Tools & Technologies

Common SOC tools, what they’re used for, and practical use cases.


TOOL-01

How would you use Wireshark in a SOC investigation?

Answer: To inspect packet captures (pcaps): follow TCP/HTTP streams, identify protocols, check DNS queries and TLS server names, confirm beaconing from the timing of repeated connections, and validate whether a suspicious connection actually exchanged data.

Tip: Mention display filters (ip.addr==, tcp.port==, dns, http.request) and focus on context (timing, volume, destination) rather than only payload, which is usually encrypted.
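The beaconing check mentioned above, as an added example (not code from the original page): it reads timestamps exported from a capture and flags destinations that are contacted at evenly spaced intervals. The input mimics the tab-separated output of `tshark -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport` for one source host; the sample rows, thresholds and addresses are constructed for illustration.

```python
"""Beaconing check over connection timestamps exported from a capture.

Added example, not code from the original page. Input rows are
constructed in the shape of:
    tshark -r capture.pcap -Y "ip.src==10.0.0.5" -T fields \
        -e frame.time_epoch -e ip.dst -e tcp.dstport
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 203.0.113.9 is contacted every ~60 s with small jitter
# (beacon-like), 198.51.100.20 at irregular intervals (browsing-like), and
# 192.0.2.77 too rarely to judge.
SAMPLE = """\
1700000000.10\t203.0.113.9\t443
1700000005.00\t198.51.100.20\t443
1700000007.50\t198.51.100.20\t443
1700000045.00\t198.51.100.20\t443
1700000046.10\t198.51.100.20\t443
1700000060.40\t203.0.113.9\t443
1700000120.05\t203.0.113.9\t443
1700000180.90\t203.0.113.9\t443
1700000200.00\t198.51.100.20\t443
1700000203.30\t198.51.100.20\t443
1700000240.30\t203.0.113.9\t443
1700000300.70\t203.0.113.9\t443
1700000360.20\t203.0.113.9\t443
1700000420.55\t203.0.113.9\t443
1700000100.00\t192.0.2.77\t80
1700000400.00\t192.0.2.77\t80
"""


def parse_records(text):
    """Group packet timestamps by (destination IP, destination port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, port = line.split("\t")
        flows[(dst, int(port))].append(float(ts))
    return flows


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev/mean) of inter-arrival times.

    A low CV means connections are evenly spaced, the hallmark of a
    timer-driven beacon. Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")  # identical stamps: not a beacon
    return {"count": len(ts), "mean_gap": m, "cv": cv}


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return destinations whose timing looks beacon-like.

    The thresholds are tunable assumptions, not standards. A hit is a lead,
    not a verdict: NTP, update checks and monitoring agents are also regular,
    so confirm with context (owning process, destination reputation, TLS SNI,
    bytes per connection) before calling it C2.
    """
    hits = {}
    for key, stamps in parse_records(text).items():
        st = interval_stats(stamps)
        if st and st["count"] >= min_connections and st["cv"] <= max_cv:
            hits[key] = st
    return hits


if __name__ == "__main__":
    for (dst, port), st in find_beacons(SAMPLE).items():
        print(f"{dst}:{port}  {st['count']} conns, every {st['mean_gap']:.1f}s, cv={st['cv']:.3f}")
```

In Wireshark itself the same check is done by filtering on the destination (`ip.dst==203.0.113.9`) and reading the delta times in Statistics > Conversations or the frame.time_delta column; the script just makes the regularity measurable across many destinations at once.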

TOOL-02

What is Nmap used for and what would you look for?

Answer: Host discovery, port scanning and service/version detection. In a SOC, unexpected scans, especially from internal hosts, can indicate reconnaissance or an attacker preparing lateral movement.

Tip: Know that internal scanning can be legitimate (vulnerability scanners, asset inventory); validate the source host and look for a change ticket before escalating.
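The "validate source and change ticket" step as detection logic, added here as an example rather than code from the original page: it flags sources that touch many distinct destination ports within a short window, then checks each hit against an allowlist of authorized scanners with an approved change window. The key=value firewall log lines, the scanner allowlist, the ticket number and the thresholds are all constructed for illustration.

```python
"""Port-scan triage with an authorized-scanner allowlist.

Added example, not from the original page. Log lines are constructed in a
generic key=value firewall style; the allowlist, the change ticket and the
thresholds are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _line(ts, src, dst, dport, action="deny"):
    return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}"


# Constructed sample: 10.1.1.5 sweeps ten ports on one host (unexpected),
# 10.1.1.9 does the same but is an authorized scanner inside its ticket window,
# 10.1.1.20 is ordinary traffic.
PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445]
SAMPLE_LOGS = (
    [_line(f"2024-05-01T10:00:{i:02d}Z", "10.1.1.5", "10.1.2.10", p) for i, p in enumerate(PORTS)]
    + [_line(f"2024-05-01T10:05:{i:02d}Z", "10.1.1.9", "10.1.2.11", p) for i, p in enumerate(PORTS)]
    + [_line("2024-05-01T10:07:00Z", "10.1.1.20", "10.1.2.12", 443, "allow"),
       _line("2024-05-01T10:07:30Z", "10.1.1.20", "10.1.2.13", 80, "allow")]
)

# Hypothetical allowlist: scanner source -> change ticket and approved window.
AUTHORIZED_SCANNERS = {
    "10.1.1.9": {"ticket": "CHG0012345",
                 "start": _ts("2024-05-01T10:00:00Z"),
                 "end": _ts("2024-05-01T12:00:00Z")},
}


def parse_line(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": _ts(ts), "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"])}


def scan_sources(lines, window=timedelta(seconds=60), min_targets=8):
    """Return {src: time first flagged} for sources that touch at least
    min_targets distinct (dst, port) pairs inside a sliding time window."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window, start = Counter(), 0
        for ev in events:
            in_window[(ev["dst"], ev["dport"])] += 1
            while ev["ts"] - events[start]["ts"] > window:  # expire old events
                old = (events[start]["dst"], events[start]["dport"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                flagged[src] = ev["ts"]
                break
    return flagged


def triage(lines):
    """Classify each flagged source as an authorized scan (inside a ticket
    window) or something to investigate. An authorized hit still deserves a
    glance: confirm it is really the scanner, not a host that borrowed its IP."""
    verdicts = {}
    for src, when in scan_sources(lines).items():
        auth = AUTHORIZED_SCANNERS.get(src)
        if auth and auth["start"] <= when <= auth["end"]:
            verdicts[src] = f"authorized scan ({auth['ticket']})"
        else:
            verdicts[src] = "investigate: unexpected scan, no change ticket"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOGS).items():
        print(src, verdict)
```

The allowlist is keyed on source IP only for brevity; in practice tie it to the scanner's identity (hostname, certificate or agent ID) and to an active ticket looked up from the change system, since an attacker who lands on the scanner host inherits its IP.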

TOOL-03

What is Burp Suite (high level)?

Answer: A web application security testing proxy used to intercept, modify and analyze HTTP(S) traffic between a browser and a target; common in appsec and pentesting.

Tip: SOC tie-in: suspicious proxy tools on endpoints can be a signal.

TOOL-04

What is the ELK stack?

Answer: Elasticsearch (search/index), Logstash (ingest/parse), Kibana (visualization). Often used for log analytics/SIEM-like workflows.

Tip: Mention parsing/normalization and dashboards.

TOOL-05

Splunk vs ELK—what’s the difference in general?

Answer: Splunk is a commercial platform with integrated search (SPL), alerting, and apps; ELK is a set of components you deploy, operate, and tune yourself. Both can ingest, parse, and query logs at scale.

Tip: Don't bash either; focus on what you can do with them: search, dashboards, detections.

TOOL-06

What are Sysinternals tools and why are they useful?

Answer: A Microsoft suite for deep Windows diagnostics (Process Explorer, Autoruns, Sysmon, Procmon, etc.). Great for endpoint triage, persistence hunting, and generating rich telemetry (Sysmon) for the SIEM.

Tip: Autoruns is a strong mention for persistence checks.

TOOL-07

What is a sandbox and why do we use it?

Answer: An isolated environment to detonate suspicious files/URLs and observe behavior safely.

Tip: You still validate results; sandbox output isn't definitive, since malware can detect the sandbox, sleep past the analysis window, or require specific arguments or a target environment to run.

TOOL-08

What is threat intelligence and how do you use it?

Answer: Curated information about threats: IOCs (hashes, IPs, domains), TTPs, and actor profiles. Used to enrich alerts, block known-bad indicators, and guide hunting.

Tip: Show balance: TI supports decisions but doesn't replace local evidence, and indicators age quickly, so check the source and timestamp.

TOOL-09

How can SOAR help a SOC?

Answer: SOAR automates repetitive workflows (enrichment, ticketing, quarantining) and standardizes playbooks.

Tip: Mention reducing response time and improving consistency.

TOOL-10

What’s your approach to automating SOC work safely?

Answer: Start with low-risk tasks (enrichment, tagging), require approvals for disruptive actions (isolation, account disablement), test playbooks in staging, and monitor outcomes with a rollback path for every action that changes state.

Tip: Automation should reduce toil, not create outages.
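A minimal playbook runner that applies the safe-automation rules from TOOL-09 and TOOL-10, added here as an example and not code from the original page or from any SOAR product: actions carry a risk tier, disruptive steps run only when an approver says yes, a dry-run mode skips disruptive steps, and a failure backs out everything already done. The threat-intel feed, the alert, and the isolate/ticket actions are hypothetical stand-ins for calls you would make to an EDR or ticketing system.

```python
"""Safe-automation playbook runner: risk tiers, approval gate, dry run, rollback.

Added example, not the page's own code and not any SOAR product's API. The
TI feed, the alert fields and the actions are hypothetical stand-ins.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Risk(Enum):
    LOW = "low"                # enrichment, tagging, ticketing: run unattended
    DISRUPTIVE = "disruptive"  # isolate, disable, block: needs an approval


@dataclass
class Alert:
    id: str
    host: str
    dst_ip: str
    tags: list = field(default_factory=list)
    actions: list = field(default_factory=list)


@dataclass
class Step:
    name: str
    risk: Risk
    do: Callable[[Alert], None]
    undo: Optional[Callable[[Alert], None]] = None   # how to back this step out
    when: Callable[[Alert], bool] = lambda a: True   # precondition set by earlier steps


TI_BAD_IPS = {"203.0.113.9": ["c2", "example-feed"]}   # constructed indicator


def enrich_with_ti(alert):
    alert.tags.extend(TI_BAD_IPS.get(alert.dst_ip, []))

def isolate_host(alert):
    alert.actions.append(f"isolated:{alert.host}")

def unisolate_host(alert):
    alert.actions.remove(f"isolated:{alert.host}")

def open_ticket(alert):
    alert.actions.append(f"ticket:{alert.id}")


class Playbook:
    def __init__(self, steps, approver, dry_run=False):
        self.steps, self.approver, self.dry_run = steps, approver, dry_run

    def run(self, alert):
        """Run steps in order; return an audit trail of (step, outcome) pairs."""
        audit, done = [], []
        try:
            for step in self.steps:
                if not step.when(alert):
                    audit.append((step.name, "skipped: precondition not met"))
                elif step.risk is Risk.DISRUPTIVE and not self.approver(step, alert):
                    audit.append((step.name, "skipped: approval required"))
                elif step.risk is Risk.DISRUPTIVE and self.dry_run:
                    audit.append((step.name, "dry-run"))   # would have run, did not
                else:
                    step.do(alert)
                    done.append(step)
                    audit.append((step.name, "done"))
        except Exception as exc:   # a failed step backs out everything already done
            audit.append(("error", f"{type(exc).__name__}: {exc}"))
            for step in reversed(done):
                if step.undo:
                    step.undo(alert)
                    audit.append((step.name, "rolled back"))
        return audit


def standard_steps(notify=lambda a: None):
    return [
        Step("enrich", Risk.LOW, enrich_with_ti),
        Step("isolate", Risk.DISRUPTIVE, isolate_host, undo=unisolate_host,
             when=lambda a: "c2" in a.tags),   # isolate only if TI confirmed C2
        Step("ticket", Risk.LOW, open_ticket),
        Step("notify", Risk.LOW, notify),
    ]


def demo():
    """Four runs: approved, awaiting approval, dry run, and a failure that rolls back."""
    approve = lambda step, alert: True
    deny = lambda step, alert: False      # stands in for "analyst has not clicked yet"

    def broken_notify(alert):
        raise RuntimeError("webhook down")

    a1, a2, a3, a4 = (Alert(f"A-{i}", f"ws0{i}", "203.0.113.9") for i in range(1, 5))
    return {
        "approved": (Playbook(standard_steps(), approve).run(a1), a1.actions),
        "pending": (Playbook(standard_steps(), deny).run(a2), a2.actions),
        "dry_run": (Playbook(standard_steps(), approve, dry_run=True).run(a3), a3.actions),
        "rolled_back": (Playbook(standard_steps(broken_notify), approve).run(a4), a4.actions),
    }


if __name__ == "__main__":
    for name, (audit, actions) in demo().items():
        print(name, audit, actions)
```

The precondition on the isolate step is where the TI enrichment from TOOL-08 earns its place: enrichment is cheap and reversible, so it runs unattended, and the one disruptive action is gated twice, on evidence (the tag) and on a human decision.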