Sdílet prostřednictvím


Incidents - List Bookmarks

Gets all bookmarks for an incident.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks?api-version=2024-09-01

URI Parameters

Name In Required Type Description
incidentId
path True

string

Incident ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK

IncidentBookmarkList

OK

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get all incident bookmarks.

Sample request

POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/bookmarks?api-version=2024-09-01

Sample response

{
  "value": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812",
      "name": "afbd324f-6c48-459c-8710-8d1e1cd03812",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Bookmark",
      "properties": {
        "displayName": "SecurityEvent - 868f40f4698d",
        "created": "2020-06-17T15:34:01.4265524+00:00",
        "updated": "2020-06-17T15:34:01.4265524+00:00",
        "createdBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "updatedBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "eventTime": "2020-06-17T15:34:01.4265524+00:00",
        "labels": [],
        "query": "SecurityEvent\r\n| take 1\n",
        "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
        "additionalData": {
          "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
          "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
        },
        "friendlyName": "SecurityEvent - 868f40f4698d"
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/bbbd324f-6c48-459c-8710-8d1e1cd03812",
      "name": "bbbd324f-6c48-459c-8710-8d1e1cd03812",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Bookmark",
      "properties": {
        "displayName": "SecurityEvent - 868f40f4698d",
        "created": "2020-06-17T15:34:01.4265524+00:00",
        "updated": "2020-06-17T15:34:01.4265524+00:00",
        "createdBy": {
          "objectId": "303ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "updatedBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "eventTime": "2020-06-17T15:34:01.4265524+00:00",
        "labels": [],
        "query": "SecurityEvent\r\n| take 1\n",
        "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
        "additionalData": {
          "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
          "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
        },
        "friendlyName": "SecurityEvent - 868f40f4698d"
      }
    }
  ]
}

Definitions

Name Description
CloudError

Error response structure.

CloudErrorBody

Error details.

createdByType

The type of identity that created the resource.

EntityKindEnum

The kind of the aggregated entity.

HuntingBookmark

Represents a Hunting bookmark entity.

IncidentBookmarkList

List of incident bookmarks.

IncidentInfo

Describes related incident information for the bookmark

IncidentSeverity

The severity of the incident

systemData

Metadata pertaining to creation and last modification of the resource.

UserInfo

User information that made some action

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

EntityKindEnum

The kind of the aggregated entity.

Name Type Description
Account

string

Entity represents account in the system.

AzureResource

string

Entity represents azure resource in the system.

Bookmark

string

Entity represents bookmark in the system.

CloudApplication

string

Entity represents cloud application in the system.

DnsResolution

string

Entity represents dns resolution in the system.

File

string

Entity represents file in the system.

FileHash

string

Entity represents file hash in the system.

Host

string

Entity represents host in the system.

IoTDevice

string

Entity represents IoT device in the system.

Ip

string

Entity represents ip in the system.

MailCluster

string

Entity represents mail cluster in the system.

MailMessage

string

Entity represents mail message in the system.

Mailbox

string

Entity represents mailbox in the system.

Malware

string

Entity represents malware in the system.

Process

string

Entity represents process in the system.

RegistryKey

string

Entity represents registry key in the system.

RegistryValue

string

Entity represents registry value in the system.

SecurityAlert

string

Entity represents security alert in the system.

SecurityGroup

string

Entity represents security group in the system.

SubmissionMail

string

Entity represents submission mail in the system.

Url

string

Entity represents url in the system.

HuntingBookmark

Represents a Hunting bookmark entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Bookmark

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.created

string

The time the bookmark was created

properties.createdBy

UserInfo

Describes a user that created the bookmark

properties.displayName

string

The display name of the bookmark

properties.eventTime

string

The time of the event

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.incidentInfo

IncidentInfo

Describes an incident that relates to bookmark

properties.labels

string[]

List of labels relevant to this bookmark

properties.notes

string

The notes of the bookmark

properties.query

string

The query of the bookmark.

properties.queryResult

string

The query result of the bookmark.

properties.updated

string

The last time the bookmark was updated

properties.updatedBy

UserInfo

Describes a user that updated the bookmark

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

IncidentBookmarkList

List of incident bookmarks.

Name Type Description
value

HuntingBookmark[]

Array of incident bookmarks.

IncidentInfo

Describes related incident information for the bookmark

Name Type Description
incidentId

string

Incident Id

relationName

string

Relation Name

severity

IncidentSeverity

The severity of the incident

title

string

The title of the incident

IncidentSeverity

The severity of the incident

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

UserInfo

User information that made some action

Name Type Description
email

string

The email of the user.

name

string

The name of the user.

objectId

string

The object id of the user.