Question 1

What is the difference between short-term and long-term containment during an incident? Can you provide examples of each type of containment action?

Accepted Answer

Containment is one of the most critical phases of incident response because it stops an active threat from causing additional damage. The distinction between short-term and long-term containment reflects the different objectives and timelines involved in managing an incident.

Short-term containment focuses on immediate actions to stop the bleeding. The goal is to prevent the incident from spreading or causing further harm right now, often within minutes of confirming the threat. These actions are typically temporary and may not address the root cause, but they buy the team time to plan a mo

Question 2

How do you classify the severity of a security incident, and what factors influence whether an incident is rated as critical versus high or medium?

Accepted Answer

Severity classification is the process of assigning a priority level to a security incident based on its potential or actual impact on the organization. Getting this classification right is essential because it determines the response urgency, the resources allocated, the escalation path, and the SLA timelines that the team must meet.

Most organizations use a four-tier classification system. Critical severity is reserved for incidents that pose an immediate and significant threat to the organization's core operations, data integrity, or reputation. Examples include active ransomware spreadi

Question 3

How would you approach threat hunting for insider threats? What makes hunting for insiders different from hunting for external adversaries, and what behavioral indicators would you focus on?

Accepted Answer

Hunting for insider threats is fundamentally different from hunting for external adversaries because insiders already have legitimate access to systems, data, and networks. They do not need to exploit vulnerabilities, bypass firewalls, or deploy malware. Their malicious activities often look nearly identical to their normal authorized activities, making detection exceptionally challenging.

The primary difference in hunting approach is the shift from looking for unauthorized access to looking for authorized access that is being misused. Instead of hunting for malware signatures or exploitati

Question 4

What is threat hunting, and how does it differ from traditional SOC monitoring? Why is proactive hunting necessary even when an organization has a well-tuned SIEM?

Accepted Answer

Threat hunting is the proactive, iterative search for threats that have evaded existing security controls and automated detection systems. Unlike traditional SOC monitoring, where analysts wait for alerts to appear in the SIEM and then react to them, threat hunting assumes that an attacker may already be inside the network and actively searches for evidence of their presence without relying on predefined rules or signatures.

The fundamental difference is one of posture. Traditional monitoring is reactive: a detection rule fires, an alert appears, and an analyst investigates. Threat hunting

Question 5

What is the difference between signature-based detection and behavior-based detection, and when would you use each approach?

Accepted Answer

Signature-based detection and behavior-based detection represent two fundamentally different philosophies for identifying threats, and understanding when to apply each is a core skill for any SOC L2 analyst working on detection engineering.

Signature-based detection works by matching observed activity against a known pattern or indicator. This could be a specific file hash, a known malicious IP address, a particular command-line string, or an exact sequence of bytes in network traffic. The strength of signature-based detection is precision. When you have a reliable indicator of compromise,

Question 6

What is a SIGMA rule, and why has it become a widely adopted standard in detection engineering?

Accepted Answer

A SIGMA rule is a generic, open-source detection rule format written in YAML that allows security analysts to describe log-based detection logic in a vendor-agnostic way. Originally created by Florian Roth and Thomas Patzke in 2017, SIGMA has become the de facto standard for sharing threat detection content across the security community. Think of it this way: SIGMA is to log files what Snort is to network traffic and YARA is to file scanning.

The core idea behind SIGMA is portability. When you write a detection rule in SIGMA format, you define the log source, the detection conditions, and m

Question 7

What is digital forensics, and how does it support incident response in a SOC environment?

Accepted Answer

Digital forensics is the discipline of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally admissible and scientifically sound. Within a SOC environment, digital forensics serves as a critical capability that transforms raw incident data into actionable intelligence and documented findings.

At its core, digital forensics follows a structured methodology. The process begins with identification, where analysts determine which systems, devices, and data sources are relevant to the incident under investigation. This is followed by preservation, where

Question 8

What is the difference between live forensics and dead-box forensics, and when would you use each approach?

Accepted Answer

Live forensics and dead-box forensics represent two fundamentally different approaches to collecting and analyzing digital evidence, and understanding when to use each is essential for any SOC analyst involved in incident response.

Live forensics refers to the examination and collection of evidence from a system that is still powered on and running. This approach focuses heavily on capturing volatile data, which is information that exists only in the system's current state and will be lost once the machine is powered off. Volatile data includes the contents of RAM, active network connection

Question 9

What is cyber threat intelligence, and can you walk through the six phases of the threat intelligence lifecycle? Explain how each phase contributes to producing actionable intelligence for a SOC team.

Accepted Answer

Cyber threat intelligence is the process of collecting, processing, and analyzing information about current and potential cyber threats so that organizations can make informed security decisions. Unlike raw threat data, which might be a list of suspicious IP addresses or file hashes, threat intelligence adds context, relevance, and actionability. It answers the questions: Who is attacking us? How are they doing it? Why should we care? And what should we do about it?

The intelligence lifecycle is a six-phase iterative process that transforms raw data into finished intelligence products. The

Question 10

Describe the three main types of threat intelligence: strategic, operational, and tactical. Who are the primary consumers of each type, and how does each type inform different security decisions?

Accepted Answer

Threat intelligence is commonly categorized into three types based on the audience it serves, the level of detail it provides, and the timeframe over which it remains relevant. Understanding these distinctions is essential for SOC L2 analysts because each type serves a different purpose in the overall security program.

Strategic threat intelligence is high-level, non-technical intelligence designed for executive and board-level audiences. It provides a broad view of the threat landscape, including trends in cybercrime, geopolitical factors that influence cyber operations, and the motivation

SOC Analyst

Topics

Incident Investigation & Response

Threat Hunting Fundamentals

Detection Engineering & Rule Tuning

Digital Forensics & Evidence Collection

Threat Intelligence & Analysis

Mock Interview

Quick Stats