Fortinet NSE7_SOC_AR-7.6 - Fortinet NSE 7 - Security Operations 7.6 Architect Exam
Total 38 questions
Question #6 (Topic: Exam A)
Which three are threat hunting activities? (Choose three.)
A. Generate a hypothesis.
B. Tune correlation rules.
C. Perform packet analysis.
D. Automate workflows.
E. Enrich records with threat intelligence.
Answer: ACE
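The three correct options describe one hunting loop: state a hypothesis, enrich the records you have with threat intelligence, and inspect what the enrichment surfaces. Tuning correlation rules and automating workflows are engineering and SOAR tasks, not hunting. The following is an added example, not from the exam or from Fortinet, that walks through that loop over constructed connection records and a constructed indicator set (all IPs, domains, feed names and confidence values are made up for illustration; the hypothesis and the 70-point confidence threshold are assumptions of this example).

```python
"""Hypothesis-driven hunt: enrich connection records with a threat-intel
indicator set, then keep only records that match the stated hypothesis.
Added example; the data below is constructed and not from any real feed."""
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed keyed by indicator type. Real feeds also carry
# first/last-seen and a reference, omitted here to keep the example short.
THREAT_INTEL = {
    "ip": {"203.0.113.45": {"source": "feed-a", "tag": "c2-beacon", "confidence": 80}},
    "cidr": {"198.51.100.0/24": {"source": "feed-b", "tag": "bulletproof-hosting", "confidence": 60}},
    "domain": {"update-checker.example": {"source": "feed-a", "tag": "malware-dist", "confidence": 90}},
}


@dataclass
class Record:
    """One outbound connection as a SIEM might export it (constructed fields)."""
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_host: str = ""
    bytes_out: int = 0


def enrich(record: Record) -> dict:
    """Return the record's fields plus an 'intel' list of matching indicators.
    Exact-IP, CIDR and domain indicators are all checked so that a host hidden
    behind a CIDR-only indicator is not missed."""
    hits = []
    ip_ctx = THREAT_INTEL["ip"].get(record.dst_ip)
    if ip_ctx:
        hits.append({"indicator": record.dst_ip, **ip_ctx})
    for cidr, ctx in THREAT_INTEL["cidr"].items():
        if ip_address(record.dst_ip) in ip_network(cidr):
            hits.append({"indicator": cidr, **ctx})
    if record.dst_host:
        dom_ctx = THREAT_INTEL["domain"].get(record.dst_host.lower())
        if dom_ctx:
            hits.append({"indicator": record.dst_host, **dom_ctx})
    return {**asdict(record), "intel": hits}


def hunt(records, min_confidence: int = 70) -> list:
    """Hypothesis (assumed for this example): internal hosts are contacting
    high-confidence known-bad infrastructure on non-web ports.
    Low-confidence hits are kept in the enrichment but do not trigger a finding,
    so the analyst sees the context without drowning in feed noise."""
    findings = []
    for r in records:
        enriched = enrich(r)
        strong = [h for h in enriched["intel"] if h["confidence"] >= min_confidence]
        if strong and r.dst_port not in (80, 443):
            findings.append(enriched)
    return findings


def summarize(findings) -> dict:
    """Count findings per source host; repeated contacts to the same indicator
    are what turn a single hit into something worth pivoting on."""
    counts = {}
    for f in findings:
        counts[f["src_ip"]] = counts.get(f["src_ip"], 0) + 1
    return counts


# Constructed sample records for the hunt.
SAMPLE_RECORDS = [
    Record("2024-05-01T10:00:00Z", "10.0.0.5", "203.0.113.45", 8443, bytes_out=512),
    Record("2024-05-01T10:00:05Z", "10.0.0.7", "198.51.100.9", 443, "cdn.example"),
    Record("2024-05-01T10:00:09Z", "10.0.0.9", "192.0.2.10", 22),
    Record("2024-05-01T10:01:00Z", "10.0.0.5", "203.0.113.45", 8443, bytes_out=520),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["ts"], f["src_ip"], "->", f["dst_ip"], [h["tag"] for h in f["intel"]])
    print(summarize(hunt(SAMPLE_RECORDS)))
```

Only the two connections from 10.0.0.5 to the high-confidence C2 indicator on port 8443 satisfy the hypothesis; the 198.51.100.9 contact is enriched with the low-confidence CIDR hit but is not reported, which is the distinction between enrichment (option E) and the hypothesis test built on top of it (option A).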
Question #7 (Topic: Exam A)
DRAG DROP
Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence.
Select each workflow component in the left column, hold and drag it to a blank position on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop four workflow components in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.
Answer:
Question #8 (Topic: Exam A)
Refer to the exhibit.

You are investigating an open incident and want to add records from the Tickets module, a custom module, to the visual correlation widget. Assume there are already linked ticket records to the incident.
How do you accomplish this?
A. Edit the incident template and add the Tickets module to the graph.
B. Define move module relationships under Correlation Settings.
C. Tag ticket records with the incident ID.
D. Ingest ticket records through a custom connector.
Answer: A
Question #9 (Topic: Exam A)
Refer to the exhibit.

You created a new playbook and executed it as a test. However, it failed to run. You want to investigate, but you do not see details about the error.
What is the reason for the lack of details?
A. The connector is deactivated.
B. The playbook logging level must be debug.
C. The Ignore Error option is enabled.
D. The user that executed the playbook does not have the necessary permissions.
Answer: B
Question #10 (Topic: Exam A)
Refer to the exhibit.

You configured a playbook named False Positive Close, and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed.
Which two reasons could be the cause of the problem? (Choose two.)
A. The manual trigger is configured to require record input to run.
B. The playbook must first be published using the Application Editor.
C. The Alerts module is not among the list of modules the playbook can execute on.
D. Another instance of the playbook is currently executing.
Answer: AC