Create Or Update Bookmark - Blink Documentation

Create or update a bookmark.

External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

Parameter	Description
Bookmark ID	Bookmark ID to upsert. If doesn’t exist, creates the bookmark with the given ID and properties (valid uuid). Otherwise, updates it.
Display Name	The display name of the bookmark.
Query	The query of the bookmark.
Resource Group Name	The name of the resource group. The name is case insensitive.
Subscription ID	The ID of the target subscription.
Workspace Name	The name of the workspace.

Advanced Parameters

Parameter	Description
Etag	The Etag of the azure resource.
Event Time	The bookmark event time.
Incident ID	The ID of the incident.
Incident Info	Select to fill `incident Info` that describes an incident that relates to bookmark.
Incident Relation Name	The relation name of the incident.
Incident Severity	The severity of the incident.
Incident Title	The title of the incident.
Labels	A comma-separated list of labels that are relevant to this bookmark.
Notes	The notes for the bookmark.
Query End Time	The end time of the query.
Query Result	The query result for the bookmark.
Query Start time	The start time of the query.

Example Output

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/bookmarks",
	"properties": {
		"displayName": "My bookmark",
		"created": "2019-01-01T13:15:30Z",
		"updated": "2019-01-01T13:15:30Z",
		"createdBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"updatedBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"eventTime": "2021-03-28T02:54:43",
		"notes": "Found a suspicious activity",
		"labels": [
			"Tag1",
			"Tag2"
		],
		"query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
		"queryResult": "Security Event query result",
		"queryStartTime": "2024-08-21T05:23:46",
		"queryEndTime": "2020-02-15T16:49:25",
		"incidentInfo": {
			"incidentId": null,
			"title": null,
			"relationName": null,
			"severity": null
		}
	}
}

Workflow Library Example

Create or Update Bookmark with Microsoft Sentinel and Send Results Via Email

Preview this Workflow on desktop

Integrations

​Basic Parameters

​Advanced Parameters

​Example Output

​Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example