Use Data Sources in Investigations for Security+ (SY0-701)

Learn which log, network, identity, and endpoint data sources support Security+ investigations and why source quality matters.

Security+ wants you to know where investigators get their answers. That means recognizing which data source helps confirm lateral movement, privilege misuse, malware execution, DNS abuse, or user behavior. Strong investigation answers pull from the most relevant source instead of treating all logs as interchangeable.

What the exam is really testing

CompTIA is usually checking whether you can:

  • pick the best first evidence source for a given question
  • correlate multiple sources instead of trusting one alert blindly
  • understand that cloud, SaaS, identity, endpoint, and network logs all answer different investigative questions

The strongest answer often comes from combining two or three sources, not from assuming one product log can explain the whole incident.

Useful data-source groups

Source and what it helps answer:

  • Endpoint and host logs: process execution, user activity, local changes, malware behavior
  • Identity logs: sign-in failures, MFA events, privilege elevation, impossible travel
  • Network telemetry: traffic paths, DNS resolution, firewall decisions, suspicious connections
  • Application logs: admin actions, API misuse, authentication failures, business-event anomalies
  • Security-tool output: EDR detections, IDS alerts, DLP events, vulnerability reports

Question-to-source chooser

Question and strongest first source:

  • Which user had repeated MFA failures? Identity logs
  • Which process launched the suspicious connection? Endpoint or host telemetry
  • Did the host resolve or contact the malicious domain? DNS plus network telemetry
  • Was sensitive data moved out of the environment? DLP and transfer logs
  • Did the attacker change the application configuration? Application audit logs

Investigation habit that matters

Use multiple sources to answer one question:

  • DNS logs may show where a host tried to connect
  • firewall or proxy logs may show whether that connection succeeded
  • endpoint logs may show which process initiated it
  • identity logs may show which user context was active at the time

That multi-source thinking is what makes an investigation defensible.

Small correlation example

{
  "time_utc": "2026-03-28T16:02:11Z",
  "user": "mrivera",
  "source_ip": "198.51.100.22",
  "dns_query": "update-secure-login.example",
  "process": "powershell.exe",
  "mfa_result": "failed"
}

What to notice:

  • the identity signal alone is not enough
  • the DNS query and endpoint process create a more defensible story
  • synchronized timestamps are what let investigators tie these events together
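An added example, not code from the original page, that turns the multi-source habit above into a small correlation routine: it pivots from the identity event to the endpoint process by user, then to DNS and firewall records by host, and it shows why synchronized timestamps matter by correcting a skewed endpoint clock. The hostname ws-114, the firewall record and the ten-minute clock offset are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-28T16:02:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def within(a, b, seconds):
    """True when timestamps a and b fall inside the correlation window."""
    return abs(parse_ts(a) - parse_ts(b)) <= timedelta(seconds=seconds)

def normalize_clock(events, offset_seconds):
    """Shift one source's timestamps by a known clock offset (positive = clock was behind)."""
    fixed = []
    for e in events:
        t = parse_ts(e["time"]) + timedelta(seconds=offset_seconds)
        fixed.append({**e, "time": t.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return fixed

def correlate(identity, endpoint, dns, firewall, window=120):
    """Build one story per identity event by pivoting user -> host -> connection."""
    stories = []
    for ident in identity:
        story = {"user": ident["user"], "sources": ["identity"]}
        # identity -> endpoint: same user inside the time window
        procs = [e for e in endpoint
                 if e["user"] == ident["user"] and within(e["time"], ident["time"], window)]
        if procs:
            story["sources"].append("endpoint")
            story["processes"] = [p["process"] for p in procs]
            hosts = {p["host"] for p in procs}
            # endpoint -> DNS and firewall: pivot on the host that ran the process
            queries = [d["query"] for d in dns
                       if d["host"] in hosts and within(d["time"], ident["time"], window)]
            conns = [f for f in firewall
                     if f["host"] in hosts and within(f["time"], ident["time"], window)]
            if queries:
                story["sources"].append("dns")
                story["dns_queries"] = queries
            if conns:
                story["sources"].append("firewall")
                story["connection_allowed"] = any(f["action"] == "allow" for f in conns)
        stories.append(story)
    return stories

# Constructed sample events (not real logs); all times are UTC.
IDENTITY = [{"time": "2026-03-28T16:02:11Z", "user": "mrivera", "mfa_result": "failed"}]
DNS = [{"time": "2026-03-28T16:02:40Z", "host": "ws-114", "query": "update-secure-login.example"}]
FIREWALL = [{"time": "2026-03-28T16:02:42Z", "host": "ws-114", "action": "allow"}]
# The endpoint agent's clock is 10 minutes behind, so its raw time falls outside the window.
ENDPOINT_SKEWED = [{"time": "2026-03-28T15:52:39Z", "host": "ws-114", "user": "mrivera", "process": "powershell.exe"}]
```

Run correlate once with ENDPOINT_SKEWED as recorded and once after normalize_clock(ENDPOINT_SKEWED, 600): the endpoint, DNS and firewall sources join the story only when the clocks agree, which is the time-synchronization trap in practice.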

Cloud and SaaS reminder

Security+ increasingly assumes that not every useful source lives on a Windows or Linux host. SaaS audit logs, cloud control-plane activity, and identity-provider telemetry can be the strongest source when the incident path is administrative, identity-driven, or hosted externally.

Common traps

  • trusting one alert without checking supporting telemetry
  • forgetting time synchronization when comparing sources
  • using the wrong log source for the question being asked
  • assuming cloud and SaaS investigations work with only host logs
  • collecting logs but failing to preserve enough retention to investigate later

Harder scenario question

A user reports repeated MFA prompts they did not initiate. The security team also sees a successful login from an unfamiliar IP an hour later and wants to know whether the account was used to access a SaaS admin portal. Which combination is strongest first?

A. Physical visitor logs only
B. Identity-provider logs plus the SaaS application audit log
C. Printer maintenance records plus backup rotation history
D. Asset tags only

Best answer: B. The question is about sign-in activity and application use after authentication, so identity telemetry plus SaaS audit records provide the strongest first correlation path.
