CompTIA Security+ (SY0-701) — Question 21

A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee’s corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source?

Answer options

• A. Application
• B. IPS/IDS
• C. Network
• D. Endpoint

Correct answer: D

Explanation

The Endpoint logs contain detailed information about the applications and processes running on the corporate laptop, which is essential for identifying the specific executable in question. In contrast, Application logs focus on software behavior, IPS/IDS logs detect intrusion attempts, and Network logs capture traffic data, none of which provide the granular details about executables needed for this investigation.