Incident Response
Triage, containment, escalation, evidence handling, and documentation.
IR-01
What are the phases of incident response?
Answer: Preparation, Detection/Analysis, Containment, Eradication, Recovery, and Lessons Learned.
Tip: Even Tier 1 should speak this fluently and tie actions to phases.
IR-02
How do you decide incident severity?
Answer: Based on impact, scope, data sensitivity, business criticality, attacker control, and whether there is ongoing compromise.
Tip: Use your org’s rubric (P1/P2, SEV1/SEV2) if available.
IR-03
What does “containment” mean?
Answer: Stop the bleeding: isolate hosts, disable accounts, block IOCs, and prevent further spread while preserving evidence.
Tip: Containment first; don’t reimage or “wipe” a host before evidence is collected and the scope of the compromise is known.
IR-04
When should a Tier 1 analyst escalate?
Answer: When scope is unclear, privileged accounts are involved, multiple systems are impacted, data exfiltration is suspected, or the playbook requires Tier 2/IR.
Tip: Mention escalation criteria and proper handoff (what you include).
IR-05
How do you handle suspected phishing reported by a user?
Answer: Collect headers/URL/attachment, check sandbox/reputation, search for similar emails across org, identify clicks, and remediate (quarantine, block, reset creds if needed).
Tip: Call out user education + reporting workflow improvements.
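The collect → check → search → remediate steps in IR-05, as an added example (not code from the original page). It parses a constructed .eml, pulls the artifacts an analyst collects (From, Reply-To, Return-Path, Authentication-Results, URLs, attachment SHA-256), flags common phishing indicators, then searches constructed message-trace records for other recipients of the same sender or link host and who clicked. The sample message, the trace rows, the example.* domains, the risky-extension list and the indicator heuristics are all assumptions made for the example.

```python
"""Phishing triage helper: added example, not code from the original page.

Parses a constructed .eml, collects the artifacts an analyst gathers (sender,
Reply-To, Return-Path, Authentication-Results, URLs, attachment hashes), flags
common phishing indicators, then scopes the campaign across a constructed set
of message-trace records to find other recipients and who clicked.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of container/script extensions that are rarely legitimate in mail.
RISKY_EXTENSIONS = {".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".scr"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed sample message; all domains are reserved example names.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: <reset-support@example.net>
To: <alice@example.com>
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your password expires today. Reset it here: https://login.example.net/reset?u=alice
--XX
Content-Type: application/octet-stream; name="invoice.iso"
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

SGVsbG8=
--XX--
"""

# Constructed message-trace rows (what a mail-gateway search would return).
TRACE_RECORDS = [
    {"rcpt": "alice@example.com", "from": "helpdesk@example.com",
     "url": "https://login.example.net/reset?u=alice", "clicked": True},
    {"rcpt": "bob@example.com", "from": "helpdesk@example.com",
     "url": "https://login.example.net/reset?u=bob", "clicked": False},
    {"rcpt": "carol@example.com", "from": "news@example.org",
     "url": "https://example.org/weekly", "clicked": True},
]


def _domain(header_value) -> str:
    """Lowercased domain of the first address in a header value ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].split("@")[-1].lower()


def triage_email(raw: bytes) -> dict:
    """Collect headers, URLs and attachment hashes and flag phishing indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    return_path_domain = _domain(msg["Return-Path"]) if msg["Return-Path"] else from_domain

    # Authentication-Results may be folded; normalise whitespace before matching.
    auth_header = re.sub(r"\s+", " ", str(msg["Authentication-Results"] or ""))
    auth = dict(AUTH_RE.findall(auth_header))

    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content() if body else "")

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename() or "",
                            "sha256": hashlib.sha256(data).hexdigest()})

    indicators = []
    if reply_domain != from_domain:
        indicators.append("reply-to domain differs from From domain")
    if return_path_domain != from_domain:
        indicators.append("envelope sender domain differs from From domain")
    if auth.get("dmarc") != "pass":
        indicators.append("DMARC did not pass")
    if any(not (urlparse(u).hostname or "").endswith(from_domain) for u in urls):
        indicators.append("link host is outside the sender domain")
    if any(a["name"].lower().endswith(tuple(RISKY_EXTENSIONS)) for a in attachments):
        indicators.append("risky attachment type")

    return {"from": parseaddr(str(msg["From"]))[1].lower(), "from_domain": from_domain,
            "auth": auth, "urls": urls, "attachments": attachments,
            "indicators": indicators}


def scope_campaign(triage: dict, records: list) -> dict:
    """Find other messages from the same sender or linking to the same host."""
    hosts = {urlparse(u).hostname for u in triage["urls"]}
    matches = [r for r in records
               if r["from"].lower() == triage["from"]
               or urlparse(r["url"]).hostname in hosts]
    clicked = sorted(r["rcpt"] for r in matches if r["clicked"])
    # Remediation follows the findings: quarantine every copy, block the link
    # host, and reset credentials only for users who actually clicked.
    actions = ([f"quarantine {len(matches)} message(s)"]
               + [f"block host {h}" for h in sorted(hosts)]
               + [f"reset credentials for {u}" for u in clicked])
    return {"recipients": sorted(r["rcpt"] for r in matches),
            "clicked": clicked, "actions": actions}


if __name__ == "__main__":
    report = triage_email(SAMPLE_EML)
    print(report)
    print(scope_campaign(report, TRACE_RECORDS))
```

The hash-and-host search is deliberately keyed on the sender address and the link host rather than the subject line, since a campaign usually rotates subjects but reuses infrastructure; in a real gateway search you would also pivot on the attachment hash.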
IR-06
What is evidence preservation and why is it important?
Answer: Maintain integrity of logs/artifacts for investigation and potential legal needs. Avoid altering data; record chain-of-custody where applicable.
Tip: In a SOC, at minimum document who did what, when, and what was collected.
IR-07
What should a good incident ticket include?
Answer: Timeline, affected assets/users, alert details, supporting evidence, triage steps taken, IOCs, containment actions, and next steps/recommendations.
Tip: Clear writing is a real SOC superpower—keep it structured and scannable.
IR-08
How would you respond to malware detected on one endpoint?
Answer: Validate alert → isolate host (if needed) → identify process/file/persistence → collect artifacts → remove/quarantine → patch/root cause → monitor for recurrence.
Tip: Also scope: check other hosts for same hashes/domains/behaviors.
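The scoping step in the IR-08 tip together with the Tier 1 escalation criteria from IR-04, as an added example (not code from the original page). Starting from one alerted host, it pulls that host's indicators from constructed EDR-style telemetry (file hash, contacted domain, persistence artifact), searches every other host for the same indicators, and then applies the escalation criteria (privileged account involved, multiple systems impacted, suspected exfiltration) to decide whether the case goes to Tier 2/IR and which containment actions to propose. The telemetry rows, host names, hashes, the privileged-account list and the outbound-bytes threshold are all assumptions made for the example.

```python
"""Malware scoping and escalation helper: added example, not from the original page.

Starting from one endpoint alert, pulls the indicators from that host's
constructed EDR-style telemetry (file hash, contacted domain, persistence
mechanism), searches the other hosts for the same indicators, and applies the
Tier 1 escalation criteria (privileged accounts, multiple hosts, suspected
exfiltration) to decide whether the case goes to Tier 2/IR.
"""
from collections import defaultdict

PRIVILEGED_USERS = {"corp\\domain-admin", "corp\\svc-backup"}  # assumed list
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024                      # assumed: 50 MiB outbound

# Constructed telemetry; hashes, hosts and domains are made up for the example.
EVENTS = [
    {"host": "WS-0142", "user": "corp\\jsmith", "type": "process",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe", "sha256": "a1" * 32},
    {"host": "WS-0142", "user": "corp\\jsmith", "type": "dns", "domain": "cdn-update.example.net"},
    {"host": "WS-0142", "user": "corp\\jsmith", "type": "persistence",
     "technique": "scheduled_task", "name": "UpdateCheck"},
    {"host": "WS-0142", "user": "corp\\jsmith", "type": "netflow",
     "domain": "cdn-update.example.net", "bytes_out": 2 * 1024 * 1024},
    {"host": "WS-0207", "user": "corp\\mlee", "type": "process",
     "image": "C:\\Users\\mlee\\Downloads\\update.exe", "sha256": "a1" * 32},
    {"host": "WS-0207", "user": "corp\\mlee", "type": "dns", "domain": "cdn-update.example.net"},
    {"host": "SRV-FS01", "user": "corp\\svc-backup", "type": "persistence",
     "technique": "scheduled_task", "name": "UpdateCheck"},
    {"host": "SRV-FS01", "user": "corp\\svc-backup", "type": "netflow",
     "domain": "cdn-update.example.net", "bytes_out": 120 * 1024 * 1024},
    {"host": "WS-0311", "user": "corp\\tnguyen", "type": "process",
     "image": "C:\\Program Files\\Vendor\\update.exe", "sha256": "b2" * 32},
]


def extract_indicators(events, host):
    """Hashes, domains and persistence artifacts observed on the alerted host."""
    ind = {"sha256": set(), "domain": set(), "persistence": set()}
    for e in events:
        if e["host"] != host:
            continue
        if e["type"] == "process":
            ind["sha256"].add(e["sha256"])
        elif e["type"] in ("dns", "netflow"):
            ind["domain"].add(e["domain"])
        elif e["type"] == "persistence":
            ind["persistence"].add((e["technique"], e["name"]))
    return ind


def scope(events, indicators):
    """Map every host (including the alerted one) to the indicators it shares."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "process" and e["sha256"] in indicators["sha256"]:
            hits[e["host"]].add(f"hash:{e['sha256'][:12]}")
        elif e["type"] in ("dns", "netflow") and e["domain"] in indicators["domain"]:
            hits[e["host"]].add(f"domain:{e['domain']}")
        elif e["type"] == "persistence" and (e["technique"], e["name"]) in indicators["persistence"]:
            hits[e["host"]].add(f"persistence:{e['technique']}/{e['name']}")
    return dict(hits)


def escalation_decision(events, hits):
    """Apply the Tier 1 escalation criteria to the scoped host set."""
    reasons = []
    users = {e["user"] for e in events if e["host"] in hits}
    priv = sorted(users & PRIVILEGED_USERS)
    if priv:
        reasons.append(f"privileged account involved: {', '.join(priv)}")
    if len(hits) > 1:
        reasons.append(f"multiple systems impacted: {len(hits)}")
    exfil = sorted({e["host"] for e in events
                    if e["host"] in hits and e["type"] == "netflow"
                    and e["bytes_out"] >= EXFIL_BYTES_THRESHOLD})
    if exfil:
        reasons.append(f"possible exfiltration from: {', '.join(exfil)}")
    # Proposed containment: isolate every host that shares an indicator and
    # disable any privileged account seen on them. Isolating a server is a
    # Tier 2 call in most playbooks; the list is a recommendation for the handoff.
    contain = [f"isolate {h}" for h in sorted(hits)] + [f"disable {u}" for u in priv]
    return {"escalate": bool(reasons), "reasons": reasons, "contain": contain}


def respond(events, alerted_host):
    """Validate-then-scope: indicators from the alerted host, then fleet search."""
    hits = scope(events, extract_indicators(events, alerted_host))
    return hits, escalation_decision(events, hits)


if __name__ == "__main__":
    hosts, decision = respond(EVENTS, "WS-0142")
    print(hosts)
    print(decision)
```

Note that WS-0311 runs a binary with the same file name but a different hash from a vendor path, so it is not pulled into scope: matching on hash, domain and the persistence artifact rather than on the image name is what keeps the scoping honest.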
IR-09
What’s the difference between eradication and recovery?
Answer: Eradication removes the threat (malware, persistence, bad accounts). Recovery returns systems to normal operations safely (restore, monitor, re-enable).
Tip: Recovery includes increased monitoring and verification.
IR-10
How do you handle a likely false positive alert?
Answer: Prove it’s benign using evidence (baseline, change records, known tools), document reasoning, update tuning/allowlist if appropriate, and monitor for recurrence.
Tip: Don’t just close—explain why it’s safe and how you validated it.
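The "prove it's benign using evidence" step in IR-10, as an added example (not code from the original page). It checks one constructed alert against the three evidence sources the answer names (fleet baseline prevalence, change records, a known-tool allowlist keyed by hash), records what was validated and what remains unresolved, and only when the evidence holds proposes a tuning rule scoped to the exact hash and path rather than the process name. The alerts, baseline, change record, allowlist, fleet size and prevalence threshold are all assumptions made for the example.

```python
"""False-positive validation helper: added example, not from the original page.

Checks a constructed alert against three evidence sources an analyst uses to
prove an alert benign (fleet baseline prevalence, change records, a known-tool
allowlist keyed by hash) and, if the evidence holds, proposes a tuning rule
scoped to the exact hash and path rather than to the process name.
"""
from datetime import datetime, timedelta

# Constructed alerts and evidence; hashes and host names are made up.
ALERT = {"host": "WS-0142", "time": datetime(2024, 3, 12, 9, 14),
         "image": "C:\\Program Files\\Vendor\\agent.exe", "sha256": "c3" * 32,
         "user": "NT AUTHORITY\\SYSTEM", "rule": "Unsigned binary spawning PowerShell"}
NOVEL_ALERT = {"host": "WS-0142", "time": datetime(2024, 3, 12, 14, 30),
               "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\agent.exe", "sha256": "d4" * 32,
               "user": "corp\\jsmith", "rule": "Unsigned binary spawning PowerShell"}

# sha256 -> hosts that ran it in the last 30 days (an EDR prevalence search).
BASELINE = {
    "c3" * 32: {"WS-0142", "WS-0207", "WS-0311", "SRV-FS01"} | {f"WS-{i:04d}" for i in range(400, 480)},
    "d4" * 32: {"WS-0142"},
}
CHANGE_RECORDS = [
    {"id": "CHG-4471", "start": datetime(2024, 3, 12, 8, 0), "end": datetime(2024, 3, 12, 12, 0),
     "desc": "Vendor agent upgrade to 5.2 via SCCM", "hashes": {"c3" * 32}},
]
KNOWN_TOOLS = {"c3" * 32: "Vendor agent 5.2 (signed; hash published by vendor)"}


def validate_false_positive(alert, baseline, changes, known_tools,
                            fleet_size=500, min_fraction=0.10):
    """Return the evidence for and against 'benign', a verdict, and a tuning proposal."""
    evidence, unresolved = [], []

    # 1. Baseline: is this exact hash common across the fleet?
    hosts = baseline.get(alert["sha256"], set())
    if len(hosts) / fleet_size >= min_fraction:
        evidence.append(f"baseline: hash seen on {len(hosts)}/{fleet_size} hosts in 30 days")
    else:
        unresolved.append(f"baseline: hash seen on only {len(hosts)} host(s)")

    # 2. Change records: was a change touching this hash open when the alert fired?
    for c in changes:
        if c["start"] <= alert["time"] <= c["end"] and alert["sha256"] in c["hashes"]:
            evidence.append(f"change record: {c['id']} ({c['desc']})")
            break
    else:
        unresolved.append("no change record covers the alert time and hash")

    # 3. Known tools: is the hash on the allowlist (keyed by hash, never by name)?
    if alert["sha256"] in known_tools:
        evidence.append(f"known tool: {known_tools[alert['sha256']]}")
    else:
        unresolved.append("hash not in known-tool allowlist")

    # Verdict: the allowlist match is required, plus at least one corroborating
    # source, so a single lookup never closes the alert on its own.
    benign = alert["sha256"] in known_tools and len(evidence) >= 2
    tuning = None
    if benign:
        # Narrow, expiring exclusion: same hash AND same path, not the image name.
        tuning = {"rule": alert["rule"],
                  "exclude": {"sha256": alert["sha256"], "image": alert["image"]},
                  "expires": alert["time"] + timedelta(days=90),
                  "justification": "; ".join(evidence)}
    return {"benign": benign, "evidence": evidence, "unresolved": unresolved, "tuning": tuning}


if __name__ == "__main__":
    print(validate_false_positive(ALERT, BASELINE, CHANGE_RECORDS, KNOWN_TOOLS))
    print(validate_false_positive(NOVEL_ALERT, BASELINE, CHANGE_RECORDS, KNOWN_TOOLS))
```

The second alert shares the file name with the first but has a hash seen on a single host, no covering change record and no allowlist entry, so it stays open; the unresolved list is what goes into the ticket, and the expiring, hash-plus-path exclusion is the tuning change that does not silently allowlist the next thing named agent.exe.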