SOC Analyst Interview Questions & Answers
(Scenario Based & Incident Report Analysis)
We start with the common questions asked of a cybersecurity analyst. If you
already work as an L1/L2 cybersecurity analyst you should know how to answer
this kind of question, because it is an important part of your job scope.
Here are the questions:

1. How do you configure rules within a SIEM to identify potential security
incidents? Please provide an example.

Situation: In my previous role as a cybersecurity analyst at XYZ company, we noticed a
rise in security incidents stemming from sophisticated phishing attacks that managed
to bypass our initial defenses.

Task: My responsibility was to develop SIEM rules to detect these advanced attacks
early and provide actionable data to the incident response team for quick intervention.

Action: I began by analysing past phishing incidents to identify key indicators and
patterns, such as multiple failed login attempts, logins from unregistered IP addresses,
and changes in IP location. With this data, I created SIEM rules, including one that
triggered an alert for five login attempts within a 10-minute window from the same IP
and another that flagged logins from unusual locations or times. After creating these
rules, I conducted tests to ensure their effectiveness and refined them based on the
results and feedback from the incident response team.

Result: In the first month, the incident response team quickly identified three phishing
attacks, changed the credentials for compromised accounts, and educated the affected
users.

2. Describe a situation where you had to fine-tune an alert to reduce
false positives. What steps did you take?

Situation: In my previous role, I was responsible for managing the SIEM and monitoring
firewall logs to protect against potential security threats. However, there were numerous
false positives, particularly from legitimate port scanning activities, which overwhelmed
the incident response team and led to alert fatigue.

SIEM XPERT (https://siemxpert.com)


Task: My task was to fine-tune the existing SIEM rules to reduce false positives without
compromising the detection of legitimate security threats, thereby enhancing the
effectiveness of the rules.

Action: I began by conducting a thorough analysis of false positive alerts to understand
their common characteristics. Reviewing several weeks' worth of logs, I identified
patterns and the reasons legitimate activities were being flagged. I collaborated with the
network team to understand normal network traffic patterns, including legitimate
scanning activities from network monitoring tools and routine maintenance tasks. With
this data, I modified the SIEM rules to add context and exceptions. For instance, I adjusted
the threshold for triggering an alert based on the number of ports scanned within a specific
timeframe and excluded known safe IP addresses associated with our internal network
monitoring tools. I tested these changes in a controlled environment, simulating both
legitimate and malicious activities to ensure accurate differentiation.
After deploying the refined rules to production, I closely monitored the alerts and held
regular meetings with the incident response team to gather feedback and make further
adjustments as needed.

Result: Over two weeks of monitoring and regular meetings with the incident response
team, the fine-tuning led to a 70% reduction in false positives. This allowed the team to
focus on genuine threats and respond more effectively. Additionally, the improved
accuracy of our alerts enhanced our overall security posture and increased the team's
confidence in the SIEM system.
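The two rules described in answers 1 and 2 (five failed logins from one IP inside a 10-minute window, and a port-scan threshold with an exception list for the internal monitoring scanners) share one mechanism: a per-source sliding window. The Python below is an added illustration of that mechanism, not a rule from the document or from any SIEM product; the log formats, addresses, thresholds and the scanner allow-list are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the page): failed logins, then firewall denies.
AUTH_LOG = """\
2024-05-01 09:00:01 FAILED_LOGIN user=alice src=203.0.113.7
2024-05-01 09:02:10 FAILED_LOGIN user=alice src=203.0.113.7
2024-05-01 09:04:30 FAILED_LOGIN user=bob src=203.0.113.7
2024-05-01 09:06:15 FAILED_LOGIN user=alice src=203.0.113.7
2024-05-01 09:08:50 FAILED_LOGIN user=carol src=203.0.113.7
2024-05-01 09:30:00 FAILED_LOGIN user=dave src=198.51.100.9"""
FW_LOG = "\n".join(  # 25 ports each from a known scanner and from an unknown host
    f"2024-05-01 10:00:{i:02d} DENY src={src} dst=10.0.1.20 dport={1000 + i}"
    for src in ("10.0.0.5", "198.51.100.9") for i in range(25))
KNOWN_SCANNERS = frozenset({"10.0.0.5"})  # assumed internal monitoring tool

LINE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")
def parse(log):
    """Yield (timestamp, event kind, {field: value}) for each log line."""
    for line in log.splitlines():
        ts, kind, rest = LINE.match(line).groups()
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind,
               dict(kv.split("=", 1) for kv in rest.split()))

def windowed_alerts(events, window, threshold, distinct=False, allowlist=frozenset()):
    """Alert when a key has `threshold` events (or distinct items) inside `window`;
    the window is cleared after each alert so one burst yields one alert."""
    recent, alerts = defaultdict(deque), []
    for ts, key, item in sorted(events, key=lambda e: e[0]):
        if key in allowlist:          # exception for known-good sources
            continue
        q = recent[key]
        q.append((ts, item))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        count = len({i for _, i in q}) if distinct else len(q)
        if count >= threshold:
            alerts.append((key, ts))
            q.clear()
    return alerts

def failed_login_alerts(log):
    """Rule 1: five failed logins from one IP within a 10-minute window."""
    ev = [(ts, f["src"], "") for ts, k, f in parse(log) if k == "FAILED_LOGIN"]
    return windowed_alerts(ev, timedelta(minutes=10), 5)

def port_scan_alerts(log, allowlist=KNOWN_SCANNERS):
    """Rule 2: 20 distinct destination ports from one IP within a minute, skipping allow-listed scanners."""
    ev = [(ts, f["src"], f["dport"]) for ts, k, f in parse(log) if k == "DENY"]
    return windowed_alerts(ev, timedelta(minutes=1), 20, distinct=True, allowlist=allowlist)
```

Running `port_scan_alerts(FW_LOG, allowlist=frozenset())` shows the internal scanner firing the rule too, which is exactly the false positive the exception list removes.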

3. Walk me through the incident response process you followed for a
specific security incident at a previous job. What tools did you use?

Situation: In my previous role as a cybersecurity analyst, we encountered a situation
where a user reported suspicious activities in their account. This led us to discover a
malware infection on several endpoints, which appeared to be designed for data
exfiltration.

Task: My task was to support the incident response team in analyzing the malware and
implementing mitigation steps to prevent its spread.

Action: We adhered to the NIST incident response framework, which includes the steps:
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Preparation:
Ensured the incident response team had up-to-date contact information and clearly
defined roles.

Verified that necessary resources were available and operational.
Identification:
Used the SIEM (Splunk) to analyze logs and correlate events with the reported suspicious
activities.
Employed EDR (CrowdStrike) to scan endpoints and identify the presence of malware.
Verified indicators of compromise (IOCs) such as unusual network traffic and unauthorized
access.
Containment:
Isolated affected devices from the network to prevent the malware from spreading.
Created network segmentations to further contain the malware.
Blocked malicious IP addresses and domains at the firewall and proxy levels.
Eradication:
Performed forensic analysis using tools like Encase to understand the infection's scope
and the affected files.
Removed the malware with anti-virus and anti-malware tools such as Malwarebytes.
Updated systems and applied patches to secure vulnerabilities exploited by the malware.
Recovery:
Restored systems from clean backups to ensure no malware residue remained.
Closely monitored the systems for signs of re-infection.
Communicated with users to reset their credentials and enhance their security awareness.
Lessons Learned:
Conducted a post-incident review to discuss successes and areas for improvement.
Documented the incident and response actions to update the response plan.
Provided additional training to associates on identifying phishing attacks and other
threats.

Result: The security incident was swiftly handled by the incident response team and other
associated teams such as SOC, email gateway, and network teams. The malware was
contained and eradicated without any data exfiltration. Affected devices were restored
with minimal downtime, and the lessons learned were used to enhance the incident
response plan and overall security posture.

Now we move to scenario-based questions and incident report analysis.
Before we go to the questions, note that we will use the NIST CSF to
apply reactive measures to cybersecurity threats. The five core functions
of the NIST CSF are as follows:

Identify: Manage security risks through regular audits of internal networks, systems,
devices, and access privileges to identify potential gaps in security.

Protect: Develop a strategy to protect internal assets through the implementation of
policies, procedures, training and tools that help mitigate cybersecurity threats.

Detect: Scan for potential security incidents and improve monitoring capabilities to
increase the speed and efficiency of detections.

Respond: Ensure that the proper procedures are used to contain, neutralize and
analyse security incidents and implement improvements to the security process.

Recover: Return affected systems back to normal operation and restore systems data
and assets that have been affected by an incident.

Scenario:
You are a cybersecurity analyst working for a multimedia company that offers web design
services, graphic design, and social media marketing solutions to small businesses. Your
organization recently experienced a DDoS attack that compromised the internal network
for two hours before it was resolved.

During the attack, your organization's network services suddenly stopped responding due
to an incoming flood of ICMP packets, preventing normal internal network traffic from
accessing any network resources. The incident management team responded by blocking
incoming ICMP packets, taking all non-critical network services offline, and restoring
critical network services.

After the event, the company's cybersecurity team investigated and found that a malicious
actor had exploited an unconfigured firewall to flood the company's network with ICMP
pings, causing a distributed denial of service (DDoS) attack.

To address this security incident, the network security team implemented several
measures:
A new firewall rule to limit the rate of incoming ICMP packets.
Source IP address verification on the firewall to check for spoofed IP addresses in
incoming ICMP packets.
Network monitoring software to detect abnormal traffic patterns.
An IDS/IPS system to filter out suspicious ICMP traffic.
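The first two measures, ICMP rate limiting and source-address verification, are easier to reason about when their evaluation order is made explicit: a packet arriving on the external interface with an internal or otherwise non-routable source address is dropped before any rate accounting, and only then does a per-source token bucket decide whether ICMP is within budget. The Python below is an added simulation of that policy, not the team's actual firewall configuration; the 10.0.0.0/8 internal range, the interface names and the rate and burst values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (not from the page): internal network 10.0.0.0/8. None of these
# ranges may appear as a *source* on the external interface (a classic spoofing sign).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
NEVER_EXTERNAL_SRC = [INTERNAL] + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

class IcmpIngressPolicy:
    """Anti-spoof check first, then a per-source token-bucket rate limit for ICMP."""
    def __init__(self, rate_per_sec=5.0, burst=10):
        self.rate, self.burst = rate_per_sec, burst
        self.bucket = {}  # src -> (tokens, time of last packet)

    def decide(self, t, iface, src, proto):
        """Return the verdict for one packet seen at time t (seconds) on iface."""
        src = ipaddress.ip_address(src)
        if iface == "wan" and any(src in net for net in NEVER_EXTERNAL_SRC):
            return "DROP spoofed-source"
        if proto != "icmp":
            return "ACCEPT"  # only ICMP is rate limited by this policy
        tokens, last = self.bucket.get(src, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)  # refill since last
        if tokens >= 1:
            self.bucket[src] = (tokens - 1, t)
            return "ACCEPT"
        self.bucket[src] = (tokens, t)
        return "DROP rate-limited"

def apply_policy(packets):
    """Run (t, iface, src, proto) packets through the policy; count verdicts per source."""
    policy = IcmpIngressPolicy()
    counts = defaultdict(lambda: defaultdict(int))
    for t, iface, src, proto in sorted(packets, key=lambda p: p[0]):
        counts[src][policy.decide(t, iface, src, proto)] += 1
    return {s: dict(v) for s, v in counts.items()}

# Constructed traffic: a normal 1 pkt/s ping, a 1000 pkt/s ICMP flood, and a packet
# arriving on the WAN side that claims an internal source address.
SAMPLE = (
    [(float(i), "wan", "198.51.100.9", "icmp") for i in range(5)]
    + [(10.0 + i / 1000, "wan", "203.0.113.50", "icmp") for i in range(200)]
    + [(12.0, "wan", "10.0.0.7", "icmp"), (12.0, "lan", "10.0.0.7", "icmp")]
)
```

`apply_policy(SAMPLE)` passes the normal ping untouched, admits only the burst allowance of the flood, and drops the spoofed packet while the same address is still accepted on the internal side.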

Summary: The organization was attacked by a DDoS attack in which a flood of ICMP
packets was sent to network devices, compromising the internal network. The incident
response team acted quickly by blocking incoming ICMP packets, isolating affected
devices and networks, and restoring critical network services once the issues were
resolved.

Identify: A DDoS attack occurred in this scenario, where the attacker sent a flood of
ICMP pings to the company's network. This attack caused the company's network services
to stop working.

Protect: Take all non-critical network services online and block incoming ICMP packets.
Additionally, update the unconfigured firewall to reduce the attack surface.

Detect: Implementing an IDS would be very helpful, as it would notify the incident
response team promptly based on the alerts they set. Firewall rules also need to be
updated so that traffic from spoofed IP addresses and unwanted traffic are filtered out.

Respond: The best way to contain cybersecurity incidents and affected devices is to
take them offline or isolate them. Using a playbook from CISA provides team members
with a standard on what to do during incidents. The CS can be used to analyse this
incident. Training can improve the recovery process for future cybersecurity incidents.

Recover: Business-essential functions need to be recovered immediately. The playbook
should be in place to help the organization recover from the incident.

Cybersecurity Incident Report: Network Traffic Analysis

Part 1: Provide a summary of the problem found in the DNS and ICMP traffic log
The network protocol analyser logs indicate that port 53 is unreachable when attempting to
resolve the DNS request for the www.yummyrecipesforme.com website. Port 53 is typically
used for DNS traffic, particularly in the case of using the UDP protocol. The ICMP messages,
in response to the DNS queries, display an error for UDP port 53 as unreachable, which
might indicate a problem with the DNS server or potentially with network access between
the user's machine and the DNS server.

The UDP protocol reveals that:

Query ID#35084 at 13h:24m:32s: the requesting device with IP 192.51.100.15 sent a
request in a UDP packet to the domain at IP 203.0.113.2. The web address is
yummyrecipes.com through port 24.

At 13h:24m:26s the domain at IP 203.0.113.2 sent a return UDP packet to the requesting
device with IP 192.51.100.15 with error: UDP port 53 unreachable for a ping time of
254ms.
The same occurred 2 minutes later at 13h:26m:32s. On this occasion ping time was
320ms.
A third attempt occurred a further 2 minutes later at 13h:28m:32s. On this occasion the
ping time was 150ms.
This is based on the results of the network analysis, which show that the ICMP echo
reply returned the error message: udp port 53 unreachable.
The port noted in the error message is used for the Domain Name System (DNS), which
normally uses the User Datagram Protocol (UDP) on port 53.

The most likely issue is: unresolved DNS connection / website is down.

Part 2: Explain your analysis of the data and provide at least one cause of the incident.

Upon receiving complaints from customers about their inability to access the website
www.yummyrecipesforme.com, a detailed network traffic analysis was conducted using
tcpdump.

The network logs disclose an unsuccessful DNS query to the server at 203.0.113.2 from
our system (IP address 192.51.100.15), with an ICMP error message indicating the
unavailability of UDP port 53. This error was consistently received over three distinct
attempts.

This recurring ICMP error message suggests potential issues with the DNS server's
configuration, or perhaps a disruption in the network pathway between the client and the
server. The cause could range from the DNS server being down, a firewall obstructing UDP
port 53 traffic, or other network irregularities.

To further probe this issue, we should collaborate with the DNS service provider to inspect
the server's status and configuration. If the server is functional, a thorough investigation
into potential blockages in the network path between the client systems and the DNS
server is warranted. This step-by-step approach will help pinpoint the root cause and guide
us towards the most effective solution.
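The analysis in Parts 1 and 2 rests on pairing each outgoing DNS query with the ICMP error that came back for it. The Python below is an added example, not part of the original report, that parses tcpdump-style lines of that kind, computes the delay between query and error, and produces the same verdict the report reaches (DNS server down or UDP/53 filtered). The capture lines are constructed from the page's addresses, query ID and timestamps rather than taken from the real log; the trailing "(24)" on a tcpdump DNS line is the payload length in bytes.

```python
import re
from datetime import datetime

# Constructed tcpdump-style lines (not the page's actual capture) using the page's
# addresses, query ID and timestamps; "(24)" is the DNS payload length in bytes.
CAPTURE = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.53: 35084+ A? yummyrecipesforme.com. (24)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.53: 35084+ A? yummyrecipesforme.com. (24)
13:26:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 320
13:28:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.53: 35084+ A? yummyrecipesforme.com. (24)
13:28:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 150"""

QUERY = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+ (\w+)\? (\S+) \(\d+\)$")
UNREACH = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ (udp|tcp) port (\d+) unreachable")

def ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")

def analyse(capture):
    """Pair each DNS query with the ICMP error it received; returns one dict per query."""
    pending, results = {}, []
    for line in capture.splitlines():
        if m := QUERY.match(line):
            t, src, sport, dst, dport, qid, qtype, name = m.groups()
            rec = {"time": t, "id": int(qid), "type": qtype, "name": name.rstrip("."),
                   "server": dst, "status": "no response", "delay_ms": None}
            pending[(src, sport, dst, dport)] = rec  # outstanding until matched
            results.append(rec)
        elif m := UNREACH.match(line):
            t, server, client, proto, port = m.groups()
            # the error travels from the queried server back to the querying client
            for key, rec in list(pending.items()):
                if key[0] == client and key[2] == server and key[3] == port:
                    rec["status"] = f"{proto} port {port} unreachable"
                    rec["delay_ms"] = round((ts(t) - ts(rec["time"])).total_seconds() * 1000)
                    del pending[key]
                    break
    return results

def verdict(results):
    """A persistent 'udp port 53 unreachable' from one server points at the DNS
    service or a filter in the path, not at the web server itself."""
    servers = {r["server"] for r in results}
    failed = [r for r in results if "unreachable" in r["status"]]
    if results and len(failed) == len(results) and len(servers) == 1:
        return (f"All {len(results)} DNS queries to {servers.pop()} got "
                f"'{failed[0]['status']}': DNS server down or UDP/53 filtered")
    return "No consistent failure pattern"
```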

Time incident occurred: 13h:24m:32s

How the IT team became aware of the incident: The IT team became aware of the incident
due to the lodgement of Query ID#35084.

Actions taken by the IT department to investigate the incident: IT was alerted by
Query ID#35084 to an unresolved connection issue to the website yummyrecipes.com via
port 53: a UDP packet was sent and the destination domain was unreachable.

Key findings of the IT department's investigation: A UDP packet via port 53 issue, which
caused the inability to connect to the domain yummyrecipes.com.

Likely cause of the incident: The likely cause is that the DNS host is down.
