Sunday, September 7, 2025

SOC Interview Questions

1. What is a SOC (Security Operations Center)?

 A centralized team and facility that monitors, detects, analyzes, and responds to cybersecurity incidents in real time.


2. What are the primary responsibilities of a SOC?

  • Continuous monitoring of network and systems

  • Incident detection, triage, and response

  • Threat intelligence analysis

  • Log management & SIEM tuning

  • Vulnerability assessment coordination

  • Incident reporting and documentation


3. What is the difference between Tier 1, Tier 2, and Tier 3 SOC analysts?

  • Tier 1 (Monitoring/Alert Handling): Monitor SIEM alerts, escalate suspicious activity.

  • Tier 2 (Incident Response): Investigate escalations, analyze logs, confirm incidents, contain threats.

  • Tier 3 (Threat Hunting/Forensics): Deep investigation, malware analysis, proactive threat hunting.


4. What is SIEM and why is it important in SOC?

 SIEM (Security Information & Event Management) collects, correlates, and analyzes logs from different sources to detect threats and generate alerts.
Examples: Splunk, QRadar, Elastic SIEM, ArcSight.


5. What is the difference between an Event, Alert, and Incident?

  • Event → Any log or activity observed in the system.

  • Alert → Notification generated when an event matches suspicious patterns.

  • Incident → A confirmed security event that violates policy or indicates compromise.


6. How do you handle a false positive in SOC?

 Verify against threat intelligence, logs, and baselines. If confirmed false, tune SIEM rules/signatures to reduce noise.


7. What are Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)?

  • IOCs → Evidence of compromise (malicious IPs, hashes, domains).

  • IOAs → Behavioral indicators showing intent of an attack (privilege escalation attempts, abnormal lateral movement).


8. What are the common log sources in a SOC?

  • Firewalls

  • IDS/IPS

  • Antivirus/EDR

  • Proxy/Web servers

  • Authentication systems (Active Directory)

  • Cloud services logs (AWS CloudTrail, Azure Security logs)


9. What is Threat Hunting and how is it different from Incident Response?

  • Threat Hunting → Proactive search for hidden threats before alerts trigger.

  • Incident Response → Reactive steps taken after an incident is detected.


10. What is a Playbook in SOC?

 A documented set of steps (manual or automated) to respond to specific incidents like phishing, malware infection, or brute-force attacks.


11. What are common SOC tools?

  • SIEM → Splunk, QRadar, Elastic SIEM

  • EDR/XDR → CrowdStrike, SentinelOne, Microsoft Defender

  • SOAR → Cortex XSOAR, Splunk Phantom

  • Threat Intel → MISP, Recorded Future

  • Packet Analysis → Wireshark, Zeek


12. How would you respond to a suspected phishing email reported by a user?

Steps:

  1. Instruct the user not to click links or open attachments.

  2. Analyze email headers, URLs, and attachments.

  3. Search mail logs to find other users who received similar emails.

  4. Quarantine the email on the mail server.

  5. Block malicious domains/IPs.

  6. Update detection rules & train users.


13. How do you detect lateral movement in a network?

Look for:

  • Unusual authentication attempts (unexpected accounts, hosts, or times)

  • Multiple login failures from one source or account

  • Access to uncommon servers, or one account reaching many servers in a short time

  • Use of remote-execution tools and protocols such as PsExec, RDP, and SMB admin shares
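The lateral-movement signals above, together with the event-versus-alert distinction from question 5 and the rule tuning from question 6, are easiest to see in code. The script below is an added example and is not part of the original post: a toy SIEM-style correlation pass that reads constructed authentication events, applies three rules (login-failure threshold, one account fanning out to several hosts, and a PsExec service install) and emits alerts. The log format, host names, user names and the jump-box allowlist are all constructed; the ATT&CK IDs attached to each alert are the real public technique identifiers for Brute Force (T1110), Remote Services (T1021) and Service Execution (T1569.002).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), loosely modelled on Windows Security
# and System log events: 4625 = failed logon, 4624 = successful logon
# (LogonType 3 = network, 10 = RDP), 7045 = new service installed.
SAMPLE_LOG = """\
2025-09-07T10:00:01 EventID=4625 User=svc_backup Src=10.0.5.23 Target=FS01 LogonType=3
2025-09-07T10:00:04 EventID=4625 User=svc_backup Src=10.0.5.23 Target=FS01 LogonType=3
2025-09-07T10:00:09 EventID=4625 User=svc_backup Src=10.0.5.23 Target=FS01 LogonType=3
2025-09-07T10:00:15 EventID=4625 User=svc_backup Src=10.0.5.23 Target=FS01 LogonType=3
2025-09-07T10:00:21 EventID=4625 User=svc_backup Src=10.0.5.23 Target=FS01 LogonType=3
2025-09-07T10:02:00 EventID=4624 User=alice Src=WKS017 Target=WKS017 LogonType=2
2025-09-07T10:05:10 EventID=4624 User=jdoe Src=WKS042 Target=FS01 LogonType=3
2025-09-07T10:06:30 EventID=4624 User=jdoe Src=WKS042 Target=FS02 LogonType=3
2025-09-07T10:07:45 EventID=4624 User=jdoe Src=WKS042 Target=DC01 LogonType=10
2025-09-07T10:08:00 EventID=7045 Host=FS02 ServiceName=PSEXESVC
2025-09-07T10:20:00 EventID=4624 User=itadmin Src=jump01 Target=SRV01 LogonType=3
2025-09-07T10:21:00 EventID=4624 User=itadmin Src=jump01 Target=SRV02 LogonType=3
2025-09-07T10:22:00 EventID=4624 User=itadmin Src=jump01 Target=SRV03 LogonType=3
"""

WINDOW = timedelta(minutes=10)       # correlation window for both threshold rules
FAIL_THRESHOLD = 5                   # failed logons per (user, source) before alerting
DISTINCT_HOST_THRESHOLD = 3          # distinct targets per (user, source) before alerting
# Tuning exception (question 6): a known admin jump box legitimately fans out to
# many hosts, so its logons are excluded from the lateral-movement rule. Constructed name.
ALLOWLISTED_SOURCES = {"jump01"}


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time; these are the EVENTS."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _recent(history, now):
    """Keep only (ts, value) entries that fall inside the sliding WINDOW."""
    return [h for h in history if now - h[0] <= WINDOW]


def correlate(events):
    """Run three detection rules over the event stream and return the ALERTS they raise."""
    alerts, fired = [], set()
    fails = defaultdict(list)    # (user, src) -> [(ts, target), ...] of 4625 events
    logons = defaultdict(list)   # (user, src) -> [(ts, target), ...] of remote 4624 events
    for e in events:
        eid, key = e["EventID"], (e.get("User"), e.get("Src"))
        if eid == "4625":
            fails[key] = _recent(fails[key], e["ts"]) + [(e["ts"], e["Target"])]
            if len(fails[key]) >= FAIL_THRESHOLD and ("brute_force", key) not in fired:
                fired.add(("brute_force", key))
                alerts.append({"rule": "brute_force", "technique": "T1110",
                               "user": key[0], "src": key[1], "target": e["Target"]})
        elif eid == "4624" and e.get("LogonType") in {"3", "10"}:
            if key[1] in ALLOWLISTED_SOURCES:
                continue  # tuned out as a known false-positive source
            logons[key] = _recent(logons[key], e["ts"]) + [(e["ts"], e["Target"])]
            targets = sorted({t for _, t in logons[key]})
            if len(targets) >= DISTINCT_HOST_THRESHOLD and ("lateral_movement", key) not in fired:
                fired.add(("lateral_movement", key))
                alerts.append({"rule": "lateral_movement", "technique": "T1021",
                               "user": key[0], "src": key[1], "targets": targets})
        elif eid == "7045" and e.get("ServiceName", "").upper() == "PSEXESVC":
            alerts.append({"rule": "psexec_service", "technique": "T1569.002",
                           "host": e.get("Host")})
    return alerts


def run_rules(text=SAMPLE_LOG):
    """Convenience entry point: events in, alerts out."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Run as-is it raises three alerts (brute force against FS01, jdoe reaching three hosts from WKS042, and the PSEXESVC install on FS02) while the jump box's identical fan-out pattern is suppressed by the allowlist. Whether any of those alerts becomes an incident is still an analyst decision; the allowlist is the kind of narrow, documented exception an analyst would add after confirming a false positive, rather than raising the threshold for everyone.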


14. What is the MITRE ATT&CK framework and why is it useful in SOC?

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs). A SOC uses it to map detections to techniques, analyze threats, find coverage gaps, and build defenses.


15. What metrics/KPIs are important for SOC performance?

  • MTTD (Mean Time to Detect)

  • MTTR (Mean Time to Respond)

  • % of false positives

  • Number of incidents detected & resolved

  • Incident severity trends


Quick Tip for Interviews:
When answering scenario questions, always use the Incident Response Lifecycle:

  1. Identify

  2. Contain

  3. Eradicate

  4. Recover

  5. Lessons Learned


1. What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is a centralized unit within an organization that is responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats and incidents. Its main goal is to protect the organization's information assets from cyberattacks.

2. What is the role of a SOC Analyst?

A SOC Analyst's primary role is to act as the first line of defense. They are responsible for:

  • Monitoring security systems and tools (like SIEMs, IDS/IPS).

  • Analyzing security alerts to differentiate between real threats and false positives.

  • Investigating potential security incidents.

  • Following established incident response procedures.

  • Creating and maintaining documentation for security incidents.

3. Explain the difference between a threat, a vulnerability, and a risk.

  • A threat is a potential cause of an incident that could harm an organization's systems or data. It's the "who" or "what" that could cause damage (e.g., a hacker, malware, or a natural disaster).

  • A vulnerability is a weakness in a system or an asset that a threat can exploit. It's the "how" an attack can happen (e.g., unpatched software, a weak password, or a misconfigured firewall).

  • A risk is the potential for loss or damage when a threat exploits a vulnerability. It's the impact of the attack, usually measured in terms of likelihood and potential business impact. Risk = Threat x Vulnerability.

Technical and Tool-Based Questions

4. What is a SIEM and why is it important in a SOC?

SIEM stands for Security Information and Event Management. It is a security tool that centralizes and aggregates security data from various sources (like firewalls, servers, and endpoint devices). A SIEM is crucial because it helps SOC analysts by:

  • Providing a single pane of glass for monitoring.

  • Correlating log data to identify patterns that might indicate an attack.

  • Generating alerts for suspicious activity, which analysts can then investigate.

5. What is the difference between an IDS and an IPS?

  • IDS (Intrusion Detection System): A passive system that monitors network traffic for malicious activity and policy violations. When it finds something suspicious, it generates an alert. It does not block the traffic.

  • IPS (Intrusion Prevention System): An active, inline system that not only detects malicious activity but also takes action to block or prevent the attack in real-time.

6. How do you handle a false positive?

A false positive is a security alert generated by a tool for activity that is actually benign. My process would be:

  1. Analyze the Alert: Review the alert details to understand what triggered it (e.g., source IP, destination port, protocol).

  2. Verify the Activity: Use other tools (like log aggregators, network traffic analyzers, or endpoint protection) to confirm if the activity is legitimate.

  3. Document and Tune: If confirmed as a false positive, I would document the finding, explain why it was a false positive, and then work with the SIEM/tool administrator to tune the rules or add an exception to prevent it from triggering again.

Incident Response and Scenario Questions

7. Walk me through your process for investigating a phishing alert.

  1. Initial Triage: I would immediately review the alert details, including the sender's email address, subject line, and any attached files or links.

  2. User Contact: I would contact the user who reported the email to get more context and ensure they didn't click on any links or download attachments.

  3. Threat Analysis: I would analyze the email headers to check the sender's authenticity and trace its origin. I would then check the links and attachments in a secure sandboxed environment to see what they do.

  4. IOC Search: I would extract any Indicators of Compromise (IOCs), such as malicious URLs, file hashes, or IP addresses, and search our SIEM and endpoint logs for any other users who may have received or interacted with the same email.

  5. Containment and Eradication: If any user clicked the link or downloaded a file, I would work with the IT team to isolate the affected machine and remove the threat.

  6. Reporting: Finally, I would create an incident report detailing the findings, the steps taken, and recommendations to prevent a similar incident in the future.

8. What is an IOC (Indicator of Compromise)?

An IOC is a piece of forensic data, such as a log entry or a file hash, that identifies malicious activity on a system or network. It's essentially the "digital breadcrumbs" left behind by an attacker. Common examples include:

  • Malicious IP addresses or domains.

  • File hashes (MD5, SHA-256).

  • Unusual outbound network traffic.

  • Specific email subject lines or sender addresses.
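The header analysis, IOC extraction and IOC search steps in the phishing walkthrough (question 7 above, and question 12 in the first list) and the IOC types just listed can be put together into a small first-pass triage script. The one below is an added example, not code from the original post: it parses a constructed raw message with Python's standard `email` library, flags a From/Return-Path domain mismatch and an SPF failure, extracts URLs and attachment hashes, and checks them against a constructed threat-intel list. Every domain, hash and address in it is made up (`example.com` and `.invalid` are reserved placeholder names), and the "malware" attachment is just the text "this is not real malware".

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed raw message for the example; no real sender, domain or payload.
RAW_EMAIL = b"""\
Return-Path: <bounce@mail-deliver.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-deliver.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
To: jdoe@example.com
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://example-login.invalid/reset
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

dGhpcyBpcyBub3QgcmVhbCBtYWx3YXJl
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")

# Constructed IOC feed standing in for threat intelligence (no real indicators).
KNOWN_BAD_DOMAINS = {"example-login.invalid"}
KNOWN_BAD_HASHES = {hashlib.sha256(b"this is not real malware").hexdigest()}


def triage_email(raw: bytes) -> dict:
    """Return a verdict, a list of findings and the IOCs extracted from one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    iocs = {"sender": None, "urls": [], "domains": [], "attachments": [], "hashes": []}

    # Header checks: envelope sender vs. displayed sender, and SPF/DKIM results.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    iocs["sender"] = from_addr
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("Authentication-Results shows SPF/DKIM failure")

    # URL extraction from the text body, then a lookup against the IOC list.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        iocs["urls"].append(url)
        iocs["domains"].append(host)
        if host in KNOWN_BAD_DOMAINS:
            findings.append(f"URL host {host} matches threat-intel IOC")

    # Attachments: hash them (the IOC you search the SIEM/EDR for) and flag risky names.
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        digest = hashlib.sha256(data).hexdigest()
        iocs["attachments"].append(name)
        iocs["hashes"].append(digest)
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"Attachment {name} has an executable extension")
        if digest in KNOWN_BAD_HASHES:
            findings.append(f"Attachment {name} SHA-256 matches threat-intel IOC")

    return {"verdict": "escalate" if findings else "likely benign",
            "findings": findings, "iocs": iocs}


if __name__ == "__main__":
    result = triage_email(RAW_EMAIL)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

The script never opens the attachment or follows the URL; it only hashes and parses, which is the safe part of triage. Detonating the link or file belongs in the sandbox step, and the hashes and domains in `result["iocs"]` are what you would then search the SIEM and endpoint logs for to find other recipients.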

9. What steps would you take if a critical server is reported as compromised?

This is a high-priority incident requiring a structured response:

  1. Verify and Validate: I would first confirm that the alert is legitimate and that the server is indeed compromised, using real-time monitoring and log analysis.

  2. Containment: The most critical step is to isolate the compromised server from the rest of the network to prevent the attack from spreading. This might involve unplugging the network cable or blocking its access via a firewall.

  3. Investigation and Eradication: Once contained, I would begin a detailed forensic investigation to understand how the compromise occurred. I would then work to remove the threat, such as wiping the system and restoring from a known clean backup.

  4. Recovery: I would restore the server and services to their operational state, ensuring that the vulnerability that led to the compromise is patched.

  5. Reporting: I would document the entire incident from start to finish for future reference and for a post-mortem analysis.
