There is a series of tutorials for conducting investigations for Defender for Identity ("Microsoft Defender for Identity reconnaissance phase security alerts | Microsoft Docs") that are very helpful. I really like the way that the information is presented and suggested remediation steps are provided.
The MDI approach seems easier to follow than the investigation instructions provided for Defender for Office 365 ("Investigate malicious email that was delivered in Office 365, Find and investigate malicious email -...") and Defender for Endpoint ("Investigate incidents in Microsoft Defender for Endpoint | Microsoft Docs").
What do other people think?
@HeikeRitter, it would be great if the MDO and MDE teams could use the same approach as MDI.