What information can be found in the Real Time Response (RTR) Audit Log?
A. IP Address, Prevention Policy, recent detections, and host group assignment
B. Session end time, command return results, and file activity
C. Session start time, duration, user, hostname, commands used, and retrieved files
D. Real Time Response (RTR) information is not collected via audit logs
The Answer Is: C
Explanation:
The Real Time Response audit log records operational details about RTR sessions, including who connected, which host was accessed, when the session began, how long it lasted, which commands were run, and which files were retrieved through RTR activity. The course guidance describes the RTR sessions audit log as a history of recorded activity for the CID’s Real Time Response sessions. It includes session start time, session status, user, hostname, connected-from source, commands used, and session duration. Session details also include host details, retrieved files, and detections. Command history is subject to specific exclusions: help, clear, and history are not recorded.

Option A describes host inventory and policy context rather than RTR session auditing. Option B is incomplete and emphasizes command return results, which are not part of the core audit-log summary listed above. Option D is incorrect because RTR activity is explicitly collected in audit logs.

CCFA reference topics: Real Time Response, RTR Audit Logs, Session Details, Host Management and Setup.