Which of the following is the main usage of Domain Name System (DNS) data in incident investigations and operational security monitoring?

To detect compromised systems or systems that have accessed known phishing sites, DNS information is often recorded in logs. DNS logs can be combined with IP reputation and lists of known malicious hostnames to detect such issues. However, DNS data cannot be used for identifying network scans and does not capture such activity. While domain transfers are not considered attacks, they can provide useful information and are recorded in the logs. DNS logs do not contain information about login attempts.