Study CompTIA SY0-701 Data Sources in Investigations: key concepts, common traps, and exam decision cues.
Security+ wants you to know where investigators get their answers. That means recognizing which data source helps confirm lateral movement, privilege misuse, malware execution, DNS abuse, or user behavior. Strong investigation answers pull from the most relevant source instead of treating all logs as interchangeable.
CompTIA is usually checking whether you can:
The strongest answer often comes from combining two or three sources, not from assuming one product log can explain the whole incident.
| Source | What it helps answer |
|---|---|
| Endpoint and host logs | process execution, user activity, local changes, malware behavior |
| Identity logs | sign-in failures, MFA events, privilege elevation, impossible travel |
| Network telemetry | traffic paths, DNS resolution, firewall decisions, suspicious connections |
| Application logs | admin actions, API misuse, authentication failures, business-event anomalies |
| Security-tool output | EDR detections, IDS alerts, DLP events, vulnerability reports |

| Question | Strongest first source |
|---|---|
| Which user had repeated MFA failures? | Identity logs |
| Which process launched the suspicious connection? | Endpoint or host telemetry |
| Did the host resolve or contact the malicious domain? | DNS plus network telemetry |
| Was sensitive data moved out of the environment? | DLP and transfer logs |
| Did the attacker change the application configuration? | Application audit logs |
Use multiple sources to answer one question:
That multi-source thinking is what makes an investigation defensible.
```json
{
  "time_utc": "2026-03-28T16:02:11Z",
  "user": "mrivera",
  "source_ip": "198.51.100.22",
  "dns_query": "update-secure-login.example",
  "process": "powershell.exe",
  "mfa_result": "failed"
}
```
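The multi-source idea above, applied to records like the one shown, as an added Python example that is not part of the original study guide: it starts from the identity source (failed MFA), then looks for DNS and endpoint corroboration for the same user inside a time window, and keeps only findings backed by two or more sources. The users, IPs, domain and log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical users, IPs and domain), one list per source type.
IDENTITY_LOG = [
    {"time_utc": "2026-03-28T16:02:11Z", "user": "mrivera", "source_ip": "198.51.100.22", "mfa_result": "failed"},
    {"time_utc": "2026-03-28T16:03:40Z", "user": "mrivera", "source_ip": "198.51.100.22", "mfa_result": "failed"},
    {"time_utc": "2026-03-28T09:10:00Z", "user": "jchen", "source_ip": "203.0.113.5", "mfa_result": "success"},
]
DNS_LOG = [
    {"time_utc": "2026-03-28T16:05:02Z", "user": "mrivera", "query": "update-secure-login.example"},
    {"time_utc": "2026-03-28T09:11:30Z", "user": "jchen", "query": "intranet.example"},
]
ENDPOINT_LOG = [
    {"time_utc": "2026-03-28T16:05:09Z", "user": "mrivera", "process": "powershell.exe",
     "dest": "update-secure-login.example"},
]


def parse_ts(ts: str) -> datetime:
    """Normalize ISO-8601 UTC timestamps; cross-source ordering only holds if every source is on the same clock."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(identity, dns, endpoint, window_minutes=15):
    """Pivot from failed MFA events to DNS and endpoint telemetry for the same user within the window.
    Returns {user: {"sources": set, "evidence": set}} for users corroborated by at least two sources."""
    window = timedelta(minutes=window_minutes)
    findings = {}
    for ev in identity:
        if ev["mfa_result"] != "failed":
            continue
        t0, user = parse_ts(ev["time_utc"]), ev["user"]
        f = findings.setdefault(user, {"sources": {"identity"}, "evidence": set()})
        f["evidence"].add(("identity", ev["time_utc"], f"mfa failed from {ev['source_ip']}"))
        for d in dns:
            if d["user"] == user and abs(parse_ts(d["time_utc"]) - t0) <= window:
                f["sources"].add("dns")
                f["evidence"].add(("dns", d["time_utc"], d["query"]))
        for e in endpoint:
            if e["user"] == user and abs(parse_ts(e["time_utc"]) - t0) <= window:
                f["sources"].add("endpoint")
                f["evidence"].add(("endpoint", e["time_utc"], f"{e['process']} -> {e['dest']}"))
    # A single-source hit does not answer the question; keep only multi-source findings.
    return {u: f for u, f in findings.items() if len(f["sources"]) >= 2}


if __name__ == "__main__":
    for user, f in correlate(IDENTITY_LOG, DNS_LOG, ENDPOINT_LOG).items():
        print(user, sorted(f["sources"]))
        for src, when, detail in sorted(f["evidence"], key=lambda x: x[1]):
            print(f"  {when} [{src}] {detail}")
```

Shrinking the window to one minute drops the finding entirely, which is the point: the evidence only becomes defensible when the sources agree on a synchronized timeline.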
What to notice:
Security+ increasingly assumes that not every useful source lives on a Windows or Linux host. SaaS audit logs, cloud control-plane activity, and identity-provider telemetry can be the strongest source when the incident path is administrative, identity-driven, or hosted externally.
A user reports repeated MFA prompts they did not initiate. The security team also sees a successful login from an unfamiliar IP an hour later and wants to know whether the account was used to access a SaaS admin portal. Which combination is strongest first?
A. Physical visitor logs only
B. Identity-provider logs plus the SaaS application audit log
C. Printer maintenance records plus backup rotation history
D. Asset tags only
Best answer: B. The question is about sign-in activity and application use after authentication, so identity telemetry plus SaaS audit records provide the strongest first correlation path.
Investigation questions are about using the right evidence source first. If you need domain lookups, use DNS logs. If you need sign-in patterns, use identity logs. If you need process execution, use endpoint telemetry. If you need cross-system event order, make sure time is synchronized. Security+ often rewards source selection more than raw tool memorization.