Skip to main content
Create or update a bookmark.
External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
Bookmark IDBookmark ID to upsert. If doesn’t exist, creates the bookmark with the given ID and properties (valid uuid). Otherwise, updates it.
Display NameThe display name of the bookmark.
QueryThe query of the bookmark.
Resource Group NameThe name of the resource group. The name is case insensitive.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
EtagThe Etag of the azure resource.
Event TimeThe bookmark event time.
Incident IDThe ID of the incident.
Incident InfoSelect to fill incident Info that describes an incident that relates to bookmark.
Incident Relation NameThe relation name of the incident.
Incident SeverityThe severity of the incident.
Incident TitleThe title of the incident.
LabelsA comma-separated list of labels that are relevant to this bookmark.
NotesThe notes for the bookmark.
Query End TimeThe end time of the query.
Query ResultThe query result for the bookmark.
Query Start timeThe start time of the query.

Example Output

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/bookmarks",
	"properties": {
		"displayName": "My bookmark",
		"created": "2019-01-01T13:15:30Z",
		"updated": "2019-01-01T13:15:30Z",
		"createdBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"updatedBy": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john@contoso.com",
			"name": "john doe"
		},
		"eventTime": "2021-03-28T02:54:43",
		"notes": "Found a suspicious activity",
		"labels": [
			"Tag1",
			"Tag2"
		],
		"query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
		"queryResult": "Security Event query result",
		"queryStartTime": "2024-08-21T05:23:46",
		"queryEndTime": "2020-02-15T16:49:25",
		"incidentInfo": {
			"incidentId": null,
			"title": null,
			"relationName": null,
			"severity": null
		}
	}
}

Workflow Library Example

Create or Update Bookmark with Microsoft Sentinel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop
I