Which combination of data sources should an analyst prioritize to trace malware activities on an endpoint?

Study for the Domain 4.0 Security Operations Test. Prepare with multiple choice questions, all with hints and explanations. Get ready to ace your exam!

Prioritizing endpoint logs and OS component logs is essential for tracing malware activity on an endpoint, because these logs record the internal workings of the operating system and of the applications running on the device. Endpoint logs capture user activity, installed applications, and processes that are started or terminated, so analysts can more readily identify suspicious behavior linked to malware.

OS component logs further enrich this analysis by capturing system-level events, such as changes in configuration, security policy modifications, or abnormal system operations. This combination not only highlights direct malware footprints but also helps identify any changes made by the malware that could indicate persistence mechanisms or attempts to evade detection.

In contrast, other combinations, such as application logs and network logs, focus more on interactions with applications and on network communications, and may not give a comprehensive view of what is happening inside the endpoint itself. That internal context is crucial for a thorough malware investigation, since many malware types operate discreetly within the OS environment before attempting any external communication.
