role

SOC Analyst Interview Questions Interview Questions

Tier 1, 2, and 3 SOC Analyst interview questions — with answer guides covering SIEM, EDR, threat hunting, and incident response.

SOC interview loops typically run 3 stages: a technical screen on fundamentals, a scenario-based investigation interview, and a behavioural / shift-fit interview. Hands-on labs (KQL, Splunk SPL, or a takehome triage) are increasingly common at Tier 2+. ## Interview questions and strong-answer skeletons Each question below is drawn from recent UK and US interview loops for the role or framework. Use the answer skeletons as scaffolding — adapt to your specific experience.

Questions

  1. 01

    Walk me through the OSI model and where common attacks live.

    Show strong-answer outline

    L2: ARP spoofing, MAC flooding. L3: IP spoofing, route hijack. L4: SYN flood, port scanning. L5–7: app-layer (SQLi, XSS, deserialisation, BAC). Show you can map controls to layers.

  2. 02

    Describe the incident response lifecycle.

    Show strong-answer outline

    NIST 800-61r2: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident. Loop, not linear. Detection-and-analysis is where SOCs spend 80% of time.

  3. 03

    Difference between IDS and IPS?

    Show strong-answer outline

    IDS detects and alerts; IPS inline-blocks. IDS = monitoring-mode; IPS = enforcement-mode. Modern NDR (Vectra, Darktrace) blurs this with ML-driven detection.

  4. 04

    How do you triage a phishing email reported by a user?

    Show strong-answer outline

    Header analysis (SPF/DKIM/DMARC, Received chain), URL detonation (sandbox), payload extraction (if attachment), check delivery to other mailboxes (eDiscovery), search SIEM for click events, evaluate user credential exposure, contain (recall message, block sender domain), log in IR system.

  5. 05

    Walk me through investigating a brute-force alert on Entra ID.

    Show strong-answer outline

    Pull sign-in logs, group by user/IP/conditional access result, identify if successful auth occurred post-brute, check for MFA bypass / token theft signs, validate via UEBA, contain via account lock + risky-user response in Entra ID Protection.

  6. 06

    Write a KQL query to find failed sign-ins from the same IP across 5+ users in the last hour.

    Show strong-answer outline

    `SigninLogs | where ResultType != 0 | where TimeGenerated > ago(1h) | summarize FailedUsers=dcount(UserPrincipalName) by IPAddress | where FailedUsers >= 5`. Bonus: project unique users, sort desc.

  7. 07

    How do you tune false positives in a SIEM?

    Show strong-answer outline

    Quantify FP rate per rule, identify common FP source (legit admin tools, scanners, backup jobs), modify rule logic with allow-lists scoped to identity/asset/time-window, not blanket disabling. Document tuning rationale in detection content repo.

  8. 08

    Explain the MITRE ATT&CK framework.

    Show strong-answer outline

    Knowledge base of adversary TTPs across 14 tactics (Reconnaissance → Impact). Used to map detections, plan purple-team exercises, prioritise coverage. Distinguish from Cyber Kill Chain (linear) and D3FEND (defensive).

  9. 09

    A user opened a malicious doc; EDR shows winword.exe spawning powershell.exe. What do you do?

    Show strong-answer outline

    Treat as confirmed infection: isolate host via EDR, capture memory + disk, extract IOCs (hash, C2), sweep estate for same IOCs, identify lateral movement (recent logons from host), engage IR if scope grows. Document timeline.

  10. 10

    How would you detect Kerberoasting?

    Show strong-answer outline

    Look for unusual TGS-REQ patterns: many service-ticket requests for SPNs from a single account, often with RC4 encryption requested (downgrade). KQL: `SecurityEvent | where EventID == 4769 | where TicketEncryptionType == '0x17'`. Tune for service accounts.

  11. 11

    What is dwell time and how do you reduce it?

    Show strong-answer outline

    Time between initial compromise and detection. Reduce with: better baseline (UEBA), threat hunting cadence, deception (honeytokens, canaries), purple-team-validated detections.

  12. 12

    Tell me about a time you escalated something that turned out to be benign.

    Show strong-answer outline

    Behavioural. Show you erred on the side of escalation, communicated clearly, learned from the FP without becoming gun-shy.

Frequently asked questions

Are SOC interviews hands-on?

Tier 2+ usually includes a KQL/Splunk lab or take-home triage exercise. Practise on Microsoft Sentinel's Training Lab or BOTS data.

What's the most common SOC interview question?

Phishing triage walkthrough. Memorise the headers + URL + sandbox + SIEM-search loop.

How do I prep for a SOC behavioural interview?

Have 3 stories: a tough escalation, a false positive you owned, a detection you proposed. STAR format, results quantified.

Do I need scripting for SOC interviews?

PowerShell or Python at basic level for Tier 1; intermediate for Tier 2; required at Tier 3 / detection engineer.

Rehearse SOC Analyst Interview Questions questions live

Run AI-graded mock interviews with panel personas and structured feedback.

Start free
// related