This article is contributed. See the original author and article here.


Microsoft Defender ATP offers a variety of ways for security teams to investigate and assess threats and other critical information. The device timeline tab in the Microsoft Defender Security Center provides a chronological view of events and associated alerts that have been observed on the device. 


While navigating the device timeline, you can search and filter for specific events to narrow down the list and help you pinpoint key information in your analysis. We’re excited to share that now you can also flag events, giving you the ability to highlight and then quickly identify events that are of importance to you and your team. The new event flagging capability will enables your security team to:

  • Highlight the most important events
  • Mark events that require a deep dive
  • Build a clean breach timeline


Let’s take a look at how to use this new feature.



  1. Start by flagging events that you want to focus on
    1. Locate the flag column in the device timeline
    2. Flag events by hovering over the flag column next to events and clicking on the events you wish to flag
  2. View the flagged events
    1. In the timeline filters section, toggle on “Flagged events”
    2. Apply the filter
  3. Identify flagged events on the time bar to help you build a clean breach timeline
    1. Clicking the flag on the time bar will only show events prior to the flagged event


Applying the filter allows you to see only the eight flagged events over the month amongst thousands of events!


Example of a clean timeline


Getting started

This capability is in public preview and for those customers that have preview features turned on, you can start using event flagging today. If you haven’t yet opted in, we encourage you to turn on preview features in the Microsoft Defender Security Center.


To learn more about the Microsoft Defender ATP device timeline, please read our documentation.


If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.



Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.