🔥 3-day streak
Microsoft Security Operations Analyst104 / 190
Question 104 of 190

A SOC analyst opens a high-severity multi-stage incident in the Microsoft Defender portal. The incident spans an email alert, a suspicious sign-in alert, and an endpoint malware alert. Before taking any containment action, the analyst wants to understand the chronological order in which the alerts fired and how the involved entities (user, device, mailbox, IP) connect to one another across the different Defender services. Which feature of the incident page should the analyst use to satisfy this specific need?

Reviewed for accuracy · Report an issueNext question