시험덤프
매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
  / NSE6_FSM_AN-7.4 덤프  / NSE6_FSM_AN-7.4 문제 연습

Fortinet NSE6_FSM_AN-7.4 시험

Fortinet NSE 6 - FortiSIEM 7.4 Analyst 온라인 연습

최종 업데이트 시간: 2026년06월29일

당신은 온라인 연습 문제를 통해 Fortinet NSE6_FSM_AN-7.4 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.

시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 NSE6_FSM_AN-7.4 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 37개의 시험 문제와 답을 포함하십시오.

 / 6

Question No : 1


A rule should detect administrative logons from nonapproved sources. Approved jump hosts are stored in a lookup table.
What should the rule compare?

정답:
Explanation:
The detection depends on whether the logon source is an approved jump host. The source host should be compared against the lookup table. The other comparisons do not identify approved or unapproved logon sources.

Question No : 2


A correlation rule has two subpatterns, but the second subpattern matches events from any host instead of the host found in the first subpattern.
What is missing?

정답:
Explanation:
Subpatterns must share a constrained field, such as host or user, to ensure the second pattern matches the same entity as the first. Without that constraint, unrelated events can satisfy the rule.

Question No : 3


A rule stopped triggering after the SOC added an exclusion for approved jump hosts. Manual searches still show suspicious activity from unapproved hosts.
What should be checked first?

정답:
Explanation:
If valid activity stops matching after an exclusion is added, the exclusion logic may be too broad or mapped to the wrong field. Severity, recipients, and dashboard filters do not prevent the rule from matching events.

Question No : 4


A rule should identify a source IP that fails authentication against more than 20 unique accounts.
Which aggregation is required?

정답:
Explanation:
The detection requires counting unique accounts targeted by the same source IP. A total event count could be caused by repeated failures against one account, which is a different pattern.

Question No : 5


A rule creates one incident for each destination IP contacted by the same infected host. The SOC wants one incident per infected host instead.
What should be changed?

정답:
Explanation:
If destination IP is part of the group-by logic, FortiSIEM can split activity into separate incidents per destination. Adjusting the destination grouping helps combine related activity under the infected host.

Question No : 6


A rule should identify DNS traffic to unapproved resolvers. Approved DNS resolver IPs are stored in a lookup table.
Which rule condition best fits?

정답:
Explanation:
The rule should alert when the DNS destination is outside the approved resolver list. Matching approved destinations would show expected behavior, and grouping alone would not detect the exception.

Question No : 7


A rule uses a lookup table of high-value servers, but it triggers for noncritical systems. The lookup table is correct.
What should the analyst verify next?

정답:
Explanation:
If the lookup table is correct but the rule matches the wrong systems, the rule may be comparing the lookup to the wrong field. The analyst should verify whether the target IP or host field is mapped correctly.

Question No : 8


A port-scan rule counts denied firewall events but does not distinguish a source that hits many ports from one that repeats a single port.
What should be added?

정답:
Explanation:
Port scanning requires measuring port diversity. A distinct port aggregation is better than a simple event count when deciding whether many ports were contacted.

Question No : 9


A rule should trigger only when failed logins exceed a threshold for the same source IP and target host pair.
Which configuration is most important?

정답:
Explanation:
The source IP and target host must be included in the group-by logic so the threshold is evaluated per pair. Display, owner, and notification settings do not define how the threshold is grouped.

Question No : 10


A newly created rule triggers on many unrelated firewall events because it uses only a broad normalized event type.
What should the analyst do first?

정답:
Explanation:
A broad event type can match too many events. Adding specific conditions such as action, direction, port, source, or destination improves precision. Report filters and severity changes do not improve rule matching.

Question No : 11


An analyst wants each incident to represent suspicious activity for one user, even when the user appears on multiple devices.
Which grouping is most appropriate?

정답:
Explanation:
Grouping by user identity keeps activity tied to the user across devices. Device, parser, or target-host grouping would split the activity by infrastructure rather than the user entity.

Question No : 12


A rule should detect one user logging in to many different hosts within 10 minutes.
Which aggregation best supports this detection?

정답:
Explanation:
The suspicious behavior is one user reaching many unique hosts. A distinct host count measures that spread. A total event count could trigger on repeated activity against one host and miss the intended behavior.

Question No : 13


A SOC team wants a rule to detect hosts that first generate endpoint malware events and then make outbound connections to suspicious countries.
Which rule design is strongest?

정답:
Explanation:
The requirement involves two related behaviors from the same host. Two linked subpatterns can correlate endpoint malware activity with later outbound network connections.

Question No : 14


A correlation rule is designed to detect five failures followed by one success. Testing shows the events match individually, but the rule does not trigger because the success occurs after the current evaluation period.
What should be adjusted?

정답:
Explanation:
If related events occur outside the evaluation period, the rule cannot correlate them. Adjusting the time window is the relevant fix. Grouping and lookup scope may affect matching, but they do not solve a timing miss.

Question No : 15


A failed-login rule fires during normal backup activity because known service accounts authenticate repeatedly. The events should remain searchable, but the rule should not alert on them.
What is the best tuning action?

정답:
Explanation:
Excluding known service accounts from the rule condition reduces expected noise while preserving event collection. Reducing the threshold would likely increase noise, and changing owner or grouping does not address the known-account exception.

 / 6
Fortinet