Log Sources and Telemetry

Key Takeaways

  • Telemetry is useful only when it is timely, trustworthy, normalized, and tied to an asset or identity.
  • Security monitoring commonly uses logs from endpoints, identity providers, network devices, cloud platforms, applications, and DNS.
  • Timestamps, source, destination, user, action, result, and asset context are core fields for investigation.
  • Time synchronization via NTP supports accurate cross-system correlation; UTC timestamps avoid time-zone confusion.
  • Log retention, write-once storage, and access control preserve evidence integrity for incident response and compliance.

Last updated: June 2026

Telemetry Is the Foundation of Detection

Telemetry is the collection of events, metrics, alerts, and records that describe what happened in an environment. On the CompTIA Security+ SY0-701 exam, logging and monitoring fall under Domain 4 (Security Operations), which carries roughly 28% of scored content — the largest single domain. A single log line rarely tells the whole story. Analysts combine endpoint, identity, network, cloud, and application data to reconstruct user behavior and system activity into a coherent timeline.

The exam expects you to know not just that logs exist, but which source answers a given investigative question. Knowing that a DNS query log reveals domain resolution, while a firewall log reveals the actual connection, is the kind of distinction performance-based questions (PBQs) test directly.

Common Log Sources and What They Answer

Source | Useful events | Example investigation question
Identity provider (IdP) | Logins, MFA, token use, group changes | Was the user authenticated from an unusual source?
Endpoint detection and response (EDR) | Process starts, file writes, network connections | Did a script launch a suspicious child process?
Firewall | Allowed and denied traffic, 5-tuple flows | Did the host connect to an unexpected destination?
Domain Name System (DNS) | Name lookups, NXDOMAIN responses | Did the endpoint query a suspicious or newly registered domain?
Web proxy | URL access, user agent, content category | Did the user download a payload?
Cloud control plane | API calls, role changes, storage access | Did someone open a public storage bucket or alter a security group?
Operating system (OS) | Authentication, service starts, audit policy | Was a privileged logon (Windows Event ID 4672) seen?
Application | Authentication, transactions, errors | Was sensitive data accessed or changed?

Fields That Matter

Useful logs answer five questions fast: who, what, when, where, and result. Security+ scenarios add noise, but these core fields remain constant.

Field | Why it matters
Timestamp (UTC) | Establishes sequence and supports correlation
User or principal | Ties action to an identity
Source IP or host | Shows where activity originated
Destination | Shows what was accessed
Action | Shows what was attempted
Result | Success, failure, blocked, allowed, or error
Process or command line | Distinguishes user action from malware behavior
Asset criticality | Drives response prioritization

Worked Example: One Event vs. a Chain

Read these four normalized events as a single sequence:

2026-06-14T12:01:14Z idp user=kmorgan result=success mfa=success source_ip=198.51.100.18 device=unmanaged
2026-06-14T12:04:39Z edr host=LAP-044 user=kmorgan process=powershell.exe parent=winword.exe command="-enc SQBFAFgA..." severity=high
2026-06-14T12:04:41Z dns host=LAP-044 query=cdn-update-example.net result=198.51.100.77
2026-06-14T12:04:43Z firewall src=LAP-044 dst=198.51.100.77 dst_port=443 action=allow bytes_out=88412

The IdP line alone reads as a normal login. The combined telemetry tells a far worse story: an unmanaged-device login, a document spawning an encoded PowerShell command, a lookup to an attacker-controlled domain, and outbound HTTPS to that same resolved IP. No single source proves compromise — the correlation across sources does.
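As an added example (not code from the original page), here is a small Python correlation that reads the four normalized events above as one chain: login, office application spawning a script host on the same host, DNS answer, then an allowed outbound flow to the resolved IP. The ten-minute window, the office-application and script-host lists, and the key=value line format are assumptions.

```python
from datetime import datetime, timedelta
import shlex

# Constructed input: the four normalized events from the worked example above.
EVENTS = """\
2026-06-14T12:01:14Z idp user=kmorgan result=success mfa=success source_ip=198.51.100.18 device=unmanaged
2026-06-14T12:04:39Z edr host=LAP-044 user=kmorgan process=powershell.exe parent=winword.exe command="-enc SQBFAFgA..." severity=high
2026-06-14T12:04:41Z dns host=LAP-044 query=cdn-update-example.net result=198.51.100.77
2026-06-14T12:04:43Z firewall src=LAP-044 dst=198.51.100.77 dst_port=443 action=allow bytes_out=88412
""".splitlines()

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}   # assumed list
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}  # assumed list
WINDOW = timedelta(minutes=10)                               # assumed correlation window

def parse(line):
    """Split '<ts> <source> k=v ...' into a dict; shlex keeps quoted values whole."""
    ts, source, *pairs = shlex.split(line)
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    ev.update(p.split("=", 1) for p in pairs)
    return ev

def within(later, earlier):  # later happened after earlier, inside WINDOW
    return timedelta(0) <= later["ts"] - earlier["ts"] <= WINDOW

def correlate(lines):
    """Return one finding per link of the chain; an empty list means no chain."""
    evs = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by = lambda src: [e for e in evs if e["source"] == src]
    findings = []
    for edr in by("edr"):
        if edr.get("parent") not in OFFICE_APPS or edr.get("process") not in SCRIPT_HOSTS:
            continue
        host, user = edr["host"], edr.get("user")
        findings.append(f"{host}: {edr['parent']} spawned {edr['process']} ({edr.get('command', '')})")
        for login in by("idp"):  # preceding login by the same user adds identity context
            if login.get("user") == user and within(edr, login):
                findings.append(f"{user}: login from {login.get('source_ip')} on device={login.get('device')}")
        for dns in by("dns"):  # same host resolving a name right after the process start
            if dns.get("host") != host or not within(dns, edr):
                continue
            findings.append(f"{host}: resolved {dns['query']} -> {dns['result']}")
            for fw in by("firewall"):  # allowed flow from that host to the resolved IP
                if (fw.get("src") == host and fw.get("dst") == dns["result"]
                        and fw.get("action") == "allow" and within(fw, dns)):
                    findings.append(f"{host}: allowed outbound to {fw['dst']}:{fw.get('dst_port')} ({fw.get('bytes_out')} bytes)")
    return findings
```

Dropping the firewall line from the input still yields the first three links, which is the point of the text: each source adds one link, and the full chain is what raises confidence.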

Time and Integrity

Time synchronization is critical. If endpoint clocks drift five minutes behind accurate firewall clocks, an analyst may invert cause and effect. Use Network Time Protocol (NTP) against an authoritative source and store timestamps in Coordinated Universal Time (UTC) so events from different zones line up without conversion errors.

Logs must also be protected, because attackers routinely clear event logs, stop agents, or disable audit settings to cover tracks. Defenses include:

  • Centralized collection so logs leave the host quickly (an attacker who owns the host cannot retroactively edit forwarded data).
  • Write-once / WORM storage so records cannot be altered after capture.
  • Access control limiting who can read or delete logs.
  • Alerting on log-source silence — a host that suddenly stops logging is itself a signal.
  • Retention policies that keep data long enough for slow-burn investigations and compliance mandates.

Normalization, Parsing, and Severity

Raw logs arrive in dozens of formats: syslog from network gear, the Windows Event Log, JSON from cloud APIs, and key-value pairs from applications. Normalization parses each into a common schema so a single query can compare them. Many environments standardize on syslog severity levels (0 through 7), where 0 (Emergency) is most severe and 7 (Debug) is least. Mapping vendor-specific severities onto one scale lets analysts filter consistently. Knowing that syslog runs over UDP port 514 by default, and that secure transport adds TLS on TCP 6514, is the kind of concrete detail Security+ rewards.
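As an added example (not from the original page), this Python snippet normalizes three constructed records, one RFC 5424 syslog line, one JSON cloud event, and one key=value application line, into one schema with a UTC timestamp and a syslog 0-7 severity. The field names, the sample records, and the vendor-word-to-severity mapping are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records, one per format named above (not real vendor output).
SAMPLES = [
    "<34>1 2026-06-14T12:04:43Z fw01 filter - - - deny src=10.0.0.5 dst=203.0.113.9 dpt=445",
    '{"time": "2026-06-14T12:05:10Z", "service": "storage", "actor": "kmorgan", '
    '"ip": "198.51.100.18", "action": "SetBucketPublic", "outcome": "success", "level": "WARNING"}',
    "ts=2026-06-14T14:05:12+02:00 app=payroll user=kmorgan action=export result=success level=info",
]

# Assumed mapping from vendor severity words onto the syslog 0-7 scale.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "high": 2, "error": 3,
            "warning": 4, "medium": 4, "notice": 5, "info": 6, "low": 6, "debug": 7}
SCHEMA = ("ts", "source", "user", "src_ip", "dst", "action", "result", "severity")

def to_utc(ts):
    """Parse an ISO-8601 timestamp (Z or numeric offset) and express it in UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def record(**fields):
    """Build a schema row; fields a source cannot supply stay None."""
    rec = dict.fromkeys(SCHEMA)
    rec.update(fields)
    return rec

def kv(text):
    return dict(p.split("=", 1) for p in text.split() if "=" in p)

def normalize(line):
    if line.startswith("<"):  # RFC 5424 syslog: PRI = facility * 8 + severity
        pri, ts, host, app, msg = re.match(r"<(\d+)>\d+ (\S+) (\S+) (\S+) \S+ \S+ \S+ (.*)", line).groups()
        f = kv(msg)
        return record(ts=to_utc(ts), source=f"{host}/{app}", src_ip=f.get("src"), dst=f.get("dst"),
                      action=msg.split()[0], severity=int(pri) % 8)
    if line.startswith("{"):  # JSON from a cloud API
        j = json.loads(line)
        return record(ts=to_utc(j["time"]), source=j["service"], user=j["actor"], src_ip=j.get("ip"),
                      action=j["action"], result=j.get("outcome"), severity=SEVERITY[j["level"].lower()])
    f = kv(line)  # key=value application log
    return record(ts=to_utc(f["ts"]), source=f["app"], user=f.get("user"), action=f.get("action"),
                  result=f.get("result"), severity=SEVERITY[f["level"].lower()])

def normalize_all(lines):
    """Normalize and sort by UTC time so mixed sources compare on one clock."""
    return sorted((normalize(l) for l in lines), key=lambda r: r["ts"])
```

The application record carries a +02:00 offset; after conversion it sorts correctly between the two UTC records, which is exactly the ordering error that mixed time zones would otherwise cause.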

Logging the Right Volume

More logging is not automatically better. Verbose debug logging fills storage, slows search, and buries the signal. The practical target is security-relevant events: authentication outcomes, privilege changes, process execution, configuration changes, and data access. A useful test for any proposed log source is whether it would help answer a real investigative question from the table above.

Common Traps

  • Collecting logs but retaining them too briefly to support an investigation.
  • Logging only blocked traffic and missing allowed malicious traffic.
  • Ignoring clock drift, which scrambles event ordering.
  • Treating an alert as proof without reviewing the supporting telemetry chain.
  • Capturing high-volume debug data with no asset, user, or business context to make it actionable.
  • Forwarding logs in clear text over UDP 514, where they can be lost or tampered with, instead of using a reliable, encrypted transport.

Test Your Knowledge

An analyst must correlate an identity-provider login with a firewall connection and place them in the correct order across two different systems. Which factor most directly enables this?

Test Your Knowledge

An EDR log shows winword.exe spawning powershell.exe with an encoded command, immediately followed by a DNS lookup and outbound HTTPS to the resolved IP. What does the combined telemetry most strongly suggest?

Test Your Knowledge (Multi-Select)

Which log sources are commonly the most useful starting points during security monitoring? Select three.

Identity provider logs
Endpoint detection and response logs
Firewall logs
A handwritten office seating chart
An unrelated cafeteria menu