To identify the root cause of unauthorized transactions, which data sources should a security operations analyst primarily consider?

Prepare for the CertMaster CE Security+ Domain 4.0 Security Operations Exam with multiple choice questions, hints, and explanations to boost your readiness for the test.

The correct choice centers on endpoint logs, operating system log files, and logs from a host-based intrusion detection system (HIDS) as the primary sources for determining the root cause of unauthorized transactions. Endpoint logs record what specific users and programs did on the affected devices, while operating system logs (authentication events, privilege use, process and service changes) can reveal the anomalies in system operation that precede a compromise.

By analyzing these logs together, a security operations analyst reconstructs the sequence of events leading up to the unauthorized transactions. This means tracking access attempts (failed and successful), identifying unusual behavior such as unexpected privilege use or software installation, and correlating events across sources by host, account, and time so that a pattern suggesting vulnerability exploitation or malware can be established rather than guessed at.

Logs from a host-based intrusion detection system are particularly valuable because the HIDS is designed to monitor and respond to suspicious activity on the host itself. Its alerts supply context on when and where unauthorized access occurred, which files or processes were affected, and the tools or techniques an attacker used. Two practical caveats apply: correlation only works if the clocks of the endpoint, operating system, and HIDS agree, and host logs are trustworthy only if they were forwarded to a central collector before the attacker had a chance to tamper with them locally.
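The correlation described above, as an added example that is not part of the exam page: given a record of the unauthorized transaction, the script pulls every event from the operating system authentication log, the HIDS alert log, and the endpoint application log for the same host in the window ending at the transaction time, orders them into one timeline, and then flags the findings an analyst would chase. All log lines are constructed, and their formats (a syslog-style `timestamp host process: message` line, an OSSEC-like `rule=… level=…` alert, a `key=value` client log) are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; the log formats below are assumptions.
TRANSACTION = {"id": "TX-1001", "host": "wkstn-07", "user": "jdoe",
               "time": "2024-05-14T09:42:10", "amount": 4800}

OS_AUTH_LOG = """\
2024-05-14T09:30:02 wkstn-07 sshd[2211]: Failed password for jdoe from 203.0.113.5 port 51022
2024-05-14T09:30:06 wkstn-07 sshd[2211]: Failed password for jdoe from 203.0.113.5 port 51022
2024-05-14T09:30:11 wkstn-07 sshd[2214]: Accepted password for jdoe from 203.0.113.5 port 51030
2024-05-14T09:35:40 wkstn-07 sudo: jdoe : TTY=pts/1 ; COMMAND=/usr/bin/pip install requestz
2024-05-14T11:02:00 wkstn-07 sshd[2300]: Accepted publickey for admin from 10.0.0.9 port 44000
"""

HIDS_LOG = """\
2024-05-14T09:36:05 wkstn-07 hids: rule=5501 level=7 integrity checksum changed /usr/local/lib/python3.11/site-packages/requestz/__init__.py
2024-05-14T09:41:55 wkstn-07 hids: rule=5402 level=10 python3 opened outbound connection to 203.0.113.5:8443
2024-05-14T09:50:00 wkstn-09 hids: rule=5501 level=7 integrity checksum changed /etc/hosts
"""

ENDPOINT_LOG = """\
2024-05-14T09:41:58 wkstn-07 app-client: user=jdoe action=login result=success
2024-05-14T09:42:10 wkstn-07 app-client: user=jdoe action=transfer amount=4800 dest=ACC-9912
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) (?P<proc>\S+?):\s*(?P<msg>.*)$")


def parse_log(text, source):
    """Parse 'timestamp host process: message' lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        events.append({"time": datetime.fromisoformat(m["time"]), "host": m["host"],
                       "proc": m["proc"], "msg": m["msg"], "source": source})
    return events


def build_timeline(tx, logs, window=timedelta(minutes=15)):
    """Merge events from every source for the transaction's host within the
    window that ends at the transaction time, oldest first."""
    end = datetime.fromisoformat(tx["time"])
    start = end - window
    events = [e for source, text in logs.items() for e in parse_log(text, source)
              if e["host"] == tx["host"] and start <= e["time"] <= end]
    return sorted(events, key=lambda e: e["time"])


def find_indicators(timeline):
    """Walk the merged timeline and return the findings worth chasing:
    a successful login after repeated failures from one address, HIDS
    alerts at or above level 7, and any later non-auth event that mentions
    the address those failures came from."""
    failures = {}       # (user, ip) -> failed logins seen so far
    suspect_ips = set()
    findings = []
    for e in timeline:
        stamp = e["time"].strftime("%H:%M:%S")
        m = re.search(r"Failed password for (\S+) from (\S+)", e["msg"])
        if m:
            failures[m.groups()] = failures.get(m.groups(), 0) + 1
            suspect_ips.add(m[2])
            continue
        m = re.search(r"Accepted \w+ for (\S+) from (\S+)", e["msg"])
        if m and failures.get(m.groups(), 0) >= 2:
            findings.append(f"{stamp} login for {m[1]} from {m[2]} after "
                            f"{failures[m.groups()]} failures")
        m = re.search(r"level=(\d+)", e["msg"])
        if e["source"] == "hids" and m and int(m[1]) >= 7:
            findings.append(f"{stamp} hids level {m[1]}: {e['msg']}")
        if e["source"] != "os_auth" and any(ip in e["msg"] for ip in suspect_ips):
            findings.append(f"{stamp} {e['source']} event references suspect address")
    return findings


if __name__ == "__main__":
    logs = {"os_auth": OS_AUTH_LOG, "hids": HIDS_LOG, "endpoint": ENDPOINT_LOG}
    timeline = build_timeline(TRANSACTION, logs)
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["msg"])
    print("findings:")
    for f in find_indicators(timeline):
        print(" -", f)
```

The host filter is what keeps the `wkstn-09` integrity alert out of the picture, and the time window drops the administrator's later key-based login; what remains reads as a story: two failed passwords and a success from 203.0.113.5, a `pip install` of a look-alike package, a HIDS checksum change on that package, an outbound connection back to the same address seconds before the transfer. Network or firewall logs alone would show only the last of those hops.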

In contrast, the other choices, while useful in certain contexts, do not link as directly to the root cause of unauthorized transactions. Network traffic logs and firewall logs show communication flows and permitted or blocked connection attempts, but not which process or user on the host initiated them, so they give an incomplete picture on their own. Backup logs record data recovery activity rather than transaction activity, and external threat intelligence feeds typically help in understanding broader threat landscapes rather than
