Hunting bookmarks are a potent tool used by Security Operations Analysts conducting data investigations, especially those studying for the SC-200 Microsoft Security Operations Analyst exam. These bookmarks directly relate to organizing and consolidating critical events during an investigation to provide a holistic view of the security incidents.
Understanding Hunting Bookmarks
Before delving into the use of hunting bookmarks, it is crucial to understand what they are. Hunting bookmarks, within the purview of Microsoft Defender for Endpoint, provide a simplified way to manage, annotate, and share your findings. This feature helps correlate events, resources, and entities across various investigations and cases.
Why Use Hunting Bookmarks?
Hunting bookmarks offer several distinct advantages when applied to data investigations. Here are some key reasons to employ hunting bookmarks in your data investigations:
- Simplified Management: Hunting bookmarks enable coordinated management of all your findings in a single location. This significantly streamlines the analysis process by providing a one-stop overview of various investigation entities.
- Seamless Sharing: As a collaborative tool, bookmarks facilitate sharing of key details and findings with other analysts or external stakeholders. This shared knowledge base can lead to a faster resolution of incidents and improved security posture.
- Greater Context: Hunting bookmarks provide additional context to your investigations by allowing annotations and comments to be added. This functionality leads to a deeper understanding of incidents, trends, and potential threats.
Working With Hunting Bookmarks
Working with Hunting Bookmarks can be broken down into three essential steps: Creation, Viewing, and Updating.
Creating Hunting Bookmarks
To create a bookmark, you need to first run an advanced hunting query in Microsoft Defender Security Center. Once the query results are displayed, select an event you deem significant, click the ‘…’ button, and then select ‘Add bookmark.’
A new pane will open where you can provide additional details like title, description, severity, status, and tags. These fields help organize your bookmarks and make it easier for other analysts to understand your findings.
Viewing Hunting Bookmarks
To view your existing bookmarks, visit the Bookmarks tab in the Microsoft Defender Security Center. This tab gives you a consolidated view of all the bookmarks you’ve created so far, offering a snapshot of all significant events.
Updating Hunting Bookmarks
To edit a bookmark, go to the Bookmarks tab and select the bookmark you wish to edit. After making your desired changes, click ‘Save’ to update the bookmark.
Practical Scenario
As an example, let’s say you’re investigating a potential phishing campaign targeting your organization. You run an advanced hunting query scanning for any suspicious emails that contain specific phrases or originate from certain senders.
You find several emails that meet these criteria and seem concerning. Instead of trying to remember these instances or creating a separate note, you can simply create a hunting bookmark for each problematic email. Later, you can go back to your bookmarks, review them, update their status as the investigation progresses, and share your findings with other team members for further action.
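The hunting query for this scenario, as an added example that is not part of the original page: it assumes the EmailEvents advanced hunting table, and the lure phrases and sender domain are constructed placeholders. Each returned row is one bookmark candidate, and NetworkMessageId is the identifier worth recording in the bookmark so teammates can find the same message later.

```kql
// Added example for the phishing scenario above (not from the original page).
// Assumes the EmailEvents table of Defender advanced hunting; phrases and the
// sender domain are constructed placeholders, not real indicators.
let lookback = 7d;
let lure_phrases = dynamic(["verify your account", "password will expire", "invoice overdue"]);
let watched_senders = dynamic(["lookalike-sender.example"]);   // constructed placeholder domain
EmailEvents
| where Timestamp > ago(lookback)
// Match either a suspicious subject line or a sender domain under investigation
| where Subject has_any (lure_phrases)
     or SenderFromDomain in~ (watched_senders)
// Only mail that actually reached a mailbox needs a bookmark and follow-up;
// messages already Blocked or Junked were handled by the filtering stack
| where DeliveryAction == "Delivered"
// Count how many recipients each sender/subject pair hit, to rank the results
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleMessageId = any(NetworkMessageId)
  by SenderFromAddress, SenderFromDomain, Subject
| order by Recipients desc, LastSeen desc
```

The summarized rows give one bookmark per sender/subject campaign; drop the summarize step and project NetworkMessageId instead if you prefer to bookmark each individual email as the scenario describes.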
In conclusion, hunting bookmarks are an invaluable tool for Microsoft Security Operations Analysts and candidates for the SC-200 exam. They allow analysts to efficiently manage, document, track, and share findings, contributing significantly to effective data investigations.
Practice Test
True or False: Hunting bookmarks are used to mark notable events during an investigation.
- True
- False
Answer: True
Explanation: Hunting bookmarks in Microsoft Security Operations serve the purpose of marking notable events during an open investigation, providing clear references and helping with the effective tracking of security issues.
True or False: One cannot add comments to a hunting bookmark.
- True
- False
Answer: False
Explanation: Comments can be added to a hunting bookmark to make the information more detailed and clearer for review or for team collaboration during an investigation.
What is the main purpose of using hunting bookmarks in data investigations?
- A) To mark significant moments in movies
- B) To bookmark favorite music tracks
- C) To mark notable events during an investigation
- D) To save favorite websites
Answer: C) To mark notable events during an investigation
Explanation: The main purpose of hunting bookmarks in the context of security operation analysis is to aid in tracking and referencing significant events during investigations.
Can you delete a hunting bookmark once it’s created?
- A) Yes
- B) No
Answer: A) Yes
Explanation: If a hunting bookmark is no longer needed, it can be deleted.
Is it possible to link hunting bookmarks with an incident?
- A) Yes
- B) No
Answer: A) Yes
Explanation: Hunting bookmarks can be associated with a specific incident if they’re relevant or belong in a sequence, aiding in seamless tracking of events.
True or False: Hunting bookmarks can only be used by a single investigator.
- True
- False
Answer: False
Explanation: Hunting bookmarks are useful for teams because they allow multiple investigators to reference the same notable events and foster collaboration.
Which Microsoft tool provides the Hunting Bookmark feature?
- A) Microsoft Excel
- B) Microsoft PowerPoint
- C) Microsoft Teams
- D) Microsoft 365 Defender
Answer: D) Microsoft 365 Defender
Explanation: Microsoft 365 Defender is a key tool for security operations analysis and it includes the Hunting Bookmark feature.
True or False: Hunting Bookmarks cannot be shared with your teammates.
- True
- False
Answer: False
Explanation: Sharing hunting bookmarks with teammates is highly encouraged as they make collaboration during investigations clearer and more effective.
Hunting bookmarks can be linked with _______.
- A) Incidents
- B) Emails
- C) Impressions
- D) Shopping items
Answer: A) Incidents
Explanation: Hunting bookmarks in security analysis are typically linked with incidents to help analyze and track the sequence of specific events.
True or False: In Microsoft 365 Defender, Hunting Bookmarks are stored indefinitely.
- True
- False
Answer: False
Explanation: In Microsoft 365 Defender, Hunting Bookmarks are stored only for 30 days. It is necessary to export them if you want to keep them stored beyond that period.
Interview Questions
What is the purpose of hunting bookmarks in data investigation?
Hunting bookmarks in data investigations are primarily used to capture important results during threat hunting. They can be referenced later or shared with team members, thereby enhancing teamwork and collaboration.
How can you create a hunting bookmark in Microsoft Azure Sentinel?
Within Microsoft Azure Sentinel, you can create a hunting bookmark from the investigation graph or directly from the hunting results page.
How can you access saved hunting bookmarks in Azure Sentinel?
Saved hunting bookmarks can be accessed through the “Bookmarks” tab present in the Azure Sentinel navigation menu.
Can hunting bookmarks be shared among different analyst groups in Azure Sentinel?
Yes, hunting bookmarks can be shared amongst analysts. They are designed to improve collaboration in tracking and managing security events.
How can you include queries in Hunting Bookmarks?
You can include queries in Hunting Bookmarks by selecting a query from the “Query results” page in Azure Sentinel, then saving the results with the “Add bookmark” button.
Can you add notes or comments to hunting bookmarks in Azure Sentinel?
Yes, Azure Sentinel provides the option to add notes or comments while creating a bookmark or after its creation, to capture more information regarding the investigation.
How long is data retained within Hunting Bookmarks?
The retention period for data within Hunting Bookmarks is determined by the user or organization’s Azure Sentinel data retention policy.
Can you perform actions directly from a hunting bookmark in Azure Sentinel?
Yes, Azure Sentinel allows you to perform various actions directly from a hunting bookmark, including triggering playbooks, launching further investigations, or updating the status or severity of a particular issue.
Are hunting bookmarks available across different workbooks in Azure Sentinel?
Hunting bookmarks are specific to the hunting queries that you have saved, and can therefore be used across different workbooks.
How does a hunting bookmark support the workflow of a Security Operations Analyst?
Hunting bookmarks help Security Operations Analysts capture important findings during investigations, share insights with their teams, and revisit past investigations for reference or further deep dives.
Can you export hunting bookmarks from Azure Sentinel?
Yes, hunting bookmarks can be exported from Azure Sentinel for offline analysis or for sharing with external teams.
What is necessary in order to delete a hunting bookmark in Azure Sentinel?
To delete a hunting bookmark in Azure Sentinel, you need to have write access permissions.
What does the ‘entities’ field in a hunting bookmark represent?
The ‘entities’ field in a hunting bookmark represents the entities, such as hosts, accounts, or IP addresses, that are the focus of the investigation.
Can Hunting Bookmarks integrate with Azure Sentinel automation rules?
Yes, Hunting Bookmarks can integrate with Azure Sentinel automation rules to help implement automated responses to specific types of events or behaviors.
What are the primary benefits of using Hunting Bookmarks?
The primary benefits of using Hunting Bookmarks include better collaboration, ensuring critical data from an investigation is saved for future reference, and facilitating the creation of a structured investigation process. They further enable the automation of responses to specific types of events or behaviors.