Explain security alerting and monitoring concepts and tools
Monitoring is how you see what’s happening. Alerting is how the system tells you something needs attention. Without both, attacks proceed undetected — and the average attacker dwell time in unmonitored environments is measured in months.
SIEM (Security Information and Event Management)
Centralized platform that collects, correlates, and analyzes log data from across the enterprise.
Core Functions
- Log aggregation: Collect logs from firewalls, servers, endpoints, applications, cloud services
- Normalization: Translate diverse log formats into a common schema
- Correlation: Identify patterns across multiple data sources (e.g., failed login + privilege escalation + data transfer = potential breach)
- Alerting: Generate alerts when correlation rules or thresholds are triggered
- Dashboards: Real-time visualization of security posture
- Retention: Store logs for forensic investigation and compliance
Correlation Rules
- Failed login from Country X → successful login from Country X → file access on sensitive share → alert
- Same source IP scanning multiple ports across subnet → alert
- Service account authenticating from a workstation (instead of expected server) → alert
Challenges
- Alert fatigue: Too many false positives bury real incidents. Tuning correlation rules is critical.
- Data volume: Logging everything is expensive. Selective logging creates blind spots.
- Garbage in, garbage out: SIEM is only as good as the data sources feeding it.
SOAR (Security Orchestration, Automation, and Response)
Automates repetitive security operations tasks and orchestrates multi-tool workflows.
Capabilities
- Playbooks: Automated response workflows (phishing email received → extract URLs → check reputation → block domain → notify user → create ticket)
- Orchestration: Coordinate actions across SIEM, firewall, EDR, ticketing systems
- Automation: Eliminate manual steps for common incidents
Value
- Reduces MTTR (Mean Time to Respond)
- Frees analysts from repetitive tasks to focus on complex investigations
- Ensures consistent response regardless of which analyst is on shift
Endpoint Detection and Response (EDR)
Agent on endpoints that monitors behavior, detects threats, and enables response.
Capabilities
- Process execution monitoring, file system changes, network connections
- Behavioral detection (not just signatures)
- Threat hunting — proactive searching for indicators of compromise
- Remote response: isolate endpoint, kill process, collect forensic data
XDR (Extended Detection and Response)
Extends EDR across multiple data sources: network, cloud, email, identity.
- Correlated detection across the full attack chain, not just endpoints
- Single console for cross-domain visibility
Network Monitoring
NetFlow/sFlow/IPFIX
Metadata about network conversations — source/dest IPs, ports, protocols, byte counts, timestamps.
- Doesn’t capture packet content — just conversation records
- Useful for identifying anomalous traffic patterns, C2 beaconing, data exfiltration volumes
Full Packet Capture
Captures complete packet content for forensic analysis.
- High storage requirements. Often limited to key network segments.
- Used for incident investigation, not real-time monitoring at scale.
Protocol Analyzers
Tools for deep inspection of captured traffic (Wireshark, tcpdump).
- Decode protocol structures, identify anomalies, extract artifacts
SNMP (Simple Network Management Protocol)
Monitoring network device health — uptime, CPU, memory, interface statistics.
- Security concern: SNMPv1/v2c send community strings in plaintext. Use SNMPv3 (encrypted, authenticated).
Log Sources
| Source | What it captures |
|---|---|
| Firewall logs | Allowed/denied connections, NAT translations |
| IDS/IPS logs | Alert details, signature matches, anomaly detections |
| Authentication logs | Login success/failure, source IP, account name |
| Application logs | Application errors, user actions, API calls |
| OS logs | System events, service starts/stops, security events |
| DNS logs | Query requests, resolution results — valuable for detecting C2 and tunneling |
| DHCP logs | IP address assignments — maps IPs to devices over time |
| Proxy/web filter logs | URLs visited, categorization, blocks |
Alerting Concepts
Thresholds
- Static: Alert when metric exceeds a fixed value (>100 failed logins/hour)
- Dynamic/adaptive: Alert based on deviation from learned baseline (200% above normal)
Alert Severity
- Critical: Confirmed compromise, active data exfiltration, ransomware deployment
- High: Strong indicators of compromise, active exploitation attempt
- Medium: Suspicious activity warranting investigation
- Low/Informational: Anomalies for awareness, potential policy violations
Tuning
- Reduce false positives by refining rules, whitelisting known-good behavior
- Danger of over-tuning: Too aggressive and you suppress real alerts
- Regular review of suppressed/closed alerts to catch missed detections
Threat Intelligence Integration
Feeding external threat data into monitoring tools:
- IOC feeds: Known-bad IPs, domains, file hashes integrated into SIEM/firewall/EDR
- STIX/TAXII: Standards for threat intelligence exchange
- Threat intelligence platforms (TIP): Aggregate multiple feeds, score confidence, distribute to security tools
Offensive Context
Monitoring is the detective control that makes every other attack harder. An attacker operating in an environment with mature SIEM correlation, EDR on every endpoint, and tuned alerting has to move slowly, avoid known patterns, and clean up after themselves — all of which increases their cost and risk. An attacker in an unmonitored environment moves freely. The difference between “breach detected in 4 hours” and “breach detected in 200 days” is monitoring maturity. JA3/JA4 TLS fingerprinting as a detection technique catches malware that uses its own TLS stack — and understanding how attackers evade detection informs how you tune your rules.