Your SOC team uses Microsoft Sentinel for incident investigation. An analyst needs to quickly see all related entities (users, IPs, machines) for an incident. Which feature should the analyst use?
The investigation graph shows all related entities.
Why this answer
The investigation graph in Microsoft Sentinel provides a visual, interactive map of all entities (users, IPs, machines) linked to an incident, allowing analysts to quickly see relationships and pivot between entities. This is the dedicated feature for entity-centric incident exploration, unlike the other options, which serve different purposes.
Exam trap
Microsoft often tests the distinction between a chronological timeline (incident timeline) and a relational graph (investigation graph), leading candidates to confuse the incident timeline's alert sequence with the entity relationship view.
How to eliminate wrong answers
Option A is wrong because the Incident timeline shows a chronological list of alerts and activities within an incident, not a visual graph of related entities.
Option B is wrong because the Hunting blade is used for proactive threat hunting with KQL queries, not for viewing entities tied to an existing incident.
Option C is wrong because the Entity behavior analytics page provides behavioral insights and anomalies for a single entity over time, not a consolidated view of all entities related to an incident.