Network Security Monitoring Data Types

Understanding the hierarchy of data available for security analysis

The NSM Data Pyramid

Security analysts work with several types of network data. Each type trades detail against storage cost: the more detail a type keeps, the more space it needs and the shorter it can be retained. Ordered from least to most storage required:

  • Alert Data (smallest)
  • Statistical Data (small)
  • Transaction Data (medium)
  • Session Data (large)
  • Full Packet Capture (largest)

Each level above the bottom can be derived from the level below it, but not the other way round: packets can be rolled up into sessions and sessions into statistics, while a payload discarded at capture time cannot be reconstructed from session or statistical records.

Why Multiple Data Types?

No single data type is perfect for every situation. The choice depends on:

  • Storage capacity — How much data can you retain?
  • Analysis speed — How quickly do you need answers?
  • Investigation depth — What level of detail is required?
  • Compliance requirements — What must you retain legally?

Data Type Deep Dive

Explore each data type's characteristics, tools, and use cases

Full Packet Capture (PCAP)

Complete copy of all network traffic, headers and payloads included. Encrypted payloads are captured but cannot be read without the session keys, so PCAP of TLS traffic yields little more than session data unless decryption is in place.

Storage: Very High
Detail: Maximum
Tools: Wireshark, tcpdump

Session Data

Connection metadata (endpoints, ports, protocol, timing, byte and packet counts) without payload content

Storage: High
Detail: High
Tools: Zeek (conn.log), NetFlow

Transaction Data

Application-layer request/response pairs (for example HTTP method, host and URI; DNS query and answer; TLS SNI and certificate)

Storage: Medium
Detail: Medium
Tools: Zeek (http.log, dns.log, ssl.log), proxy logs

Statistical Data

Aggregated metrics and summaries (bytes and connections per host, port or time bucket). Statistics are derived from session or transaction data and cannot be decomposed back into individual connections.

Storage: Low
Detail: Low
Tools: SIEM, Grafana

Alert Data

Security events triggered by detection rules. An alert records the rule that fired and whatever context the detector attached, so its detail depends entirely on what the detector captured.

Storage: Very Low
Detail: Varies
Tools: Snort, Suricata, SIEM
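The following is an added example, not code from the original page. It works through the pyramid on a small constructed list of packet records (a stand-in for full packet capture) and derives session, statistical and alert data from it, showing that each level is a lossy reduction of the one below: the session records keep byte counts but no payload, the statistics keep per-destination totals but no individual connections, and the alert keeps only the rule hit. Field names, the flow-direction heuristic (lower port is the server) and the alert rule (outbound to TCP port 4444) are this example's own assumptions, not any tool's schema.

```python
"""Deriving session, statistical and alert data from packet records.

Added example. PACKETS is a constructed stand-in for full packet capture:
(timestamp, src, sport, dst, dport, proto, payload bytes).
"""
from collections import defaultdict

# Constructed packet records; 198.51.100.9 is a documentation address.
PACKETS = [
    (1000.0, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    (1000.1, "93.184.216.34", 80, "10.0.0.5", 51000, "tcp", b"HTTP/1.1 200 OK\r\n" + b"A" * 500),
    (1000.2, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", b""),
    (1060.0, "10.0.0.7", 52000, "198.51.100.9", 4444, "tcp", b"\x00\x01beacon"),
    (1060.3, "198.51.100.9", 4444, "10.0.0.7", 52000, "tcp", b"\x00\x02ok"),
    (1120.0, "10.0.0.7", 52001, "198.51.100.9", 4444, "tcp", b"\x00\x01beacon"),
]


def canonical_flow(src, sport, dst, dport, proto):
    """Map both directions of a connection onto one key, initiator first.

    Assumption for this example: the endpoint with the lower port is the server.
    """
    if dport <= sport:
        return (src, sport, dst, dport, proto)
    return (dst, dport, src, sport, proto)


def packets_to_sessions(packets):
    """Session data: one record per connection with counts, payload dropped."""
    flows = {}
    for ts, src, sport, dst, dport, proto, payload in packets:
        key = canonical_flow(src, sport, dst, dport, proto)
        rec = flows.setdefault(key, {"start": ts, "end": ts, "pkts": 0,
                                     "orig_bytes": 0, "resp_bytes": 0})
        rec["start"] = min(rec["start"], ts)
        rec["end"] = max(rec["end"], ts)
        rec["pkts"] += 1
        # Only the length survives; the payload itself is not stored.
        if (src, sport) == key[:2]:
            rec["orig_bytes"] += len(payload)
        else:
            rec["resp_bytes"] += len(payload)
    return [dict(orig_h=k[0], orig_p=k[1], resp_h=k[2], resp_p=k[3], proto=k[4],
                 duration=round(v["end"] - v["start"], 3), **v)
            for k, v in flows.items()]


def sessions_to_stats(sessions, bucket=60):
    """Statistical data: total bytes per destination host per time bucket."""
    stats = defaultdict(int)
    for s in sessions:
        bucket_start = int(s["start"] // bucket) * bucket
        stats[(s["resp_h"], bucket_start)] += s["orig_bytes"] + s["resp_bytes"]
    return dict(stats)


def sessions_to_alerts(sessions, suspicious_ports=(4444,)):
    """Alert data: apply a rule to session records and keep only the hits."""
    return [f"internal host {s['orig_h']} connected to {s['resp_h']}:{s['resp_p']}"
            for s in sessions if s["resp_p"] in suspicious_ports]


if __name__ == "__main__":
    sessions = packets_to_sessions(PACKETS)
    for s in sessions:
        print("session", s)
    for k, v in sessions_to_stats(sessions).items():
        print("stat", k, v)
    for a in sessions_to_alerts(sessions):
        print("alert", a)
```

Note that the alert on the 4444 connections can be raised from the session records alone, but deciding what the 8-byte payload actually was (the "Malware Payload Analysis" case) requires the packets, which this pipeline has already thrown away.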

Comparison Matrix

Data Type      Storage Cost   Typical Retention   Best For
Full Packet    $$$$$          Hours-Days          Deep forensics, malware analysis
Session        $$$            Days-Weeks          Connection analysis, baselining
Transaction    $$             Weeks-Months        Application behavior, user activity
Statistical    $              Months-Years        Trend analysis, capacity planning
Alert          $              Years               Incident response, compliance

Real-World Scenarios

Match the investigation type to the appropriate data source


Use Case Reference

  • Malware Payload Analysis: extract and analyze the actual malicious code transferred. Best source: Full Packet Capture (the only level that retains payloads).
  • C2 Beacon Detection: identify periodic outbound connections to suspicious IPs. Best source: Session Data (connection timestamps and byte counts are enough to measure periodicity; no payload is needed).
  • Data Exfiltration Hunt: find unusual HTTP POST requests with large payloads. Best source: Transaction Data (HTTP logs carry method and request body length; where traffic is TLS without inspection, fall back to per-connection outbound byte counts in session data).
  • DDoS Impact Assessment: measure traffic volume changes during an attack. Best source: Statistical Data.
  • IDS Rule Validation: review triggered alerts for false positive tuning. Best source: Alert Data.
  • Lateral Movement Tracking: map internal connections between compromised hosts. Best source: Session Data (internal-to-internal connections are often invisible to perimeter sensors, so this requires a sensor on internal segments).
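The added example below, which is not code from the original page, runs three of the scenarios above over constructed Zeek-style logs: C2 beacon detection and lateral movement mapping over session data (a trimmed conn.log) and the exfiltration hunt over transaction data (a trimmed http.log). The logs use real Zeek field names but far fewer columns than real output, and the beacon scoring (coefficient of variation of inter-connection gaps per source, destination and port), the thresholds, and the definition of "internal" as 10.0.0.0/8 are illustrative assumptions, not a Zeek feature.

```python
"""Beacon detection, lateral movement mapping and large-POST hunting.

Added example over constructed, trimmed Zeek conn.log and http.log data
(tab separated, #fields header, real Zeek field names, subset of columns).
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session data. 10.0.0.7 checks in to 198.51.100.9:443 about every
# 60 s with small jitter; 10.0.0.5 browses 93.184.216.34 irregularly; 10.0.0.7
# then touches internal hosts over SMB and RDP.
CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "1000.0\t10.0.0.7\t50111\t198.51.100.9\t443\ttcp\t312\t120",
    "1005.0\t10.0.0.5\t50200\t93.184.216.34\t443\ttcp\t1450\t80211",
    "1007.5\t10.0.0.5\t50201\t93.184.216.34\t443\ttcp\t900\t12030",
    "1060.5\t10.0.0.7\t50112\t198.51.100.9\t443\ttcp\t312\t120",
    "1090.0\t10.0.0.5\t50202\t93.184.216.34\t443\ttcp\t700\t4400",
    "1091.0\t10.0.0.5\t50203\t93.184.216.34\t443\ttcp\t650\t2200",
    "1119.8\t10.0.0.7\t50113\t198.51.100.9\t443\ttcp\t312\t120",
    "1150.0\t10.0.0.7\t50114\t10.0.0.12\t445\ttcp\t5200\t3100",
    "1155.0\t10.0.0.7\t50115\t10.0.0.12\t3389\ttcp\t98000\t410000",
    "1180.2\t10.0.0.7\t50116\t198.51.100.9\t443\ttcp\t312\t120",
    "1200.0\t10.0.0.12\t49300\t10.0.0.30\t445\ttcp\t4800\t2900",
    "1240.1\t10.0.0.7\t50117\t198.51.100.9\t443\ttcp\t312\t120",
    "1400.0\t10.0.0.5\t50204\t93.184.216.34\t443\ttcp\t800\t9100",
])

# Constructed transaction data: one large POST to a paste-style site.
HTTP_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\trequest_body_len",
    "1300.0\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/\t0",
    "1305.0\t10.0.0.5\t93.184.216.34\tPOST\texample.com\t/login\t84",
    "1310.0\t10.0.0.7\t203.0.113.50\tPOST\tpaste.example\t/upload\t48234511",
])

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for this example


def parse_zeek_tsv(text):
    """Parse a Zeek-style TSV log using its #fields header; ts becomes float."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            row = dict(zip(fields, line.split("\t")))
            row["ts"] = float(row["ts"])
            records.append(row)
    return records


def find_beacons(records, min_conns=4, max_cv=0.2):
    """Flag (orig_h, resp_h, resp_p) whose connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for (orig_h, resp_h, resp_p), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")  # jitter relative to period
        if cv <= max_cv:
            hits.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                         "connections": len(times), "interval": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


def internal_edges(records):
    """Edges (src, dst, port) between internal hosts, for lateral movement graphs."""
    def internal(ip):
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    edges = {(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]) for r in records
             if internal(r["id.orig_h"]) and internal(r["id.resp_h"])
             and r["id.orig_h"] != r["id.resp_h"]}
    return sorted(edges)


def find_large_posts(records, min_bytes=10_000_000):
    """POST requests whose body exceeds min_bytes, as (orig_h, host, uri, bytes)."""
    return [(r["id.orig_h"], r["host"], r["uri"], int(r["request_body_len"]))
            for r in records
            if r["method"] == "POST" and int(r["request_body_len"]) >= min_bytes]


if __name__ == "__main__":
    conns = parse_zeek_tsv(CONN_LOG)
    for h in find_beacons(conns):
        print(f"beacon candidate: {h['orig_h']} -> {h['resp_h']}:{h['resp_p']} "
              f"every {h['interval']:.1f}s over {h['connections']} conns (cv={h['cv']:.3f})")
    for src, dst, port in internal_edges(conns):
        print(f"internal edge: {src} -> {dst}:{port}")
    for who, host, uri, size in find_large_posts(parse_zeek_tsv(HTTP_LOG)):
        print(f"large POST: {who} -> {host}{uri} ({size} bytes)")
```

The browsing pair to 93.184.216.34 also has five connections but its gaps vary wildly, so it falls well above the `max_cv` cut-off; real beacons add random sleep jitter, which is why the check is a ratio against the mean period rather than an exact interval match. The internal edges are the raw material for a host graph; neither function needs any payload, which is the point of the session-data scenarios above.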
