SOC Flashcards

(103 cards)

1
Q

What does SIEM stand for and what is its primary function?

A

SIEM stands for Security Information and Event Management. It collects, centralizes, and analyzes security event data across an organization in real time, enabling fast detection, investigation, and response to threats.

Source: splunk.com

2
Q

Name common SIEM platforms used in security operations.

A

Common SIEM platforms include:
* Splunk
* IBM QRadar
* Microsoft Sentinel (formerly Azure Sentinel)
* Google Chronicle
* Others

Source: nttdata.jobs

3
Q

What is Splunk used for in a SOC?

A

Splunk is a popular SIEM/log analysis tool that ingests and indexes machine data (logs) from across the network, allowing analysts to search and visualize security events, detect anomalies, and generate alerts.

Source: splunk.com, nttdata.jobs

4
Q

What is IBM QRadar?

A

IBM QRadar is a SIEM solution that collects and correlates logs and network events to identify security incidents by matching patterns across data sources, similar to other SIEMs.

Source: nttdata.jobs

5
Q

What is Microsoft Sentinel?

A

Microsoft Sentinel is a cloud-native SIEM by Microsoft that gathers security data from on-premises and cloud sources and applies analytics to detect threats.

Source: nttdata.jobs

6
Q

What does it mean to ‘normalize logs’ in a SIEM?

A

Normalizing logs means converting log data from different sources into a standard format to ensure uniform fields and structure across diverse log sources, enabling centralized analysis and correlation.

Source: nttdata.jobs

7
Q

Why is TCP/IP network traffic analysis important for SOC analysts?

A

TCP/IP network traffic analysis is crucial because many attacks manifest as unusual patterns in network traffic, and analysts must understand TCP/IP flows to spot intrusion attempts and data exfiltration.

Source: nttdata.jobs

8
Q

Name some SIEM query languages.

A

Common SIEM query languages include:
* Splunk’s SPL (Search Processing Language)
* Azure Sentinel’s KQL (Kusto Query Language)
* IBM QRadar’s AQL (Ariel Query Language)

Source: nttdata.jobs

9
Q

How do SIEM systems support compliance and auditing?

A

SIEMs support compliance and auditing by centralizing log retention and providing built-in reporting dashboards, helping organizations meet audit and compliance requirements.

Source: splunk.com

10
Q

How do SOC analysts use log data to detect incidents?

A

SOC analysts continuously monitor and analyze log data from various sources to identify anomalies, triaging alerts and correlating log events to detect and investigate potential security incidents.

Source: nttdata.jobs

11
Q

What is the MITRE ATT&CK framework?

A

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations, classifying how attackers operate across stages of an intrusion to help SOCs understand and anticipate attacks.

Source: paloaltonetworks.co.uk, en.wikipedia.org

12
Q

In ATT&CK, what do ‘tactics’ and ‘techniques’ mean?

A

‘Tactics’ refer to an adversary’s technical objectives (the ‘why’ of an attack), while ‘techniques’ are specific actions used to achieve those objectives.

Source: en.wikipedia.org

13
Q

How many tactics are in the ATT&CK Enterprise matrix? Name a few.

A

There are 14 tactics in the Enterprise matrix. Examples include:
* Reconnaissance
* Initial Access
* Persistence
* Privilege Escalation
* Defense Evasion
* Credential Access
* Lateral Movement
* Command and Control
* Exfiltration
* Impact

Source: en.wikipedia.org

14
Q

Why do SOC teams use the MITRE ATT&CK framework?

A

SOC teams use ATT&CK to map observed alerts and incidents to known attacker behaviors, helping identify gaps in detection and design defenses aligned with real adversary operations.

Source: paloaltonetworks.co.uk

15
Q

How is ATT&CK different from the Cyber Kill Chain?

A

The Kill Chain describes stages of an attack, while MITRE ATT&CK provides a detailed matrix of tactics and techniques covering all attack phases, especially post-compromise behavior, making it more granular and behavior-focused.

Source: en.wikipedia.org

16
Q

Give an example of a MITRE ATT&CK tactic and a technique under it.

A

An example is ‘Privilege Escalation’ as a tactic and ‘Credential Dumping’ as a technique, which involves extracting credentials to gain higher access.

Source: en.wikipedia.org

17
Q

What is the ‘Initial Access’ tactic in MITRE ATT&CK?

A

‘Initial Access’ covers techniques used to gain an initial foothold in a network, such as phishing or exploiting a public-facing application.

Source: en.wikipedia.org

18
Q

What is the ‘Lateral Movement’ tactic in MITRE ATT&CK?

A

‘Lateral Movement’ refers to techniques adversaries use to move within a network after initial compromise, like using stolen credentials to log into other systems.

Source: en.wikipedia.org

19
Q

What is threat intelligence?

A

Threat intelligence is evidence-based knowledge about cyber threats and adversaries, including context, tools, and behavior, used to turn threat data into actionable insights for security decisions.

Source: crowdstrike.com, socprime.com

20
Q

What are Indicators of Compromise (IOCs)?

A

IOCs are forensic artifacts that signal a breach, such as known malicious IP addresses, domain names, URLs, or file hashes, used by SOCs to detect and block known threats quickly.

Source: crowdstrike.com

21
Q

How do SOC analysts use threat intelligence?

A

SOC analysts integrate intel feeds (IOCs, TTPs) into monitoring tools, enriching SIEM alerts with IOCs to confirm incidents or update rules, often collaborating with threat intel teams to improve detection logic.

Source: nttdata.jobs, crowdstrike.com

22
Q

What’s the difference between tactical and strategic threat intelligence?

A

Tactical intel focuses on immediate technical details for active defenses, while strategic intel provides high-level insights to inform long-term strategy.

Source: crowdstrike.com

23
Q

What is a threat intelligence feed?

A

A threat intelligence feed is an automated stream of threat data, usually IOCs like malicious IPs or file hashes, that SOC tools ingest to update blocklists and detection rules in near real time.

Source: crowdstrike.com

24
Q

What is threat hunting?

A

Threat hunting is the proactive search for hidden threats in the environment, where analysts use threat intelligence and hypotheses to comb through logs and identify malicious activity that automated systems may have missed.

Source: nttdata.jobs, crowdstrike.com

25
Q

How does threat intelligence enable proactive defense?

A

Threat intelligence allows SOCs to anticipate attacks by providing advance warning and context about known attacker TTPs, enabling proactive adjustments to monitoring and controls.

Source: crowdstrike.com

26
Q

What is Gartner’s definition of threat intelligence?

A

Gartner defines threat intelligence as 'evidence-based knowledge about threats,' which includes context and recommendations, not just raw data.

Source: socprime.com

27
Q

How is threat intelligence used during incident response?

A

Threat intelligence is used to contextualize incidents, matching them to known attacker campaigns or IOCs to prioritize response actions.

Source: crowdstrike.com

28
Q

What is the first step when a SOC analyst sees an alert?

A

The analyst triages the alert, quickly assessing its context and severity to determine if it’s a false positive or a real incident.

Source: nttdata.jobs

29
Q

What are the four main phases of NIST’s Incident Response lifecycle?

A

The four main phases are:
* Preparation
* Detection and Analysis
* Containment, Eradication, and Recovery
* Post-Incident Activity (lessons learned)

Source: cynet.com

30
Q

What happens during 'Containment' in incident response?

A

Containment involves isolating the threat to prevent further damage, followed by eradication and recovery.

Source: cynet.com

31
Q

What is a SOC playbook/runbook?

A

A playbook is a documented procedure for a specific incident type, used by SOC teams to ensure consistent, automated responses.

Source: nttdata.jobs

32
Q

Why is incident documentation important?

A

Incident documentation is critical for communication during post-incident review and compliance, requiring detailed reports on what happened and response steps taken.

Source: nttdata.jobs

33
Q

What role does the SIEM play in incident response?

A

The SIEM is the central monitoring tool that collects alerts and logs during an incident, aiding analysts in investigating events and timelines.

Source: nttdata.jobs

34
Q

What is 'eradication' in incident response?

A

Eradication is the process of removing the root cause of an incident, such as deleting malware or closing exploited vulnerabilities, after containment.

Source: cynet.com

35
Q

What does 'lessons learned' involve after an incident?

A

'Lessons learned' is the post-incident review phase where the SOC evaluates the incident and response effectiveness, updating processes for future improvement.

Source: cynet.com

36
Q

Why is Python knowledge useful for SOC analysts?

A

Python is widely used to automate tasks in SOCs, allowing analysts to write scripts for log parsing, querying security APIs, and automating routine steps.

Source: nttdata.jobs

37
Q

Which scripting languages are common in SOC roles?

A

Common scripting languages include:
* Python
* PowerShell

Source: nttdata.jobs

38
Q

What is a SOAR platform?

A

SOAR stands for Security Orchestration, Automation, and Response, and it orchestrates and automates security workflows, integrating playbooks into SOC tools for automatic responses to alerts.

Source: nttdata.jobs

39
Q

Give an example of a task a SOC analyst might automate.

A

An example task is scripting the automatic enrichment of alerts with threat intel, such as pulling WHOIS data for an IP.

Source: nttdata.jobs

40
Q

Why should a SOC analyst know multiple operating systems?

A

Knowledge of multiple operating systems is essential because threats can target any OS, and each system has different logs and tools for investigation.

Source: nttdata.jobs

41
Q

Why is Linux knowledge valuable for SOC analysts?

A

Linux knowledge is valuable because many servers and security tools run on Linux, requiring analysts to navigate Linux file systems and log files during investigations.

Source: nttdata.jobs

42
Q

Why is Windows security knowledge important for SOC analysts?

A

Windows security knowledge is crucial as Windows is common in enterprises, and analysts need to understand Windows Event Logs and common Windows attacks.

Source: nttdata.jobs

43
Q

What is malware?

A

Malware is malicious software designed to harm or exploit systems, including viruses, worms, Trojans, spyware, etc.

Source: bluevoyant.com

44
Q

What is ransomware?

A

Ransomware is a type of malware that encrypts a victim’s files or systems and demands payment for decryption, making it highly disruptive.

Source: fortinet.com

45
Q

What is a phishing attack?

A

Phishing is when attackers send fraudulent messages pretending to be trusted sources to trick victims into giving up credentials or installing malware.

Source: prospects.ac.uk

46
Q

What is a Distributed Denial-of-Service (DDoS) attack?

A

A DDoS attack uses many compromised machines to flood a target’s network or servers with traffic, overwhelming resources and denying service to legitimate users.

Source: fortinet.com

47
Q

What is an SQL Injection attack?

A

SQL injection is a web attack where an adversary inserts malicious SQL commands into input fields of a database-driven application, potentially allowing data manipulation.

Source: fortinet.com

48
Q

What is Cross-Site Scripting (XSS)?

A

XSS is a web attack where malicious scripts are injected into web pages, executing in the user's browser to steal cookies or redirect to malicious sites.

Source: fortinet.com

49
Q

What does the 'principle of least privilege' mean?

A

The principle of least privilege means granting users and processes only the minimal access necessary to perform their tasks, limiting potential damage from compromised credentials.

Source: fortinet.com

50
Q

What is pharming?

A

Pharming is an attack that redirects users from legitimate websites to fraudulent ones, often by manipulating DNS settings.

Source: prospects.ac.uk

51
Q

What is a firewall?

A

A firewall is a network security device that filters incoming and outgoing traffic based on predefined rules, blocking unauthorized connections.

Source: paloaltonetworks.com

52
Q

How does a VPN enhance security?

A

A VPN encrypts data between a user and the destination, creating a secure tunnel over the public internet to prevent eavesdropping and attacks.

Source: fortinet.com

53
Q

What is an Intrusion Detection System (IDS)?

A

An IDS is a passive security tool that monitors network or system traffic for suspicious activity, alerting administrators without blocking traffic.

Source: paloaltonetworks.com

54
Q

What is an Intrusion Prevention System (IPS)?

A

An IPS actively detects and blocks threats in real time by being placed inline with network traffic, unlike an IDS which only alerts administrators.

Source: paloaltonetworks.com

55
Q

What security frameworks should SOC analysts know?

A

Examples of security frameworks include:
* ISO/IEC 27001
* NIST Cybersecurity Framework
* Cyber Essentials
* SOC-2

Source: nttdata.jobs

56
Q

What is an Intrusion Prevention System (IPS)?

A

An IPS is placed inline with network traffic to detect and actively block threats in real time.

57
Q

What security frameworks should SOC analysts know?

A

* ISO/IEC 27001
* NIST Cybersecurity Framework
* Cyber Essentials
* SOC-2

58
Q

What is ISO/IEC 27001?

A

ISO 27001 is an international standard defining requirements for an Information Security Management System (ISMS).

59
Q

What is the NIST Cybersecurity Framework (CSF)?

A

NIST CSF is a set of best practices for managing cybersecurity risk, organized into core functions: Identify, Protect, Detect, Respond, Recover.

60
Q

What is Cyber Essentials?

A

Cyber Essentials is a UK government-backed scheme outlining basic security controls to protect an organization.

61
Q

Why do SOC roles mention standards like NIST and ISO 27001?

A

These frameworks codify industry best practices for security and incident response.

62
Q

What certifications are valuable for SOC analysts?

A

* CompTIA Security+
* GIAC GSEC
* ISC2 (CISSP)
* Microsoft SC-200
* Certified SOC Analyst (CSA)

63
Q

Why do many SOC jobs require shift work?

A

Because SOCs must operate 24/7.

64
Q

What soft skills do SOC employers emphasize?

A

* Strong verbal and written communication
* Analytical thinking
* Teamwork

65
Q

What is vulnerability scanning?

A

It’s the process of using tools to identify known security weaknesses in systems.

66
Q

What should SOC analysts recognize in system logs?

A

They should spot potential intrusion attempts and system compromises.

67
Q

What experience level is typically expected for a Tier-2 SOC analyst?

A

Around 3–5 years in IT security, ideally with previous SOC or NOC experience.

68
Q

What certifications do Tier-2 SOC listings mention?

A

* GIAC certifications
* ISC2 certs (like CISSP)
* Microsoft SC-200

69
Q

Why is problem-solving ability important for SOC work?

A

Analysts must analyze complex alerts and logs to find root causes.

70
Q

Why is teamwork important in a SOC?

A

Analysts work closely with IT and incident response teams.

71
Q

What does knowing 'Incident Response approaches' mean?

A

It means being familiar with structured IR methodologies.

72
Q

Why are forensic skills mentioned for SOC analysts?

A

Post-incident forensics helps determine attack details.

73
Q

What is the relevance of reverse engineering in SOC?

A

Reverse engineering malware helps analysts understand how attacks work.

74
Q

Why is ITIL knowledge mentioned in SOC jobs?

A

ITIL covers best practices for incident, problem, and change management.

75
Q

Why is cloud platform experience relevant to SOC roles?

A

As many services run in AWS or Azure, analysts must secure and monitor cloud environments.

76
Q

Why might a SOC analyst need Microsoft Office skills?

A

SOC analysts often use Excel and Word for reporting and analyzing data.

77
Q

How much IT security experience do mid-level SOC jobs ask for?

A

Tier-2 positions often require several years (3–5) of security experience.

78
Q

What do Tier-2 SOC job ads say about certifications?

A

They list certs like GIAC, ISC2 (CISSP), and SC-200.

79
Q

What does 'Willingness to work 24/7/on-call' imply for SOC roles?

A

It means analysts must be prepared for round-the-clock duty.

80
Q

What is Data Loss Prevention (DLP)?

A

DLP is a set of tools that monitor and block the unauthorized transfer of sensitive data outside the network.

81
Q

What is SOC-2 and why might a SOC analyst know it?

A

SOC-2 is a compliance standard for service organizations covering security, availability, and confidentiality.

82
Q

Why is log analysis a key SOC skill?

A

Reviewing system and network logs enables analysts to detect anomalies and breaches.

83
Q

How does threat analysis help SOC analysts?

A

Analysts analyze known threats and vulnerabilities and leverage threat intelligence to anticipate new attacks.

84
Q

What incident response tasks are SOC analysts responsible for?

A

* Investigating alerts
* Identifying threats
* Taking containment/remediation actions

85
Q

Why is incident documentation important for SOCs?

A

Keeping detailed records of incidents and resolutions is crucial for tracking security posture.

86
Q

How much experience do entry-level SOC analysts usually have?

A

Typically 1–3 years in cybersecurity or IT.

87
Q

What additional certifications can benefit a SOC analyst?

A

* CISSP
* CEH
* CSA
* GIAC GSEC

88
Q

What technical skills are highlighted for SOC analysts?

A

* Proficiency with security tools (SIEM, IDS/IPS, EDR)
* Network and system administration
* Scripting

89
Q

What is the role of 'threat hunting' mentioned in SOC jobs?

A

Threat hunting is actively searching for threats that evade automated detection.

90
Q

How does the SOC use playbooks with SOAR tools?

A

SOCs integrate playbooks into SOAR platforms to automate response procedures.

91
Q

What is the difference between an alert and an incident in SOC terms?

A

An alert is a notification of a potential issue; an incident is a confirmed security event requiring response.

92
Q

What is the 'Cyber Kill Chain' and how does it relate to MITRE ATT&CK?

A

The Cyber Kill Chain outlines attack stages; MITRE ATT&CK details specific techniques at each stage.

93
Q

What is the importance of communication in a SOC?

A

Analysts must write reports and explain issues to both technical and non-technical stakeholders.

94
Q

What does 'monitor, triage, and analyze alerts' involve?

A

It means continuously watching security alerts, deciding which are highest priority, and digging into them.

95
Q

What role do security policies play in SOC operations?

A

Policies guide SOC operations, including incident handling rules.

96
Q

What is the significance of the SOC’s 4-on/4-off shift pattern?

A

This rotation ensures 24/7 coverage: 4 consecutive workdays followed by 4 days off.

97
Q

What does 'vulnerability management' entail in a SOC context?

A

Identifying, ranking, and patching or mitigating vulnerabilities.

98
Q

Why do SOC job descriptions mention 'monitor and triage alerts'?

A

Analysts must continuously filter through alert noise to focus on true threats.

99
Q

What is a 'Security Operations Center' (SOC)?

A

The SOC is a centralized team and facility that monitors, detects, and responds to security incidents.

100
Q

Why are certifications like CompTIA Security+ and CSA mentioned for SOC analysts?

A

These certifications validate foundational cybersecurity knowledge and SOC-specific skills.

101
Q

What is 'threat intelligence enrichment'?

A

It's the process of adding context to alerts by looking up related threat data.

102
Q

What are key components of effective SOC documentation?

A

* What happened
* Who was involved
* How it was handled
* Recommendations

103