new timeline feature

Author: mberdugo

.openpublishing.redirection.defender-xdr.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path": "microsoft-365/security/defender/advanced-hunting-IdentityEvents-table.md",
+      "redirect_url": "/defender-xdr/advanced-hunting-identityevents-table",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/microsoft-365-security-center-defender-cloud-apps.md",
       "redirect_url": "/defender-cloud-apps/microsoft-365-security-center-defender-cloud-apps",

defender-office-365/tenant-allow-block-list-email-spoof-configure.md

@@ -15,7 +15,7 @@ ms.collection:
   - tier1
 description: Admins can learn how to allow or block email and spoofed sender entries in the Tenant Allow/Block List.
 ms.service: defender-office-365
-ms.date: 07/08/2025
+ms.date: 08/13/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -82,6 +82,15 @@ This article describes how admins can manage entries for email senders in the Mi
 
 ## Domains and email addresses in the Tenant Allow/Block List
 
+> [!NOTE]
+> Entries for email addresses with special characters (for example, spaces, quotes, or symbols) must use UTF-8 hexadecimal URL encoding for the special characters. Otherwise, you might receive errors when you try to add the entries.
+>
+> For example, to block the email address `"bad+ attacker"@fourthcoffee.com`, use the value `%22bad%2B%20attacker%[email protected]`:
+>
+> - `%22` represents the double quotation marks (").
+> - `%2B` represents the plus sign (+).
+> - `%20` represents the space ( ).
+
 ### Create allow entries for domains and email addresses
 
 Unnecessary allow entries expose your organization to malicious email that the system would otherwise filter, so there are limitations for creating allow entries directly in the Tenant Allow/Block List.

defender-xdr/advanced-hunting-query-results.md

@@ -37,16 +37,49 @@ While you can construct your [advanced hunting](advanced-hunting-overview.md) qu
 - Drill down to detailed entity information
 - Tweak your queries directly from the results
 
-
 ## Automatic timeline rendering
 
 By default, a timeline appears above the advanced hunting results that displays event counts over time. The timeline is automatically rendered based on the `Timestamp` column in the query results. It automatically updates when you apply filters and can help you quickly identify abnormal behavior and trends and focus on interesting results.
 
-::::image type="content" source="/defender/media/advanced-hunting-query-results-timeline.png" alt-text="Screenshot of the timeline above the query results in advanced hunting." lightbox="/defender/media/advanced-hunting-query-results-timeline.png":::
+:::image type="content" source="/defender/media/advanced-hunting-query-results-timeline.png" alt-text="Screenshot of the timeline above the query results in advanced hunting." lightbox="/defender/media/advanced-hunting-query-results-timeline.png":::
 
 You can select whether or not the timeline is displayed by default in the **Page preferences** settings.
 
-::::image type="content" source="/defender/media/advanced-hunting-page-preferences.png" alt-text="Screenshot of the Page preferences settings in advanced hunting." lightbox="/defender/media/advanced-hunting-page-preferences.png":::
+:::image type="content" source="/defender/media/advanced-hunting-page-preferences.png" alt-text="Screenshot of the Page preferences settings in advanced hunting." lightbox="/defender/media/advanced-hunting-page-preferences.png":::
+
+The timeline automatically adjusts its resolution based on the range of results. You can click any point on the timeline to filter both the results and the timeline to that specific time range. The timeline also updates its scale to match the selected time period, so when you filter by a specific range, it zooms in to show event distribution in high resolution.
+
+The timeline only appears if there are more than 40 events in your results and there's `Timestamp` or `timeGenerated` column.
+
+### [Unfiltered timeline](#tab/unfiltered)
+
+The following screenshot shows the results of a query that returns 1,000 email events. The timeline is unfiltered, so it displays the full range of results with a timestamp for each day. Select a day or range of days to filter the results for that time period.
+
+:::image type="content" source="/defender/media/advanced-hunting-unfiltered-results.png" alt-text="Screenshot of an advanced hunting query of 1,000 email events with all the results unfiltered." lightbox="/defender/media/advanced-hunting-unfiltered-results.png":::
+
+### [Filtered timeline](#tab/filtered)
+
+The following screenshot shows the zoomed in results of a query filtered to a specific date.
+
+:::image type="content" source="/defender/media/advanced-hunting-filtered-results.png" alt-text="Screenshot of an advanced hunting query of 1,000 email events with the results filtered to a specific date." lightbox="/defender/media/advanced-hunting-filtered-results.png":::
+
+---
+
+You can group the results in the timeline by any column that has at least two but less than 50 unique values.
+
+### [Ungrouped timeline](#tab/ungrouped)
+
+The following screenshot shows the results of a query that returns 1,000 email events. The timeline is ungrouped, so it displays all the results in a single line.
+
+:::image type="content" source="/defender/media/advanced-hunting-ungrouped.png" alt-text="Screenshot of an advanced hunting query of 1,000 email events with the results all together in one line." lightbox="/defender/media/advanced-hunting-ungrouped.png":::
+
+### [Grouped timeline](#tab/grouped)
+
+The following screenshot shows the results grouped by last email action with a separate line for each action.
+
+:::image type="content" source="/defender/media/advanced-hunting-grouped.png" alt-text="Screenshot of an advanced hunting query of 1,000 email events with the results grouped by last email action." lightbox="/defender/media/advanced-hunting-grouped.png":::
+
+---
 
 ## View query results as a table or chart
 

defender-xdr/phishing-triage-agent.md

@@ -139,17 +139,6 @@ To assign the appropriate permissions to the agent:
    > [!TIP]
    > Microsoft advises assigning a role to the agent's identity that includes only the minimum permissions necessary. 
 
-1. Assign the agent's identity contributor access to your Microsoft Security Copilot workspace.
-
-    1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).
-    1. Select the home menu icon. 
-    1. Make sure you're in your default workspace.
-    1. Select **Role assignment > Add members**.
-    1. Start typing the name of agent identity in the **Add members** dialog box.
-    1. Select the identity.
-    1. Select **Contributor**.
-    1. Select **Add**.
-
 After assigning the agent its permissions, ensure the user group monitoring the agent has equal or higher permissions to oversee its activity and output. To do this, compare the permissions of the user group to the agent in the Permissions page in the Microsoft Defender portal.
 
 #### Conditional access policies
@@ -427,4 +416,4 @@ The Phishing Triage Agent operates within a zero-trust environment. The system e
 ## Related content
 
 - [Microsoft Security Copilot agents](/copilot/security/agents-overview)
-- [Responsible AI FAQs for Security Copilot Agent](/copilot/security/rai-faqs-security-copilot-agents)
+- [Responsible AI FAQs for Security Copilot Agent](/copilot/security/rai-faqs-security-copilot-agents)

defender/media/advanced-hunting-filtered-results.png

@@ -161,6 +161,8 @@ When you switch the primary workspace for Microsoft Sentinel, the Defender XDR c
 
 If you decide to offboard a workspace from the Defender portal, disconnect the workspace from the settings for Microsoft Sentinel.
 
+If your workspace has the [Microsoft Defender XDR connector](/azure/sentinel/connect-microsoft-365-defender) configured, offboarding the workspace from the Defender portal will also disconnect the Microsoft Defender XDR connector.
+
 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in.
 1. In the Defender portal, under **System**, select **Settings** > **Microsoft Sentinel**.
 1. On the **Workspaces** page, select the connected workspace and **Disconnect workspace**.
@@ -178,3 +180,4 @@ If you want to connect to a different workspace, from the **Workspaces** page, s
 - [Automatic attack disruption in Microsoft Defender XDR](/defender-xdr/automatic-attack-disruption)
 - [Investigate incidents in Microsoft Defender portal](/defender-xdr/investigate-incidents)
 - [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal)
+