sentinel.
- A. True
- B. False
Answer: B. False
Explanation: Bookmarks enable collaborative working as they can be shared with other investigators.
What is the purpose of tracking query results with bookmarks in Azure Sentinel?
- A. To document an investigation
- B. To build an interactive dashboard
- C. To manage log data
- D. To automate responses
Answer: A. To document an investigation
Explanation: Bookmarks in Azure Sentinel are used to track and document an investigation, helping to provide insight into the investigation process.
Can bookmarks in Azure Sentinel be tagged with labels for easy reference?
- A. Yes
- B. No
Answer: A. Yes
Explanation: Bookmarks in Azure Sentinel can be tagged with labels, providing an easy way to categorize and reference them during an investigation.
Interview Questions
What is the primary function of bookmarks in Azure Sentinel?
Bookmarks in Azure Sentinel are primarily used to save and track interesting or significant findings within your data for future reference.
How does a bookmark help in tracking query results in Azure Sentinel?
Bookmarks in Azure Sentinel allow analysts to highlight and persist important data points in event records, making it easier to monitor and track query results or notable investigations.
Are bookmarks in Azure Sentinel shared among all users?
Yes, bookmarks in Azure Sentinel are shared across all users, enabling collaboration among analysts on the same case or investigation.
Can bookmarks be tagged with entities in Azure Sentinel?
Yes, bookmarks can be tagged with entities to provide more context and make it easier to find and correlate interesting findings.
What are the types of entities that can be tagged in a bookmark?
Entities that can be tagged in a bookmark include Account, Host, IP, URL, Mailbox, Azure resources, and many others.
Is it possible to add notes to an Azure Sentinel bookmark?
Yes, analysts can add notes to a bookmark to document their observations or suspicions about the bookmarked data.
How can bookmarks be used to create incidents in Azure Sentinel?
Bookmarks can be used to create incidents directly from the bookmark page. The created incident will include a link to the bookmark.
Can bookmarks in Azure Sentinel be edited after creation?
Yes, bookmarks can be edited after creation to update their details or add new information as the investigation progresses.
Can you create a bookmark without running a query in Azure Sentinel?
No, a bookmark in Azure Sentinel can only be created after you run a query and get results that you want to track.
Can you export bookmarks from Azure Sentinel?
Yes, it’s possible to export bookmarks to a CSV file in Azure Sentinel. This can be done from the bookmark page.
Can bookmarks from Azure Sentinel be imported into another tool?
Yes, by exporting bookmarks to a CSV file, they can then be imported into any tool that supports this format.
How are bookmarks beneficial in a multi-analyst environment?
Bookmarks are beneficial in a multi-analyst environment because they help analysts share findings and collaborate with other team members, which can lead to a deeper understanding of issues and faster resolution of incidents.
What happens when a bookmarked entity is deleted in Azure Sentinel?
When an entity associated with a bookmark is deleted, Azure Sentinel will retain the bookmark but it will indicate that the entity is no longer available.
Can you delete bookmarks in Azure Sentinel?
Yes, bookmarks can be deleted in Azure Sentinel when they are no longer needed.
Is bookmark creation limited in Azure Sentinel?
No, Azure Sentinel does not explicitly limit the number of bookmarks you can create. However, an excessively large number of bookmarks could potentially impact the system’s performance.