Fortinet NSE7_SOC_AR-7.6 시험

Question No : 1

Refer to the exhibit.



You configured a playbook named False Positive Close, and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed.
Which two reasons could be the cause of the problem? (Choose two.)

• A.The manual trigger is configured to require record input to run.
• B.The playbook must first be published using the Application Editor.
• C.The Alerts module is not among the list of modules the playbook can execute on.
• D.Another instance of the playbook is currently executing.

답을 확인하기

정답:

Question No : 2

Refer to the exhibit.



You created a new playbook and executed it as a test. However, it failed to run. You want to investigate, but you do not see details about the error.
What is the reason for the lack of details?

• A.The connector is deactivated.
• B.The playbook logging level must be debug.
• C.The Ignore Error option is enabled.
• D.The user that executed the playbook does not have the necessary permissions.

답을 확인하기

정답:

Question No : 3

Refer to the exhibit.



You are investigating an open incident and want to add records from the Tickets module, a custom module, to the visual correlation widget. Assume there are already linked ticket records to the incident.
How do you accomplish this?

• A.Edit the incident template and add the Tickets module to the graph.
• B.Define move module relationships under Correlation Settings. Most Voted
• C.Tag ticket records with the incident I
• D.Ingest ticket records through a custom connector.

답을 확인하기

정답:

Question No : 4

DRAG DROP -
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence.
Select each workflow component in the left column, hold and drag it to a blank position on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop four workflow components in the work area. Select and drag the screen divider to change the viewable area of the source and work areas.

답을 확인하기

정답:

Question No : 5

Which three are threat hunting activities? (Choose three.)

• A.Generate a hypothesis.
• B.Tune correlation rules.
• C.Perform packet analysis.
• D.Automate workflows.
• E.Enrich records with threat intelligence.

답을 확인하기

정답:

Question No : 6

Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how it is for an adversary to change? (Choose two.)

• A.Tactics, techniques, and procedures are hard because adversaries must adapt their methods.
• B.Tools are easy because often, multiple alternatives exist.
• C.IP addresses are easy because adversaries can spoof them or move them to new resources.
• D.Artifacts are easy because adversaries can alter file paths or registry keys.

답을 확인하기

정답:

Question No : 7

Refer to the exhibit.



You are reviewing the Triggering Events page for a FortiSIEM incident. You want to remove the Reporting IP column because you have only one firewall in the topology.
How do you accomplish this?

• A.Customize the display columns for this incident.
• B.Remove the Reporting IP attribute from the raw logs using parsing rules.
• C.Disable correlation for the Reporting IP field in the rule subpattern.
• D.Clear the Reporting IP field from the Triggered Attributes section when you configure the Incident Action.

답을 확인하기

정답:

Question No : 8

DRAG DROP
Refer to the exhibits.






You have a playbook that, depending on whether an analyst deems the alert to be a true positive, could reference a child playbook. You need to pass variables from the parent playbook to the child playbook. Place the steps needed to accomplish this in the correct order.
Select the step in the left column, hold and drag it to a blank position on the right. Place the three correct steps in order, placing the first step in the first position at the top of the column. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop three steps in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

답을 확인하기

정답:

Question No : 9

DRAG DROP -
Refer to the exhibit.



What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1]|[slot 2][slot 3].[slot 4] }}
Select the jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot. Once you place an expression, you can move it again if you want to change your answer before moving to the next question. You need to drop four jinja expressions in the work area. Select and drag the screen divider to change the viewable area of the source and work areas.

답을 확인하기

정답:

Question No : 10

Refer to the exhibit.



Which method most effectively reduces the attack surface of this organization?

• A.Remove unused devices.
• B.Enable deep inspection on firewall policies.
• C.Forward all firewall logs to the security information and event management (SIEM) system.
• D.Implement macrosegmentation.

답을 확인하기

정답:

Question No : 11

When configuring a FortiAnalyzer to act as a collector device, which two steps must you perform? (Choose two.)

• A.Enable log compression.
• B.Configure log forwarding to a FortiAnalyzer in analyzer mode.
• C.Configure the data policy to focus on archiving.
• D.Configure Fabric authorization on the connecting interface.

답을 확인하기

정답:
Explanation:
Understanding FortiAnalyzer Roles:
FortiAnalyzer can operate in two primary modes: collector mode and analyzer mode.
Collector Mode: Gathers logs from various devices and forwards them to another FortiAnalyzer operating in analyzer mode for detailed analysis.
Analyzer Mode: Provides detailed log analysis, reporting, and incident management.
Steps to Configure FortiAnalyzer as a Collector Device:
A. Enable Log Compression:
While enabling log compression can help save storage space, it is not a mandatory step specifically required for configuring FortiAnalyzer in collector mode.
Not selected as it is optional and not directly related to the collector configuration process.
B. Configure Log Forwarding to a FortiAnalyzer in Analyzer Mode:
Essential for ensuring that logs collected by the collector FortiAnalyzer are sent to the analyzer FortiAnalyzer for detailed processing.
Selected as it is a critical step in configuring a FortiAnalyzer as a collector device.
Step 1: Access the FortiAnalyzer interface and navigate to log forwarding settings.
Step 2: Configure log forwarding by specifying the IP address and necessary credentials of the FortiAnalyzer in analyzer mode.
Fortinet Documentation on Log Forwarding FortiAnalyzer Log Forwarding
C. Configure the Data Policy to Focus on Archiving:
Data policy configuration typically relates to how logs are stored and managed within FortiAnalyzer, focusing on archiving may not be specifically required for a collector device setup.
Not selected as it is not a necessary step for configuring the collector mode.
D. Configure Fabric Authorization on the Connecting Interface:
Necessary to ensure secure and authenticated communication between FortiAnalyzer devices within the Security Fabric.
Selected as it is essential for secure integration and communication.
Step 1: Access the FortiAnalyzer interface and navigate to the Fabric authorization settings.
Step 2: Enable Fabric authorization on the interface used for connecting to other Fortinet devices and FortiAnalyzers.
Reference: Fortinet Documentation on Fabric Authorization FortiAnalyzer Fabric Authorization Implementation Summary:
Configure log forwarding to ensure logs collected are sent to the analyzer.
Enable Fabric authorization to ensure secure communication and integration within the Security Fabric.
Conclusion:
Configuring log forwarding and Fabric authorization are key steps in setting up a FortiAnalyzer as a collector device to ensure proper log collection and forwarding for analysis.
References:
Fortinet Documentation on FortiAnalyzer Roles and Configurations FortiAnalyzer Administration Guide
By configuring log forwarding to a FortiAnalyzer in analyzer mode and enabling Fabric authorization on the connecting interface, you can ensure proper setup of FortiAnalyzer as a collector device.

Question No : 12

A customer wants FortiAnalyzer to run an automation stitch that executes a CLI command on FortiGate to block a predefined list of URLs, if a botnet command-and-control (C&C) server IP is detected.
Which FortiAnalyzer feature must you use to start this automation process?

• A.Playbook
• B.Data selector
• C.Event handler
• D.Connector

답을 확인하기

정답:
Explanation:
Understanding Automation Processes in FortiAnalyzer:
FortiAnalyzer can automate responses to detected security events, such as running commands on FortiGate devices.
Analyzing the Customer Requirement:
The customer wants to run a CLI command on FortiGate to block predefined URLs when a botnet C&C server IP is detected.
This requires an automated response triggered by a specific event.
Evaluating the Options:
Option A: Playbooks orchestrate complex workflows but are not typically used for direct event-triggered automation processes.
Option B: Data selectors filter logs based on criteria but do not initiate automation processes.
Option C: Event handlers can be configured to detect specific events (such as detecting a botnet C&C server IP) and trigger automation stitches to execute predefined actions.
Option D: Connectors facilitate communication between FortiAnalyzer and other systems but are not the primary mechanism for initiating automation based on log events.
Conclusion:
To start the automation process when a botnet C&C server IP is detected, you must use anEvent handlerin FortiAnalyzer.
References:
Fortinet Documentation on Event Handlers and Automation Stitches in FortiAnalyzer.
Best Practices for Configuring Automated Responses in FortiAnalyzer.

Question No : 13

Refer to the exhibit.



How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)

• A.By tagging output or a workspace comment with the keyword Evidence
• B.By linking an indicator to the war room
• C.By creating an evidence collection task and attaching a file
• D.By executing a playbook with the Save Execution Logs option enabled

답을 확인하기

정답:
Explanation:
From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, theWar Roomis a collaborative space designed for high-priority incident investigation. TheEvidencestab within theInvestigateview (as shown in the exhibit) is specifically designed to highlight critical findings found during the investigation process.
Evidence Tagging: To populate theAction Logs Marked As Evidencesection, an analyst must specifically tag a relevant log entry, a playbook output, or a comment within the collaboration workspace with the system-defined keyword"Evidence".
Automatic Categorization: Once the tag is applied, FortiSOAR automatically parses these entries and displays them in this centralized view. This allows team members and stakeholders to quickly view substantiated facts and proof gathered during the "Root Cause Analysis" phase without sifting through all raw action logs.
Manual vs. Action Logs: The exhibit shows two distinct areas: "Manually Upload Evidences" (where files like the CSLAB document shown can be dragged and dropped) and "Action Logs Marked As Evidence." The latter is reserved exclusively for system-generated logs or comments that have been promoted to evidence status via tagging.
Why other options are incorrect:
By linking an indicator to the war room (B): Linking indicators associates technical artifacts (like IPs or hashes) with the record, but it does not automatically classify them as evidence within the War Room action log view.
By creating an evidence collection task and attaching a file (C): While this is a valid step in an investigation, attaching a file to a task typically places it in the "Attachments" or "Manually Upload Evidences" area, rather than the "Action Logs" section specifically.
By executing a playbook with the Save Execution Logs option enabled (D): Saving execution logs ensures a trail of what the playbook did, but it does not mark the output as "Evidence" unless the specific logic or a manual analyst action applies the "Evidence" tag to the resulting log entry.

Question No : 14

Refer to Exhibit:
A SOC analyst is designing a playbook to filter for a high severity event and attach the event information to an incident.
Which local connector action must the analyst use in this scenario?

• A.Get Events
• B.Update Incident
• C.Update Asset and Identity
• D.Attach Data to Incident

답을 확인하기

정답:
Explanation:
Understanding the Playbook Requirements:
The SOC analyst needs to design a playbook that filters for high severity events.
The playbook must also attach the event information to an existing incident.
Analyzing the Provided Exhibit:
The exhibit shows the available actions for a local connector within the playbook.
Actions listed include:
Update Asset and Identity
Get Events
Get Endpoint Vulnerabilities
Create Incident
Update Incident
Attach Data to Incident
Run Report
Get EPEU from Incident
Evaluating the Options:
Get Events: This action retrieves events but does not attach them to an incident.
Update Incident: This action updates an existing incident but is not specifically for attaching event data.
Update Asset and Identity: This action updates asset and identity information, not relevant for attaching event data to an incident.
Attach Data to Incident: This action is explicitly designed to attach additional data, such as event information, to an existing incident.
Conclusion:
The correct action to use in the playbook for filtering high severity events and attaching the event information to an incident is Attach Data to Incident.
References:
Fortinet Documentation on Playbook Actions and Connectors.
Best Practices for Incident Management and Playbook Design in SOC Operations.

Question No : 15

Refer to the exhibits.



The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event.
Why did the Malicious File Detect playbook execution fail?

• A.The Create Incident task was expecting a name or number as input, but received an incorrect data format
• B.The Get Events task did not retrieve any event data.
• C.The Attach_Data_To_lncident incident task wasexpecting an integer, but received an incorrect data format.
• D.The Attach Data To Incident task failed, which stopped the playbook execution.

답을 확인하기

정답:
Explanation:
Understanding the Playbook Configuration:
The "Malicious File Detect" playbook is designed to create an incident when a malicious file detection event is triggered.
The playbook includes tasks such as Attach_Data_To_Incident, Create Incident, and Get Events.
Analyzing the Playbook Execution:
The exhibit shows that the Create Incident task has failed, and the Attach_Data_To_Incident task has also failed.
The Get Events task succeeded, indicating that it was able to retrieve event data.
Reviewing Raw Logs:
The raw logs indicate an error related to parsing input in the incident_operator.py file.
The error traceback suggests that the task was expecting a specific input format (likely a name or number) but received an incorrect data format.
Identifying the Source of the Failure:
The Create Incident task failure is the root cause since it did not proceed correctly due to incorrect input format.
The Attach_Data_To_Incident task subsequently failed because it depends on the successful creation of an incident.
Conclusion:
The primary reason for the playbook execution failure is that the Create Incident task received an incorrect data format, which was not a name or number as expected.
References:
Fortinet Documentation on Playbook and Task Configuration.
Error handling and debugging practices in playbook execution.