Domain 4 of 5 · Chapter 4 of 9

Alerting and Monitoring

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Monitoring resources and the activity pipeline
  • SIEM: aggregation, correlation, and alerting
  • Sensors and standards: AV, DLP, scanners, SCAP, SNMP, NetFlow
  • Exam-pattern recognition for alerting and monitoring

Monitoring tools: what each one watches and what it emits

ToolWhat it monitorsOutput / signalExam tell
SIEMAggregated logs from all sourcesCorrelated alerts across systemsConnect events across many sources → SIEM
Antivirus / EDR agentEndpoint files and processesMalware detection / quarantineKnown/behavioral malware on a host
DLPData in use, in motion, at restBlock or alert on data exfiltrationSensitive data leaving the org
Vulnerability scanner (SCAP)Host config and software flawsFindings vs. benchmark baselineStandardized, automatable config/flaw checks
SNMP (traps)Device health and statusPush notification of notable eventsUp/down and performance health of gear
NetFlowTraffic flow metadataWho-talked-to-whom and volumeConversation/volume analysis, not payload

Decision tree

Need to correlate signals across many sources? Yes SIEM aggregate + correlate + alert No, single signal What is the signal about? data / host config / device / traffic Sensitive data leaving DLP use / motion / rest Host config vs. baseline SCAP scanner checks CIS benchmark Device or traffic? Device health or flow volume? Health / status push SNMP trap unsolicited event push Who/how much NetFlow flow metadata Always: aggregate logs off-host and tune alerts to cut false positives no host software allowed = agentless; validated alert = quarantine + remediate

Cheat sheet

  • Monitoring covers systems, applications, and infrastructure
  • Monitoring runs as a pipeline: aggregate, alert, respond
  • A SIEM is centralized logging for many log types
  • Only the SIEM correlates events across multiple sources
  • Cure alert fatigue with tuning, never by silencing the alert
  • Tuning trades false positives against false negatives
  • A validated alert leads to quarantine and remediation
  • Centralized off-host logging survives an attacker's log wipe
  • ISCM is ongoing awareness frequent enough for risk decisions
  • Agents give depth; agentless gives reach
  • Can't install software on the device, so go agentless
  • Antivirus and EDR monitor endpoint files and process behavior
  • SCAP standardizes how flaw and config data is expressed
  • A benchmark is the hardened baseline SCAP checks a system against
  • SNMP monitors device health; a trap pushes an event unsolicited
  • Scanning surfaces findings; vulnerability management acts on them
  • Normalization unifies log schemas before correlation can run
  • Syslog forwards events to a central collector on UDP 514

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification
  2. NIST SP 800-92, Guide to Computer Security Log Management Whitepaper
  3. Information security continuous monitoring (CSRC glossary)
  4. Security information and event management (CSRC glossary)
  5. Data loss prevention (CSRC glossary)
  6. Security content automation protocol (CSRC glossary)