One of the greatest challenges facing Security Operations Center (SOC) analysts is determining whether an activity is truly suspicious or simply part of normal business operations. Modern enterprise environments generate millions of events every day, including user logins, process creation, network connections, and application activity. Without understanding what “normal” looks like, analysts risk wasting valuable time investigating legitimate behaviour while overlooking genuine threats.
This is why establishing a security baseline is one of the most important practices in threat detection. A baseline represents the expected behaviour of users, systems, and applications under normal operating conditions. By comparing current activity against that baseline, analysts can more easily identify anomalies that may indicate malicious activity. This concept aligns closely with both the MITRE ATT&CK framework and the NIST Cybersecurity Framework (CSF).
What Is a Security Baseline?
A security baseline is a documented understanding of how systems normally operate. It includes information such as:
- Typical user logon times.
- Common administrative activities.
- Normal network communication patterns.
- Frequently executed processes.
- Expected authentication methods.
- Standard software installed on endpoints.
For example, if PowerShell is commonly used by IT administrators during business hours, its execution may not require immediate investigation. However, if PowerShell suddenly executes on a finance workstation late at night and is followed by external network connections, that behaviour may represent a significant deviation from the baseline.
The objective is not to alert on every event but to identify activity that differs from what is expected.
Using MITRE ATT&CK to Identify Anomalies
The MITRE ATT&CK framework documents how attackers behave after gaining access to a system. Many ATT&CK techniques appear similar to legitimate administrative activity, making context essential.
For example, attackers frequently use T1059 – Command and Scripting Interpreter to execute commands and T1021 – Remote Services to move laterally across a network. These same tools and protocols are also used by system administrators every day.
By comparing observed behaviour against an established baseline, analysts can determine whether these techniques are likely to represent legitimate administration or malicious activity.
ATT&CK provides the behavioural framework, while the baseline provides the operational context needed for accurate analysis.
NIST and Continuous Monitoring
The NIST Cybersecurity Framework emphasizes continuous monitoring as a key component of an effective cybersecurity program.
Organizations should regularly review authentication logs, endpoint activity, network traffic, and system configurations to establish and maintain normal operating patterns. As business processes change, security baselines should also be updated to reflect legitimate operational changes.
Continuous monitoring allows organizations to detect deviations quickly and respond before attackers achieve their objectives.
Without an accurate baseline, even sophisticated detection technologies may generate excessive false positives or fail to recognize subtle attacker behaviour.
Why Baselines Improve Investigations
Threat hunting is not simply about searching for known indicators of compromise. It also involves identifying behaviour that appears unusual within a specific environment.
When analysts understand normal activity, they can prioritize investigations more effectively.
Questions to consider include:
- Is this process normally executed on this endpoint?
- Has this user accessed this server before?
- Is this network connection expected?
- Does this authentication pattern match historical behaviour?
- Is this activity consistent with the user’s role?
These questions help analysts distinguish operational activity from genuine security incidents.
Conclusion
A strong security baseline is one of the most valuable tools available to SOC analysts. It provides the context necessary to distinguish legitimate business operations from potentially malicious activity and significantly improves the quality of threat hunting and incident investigations.
By combining environmental baselines with the behavioural guidance provided by the MITRE ATT&CK framework and the continuous monitoring principles outlined in the NIST Cybersecurity Framework, organizations can improve detection accuracy while reducing false positives. In cybersecurity, understanding normal behaviour is often the first step toward identifying abnormal behaviour before it becomes a serious security incident.