Logging & Monitoring
From events to detection: the log-and-monitor pipeline
An organization can log exhaustively and still detect nothing, because logging only records and monitoring is the review that never ran: logs piling up unread are the most common detective-control failure. That gap is the spine of this subtopic. Treating logging and monitoring as one pipeline that turns raw events into timely detection, it defines each stage, separates the two terms, and names the controls that protect the record itself, the frame every mechanism later on this page plugs into.
One model: a pipeline that turns events into signal
Everything in this subtopic is one pipeline. An event happens; a log records it; the records are centralized; a tool correlates and analyzes them; analysis produces detection, an alert; and a human or automated control acts on it in response. Hold that pipeline in mind, because each named technology below is just a stage in it. Logging is the recording step (writing the event down); monitoring is the continuous review of those records and live telemetry to spot conditions that matter. The two are often said together but are not synonyms: an organization can log exhaustively and still detect nothing if no one reviews the records. Logs that accumulate unread are the most common detective-control failure, because the control that was supposed to catch the attack (review) never ran.
Centralize, then protect the record
Logs left on the host that generated them are deleted or altered the instant that host is compromised: an attacker's first move is often to clear the local log. The durable practice is to forward logs off-box to a central, access-controlled store as close to real time as possible. NIST SP 800-92, the Guide to Computer Security Log Management, frames this as the core problem: organizations must ensure logs are collected, stored, and protected so they remain available and trustworthy[1]. Centralization buys two things at once: the record survives the compromise of any single host, and events from many sources can finally be read together. To defend the record's integrity, a central store is commonly write-once or append-only so that even an admin (or an intruder with admin) cannot rewrite history.
Synchronized time makes correlation possible
Correlation (reading several sources side by side to reconstruct what happened) depends entirely on a shared clock. If two systems' timestamps disagree, no tool can correctly order their events, and the true sequence of an attack is lost. The control is to synchronize every device to a common time source using the Network Time Protocol (NTP). This is foundational, not cosmetic: without it the same incident appears as unrelated events scattered across an incoherent timeline, and the logs are far weaker as forensic evidence because their ordering cannot be trusted.
Retention answers "how long must we keep it"
Log retention is set by the longest applicable requirement (regulation, contract, and the organization's own incident-investigation needs) because many intrusions are discovered months after the initial breach, and a log already rotated away cannot be investigated. Retention is a policy decision (driven by Security Risk Management), but it lands here as the parameter that decides whether the evidence still exists when you need it.
Detection methods and the engines that run them
Every detector chooses between matching the known (signatures) and modeling the normal (anomaly/behavior), and that single choice determines its strengths and blind spots wherever it appears. Building on the centralized-logs pipeline, the methods here turn those logs and live traffic into alerts, and the devices below are where each method gets applied.
Signature-based vs. anomaly/behavior-based
Signature-based detection compares activity against a database of known-bad patterns: a malware hash, an exploit's packet shape, a known-malicious URL. It is precise and low-noise for threats already in the database, but it is structurally blind to anything novel: a zero-day or a never-seen variant has no signature, so it sails past. Anomaly-based (also called behavior-based) detection instead learns a baseline of normal first, then flags statistically significant deviations from it. That lets it catch unknown attacks (its whole point), but it pays for that with false positives when legitimate activity drifts outside the baseline. The trade-off is symmetric and is the most-tested idea in this subtopic: signatures miss the unknown; anomaly detection raises false alarms. When a stem asks how to detect a previously unseen attack, the answer is on the anomaly/behavior side.
IDS vs. IPS: detect-and-alert vs. inline-and-block
An Intrusion Detection System (IDS) observes traffic or host activity and raises an alert. It is a detective control that does not itself stop the attack. An Intrusion Prevention System (IPS) sits inline in the traffic path, so it can drop or reset a malicious connection in real time, making it a preventive control. NIST SP 800-94, the Guide to Intrusion Detection and Prevention Systems, treats the two together as IDPS because most modern products do both detection and prevention[2]. Placement is the entire distinction and the source of the trade-off: an IDS can tap a passive span/mirror port out of band, where a failure or false positive harms nothing, but an IPS must be inline, so a false positive or an IPS outage can now block legitimate traffic. That is the price of being able to stop an attack rather than merely report it.
Network-based vs. host-based sensors
Where a sensor lives decides what it can see. A network IDS/IPS (NIDS/NIPS) inspects traffic on a segment and catches attacks crossing the wire, but it is blind inside an encrypted tunnel and to anything that never leaves the host. A host IDS/IPS (HIDS/HIPS) runs on the endpoint and sees local file changes, process behavior, and post-decryption activity, but only for that one machine. Each covers the other's blind spot, so defense in depth places network sensors at chokepoints and host sensors on critical systems rather than choosing one.
SIEM: the correlation engine
A Security Information and Event Management (SIEM) platform is the analysis stage of the pipeline. It aggregates logs from many sources into one place, normalizes them into a common format, and correlates them with rules so that events which look innocuous individually (a failed login here, a firewall deny there, a privilege change elsewhere) combine into one high-fidelity alert. Its value is precisely the centralized, cross-source view: a SIEM reconstructs the attack timeline that no single host log reveals, which is why it depends utterly on the NTP-synchronized clocks from the first section. SIEM correlation rules themselves are usually signature-style (known patterns); newer platforms add anomaly analytics, which is where UEBA enters.
UEBA: anomaly detection for identities
User and Entity Behavior Analytics (UEBA) applies the anomaly method to identities. It builds a behavioral baseline per user and per entity (servers, devices, service accounts) and flags statistically significant deviations: a sudden mass download, a login at an unusual hour from a new location, lateral movement a user has never performed. This is the answer for a compromised credential or a malicious insider whose individual actions are all authorized but whose pattern is abnormal. Signature tools miss this case entirely because no malware is involved: the account is legitimate; only its behavior is wrong.
Continuous monitoring, egress monitoring, and threat intelligence
Three program-level activities the blueprint names sit above the detection methods: keeping security state continuously visible, watching what leaves the boundary, and feeding the whole machine with adversary knowledge.
Continuous monitoring (ISCM)
Information Security Continuous Monitoring (ISCM) is, per NIST SP 800-137, maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions[3]. It replaces the once-a-year audit snapshot with persistent visibility, so that authorization and risk decisions rest on current data rather than a stale report. The distinction the exam tests: logging and monitoring are the data sources (the events and alerts) while ISCM is the governance program that consumes them to track control effectiveness, new vulnerabilities, and configuration drift as they happen. ISCM is why a control that quietly stops working between audits gets caught in days, not at the next yearly assessment.
Egress monitoring and DLP
Most monitoring instinctively watches inbound threats, but in a breach the loss event is data flowing out, so egress monitoring inspects outbound traffic, and Data Loss Prevention (DLP) inspects it specifically for sensitive content leaving the boundary. The diagram below walks the egress inspection path: outbound traffic reaches the egress point, and because DLP can only act on content it can read, an encrypted flow must first be decrypted before inspection can decide its fate. DLP enforces at three states: data in motion (network egress), data in use (endpoints), and data at rest (storage). The decisive constraint is that read step: strong end-to-end encryption or an unrecognized format defeats inspection. That is why network DLP typically performs TLS termination/decryption at the egress point before examining the payload: without it, an encrypted exfiltration channel passes uninspected. Egress filtering (allowing only expected destinations and protocols outbound) complements DLP by limiting command-and-control channels and blocking traffic to unexpected destinations.
Threat intelligence: feeds, IOCs, TTPs, and hunting
Threat intelligence is curated, contextual knowledge about adversaries that sharpens every detector by telling it what to look for. Threat feeds deliver two kinds of knowledge with very different shelf lives. Indicators of Compromise (IOCs) are observable artifacts (malicious IPs, file hashes, domains) that are easy to load into a SIEM or IDS but trivially changed by the attacker, so they go stale fast. Tactics, Techniques, and Procedures (TTPs) describe how an adversary operates (the MITRE ATT&CK knowledge base[4] catalogs them) and are far more durable because an attacker cannot change their fundamental behavior as cheaply as they rotate an IP. The practical rule: detection built on TTP behavior is more resilient than detection chasing individual IOCs.
Threat hunting is the proactive, human-led search for adversaries already inside the environment who slipped past automated detection. The hunter starts from a hypothesis ("if an attacker were using this technique, here is the trace it would leave") and queries the centralized logs to confirm or refute it, rather than waiting for an alert to fire. Hunting assumes compromise has already happened and looks for it; it is the human counterpart to the automated pipeline, and it leans on TTP-level intelligence precisely because behavior is what survives the attacker's evasion.
Exam-pattern recognition
CISSP dresses the methods and programs above in recurring question stems, each with one right answer and distractors that fail for a nameable reason.
Pattern 1: detect a previously unseen attack
A stem describes a novel or zero-day attack with no existing signature and asks which method detects it. The answer is anomaly/behavior-based detection (or UEBA when the scenario centers on a user or account), because it models normal and flags deviation. The trap is signature-based detection: it is precise for known threats but structurally blind to anything new. A signature for an attack nobody has seen yet does not exist.
Pattern 2: detect vs. prevent (IDS vs. IPS)
A stem hinges on whether the control must block the attack or merely report it. If it must drop/reset the connection in real time, the answer is an inline IPS (preventive). If it observes and alerts without stopping the traffic, it is an IDS (detective). The trap is choosing an IPS where the scenario can only tolerate alerting: an IPS is inline, so its false positive or outage can sever legitimate traffic; conversely, expecting an out-of-band IDS to stop an attack is wrong, because it has no inline position from which to block.
Pattern 3: the compromised insider
A stem describes a legitimate user whose actions are individually authorized but collectively abnormal: a mass download, off-hours access from a new location, lateral movement they have never done. The answer is UEBA, which baselines identity behavior and flags the deviation. The trap is reaching for signature-based tools or antivirus: no malware is present, the credentials are valid, so signature matching sees nothing wrong. This is exactly the case anomaly-on-identities was built for.
Pattern 4: why correlation failed
A stem describes a SIEM that cannot reconstruct an incident's timeline, or events that appear unrelated across systems. The root cause to recognize is clock skew (devices were not time-synchronized) and the fix is NTP to a common source. The trap is blaming the SIEM's rules or log volume; without synchronized timestamps, no correlation engine can order cross-source events correctly.
Pattern 5: stopping exfiltration
A stem about sensitive data leaving the organization points to egress monitoring with DLP. If the twist is that the outbound channel is encrypted and DLP sees nothing, the missing step is TLS termination/decryption at the egress point so the inspector can read the payload: DLP acts only on content it can read. The trap is assuming DLP inspects encrypted traffic transparently, or treating inbound firewall rules as a substitute for outbound inspection.
Pattern 6: scope boundaries CISSP loves
This subtopic owns the monitoring activity. If a stem is really about acting on an alert (containment, eradication, recovery) that is Incident Management. If it is about selecting and placing the appliances (firewall, IPS, honeypot) as a control set, that is Detective & Preventive Controls. If it is about forensically examining seized evidence with chain of custody, that is Investigations. If it is about scanning for and remediating weaknesses, that is Patch & Vulnerability Management. Match the question to the layer it actually tests rather than the nearest familiar keyword.
Detection methods and where they apply
| Dimension | Signature-based | Anomaly / behavior-based | UEBA |
|---|---|---|---|
| Detects by | Matching known-bad patterns in a database | Deviation from a learned baseline of normal | Deviation from a per-user/entity behavioral baseline |
| Catches unknown attacks | No: blind to anything with no signature | Yes: flags novel deviations | Yes: for identity-driven anomalies |
| False positives | Low: precise for known threats | Higher: legitimate drift looks anomalous | Higher: tuned to user/entity norms |
| Best at catching | Known malware, known exploit traffic | Zero-days, novel attack patterns | Compromised credentials, malicious insiders |
| Typical home | IDS/IPS, antivirus, SIEM rules | IDS/IPS anomaly engines, NDR | SIEM/identity analytics layer |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Logging records events; monitoring is the review that turns them into detection
Logging writes an event down when it happens, while monitoring is the continuous review of those records and live telemetry to spot what matters: the two form a pipeline, not a synonym pair. Logs that accumulate without anyone analyzing them are the most common detective-control failure, because the control that was supposed to catch the attack (review) never actually runs. The whole subtopic exists to extract signal from logs, so every tool here is a way to analyze records rather than to generate more of them.
Trap Treating exhaustive logging as detection on its own. Collection without review detects nothing.
- Centralize logs off the host so a compromise cannot erase the evidence
Logs left on the host that generated them are deleted or altered the moment that host is compromised, so forward them to a central, access-controlled store as close to real time as possible. Centralization also enables correlation: an event that looks innocuous in one server's log is obvious when many sources are read together. NIST SP 800-92 frames this as the core of security log management, and a write-once or append-only store further protects the record so even an intruder with admin rights cannot rewrite history.
Trap Leaving logs only on the originating host because they are also forwarded later in batch, giving an attacker a window to wipe them before they ship.
- Synchronize all clocks with NTP, or correlation and forensic ordering break
Every correlation depends on a shared, trustworthy clock, so synchronize all devices to a common time source using the Network Time Protocol (NTP). If two systems' timestamps disagree, no SIEM can correctly order their events and the true sequence of an attack is lost. Skewed clocks also weaken logs as forensic evidence because the ordering of records cannot be trusted.
Trap Blaming a SIEM's correlation rules for an incoherent timeline when the real cause is unsynchronized clocks.
- Signature detection catches known threats but is blind to anything novel
Signature-based detection matches activity against a database of known-bad patterns (hashes, exploit packet shapes, malicious URLs), making it precise and low-noise for known threats. Its structural weakness is that a zero-day or never-seen variant has no signature, so it passes straight through. Reach for anomaly/behavior-based detection instead when the threat may be previously unseen.
Trap Choosing signature-based detection to catch a zero-day. No signature exists yet for an attack nobody has seen.
- Anomaly detection catches the unknown by modeling normal, at the cost of false positives
Anomaly- (behavior-) based detection first learns a baseline of normal, then flags statistically significant deviations from it, which lets it catch novel attacks that no signature covers. The trade-off is false positives: legitimate activity that drifts outside the baseline triggers alerts that must be tuned out. This is the right side of the signature-vs-anomaly choice whenever a stem says 'detect a previously unseen attack.'
Trap Picking anomaly-based detection for its low false-positive rate, when its strength is catching the unknown and it actually generates more false positives than signature matching, not fewer.
- An IDS detects and alerts; an IPS sits inline and can block
An Intrusion Detection System (IDS) observes activity and raises an alert (a detective control that does not stop the attack) while an Intrusion Prevention System (IPS) sits inline in the traffic path and can drop or reset malicious connections, making it a preventive control. The placement is the whole difference: an IDS can tap a passive span/mirror port out of band, but an IPS must be inline, so a false positive or outage in an IPS can break legitimate traffic. NIST SP 800-94 treats them together as IDPS because most products now do both.
Trap Expecting an out-of-band IDS to stop an attack. It only alerts; only an inline IPS can block.
- NIDS sees the wire, HIDS sees the host, so critical environments run both
A network IDS/IPS (NIDS/NIPS) inspects traffic on a segment and catches attacks crossing the wire, but is blind inside encrypted tunnels and to activity that never leaves the host. A host IDS/IPS (HIDS/HIPS) runs on the endpoint and sees local file changes, process behavior, and post-decryption activity, but only for that one machine. Because each covers the other's blind spot, defense in depth places network sensors at chokepoints and host sensors on critical systems rather than choosing one.
Trap Relying on a NIDS alone to detect an attack inside an encrypted session or one confined to the host, where only a HIDS can see it.
- A SIEM aggregates and correlates logs so scattered events become one alert
A Security Information and Event Management (SIEM) platform aggregates logs from many sources, normalizes them to a common format, and correlates them with rules so individually innocuous events combine into one high-fidelity alert. Its value is the centralized cross-source view that reconstructs an attack timeline no single host log reveals, which is exactly why it depends on NTP-synchronized clocks. SIEM correlation rules are usually signature-style, with anomaly analytics (UEBA) layered on for behavioral detection.
Trap Treating a SIEM as a detection engine that finds threats on its own, when its value is correlating the logs other tools generate and its rules are only as good as the sources and clocks feeding it.
9 questions test this
- A security operations manager at a retailer must satisfy auditors who require that authentication events, firewall denials, and endpoint…
- An organization's SIEM ingests logs from multiple sources including vulnerability scanners, patch management systems, and endpoint…
- A security operations team is implementing a SIEM solution to correlate vulnerability scanner data with security events. They want to…
- A security analyst at a manufacturing firm is investigating signs of a stealthy intrusion in which the attacker's individual actions each…
- An organization is implementing a SIEM solution to centralize security monitoring. The security team discovers that firewall logs use…
- An organization has deployed multiple honeypots across different network segments and wants to leverage the collected data for proactive…
- During the implementation of a SIEM solution, the security team discovers that logs from different network devices use inconsistent field…
- A security administrator is configuring a new SIEM solution and notices that firewall logs use a different timestamp format than Windows…
- A SIEM analyst observes that a single user account generated failed login attempts from three different geographic locations within a…
- UEBA detects the compromised insider by baselining behavior, not matching signatures
User and Entity Behavior Analytics (UEBA) builds a behavioral baseline per user and per entity (servers, devices, service accounts) and flags significant deviations: a mass download, an off-hours login from a new location, lateral movement never seen before. It is the answer for a compromised credential or malicious insider whose individual actions are authorized but whose pattern is abnormal. Signature tools miss this because no malware is involved; the account is legitimate, only its behavior is wrong.
Trap Reaching for antivirus or signature tools against a compromised valid account. No malware is present, so they see nothing wrong.
- Egress monitoring and DLP watch what leaves, because exfiltration is the loss event
Most monitoring focuses inbound, but the damage in a breach happens when data flows out, so egress monitoring and Data Loss Prevention (DLP) inspect outbound traffic for sensitive content. DLP enforces across data in motion (network), data in use (endpoints), and data at rest (storage). Egress filtering, allowing only expected destinations and protocols outbound, complements DLP by limiting command-and-control channels and blocking traffic to unexpected destinations.
Trap Concentrating monitoring and firewall rules on inbound traffic, leaving outbound exfiltration and command-and-control channels unwatched.
- DLP only acts on content it can read, so network DLP must decrypt TLS first
DLP can inspect only content it can actually read, so strong end-to-end encryption or an unrecognized format defeats inspection entirely. That is why network DLP typically performs TLS termination/decryption at the egress point before examining the payload. Without it, an encrypted exfiltration channel passes uninspected. This makes decryption infrastructure, not the DLP engine itself, the usual missing piece when sensitive data still leaks.
Trap Assuming DLP transparently inspects encrypted traffic. It cannot read the payload until TLS is terminated and decrypted.
- Continuous monitoring (ISCM) replaces the annual snapshot with ongoing awareness
Information Security Continuous Monitoring (ISCM), defined in NIST SP 800-137, is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions. It replaces the once-a-year audit snapshot so authorization decisions rest on current data and control drift is caught in days rather than at the next assessment. Logging and monitoring are the data sources; ISCM is the governance program that consumes them.
Trap Reading 'continuous' as fully automated and tool-only, when ISCM is a governance program that consumes monitoring data to drive risk decisions, not just a real-time scanner.
- IOCs are easy to load but go stale; TTPs are durable, so hunt on behavior
Threat feeds deliver Indicators of Compromise (IOCs), malicious IPs, file hashes, domains, that are easy to load into a SIEM or IDS but trivially changed by the attacker, so they go stale fast. Tactics, Techniques, and Procedures (TTPs), catalogued in frameworks like MITRE ATT&CK, describe how an adversary operates and are far more durable because behavior cannot be rotated as cheaply as an IP. Detection built on TTP behavior is therefore more resilient than detection chasing individual IOCs.
Trap Relying solely on IOC feeds for detection. Attackers change indicators trivially, so IOC-only detection ages out quickly.
- Threat hunting is the proactive, hypothesis-driven search for an attacker already inside
Threat hunting is the human-led search for adversaries who already slipped past automated detection, starting from a hypothesis ('if an attacker used this technique, here is the trace it would leave') and querying centralized logs to confirm or refute it. It assumes compromise has already happened rather than waiting for an alert to fire, which makes it the human counterpart to the automated pipeline. Hunting leans on TTP-level intelligence because behavior is what survives an attacker's evasion of indicator-based controls.
Trap Treating threat hunting as waiting for and triaging the alerts the SIEM fires, when it is a proactive hypothesis-driven search that assumes the alert never came.
- Threat intelligence is contextual adversary knowledge that tells detectors what to look for
Threat intelligence is curated, contextual knowledge about adversaries, delivered through threat feeds, that sharpens every detector by supplying what to watch for. It is the input layer to the SIEM and IDS, not a detection method itself: feeds carry both IOCs and TTPs. Good intelligence is timely and relevant to the organization's actual threat landscape, not just a raw firehose of indicators.
Trap Treating threat intelligence as a detection control in its own right, when it is the input that sharpens the SIEM and IDS rather than a tool that fires alerts itself.
- Set log retention by the longest applicable requirement, since breaches surface late
Log retention is driven by the longest of the applicable requirements (regulation, contract, and the organization's own investigation needs) because many intrusions are discovered months after the initial breach. A log already rotated away cannot be investigated, so under-retaining destroys evidence you may not know you need yet. Retention is a policy decision that lands in monitoring as the parameter deciding whether the evidence still exists when an incident is found.
Trap Setting retention to the shortest period that satisfies any single regulation, when the controlling figure is the longest of all applicable legal, contractual, and investigative needs.
- Protect log integrity with write-once storage so the record itself is trustworthy
Logs are only useful as evidence if they have not been tampered with, so a central log store is commonly write-once or append-only to prevent alteration even by an administrator or an intruder with admin rights. Integrity protection is what lets a SIEM alert and a forensic timeline be trusted, since an attacker's first move is often to edit or clear logs. This complements centralization: moving logs off-box keeps them, and write-once storage keeps them honest.
Trap Assuming restrictive file permissions or admin-only access protect log integrity, when a privileged admin or an intruder with those rights can still alter them and only write-once/append-only storage prevents it.
- Match DLP inspection to the data: exact data match for known DB values, corroborating context to cut false positives
Exact data match (EDM) compares content against actual values in a sensitive-source table, so it reliably catches specific records (a known SSN, medical-record number, or patient name) that pattern matching would miss. To suppress false positives on generic patterns like an SSN regex, require supporting evidence in proximity (keywords, corroborating identifiers, or a higher confidence threshold) so a match only fires with real context.
Trap Plain regex/pattern matching (or 'keyword only') flags every nine-digit number; it neither pins to known records like EDM nor carries the context that kills false positives.
4 questions test this
- A security administrator is implementing a DLP solution to protect patient health records. The organization maintains a database containing…
- A security analyst is configuring a DLP solution to protect sensitive patient records at a healthcare organization. The organization needs…
- An organization is experiencing a high false positive rate with their DLP policies that detect Social Security Numbers. Many legitimate…
- An organization is configuring DLP content inspection policies to detect protected health information. The security team wants to minimize…
- Cut alert fatigue by continuously tuning detections to the environment's baseline, not by disabling them
A flood of benign alerts buries real intrusions, so the durable fix is continuous tuning of detection rules and thresholds against the organization's normal baseline. Specific levers: granular per-protocol allowlists/whitelists for known-benign activity, entity exclusions for a specific service account that generates legitimate noise (while still detecting the same behavior from other accounts), and risk-based prioritization so the highest-criticality alerts surface first. The goal is a better signal-to-noise ratio with detection capability intact.
Trap Turning off a noisy rule entirely. That restores quiet by creating a blind spot; tune or scope the exclusion instead.
4 questions test this
- A security analyst notices that the organization's IPS is blocking legitimate business transactions, causing customer complaints. The…
- A security analyst notices that a SIEM analytics rule is generating numerous false positive alerts for a specific service account that…
- A security operations team is experiencing alert fatigue from their SIEM deployment. Many alerts for patch compliance violations are being…
- A SOC manager at an insurance company finds that analysts are overwhelmed by a high volume of detection alerts, the vast majority of which…
Also tested in
References
- NIST SP 800-92: Guide to Computer Security Log Management Whitepaper
- NIST SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS) Whitepaper
- NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations Whitepaper
- MITRE ATT&CK: knowledge base of adversary tactics and techniques (TTPs) Community