~/root@quiz $ cat guides/monitoring-ir.md

Network Monitoring & Incident Response

Detecting a threat is only half the job. Let's look at how security teams actually watch a network around the clock, and what happens the moment something goes wrong.


The control room: SOC and SIEM

Picture a security team trying to watch thousands of devices, each generating thousands of log entries an hour. No human could read all of that in real time — which is exactly the problem a Security Information and Event Management (SIEM) system solves. A SIEM pulls in logs and events from across an entire organization, aggregates them into one place, and applies rules to highlight what actually matters, so a human only has to look at the alerts that rise to the top.

The team that watches those alerts and responds to them is the Security Operations Center (SOC) — think of it as mission control for an organization's security. Popular SIEM platforms you'll hear about constantly in the field include Splunk, IBM QRadar, and the free, open-source Security Onion distribution, which bundles several open-source tools together into one ready-to-use monitoring platform.

Meet the open-source watchdogs

A handful of open-source tools show up over and over in this field, and each one has a slightly different specialty worth remembering:

Notice the pattern: Snort and Suricata watch the network, OSSEC watches individual hosts. That distinction — network-based versus host-based — is one of the most frequently tested ideas in this entire subject, so it's worth locking in early.

From alerts to action: EDR, XDR, and SOAR

Detecting something suspicious is step one. What happens next is where these three acronyms come in, and they build on each other:

A playbook, by the way, is exactly what it sounds like — a documented, step-by-step procedure for handling a specific type of incident, so that response doesn't depend on whoever happens to be on shift improvising under pressure.

The problem every SOC fights: alert fatigue

Here's an uncomfortable truth about monitoring: more alerts isn't automatically better. When a system generates too many alerts — especially low-value or repetitive ones — analysts start to tune them out. This is called alert fatigue, and it's genuinely dangerous, because the one alert that matters can get lost in a sea of noise, the same way a car alarm going off constantly in a parking lot eventually gets ignored by everyone nearby, real theft or not.

This is why setting a good threshold (the value that actually triggers an alert) and carefully designing use cases (specific, well-defined scenarios a detection rule is built to catch) matters just as much as having powerful tools in the first place. A SIEM full of noisy, poorly tuned rules is often worse than no SIEM at all.
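To make the threshold and use-case idea concrete, here is an added example that is not part of this guide: a brute-force use case run over a small constructed sshd-style log, comparing an untuned rule that fires on every failed login with a rule that fires once per source and account when a threshold is reached inside a time window. The log lines and the function names (SAMPLE_LOG, naive_rule, brute_force_rule) are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample sshd-style auth log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:03 sshd[102]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:05 sshd[103]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:06 sshd[104]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:08 sshd[105]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:09 sshd[106]: Accepted password for alice from 10.0.0.5
2024-05-01T09:15:00 sshd[107]: Failed password for bob from 10.0.0.7
2024-05-01T10:40:00 sshd[108]: Failed password for bob from 10.0.0.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\w+) from (?P<src>[\d.]+)$")

def parse_events(text):
    """Normalize raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def naive_rule(events):
    """Untuned rule: one alert per failed login. This is the noise behind alert fatigue."""
    return [e for e in events if e["result"] == "Failed"]

def brute_force_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Tuned use case: alert once when a single source reaches `threshold`
    failures against one account inside `window`; isolated failures stay silent."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        if e["result"] != "Failed":
            continue
        q = recent[(e["src"], e["user"])]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()  # one burst raises one alert, not one per extra failure
    return alerts
```

On this sample the untuned rule raises seven alerts while the tuned rule raises one for alice's burst and none for bob's two failures spread over an hour; lowering the threshold to 2 doubles the alerts for the same burst, which is the tuning trade-off the text describes.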

Watching for the human anomaly: UEBA

Not every threat looks like malware — sometimes it's a legitimate account behaving strangely, like an employee suddenly downloading massive amounts of data at 3 AM. User and Entity Behavior Analytics (UEBA) builds a behavioral baseline for users and devices, then flags activity that doesn't match — catching compromised accounts and insider threats that traditional signature-based tools would completely miss, because technically, that account really did have valid credentials.


Key takeaways
