SOC L1 Interview QA

The document outlines key interview topics and questions for a Level 1 SOC Analyst, covering essential concepts such as SOC roles, SIEM tools, log analysis, common cyberattacks, and incident response procedures. It also discusses various security measures, frameworks, and detection methods for different types of attacks like phishing, DDoS, and ransomware. Additionally, it highlights the importance of tools and practices like threat intelligence, encryption, and security audits in maintaining cybersecurity.

Uploaded by hackermindhack53
Copyright © All Rights Reserved

SOC L1 Interview Topics & Q&A

1. What is a SOC and what is the role of an L1 SOC Analyst?

A SOC (Security Operations Center) is the centralized team, process and tooling responsible for continuously monitoring, detecting, analyzing and responding to security events across an organization. The L1 analyst is the first line: they watch the SIEM and alert queues, triage each alert as true positive, false positive or benign, enrich it with basic context (asset owner, user, threat-intel lookups), handle well-understood cases with playbooks, and escalate confirmed or unclear incidents to L2/L3 with a written summary of what was observed and what was already done.

2. What is SIEM and how does it work?

SIEM (Security Information and Event Management) platforms collect logs from many sources (endpoints, servers, firewalls, proxies, identity providers, cloud services), normalize them into common fields, store them for search and retention, and run correlation rules and analytics across them. A single failed logon or a single outbound connection rarely means anything on its own; the SIEM's value is in correlating events from different systems (a phishing email, the proxy hit on its link, then a logon for that user from a new country) into one alert that an analyst can triage.

3. Examples of SIEM tools (Splunk, QRadar, ArcSight)

SIEM tools such as Splunk, IBM QRadar and ArcSight are used for log collection and management, event correlation, alerting and investigation dashboards. They are the core console for real-time analysis and incident detection in a SOC.

4. Types of logs analyzed in a SOC (Windows logs, firewall, proxy, IDS/IPS)

SOC analysts work with many log types: Windows Event Logs (above all the Security log: logons, account changes, privilege use, process creation), firewall logs (allowed and denied connections with source, destination and port), proxy logs (which user or host requested which URL and whether it was blocked), and IDS/IPS alerts (signature matches on network traffic). DNS, VPN, email-gateway, EDR and cloud authentication logs are also routinely used. Each source confirms or rules out malicious activity from a different vantage point, which is why an investigation pivots between them on a shared field such as username, hostname or IP.

5. What is log analysis?

Log analysis is the systematic review of logs to find signs of malicious or anomalous activity: failed and unusual logons, known attack signatures, new or rare processes, connections to suspicious destinations, and deviations from a baseline (new sources, unusual times, unusual volumes). In practice it means knowing what normal looks like for the environment, searching and filtering at scale rather than reading line by line, and correlating across sources on a common key such as user, host or IP.

6. What are common cyberattacks?

Common attacks include brute force and password spraying against logons, phishing (credential theft and malware delivery), malware including ransomware, DDoS, Man-in-the-Middle (MITM), and web application attacks such as SQL injection and XSS. An L1 analyst needs to know what each of these looks like in the logs they monitor, not only what it is.

7. What is Incident Response and its steps?

Incident response is the defined process for handling a confirmed security incident. The commonly cited phases (SANS, aligned with NIST SP 800-61) are Preparation, Identification (detection and analysis), Containment, Eradication, Recovery, and Lessons Learned. Preparation (playbooks, tooling, contacts, adequate logging) happens before any incident; at L1 the focus is Identification and supporting short-term containment under a playbook, such as isolating a host or disabling an account.

8. What is the MITRE ATT&CK Framework?

MITRE ATT&CK is a publicly maintained knowledge base of adversary behaviour organized into tactics (the attacker's goal at a stage, such as Initial Access, Persistence, Lateral Movement, Exfiltration) and techniques (how that goal is achieved, each with an identifier such as T1566 for Phishing). SOC teams use it to map detections and alerts to known behaviours, find gaps in coverage, and describe an incident in a shared vocabulary.

9. What are IOCs (Indicators of Compromise)?

IOCs are observable artifacts that indicate a system or network may be compromised: IP addresses and domains used for command and control, file hashes (MD5, SHA-1, SHA-256) of malware, URLs, sender addresses, registry keys, mutexes and file paths. They are matched against logs and endpoints for detection. Because they are cheap for an attacker to change, they are complemented by behaviour-based detections that describe what the malware does rather than what it is.

10. What is the OSI Model and its layers?

The OSI model is a conceptual framework for understanding network interactions. Its 7 layers are Physical, Data Link, Network, Transport, Session, Presentation, and Application. Analysts mostly work with Layer 3 artifacts (IP addresses), Layer 4 (TCP/UDP ports and connection state) and Layer 7 (HTTP, DNS, SMTP content).

11. What is TCP/IP and common port numbers (80, 443, 22, etc.)?

TCP/IP is the protocol suite the Internet runs on: IP for addressing and routing, TCP and UDP for transport. Ports an analyst should recognize on sight: 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 80 HTTP, 110 POP3, 143 IMAP, 443 HTTPS, 445 SMB, 3389 RDP. Unexpected use of these ports (SMB or RDP exposed to the Internet, HTTP on a non-standard port, DNS to a server other than the corporate resolver) is a frequent investigation trigger.

12. How to detect a phishing attack in logs?

Phishing shows up across several log sources: email gateway logs (sender domain not matching the display name, SPF/DKIM/DMARC failures, newly registered or lookalike domains, attachments with risky extensions), proxy or DNS logs showing users resolving or clicking the link shortly after delivery, and authentication logs showing a logon for the user who clicked from a new device, country or IP, or an unexpected new MFA registration or inbox rule. Multiple failed logons against that user can also appear when the stolen password is stale or MFA blocked the attempt.

13. What are Windows Event IDs for logon/logoff?

Key Windows Security log Event IDs: 4624 (successful logon), 4625 (failed logon), 4634 and 4647 (logoff), 4648 (logon using explicit credentials, e.g. runas), 4672 (special privileges assigned at logon, i.e. an administrative logon), 4720 (user account created), 4740 (account locked out). The Logon Type field in 4624/4625 matters: 2 is interactive (console), 3 is network (e.g. SMB), 10 is RemoteInteractive (RDP). A burst of 4625 followed by a 4624 from the same source is the classic brute-force pattern.

14. Difference between IDS and IPS

An IDS (Intrusion Detection System) sits out of band on a SPAN port or TAP and only detects and alerts; an IPS (Intrusion Prevention System) sits inline in the traffic path and can drop packets or reset malicious connections. The trade-off is that an IPS can stop an attack but a false positive blocks legitimate traffic, so IPS signatures are tuned more conservatively than IDS ones.


15. Basic use of Wireshark or packet analysis tools

Wireshark captures packets and decodes them protocol by protocol. Typical L1 uses: filtering a capture by host, port or protocol with display filters such as ip.addr == 10.0.0.5 && tcp.port == 443, following a TCP or HTTP stream to see a whole conversation, reviewing DNS queries, and exporting files transferred over HTTP or SMB. tcpdump is used for headless capture on servers, with the resulting PCAP opened in Wireshark.

16. What is threat intelligence? Examples (VirusTotal, AbuseIPDB)

Threat intelligence is information about adversaries, their infrastructure and tooling in a form that supports detection and decisions: indicator feeds, and reports on campaigns and TTPs. VirusTotal lets an analyst check a file hash, URL or domain against many antivirus engines and see related samples; AbuseIPDB collects community reports of abusive IP addresses. Both are used for enrichment during triage. A hit is context rather than proof, and a clean result does not prove that something is safe.
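The IOC and threat-intelligence answers above describe matching indicators against logs. The following is an added example for this page, not code from the original document: it matches a local indicator set (file hashes, an IP, a CIDR range, a domain) against constructed proxy log lines and file contents. The indicator values and log lines are made up; in practice the lists would come from a feed or from VirusTotal/AbuseIPDB lookups, and no network calls are made here.

```python
"""Match local IOC lists against constructed proxy log lines and file bytes.

Added example, not part of the original Q&A. All indicators and log lines
below are constructed for the demo.
"""
import hashlib
import ipaddress
import re

# Constructed indicator set: SHA-256 of a sample file body, a bad IP,
# a bad /24, and a domain (subdomains of it count as matches).
IOC_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00evil-payload-sample").hexdigest(): "Dropper.Sample",
}
IOC_IPS = {"198.51.100.23"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]
IOC_DOMAINS = {"bad-update.example"}

# Constructed squid-style lines: timestamp client_ip status bytes method url
PROXY_LOGS = """\
1714557600.123 10.0.0.12 TCP_MISS/200 4311 GET http://cdn.bad-update.example/u.exe
1714557601.456 10.0.0.12 TCP_MISS/200 911 GET https://www.example.com/
1714557602.789 10.0.0.33 TCP_MISS/200 120 GET http://203.0.113.45/beacon
1714557603.000 10.0.0.40 TCP_MISS/200 120 GET http://198.51.100.23:8080/c2
"""

URL_HOST = re.compile(r"^[a-z]+://([^/:]+)")


def host_of(url):
    """Scheme-stripped host without port or path, or None if unparseable."""
    m = URL_HOST.match(url)
    return m.group(1) if m else None


def ip_match(host):
    """Exact IP hit first, then CIDR membership; None if host is not an IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if str(ip) in IOC_IPS:
        return f"ip:{ip}"
    for net in IOC_NETS:
        if ip in net:
            return f"net:{net}"
    return None


def domain_match(host):
    """Check the host and every parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return f"domain:{candidate}"
    return None


def scan_proxy(log_text):
    """Return one hit dict per log line whose destination matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, url = fields[1], fields[5]
        host = host_of(url)
        if not host:
            continue
        indicator = ip_match(host) or domain_match(host)
        if indicator:
            hits.append({"client": client, "url": url, "indicator": indicator})
    return hits


def scan_file(data: bytes):
    """Return the IOC label for the file's SHA-256, or None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOGS):
        print(hit)
    print(scan_file(b"MZ\x90\x00evil-payload-sample"))
```

Hashing is done with SHA-256 rather than MD5 because MD5 collisions are practical; the domain check walks parent domains so that a feed entry for bad-update.example also catches cdn.bad-update.example.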

17. Difference between vulnerability and exploit

A vulnerability is a weakness (a software bug or a misconfiguration) that could be abused; an exploit is code or a technique that actually abuses it to achieve something, such as code execution or privilege escalation. A vulnerability can exist for years without a public exploit, which is why patch prioritization considers both severity (CVSS) and whether an exploit is known to be in use.

18. What is a firewall?

A firewall filters traffic between network zones according to rules on source, destination, port and protocol. Stateful firewalls track connections so only replies to permitted sessions are allowed back in; next-generation firewalls add application and user awareness and IPS functions. For the SOC, firewall logs record what was allowed and denied, which makes them a primary source for spotting port scanning, blocked outbound command-and-control attempts and unexpected inbound access.

19. Explain a recent attack or real-world cyber incident

The SolarWinds compromise (disclosed in December 2020) is a software supply-chain attack: attackers gained access to SolarWinds' build environment and inserted a backdoor (known as SUNBURST) into legitimate, digitally signed updates of the Orion IT monitoring product. Thousands of customers installed the update, including US government agencies, and the backdoor beaconed out over DNS before selected victims were worked on further. It illustrates why trusted software still needs monitoring: unusual outbound DNS and HTTPS traffic from the Orion servers was the detection clue.

20. What are compliance frameworks? (ISO 27001, NIST basics)

Frameworks provide a structured set of controls to implement and be measured against. ISO/IEC 27001 is a certifiable standard for an information security management system (ISMS). NIST publishes the Cybersecurity Framework (core functions Identify, Protect, Detect, Respond, Recover, with Govern added in CSF 2.0), the SP 800-53 control catalog, and SP 800-61 for incident handling. For a SOC, these define what must be logged, monitored, retained and reported, and audits check evidence that those controls actually operate.

21. What is a Brute Force attack and how is it detected?

A brute-force attack tries many passwords against an account, either exhaustively or from a dictionary. Related variants are credential stuffing (replaying leaked username/password pairs) and password spraying (a few common passwords against many accounts, staying below lockout thresholds). Detection: many failed logons (Windows Event ID 4625, "Failed password" in Linux auth logs, VPN or web authentication failures) from one source against one account in a short window, or one source failing against many different accounts, and above all a success (4624) following the failures from the same source. Account lockouts (4740) are a supporting signal.
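The Windows Event ID answer (13) and the brute-force answer (21) describe the pattern in words; the following is an added example for this page, not code from the original document. It runs a sliding-window detection over constructed 4624/4625 records (field names mirror what a SIEM shows, but every value is made up) and distinguishes single-account brute force, password spraying across accounts, and a success after repeated failures.

```python
"""Brute-force and password-spray detection over Windows Security events.

Added example for this Q&A page (not the original document's code). The
records below are constructed; the field names mirror the EventData fields
an analyst sees (TargetUserName, IpAddress, LogonType).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    # Classic brute force: one source hammers one account every 2 s, then succeeds.
    *[{"time": f"2024-05-01T09:00:{s:02d}", "id": 4625, "user": "jsmith",
       "src": "10.0.0.55", "logon_type": 3} for s in range(0, 24, 2)],
    {"time": "2024-05-01T09:00:25", "id": 4624, "user": "jsmith",
     "src": "10.0.0.55", "logon_type": 3},
    # Password spray: one external source, one failure each against 15 accounts.
    *[{"time": f"2024-05-01T10:{m:02d}:00", "id": 4625, "user": f"user{m:02d}",
       "src": "203.0.113.7", "logon_type": 3} for m in range(15)],
    # Benign: a user mistypes twice at the console, then logs in.
    {"time": "2024-05-01T11:00:00", "id": 4625, "user": "alice",
     "src": "10.0.0.20", "logon_type": 2},
    {"time": "2024-05-01T11:00:05", "id": 4625, "user": "alice",
     "src": "10.0.0.20", "logon_type": 2},
    {"time": "2024-05-01T11:00:10", "id": 4624, "user": "alice",
     "src": "10.0.0.20", "logon_type": 2},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect(events, fail_threshold=10, spray_users=10, window=timedelta(minutes=15)):
    """Return alerts, in the order they fire, using a sliding time window.

    brute_force            : >= fail_threshold 4625s from one src against one user
    password_spray         : one src failing against >= spray_users distinct users
    success_after_failures : 4624 for a (src, user) pair already flagged as brute_force
    """
    alerts = []
    fails_by_pair = defaultdict(list)   # (src, user) -> failure timestamps in window
    fails_by_src = defaultdict(list)    # src -> (timestamp, user) in window
    flagged_pairs, flagged_srcs = set(), set()

    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        pair = (ev["src"], ev["user"])
        if ev["id"] == 4625:
            q = fails_by_pair[pair]
            q.append(t)
            while t - q[0] > window:          # expire failures older than the window
                q.pop(0)
            if len(q) >= fail_threshold and pair not in flagged_pairs:
                flagged_pairs.add(pair)
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "user": ev["user"], "failures": len(q)})
            s = fails_by_src[ev["src"]]
            s.append((t, ev["user"]))
            while t - s[0][0] > window:
                s.pop(0)
            users = {u for _, u in s}
            if len(users) >= spray_users and ev["src"] not in flagged_srcs:
                flagged_srcs.add(ev["src"])
                alerts.append({"type": "password_spray", "src": ev["src"],
                               "distinct_users": len(users)})
        elif ev["id"] == 4624 and pair in flagged_pairs:
            # The attacker got in: escalate, and keep the logon type
            # (3 = network, 10 = RDP) to see how the access was obtained.
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "logon_type": ev["logon_type"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two thresholds are deliberately separate: a spray never trips the per-account counter (one failure per user), and a single-account brute force never trips the distinct-user counter, so each heuristic catches what the other misses. The two mistyped passwords from alice produce nothing, which is the false-positive case a threshold must tolerate.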

22. What is a Phishing attack and how do you handle it?

Phishing uses fraudulent email (or SMS and voice calls) to get a user to enter credentials, approve an MFA prompt or open malware. Handling at L1: confirm the report (headers, sender, URL and attachment reputation), search the mail system for other recipients of the same message and remove it from their mailboxes, block the sender and URL at the gateway and proxy, check in proxy and authentication logs whether anyone clicked or entered credentials, reset credentials and revoke sessions for affected users, and document the case and the indicators.

23. What is a DDoS attack and how does it affect the network?

A DDoS attack floods a service or network with traffic from many sources so that legitimate users cannot reach it. It can be volumetric (bandwidth exhaustion, e.g. UDP amplification), protocol-level (SYN floods that exhaust connection state) or application-layer (HTTP request floods against expensive pages). Effects are saturated links, exhausted firewall and load-balancer state tables, and service timeouts. Detection relies on traffic baselines: sudden spikes in packets or requests per second, many half-open connections, and alerts from upstream DDoS protection.

24. What is a Malware attack and how is it identified?

Malware is software built to cause harm: trojans, ransomware, information stealers, loaders, backdoors. Identification signals are antivirus/EDR alerts, unusual processes (unsigned binaries in user-writable paths, Office applications spawning PowerShell), persistence changes (new services, scheduled tasks, Run keys), new outbound connections to rare domains, and file-activity or performance anomalies. The file hash is checked against threat intelligence, and a sandbox report shows what the sample actually does.

25. How does a MITM attack work and how to detect it?

A Man-in-the-Middle attacker places themselves between two parties to read or modify their traffic, typically by ARP spoofing on a LAN, a rogue access point, DNS spoofing, or presenting a forged TLS certificate. Detection: duplicate IP-to-MAC mappings or switch ARP inspection alerts, TLS certificate errors or unexpected issuers in client and proxy logs, DNS answers that do not match expected records, and traffic going to an unexpected gateway. Mitigation is TLS with proper certificate validation and HSTS, and network controls such as dynamic ARP inspection.

26. What is Cross-Site Scripting (XSS)?

XSS is a web vulnerability in which attacker-controlled input is rendered into a page as script, so it runs in the victim's browser and can steal session cookies or act as the user. Detection: web server and WAF logs with script tags or event handlers in request parameters (often URL-encoded, e.g. %3Cscript%3E), WAF XSS rule hits, and user reports. Prevention is output encoding, input validation and a Content-Security-Policy.

27. What is SQL Injection and how to prevent it?

SQL injection occurs when user input is concatenated into a SQL query, letting an attacker change the query's logic to bypass a login, read or modify other rows, or in some configurations run commands. Prevention: parameterized queries (prepared statements) so that input is never parsed as SQL, least-privilege database accounts, input validation as a secondary control, and a WAF for detection. In logs, look for quotes, comment sequences (-- and /*) and keywords such as UNION SELECT in request parameters.

28. What is Phishing and how to detect it?

Phishing tricks users into revealing credentials or running malware. Detection checks: the sender address and domain against the display name, the Return-Path against the From domain, the gateway's SPF/DKIM/DMARC results, URLs (lookalike or newly registered domains, link text that shows one address while the target is another), and attachments (executables, scripts, double extensions, macro-enabled documents). Urgency in the subject and an unexpected request to log in or pay are the social signals that accompany the technical ones.
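The phishing answers (12, 22 and 28) list the header, link and attachment checks an analyst performs by hand. The following is an added example for this page, not code from the original document: it parses a constructed raw email with Python's standard email library and applies those checks. The message, domains and gateway name are all made up; the Authentication-Results header is treated as trustworthy because in practice it is written by the organization's own mail gateway.

```python
"""Triage a raw email for phishing indicators.

Added example, not part of the original Q&A. The message below is constructed.
Checks: Return-Path vs From domain, SPF/DKIM/DMARC results, link text whose
host differs from the href host, lookalike hosts built on the From domain,
and risky attachment names.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

RAW_EMAIL = b"""\
Return-Path: <bounce@mail-track.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-track.example.net; dkim=none; dmarc=fail header.from=corp-bank.example
From: "IT Helpdesk" <helpdesk@corp-bank.example>
To: jsmith@corp.example
Subject: Urgent: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your password expires in 2 hours. <a href="http://corp-bank.example.login-reset.xyz/auth">https://portal.corp-bank.example/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of_addr(addr):
    """Domain part of an address, tolerating angle brackets."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def triage(raw):
    """Return a list of human-readable findings for the raw message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = domain_of_addr(msg["From"].addresses[0].addr_spec)
    rp = msg["Return-Path"]
    if rp and domain_of_addr(str(rp)) != from_dom:
        findings.append("return-path domain differs from From domain")

    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            lower = fname.lower()
            ext = "." + lower.rsplit(".", 1)[-1]
            if ext in RISKY_EXT or lower.count(".") > 1:   # double extension trick
                findings.append(f"risky attachment: {fname}")
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR.findall(part.get_content()):
                href_host = urlparse(href).hostname or ""
                text_host = urlparse(text.strip()).hostname or ""
                if text_host and href_host != text_host:
                    findings.append(f"link text {text_host} but href {href_host}")
                # From domain embedded in a host that is not actually under it
                if from_dom in href_host and not href_host.endswith(from_dom):
                    findings.append(f"lookalike host: {href_host}")
    return findings


if __name__ == "__main__":
    for f in triage(RAW_EMAIL):
        print("-", f)
```

Each finding on its own can be benign (marketing mail routinely fails the Return-Path check), which is why triage collects them and the analyst weighs the combination rather than acting on any single one.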

29. What is a vulnerability scan?

A vulnerability scan is an automated check of hosts and applications against a database of known weaknesses (missing patches, misconfigurations, weak settings), with each finding rated by a severity such as a CVSS score. Scans are run to find and fix exposure before it is exploited. In the SOC, scanner traffic itself looks like an attack, so authorized scanners are allow-listed; unscheduled scanning from an unknown source is a reconnaissance indicator.

30. What is DNS and how does it function?

DNS (Domain Name System) resolves human-readable names to IP addresses through a hierarchy of recursive resolvers and authoritative servers. It matters to the SOC beyond routing: DNS logs show which host resolved which name and when, which makes them a primary source for detecting malware beaconing, newly registered or algorithmically generated domains, and DNS tunnelling (very long or unusually frequent queries to one domain).

31. What is the purpose of a Proxy Server?

A proxy server sits between users and the Internet and forwards web requests on their behalf. It provides URL filtering and malware scanning, caching, and a single logging point that records user, host, URL, category and action (allowed or blocked). Proxy logs are where an analyst confirms whether a phishing link was actually visited and what was downloaded.

32. What are some signs of a compromised account?

Signs include logons at unusual times or from unusual locations or devices, impossible travel (two logons too far apart geographically for the time between them), a spike in failed logons followed by a success, new MFA devices registered, new mailbox forwarding or inbox rules, password or recovery-option changes the user did not make, unusual data access or bulk downloads, and the user reporting MFA prompts they did not initiate.
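Impossible travel is the one sign in the list above that needs a calculation rather than a lookup, so here is an added example for this page (not code from the original document). It takes a constructed sign-in log with the coordinates an identity provider attaches to each source IP, computes the great-circle distance between consecutive sign-ins per user, and flags any pair whose implied speed exceeds an airline-speed threshold. All users, IPs and coordinates are made up.

```python
"""Impossible-travel check over a constructed sign-in log.

Added example, not from the original Q&A. Coordinates are the geolocation an
identity provider attaches to the source IP; the rows below are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SIGNINS = [
    {"user": "jsmith", "time": "2024-05-01T08:00:00", "ip": "10.0.0.5",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "jsmith", "time": "2024-05-01T09:30:00", "ip": "198.51.100.9",
     "city": "Singapore", "lat": 1.3521, "lon": 103.8198},
    {"user": "alice", "time": "2024-05-01T08:00:00", "ip": "10.0.0.7",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "time": "2024-05-01T12:00:00", "ip": "192.0.2.44",
     "city": "Paris", "lat": 48.8566, "lon": 2.3522},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_kmh=1000.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    1000 km/h is above any airliner's cruise speed, so a pair that needs more
    than that cannot be the same person carrying one device.
    """
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):   # ISO timestamps sort as text
        by_user.setdefault(s["user"], []).append(s)

    alerts = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            elapsed = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600
            # Same timestamp and different place is the extreme case: infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(dist), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

In production the main false-positive sources are VPN egress points and coarse IP geolocation, so the check is usually paired with a list of known corporate VPN ranges and a minimum distance before it fires.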

33. What is Two-Factor Authentication (2FA)?

2FA (a form of multi-factor authentication) requires two different factor types: something you know (password), something you have (authenticator app, hardware token, phone) or something you are (biometric). It defeats attacks that rely only on a stolen password, but SMS codes and push approvals can still be phished or worn down by repeated prompts; phishing-resistant methods such as FIDO2 security keys bind the login to the genuine site.

34. How to prioritize security incidents?

Prioritize on impact and likelihood: criticality of the affected asset (a domain controller versus a test VM), sensitivity of the data involved, whether the activity is confirmed malicious or only suspected, how far it has progressed (initial access versus lateral movement or exfiltration), scope (one host or many) and whether it is still active. Most SOCs encode this in a severity matrix with response SLAs for each level.

35. What is a packet capture and when would you use it?

A packet capture (PCAP) is a recording of raw network traffic taken with tcpdump, Wireshark or a network sensor. Use it when logs are not enough: to see the full content of a suspicious session, confirm what data left the network, reconstruct a downloaded file, diagnose a connectivity problem, or preserve evidence for forensics. Captures are large and may contain sensitive data, so they are targeted (host, port, time window) and handled under evidence procedures.

36. What are security patches and why are they important?

Security patches are vendor updates that fix specific vulnerabilities. They matter because many intrusions use known, already-patched flaws, and the window between a patch release and exploitation in the wild is often days. Patching is prioritized by exploitability and exposure (Internet-facing systems, vulnerabilities known to be exploited), and the SOC watches for exploitation attempts against systems that are still unpatched.

37. What is encryption and how does it protect data?

Encryption transforms readable data (plaintext) into ciphertext with an algorithm and a key so that only holders of the correct key can recover it. It protects data in transit (TLS) and at rest (full-disk and database encryption). Symmetric encryption (AES) uses one shared key; asymmetric encryption (RSA, elliptic-curve) uses a public/private key pair and underpins TLS key exchange and digital signatures. Encryption protects confidentiality, not integrity or availability on its own, and its strength depends on key management.

38. What is a HoneyPot?

A honeypot is a decoy system or service with no production purpose, so any interaction with it is suspicious by definition. It draws attackers away from real assets, produces high-fidelity alerts with very few false positives, and lets defenders observe tools and techniques. Honeytokens (fake credentials, documents or DNS records) apply the same idea to data.

39. What are malware signatures?

Malware signatures are patterns used to recognize known malicious files or behaviour: file hashes, byte sequences or strings inside a file (YARA rules), and network patterns (Snort/Suricata rules). They are fast and precise but only catch what has been seen before; repacking or small changes defeat hash and byte matching, which is why signatures are paired with heuristic and behavioural detection.

40. What is a Risk Assessment?

A risk assessment identifies assets, the threats to them and the vulnerabilities that could be exploited, then estimates likelihood and impact to rate each risk. The output ranks which controls to apply first and which risks to accept, transfer or mitigate; for the SOC it determines which systems receive the most monitoring attention.

41. How do you detect a Ransomware attack?

Ransomware indicators: a burst of file modifications or renames to a new extension by a single process, high-entropy (encrypted-looking) content being written, ransom notes dropped into many folders, deletion of Volume Shadow Copies (vssadmin delete shadows) and backups, disabling of security tools, and large-scale SMB file activity across hosts. EDR alerts and canary files help catch it early; the immediate action is to isolate the affected hosts.
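The first three indicators above can be scored from file-activity telemetry. The following is an added example for this page, not code from the original document: it runs three heuristics (rename burst to one new extension, high-entropy writes, ransom-note-like filenames across folders) over a constructed event list shaped like EDR or Sysmon file telemetry. The process name encryptor_sample.exe, the paths and the contents are all made up, and a fixed-seed pseudo-random blob stands in for encrypted output.

```python
"""Ransomware behaviour detection over a constructed file-activity log.

Added example for this Q&A page, not the original document's code. Events
mimic file-create/rename telemetry (time, process, pid, operation, path,
first bytes written); every value, including encryptor_sample.exe, is made up.
"""
import math
import ntpath
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOTE_RE = re.compile(r"(recover|decrypt|restore|readme|how_to)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data approaches 8.0, English text is ~4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed content: fixed-seed pseudo-random bytes stand in for ciphertext.
_rng = random.Random(1337)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT_BLOB = b"Quarterly report: revenue up 3%, costs flat. " * 90

_t0 = datetime(2024, 5, 1, 14, 0, 0)
EVENTS = []
for i in range(40):   # 40 renames to .locked within 40 s, random-looking content
    EVENTS.append({"time": _t0 + timedelta(seconds=i), "proc": "encryptor_sample.exe",
                   "pid": 4242, "op": "rename", "data": RANDOM_BLOB,
                   "path": f"C:\\Users\\jsmith\\Documents\\doc{i}.docx.locked"})
for d in ("Documents", "Desktop", "Pictures"):   # ransom note in three folders
    EVENTS.append({"time": _t0 + timedelta(seconds=45), "proc": "encryptor_sample.exe",
                   "pid": 4242, "op": "create",
                   "data": b"Your files are encrypted. Contact us to recover them.",
                   "path": f"C:\\Users\\jsmith\\{d}\\HOW_TO_RECOVER_FILES.txt"})
for i in range(5):    # benign: Word saving a few documents
    EVENTS.append({"time": _t0 + timedelta(minutes=10, seconds=i), "proc": "WINWORD.EXE",
                   "pid": 1200, "op": "write", "data": TEXT_BLOB,
                   "path": f"C:\\Users\\jsmith\\Documents\\report{i}.docx"})


def detect(events, window=timedelta(seconds=60), burst=20, entropy_threshold=7.5, note_dirs=3):
    """Return one alert per (process, heuristic) that fires."""
    alerts = []
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_proc[(ev["proc"], ev["pid"])].append(ev)

    for (proc, pid), evs in by_proc.items():
        # 1. Burst of renames to a single new extension inside the time window.
        ext_times = defaultdict(list)
        for ev in evs:
            if ev["op"] == "rename":
                ext_times[ntpath.splitext(ev["path"])[1].lower()].append(ev["time"])
        for ext, times in ext_times.items():
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= burst:
                    alerts.append({"type": "rename_burst", "proc": proc, "pid": pid,
                                   "ext": ext, "count": len(times)})
                    break
        # 2. Many writes of high-entropy (encrypted-looking) content.
        high = sum(1 for ev in evs if shannon_entropy(ev["data"]) > entropy_threshold)
        if high >= burst:
            alerts.append({"type": "high_entropy", "proc": proc, "pid": pid, "files": high})
        # 3. Ransom-note-like filename created in several different folders.
        dirs = {ntpath.dirname(ev["path"]) for ev in evs
                if ev["op"] == "create" and NOTE_RE.search(ntpath.basename(ev["path"]))}
        if len(dirs) >= note_dirs:
            alerts.append({"type": "ransom_note", "proc": proc, "pid": pid,
                           "folders": sorted(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

ntpath is used so the Windows-style paths split correctly even when the script runs on Linux. The entropy heuristic on its own would also fire for a legitimate backup or archiving tool, which is why each alert carries the process identity: the response is to isolate the host and kill that process, not to block all high-entropy writes.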

42. What is a VPN and how does it work?

A VPN (Virtual Private Network) creates an encrypted tunnel between a user's device (or a remote site) and a network across the Internet, using IPsec, a TLS-based protocol such as OpenVPN, or WireGuard. It protects traffic from interception on untrusted networks and gives remote users an internal address. For the SOC, VPN logs (who connected, from where, when, for how long) are a key authentication source, and VPN appliances themselves are frequent targets when left unpatched.

43. What is a Security Audit?

A security audit is a formal review of an organization's controls against a standard or policy (for example ISO 27001 or an internal baseline): configuration reviews, log and access reviews, interviews and evidence collection. It verifies that controls exist and operate as intended and produces findings to remediate. An audit reduces but does not guarantee the absence of vulnerabilities; finding those is the job of vulnerability scans and penetration tests.
