Jennifer, a SOC analyst, initiates an investigation after receiving an alert about potential unauthorized activity...

Jennifer is in the Incident Triage phase because she is validating whether the alert is a true incident and quickly assessing scope, severity, and credibility. Triage is the “is this real and how bad is it?” step, typically performed immediately after alert generation or escalation. Pulling EDR logs, SIEM network patterns, and email gateway data is classic triage activity: it helps confirm maliciousness, identify the likely entry vector (phishing attachment vs. drive-by vs. lateral movement), and determine whether containment is needed. Evidence gathering and forensic analysis usually implies a deeper, formalized investigation once an incident is confirmed, including preservation actions, comprehensive artifact collection, and detailed root cause work. Notification is about informing stakeholders after classification and initial scoping. Incident recording and assignment is the ticketing/logging step (creating the case, assigning ownership), which the scenario does not emphasize. Because her stated objective is specifically to determine whether the alert represents a legitimate security incident and she is rapidly checking multiple telemetry sources for confirmation, the best fit is Incident Triage.