SOC Interview Q&A

What is a Security Operations Center (SOC)?

A centralized team that continuously monitors, detects, investigates, and responds to cybersecurity incidents using security tools and established processes.

What is a SOC Analyst?

A professional who monitors security alerts, investigates suspicious activities, analyzes logs, responds to incidents, and helps protect an organization's systems and data.

Levels of SOC Analysts?

• Level 1: Monitoring & Alert Triage
• Level 2: Investigation & Incident Response
• Level 3: Threat Hunting & Advanced Analysis
• SOC Manager

What is SIEM?

Security Information and Event Management — a platform that collects, correlates, analyzes, and monitors security logs from multiple sources to detect threats.

What is EDR?

Endpoint Detection and Response — monitors endpoints, detects suspicious behavior, investigates incidents, and supports response actions.

What is XDR?

Extended Detection and Response — integrates telemetry from endpoints, networks, cloud services, identity systems, and email to improve threat detection and response.

IDS vs IPS?

• IDS: Intrusion Detection System — detects and alerts.
• IPS: Intrusion Prevention System — detects and blocks.

What is Threat Intelligence?

Information about current cyber threats, threat actors, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs) that helps organizations improve their defenses.

What is an IOC?

Indicator of Compromise — evidence that may indicate a system has been compromised, such as malicious IP addresses, file hashes, domains, registry changes, or suspicious processes.

What is the Incident Response Lifecycle?

• Preparation
• Detection & Analysis
• Containment
• Eradication
• Recovery
• Lessons Learned

Explain the OSI Model.

7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.

TCP vs UDP?

• TCP: connection-oriented, reliable
• UDP: connectionless, faster

What is DNS?

Domain Name System — translates domain names to IP addresses.

What is DHCP?

Dynamic Host Configuration Protocol — automatically assigns IP addresses to devices.

What is NAT?

Network Address Translation — maps private IP addresses to public IP addresses.

What is a Firewall?

A security device that monitors and controls network traffic based on rules.

Common network ports?

• HTTP: 80
• HTTPS: 443
• SSH: 22
• DNS: 53
• FTP: 21
• SMB: 445

What are Windows Event Logs?

Windows Event Logs record system, security, and application events for monitoring and investigation.

What is Active Directory?

Microsoft's directory service for authentication, authorization, and centralized management.

What is Sysmon?

System Monitor — a Windows tool that logs detailed process, network, and file activity for security monitoring.

What is Group Policy?

A Windows feature that allows administrators to manage user and computer configurations centrally.

What is Kerberos?

Authentication protocol used in Active Directory environments.

Common Linux commands?

• ls, cd, pwd, cp, mv, rm
• chmod, chown, grep, find
• ps, top, kill, netstat, ss

What are Linux file permissions?

Read (r), write (w), execute (x) permissions for Owner, Group, and Others.

What is SSH?

Secure Shell — used for secure remote access to Linux systems.

What are Cron jobs?

Scheduled tasks that run automatically at specified times.

Linux log files location?

System logs are typically stored in /var/log/

Popular SIEM platforms?

• Splunk
• Microsoft Sentinel
• IBM QRadar
• Wazuh
• Elastic Security

What is Log Correlation?

Connecting related log events from different sources to identify patterns and security incidents.

What is Alert Tuning?

Adjusting SIEM detection rules to reduce false positives and improve alert accuracy.

What is a SIEM Dashboard?

A visual interface that displays security metrics, alerts, and data for monitoring and analysis.

What is Parsing in SIEM?

Extracting structured fields from raw log data for analysis and correlation.

Explain the Incident Response Lifecycle.

• Preparation
• Detection & Analysis
• Containment
• Eradication
• Recovery
• Lessons Learned

What is Containment?

Isolating affected systems to prevent the spread of an incident.

What is Chain of Custody?

Documentation that tracks evidence from collection to presentation to ensure integrity.

What is Evidence Collection?

Gathering and preserving digital evidence using forensically sound methods.

What is an Escalation Process?

Defined procedures for escalating incidents to higher-level teams based on severity and impact.

What is the MITRE ATT&CK Framework?

A knowledge base of adversary tactics and techniques based on real-world observations.

What is Threat Hunting?

Proactively searching for threats that may have evaded existing security controls.

What is a Sigma Rule?

A generic detection rule format for SIEM systems to identify threats.

What is a YARA Rule?

A pattern-based rule for identifying and classifying malware.

What is Detection Engineering?

Designing and developing detection rules and logic to identify security threats.

What is malware?

Software designed to disrupt, damage, or gain unauthorized access to systems.

Types of malware?

• Ransomware
• Trojan
• Worm
• Rootkit
• Spyware

What is Sandboxing?

Executing suspicious files in an isolated environment to observe behavior.

Static vs Dynamic Analysis?

• Static: examining code without executing it.
• Dynamic: analyzing behavior during execution.

What is Phishing?

A social engineering attack that tricks users into revealing sensitive information.

What is SPF?

Sender Policy Framework — prevents email spoofing by verifying sender IP addresses.

What is DKIM?

DomainKeys Identified Mail — uses cryptographic signatures to verify email authenticity.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance — builds on SPF and DKIM to protect email domains.

How to analyze an email header?

• Check sender and reply-to addresses
• Verify SPF/DKIM/DMARC
• Examine routing and source IP
• Inspect subject and content

What is AWS CloudTrail?

A service that logs API activity in AWS for security monitoring and compliance.

What is IAM in Cloud?

Identity and Access Management — controls access to cloud resources and services.

What is the Shared Responsibility Model?

Cloud providers secure the infrastructure; customers are responsible for securing their data and configurations.

What is Microsoft Defender for Cloud?

A security platform that provides threat detection and protection for Azure and hybrid cloud environments.

Tell me about yourself.

Briefly summarize your background, technical skills, and interest in SOC operations.

Why do you want to become a SOC Analyst?

Share your interest in defensive security, threat monitoring, and incident response.

How do you stay updated on cyber threats?

Follow threat intelligence feeds, security blogs, and participate in cybersecurity communities.

Describe your home lab.

Share details about your lab setup, tools you use, and what you practice.