[Apr 10, 2026] Pass NSE7_SOC_AR-7.6 Review Guide, Reliable NSE7_SOC_AR-7.6 Test Engine
NSE7_SOC_AR-7.6 Test Engine Practice Test Questions, Exam Dumps
Fortinet NSE7_SOC_AR-7.6 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
NEW QUESTION # 18
Refer to the exhibit.
Which shows the partial output of the MITRE ATT&CK Enterprise matrix on FortiAnalyzer.
Which two statements are true? (Choose two.)
- A. There are event handlers that cover tactic T1071.
- B. There are four subtechniques that fall under technique T1071.
- C. There are four techniques that fall under tactic T1071.
- D. There are 15 events associated with the tactic.
Answer: A,B
Explanation:
* Understanding the MITRE ATT&CK Matrix:
* The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations.
* Each tactic in the matrix represents the "why" of an attack technique, while each technique represents "how" an adversary achieves a tactic.
* Analyzing the Provided Exhibit:
* The exhibit shows part of the MITRE ATT&CK Enterprise matrix as displayed on FortiAnalyzer.
* The focus is on technique T1071 (Application Layer Protocol), which has subtechniques labeled T1071.001, T1071.002, T1071.003, and T1071.004.
* Each subtechnique specifies a different type of application layer protocol used for Command and Control (C2):
* T1071.001 Web Protocols
* T1071.002 File Transfer Protocols
* T1071.003 Mail Protocols
* T1071.004 DNS
* Identifying Key Points:
* Subtechniques under T1071:There are four subtechniques listed under the primary technique T1071, confirming that statement B is true.
* Event Handlers for T1071:FortiAnalyzer includes event handlers for monitoring various tactics and techniques. The presence of event handlers for tactic T1071 suggests active monitoring and alerting for these specific subtechniques, confirming that statement C is true.
* Misconceptions Clarified:
* Statement A (four techniques under tactic T1071) is incorrect because T1071 is a single technique with four subtechniques.
* Statement D (15 events associated with the tactic) is misleading. The number 15 refers to the techniques under the Application Layer Protocol, not directly related to the number of events.
Conclusion:
* The accurate interpretation of the exhibit confirms that there are four subtechniques under technique T1071 and that there are event handlers covering tactic T1071.
References:
MITRE ATT&CK Framework documentation.
FortiAnalyzer Event Handling and MITRE ATT&CK Integration guides.
NEW QUESTION # 19
Refer to the exhibits.
The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.
Why is the FortiMail Sender Blocklist playbook execution failing7
- A. The client-side browser does not trust the FortiAnalzyer self-signed certificate.
- B. You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.
- C. FortiMail is expecting a fully qualified domain name (FQDN).
- D. The connector credentials are incorrect
Answer: C
Explanation:
* Understanding the Playbook Configuration:
* The playbook "FortiMail Sender Blocklist" is designed to manually input email addresses or IP addresses and add them to the FortiMail block list.
* The playbook uses a FortiMail connector with the action ADD_SENDER_TO_BLOCKLIST.
* Analyzing the Playbook Execution:
* The configuration and actions provided show that the playbook is straightforward, starting with an ON_DEMAND STARTER and proceeding to the ADD_SENDER_TO_BLOCKLIST action.
* The action description indicates it is intended to block senders based on email addresses or domains.
* Evaluating the Options:
* Option A:Using GET_EMAIL_STATISTICS is not required for the task of adding senders to a block list. This action retrieves email statistics and is unrelated to the block list configuration.
* Option B:The primary reason for failure could be the requirement for a fully qualified domain name (FQDN). FortiMail typically expects precise information to ensure the correct entries are added to the block list.
* Option C:The trust level of the client-side browser with FortiAnalyzer's self-signed certificate does not impact the execution of the playbook on FortiMail.
* Option D:Incorrect connector credentials would result in an authentication error, but the problem described is more likely related to the format of the input data.
* Conclusion:
* The FortiMail Sender Blocklist playbook execution is failing because FortiMail is expecting a fully qualified domain name (FQDN).
References:
Fortinet Documentation on FortiMail Connector Actions.
Best Practices for Configuring FortiMail Block Lists.
NEW QUESTION # 20
Refer to the exhibit.
You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.
How can you fix this?
- A. Increase the trigger count so that it identifies and reduces the count triggered by a particular group.
- B. Increase the log field value so that it looks for more unique field values when it creates the event.
- C. Decrease the time range that the custom event handler covers during the attack.
- D. Disable the custom event handler because it is not working as expected.
Answer: A
Explanation:
* Understanding the Issue:
* The custom event handler for detecting SMTP reconnaissance activities is generating a large number of events.
* This high volume of events is overwhelming the notification system, leading to potential alert fatigue and inefficiency in incident response.
* Event Handler Configuration:
* Event handlers are configured to trigger alerts based on specific criteria.
* The frequency and volume of these alerts can be controlled by adjusting the trigger conditions.
* Possible Solutions:
* A. Increase the trigger count so that it identifies and reduces the count triggered by a particular group:
* By increasing the trigger count, you ensure that the event handler only generates alerts after a higher threshold of activity is detected.
* This reduces the number of events generated and helps prevent overwhelming the notification system.
* Selected as it effectively manages the volume of generated events.
* B. Disable the custom event handler because it is not working as expected:
* Disabling the event handler is not a practical solution as it would completely stop monitoring for SMTP reconnaissance activities.
* Not selected as it does not address the issue of fine-tuning the event generation.
* C. Decrease the time range that the custom event handler covers during the attack:
* Reducing the time range might help in some cases, but it could also lead to missing important activities if the attack spans a longer period.
* Not selected as it could lead to underreporting of significant events.
* D. Increase the log field value so that it looks for more unique field values when it creates the event:
* Adjusting the log field value might refine the event criteria, but it does not directly control the volume of alerts.
* Not selected as it is not the most effective way to manage event volume.
* Implementation Steps:
* Step 1: Access the event handler configuration in FortiAnalyzer.
* Step 2: Locate the trigger count setting within the custom event handler for SMTP reconnaissance.
* Step 3: Increase the trigger count to a higher value that balances alert sensitivity and volume.
* Step 4: Save the configuration and monitor the event generation to ensure it aligns with expected levels.
* Conclusion:
* By increasing the trigger count, you can effectively reduce the number of events generated by the custom event handler, preventing the notification system from being overwhelmed.
Fortinet Documentation on Event Handlers and Configuration FortiAnalyzer Administration Guide Best Practices for Event Management Fortinet Knowledge Base By increasing the trigger count in the custom event handler, you can manage the volume of generated events and prevent the notification system from being overwhelmed.
NEW QUESTION # 21
Match the FortiSIEM device type to its description. Select each FortiSIEM device type in the left column, hold and drag it to the blank space next to its corresponding description in the column on the right.
Answer:
Explanation:
* Collector2.Worker3.Supervisor4.Agent
* The FortiSIEM 7.3 architecture is built upon a distributed multi-tenant model consisting of several distinct functional roles to ensure scalability and performance:
* Supervisor:This is the primary management node in a FortiSIEM cluster. It hosts the Graphical User Interface (GUI), the Configuration Management Database (CMDB), and manages the overall system configurations, reporting, and dashboarding.
* Worker:These nodes are responsible for the heavy lifting of data processing. They execute real- time event correlation against the rules engine, perform historical search queries, and handle the analytics workload to ensure the Supervisor node is not overwhelmed.
* Collector:Collectors are typically deployed at remote sites or different network segments to offload log collection from the central cluster. They receive logs via Syslog, SNMP, or WMI, compress the data, and securely forward it to the Workers or Supervisor. They also perform performance monitoring of local devices.
* Agent:These are lightweight software components installed directly on endpoints (Windows
/Linux). Their primary role is to collect local endpoint logs, monitor file integrity (system changes), and track user activity that cannot be captured via traditional network-based logging.
NEW QUESTION # 22
Review the incident report:
An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails.
The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain.
Which two MITRE ATT&CK tactics best fit this report? (Choose two answers)
- A. Discovery
- B. Defense Evasion
- C. Initial Access
- D. Reconnaissance
Answer: C,D
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
Based on the official documentation forFortiSIEM 7.3(which utilizes the MITRE ATT&CK mapping for incident correlation) andFortiSOAR 7.6(which uses these tactics for incident classification and playbook triggering):
* Reconnaissance (Tactic TA0043):This tactic consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. In this scenario, the attacker identifies "employee names, roles, and email patterns from public press releases." This is categorized underGather Victim Org Information (T1591)andSearch Open Technical Databases (T1596). Since this activity happens prior to the compromise and involves gathering intelligence, it is strictly Reconnaissance.
* Initial Access (Tactic TA0001):This tactic covers techniques that use various entry vectors to gain an initial foothold within a network. The act of sending "tailored emails... to recipients to review an attached agenda using a link" is the definition ofPhishing: Spearphishing Link (T1566.002). This is the specific delivery mechanism used to gain the initial entry.
Why other options are incorrect:
* Discovery (B):This tactic involves techniques an adversary uses to gain knowledge about the internal network after they have already gained access. Since the attacker is looking at public press releases, they are operating outside the perimeter.
* Defense Evasion (D):This tactic consists of techniques that adversaries use to avoid detection throughout their compromise. While using an external link might bypass some basic reputation filters, the primary goal described in the report is the act of establishing contact and access, which is the core of the Initial Access tactic.
NEW QUESTION # 23
Refer to Exhibit:
You are tasked with reviewing a new FortiAnalyzer deployment in a network with multiple registered logging devices. There is only one FortiAnalyzer in the topology.
Which potential problem do you observe?
- A. The analytics-to-archive ratio is misconfigured.
- B. The archive retention period is too long.
- C. The disk space allocated is insufficient.
- D. The analytics retention period is too long.
Answer: A
Explanation:
* Understanding FortiAnalyzer Data Policy and Disk Utilization:
* FortiAnalyzer uses data policies to manage log storage, retention, and disk utilization.
* The Data Policy section indicates how long logs are kept for analytics and archive purposes.
* The Disk Utilization section specifies the allocated disk space and the proportions used for analytics and archive, as well as when alerts should be triggered based on disk usage.
* Analyzing the Provided Exhibit:
* Keep Logs for Analytics:60 Days
* Keep Logs for Archive:120 Days
* Disk Allocation:300 GB (with a maximum of 441 GB available)
* Analytics: Archive Ratio:30% : 70%
* Alert and Delete When Usage Reaches:90%
* Potential Problems Identification:
* Disk Space Allocation:The allocated disk space is 300 GB out of a possible 441 GB, which might not be insufficient if the log volume is high, but it is not the primary concern based on the given data.
* Analytics-to-Archive Ratio:The ratio of 30% for analytics and 70% for archive is unconventional.
Typically, a higher percentage is allocated for analytics since real-time or recent data analysis is often prioritized. A common configuration might be a 70% analytics and 30% archive ratio. The misconfigured ratio can lead to insufficient space for analytics, causing issues with real-time monitoring and analysis.
* Retention Periods:While the retention periods could be seen as lengthy, they are not necessarily indicative of a problem without knowing the specific log volume and compliance requirements.
The length of these periods can vary based on organizational needs and legal requirements.
* Conclusion:
* Based on the analysis, the primary issue observed is theanalytics-to-archive ratiobeing misconfigured. This misconfiguration can significantly impact the effectiveness of the FortiAnalyzer in real-time log analysis, potentially leading to delayed threat detection and response.
References:
Fortinet Documentation on FortiAnalyzer Data Policies and Disk Management.
Best Practices for FortiAnalyzer Log Management and Disk Utilization.
NEW QUESTION # 24
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)
- A. {{ vars.input.params.<variable_name> }}
- B. {{ vars.item.<variable_name> }}
- C. {{ vars.steps.<variable_name> }}
- D. {{ globalVars.<variable_name> }}
Answer: A
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, the playbook engine utilizes Jinja2 expressions to handle dynamic data. When a playbook is configured with aManual Trigger, the administrator can define input fields (such as text, picklists, or checkboxes) that an analyst must fill out when executing the playbook from a record.
* Input Parameter Mapping:Any data entered by the user during this manual trigger phase is automatically mapped to the input.params dictionary within the vars object. Therefore, the syntax to retrieve a specific input value is {{ vars.input.params.variable_name }}.
* Scope of Variables:This specific path ensures that the variable is pulled from the initial user input rather than from the output of a subsequent step (vars.steps) or a globally defined variable (globalVars).
NEW QUESTION # 25
Refer to the exhibits.
The DOS attack playbook is configured to create an incident when an event handler generates a denial-of-ser
/ice (DoS) attack event.
Why did the DOS attack playbook fail to execute?
- A. The Get Events task is configured to execute in the incorrect order.
- B. The Attach_Data_To_lncident task is expecting an integer value but is receiving the incorrect data type.
- C. The Attach_Data_To_lncident task failed.
- D. The Create SMTP Enumeration incident task is expecting an integer value but is receiving the incorrect data type
Answer: D
Explanation:
* Understanding the Playbook and its Components:
* The exhibit shows the status of a playbook named "DOS attack" and its associated tasks.
* The playbook is designed to execute a series of tasks upon detecting a DoS attack event.
* Analysis of Playbook Tasks:
* Attach_Data_To_Incident:Task ID placeholder_8fab0102, status is "upstream_failed," meaning it did not execute properly due to a previous task's failure.
* Get Events:Task ID placeholder_fa2a573c, status is "success."
* Create SMTP Enumeration incident:Task ID placeholder_3db75c0a, status is "failed."
* Reviewing Raw Logs:
* The error log shows a ValueError: invalid literal for int() with base 10: '10.200.200.100'.
* This error indicates that the task attempted to convert a string (the IP address '10.200.200.100') to an integer, which is not possible.
* Identifying the Source of the Error:
* The error occurs in the file "incident_operator.py," specifically in the execute method.
* This suggests that the task "Create SMTP Enumeration incident" is the one causing the issue because it failed to process the data type correctly.
* Conclusion:
* The failure of the playbook is due to the "Create SMTP Enumeration incident" task receiving a string value (an IP address) when it expects an integer value. This mismatch in data types leads to the error.
References:
Fortinet Documentation on Playbook and Task Configuration.
Python error handling documentation for understanding ValueError.
NEW QUESTION # 26
Which two types of variables can you use in playbook tasks? (Choose two.)
- A. Trigger
- B. Create
- C. input
- D. Output
Answer: C,D
Explanation:
* Understanding Playbook Variables:
* Playbook tasks in Security Operations Center (SOC) playbooks use variables to pass and manipulate data between different steps in the automation process.
* Variables help in dynamically handling data, making the playbook more flexible and adaptive to different scenarios.
* Types of Variables:
* Input Variables:
* Input variables are used to provide data to a playbook task. These variables can be set manually or derived from previous tasks.
* They act as parameters that the task will use to perform its operations.
* Output Variables:
* Output variables store the result of a playbook task. These variables can then be used as inputs for subsequent tasks.
* They capture the outcome of the task's execution, allowing for the dynamic flow of information through the playbook.
* Other Options:
* Create:Not typically referred to as a type of variable in playbook tasks. It might refer to an action but not a variable type.
* Trigger:Refers to the initiation mechanism of the playbook or task (e.g., an event trigger), not a type of variable.
* Conclusion:
* The two types of variables used in playbook tasks areinputandoutput.
References:
Fortinet Documentation on Playbook Configuration and Variable Usage.
General SOC Automation and Orchestration Practices.
NEW QUESTION # 27
Which two ways can you create an incident on FortiAnalyzer? (Choose two.)
- A. Using a custom event handler
- B. By running a playbook
- C. Manually, on the Event Monitor page
- D. Using a connector action
Answer: A,C
Explanation:
* Understanding Incident Creation in FortiAnalyzer:
* FortiAnalyzer allows for the creation of incidents to track and manage security events.
* Incidents can be created both automatically and manually based on detected events and predefined rules.
* Analyzing the Methods:
* Option A:Using a connector action typically involves integrating with other systems or services and is not a direct method for creating incidents on FortiAnalyzer.
* Option B:Incidents can be created manually on the Event Monitor page by selecting relevant events and creating incidents from those events.
* Option C:While playbooks can automate responses and actions, the direct creation of incidents is usually managed through event handlers or manual processes.
* Option D:Custom event handlers can be configured to trigger incident creation based on specific events or conditions, automating the process within FortiAnalyzer.
* Conclusion:
* The two valid methods for creating an incident on FortiAnalyzer are manually on the Event Monitor page and using a custom event handler.
References:
Fortinet Documentation on Incident Management in FortiAnalyzer.
FortiAnalyzer Event Handling and Customization Guides.
NEW QUESTION # 28
Which of the following are critical when analyzing and managing events and incidents in a SOC? (Choose two answers)
- A. Immediate escalation for all alerts
- B. Accurate detection of threats
- C. Periodic system downtime for maintenance
- D. Rapid identification of false positives
Answer: B,D
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
In a modern Security Operations Center (SOC) environment powered byFortiSIEM 7.3andFortiSOAR 7.6, the efficiency of the incident response lifecycle depends on two primary pillars of analysis:
* Accurate detection of threats (A):The primary goal of a SOC is to identify genuine malicious activity.
Using FortiSIEM's correlation rules and machine learning (UEBA), the system must be tuned to detect patterns that signify real risk. Accuracy ensures that the SOC is not blinded by noise and can focus on critical security events that impact the organization's posture.
* Rapid identification of false positives (C):"Alert Fatigue" is one of the greatest challenges in a SOC.
Analysts must be able to quickly distinguish between legitimate anomalies (false positives) and actual threats.FortiSOARassists in this by using automated playbooks to perform initial triage and "pre- processing"-such as checking IP reputations or verifying user activity-to automatically close or demote alerts that do not represent a true threat, thereby freeing up analysts for high-priority investigations.
Why other options are incorrect:
* Immediate escalation for all alerts (B):This is a poor SOC practice. Escalating every alert without triage leads to analyst burnout and overloads senior responders with low-value tasks. The goal of a tiered SOC (Tier 1, Tier 2, Tier 3) is to filter alerts so only significant incidents are escalated.
* Periodic system downtime (D):SOC systems (SIEM/SOAR) are considered "Mission Critical" and must operate on a24/7/365basis. Maintenance should be performed using High Availability (HA) configurations or during "low-flow" windows without causing a complete stop in monitoring, as attackers often leverage downtime to strike.
NEW QUESTION # 29
Review the incident report:
Packet captures show a host maintaining periodic TLS sessions that imitate normal HTTPS traffic but run on TCP 8443 to a single external host. An analyst flags the traffic as potential command-and-control. During the same period, the host issues frequent DNS queries with oversized TXT payloads to an attacker-controlled domain, transferring staged files.
Which two MITRE ATT&CK techniques best describe this activity? (Choose two answers)
- A. Hide Artifacts
- B. Exploitation of Remote Services
- C. Non-Standard Port
- D. Exfiltration Over Alternative Protocol
Answer: C,D
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
In accordance with the MITRE ATT&CK mapping utilized byFortiSIEM 7.3andFortiSOAR 7.6, the described behaviors correspond to the following techniques:
* Non-Standard Port (T1571):This technique involves adversaries communicating using a protocol and port pairing that are typically not associated. The incident report identifies HTTPS (TLS) traffic running onTCP 8443rather than the standard port 443.FortiSIEMspecifically includes built-in correlation rules, such as "Suspicious Typical Malware Back Connect Ports," designed to detect these protocol-port mismatches.
* Exfiltration Over Alternative Protocol (T1048):This technique describes adversaries stealing data by exfiltrating it over a different protocol than the primary command and control (C2) channel. In this scenario, while the C2 channel is established via HTTPS on port 8443, the adversary is transferring staged files usingDNS queries with oversized TXT payloads. DNS is a common "alternative protocol" used to bypass standard data transfer monitoring and egress filtering.
Analysis of Incorrect Options:
* Exploitation of Remote Services (B):This technique falls underInitial AccessorLateral Movementtactics, focusing on gaining entry into a system via vulnerabilities in network services like SMB or RDP. It does not apply to the maintenance of an established C2 channel or the exfiltration of data.
* Hide Artifacts (D):This is aDefense Evasiontechnique where an adversary attempts to conceal their presence by removing traces such as log files or registry keys. While the attacker is "imitating normal traffic," the specific acts of using a non-standard port and DNS exfiltration are primary behavioral signatures defined by their own more specific techniques.
NEW QUESTION # 30
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence. Select each workflow component in the left column, hold and drag it to a blank position in the column on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column.
Answer:
Explanation:
Explanation:
1.FortiSIEM incident2.FortiSOAR alert3.FortiSOAR indicator4.FortiSOAR incident In the standard integration betweenFortiSIEM 7.3andFortiSOAR 7.6, the data ingestion wizard follows a specific object mapping hierarchy to ensure that high-fidelity security events are managed correctly.
* Step 1: FortiSIEM incident:The workflow begins in FortiSIEM. When a correlation rule triggers, it generates anIncident(not just a raw log). The FortiSOAR connector polls the FortiSIEM API specifically for these incident records.
* Step 2: FortiSOAR alert:By default, ingested FortiSIEM incidents are mapped to theAlertsmodule in FortiSOAR. This serves as a "triage" layer where automated playbooks can perform initial analysis before a human determines if it warrants a full-scale investigation.
* Step 3: FortiSOAR indicator:As the alert is processed (either during ingestion or immediately after), the playbook extracts technical artifacts (IPs, hashes, URLs) and createsIndicatorrecords. This allows for automated threat intelligence lookups and cross-referencing against other alerts.
* Step 4: FortiSOAR incident:If the alert is validated (either through automated playbook scoring or manual analyst review), it is promoted to aFortiSOAR Incident. This represents a confirmed security issue that requires formal tracking, remediation, and reporting.
NEW QUESTION # 31
When configuring a FortiAnalyzer to act as a collector device, which two steps must you perform? (Choose two.)
- A. Configure Fabric authorization on the connecting interface.
- B. Enable log compression.
- C. Configure the data policy to focus on archiving.
- D. Configure log forwarding to a FortiAnalyzer in analyzer mode.
Answer: A,D
Explanation:
* Understanding FortiAnalyzer Roles:
* FortiAnalyzer can operate in two primary modes: collector mode and analyzer mode.
* Collector Mode: Gathers logs from various devices and forwards them to another FortiAnalyzer operating in analyzer mode for detailed analysis.
* Analyzer Mode: Provides detailed log analysis, reporting, and incident management.
* Steps to Configure FortiAnalyzer as a Collector Device:
* A. Enable Log Compression:
* While enabling log compression can help save storage space, it is not a mandatory step specifically required for configuring FortiAnalyzer in collector mode.
* Not selected as it is optional and not directly related to the collector configuration process.
* B. Configure Log Forwarding to a FortiAnalyzer in Analyzer Mode:
* Essential for ensuring that logs collected by the collector FortiAnalyzer are sent to the analyzer FortiAnalyzer for detailed processing.
* Selected as it is a critical step in configuring a FortiAnalyzer as a collector device.
* Step 1: Access the FortiAnalyzer interface and navigate to log forwarding settings.
* Step 2: Configure log forwarding by specifying the IP address and necessary credentials of the FortiAnalyzer in analyzer mode.
Fortinet Documentation on Log Forwarding FortiAnalyzer Log Forwarding
C). Configure the Data Policy to Focus on Archiving:
Data policy configuration typically relates to how logs are stored and managed within FortiAnalyzer, focusing on archiving may not be specifically required for a collector device setup.
Not selected as it is not a necessary step for configuring the collector mode.
D). Configure Fabric Authorization on the Connecting Interface:
Necessary to ensure secure and authenticated communication between FortiAnalyzer devices within the Security Fabric.
Selected as it is essential for secure integration and communication.
Step 1: Access the FortiAnalyzer interface and navigate to the Fabric authorization settings.
Step 2: Enable Fabric authorization on the interface used for connecting to other Fortinet devices and FortiAnalyzers.
Reference: Fortinet Documentation on Fabric Authorization FortiAnalyzer Fabric Authorization Implementation Summary:
Configure log forwarding to ensure logs collected are sent to the analyzer.
Enable Fabric authorization to ensure secure communication and integration within the Security Fabric.
Conclusion:
Configuring log forwarding and Fabric authorization are key steps in setting up a FortiAnalyzer as a collector device to ensure proper log collection and forwarding for analysis.
References:
Fortinet Documentation on FortiAnalyzer Roles and Configurations FortiAnalyzer Administration Guide By configuring log forwarding to a FortiAnalyzer in analyzer mode and enabling Fabric authorization on the connecting interface, you can ensure proper setup of FortiAnalyzer as a collector device.
NEW QUESTION # 32
Which role does a threat hunter play within a SOC?
- A. Monitor network logs to identify anomalous behavior
- B. Search for hidden threats inside a network which may have eluded detection
- C. Collect evidence and determine the impact of a suspected attack
- D. investigate and respond to a reported security incident
Answer: B
Explanation:
* Role of a Threat Hunter:
* A threat hunter proactively searches for cyber threats that have evaded traditional security defenses. This role is crucial in identifying sophisticated and stealthy adversaries that bypass automated detection systems.
* Key Responsibilities:
* Proactive Threat Identification:
* Threat hunters use advanced tools and techniques to identify hidden threats within the network. This includes analyzing anomalies, investigating unusual behaviors, and utilizing threat intelligence.
Reference: SANS Institute, "Threat Hunting: Open Season on the Adversary" SANS Threat Hunting Understanding the Threat Landscape:
They need a deep understanding of the threat landscape, including common and emerging tactics, techniques, and procedures (TTPs) used by threat actors.
Reference: MITRE ATT&CK Framework MITRE ATT&CK
Advanced Analytical Skills:
Utilizing advanced analytical skills and tools, threat hunters analyze logs, network traffic, and endpoint data to uncover signs of compromise.
Reference: Cybersecurity and Infrastructure Security Agency (CISA) Threat Hunting Guide CISA Threat Hunting Distinguishing from Other Roles:
Investigate and Respond to Incidents (A):
This is typically the role of an Incident Responder who reacts to reported incidents, collects evidence, and determines the impact.
Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide"NIST Incident Handling Collect Evidence and Determine Impact (B):
This is often the role of a Digital Forensics Analyst who focuses on evidence collection and impact assessment post-incident.
Monitor Network Logs (D):
This falls under the responsibilities of a SOC Analyst who monitors logs and alerts for anomalous behavior and initial detection.
Conclusion:
Threat hunters are essential in a SOC for uncovering sophisticated threats that automated systems may miss.
Their proactive approach is key to enhancing the organization's security posture.
References:
SANS Institute, "Threat Hunting: Open Season on the Adversary"
MITRE ATT&CK Framework
CISA Threat Hunting Guide
NIST Special Publication 800-61, "Computer Security Incident Handling Guide" By searching for hidden threats that elude detection, threat hunters play a crucial role in maintaining the security and integrity of an organization's network.
NEW QUESTION # 33
A customer wants FortiAnalyzer to run an automation stitch that executes a CLI command on FortiGate to block a predefined list of URLs, if a botnet command-and-control (C&C) server IP is detected.
Which FortiAnalyzer feature must you use to start this automation process?
- A. Event handler
- B. Playbook
- C. Data selector
- D. Connector
Answer: A
Explanation:
* Understanding Automation Processes in FortiAnalyzer:
* FortiAnalyzer can automate responses to detected security events, such as running commands on FortiGate devices.
* Analyzing the Customer Requirement:
* The customer wants to run a CLI command on FortiGate to block predefined URLs when a botnet C&C server IP is detected.
* This requires an automated response triggered by a specific event.
* Evaluating the Options:
* Option A:Playbooks orchestrate complex workflows but are not typically used for direct event- triggered automation processes.
* Option B:Data selectors filter logs based on criteria but do not initiate automation processes.
* Option C:Event handlers can be configured to detect specific events (such as detecting a botnet C&C server IP) and trigger automation stitches to execute predefined actions.
* Option D:Connectors facilitate communication between FortiAnalyzer and other systems but are not the primary mechanism for initiating automation based on log events.
* Conclusion:
* To start the automation process when a botnet C&C server IP is detected, you must use anEvent handlerin FortiAnalyzer.
References:
Fortinet Documentation on Event Handlers and Automation Stitches in FortiAnalyzer.
Best Practices for Configuring Automated Responses in FortiAnalyzer.
NEW QUESTION # 34
Refer to the exhibit.
You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.
How can you fix this?
- A. Increase the trigger count so that it identifies and reduces the count triggered by a particular group.
- B. Increase the log field value so that it looks for more unique field values when it creates the event.
- C. Decrease the time range that the custom event handler covers during the attack.
- D. Disable the custom event handler because it is not working as expected.
Answer: A
Explanation:
* Understanding the Issue:
* The custom event handler for detecting SMTP reconnaissance activities is generating a large number of events.
* This high volume of events is overwhelming the notification system, leading to potential alert fatigue and inefficiency in incident response.
* Event Handler Configuration:
* Event handlers are configured to trigger alerts based on specific criteria.
* The frequency and volume of these alerts can be controlled by adjusting the trigger conditions.
* Possible Solutions:
* A. Increase the trigger count so that it identifies and reduces the count triggered by a particular group:
* By increasing the trigger count, you ensure that the event handler only generates alerts after a higher threshold of activity is detected.
* This reduces the number of events generated and helps prevent overwhelming the notification system.
* Selected as it effectively manages the volume of generated events.
* B. Disable the custom event handler because it is not working as expected:
* Disabling the event handler is not a practical solution as it would completely stop monitoring for SMTP reconnaissance activities.
* Not selected as it does not address the issue of fine-tuning the event generation.
* C. Decrease the time range that the custom event handler covers during the attack:
* Reducing the time range might help in some cases, but it could also lead to missing important activities if the attack spans a longer period.
* Not selected as it could lead to underreporting of significant events.
* D. Increase the log field value so that it looks for more unique field values when it creates the event:
* Adjusting the log field value might refine the event criteria, but it does not directly control the volume of alerts.
* Not selected as it is not the most effective way to manage event volume.
* Implementation Steps:
* Step 1: Access the event handler configuration in FortiAnalyzer.
* Step 2: Locate the trigger count setting within the custom event handler for SMTP reconnaissance.
* Step 3: Increase the trigger count to a higher value that balances alert sensitivity and volume.
* Step 4: Save the configuration and monitor the event generation to ensure it aligns with expected levels.
* Conclusion:
* By increasing the trigger count, you can effectively reduce the number of events generated by the custom event handler, preventing the notification system from being overwhelmed.
Fortinet Documentation on Event Handlers and Configuration FortiAnalyzer Administration Guide Best Practices for Event Management Fortinet Knowledge Base By increasing the trigger count in the custom event handler, you can manage the volume of generated events and prevent the notification system from being overwhelmed.
NEW QUESTION # 35
Refer to the exhibits.
How is the investigation and remediation output generated on FortiSIEM? (Choose one answer)
- A. By using FortiAI to summarize the incident
- B. By viewing the Context tab of an incident
- C. By exporting an incident
- D. By running an incident report
Answer: A
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSIEM 7.3, a key innovation is the integration ofFortiAI, which provides generative AI capabilities to assist SOC analysts during the triage and response process.
* Generative AI Summary:When an incident occurs, FortiAI can automatically analyze the underlying logs, correlation logic, and MITRE ATT&CK techniques (such as "Exfiltration Over Alternative Protocol" shown in the exhibit) to generate a human-readable summary.
* Structured Output:The output displayed in the exhibit-specifically the categorizedInvestigation Actions (identifying affected systems, analyzing traffic) andRemediation Actions(immediate containment, patching, user training)-is the typical result of a FortiAI summary request.
* Analyst Efficiency:This feature is designed to reduce the "mean time to respond" (MTTR) by providing analysts with immediate, actionable steps without requiring them to manually piece together the recommended response plan from static documentation or disparate log views.
Why other options are incorrect:
* Exporting an incident (A):Exporting an incident typically results in a raw data file (CSV/JSON/PDF) containing the log data and metadata, rather than an AI-generated strategic plan for investigation and remediation.
* Running an incident report (B):Standard incident reports provide statistical and historical data about incidents over time. They do not dynamically generate specific, numbered investigation steps tailored to the unique context of a single live incident.
* Context tab (D):The Context tab in FortiSIEM is primarily used to view theCMDBinformation of the involved assets (e.g., host details, owner, location) and related historical events. While it provides thedataneeded for an investigation, it does not provide thelist of actionsto take.
NEW QUESTION # 36
Refer to the exhibit.
What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1] | [slot 2] [slot 3].[slot 4] }}
Select the Jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot.
Answer:
Explanation:
Explanation:
Slot 1:dataSlot 2:json_querySlot 3:("results[?type=='FileHash-MD5']")Slot 4:value Final Expression: {{ vars.artifacts.data | json_query("results[?type=='FileHash-MD5']") .value }} Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, advanced data manipulation within playbooks often requires the use ofJMESPathqueries via the json_query Jinja filter. To extract specific data from a complex JSON object (like the vars.artifacts dictionary shown in the exhibit), the analyst must follow the structural hierarchy:
* Slot 1 (data):Based on the exhibit, the root of the artifact information is located under vars.artifacts.
data. Therefore, "data" is the starting point for the filter.
* Slot 2 (json_query):To perform advanced filtering (searching for a specific type), the json_query filter must be applied. This allows the playbook to traverse the list and find items matching a specific key- value pair.
* Slot 3 ("results[?type=='FileHash-MD5']"):This is the JMESPath expression. It looks into the results array and applies a filter [?...] to find only those objects where the type attribute exactly matches FileHash-MD5.
* Slot 4 (value):Once the correct object(s) are found, the expression needs to return the actual hash. In the JSON exhibit, the MD5 string is stored in the key named value.
Why other options are incorrect:
* tojson:This filter converts a dictionary/list into a JSON string, which would break the ability to further query the object for the "value" field.
* results (as a standalone slot):While "results" is part of the path, it is handledinsidethe json_query string to allow for conditional filtering.
NEW QUESTION # 37
Refer to the exhibit.
How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)
- A. By creating an evidence collection task and attaching a file
- B. By tagging output or a workspace comment with the keyword Evidence
- C. By linking an indicator to the war room
- D. By executing a playbook with the Save Execution Logs option enabled
Answer: B
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, theWar Roomis a collaborative space designed for high-priority incident investigation.
TheEvidencestab within theInvestigateview (as shown in the exhibit) is specifically designed to highlight critical findings found during the investigation process.
* Evidence Tagging:To populate theAction Logs Marked As Evidencesection, an analyst must specifically tag a relevant log entry, a playbook output, or a comment within the collaboration workspace with the system-defined keyword"Evidence".
* Automatic Categorization:Once the tag is applied, FortiSOAR automatically parses these entries and displays them in this centralized view. This allows team members and stakeholders to quickly view substantiated facts and proof gathered during the "Root Cause Analysis" phase without sifting through all raw action logs.
* Manual vs. Action Logs:The exhibit shows two distinct areas: "Manually Upload Evidences" (where files like the CSLAB document shown can be dragged and dropped) and "Action Logs Marked As Evidence." The latter is reserved exclusively for system-generated logs or comments that have been promoted to evidence status via tagging.
Why other options are incorrect:
* By linking an indicator to the war room (B):Linking indicators associates technical artifacts (like IPs or hashes) with the record, but it does not automatically classify them as evidence within the War Room action log view.
* By creating an evidence collection task and attaching a file (C):While this is a valid step in an investigation, attaching a file to a task typically places it in the "Attachments" or "Manually Upload Evidences" area, rather than the "Action Logs" section specifically.
* By executing a playbook with the Save Execution Logs option enabled (D):Saving execution logs ensures a trail of what the playbook did, but it does not mark the output as "Evidence" unless the specific logic or a manual analyst action applies the "Evidence" tag to the resulting log entry.
NEW QUESTION # 38
Refer to the exhibits.
You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event handler is generating events for both spam emails and clean emails.
Which change must you make in the rule so that it detects only spam emails?
- A. In the Log Type field, select Anti-Spam Log (spam)
- B. Disable the rule to use the filter in the data selector to create the event.
- C. In the Trigger an event when field, select Within a group, the log field Spam Name (snane) has 2 or more unique values.
- D. In the Log filter by Text field, type type==spam.
Answer: A
Explanation:
* Understanding the Custom Event Handler Configuration:
* The event handler is set up to generate events based on specific log data.
* The goal is to generate events specifically for spam emails detected by FortiMail.
* Analyzing the Issue:
* The event handler is currently generating events for both spam emails and clean emails.
* This indicates that the rule's filtering criteria are not correctly distinguishing between spam and non-spam emails.
* Evaluating the Options:
* Option A:Selecting the "Anti-Spam Log (spam)" in the Log Type field will ensure that only logs related to spam emails are considered. This is the most straightforward and accurate way to filter for spam emails.
* Option B:Typing type==spam in the Log filter by Text field might help filter the logs, but it is not as direct and reliable as selecting the correct log type.
* Option C:Disabling the rule to use the filter in the data selector to create the event does not address the issue of filtering for spam logs specifically.
* Option D:Selecting "Within a group, the log field Spam Name (snane) has 2 or more unique values" is not directly relevant to filtering spam logs and could lead to incorrect filtering criteria.
* Conclusion:
* The correct change to make in the rule is to select "Anti-Spam Log (spam)" in the Log Type field. This ensures that the event handler only generates events for spam emails.
References:
Fortinet Documentation on Event Handlers and Log Types.
Best Practices for Configuring FortiMail Anti-Spam Settings.
NEW QUESTION # 39
Refer to Exhibit:
A SOC analyst is creating the Malicious File Detected playbook to run when FortiAnalyzer generates a malicious file event. The playbook must also update the incident with the malicious file event data.
What must the next task in this playbook be?
- A. A local connector with the action Update Asset and Identity
- B. A local connector with the action Attach Data to Incident
- C. A local connector with the action Update Incident
- D. A local connector with the action Run Report
Answer: C
Explanation:
* Understanding the Playbook and its Components:
* The exhibit shows a playbook in which an event trigger starts actions upon detecting a malicious file.
* The initial tasks in the playbook include CREATE_INCIDENT and GET_EVENTS.
* Analysis of Current Tasks:
* EVENT_TRIGGER STARTER: This initiates the playbook when a specified event (malicious file detection) occurs.
* CREATE_INCIDENT: This task likely creates a new incident in the incident management system for tracking and response.
* GET_EVENTS: This task retrieves the event details related to the detected malicious file.
* Objective of the Next Task:
* The next logical step after creating an incident and retrieving event details is to update the incident with the event data, ensuring all relevant information is attached to the incident record.
* This helps SOC analysts by consolidating all pertinent details within the incident record, facilitating efficient tracking and response.
* Evaluating the Options:
* Option A:Update Asset and Identity is not directly relevant to attaching event data to the incident.
* Option B:Attach Data to Incident sounds plausible but typically, updating an incident involves more comprehensive changes including status updates, adding comments, and other data modifications.
* Option C:Run Report is irrelevant in this context as the goal is to update the incident with event data.
* Option D:Update Incident is the most suitable action for incorporating event data into the existing incident record.
* Conclusion:
* The next task in the playbook should be to update the incident with the event data to ensure the incident reflects all necessary information for further investigation and response.
References:
Fortinet Documentation on Playbook Creation and Incident Management.
Best Practices for Automating Incident Response in SOC Operations.
NEW QUESTION # 40
Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three answers)
- A. Search filter
- B. Incident action
- C. Group By attributes
- D. Data source
- E. Time window
Answer: A,C,E
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
The FortiSIEM rules engine evaluates subpatterns to detect complex attack behaviors. When a rule uses an aggregate condition likeCOUNT (Matched Events), the engine calculates this value based on specific architectural parameters:
* Group By attributes (A):The engine maintains a separate counter for each unique combination of
"Group By" attributes defined in the subpattern. For example, if you group by "Source IP," the engine tracks the count of events foreachunique IP address independently.
* Time window (C):The count is relative to a specific time duration (e.g., 5 minutes). The engine only counts events that fall within this sliding or fixed window. Once an event falls outside this window, it is no longer included in the aggregate count.
* Search filter (D):Only events that satisfy the specific "Search Filter" criteria (e.g., Event Type = "Failed Login") are considered "Matched Events." The filter defines the scope of the data that the rules engine processes before applying the count.
Why other options are incorrect:
* Data source (B):While the data source determines where the logs come from, the rules engine itself uses the parsed attributes (defined in the search filter) rather than the raw data source to determine the count.
Multiple data sources might contribute to the same filter and count.
* Incident action (E):Incident actions (such as sending an email or triggering a SOAR playbook) are theresultof a rule firing. They do not influence the internal logic or calculation of the event count during the evaluation phase.
NEW QUESTION # 41
Refer to the exhibit.
You configured a playbook namedFalse Positive Close, and want to run it to verify if it works. However, when you clickExecuteand search for the playbook, you do not see it listed. Which two reasons could be the cause of the problem? (Choose two answers)
- A. Another instance of the playbook is currently executing.
- B. The manual trigger is configured to require record input to run.
- C. The Alerts module is not among the list of modules the playbook can execute on.
- D. The playbook must first be published using the Application Editor.
Answer: B,C
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, manual playbooks appear in theExecutemenu of a record only if they meet specific configuration criteria defined in theManual Triggerstep:
* Module Scope (C):When creating a playbook with a manual trigger, the administrator must explicitly select which modules (e.g., Alerts, Incidents, Indicators) can execute the playbook. If theAlertsmodule is not selected in the "Applicable Modules" section of the trigger configuration, the playbook will remain hidden from the Execute menu when an analyst is viewing the Alerts module.
* Trigger Execution Requirements (D):Manual triggers can be configured to execute onno records, asingle record, ormultiple records. If a playbook is configured with the "Requires record input to run" setting but is specifically restricted to a different input type (or if there is a mismatch in the selection logic), it will not appear in the menu unless the correct number of records are selected. Furthermore, if a playbook is designed to run only whennorecord is selected (global utility), it will not show up in the context-sensitive menu of a specific record.
Why other options are incorrect:
* Publishing (A):FortiSOAR playbooks do not require a separate "publishing" step via an Application Editor to become visible. Once they aresavedandactive(toggled on), they are immediately available for use based on their trigger settings.
* Concurrent Execution (B):FortiSOAR allows multiple instances of the same playbook to run simultaneously. An active execution of a playbook does not hide it from the menu for other analysts or subsequent runs.
NEW QUESTION # 42
......
100% Free NSE7_SOC_AR-7.6 Daily Practice Exam With 59 Questions: https://exam-labs.itpassleader.com/Fortinet/NSE7_SOC_AR-7.6-dumps-pass-exam.html