🔥 3-day streak
Microsoft Security Operations Analyst58 / 190
Question 58 of 190

A SOC analyst is reviewing a Microsoft Defender XDR incident that correlates a Defender for Cloud Apps 'Impossible travel' alert with an Entra ID sign-in from a new country and a subsequent Exchange Online inbox rule creation for a finance department user. The analyst needs to confirm whether the account is genuinely compromised before taking response actions, without disrupting the user if the activity is legitimate. Which investigative step should the analyst take FIRST to validate the compromise?

Reviewed for accuracy · Report an issueNext question