Check List 1

Standard SOC interview checklist

Uploaded by cychantt1

Client Environment Survey for SOC Monitoring

1. Network Structure

1. Please provide a network topology diagram (physical/logical).
2. List all IP address ranges, VLANs, and subnets in use.
3. Describe firewall rules and VPN configurations (e.g., allowed traffic types, geo-blocking).
4. What are the primary ingress/egress points for external traffic?
5. What traffic patterns are considered "normal" (e.g., bandwidth usage, protocols like HTTP/S, FTP)?
6. List any traffic types or protocols explicitly blocked or flagged as suspicious (e.g., Tor, IRC).
7. Are there wireless networks? If yes:
   o Are guest networks isolated from internal networks?
   o How are rogue access points detected?
8. Are there IoT devices (e.g., cameras, printers) or OT systems (industrial control systems) on the network? If yes, how are they secured?
9. Describe how critical assets (e.g., databases, Active Directory) are segmented from other networks.

2. Host Inventory

1. For each host, provide:
   o Hostname/IP address
   o Purpose (e.g., web server, database, user workstation)
   o OS/software versions and patch status
   o Criticality level (High/Medium/Low)
2. Which hosts store or process sensitive data (e.g., PII, financial records)?
3. List all open ports and services (e.g., RDP, SSH) on critical hosts.
4. Are there any legacy systems or unsupported software in use?
5. Are there virtualized environments (e.g., VMware, Hyper-V) or containers (e.g., Docker, Kubernetes)? If yes:
   o How are hypervisors or orchestrators secured?
   o Are containers scanned for vulnerabilities before deployment?

3. Admin Accounts & Access

1. List all privileged accounts (local/domain/cloud), including:
   o Account names
   o Assigned users or roles
   o Privilege levels (e.g., Domain Admin, root, AWS Admin)
2. Is MFA enforced for admin accounts? If not, explain exceptions.
3. Are privileged accounts configured with:
   o Time-based access (e.g., JIT access)?
   o Session recording (e.g., for RDP, SSH)?
4. Describe typical admin login patterns (e.g., time of day, source IPs).
5. Are shared accounts (e.g., "admin") used? If yes, how are they monitored?
6. What alerts are configured for privilege escalation or role changes?
7. Are service accounts documented? Are their passwords rotated periodically?

4. Critical Services & Protocols

1. For RDP/SSH:
   o List all systems where these protocols are enabled.
   o Are they restricted to specific IP ranges or VPN-only?
   o Is Network Level Authentication (NLA) enforced for RDP?
2. For email systems:
   o Is SMTP/IMAP traffic encrypted?
   o Are phishing/spoofing protections enabled (e.g., SPF, DKIM, DMARC)?
3. For vulnerability management:
   o How are critical vulnerabilities prioritized and patched?
   o Are compensating controls used for unpatched systems (e.g., WAFs, ACLs)?
4. Describe your vulnerability scanning process:
   o Tools used (e.g., Nessus, Qualys)
   o Frequency and scope of scans
   o Remediation SLAs for critical vulnerabilities
5. For backups:
   o Are backups tested for integrity/restoration?
   o How are backup credentials stored and secured?
6. How are backups performed? Include:
   o Schedule
   o Success/failure monitoring
   o Encryption and offsite storage details

5. Security Monitoring & Logging

1. List all log sources provided to the SOC (e.g., firewalls, endpoints, AD).
2. Describe log retention policies (e.g., 90 days, 1 year).
3. Are logs centralized (e.g., SIEM)? If yes, specify the tool.
4. Are the following logs enabled and monitored?
   o PowerShell/command-line activity
   o Registry edits
   o File integrity monitoring (e.g., critical file changes)
5. Are there whitelisted IPs/domains that should never be blocked (e.g., SaaS providers)?
6. What alerts are already configured (e.g., failed logins, large data transfers)?
7. List all "whitelisted" normal activities that should not raise concern during monitoring.

6. User Behavior & Anomalies

1. What are normal working hours for employees? Do remote workers follow the same schedule?
2. Describe typical data access patterns (e.g., HR accessing payroll files, developers accessing code repos).
3. What UEBA alerts are already configured (e.g., impossible travel, abnormal file access)?
4. Are there data loss prevention (DLP) rules? If yes, describe policies (e.g., blocking USB drives, restricting cloud uploads).
5. List activities considered abnormal, e.g.:
   o Logins outside business hours
   o Unusual file encryption/deletion
   o Bulk data transfers to external drives/cloud
   o Remote Desktop Protocol (RDP) usage
   If any of these abnormal activities are permitted for a specific user or host, list the hostnames, users, IPs and time windows involved.

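As an added illustration (not part of the original survey), the following Python shows how a SOC can turn the answers to this section into a detection rule: logins outside business hours are flagged unless they match a documented exception that names the user, host, source IP and allowed time window. The business hours, the sample login events and the exception list are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample login events: (user, source IP, host, ISO timestamp).
SAMPLE_EVENTS = [
    ("alice", "10.1.5.20", "fs01", "2024-03-04T09:15:00"),       # Monday, in hours
    ("bob", "10.1.5.21", "fs01", "2024-03-04T22:40:00"),         # Monday, after hours
    ("backup_svc", "10.1.9.5", "bk01", "2024-03-05T02:00:00"),   # nightly job, documented
    ("carol", "10.1.5.30", "ws17", "2024-03-09T11:00:00"),       # Saturday
    ("backup_svc", "10.1.9.5", "fs01", "2024-03-05T02:30:00"),   # wrong host for the exception
]

# Assumed business hours: Monday to Friday, 08:00 to 18:00 local time.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday=0 .. Friday=4

# Documented exceptions (item 5): user, host, source IP and the allowed window.
ALLOWED_OFF_HOURS = [
    {"user": "backup_svc", "host": "bk01", "ip": "10.1.9.5",
     "window": (time(1, 0), time(4, 0))},
]


def is_business_hours(ts: datetime) -> bool:
    """True when the timestamp falls on a workday inside business hours."""
    return ts.weekday() in WORKDAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def is_allowed_exception(user: str, ip: str, host: str, ts: datetime) -> bool:
    """True only if user, host, IP and time all match a documented exception."""
    for rule in ALLOWED_OFF_HOURS:
        start, end = rule["window"]
        identity_ok = (rule["user"], rule["host"], rule["ip"]) == (user, host, ip)
        if identity_ok and start <= ts.time() < end:
            return True
    return False


def find_off_hours_logins(events):
    """Return (user, host, ip, timestamp) for every login outside business
    hours that is not covered by a documented exception."""
    findings = []
    for user, ip, host, ts_str in events:
        ts = datetime.fromisoformat(ts_str)
        if is_business_hours(ts) or is_allowed_exception(user, ip, host, ts):
            continue
        findings.append((user, host, ip, ts_str))
    return findings


if __name__ == "__main__":
    for finding in find_off_hours_logins(SAMPLE_EVENTS):
        print("off-hours login:", finding)
```

Note that the exception match is exact on all four fields, so the same service account logging in from an undocumented host is still flagged.
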
7. Third-Party Access

1. List all third-party vendors with network access (e.g., MSPs, contractors).
2. Do third parties use:
   o Dedicated VPN accounts?
   o Their own devices (BYOD) or company-managed devices?
3. Are third-party sessions (e.g., TeamViewer, AnyDesk) recorded or time-limited?
4. Are guest networks isolated from the main network?

8. Incident Response (IR)

1. Provide IR playbooks for scenarios like ransomware, data exfiltration, and insider threats.
2. What is the SLA for containment (e.g., 1 hour for critical incidents)?
3. Are forensic artifacts (e.g., memory dumps, disk images) preserved during incidents?
4. Describe communication protocols during incidents (e.g., who is notified, how is leadership updated?).
5. Are forensic capabilities (e.g., disk imaging) available for investigations?

9. Compliance Requirements

1. List compliance frameworks you must adhere to (e.g., GDPR, HIPAA).
2. Provide recent audit reports or gap analyses.
3. Are access reviews conducted periodically (e.g., quarterly for admin accounts)?
4. Provide copies of:
   o Security policies (e.g., Acceptable Use, BYOD).
   o Risk assessment reports.
   o Penetration test results (last 12 months).

10. Physical Security

1. Describe physical access controls (e.g., biometrics, badge access for server rooms).
2. Are workstations/servers secured against theft (e.g., cable locks)?
3. How are removable media (e.g., USB drives) restricted or monitored?

11. Additional Notes

1. Are there any undocumented systems or "shadow IT" in use?
2. Describe recent security incidents or ongoing concerns.
3. Is email encryption used for sensitive communications?
4. Are phishing simulations or security awareness training conducted? How often?
5. Are endpoint detection and response (EDR) tools deployed? If yes, specify the vendor.
6. Describe BYOD policies (e.g., MDM requirements, network segmentation for personal devices).

12. Future Plans & Dependencies

1. Are there upcoming changes to the environment (e.g., cloud migration, M&A)?
2. List business-critical projects that may impact security monitoring (e.g., new SaaS adoption).
3. Are there dependencies (e.g., legacy apps, third-party SLAs) that could affect incident response?

Formatting Tips for Clients

o Use tables for host inventories, IP ranges, and admin accounts.
o Attach network diagrams, firewall rules, and compliance policies.
o Highlight changes planned in the next 6 months (e.g., cloud migration).

This survey ensures the SOC has the context needed to distinguish normal from malicious activity and prioritize alerts effectively. Adjust it based on the client's size and industry.
