DOMAIN 2 Walk-Through

How tools reveal, analyze, block, and document attacks

The Mindset of Domain 2

This domain teaches visibility:

“How do I see what’s actually happening inside the system?”


1. SIEM — The security command center

A SIEM collects logs from everywhere and tells the story of an attack.

What students must grasp:

A SIEM doesn’t stop attacks — it shows patterns that humans need to interpret.

It’s the security analyst’s microscope.
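To make the “tells the story of an attack” idea concrete, here is an added example (not part of the original walkthrough, and not any vendor’s SIEM code): a tiny correlation engine that ingests constructed sshd and firewall log lines, normalizes them into one event shape, and raises an alert when a source IP racks up several failed logins inside a short window and then succeeds. The hostnames, IP addresses, the 5-failure threshold and the 5-minute window are all assumptions chosen for the illustration. Note what the code does and does not do: it correlates and alerts, it never blocks anything.

```python
"""Minimal SIEM-style correlation: normalize logs from two sources, then find a pattern."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs for this example only (hosts, IPs and times are invented).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:02:59Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=22
"""

AUTH_LOG = """\
May  1 10:00:01 srv05 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2
May  1 10:00:02 srv05 sshd[811]: Failed password for root from 203.0.113.7 port 51011 ssh2
May  1 10:00:03 srv05 sshd[812]: Failed password for root from 203.0.113.7 port 51012 ssh2
May  1 10:00:04 srv05 sshd[813]: Failed password for root from 203.0.113.7 port 51013 ssh2
May  1 10:00:05 srv05 sshd[814]: Failed password for root from 203.0.113.7 port 51014 ssh2
May  1 10:00:07 srv05 sshd[815]: Accepted password for root from 203.0.113.7 port 51015 ssh2
May  1 10:03:00 srv08 sshd[900]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<ip>\S+) dst=\S+ dport=\d+"
)


@dataclass
class Event:
    """One normalized event; the SIEM's common schema across log sources."""
    ts: datetime
    source: str   # which sensor produced it
    kind: str     # auth_fail, auth_ok, fw_allow, fw_deny
    host: str
    src_ip: str
    user: str = ""


def parse_auth(text, year=2024):
    """Syslog-style sshd lines lack a year; the assumed year is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        events.append(Event(ts, "sshd", kind, m["host"], m["ip"], m["user"]))
    return events


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, "firewall", "fw_" + m["action"].lower(), m["host"], m["ip"]))
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP has >= threshold failed logins in `window` and then succeeds.

    Firewall events from the same IP inside the window are attached as supporting evidence,
    so the analyst sees the whole story rather than a single line.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = []
        for e in evs:
            fails = [f for f in fails if e.ts - f.ts <= window]  # trailing window of failures
            if e.kind == "auth_fail":
                fails.append(e)
            elif e.kind == "auth_ok" and len(fails) >= threshold:
                fw_hits = [f for f in evs if f.kind == "fw_allow" and e.ts - f.ts <= window]
                alerts.append({
                    "src_ip": ip, "host": e.host, "user": e.user,
                    "fail_count": len(fails), "first_fail": fails[0].ts,
                    "success_at": e.ts, "firewall_hits": len(fw_hits),
                })
                fails = []  # do not re-alert on the same burst
    return alerts


def run():
    events = parse_auth(AUTH_LOG) + parse_firewall(FIREWALL_LOG)
    return correlate_bruteforce(events)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['src_ip']} -> {a['host']}: {a['fail_count']} failures from "
              f"{a['first_fail']:%H:%M:%S}, success as '{a['user']}' at {a['success_at']:%H:%M:%S}; "
              f"{a['firewall_hits']} matching firewall allows")
```

The key design point is the normalization step: once sshd and firewall lines share one `Event` shape, a single rule can reason across both sources. The second IP in the sample (one successful key login, no failures) produces no alert, which is the false-positive check you would want before trusting the rule. Whether the alert matters is still a human call; the tool only surfaces the pattern.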


2. EDR — Eyes and claws on every endpoint

EDR is the “bodyguard” of each device.