Microsoft SCOM

Microsoft

Microsoft System Center Operations Manager — enterprise monitoring of Windows, Linux, and applications.

Tags: Logging & SIEM | Commercial Platform / Suite | Learning | Windows | Linux


Description

System Center Operations Manager (SCOM) is Microsoft's flagship on-premises monitoring platform. It uses management packs that encode vendor knowledge to monitor Windows servers, Active Directory, Exchange, SQL Server, Hyper-V, and (via cross-platform "x-plat" agents) Linux and Unix hosts.

For a CySA+ analyst, SCOM is the canonical example of an operations monitoring tool that doubles as a security signal source: availability dips, service crashes, and policy violations all flow into its data warehouse and can be forwarded to a SIEM for correlation.

Use cases

  • Monitoring availability and health of Windows estates
  • Forwarding operational alerts to Sentinel/Splunk for correlation
  • Detecting service failures that may indicate tampering
  • Compliance reporting via SCOM Reporting Services