Tier 1, 2, and 3 SOC Analyst interview questions — with answer guides covering SIEM, EDR, threat hunting, and incident response.
Walk me through the OSI model and where common attacks live.
L2: ARP spoofing, MAC flooding. L3: IP spoofing, route hijack. L4: SYN flood, port scanning. L5–7: app-layer (SQLi, XSS, deserialisation, BAC). Show you can map controls to layers.
Describe the incident response lifecycle.
NIST 800-61r2: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident. Loop, not linear. Detection-and-analysis is where SOCs spend 80% of time.
Difference between IDS and IPS?
IDS detects and alerts; IPS inline-blocks. IDS = monitoring-mode; IPS = enforcement-mode. Modern NDR (Vectra, Darktrace) blurs this with ML-driven detection.
How do you triage a phishing email reported by a user?
Header analysis (SPF/DKIM/DMARC, Received chain), URL detonation (sandbox), payload extraction (if attachment), check delivery to other mailboxes (eDiscovery), search SIEM for click events, evaluate user credential exposure, contain (recall message, block sender domain), log in IR system.
Walk me through investigating a brute-force alert on Entra ID.
Pull sign-in logs, group by user/IP/conditional access result, identify if successful auth occurred post-brute, check for MFA bypass / token theft signs, validate via UEBA, contain via account lock + risky-user response in Entra ID Protection.
Write a KQL query to find failed sign-ins from the same IP across 5+ users in the last hour.
`SigninLogs | where ResultType != 0 | where TimeGenerated > ago(1h) | summarize FailedUsers=dcount(UserPrincipalName) by IPAddress | where FailedUsers >= 5`. Bonus: project unique users, sort desc.
How do you tune false positives in a SIEM?
Quantify FP rate per rule, identify common FP source (legit admin tools, scanners, backup jobs), modify rule logic with allow-lists scoped to identity/asset/time-window, not blanket disabling. Document tuning rationale in detection content repo.
Explain the MITRE ATT&CK framework.
Knowledge base of adversary TTPs across 14 tactics (Reconnaissance → Impact). Used to map detections, plan purple-team exercises, prioritise coverage. Distinguish from Cyber Kill Chain (linear) and D3FEND (defensive).
A user opened a malicious doc; EDR shows winword.exe spawning powershell.exe. What do you do?
Treat as confirmed infection: isolate host via EDR, capture memory + disk, extract IOCs (hash, C2), sweep estate for same IOCs, identify lateral movement (recent logons from host), engage IR if scope grows. Document timeline.
How would you detect Kerberoasting?
Look for unusual TGS-REQ patterns: many service-ticket requests for SPNs from a single account, often with RC4 encryption requested (downgrade). KQL: `SecurityEvent | where EventID == 4769 | where TicketEncryptionType == '0x17'`. Tune for service accounts.
What is dwell time and how do you reduce it?
Time between initial compromise and detection. Reduce with: better baseline (UEBA), threat hunting cadence, deception (honeytokens, canaries), purple-team-validated detections.
Tell me about a time you escalated something that turned out to be benign.
Behavioural. Show you erred on the side of escalation, communicated clearly, learned from the FP without becoming gun-shy.
Tier 2+ usually includes a KQL/Splunk lab or take-home triage exercise. Practise on Microsoft Sentinel's Training Lab or BOTS data.
Phishing triage walkthrough. Memorise the headers + URL + sandbox + SIEM-search loop.
Have 3 stories: a tough escalation, a false positive you owned, a detection you proposed. STAR format, results quantified.
PowerShell or Python at basic level for Tier 1; intermediate for Tier 2; required at Tier 3 / detection engineer.
Run AI-graded mock interviews with panel personas and structured feedback.