
Security Monitoring and SIEM Explained for Security+

A network without monitoring is a network where attackers can operate undetected for months. Security monitoring is the practice of continuously collecting signals from across the environment, correlating them into meaningful alerts, and responding before damage becomes catastrophic. SIEM platforms are the technology that makes this possible at scale. Security+ SY0-701 tests the role of SIEM, SOAR, and EDR, the concept of threat hunting, and how these tools work together in a Security Operations Center. Understanding what each tool does and does not do is what the scenario questions test.


SIEM: log aggregation and correlation

A SIEM (Security Information and Event Management) platform collects log data from across the environment: firewalls, endpoints, servers, cloud services, identity systems, and applications. It normalizes the different log formats into a common structure, stores them in a searchable repository, and runs correlation rules across them to detect attack patterns that no single source would reveal.

The power of SIEM is correlation. A single failed login attempt on one server is noise. A thousand failed login attempts against the same account from different IP addresses over ten minutes is a credential stuffing attack. A successful login from an IP that just failed a hundred times is an account compromise. No individual log source would surface this pattern. SIEM correlates events across sources and time to produce actionable alerts.

SIEM outputs are alerts that analysts investigate. The quality of a SIEM implementation is measured by its signal-to-noise ratio: too many low-quality alerts cause alert fatigue, where analysts miss real incidents buried in false positives. Good SIEM configuration requires tuning rules for the specific environment rather than deploying default rules unchanged.
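As an added illustration (not part of the original article), the Python below replays constructed authentication log lines through the two correlation rules described above: many failures against one account from several IPs inside a ten-minute window, and a success from an IP that just failed repeatedly. It also suppresses repeat alerts for the same rule and account within the window, the simplest form of the tuning that keeps alert volume manageable. The log format, the thresholds (the test run uses lower values than the thousand-and-hundred figures in the text) and the suppression policy are assumptions, not any product's real rule syntax.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines (not from the page): "<ISO ts> auth user=<u> src=<ip> result=<r>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth user=alice src=203.0.113.5 result=failure
2024-05-01T10:00:02 auth user=alice src=203.0.113.6 result=failure
2024-05-01T10:00:03 auth user=alice src=203.0.113.7 result=failure
2024-05-01T10:00:04 auth user=alice src=203.0.113.5 result=failure
2024-05-01T10:00:05 auth user=alice src=203.0.113.5 result=success
2024-05-01T10:20:00 auth user=bob src=198.51.100.9 result=failure
2024-05-01T10:20:30 auth user=bob src=198.51.100.9 result=success
"""
def parse(line):
    # Normalize one raw line into a common structure; a SIEM does this per log source
    ts, _, user, src, result = line.split()
    field = lambda kv: kv.split("=", 1)[1]
    return {"ts": datetime.fromisoformat(ts), "user": field(user),
            "src": field(src), "result": field(result)}
def correlate(log_text, window=timedelta(minutes=10),
              stuffing_threshold=1000, compromise_threshold=100):
    # Replay events in time order; each (rule, key) fires at most once per window so a
    # sustained attack yields one alert, not hundreds of duplicates (alert-fatigue control)
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    fails_by_user = defaultdict(list)   # user -> [(ts, src_ip)] inside the window
    fails_by_src = defaultdict(list)    # src_ip -> [ts] inside the window
    last_alert, alerts = {}, []         # (rule, key) -> last alert ts; emitted alerts
    def fire(rule, key, ts, detail):
        if ts - last_alert.get((rule, key), datetime.min) >= window:
            last_alert[(rule, key)] = ts
            alerts.append((rule, key, detail))
    for ev in events:
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        cutoff = ts - window
        # Expire failures older than the window so thresholds reflect recent activity only
        fails_by_user[user] = [(t, s) for t, s in fails_by_user[user] if t >= cutoff]
        fails_by_src[src] = [t for t in fails_by_src[src] if t >= cutoff]
        if ev["result"] == "failure":
            fails_by_user[user].append((ts, src))
            fails_by_src[src].append(ts)
            sources = {s for _, s in fails_by_user[user]}
            # Rule 1: many failures against one account from several IPs in the window
            if len(fails_by_user[user]) >= stuffing_threshold and len(sources) > 1:
                fire("credential_stuffing", user, ts, f"{len(sources)} source IPs")
        elif len(fails_by_src[src]) >= compromise_threshold:
            # Rule 2: a success from an IP that just failed repeatedly
            fire("account_compromise", user, ts, f"success from {src}")
    return alerts
```

With the default thresholds the small sample produces no alerts at all, which is the point: the same rule is noise or signal depending on how it is tuned for the environment.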

SOAR, EDR, XDR, and threat hunting

SOAR (Security Orchestration, Automation, and Response) extends SIEM by automating responses to common alert types. When a SIEM alerts on a phishing email, a SOAR playbook can automatically quarantine the email, block the sender, isolate the endpoint that received it, and open a ticket, all without analyst intervention. SOAR reduces response time from hours to seconds for well-defined incident types.

EDR (Endpoint Detection and Response) is an agent installed on endpoints that continuously records process activity, network connections, file changes, and registry modifications. When an alert fires, EDR provides the forensic timeline needed to understand exactly what happened on that endpoint: which process was responsible, what it modified, where it connected, and whether it spread to other systems.

XDR (Extended Detection and Response) unifies data from endpoints, network, email, cloud, and identity sources into a single detection and investigation platform. It provides broader context than EDR alone and reduces the analyst effort of correlating data across separate tools.

Threat hunting is proactive security analysis where analysts search for signs of compromise without waiting for an alert to trigger. Instead of reacting, a threat hunter forms a hypothesis (for example, that a specific threat actor targeting their industry uses a particular technique) and searches for evidence of that technique in the environment. Threat hunting finds attacks that automated rules miss.

How to choose the correct answer

SIEM: aggregate logs, correlate events, alert on patterns. Does not automatically respond.

SOAR: automate response to alerts based on playbooks. Extends SIEM with action capability.

EDR: endpoint-focused agent, forensic detail, behavioral detection, response actions on the host.

XDR: multi-source (endpoint + network + email + cloud) unified detection and investigation.

Threat hunting: proactive, analyst-driven, hypothesis-based search for undetected compromise.

Alert fatigue: excessive false positives lead analysts to miss real incidents. Prevent with careful rule tuning and prioritization.

Security monitoring tools comparison

Tool            Primary function                              Automated response?
SIEM            Log aggregation, correlation, alerting        No (alerts only)
SOAR            Alert response automation via playbooks       Yes
EDR             Endpoint behavior recording and response      Yes (quarantine, kill process)
XDR             Multi-source unified detection and response   Yes
Threat hunting  Proactive analyst-driven investigation        No (analyst-driven)

Key exam facts — Security+ / CISSP

  • SIEM: collects and correlates logs from many sources, generates alerts. Does not respond automatically.
  • SOAR: automates response playbooks triggered by SIEM alerts. Reduces mean time to respond.
  • EDR: endpoint agent with forensic detail. Behavioral detection. Response actions on the host.
  • XDR: unifies endpoint, network, email, and cloud data for broader detection.
  • Threat hunting: proactive, hypothesis-driven search. Not reactive to alerts.
  • Alert fatigue: too many false positives = analysts miss real incidents. Tune rules.

Common exam traps

SIEM automatically responds to and contains security incidents.

SIEM collects, correlates, and alerts. It does not automatically respond to incidents. SOAR provides the automation and orchestration layer that takes action in response to SIEM alerts through predefined playbooks.

Threat hunting is just running SIEM queries on demand.

Threat hunting is a proactive discipline. An analyst forms a hypothesis based on threat intelligence or behavioral knowledge, then searches for evidence of that specific technique whether or not any alert triggered. It requires attacker knowledge and analytical creativity, not just querying a SIEM.

EDR and antivirus are the same thing.

Antivirus uses signature-based detection to identify known malware by matching file hashes or patterns. EDR records all endpoint behavior continuously, detects anomalies that do not match any signature, provides forensic investigation capability, and supports active response. EDR catches fileless malware and novel attacks that AV cannot see.
