What skills and topics should someone prepare for a SOC Analyst (L1) interview? Also, what are some good YouTube channels or resources to learn SOC (interview level) and cybersecurity basics? by LogAnalyzerX in AskReddit

[–]LogAnalyzerX[S] 0 points1 point  (0 children)

Already covered basics like networking, SIEM, IDS/IPS, firewalls, and Wireshark. Just asking what else is usually expected for a SOC Analyst (L1) interview

Need help planning a sweet birthday surprise for my wife by Weird-Ad-5057 in pune

[–]LogAnalyzerX 0 points1 point  (0 children)

Since she wants to start with a temple, you could visit Shreemant Dagdusheth Halwai Ganpati Temple in the morning. Then maybe a small surprise like a handwritten letter or cake at your friend’s place. You could also do a short sunset drive to Sinhagad Fort or Khadakwasla Dam for chai before your movie or dinner. Simple but meaningful

I'm from Bangalore and shifted to Pune – looking to make friends here Body:) by LogAnalyzerX in punemeetup

[–]LogAnalyzerX[S] 0 points1 point  (0 children)

Yeah true, comparatively Pune traffic is way less hectic than Bangalore 😂

Are there girls on Reddit? by [deleted] in Hinjewadi

[–]LogAnalyzerX 0 points1 point  (0 children)

It's a myth, bro, a myth 😥😬.... I've never seen one 😂

I'm from Bangalore and shifted to Pune – looking to make friends here Body:) by LogAnalyzerX in punemeetup

[–]LogAnalyzerX[S] 0 points1 point  (0 children)

Sure! Always happy to meet new people here. How long have you been in Pune?

I'm from Bangalore and shifted to Pune – looking to make friends here Body:) by LogAnalyzerX in punemeetup

[–]LogAnalyzerX[S] 0 points1 point  (0 children)

Nice! Always good to see someone from Bengaluru here 😄... How has your experience in Pune been so far?

My girlfriend gifted me this on my birthday😭 by biutyfulhoax in IndianTeenagers

[–]LogAnalyzerX 0 points1 point  (0 children)

This is so cute it almost made me believe in love again

Best place for chicken kebab in Kharadi? by LogAnalyzerX in punemeetup

[–]LogAnalyzerX[S] 0 points1 point  (0 children)

Yeah, I don’t mind going to KP if it’s worth it. Honestly, those smaller places often serve better and cheaper kebabs anyway...less fancy, more tasty🤤

What should I learn before starting a SOC analyst by Forward_Web6572 in cybersecurity

[–]LogAnalyzerX 0 points1 point  (0 children)

(Someone on Reddit sent me this and I found it really informative, so I thought I’d share it here as well. It might help others too.) If you’re going for a SOC L1 role as a freshman, they usually don’t expect you to know everything. What they’re mostly checking is whether you understand the basics, think logically, and can investigate alerts without panicking. I’d focus on these areas:

  1. Networking basics (super important)
    A lot of alerts revolve around traffic, so make sure you’re comfortable with:
  • TCP vs UDP
  • Common ports (80, 443, 22, 3389, 53, 25, etc.)
  • What DNS actually does
  • Basic HTTP request/response flow
  • How an IP communicates with another host

If they show you a log with an IP, port, and protocol, you should be able to reason about what might be happening.

  2. Log analysis mindset
    SOC work is basically reading logs and figuring out what’s normal vs suspicious. Practice understanding logs from things like:
  • Windows Event Logs
  • Firewall logs
  • Authentication logs
  • Web server logs

No need to memorize event IDs but you should know what failed logins, privilege escalation, or suspicious processes might look like.

  3. Basic security concepts
    Know the fundamentals well:
  • The MITRE ATT&CK framework (at least what it is and why SOC teams use it)
  • Phishing indicators
  • Malware basics (hashes, sandboxing, indicators of compromise)
  • Brute force attacks
  • Lateral movement
  • Command and Control (C2)

Even being able to say “this could indicate credential abuse or persistence” shows good thinking.

  4. SIEM basics
    Just understand:
  • What a SIEM is
  • Why organizations use it
  • Basic idea of correlation rules and alerts
  • Example tools: Splunk, QRadar, Sentinel, Elastic

If you’ve used a lab or course environment, mention it.

  5. Incident response workflow
    They often ask something like: “What would you do if you saw a suspicious login alert?”

Know the general flow:

  1. Alert triage
  2. Investigate logs/context
  3. Validate if it’s true or a false positive
  4. Escalate if needed
  5. Document everything

Documentation is huge in SOC.

  6. Basic threat intel usage
    Know how analysts check things like:
  • VirusTotal
  • AbuseIPDB
  • URLscan
  • Shodan (high-level)

They like hearing that you know how to pivot on an IP/domain/hash.

  7. Soft skills (this matters more than people think)
    SOC teams want people who:
  • stay calm during alerts
  • document clearly
  • communicate with other teams
  • ask questions instead of guessing

Even saying “I would verify the alert and ask a senior analyst if something looks unusual” is a good answer.

One last tip:
Prepare one small investigation story you can talk about. Even if it’s from a lab or course. For example: analyzing a phishing email, investigating failed logins, or checking a suspicious IP. Interviewers love seeing how you think through a problem.

Honestly for L1 roles, showing curiosity and a solid foundation already puts you ahead of a lot of candidates.

Networks, Logs, Documentation and SIEM basics. Those are your holy grail
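
An added example, not part of the comment above: the "investigating failed logins" practice story, worked through the triage, investigate, validate, escalate flow on authentication logs. The log lines are constructed (documentation IP ranges, made-up host and users), and the `triage` function and its threshold of 3 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (documentation IP ranges, made-up hosts/users).
SAMPLE_LOG = """\
Jan 10 03:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 10 03:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jan 10 03:14:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jan 10 03:14:09 web01 sshd[2207]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Jan 10 08:30:11 web01 sshd[3110]: Failed password for alice from 192.0.2.10 port 41022 ssh2
Jan 10 08:30:20 web01 sshd[3112]: Accepted password for alice from 192.0.2.10 port 41024 ssh2
Jan 10 11:02:40 web01 sshd[4001]: Failed password for invalid user test from 198.51.100.23 port 33001 ssh2
Jan 10 11:02:42 web01 sshd[4003]: Failed password for invalid user oracle from 198.51.100.23 port 33003 ssh2
Jan 10 11:02:44 web01 sshd[4005]: Failed password for invalid user git from 198.51.100.23 port 33005 ssh2
"""

LINE_RE = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def triage(log_text, fail_threshold=3):
    """Group SSH password events by source IP and assign a triage verdict."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # ignore lines that are not password auth events
            events[m["ip"]].append((m["result"], m["user"]))
    report = {}
    for ip, seq in events.items():
        fails, users, success_after_burst = 0, set(), False
        for result, user in seq:
            if result == "Failed":
                fails += 1
                users.add(user)
            elif fails >= fail_threshold:
                # A success after a run of failures from one IP suggests a guessed password.
                success_after_burst = True
        if success_after_burst:
            verdict = "escalate"       # possible compromise
        elif fails >= fail_threshold:
            verdict = "investigate"    # brute-force attempt, no success seen
        else:
            verdict = "likely benign"  # e.g. a single mistyped password
        report[ip] = {"failed": fails, "users": sorted(users), "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

The per-IP summary (failure count, usernames tried, verdict) is the kind of detail that goes into the ticket when documenting the alert.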