5.4.2. Monitoring Activities
First Principle: Monitoring activities are the practices that turn raw data collection into security intelligence. Each activity offers a different lens on the environment, and they work together: aggregation feeds alerting, scanning finds what alerting cannot, and archiving keeps both usable later.
Log aggregation: collecting logs from every source (servers, network devices, applications, security tools) into a central platform. Without aggregation, correlating events across systems is impractical, because an analyst would have to pull and line up each host's logs by hand. A SIEM ingests logs via syslog, API connectors, or agent-based forwarders. Centralized logging also preserves evidence: if an attacker compromises a system and wipes its local logs, the copies already shipped to the central repository survive. That protection only holds if forwarding is near real time and the collector is not writable with the compromised host's credentials, so ship logs promptly and give the collector append-only, separately authenticated storage.
Scanning: regular automated assessment of the environment through vulnerability, configuration, and compliance scans. Scans are point-in-time checks that complement continuous monitoring: they catch drift that generates no event on its own, such as a new host, a missing patch, or a setting that was changed and never logged. Credentialed scans give the most thorough results because they authenticate to the target and examine installed software, patch levels, and local configuration files directly, rather than inferring them from network banners and responses.
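A credentialed configuration scan, as an added example that is not part of the original page: it reads an sshd_config-style file the way an authenticated scanner would and checks the effective value of each directive against a hardening baseline. The baseline, the assumed defaults for absent directives, and the sample config are all constructed for illustration and are not a published standard or a real host's settings.

```python
"""Minimal credentialed configuration-compliance check (added example).

Checks an sshd_config-style text against a constructed hardening baseline.
A key detail of credentialed scanning: a directive that is commented out or
absent still has an effective value (the daemon's default), so the scan must
evaluate the effective setting, not just the lines that are present.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: directive -> (required value, value assumed when the
# directive is absent, severity). The defaults are assumptions for this
# example; check the defaults of the sshd version you actually run.
BASELINE: Dict[str, Tuple[str, str, str]] = {
    "PermitRootLogin": ("no", "prohibit-password", "high"),
    "PasswordAuthentication": ("no", "yes", "high"),
    "PermitEmptyPasswords": ("no", "no", "high"),
    "LogLevel": ("VERBOSE", "INFO", "medium"),
    "MaxAuthTries": ("4", "6", "low"),
}

# Constructed sample of what a credentialed scan could read from a host.
# Note the commented-out PasswordAuthentication line: an unauthenticated
# banner grab would never reveal that password logins are still enabled.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
LogLevel INFO
MaxAuthTries 4
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    required: str
    effective: str
    explicit: bool      # False when the effective value comes from the default
    severity: str


def parse_config(text: str) -> Dict[str, str]:
    """Return {directive: value} for non-comment lines.

    The first occurrence of a directive wins, matching sshd's own behaviour.
    Match blocks are not handled; a real scanner must evaluate them too.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def scan(text: str, baseline: Dict[str, Tuple[str, str, str]] = BASELINE) -> List[Finding]:
    """Compare each baseline directive's effective value with the required one."""
    settings = parse_config(text)
    findings: List[Finding] = []
    for directive, (required, default, severity) in baseline.items():
        explicit = directive in settings
        effective = settings.get(directive, default)
        if effective.lower() != required.lower():
            findings.append(Finding(directive, required, effective, explicit, severity))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SSHD_CONFIG):
        source = "set explicitly" if f.explicit else "daemon default"
        print(f"[{f.severity}] {f.directive}: required {f.required!r}, "
              f"effective {f.effective!r} ({source})")
```

On the sample above the scan reports three findings: PermitRootLogin is explicitly "yes", PasswordAuthentication falls back to the assumed default "yes" because the only line setting it is commented out, and LogLevel is "INFO" instead of "VERBOSE". PermitEmptyPasswords is absent but compliant via its default, which is why the check compares effective values rather than flagging every missing directive.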
Reporting: transforming monitoring data into actionable output for different audiences. SOC analysts need operational dashboards showing live alerts; management needs trend reports showing risk posture over time; auditors need compliance reports documenting that controls operate as claimed. The same underlying data serves each purpose, presented at the level of detail the audience can act on.
Archiving: retaining historical monitoring data for forensic investigations, compliance requirements, and trend analysis. Retention periods vary by regulation (PCI DSS requires at least one year of audit-log history with a minimum of three months immediately available for analysis; HIPAA requires six years for its required documentation). Hot storage keeps recent data searchable with low latency; cold storage holds older data at lower cost with slower retrieval. Without proper archiving you cannot investigate an intrusion that began months before it was discovered, which is the common case.
Alerting: automated notification when monitoring data crosses a predefined threshold or matches a known attack pattern. Tuning is critical: rules that are too sensitive produce alert fatigue (analysts buried in false positives stop investigating), while rules that are too loose miss real events. Effective alerting uses tiered severity levels: informational events are logged silently, warnings open tickets, and critical alerts page an analyst immediately. Review the tiers against outcomes, so that a rule which never produced a true positive is loosened and one that fired only after an incident is tightened.
⚠️ Exam Trap: Log aggregation is the foundation of a SIEM. Without centralized log collection you cannot correlate events across systems, so an attack that touches several hosts looks like unrelated low-level noise on each one. And if logs exist only locally, an attacker who compromises the host can tamper with or delete them.
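The aggregation, correlation and tiered alerting described above, as an added example that is not code from the original page: it parses syslog-style lines as a central collector would receive them from several hosts, groups failed logins by source address across all hosts, and assigns a severity tier. It also computes what each host would see on its own, which is the point of the Exam Trap: the same source never trips a threshold on any single host. The hostnames, IP addresses, log lines and thresholds are constructed for illustration.

```python
"""Log aggregation, cross-host correlation and tiered alerting (added example).

The sample lines, hosts, IPs and thresholds below are constructed for
illustration; they are not real traffic or a vendor's rule set.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: RFC 3164-style lines ("MMM DD HH:MM:SS host proc[pid]: msg")
# as a central collector would receive them from three different hosts.
SAMPLE_LOGS = """\
Mar 10 09:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 10 09:01:15 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar 10 09:01:20 db01 sshd[4410]: Failed password for admin from 203.0.113.7 port 51020 ssh2
Mar 10 09:01:22 db01 sshd[4410]: Failed password for admin from 203.0.113.7 port 51021 ssh2
Mar 10 09:01:30 bastion sshd[918]: Failed password for ops from 203.0.113.7 port 51030 ssh2
Mar 10 09:01:31 bastion sshd[918]: Accepted publickey for ops from 198.51.100.5 port 40022 ssh2
Mar 10 09:02:00 web01 sshd[2250]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar 10 09:02:05 web01 sshd[2251]: Failed password for alice from 198.51.100.9 port 40101 ssh2
Mar 10 09:02:09 web01 sshd[2252]: Accepted password for alice from 198.51.100.9 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse(lines: str) -> List[Dict[str, str]]:
    """Normalise raw lines into events with host and message fields."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsable lines; never drop them silently
        events.append(m.groupdict())
    return events


def correlate(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group failed logins by source IP across ALL hosts.

    This is the view only a central repository can give: count, distinct
    target hosts and distinct target users per source address.
    """
    by_ip: Dict[str, dict] = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for e in events:
        f = FAILED_RE.search(e["msg"])
        if not f:
            continue
        s = by_ip[f["ip"]]
        s["count"] += 1
        s["hosts"].add(e["host"])
        s["users"].add(f["user"])
    return dict(by_ip)


def classify(summary: dict) -> str:
    """Constructed tiers: critical pages on-call, warning opens a ticket, info is logged only."""
    if summary["count"] >= 5 and len(summary["hosts"]) >= 3:
        return "critical"
    if summary["count"] >= 3 or len(summary["hosts"]) >= 2:
        return "warning"
    return "info"


def alerts(lines: str) -> Dict[str, str]:
    """Severity tier per source IP, computed over the aggregated logs."""
    return {ip: classify(s) for ip, s in correlate(parse(lines)).items()}


def per_host_max(lines: str) -> Dict[str, int]:
    """What each host would see alone: the largest single-host failure count per source IP."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in parse(lines):
        f = FAILED_RE.search(e["msg"])
        if f:
            counts[f["ip"]][e["host"]] += 1
    return {ip: max(hosts.values()) for ip, hosts in counts.items()}


if __name__ == "__main__":
    for ip, tier in alerts(SAMPLE_LOGS).items():
        print(f"{ip}: {tier} (max seen by any single host: {per_host_max(SAMPLE_LOGS)[ip]})")
```

On the sample, 203.0.113.7 fails five times across three hosts and is classified critical, yet no single host ever sees more than two failures from it, so a per-host rule with a threshold of three would stay silent everywhere. 198.51.100.9 produces two failures followed by a successful password login on one host and stays informational; an analyst tuning the rules might reasonably decide that pattern deserves a warning instead, which is the kind of threshold adjustment alert tuning consists of.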
