Azure Sentinel Bookmark API entities


I'm having problems understanding how to map entities using Azure Sentinel Bookmarks via API.


I can easily map entities when I manually create a bookmark (see screen shot below)

[screenshot omitted: CharlieSmith555_0-1623957817489.png]

However, when I create a Bookmark via API (found here), I don't see how I can map entities. Instead the contents of the Bookmark appear blank (see screenshot below).

[screenshot omitted: CharlieSmith555_1-1623958150080.png]

The KQL query I'm using is basic (it does generate results); more or less I'm using this as a test.

[screenshot omitted: CharlieSmith555_2-1623958258540.png]

Is there anything I'm missing or doing wrong?


2 Replies

@Gary Bushey

Thanks for the response; however, I'm still not clear, from the GitHub examples, where entity mapping occurs during Bookmark creation via API.


Under the section "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)"

How do you map the "Account" entity to the "UserPrincipalAccount" field based on the query results via API? Or map the "Host" entity to the "ComputerName" field via API based on the query?

Obviously, mapping entities manually when creating a bookmark is simple. I just don't see how this is done via API. I reviewed all of the examples and I'm just not seeing anything that calls this out. Thanks!
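The entity-mapping step the thread is asking about, as an added example that is not part of the original posts or of the GitHub samples the poster refers to. In the Bookmarks REST API the mapping lives in the bookmark's properties as an "entityMappings" array, alongside "queryResult", which holds the pinned result row as a JSON string; because a bookmark pins one row, each field mapping carries a concrete value (identifier/value) rather than a column name as analytics rules do. The script below builds that body from a selected row and PUTs it with only the standard library. Assumptions not stated on the page: an API version that exposes "entityMappings" (2023-02-01 is used here; the 2021 preview versions may differ), placeholder subscription, resource group, workspace and bearer token read from environment variables, and a constructed sample row whose column names follow the poster's "UserPrincipalAccount" and "ComputerName" wording.

```python
import json
import os
import urllib.request
import uuid
from datetime import datetime, timedelta, timezone

# Assumption (not from the thread): a Bookmarks API version whose bookmark
# properties include 'entityMappings'.  Older preview versions may lack it.
API_VERSION = "2023-02-01"

# Entity type -> [(Sentinel entity identifier, query-result column)].
# Constructed for this example; column names follow the poster's wording.
ENTITY_COLUMN_MAP = {
    "Account": [("FullName", "UserPrincipalAccount")],
    "Host": [("HostName", "ComputerName")],
}

# Constructed sample row, shaped like one SecurityEvent result the poster
# would pick in the portal before bookmarking it.
SAMPLE_ROW = {
    "TimeGenerated": "2021-06-17T19:23:37Z",
    "EventID": 4624,
    "UserPrincipalAccount": "jdoe@contoso.com",
    "ComputerName": "WS01.contoso.com",
}


def build_entity_mappings(row, column_map=ENTITY_COLUMN_MAP):
    """One result row -> the bookmark 'entityMappings' array.
    Missing or empty columns are skipped so the body stays valid."""
    mappings = []
    for entity_type, fields in column_map.items():
        field_mappings = [
            {"identifier": identifier, "value": str(row[column])}
            for identifier, column in fields
            if row.get(column) not in (None, "")
        ]
        if field_mappings:
            mappings.append({"entityType": entity_type,
                             "fieldMappings": field_mappings})
    return mappings


def build_bookmark_body(display_name, query, row, notes="", labels=None,
                        lookback=timedelta(days=1)):
    """Request body for Bookmarks - Create Or Update.  'queryResult' must be
    a JSON string; 'eventTime' comes from the row's TimeGenerated if present."""
    now = datetime.now(timezone.utc)
    props = {
        "displayName": display_name,
        "query": query,
        "queryResult": json.dumps(row),
        "notes": notes,
        "labels": labels or [],
        "queryStartTime": (now - lookback).isoformat(),
        "queryEndTime": now.isoformat(),
        "entityMappings": build_entity_mappings(row),
    }
    if row.get("TimeGenerated"):
        props["eventTime"] = row["TimeGenerated"]
    return {"properties": props}


def bookmark_url(subscription, resource_group, workspace, bookmark_id):
    """ARM URL of a bookmark resource inside a Log Analytics workspace."""
    return (
        f"https://management.azure.com/subscriptions/{subscription}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/bookmarks/{bookmark_id}"
        f"?api-version={API_VERSION}"
    )


def put_bookmark(url, body, token):
    """PUT the bookmark using a bearer token for https://management.azure.com."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_bookmark_body(
        "API bookmark with entities",
        "SecurityEvent | where TimeGenerated > ago(1d) | take 1",
        SAMPLE_ROW, notes="created via REST", labels=["api-test"])
    print(json.dumps(body, indent=2))
    # Placeholder environment variables (assumed); nothing is sent without them.
    env = {k: os.environ.get(k) for k in
           ("AZ_TOKEN", "AZ_SUBSCRIPTION", "AZ_RESOURCE_GROUP", "AZ_WORKSPACE")}
    if all(env.values()):
        url = bookmark_url(env["AZ_SUBSCRIPTION"], env["AZ_RESOURCE_GROUP"],
                           env["AZ_WORKSPACE"], str(uuid.uuid4()))
        print(json.dumps(put_bookmark(url, body, env["AZ_TOKEN"]), indent=2))
```

Run it with no environment variables to inspect the generated body; the "entityMappings" array is where the Account and Host values land, and the "queryResult" string is what the portal renders as the bookmark's content. Check the response of the PUT for the same properties echoed back before relying on the mapping in investigations.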