SIEM & Log Analysis
Alert triage, false positives, correlation, and log investigation.
SIEM-01
Walk me through how you investigate a SIEM alert.
Answer: Confirm alert context (which rule fired, on which asset or user, severity) → validate the evidence in the raw logs → scope affected users/hosts → identify root cause and IOCs → contain/respond or escalate → document findings and timeline.
Tip: Say “I start with what triggered it, then pivot to related logs/telemetry.”
SIEM-02
What’s the difference between a false positive and a false negative?
Answer: False positive: alert fires but no real threat. False negative: threat exists but alert doesn’t fire.
Tip: Mention impact: false negatives are dangerous; too many false positives cause alert fatigue.
SIEM-03
What are common log sources a SOC relies on?
Answer: EDR, Windows/Linux logs, firewall, proxy, DNS, authentication (AD/IdP), email security, VPN, web/app logs, cloud audit logs.
Tip: Good SOC answers include identity and DNS—two high-value sources.
SIEM-04
Why do time zones and timestamps matter in investigations?
Answer: Correlation depends on accurate time. Misaligned time zones or clock drift can make events look out of order or unrelated.
Tip: Mention NTP for clock synchronization and normalizing every source's timestamps to UTC at ingest, so events from different time zones sort correctly in the SIEM.
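Added example (not from the original page): four constructed log lines, each stamped in a different way (UTC with Z, US Eastern offset, India offset, Unix epoch). Sorting the raw strings puts the events in the wrong order; normalizing each stamp to UTC first recovers the real sequence (PowerShell start, then DNS query, then firewall deny, then proxy request). Source names and lines are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample lines (not from the original page): each source stamps
# time differently, which is the normal state of affairs before normalization.
RAW_EVENTS = [
    "2024-03-01T14:05:10Z fw01 DENY 10.0.0.5 -> 203.0.113.7:443",
    "2024-03-01T09:04:55-05:00 ws01 process_start powershell.exe",
    "1709301905 dns01 query example.net from 10.0.0.5",
    "2024-03-01T19:35:20+05:30 proxy01 GET http://example.net/ from 10.0.0.5",
]


def parse_timestamp(token):
    """Return an aware UTC datetime for an ISO-8601 stamp (offset or Z) or a Unix epoch."""
    if token.isdigit():
        return datetime.fromtimestamp(int(token), tz=timezone.utc)
    if token.endswith("Z"):
        token = token[:-1] + "+00:00"  # fromisoformat only accepts 'Z' from Python 3.11 on
    dt = datetime.fromisoformat(token)
    if dt.tzinfo is None:
        # A naive stamp cannot be placed on a common timeline; the source's
        # time zone must be known and configured at ingest.
        raise ValueError(f"naive timestamp, cannot normalize: {token}")
    return dt.astimezone(timezone.utc)


def normalize(line):
    """Split '<stamp> <source> <message>' and convert the stamp to UTC."""
    stamp, source, message = line.split(" ", 2)
    return {"utc": parse_timestamp(stamp), "source": source, "message": message}


def order_by_utc(lines):
    """Sources in true chronological order after UTC normalization."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["utc"])
    return [e["source"] for e in events]


def order_by_raw_string(lines):
    """Sources in the (wrong) order a naive string sort produces."""
    return [l.split(" ", 2)[1] for l in sorted(lines)]


if __name__ == "__main__":
    print("raw string order:", order_by_raw_string(RAW_EVENTS))
    print("UTC order:       ", order_by_utc(RAW_EVENTS))
```

Note that an offset fixes the time-zone problem but not clock drift: a host whose clock is three minutes fast still lands in the wrong place after normalization, which is why NTP matters alongside this.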
SIEM-05
How would you detect brute-force attempts in logs?
Answer: Look for repeated failed logins from the same IP/user, multiple users from one IP, short time windows, and success after many failures.
Tip: Mention lockouts, geo anomalies, and “impossible travel” if using an IdP.
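Added example (not from the original page): a sliding-window detector over constructed authentication events that covers the three patterns in the answer: repeated failures from one IP, many distinct users from one IP (password spraying), and a success that follows a burst of failures. The log format, IPs, usernames and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not from the original page):
# "<timestamp> <source_ip> <user> <FAIL|SUCCESS>"
AUTH_LOG = [
    "2024-03-01T09:50:00 198.51.100.10 alice FAIL",     # stale failure, outside the window
    "2024-03-01T10:00:00 198.51.100.10 alice FAIL",
    "2024-03-01T10:00:10 198.51.100.10 alice FAIL",
    "2024-03-01T10:00:20 198.51.100.10 alice FAIL",
    "2024-03-01T10:00:30 198.51.100.10 alice FAIL",
    "2024-03-01T10:00:40 198.51.100.10 alice FAIL",
    "2024-03-01T10:00:50 198.51.100.10 alice FAIL",
    "2024-03-01T10:01:00 198.51.100.10 alice SUCCESS",  # success after the burst
    "2024-03-01T10:05:00 198.51.100.20 bob FAIL",       # one IP, three different users
    "2024-03-01T10:05:05 198.51.100.20 carol FAIL",
    "2024-03-01T10:05:10 198.51.100.20 dave FAIL",
    "2024-03-01T10:10:00 10.0.0.7 eve FAIL",            # benign: two typos, then success
    "2024-03-01T10:10:20 10.0.0.7 eve FAIL",
    "2024-03-01T10:10:30 10.0.0.7 eve SUCCESS",
]


def parse(line):
    ts, ip, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "result": result}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2), spray_users=3):
    """Per-source-IP sliding window. Returns (kind, ip, ts) alerts in event-time order.

    brute_force:            `threshold` failures from one IP inside `window`
    password_spray:         `spray_users` distinct usernames failing from one IP inside `window`
    success_after_failures: a SUCCESS while the IP's window still holds >= `threshold` failures
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user) for failures inside the window
    alerts = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            users_before = {u for _, u in q}
            q.append((ev["ts"], ev["user"]))
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
            if ev["user"] not in users_before and len(users_before) + 1 == spray_users:
                alerts.append(("password_spray", ev["ip"], ev["ts"]))
        elif len(q) >= threshold:
            # The interesting case: the attacker got in. Failures are not cleared,
            # so a later investigation still sees the burst that preceded the success.
            alerts.append(("success_after_failures", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_brute_force(AUTH_LOG):
        print(f"{ts.isoformat()} {kind:24s} {ip}")
```

The benign user with two failed attempts never reaches the threshold, and the stale failure from ten minutes earlier is expired before it can count, which is what keeps a rule like this from paging on ordinary typos.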
SIEM-06
How would you investigate an “impossible travel” alert?
Answer: Validate the user's travel context, check device and IP reputation (VPN, mobile carrier, cloud provider), review MFA prompts, check whether both events belong to one existing session (an IP change on a VPN or mobile network) or are separate authentications, and look for concurrent sessions or an unusual user agent.
Tip: If real, recommend password reset, session revoke, MFA reset, and scope other access.
SIEM-07
What is a correlation rule?
Answer: Logic that links multiple events/signals into a meaningful detection (e.g., suspicious PowerShell + new scheduled task + outbound to rare domain).
Tip: Show you understand tuning and reducing noise with baselines/allowlists.
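Added example (not from the original page): the correlation rule from the answer implemented over constructed, already UTC-normalized telemetry. Per host it requires a PowerShell process start and a scheduled-task creation within a window before an outbound connection, and it only fires when the destination is rare across the fleet and not allowlisted, which is the tuning the tip refers to. Hosts, domains, window and rarity threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original page): (ts, host, type, detail)
EVENTS = [
    # ws01: full chain to a destination nobody else talks to -> should alert
    ("2024-03-01T10:00:00", "ws01", "process", "powershell.exe -enc ..."),
    ("2024-03-01T10:03:00", "ws01", "sched_task", "\\Updater"),
    ("2024-03-01T10:04:00", "ws01", "net_out", "cdn-upd8.example"),
    # ws02: same chain, but the destination is common across the fleet -> no alert
    ("2024-03-01T10:00:00", "ws02", "process", "powershell.exe"),
    ("2024-03-01T10:02:00", "ws02", "sched_task", "\\Inventory"),
    ("2024-03-01T10:03:00", "ws02", "net_out", "sso.example.com"),
    ("2024-03-01T09:00:00", "ws03", "net_out", "sso.example.com"),
    ("2024-03-01T09:30:00", "ws04", "net_out", "sso.example.com"),
    # ws03: the steps are hours apart -> no alert
    ("2024-03-01T08:00:00", "ws03", "process", "powershell.exe"),
    ("2024-03-01T11:00:00", "ws03", "sched_task", "\\Cleanup"),
    ("2024-03-01T11:01:00", "ws03", "net_out", "cdn-upd9.example"),
    # ws05: rare destination, but it is the known backup agent -> suppressed by allowlist
    ("2024-03-01T12:00:00", "ws05", "process", "powershell.exe"),
    ("2024-03-01T12:01:00", "ws05", "sched_task", "\\BackupAgent"),
    ("2024-03-01T12:02:00", "ws05", "net_out", "backup.example.net"),
]
ALLOWLIST = {"backup.example.net"}  # constructed: destinations known to be benign


def domain_host_counts(events):
    """How many distinct hosts contacted each destination (the 'rare domain' baseline)."""
    hosts = defaultdict(set)
    for _, host, etype, detail in events:
        if etype == "net_out":
            hosts[detail].add(host)
    return {domain: len(h) for domain, h in hosts.items()}


def correlate(events, window=timedelta(minutes=10), rare_max_hosts=1, allowlist=ALLOWLIST):
    """Return (host, domain, ts) for each outbound connection to a rare, non-allowlisted
    domain that was preceded within `window` by a PowerShell start and a scheduled-task
    creation on the same host."""
    counts = domain_host_counts(events)
    by_host = defaultdict(list)
    for ts, host, etype, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), etype, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t_net, etype, domain) in enumerate(evs):
            if etype != "net_out" or domain in allowlist or counts[domain] > rare_max_hosts:
                continue  # not a network event, allowlisted, or too common to be interesting
            earlier = [e for e in evs[:i] if t_net - e[0] <= window]
            saw_powershell = any(e[1] == "process" and "powershell" in e[2].lower() for e in earlier)
            saw_task = any(e[1] == "sched_task" for e in earlier)
            if saw_powershell and saw_task:
                alerts.append((host, domain, t_net.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, domain, ts in correlate(EVENTS):
        print(f"{ts} {host} persistence + outbound to rare domain {domain}")
```

Each of the three signals on its own is noisy (PowerShell and scheduled tasks are everyday administration); the rule becomes useful only when they are joined per host within a short window and the destination is checked against a fleet-wide baseline and an allowlist.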
SIEM-08
How do you baseline “normal” behavior?
Answer: Compare current activity to historical patterns: typical login times, common destinations, standard process usage, and normal data volumes.
Tip: Baselines differ by team/system—avoid one-size-fits-all tuning.
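Added example (not from the original page): building a per-user login-hour baseline from constructed history and scoring new logins against it. A day-shift user and a night-shift user get different baselines, so a 03:00 login is an anomaly for one and routine for the other, and a user with too little history is reported as having no baseline rather than being scored against someone else's. Users, schedules and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime


def make_history():
    """Constructed successful-login history (not from the original page): (ts, user)."""
    events = []
    for day in range(1, 21):                      # 20 days of history
        for hour in range(8, 18):                 # alice works a day shift
            events.append((f"2024-02-{day:02d}T{hour:02d}:15:00", "alice"))
        for hour in (22, 23, 0, 1, 2, 3, 4, 5):   # bob works nights in operations
            events.append((f"2024-02-{day:02d}T{hour:02d}:15:00", "bob"))
    events.append(("2024-02-10T09:00:00", "carol"))  # a single login: not enough to baseline
    return events


def build_baseline(history, min_events=10, min_share=0.02):
    """Per user, the set of hours that account for at least `min_share` of their logins.
    Users with fewer than `min_events` logins get no baseline at all."""
    counts = defaultdict(lambda: [0] * 24)
    for ts, user in history:
        counts[user][datetime.fromisoformat(ts).hour] += 1
    baseline = {}
    for user, per_hour in counts.items():
        total = sum(per_hour)
        if total < min_events:
            continue
        baseline[user] = {h for h, c in enumerate(per_hour) if c / total >= min_share}
    return baseline


def score_login(baseline, ts, user):
    """'normal', 'off_hours', or 'no_baseline' when the user has too little history."""
    if user not in baseline:
        return "no_baseline"
    hour = datetime.fromisoformat(ts).hour
    return "normal" if hour in baseline[user] else "off_hours"


if __name__ == "__main__":
    baseline = build_baseline(make_history())
    for ts, user in [("2024-03-01T03:00:00", "alice"), ("2024-03-01T03:00:00", "bob"),
                     ("2024-03-01T09:00:00", "alice"), ("2024-03-01T09:00:00", "carol")]:
        print(ts, user, score_login(baseline, ts, user))
```

A single fleet-wide "business hours" rule would flag bob every night and miss nothing for alice; the per-entity baseline is what makes the same rule usable for both. The no_baseline case is the one to handle explicitly: new accounts and rarely used service accounts should route to a different check (for example, peer-group comparison) rather than being silently treated as normal.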
SIEM-09
What are IOCs and IOAs?
Answer: IOCs are indicators of compromise (hashes, domains, IPs). IOAs are indicators of attack (behaviors and techniques).
Tip: Modern detection prioritizes behaviors (IOAs) because IOCs change quickly.
SIEM-10
What pivots do you usually do after finding a suspicious IP/domain?
Answer: Search for every other host/user that contacted it, its first-seen time in the environment, DNS queries that resolved it, proxy logs for URLs and user agents, EDR network events, and the process/parent chain that made the connection.
Tip: Always scope: “Is this isolated or widespread?”