Working with bookmarks
While carrying out investigations, there may be times when you need to keep track of the results from previously run queries. It could be that you need to work on another project and will come back to this investigation later, or another user will be taking over the investigation. You may also need to keep certain results as evidence of an incident. In any case, using a bookmark will allow you to save this information for later.
Creating a bookmark
To create a new bookmark, you must run a query from the Logs page (refer to Chapter 6, Azure Sentinel Logs and Writing Queries, for a refresher). While on the Hunting page, clicking the Viewing Results button in the query's details pane will open the Logs page showing your results.
You may have noticed that there are checkboxes to the left of each result. To create a new bookmark, select one or more checkboxes...