Summary
This section covers the ideas behind blue-team and detection work. These notes are meant to make alerts, logs, and investigations understandable on their own terms, before the tools and workflows built on them become more complex.
What belongs here
- SIEM and logging basics
- detections and alerts
- triage and investigation concepts
- blue-team mental models
How to use this section
- Start here when the workflow depends on understanding alerts, telemetry, or detections first
- Use Guides for triage and investigation flows
- Use Commands for quick investigation checks
Available concepts
- What a SIEM Does
- Events, Alerts, and Detections
- Log Sources and Telemetry
- False Positives and Tuning