The correct answer is D. NetFlow.
NetFlow records network traffic metadata, such as source IP address, destination IP address, source port, destination port, protocol, timestamps, and traffic volume. This makes it especially useful for detecting port scan activity, because port scans often show a pattern of one system attempting connections to many ports or many hosts in a short period of time.
This aligns with CompTIA Security+ SY0-701 security operations topics related to log analysis, network monitoring, and detection of suspicious traffic patterns.
Why the other options are incorrect:
A. Firewall
Firewall logs can detect some port scan activity, especially if the firewall blocks and logs connection attempts. However, NetFlow is generally better for identifying scan patterns across network traffic because it provides broader flow visibility.
B. Proxy
Proxy logs are mainly useful for web traffic analysis, URL filtering, and HTTP/HTTPS activity. They are not the best source for detecting port scans across many ports.
C. Endpoint
Endpoint logs may show local connection attempts or suspicious activity on a host, but they do not provide the same network-wide visibility as NetFlow.
Therefore, the best log source for detecting port scan activity is NetFlow.