Security Monitoring and Log Analysis
What the Exam Is Really Testing
A SOC analyst starts their shift and opens the SIEM dashboard. There are 4,200 events from the last 12 hours. Most are noise — routine logins, scheduled tasks, DNS queries. Somewhere in that pile, there might be a credential stuffing attack, a lateral movement attempt, or data exfiltration in progress. Without correlation, it all looks the same.
Individual logs tell stories. Correlated logs reveal attacks. Without centralized monitoring, threats hide in the noise of normal operations.
The exam tests whether you understand how monitoring works end-to-end: where logs come from, how they are aggregated and correlated, what SIEM and SOAR platforms do, and how analysts separate real threats from background noise.
SIEM: Security Information and Event Management
A SIEM is the central nervous system of a security operations center (SOC). It collects, normalizes, stores, and analyzes log data from across the entire environment.
Core SIEM Functions
- Log aggregation — Collects logs from firewalls, servers, endpoints, applications, network devices, and cloud services into a single platform
- Normalization — Converts logs from different formats into a common schema so they can be compared and correlated
- Correlation — Applies rules that connect events across multiple sources to identify patterns that no single log source would reveal
- Alerting — Triggers notifications when correlation rules match predefined threat patterns or thresholds
- Dashboards and reporting — Provides real-time visibility into security posture and compliance status
- Retention — Stores logs for the periods required by policy and compliance frameworks
Why Correlation Matters
A single failed login is noise. Ten failed logins from different accounts, originating from the same IP, within five minutes, followed by a successful login — that is a potential brute-force attack.
Correlation rules connect the dots that individual log sources cannot. Examples include:
- Multiple authentication failures followed by success (credential stuffing)
- Outbound traffic to known malicious IPs after a suspicious download (command and control)
- Privilege escalation followed by mass file access (insider threat or compromised account)
- New admin account creation outside business hours (potential persistence mechanism)
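The normalization and correlation steps above, as an added worked example (my own code, not from any SIEM product). It parses two constructed log formats, Linux sshd syslog lines and a Windows-style logon event rendered as key=value text (Event IDs 4624 and 4625 are the real Windows logon success and failure IDs), into one common schema, then applies the brute-force rule: several failed logins against different accounts from one source IP inside a five-minute window, followed by a success from that IP. The schema field names, sample lines and thresholds are assumptions.

```python
# Added example for this study page, not code from any SIEM product.
# Normalizes two constructed log formats into one schema, then runs one
# correlation rule (failures across accounts from one IP, then a success).
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: Linux sshd lines in syslog style.
SSHD_LINES = """\
2024-03-01T09:00:05 web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-03-01T09:00:41 web01 sshd[1202]: Failed password for bob from 203.0.113.7 port 51002 ssh2
2024-03-01T09:01:10 web01 sshd[1203]: Failed password for carol from 203.0.113.7 port 51003 ssh2
2024-03-01T09:02:30 web01 sshd[1204]: Accepted password for carol from 203.0.113.7 port 51004 ssh2
2024-03-01T09:30:00 web01 sshd[1250]: Failed password for dave from 198.51.100.9 port 40001 ssh2
""".splitlines()

# Constructed sample: Windows logon events (4625 = failure, 4624 = success)
# flattened to key=value text by a hypothetical forwarder.
WINDOWS_LINES = """\
2024-03-01T09:01:45 dc01 EventID=4625 TargetUserName=dan IpAddress=203.0.113.7
2024-03-01T09:02:02 dc01 EventID=4625 TargetUserName=erin IpAddress=203.0.113.7
2024-03-01T09:45:00 dc01 EventID=4624 TargetUserName=frank IpAddress=198.51.100.9
""".splitlines()


@dataclass
class AuthEvent:
    """Common schema (field names are my own choice) for authentication events."""
    ts: datetime
    host: str
    user: str
    src_ip: str
    success: bool


SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts, host, verdict, user, ip = m.groups()
    return AuthEvent(datetime.fromisoformat(ts), host, user, ip, verdict == "Accepted")


def normalize_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, host, event_id, user, ip = m.groups()
    if event_id not in ("4624", "4625"):
        return None  # not a logon event; other IDs are out of scope here
    return AuthEvent(datetime.fromisoformat(ts), host, user, ip, event_id == "4624")


def normalize_all(sshd_lines, windows_lines):
    """Merge both sources into one time-ordered stream of AuthEvent."""
    events = []
    for line in sshd_lines:
        e = normalize_sshd(line)
        if e:
            events.append(e)
    for line in windows_lines:
        e = normalize_windows(line)
        if e:
            events.append(e)
    return sorted(events, key=lambda e: e.ts)


def correlate_bruteforce(events, min_failures=5, min_accounts=2, window=timedelta(minutes=5)):
    """Rule: at least min_failures failed logins from one source IP against at
    least min_accounts distinct accounts within `window`, followed by a success
    from that IP. Thresholds are assumptions; tune them to the environment."""
    by_ip = defaultdict(list)
    for e in events:  # events are already time-ordered, so each list stays ordered
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if not e.success:
                continue
            recent_failures = [f for f in evs[:i] if not f.success and e.ts - f.ts <= window]
            accounts = {f.user for f in recent_failures}
            if len(recent_failures) >= min_failures and len(accounts) >= min_accounts:
                alerts.append({"src_ip": ip, "failures": len(recent_failures),
                               "accounts": sorted(accounts), "success_user": e.user,
                               "success_at": e.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(normalize_all(SSHD_LINES, WINDOWS_LINES)):
        print(alert)
```

With the sample data, only 203.0.113.7 trips the rule: five failures across five accounts in under three minutes, then an accepted login for carol. The single failure from 198.51.100.9 followed 15 minutes later by an unrelated success does not, which is the point of the window and the account-count threshold.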
Log Sources
The value of a SIEM depends entirely on the quality and breadth of its log sources. Key sources tested on Security+ include:
Firewall Logs
Record allowed and denied connections, source/destination IPs and ports, and protocol information. Essential for identifying unauthorized access attempts, port scans, and data exfiltration.
Application Logs
Record user actions within applications: logins, data access, errors, configuration changes. Critical for detecting unauthorized data access and application-layer attacks.
Endpoint Logs
Record process execution, file changes, registry modifications, USB connections, and user activity on workstations and servers. Essential for detecting malware execution and insider threats.
Network Logs
Include DNS queries, DHCP leases, proxy logs, and network flow data. Reveal communication patterns, domain lookups to suspicious destinations, and lateral movement.
Operating System Logs
Windows Event Logs, Linux syslog/journald — record authentication events, privilege changes, service starts/stops, and security policy changes.
Network Traffic Analysis
NetFlow and sFlow
NetFlow (Cisco) and sFlow (vendor-neutral) capture metadata about network conversations without recording full packet content:
- Source and destination IP addresses
- Source and destination ports
- Protocol
- Byte and packet counts
- Timestamps
Flow data is excellent for identifying traffic patterns, detecting unusual data volumes (potential exfiltration), and mapping communication between hosts — without the storage overhead of full packet capture.
Packet Capture (PCAP)
Full packet capture records every byte of network traffic. It provides complete visibility but requires massive storage and is typically used for:
- Incident investigation (after an alert)
- Forensic analysis
- Validating SIEM alerts
- Troubleshooting specific network issues
For the exam: flow data for monitoring patterns, packet capture for investigating specific incidents.
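A worked example of what flow metadata supports, added here and not taken from any NetFlow collector or analysis product. It parses constructed NetFlow-style records (the five fields listed above plus byte and packet counts), then does two things the text describes: it correlates flows with a constructed threat-intelligence IP list to find internal hosts talking to known-bad infrastructure (the Question 3 scenario), and it compares each host's outbound byte count against a constructed baseline to flag hosts sending far more than usual. The internal address range, the indicator list and the baseline numbers are all assumptions.

```python
# Added example for this study page, not code from any flow collector.
# Works on flow metadata only: no packet content is involved.
import csv
import io
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."  # assumption: one /24 stands in for "internal"

# Constructed flow records, NetFlow-style export as CSV (one row per flow).
# proto 6 = TCP, 17 = UDP.
FLOW_CSV = """\
ts,src,dst,sport,dport,proto,bytes,pkts
2024-03-01T10:00:00,10.0.0.21,192.0.2.10,51000,443,6,1400,12
2024-03-01T10:00:03,10.0.0.21,203.0.113.50,51001,443,6,3200,20
2024-03-01T10:00:10,10.0.0.22,192.0.2.10,51002,443,6,900,8
2024-03-01T10:05:00,10.0.0.22,198.51.100.77,51003,22,6,52000000,41000
2024-03-01T10:05:30,10.0.0.23,192.0.2.11,51004,53,17,200,2
2024-03-01T10:06:00,192.0.2.99,10.0.0.23,40000,445,6,5000,10
2024-03-01T10:07:00,10.0.0.24,192.0.2.12,51005,80,6,700,6
"""

# Constructed threat-intelligence feed: IPs attributed to C2 infrastructure.
THREAT_INTEL_IPS = {"203.0.113.50", "203.0.113.51"}

# Constructed baseline: typical outbound bytes per host for a comparable window.
BASELINE_OUTBOUND_BYTES = {"10.0.0.21": 5000, "10.0.0.22": 4_000_000, "10.0.0.23": 1000}


def parse_flows(text):
    """Read the CSV export into dicts with numeric counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("sport", "dport", "proto", "bytes", "pkts"):
            row[field] = int(row[field])
        flows.append(row)
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def hosts_talking_to_indicators(flows, indicators):
    """Correlate flow metadata with a threat-intel IP set.
    Returns {internal_host: sorted matched indicator IPs}. Both directions
    count: a flow to or from an indicator means the host is in contact."""
    hits = defaultdict(set)
    for f in flows:
        for inside, outside in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if is_internal(inside) and outside in indicators:
                hits[inside].add(outside)
    return {host: sorted(ips) for host, ips in hits.items()}


def outbound_bytes_per_host(flows):
    """Sum bytes sent by each internal host to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def volume_anomalies(observed, baseline, factor=10):
    """Flag hosts whose outbound volume is at least `factor` times baseline.
    Hosts with no baseline are returned separately: there is nothing to
    compare them against yet, and silently skipping them would hide them."""
    flagged, unbaselined = {}, []
    for host, nbytes in observed.items():
        base = baseline.get(host)
        if base is None:
            unbaselined.append(host)
        elif nbytes >= factor * base:
            flagged[host] = round(nbytes / base, 1)
    return flagged, sorted(unbaselined)


if __name__ == "__main__":
    flows = parse_flows(FLOW_CSV)
    print("contact with indicators:", hosts_talking_to_indicators(flows, THREAT_INTEL_IPS))
    observed = outbound_bytes_per_host(flows)
    print("volume anomalies, unbaselined:", volume_anomalies(observed, BASELINE_OUTBOUND_BYTES))
```

On the sample data the indicator check names 10.0.0.21 (one HTTPS flow to 203.0.113.50), and the volume check names 10.0.0.22, which pushed about 52 MB out over SSH against a 4 MB baseline. 10.0.0.24 has no baseline and is reported as such rather than ignored. None of this needed packet content, which is why flow data is the answer for ongoing monitoring and full capture is reserved for the follow-up investigation.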
SOAR Integration
SOAR (Security Orchestration, Automation, and Response) platforms extend SIEM capabilities by automating response actions:
- Orchestration — Connects security tools together so they can share data and coordinate responses
- Automation — Executes predefined playbooks automatically when specific conditions are met (block an IP, quarantine a host, disable an account)
- Response — Reduces the time between detection and containment from hours to seconds
SOAR does not replace human analysts. It handles the repetitive, time-sensitive actions so analysts can focus on complex investigations.
Anomaly Detection and Baselines
Effective monitoring requires knowing what normal looks like before you can identify what is abnormal.
Behavioral Baselines
Establish baselines for:
- Normal network traffic volumes and patterns
- Typical login times and locations for users
- Standard process execution on endpoints
- Expected DNS query patterns
- Usual data transfer volumes
Anomaly Detection
Once baselines are established, deviations trigger investigation:
- A user logging in at 3 AM from a foreign country
- A server sending 10x its normal outbound data volume
- A workstation making DNS queries to randomized domain names (potential DNS tunneling or C2 communication)
- A service account suddenly accessing file shares it has never touched
Anomaly detection catches threats that signature-based rules miss — including zero-day attacks and insider threats that do not match known attack patterns.
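Two of the baseline deviations above as an added worked example, my own code rather than anything from a UEBA or SIEM product: a login from a location outside the user's usual set, and impossible travel (two logins whose distance and time gap imply an unrealistic speed, which is the Question 1 scenario of New York at 9:00 and Singapore at 9:15). The geo-IP table, login records, per-user baseline and speed threshold are constructed assumptions; a real deployment would draw the first from a geolocation database and the baseline from weeks of history.

```python
# Added example for this study page, not code from any product.
# Baseline-driven checks over login events: unusual location, impossible travel.
import math
from collections import defaultdict
from datetime import datetime

# Constructed geo-IP lookup: source IP -> (city, latitude, longitude).
GEOIP = {
    "198.51.100.10": ("New York", 40.7128, -74.0060),
    "203.0.113.20": ("Singapore", 1.3521, 103.8198),
    "198.51.100.11": ("Boston", 42.3601, -71.0589),
}

# Constructed login records: (user, ISO timestamp, source IP).
LOGINS = [
    ("alice", "2024-03-01T09:00:00", "198.51.100.10"),
    ("alice", "2024-03-01T09:15:00", "203.0.113.20"),
    ("bob", "2024-03-01T08:00:00", "198.51.100.10"),
    ("bob", "2024-03-01T12:30:00", "198.51.100.11"),
]

# Constructed behavioral baseline: cities each user normally logs in from.
BASELINE_CITIES = {"alice": {"New York"}, "bob": {"New York", "Boston"}}

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def _logins_by_user(logins):
    grouped = defaultdict(list)
    for user, ts, ip in logins:
        grouped[user].append((datetime.fromisoformat(ts), ip))
    for events in grouped.values():
        events.sort()
    return grouped


def unusual_location_logins(logins, geoip, baseline):
    """Baseline deviation: a login from a city not in the user's known set.
    IPs missing from the geo table are skipped (no location to compare)."""
    alerts = []
    for user, events in _logins_by_user(logins).items():
        known = baseline.get(user, set())
        for ts, ip in events:
            if ip in geoip and geoip[ip][0] not in known:
                alerts.append({"user": user, "at": ts.isoformat(), "city": geoip[ip][0]})
    return alerts


def impossible_travel(logins, geoip, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins; flag pairs whose implied speed
    exceeds max_kmh. Same-timestamp logins from different places count as
    infinite speed rather than dividing by zero."""
    alerts = []
    for user, events in _logins_by_user(logins).items():
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 not in geoip or ip2 not in geoip:
                continue
            city1, lat1, lon1 = geoip[ip1]
            city2, lat2, lon2 = geoip[ip2]
            distance = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = distance / hours if hours > 0 else (math.inf if distance > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "distance_km": round(distance, 1), "hours": hours,
                               "speed_kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    print(unusual_location_logins(LOGINS, GEOIP, BASELINE_CITIES))
    print(impossible_travel(LOGINS, GEOIP))
```

For alice both checks fire on the same Singapore login: it is outside her baseline, and roughly 15,300 km in 15 minutes is about 60,000 km/h. Bob's New York to Boston move over four and a half hours is well under the threshold and both cities are in his baseline, so he produces nothing. No signature was involved in either decision, only a comparison against what is normal for that user.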
Pattern Recognition
When you see monitoring and log analysis questions, look for these patterns:
- Need to correlate events across multiple sources = SIEM
- Need to automate response to common alerts = SOAR
- Need to see traffic patterns without full packet capture = NetFlow/sFlow
- Need detailed investigation of a specific incident = packet capture
- Unusual behavior from a trusted user = anomaly detection / behavioral baseline deviation
- Logs from different systems pointing to the same attack = correlation rules
Trap Patterns
Watch for these distractors:
- "Deploy more firewalls" — Firewalls generate logs but do not correlate or analyze them
- "Increase log retention to 10 years" — Retention is a compliance issue, not a detection improvement
- "Monitor all traffic with full packet capture" — Impractical at scale for ongoing monitoring; use flow data for patterns
- "Write custom detection scripts" — SIEM correlation rules and SOAR playbooks are the structured approach
Scenario Practice
Question 1
A security analyst notices that a user account logged in from New York at 9:00 AM and from Singapore at 9:15 AM the same day.
What type of detection identified this threat?
A. Signature-based detection
B. Anomaly-based detection using behavioral baselines
C. Heuristic analysis
D. Vulnerability scanning
Answer & reasoning
Correct: B
Impossible travel detection compares login locations against what is physically possible. This is a behavioral anomaly — the system knows the user's normal patterns and flags deviations that are physically impossible.
No signature exists for this; it requires baseline comparison. Heuristic analysis applies to malware behavior. Vulnerability scanning identifies weaknesses, not active threats.
Question 2
An organization receives thousands of security alerts daily. Most are false positives, and the security team cannot investigate them all manually.
What should the organization implement to improve response efficiency?
A. Hire additional security analysts for 24/7 coverage
B. Deploy a SOAR platform with automated playbooks
C. Disable low-severity alerts to reduce volume
D. Forward all alerts to the help desk for triage
Answer & reasoning
Correct: B
SOAR platforms automate repetitive triage and response tasks through predefined playbooks, dramatically reducing the burden on analysts and improving response times for common alert types.
Hiring alone does not solve the efficiency problem. Disabling alerts creates blind spots. The help desk lacks security expertise for triage.
Question 3
A security team needs to identify which internal hosts are communicating with a known command-and-control server without capturing full packet content.
What technology is MOST appropriate?
A. Full packet capture on all network segments
B. NetFlow analysis correlated with threat intelligence feeds
C. Host-based intrusion detection on every endpoint
D. DNS filtering to block the known domain
Answer & reasoning
Correct: B
NetFlow records metadata about network conversations (source, destination, protocol, volume) without capturing content. Correlating flow data with threat intelligence identifies which hosts are communicating with known malicious infrastructure.
Full packet capture works but is not required for this purpose and generates massive storage overhead. DNS filtering blocks traffic but does not identify already-communicating hosts. HIDS does not track network connections to external servers.
Key Takeaway
Logs without correlation are just noise. A SIEM turns scattered data points into actionable intelligence by connecting events across sources. SOAR takes it a step further by automating the response — so the time between detection and containment drops from hours to seconds. When you see monitoring questions, think about whether the scenario describes a collection problem, a correlation problem, or a response problem. That distinction usually points straight to the answer. Detection without response is just observation. The goal is to turn visibility into action.