Objective 2.5 | High Priority | 10 min read

Security Monitoring

Continuous observation of systems, networks, and applications to detect threats, anomalies, and security events. Includes SIEM platforms, log analysis, alerting, and security analytics.

Understanding Security Monitoring

Security monitoring provides visibility into the security state of systems and networks, enabling detection of threats, anomalies, and policy violations. Without monitoring, attackers can operate undetected, dwell time increases, and breach impact grows.

Key monitoring components:

  • Log collection — Gathering events from all sources
  • SIEM — Centralized analysis and correlation
  • Alerting — Notification of security events
  • Analytics — Pattern detection and anomaly identification

Effective monitoring reduces attacker dwell time and enables rapid incident response.

Why This Matters for the Exam

Security monitoring is heavily tested on SY0-701 as it enables detection and response capabilities. Questions cover monitoring sources, SIEM functionality, and what monitoring can and cannot detect.

Understanding monitoring helps with security operations, compliance requirements, and incident response. Many regulations require continuous monitoring.

The exam tests both conceptual understanding of monitoring and practical knowledge of what should be monitored.

Deep Dive

Security Information and Event Management (SIEM)

Centralized platform for log collection, analysis, and alerting.

SIEM Functions:

  • Log aggregation: collect logs from all sources
  • Normalization: convert events to a common format
  • Correlation: link related events
  • Analysis: identify patterns and threats
  • Alerting: notify on security events
  • Reporting: compliance and operational reports
  • Retention: store logs for investigation

SIEM Data Sources:

  • Firewalls and IDS/IPS
  • Servers (Windows, Linux)
  • Applications and databases
  • Network devices
  • Endpoints (EDR)
  • Cloud services
  • Authentication systems
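Normalization is the SIEM function that makes correlation across sources possible. As an added example (not code from the page or any SIEM product), the block below maps one constructed Linux sshd syslog line and one constructed, simplified Windows Security export line (assumed CSV layout: time,host,event_id,user,ip) into a single common authentication schema.

```python
import re
from datetime import datetime

# Constructed samples (not from the page): a Linux sshd syslog line and a
# simplified Windows Security export line (assumed CSV: time,host,event_id,user,ip).
SSHD_LINE = "Mar  5 02:40:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.50 port 51234 ssh2"
WIN_LINE = "2024-03-05T02:41:00Z,DC01,4625,admin,203.0.113.50"

# Matches both "Failed password for [invalid user] X from IP" and "Accepted password/publickey for X from IP"
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # Windows logon success / failure event IDs

def normalize_sshd(line, year=2024):
    """syslog has no year; the caller supplies it (assumption: current year)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.isoformat(), "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
            "outcome": "failure" if m.group(3) == "Failed" else "success", "source": "sshd"}

def normalize_windows(line):
    ts, host, event_id, user, ip = line.split(",")
    if event_id not in WIN_OUTCOME:   # only logon events are mapped into the auth schema
        return None
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").isoformat(), "host": host,
            "user": user, "src_ip": ip, "outcome": WIN_OUTCOME[event_id], "source": "windows"}

def normalize(line):
    """Dispatch on shape: the constructed Windows export has exactly four commas."""
    return normalize_windows(line) if line.count(",") == 4 else normalize_sshd(line)
```

Once both sources share the same `user`, `src_ip` and `outcome` fields, a single correlation rule can count failures against a source IP regardless of which platform logged them.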

Log Sources and Monitoring

What to Monitor:

  • Authentication: logons, failures, privilege use
  • Firewalls: allowed/denied connections
  • Servers: service events, errors, changes
  • Applications: errors, access, transactions
  • Endpoints: process execution, file changes
  • Network: traffic patterns, anomalies

Critical Logs:

  • Security event logs
  • Authentication logs
  • Privileged access
  • Configuration changes
  • Failed access attempts
  • Outbound connections

Log Retention:

  • Compliance requirements (often 1 year+)
  • Investigation needs (longer = more context)
  • Storage considerations
  • Legal hold requirements

Alerting and Thresholds

Alert Categories:

  • Critical: active attack or breach; respond immediately
  • High: likely threat; respond within 1 hour
  • Medium: suspicious activity; respond the same day
  • Low: anomaly or informational; review

Alert Design:

  • Clear, actionable alerts
  • Appropriate thresholds to minimize false positives
  • Context included for investigation
  • Escalation procedures defined

Alert Fatigue:

  • Too many alerts = important ones missed
  • Tune rules to reduce noise
  • Focus on high-fidelity detections
  • Use risk-based prioritization

Continuous Monitoring

Ongoing assessment of security posture.

Continuous Monitoring Components:

  • Real-time event monitoring
  • Vulnerability scanning
  • Configuration assessment
  • Compliance checking
  • Threat intelligence integration

Monitoring vs. Point-in-Time:

  • Coverage: continuous is ongoing; point-in-time is a snapshot
  • Detection: continuous is real-time; point-in-time is after the fact
  • Cost: continuous is higher; point-in-time is lower
  • Effectiveness: continuous is better; point-in-time is limited

Security Operations Center (SOC)

Team responsible for security monitoring and response.

SOC Functions:

  • Monitor security events 24/7
  • Investigate alerts
  • Respond to incidents
  • Threat hunting
  • Report on security posture

SOC Metrics:

  • Mean Time to Detect (MTTD)
  • Mean Time to Respond (MTTR)
  • Alert volume and types
  • Incidents by category
  • False positive rate

Analytics and Detection

Detection Approaches:

  • Signature-based: known attack patterns
  • Anomaly-based: deviations from a baseline
  • Behavioral: unusual user/entity behavior
  • Machine learning: AI-driven pattern detection

User and Entity Behavior Analytics (UEBA):

  • Baselines normal user behavior
  • Detects anomalies suggesting compromise
  • Identifies insider threats
  • Catches credential misuse

How CompTIA Tests This

Example Analysis

Scenario: A SIEM alert shows: User "admin" authenticated successfully from IP 203.0.113.50 (Russia) at 3:00 AM. This user normally works from the US office during business hours. Previous day logs show multiple failed authentications for this account from the same IP.

Analysis - SIEM Detection:

Alert Triggered By:

  • Authentication from unusual location (Russia vs. US)
  • Unusual time (3:00 AM vs. business hours)
  • Correlated failed attempts followed by success
  • Privileged account ("admin")

SIEM Correlation:

  1. Geo-location anomaly detection
  2. Time-based behavior analysis
  3. Failed-to-success authentication pattern
  4. Privileged account monitoring

Investigation Steps:

  1. Verify user location (contact directly)
  2. Check for VPN usage that might explain location
  3. Review admin actions taken after login
  4. Check for MFA bypass
  5. Examine failed attempts for password spraying indicators

Response if Compromise Confirmed:

  1. Disable account immediately
  2. Terminate active sessions
  3. Reset credentials
  4. Audit actions taken during session
  5. Check for persistence mechanisms
  6. Expand investigation to related systems

Key insight: SIEM correlation of multiple factors (location, time, failed attempts, success) identified probable credential compromise that single-event analysis might miss.
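The correlation in this scenario, and the baseline-versus-anomaly logic of the UEBA section above, can be shown in a few lines. This is an added example, not code from the page or from any SIEM: it replays constructed authentication events (timestamp | user | outcome | source IP | country), learns each user's normal countries from clean logons, and scores each successful logon on the four factors the scenario names. The privileged-account list, the business-hours window and the 48-hour failure window are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from the page): timestamp | user | outcome | source IP | country
SAMPLE_LOG = """\
2024-03-04 09:12:00 | admin  | success | 198.51.100.7 | US
2024-03-04 14:30:00 | admin  | success | 198.51.100.7 | US
2024-03-05 02:40:00 | admin  | failure | 203.0.113.50 | RU
2024-03-05 02:41:00 | admin  | failure | 203.0.113.50 | RU
2024-03-05 02:42:00 | admin  | failure | 203.0.113.50 | RU
2024-03-06 03:00:00 | admin  | success | 203.0.113.50 | RU
2024-03-06 10:00:00 | jsmith | success | 198.51.100.9 | US
"""
PRIVILEGED = {"admin"}          # assumption: list of privileged accounts
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 is the normal working window
PRIORITY = {4: "critical", 3: "high", 2: "medium", 1: "low"}  # page's alert categories

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, outcome, ip, country = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "outcome": outcome, "ip": ip, "country": country})
    return events

def correlate(events, window_hours=48):
    baseline = defaultdict(set)   # user -> countries seen in clean successful logons
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        reasons = []
        if baseline[e["user"]] and e["country"] not in baseline[e["user"]]:
            reasons.append("geo anomaly")                 # location vs. learned baseline
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours logon")              # time vs. business hours
        recent = [t for t in failures[key] if 0 <= (e["ts"] - t).total_seconds() <= window_hours * 3600]
        if len(recent) >= 3:
            reasons.append(f"{len(recent)} failures then success")  # failed-to-success pattern
        if not reasons:
            baseline[e["user"]].add(e["country"])         # only clean logons extend the baseline
            continue
        if e["user"] in PRIVILEGED:
            reasons.append("privileged account")           # raises priority, never alerts alone
        alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                       "priority": PRIORITY[min(len(reasons), 4)], "reasons": reasons})
    return alerts
```

Each of the first two factors alone would only produce a low alert; it is the combination, plus the earlier failures, that lifts the 3:00 AM "admin" logon to critical, which is the point of correlation over single-event matching.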

Key Terms to Know

security monitoring, SIEM, log analysis, alerting, continuous monitoring, threat detection, SOC, security analytics

Common Mistakes to Avoid

Collecting logs without analyzing them—logs only provide value when reviewed and correlated. Unanalyzed logs are just storage cost.
Setting too many alerts—alert fatigue leads to missing important events. Tune for quality over quantity.
Monitoring only perimeter—internal monitoring catches lateral movement and insider threats that perimeter misses.
Not retaining logs long enough—investigations often need historical context. Attackers may have been present for months.

Exam Tips

SIEM = Centralized log collection, correlation, analysis, and alerting.
Continuous monitoring = Ongoing vs. point-in-time assessments.
Alert fatigue = Too many alerts cause important ones to be missed.
MTTD = Mean Time to Detect. MTTR = Mean Time to Respond. Key SOC metrics.
UEBA = User and Entity Behavior Analytics. Baselines behavior to detect anomalies.
Log retention requirements often 1 year+ for compliance.

Memory Trick

"SCARA" - SIEM Functions

  • Store (log retention)
  • Collect (aggregate logs)
  • Analyze (correlate events)
  • Report (compliance, metrics)
  • Alert (notify on threats)

"FANEC" - What to Monitor

  • Firewall logs
  • Authentication events
  • Network traffic
  • Endpoint activity
  • Configuration changes

Detection Types

  • Signature = Specific known patterns
  • Anomaly = Abnormal deviations
  • Behavior = Baseline comparison

SOC Metrics Memory:

  • MTTD = "Moments To Threats Detected"
  • MTTR = "Moments To Threats Resolved"
  • Lower = Better

Alert Quality: "Quality over Quantity"

  • 100 good alerts > 10,000 noisy alerts

Test Your Knowledge

Q1. What is the PRIMARY purpose of a SIEM in security monitoring?

Q2. A security team receives 5,000 alerts daily but only has resources to investigate 50. Most alerts are false positives. What problem does this describe?

Q3. A user's normal work pattern is 9 AM - 5 PM EST from their office. SIEM detects them logging in at 2 AM from a foreign country. What type of detection identified this anomaly?
