Forum Discussion
CharlieSmith555
Jun 17, 2021 Copper Contributor
Azure Sentinel Bookmark API entities
I'm having problems understanding how to map entities using Azure Sentinel Bookmarks via API. I can easily map entities when I manually create a bookmark (see screenshot below). However...
GaryBushey
Jun 18, 2021 Bronze Contributor
CharlieSmith555 Take a look here and look at the Expand example under Bookmarks:
- CharlieSmith555 Jun 18, 2021 Copper Contributor
Thanks for the response; however, I'm still not clear under the GitHub examples 'where' entity mapping occurs during the Bookmark creation via API.
Under the section of ""query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)""
How do you map the "Account" entity to "UserPrincipalAccount" field based on the query results via API? Or map the "Host" entity to "ComputerName" field via API based on the query?
Obviously mapping entities manually when creating a bookmark is simple. I just don't see how this is done via API. I reviewed all of the examples and I'm just not seeing anything that calls this out. - Thanks!