
Chapter 14 of 25

Security Operations Foundations: Techniques, Telemetry, and Tooling

Step into day-to-day security operations by surveying the common techniques, tools, and telemetry sources that power monitoring and response.

27 min read

Security Operations in Context

Welcome to Security Operations

Security Operations (SecOps) is where security concepts become continuous monitoring and response. It turns your earlier work on data protection and resilience into daily practice.

Where This Fits in Security+

For SY0-701, this module lives mainly in the Security Operations domain, but also touches General Security Concepts, Threats, Vulnerabilities, and Mitigations, and Security Program Management and Oversight.

What SecOps Does

SecOps continuously collects telemetry, analyzes it, detects suspicious activity, triggers alerts, and guides incident response, feeding lessons learned back into controls and policies.

Why It Matters Today

In modern hybrid environments, SecOps is the glue that protects confidentiality, integrity, and availability in real time and makes business continuity and incident response plans usable.

Core Security Operations Techniques

Log Collection and Centralization

Security Operations starts with collecting and centralizing logs from servers, endpoints, firewalls, IDS/IPS, cloud services, and apps, then normalizing them into a common schema and protecting them from tampering (for example, forwarding them off the originating host to a write-restricted store and checking their integrity).

Correlation

Correlation combines multiple events to reveal patterns. One failed login is normal; many failures from odd locations plus a privilege change in minutes is a correlated, suspicious pattern.

Alerting and Tuning

Correlation rules and signatures trigger alerts, each assigned a severity. Tuning (adjusting thresholds, suppressing known-benign sources, and refining rule logic) reduces both false positives and false negatives so analysts spend their time on genuinely risky activity.

Enrichment and Context

Enrichment adds context like geo-IP, threat intel, asset criticality, and user role. This helps analysts quickly judge whether an alert is serious.

Playbooks and Runbooks

Playbooks describe high-level workflows for incident types; runbooks give step-by-step actions. They connect daily monitoring to structured incident response.

Telemetry 1: System, Application, and Endpoint Logs

What Is Telemetry?

Telemetry is data that describes what is happening in your environment. For Security+, you must recognize key telemetry sources and what each is good for.

Operating System Logs

Windows Event Logs and Linux/Unix logs in `/var/log` record logons, privilege changes, service events, and system errors that help detect misuse and misconfigurations.

Application Logs

Web, database, and custom application logs show authentication attempts, errors, and business actions, helping detect web attacks and abuse of app features.

Endpoint Security Logs

Anti-malware, EDR, and XDR agents report malware detections, suspicious processes, and file integrity changes, which are key signals for spotting lateral movement and ransomware.

Centralizing Logs

These system, app, and endpoint logs are usually forwarded to a central platform like a SIEM. For the exam, know which log type best answers a given investigation question.

Telemetry 2: Network, Cloud, and Identity Signals

Network Telemetry

Network telemetry includes NetFlow/IPFIX, packet captures, firewall logs, and IDS/IPS alerts. It reveals who talked to whom, when, and how, helping spot exfiltration and scans.

Firewall and IDS/IPS Logs

Firewall logs show allowed and blocked connections; IDS/IPS logs show detected attacks. Together they highlight suspicious network behaviors and rule matches.

Cloud Service Logs

Cloud logs track management actions (VMs, roles, keys) and data access (object reads, writes, API calls), helping detect misconfigurations and credential abuse.

Identity and Access Logs

Directory, SSO, and MFA logs record login attempts, MFA challenges, and privilege changes. They are key to spotting account compromise and privilege escalation.

Choosing the Right Telemetry

On exam scenarios, match behavior to telemetry: odd logins → identity logs; mass cloud downloads → cloud audit logs; strange outbound traffic → network flows.

SIEM: The Heart of Centralized Monitoring

What Is a SIEM?

A SIEM is a platform that ingests, normalizes, stores, and analyzes security events from many sources, acting as the heart of centralized monitoring.

Ingestion and Storage

SIEMs collect logs from endpoints, servers, network devices, cloud, and identity systems, normalize them, and store them with indexing and retention policies.
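The normalization and tamper-protection steps described here and under Log Collection and Centralization, as an added example for this chapter (not code from any SIEM vendor). It parses three constructed raw records (a Linux sshd syslog line, a Windows Security logon event flattened to key=value text, and a cloud audit record as JSON) into one common schema, then stores the events in a hash chain so that editing or deleting a stored event is detectable. The field names of the common schema and the chain seed are assumptions chosen for illustration.

```python
"""Normalize three raw log formats into one schema, then hash-chain the result.

Added example for this chapter, not code from any SIEM vendor. The three raw
lines, the field names of the common schema and the chain seed are constructed.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed raw records: a Linux sshd syslog line, a Windows Security event
# flattened to key=value text, and a cloud audit record as JSON.
RAW_LINES = [
    "Mar 10 09:14:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "EventID=4624 TimeCreated=2024-03-10T09:15:30Z Computer=FIN-LT-07 TargetUserName=jdoe IpAddress=198.51.100.20 LogonType=10",
    '{"eventTime":"2024-03-10T09:16:01Z","eventName":"AttachRolePolicy","userIdentity":{"userName":"jdoe"},"sourceIPAddress":"198.51.100.20"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line, year=2024):
    """sshd auth line -> common schema. Syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc).isoformat(), "source": "linux_auth",
            "host": m["host"], "user": m["user"], "src_ip": m["ip"], "action": "logon",
            "outcome": "success" if m["result"] == "Accepted" else "failure"}


def parse_windows_kv(line):
    """Windows logon events 4624 (success) / 4625 (failure) -> common schema."""
    kv = dict(KV_RE.findall(line))
    outcome = {"4624": "success", "4625": "failure"}.get(kv.get("EventID"))
    if outcome is None:
        return None
    return {"ts": kv["TimeCreated"], "source": "windows_security", "host": kv["Computer"],
            "user": kv["TargetUserName"], "src_ip": kv.get("IpAddress", "-"),
            "action": "logon", "outcome": outcome}


def parse_cloud_json(line):
    """Cloud management-plane audit record (JSON) -> common schema."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return {"ts": rec["eventTime"], "source": "cloud_audit", "host": "cloud",
            "user": rec["userIdentity"]["userName"], "src_ip": rec["sourceIPAddress"],
            "action": rec["eventName"], "outcome": "success"}


def normalize(line):
    """Try each parser in turn; unrecognized lines return None instead of raising."""
    for parser in (parse_cloud_json, parse_windows_kv, parse_syslog):
        event = parser(line)
        if event:
            return event
    return None


def chain_events(events, seed="genesis"):
    """Append-only hash chain: each record commits to the previous digest, so
    editing or deleting a stored event breaks verification of everything after it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for ev in events:
        digest = hashlib.sha256((prev + json.dumps(ev, sort_keys=True)).encode()).hexdigest()
        chained.append({"prev": prev, "event": ev, "digest": digest})
        prev = digest
    return chained


def verify_chain(chained, seed="genesis"):
    """Recompute every link; False as soon as a record or its predecessor was altered."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for rec in chained:
        expected = hashlib.sha256((prev + json.dumps(rec["event"], sort_keys=True)).encode()).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expected:
            return False
        prev = rec["digest"]
    return True


if __name__ == "__main__":
    events = [e for e in map(normalize, RAW_LINES) if e]
    chain = chain_events(events)
    print("normalized:", len(events), "events; chain valid:", verify_chain(chain))
    chain[0]["event"]["outcome"] = "success"    # an attacker rewriting their failed logon
    print("after tampering with event 0, chain valid:", verify_chain(chain))
```

The point of the common schema is that a correlation rule written once against `user`, `host`, `src_ip` and `outcome` works regardless of which source produced the event. The hash chain only makes tampering detectable; it does not prevent it, so in practice the chain digests (or the logs themselves) still need to be forwarded to a store the compromised host cannot write to.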

Correlation and Detection

SIEMs run rules and analytics to correlate events, such as failed logins plus new locations plus privilege changes, to detect suspicious patterns.

Alerts, Dashboards, and Reporting

They generate alerts, power dashboards for real-time visibility, and support investigations and compliance reporting by letting analysts pivot across events.

SIEM vs Blocking Tools

Remember: SIEMs focus on centralized log collection, correlation, and alerting. Blocking traffic is the job of firewalls and IPS, not the SIEM itself.

Baselines, Anomalies, and Detection Logic

What Is a Baseline?

A baseline is a documented understanding of what is typical for a system, user, or network, such as normal login hours, traffic levels, or running services.

Anomalies

An anomaly is a deviation from the baseline, like logins from unusual countries or sudden data transfers. It is a signal to investigate, not proof of an attack.

Signature vs Behavior Detection

Signature-based detection matches known patterns; behavior-based or anomaly-based detection looks for unusual activity compared to a baseline.

IoCs and IoAs

Indicators of compromise are artifacts of a likely breach; indicators of attack are behaviors that show an attack is underway, such as repeated privilege escalation attempts.

Why Baselines Matter

Baselines and anomalies help detect new or stealthy threats that signatures miss, especially in complex, changing environments.
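The baseline, anomaly and signature concepts from this section, as an added example (not from any product) run over constructed NetFlow-style summaries. It builds a per-host baseline of hourly outbound bytes, then classifies three constructed current-hour flows: a database server that normally sends almost nothing suddenly pushing gigabytes to an unfamiliar address, a normal web server flow, and a tiny flow to an address on an IoC list. The hourly counts, the known-destination sets, the IoC list and the threshold floor are all constructed assumptions.

```python
"""Baseline, anomaly and signature checks over constructed flow summaries.

Added example for this chapter, not taken from any product. The hourly
byte counts, known destinations, IoC list and thresholds are all constructed.
"""
from statistics import mean, pstdev

# Constructed NetFlow-style history: outbound bytes per hour for the last 12
# hours. db01 is a database server that normally sends almost nothing out.
HISTORY = {
    "db01": [1200, 800, 1500, 950, 1100, 700, 1300, 900, 1000, 1250, 850, 1400],
    "web01": [5_000_000, 6_200_000, 4_800_000, 5_500_000, 7_000_000, 5_100_000,
              6_000_000, 5_800_000, 4_900_000, 6_500_000, 5_300_000, 6_100_000],
}
KNOWN_DESTS = {"db01": {"10.0.0.5"}, "web01": {"198.51.100.20", "203.0.113.44"}}
BAD_IPS = {"203.0.113.250"}          # constructed IoC list; 192.0.2.99 is NOT on it
MIN_THRESHOLD_BYTES = 1_000_000      # tuning floor: a near-silent host is not paged for a 2 KB backup

# Constructed current-hour flows to classify.
CURRENT = [
    {"host": "db01", "dst_ip": "192.0.2.99", "bytes": 3_200_000_000},
    {"host": "web01", "dst_ip": "203.0.113.44", "bytes": 6_300_000},
    {"host": "web01", "dst_ip": "203.0.113.250", "bytes": 4_000},
]


def build_baseline(history, k=3.0, floor=MIN_THRESHOLD_BYTES):
    """Per-host mean and population stdev of hourly outbound bytes. The alert
    threshold is mean + k*stdev, but never below `floor`."""
    baseline = {}
    for host, samples in history.items():
        mu, sigma = mean(samples), pstdev(samples)
        baseline[host] = {"mean": mu, "stdev": sigma, "threshold": max(mu + k * sigma, floor)}
    return baseline


def classify(flow, baseline, known_dests, bad_ips):
    """Return (severity, findings). Signature = match against known-bad IPs;
    anomaly = deviation from the host's own baseline. They fire independently."""
    findings = []
    if flow["dst_ip"] in bad_ips:
        findings.append(("signature", f"destination {flow['dst_ip']} is on the IoC list"))
    b = baseline.get(flow["host"])
    if b is None:
        findings.append(("anomaly", "no baseline for host; cannot judge volume"))
    else:
        if flow["bytes"] > b["threshold"]:
            findings.append(("anomaly", f"{flow['bytes']:,} bytes exceeds threshold {b['threshold']:,.0f}"))
        if flow["dst_ip"] not in known_dests.get(flow["host"], set()):
            findings.append(("anomaly", f"first contact with {flow['dst_ip']}"))
    kinds = [k for k, _ in findings]
    if "signature" in kinds or kinds.count("anomaly") >= 2:
        sev = "high"
    elif kinds:
        sev = "medium"
    else:
        sev = "info"
    return sev, findings


def detect(flows=CURRENT, history=HISTORY):
    """Classify every flow; returns (host, dst_ip, severity, findings) tuples."""
    baseline = build_baseline(history)
    return [(f["host"], f["dst_ip"], *classify(f, baseline, KNOWN_DESTS, BAD_IPS)) for f in flows]


if __name__ == "__main__":
    for host, dst, sev, findings in detect():
        print(f"{sev:6} {host} -> {dst}")
        for kind, why in findings:
            print(f"       [{kind}] {why}")
```

The db01 flow is caught purely by the baseline: its destination is on no IoC list, so signature matching alone would have missed it, which is the point of the Quiz 2 scenario below. The third flow shows the opposite case: a volume far below any threshold that still matters because the destination is a known indicator. The `floor` value is a tuning decision; without it a host whose baseline is a few hundred bytes would alert on every routine update.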

Walkthrough: From Telemetry to Alert to Triage

Scenario Overview

You investigate a potential account compromise in a hybrid environment, combining identity, endpoint, and network telemetry to see the full picture.

Telemetry Collected

Identity logs show failed logins then a success from a new country; EDR logs show suspicious PowerShell; network flows show connections to a known C2 IP.

SIEM Correlation Rule

A SIEM rule links failed and successful logins, suspicious PowerShell, and C2 traffic within 10 minutes, generating a high-severity alert.

Alert Enrichment

The SIEM enriches the alert with asset criticality (Finance laptop) and threat intel (C2 blacklist), helping the analyst prioritize the case.
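The correlation rule and enrichment step of this walkthrough (and the Correlation, Enrichment and SIEM Correlation and Detection sections earlier) as an added example, not code from any SIEM. It runs over constructed, already-normalized events from identity, EDR and flow telemetry: three failed logons, a success from a country outside the user's profile, suspicious PowerShell on the same host, and a flow to an intel-listed IP, all within the 10-minute window. Severity grows with each stage that fires, and enrichment attaches asset criticality and the intel entry. The events, user profiles, asset inventory, threat-intel entry and the 3-failure threshold are constructed assumptions.

```python
"""Correlate identity, EDR and flow events into one enriched alert.

Added example for this chapter (not from any SIEM product). Every event,
profile, asset record and threat-intel entry below is constructed; the
field names, the 10-minute window and the failure threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # correlation window from the walkthrough
MIN_FAILURES = 3                 # tuning knob: below this, a couple of typos are normal
SUSPICIOUS_PS = re.compile(r"powershell(\.exe)?\b.*(-enc\b|-e\b|-nop\b|-w hidden|downloadstring)", re.I)


def ident(ts, user, host, outcome, country, ip):
    return {"ts": ts, "source": "identity", "user": user, "host": host,
            "action": "logon", "outcome": outcome, "country": country, "src_ip": ip}


# Constructed, already-normalized events from three telemetry sources.
EVENTS = [
    ident("2024-03-10T09:00:05Z", "jdoe", "FIN-LT-07", "failure", "BR", "192.0.2.10"),
    ident("2024-03-10T09:00:41Z", "jdoe", "FIN-LT-07", "failure", "BR", "192.0.2.10"),
    ident("2024-03-10T09:01:17Z", "jdoe", "FIN-LT-07", "failure", "BR", "192.0.2.10"),
    ident("2024-03-10T09:02:40Z", "jdoe", "FIN-LT-07", "success", "BR", "192.0.2.10"),
    {"ts": "2024-03-10T09:04:12Z", "source": "edr", "user": "jdoe", "host": "FIN-LT-07",
     "action": "process", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"ts": "2024-03-10T09:05:30Z", "source": "netflow", "user": None, "host": "FIN-LT-07",
     "action": "flow", "dst_ip": "203.0.113.250", "bytes": 48210},
    # Benign noise: two typos then a success from the user's usual country.
    ident("2024-03-10T09:01:00Z", "asmith", "ENG-WS-02", "failure", "US", "198.51.100.5"),
    ident("2024-03-10T09:01:09Z", "asmith", "ENG-WS-02", "failure", "US", "198.51.100.5"),
    ident("2024-03-10T09:01:20Z", "asmith", "ENG-WS-02", "success", "US", "198.51.100.5"),
]
PROFILES = {"jdoe": {"countries": {"US"}}, "asmith": {"countries": {"US"}}}
ASSETS = {"FIN-LT-07": {"owner": "Finance", "criticality": "high"},
          "ENG-WS-02": {"owner": "Engineering", "criticality": "medium"}}
THREAT_INTEL = {"203.0.113.250": "C2 (constructed intel entry)"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, profiles, intel, window=WINDOW, min_failures=MIN_FAILURES):
    """One alert per successful logon that (a) follows >= min_failures failures
    within `window`, (b) comes from a country outside the user's profile, and
    (c) is optionally followed on the same host by suspicious PowerShell and/or
    traffic to an intel-listed destination. Severity grows with each stage."""
    events = sorted(events, key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "identity":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logons in by_user.items():
        for succ in (e for e in logons if e["outcome"] == "success"):
            t_ok = parse_ts(succ["ts"])
            fails = [e for e in logons if e["outcome"] == "failure"
                     and t_ok - window <= parse_ts(e["ts"]) < t_ok]
            known = profiles.get(user, {}).get("countries", set())
            if len(fails) < min_failures or succ["country"] in known:
                continue
            host = succ["host"]
            follow = [e for e in events if e["host"] == host
                      and t_ok <= parse_ts(e["ts"]) <= t_ok + window]
            ps = [e for e in follow if e["source"] == "edr"
                  and SUSPICIOUS_PS.search(e.get("cmdline", ""))]
            c2 = [e for e in follow if e["source"] == "netflow" and e.get("dst_ip") in intel]
            stages = ["brute-force then success from new country"]
            if ps:
                stages.append("suspicious PowerShell on host")
            if c2:
                stages.append("outbound traffic to intel-listed IP")
            alerts.append({"user": user, "host": host, "src_ip": succ["src_ip"],
                           "country": succ["country"], "stages": stages,
                           "severity": ["medium", "high", "critical"][len(stages) - 1],
                           "c2_ips": sorted({e["dst_ip"] for e in c2})})
    return alerts


def enrich(alert, assets, intel):
    """Attach asset criticality and intel context; raise medium to high when the
    host is a high-criticality asset so triage order reflects business impact."""
    asset = assets.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    out = dict(alert, asset=asset, intel={ip: intel[ip] for ip in alert["c2_ips"]})
    if out["severity"] == "medium" and asset["criticality"] == "high":
        out["severity"] = "high"
    return out


def run(events=EVENTS):
    return [enrich(a, ASSETS, THREAT_INTEL) for a in correlate(events, PROFILES, THREAT_INTEL)]


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"].upper(), alert["user"], "@", alert["host"], "->", "; ".join(alert["stages"]))
```

Two things worth noticing: the `asmith` failures never produce an alert because the rule requires both a failure count and a new country, which is what keeps a rule like this quiet on ordinary typos, and dropping the EDR and flow events does not silence the alert, it only lowers its severity, so the identity stage alone is still worth a look when the asset is a Finance laptop.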

Playbook-Driven Triage

Following a playbook, the analyst checks whether MFA was satisfied for the successful logon, isolates the endpoint from the network, forces a password reset, revokes active sessions and tokens, and collects artifacts (process list, PowerShell history, relevant logs) before escalating.

Linking Security Operations to Incident Response

Preparation Phase

SecOps helps prepare by choosing log sources, defining SIEM use cases, building baselines, and writing and testing playbooks and runbooks.

Detection and Analysis

Most SecOps work happens here: tools generate alerts, analysts triage them, confirm incidents, and assess severity and scope.

Containment Actions

SecOps may isolate hosts, disable accounts, or block IPs and hashes to contain incidents, sometimes via automated workflows.

Eradication, Recovery, and Monitoring

During eradication and recovery, SecOps supplies timelines and logs and watches for reinfection or attacker persistence.

Lessons Learned

After incidents, SecOps updates detection rules, baselines, and playbooks and closes telemetry gaps to improve future detection.

Thought Exercise: Choosing Telemetry and Tools

Work through these short scenarios. For each, decide:

  1. Which telemetry source is most helpful.
  2. Which tool is the primary place you would look (e.g., SIEM, EDR dashboard, firewall console, cloud security center).

Write down your answers or say them out loud before checking the hints.

---

Scenario 1: Suspicious data transfer

You receive a report that a file server might be exfiltrating data to the internet. Users say performance is slow, and your ISP notes a spike in outbound traffic.

  • Q1: Which telemetry source do you check first?
  • Q2: Which tool do you primarily use?

Hint: Think about traffic volume and destinations.

---

Scenario 2: Unusual login behavior

HR reports that an employee who is on vacation appears to be accessing payroll data. You want to verify whether their account is active and from where logins are coming.

  • Q1: Which telemetry is key here?
  • Q2: Which tool do you start with?

Hint: Focus on user identity and access.

---

Scenario 3: Web application error spikes

Your public website starts throwing many 500 errors, and you suspect an attack. You need to confirm whether this is a misconfiguration or malicious traffic.

  • Q1: Which logs will give you the most detail?
  • Q2: Which platform or console is your first stop?

Hint: Think about HTTP requests and responses.

After you answer, compare with this solution sketch:

  • Scenario 1: Network flow logs, firewall or network monitoring tool (and SIEM if flows are centralized).
  • Scenario 2: Identity/SSO logs, identity provider or SIEM.
  • Scenario 3: Web server and WAF logs, web server/WAF console or SIEM.

Quiz 1: Techniques and Telemetry

Test your understanding of core Security Operations concepts.

Which scenario BEST illustrates the use of correlation in a SIEM?

  1. Reviewing a single firewall log entry that shows a blocked connection to a known malicious IP.
  2. Automatically quarantining a file on an endpoint when its hash matches a known malware signature.
  3. Generating an alert when a user has multiple failed logins, followed by a successful login from a new country, and then accesses sensitive data within 5 minutes.
  4. Blocking all outbound traffic on TCP port 22 at the perimeter firewall.

Answer: 3) Generating an alert when a user has multiple failed logins, followed by a successful login from a new country, and then accesses sensitive data within 5 minutes.

Correlation combines multiple related events to reveal a pattern that would be missed if each event were viewed in isolation. Option 3 describes combining failed and successful logins, a new country, and rapid access to sensitive data within a time window, which is classic SIEM correlation. Option 1 is a single log entry, option 2 is signature-based endpoint detection, and option 4 is a static firewall rule.

Quiz 2: Baselines, Anomalies, and SIEM Role

Another quick check on detection concepts.

A Security Operations analyst notices that a database server, which normally sends almost no outbound traffic, suddenly begins transmitting large volumes of data to an unfamiliar external IP address. This detection primarily relies on:

  1. Signature-based detection using a known bad IP list.
  2. Anomaly-based detection compared against a baseline of normal behavior.
  3. Host-based firewall rules blocking all outbound connections.
  4. Encrypting the database to protect data at rest.

Answer: 2) Anomaly-based detection compared against a baseline of normal behavior.

The key detail is that the server "normally" sends almost no outbound traffic, but now sends a lot to an unfamiliar IP. That is a deviation from a baseline, so it is anomaly-based detection. Signature-based detection would require the IP to be known bad (not stated), host-based firewall rules are a control, not a detection method, and encryption at rest is unrelated to detecting suspicious outbound traffic.

Key Term Flashcards: Security Operations Foundations

Use these flashcards to reinforce core terms from this module.

Telemetry
Data that describes what is happening in an environment, such as logs, events, and metrics from systems, networks, applications, cloud services, and security tools.
SIEM (Security Information and Event Management)
A centralized platform that ingests, normalizes, stores, correlates, and analyzes security events from multiple sources, generating alerts, dashboards, and reports for Security Operations.
Baseline behavior
A documented understanding of what is typical for a system, user, or network (such as normal login times or traffic levels), used as a reference for detecting anomalies.
Anomaly detection
A detection approach that identifies deviations from established baselines of normal behavior, potentially indicating malicious or risky activity.
Indicator of compromise (IoC)
An artifact or piece of evidence that suggests a system may already be compromised, such as a malicious file hash, known C2 IP address, or suspicious registry key.
Indicator of attack (IoA)
A pattern of behavior that suggests an attack is in progress, such as repeated privilege escalation attempts or lateral movement across hosts.
Playbook
A high-level workflow that describes how to respond to a particular type of security incident, such as phishing or ransomware.
Runbook
A detailed, step-by-step procedure that an analyst follows to carry out specific tasks during monitoring or incident response.
NetFlow/IPFIX
Network telemetry formats that summarize network conversations (source/destination IP, ports, protocol, bytes, timestamps) without capturing full packet contents.
Endpoint Detection and Response (EDR)
Endpoint-focused security tooling that continuously monitors hosts for suspicious activity, records detailed telemetry, and supports detection, investigation, and response actions like isolation.

Key Terms

Runbook
A detailed set of step-by-step instructions for analysts to perform specific operational or incident response tasks.
Playbook
A high-level, structured workflow describing how to respond to a specific type of security incident.
Telemetry
Data that describes what is happening in an environment, including logs, events, and metrics from systems, networks, applications, cloud services, and security tools.
NetFlow/IPFIX
Network flow telemetry formats that record summarized information about network conversations, such as IP addresses, ports, protocol, volume, and timestamps.
False negative
A failure to alert or detect when malicious activity is actually occurring.
False positive
An alert or detection that indicates malicious activity when the underlying behavior is actually benign.
Anomaly detection
A detection method that flags deviations from baseline behavior, which may indicate malicious or risky activity.
Baseline behavior
A documented understanding of normal activity for systems, users, or networks, used as a reference to identify anomalies.
Security Operations
The set of ongoing activities, processes, and tools used to monitor, detect, investigate, and respond to security events and incidents in an organization.
Correlation (in SIEM)
The process of combining multiple events from different sources to identify patterns that indicate security issues.
Indicator of attack (IoA)
Patterns of behavior that suggest an attack is underway, focusing on tactics and techniques rather than static artifacts.
Incident response lifecycle
The structured set of phases used to handle security incidents, commonly including preparation, detection and analysis, containment, eradication, recovery, and lessons learned.
Indicator of compromise (IoC)
Evidence or artifacts that suggest a system may already be compromised, such as malicious hashes, domains, or registry keys.
Endpoint Detection and Response (EDR)
Security technology deployed on endpoints to continuously monitor, detect, investigate, and respond to suspicious activity and threats.
SIEM (Security Information and Event Management)
A centralized platform that ingests, normalizes, stores, correlates, and analyzes security events from multiple sources to support monitoring, alerting, and investigations.
