7TH Set Soc Related Interview Questions

The document outlines key interview questions and answers related to Security Operations Center (SOC) operations, focusing on handover meetings, analyst responsibilities, and tools used for threat detection and investigation. It emphasizes the importance of communication, collaboration, and the use of various tools like IBM Qradar and Splunk in ensuring effective security monitoring and incident response. Additionally, it highlights the significance of documenting findings and recommended actions in a structured manner to enhance workflow and incident management.

Uploaded by selmani.samast

SOC RELATED INTERVIEW QUESTIONS

1. What is the purpose of the handover meeting in a SOC environment?
2. How do handover meetings ensure continuity between shifts?
3. What type of information is typically shared in a SOC handover meeting?
4. What is the role of a stand-up meeting in SOC operations, and how does it help in organizing
daily tasks?
5. How does the L2 analyst guide the SOC team during stand-up meetings?
6. What are the main responsibilities of a SOC analyst at the start of their shift?
7. How do SOC analysts use IBM Qradar for monitoring and investigating offenses?
8. What steps do you take during the triaging process of an offense?
9. How does checking an IP address on VirusTotal, Shodan, and Talos help in identifying
threats?
10. What role do firewall logs play in identifying malicious activities, and why are the user agent
and URL fields important?
11. How do you use CyberChef to decode malicious payloads, and why is this step crucial?
12. What are Indicators of Compromise (IOCs), and how do you investigate them?
13. How does Splunk complement IBM Qradar in analyzing and managing log data?
14. How do you correlate data between different tools such as Qradar and Splunk during an
investigation?
15. What are the key elements to include in a SOC investigation report in Jira?
16. How does using a ticketing management tool like Jira streamline the workflow in SOC?
17. What is included in the Analyst Assessment within a SOC ticket?
18. What types of Recommended Action items are typically proposed after analyzing an
offense?
19. How do L1 analysts collaborate with L2 analysts during the feedback and briefing session at
the end of a shift?
20. Why is it important to participate actively in the handover briefing, and how does it contribute
to the overall SOC process?

1. What is the purpose of the handover meeting in a SOC environment?

The handover meeting ensures a smooth transition between shifts by providing the incoming
team with updates on ongoing incidents, recent intelligence, and any unresolved offenses. This
continuity helps maintain consistent monitoring and response efforts, minimizing the risk of
oversight or duplication of work.

2. How do handover meetings ensure continuity between shifts?

Handover meetings facilitate the transfer of critical information about current threats,
investigations, and pending tasks from the outgoing shift to the incoming one. By sharing
detailed summaries and updates, both shifts stay informed and aligned, ensuring that no
important issues are missed or forgotten during the transition.

3. What type of information is typically shared in a SOC handover meeting?

Information shared includes the latest intelligence on cybersecurity threats and incidents
globally, details of offenses investigated by the previous shift, generated tickets, unresolved
issues requiring further analysis, and any significant changes in the security landscape that
might impact ongoing operations.

4. What is the role of a stand-up meeting in SOC operations, and how does it help in
organizing daily tasks?

The stand-up meeting serves as a daily planning session where team members receive
directions and assignments for the day. Led by the L2 analyst, it includes roll calls, task
allocations (such as server monitoring or offense investigations), and clarifications on priorities.
This helps organize and prioritize daily activities, ensuring that all team members are aware of
their responsibilities and can collaborate effectively.

5. How does the L2 analyst guide the SOC team during stand-up meetings?

The L2 analyst leads the stand-up by conducting roll calls, providing updates on current
threats or priorities, assigning specific tasks or servers to monitor, and distributing offenses that
need investigation. They offer guidance, set expectations, and ensure that each team member
understands their role for the day.

6. What are the main responsibilities of a SOC analyst at the start of their shift?

At the start of their shift, a SOC analyst attends the handover meeting to receive updates,
participates in the stand-up meeting to get task assignments, and begins monitoring for
malicious activities using tools like IBM Qradar. They prioritize their tasks based on the latest
intelligence and assigned duties, setting the stage for effective threat detection and response
throughout their shift.

7. How do SOC analysts use IBM Qradar for monitoring and investigating offenses?

IBM Qradar serves as a Security Information and Event Management (SIEM) tool that
aggregates and analyzes log data from various sources. SOC analysts use it to monitor
real-time security events, detect anomalies, correlate incidents, and generate alerts for potential
threats. Qradar helps in identifying patterns indicative of malicious activities, facilitating timely
investigation and response.

8. What steps do you take during the triaging process of an offense?

During triaging, the analyst first assesses the severity and potential impact of the offense.
They verify the legitimacy of the alert, prioritize it based on risk, and gather initial data such as
IP addresses and user agents. The analyst then conducts preliminary investigations using tools
like VirusTotal and Splunk to determine if further in-depth analysis is required, deciding whether
to escalate or resolve the offense.

9. How does checking an IP address on VirusTotal, Shodan, and Talos help in identifying
threats?

- VirusTotal: Scans the IP against multiple antivirus and threat intelligence databases to detect
known malicious activities or associations.
- Shodan: Provides information about the devices and services exposed on the IP, helping
identify potential vulnerabilities or unauthorized access points.
- Talos Reputational Checker: Offers Cisco's threat intelligence on the IP, indicating its
reputation and any history of malicious behavior.

Using these tools helps validate whether an IP address is associated with known threats,
aiding in the assessment of potential risks.

10. What role do firewall logs play in identifying malicious activities, and why are the user
agent and URL fields important?

Firewall logs record inbound and outbound connection attempts together with the allow or deny
decision applied to each, providing visibility into attempted connections and data transfers. By
analyzing these logs, analysts can identify suspicious patterns, such as unusual traffic volumes
or connections from known malicious IPs. The user agent field helps identify the software or
device initiating the request, while the URL field can reveal attempts to access malicious or
unauthorized web resources; both are critical for detecting and understanding attacks. These two
fields are only populated when the firewall (or a web proxy feeding the same log pipeline)
inspects HTTP traffic at the application layer; plain network-layer firewall logs do not carry them.

11. How do you use CyberChef to decode malicious payloads, and why is this step
crucial?

CyberChef is a web-based tool for decoding and analyzing data. Analysts use it to decode
encoded or obfuscated payloads (e.g., Base64, hexadecimal, URL encoding) to reveal the
underlying malicious code or commands. Decoding payloads is crucial for understanding the
nature of the threat, determining its functionality, and devising appropriate mitigation strategies.
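The layered decoding described above, written out as an added Python example (not from the document or from CyberChef itself): it detects URL encoding, hex and Base64 one layer at a time, in the way an analyst would step through a CyberChef recipe. The sample payload is constructed inline; the `peel` and `_try_decode` names are this example's own.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Constructed sample (not from the document): a command hidden under three
# layers, hex -> Base64 -> URL-encoding, the kind of chain an analyst
# unwinds in CyberChef one recipe step at a time.
PLAINTEXT = "whoami; hostname"
SAMPLE = quote(base64.b64encode(PLAINTEXT.encode().hex().encode()).decode(), safe="")
_URL = re.compile(r"%[0-9A-Fa-f]{2}")
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2}){2,}$")
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _text(raw):
    """Return the bytes as text only if they decode to readable UTF-8."""
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return s if all(c.isprintable() or c in "\r\n\t" for c in s) else None

def _try_decode(data):
    """Remove one layer. Hex is tried before Base64 because any hex string is
    also valid Base64 alphabet; the readability check rejects wrong guesses."""
    if _URL.search(data) and unquote(data) != data:
        return "url", unquote(data)
    if _HEX.match(data):
        out = _text(bytes.fromhex(data))
        if out is not None:
            return "hex", out
    if _B64.match(data) and len(data) % 4 == 0:
        try:
            out = _text(base64.b64decode(data, validate=True))
        except binascii.Error:
            out = None
        if out is not None:
            return "base64", out
    return None

def peel(data, max_layers=10):
    """Strip layers until none is recognised; returns [(encoding, result), ...]."""
    layers = []
    while len(layers) < max_layers:
        step = _try_decode(data)
        if step is None:
            break
        layers.append(step)
        data = step[1]
    return layers
```

`peel(SAMPLE)` returns the three layers in the order they came off, with the original command as the last result; a string with no recognisable encoding returns an empty list.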

12. What are Indicators of Compromise (IOCs), and how do you investigate them?

IOCs are pieces of evidence that indicate a security breach or malicious activity, such as
suspicious IP addresses, domain names, file hashes, or unusual behavior patterns. To
investigate IOCs, analysts correlate them with log data, threat intelligence sources, and system
records to confirm the presence of a compromise, assess its scope, and determine the
necessary response actions.
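To tie the firewall-log fields from question 10 to the IOC correlation in question 12, here is an added Python example (not from the document): it parses constructed key=value firewall lines, matches source and destination addresses against a constructed IOC list, and flags non-browser user agents and URLs that address a raw IP. The log format, the `IOC_IPS` set and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed log lines (not from the document) in the key=value style a
# web-aware firewall emits; the ua and url fields are the ones Q10 discusses.
FW_LOGS = [
    '2024-05-01T08:01:12Z action=allow src=10.0.5.23 dst=93.184.216.34 dport=443 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/124.0" url="https://www.example.com/news"',
    '2024-05-01T08:02:40Z action=allow src=10.0.5.23 dst=198.51.100.17 dport=80 ua="python-requests/2.31" url="http://198.51.100.17/update.php?id=7"',
    '2024-05-01T08:03:05Z action=deny src=10.0.7.9 dst=203.0.113.45 dport=4444 ua="-" url="-"',
    '2024-05-01T08:03:51Z action=allow src=10.0.5.23 dst=93.184.216.34 dport=443 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/123.0" url="https://www.example.com/"',
]
# Constructed IOC list (TEST-NET addresses), standing in for a threat-intel
# feed or the indicators carried over from an earlier ticket.
IOC_IPS = {"198.51.100.17", "203.0.113.45"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Split one line into a dict; the leading timestamp carries no key."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = ts
    return fields

def reasons(event, ioc_ips):
    """List why an event deserves a look; an empty list means nothing matched."""
    why = []
    if event.get("dst") in ioc_ips:
        why.append("destination matches IOC list")
    if event.get("src") in ioc_ips:
        why.append("source matches IOC list")
    ua = event.get("ua", "-")
    # Scripted clients (python-requests, curl, ...) do not present as Mozilla/.
    if ua != "-" and not ua.startswith("Mozilla/"):
        why.append(f"non-browser user agent: {ua}")
    url = event.get("url", "-")
    if url != "-" and _IPV4.match(urlparse(url).hostname or ""):
        why.append("URL addresses a raw IP instead of a hostname")
    return why

def triage(lines, ioc_ips=IOC_IPS):
    """Return [(event, reasons)] for every line with at least one reason."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        why = reasons(event, ioc_ips)
        if why:
            flagged.append((event, why))
    return flagged
```

`triage(FW_LOGS)` flags only the second and third lines; the second carries all three reasons, which is the kind of result that becomes the Source IP, User Agent and IOC fields of the ticket described in question 15.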

13. How does Splunk complement IBM Qradar in analyzing and managing log data?

While IBM Qradar focuses on real-time event correlation and threat detection, Splunk excels
in log management, advanced searching, and data visualization. Using Splunk alongside
Qradar allows analysts to perform deeper investigations, create customized dashboards, and
correlate data from multiple sources, enhancing overall visibility and analytical capabilities within
the SOC.

14. How do you correlate data between different tools such as Qradar and Splunk during
an investigation?

Correlating data involves integrating and cross-referencing information from Qradar and
Splunk to build a comprehensive view of an incident. Analysts might use Qradar's alerts as entry
points and then delve into Splunk's detailed log data to trace the attacker's actions, identify
patterns, and uncover additional indicators. This multi-tool approach ensures thorough analysis
and more accurate threat assessment.

15. What are the key elements to include in a SOC investigation report in Jira?

A SOC investigation report in Jira should include:

- Source IP: Origin of the suspicious activity.
- User Agent: Information about the software or device involved.
- Payload Assessment: Details of the malicious code or data.
- Indicators of Compromise (IOCs): Specific markers of the threat.
- Analysis Summary: Findings from the investigation.
- Supporting Information: References to logs, tools used, and external resources.
- Analyst Assessment: Overall evaluation of the threat.
- Recommended Actions: Steps to mitigate or remediate the issue.

16. How does using a ticketing management tool like Jira streamline the workflow in
SOC?

Jira provides a centralized platform for tracking and managing incidents, assigning tasks, and
monitoring progress. It ensures that all team members are aware of their responsibilities,
deadlines are met, and nothing falls through the cracks. Jira's reporting and collaboration
features enhance communication, facilitate documentation, and enable efficient resolution of
security incidents.

17. What is included in the Analyst Assessment within a SOC ticket?

The Analyst Assessment encompasses the analyst's evaluation of the offense, including the
severity, potential impact, and validity of the threat. It outlines the evidence collected, the
analysis performed, and the conclusions drawn from the investigation. This section may also
highlight any patterns observed, the effectiveness of current defenses, and suggestions for
improving security measures.

18. What types of Recommended Action items are typically proposed after analyzing an
offense?

Recommended Action items may include:

- Immediate Mitigation: Steps to contain or eliminate the threat.
- Patch Management: Applying updates to vulnerable systems.
- Configuration Changes: Adjusting firewall rules or access controls.
- Enhanced Monitoring: Increasing surveillance on affected systems.
- User Education: Informing users about best practices to prevent similar incidents.
- Incident Response Plans: Refining procedures based on lessons learned.
- Further Investigations: Additional analysis if the threat is persistent or widespread.

19. How do L1 analysts collaborate with L2 analysts during the feedback and briefing
session at the end of a shift?

L1 analysts provide updates on the offenses they investigated, share the status of their
tickets, and discuss any challenges or insights gained during their shift. L2 analysts consolidate
this information, offer guidance, address any unresolved issues, and ensure that critical
information is communicated to the next shift. This collaboration fosters knowledge sharing,
continuous improvement, and ensures that all team members are aligned.

20. Why is it important to participate actively in the handover briefing, and how does it
contribute to the overall SOC process?

Active participation in the handover briefing ensures that all relevant information is accurately
communicated, questions are addressed, and any ambiguities are clarified. It promotes
accountability, enhances team cohesion, and ensures that the incoming shift is fully informed
about ongoing and new threats. This active engagement contributes to the effectiveness and
resilience of the SOC by maintaining high standards of situational awareness and coordinated
response.
