Q1
Walk us through how you would investigate a suspicious outbound connection detected in your SIEM. What tools would you use, what artifacts would you examine, and how would you determine if it's a true positive or false positive?
*Why they ask this:* They want to assess your hands-on incident investigation methodology, familiarity with SIEM platforms, and ability to distinguish between legitimate and malicious activity using threat intelligence and endpoint data.
Q2
Explain the differences between signature-based and anomaly-based detection methods. Which approach have you found more effective in your SOC environment, and what are the trade-offs?
*Why they ask this:* This evaluates your understanding of core detection methodologies and your ability to think critically about detection strategy trade-offs, including false positive rates and resource allocation.
Q3
You're reviewing logs and notice multiple failed login attempts followed by one successful login from an unusual geographic location. What could this indicate, and what additional data sources would you check to validate your hypothesis?
*Why they ask this:* They're testing your ability to correlate log data, recognize attack patterns (credential stuffing, brute force), and understand the importance of multi-source data analysis in threat validation.
Q4
Describe your experience with the MITRE ATT&CK framework. How have you used it in your previous role to enhance detection rules or improve incident response?