Microsoft Sentinel Bookmarks

List Bookmarks

list_bookmarks returns a list of all the bookmarks saved in the workspace. This includes details of the bookmark, who created it, when and with what details. It also includes query text that can be executed with a QueryProvider in order to get the details of the bookmark’s logs.

See list_bookmarks

azs.list_bookmarks()

Create Bookmarks

You can create a bookmark with create_bookmark. When creating a bookmark the following details are needed: -name: The name of the bookmark to use. -query: The KQL query that generated the bookmark. -results: The results of the query to include with the bookmark, in a string format, by default None -notes: Any notes you want associated with the bookmark, by default None -labels: Any labels you want associated with the bookmark, by default None

See create_bookmark

azs.create_bookmark(name="Custom Bookmark", query="SecurityAlert | take 10", notes="Found by Pete")

Delete Bookmarks

Bookmarks can be deleted by calling delete_bookmark and passing in a bookmark name, or a GUID of a bookmark. If the bookmark cannot be found then an error will be raised.

See delete_bookmark

azs.delete_bookmark(bookmark="8c9f6b38-53dc-458a-b436-350845224e3a")