Chapter 87 · Concepts

Security Monitoring — Concept Tables

Six reference tables covering monitoring domains, SIEM capabilities, scanning outputs, reporting types, alerting methods, and alert response actions.

Table 1 — Three Monitoring Domains: Systems, Applications, Infrastructure
DomainWhat Is MonitoredKey Security Indicators
SystemsAuthentication events, server service activity, backup completion status, installed software versionsLogins from unexpected geographic locations; repeated failed logins; services stopping unexpectedly; backups failing (possible ransomware); unpatched software versions
ApplicationsUptime and availability, response times, inbound and outbound data transfer volumes, developer security notificationsApplication downtime (possible DoS or exploitation); sudden spike in data transfer volume (possible exfiltration); security notifications from developers/vendors
InfrastructureRemote access connections (employees, vendors, guests), firewall rule activity, IPS reports and blocked traffic patternsUnauthorized remote access sessions; unusual access patterns from vendor accounts; spike in blocked attack attempts at the firewall; new attack types appearing in IPS logs
Table 2 — SIEM Capabilities and Use Cases
CapabilityDescriptionSecurity Value
Log aggregationCollects logs from servers, firewalls, switches, routers, VPN concentrators, cloud services, SANs into one central databaseEliminates log silos; enables unified analysis across the entire environment
CorrelationConnects events across disparate sources to identify patterns invisible in any single logDetects multi-stage attacks, brute-force campaigns, and exfiltration patterns that span multiple systems
Centralized reportingGenerates reports from the unified log database using a single reporting engineConsistent, comprehensive reporting without manually querying each system individually
Authentication and access trackingLinks VPN authentication events to subsequent internal access and application usageIdentifies compromised credentials being used for lateral movement after initial authentication
Data transfer measurementBaselines normal transfer volumes and alerts when thresholds are exceededPrimary detection mechanism for data exfiltration, which often produces anomalous transfer spikes
Alert generationFires alerts when correlation rules or threshold conditions are metDelivers actionable notifications to analysts in real time rather than waiting for report reviews
Table 3 — Continuous Scanning: Data Collected and Security Purpose
Data CollectedSecurity Purpose
Operating system types and versionsIdentify systems running end-of-life OS versions with no vendor security support; match against newly disclosed OS-level CVEs
Installed applications and versionsDetect unauthorized software; identify applications with known CVEs; track patch compliance across the application stack
Device driver versionsDrivers are frequently overlooked in patch management; outdated drivers can be exploited for privilege escalation or kernel access
Configuration anomaliesDeviations from the security baseline may indicate tampering, misconfiguration, or unauthorized changes by an attacker or insider
Network presenceIdentify unauthorized devices on the network; detect changes in device inventory that may indicate new endpoints or rogue devices
Table 4 — Reporting Types and Their Security Purpose
Report TypeWhat It ShowsWhen It Is Used
Status reportNumber of compliant vs. non-compliant systems; patching coverage; devices running outdated OS versionsRoutine security reviews; management reporting; compliance audits
Vulnerability response reportWhich systems in the environment are running the software version affected by a newly disclosed CVEImmediately after a new CVE is published; drives emergency patching decisions
Ad hoc reportCustomized query against current or historical data for an unanticipated need; what-if analysis; end-of-life projectionsIncident investigations; forward planning; emerging threats that require immediate custom analysis
Trend reportChanges over time: alert volume trends, patching velocity, new device additionsIdentifying gradual degradation of security posture; measuring improvement from security investments
Table 5 — Archiving: Retention Requirements and Evidence Use
FactorDetail
Average breach discovery time~9 months (IBM Security 2022) — logs must span at least this window for historical forensic evidence to be available
Forensic investigationArchived logs allow investigators to reconstruct attacker activity from initial access through lateral movement and exfiltration
Compliance and legalHIPAA, PCI-DSS, SOX, and state breach notification laws mandate specific retention periods; failure to retain logs may result in regulatory penalties
Slow attack detectionLow-volume, persistent attacker activity may generate anomalies only visible when analyzed over months — short retention windows make this analysis impossible
Recommended minimum retentionAt least 12 months for most environments; longer for regulated industries; stored in a tamper-evident format to preserve evidentiary value
Table 6 — Alerting Methods and Alert Response Actions
CategoryItemDescription
Alert delivery methodsSMS / textImmediate notification to on-call personnel; works outside business hours; highest urgency delivery
EmailMore detail than SMS; creates documented record of alert time and content; suitable for lower-urgency or supplementary notification
SOC consoleCentralized dashboard for security operations teams actively monitoring; enables systematic triage, escalation, and tracking
Alert response actionsQuarantineIsolate the affected system from network communication; stop lateral spread; preserve system for forensics
Alert tuningAdjust thresholds and rules to reduce false positives and false negatives; ongoing process that improves accuracy over time
Alert calibration problemFalse positiveAlert fires on harmless activity — wastes analyst time; causes alert fatigue; risks real alerts being ignored
False negativeReal threat does not trigger an alert — organization is unaware of active incident; more dangerous than false positive