diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2a225c80d2..6a30c6da4d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -293,6 +293,7 @@ #### [Devices list]() ##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md) +##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md) ##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md) #### [Take response actions]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md new file mode 100644 index 0000000000..f972394dc4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md 
@@ -0,0 +1,45 @@ +--- +title: Microsoft Defender ATP device timeline event flags +description: Use Microsoft Defender ATP device timeline event flags to +keywords: Defender ATP device timeline, event flags +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Microsoft Defender ATP device timeline event flags +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks. + +The Microsoft Defender ATP device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related. + +After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged. + +While navigating the device timeline, you can search and filter for specific events. You can set event flags by: + +- Highlighting the most important events +- Marking events that requires deep dive +- Building a clean breach timeline + + + +## Flag an event +1. Find the event that you want to flag +2. Click the flag icon in the Flag column. +![Image of device timeline flag](images/device-flags.png) + +## View flagged events +1. In the timeline **Filters** section, enable **Flagged events**. +2. Click **Apply**. Only flagged events are displayed. +You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event. 
+![Image of device timeline flag with filter on](images/device-flag-filter.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png new file mode 100644 index 0000000000..d2a5e26ce4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-flag-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png new file mode 100644 index 0000000000..082b367ad7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-flags.png differ
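Review bot: the `description:` front-matter value in the new device-timeline-event-flag.md file is cut off mid-sentence ("Use Microsoft Defender ATP device timeline event flags to"); since this string is emitted as the page's meta description, please finish it, for example "Use Microsoft Defender ATP device timeline event flags to highlight, filter, and export the events that matter during an investigation." Two wording fixes in the body: "when you're investigate potential attacks" should read "when you're investigating potential attacks", and "Marking events that requires deep dive" should read "Marking events that require a deep dive". Under "Flag an event" and "View flagged events", the image lines and the sentence "You can apply additional filters by clicking on the time bar..." follow the numbered steps with no blank line, so they render as continuation of the last list item; add a blank line before each so they render as their own paragraphs. The last sentence is also ambiguous: it states that clicking the time bar "will only show events prior to the flagged event", but it is not clear whether this narrows to events before the selected point in the bar or before the flagged event itself; rephrase to say exactly which event the cut-off is relative to.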