Your organization uses Microsoft Sentinel. A Fusion incident (advanced multistage attack detection) has been created that correlates multiple alerts from different sources. You need to investigate the incident to determine whether it is a true positive. What is the first step you should take?
Correct answer: review the incident timeline (Option C). The timeline shows the sequence of events across the correlated alerts, which entities and data sources each alert involves, and whether the chain of activity is consistent with a genuine multistage attack.
Why this answer
Option C is correct because the first step is to review the incident timeline to understand the sequence of events and to see how the individual alerts relate to one another. A Fusion incident is already a high-confidence correlation of alerts from different products, but it still has to be validated: the timeline shows what happened first, which entities (users, hosts, IP addresses) recur across alerts, and where the gaps are that hunting should fill. Option A is wrong because dismissing the incident without review risks closing a real multistage attack. Option B is wrong because running KQL queries without that context is inefficient; targeted queries come after the timeline has shown which entities and time window to hunt in.
Option D is wrong because assigning the incident to another analyst without any investigation only delays the response.
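The incident page in the Sentinel portal renders this timeline for you. The same view can be reconstructed from the workspace tables, which is useful when you want to pivot from the timeline straight into hunting. The query below is an added example and is not part of the original question; it assumes the standard SecurityIncident and SecurityAlert tables and uses a made-up incident number (1234) as a placeholder.

```kql
// Added example: rebuild a Fusion incident's alert timeline from the raw tables.
// Replace the placeholder incident number with the one shown on the incident page.
let TargetIncident = 1234;
SecurityIncident
| where IncidentNumber == TargetIncident
// An incident writes a new row on every update; keep only its latest state.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// AlertIds holds the SystemAlertId of every alert the Fusion engine correlated.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    // Alerts can also be re-emitted; keep the most recent copy of each.
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
// ProviderName1 is the alert's provider (the incident row also has ProviderName).
| project StartTime, EndTime, AlertName, AlertSeverity,
          AlertProvider = ProviderName1, ProductName, Tactics,
          CompromisedEntity, Entities
// Oldest alert first: this is the sequence of events the timeline shows.
| order by StartTime asc
```

Reading the result top to bottom gives the order in which the alerts fired, and the ProductName and Tactics columns show that the incident spans more than one source and more than one stage of the attack. The Entities column is where the recurring user, host or IP address comes from; that entity and the StartTime/EndTime window are what the follow-up KQL hunting queries should be scoped to.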