| Category | Examples |
|---|---|
| Applications | Web apps, databases, APIs — errors, auth failures, anomalies |
| Systems | OS events, CPU/memory spikes, unauthorized changes |
| Infrastructure | Network devices, cloud resources, storage, firewalls |
| Metric | Purpose |
|---|---|
| Performance metrics | Detect compromise via unexpected resource use; establish a baseline |
| Anomaly detection | Spot unusual processes, requests, or traffic patterns in real time |
| Availability metrics | Monitor uptime, latency, and stability of critical systems |
| EDR telemetry | Endpoint-level process, file, network, and registry events |
| Tool | Description |
|---|---|
| SIEM | Aggregates, correlates, and alerts on logs from all sources. Automates alerting, reporting, quarantine, and response. |
| SCAP | Standardized framework for security compliance checking and vulnerability management |
| Antivirus / EDR | Real-time detection, alerting, quarantine, and logging of threats at the endpoint |
| DLP | Monitors and prevents unauthorized access to or exfiltration of sensitive data |
| SNMP Traps | Real-time network device alerts sent to a central management system |
| NetFlow | Network traffic flow data — useful for anomaly detection and threat hunting |
| Vulnerability scanners | Actively scan hosts for security weaknesses |
| Benchmarks | Compare system state against known-good performance and security standards |
| Type | Pros | Cons |
|---|---|---|
| Agent-based | Verbose real-time data, deep visibility | Resource overhead, agent management complexity |
| Agentless | Easy deployment, no installed software | Less granular, relies on existing protocols (WMI, SSH, SNMP) |
| SIEM function | What it does |
|---|---|
| Log aggregation | Collect from all sources (endpoints, network, cloud) |
| Normalization | Common format across different log types |
| Correlation | Link related events across systems |
| Alerting | Notify on rule matches or anomalies |
| Dashboards | Visual security posture overview |
| Reporting | Compliance and post-incident documentation |
| Response automation | Quarantine, block, or escalate automatically |
| Detection use case | Pattern to watch for |
|---|---|
| Brute-force detection | Multiple failed logins (EventID 4625) from the same IP in a short window |
| Lateral movement | New admin login from an unexpected host or at an unusual time |
| Malware C2 beacon | Periodic outbound connection to an unknown IP at regular intervals |
| Data exfiltration | Large outbound data transfer to an external IP / cloud storage |
| Privilege escalation | User account added to an admin group (EventID 4728/4732) |
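The SIEM stages above (aggregation, normalization, correlation, alerting) and the detection use cases in the last table can be shown end to end in one small script. The following is an added example, not code from the original notes or from any SIEM product: it takes a handful of constructed log lines in two different raw formats (a Windows-style security event line and a syslog-style firewall connection line), normalizes them into one schema, and then runs four correlation rules over the normalized events: brute force (EventID 4625 from one source IP within a sliding window), privilege escalation (EventID 4728/4732), a C2-style beacon (outbound connections to one destination at near-constant intervals), and a large outbound transfer. The log formats, field names, thresholds and the 2024 year assumed for the syslog timestamps are all constructed for the example.

```python
"""Added example: a toy SIEM pipeline (aggregate -> normalize -> correlate -> alert)
over constructed log lines. Formats, thresholds and sample values are assumptions."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logs from two sources, each in its own raw format.
WINDOWS_LOGS = [
    "2024-05-01T10:00:01 host=DC01 EventID=4625 user=alice src=203.0.113.5",
    "2024-05-01T10:00:03 host=DC01 EventID=4625 user=alice src=203.0.113.5",
    "2024-05-01T10:00:05 host=DC01 EventID=4625 user=bob src=203.0.113.5",
    "2024-05-01T10:00:07 host=DC01 EventID=4625 user=alice src=203.0.113.5",
    "2024-05-01T10:00:09 host=DC01 EventID=4625 user=carol src=203.0.113.5",
    "2024-05-01T10:00:20 host=DC01 EventID=4624 user=alice src=198.51.100.7",
    "2024-05-01T10:05:00 host=DC01 EventID=4732 user=svc-backup group=Administrators src=10.0.0.8",
]
FIREWALL_LOGS = [
    "May  1 10:01:00 fw01 conn: 10.0.0.12 -> 192.0.2.44:443 bytes=512",
    "May  1 10:02:00 fw01 conn: 10.0.0.12 -> 192.0.2.44:443 bytes=498",
    "May  1 10:03:00 fw01 conn: 10.0.0.12 -> 192.0.2.44:443 bytes=507",
    "May  1 10:04:00 fw01 conn: 10.0.0.12 -> 192.0.2.44:443 bytes=511",
    "May  1 10:01:13 fw01 conn: 10.0.0.30 -> 198.51.100.9:443 bytes=90210",
    "May  1 10:07:42 fw01 conn: 10.0.0.30 -> 198.51.100.9:443 bytes=1200",
]

WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+)"
    r"(?: group=(?P<group>\S+))? src=(?P<src>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) conn: (?P<src>\S+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$")


def normalize(line):
    """Normalization stage: map either raw format onto one common event schema."""
    m = WIN_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": "auth",
                "event_id": int(m["eid"]), "user": m["user"], "group": m["group"], "src": m["src"]}
    m = FW_RE.match(line)
    if m:
        # Syslog timestamps carry no year; the year is assumed for this constructed sample.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
        return {"ts": ts, "host": m["host"], "kind": "conn", "src": m["src"],
                "dst": m["dst"], "bytes": int(m["bytes"])}
    return None  # unknown format: dropped here (a real SIEM would count and flag these)


def detect_brute_force(events, threshold=5, window_s=60):
    """Sliding window: `threshold` failed logons (4625) from one source IP within window_s."""
    recent, alerts, fired = defaultdict(deque), [], set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] != "auth" or e["event_id"] != 4625:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in fired:   # alert once per source
            fired.add(e["src"])
            alerts.append({"rule": "brute_force", "src": e["src"], "count": len(q)})
    return alerts


def detect_privilege_escalation(events):
    """Account added to a security-enabled group (EventID 4728 global, 4732 local)."""
    return [{"rule": "priv_esc", "user": e["user"], "group": e["group"], "host": e["host"]}
            for e in events if e["kind"] == "auth" and e["event_id"] in (4728, 4732)]


def detect_beacons(events, min_conns=4, max_cv=0.1):
    """Flag src->dst pairs with several connections at near-constant intervals.
    The coefficient of variation of the inter-connection gaps measures regularity."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            alerts.append({"rule": "c2_beacon", "src": src, "dst": dst,
                           "interval_s": statistics.mean(gaps)})
    return alerts


def detect_large_transfer(events, threshold_bytes=50_000):
    """Single outbound connection moving more than threshold_bytes (assumed limit)."""
    return [{"rule": "exfil_volume", "src": e["src"], "dst": e["dst"], "bytes": e["bytes"]}
            for e in events if e["kind"] == "conn" and e["bytes"] >= threshold_bytes]


def run_pipeline(raw_lines=WINDOWS_LOGS + FIREWALL_LOGS):
    """Aggregate both sources, normalize, then run every correlation rule."""
    events = [ev for ev in map(normalize, raw_lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    return (detect_brute_force(events) + detect_privilege_escalation(events)
            + detect_beacons(events) + detect_large_transfer(events))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The thresholds (five failures in sixty seconds, four connections with under 10% interval jitter, 50 KB per connection) are deliberately low so the constructed sample triggers every rule; in production they are tuned against the baseline the "performance metrics" row above refers to, and the beacon rule in particular needs a longer observation window than four connections to keep the false-positive rate down.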