Data sources encountered during my SecOps career
During my SecOps career I monitored event logs from multiple vendors. Below are concise notes on a few common sources I worked with.
Uncategorised
- Details
- Category: Uncategorised
- Hits: 129
What I bring to your security operations function
- Security Information and Event Management
- High-fidelity detections & meaningful dashboards
- Endpoint Detection and Response
- Deploying, tuning and responding on endpoint telemetry
- Extended Detection and Response
- Correlating endpoint, identity, email and cloud signals
- Cloud Native Application Protection Platform
- Securing modern development pipelines
- Vulnerability Management
- Prioritizing and driving remediation of real risk
- Mobile Device Management
- Securing laptops and mobiles with policy & compliance
- IT Asset Management
- Maintaining accurate inventories to support SecOps decisions
- Patch Management
- Coordinating timely updates to reduce exploitable surface
- Application Security
- Integrating security into the software development lifecycle
- Digital Forensic
- Collecting and analysing evidence to support incident response
- Data Loss Prevention
- Designing and tuning controls to prevent data exfiltration
- Cyber Threat Intelligence
- Operationalising threat intel to drive detections and response
- Privileged Access Management
- Controlling and monitoring admin access across critical systems
- Details
- Category: Uncategorised
- Hits: 126
Security Information and Event Management (SIEM)
High-fidelity detection, telemetry normalization and investigative tooling to surface and contextualise threats across your estate.
Overview
SIEM platforms collect, normalise and correlate logs and events from across cloud, identity, network and endpoints to detect suspicious activity, enable investigations and support compliance.
Key activities
- Log onboarding & normalization — ensure consistent schema and reliable ingestion.
- Detection engineering — author, test and tune rules mapped to ATT&CK TTPs.
- Alert triage & enrichment — prioritise signal and attach context for analysts.
- Dashboarding & reporting — surface KPI and business-facing risk views.
- Retention & compliance — manage storage, access and audit requirements.
SIEM Platforms
Familiar with commercial and open-source SIEMs. I choose solutions based on scale, telemetry profiles and operational needs.
Data Sources
Endpoint telemetry, Windows event logs / Sysmon, network and perimeter logs, cloud audit logs, identity logs and application/container logs.
Security use cases (general)
Credential misuse & lateral movement, ransomware detection, persistence and privilege escalation, data exfiltration and cloud misconfiguration monitoring.
Deliverables
- Prioritised detection catalog (mapped to MITRE ATT&CK)
- Onboarding playbooks and parsers
- Investigation runbooks and analyst guides
- Executive dashboards and operational KPIs
Best practices
- Design detections for high fidelity — prefer context-rich, low-noise rules.
- Normalize telemetry early — consistent fields reduce false positives.
- Automate enrichment — use threat intel and asset context to improve prioritisation.
- Measure detection performance — track true/false positives and MTTR.