Order the steps to investigate a user account compromise using Microsoft Sentinel incidents.
Why this order
The investigation starts with the incident details, moves on to reviewing alerts and behavior analytics, continues with deep querying, and ends with remediation.