Jun 17 2021 12:33 PM
I'm having problems understanding how to map entities using Azure Sentinel Bookmarks via API.
I can easily map entities when I manually create a bookmark (see screenshot below).
However, when I create a Bookmark via API (found here), I don't see how I can map entities. Instead the contents of the Bookmark appear blank (see screenshot below).
The KQL query I'm using is basic (which would generate results); more or less, I'm using this as a test.
Is there anything I'm missing or doing wrong?
Jun 18 2021 03:42 AM
@CharlieSmith555 Take a look here and look at the Expand example under Bookmarks:
Jun 18 2021 07:20 AM
Thanks for the response, however I'm still not clear under the Github examples 'where' entity mapping occurs during the Bookmark creation via API.
Under the section `"query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)"`:
How do you map the "Account" entity to "UserPrincipalAccount" field based on the query results via API? Or map the "Host" entity to "ComputerName" field via API based on the query?
Obviously mapping entities manually when creating a bookmark is simple. I just don't see how this is done via API. I reviewed all of the examples and I'm just not seeing anything that calls this out. - Thanks!
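Added example (not from the thread, and not Microsoft's sample code): a small Python helper that builds the body for `PUT .../Microsoft.SecurityInsights/bookmarks/{id}` and derives an `entityMappings` array from one query-result row, which is the piece the thread is asking for. It assumes the bookmark resource accepts an `entityMappings` property of the shape `{"entityType": ..., "fieldMappings": [{"identifier": ..., "value": ...}]}` (as in later versions of the REST reference; verify it against the `api-version` you target, since the `2024-03-01` value used here is an assumption, and older versions omit the property). The sample row, the column-to-identifier table and the subscription/workspace placeholders are constructed for illustration. Two practitioner checks are built in: `queryResult` is sent as a serialized string rather than a nested object, and an inverted time window is rejected. Note also that a predicate like `TimeGenerated > ago(1d) and TimeGenerated < ago(2d)` matches no rows, because no record is both newer than one day and older than two; the query in the example below uses an ordered window instead.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample result row (not real telemetry): the columns a
# SecurityEvent logon record exposes, populated with made-up values.
SAMPLE_ROW = {
    "TimeGenerated": "2021-06-17T10:15:00Z",
    "EventID": 4624,
    "Computer": "wks-042.corp.example",
    "TargetUserName": "alice",
    "TargetDomainName": "CORP",
    "IpAddress": "10.0.0.15",
}

# Assumed table: Sentinel entity type -> {entity identifier: result column}.
# Identifier names follow the Sentinel entity schema (Account: Name/NTDomain,
# Host: HostName, IP: Address); the column names are whatever your query returns.
ENTITY_COLUMN_MAP = {
    "Account": {"Name": "TargetUserName", "NTDomain": "TargetDomainName"},
    "Host": {"HostName": "Computer"},
    "IP": {"Address": "IpAddress"},
}


def build_entity_mappings(row, column_map=ENTITY_COLUMN_MAP):
    """Turn one result row into an entityMappings array.

    Only identifiers whose column carries a value are emitted, and an entity
    type with no usable identifier is dropped: an entity with no identifiers
    cannot be matched to anything in the investigation graph.
    """
    mappings = []
    for entity_type, identifiers in column_map.items():
        field_mappings = [
            {"identifier": ident, "value": str(row[col])}
            for ident, col in identifiers.items()
            if row.get(col) not in (None, "")
        ]
        if field_mappings:
            mappings.append({"entityType": entity_type, "fieldMappings": field_mappings})
    return mappings


def default_window(hours=24):
    """Return an ordered (start, end) UTC window ending now."""
    end = datetime.now(timezone.utc).replace(microsecond=0)
    return end - timedelta(hours=hours), end


def _iso_z(ts):
    return ts.isoformat().replace("+00:00", "Z")


def build_bookmark_body(display_name, query, row, start, end, column_map=ENTITY_COLUMN_MAP):
    """Build the JSON body for the bookmark PUT request."""
    if start >= end:
        raise ValueError("queryStartTime must be earlier than queryEndTime")
    return {
        "properties": {
            "displayName": display_name,
            "query": query,
            # The API stores the pinned row as a JSON string, not a nested object.
            "queryResult": json.dumps(row),
            "queryStartTime": _iso_z(start),
            "queryEndTime": _iso_z(end),
            "eventTime": row.get("TimeGenerated"),
            "labels": ["api-created"],
            "entityMappings": build_entity_mappings(row, column_map),
        }
    }


def bookmark_url(subscription_id, resource_group, workspace, bookmark_id, api_version):
    """ARM resource URL for a Sentinel bookmark in a Log Analytics workspace."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights"
        f"/bookmarks/{bookmark_id}"
        f"?api-version={api_version}"
    )


if __name__ == "__main__":
    start, end = default_window()
    body = build_bookmark_body(
        "Interactive logon on wks-042",
        "SecurityEvent | where TimeGenerated > ago(1d) and EventID == 4624",
        SAMPLE_ROW, start, end,
    )
    # Placeholder identifiers; api-version is an assumption, check the reference.
    url = bookmark_url("<subscription-id>", "<resource-group>", "<workspace>",
                       str(uuid.uuid4()), "2024-03-01")
    print("PUT", url)
    print(json.dumps(body, indent=2))
```

To send it, write the printed body to a file and issue the request with an ARM token, for example `az rest --method put --uri "<url>" --body @body.json`; then open the bookmark in the portal and confirm the Account, Host and IP entities appear on the card rather than a blank result.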