Free training - skill primer
Learn Security monitoring for free
A free, source-cited path to learning defensive security monitoring, practiced only on logs, traffic, and systems you own — this is a learning path, not a certification and not a job guarantee. Monitoring is learned by collecting and reading your own telemetry, never by capturing or scanning anyone else's.
What it is
Security monitoring is the defensive skill of collecting security telemetry — logs, events, and network traffic — and interpreting it to identify, investigate, and escalate suspicious activity. It is framed here strictly as defense: the goal is to see what is happening on systems you are responsible for and to notice when something is wrong, not to observe anyone else's systems. The core building blocks are the sources of evidence (operating-system and application logs, authentication events, and captured network packets), the tooling that aggregates and searches them (a SIEM or log platform such as an Elastic/ELK stack or Microsoft Sentinel), the detection logic that flags patterns worth a human's attention (rules written in formats like Sigma), and the shared language of attacker behavior that turns a raw event into an understood technique (the MITRE ATT&CK knowledge base). Because these concepts apply to any environment on any platform, the skill is broadly transferable: the same collection, detection, and investigation habits underpin SOC-analyst, security-operations, incident-response, and security-engineering work across employers and tools.
The skill breaks into a few durable areas you can practice defensively on your own equipment. Collection: getting logs and events off a system into one searchable place and understanding what each source records. Reading traffic: capturing and interpreting packets from your own machine so you learn what normal looks like and can recognize an anomaly. Detection engineering: writing a rule that flags a specific pattern in your own logs, and understanding why a rule fires or misses. Investigation and triage: following an alert back to the events that caused it, deciding whether it matters, and knowing when to escalate. Mapping to technique: using MITRE ATT&CK to translate 'this odd event' into 'this is the kind of behavior an attacker uses,' which makes both detection and communication sharper. None of these require touching anyone else's environment — they are built on telemetry from systems you own.
The most important discipline in learning security monitoring is ethical and stays strictly defensive: you build the skill by collecting and analyzing telemetry from systems, networks, and logs you own or a resource's own sandbox — never by capturing traffic, scanning, or monitoring systems you do not control. This primer sequences free, official-first-leaning resources — NIST and MITRE for vocabulary and technique, vendor documentation for a packet analyzer and a log platform, and an open detection-rule project — and gives you a first hands-on exercise that reads your own machine's logs, captures your own traffic, and writes a simple detection idea against your own data. Nothing here involves observing any system, network, or traffic you do not own.
Why it matters
Security monitoring is the shared baseline beneath SOC-analyst, security-operations, incident-response, and security-engineering roles because detecting and investigating suspicious activity underlies nearly every decision in a security operations center. Collection, detection, investigation, and the shared ATT&CK vocabulary transfer across platforms and employers, so the defensive foundation compounds rather than tying you to one vendor's tool.
The free path, in order
- Ground the vocabulary of logs and detection. Learn precise terms (log, event, alert, false positive, telemetry) from NIST's glossary so your reasoning stays accurate. Understand which sources — authentication, system, application logs — record which kinds of evidence.
- Read your own logs. Practice finding and reading the logs your own machine already produces (sign-in events, service starts and failures). Learning what normal activity looks like is the prerequisite for noticing anything abnormal.
- Capture and interpret your own traffic. Use Wireshark's official documentation to capture and read packets from your own machine's interface or loopback. Understanding what actually crosses a link is core to network-side monitoring — practiced only on traffic you own.
- Learn a log platform / SIEM. Get hands-on with a free log platform — an Elastic/ELK stack you run yourself or Microsoft Sentinel's free-tier options — to aggregate and search events. Focus on collecting your own telemetry into one searchable place.
- Map events to technique with MITRE ATT&CK. Use the free MITRE ATT&CK knowledge base to translate observed behavior into named attacker techniques. This turns a raw event into an understood pattern and sharpens both detection and how you communicate findings.
- Write a detection rule against your own data. Study the open Sigma rules project and write a simple rule that flags a specific pattern in your own logs (for example repeated failed sign-ins on your own machine). Test whether it fires correctly on data you own.
Best free resources
- NIST Computer Security Resource Center — Glossary OfficialOfficial reference
The authoritative U.S. government reference for precise definitions of log, event, telemetry, and related terms — the source of truth for the vocabulary that keeps monitoring reasoning defensible.
- Wireshark — official documentation OfficialOfficial documentation
The authoritative free reference for the most common packet analyzer, so you can capture and read your own machine's traffic correctly and learn what normal looks like on a link you own.
- MITRE ATT&CK (knowledge base of adversary techniques) OfficialOfficial reference (defensive framework)
A free, widely adopted knowledge base that names and describes attacker techniques so defenders can map observed behavior to known patterns — the shared language of detection and investigation, used to defend, not to attack.
- Microsoft Sentinel documentation (free-tier options) OfficialOfficial documentation
Vendor documentation for a cloud SIEM, including guidance on free-tier ingestion and trial options, so you can practice aggregating and searching your own telemetry — an alternative to a self-hosted Elastic/ELK stack.
- Sigma — open detection-rule project Vetted communityFree open-source project
A free, open, vendor-neutral format and community rule set for writing detections. Studying real rules and writing your own against your own logs is how you learn detection engineering without any paid tooling.
Every resource is free and dated. Official sources are labeled; vetted community resources are labeled separately. Verify a resource is still free on its own page before relying on it.
Try it (free, safe, hands-on)
Read your own logs, capture your own traffic, and draft a detection
Do the core defensive-monitoring actions on systems you own: read the logs your machine already produces, capture your own traffic, and write a simple detection idea against your own data — entirely defensive, entirely on systems you control.
You will need: Your own computer or a VM you created (snapshot it first if it is a VM), with its built-in log viewer; Wireshark or the built-in tcpdump on your own machine, to capture only your own traffic; A text file to draft a Sigma-style detection rule and your investigation notes
- Snapshot your VM first if you are using one. Open your own machine's logs — Event Viewer on Windows (Security and System logs) or 'journalctl' on Linux — and find recent sign-in and service events so you learn what normal looks like on a system you own.
- Generate a benign, explainable event on your own machine: for example, intentionally mistype your own password a few times at a lock screen you control, then find the resulting failed-authentication entries in your own logs. You are creating and reading only your own telemetry.
- Capture your own traffic: run Wireshark or 'sudo tcpdump -i lo -n' and generate loopback traffic with 'ping -c 3 127.0.0.1'. Identify the request and reply packets — observing only traffic your own machine generated to itself.
- Open MITRE ATT&CK and find the technique that describes repeated failed logins (a brute-force / credential-access pattern). Write down the technique name so your finding is expressed in the shared defensive language.
- Draft a simple detection: in a text file, write a Sigma-style rule idea that would flag 'more than N failed sign-ins from the same account within M minutes' — the pattern you just generated in your own logs. Note how you would test whether it fires correctly on your own data.
- Clean up: stop the capture, discard the test log data you generated if you wish, and revert the VM snapshot if you used one. Nothing here touched any system, network, or log but your own.
What you should see: A set of your own machine's log entries you can read and explain, a packet capture of your own loopback traffic, an ATT&CK technique name that describes the behavior you generated, and a draft detection rule written against your own data — all defensive, all on systems you own and produced by actions you performed yourself.
Safety: This exercise is strictly defensive and stays entirely on systems, networks, and logs you own, or a resource's own sandbox. Never monitor, capture, scan, or collect telemetry from any system, network, or traffic you do not control. Capture only your own machine's traffic (loopback or your own interface), and analyze only logs and events from systems you own.
Where this skill gets used
Certifications that test it: microsoft-security-operations-analyst-associate, comptia-cysa-plus, isc2-sscp-systems-security-certified-practitioner, comptia-security-plus, isc2-cc-certified-in-cybersecurity.
Roles that need it: SOC analyst, Security operations analyst, Incident responder, Security engineer.
Sources
- NIST CSRC Glossary — log (as of 2026-07-11)
- Wireshark — official documentation (as of 2026-07-11)
- MITRE ATT&CK — adversary technique knowledge base (as of 2026-07-11)
- Microsoft Sentinel — official documentation (as of 2026-07-11)
- Sigma — open detection-rule project (as of 2026-07-11)
Every resource is free and dated; official-first, community clearly labeled. A skill primer is a free learning path, not a certification, not professional experience, and not a job or salary guarantee. This primer is strictly defensive; all collection and analysis run only on systems, networks, and logs you own or a resource's own sandbox. Born draft, pending human review.