Security Monitoring and Threat Detection Questions
Covers the principles and practical design of security monitoring, logging, and threat detection across environments, including cloud-scale infrastructure. Topics include data collection strategies, centralized logging and storage, security information and event management (SIEM) architecture, pipeline and ingestion design for high-volume and high-velocity data, retention and indexing trade-offs, observability and telemetry sources, and alerting and tuning to reduce noise. Detection techniques include signature-based detection, anomaly detection, indicators of compromise, behavioral detection, correlation rules, and threat intelligence integration. Also covers evaluation metrics such as false positives and false negatives, detection coverage and lead time, incident escalation, playbook integration with incident response, automation and orchestration for investigation and remediation, and operational concerns such as scalability, cost, reliability, and privacy or compliance constraints.
Hard | System Design
56 practiced
Design an end-to-end security monitoring platform for a multi-cloud enterprise with 10 million hosts (including ephemeral containers) and an ingestion rate of 100 billion events per day. Requirements: real-time detection for high-risk alerts (sub-second when possible), support for offline ML training at petabyte scale, searchable indices for a 90-day hot window, a long-term archive for 3 years, multi-tenant isolation, data governance and GDPR compliance, cost optimization, and high reliability. Describe the major components, data flows, storage tiers, model lifecycle (training, validation, deployment, rollback), monitoring/SLAs, and approaches to keep costs manageable.
Medium | Technical
86 practiced
Scenario: Your organization must collect security logs while complying with GDPR. For each of the following, describe concrete steps you would take: (1) logging web requests that may contain PII in headers or body, (2) storing logs that contain user identifiers, (3) supporting a right-to-be-forgotten request that affects analytics and model training. Explain techniques for pseudonymization, hashing/salting, data minimization, access controls, and how to maintain ML utility.
Medium | Technical
54 practiced
Scenario: You observe a potential lateral movement campaign in logs: multiple authentication successes across hosts by the same user, subsequent unusual process creations, and new service installations. Describe how you would correlate authentication, process, and network logs to detect this campaign. Provide an example correlation rule or graph query (pseudocode or SQL-like) and discuss heuristics for time windows, identity mapping, and enrichment data you would use to increase confidence.
Medium | Technical
67 practiced
Write a Python function compute_time_window_metrics(events, window='1D') that, given a list of prediction records with fields {'ts': ISO timestamp, 'label': 0/1 or None, 'score': float, 'predicted': 0/1}, computes per-window confusion matrix entries (TP, FP, TN, FN), precision, recall, and F1. Assume events may be sparse and some windows may lack labels; describe how you handle unlabeled data when reporting metrics, and include a small example input and output.
Hard | Technical
45 practiced
Case study: You are given a breach timeline showing a suspicious admin login, a sequence of privileged commands on a host, and rapid outbound data transfers. Design a SOAR playbook that automates containment and investigation using ML detections as triggers. Specify the triggers (which detectors and thresholds), enrichment steps (asset owner, vulnerability history, WHOIS, geolocation), automated containment actions (network block, disable credential, snapshot VM), human-in-the-loop checks, escalation criteria, and rollback procedures. Discuss the safety checks that prevent disruptive remediation on false positives.