🔥 3-day streak
Microsoft Security Operations Analyst111 / 190
Question 111 of 190
A SOC analyst opens a high-severity incident in the Microsoft Defender portal that spans several alerts. The incident includes a suspicious email alert from Defender for Office 365, an impossible-travel sign-in alert from Entra ID Protection, and a credential-theft alert from Defender for Endpoint — all involving the same user account and device. The analyst needs to quickly understand how these alerts relate to one another and reconstruct the sequence of the attacker's actions across email, identity, and endpoint. Which capability in the incident should the analyst use first?
Reviewed for accuracy · Report an issueNext question