Question 81:
An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?
Answer options:
A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix