Security Monitoring Tools and SIEM Basics Questions
Understand what SIEM (Security Information and Event Management) systems do: collect, correlate, and analyze security logs from multiple sources. Understand basic intrusion detection concepts (HIDS vs NIDS), how security analysts use these tools to detect threats, and common SIEM platforms used in industry.
MediumTechnical
57 practiced
Compare and contrast EDR (Endpoint Detection and Response), SIEM, and NDR (Network Detection and Response). For each, explain the primary telemetry consumed, detection strengths, typical response capabilities, and an example detection scenario where one would succeed and another might fail.
Sample Answer
**Overview — quick distinction**- EDR: endpoint-centric; deep host telemetry and control.- SIEM: aggregator/correlation platform; collects across stack.- NDR: network-centric; inspects traffic/flows for lateral and C2.**Primary telemetry**- EDR: process events, file hashes, registry, shell commands, API calls.- SIEM: logs from endpoints, network devices, apps, cloud, identity systems.- NDR: packet captures, NetFlow, TLS metadata, DNS, Zeek logs.**Detection strengths**- EDR: precise host behavior, ransomware, living-off-the-land, post-exploit forensics.- SIEM: cross-domain correlation, long-term hunting, compliance/context enrichment.- NDR: detecting covert C2, lateral movement, blind-malware that avoids host agents.**Typical response capabilities**- EDR: isolate host, kill processes, rollback files, collect forensic artifacts.- SIEM: orchestrate playbooks, trigger alerts to SOAR, enrich context; limited direct controls.- NDR: block IPs at network layer, drop sessions, segment traffic via integrations.**Example scenarios**- Fileless PowerShell loader: EDR succeeds (process/command lineage); NDR may miss if encrypted; SIEM only if logs correlated.- Encrypted C2 over HTTP/443 using legitimate binaries: NDR detects unusual flow patterns and beaconing; EDR might miss if binaries are signed and benign; SIEM can flag if combined with failed auth events.- Insider using legitimate admin tools to exfiltrate via cloud storage: SIEM (log correlation) + EDR (file access anomalies) together catch it; NDR could fail if traffic is TLS to cloud and looks normal.My approach as an analyst is to use these tools complementarily: trust EDR for host proof, NDR for network-level anomalies, and SIEM to tie timelines and drive investigations.
HardTechnical
65 practiced
Create a normalized field mapping for the following Windows events to support lateral movement detection: 4624 (logon success), 4625 (logon failure), 4688 (process creation), and 5140 (network share accessed). For each event type, list the normalized fields you would populate (e.g., timestamp, host, user, src_ip, dst_ip, process_name, cmdline, share_name, auth_type) and briefly justify why each field is required for correlation.
Sample Answer
**Brief approach**I map each Windows event to a common normalized schema used for lateral-movement correlation (time-series joins, user/host pivots, process/credential chains). For each event I list fields and a short justification.**Common/base fields (always populated)**- timestamp — event ordering, sequence analysis- host.hostname / host.ip — target host for pivoting and scope- host.domain — AD domain for cross-domain detection- event_id — event type for logic- raw_record_id / log_source — audit traceability**4624 (Logon Success)**- user.name — account that logged on (detect reused credentials)- user.sid — canonical identity- src_ip — source machine or credential origin (pivot detection)- src_host — source hostname if available (RDP/SMB origin)- logon_type — interactive/remote/batch (distinguish lateral types)- auth_package / auth_type — NTLM/Kerberos (credential theft indicators)- session_id — correlate session to subsequent actionsJustification: links credentials to host/activity and distinguishes interactive vs network logons.**4625 (Logon Failure)**- user.name, user.sid — targeted account- src_ip, src_host — attacker origin- failure_reason / status — brute-force vs wrong domain- logon_type — helps detect password spraying / lateral reconJustification: failure patterns precede successful lateral movement.**4688 (Process Creation)**- timestamp, host.*, user.name (process owner)- process.name, process.path — identify attackers’ tooling (e.g., psexec)- process.cmdline — command and arguments for lateral tools- parent.process.name / parent.process.pid — execution chain- process.pid — correlate to session/process lifecycle- network.dst_ip or network.dst_port (if created network connections logged)Justification: shows execution of lateral tools, credential abuse, and command chains.**5140 (Network Share Accessed)**- timestamp, host.* (server), src_host (client) — source-target mapping- user.name — account accessing share- share.name — target resource (admin$ / C$ suspicious)- access_type / permissions — read/write for data transfer vs enumeration- session_id / connection_id — correlate to SMB session and logonJustification: SMB access often used for lateral movement (tools, credential dumping, lateral file staging).I would normalize types (IP, username canonicalization, timestamps to UTC) and enrich (DNS reverse, AD group lookup) to improve correlation quality.
HardTechnical
57 practiced
A SIEM alert indicates possible lateral movement. Explain a forensics-first response plan that preserves evidence and supports legal chain-of-custody. Include volatile data collection (memory, network connections), disk imaging, snapshotting cloud VMs, log preservation, integrity verification (hashing), and coordination with legal and operations to avoid contaminating or losing evidence.
Sample Answer
**Overview / Objectives**I would execute a forensics-first response to preserve volatile evidence, maintain integrity, and enable legal action while minimizing service disruption.**Immediate actions (first 0–15 min)**- Triage SIEM telemetry to identify affected hosts, user sessions, and unusual lateral patterns.- Notify Legal/Security Leadership and Ops: declare potential incident and request preservation hold.- Isolate affected systems on the network (segmentation or switch-port isolation) — avoid powering off.**Volatile data collection (live) — preserve first**- Use trusted forensic workstation and write-protected media. Collect in this order: 1. System time and sync status, screenshot console/logon. 2. Memory dump (e.g., Belkasoft/FTK/WinPMEM) — captures running malware, credentials. 3. Active network connections and ARP table (netstat/ss, arp -a), routing table. 4. Running processes, loaded modules, scheduled tasks, open files (tasklist/ps, lsof). 5. Collect relevant EDR telemetry and pull centralized logs.- Record tool versions, command parameters, operator, timestamps on chain-of-custody form.**Disk imaging & storage**- After volatile capture, image disks using a hardware write-blocker and tools like FTK Imager or dd (forensically appropriate).- Create full bit-for-bit images and hashes (SHA-256) for original disk and image file.- Retain original media in secure evidence locker; log custody transfers.**Cloud VMs / Snapshots**- For cloud hosts, snapshot VM disk state and capture instance metadata and serial console output.- Also capture memory where provider supports (e.g., AWS Nitro snapshot, Azure memory dump) or perform live memory dump within VM to secure storage.- Export snapshots to a dedicated secure account/bucket with restricted IAM and enable object immutability if available.**Log preservation**- Pull SIEM, host, authentication, AD, DHCP, proxy, and firewall logs. Preserve originals; export with timestamps and system IDs.- Configure WORM/immutable storage or legal hold for log buckets.**Integrity verification**- Compute SHA-256 (and optionally MD5) hashes for all collected artifacts: memory dumps, disk images, snapshots, logs.- Record hashes on chain-of-custody; verify after transfers and before analysis.**Chain-of-Custody & Documentation**- Maintain signed chain-of-custody for each artifact: collector, date/time, actions, media IDs.- Use centralized incident ticket with audit trail; capture screenshots and video of collection steps when permissible.**Coordination with Legal & Operations**- Legal defines preservation scope and guidance for interviews/notifications.- Ops assists with isolation, snapshots, and service continuity plans; agree on rollback vs quarantine.- If containment requires reimaging, ensure images and logs are complete and hashed before any remediation.**Analysis & Handover**- Work with DFIR/Threat Intel team for deep analysis using copies of evidence (never analyze originals).- Provide summary findings and preserve evidence for potential prosecution.**Key trade-offs / considerations**- Live collection risks altering memory/disk; minimize footprint and document every command.- Business impact: prefer network isolation over shutdown to preserve evidence while limiting disruption.This approach preserves volatile and persistent evidence, ensures integrity via hashing and documented custody, and coordinates legal/ops to avoid contamination or loss.
EasyTechnical
99 practiced
List the most common commercial and open-source SIEM platforms used in industry (for example: Splunk, IBM QRadar, Elastic Security, Micro Focus ArcSight, Sumo Logic, Google Chronicle). For each platform, name one key differentiator (e.g., cloud-native ingestion, analytics capabilities, licensing model) and a typical organization size or use-case that prefers it.
Sample Answer
**Overview**Below are common commercial and open-source SIEMs, each with one key differentiator and the typical organization size/use-case that prefers it.- Splunk - Differentiator: Powerful search + mature analytics and app ecosystem (Enterprise Security). - Typical use-case: Large enterprises or SOCs needing customizable analytics, rich dashboards, and wide third‑party integrations.- IBM QRadar - Differentiator: Built‑in correlation rules and asset/contextual risk scoring. - Typical use-case: Mid‑to‑large regulated orgs (finance, telecom) that need strong out‑of‑the‑box correlation and compliance reporting.- Elastic Security (ELK) - Differentiator: Open-source stack with flexible, fast ingestion and host-based EDR integrations. - Typical use-case: Organizations with in‑house dev/ops teams wanting cost‑effective, customizable detection.- Micro Focus ArcSight - Differentiator: High‑volume event normalization and mature correlation engine. - Typical use-case: Very large enterprises with complex legacy environments and high event throughput.- Sumo Logic - Differentiator: Cloud‑native log analytics and simple SaaS scaling/pricing. - Typical use-case: Cloud-first companies and dev teams that want managed SIEM without heavy ops burden.- Google Chronicle - Differentiator: Massive cloud scale with long‑term, low‑cost telemetry retention and fast search. - Typical use-case: Organizations needing global telemetry retention and threat hunting at scale.- OSS options (Wazuh, OSS Elastic, Splunk Free) - Differentiator: Low/no licensing cost and community-driven integrations. - Typical use-case: Small orgs, startups, or teams that can manage open‑source tooling and customization.Each choice balances cost, scalability, detection maturity, and operational overhead — pick based on SOC size, compliance needs, and in‑house engineering capability.
HardTechnical
71 practiced
Describe a process to identify, quantify, and remediate SIEM blind spots (logging gaps) that attackers could exploit, such as missing EDR on servers, absent DNS logs, or uninstrumented cloud services. Include discovery techniques, building a coverage matrix, automated logging tests, red-team validation, and a remediation prioritization framework.
Sample Answer
**Framework / Approach**I’d treat this as a four-phase program: Discovery → Quantify (coverage matrix + tests) → Validate (red-team) → Remediate & Prioritize.**Discovery techniques**- Inventory: use CMDB, cloud APIs (AWS/GCP/Azure), EDR management console, network scans, AD queries to enumerate assets and services.- Log pipeline check: validate agents, syslog, cloud-native logs (CloudWatch/Audit Logs), and network taps.- Passive detection: compare observed flows (NetFlow/PCAP) to asset list to find uninstrumented segments.**Build a coverage matrix**- Columns: asset, role, owner, logging types (EDR, process, DNS, auth, cloud audit), ingestion status, retention, parsing quality, alerting.- Score each cell (0–3) and compute risk-weighted coverage (asset criticality × gap score).**Automated logging tests**- Synthetic events: ship known IOCs, TTPs, and telemetry (e.g., simulate DNS exfil, Windows Event IDs) via a logging harness.- Continuous validation: CI pipeline checks agent heartbeat, schema conformity, and rule firing.- Alerting on test failures into ticketing/SOAR.**Red-team validation**- Execute low-risk emulation of attacker techniques mapped to gaps (e.g., disable EDR, use cloud metadata access).- Measure detection latency, telemetry fidelity, and blind-spot exploitation success; capture evidence for owners.**Remediation & prioritization**- Prioritize by risk = likelihood × impact (business-criticality, exposure, exploitable gap). Quick wins: deploy missing agents, enable cloud audit trails, forward DNS logs.- Medium: parsing rules, retention changes, use of sensors (TLS decrypt, network taps).- Long-term: SIEM use-case backlog, automation playbooks, owner SLA, and quarterly reassessments.**Outcome / Metrics**- Track mean time to detect, percent of critical assets with full telemetry, and reduction in exploitable gaps over time.
Unlock Full Question Bank
Get access to hundreds of Security Monitoring Tools and SIEM Basics interview questions and detailed answers.