Fortinet NSE7_SOC_AR-7.6 시험

Question No : 1

Refer to the exhibits.






How is the investigation and remediation output generated on FortiSIEM?

• A.By using FortiAI to summarize the incident
• B.By exporting an incident
• C.By running an incident report
• D.By viewing the Context tab of an incident

답을 확인하기

정답:

Question No : 2

Refer to the exhibits.






You configured the FortiSIEM connector on FortiSOAR. However, when you try to save the configuration, you see the error shown in the exhibit.
What are two possible causes? (Choose two.)

• A.The Visibility option must be set to Public.
• B.FortiSOAR cannot reach FortiSIE
• C.The organization should be Super.
• D.The user credentials do not match FortiSIE

답을 확인하기

정답:

Question No : 3

You configured a queue called L1 Analysts, and generated shifts to cover morning, evenings, and overnight shifts, with two members covering each shift.
However, you noticed that all members of the queue are assigned ingested alerts in a round-robin fashion, instead of only users who are currently on shift.
What is the problem?

• A.The shift lead needs to disable automatic shift handover.
• B.The Queueable option is disabled for the alerts module.
• C.The queue rules conflict with the user assignment rules.
• D.Shift-based assignment is disabled.

답을 확인하기

정답:

Question No : 4

Refer to the exhibit.



A list of FortiSIEM connector actions is shown.
You want to create a playbook on FortiSOAR that allows you to accomplish the following:
Manually input a range of IP addresses.
Use the connector action in the exhibit to retrieve a list of devices from the FortiSIEM configuration management database (CMDB) within that IP address range.
For each returned result, create an asset record based on the IP address of the device.
Which combination and order of step operations fulfills the requirements with the fewest required playbook steps?

• A.1) Connector action, 2) Create record, 3) Update record
• B.1) On create trigger, 2) Connector action, 3) Code snippet, 4) Create record
• C.1) Manual trigger, 2) Connector action, 3) Create record
• D.1) Manual trigger, 2) Set variable, 3) Connector action, 4) Create record, 5) Update record

답을 확인하기

정답:

Question No : 5

Refer to the exhibit.



You created a threat hunting playbook to perform a search query using the FortiSIEM connector. However, when you run the playbook, you do not see any output.
Which step must you take first in your troubleshooting process?

• A.Confirm that the event logs matching your criteria exist on FortiSIE
• B.Configure a Set Variable step to save the output.
• C.Confirm that the FortiSIEM connector is up.
• D.Check the documentation for the input and output for the action.

답을 확인하기

정답:

Question No : 6

Refer to the exhibit.



You are trying to find traffic flows to destinations that are in Europe or Asia, for hosts in the local LAN segment. However, the query returns no results. Assume these logs exist on FortiSIEM.
Which three mistakes can you see in the query shown in the exhibit? (Choose three.)

• A.The logical operator for the first row (Group: Europe) must be O
• B.The null value cannot be used with the IS NOT operator.
• C.The time range must be Absolute for queries that use configuration management database (CMDB) groups.
• D.The Source IP row operator must be BETWEEN 10.0.0.0, 10.200.200.254.
• E.There are missing parentheses between the first row (Group: Europe) and the second row (Group: Asia).

답을 확인하기

정답:

Question No : 7

You are using FortiSIEM analytics to reference the configuration management database (CMDB) event type categories with the following requirements:
Attribute: Event Type -
Value: Group: Logon Success -
Which operator must you use for the analytics search?

• A.IN
• B.CONTAIN
• C.IS
• D.HAS

답을 확인하기

정답:

Question No : 8

Refer to the exhibits.






Assume that the traffic flows are identical, except for the destination IP address. There is only one FortiGate in network address translation (NAT) mode in this environment.
Based on the exhibits, which two conclusions can you make about this FortiSIEM incident? (Choose two.)

• A.The destination hosts are not responding.
• B.The client 10.200.3.219 is conducting active reconnaissance.
• C.FortiGate is blocking the return flows.
• D.FortiGate is not routing the packets to the destination hosts.

답을 확인하기

정답:

Question No : 9

Refer to the exhibit.



A compromised PC establishes an SSH connection to an engineering build server, which then relays HTTPS traffic to reach servers that would otherwise have blocked access from the LAN.
Which technique is used for this attack?

• A.Port knocking
• B.Exfiltration over C2 channel
• C.Man-in-the-middle (MITM)
• D.Protocol tunneling

답을 확인하기

정답:

Question No : 10

You are designing a FortiSOAR hybrid multi-tenant deployment. The architecture must support remote tenant execution and automation inside segmented networks.
Which three elements are true for this design? (Choose three.)

• A.The FortiSOAR master cluster can host shared tenants, with strict data isolation between them.
• B.FortiSOAR tenant nodes or agents use TCP port 5671 to communicate with a secure message exchange.
• C.FortiSOAR agents are deployed on the master cluster to improve high availability (HA) performance.
• D.Each tenant or agent has a dedicated, access-controlled space on a secure message exchange for message routing.
• E.The secure message exchange must be a dedicated instance instead of an embedded one.

답을 확인하기

정답:

Question No : 11

Refer to the exhibit.



You configured a playbook named False Positive Close, and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed.
Which two reasons could be the cause of the problem? (Choose two.)

• A.The manual trigger is configured to require record input to run.
• B.The playbook must first be published using the Application Editor.
• C.The Alerts module is not among the list of modules the playbook can execute on.
• D.Another instance of the playbook is currently executing.

답을 확인하기

정답:

Question No : 12

Refer to the exhibit.



You created a new playbook and executed it as a test. However, it failed to run. You want to investigate, but you do not see details about the error.
What is the reason for the lack of details?

• A.The connector is deactivated.
• B.The playbook logging level must be debug.
• C.The Ignore Error option is enabled.
• D.The user that executed the playbook does not have the necessary permissions.

답을 확인하기

정답:

Question No : 13

Refer to the exhibit.



You are investigating an open incident and want to add records from the Tickets module, a custom module, to the visual correlation widget. Assume there are already linked ticket records to the incident .
How do you accomplish this?

• A.Edit the incident template and add the Tickets module to the graph.
• B.Define move module relationships under Correlation Settings.
• C.Tag ticket records with the incident I
• D.Ingest ticket records through a custom connector.

답을 확인하기

정답:

Question No : 14

DRAG DROP -
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence.
Select each workflow component in the left column, hold and drag it to a blank position on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop four workflow components in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

답을 확인하기

정답:

Question No : 15

Which three are threat hunting activities? (Choose three.)

• A.Generate a hypothesis.
• B.Tune correlation rules.
• C.Perform packet analysis.
• D.Automate workflows.
• E.Enrich records with threat intelligence.

답을 확인하기

정답: