Practice Free NSE7_SOC_AR-7.6 Exam Online Questions
You are configuring a new FortiSIEM rule to trigger incidents based on receiving a number of either Fortigate-Traffic-Violation OR Fortigate-Traffic-Denied event types. You could use a single subpattern for this, but you decided to create two separate subpatterns, one for each event type, and correlate them using the OR operator.
Which two benefits does this approach provide? (Choose two.)
- A . Each subpattern can use a different group by condition.
- B . Each subpattern can use a different time window condition.
- C . Each subpattern can use a different aggregate condition.
- D . Each subpattern can trigger its own notification policy.
You wish to use FortiAI to help you design playbooks.
Which two configurations on FortiSOAR are required? (Choose two.)
- A . Grant CRUD permissions to the Playbook user.
- B . Install and configure the OpenAI connector.
- C . Install the FortiAI solution pack and run the configuration wizard.
- D . Train the FortiSOAR machine learning engine.
DRAG DROP
Refer to the exhibit.

What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1]|[slot 2][slot 3].[slot 4] ") }}
Select the Jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot. Once you place an expression, you can move it again if you want to change your answer before moving to the next question. You need to drop four Jinja expressions in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

Answer:
Refer to this partial incident output:

Which conclusion can you make about this incident?
- A . It was triggered by a lookup table.
- B . It was triggered by a correlation rule.
- C . It was triggered by a baseline profile incident rule.
- D . It was triggered from a FortiAI machine learning rule.
You are trying to create a playbook that creates a manual task that shows a list of public IPv6 addresses.
You were successful in extracting all IP addresses from a previous action into a variable called ip_list, which has a mix of private and public IPv4 and IPv6 addresses. Now, you must filter the results to display only public IPv6 addresses.
Which two Jinja expressions can accomplish this task? (Choose two.)
- A . {{ vars.ip_list | ipaddr(!private) | ipv6 }}
- B . {{ vars.ip_list | ipv6 | ipaddr('public') }}
- C . {{ vars.ip_list | ipv6addr('public') }}
- D . {{ vars.ip_list | ipaddr('public') | ipv6 }}
Refer to the exhibit.

A compromised PC establishes an SSH connection to an engineering build server, which then relays HTTPS traffic to reach servers that would otherwise have blocked access from the LAN.
Which technique is used for this attack?
- A . Port knocking
- B . Exfiltration over C2 channel
- C . Man-in-the-middle (MITM)
- D . Protocol tunneling
Refer to the exhibit.

You created a new playbook and executed it as a test. However, it failed to run. You want to investigate, but you do not see details about the error.
What is the reason for the lack of details?
- A . The connector is deactivated.
- B . The playbook logging level must be debug.
- C . The Ignore Error option is enabled.
- D . The user that executed the playbook does not have the necessary permissions.
You are using FortiSIEM analytics to reference the configuration management database (CMDB) event type categories with the following requirements:
Attribute: Event Type
Value: Group: Logon Success
Which operator must you use for the analytics search?
- A . IN
- B . CONTAIN
- C . IS
- D . HAS
DRAG DROP
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence.
Select each workflow component in the left column, hold and drag it to a blank position on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop four workflow components in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

Refer to the exhibit.

A compromised PC establishes an SSH connection to an engineering build server, which then relays HTTPS traffic to reach servers that would otherwise have blocked access from the LAN. Assume the LAN to Engineering and Engineering to IT network flows are allowed by design.
Which configuration would prevent this attack vector?
- A . Reject incoming non-standard port HTTPS traffic to the IT servers.
- B . Enforce SSH version 2 across the organization.
- C . Enable SSL/SSH deep inspection on the firewall.
- D . Disable SSH port forwarding on the build server.
You created a war room and want to run a connector action to look up the reputation of a domain. Then, you need to save the output for your team to review. However, there is a lot of output, and you want to limit the amount of information attached to the war room.
How do you accomplish this?
- A . From the returned output, select only the output keys you want.
- B . Use the Investigate tab to map only the fields you want.
- C . Lower the playbook logging level before executing the connector.
- D . Apply a workspace filter to show only relevant fields.