SOC OperationsIncident ResponseWindows ForensicsLinux ForensicsKQL Investigations
Page cover
Edit

SOC Analysts Prep Interview Questions

Core Concepts

  1. What is the CIA Triad? Confidentiality (only authorised people see data), Integrity (data is not tampered with), Availability (systems work when needed). In practice: encryption = C, hashing/checksums = I, redundancy & DDoS protection = A.

  2. What are false positives and false negatives in a SOC context? False positive: benign activity flagged as malicious (e.g., admin running PowerShell). False negative: real threat missed (e.g., fileless malware not triggering signatures). Goal: <20 % false positives, zero false negatives.

  3. What is lateral movement in cybersecurity? After initial compromise, the attacker moves to other systems (e.g., RDP, PsExec, WMI, stolen tokens). Common TTPs: MITRE T1021 (Remote Services), T1078 (Valid Accounts).

  4. What is an Indicator of Compromise (IoC)? Forensic artifact: malicious IP, file hash, registry key, unusual process name, etc. Example: 8.8.8.8 is not an IoC by itself, but 185.117.118[.]88 seen in Qakbot campaigns is.

  5. Define a zero-day vulnerability. Flaw unknown to the vendor or without a patch, actively exploited in the wild (e.g., MOVEit 2023, Log4Shell before Dec 2021).

  6. What is the difference between IDS and IPS? IDS = passive detection + alert only (Snort, Suricata in tap mode). IPS = inline and can block/drop (Suricata in IPS mode, Palo Alto, FortiGate).

  7. What is phishing? Social-engineering attack tricking users into giving credentials or clicking on malicious links. 2025 twist: AI-generated deepfake voice + hyper-personalised emails.

  8. Explain the difference between encryption and hashing. Encryption: reversible with key (AES, RSA). Hashing: one-way, fixed-length (SHA-256, bcrypt). Use encryption for data in transit/rest, hashing for passwords/integrity checks.

  9. What is the role of SIEM in a SOC? Collects logs from everywhere β†’ normalises β†’ correlates β†’ alerts β†’ dashboards. 2025 SIEMs (Sentinel, Splunk, QRadar) now have built-in UEBA and auto-tuning.

  10. What is the principle of least privilege? Users/services get only the permissions they need. Example: Helpdesk can reset passwords but not read emails.

  11. What is the role of EDR in a SOC? Continuous endpoint monitoring, behavioural detection, response actions (isolate, kill process, rollback). Top 2025 players: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black.

  12. What is a web application firewall (WAF), and how does it work? Filters HTTP/S traffic, blocks OWASP Top 10 (SQLi, XSS, etc.). Works via signature + anomaly + ML (Cloudflare, Imperva, AWS WAF).

  13. Explain the difference between symmetric and asymmetric encryption. Symmetric: one shared key (AES-256-GCM – fast). Asymmetric: public/private pair (RSA, ECC – key exchange, signing).

  14. What is threat intelligence, and how is it used in a SOC? Actionable info about threats (IoCs, TTPs). Used to: enrich alerts, create detection rules, and conduct proactive hunting. Sources: MISP, OTX, Recorded Future, Microsoft Threat Intelligence.

  15. How would you use Splunk to detect unusual login patterns? index=security EventCode=4624 OR EventCode=4625 | stats count by user, src_ip | where count > 50 β†’ add geolocation, timechart, or use MLTK for anomalies.

  16. What is DNS poisoning, and how can it be detected? Attacker injects false DNS records. Detect: DNSSEC validation failures, sudden NXDOMAIN spikes, Zeek logs showing mismatched answers.

  17. How do you secure sensitive data in transit? Enforce TLS 1.3, HSTS, certificate pinning, disable TLS 1.0/1.1, and monitor for downgrade attacks.

  18. What is a honeypot, and how is it used in threat detection? Decoy system (e.g., Cowrie SSH, Dionaea) to attract attackers, log their TTPs, and alert when touched.

  19. How can you identify malicious PowerShell activity? Event IDs 4103/4104 (script block logging), obfuscated base64, Invoke-WebRequest to strange domains, AMSI failures, LOLBAS (powershell.exe spawning cmd.exe).

  20. What are the components of a secure software development lifecycle (SDLC)? Threat modelling β†’ SAST/DAST/SCA β†’ secure code review β†’ IaC scanning β†’ runtime protection (RASP) β†’ continuous monitoring.

Log Analysis & Windows Event IDs

  1. What are the key Windows Event IDs for monitoring logon activity? 4624 (success), 4625 (fail), 4648 (explicit creds), 4768/4769 (Kerberos), 4776 (NTLM).

  2. What are the key fields to monitor in Windows Event ID 4624? Logon Type (2=interactive, 3=network, 10=RD), SubjectUser (who initiated), TargetUser, WorkstationName, IpAddress, ProcessName.

  3. How would you identify suspicious command-line activities? Sysmon ID 1 or Event 4688 with CommandLine, look for base64, ^ escaping, certutil, bitsadmin, living-off-the-land binaries.

  4. What is the difference between security logs and application logs? Security = auth/access (audit policy). Application = software-specific events (IIS, SQL, custom app logs).

  5. How do you analyse suspicious log entries? Timeline β†’ context β†’ enrichment (VirusTotal, Greynoise) β†’ correlation with other sources β†’ pivot.

  6. What is the importance of time synchronisation in log analysis? Accurate correlation across devices. All hosts must sync to NTP (e.g., time.windows.com or pool.ntp.org).

  7. What tool would you use to parse large log files, and why? Splunk/Elastic for TB-scale, fast search, dashboards. For quick: grep, jq, or CyberChef.

  8. How can you identify privilege escalation attempts in Windows Event Logs? 4672/4673 (SeDebugPrivilege, SeTakeOwnership, etc.), 4674, UAC bypass techniques (eventvwr.exe, fodhelper.exe).

  9. How do you troubleshoot missing logs in a SIEM? Check forwarder/agent health β†’ network reachability β†’ parsing filters β†’ index/time range β†’ bucket freezes.

  10. What are common SIEM queries to detect brute-force attacks? EventCode=4625 | stats count by src_ip, user | where count > 15 in 5m β†’ add geo-filter for non-corporate countries.

Threat Hunting & Incident Response

  1. How would you detect PowerShell-based attacks? Enable Script Block + Module logging, AMSI, monitor 4104 for encoded commands and downloads.

  2. What is the MITRE ATT&CK framework? Global knowledge base of adversary TTPs, organised in matrices (Enterprise, Mobile, ICS). Used for detection coverage, hunting queries, and red/blue teaming.

  3. What methods would you use to hunt for malware on endpoints? YARA scans, Sigma rules, Velociraptor artifacts, EDR hunting queries, memory analysis (Volatility/WinDbg).

  4. How do you identify command-and-control (C2) communication? Regular beaconing (same interval & packet size), high-entropy payloads, JA3/JA3S anomalies, connections to suspicious TLDs (.top, .cc).

  5. What is the difference between a SOC playbook and a runbook? Playbook = high-level procedure for incident type (e.g., ransomware). Runbook = detailed step-by-step actions (e.g., β€œrun EDR isolate on host X”).

  6. What are the stages of the incident response lifecycle? NIST: Preparation β†’ Identification β†’ Containment β†’ Eradication β†’ Recovery β†’ Lessons Learned.

  7. What is the difference between IOC and IOA (Indicator of Attack)? IOC = static evidence (hash, IP). IOA = behavioural pattern (e.g., regsvr32 loading from temp).

  8. How do you handle obfuscated scripts during analysis? CyberChef β†’ PowerShell deobfuscator β†’ manual string extraction β†’ dynamic analysis in sandbox.

  9. What is the purpose of using a SOAR platform in a SOC? Automate repetitive tasks, orchestrate tools, and reduce MTTR (e.g., Splunk SOAR, Cortex XSOAR, Microsoft Sentinel Playbooks).

  10. How do you prioritise response actions during an active attack? Contain first β†’ preserve evidence β†’ eradicate β†’ recover. Use severity + business impact matrix.

  11. How would you use YARA rules in malware analysis? Write or import rules to match strings, hex, imports β†’ scan files, memory dumps, or network traffic.

  12. What is a memory dump, and how is it useful? Full RAM capture (DumpIt, WinPMEM). Reveals in-memory malware, injected code, decrypted strings.

  13. How would you use Velociraptor in threat hunting? Deploy agent β†’ run VQL artifacts (e.g., Windows.Persistence.Minimal) β†’ collect across fleet in seconds.

Network Security & Malware Analysis

  1. What is the purpose of a sandbox environment? Safe detonation of suspicious files to observe behaviour (C2, file drops, registry changes).

  2. How do you analyse packet captures for suspicious activity? Wireshark β†’ filters (http.request, tls.handshake), follow streams, statistics β†’ IO graph for beaconing, export objects.

  3. What is the purpose of network segmentation in security? Limit blast radius; separate OT, guest Wi-Fi, servers, etc. Zero-trust micro-segmentation is 2025 standard.

  4. How do you detect malicious traffic in a packet capture (PCAP)? Unusual ports, beaconing, DGA domains, high entropy, clear-text credentials, and known bad JA3 fingerprints.

  5. What is the role of NetFlow in network security? Flow metadata (src/dst IP, ports, bytes) for anomaly detection (exfil, scanning) without storing full packets.

  6. What are the steps to perform static malware analysis? Hash β†’ strings β†’ PE header (imports, sections) β†’ disassemble (IDA/Ghidra) β†’ check packer.

  7. How would you detect hidden persistence mechanisms? Autoruns, scheduled tasks, services, WMI subscriptions, registry Run keys, AppInit_DLLs, and DLL search order hijacking.

Cloud Security

  1. What are common threats in cloud environments? Misconfigurations (public S3), IAM abuse, insecure APIs, serverless flaws, supply-chain (tainted containers).

  2. How do you investigate a misconfigured cloud storage bucket? Check bucket policy/ACL β†’ CloudTrail for access events β†’ Prowler/ScoutSuite scan β†’ lock down + enable logging.

  3. What tools would you use for threat detection in the cloud? AWS GuardDuty, Azure Sentinel, GCP Security Command Centre, Prisma Cloud, Lacework.

  4. What are common vulnerabilities in cloud deployments? Over-permissive IAM, unencrypted EBS, exposed metadata endpoint (169.254.169.254), SSRF.

  5. Explain how SIEM helps with cloud security. Ingests CloudTrail, VPC Flow Logs, GuardDuty findings β†’ correlates with on-prem alerts β†’ single pane of glass.

Emerging & AI-Related Questions

  1. How does GenAI impact phishing detection in a SOC? Makes emails nearly perfect. Counter with NLP anomaly detection, sender reputation, and user behaviour.

  2. What role does AI play in SOC automation today? Auto-triage, false-positive suppression, case summarisation, playbook suggestions (Sentinel Copilot, Splunk Attack Analyser).

  3. How do you detect supply-chain attacks? SBOM monitoring, in-toto attestations, runtime integrity checks, anomaly detection on third-party processes.

  4. Compare CrowdStrike vs SentinelOne EDR. CrowdStrike: best threat intel + hunting. SentinelOne: strongest autonomous response & rollback.

  5. How would you safely use LLMs (e.g., ChatGPT) in a SOC workflow? Air-gapped or enterprise version, never paste PII/IoCs, use for query generation or summarisation only, always verify output.

  6. What is behavioural AI detection vs. signature-based detection? Signature = exact match (fast, misses new). Behavioural = ML baselines of normal (catches zero-days, higher FP).

  7. How do you secure AI models deployed in your environment? Model signing, input/output validation, red-teaming, monitoring for prompt injection and data poisoning.

Scenario-Based Questions

(Answers kept concise for interview delivery)

  1. User reports files disappearing β†’ Isolate host, check for ransomware processes (e.g., .exe writing .lock), preserve memory, restore from backup.

  2. Unauthorised access to critical server β†’ Kill sessions, force password reset + MFA, check 4624 Type 3/10, hunt lateral movement.

  3. Phishing email reported β†’ Quarantine in mailbox, detonate attachment, block URL/hash everywhere, send org-wide warning.

  4. Suspicious outbound traffic β†’ Block destination IP, isolate host, pull PCAP + EDR process tree, enrich IP.

  5. Ransomware outbreak β†’ Pull LAN cable / disable NIC via EDR, identify variant, don’t pay, restore from offline backups, full IR.

  6. Brute-force attack β†’ Block source IP, enforce account lockout/MFA, check if credentials were compromised.

  7. Critical patch released β†’ Scan affected assets, test in lab, phased rollout (canary β†’ pilots β†’ prod).

  8. Malicious insider β†’ Discreet evidence collection, disable accounts, involve HR/legal, full audit.

  9. Suspected malware infection β†’ Isolate β†’ memory dump β†’ live response β†’ hash + VT β†’ eradicate β†’ verify.

  10. Data exfiltration report β†’ Check DLP/NetFlow, contain egress, calculate impact, legal/compliance notification.

  11. Employee clicked phishing + downloaded β†’ Immediate isolation, full EDR scan, check lateral movement, user re-training.

  12. Multiple alerts at once β†’ Sort by severity + asset criticality (domain controller > workstation), escalate P1.

  13. Repeated false positives β†’ Tune rule (add exclusion, adjust threshold), update baselines, document change.

  14. Pop-ups & redirects β†’ Likely adware/PUP β†’ check browser extensions, rogue processes, reset browser.

  15. DNS traffic spike β†’ Investigate tunnelling or DGA β†’ Zeek DNS logs β†’ block suspicious domains.

  16. Thousands of failed logins from one IP β†’ Auto-block via WAF/fail2ban, confirm brute-force, notify user.

  17. Suspicious file encryption β†’ Quarantine host, check for ransomware note/process, stop spread, restore backups.

  18. Major incident efficiency β†’ Activate IR plan, clear roles, war room (Teams/Slack), automate containment via SOAR.

  19. Critical vuln discovered β†’ Inventory exposure β†’ virtual patch/WAF rule β†’ schedule real patch.

  20. Unauthorised email access β†’ Reset password + MFA, sign-out all sessions, check inbox rules/forwarding, O365 audit log.

  21. Spike in failed API calls β†’ Likely recon or stolen key β†’ rotate keys, rate-limit, check CloudTrail.

  22. DDoS on web app β†’ Enable CDN scrubbing (Cloudflare/Akamai), rate-limit, contact ISP.

  23. Exposed critical ports β†’ Block unless required β†’ require VPN/jump host β†’ justify business need.

  24. Suspicious file changes β†’ FIM alert β†’ correlate with user/process β†’ revert or investigate.

  25. EDR quarantines legit app β†’ Verify hash with vendor, temporary exclusion + monitoring.

  26. Repeated policy violations β†’ Document β†’ retrain β†’ escalate to HR if it continues.

  27. Secure remote access β†’ ZTNA or VPN + MFA + device compliance + session recording.

  28. XSS vulnerability β†’ Input validation/encoding, CSP headers, WAF rule, patch code.

  29. Unmanaged device on network β†’ NAC quarantine β†’ scan β†’ enforce compliance before access.

  30. Malware on USB β†’ Don’t plug in β†’ scan in isolated sandbox β†’ wipe β†’ update policy.

Behavioral Questions

  1. How do you manage multiple tasks/alerts under pressure? Prioritise by risk, use a ticketing system, clear handovers, and automate where possible.

  2. Describe a time you mitigated a real threat β†’ Use STAR: β€œDuring night shift, spotted credential dumping via 4624 Type 10 from Russia β†’ isolated host β†’ found Cobalt Strike β†’ blocked C2 β†’ prevented domain compromise.”

  3. How do you stay updated? Daily: Krebs, DFIR Report, Twitter lists. Weekly: podcasts (Darknet Diaries), labs (TryHackMe SOC Level 2).

  4. Disagreement with teammate on IR strategy? Discuss evidence-based, reference playbooks, escalate to lead if needed β€” goal is best outcome, not ego.

  5. What motivates you in cybersecurity? Constant cat-and-mouse game, direct impact on protecting people and organisations, and the field evolves every day.

PreviousBeyond the Perimeter: The Advanced, Hybrid Blue Team RoadmapNextSOC Analysts Roadmap

Last updated