[May-2026] Check your preparation for Fortinet NSE7_SOC_AR-7.6 On-Demand Exam [Q33-Q52]

[May-2026] Check your preparation for Fortinet NSE7_SOC_AR-7.6 On-Demand Exam

Practice Exam NSE7_SOC_AR-7.6 Realistic Dumps Verified Questions

Fortinet NSE7_SOC_AR-7.6 Exam Syllabus Topics:

Topic	Details
Topic 1	SOAR Incident Handling and Threat Hunting: Includes threat hunting analysis, managing FortiSOAR incidents, workload coordination, and using war rooms for incident response.
Topic 2	SOAR Playbook Development: Covers configuring playbooks and connectors, using Jinja filters for data handling, and troubleshooting FortiSOAR automation workflows.
Topic 3	Detection Capabilities: Focuses on configuring FortiSIEM incident rules, building log queries, and analyzing incidents for effective threat detection.
Topic 4	SOC Concepts and Frameworks: Covers analyzing security incidents, identifying adversary behaviors, understanding Fortinet SOC architecture, and recognizing common attack vectors.

 

NEW QUESTION # 33
Refer to the exhibits.

The DOS attack playbook is configured to create an incident when an event handler generates a denial-of-ser/ice (DoS) attack event.
Why did the DOS attack playbook fail to execute?

• A. The Get Events task is configured to execute in the incorrect order.
• B. The Create SMTP Enumeration incident task is expecting an integer value but is receiving the incorrect data type
• C. The Attach_Data_To_lncident task is expecting an integer value but is receiving the incorrect data type.
• D. The Attach_Data_To_lncident task failed.

Answer: B

Explanation:
* Understanding the Playbook and its Components:
* The exhibit shows the status of a playbook named "DOS attack" and its associated tasks.
* The playbook is designed to execute a series of tasks upon detecting a DoS attack event.
* Analysis of Playbook Tasks:
* Attach_Data_To_Incident:Task ID placeholder_8fab0102, status is "upstream_failed," meaning it did not execute properly due to a previous task's failure.
* Get Events:Task ID placeholder_fa2a573c, status is "success."
* Create SMTP Enumeration incident:Task ID placeholder_3db75c0a, status is "failed."
* Reviewing Raw Logs:
* The error log shows a ValueError: invalid literal for int() with base 10: '10.200.200.100'.
* This error indicates that the task attempted to convert a string (the IP address '10.200.200.100') to an integer, which is not possible.
* Identifying the Source of the Error:
* The error occurs in the file "incident_operator.py," specifically in the execute method.
* This suggests that the task "Create SMTP Enumeration incident" is the one causing the issue because it failed to process the data type correctly.
* Conclusion:
* The failure of the playbook is due to the "Create SMTP Enumeration incident" task receiving a string value (an IP address) when it expects an integer value. This mismatch in data types leads to the error.
References:
Fortinet Documentation on Playbook and Task Configuration.
Python error handling documentation for understanding ValueError.

NEW QUESTION # 34
Refer to the exhibits.
You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event handler is generating events for both spam emails and clean emails.
Which change must you make in the rule so that it detects only spam emails?

• A. In the Log filter by Text field, type type==spam.
• B. In the Log Type field, select Anti-Spam Log (spam)
• C. Disable the rule to use the filter in the data selector to create the event.
• D. In the Trigger an event when field, select Within a group, the log field Spam Name (snane) has 2 or more unique values.

Answer: B

Explanation:
* Understanding the Custom Event Handler Configuration:
* The event handler is set up to generate events based on specific log data.
* The goal is to generate events specifically for spam emails detected by FortiMail.
* Analyzing the Issue:
* The event handler is currently generating events for both spam emails and clean emails.
* This indicates that the rule's filtering criteria are not correctly distinguishing between spam and non-spam emails.
* Evaluating the Options:
* Option A:Selecting the "Anti-Spam Log (spam)" in the Log Type field will ensure that only logs related to spam emails are considered. This is the most straightforward and accurate way to filter for spam emails.
* Option B:Typing type==spam in the Log filter by Text field might help filter the logs, but it is not as direct and reliable as selecting the correct log type.
* Option C:Disabling the rule to use the filter in the data selector to create the event does not address the issue of filtering for spam logs specifically.
* Option D:Selecting "Within a group, the log field Spam Name (snane) has 2 or more unique values" is not directly relevant to filtering spam logs and could lead to incorrect filtering criteria.
* Conclusion:
* The correct change to make in the rule is to select "Anti-Spam Log (spam)" in the Log Type field. This ensures that the event handler only generates events for spam emails.
References:
Fortinet Documentation on Event Handlers and Log Types.
Best Practices for Configuring FortiMail Anti-Spam Settings.

NEW QUESTION # 35
Refer to the exhibits.

What can you conclude from analyzing the data using the threat hunting module?

• A. Spearphishing is being used to elicit sensitive information.
• B. Reconnaissance is being used to gather victim identity information from the mail server.
• C. FTP is being used as command-and-control (C&C) technique to mine for data.
• D. DNS tunneling is being used to extract confidential data from the local network.

Answer: D

Explanation:
* Understanding the Threat Hunting Data:
* The Threat Hunting Monitor in the provided exhibits shows various application services, their usage counts, and data metrics such as sent bytes, average sent bytes, and maximum sent bytes.
* The second part of the exhibit lists connection attempts from a specific source IP (10.0.1.10) to a destination IP (8.8.8.8), with repeated "Connection Failed" messages.
* Analyzing the Application Services:
* DNS is the top application service with a significantly high count (251,400) and notable sent bytes (9.1 MB).
* This large volume of DNS traffic is unusual for regular DNS queries and can indicate the presence of DNS tunneling.
* DNS Tunneling:
* DNS tunneling is a technique used by attackers to bypass security controls by encoding data within DNS queries and responses. This allows them to extract data from the local network without detection.
* The high volume of DNS traffic, combined with the detailed metrics, suggests that DNS tunneling might be in use.
* Connection Failures to 8.8.8.8:
* The repeated connection attempts from the source IP (10.0.1.10) to the destination IP (8.8.8.8) with connection failures can indicate an attempt to communicate with an external server.
* Google DNS (8.8.8.8) is often used for DNS tunneling due to its reliability and global reach.
* Conclusion:
* Given the significant DNS traffic and the nature of the connection attempts, it is reasonable to conclude that DNS tunneling is being used to extract confidential data from the local network.
* Why Other Options are Less Likely:
* Spearphishing (A): There is no evidence from the provided data that points to spearphishing attempts, such as email logs or phishing indicators.
* Reconnaissance (C): The data does not indicate typical reconnaissance activities, such as scanning or probing mail servers.
* FTP C&C (D): There is no evidence of FTP traffic or command-and-control communications using FTP in the provided data.
SANS Institute: "DNS Tunneling: How to Detect Data Exfiltration and Tunneling Through DNS Queries" SANS DNS Tunneling OWASP: "DNS Tunneling" OWASP DNS Tunneling By analyzing the provided threat hunting data, it is evident that DNS tunneling is being used to exfiltrate data, indicating a sophisticated method of extracting confidential information from the network.

NEW QUESTION # 36
Refer to Exhibit:
A SOC analyst is designing a playbook to filter for a high severity event and attach the event information to an incident.
Which local connector action must the analyst use in this scenario?

• A. Update Asset and Identity
• B. Get Events
• C. Update Incident
• D. Attach Data to Incident

Answer: D

Explanation:
* Understanding the Playbook Requirements:
* The SOC analyst needs to design a playbook that filters for high severity events.
* The playbook must also attach the event information to an existing incident.
* Analyzing the Provided Exhibit:
* The exhibit shows the available actions for a local connector within the playbook.
* Actions listed include:
* Update Asset and Identity
* Get Events
* Get Endpoint Vulnerabilities
* Create Incident
* Update Incident
* Attach Data to Incident
* Run Report
* Get EPEU from Incident
* Evaluating the Options:
* Get Events:This action retrieves events but does not attach them to an incident.
* Update Incident:This action updates an existing incident but is not specifically for attaching event data.
* Update Asset and Identity:This action updates asset and identity information, not relevant for attaching event data to an incident.
* Attach Data to Incident:This action is explicitly designed to attach additional data, such as event information, to an existing incident.
* Conclusion:
* The correct action to use in the playbook for filtering high severity events and attaching the event information to an incident isAttach Data to Incident.
References:
Fortinet Documentation on Playbook Actions and Connectors.
Best Practices for Incident Management and Playbook Design in SOC Operations.

NEW QUESTION # 37
Which three statements accurately describe step utilities in a playbook step? (Choose three answers)

• A. The Timeout step utility sets a maximum execution time for the step and terminates playbook execution if exceeded.
• B. The Loop step utility can only be used once in each playbook step.
• C. The Condition step utility behavior changes depending on if a loop exists for that step.
• D. The Mock Output step utility uses HTML format to simulate real outputs.
• E. The Variables step utility stores the output of the step directly in the step itself.

Answer: A,B,C

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, step utilities are advanced configurations applied to individual playbook steps to control logic, timing, and data processing. According to the Playbook Engine architecture:
* Timeout (A):TheTimeoututility allows an administrator to define a maximum duration for a step to complete. If the step does not finish within this designated window, the playbook engine terminates the step and the overall playbook execution to prevent hung processes and resource exhaustion.
* Loop (B):TheLooputility is used for iterative processing (e.g., performing a lookup for every IP in a list). A playbook step can only containone Loop utility configuration. If multiple iterations are required across different data sets, they must be handled in separate steps or nested child playbooks.
* Condition (D):TheConditionutility (Decision Step logic) behaves differently when aLoopis present. If there is no loop, the condition determines if the step executes once. If a loop is present, the condition is evaluated foreach itemin the loop, effectively acting as a filter for which iterations proceed.
Why other options are incorrect:
* Variables (C):TheVariablesutility (Set Variable) is used to define new custom variables within the scope of that step for later use. It does not "store the output of the step directly in the step itself"; step outputs are automatically stored in the vars.steps.<step_name> object by the engine regardless of the utility used.
* Mock Output (E):TheMock Outpututility is used for testing and development to simulate successful data returns without actually executing a connector. It usesJSON format, not HTML, to ensure the simulated data structure matches what the playbook engine expects for downstream Jinja processing.

NEW QUESTION # 38
Which FortiAnalyzer feature uses the SIEM database for advance log analytics and monitoring?

• A. Outbreak alerts
• B. Asset Identity Center
• C. Threat hunting
• D. Event monitor

Answer: C

Explanation:
* Understanding FortiAnalyzer Features:
* FortiAnalyzer includes several features for log analytics, monitoring, and incident response.
* The SIEM (Security Information and Event Management) database is used to store and analyze log data, providing advanced analytics and insights.
* Evaluating the Options:
* Option A: Threat hunting
* Threat hunting involves proactively searching through log data to detect and isolate threats that may not be captured by automated tools.
* This feature leverages the SIEM database to perform advanced log analytics, correlate events, and identify potential security incidents.
* Option B: Asset Identity Center
* This feature focuses on asset and identity management rather than advanced log analytics.
* Option C: Event monitor
* While the event monitor provides real-time monitoring and alerting based on logs, it does not specifically utilize advanced log analytics in the way the SIEM database does for threat hunting.
* Option D: Outbreak alerts
* Outbreak alerts provide notifications about widespread security incidents but are not directly related to advanced log analytics using the SIEM database.
* Conclusion:
* The feature that uses the SIEM database for advanced log analytics and monitoring in FortiAnalyzer isThreat hunting.
References:
Fortinet Documentation on FortiAnalyzer Features and SIEM Capabilities.
Security Best Practices and Use Cases for Threat Hunting.

NEW QUESTION # 39
You are trying to create a playbook that creates a manual task showing a list of public IPv6 addresses. You were successful in extracting all IP addresses from a previous action into a variable calledip_list, which contains both private and public IPv4 and IPv6 addresses. You must now filter the results to display only public IPv6 addresses. Which two Jinja expressions can accomplish this task? (Choose two answers)

• A. {{ vars.ip_list | ipaddr('!private') | ipv6 }}
• B. {{ vars.ip_list | ipv6addr('public') }}
• C. {{ vars.ip_list | ipaddr('public') | ipv6 }}
• D. {{ vars.ip_list | ipv6 | ipaddr('public') }}

Answer: C,D

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, the playbook engine utilizes the powerful ipaddr family of Jinja filters (derived from the Ansible netaddr library) to manipulate network data. To isolate public IPv6 addresses from a mixed list, the order of operations in the filter chain ensures the correct data is extracted:
* Double Filtering Sequence (B):In the expression {{ vars.ip_list | ipaddr('public') | ipv6 }}, the first filter ipaddr('public') processes the entire list and retains only public addresses, including both IPv4 and IPv6 versions. The second filter in the pipe, | ipv6, then takes that subset of public addresses and filters them again to keep only those that conform to the IPv6 standard. The final result is a list containing only public IPv6 addresses.
* Version-First Filtering (D):In the expression {{ vars.ip_list | ipv6 | ipaddr('public') }}, the logic is reversed but equally effective. The first filter | ipv6 immediately strips all IPv4 and non-IP strings from the list, leaving only IPv6 addresses (both private and public). The subsequent filter | ipaddr('public') then evaluates these IPv6 addresses and discards any that fall within the private/unique-local ranges (like ULA or link-local), resulting in the same set of public IPv6 addresses.
Why other options are incorrect:
* A (ipv6addr 'public'):While ipv6addr is a valid filter in many Ansible environments, FortiSOAR's standard documentation for manual task creation and data manipulation primarily emphasizes the use of the generic ipaddr filter with specific flags or chained version filters (like | ipv6) to ensure cross- compatibility with the underlying Python libraries used by the SOAR engine.
* C (!private syntax):The ipaddr filter utilizes specific keywords for classification. While "not private" is the logical requirement, the filter expects positive assertions such as 'public', 'private', or 'multicast'. The
!private syntax is not a supported or documented operator for this filter within the Fortinet SOC ecosystem.

NEW QUESTION # 40
Which statement describes automation stitch integration between FortiGate and FortiAnalyzer?

• A. An automation stitch is configured on FortiAnalyzer and mapped to FortiGate using the FortiOS connector.
• B. A security profile on FortiGate triggers a violation and FortiGate sends a webhook call to FortiAnalyzer.
• C. An event handler on FortiAnalyzer is configured to send a notification to FortiGate to trigger an automation stitch.
• D. An event handler on FortiAnalyzer executes an automation stitch when an event is created.

Answer: B

Explanation:
* Overview of Automation Stitches: Automation stitches in Fortinet solutions enable automated responses to specific events detected within the network. This automation helps in swiftly mitigating threats without manual intervention.
* FortiGate Security Profiles:
* FortiGate uses security profiles to enforce policies on network traffic. These profiles can include antivirus, web filtering, intrusion prevention, and more.
* When a security profile detects a violation or a specific event, it can trigger predefined actions.
* Webhook Calls:
* FortiGate can be configured to send webhook calls upon detecting specific security events.
* A webhook is an HTTP callback triggered by an event, sending data to a specified URL. This allows FortiGate to communicate with other systems, such as FortiAnalyzer.
* FortiAnalyzer Integration:
* FortiAnalyzer collects logs and events from various Fortinet devices, providing centralized logging and analysis.
* Upon receiving a webhook call from FortiGate, FortiAnalyzer can further analyze the event, generate reports, and take automated actions if configured to do so.
* Detailed Process:
* Step 1: A security profile on FortiGate triggers a violation based on the defined security policies.
* Step 2: FortiGate sends a webhook call to FortiAnalyzer with details of the violation.
* Step 3: FortiAnalyzer receives the webhook call and logs the event.
* Step 4: Depending on the configuration, FortiAnalyzer can execute an automation stitch to respond to the event, such as sending alerts, generating reports, or triggering further actions.
Fortinet Documentation: FortiOS Automation Stitches
FortiAnalyzer Administration Guide: Details on configuring event handlers and integrating with FortiGate.
FortiGate Administration Guide: Information on security profiles and webhook configurations.
By understanding the interaction between FortiGate and FortiAnalyzer through webhook calls and automation stitches, security operations can ensure a proactive and efficient response to security events.

NEW QUESTION # 41
Refer to the exhibit.

Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)

• A. The playbook is using a FortiClient EMS connector.
• B. The playbook is using a local connector.
• C. The playbook is using a FortiMail connector.
• D. The playbook is using an on-demand trigger.

Answer: A,B

Explanation:
* Understanding the Playbook Configuration:
* The playbook named "Update Asset and Identity Database" is designed to update the FortiAnalyzer Asset and Identity database with endpoint and user information.
* The exhibit shows the playbook with three main components: ON_SCHEDULE STARTER, GET_ENDPOINTS, and UPDATE_ASSET_AND_IDENTITY.
* Analyzing the Components:
* ON_SCHEDULE STARTER:This component indicates that the playbook is triggered on a schedule, not on-demand.
* GET_ENDPOINTS:This action retrieves information about endpoints, suggesting it interacts with an endpoint management system.
* UPDATE_ASSET_AND_IDENTITY:This action updates the FortiAnalyzer Asset and Identity database with the retrieved information.
* Evaluating the Options:
* Option A:The actions shown in the playbook are standard local actions that can be executed by the FortiAnalyzer, indicating the use of a local connector.
* Option B:There is no indication that the playbook uses a FortiMail connector, as the tasks involve endpoint and identity management, not email.
* Option C:The playbook is using an "ON_SCHEDULE" trigger, which contradicts the description of an on-demand trigger.
* Option D:The action "GET_ENDPOINTS" suggests integration with an endpoint management system, likely FortiClient EMS, which manages endpoints and retrieves information from them.
* Conclusion:
* The playbook is configured to use a local connector for its actions.
* It interacts with FortiClient EMS to get endpoint information and update the FortiAnalyzer Asset and Identity database.
References:
Fortinet Documentation on Playbook Actions and Connectors.
FortiAnalyzer and FortiClient EMS Integration Guides.

NEW QUESTION # 42
Refer to the exhibits.
The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event.
Why did the Malicious File Detect playbook execution fail?

• A. The Attach Data To Incident task failed, which stopped the playbook execution.
• B. The Create Incident task was expecting a name or number as input, but received an incorrect data format
• C. The Attach_Data_To_lncident incident task wasexpecting an integer, but received an incorrect data format.
• D. The Get Events task did not retrieve any event data.

Answer: B

Explanation:
* Understanding the Playbook Configuration:
* The "Malicious File Detect" playbook is designed to create an incident when a malicious file detection event is triggered.
* The playbook includes tasks such as Attach_Data_To_Incident, Create Incident, and Get Events.
* Analyzing the Playbook Execution:
* The exhibit shows that the Create Incident task has failed, and the Attach_Data_To_Incident task has also failed.
* The Get Events task succeeded, indicating that it was able to retrieve event data.
* Reviewing Raw Logs:
* The raw logs indicate an error related to parsing input in the incident_operator.py file.
* The error traceback suggests that the task was expecting a specific input format (likely a name or number) but received an incorrect data format.
* Identifying the Source of the Failure:
* The Create Incident task failure is the root cause since it did not proceed correctly due to incorrect input format.
* The Attach_Data_To_Incident task subsequently failed because it depends on the successful creation of an incident.
* Conclusion:
* The primary reason for the playbook execution failure is that the Create Incident task received an incorrect data format, which was not a name or number as expected.
References:
Fortinet Documentation on Playbook and Task Configuration.
Error handling and debugging practices in playbook execution.

NEW QUESTION # 43
Which three are threat hunting activities? (Choose three answers)

• A. Enrich records with threat intelligence.
• B. Generate a hypothesis.
• C. Tune correlation rules.
• D. Perform packet analysis.
• E. Automate workflows.

Answer: A,B,D

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
According to the specialized threat hunting modules and frameworks withinFortiSOAR 7.6and the advanced analytics capabilities ofFortiSIEM 7.3, threat hunting is defined as a proactive, human-led search for threats that have bypassed automated security controls. The three selected activities are core components of this lifecycle:
* Generate a hypothesis (C):This is the fundamental starting point of a "Structured Hunt." Analysts develop a testable theory-based on recent threat intelligence (such as a new TTP identified by FortiGuard) or environmental risk-about how an attacker might be operating undetected in the network.
* Enrich records with threat intelligence (A):During the investigation phase, hunters use theThreat Intelligence Management (TIM)module in FortiSOAR to enrich technical data (IPs, hashes, URLs) with external context. This helps determine if an anomaly discovered during the hunt is indeed malicious or part of a known campaign.
* Perform packet analysis (D):Since advanced threats often live in the "gaps" between log files, hunters frequently perform deep-packet or network-flow analysis using FortiSIEM's query tools or integrated NDR (Network Detection and Response) data to identify suspicious lateral movement or C2 (Command and Control) communication patterns that standard alerts might miss.
Why other options are excluded:
* Automate workflows (B):While SOAR is designed for automation, the act of "automating" is a DevOps or SOC engineering task. Threat hunting itself is a proactive investigation; while playbooks canassista hunter (e.g., by automating the data gathering), the act of hunting remains a manual or semi-automated cognitive process.
* Tune correlation rules (E):Tuning rules is areactivemaintenance task or a "post-hunt" activity. Once a threat hunter finds a new attack pattern, they will then tune SIEM correlation rules to ensure that specific threat is detected automatically in the future. The tuning is theresultof the hunt, not the activity of hunting itself.

NEW QUESTION # 44
Refer to the exhibit.

You are trying to find traffic flows to destinations that are in Europe or Asia, for hosts in the local LAN segment. However, the query returns no results. Assume these logs exist on FortiSIEM.
Which three mistakes can you see in the query shown in the exhibit? (Choose three answers)

• A. There are missing parentheses between the first row (Group: Europe) and the second row (Group: Asia).
• B. The null value cannot be used with the IS NOT operator.
• C. The Source IP row operator must be BETWEEN 10.0.0.0, 10.200.200.254.
• D. The logical operator for the first row (Group: Europe) must be OR.
• E. The time range must be Absolute for queries that use configuration management database (CMDB) groups.

Answer: A,C,D

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
Analyzing theQuery Configurationexhibit in the context of FortiSIEM 7.3 search logic reveals several syntax and logical errors that prevent the query from returning results:
* Logical Operator Error (E):The user intends to find traffic to EuropeORAsia. In the exhibit, the first row (Group: Europe) is followed by a defaultANDoperator. This forces the query to look for a single flow where the destination is simultaneously in Europe and Asia, which is logically impossible. It must be changed toOR.
* Missing Parentheses (C):When combiningORandANDlogic in FortiSIEM, parentheses are required to define the order of operations. Without them, the query might evaluate "Asia AND Destination Country IS NOT null AND Source IP IN..." first. To correctly find (Europe OR Asia) that also matches the LAN segment, parentheses must group the first two rows.
* Incorrect Operator for IP Range (D):The exhibit uses theINoperator for the value 10.0.0.0,
10.200.200.254. In FortiSIEM, theINoperator is used for a comma-separated list of specific values or CMDB groups. To specify a continuous range of IP addresses (the "LAN segment"), theBETWEENoperator must be used.
Why other options are incorrect:
* IS NOT null (A):In FortiSIEM, "IS NOT null" is a valid operator/value combination used to ensure a specific attribute has been successfully parsed and populated in the event record.
* Time Range (B):There is no requirement for a time range to be "Absolute" when using CMDB groups;
"Relative" time ranges (like the "Last 30 Days" shown) are commonly used and fully supported for such queries.
SOC Concepts and Frameworks

NEW QUESTION # 45
Refer to the exhibit.

What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1] | [slot 2] [slot 3].[slot 4] }}
Select the Jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot.

Answer:

Explanation:

Explanation:
Slot 1:dataSlot 2:json_querySlot 3:("results[?type=='FileHash-MD5']")Slot 4:value Final Expression: {{ vars.artifacts.data | json_query("results[?type=='FileHash-MD5']") .value }} Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, advanced data manipulation within playbooks often requires the use ofJMESPathqueries via the json_query Jinja filter. To extract specific data from a complex JSON object (like the vars.artifacts dictionary shown in the exhibit), the analyst must follow the structural hierarchy:
* Slot 1 (data):Based on the exhibit, the root of the artifact information is located under vars.artifacts.
data. Therefore, "data" is the starting point for the filter.
* Slot 2 (json_query):To perform advanced filtering (searching for a specific type), the json_query filter must be applied. This allows the playbook to traverse the list and find items matching a specific key- value pair.
* Slot 3 ("results[?type=='FileHash-MD5']"):This is the JMESPath expression. It looks into the results array and applies a filter [?...] to find only those objects where the type attribute exactly matches FileHash-MD5.
* Slot 4 (value):Once the correct object(s) are found, the expression needs to return the actual hash. In the JSON exhibit, the MD5 string is stored in the key named value.
Why other options are incorrect:
* tojson:This filter converts a dictionary/list into a JSON string, which would break the ability to further query the object for the "value" field.
* results (as a standalone slot):While "results" is part of the path, it is handledinsidethe json_query string to allow for conditional filtering.

NEW QUESTION # 46
Which two best practices should be followed when exporting playbooks in FortiAnalyzer? (Choose two answers)

• A. Ensure the exported playbook's names do not exist in the target ADOM.
• B. Disable playbooks before exporting them.
• C. Include the associated connector settings.
• D. Move playbooks between ADOMs rather than exporting playbooks and re-importing them.

Answer: B,C

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
According to theFortiAnalyzer 7.4 SOC Analystofficial training material (Lesson 5: Automation) and supporting documentation forFortiSOAR 7.6andFortiSIEM 7.3integration, the following best practices are recommended for playbook portability:
* Disable playbooks before exporting (A):When a playbook is exported, its current status (Enabled or Disabled) is preserved in the export file. If anEnabledplaybook is imported into a destination ADOM where its trigger conditions are immediately met, it will start executing automatically. Disabling the playbook before export is a critical best practice to prevent unintended automated actions from occurring in the new environment before the analyst has had a chance to verify local configurations.
* Include the associated connector settings (B):FortiAnalyzer allows you to include required connector configurations during the export process. By selecting this option, the exported file includes the necessary metadata and configurations for the connectors that the playbook relies on to execute its tasks. This ensures the playbook remains functional and portable across different FortiAnalyzer units or ADOMs without requiring the manual recreation of every connector.
Why other options are incorrect:
* Move playbooks between ADOMs (C):There is no native "Move" function for automation playbooks between ADOMs in the same sense as moving a device. The standard supported workflow for transferring automation logic is theExport and Importprocess.
* Ensure names do not exist in target (D):While maintaining unique names is good practice, it is not a required "best practice" for the export process itself because FortiAnalyzer automatically handles name conflicts. If an imported playbook shares a name with an existing one, the system automatically appends atimestampto the new playbook's name to avoid a conflict.

NEW QUESTION # 47
Which two ways can you create an incident on FortiAnalyzer? (Choose two answers)

• A. Using a connector action
• B. By running a playbook
• C. Manually, on the Event Monitor page
• D. Using a custom event handler

Answer: B,D

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiAnalyzer 7.6and related SOC versions, incidents serve as centralized containers for tracking and analyzing security events. There are two primary automated and manual methods to initiate an incident:
* Using a custom event handler (A):In FortiAnalyzer, event handlers are used to generate events from raw logs.1A critical feature in recent versions is theAutomatically Create Incidentsetting within a custom event handler.2When enabled, the system automatically elevates a triggered event into a new incident record, allowing analysts to bypass the manual review of every individual event before an incident is raised.3
* By running a playbook (D):Playbooks provide a powerful way to automate the incident lifecycle.4A playbook can be configured with anEvent Trigger, meaning it executes as soon as an event matches specific criteria. One of the core actions available within these playbooks is theCreate Incidentaction, which can automatically populate incident details, severity, and category based on the triggering event's data.5This ensures high-fidelity events are consistently captured for investigation.
Why other options are incorrect:
* Using a connector action (B):While connectors allow FortiAnalyzer to communicate with external systems (like ITSM or Security Fabric devices), the act of "creating an incident"insideFortiAnalyzer is a function of the internal event engine or playbook automation, not a standalone connector action used for external integration.
* Manually, on the Event Monitor page (C):While you can view, filter, and acknowledge events on theEvent Monitorpage, the process ofmanuallyraising an incident typically occurs from theIncidentsmodule or by right-clicking an event to "Raise Incident" in the Log View or FortiView, rather than being a core function defined as occurring "on the Event Monitor page" in the same architectural sense as handlers and playbooks.

NEW QUESTION # 48
Refer to the exhibits.
The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.
Why is the FortiMail Sender Blocklist playbook execution failing7

• A. The connector credentials are incorrect
• B. You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.
• C. FortiMail is expecting a fully qualified domain name (FQDN).
• D. The client-side browser does not trust the FortiAnalzyer self-signed certificate.

Answer: C

Explanation:
* Understanding the Playbook Configuration:
* The playbook "FortiMail Sender Blocklist" is designed to manually input email addresses or IP addresses and add them to the FortiMail block list.
* The playbook uses a FortiMail connector with the action ADD_SENDER_TO_BLOCKLIST.
* Analyzing the Playbook Execution:
* The configuration and actions provided show that the playbook is straightforward, starting with an ON_DEMAND STARTER and proceeding to the ADD_SENDER_TO_BLOCKLIST action.
* The action description indicates it is intended to block senders based on email addresses or domains.
* Evaluating the Options:
* Option A:Using GET_EMAIL_STATISTICS is not required for the task of adding senders to a block list. This action retrieves email statistics and is unrelated to the block list configuration.
* Option B:The primary reason for failure could be the requirement for a fully qualified domain name (FQDN). FortiMail typically expects precise information to ensure the correct entries are added to the block list.
* Option C:The trust level of the client-side browser with FortiAnalyzer's self-signed certificate does not impact the execution of the playbook on FortiMail.
* Option D:Incorrect connector credentials would result in an authentication error, but the problem described is more likely related to the format of the input data.
* Conclusion:
* The FortiMail Sender Blocklist playbook execution is failing because FortiMail is expecting a fully qualified domain name (FQDN).
References:
Fortinet Documentation on FortiMail Connector Actions.
Best Practices for Configuring FortiMail Block Lists.

NEW QUESTION # 49
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence. Select each workflow component in the left column, hold and drag it to a blank position in the column on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column.

Answer:

Explanation:

Explanation:
1.FortiSIEM incident2.FortiSOAR alert3.FortiSOAR indicator4.FortiSOAR incident In the standard integration betweenFortiSIEM 7.3andFortiSOAR 7.6, the data ingestion wizard follows a specific object mapping hierarchy to ensure that high-fidelity security events are managed correctly.
* Step 1: FortiSIEM incident:The workflow begins in FortiSIEM. When a correlation rule triggers, it generates anIncident(not just a raw log). The FortiSOAR connector polls the FortiSIEM API specifically for these incident records.
* Step 2: FortiSOAR alert:By default, ingested FortiSIEM incidents are mapped to theAlertsmodule in FortiSOAR. This serves as a "triage" layer where automated playbooks can perform initial analysis before a human determines if it warrants a full-scale investigation.
* Step 3: FortiSOAR indicator:As the alert is processed (either during ingestion or immediately after), the playbook extracts technical artifacts (IPs, hashes, URLs) and createsIndicatorrecords. This allows for automated threat intelligence lookups and cross-referencing against other alerts.
* Step 4: FortiSOAR incident:If the alert is validated (either through automated playbook scoring or manual analyst review), it is promoted to aFortiSOAR Incident. This represents a confirmed security issue that requires formal tracking, remediation, and reporting.

NEW QUESTION # 50
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)

• A. {{ vars.steps.<variable_name> }}
• B. {{ vars.input.params.<variable_name> }}
• C. {{ vars.item.<variable_name> }}
• D. {{ globalVars.<variable_name> }}

Answer: B

Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, the playbook engine utilizes Jinja2 expressions to handle dynamic data. When a playbook is configured with aManual Trigger, the administrator can define input fields (such as text, picklists, or checkboxes) that an analyst must fill out when executing the playbook from a record.
* Input Parameter Mapping:Any data entered by the user during this manual trigger phase is automatically mapped to the input.params dictionary within the vars object. Therefore, the syntax to retrieve a specific input value is {{ vars.input.params.variable_name }}.
* Scope of Variables:This specific path ensures that the variable is pulled from the initial user input rather than from the output of a subsequent step (vars.steps) or a globally defined variable (globalVars).

NEW QUESTION # 51
Refer to the exhibits.
What can you conclude from analyzing the data using the threat hunting module?

• A. Spearphishing is being used to elicit sensitive information.
• B. Reconnaissance is being used to gather victim identity information from the mail server.
• C. FTP is being used as command-and-control (C&C) technique to mine for data.
• D. DNS tunneling is being used to extract confidential data from the local network.

Answer: D

Explanation:
* Understanding the Threat Hunting Data:
* The Threat Hunting Monitor in the provided exhibits shows various application services, their usage counts, and data metrics such as sent bytes, average sent bytes, and maximum sent bytes.
* The second part of the exhibit lists connection attempts from a specific source IP (10.0.1.10) to a destination IP (8.8.8.8), with repeated "Connection Failed" messages.
* Analyzing the Application Services:
* DNS is the top application service with a significantly high count (251,400) and notable sent bytes (9.1 MB).
* This large volume of DNS traffic is unusual for regular DNS queries and can indicate the presence of DNS tunneling.
* DNS Tunneling:
* DNS tunneling is a technique used by attackers to bypass security controls by encoding data within DNS queries and responses. This allows them to extract data from the local network without detection.
* The high volume of DNS traffic, combined with the detailed metrics, suggests that DNS tunneling might be in use.
* Connection Failures to 8.8.8.8:
* The repeated connection attempts from the source IP (10.0.1.10) to the destination IP (8.8.8.8) with connection failures can indicate an attempt to communicate with an external server.
* Google DNS (8.8.8.8) is often used for DNS tunneling due to its reliability and global reach.
* Conclusion:
* Given the significant DNS traffic and the nature of the connection attempts, it is reasonable to conclude that DNS tunneling is being used to extract confidential data from the local network.
* Why Other Options are Less Likely:
* Spearphishing (A): There is no evidence from the provided data that points to spearphishing attempts, such as email logs or phishing indicators.
* Reconnaissance (C): The data does not indicate typical reconnaissance activities, such as scanning or probing mail servers.
* FTP C&C (D): There is no evidence of FTP traffic or command-and-control communications using FTP in the provided data.
SANS Institute: "DNS Tunneling: How to Detect Data Exfiltration and Tunneling Through DNS Queries" SANS DNS Tunneling OWASP: "DNS Tunneling" OWASP DNS Tunneling By analyzing the provided threat hunting data, it is evident that DNS tunneling is being used to exfiltrate data, indicating a sophisticated method of extracting confidential information from the network.

NEW QUESTION # 52
......

Valid NSE7_SOC_AR-7.6 Dumps for Helping Passing Fortinet Exam: https://vcetorrent.examtorrent.com/NSE7_SOC_AR-7.6-prep4sure-dumps.html