Log Analysis and Threat Hunting in Security Data Questions
Understand how to analyze security logs to identify suspicious activity. Know what different types of logs show (firewall, proxy, DNS, endpoint, application). Be able to correlate logs from multiple sources to trace attacker activity. Discuss threat hunting methodologies and how analysts proactively search for unknown threats in data.
MediumTechnical
100 practiced
You find a base64-encoded PowerShell string in a proxy query parameter. Describe step-by-step how you would safely decode and analyze it, including safe analysis environment setup, static analysis steps, behavioral checks, and ways to hunt for other hosts exhibiting the same payload or command patterns.
HardTechnical
87 practiced
Write a complex Splunk SPL or Elasticsearch query (describe in pseudo-query form) that correlates DNS logs, proxy logs, and process telemetry to identify hosts that resolved untrusted domains, then within 5 minutes made an HTTP POST uploading more than 1MB of data to an external IP. Explain how you would structure the joins/transactions and the performance considerations for running this query at scale.
HardSystem Design
92 practiced
Design a testing framework that continuously validates SIEM detections and hunting queries against realistic adversary behavior. Explain how you would map ATT&CK techniques to tests, generate telemetry safely (using tools like Atomic Red Team, Caldera), run tests in non-production or controlled environments, and integrate results into CI/CD pipelines for detection rules and playbooks.
MediumTechnical
75 practiced
Explain how Windows Sysmon and Linux auditd can be used to detect obfuscated PowerShell execution and suspicious binary launches. For each platform, list the specific event types/IDs and fields you would monitor, and propose 2-3 analytic rules (pseudo-SPL or plain-English) that would flag suspicious behavior.
MediumTechnical
96 practiced
You observe many clients resolving an unusual domain and subsequently making web requests to a small set of IPs that appear in a threat-intel feed. Describe step-by-step how you would correlate DNS logs, proxy logs, and endpoint telemetry to determine scope, pivot to affected hosts, and decide on escalation. Include what timestamps, fields, and joins you would perform.
Unlock Full Question Bank
Get access to hundreds of Log Analysis and Threat Hunting in Security Data interview questions and detailed answers.
Sign in to ContinueJoin thousands of developers preparing for their dream job.