Security Incident Response Questions
Security incident response (SOC/CSIRT handling of breaches, intrusions, and malicious activity): detection via SIEM/EDR/IDS telemetry, containment to limit blast radius from an adversary, eradication of malware or unauthorized access, evidence preservation and chain of custody for legal proceedings, and post-incident review of security controls. Grounded in frameworks like NIST SP 800-61.
MediumTechnical
29 practiced
Create a concise runbook for responding to a suspected targeted phishing compromise of a mailbox. The runbook should include detection and validation steps, containment actions (mailbox isolation and removal of malicious items), credential remediation, mailbox forensic artifacts to collect, communication templates for the user and manager, and a brief plan to scale the process if 500 users report similar emails within one hour.
MediumTechnical
37 practiced
Write a Python function parse_log_line(line: str) -> dict that attempts to parse either a syslog line or a CSV-formatted Windows Event Log export line and returns normalized fields: timestamp (UTC ISO8601), hostname, event_type, username, source_ip, raw_message. The function should try multiple timestamp formats, handle missing fields gracefully, and return None for completely unparsable lines. Include short comments about error handling.
EasyTechnical
52 practiced
List and briefly describe at least eight common detection sources an analyst relies on to identify incidents (for example SIEM alerts, EDR telemetry, firewall logs, DNS logs, proxy logs, cloud audit logs, email gateway logs, and user reports). For each source state one strength, one limitation, and one example of an indicator it would show.
HardTechnical
37 practiced
You suspect a Golden Ticket compromise in Active Directory, where forged KRBTGT tickets granted persistent domain access. Outline a remediation plan including detection and validation steps, containment (domain controller isolation strategy), eradication such as KRBTGT account resets and password-change strategy across the domain, replication considerations, restoring trust, validation checks to confirm cleanliness, and coordination with application owners to manage service impact.
MediumTechnical
37 practiced
Compare Windows memory acquisition and disk imaging in incident response. Describe what evidence each preserves (for example in-memory credentials, decrypted payloads, network connections versus persistent files and log artifacts), typical tools you would use, recommended order of collection, risks of live collection, and scenarios where memory acquisition is essential even though it complicates forensics.
Unlock Full Question Bank
Get access to hundreds of Security Incident Response interview questions and detailed answers.
Sign in to ContinueJoin thousands of developers preparing for their dream job.