defender-xdr/advanced-hunting-query-results.md
14 additions & 2 deletions
@@ -18,7 +18,7 @@ ms.custom:
18
18
- cx-ti
19
19
- cx-ah
20
20
ms.topic: how-to
21
-
ms.date: 08/04/2025
21
+
ms.date: 08/13/2025
22
22
appliesto:
23
23
- Microsoft Defender XDR
24
24
- Microsoft Sentinel in the Microsoft Defender portal
@@ -37,6 +37,17 @@ While you can construct your [advanced hunting](advanced-hunting-overview.md) qu
37
37
- Drill down to detailed entity information
38
38
- Tweak your queries directly from the results
39
39
40
+
41
+
## Automatic timeline rendering
42
+
43
+
By default, a timeline appears above the advanced hunting results that displays event counts over time. The timeline is automatically rendered based on the `Timestamp` column in the query results. It automatically updates when you apply filters and can help you quickly identify abnormal behavior and trends and focus on interesting results.
44
+
45
+
::::image type="content" source="/defender/media/advanced-hunting-query-results-timeline.png" alt-text="Screenshot of the timeline above the query results in advanced hunting." lightbox="/defender/media/advanced-hunting-query-results-timeline.png":::
46
+
47
+
You can select whether or not the timeline is displayed by default in the **Page preferences** settings.
48
+
49
+
::::image type="content" source="/defender/media/advanced-hunting-page-preferences.png" alt-text="Screenshot of the Page preferences settings in advanced hunting." lightbox="/defender/media/advanced-hunting-page-preferences.png":::
50
+
40
51
## View query results as a table or chart
41
52
42
53
By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
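Review bot: The two image directives added at new lines 45 and 49 open with four colons (`::::image`) but close with three (`:::`), while the existing images in this file (add-filter4.png, add-filter5.png) open with `:::image`. Drop the extra colon so the opening and closing delimiters match and both screenshots render. Separately, the paragraph at new line 43 ties the timeline to the `Timestamp` column but does not say what users see when the query results contain no `Timestamp` column; one sentence covering that case would help, and the repeated "automatically" in consecutive sentences can be trimmed.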
@@ -135,13 +146,14 @@ This opens a dropdown showing the possible filters you can use further. Select o
135
146
136
147
:::image type="content" source="/defender/media/add-filter4.png" alt-text="Screenshot of new filter's dropdown in advanced hunting." lightbox="/defender/media/add-filter4.png":::
137
148
138
-
Confirm that you have added the filters that you wanted by checking the Filters section.
149
+
Confirm that you have added the filters that you wanted by checking the Filters section.
139
150
140
151
:::image type="content" source="/defender/media/add-filter5.png" alt-text="Screenshot of filters added advanced hunting." lightbox="/defender/media/add-filter5.png":::
141
152
142
153
## Drill down from query results
143
154
144
155
You can also explore the results in-line with the following features:
156
+
145
157
- Expand a result by selecting the dropdown arrow at the left of each result
146
158
- Where applicable, expand details for results that are in JSON and array formats by selecting the dropdown arrow at the left of applicable column names for added readability
147
159
- Open the side pane to see a record's details (concurrent with expanded rows)
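Review bot: The removed line 138 and the added line 149 ("Confirm that you have added the filters that you wanted by checking the Filters section.") read identically, so this is a whitespace-only change. Since the line is being touched anyway, format the UI label as **Filters** to match the `**Page preferences**` styling this same commit introduces in the new timeline section.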