Microsoft Sentinel Bookmarks
list_bookmarks returns a list of all the bookmarks saved in the workspace. This includes the details of each bookmark, who created it and when. It also includes the query text, which can be executed with a QueryProvider to get the details of the bookmark's logs.
You can create a bookmark with create_bookmark. When creating a bookmark the following details are needed:

- name: The name of the bookmark to use.
- query: The KQL query that generated the bookmark.
- results: The results of the query to include with the bookmark, in a string format, by default None
- notes: Any notes you want associated with the bookmark, by default None
- labels: Any labels you want associated with the bookmark, by default None
sentinel.create_bookmark(name="Custom Bookmark", query="SecurityAlert | take 10", notes="Found by Pete")
Bookmarks can be deleted by calling delete_bookmark and passing in either a bookmark name or the GUID of a bookmark. If the bookmark cannot be found, an error is raised.
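
The create and delete calls described above, wrapped for use in a hunting notebook. This is an added example, not code from the msticpy project. The helper names, the JSON encoding of results, the row cap and the sample rows are assumptions; sentinel is any object exposing create_bookmark and delete_bookmark as documented here.

```python
import json

# Constructed sample rows standing in for a query result. With a real
# QueryProvider result (a DataFrame), df.to_dict("records") gives this shape.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "AlertName": "Constructed alert A", "Severity": "High"},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "AlertName": "Constructed alert B", "Severity": "Low"},
    {"TimeGenerated": "2024-01-01T10:09:00Z", "AlertName": "Constructed alert C", "Severity": "Low"},
]


def bookmark_query_hits(sentinel, name, query, rows, analyst, labels=None, max_rows=10):
    """Save a bookmark carrying the query text plus a bounded sample of its rows.

    Hypothetical helper: returns the string that was passed as `results`.
    """
    kept = rows[:max_rows]
    # `results` must be a string, so serialise the rows; default=str covers
    # datetimes and other values json cannot encode natively.
    results = json.dumps(kept, default=str)
    # Record in the notes how much evidence was stored versus matched, so a
    # later reader knows whether re-running the query is needed.
    notes = f"Found by {analyst}. {len(rows)} rows matched, {len(kept)} stored."
    sentinel.create_bookmark(
        name=name, query=query, results=results, notes=notes, labels=labels
    )
    return results


def delete_bookmark_if_present(sentinel, name_or_guid):
    """Delete a bookmark by name or GUID; return False instead of raising.

    Hypothetical helper for cleanup code that may run more than once.
    """
    try:
        sentinel.delete_bookmark(name_or_guid)
    except Exception:
        # The page says an error is raised when the bookmark is not found but
        # does not name its type, so this catches broadly (an assumption).
        return False
    return True
```

Because the except clause is broad, a False return can also mean a connection or permission failure; narrow it once you know the exception type your msticpy version raises.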