4 – SOC Behavioural Telemetry Lab Report

Hybrid Endpoint Identity Investigation – Windows 11 Study

Understanding Normal Before Hunting Anomalies

Security investigation is most effective when we first learn how normal behaviour looks.

In this laboratory exercise using Windows 11 endpoint telemetry, audit signals were analysed to observe identity activity patterns on a managed workstation.

The goal was not to search for threats, but to establish a behavioural baseline.


Objective

The experiment explored endpoint identity telemetry through audit log inspection and scripting-assisted observation.

Using Event Viewer analysis and PowerShell-based querying, authentication rhythm and process execution patterns were studied.

This approach mirrors real SOC triage thinking, where analysts first learn what expected activity looks like so that only the deviations from it need investigating.

Key learning goals included:

  • Understanding the structure of logon and logon-failure events
  • Observing how privileged logon sessions appear and end
  • Measuring process creation frequency
  • Evaluating logoff signals and their relationship to logons

Methodology

Telemetry signals were grouped into functional security classes. The Security log event IDs used, with their Windows names and the caveats that matter when counting them:

Event ID   Security meaning
4624       An account was successfully logged on. Counts every logon type (interactive, network, service, batch, unlock), including SYSTEM, service and machine-account logons, so the raw total is not a count of human sign-ins.
4625       An account failed to log on. Authentication failure.
4672       Special privileges assigned to new logon. Raised at logon time for any account whose token holds sensitive privileges, SYSTEM included; it marks a privileged logon, not an administrative action.
4688       A new process has been created. Only recorded when the "Audit Process Creation" subcategory is enabled; the command line is included only if "Include command line in process creation events" is also turned on.
4634       An account was logged off. Session termination.

Data observation windows were defined as:

  • 24 hours → Short-term behavioural snapshot
  • 7 days → Operational pattern stability check
  • 30 days → Strategic rhythm analysis

Analysis was conducted using Windows security audit logs and PowerShell queries.
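The counting step described above, written out as an added example (this is not the lab's own script). It queries the Security log for the five event IDs in each observation window and also records the oldest surviving event, because a Security log that has rolled over silently truncates the 30-day window and makes its counts incomparable with the shorter ones. The variable names are the author's choice; the event IDs and Get-WinEvent parameters are standard.

```powershell
# Added example, not the lab's own script: count the five audited event IDs in each
# observation window and flag windows the Security log does not reach back far enough to cover.
# Run from an elevated PowerShell session; reading the Security log requires administrator rights.
$Ids = [int[]]@(4624, 4625, 4672, 4688, 4634)
$Names = @{
    4624 = 'Logon success'
    4625 = 'Logon failure'
    4672 = 'Special privileges assigned to new logon'
    4688 = 'Process created'
    4634 = 'Logoff'
}
$Windows = [ordered]@{ '24h' = 1; '7d' = 7; '30d' = 30 }

# Oldest surviving record. If it is newer than a window's start, that window's counts are
# truncated by log rollover and cannot be compared with the shorter windows.
$oldest = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated

$report = foreach ($w in $Windows.GetEnumerator()) {
    $start  = (Get-Date).AddDays(-$w.Value)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    # Group-Object returns the ID as a string in .Name; key the lookup by integer.
    $byId = @{}
    foreach ($g in ($events | Group-Object -Property Id)) { $byId[[int]$g.Name] = $g.Count }
    foreach ($id in $Ids) {
        [pscustomobject]@{
            Window    = $w.Key
            EventId   = $id
            Meaning   = $Names[$id]
            Count     = [int]$byId[$id]          # missing IDs count as 0
            Truncated = ($oldest -gt $start)     # true when the log does not reach back to $start
        }
    }
}
$report | Format-Table -AutoSize
```

A row with Truncated = True means the window is a lower bound, not a baseline; either extend the Security log size (wevtutil sl Security /ms:…) or forward events to a collector before relying on 30-day rhythm figures.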


Telemetry Interpretation Model

Endpoint identity behaviour can be conceptually aligned with cloud audit monitoring.

Modern security operations increasingly bring endpoint and cloud telemetry under one view, for example alongside AWS CloudTrail, which records IAM console sign-ins, role assumptions and API calls in a single audit trail.

Examples of conceptual mapping include:

  • Authentication events → IAM login signals
  • Failure events → Policy or credential risk signals
  • Privilege context → Role assumption behaviour
  • Process creation → API invocation or workload launch activity
  • Session closure → Token lifecycle termination

Key Observations

24-Hour Window

  • Authentication success events (4624): 166
  • Authentication failure events (4625): 0
  • Privileged session events (4672): 159
  • Process creation events (4688): 13
  • Session termination events (4634): 4

7-Day Window

  • Authentication success events: 901
  • Authentication failure events: 1
  • Privileged session events: 863
  • Process creation events: 65
  • Session termination events: 27

30-Day Window

  • Authentication success events: 2657
  • Authentication failure events: 28
  • Privileged session events: 2543
  • Process creation events: 156
  • Session termination events: 130

Behavioural Interpretation

Authentication telemetry represented the dominant signal class.

Authentication failures were rare (0, 1 and 28 across the 24-hour, 7-day and 30-day windows), suggesting stable credential use. The 28 failures in the 30-day window should still be grouped by account, source address and hour to confirm they are scattered rather than clustered.

Privileged logon events tracked successful logons almost one to one (159 of 166 in 24 hours). Because 4672 is raised for every logon whose token holds sensitive privileges, SYSTEM and service logons included, this ratio is expected on a workstation where most logons are not human sign-ins. The question that matters for a baseline is how many interactive human logons also received a 4672, which requires joining the two events on the logon ID rather than comparing totals.

Process creation counts stayed low (13, 65 and 156). That is far below what a Windows 11 workstation normally produces with Audit Process Creation enabled, so before adopting these figures as a baseline, confirm the policy is applied and that the Security log has not rolled over within the window.

No bursts of failures, off-hours logons or process-creation spikes were visible in the counts. Counts alone cannot show per-account or per-hour clustering, however; that needs the events broken down by account, logon type and time of day.
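The decomposition the interpretation above calls for, as an added example rather than the lab's own analysis: it reads the 4624 events of the 24-hour window, drops machine and built-in service accounts, joins 4672 to 4624 on the logon ID so that "human logons that received an administrative token" can be counted, and then groups the remaining human logons by account, logon type and hour of day to produce a per-row baseline. Get-EventDataField is a small helper defined here, not a built-in cmdlet; the XML field names (TargetUserName, TargetLogonId, SubjectLogonId, LogonType) are those of the 4624 and 4672 event schemas, and the logon type meanings follow Microsoft's 4624 documentation.

```powershell
# Added example, not the lab's own script: separate human logons from machine noise, join 4672
# to 4624 on logon ID, and build an account/type/hour baseline. Run elevated; uses the lab's
# 24-hour window.
$start = (Get-Date).AddDays(-1)
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-EventDataField {
    # Helper defined for this example: read one named <Data Name="..."> value from the event XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } `
                         -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Hour      = $_.TimeCreated.Hour
        User      = Get-EventDataField $_ 'TargetUserName'
        Sid       = Get-EventDataField $_ 'TargetUserSid'
        LogonId   = Get-EventDataField $_ 'TargetLogonId'
        LogonType = [int](Get-EventDataField $_ 'LogonType')
        Source    = Get-EventDataField $_ 'IpAddress'
    }
})

# 4672 is raised for every logon whose token carries sensitive privileges, SYSTEM included.
# Its SubjectLogonId equals the TargetLogonId of the matching 4624, which is the join key.
$privLogonIds = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $start } `
                               -ErrorAction SilentlyContinue | ForEach-Object { Get-EventDataField $_ 'SubjectLogonId' })

# Machine accounts end in '$'; S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE and NETWORK SERVICE,
# S-1-5-7 is ANONYMOUS LOGON. None of these are human sign-ins.
$human = @($logons | Where-Object {
    $_.User -notmatch '\$$' -and $_.Sid -notin @('S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-7')
})
$humanAdmin = @($human | Where-Object { $_.LogonId -in $privLogonIds })

"Total 4624: {0}   human-account 4624: {1}   of which with a 4672 (privileged token): {2}" -f `
    $logons.Count, $human.Count, $humanAdmin.Count

# Which logon types the human sign-ins used (interactive vs. unlock vs. network, etc.).
$human | Group-Object LogonType | Sort-Object Count -Descending |
    Select-Object @{ n = 'LogonType'; e = { $_.Name } },
                  @{ n = 'Meaning';   e = { $LogonTypeNames[[int]$_.Name] } }, Count | Format-Table -AutoSize

# Rhythm view: human logons by account, logon type and hour of day. Each row is the baseline
# a later window is compared against; a new account, type or hour is the anomaly candidate.
$human | Group-Object User, LogonType, Hour |
    Select-Object @{ n = 'Account_Type_Hour'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Run the same script over the 7-day and 30-day windows (change the AddDays argument) and diff the Account_Type_Hour rows: a row that appears in the 24-hour output but never in the 30-day output is the kind of deviation the counts in the previous section cannot surface.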


SOC Thinking Insight

Security monitoring is fundamentally about rhythm recognition.

Before searching for threats, an analyst should understand:

  • How users normally authenticate
  • How privileges are exercised
  • How sessions close
  • How workloads execute

Detection engineering is therefore not only about algorithms, but also about behavioural intuition.


Cloud Security Context

The same reasoning model can be extended beyond endpoints into cloud environments.

Identity-centric monitoring is becoming central to modern security architecture, particularly in IAM telemetry and audit trail analysis.


Career Relevance

This laboratory demonstrates foundational capability in:

  • Behavioural security reasoning
  • SOC triage decision thinking
  • Telemetry interpretation
  • Early-stage detection modelling
  • Endpoint-to-cloud conceptual mapping

Learning Principle

Security defence begins with mapping normal behavioural rhythm.

Anomaly hunting is only meaningful after baseline intelligence is established.
