🔥 3-day streak
Microsoft Security Operations Analyst109 / 190
Question 109 of 190
A SOC analyst opens a high-severity Microsoft Defender XDR incident that correlates alerts from Defender for Endpoint, Defender for Office 365, and Entra ID. The incident graph shows a phishing email leading to credential theft, followed by a suspicious sign-in from a new device and lateral movement toward a domain controller. Automated investigation and response is running. The analyst wants to quickly understand the full sequence of events and which entities are involved before taking manual containment steps, without pivoting into each individual product portal. Which action in the incident should the analyst take FIRST to establish this end-to-end understanding?
Reviewed for accuracy · Report an issueNext question