6.2 Custom Detections, Bookmarks & Notebooks
Key Takeaways
- A successful hunting query should be promoted: in Defender XDR it becomes a custom detection rule; in Microsoft Sentinel it becomes a scheduled or NRT analytics rule that generates alerts and incidents.
- Defender XDR custom detection rules require the query to return ReportId, Timestamp, and the impacted entity columns (DeviceId, AccountObjectId, etc.) so the rule can map alerts to entities and run response actions.
- Sentinel bookmarks preserve interesting hunt rows with context and can be added to a new or existing incident so a hunting finding becomes a tracked, assignable investigation.
- Jupyter notebooks (Azure ML / Sentinel MCP Server) extend hunting with multi-stage logic, external enrichment, machine learning, and visualizations that exceed what a single KQL query can express.
- Hunting maturity is measured: track hypotheses tested, queries promoted to detections, coverage of MITRE ATT&CK techniques, and mean time to detect — not just query volume.
From Hunt to Durable Detection
Finding something once is not enough — SC-200 expects you to close the loop by turning a proven hunt into an automated detection. There are two destinations depending on where you hunted.
Promote in Microsoft Defender XDR: Custom Detection Rules
In Defender XDR, an Advanced Hunting query can be saved as a custom detection rule. The rule runs the KQL on a schedule (every 24, 12, 3, or 1 hour, or continuously in near real time) and raises alerts that land in the unified incident queue, complete with automated response actions on the impacted entities (isolate device, restrict app execution, disable user, and so on).
For a query to be eligible, it must return the required columns:
| Required output | Why |
|---|---|
| Timestamp | Anchors when the activity occurred |
| ReportId | Uniquely identifies the event row for alerting |
| Impacted entity columns (for example DeviceId, DeviceName, AccountObjectId, AccountSid, RecipientEmailAddress) | Lets the rule map the alert to an entity and run response actions on it |
If an exam item says a custom detection rule cannot be created or response actions are unavailable, the usual cause is that the query output lacks Timestamp, ReportId, or an impacted-entity column. The most common way to lose them is a summarize that aggregates the event rows away.
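As an added illustration of that failure mode (example queries written for this page, not Microsoft's documentation or sample queries), here is the same constructed hunt written twice: a certutil download-and-decode pattern counted per device. The first form aggregates away Timestamp and ReportId and therefore cannot be promoted; the second keeps them with arg_max so the rule can alert on a concrete row and run device actions. The threshold and the 7-day window are arbitrary choices, and the two queries are separate statements to run one at a time:

```kql
// Added example, not from the page. Two stand-alone queries; run each separately.

// 1) NOT eligible for a custom detection rule: summarize keeps a count per device only,
//    so the result has no Timestamp, no ReportId, and no DeviceId to act on.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode")
| summarize Hits = count() by DeviceName
| where Hits > 3

// 2) Eligible: arg_max returns the most recent matching row's columns alongside the count,
//    so Timestamp, ReportId and the device/user entity columns survive the aggregation.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode")
| summarize Hits = count(),
            arg_max(Timestamp, ReportId, DeviceId, AccountSid, ProcessCommandLine) by DeviceName
| where Hits > 3
| project Timestamp, ReportId, DeviceId, DeviceName, AccountSid, ProcessCommandLine, Hits
```

Once the second form is promoted, the rule's frequency decides how far back each run looks (a rule that runs every 24 hours, for example, checks the past 30 days), so the ago() filter in the query only ever narrows that window.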
Promote in Microsoft Sentinel: Analytics Rules
In Microsoft Sentinel, a valuable hunting query is promoted into a scheduled analytics rule (runs on an interval such as every 5 minutes to 14 days) or a near-real-time (NRT) rule (runs about once per minute for time-critical detections). The rule maps entities (Account, Host, IP, URL), sets severity and MITRE ATT&CK tactics, and can trigger an automation rule or playbook for response.
Decision guide (the pattern the exam tests):
| Need | Use |
|---|---|
| Proactive, on-demand exploration, no alerts | Hunting query |
| Recurring detection with tunable interval | Scheduled analytics rule |
| Lowest-latency detection of a single condition | NRT analytics rule |
| One-time investigation snapshot of hunt rows | Bookmark |
Bookmarks: Turning Findings into Incidents
A Microsoft Sentinel bookmark preserves specific rows from a hunting query along with notes, MITRE tags, and mapped entities so the finding is not lost when the query is re-run. Crucially, a bookmark can be added to a new incident or appended to an existing incident, which converts an informal hunt result into an assignable, trackable investigation that flows through case management.
The exam pattern: a hunter finds three suspicious hosts and wants a teammate to investigate with full context. The correct action is create a bookmark and add it to an incident — not rerun the query, not email the rows, and not create an analytics rule (which would be for future recurrence, not this specific finding).
Jupyter Notebooks and the Sentinel MCP Server
Some hunts exceed what a single KQL statement can express — multi-step pivots, statistical baselining, machine-learning scoring, third-party enrichment, or rich visualization. Jupyter notebooks (run via Azure Machine Learning compute and authenticated against the Microsoft Sentinel workspace) let analysts combine KQL, Python, and libraries such as MSTICPy for repeatable, documented investigations.
The 2026 SC-200 update adds the Sentinel Model Context Protocol (MCP) Server, which exposes Sentinel data and tooling to notebooks and AI agents through a standard protocol — enabling agentic, notebook-driven hunting and automation. For the exam, associate notebooks with advanced, programmatic, multi-stage hunting and MCP Server with connecting that environment (and AI agents) to Sentinel data.
When to choose a notebook over plain KQL:
- The hunt needs iteration with branching logic or loops over many entities.
- You need external threat intel enrichment or geolocation/WHOIS lookups inline.
- You want machine learning (clustering, anomaly scoring) on the result set.
- The investigation must be shareable and reproducible with narrative and charts.
Hunting Hypotheses and Program Metrics
Mature hunting is hypothesis-driven and measured, not ad hoc. SC-200 may ask how to evaluate or improve a hunting program. Strong answers reference structured hypotheses and outcome metrics rather than raw query counts.
| Metric | What it tells you |
|---|---|
| Hypotheses tested per period | Hunting cadence and breadth |
| Queries promoted to detections | How much hunting hardens into automation |
| MITRE ATT&CK technique coverage | Where detection gaps remain |
| New incidents originated by hunting | Proactive value beyond existing alerts |
| Mean time to detect (MTTD) trend | Whether hunting shortens dwell time |
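Two of these metrics can be measured directly from Microsoft Sentinel's SecurityIncident table. The query below is an added example for this page, not part of the original text or any Microsoft sample. It assumes the workspace writes one SecurityIncident row per incident change (so the latest row per incident is taken first) and that an incident created from a hunt carries at least one bookmark id in BookmarkIds; the 90-day period is an arbitrary choice:

```kql
// Added example, not from the page: hunting-originated incidents and detection lag per week.
let period = 90d;
let latest =
    SecurityIncident
    | where TimeGenerated > ago(period)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;   // collapse the change history
latest
| where CreatedTime > ago(period)
// Assumption: a bookmark id on the incident means a hunter, not an analytics rule alone, originated it
| extend FromHunt = array_length(BookmarkIds) > 0
// Detection lag: first observed activity to incident creation (the MTTD proxy for this table)
| extend DetectLagHours = iff(isnotempty(FirstActivityTime),
                             datetime_diff("minute", CreatedTime, FirstActivityTime) / 60.0,
                             real(null))
| summarize
    Incidents = count(),
    HuntOriginated = countif(FromHunt),
    MedianDetectLagHours = percentile(DetectLagHours, 50),
    MeanDetectLagHours = round(avg(DetectLagHours), 1)
  by Week = startofweek(CreatedTime)
| order by Week asc
```

Trend the HuntOriginated column alongside the lag columns: a program that is working shows hunt-originated incidents appearing with a shorter lag than the rule-originated ones, which is the dwell-time argument the metric is meant to support.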
A good hypothesis is specific, testable, and tied to an adversary behavior: "Service accounts do not normally run interactive PowerShell, so interactive PowerShell under a service account in the last 14 days may indicate credential misuse." That sentence names the assumption, the anomaly, the data window, and the threat — everything needed to write the query and judge the result.
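The hypothesis above, written as an Advanced Hunting query that also satisfies the Defender XDR custom detection requirements described earlier in this section. This is an added example for this page, not a query from the original text or from Microsoft. It assumes service accounts follow a "svc-" naming convention and treats a logon session of type Interactive or RemoteInteractive as the definition of "interactive"; both are assumptions to adjust for your tenant:

```kql
// Added example, not from the page: interactive PowerShell under a service account in the last 14 days.
let lookback = 14d;                      // the data window named in the hypothesis
let svc_prefix = "svc-";                 // assumed service-account naming convention
let interactive_logons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Interactive", "RemoteInteractive")
    | where AccountName startswith svc_prefix
    | project LogonTime = Timestamp, DeviceId, LogonId, AccountSid, AccountName, LogonType, RemoteIP;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Same device and same logon session; LogonId repeats across reboots, hence the time guard below
| join kind=inner interactive_logons on DeviceId, LogonId
| where Timestamp >= LogonTime
// Timestamp and ReportId plus device/user entity columns make this promotable to a custom detection
| project Timestamp, ReportId, DeviceId, DeviceName,
          AccountSid, AccountName, AccountObjectId,
          LogonType, RemoteIP, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Each clause maps to a part of the hypothesis: the lookback is the window, the svc_prefix filter and LogonType filter are the assumption, the PowerShell join is the anomaly, and the projected command lines are what a reviewer needs to judge whether it is credential misuse. In Microsoft Sentinel the same hypothesis would be written against the workspace tables and promoted as a scheduled rule with Account and Host entity mappings.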
Practice Questions
An SC-200 analyst saved an Advanced Hunting query in Microsoft Defender XDR and now wants to convert it into a custom detection rule with automated device isolation. The Create custom detection option is unavailable. What is the most likely cause?
While hunting in Microsoft Sentinel, an analyst identifies four suspicious sign-in events and wants to hand the investigation to a teammate with full context and tracked ownership. Which action best accomplishes this?
A SOC lead wants a repeatable, documented hunt that performs multi-stage pivots, enriches indicators with an external threat-intel feed, and applies anomaly scoring with Python libraries against Microsoft Sentinel data. Which tool is the best fit?
Which statement best describes a well-formed threat hunting hypothesis suitable for SC-200 program metrics?