Exam SC-200 topic 6 question 27 discussion

Hunting is correct answer. https://learn.microsoft.com/en-us/azure/sentinel/bookmarks#add-bookmarks-to-a-new-or-existing-incident

To CREATE a bookmark you go to Threat Management > Hunting, when you run a hunting query you need to go to the LOGS pane to create the bookmark. So the answer is Logs. If you want to add bookmarks to a new or existing incident, this is done through the Hunting pane. But the question specifically asks how you create a bookmark. Full explanation here including screenshots of the Logs pane being used. https://learn.microsoft.com/en-us/azure/sentinel/bookmarks#add-a-bookmark

To Create a bookmark -> For Microsoft Sentinel in the Azure portal, under Threat management select Hunting.

should be A

Bookmarks are exclusively created and managed within the Logs section. Here's a summary to solidify this: Incidents: The Incidents section is for managing and investigating security incidents. It provides a consolidated view of alerts, entities, and related information. You can't create bookmarks here.   Hunting: The Hunting section is for proactively searching for threats using hunting queries. While you might discover interesting data during a hunting exercise, you still need to go to the Logs section to create a bookmark for the corresponding KQL query.   Logs: The Logs section (powered by Log Analytics) is where you write and run KQL queries against your security data. This is the only place where you can create and manage bookmarks.

Use Hunting for proactive threat detection. Use Incidents for investigating and managing evidence for pre-aggregated alerts and related events.

I would prefer A. Not B, because Hunting is more appropriate for pro-active searching for anomalies Inside the incident, go to the Investigate tab. "As you investigate the various alerts, events, and entities related to the incident, you can bookmark the key items that are important for your investigation."

Per Azure What is it? Hunting bookmarks enable users to save, tag, annotate, share and investigate results from a Log Analytics query. How does it work? Select a hunting query from the Microsoft Sentinel hunting page and click "View query results" in hunting query details to view the results in Log Analytics. Use the check boxes to select one or more rows that contain the information you find interesting and click "Add bookmark". This preserves the data in the row for future reference.

GPT4: Here’s why Hunting is the appropriate setting: Hunting: This is where you can run queries to proactively search for threats in your environment. When you find something suspicious or noteworthy during your hunting activities, you can create a bookmark to save the specific event or finding for further investigation or correlation with other data.