
Palo Alto Networks Data Analyst Case: Security Telemetry Impact Analysis and Executive Readout
This case mirrors Palo Alto Networks' practical, impact-oriented interview style for Data Analysts. You will investigate a true-to-life security telemetry scenario and translate findings into product and customer outcomes for platforms like Strata/Cortex/Prisma.

Scenario overview:
- Prompt: A recent content update increased high-severity alert volume for a subset of enterprise tenants. Support tickets and MTTR nudges suggest possible false positives. Your task is to quantify the issue, isolate drivers, propose measurable remediations, and communicate trade-offs to Product and Customer Success.

What you'll receive:
- A compact dataset (CSV or SQL tables) resembling PAN multi-tenant telemetry and GTM signals:
  • alerts(alert_id, customer_id, rule_id, product, severity, detected_ts, resolved_ts, disposition[true_positive|false_positive|unknown])
  • policies(rule_id, rule_name, category, rollout_ts, version)
  • customers(customer_id, seg[SMB|MM|ENT], industry, region, entitlement)
  • devices(device_id, customer_id, model, sw_version)
  • support_cases(case_id, customer_id, opened_ts, reason_code, resolved_ts)
  • usage_events(customer_id, event_ts, feature, activity)

Case tasks (what interviewers will probe):
1) Data quality and framing (5–10 min)
   - Define the decision question from a customer-first lens (e.g., reduce false positives without degrading true detections).
   - Identify missing fields/assumptions and how you'll mitigate them.
2) Core analysis (25–30 min)
   - Quantify impact: alert volume deltas pre/post rollout, by product/version/segment; compute precision, recall proxy, FPR, MTTR.
   - Slice drivers: top rules, industries, regions, sw_version, and tenant segments associated with the spike.
   - Link to outcomes: correlate alert surges with support ticket rates and feature usage changes.
3) Recommendation design (10–15 min)
   - Propose interventions (e.g., rule threshold adjustments for specific segments, guardrails, staged rollbacks, customer comms).
   - Define success metrics and a lightweight A/B or staged rollout plan; call out privacy and safety considerations.
4) Executive readout (10–15 min)
   - Deliver a crisp narrative: context → insight → impact → action plan → risks.
   - Provide one table/one chart you would show to a PM/CS leader.

Evaluation rubric (aligned to PAN culture):
- Analytical depth and SQL rigor: correct joins, careful handling of multi-tenant data, and scalable thinking.
- Security domain intuition: understands precision/recall trade-offs, false-positive cost, and operational metrics like MTTR.
- Product and customer impact: ties insights to customer experience, support burden, and roadmap decisions.
- Communication under time pressure: clear, concise storytelling for technical and non-technical stakeholders.
- Bias for action and collaboration: proposes pragmatic next steps with measurable guardrails and cross-team touchpoints.

Logistics (typical flow):
- 75 minutes total: 5–10 min brief, 35–40 min analysis, 10–15 min readout, 5–10 min Q&A.
- Tools: interviewer expects SQL first principles; Python or a quick pivot is welcome but not required; simple visuals are sufficient.

What "good" looks like:
- You quantify the size of the problem, isolate two to three high-leverage drivers, and recommend a staged fix with a clear success metric (e.g., reduce FPR by 30% in ENT tenants using sw_version ≥ X without >2% TPR degradation), plus a monitoring plan and customer communication notes.
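For the core analysis step, an added example (not part of the original case or of any Palo Alto Networks material) that computes per-rule high-severity alert volume, precision and MTTR before and after rollout_ts, using SQL run through Python's sqlite3. The rows are constructed, only a subset of the alerts and policies columns is used, and one policies row per rule with equal-length pre/post windows is assumed.

```python
import sqlite3

# Constructed sample data. Columns are a subset of the case's alerts/policies tables.
POLICIES = [("r1", "2024-03-10 00:00:00"), ("r2", "2024-03-10 00:00:00")]
ALERTS = [  # (rule_id, severity, detected_ts, resolved_ts, disposition)
    ("r1", "high", "2024-03-05 10:00:00", "2024-03-05 11:00:00", "true_positive"),
    ("r1", "high", "2024-03-06 10:00:00", "2024-03-06 12:00:00", "true_positive"),
    ("r1", "high", "2024-03-07 10:00:00", "2024-03-07 13:00:00", "false_positive"),
    ("r1", "high", "2024-03-11 10:00:00", "2024-03-11 11:00:00", "true_positive"),
    ("r1", "high", "2024-03-12 10:00:00", "2024-03-12 12:00:00", "false_positive"),
    ("r1", "high", "2024-03-13 10:00:00", "2024-03-13 13:00:00", "false_positive"),
    ("r1", "high", "2024-03-14 10:00:00", "2024-03-14 14:00:00", "false_positive"),
    ("r1", "high", "2024-03-15 10:00:00", None, "unknown"),  # still open
    ("r1", "low", "2024-03-12 09:00:00", "2024-03-12 09:30:00", "false_positive"),
    ("r2", "high", "2024-03-06 10:00:00", "2024-03-06 11:00:00", "true_positive"),
    ("r2", "high", "2024-03-12 10:00:00", "2024-03-12 11:00:00", "true_positive"),
]

QUERY = """
SELECT a.rule_id,
       CASE WHEN a.detected_ts < p.rollout_ts THEN 'pre' ELSE 'post' END AS period,
       COUNT(*) AS alerts,
       SUM(a.disposition = 'true_positive')  AS tp,
       SUM(a.disposition = 'false_positive') AS fp,
       -- AVG skips NULLs, so unresolved alerts do not distort MTTR
       AVG((CAST(strftime('%s', a.resolved_ts) AS INTEGER)
          - CAST(strftime('%s', a.detected_ts) AS INTEGER)) / 3600.0) AS mttr_hours
FROM alerts a
JOIN policies p ON p.rule_id = a.rule_id
WHERE a.severity = 'high'
GROUP BY a.rule_id, period
"""

def rule_metrics():
    """Return {(rule_id, period): metrics} for high-severity alerts around rollout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE policies(rule_id TEXT PRIMARY KEY, rollout_ts TEXT)")
    db.execute("CREATE TABLE alerts(rule_id TEXT, severity TEXT, detected_ts TEXT,"
               " resolved_ts TEXT, disposition TEXT)")
    db.executemany("INSERT INTO policies VALUES (?, ?)", POLICIES)
    db.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", ALERTS)
    out = {}
    for rule, period, n, tp, fp, mttr in db.execute(QUERY):
        labelled = tp + fp  # 'unknown' dispositions are excluded from precision
        out[(rule, period)] = {"alerts": n, "mttr_hours": mttr,
                               "precision": tp / labelled if labelled else None}
    return out
```

In this constructed data r2 acts as a control: its volume and precision are flat across the rollout, while r1 shows more alerts, lower precision and longer MTTR afterwards.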
About This Interview
Interview Type: PRODUCT SENSE
Difficulty Level: 4/5