Soc Scenario Hard

The document provides a series of interview questions and answers for the role of SOC Analyst L1, detailing scenarios related to incident handling, alert management, and communication with clients. It emphasizes the importance of thorough investigation, documentation, and collaboration within the SOC team to effectively address security incidents. Additionally, it outlines the candidate's career progression goals and technical knowledge related to network traffic and IP address identification.

Uploaded by Abd Arief Khan

LATEST SOC ANALYST L1 INTERVIEW QUESTIONS (SCENARIO AND EXAMPLE)

BY IZZMIER IZZUDDIN

1. Interviewer: What are some of the hardest alerts you have handled in your role as a SOC Analyst L1? Can you provide an example?

Answer:
One of the most challenging alerts I encountered involved suspicious activity detected on a critical server hosting sensitive customer data. Here's how I approached and resolved the situation:

• One evening, our SIEM flagged unusual outbound traffic from a database server that stores sensitive customer information.
• The initial analysis suggested possible data exfiltration, which raised significant concern about a potential security breach.
• I immediately notified the SOC team on the current shift and began a detailed examination of the alert. Given the sensitivity of the server and the potential impact, swift action was crucial.
• I began by reviewing the firewall logs and server logs to gather more information about the outbound traffic. This included identifying the source and destination IPs, the timestamps, and any anomalous patterns in the data transfer.
• Concurrently, I examined the endpoint associated with the server to check for signs of compromise or unauthorized access attempts. This involved verifying user activity logs and running endpoint detection tools to identify any suspicious processes or files.
• I consulted threat intelligence feeds to cross-reference the IPs involved in the traffic against known malicious sources. This step aimed to establish whether the activity aligned with known attack vectors or was a novel threat.
• I collaborated closely with the L2 SOC Analysts and the other L1 analysts to share findings and gather additional insights. This collaboration helped validate my initial findings and expand the scope of our investigation.
• Simultaneously, I initiated communication with the client to inform them of the ongoing investigation and reassure them that we were taking the necessary steps to mitigate any potential impact.
• Through collective analysis and correlation of the data points, we determined that the outbound traffic was due to a misconfigured backup process rather than malicious activity. The misconfiguration caused an unintended data transfer that triggered the alert.
• We promptly corrected the misconfiguration and implemented additional monitoring controls to prevent similar incidents in the future. This included refining our alerting thresholds to differentiate between genuine threats and benign anomalies.
• I thoroughly documented the incident, including our investigation steps, findings, and the corrective actions taken. This documentation served as a valuable reference for future incident response and knowledge sharing within the SOC team.

2. Interviewer: You are finishing your night shift as a SOC Analyst L1. You've handled several incidents, including a phishing attempt and a suspected malware infection on a critical server. How would you prepare for handover?

Answer:
First:

• I would document all incidents in the SOC incident management system.
• Update the incident logs with their current statuses and the actions taken.
• Prepare a shift report highlighting key incidents, actions, and unresolved issues.

Then:

• I would arrange a meeting with the incoming analyst scheduled to start their shift.
• Discuss the phishing attempt and the malware incident, detailing any necessary follow-up actions.
• Provide access to the incident details in the SOC management system and any relevant documentation.

Next:

• I would make sure that the incoming analyst understands the incidents, their current status, and the actions required.
• Encourage the incoming analyst to reach out for further clarification or assistance as needed during their shift.

Finally:

• Remain available for a brief period after the handover to address any last-minute questions or concerns.
• Document the handover process in the shift handover log or incident management system for future reference.

3. Interviewer: During a busy shift, you might overlook an alert. What will you do if you miss an alert?

Answer:
If I were to miss an alert, my immediate response would be to follow the established incident response procedures to mitigate any potential impact. Here's how I would approach the situation:

• First, I would conduct a thorough review of the alerting system to identify any missed alerts and understand their context, severity, and potential implications.
• Prioritize the missed alerts based on their criticality and their impact on our systems or clients.
• If a missed alert impacts a client, I would promptly notify them of the incident, providing a detailed explanation of what happened, the potential risks involved, and the steps we are taking to rectify the situation.
• It's crucial to maintain open communication with clients, ensuring they are informed throughout the incident response process.
• Finally, I would conduct a post-incident review with the SOC Manager to identify gaps in our alerting processes and incident response procedures.

4. Interviewer: As a SOC Analyst L1, after preparing an email notification for client A, you accidentally send it to client B instead. What actions would you take in response?

Answer:
If I accidentally sent an email notification intended for client A to client B instead, here's how I would respond:

• I would immediately notify my shift lead and the SOC Manager about the incident to ensure awareness and initiate the appropriate actions.
• I would reach out to client B promptly to explain the situation and request that they disregard the email, since it contains sensitive information intended for client A.
• Without delay, I would inform client A about the mistake, providing a transparent explanation of what occurred and assuring them that steps are being taken to address the error.
• If feasible, I would attempt to recall the email using the email client's recall feature to limit the exposure of the sensitive information.
• I would follow up with both clients A and B to confirm that the situation has been resolved satisfactorily and to address any concerns they may have.
• To prevent future occurrences, I would advocate for improvements in our email verification processes and client communication protocols, emphasizing the importance of accuracy and data protection.

5. Interviewer: You are working as a SOC Analyst L1 and have noticed a significant increase in false positive alerts from routine network scans. This influx is causing alert fatigue among your team and impacting productivity. How would you address this issue?

Answer:
As a SOC Analyst L1, I understand the significant challenge that alert fatigue poses, particularly when dealing with a high volume of false positive alerts. Here's how I would handle this issue:

• First, I would conduct a thorough analysis of the alerts to identify patterns and the root causes of the false positives. This involves reviewing the alert triggers, thresholds, and the context in which they are generated.
• I would work closely with the SOC Engineer (SIEM Engineer) to adjust alert thresholds and configurations within our SIEM (Security Information and Event Management) system. By fine-tuning these settings, we can reduce the number of false positives while ensuring genuine threats are still captured.
• Collaboration with the SOC team and sharing insights across the team is crucial. Regular discussions and knowledge-sharing sessions help us refine our detection rules and enhance our collective understanding of what constitutes a genuine threat.

6. Interviewer: A new type of alert appears in the SIEM, indicating unusual activity that no SOC Analyst L1 has encountered before. The alert indicates a potential security threat but lacks a clear precedent for handling. How would you handle this situation?

Answer:
If I encounter a new type of alert in the SIEM indicating unusual activity without a clear precedent, my approach as a SOC Analyst L1 would be methodical and focused on swift action and thorough investigation:

• I would acknowledge the alert promptly and initiate a preliminary assessment to gather the essential details about the nature of the activity, the affected systems, and the potential implications.
• Understanding the urgency and the potential threat posed by the alert, I would prioritize isolation and containment measures to prevent further escalation or compromise of systems.
• Engaging with the L2 SOC Analysts or shift leads is essential. Their experience and insights can provide valuable guidance in interpreting the alert and determining the appropriate response.
• I would conduct a detailed investigation. This would include analysing endpoint logs, reviewing network traffic patterns, and consulting threat intelligence sources to gain deeper context.
• I would continue monitoring the affected systems closely. Adjusting detection rules and enhancing monitoring capabilities ensures readiness to detect similar incidents in the future.
• Documenting lessons learned and updating the SOPs ensures that the team is better prepared for similar alerts in the future. Knowledge-sharing sessions with colleagues help reinforce best practices and improve overall response effectiveness.

7. Interviewer: Imagine you've sent an alert notification to a client concerning a potential malware detection on one of their servers. In response, the client asks for detailed information about the malware's specific actions, the risks it poses, and comprehensive steps for remediation. What steps would you take to address their inquiries, especially if the technical details are beyond your current expertise?

Answer:
If a client responds with questions about a potential malware detection that are beyond my current expertise, here's how I would handle it:

• First, I would acknowledge the client's questions and reassure them that I am taking their concerns seriously.
• Immediately, I would escalate the matter to the senior SOC analysts or team leads who have deeper expertise in malware analysis and incident response. This ensures that the client receives accurate and comprehensive information.
• Collaborate closely with the SOC Analyst L2 to gather detailed information about the specific actions of the malware, the risks it poses, and the recommended steps for remediation.
• Based on the guidance from the SOC Analyst L2, I would prepare a detailed response addressing the client's questions. This response would include a clear explanation of the malware's behaviour, its potential impact on their systems, and step-by-step instructions for mitigation and remediation.
• Communicate the detailed response to the client in a clear and understandable manner. It's essential to ensure that the client understands the severity of the issue and the actions they need to take to mitigate the risks effectively.
• Provide ongoing support to the client as they implement the remediation steps. Offer assistance and guidance to address any further questions or concerns they may have during the process.

8. Interviewer: What are your career goals for the next 2-3 years, and how do you see yourself progressing within our SOC Team?

Answer:
In the next 2-3 years, I envision myself progressing from a SOC Analyst L1 to an L2 position. My primary goal is to deepen my technical skills and enhance my understanding of advanced threat analysis and incident response. Here's how I plan to achieve this:

• In the first year, my focus will be on mastering the core responsibilities of an L1 analyst, including incident monitoring, initial triage, and basic threat analysis. I will make sure to handle alerts efficiently, learn from each incident, and document my findings comprehensively.
• I plan to pursue advanced certifications such as the Certified Information Systems Security Professional (CISSP) to gain deeper insights into incident handling and threat management.
• I will also engage in continuous learning through online courses and attend relevant webinars and conferences to stay up to date with the latest cybersecurity trends and technologies.
• I aim to get involved in more complex incidents and projects by shadowing L2 analysts and learning from their expertise. This hands-on experience will help me understand the intricacies of advanced threat detection and response.
• I will focus on honing my analytical skills by working with threat intelligence feeds, performing detailed log analysis, and using advanced tools and techniques for threat hunting. This will prepare me for the analytical demands of an L2 role.
• I plan to collaborate closely with the SOC team and contribute to improving our incident response playbooks and processes. Additionally, as I gain more experience, I would like to mentor new L1 analysts, sharing my knowledge and helping them grow within the team.

9. Interviewer: Here's an IP address: 172.20.10.5, is this an internal or external IP?

Answer:
172.20.10.5 is an internal IP address because it falls within the 172.16.0.0 to
172.31.255.255 range, which is designated for private internal networks.

Interviewer: Here's an IP address: 203.0.113.5, is this an internal or external IP?

Answer:
203.0.113.5 is an external IP address because it does not fall within any of the private
IP address ranges (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or
192.168.0.0 to 192.168.255.255). It is a public IP address.

10. Interviewer: Can you identify whether the traffic is inbound or outbound based on the alert details I will provide?

SIEM Alert 1:

SIEM Alert: Suspicious Traffic Detected
Timestamp: 2024-06-27 10:10:00
Source IP: 192.168.1.100
Destination IP: 203.0.113.50
Destination Port: 445 (SMB)
Action: Allowed

Firewall Log 1:

Firewall Log Entry:
Timestamp: 2024-06-27 10:11:00
Source IP: 192.168.1.100
Destination IP: 203.0.113.50
Destination Port: 445 (SMB)
Action: Allowed

Is this traffic inbound (incoming to your network) or outbound (outgoing from your network)?

Answer:
Based on the SIEM alert, the traffic is a connection attempt from the internal host 192.168.1.100 to the external address 203.0.113.50 on port 445 (SMB). The firewall log confirms that the traffic from 192.168.1.100 to 203.0.113.50 on port 445 was allowed. Because the source is internal and the destination is external, this is outbound traffic from your network.

SIEM Alert 2:

SIEM Alert: Suspicious Traffic Detected
Timestamp: 2024-06-27 10:10:00
Source IP: 203.0.113.50
Destination IP: 192.168.1.101
Destination Port: 3389 (RDP)
Action: Denied

Firewall Log 2:

Firewall Log Entry:
Timestamp: 2024-06-27 10:11:00
Source IP: 203.0.113.50
Destination IP: 192.168.1.101
Destination Port: 3389 (RDP)
Action: Denied

Is this traffic inbound (incoming to your network) or outbound (outgoing from your network)?

Answer:
Based on the SIEM alert, the traffic comes from the external IP 203.0.113.50 and targets the internal server 192.168.1.101 on port 3389 (RDP). The firewall log confirms that this traffic from 203.0.113.50 to 192.168.1.101 on port 3389 (RDP) was denied. Because the source is external and the destination is internal, this is inbound traffic.

11. Interviewer: As a SOC Analyst L1, you receive an alert indicating unusual network activity from the IP address 192.168.10.15. You need to determine the subnet this IP address belongs to. How would you find this information, and what would the subnet be if the subnet mask is 255.255.255.0?

Answer:
To determine the subnet of the IP address 192.168.10.15 with a subnet mask of 255.255.255.0:

• Subnet Mask: 255.255.255.0 corresponds to a /24 network, meaning the first 24 bits of the IP address are the network portion and the last 8 bits are the host portion.
• Convert the IP address and the subnet mask to binary:
  o IP Address: 192.168.10.15 -> 11000000.10101000.00001010.00001111
  o Subnet Mask: 255.255.255.0 -> 11111111.11111111.11111111.00000000
• Perform a bitwise AND between the IP address and the subnet mask to find the network address:
  o Network Address: 11000000.10101000.00001010.00000000 (binary)
  o Network Address: 192.168.10.0 (decimal)
• Conclusion:
  o The subnet for the IP address 192.168.10.15 with a subnet mask of 255.255.255.0 is 192.168.10.0/24.
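The address reasoning in questions 9, 10 and 11 (private-range check, traffic direction, and the bitwise-AND subnet calculation) as one runnable example. This is an added illustration, not code from the document; the alert dictionaries are constructed from the two SIEM alerts above, and the direction function goes one step beyond the text by also naming internal-to-internal and external-to-external traffic.

```python
import ipaddress

# RFC 1918 private ranges, exactly the three blocks listed in the answer to question 9.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alerts modelled on SIEM Alert 1 and 2 from question 10 (not the document's own data).
SAMPLE_ALERTS = [
    {"src": "192.168.1.100", "dst": "203.0.113.50", "dport": 445, "action": "Allowed"},
    {"src": "203.0.113.50", "dst": "192.168.1.101", "dport": 3389, "action": "Denied"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def direction(src: str, dst: str) -> str:
    """Classify traffic from our network's perspective, as in question 10.
    Also names lateral (internal-to-internal) and external-to-external flows,
    which the document does not cover but a SOC sees regularly."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "lateral" if src_in else "external-to-external"


def to_binary(ip: str) -> str:
    """Dotted binary form, as written out in the question 11 worked example."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(ip).packed)


def subnet_of(ip: str, mask: str) -> str:
    """Network address via bitwise AND of address and mask, reported as CIDR."""
    mask_int = int(ipaddress.ip_address(mask))
    prefix = bin(mask_int).count("1")
    # A valid mask is a run of ones followed by zeros; reject e.g. 255.0.255.0.
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    network = int(ipaddress.ip_address(ip)) & mask_int
    return f"{ipaddress.ip_address(network)}/{prefix}"


def triage_alert(alert: dict) -> str:
    """One-line direction summary an analyst could paste into the ticket."""
    d = direction(alert["src"], alert["dst"])
    return f"{d} {alert['action'].lower()} traffic {alert['src']} -> {alert['dst']}:{alert['dport']}"


if __name__ == "__main__":
    # 172.32.0.1 sits just past 172.31.255.255, so it is public despite starting with 172.
    for ip in ("172.20.10.5", "203.0.113.5", "172.32.0.1"):
        print(ip, "internal" if is_internal(ip) else "external")
    for alert in SAMPLE_ALERTS:
        print(triage_alert(alert))
    print(to_binary("192.168.10.15"), "&", to_binary("255.255.255.0"))
    print("->", subnet_of("192.168.10.15", "255.255.255.0"))
```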

12. Interviewer: Can you tell me the common port numbers used for the following services: HTTP, HTTPS, FTP, SSH, and DNS?

Answer:
Of course. Here are the common port numbers for those services:

• HTTP (HyperText Transfer Protocol):
  o Port: 80
  o Description: HTTP is used for transferring web pages on the internet. It's the foundation of data communication for the World Wide Web.
• HTTPS (HyperText Transfer Protocol Secure):
  o Port: 443
  o Description: HTTPS is the secure version of HTTP, used for secure communication over a computer network, and is widely used on the internet.
• FTP (File Transfer Protocol):
  o Ports: 20 and 21
  o Description: FTP is used to transfer files between a client and a server on a computer network. Port 21 is used for control (commands), and port 20 is used for data transfer.
• SSH (Secure Shell):
  o Port: 22
  o Description: SSH is a protocol for securely accessing and managing network devices and servers over an unsecured network.
• DNS (Domain Name System):
  o Port: 53
  o Description: DNS is used to translate human-friendly domain names to IP addresses, enabling users to access websites using domain names instead of IP addresses.

13. Interviewer: Great, and what about some other common services like SMTP, POP3, IMAP, and RDP?

Answer:
Sure, here are the common port numbers for those services:

• SMTP (Simple Mail Transfer Protocol):
  o Port: 25
  o Description: SMTP is used for sending emails from a client to a server or between servers.
• POP3 (Post Office Protocol 3):
  o Port: 110
  o Description: POP3 is used by email clients to retrieve emails from a mail server. It's a protocol that downloads the email from the server to the client.
• IMAP (Internet Message Access Protocol):
  o Port: 143
  o Description: IMAP is used by email clients to retrieve messages from a mail server, allowing clients to manage their email directly on the server.
• RDP (Remote Desktop Protocol):
  o Port: 3389
  o Description: RDP is used for remote management of a computer over a network, allowing users to connect to another computer remotely.

14. Interviewer: As a SOC Analyst L1, you receive an alert indicating suspicious activity from an external IP address, 203.0.113.45. You need to determine whether this IP address is malicious. Describe the steps you would take to verify its status and provide a detailed example of how you would perform this analysis.

Answer:
I would check the IP address against external reputation sources, review our internal logs for any activity involving it, and run a WHOIS lookup, then classify it and escalate based on the combined picture. As an example:

Let's say I checked VirusTotal, and the IP address 203.0.113.45 was flagged by multiple vendors as being associated with malware distribution. AbuseIPDB also has several reports of this IP address being involved in phishing attacks.

Next, I would look at our internal logs and see that this IP address has attempted to connect to our web server on port 443 multiple times over the past week, but the connections were blocked by our firewall. The WHOIS lookup reveals that the IP address is registered to an entity in a region known for cybercriminal activity.

Based on this analysis, I would classify the IP address as potentially malicious. I would document all my findings and escalate the alert to the senior analysts for further investigation and to determine whether additional security measures are needed, such as blocking the IP address across our network.

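The internal-log part of that analysis (how often the IP hit us, which ports, whether anything got through, over what period) as an added example, not code from the document. The key=value log format, the log lines themselves, and the "reputation flagged" input are all constructed assumptions standing in for a real firewall export and the VirusTotal/AbuseIPDB checks described above.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed firewall log lines (not from the document); the format is an assumption.
# The fifth line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2024-06-20 08:15:02 src=203.0.113.45 dst=10.0.0.8 dport=443 action=DENY
2024-06-21 23:40:11 src=203.0.113.45 dst=10.0.0.8 dport=443 action=DENY
2024-06-23 02:05:37 src=203.0.113.45 dst=10.0.0.8 dport=22 action=DENY
2024-06-24 14:12:09 src=198.51.100.7 dst=10.0.0.8 dport=443 action=ALLOW
this line is not a firewall event
2024-06-26 19:58:44 src=203.0.113.45 dst=10.0.0.8 dport=443 action=DENY
2024-06-27 10:10:00 src=203.0.113.45 dst=10.0.0.8 dport=443 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def parse_log(text: str) -> List[Dict]:
    """One event per line; lines that do not match the format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, action = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "src": src, "dst": dst, "dport": int(dport), "action": action})
    return events


def summarize_source(events: List[Dict], ip: str) -> Optional[Dict]:
    """Activity profile for one source IP: attempt counts, ports, targets, time span."""
    hits = [e for e in events if e["src"] == ip]
    if not hits:
        return None
    actions = Counter(e["action"] for e in hits)
    first, last = min(e["ts"] for e in hits), max(e["ts"] for e in hits)
    return {"attempts": len(hits), "denied": actions["DENY"], "allowed": actions["ALLOW"],
            "ports": sorted({e["dport"] for e in hits}),
            "targets": sorted({e["dst"] for e in hits}),
            "first_seen": first, "last_seen": last, "span_days": (last - first).days}


def verdict(summary: Optional[Dict], reputation_flagged: bool) -> str:
    """Combine internal evidence with the external reputation result, as the answer does.
    An allowed connection from a flagged IP outranks any number of blocked attempts."""
    if summary is None:
        return "no internal activity: record reputation hit, monitor"
    if reputation_flagged and summary["allowed"]:
        return "escalate: flagged IP had allowed connections, review the target host"
    if reputation_flagged:
        return "potentially malicious: blocked attempts only, escalate and propose a block"
    return "unconfirmed: no reputation hits, keep watching"


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    profile = summarize_source(evts, "203.0.113.45")
    print(profile)
    print(verdict(profile, reputation_flagged=True))  # constructed: reputation sources flagged it
```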
15. Interviewer: During your shift, you receive an overwhelming number of alerts. How do you prioritize and handle them to ensure critical threats are addressed promptly?

Answer:
If I receive an overwhelming number of alerts during my shift, I would take the following steps to prioritize and handle them effectively:

• I would start by categorizing the alerts based on their severity and potential impact. Critical alerts that indicate potential data breaches, malware infections, or other high-risk activities would be given the highest priority.
• I would use the SIEM system's built-in features to filter and sort alerts by severity, frequency, and affected assets. This helps in quickly identifying the most critical threats that need immediate attention.
• For high-priority alerts, I would follow the predefined playbooks and response procedures to ensure a swift and effective response. This includes the initial triage steps, investigation techniques, and containment measures.
• I would communicate with my team members during my shift to delegate less critical alerts. This ensures that while I focus on the most pressing issues, other alerts are still being addressed by my colleagues.
