Which activity is least likely to be supported by logs in incident response?

Multiple Choice

Which activity is least likely to be supported by logs in incident response?

Explanation:
Logs capture what happened and when, which incident responders use to reconstruct events and assess impact. They are especially helpful for building forensic timelines because each logged event carries a timestamp that can be arranged into a sequence of actions. Logs also surface indicators of compromise, such as unusual authentication events, malware alerts, or anomalous network connections, by recording the relevant activity. They reveal attacker actions by showing commands executed, files accessed, processes started, and communications with external hosts, as captured by endpoints or network devices. Real-time traffic shaping decisions, however, rely on live network telemetry and enforcement mechanisms: you need the current state of the network and policy controls to decide how to handle packets immediately. Logs are retrospective and may lag behind events, so they are not the primary source for making instant shaping choices during an incident. That is why real-time traffic shaping decisions are the activity least supported by logs compared to the other activities.
