SOC Analyst Interview Questions

25 real interview questions from SOC analyst interviews at Bangalore's top product, services, and BFSI companies. Each answer is the atomic version; for the full explanation, related concepts, and a complete topic guide, follow the link to the full version on Networkers Home.

Want structured preparation rather than Q&A drilling alone? Networkers Home's full SOC analyst interview prep guide groups these questions by interview round, adds strong-answer vs weak-answer notes, and walks through the follow-up questions panels typically ask next.

Splunk SPL

Q. Write a Splunk SPL query to detect brute-force authentication attempts.

Example query (parentheses added to make the OR grouping explicit):

    index=auth (sourcetype=*ssh* OR sourcetype=*windows*) action=failure
    | bucket _time span=5m
    | stats count by src_ip, _time
    | where count > 10
    | sort -count

Key concepts: bucket _time aggregates events into 5-minute windows, stats count groups by source IP and time bucket, and where applies the threshold. Tune…

Q. How do you optimise a slow Splunk search?

Optimisation hierarchy: (1) Filter early: put the most restrictive index/sourcetype/host terms first, since Splunk filters left to right. (2) Keep earliest/latest as tight as possible. (3) Avoid wildcards at the start of search terms. (4) Prefer stats over transaction (faster). (5) Use tstats on accelerated data mo…

MITRE ATT&CK

Q. Walk me through investigating a T1059 Command and Scripting Interpreter alert.

T1059 = adversary using Bash, PowerShell, cmd.exe, or Python for execution. Investigation steps: (1) Get the full command line from EDR/Sysmon Event ID 1; (2) Identify the parent process from the Sysmon Event ID 1 ParentImage field (PowerShell launched from Word = malicious); (3) Check for encoded commands (PowerShell -…

Q. What's the difference between MITRE ATT&CK and Cyber Kill Chain?

Cyber Kill Chain (Lockheed Martin, 2011) — linear 7-phase model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives. Simple, easy to teach, but oversimplified — modern attacks don't follow strict linear paths. MITRE ATT&CK (2013, expanded continuousl…

Incident Response

Q. Walk me through your incident response process for a confirmed malware infection.

NIST IR lifecycle: (1) Preparation, done before the incident: tools, runbooks, contacts, comms plan; (2) Detection and Analysis: confirm true positive, scope (one host vs lateral spread), severity classification; (3) Containment: isolate affected host(s) via EDR, block C2 IPs at the firewall, disable affecte…

Log Analysis

Q. User reports their account is being locked out repeatedly. How do you investigate?

Multi-source investigation: (1) Active Directory: query event 4740 (account lockout) for the source workstation/IP; (2) Filter logs from that workstation to see what is authenticating. Could be: cached credentials on phone/Outlook/RDP after a password change; a service running with old credentials; brute-force a…

Q. What's the difference between Windows Security events 4624, 4625 and 4634?

Critical events for SOC analysts: 4624 = successful logon (logon type 2 = interactive, 3 = network, 10 = remote interactive/RDP, 4 = batch, 5 = service). 4625 = failed logon. 4634 = logoff. 4647 = user-initiated logoff (interactive). Investigation patterns: many 4625s followed by a 4624 from the same source = brute-force success. …

Threat Hunting

Q. What's the difference between alert-driven SOC and threat hunting?

Alert-driven (reactive): SIEM/EDR generates alerts → analyst investigates → confirms and responds. Most SOC L1 work is alert-driven. Threat hunting (proactive): analyst forms a hypothesis ('adversary may have established persistence via WMI subscription') → searches data without a pre-existing alert → eith…

Q. Walk me through a hypothesis-driven hunt for lateral movement.

(1) Hypothesis: 'Adversary may be using PsExec or remote service creation for lateral movement'. (2) Data sources needed: Windows Event Logs (5145 Network Share, 7045 Service Install), Sysmon Event 1 (process creation with psexec.exe / cmd.exe with /sc command), authentication events (4624 logon typ…

EDR Platforms

Q. Compare CrowdStrike Falcon vs SentinelOne vs Microsoft Defender for Endpoint.

All three are EDR market leaders. CrowdStrike Falcon: strongest threat intelligence and detection efficacy, expensive (typically ₹3-5K/endpoint/year), rich Falcon OverWatch managed hunting. SentinelOne: strong rollback/remediation features, AI-driven detection, mid-tier pricing. Microsoft Defender f…

Malware

Q. What's the first thing you do when you receive a suspicious email submission from a user?

(1) DO NOT click any links or open attachments. (2) Detonate in a sandbox (VMRay, Joe Sandbox, Any.Run) for safe analysis. (3) Extract IOCs: sender email, sender IP, URLs, file hashes (SHA-256). (4) Check IOC reputation: VirusTotal, AlienVault OTX, urlscan.io. (5) If confirmed malicious: search inbo…

SIEM/SOAR

Q. What's the difference between SIEM and SOAR, and when do you use each?

SIEM (Security Information and Event Management): log collection, correlation, alerting. Examples: Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, Elastic Security. Output: alerts requiring human investigation. SOAR (Security Orchestration, Automation and Response): playbook automation acro…

Cloud SOC

Q. How do AWS CloudTrail, GuardDuty, and Security Hub work together?

CloudTrail: API call audit log (every action across the AWS account: who, what, when, where). Free baseline plus paid management/data event variants. GuardDuty: managed threat detection over CloudTrail, VPC Flow Logs and DNS logs. Outputs: findings for known threat patterns (cryptomining, instance compromise, IA…

Network Sec

Q. Explain how you'd detect DNS tunneling using Splunk.

DNS tunneling = encoding data in DNS queries/responses to bypass firewalls. Detection patterns: (1) Unusually long subdomain names (legitimate DNS rarely has 200+ char subdomains):

    index=dns | eval subdomain_length=len(query) | where subdomain_length > 100

(2) High query volume from a single client: …

Detection Engineering

Q. What's a Sigma rule and why is it useful for SOC?

Sigma rule (Florian Roth, 2017): vendor-neutral YAML format for security detection logic. Structure: title, detection logic, log source, level. Example: to detect PowerShell EncodedCommand, write the rule once in Sigma, convert it to Splunk SPL via sigmac, and also convert it to Elastic Lucene, QRadar AQL, Sentinel K…

Investigation

Q. User clicked phishing link. What's your investigation flow?

Time-bounded investigation in 30 minutes: (1) Identify what they clicked: pull the email from M365, extract the URL. (2) Reputation check: VirusTotal, urlscan.io. (3) If credential phishing: did they enter credentials? Check ADFS/M365 sign-in logs for that user for any new sign-ins from unusual IPs/location…

Q. How do you triage if a brute-force attack succeeded?

(1) Identify a successful logon (event 4624) following multiple failures (event 4625) from the same source IP. (2) Check for legitimate use: was the user actually working at that time? Pull sign-in logs from M365/ADFS. (3) Geographic anomaly: logon from a country the user has never used before. (4) Velocity check…

Compliance

Q. What's the difference between PCI-DSS and ISO 27001 from a SOC perspective?

PCI-DSS: payment card data security standard. SOC implications: the cardholder data environment (CDE) requires extra logging, monitoring, and daily review of security events. Specific requirements: log retention of 1 year (90 days online), file integrity monitoring (FIM), quarterly internal vulnerability scan…

Career

Q. How do I move from SOC L1 to L2 faster?

Practical steps: (1) Master one SIEM platform in depth (typically Splunk for Bangalore SOCs); (2) Earn Splunk Core Certified Power User or equivalent; (3) Volunteer for night-shift incident handling, which gets you hands-on with real incidents (not just runbook execution); (4) Document case studies from your invest…

AI/Future

Q. How is AI changing the SOC analyst role in 2026?

Already changing meaningfully. (1) AI-powered triage: UEBA tools (Microsoft Sentinel UEBA, Splunk MLTK, Securonix) auto-prioritise alerts, reducing L1 alert volume by 30-40%. (2) AI-assisted investigation: Microsoft Copilot for Security and Anthropic Claude integrations help analysts summarise alerts, w…

Behavioural

Q. Tell me about a real incident you investigated.

Use the STAR format (Situation, Task, Action, Result). Best examples: (1) Lab/training incidents: even from coursework, walk through the technical detail; (2) CTF investigation challenges: the TryHackMe SOC L1 path provides realistic scenario practice; (3) Volunteer/consulting investigations; (4) Personal lab inci…

Q. How do you handle disagreement with a senior analyst's call?

Show a structured and respectful approach: (1) Acknowledge their perspective and experience; (2) Present the specific data/observation that informs your view; (3) Frame it as a question, not a challenge: 'I noticed X; does that change the analysis?'; (4) If you still disagree, escalate via process (L3 or manager) with…

Tools

Q. Which Splunk certifications matter for a SOC career?

Tier 1 (most useful for SOC roles): (1) Splunk Core Certified User: entry level, free at Splunk Education. (2) Splunk Core Certified Power User: proves SPL fluency. (3) Splunk Enterprise Certified Admin: system admin focus, better for L3/architect roles. Splunk Enterprise Security Certified Admin: pr…

Networking

Q. Why does a SOC analyst need to know networking?

Most SOC investigations involve network logs (firewalls, IDS/IPS, NetFlow). Without networking foundations you can't: (1) Read packet captures effectively (Wireshark requires TCP/IP fluency); (2) Distinguish normal from anomalous traffic patterns (TCP handshake anomalies, port scans, unusual protocol…

Closing

Q. What questions do you have for us?

Strong question categories: (1) Process: 'What does a typical week look like for SOC L1 here? What's the shift breakdown?'; (2) Tools: 'Which SIEM and EDR platforms do you use? Are there plans to add SOAR?'; (3) Growth: 'What's the typical L1 → L2 timeline on your team? What learning resources are available?'; (…

SOC L1

Q. What are the key differences between IDS, IPS, and NGFW?

An IDS (Intrusion Detection System) monitors network traffic for suspicious activity and alerts, but does not block it. An IPS (Intrusion Prevention System) also monitors, but can actively block or prevent detected threats in real-time. A Next-Generation Firewall (NGFW) combines traditional firewall…

Q. What is the difference between threat hunting and incident response?

Threat hunting proactively searches for unknown threats within a network, assuming a breach has already occurred, using hypotheses and data analysis to find hidden malicious activity. Incident response, conversely, is a reactive process that begins after a known security incident has been detected, …

SOC Operations

Q. What are L1, L2 and L3 SOC analysts, and how do responsibilities differ across tiers?

L1 analysts perform initial triage, monitor SIEM dashboards, and escalate confirmed incidents: think ticket validation and basic containment at Bangalore SOCs such as HCL or Wipro. L2 analysts investigate escalated alerts, correlate threat intel, write Sigma rules, and map incidents to MITRE ATT&CK tech…

Deeper context lives at networkershome.com. Each of these Q&As is part of a structured topic guide on the main site, with multi-part answers, code samples where relevant, strong vs weak answer notes, and follow-up question patterns. View the full SOC analyst interview hub →