Greg Bammel, March 1 2023

SOAR Security Analyst Interview Questions

Security Orchestration, Automation and Response (SOAR) has a unique set of analyst requirements, such as software development, general security tooling knowledge and API experience.  These requirements are difficult to find and staff.  Simply put, they're the reason we exist.  However, many organizations prefer to build the team out internally.  If your organization wishes to hire, or you are seeking a role as a SOAR engineer, here is our list of interview questions.  Yes, you can expect to be asked these in an interview with us.

Before we dive into product-specific requirements, here are our basic questions.  These are technical in nature and do not assess fit for an organization.

What programming languages or scripting languages do you know?

We are looking for any language.  This is a disqualifying question and should be asked by a recruiter prior to an initial interview.

What are the different HTTP methods?

The answer is any of the following: GET, POST, PATCH, PUT, DELETE, OPTIONS, or HEAD. This is a disqualifying question and should be asked by a recruiter prior to an initial interview.  Basic knowledge of HTTP is a prerequisite to an interview.

What are the different data types in the programming language you're most familiar with?

This will vary from language to language; however, most have a similar basis of string, integer, float, boolean, numeric, double, etc.  There is a wide range of answers here, heavily dependent on the language of choice.  For example, Python would be: string, list, tuple, range, bytes, bytearray, memoryview, dictionary, boolean, set, frozenset.

Can you describe a solution or process you've recently automated? 

Our goal is to assess willingness to automate, or to use programming to solve problems.  If you want to focus on automation for a business, your mindset should be "how do I automate this?".  The only wrong answer is no answer.

You are browsing your company website and it doesn't load, how would you start troubleshooting?  What if it was loading slowly?  What if you get an insecure error message?

While this question does not ask directly about an API, it reveals an understanding of the technologies involved in making a request.  We're looking for an answer that covers DNS, firewall, HTTP and SSL.  Depending on the answers given, we'll usually follow up with additional questions.
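The layered answer we want to hear (DNS, then firewall, then TLS, then HTTP) can be written down as a script. The following is an added example, not code from the original post: it runs the checks in dependency order, stops at the first layer that fails, and records how long each layer took, which is the number you look at when the site loads but loads slowly. The real checkers need network access; the `FAKE_LAYERS` stand-ins at the bottom are constructed so the walk-through runs offline, and `www.example.test` is a placeholder host.

```python
import http.client
import socket
import ssl
import time
from typing import Callable, Dict, List, Optional, Tuple

# A checker returns None when the layer is healthy, or a short description of the failure.
Checker = Callable[[str], Optional[str]]


def check_dns(host: str) -> Optional[str]:
    """Can the name be resolved at all? Failure here is a DNS problem, not a web server problem."""
    try:
        socket.gethostbyname(host)
        return None
    except socket.gaierror as exc:
        return f"DNS resolution failed: {exc}"


def check_tcp(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Can we open a TCP connection? A timeout or refusal usually means a firewall or a down service."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return f"TCP connect to {host}:{port} failed: {exc}"


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Does a verified TLS handshake succeed? Expired, mismatched or untrusted certificates
    fail here, which is what the browser surfaces as an 'insecure' warning."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLError as exc:
        return f"TLS handshake failed: {exc}"
    except OSError as exc:
        return f"TLS connect failed: {exc}"


def check_http(host: str, timeout: float = 5.0) -> Optional[str]:
    """Does the web server answer with a non-error status?"""
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        conn.close()
    except OSError as exc:
        return f"HTTP request failed: {exc}"
    if resp.status >= 500:
        return f"HTTP server error: {resp.status} {resp.reason}"
    return None


# Ordered by dependency: a failure at one layer explains failures at every layer above it.
LAYERS: List[Tuple[str, Checker]] = [
    ("dns", check_dns),
    ("firewall/tcp", check_tcp),
    ("tls", check_tls),
    ("http", check_http),
]


def diagnose(host: str, layers: List[Tuple[str, Checker]] = LAYERS) -> List[Dict]:
    """Run the checks in order, timing each one, and stop at the first failure."""
    report = []
    for name, check in layers:
        start = time.perf_counter()
        problem = check(host)
        elapsed_ms = round((time.perf_counter() - start) * 1000, 1)
        report.append({"layer": name, "ms": elapsed_ms, "problem": problem})
        if problem is not None:
            break
    return report


def first_failure(report: List[Dict]) -> Optional[str]:
    """Name of the first failing layer, or None when every layer passed."""
    for entry in report:
        if entry["problem"] is not None:
            return entry["layer"]
    return None


# Constructed stand-ins so the walk-through runs offline: DNS and TCP pass, the certificate check fails.
FAKE_LAYERS: List[Tuple[str, Checker]] = [
    ("dns", lambda host: None),
    ("firewall/tcp", lambda host: None),
    ("tls", lambda host: "TLS handshake failed: certificate has expired (constructed)"),
    ("http", lambda host: None),
]

if __name__ == "__main__":
    report = diagnose("www.example.test", FAKE_LAYERS)
    for entry in report:
        print(entry)
    print("first failing layer:", first_failure(report))
```

Swap `FAKE_LAYERS` for the default `LAYERS` to run the real checks against a host; the order matters, because a DNS failure would otherwise show up as a TCP, TLS and HTTP failure as well.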

You're writing an integration with an API with no documentation, how do you start?  The user can demonstrate the action.

We are looking for some knowledge of Chrome Developer Tools, Postman, or a similar way to view requests.

Assuming the candidate passes these questions, we dive into product-specific experience and questions.  Below is a list of questions based upon each SOAR technology:

Swimlane:

Once an application has run its workflow, how can you view the history of the record?

How can you trigger a workflow to run without Canvas?

All workflows are triggered based upon a record being created. You can create a record via the API, via an integration/task, or manually.

How do you deduplicate records?

When records are created, you can use insert/update with a primary key field.  This will overwrite the existing record; however, it will stop duplicates from being created.

What are the benefits of Swimlane's new Canvas feature set?

This is relatively new to Swimlane.  Depending on the answer, it will show how recently the candidate has worked with Swimlane.

How do you debug a task?

Within a specific task, you can run the task against a specific record or input values.  The record must contain the inputs you wish to use, or you can input them manually.  It is better to use a record, as there may be challenges with input types.

How do you make outputs from a task that are within a nested JSON object?

Use JSONPath within the output mappings.
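To show what an output mapping actually does, here is an added example (not Swimlane code, and not the platform's JSONPath engine): a small resolver for the subset of JSONPath that output mappings typically need, dotted keys, `[n]` indexes and `[*]` wildcards over lists, plus a mapper that applies field-to-path mappings to a task's output. The sample task output and the field names in `OUTPUT_MAPPINGS` are constructed for the example; an absent path maps to `None` so the record still receives the fields that did resolve.

```python
import json
import re
from typing import Any, Dict, List, Union

# Supported path grammar (a subset of JSONPath): $.key.sub[0].name and [*] wildcards over lists.
_TOKEN = re.compile(r"\.?([^.\[\]]+)|\[(\*|\d+)\]")

Token = Union[str, int]


def tokenize(path: str) -> List[Token]:
    """Split '$.data.results[*].engine' into ['data', 'results', '*', 'engine']."""
    if path.startswith("$"):
        path = path[1:]
    tokens: List[Token] = []
    for key, index in _TOKEN.findall(path):
        if key:
            tokens.append(key)
        elif index == "*":
            tokens.append("*")
        else:
            tokens.append(int(index))
    return tokens


def resolve(document: Any, path: str) -> List[Any]:
    """Return every value the path matches; an empty list means the path is absent."""
    nodes = [document]
    for token in tokenize(path):
        next_nodes = []
        for node in nodes:
            if token == "*" and isinstance(node, list):
                next_nodes.extend(node)
            elif isinstance(token, int) and isinstance(node, list) and token < len(node):
                next_nodes.append(node[token])
            elif isinstance(token, str) and isinstance(node, dict) and token in node:
                next_nodes.append(node[token])
        nodes = next_nodes
    return nodes


def map_outputs(task_output: Dict, mappings: Dict[str, str]) -> Dict[str, Any]:
    """Apply field -> path mappings. Wildcard paths yield lists; absent paths yield None
    instead of failing the task."""
    mapped = {}
    for field, path in mappings.items():
        matches = resolve(task_output, path)
        if not matches:
            mapped[field] = None
        elif "*" in tokenize(path):
            mapped[field] = matches
        else:
            mapped[field] = matches[0]
    return mapped


# Constructed sample of what a file-reputation lookup task might return (not a real vendor response).
SAMPLE_TASK_OUTPUT = json.loads("""
{
  "data": {
    "id": "sha256-placeholder-constructed",
    "attributes": {
      "last_analysis_stats": {"malicious": 3, "harmless": 60},
      "results": [
        {"engine": "EngineA", "category": "malicious"},
        {"engine": "EngineB", "category": "harmless"}
      ]
    }
  }
}
""")

# Hypothetical record fields on the left, paths into the task output on the right.
OUTPUT_MAPPINGS = {
    "file_hash": "$.data.id",
    "malicious_count": "$.data.attributes.last_analysis_stats.malicious",
    "engines": "$.data.attributes.results[*].engine",
    "first_category": "$.data.attributes.results[0].category",
    "sandbox_url": "$.data.attributes.sandbox.url",   # not present in the sample: maps to None
}

if __name__ == "__main__":
    print(json.dumps(map_outputs(SAMPLE_TASK_OUTPUT, OUTPUT_MAPPINGS), indent=2))
```

The wildcard case is the one candidates usually miss: `results[*].engine` must map to a list-typed field, whereas `results[0].category` maps to a single value.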

What are the different permissions available?

User and administrator.  User permissions may be set for any specific application, or for fields within an application.  Once a user is an administrator, they have permissions to the entire platform.

How do you view the current jobs running?

In Hangfire.  From the UI, under Background Jobs, Processing.  With Canvas, you will debug tasks within the UI editor.

Cortex SOAR / XSOAR: 

Do playbooks run automatically when an incident is generated?

Yes, but only if the Run Playbook Automatically setting is checked under that incident type. This is set per incident type.

What are the issues with re-executing a playbook?

Context data is not removed without a specific step to clear context.  Incident fields are not reset.

How would you de-duplicate incidents being ingested into the platform?

A preprocessing rule may be used to deduplicate data when it is ingested.

What would you deploy to access tools on a separate network segment?

Engine.

What type of task can be used to collect information via email?

Ask task or data collection task.

What is context data and how is it used?

Context data stores the results from integration commands and automation scripts for a given incident, which allows that data to be passed between playbook tasks.  The main point is that it is the mechanism for passing data between playbook tasks.
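The two XSOAR answers above, context as the hand-off between tasks and context not being cleared when a playbook is re-executed, are easiest to see in code. This is an added example and not XSOAR's own context implementation: a per-incident context store, two toy tasks that communicate only through it, and a `demo()` that runs the playbook once, re-runs it without clearing context (the results double-count), and re-runs it with an explicit clear step. The enrichment scores and the indicator addresses are constructed.

```python
import copy
from typing import Any, Dict, List


class IncidentContext:
    """Per-incident key/value store that playbook tasks read from and write to."""

    def __init__(self) -> None:
        self._data: Dict[str, Any] = {}

    def set(self, key: str, value: Any) -> None:
        self._data[key] = value

    def append(self, key: str, value: Any) -> None:
        # List-valued outputs accumulate: each task run adds to what is already there.
        self._data.setdefault(key, []).append(value)

    def get(self, key: str, default: Any = None) -> Any:
        return copy.deepcopy(self._data.get(key, default))

    def clear(self, *keys: str) -> None:
        """The explicit 'clear context' step; nothing else removes data between runs."""
        for key in keys:
            self._data.pop(key, None)


def task_enrich_ips(ctx: IncidentContext, indicators: List[str]) -> None:
    """Stand-in for an integration command: writes one reputation result per IP into context.
    Scores are constructed (the 203.0.113.0/24 documentation range scores high), not real lookups."""
    for ip in indicators:
        score = 90 if ip.startswith("203.0.113.") else 10
        ctx.append("IPReputation", {"ip": ip, "score": score})


def task_decide(ctx: IncidentContext) -> List[str]:
    """A later task reads the enrichment results from context, not from the first task directly."""
    results = ctx.get("IPReputation", [])
    malicious = [r["ip"] for r in results if r["score"] >= 80]
    ctx.set("MaliciousCount", len(malicious))
    return malicious


def run_playbook(ctx: IncidentContext, indicators: List[str], clear_first: bool = False) -> Dict[str, Any]:
    if clear_first:
        ctx.clear("IPReputation", "MaliciousCount")
    task_enrich_ips(ctx, indicators)
    malicious = task_decide(ctx)
    return {
        "malicious": malicious,
        "count": ctx.get("MaliciousCount"),
        "results": len(ctx.get("IPReputation", [])),
    }


# Constructed incident indicators (RFC 5737 documentation addresses).
INCIDENT_INDICATORS = ["203.0.113.7", "198.51.100.20"]


def demo() -> Dict[str, Dict[str, Any]]:
    ctx = IncidentContext()
    first = run_playbook(ctx, INCIDENT_INDICATORS)
    rerun = run_playbook(ctx, INCIDENT_INDICATORS)                       # no clear: stale results double-count
    rerun_cleared = run_playbook(ctx, INCIDENT_INDICATORS, clear_first=True)
    return {"first": first, "rerun": rerun, "rerun_cleared": rerun_cleared}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14s} {outcome}")
```

The second run reports two malicious IPs for an incident that has one, which is exactly the kind of wrong verdict a stale context produces in a real playbook.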

How would you restrict permissions for a single integration command?

Either go to integration permissions and set which role can run the specific command, or, if the command is marked as potentially harmful, go to Users and Roles and uncheck the Execute Potentially Harmful Actions radio button.

Chronicle SOAR / Siemplify

How do you access data when building a playbook?

You can view data via the JSON browser.  The dropdown when creating an integration also enables you to search through outputs.  If the output hasn't been seen yet, you may have to enter it manually.

How does data flow through a playbook?  

Data flows through as a list of entities, and the context restricts an action to entities of a certain type.  This prevents, for example, a hash query being run on an IP.

What are environments used for in Siemplify?

Environments control where an action should run.  They can be used to delegate actions to on-premises agents.  Shared environments are available to all environments.  For example, a VirusTotal integration may be used in any playbook, whereas a Carbon Black integration would only be leveraged within the SecOps team.

How do you deduplicate or group alerts?

Within the settings there is a section for alert grouping, where you can set up rules based on a number of different criteria such as alert source, source or destination IP, etc.
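Deduplication comes up for every platform above (insert/update on a primary key in Swimlane, a preprocessing rule in XSOAR, alert grouping rules in Siemplify). The following is an added example, not any vendor's code, that shows the two mechanics behind those answers: an insert/update store keyed on a configurable primary-key field, and a grouping function that buckets alerts on a tuple of criteria such as alert source and source IP. The alerts are constructed (one alert arrives twice with an escalated severity) and the field names are hypothetical.

```python
from typing import Any, Dict, Iterable, List, Tuple


class RecordStore:
    """Insert/update keyed on a primary-key field: a repeat of an existing key updates the
    stored record in place instead of creating a second one."""

    def __init__(self, primary_key: str) -> None:
        self.primary_key = primary_key
        self.records: Dict[Any, Dict[str, Any]] = {}
        self.created = 0
        self.updated = 0

    def insert_or_update(self, record: Dict[str, Any]) -> Dict[str, Any]:
        key = record[self.primary_key]
        existing = self.records.get(key)
        if existing is None:
            self.records[key] = dict(record)
            self.created += 1
        else:
            existing.update(record)       # newer values overwrite the old ones
            self.updated += 1
        return self.records[key]


def group_alerts(alerts: Iterable[Dict[str, Any]], criteria: Tuple[str, ...]) -> Dict[Tuple, List[Dict[str, Any]]]:
    """Group alerts that share the same values for every criterion (alert source, source IP, ...)."""
    groups: Dict[Tuple, List[Dict[str, Any]]] = {}
    for alert in alerts:
        key = tuple(alert.get(field) for field in criteria)
        groups.setdefault(key, []).append(alert)
    return groups


# Constructed alerts: A-1001 arrives twice (the second copy carries an escalated severity),
# two EDR alerts share a source IP, and one firewall alert stands alone.
# Addresses are RFC 5737 / RFC 1918 samples.
SAMPLE_ALERTS = [
    {"alert_id": "A-1001", "source": "EDR", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "severity": "high"},
    {"alert_id": "A-1001", "source": "EDR", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "severity": "critical"},
    {"alert_id": "A-1002", "source": "EDR", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9", "severity": "medium"},
    {"alert_id": "A-2001", "source": "Firewall", "src_ip": "198.51.100.20", "dst_ip": "10.0.0.5", "severity": "low"},
]


def ingest(alerts: Iterable[Dict[str, Any]], primary_key: str = "alert_id") -> RecordStore:
    """Ingest alerts through insert/update so re-polled copies update rather than duplicate."""
    store = RecordStore(primary_key)
    for alert in alerts:
        store.insert_or_update(alert)
    return store


if __name__ == "__main__":
    store = ingest(SAMPLE_ALERTS)
    print(f"created={store.created} updated={store.updated}")
    for key, members in group_alerts(store.records.values(), ("source", "src_ip")).items():
        print(key, [m["alert_id"] for m in members])
```

Note the trade-off the Swimlane answer mentions: the re-polled copy of A-1001 overwrites the stored severity, so the primary key must be something that genuinely identifies the same event, not a field that varies between polls.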

Splunk SOAR / Phantom

What are the data structure components that make up an ingested event?

One container, composed of any number of artifacts, each holding any number of CEF key/value pairs.

What are the primary methods of triggering an automation playbook?

You can create On-Poll Integrations, Inbound Webhooks, Event Forwarding, and Custom REST Integrations.

How can data be passed between playbook executions?

Any of the following answers would be acceptable: Artifact Creation, Handle/Collect2 API Methods, Trigger Event creation, External System sync.

What is the most common method of forwarding events from Splunk ES to Splunk SOAR?

This is the same method as for other SOAR technologies.  You can use either the Splunk SOAR/Phantom TA app (push) or the Splunk App for Splunk SOAR (pull).

Within the Case Management feature set, what are the names of the components making up a case management workflow?

Templates, Phases, Tasks, Playbooks.

What are some of the built-in RBAC groups for Analysts, Engineers & Manager personas?

SOC Analyst, Security Engineer, SOC Manager.
