A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?

VPN concentrator logs

These confirm the login and tunnel details, but they do not reliably identify the endpoint used.

DNS query logs from the internal resolver

DNS logs may show destinations, but they do not prove which device initiated the VPN session.

Email gateway logs for the executive mailbox

Email logs might help if phishing is suspected, but they do not validate the source device of the VPN login.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Endpoint detection and response telemetry from the user's laptop — EDR telemetry is the best next source because it gives host-level context that VPN logs cannot provide. The analyst can see whether the executive's assigned laptop was active, whether security controls were healthy, and whether suspicious processes or connections occurred around the time of the login. That makes it the most useful source for distinguishing a legitimate corporate device from an unmanaged or compromised one. Why others are wrong: VPN logs confirm that authentication occurred, but they usually do not prove device trust or host activity. DNS logs can help with destination analysis, yet they do not identify the endpoint behind the VPN session. Email gateway logs are useful for phishing investigations, but they are not the right evidence source for determining which device initiated the suspicious access.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.