Fortinet NSE6_EDR_AD-7.0 시험

Question No : 1

Within the FortiEDR architecture, which component needs JumpBox capabilities to enable authenticated and controlled communication with FortiAnalyzer?

• A.Core
• B.Central manager
• C.Reputation Server
• D.Aggregator

답을 확인하기

정답:
Explanation:
The central manager is responsible for integrating FortiEDR with external systems such as FortiAnalyzer. When secure and controlled communication is required through a JumpBox, the central manager uses this capability to authenticate and relay communication with FortiAnalyzer for logging, event sharing, and integration purposes.

Question No : 2

Refer to the exhibit.



You configured an execution prevention exclusion with both File Name =app.exe and Path = C:\Tools\
What will FortiEDR do?

• A.Exclude app.exe whenever it appears.
• B.Exclude all files in C:\Tools\
• C.Exclude only signed versions of app.exe.
• D.Exclude only app.exe when it is running from C:\Tools\

답을 확인하기

정답:
Explanation:
When defining a process exclusion using multiple attributes, FortiEDR requires all specified attributes to match for the exclusion to apply. Since both the file name and the path are configured, the exclusion applies only when the process named app.exe is executed from the specified directory C:\Tools.

Question No : 3

Refer to the exhibit



A FortiEDR analyst is prioritizing response efforts.
One application has a vulnerability score of Critical but an Unknown ACI rating, while another has a Medium vulnerability score with active ACI evidence of adversary targeting.
Which application must be addressed first?

• A.The application with the Medium vulnerability score and ACI evidence should be addressed first.
• B.The decision depends only on asset criticality, not scores.
• C.The application with the Critical vulnerability score should be addressed first.
• D.Both applications should be treated equally because patching is necessary.

답을 확인하기

정답:
Explanation:
Active ACI evidence indicates that adversaries are currently exploiting or targeting the vulnerability in real-world attacks. This makes the threat more immediate and actionable than a vulnerability with a higher severity score but no known adversary activity. Therefore, the application with active adversary targeting should be prioritized for response.

Question No : 4

Refer to the exhibit



An event exception is shown.
Which two statements about the exception are true? (Choose two.)
A. FCS playbooks are enabled by Fortinet support.
B. The system owner can modify the trigger rules parameters.
C. A partial exception is applied to this event.
D. The exception is applied only on device C8092231196

답을 확인하기

정답: A.D
Explanation:
The exception entry shows it was created and updated by FortinetCloud Services, indicating that Fortinet support enabled the automated FCS playbook that generated the exception. The description explicitly states that the file is classified as good on the device C8092231196, meaning the exception applies specifically to that device rather than globally.

Question No : 5

You added three new applications to FortiEDR using only the Path attribute.
What are two expected outcomes of this configuration? (Choose two.)

• A.These applications will be disabled until explicitly enabled.
• B.All instances of these applications will be blocked, regardless of location.
• C.These applications will be blocked only if the file name also matches.
• D.Only applications in the specified directory paths will be blocked.

답을 확인하기

정답:
Explanation:
When an application is defined using the Path attribute, the rule applies only to executables located in the specified directory path. FortiEDR identifies applications using attributes such as file name and path, so the block applies only when the executable file name also matches within that defined path.

Question No : 6

Refer to the exhibit.



What observation can you make about the Connectivity TestAppNew.exe incident?

• A.The incident was archived from the console unhandled.
• B.A rule assigned action is set to block but the policy is in simulation mode.
• C.The incident was handled automatically by the communication control policy.
• D.The incident has not been handled by a console administrator.

답을 확인하기

정답:
Explanation:
The incident status in the incident handler view is clearly marked as Unhandled. This indicates that no console administrator has taken action to investigate, resolve, or close the incident from the FortiEDR management console.

Question No : 7

Refer to the exhibit.



Based on the exhibit, which statement about this treat hunting query is true?

• A.RDP connections will be automatically blocked and classified as suspicious.
• B.A security incident will be generated whenever the device attempts an RDP connection.
• C.The query is limited to detecting network activity and does not inspect process behavior.
• D.The query is configured as a global hunting rule and is automatically visible across all organizations.

답을 확인하기

정답:
Explanation:
The query searches for network activity where the remote port is 3389, which corresponds to RDP traffic. The query is configured as a scheduled threat hunting query with a suspicious classification and runs repeatedly at a defined interval.
When the query condition is matched, FortiEDR generates a security event for that activity, resulting in a security incident being created when the device attempts an RDP connection.

Question No : 8

Refer to the exhibit.



Based on the event shown in the exhibit, which two statements about the event are true? (Choose two.)

• A.The user was able to launch TestApplication.exe
• B.The event is marked as Handled.
• C.FCS classified the event as malicious. D TestApplication.exe is sophisticated malware.

답을 확인하기

정답:
Explanation:
The event view shows the process TestApplication.exe with status Running, indicating the application was successfully launched on the endpoint. The classification label indicates the event is marked as malicious and the classification source is FortinetCloud Services, confirming that FCS performed the malicious classification.

Question No : 9

When implementing an application block policy in FortiEDR, which three actions, in order, reflect the correct operational sequence?
Select an action in the left column and hold and drag it to a blank position in the column on the right. Place the three correct actions in order, starting with the first action at the top of the column. After you place an action, you can move it again if you want to change your answer before proceeding to the next question. You must drop three actions in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

답을 확인하기

정답:


Explanation:
Add applications to the application control manager.
Create a new application group.
Enable the blocklist rule on the application control policy.
To implement an application block policy, the applications must first be defined in the application control manager so FortiEDR can identify them. After defining the applications, they are organized into an application group that can be referenced by policies. Finally, the blocklist rule is enabled in the application control policy to enforce blocking of the defined applications on endpoints.

Question No : 10

You discovered that a newly installed collector does not display on the Inventory tab in the central manager.
Which two troubleshooting steps must you perform? (Choose two.)

• A.Check whether the FortiEDR services are running on the collector device.
• B.Verify that the central manager can resolve the collector hostname through DN
• C.Export and review the collector logs from the Central Manager for connection errors.
• D.Verify that TCP ports 8081 and 555 are open between the collector and the central manager.

답을 확인하기

정답:
Explanation:
The collector must have FortiEDR services running to establish communication with the central manager. If the services are not running, the collector cannot register or appear in the Inventory tab. Communication between the collector and the central manager also requires specific ports to be open, including TCP ports 8081 and 555, which are used for management and communication between the components