InterviewStack.io

Security Monitoring and Threat Detection Questions

Covers the principles and practical design of security monitoring, logging, and threat detection across environments, including cloud-scale infrastructure. Topics include data collection strategies, centralized logging and storage, security information and event management (SIEM) architecture, pipeline and ingestion design for high-volume, high-velocity data, retention and indexing trade-offs, observability and telemetry sources, and alerting and tuning to reduce noise. Detection techniques include signature-based detection, anomaly detection, indicators of compromise, behavioral detection, correlation rules, and threat intelligence integration. Also covers evaluation metrics such as false positives and false negatives, detection coverage and lead time, incident escalation, playbook integration with incident response, automation and orchestration for investigation and remediation, and operational concerns such as scalability, cost, reliability, and privacy or compliance constraints.

Medium | Technical | 82 practiced
Implement in Python a streaming-friendly function rolling_zscore(points, window_size, z_threshold) where points is an iterable of (timestamp, value) in time order. The function should compute a rolling z-score using the last window_size observations and yield (timestamp, value, z_score) for points where abs(z_score) >= z_threshold. Use an online mean/variance update (e.g., Welford) to avoid recomputing from scratch and mention numeric stability considerations.
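A reference implementation of the function this question asks for, added here as a worked example (it is not InterviewStack.io's model answer). Each point is scored against the trailing window of previous observations before it enters the window; the window is filled with Welford's increment and then slid with the replace-one-value update, so no per-point rescan of the window is needed. The `min_periods` and `recompute_every` parameters and the sample series are additions for illustration.

```python
"""Streaming rolling z-score with an online (Welford-style) mean/variance update."""
import math
from collections import deque


def rolling_zscore(points, window_size, z_threshold, min_periods=None, recompute_every=10_000):
    """Yield (timestamp, value, z) for points whose |z| against the trailing
    window of *previous* observations reaches z_threshold.

    points          iterable of (timestamp, value) in time order, consumed lazily
    window_size     number of previous observations that form the baseline
    min_periods     observations required before scoring starts (default: full window)
    recompute_every every N updates, rebuild mean/M2 exactly to purge rounding drift
    """
    if window_size < 2:
        raise ValueError("window_size must be at least 2")
    min_periods = min(window_size, max(2, min_periods or window_size))
    window = deque()             # values currently in the baseline
    n, mean, m2 = 0, 0.0, 0.0    # count, running mean, sum of squared deviations
    updates = 0

    for ts, value in points:
        x = float(value)

        # 1. Score x against the baseline BEFORE it enters the window, so an
        #    anomaly cannot inflate the variance it is judged against.
        if n >= min_periods:
            variance = m2 / (n - 1)               # unbiased sample variance
            std = math.sqrt(variance) if variance > 0.0 else 0.0
            if std > 0.0:
                z = (x - mean) / std
            else:
                # Constant baseline: any deviation is infinitely surprising.
                z = 0.0 if x == mean else math.copysign(math.inf, x - mean)
            if abs(z) >= z_threshold:
                yield (ts, value, z)

        # 2. Update the baseline in O(1) without touching the stored values.
        if n < window_size:
            window.append(x)                      # warm-up: Welford increment
            n += 1
            delta = x - mean
            mean += delta / n
            m2 += delta * (x - mean)
        else:
            old = window.popleft()                # full: replace oldest with x
            window.append(x)
            delta = x - old
            new_mean = mean + delta / n
            m2 += delta * (x - new_mean + old - mean)
            mean = new_mean
            if m2 < 0.0:                          # rounding can dip below zero
                m2 = 0.0

        updates += 1
        if updates % recompute_every == 0:
            # Exact rebuild from the stored window bounds accumulated drift.
            mean = math.fsum(window) / n
            m2 = math.fsum((v - mean) ** 2 for v in window)


# Constructed sample: a steady 9/11 oscillation with one spike at t=6.
SAMPLE_POINTS = [(0, 9), (1, 11), (2, 9), (3, 11), (4, 9), (5, 11), (6, 30), (7, 9)]

if __name__ == "__main__":
    for ts, value, z in rolling_zscore(SAMPLE_POINTS, window_size=4, z_threshold=3.0):
        print(f"t={ts} value={value} z={z:.2f}")   # t=6 value=30 z=17.32
```

On numeric stability: the textbook variance formula (sum of squares minus n times mean squared) cancels catastrophically when the mean is large relative to the spread, which is common for counters such as bytes or request rates. The deviation-based update above avoids that, but both the increment and the slide still accumulate rounding error, hence the clamp at zero and the periodic exact rebuild from the stored window. A constant baseline gives a zero standard deviation; this implementation reports an infinite z-score for any deviation rather than dividing by zero, and a caller may prefer a floor on the standard deviation. Flagged points are still admitted to the window, so the detector re-baselines after a genuine level shift instead of alerting forever.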
Medium | Technical | 67 practiced
Write a Python function compute_time_window_metrics(events, window='1D') that given a list of prediction records with fields {'ts': ISO timestamp, 'label': 0/1 or None, 'score': float, 'predicted': 0/1} computes per-window confusion matrix entries (TP, FP, TN, FN), precision, recall, and F1. Assume events may be sparse and some windows may lack labels; describe how you handle unlabeled data when reporting metrics and include a small example input and output.
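A stdlib-only implementation of the requested function, added here as a worked example rather than the site's answer. Unlabeled records are counted separately and excluded from the confusion matrix, and any rate whose denominator is zero is reported as `None` instead of a misleading 0.0 or 1.0; windows with no events are simply absent. The window syntax (`1D`, `12H`, `15M`, `30S`) and the sample records are constructed for this example.

```python
"""Per-window confusion matrix and precision/recall/F1 from prediction records."""
import re
from collections import defaultdict
from datetime import datetime, timezone

_UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400}


def _window_seconds(window):
    """Parse an offset such as '1D', '12H', '15M' or '30S' into seconds."""
    m = re.fullmatch(r"(\d+)([SMHD])", window.strip().upper())
    if not m:
        raise ValueError(f"unsupported window spec: {window!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def _to_utc(ts):
    """Parse an ISO-8601 timestamp; naive timestamps are assumed to be UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def _ratio(num, den):
    return num / den if den else None      # None means undefined, not zero


def compute_time_window_metrics(events, window="1D"):
    """Return {window_start_iso: {TP, FP, TN, FN, unlabeled, labeled, precision, recall, f1}}.

    Buckets are aligned to the Unix epoch in UTC, so '1D' means calendar UTC days.
    """
    width = _window_seconds(window)
    buckets = defaultdict(lambda: {"TP": 0, "FP": 0, "TN": 0, "FN": 0, "unlabeled": 0})
    for ev in events:
        epoch = int(_to_utc(ev["ts"]).timestamp())
        start = datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)
        cell = buckets[start.isoformat()]
        label, predicted = ev.get("label"), int(ev["predicted"])
        if label is None:
            cell["unlabeled"] += 1             # kept for volume reporting only
            continue
        if predicted == 1:
            cell["TP" if label == 1 else "FP"] += 1
        else:
            cell["FN" if label == 1 else "TN"] += 1

    report = {}
    for key in sorted(buckets):
        c = buckets[key]
        precision = _ratio(c["TP"], c["TP"] + c["FP"])
        recall = _ratio(c["TP"], c["TP"] + c["FN"])
        if precision is None or recall is None:
            f1 = None                          # undefined when either rate is
        elif precision + recall == 0:
            f1 = 0.0                           # defined, but nothing was caught
        else:
            f1 = 2 * precision * recall / (precision + recall)
        report[key] = {**c, "labeled": c["TP"] + c["FP"] + c["TN"] + c["FN"],
                       "precision": precision, "recall": recall, "f1": f1}
    return report


# Constructed sample: one fully labeled day, one unlabeled day, a gap, one TP.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T01:00:00+00:00", "label": 1, "score": 0.91, "predicted": 1},  # TP
    {"ts": "2024-03-01T05:30:00+00:00", "label": 0, "score": 0.72, "predicted": 1},  # FP
    {"ts": "2024-03-01T12:00:00+00:00", "label": 1, "score": 0.40, "predicted": 0},  # FN
    {"ts": "2024-03-01T23:59:00+00:00", "label": 0, "score": 0.10, "predicted": 0},  # TN
    {"ts": "2024-03-02T08:00:00Z", "label": None, "score": 0.66, "predicted": 1},     # unlabeled
    {"ts": "2024-03-02T09:00:00Z", "label": None, "score": 0.20, "predicted": 0},     # unlabeled
    {"ts": "2024-03-04T10:00:00+00:00", "label": 1, "score": 0.95, "predicted": 1},  # TP
]

if __name__ == "__main__":
    for start, row in compute_time_window_metrics(SAMPLE_EVENTS, "1D").items():
        print(start, row)
```

For the sample input, 2024-03-01 reports TP=FP=TN=FN=1 with precision, recall and F1 all 0.5; 2024-03-02 reports two unlabeled events and `None` for every rate; 2024-03-03 does not appear; 2024-03-04 reports a single TP with all rates 1.0. Reporting the `labeled` count alongside the rates lets a consumer weight or suppress windows whose metrics rest on a handful of labels.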
Hard | Technical | 56 practiced
You have a monthly budget of $50,000 for telemetry storage. Your platform ingests 50 TB of raw logs per day. Hot indexed storage (Elasticsearch or similar, fast and searchable) costs approximately $0.02 per GB per day, while cold object storage (S3/Glacier) costs approximately $0.0007 per GB per day. Design a retention and indexing policy that maximizes detection capability over a 90-day window within the budget. Include compression and rollup strategies, selective indexing of high-cardinality fields, and sample calculations to justify the trade-offs.
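A cost model for this question, added here as a worked example and not the site's answer. It uses the prices and volumes given above and makes the following assumptions, all labeled in the code: 1 TB is 1000 GB, a billing month is 30 days, every day's raw logs land compressed in cold storage for the full 90 days, the hot tier holds only a selectively indexed share of each day plus small aggregate rollups kept hot for the whole horizon, and the compression and indexing ratios in the candidate policies are illustrative. The model answers the question that matters in the interview: how many days of hot, searchable detail the budget actually buys.

```python
"""Retention/indexing cost model for a fixed monthly telemetry budget."""
from dataclasses import dataclass, replace

# Figures from the question; 1 TB taken as 1000 GB (cloud billing convention, assumed).
DAILY_RAW_GB = 50 * 1000
HOT_RATE = 0.02          # $ per GB per day, indexed and searchable
COLD_RATE = 0.0007       # $ per GB per day, object storage
HORIZON_DAYS = 90
BUDGET_PER_MONTH = 50_000.0
DAYS_PER_MONTH = 30      # billing approximation (assumed)


@dataclass(frozen=True)
class Policy:
    hot_days: int            # days of detail data kept in the hot index
    hot_fraction: float      # share of raw volume that is selectively indexed hot
    index_factor: float      # hot bytes per raw byte after indexing (1.0 = break-even)
    rollup_fraction: float   # share of raw volume kept hot as aggregates for the horizon
    cold_compression: float  # raw-to-stored ratio in cold storage (10.0 = 10:1)


def steady_state_gb(policy):
    """Bytes resident once the pipeline has run for HORIZON_DAYS: (hot_gb, cold_gb)."""
    detail_hot = DAILY_RAW_GB * policy.hot_fraction * policy.index_factor * policy.hot_days
    rollups_hot = DAILY_RAW_GB * policy.rollup_fraction * HORIZON_DAYS
    cold = DAILY_RAW_GB / policy.cold_compression * HORIZON_DAYS   # everything, compressed
    return detail_hot + rollups_hot, cold


def monthly_cost(policy):
    hot_gb, cold_gb = steady_state_gb(policy)
    return DAYS_PER_MONTH * (hot_gb * HOT_RATE + cold_gb * COLD_RATE)


def fits_budget(policy, budget=BUDGET_PER_MONTH):
    return monthly_cost(policy) <= budget


def max_hot_days(policy, budget=BUDGET_PER_MONTH):
    """Largest hot_days for which this policy's other settings fit the budget.

    Returns -1 when the cold tier plus rollups alone already exceed it.
    """
    fixed = monthly_cost(replace(policy, hot_days=0))          # cold + rollups, no detail
    if fixed > budget:
        return -1
    per_hot_day = DAYS_PER_MONTH * DAILY_RAW_GB * policy.hot_fraction * policy.index_factor * HOT_RATE
    if per_hot_day == 0:
        return HORIZON_DAYS
    return min(HORIZON_DAYS, int((budget - fixed) // per_hot_day))


# Candidate policies (illustrative ratios, not measurements).
NAIVE = Policy(hot_days=90, hot_fraction=1.0, index_factor=1.0, rollup_fraction=0.0, cold_compression=10.0)
ALL_COLD = Policy(hot_days=0, hot_fraction=0.0, index_factor=1.0, rollup_fraction=0.0, cold_compression=10.0)
TIERED = Policy(hot_days=9, hot_fraction=0.10, index_factor=1.0, rollup_fraction=0.005, cold_compression=10.0)

if __name__ == "__main__":
    for name, pol in [("naive", NAIVE), ("all cold", ALL_COLD), ("tiered", TIERED)]:
        print(f"{name:9s} ${monthly_cost(pol):>12,.0f}/month  fits={fits_budget(pol)}")
    print("tiered policy can afford", max_hot_days(TIERED), "hot days")
```

The arithmetic is unforgiving: indexing all 50 TB/day hot for 90 days costs about $2.7M a month, and even keeping the raw stream uncompressed in cold storage for 90 days ($94,500) is over budget, so compression is a precondition rather than an optimization. With 10:1 cold compression the cold tier costs $9,450 a month, and after reserving 0.5% of volume as 90-day rollups the remaining budget buys 9 days of hot detail at 10% selective indexing; each extra hot day of that 10% slice costs another $3,000 a month. Detection capability then comes from choosing the 10% well (authentication, process creation, DNS, egress) and from the rollups that keep long-range counts and baselines queryable, while the cold tier supports rehydration for investigations.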
Medium | Technical | 47 practiced
You must deploy a machine-learning-based network-traffic detector that scores flows in near real time with p95 inference latency under 100 ms. Expected workload: 100k flows/sec. Describe an end-to-end architecture that includes feature extraction from flow logs, feature enrichment (DNS, IP reputation), a feature store or cache, model serving choices (online model server, batching, GPU vs. CPU), autoscaling, and backpressure handling. Discuss the trade-offs between batching for throughput and strict latency requirements.
Medium | Technical | 53 practiced
Implement a simple signature-based rules engine in Python: function evaluate_rules(events, rules) where events is a list of dicts and rules is a list of rule dicts with keys like {'field': 'cmdline', 'op': 'regex', 'pattern': '.*Invoke-Expression.*'}. The function should return matched (event, rule_id) pairs efficiently; assume thousands of rules and high event throughput. Sketch optimizations to make matching efficient.
