Hunting bookmarks are a powerful feature in Microsoft Sentinel that allow security analysts to preserve and organize important findings during threat hunting investigations. When conducting data investigations, bookmarks serve as markers that help analysts save relevant query results, evidence, and insights for future reference.
To use hunting bookmarks effectively, analysts begin by running hunting queries in Microsoft Sentinel to search for suspicious activities or potential threats across their environment. When a query returns interesting results that warrant further investigation, analysts can select specific rows and add them as bookmarks rather than losing track of these findings.
When creating a bookmark, analysts can add custom tags, notes, and annotations to provide context about why the data is significant. This documentation proves invaluable when collaborating with team members or when returning to an investigation after time has passed. Bookmarks capture the original query, timestamp, and associated entities such as accounts, hosts, IP addresses, and URLs.
The bookmark feature integrates seamlessly with the investigation graph in Microsoft Sentinel. Analysts can promote bookmarks to incidents or add them to existing incidents, creating a clear audit trail of the investigation process. This capability enables teams to build comprehensive cases by linking related evidence together.
Bookmarks also support entity mapping, allowing analysts to extract and tag key entities from the saved data. These mapped entities can then be explored further using entity behavior analytics and other investigation tools within Sentinel.
For effective data investigations, analysts should establish consistent naming conventions and tagging strategies for bookmarks. This organization facilitates quick retrieval and helps teams maintain situational awareness during complex investigations. The livestream feature can also be combined with bookmarks, enabling real-time monitoring while preserving significant events for detailed analysis. By leveraging hunting bookmarks strategically, security teams enhance their investigation efficiency and maintain thorough documentation throughout the threat hunting lifecycle.
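Bookmarks are written to the workspace's HuntingBookmark table, so a consistent tag convention can be checked with KQL. The query below is an added example, not from the original page; it assumes the HuntingBookmark schema (Tags as a dynamic array, plus Notes, QueryText, Entities, EventTime, CreatedBy and SoftDeleted columns), and the tag value "lateral-movement" is a constructed example of a team convention.

```kql
// Query 1: pull the bookmarks an analyst saved under one team tag, newest first,
// with the note, the originating query and the mapped entities.
HuntingBookmark
| where TimeGenerated > ago(30d)
| where SoftDeleted == false                       // skip bookmarks the team deleted
| where Tags has "lateral-movement"                // constructed tag convention
| extend CreatedByName = tostring(CreatedBy.Name)  // CreatedBy is a dynamic object (assumed)
| project EventTime, BookmarkName, CreatedByName, Notes, QueryText, Entities
| order by EventTime desc

// Query 2 (run separately): audit tagging consistency by counting bookmarks per tag,
// which surfaces near-duplicate tags ("LateralMovement" vs "lateral-movement").
HuntingBookmark
| where TimeGenerated > ago(30d)
| where SoftDeleted == false
| mv-expand Tag = Tags                             // one row per tag (Tags assumed array)
| summarize Bookmarks = count(), Analysts = dcount(tostring(CreatedBy.Name)) by Tag = tostring(Tag)
| order by Bookmarks desc
```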
Use Hunting Bookmarks for Data Investigations
Why It Is Important
Hunting bookmarks are essential for security analysts because they allow you to preserve and organize critical evidence discovered during threat hunting activities in Microsoft Sentinel. When investigating potential security incidents, analysts often uncover suspicious activities that need further examination. Bookmarks ensure that this valuable data is not lost and can be shared with team members, attached to incidents, or used for building a comprehensive timeline of malicious activity.
What Are Hunting Bookmarks?
Hunting bookmarks in Microsoft Sentinel are saved query results that capture specific log entries or events identified during threat hunting sessions. They act as markers that highlight potentially malicious or suspicious activities within your data. Each bookmark stores:
• The specific log record or event data
• The query used to find the data
• Tags for categorization
• Notes added by the analyst
• Entity mappings (users, hosts, IP addresses)
• Timestamps of when the activity occurred
How Hunting Bookmarks Work
1. Creation: While running hunting queries in Microsoft Sentinel, analysts can select specific rows from query results and click Add bookmark to save them.
2. Enrichment: Analysts can add notes, tags, and map entities to provide context about why the bookmark is significant.
3. Organization: Bookmarks appear in the Hunting blade under the Bookmarks tab, where they can be filtered, sorted, and managed.
4. Investigation Integration: Bookmarks can be added to existing incidents or used to create new incidents. They also integrate with the Investigation Graph to visualize relationships between entities.
5. Collaboration: Team members can view bookmarks, add their own notes, and build upon previous findings.
Key Features and Capabilities
• Attach to Incidents: Link bookmarks to incidents for comprehensive case documentation
• Entity Mapping: Associate bookmarks with specific entities like accounts, hosts, or IP addresses
• Investigation Graph: Visualize bookmark data and entity relationships in graphical format
• Tagging: Categorize bookmarks with custom tags for easy filtering
• Notes: Document analyst observations and hypotheses
Exam Tips: Answering Questions on Hunting Bookmarks
Understand the workflow: Questions often test whether you know the correct sequence: run a hunting query, identify suspicious results, create a bookmark, then add it to an incident or investigation.
Know the location: Remember that bookmarks are managed under Threat Management > Hunting > Bookmarks in Microsoft Sentinel.
Entity mapping is crucial: Exam questions may ask about mapping entities to bookmarks. Know that you can map accounts, hosts, IP addresses, and other entity types.
Distinguish from other features: Do not confuse bookmarks with watchlists or analytics rules. Bookmarks are for preserving specific hunting findings, while watchlists contain reference data and analytics rules generate alerts.
Investigation Graph integration: Be prepared for questions about how bookmarks appear in the Investigation Graph and how they help visualize attack patterns.
Incident attachment: Remember that bookmarks can be attached to existing incidents OR used to create new incidents - both options may appear as answer choices.
Permissions: Know that creating and managing bookmarks requires appropriate Microsoft Sentinel permissions (Sentinel Contributor role).
Common question formats: Expect scenario-based questions where you must identify the best method to preserve evidence found during hunting activities; bookmarks are typically the correct answer in these contexts.