NSE7_SOC_AR-7.6 Exam Questions
52 real NSE7_SOC_AR-7.6 exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
Which statement describes automation stitch integration between FortiGate and FortiAnalyzer?
- Question #2
Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three.)
- Question #3
Which role does a threat hunter play within a SOC?
- Question #4
According to the National Institute of Standards and Technology (NIST) cybersecurity framework, incident handling activities can be divided into phases. In which incident handling...
- Question #5
Which FortiAnalyzer connector can you use to run automation stitches?
- Question #6
Refer to the exhibits. What can you conclude from analyzing the data using the threat hunting module?
- Question #7
Refer to the exhibits. You configured a spearphishing event handler and the associated rule. However, FortiAnalyzer did not generate an event. When you check the FortiAnalyzer log...
- Question #8
While monitoring your network, you discover that one FortiGate device is sending significantly more logs to FortiAnalyzer than all of the other FortiGate devices in the topology. A...
- Question #9
Refer to the exhibit. An analyst wants to create an incident and generate a report whenever FortiAnalyzer generates a malicious attachment event based on FortiSandbox analysis. The...
- Question #10
Your company is doing a security audit. To pass the audit, you must take an inventory of all software and applications running on all Windows devices. Which FortiAnalyzer connector...
- Question #11
Which two playbook triggers enable the use of trigger events in later tasks as trigger variables? (Choose two.)
- Question #12
Refer to the exhibit. You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming yo...
- Question #13
When configuring a FortiAnalyzer to act as a collector device, which two steps must you perform? (Choose two.)
- Question #14
Refer to the exhibit. You are tasked with reviewing a new FortiAnalyzer deployment in a network with multiple registered logging devices. There is only one FortiAnalyzer in the top...
- Question #15
Refer to the exhibit, which shows the partial output of the MITRE ATT&CK Enterprise matrix on FortiAnalyzer. Which two statements are true? (Choose two.)
- Question #16
Refer to the exhibit. A SOC analyst is creating the Malicious File Detected playbook to run when FortiAnalyzer generates a malicious file event. The playbook must also update the incid...
- Question #17
Refer to the exhibits. The DOS attack playbook is configured to create an incident when an event handler generates a denial-of-service (DoS) attack event. Why did the DOS attack pl...
- Question #18
Which two statements about the FortiAnalyzer Fabric topology are true? (Choose two.)
- Question #19
Review the following incident report: The RAT provided the attackers with remote access and a foothold in the compromised system. Which two MITRE ATT&CK tactics does this incident...
- Question #20
Refer to the exhibit. A SOC analyst is designing a playbook to filter for a high severity event and attach the event information to an incident. Which local connector action must the a...
- Question #21
Refer to the exhibit. Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)
- Question #22
Refer to the exhibits. The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event. Why did the Maliciou...
- Question #23
Refer to the exhibit. Assume that all devices in the FortiAnalyzer Fabric are shown in the image. Which two statements about the FortiAnalyzer Fabric deployment are true? (Choose t...
- Question #24
Which two types of variables can you use in playbook tasks? (Choose two.)
- Question #25
Refer to the exhibits. The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc.com domain-level block list. The playb...
- Question #26
Which two ways can you create an incident on FortiAnalyzer? (Choose two.)
- Question #27
Which statement best describes the MITRE ATT&CK framework?
- Question #28
Refer to the exhibits. Which observation about this FortiAnalyzer Fabric deployment architecture is true?
- Question #29
Which FortiAnalyzer feature uses the SIEM database for advanced log analytics and monitoring?
- Question #30
Refer to the exhibits. You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event ha...
- Question #31
When does FortiAnalyzer generate an event?
- Question #32
A customer wants FortiAnalyzer to run an automation stitch that executes a CLI command on FortiGate to block a predefined list of URLs, if a botnet command-and-control (C&C) server...
- Question #33
Which National Institute of Standards and Technology (NIST) incident handling phase involves removing malware and persistence mechanisms from a compromised host?
- Question #34
You are not able to view any incidents or events on FortiAnalyzer. What is the cause of this issue?
- Question #35
Refer to the exhibits. The Quarantine Endpoint by EMS playbook execution failed. What can you conclude from reviewing the playbook tasks and raw logs?
- Question #36
You are tasked with configuring automation to quarantine infected endpoints. Which two Fortinet SOC components can work together to fulfill this task? (Choose two.)
- Question #37
Which two assets are available with the outbreak alert licensed feature on FortiAnalyzer? (Choose two.)
- Question #38
Which trigger type requires manual input to run a playbook?
- Question #39
Review the following incident report. Which two MITRE ATT&CK tactics are captured in this report? (Choose two.)
- Question #40
You are managing 10 FortiAnalyzer devices in a FortiAnalyzer Fabric. In this scenario, what is a benefit of configuring a Fabric group?
- Question #41
Refer to the exhibits. Which connector and action on FortiAnalyzer can you use to add the entries shown in the exhibits? Domain List: Domain abc.com:
- Question #42
Which connector on FortiAnalyzer is responsible for looking up indicators to get threat intelligence?
- Question #43
Review the incident report. An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails. The emails w...
- Question #44
Which three are threat hunting activities? (Choose three answers)
- Question #45
Refer to the exhibit. How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)
- Question #46
Refer to the exhibits. Assume that the traffic flows are identical, except for the destination IP address. There is only one FortiGate in network address translation (NAT) mode in...
- Question #47
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)
- Question #48
Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how difficult it is for an adversary to change? (Choose two answers)
- Question #49
Refer to the exhibits. You have a playbook that, depending on whether an analyst deems the alert to be a true positive, could reference a child playbook. You need to pass variables...
- Question #50
Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose th...