
How Security Monitoring Works: Complete Guide for 2026

This guide is maintained by the CodeHyper security team and updated to reflect current threat intelligence, tool capabilities, and Australian regulatory requirements. For a security monitoring assessment or managed SOC enquiry, contact our team or visit codehyper.com.au.

Quick Answer: Security monitoring is the continuous process of collecting data from your IT environment, analysing it for signs of attack, and responding before damage occurs. It works through a layered set of tools – EDR on endpoints, SIEM for log correlation, XDR for cross-environment visibility – operated by analysts in a Security Operations Centre (SOC) following structured detection and response processes.

Key Takeaways

  • The global median attacker dwell time reported in Mandiant’s M-Trends 2025 was 11 days – without monitoring, attackers operate undetected for nearly two weeks.
  • IBM’s 2025 Cost of a Data Breach Report found organisations averaged 158 days to identify breaches without mature monitoring.
  • SIEM + EDR + XDR are the three core technology layers. Each covers a different data source; together they provide unified threat visibility.
  • MITRE ATT&CK is the framework that maps real-world attacker techniques to detection rules – it is the shared language of modern security monitoring.
  • MDR (Managed Detection and Response) is the outsourced version of a SOC – increasingly the right choice for Australian SMBs that cannot staff a 24/7 internal team.
  • The two key metrics are MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) – top-performing SOCs detect threats within 60 minutes.

What Is Security Monitoring? (Direct Answer)

Security monitoring is the practice of continuously collecting, analysing, and acting on data from your IT environment to detect and respond to threats in real time.

It is the difference between discovering a breach after the damage is done – and stopping an attacker mid-movement before they reach your data.

Without monitoring, a threat actor can sit inside your network for days or weeks before anyone notices. Mandiant’s M-Trends 2025 Report places the global median attacker dwell time at 11 days. Every one of those days is time for credential theft, data exfiltration, lateral movement, and ransomware staging.

Security monitoring closes that window.

It is not a single product. It is a combination of tools, processes, and people – all working together to answer one question at scale: is something happening right now that should not be?

Why Does Security Monitoring Matter for Australian Businesses Specifically?

The ASD Cyber Threat Report 2023–24 recorded over 87,000 cybercrime reports in Australia – one every six minutes.

Average self-reported loss per incident: $49,600 for a small business and $62,800 for a medium business.

But the financial cost understates the compliance risk. Under the Privacy Act 1988 Notifiable Data Breaches (NDB) scheme, an organisation that suspects an eligible data breach must complete its assessment within 30 days, and once it has reasonable grounds to believe the breach is eligible it must notify the OAIC and affected individuals as soon as practicable. The question regulators ask is: what monitoring was in place to detect it?

Without evidence of a monitoring programme, it is hard to show that you took reasonable steps to protect personal information – the core obligation under Australian Privacy Principle 11.

Security monitoring is also a direct requirement for:

  • ACSC Essential Eight – Maturity Level 2 requires event logs (application control, PowerShell, privileged account and security configuration changes) to be stored centrally; Maturity Level 3 requires those logs to be analysed in a timely manner to detect cyber security events
  • APRA CPS 234 – regulated financial entities must maintain the capability to detect and respond to information security incidents in a timely manner
  • ISO 27001:2022 Annex A.8.15 (logging) and A.8.16 (monitoring activities)
  • Cyber Security Act 2024 – mandatory reporting of ransomware payments within 72 hours for businesses above the turnover threshold and for critical infrastructure entities; the Security of Critical Infrastructure Act 2018 separately requires critical infrastructure operators to report cyber incidents within 12 hours (significant impact) or 72 hours (other relevant impact). Meeting either window presupposes that the incident was detected in the first place

The Security Monitoring Stack: How the Tools Fit Together

Modern security monitoring is not one tool – it is a layered architecture. Each layer covers a different attack surface. Together they provide the visibility needed to catch threats that would escape any single tool.

Here is how the layers work, from device level to environment-wide.

What Is EDR – and What Does It Monitor?

EDR (Endpoint Detection and Response) monitors individual devices – laptops, desktops, servers, and mobile endpoints – by collecting continuous telemetry on everything that happens: processes running, files created, registry changes, network connections, user logins, and command execution.

EDR sits on every endpoint as a lightweight agent. It does not just scan for known malware signatures like traditional antivirus. It watches behaviour – and flags patterns that match attacker techniques even when no known malware is involved.

What EDR detects:

  • Credential dumping from LSASS (Mimikatz-style attacks)
  • Lateral movement via PsExec, WMI, or scheduled tasks
  • Persistence mechanisms (registry run keys, scheduled tasks, services)
  • Fileless malware running in memory only
  • Command-and-control (C2) beaconing to external infrastructure
  • Ransomware encryption behaviour – file modification at scale

Examples: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Cortex XDR.

Key limitation: EDR sees everything on the endpoint – but only the endpoint. It cannot see network traffic between devices, cloud platform activity, or email threats independently.

For Australian businesses using Microsoft 365 Business Premium, Microsoft Defender for Business – the SMB edition of Defender for Endpoint – is already included. Our EDR services cover configuration, tuning, and managed response.

What Is SIEM – and What Does It Monitor?

SIEM (Security Information and Event Management) is the central nervous system of security monitoring. It collects log data from every source in the environment – endpoints, servers, firewalls, cloud platforms, identity systems, applications – and correlates events across all of them to detect multi-stage attack chains that no single source would reveal.

A single failed login is noise. Five failed logins from five different countries against the same account, followed by a successful login at 2am from a new device, is a detection. SIEM makes that correlation automatically, at scale, across millions of events per day.

What SIEM ingests:

  • Endpoint EDR telemetry
  • Firewall and network device logs
  • Azure Active Directory / Entra ID sign-in logs
  • Microsoft 365 unified audit logs
  • Cloud platform logs (AWS CloudTrail, Azure Monitor, GCP Audit)
  • Application logs (web servers, databases, line-of-business apps)
  • Vulnerability scanner feeds
  • Threat intelligence feeds (known malicious IPs, domains, file hashes)

What SIEM produces:

Correlated alerts mapped to MITRE ATT&CK tactics and techniques, compliance reports, threat hunting dashboards, and an audit-ready log store.

Examples: Microsoft Sentinel, Splunk, IBM QRadar, Elastic SIEM.

For Microsoft 365 environments: Microsoft Sentinel natively ingests all Microsoft 365 and Entra ID signals, making it the natural SIEM choice for most Australian businesses already in the Microsoft ecosystem.

What Is XDR – and How Does It Extend EDR?

XDR (Extended Detection and Response) extends the visibility of EDR across multiple layers of the security stack – endpoints, network, cloud, identity, and email – and correlates signals from all of them into unified incidents.

Where EDR sees one endpoint and SIEM aggregates logs, XDR takes the deep endpoint telemetry of EDR and combines it with network traffic analysis, email security signals, identity behaviour, and cloud platform activity to provide a single, correlated view of an attack chain.

The XDR advantage in practice:

An attacker compromises a cloud-hosted application, uses the access to steal credentials from Entra ID, then moves laterally using those credentials to a file server. Each step looks different to each tool individually. XDR correlates them into one incident: “Account X was accessed from a new cloud workload, and the credentials were immediately used to access an on-premises server outside business hours.”

Examples: Microsoft Defender XDR (covers endpoints, identity, email, cloud apps, and network in one console), Palo Alto Cortex XDR, CrowdStrike Falcon XDR.

XDR vs SIEM: XDR is more automated and tighter in scope – faster detection and response for the threats its data sources cover. SIEM is broader – it can ingest custom log sources and is usually the system of record for compliance log retention. Most mature environments use both. According to Orange Cyberdefense, XDR has effectively replaced standalone EDR in the security market – vendors now sell XDR as the evolution.

What Is SOAR – and How Does It Automate Response?

SOAR (Security Orchestration, Automation and Response) automates the repetitive, time-sensitive tasks that follow a detection: enriching an alert with threat intelligence, isolating an affected endpoint, blocking a malicious IP at the firewall, disabling a compromised user account, and creating a ticket – all without analyst intervention.

A SOAR playbook defines: if alert type = “suspicious login from foreign IP,” then: check IP reputation, check user’s recent activity, check for active sessions, and if risk threshold exceeded – disable account and notify security team.

Without SOAR, every one of those steps requires an analyst with keyboard access. With SOAR, they happen in seconds.

Why it matters for MTTD and MTTR: SOAR directly reduces both Mean Time to Detect (by enriching alerts with context faster) and Mean Time to Respond (by automating containment actions). Splunk’s SOC uses its own platform to achieve a 7-minute MTTD for phishing attacks – automation is the reason.
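The playbook described above, as an added example that is not code from the original page or from any SOAR product. The enrichment sources (IP reputation table, per-user sign-in baseline, session store), the risk weights, the 50-point containment threshold and the business-hours window are all assumptions, and the action class only records what it would do rather than calling the Graph API or a firewall:

```python
"""SOAR playbook for 'suspicious sign-in from a foreign IP' (added example, not a vendor's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed enrichment sources standing in for a threat intel feed, the Entra ID
# sign-in history and the active-session store. Not real data.
IP_REPUTATION = {"203.0.113.9": "malicious", "198.51.100.7": "vpn-exit", "203.0.113.20": "clean"}
BASELINE_COUNTRIES = {"jsmith": {"AU"}, "alee": {"AU", "NZ"}}        # countries seen in the last 30 days
ACTIVE_SESSIONS = {"jsmith": ["203.0.113.9", "10.0.0.12"], "alee": ["10.0.0.45"]}

CONTAIN_THRESHOLD = 50   # assumption: score at which containment runs without an analyst
TICKET_THRESHOLD = 20    # assumption: below this the alert is closed as informational


@dataclass
class Alert:
    user: str
    src_ip: str
    country: str
    ts: datetime


@dataclass
class Decision:
    score: int
    reasons: list
    outcome: str = ""                          # "contained" | "ticketed" | "closed"
    actions: list = field(default_factory=list)


class Actions:
    """Containment actions. Records intent; a real playbook would call Graph / the firewall API."""
    def __init__(self):
        self.log = []

    def disable_account(self, user):  self.log.append(f"disable:{user}")
    def revoke_sessions(self, user):  self.log.append(f"revoke_sessions:{user}")
    def block_ip(self, ip):           self.log.append(f"block_ip:{ip}")
    def notify(self, msg):            self.log.append(f"notify:{msg}")
    def open_ticket(self, msg):       self.log.append(f"ticket:{msg}")


def enrich(alert: Alert):
    """Step 1 of the playbook: add context and turn it into a score with reasons."""
    score, reasons = 0, []
    rep = IP_REPUTATION.get(alert.src_ip, "unknown")
    if rep == "malicious":
        score += 40; reasons.append("source IP on threat intelligence list")
    elif rep == "vpn-exit":
        score += 15; reasons.append("source IP is a commercial VPN exit")
    if alert.country not in BASELINE_COUNTRIES.get(alert.user, set()):
        score += 30; reasons.append(f"{alert.country} not in user's 30-day sign-in baseline")
    if len(set(ACTIVE_SESSIONS.get(alert.user, []))) > 1:
        score += 15; reasons.append("concurrent sessions from more than one IP")
    if not 8 <= alert.ts.hour < 18:            # assumption: business hours in the alert's timezone
        score += 10; reasons.append("outside business hours")
    return score, reasons


def run_playbook(alert: Alert, actions: Actions) -> Decision:
    """Step 2: act on the score. Containment is automatic above the threshold."""
    score, reasons = enrich(alert)
    d = Decision(score, reasons)
    if score >= CONTAIN_THRESHOLD:
        actions.disable_account(alert.user)
        actions.revoke_sessions(alert.user)
        actions.block_ip(alert.src_ip)
        actions.notify(f"{alert.user} contained, score {score}: " + "; ".join(reasons))
        d.outcome = "contained"
    elif score >= TICKET_THRESHOLD:
        actions.open_ticket(f"{alert.user}: analyst review, score {score}")
        d.outcome = "ticketed"
    else:
        d.outcome = "closed"                   # nothing suspicious beyond the foreign IP itself
    d.actions = list(actions.log)
    return d


# Constructed alerts: a clear compromise, a borderline case, and benign travel inside the baseline
SAMPLE_ALERTS = [
    Alert("jsmith", "203.0.113.9", "DE", datetime(2025, 3, 5, 2, 0, tzinfo=timezone.utc)),
    Alert("alee", "198.51.100.7", "US", datetime(2025, 3, 5, 10, 0, tzinfo=timezone.utc)),
    Alert("alee", "203.0.113.20", "NZ", datetime(2025, 3, 5, 10, 30, tzinfo=timezone.utc)),
]


def run_all(alerts=SAMPLE_ALERTS):
    return [run_playbook(a, Actions()) for a in alerts]


if __name__ == "__main__":
    for a, d in zip(SAMPLE_ALERTS, run_all()):
        print(a.user, a.country, d.score, d.outcome, d.actions)
```

The point of the three-way outcome is that a playbook which only has "contain" and "ignore" either locks out legitimate travellers or lets borderline cases through; the middle band is where the Tier 1 analyst earns their keep, and the reasons list is what they see first.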

What Is a SOC – and What Do Analysts Actually Do?

A Security Operations Centre (SOC) is the team – and the processes – that operate all the monitoring tools above. Without analysts, a SIEM full of alerts is just noise.

SOC analysts work in tiers:

Tier 1 – Alert Triage: Analysts receive alerts from the SIEM/XDR, assess them against the context provided by SOAR enrichment, and classify them as: false positive (no action), low severity (log and monitor), or escalate to Tier 2.

Tier 2 – Incident Investigation: Senior analysts take escalated alerts and conduct full investigation: what happened, how far did the attacker get, what data was accessed, what needs to be contained? They use threat hunting, log analysis, and timeline reconstruction.

Tier 3 – Threat Hunting and Engineering: Most experienced analysts proactively hunt for threats that did not trigger alerts (looking for attacker behaviour that evaded detection rules), and write new detection rules to close the gaps they find.

Playbooks: Every alert type a SOC handles should have a documented playbook – a structured response procedure defining exactly what steps to take, in what order, and who approves each action. Playbooks are what make SOC response consistent and measurable.

The SOC metrics that matter (metric – what it measures – top-quartile benchmark):

  • MTTD (Mean Time to Detect) – how quickly a threat is identified – under 60 minutes (SANS 2023 Survey)
  • MTTR (Mean Time to Respond) – how quickly a threat is contained – under 4 hours
  • Dwell Time – how long an attacker was active before detection – under 24 hours
  • False Positive Rate – how much analyst time is wasted on noise – under 20%
  • Alert-to-Incident Ratio – how many alerts become real incidents – varies by environment

The IBM 2025 Cost of a Data Breach Report found organisations that detected breaches themselves (using monitoring) had $1.49M lower average breach costs than those notified by a third party or attacker.

How a Detection Is Made: Step by Step

Direct Answer: A detection starts with raw data, flows through normalisation and correlation, triggers an alert, is enriched with context, triaged by an analyst, and – if confirmed – triggers a response playbook. Here is every step.

Step 1: Data Collection

Agents, connectors, and API integrations send raw logs and telemetry from every data source to the SIEM or XDR platform. This includes:

  • Endpoint EDR agents sending process and file activity
  • Network devices sending NetFlow and firewall connection logs
  • Entra ID sending authentication events
  • Microsoft 365 audit logs (mailbox access, file downloads, admin changes)
  • Cloud platforms sending API call logs

Without comprehensive data collection, monitoring has blind spots. An attacker who knows your coverage gaps will operate in them.

Step 2: Normalisation

Raw logs arrive in hundreds of different formats. Normalisation translates them into a consistent schema so events from a Cisco firewall, a Windows endpoint, and an Azure AD tenant can be compared and correlated.

In Microsoft Sentinel, this is handled by connectors that map source data to the ASIM (Advanced Security Information Model) schema. In Splunk, it is the Common Information Model (CIM).
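What normalisation does in practice, as an added example that is not Sentinel’s ASIM, Splunk’s CIM, or any code from the original page. The target schema, the endpoint agent’s field names and every sample log line are constructed; the Cisco ASA 106023 message layout and the Microsoft Graph sign-in field names are real, but the values in them are made up:

```python
"""Normalise raw logs from three sources into one schema for correlation (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class NormalisedEvent:
    ts: datetime                  # always timezone-aware UTC so sources can be ordered together
    source: str                   # "firewall" | "endpoint" | "identity"
    action: str                   # "network_connection" | "logon"
    outcome: str                  # "allow" | "deny" | "success" | "failure"
    user: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    country: Optional[str] = None


def parse_iso_utc(s: str) -> datetime:
    """Accept '2025-03-04T09:00:00Z' or an explicit offset; always return UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Cisco ASA access-list deny, message id 106023. The regex follows the real message
# layout; the sample line further down is constructed.
ASA_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def normalise_firewall(received_at: datetime, line: str) -> Optional[NormalisedEvent]:
    """ASA messages carry no timestamp of their own; the syslog receive time is used."""
    m = ASA_106023.search(line)
    if not m:
        return None           # unhandled message id: keep in the raw store, not the correlation stream
    return NormalisedEvent(ts=received_at, source="firewall", action="network_connection",
                           outcome="deny", src_ip=m["src_ip"], dst_ip=m["dst_ip"],
                           dst_port=int(m["dst_port"]))


def normalise_endpoint(ev: dict) -> Optional[NormalisedEvent]:
    """Windows Security logon events 4624/4625 as forwarded by an endpoint agent (field names assumed)."""
    outcomes = {4624: "success", 4625: "failure"}
    if ev.get("EventID") not in outcomes:
        return None
    return NormalisedEvent(ts=parse_iso_utc(ev["TimeCreated"]), source="endpoint", action="logon",
                           outcome=outcomes[ev["EventID"]], user=ev.get("TargetUserName", "").lower(),
                           src_ip=ev.get("IpAddress"))


def normalise_entra(ev: dict) -> NormalisedEvent:
    """Entra ID sign-in record using Microsoft Graph signIn field names."""
    ok = ev.get("status", {}).get("errorCode", 0) == 0
    return NormalisedEvent(ts=parse_iso_utc(ev["createdDateTime"]), source="identity", action="logon",
                           outcome="success" if ok else "failure",
                           user=ev["userPrincipalName"].split("@")[0].lower(),
                           src_ip=ev.get("ipAddress"),
                           country=ev.get("location", {}).get("countryOrRegion"))


# Constructed samples: one record per source, same user, same attacker IP, three time formats
SAMPLES = [
    ("firewall", datetime(2025, 3, 4, 22, 58, tzinfo=timezone.utc),
     '%ASA-4-106023: Deny tcp src outside:198.51.100.7/5150 dst inside:10.0.0.12/445 '
     'by access-group "outside_in" [0x0, 0x0]'),
    ("endpoint", None, {"EventID": 4625, "TimeCreated": "2025-03-04T22:59:10Z",
                        "TargetUserName": "JSmith", "IpAddress": "198.51.100.7", "LogonType": 3}),
    ("identity", None, {"createdDateTime": "2025-03-05T10:01:00+11:00",   # Sydney local = 23:01 UTC
                        "userPrincipalName": "jsmith@example.com", "ipAddress": "198.51.100.7",
                        "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}}),
]


def normalise_all(samples=SAMPLES):
    out = []
    for source, received_at, raw in samples:
        ev = {"firewall": lambda: normalise_firewall(received_at, raw),
              "endpoint": lambda: normalise_endpoint(raw),
              "identity": lambda: normalise_entra(raw)}[source]()
        if ev:
            out.append(ev)
    return sorted(out, key=lambda e: e.ts)     # sortable only because every ts is UTC-aware


if __name__ == "__main__":
    for e in normalise_all():
        print(e)
```

Two details matter more than the field names. Timestamps are forced to UTC before anything else happens, because a Sydney-local Entra record and a UTC firewall line cannot be put on one timeline otherwise, and the user field is lowercased and stripped of its domain so `JSmith` on the endpoint and `jsmith@example.com` in Entra become the same pivot key for correlation.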

Step 3: Correlation and Detection

Detection rules run continuously against the normalised data stream, identifying patterns that match known attacker behaviour.

Rules are mapped to MITRE ATT&CK tactics and techniques – the globally recognised framework of attacker behaviour covering 14 tactics in the Enterprise matrix (from Reconnaissance through Impact) and hundreds of specific techniques and sub-techniques. Good detection coverage means having rules for the techniques most relevant to your threat profile, not a rule for every technique in the matrix.

Example correlation rule:

  • Source: Entra ID sign-in logs + Endpoint EDR
  • Condition: User X signs in from IP outside Australia → immediately accesses file server → copies 500+ files within 10 minutes
  • Detection: Possible credential compromise + data exfiltration staging
  • Severity: High
  • MITRE ATT&CK: T1078 (Valid Accounts) + T1020 (Automated Exfiltration)
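The correlation rule above, run over a constructed event stream, as an added example that is not code from the original page or from any SIEM. It also includes a second rule, impossible travel (two successful sign-ins from different countries inside a short window), since both pivot on the same normalised sign-in events. The home country, the 24-hour session look-ahead and the 60-minute travel window are assumptions; the 500-file / 10-minute threshold is the page's own:

```python
"""Two correlation rules over a constructed event stream (added example, not a vendor's rule set)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOME_COUNTRIES = {"AU"}                   # assumption: where this tenant's users normally sign in
BULK_WINDOW = timedelta(minutes=10)       # page's rule: 500+ files within 10 minutes
BULK_THRESHOLD = 500
SESSION_LOOKAHEAD = timedelta(hours=24)   # assumption: how long file activity is attributed to a sign-in
TRAVEL_WINDOW = timedelta(minutes=60)     # assumption: two countries inside this window is infeasible


@dataclass
class Event:
    ts: datetime
    kind: str                 # "signin" | "file_access"
    user: str
    country: str = ""
    success: bool = True
    path: str = ""


@dataclass
class Alert:
    name: str
    user: str
    severity: str
    attack: list              # MITRE ATT&CK technique IDs
    evidence: dict = field(default_factory=dict)


def foreign_signin_then_bulk_access(events, threshold=BULK_THRESHOLD):
    """Successful non-home sign-in followed by >= threshold file accesses in any BULK_WINDOW."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for s in events:
        if s.kind != "signin" or not s.success or s.country in HOME_COUNTRIES:
            continue
        files = [f for f in events if f.kind == "file_access" and f.user == s.user
                 and s.ts <= f.ts <= s.ts + SESSION_LOOKAHEAD]
        left = 0                                     # sliding window over this user's file accesses
        for right in range(len(files)):
            while files[right].ts - files[left].ts > BULK_WINDOW:
                left += 1
            if right - left + 1 >= threshold:
                alerts.append(Alert(
                    name="Foreign sign-in followed by bulk file access",
                    user=s.user, severity="High", attack=["T1078", "T1020"],
                    evidence={"signin_country": s.country, "signin_at": s.ts.isoformat(),
                              "files_in_window": right - left + 1,
                              "window_start": files[left].ts.isoformat()}))
                break                                # one alert per sign-in is enough
    return alerts


def impossible_travel(events):
    """Consecutive successful sign-ins for one user from different countries within TRAVEL_WINDOW."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "signin" and e.success:
            by_user.setdefault(e.user, []).append(e)
    for user, signins in by_user.items():
        for prev, cur in zip(signins, signins[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= TRAVEL_WINDOW:
                alerts.append(Alert(
                    name="Impossible travel", user=user, severity="Medium", attack=["T1078"],
                    evidence={"from": prev.country, "to": cur.country,
                              "minutes_apart": (cur.ts - prev.ts).total_seconds() / 60}))
    return alerts


def sample_events():
    """Constructed stream: one compromised user, one normal user."""
    t0 = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)
    evs = [Event(t0, "signin", "jsmith", country="AU"),
           Event(t0 + timedelta(minutes=30), "signin", "jsmith", country="DE"),
           Event(t0, "signin", "alee", country="AU")]
    start = t0 + timedelta(minutes=120)          # attacker pulls 520 files in under 3 minutes
    evs += [Event(start + timedelta(seconds=i * 0.3), "file_access", "jsmith",
                  path=f"/Proposals/doc{i}.docx") for i in range(520)]
    evs += [Event(t0 + timedelta(minutes=5 * i), "file_access", "alee",   # normal working morning
                  path=f"/Finance/q{i}.xlsx") for i in range(20)]
    return evs


def run_rules(events):
    return foreign_signin_then_bulk_access(events) + impossible_travel(events)


if __name__ == "__main__":
    for a in run_rules(sample_events()):
        print(a.severity, a.name, a.user, a.attack, a.evidence)
```

The sliding window is the part worth copying: a naive "count files in the 10 minutes after the sign-in" misses the case where the attacker sits on the mailbox for an hour and a half before pulling files, which is exactly how these intrusions usually unfold.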

Step 4: Alert Generation and SOAR Enrichment

The matched rule generates an alert. Before an analyst sees it, SOAR automatically enriches it:

  • IP reputation check (is the source IP known malicious?)
  • User risk score from Entra ID Identity Protection
  • Asset criticality (is the accessed file server business-critical?)
  • Threat intelligence match (does the IP appear in any active campaign feeds?)
  • Recent activity baseline (is this user’s behaviour unusual relative to their own history?)

The analyst receives a pre-enriched alert with context – not a raw event number. This is how SOAR reduces MTTD.

Step 5: Analyst Triage

The Tier 1 analyst reviews the enriched alert. They determine:

  • Is this a false positive? (Rule fired on a legitimate activity)
  • Is this a true positive – low severity? (Real finding, handle according to SOP)
  • Is this a true positive – escalate? (Incident confirmed, pass to Tier 2)

Good SOC operations have triage SLAs – critical alerts must be triaged within 15 minutes, high within 1 hour. These SLAs directly determine MTTD.

Step 6: Incident Investigation

Tier 2 analysts conduct full investigation on escalated alerts. They answer:

  • What was the initial access vector?
  • Which accounts and systems are affected?
  • Has the attacker moved laterally?
  • What data has been accessed or exfiltrated?
  • Is the attacker still active or has the session ended?

Investigation uses the SIEM’s log search, the EDR’s timeline view, and identity platform logs – a cross-environment picture assembled manually into an attack timeline.

Step 7: Containment and Response

With the scope of the incident understood, the response playbook is executed:

  • Isolate affected endpoints from the network (EDR host isolation – one click or automated)
  • Disable compromised user accounts (Entra ID → block sign-in)
  • Block malicious IPs at the firewall
  • Revoke active sessions (Entra ID → Revoke sessions, which invalidates refresh tokens; access tokens already issued stay valid until they expire, typically within an hour, unless Continuous Access Evaluation is in place)
  • Preserve evidence (forensic image before wiping)
  • Notify relevant stakeholders (legal, executive, insurer)

For incidents involving personal information under the Privacy Act NDB scheme, the 30-day assessment window starts when the organisation first suspects an eligible breach, and notification to the OAIC is due as soon as practicable once the breach is confirmed. A well-documented investigation with a clear timeline is what allows that window to be managed.

Step 8: Recovery and Post-Incident Review

After containment:

  • Systems are restored from clean backups (not from images taken after the attacker’s access)
  • Root cause analysis determines how the attacker got in
  • Detection rules are updated to catch the same technique earlier next time
  • Playbooks are updated based on what worked and what did not
  • Incident report is produced for insurance, compliance, and board reporting

This last step is where monitoring programmes improve over time. Each incident is an intelligence input that makes the next detection faster.

Internal SOC vs Managed Detection and Response (MDR)

For most Australian SMBs, building and staffing an internal 24/7 SOC is not realistic. Here is the honest comparison.

What Is MDR?

MDR (Managed Detection and Response) is a fully outsourced security monitoring service. The provider operates the SOC, the SIEM, the EDR, and the SOAR – delivering 24/7 monitoring, alert triage, threat hunting, and incident response as a managed service.

Gartner predicted that 50% of organisations would be using MDR services by 2025. For Australian SMBs, adoption is now accelerating as cyber insurers increasingly require evidence of monitoring as a condition of cover.

Internal SOC vs MDR: Side-by-Side

  • Setup cost – Internal SOC: high (tooling plus staff hiring); MDR: subscription-based, lower upfront
  • Ongoing cost – Internal SOC: salaries for 4–6 analysts to cover 24/7; MDR: fixed monthly fee
  • Time to operational – Internal SOC: 6–18 months; MDR: 2–6 weeks
  • Threat intelligence – Internal SOC: limited to internal signals; MDR: cross-client signals (attacker TTPs seen across thousands of environments)
  • Coverage hours – Internal SOC: depends on headcount; MDR: 24/7/365 under contract
  • Tool ownership – Internal SOC: your team manages the SIEM/XDR; MDR: provider manages the platform
  • Best for – Internal SOC: large enterprises, 200+ staff, high-risk industries; MDR: SMBs, mid-market, businesses without dedicated security staff

What to Look For in an MDR Provider

  • Coverage of your specific environment – does the provider have connectors for Microsoft 365, Entra ID, and your SaaS applications?
  • Transparent SLAs – what are the guaranteed MTTD and MTTR commitments?
  • Response authority – can the provider isolate an endpoint and block an account on your behalf, or do they only alert you?
  • Compliance outputs – does the service produce reports formatted for Essential Eight, ISO 27001, or APRA CPS 234 evidence requirements?
  • Australian data residency – are your logs stored in Australian data centres? This matters for Privacy Act obligations.

Our SOC services and EDR management are built for Australian SMBs operating in the Microsoft 365 ecosystem.

The MITRE ATT&CK Framework: The Language of Modern Security Monitoring

Direct Answer: MITRE ATT&CK is a free, publicly maintained knowledge base of real-world attacker tactics and techniques. It is the framework that detection engineers use to write rules – and the language SOC analysts use to classify and communicate what an attacker is doing.

The framework organises attacker behaviour into 14 tactics (the “why” – what stage of the attack) and hundreds of techniques (the “how” – the specific method used).

The 14 MITRE ATT&CK Tactics in the Enterprise Matrix:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defence Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

When a SOC analyst classifies an alert, they map it to a tactic and technique. “Credential access via T1003 (OS Credential Dumping)” tells the next analyst in the chain exactly what technique was used, what the goal was, and what to look for next in the attack chain.

Good monitoring programmes track their ATT&CK coverage – which techniques do they have detection rules for? Which are blind spots? The MITRE ATT&CK Navigator is a free tool for visualising this coverage.
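How a coverage check is done, as an added example that is not code from the original page, from MITRE, or from the Navigator project. The threat profile and the rule list are constructed; sub-technique IDs such as T1003.001 are credited to their parent technique when matching against the profile, and the output is a minimal Navigator-style layer dictionary (the `versions` block is reduced to the layer format version, which is an assumption about the minimum the Navigator will accept):

```python
"""ATT&CK coverage check and Navigator layer export (added example, not MITRE's code)."""
import json

# Techniques in this organisation's threat profile (assumption: credential theft / BEC focus)
THREAT_PROFILE = {"T1566", "T1078", "T1003", "T1021", "T1053", "T1020", "T1486", "T1110"}

# Deployed detection rules; the technique IDs are the only field the check needs. Constructed list.
DETECTION_RULES = [
    {"name": "LSASS memory access by non-system process", "techniques": ["T1003.001"]},
    {"name": "Foreign sign-in followed by bulk file access", "techniques": ["T1078", "T1020"]},
    {"name": "Scheduled task created by remote session", "techniques": ["T1053.005", "T1021.002"]},
    {"name": "Mass file rename with new extension", "techniques": ["T1486"]},
]


def parent(tid: str) -> str:
    """T1003.001 -> T1003; a parent ID maps to itself."""
    return tid.split(".")[0]


def coverage(rules, profile):
    """Return (covered technique -> rule names, sorted gaps, covered fraction)."""
    covered = {}
    for r in rules:
        for t in r["techniques"]:
            covered.setdefault(parent(t), []).append(r["name"])
    hits = {t: covered[t] for t in profile if t in covered}
    gaps = sorted(profile - set(hits))
    return hits, gaps, round(len(hits) / len(profile), 2)


def navigator_layer(rules, profile, name="Detection coverage"):
    """Layer dict: covered techniques scored by rule count (green), gaps scored 0 (red)."""
    hits, gaps, ratio = coverage(rules, profile)
    techniques = [{"techniqueID": t, "score": len(names), "color": "#31a354",
                   "comment": "; ".join(names)} for t, names in sorted(hits.items())]
    techniques += [{"techniqueID": t, "score": 0, "color": "#de2d26",
                    "comment": "no detection rule"} for t in gaps]
    return {
        "name": name,
        "versions": {"layer": "4.5"},          # assumption: Navigator 4.x layer file format
        "domain": "enterprise-attack",
        "description": f"{int(ratio * 100)}% of profile techniques have at least one rule",
        "techniques": techniques,
    }


def to_json(layer) -> str:
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    hits, gaps, ratio = coverage(DETECTION_RULES, THREAT_PROFILE)
    print(f"coverage {ratio:.0%}, gaps: {gaps}")
    print(to_json(navigator_layer(DETECTION_RULES, THREAT_PROFILE)))
```

Crediting sub-techniques to the parent is deliberate but optimistic: a rule for T1003.001 (LSASS memory) says nothing about T1003.003 (NTDS.dit extraction), so for a tight threat profile list the sub-techniques explicitly rather than the parents.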

What Security Monitoring Looks Like in a Microsoft 365 Environment

For the majority of Australian businesses running Microsoft 365, the security monitoring architecture is built on Microsoft’s integrated platform.

The Microsoft security monitoring stack:

Microsoft Defender for Endpoint – EDR on Windows, macOS, Linux, iOS and Android devices. Includes attack surface reduction (ASR) rules, threat analytics, and automated investigation and response.

Microsoft Defender for Identity – monitors on-premises Active Directory for lateral movement, pass-the-hash, Kerberoasting, and other identity-based attack techniques.

Microsoft Defender for Office 365 – monitors email for phishing, malware, and BEC attempts. Provides Safe Links, Safe Attachments, and attack simulation training.

Microsoft Defender for Cloud Apps – CASB (Cloud Access Security Broker) monitoring of SaaS application usage, detecting risky behaviour, data exfiltration, and shadow IT.

Microsoft Entra ID Protection – identity risk scoring. Assigns risk levels to sign-in attempts and users based on Entra ID signals and Microsoft’s global threat intelligence.

Microsoft Sentinel – the SIEM/SOAR layer that ingests all of the above plus third-party sources, runs correlation rules, and provides the centralised alert management and investigation workspace.

Microsoft Secure Score – a continuous quantitative view of your security posture across all Microsoft 365 security controls.

The four Defender products above feed signals into Microsoft Defender XDR – the unified console where cross-domain incidents are correlated, investigated, and responded to – and Entra ID Protection risk signals surface there as well.

Our Microsoft 365 security services and Entra ID Protection guide cover how each layer is configured. Our dark web monitoring service adds external threat intelligence – alerting when your credentials or data appear in breach databases before an attacker uses them.

How Security Monitoring Supports Australian Compliance

Each monitoring capability below is listed with the control it supports under the Essential Eight, the Privacy Act NDB scheme, APRA CPS 234 and ISO 27001:2022 Annex A.

  • Centralised audit logging – Essential Eight: ML2+ (central log storage); Privacy Act NDB: evidence for the breach assessment; APRA CPS 234: required; ISO 27001: A.8.15 (logging)
  • Privileged access monitoring – Essential Eight: Restrict Administrative Privileges, ML2+; Privacy Act NDB: reasonable steps; APRA CPS 234: yes; ISO 27001: A.8.2 (privileged access rights)
  • Endpoint EDR telemetry – Essential Eight: Patch Applications, User Application Hardening; Privacy Act NDB: breach scope evidence; APRA CPS 234: yes; ISO 27001: A.8.7 (protection against malware)
  • Identity anomaly detection – Essential Eight: Multi-factor Authentication, Restrict Administrative Privileges; Privacy Act NDB: early breach detection; APRA CPS 234: yes; ISO 27001: A.8.16 (monitoring activities)
  • Email security monitoring – Essential Eight: User Application Hardening; Privacy Act NDB: phishing is a common NDB cause; APRA CPS 234: yes; ISO 27001: A.8.23 (web filtering, which covers Safe Links style URL protection)
  • Incident response playbooks – Essential Eight: supports all maturity levels; Privacy Act NDB: managing the 30-day assessment window; APRA CPS 234: required; ISO 27001: A.5.26 (response to information security incidents)
  • Threat intelligence feeds – Essential Eight: supports all maturity levels; Privacy Act NDB: proactive risk reduction; APRA CPS 234: yes; ISO 27001: A.5.7 (threat intelligence)

For the full Essential Eight mapping, see our Essential Eight checklist. For how monitoring connects to incident response, see our incident response guide.

Real-World Example: What Effective Monitoring Caught Before It Became a Breach

A 90-person professional services firm in Sydney was using Microsoft 365 Business Premium with Defender for Endpoint deployed but not integrated into a SIEM. Alerts were visible in the Defender portal – but no one was reviewing them regularly.

Our SOC onboarded the environment to Microsoft Sentinel, connected all Microsoft 365 and Entra ID data sources, and deployed detection rules aligned to the firm’s threat profile: credential compromise, BEC, data exfiltration.

Within three weeks of monitoring going live, a detection fired.

What the alert showed: An Entra ID account signed in from an Australian IP at 9am as normal. Thirty minutes later, the same account signed in from a European IP address. Ninety minutes after that, the account accessed 340 files on SharePoint in three minutes – a pattern consistent with automated exfiltration staging.

What the investigation found: The original sign-in was legitimate. The European sign-in was an attacker using a VPN to mask their location. The credential had been obtained through a phishing email received six days earlier. The account had an active session token that had persisted for six days – the attacker had been monitoring the mailbox.

Response in 22 minutes from initial alert:

  • Account disabled in Entra ID
  • All active sessions revoked
  • Endpoint isolated for forensic review
  • SharePoint access logs reviewed – files accessed were client proposal documents, not client personal data
  • Entra ID Conditional Access policy tightened: impossible travel detection enabled

Outcome: No data exfiltration confirmed. No NDB notification required. The attacker’s six-day access was terminated. Without monitoring, the same scenario ends with a ransomware deployment or exfiltration – and a notifiable data breach.

If your organisation is operating without security monitoring – or with monitoring that no one is actively reviewing – contact our team for a no-obligation security monitoring assessment.


Frequently Asked Questions

How does security monitoring work?

Security monitoring works by continuously collecting data from every part of your IT environment – endpoints, network devices, cloud platforms, identity systems, and applications – and analysing that data in real time for signs of attack. Data flows into a SIEM (Security Information and Event Management) platform where detection rules, mapped to the MITRE ATT&CK framework, correlate events across sources to identify attack patterns. When a detection fires, SOAR automation enriches the alert with context, an analyst triages it, and a response playbook guides containment. The process is measured end to end: MTTD (Mean Time to Detect) from the first attacker action to detection, and MTTR (Mean Time to Respond) from detection to containment.

What is the difference between EDR, SIEM, XDR, and MDR?

EDR (Endpoint Detection and Response) monitors individual devices. SIEM (Security Information and Event Management) collects and correlates logs from all sources across the environment. XDR (Extended Detection and Response) extends EDR across multiple layers – endpoints, network, cloud, identity, and email – in a unified platform. MDR (Managed Detection and Response) is a fully outsourced service where a provider operates the EDR, SIEM/XDR, and SOC analysts on your behalf. Each layer adds visibility. In practice, most Australian businesses benefit from XDR (Microsoft Defender XDR) for detection and MDR or a managed SOC for 24/7 human oversight.

What is MTTD and why does it matter?

MTTD stands for Mean Time to Detect – the average time between when an attack begins and when a security team identifies it. The shorter the MTTD, the less time an attacker has to escalate privileges, move laterally, steal data, or deploy ransomware. Mandiant’s M-Trends 2025 Report places the global median attacker dwell time at 11 days – meaning that without effective monitoring, attackers operate undetected for nearly two weeks. The SANS 2023 Incident Response Survey found that top-performing SOCs detect threats within 60 minutes. MTTD is reduced through better tool coverage, tuned detection rules, SOAR automation, and skilled SOC analysts.

What is the MITRE ATT&CK framework and how does it relate to security monitoring?

MITRE ATT&CK is a freely available, continuously updated knowledge base of real-world attacker tactics and techniques, maintained by MITRE Corporation. It organises attacker behaviour into 14 tactics (the stages of an attack from reconnaissance to impact) and hundreds of specific techniques and sub-techniques. Security monitoring teams use ATT&CK to write detection rules – each rule targets a specific technique that attackers use. When an alert fires, analysts use ATT&CK technique IDs to communicate precisely what the attacker was attempting. ATT&CK coverage – which techniques you have detection rules for – is a useful measure of how comprehensive your monitoring programme is, with one caveat: a rule that exists is not the same as a rule that fires reliably, so coverage should be validated by testing each rule against the technique it claims to catch.

What is a Security Operations Centre (SOC)?

A Security Operations Centre is the team and facility that operates an organisation’s security monitoring programme. SOC analysts receive alerts from SIEM and XDR platforms, triage them using SOAR-enriched context, investigate confirmed incidents, and execute response playbooks to contain and remediate threats. SOCs operate in tiers: Tier 1 analysts handle alert triage, Tier 2 conduct investigations, and Tier 3 perform threat hunting and detection engineering. For organisations without the scale to build and staff an internal 24/7 SOC, MDR (Managed Detection and Response) provides the same capability as an outsourced service.

Do small Australian businesses need security monitoring?

Yes – more urgently than large enterprises in some ways, because they have fewer resources to recover from an undetected breach. The ASD Cyber Threat Report 2024–25 shows small businesses are actively targeted because they typically have weaker monitoring than enterprise targets. Cyber insurance in Australia now routinely requires evidence of monitoring capability as a condition of coverage. The good news is that for businesses on Microsoft 365 Business Premium, the core monitoring tools – Defender for Endpoint, Defender for Office 365, and Entra ID Protection – are already included. The gap for most SMBs is not tooling but configuration and 24/7 human oversight, which an MDR service provides cost-effectively.

How does security monitoring support Privacy Act and NDB obligations?

Under the Privacy Act 1988 Notifiable Data Breaches scheme, an organisation that suspects an eligible data breach must assess it within 30 days, and must notify the OAIC and affected individuals as soon as practicable once it has reasonable grounds to believe an eligible breach has occurred; notification is not deferred until every detail is confirmed. A security monitoring programme that detects a breach earlier starts the assessment sooner, keeps the 30-day window under control, and produces the documented timeline the OAIC expects. Organisations without monitoring often discover breaches late – or only after an attacker has already caused public harm – and face regulatory scrutiny over whether their controls were reasonable. The monitoring programme itself is evidence of reasonable steps under the Privacy Act.

How is security monitoring different from antivirus?

Antivirus detects known malware signatures – it compares files against a database of known bad patterns. Security monitoring is fundamentally different: it watches behaviour across the entire environment, correlates events from multiple sources, and detects attack techniques regardless of whether a known malicious file is present. Modern attacks increasingly use “living off the land” techniques – abusing legitimate tools like PowerShell, WMI, and built-in Windows commands – specifically because they bypass signature-based antivirus. Security monitoring using EDR and SIEM detects these techniques based on what is happening, not what file is present. Antivirus is a baseline control. Security monitoring is how you actually catch sophisticated attackers.
