A company suffered a critical incident where 30GB of data was exfiltrated from the corporate...

To efficiently identify where data was exfiltrated from and where it was sent, the best action is to analyze firewall and network logs for unusually large outbound data transfers. Security+ SY0-701 emphasizes that network-level telemetry provides the most direct evidence of data exfiltration, including source IPs, destination IPs or domains, ports, protocols, timestamps, and data volume.

Firewall and flow logs can quickly reveal which internal systems transmitted large quantities of data externally and identify the attacker’s destination infrastructure. This approach is efficient because it focuses directly on the movement of data rather than preliminary or secondary indicators.

IPS/IDS logs (B) are more useful for detecting reconnaissance or intrusion attempts, not confirming data theft paths. Endpoint and application logs (C) may help identify tools used but are less efficient for mapping data movement. External vulnerability scans (D) identify weaknesses, not exfiltration activity.

Therefore, the most efficient action is A: Analyze firewall and network logs for large outbound traffic.