Forum Discussion
Azure Sentinel Bookmark API entities
I'm having problems understanding how to map entities using Azure Sentinel Bookmarks via API.
I can easily map entities when I manually create a bookmark (see screen shot below)
However when I create a Bookmark via API (found https://docs.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update#request-body), I don't see or how I can map entities. Instead the contents of the Bookmark appear blank (see screen shot below)
The KQL query I'm using is basic (which would generate results), more or less I'm using this as a test
Is there anything I'm missing or doing wrong?
2 Replies
CharlieSmith555 Take a look here and look at the Expand example under Bookmarks:
Thanks for the response, however I'm still not clear under the Github examples 'where' entity mapping occurs during the Bookmark creation via API.
Under the section of ""query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)""
How do you map the "Account" entity to "UserPrincipalAccount" field based on the query results via API? Or map the "Host" entity to "ComputerName" field via API based on the query?
Obviously mapping entities manually when creating a bookmark is simple. I just don't see how this is done via API. I reviewed all of the examples and I'm just not seeing anything that calls this out. - Thanks!
