The two heaviest-tested axes of the six exam domains are Domain 1 (Threat Detection and Incident Response, ~14%) and Domain 2 (Security Logging and Monitoring, ~18%). They almost always appear as one flow in exams. "Logs must exist to detect, detection must exist to respond." Today, we review the pipeline — collection (logs) → analysis/detection (GuardDuty/Detective/Macie) → aggregation (Security Hub) → auto-response (EventBridge→Lambda/SSM) — as one nervous system.
Detection originates from logs. Exams endlessly ask: "To see this evidence, which log must you activate?"