Incidents - List Bookmarks
Gets all bookmarks for an incident.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
incidentId | path | True | string | Incident ID |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string uuid | The ID of the target subscription. The value must be a UUID. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | OK |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get all incident bookmarks.
Sample request
POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/bookmarks?api-version=2024-09-01
Sample response
```json
{
  "value": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812",
      "name": "afbd324f-6c48-459c-8710-8d1e1cd03812",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Bookmark",
      "properties": {
        "displayName": "SecurityEvent - 868f40f4698d",
        "created": "2020-06-17T15:34:01.4265524+00:00",
        "updated": "2020-06-17T15:34:01.4265524+00:00",
        "createdBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "updatedBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "eventTime": "2020-06-17T15:34:01.4265524+00:00",
        "labels": [],
        "query": "SecurityEvent\r\n| take 1\n",
        "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
        "additionalData": {
          "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
          "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
        },
        "friendlyName": "SecurityEvent - 868f40f4698d"
      }
    },
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/bbbd324f-6c48-459c-8710-8d1e1cd03812",
      "name": "bbbd324f-6c48-459c-8710-8d1e1cd03812",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Bookmark",
      "properties": {
        "displayName": "SecurityEvent - 868f40f4698d",
        "created": "2020-06-17T15:34:01.4265524+00:00",
        "updated": "2020-06-17T15:34:01.4265524+00:00",
        "createdBy": {
          "objectId": "303ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "updatedBy": {
          "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
          "email": "user@microsoft.com",
          "name": "user"
        },
        "eventTime": "2020-06-17T15:34:01.4265524+00:00",
        "labels": [],
        "query": "SecurityEvent\r\n| take 1\n",
        "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
        "additionalData": {
          "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
          "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
        },
        "friendlyName": "SecurityEvent - 868f40f4698d"
      }
    }
  ]
}
```
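In the sample response, `properties.queryResult` is a JSON document serialized into a string, so a consumer has to decode it a second time and should treat it as untrusted input. The following is an added example, not part of the original reference or of any Microsoft SDK: it decodes `queryResult`, groups `__entityMapping` by entity kind, and flags bookmarks whose `updatedBy.objectId` differs from `createdBy.objectId`. The names `triage_bookmarks`, `bookmark` and `SAMPLE_RESPONSE` are hypothetical, and the third sample entry is constructed to exercise the malformed-input path.

```python
import json

# Constructed queryResult, shortened from the sample response above. It is JSON
# text stored inside a JSON string, so it needs its own json.loads() call.
QR = json.dumps({"EventID": 4625, "IpAddress": "176.113.115.73", "LogonType": 3,
                 "__entityMapping": {"\\ADMINISTRATOR": "Account",
                                     "SecurityEvents": "Host"}})

def bookmark(name, creator, updater, query_result=QR):
    # Hypothetical helper: one HuntingBookmark with only the fields used below.
    return {"name": name, "kind": "Bookmark", "properties": {
        "createdBy": {"objectId": creator}, "updatedBy": {"objectId": updater},
        "queryResult": query_result}}

USER_B = "b03ca914-5eb6-45e5-9417-fe0797c372fd"
SAMPLE_RESPONSE = {"value": [  # first two mirror the page; the third is constructed
    bookmark("afbd324f-6c48-459c-8710-8d1e1cd03812", USER_B, USER_B),
    bookmark("bbbd324f-6c48-459c-8710-8d1e1cd03812",
             "303ca914-5eb6-45e5-9417-fe0797c372fd", USER_B),
    bookmark("00000000-0000-0000-0000-000000000000", USER_B, USER_B, "not json"),
]}

def triage_bookmarks(response):
    """Summarize each bookmark in an IncidentBookmarkList for analyst review."""
    rows = []
    for item in response.get("value", []):
        props = item.get("properties") or {}
        parse_error = None
        try:
            result = json.loads(props.get("queryResult") or "{}")
            if not isinstance(result, dict):
                raise ValueError("queryResult is not a JSON object")
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            result, parse_error = {}, str(exc)
        mapping = result.get("__entityMapping")
        entities = {}  # entity kind -> list of values, e.g. {"Host": [...]}
        for value, kind in (mapping.items() if isinstance(mapping, dict) else []):
            entities.setdefault(str(kind), []).append(value)
        creator = (props.get("createdBy") or {}).get("objectId")
        updater = (props.get("updatedBy") or {}).get("objectId")
        rows.append({"name": item.get("name"), "event_id": result.get("EventID"),
                     "source_ip": result.get("IpAddress"), "entities": entities,
                     "edited_by_other": creator != updater,
                     "parse_error": parse_error})
    return rows

if __name__ == "__main__":
    for row in triage_bookmarks(SAMPLE_RESPONSE):
        print(row)
```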
Definitions
Name | Description |
---|---|
CloudError | Error response structure. |
CloudErrorBody | Error details. |
createdByType | The type of identity that created the resource. |
EntityKindEnum | The kind of the aggregated entity. |
HuntingBookmark | Represents a Hunting bookmark entity. |
IncidentBookmarkList | List of incident bookmarks. |
IncidentInfo | Describes related incident information for the bookmark |
IncidentSeverity | The severity of the incident |
systemData | Metadata pertaining to creation and last modification of the resource. |
UserInfo | User information that made some action |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
EntityKindEnum
The kind of the aggregated entity.
Name | Type | Description |
---|---|---|
Account | string | Entity represents account in the system. |
AzureResource | string | Entity represents azure resource in the system. |
Bookmark | string | Entity represents bookmark in the system. |
CloudApplication | string | Entity represents cloud application in the system. |
DnsResolution | string | Entity represents dns resolution in the system. |
File | string | Entity represents file in the system. |
FileHash | string | Entity represents file hash in the system. |
Host | string | Entity represents host in the system. |
IoTDevice | string | Entity represents IoT device in the system. |
Ip | string | Entity represents ip in the system. |
MailCluster | string | Entity represents mail cluster in the system. |
MailMessage | string | Entity represents mail message in the system. |
Mailbox | string | Entity represents mailbox in the system. |
Malware | string | Entity represents malware in the system. |
Process | string | Entity represents process in the system. |
RegistryKey | string | Entity represents registry key in the system. |
RegistryValue | string | Entity represents registry value in the system. |
SecurityAlert | string | Entity represents security alert in the system. |
SecurityGroup | string | Entity represents security group in the system. |
SubmissionMail | string | Entity represents submission mail in the system. |
Url | string | Entity represents url in the system. |
HuntingBookmark
Represents a Hunting bookmark entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Bookmark | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.created | string | The time the bookmark was created |
properties.createdBy | | Describes a user that created the bookmark |
properties.displayName | string | The display name of the bookmark |
properties.eventTime | string | The time of the event |
properties.friendlyName | string | The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. |
properties.incidentInfo | | Describes an incident that relates to bookmark |
properties.labels | string[] | List of labels relevant to this bookmark |
properties.notes | string | The notes of the bookmark |
properties.query | string | The query of the bookmark. |
properties.queryResult | string | The query result of the bookmark. |
properties.updated | string | The last time the bookmark was updated |
properties.updatedBy | | Describes a user that updated the bookmark |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
IncidentBookmarkList
List of incident bookmarks.
Name | Type | Description |
---|---|---|
value | | Array of incident bookmarks. |
IncidentInfo
Describes related incident information for the bookmark
Name | Type | Description |
---|---|---|
incidentId | string | Incident Id |
relationName | string | Relation Name |
severity | | The severity of the incident |
title | string | The title of the incident |
IncidentSeverity
The severity of the incident
Name | Type | Description |
---|---|---|
High | string | High severity |
Informational | string | Informational severity |
Low | string | Low severity |
Medium | string | Medium severity |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC) |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |
UserInfo
User information that made some action
Name | Type | Description |
---|---|---|
email | string | The email of the user. |
name | string | The name of the user. |
objectId | string | The object id of the user. |