For security analysts working with the Microsoft 365 Defender suite, the SC-200 Microsoft Security Operations Analyst exam covers the use of various threat-management tools, one of which is hunting bookmarks in data investigations.
When a security operations analyst is scanning through logs and telemetry, they may come across interesting patterns or observations that warrant further investigation. Hunting bookmarks in Microsoft 365 Defender provide a convenient way to save these findings, together with all the context that may be important for understanding and responding to potential threats.
Bookmarks make it easier to manage a threat hunt and can be thought of as a way of taking notes that tie observations to the underlying data. They not only contain references to the relevant data but can also include analysts' comments, tags, and event details that help in forming a narrative around a suspected incident.
Security analysts can create bookmarks during or after a hunting search using the following steps:
Example 1: Anomalies in Sign-in Locations
An analyst notices that there have been a series of sign-in attempts from an unusual location. To track and investigate this further, the analyst can create a bookmark for each sign-in attempt with details about the location, user, timestamp, and the suspected impact.
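The hunt behind Example 1 is usually driven by an advanced hunting query whose interesting rows the analyst then bookmarks. The query below is an added illustration, not part of the original article or Microsoft's documentation; it assumes the Microsoft 365 Defender advanced hunting table AADSignInEventsBeta with the columns Timestamp, AccountUpn, Country, IPAddress, ErrorCode and Application (the 30-day baseline window and 1-day hunting window are assumed values an analyst would tune).

```kql
// Added example, not from the original article: surface successful sign-ins from
// countries an account has not been seen in before, as candidates for bookmarking.
// Assumes table AADSignInEventsBeta with Timestamp, AccountUpn, Country,
// IPAddress, ErrorCode (0 = success) and Application columns.
let lookback = 30d;   // assumed baseline window
let recent = 1d;      // assumed hunting window
// Baseline: the set of countries each account signed in from successfully
// during the lookback window, excluding the window being hunted.
let baseline = AADSignInEventsBeta
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where ErrorCode == 0
    | summarize BaselineCountries = make_set(Country) by AccountUpn;
// Recent successful sign-ins whose country is absent from the account's baseline.
// leftouter keeps accounts with no baseline at all (new or long-dormant users).
AADSignInEventsBeta
| where Timestamp > ago(recent)
| where ErrorCode == 0
| join kind=leftouter baseline on AccountUpn
| where isnull(BaselineCountries) or not(set_has_element(BaselineCountries, Country))
| summarize SignInCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            IPs = make_set(IPAddress),
            Apps = make_set(Application)
            by AccountUpn, Country
| order by SignInCount desc
```

Each result row carries the user, location, first and last timestamp and the applications involved, which is exactly the context the article says a bookmark for this scenario should record; the analyst bookmarks the rows that merit follow-up rather than the whole result set.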
Example 2: Unexpected Application Activity
During a routine hunt, an analyst observes unexpected application activity on a high-value asset. A bookmark is created, detailing the application, asset information, activity timestamp, and any potential processes involved that could indicate compromise.
The use of bookmarks during threat hunting has numerous benefits, including:
When bookmarks are linked to an alert that evolves into an incident, they provide invaluable context for incident responders. This information aids in incident triage and helps responders understand the scope and scale of an attack.
The following table summarizes the key stages of using hunting bookmarks within a data investigation:
Stage | Description | Example Action |
---|---|---|
Discovery | Initial observation of anomalies. | Noticing a spike in file downloads. |
Bookmarking | Saving relevant data and context. | Creating a bookmark for the activity. |
Analysis | In-depth exploration of the data. | Investigating the user’s file access and endpoint security logs. |
Response | Taking action based on findings. | Isolating the affected endpoint, resetting user passwords. |
Record-Keeping | Maintaining details for audits and training. | Reviewing bookmark logs during monthly security reviews. |
For a more productive hunting experience, analysts should adhere to the following best practices:
In conclusion, hunting bookmarks are a valuable tool within the Microsoft 365 Defender platform for Security Operations Analysts. They serve a wide range of functions, from organizing and retaining information about potential threats to facilitating collaboration among team members during incident response. Proper use of hunting bookmarks significantly improves the efficiency and effectiveness of data investigation workflows, a competence that is essential and is reinforced by the SC-200 Microsoft Security Operations Analyst exam.
Hunting bookmarks are used to save observations or data during an investigation and are not automatically deleted after 30 days; they persist until the investigator deletes them.
The correct answers are: A, B, D
Hunting bookmarks can include notes, related alerts, and queries, but they do not include remediation actions taken.
Hunting bookmarks are used to preserve the state for both manual investigative processes and can be used within automated security workflows as a reference point.
The correct answer is: C
The primary purpose of a hunting bookmark is to save interesting findings or data points so an investigator can easily return to them later in the investigation.
Hunting bookmarks can be shared with other security team members, which facilitates collaboration and knowledge sharing in an investigation.
The correct answers are: A, C
Hunting bookmarks can keep track of timestamps and help categorize evidence. While they can log who created or modified the bookmark, they don’t track general user access to the data and are not used for scheduling tasks.
Hunting bookmarks can be created by any security analyst with the appropriate permissions to the Microsoft 365 Defender portal, not just administrators.
The correct answer is: B
Hunting bookmarks help security analysts by enabling easier navigation of complex data sets during an investigation.
Hunting bookmarks in Microsoft 365 Defender are designed to work across various Microsoft security solutions, providing a more integrated and efficient investigative experience.
The correct answers are: A, B
From the Microsoft 365 Defender portal, users can modify the bookmark’s description and assign it to users for follow-up. It does not typically allow for changing the severity of associated alerts or automatically applying security policies.
The correct answer is: B
Analysts use hunting bookmarks during active investigations to mark anomalies or suspicious findings for easier access or follow-up later.
Information from hunting bookmarks can be exported, allowing for further analysis or reporting outside of the immediate investigation environment.
Hunting bookmarks are named, saved query bookmarks that enable SOC analysts to save and reuse frequently used KQL queries for future investigations.
Hunting bookmarks provide a way to store and quickly access KQL queries that were previously used to investigate security incidents or perform threat hunting tasks.
To create a new hunting bookmark, first run the desired KQL query in a Sentinel workbook or notebook, then click the “Bookmark query” button, enter the name and description of the bookmark, and save it.
Yes, you can edit an existing hunting bookmark by opening it from the bookmarks panel, modifying the KQL query, and then saving the changes.
To delete a hunting bookmark, go to the bookmarks panel, locate the bookmark you want to delete, click the three-dot menu next to it, and choose the “Delete” option.
To share a hunting bookmark with other users, click on the “Share” button next to the bookmark in the bookmarks panel, select the users or groups you want to share it with, and then click “Add”.
Yes, you can export hunting bookmarks as JSON files and import them into other Sentinel workspaces or share them with other users.
To search for a specific hunting bookmark, type the keyword in the search box in the bookmarks panel, and all bookmarks that match the search term will be displayed.
You can filter hunting bookmarks based on the name, description, query, or other metadata fields by using the filtering options in the bookmarks panel.
Hunting bookmarks can help standardize investigations by providing SOC analysts with a pre-defined set of KQL queries that have been tested and approved, and can be used as a starting point for future investigations.