Practice Free NSE7_SOC_AR-7.6 Exam Online Questions
Refer to the exhibit.

You configured a playbook named False Positive Close, and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed.
Which two reasons could be the cause of the problem? (Choose two.)
- A . The manual trigger is configured to require record input to run.
- B . The playbook must first be published using the Application Editor.
- C . The Alerts module is not among the list of modules the playbook can execute on.
- D . Another instance of the playbook is currently executing.
DRAG DROP –
Match the FortiSIEM device type to its description.
Select each FortiSIEM device type in the left column, hold and drag it to the blank space next to its corresponding description in the column on the right. Once you match a device type to its description, you can move it again if you want to change your answer by clicking on the device type name. You need to match four device types to their descriptions in the work area.

You configured a new module named Users. Next, you want to configure a playbook that creates users from ingested data.
When new records are created, you want to ensure that duplicate users do not overwrite existing user records and their fields. However, you also want the playbook to continue running even if duplicates are encountered so that any non-duplicate records are still created.
Which two actions fulfill the requirements? (Choose two.)
- A . Ensure the Users module has record uniqueness conditions configured.
- B . Configure the Execution Mode to run in parallel.
- C . Use the Do not create new record (keep existing intact) option in the Create Record step.
- D . Use the stop the create process option in the Create Record step.
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable?
- A . {{ vars.item.<variable_name> }}
- B . {{ vars.input.params.<variable_name> }}
- C . {{ globalVars.<variable_name> }}
- D . {{ vars.steps.<variable_name> }}
A partner organization recently had sensitive data exfiltrated by a well-known adversary group. You are tasked with threat hunting to see if your organization is also affected.
Which action must you take first?
- A . Use threat intelligence to enrich the IP addresses of all destinations.
- B . Review the tactics, techniques, and procedures of the adversary.
- C . Use a packet analyzer to capture and review all traffic flows on critical devices.
- D . Review historical logs to establish a baseline for normal bandwidth usage.
Which two statements best reflect the relationship between threat hunting and incident response in a mature SOC? (Choose two.)
- A . Threat hunting and incident response should operate in isolation to avoid bias.
- B . Threat hunting begins after incident response is completed.
- C . Incident response relies on existing detection.
- D . Threat hunting proactively looks for potential or missed threats.
From those devices, identify those that have generated Windows Login Failure events
Which two query components should be used for this nested query? (Choose two.)
- A . Outer Event Query
- B . Inner CMDB Query
- C . Outer CMDB Query
- D . Inner Event Query

