Anaplan

Question 1

What’s your day-to-day in a SOC?

Answer 1

Triage alerts, enrich and investigate, escalate incidents, contain/eradicate threats, coordinate recovery, tune detections, and document lessons learned.

Question 2

How do you triage an alert from the SIEM?

Answer 2

Validate authenticity, check severity/context (asset, user, impact), enrich with threat intel, inspect logs/EDR, determine scope, and escalate per runbook.

Question 3

What’s the first thing you do when an incident is reported?

Answer 3

Confirm and classify the incident, isolate affected assets if needed, gather evidence, and follow the incident response playbook for containment.

Question 4

Explain the NIST incident response phases.

Answer 4

Prepare → Detect & Analyze → Contain → Eradicate → Recover → Post-Incident Activities / Lessons Learned.

Question 5

How do you use MITRE ATT&CK in investigations?

Answer 5

Map observed behaviors to TTPs to understand attacker intent, prioritize detections, inform response actions and build detection coverage.

Question 6

What’s the Cyber Kill Chain?

Answer 6

Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objective. Use to disrupt attacker stages.

Question 7

How would you respond to an EDR alert showing PowerShell spawned from Word?

Answer 7

Quarantine host, capture memory/process dump, collect logs, check parent/child processes, look for persistence, isolate network, and remediate based on findings.

Question 8

What log sources are essential for triage?

Answer 8

Endpoint (EDR), network (firewall, proxy), authentication (AD/Azure AD), application logs, cloud audit logs, email gateway, and SIEM correlation logs.

Question 9

How do you reduce false positives in a SIEM?

Answer 9

Tune rules (thresholds), add context (asset criticality, baselines), implement allowlists, use suppression windows, and validate with historical data.

Question 10

What’s the difference between detection and prevention?

Answer 10

Prevention blocks threats proactively (firewall, DLP, email filtering); detection finds adversary activity that bypassed prevention (SIEM, EDR).

Question 11

Describe containment vs eradication.

Answer 11

Containment limits impact (isolate systems); eradication removes threat artifacts and root cause (remove malware, close vulnerabilities).

Question 12

How do you prioritize alerts?

Answer 12

Use risk factors: asset criticality, scope, impact, exploitability, confidence, and business context—then prioritize response.

Question 13

What’s a playbook and why use one?

Answer 13

A playbook is a documented response process for specific incident types to ensure consistent, rapid, and auditable actions.

Question 14

Give an example of a simple SIEM query for failed logins.

Answer 14

index=auth sourcetype=linux_secure “Failed password” | stats count by src_ip, user (Splunk-style).

Question 15

How do you preserve evidence for forensics?

Answer 15

Isolate system, collect and image disk/memory, capture logs, record chain of custody, avoid altering evidence, and document actions.

Question 16

What is DLP and typical controls?

Answer 16

Data Loss Prevention detects/prevents exfiltration (endpoint agents, email/Gateway DLP, CASB, content discovery and classification).

Question 17

Explain SPF, DKIM, and DMARC.

Answer 17

SPF: sender IP authorization. DKIM: cryptographic signature. DMARC: policy and reporting for SPF/DKIM failures.

Question 18

How would you handle a phishing email reported by a user?

Answer 18

Quarantine message, analyze headers/links/attachments, search for other recipients, block URLs/IOCs, notify impacted users, and log the incident.

Question 19

What’s MTTR and why does it matter?

Answer 19

Mean Time To Respond/Recover — measures SOC effectiveness; lower MTTR reduces impact and risk.

Question 20

How do you use threat intelligence in triage?

Answer 20

Enrich IOCs with sources (VT, AbuseIPDB, OTX), check reputation, prioritize based on matching TTPs, and feed SIEM rules.

Question 21

What are common indicators of exfiltration?

Answer 21

Abnormal outbound traffic, large transfers to unknown IPs, unusual cloud storage usage, and spikes in data access.

Question 22

How do you handle an attacker with valid credentials?

Answer 22

Revoke sessions, reset credentials, investigate origin, search for lateral movement, check MFA, and perform forensic analysis.

Question 23

Describe Zero Trust principles.

Answer 23

Never trust implicitly, verify every request, least privilege access, microsegmentation, continuous authentication and device trust.

Question 24

What is device trust?

Answer 24

Ensuring only managed, healthy devices meeting policy (patching, posture) can access resources.

Question 25

Explain Access Gateways and Isolated Browsers.

Answer 25

Access Gateways broker secure access to apps; Isolated Browsers run browsing off-host to prevent web-based compromise from impacting endpoint.

Question 26

Which automation/scripting skills are useful in SOC?

Answer 26

Python for enrichment/automation, bash/PowerShell for host tasks, and basic API use for integrations.

Question 27

How do you automate enrichment?

Answer 27

Use scripts or SOAR to query VT/AbuseIPDB/Shodan and append results to SIEM/alerts for faster triage.

Question 28

What’s a good incident report structure?

Answer 28

Summary, timeline, scope, impact, root cause, actions taken, evidence, mitigations, and recommendations.

Question 29

How do you measure SOC success?

Answer 29

Metrics: MTTR, detection rate, false positive rate, number of incidents, mean time to contain, and coverage of critical assets.

Question 30

How do you handle stakeholder communication?

Answer 30

Use clear, non-technical summaries for execs; technical status for IT; provide timelines, impact, next steps, and remediation plans.

Question 31

Explain pivot analysis in investigations.

Answer 31

Use an IOC (IP, hash) to pivot across logs/sources to find related hosts, accounts, network flows, and lateral activity.

Question 32

What’s the role of EDR in incident response?

Answer 32

Provides endpoint telemetry, detection, remote response (kill/process, isolate), and forensic artifacts.

Question 33

How do you decide to isolate a host?

Answer 33

Based on impact/risk: active compromise, lateral movement, data exfiltration, or malware persistence that threatens broader environment.

Question 34

How do you test incident playbooks?

Answer 34

Run tabletop exercises, simulated incidents, red team/blue team drills, and post-exercise reviews to refine playbooks.

Question 35

What’s a false positive and how to handle one?

Answer 35

An alert that’s not malicious. Document reason, tune rules, add context, and update detection logic to reduce recurrence.

Question 36

How do you onboard new tooling?

Answer 36

Define requirements, pilot, integrate logs/alerts, create playbooks, train staff, and evaluate performance/ROI.

Question 37

What’s a SIEM correlation rule?

Answer 37

A rule that ties related events (e.g., failed logins + new admin creation) to detect suspicious multi-event patterns.

Question 38

How would you investigate unusual cloud admin activity?

Answer 38

Check CloudTrail/Audit logs, identify origin IP/user, check MFA/device, review recent changes, and rollback or revoke access if needed.

Question 39

What’s least privilege?

Answer 39

Grant users and services only the minimum permissions needed to perform tasks to reduce attack surface.

Question 40

How do you handle on-call rotations and escalations?

Answer 40

Follow escalation matrix, keep runbooks, document handoffs, use paging/SMS, and ensure 24/7 coverage and SLAs.

Question 41

How do you secure SaaS applications?

Answer 41

Enforce SSO/MFA, conditional access, DLP, logging/monitoring, app-level controls, and least privilege for service accounts.

Question 42

What’s the difference between detection engineering and incident response?

Answer 42

Detection engineering builds/optimizes detections; IR triages and responds to incidents those detections produce.

Question 43

How would you escalate a critical incident?

Answer 43

Follow escalation policy: notify incident manager, execs as defined, mobilize IR team, open incident channel, and start communication cadence.

Question 44

What’s an IOC vs TTP?

Answer 44

IOC: observable artefact (IP, hash). TTP: attacker behavior/method (technique or tactic used).

Question 45

How do you handle data privacy during an investigation?

Answer 45

Minimize access, follow data retention/policy, anonymize where possible, and consult legal/privacy teams before exfiltrating PII.

Question 46

Explain role of email security in SOC

Answer 46

Prevents phishing and malware—email gateways, URL detonation, SPF/DKIM/DMARC, and user reporting are key.

Question 47

How do you keep current with adversary TTPs?

Answer 47

Follow TI feeds, vendor blogs, MITRE, community sources, attend conferences, and subscribe to reputable intelligence sources.

Question 48

Give a concise example of an automation you built / would build.

Answer 48

A webhook that ingests IOC, auto-enriches with VT/AbuseIPDB, creates a ticket in Jira/ServiceNow, and notifies Slack if score > threshold.

Question 49

What are common recovery steps after eradication?

Answer 49

Patch systems, rotate credentials, restore from clean backups, validate system integrity, monitor for reoccurrence, and run post-mortem.

Question 50

Why do you want this role at Anaplan?

Answer 50

I want to apply my SOC/IR skills at a SaaS leader protecting high-value customers; I’m excited by their cloud scale and the chance to improve detection and automation while learning their stack.