NSE7_SOC_AR-7.6 Fortinet NSE 7 - Security Operations 7.6 Architect Free Practice Exam Questions (2026 Updated)

Role of a Threat Hunter:

A threat hunter proactively searches for cyber threats that have evaded traditional security defenses. This role is crucial in identifying sophisticated and stealthy adversaries that bypass automated detection systems.

Key Responsibilities:

Proactive Threat Identification:

Threat hunters use advanced tools and techniques to identify hidden threats within the network. This includes analyzing anomalies, investigating unusual behaviors, and utilizing threat intelligence.

Understanding the Playbook Requirements:

The SOC analyst needs to design a playbook that filters for high severity events.

The playbook must also attach the event information to an existing incident.

Analyzing the Provided Exhibit:

The exhibit shows the available actions for a local connector within the playbook.

Actions listed include:

Update Asset and Identity

Get Events

Get Endpoint Vulnerabilities

Create Incident

Update Incident

Attach Data to Incident

Run Report

Get EPEU from Incident

Evaluating the Options:

Get Events:This action retrieves events but does not attach them to an incident.

Update Incident:This action updates an existing incident but is not specifically for attaching event data.

Update Asset and Identity:This action updates asset and identity information, not relevant for attaching event data to an incident.

Attach Data to Incident:This action is explicitly designed to attach additional data, such as event information, to an existing incident.

Conclusion:

The correct action to use in the playbook for filtering high severity events and attaching the event information to an incident isAttach Data to Incident.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

InFortiSIEM 7.3, theTriggering Eventsview is a dynamic table that displays the individual logs that caused a specific rule to fire. To manage the visibility of data within this specific view:

Interface Customization:The "Triggering Events" tab includes a column management feature. By clicking on the column headers or the table settings icon (typically found at the top right of the event list), an analyst cancustomize the display columns. This allows the user to uncheck the "Reporting IP" attribute, effectively hiding it from the view without altering the underlying data or rule logic.

Operational Efficiency:This is a common task in environments with a simplified topology where the "Reporting IP" is redundant information. Customizing the view helps the analyst focus on the most relevant data points, such as "Source IP," "Destination IP," and "Destination Port."

Why other options are incorrect:

A (Incident Action):Clearing a field from the Incident Action configuration affects what data is sent in an email alert or passed to a SOAR platform, but it does not change the layout of the FortiSIEM GUI "Triggering Events" page.

B (Disable Correlation):Disabling correlation for an attribute determines whether that attribute is used by the rules engine to group events. It does not control the visual display of columns in the incident dashboard.

C (Parsing Rules):Removing attributes via parsing rules is a destructive process that prevents the SIEM from indexing that data entirely. This would make the "Reporting IP" unavailable for all searches and reports, which is excessive for a simple display preference.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

In a modern Security Operations Center (SOC) environment powered byFortiSIEM 7.3andFortiSOAR 7.6, the efficiency of the incident response lifecycle depends on two primary pillars of analysis:

Accurate detection of threats (A):The primary goal of a SOC is to identify genuine malicious activity. Using FortiSIEM's correlation rules and machine learning (UEBA), the system must be tuned to detect patterns that signify real risk. Accuracy ensures that the SOC is not blinded by noise and can focus on critical security events that impact the organization's posture.

Rapid identification of false positives (C):"Alert Fatigue" is one of the greatest challenges in a SOC. Analysts must be able to quickly distinguish between legitimate anomalies (false positives) and actual threats.FortiSOARassists in this by using automated playbooks to perform initial triage and "pre-processing"—such as checking IP reputations or verifying user activity—to automatically close or demote alerts that do not represent a true threat, thereby freeing up analysts for high-priority investigations.

Why other options are incorrect:

Immediate escalation for all alerts (B):This is a poor SOC practice. Escalating every alert without triage leads to analyst burnout and overloads senior responders with low-value tasks. The goal of a tiered SOC (Tier 1, Tier 2, Tier 3) is to filter alerts so only significant incidents are escalated.

Periodic system downtime (D):SOC systems (SIEM/SOAR) are considered "Mission Critical" and must operate on a24/7/365basis. Maintenance should be performed using High Availability (HA) configurations or during "low-flow" windows without causing a complete stop in monitoring, as attackers often leverage downtime to strike.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

According to theFortiAnalyzer 7.4 SOC Analystofficial training material (Lesson 5: Automation) and supporting documentation forFortiSOAR 7.6andFortiSIEM 7.3integration, the following best practices are recommended for playbook portability:

Disable playbooks before exporting (A):When a playbook is exported, its current status (Enabled or Disabled) is preserved in the export file. If anEnabledplaybook is imported into a destination ADOM where its trigger conditions are immediately met, it will start executing automatically. Disabling the playbook before export is a critical best practice to prevent unintended automated actions from occurring in the new environment before the analyst has had a chance to verify local configurations.

Include the associated connector settings (B):FortiAnalyzer allows you to include required connector configurations during the export process. By selecting this option, the exported file includes the necessary metadata and configurations for the connectors that the playbook relies on to execute its tasks. This ensures the playbook remains functional and portable across different FortiAnalyzer units or ADOMs without requiring the manual recreation of every connector.

Why other options are incorrect:

Move playbooks between ADOMs (C):There is no native "Move" function for automation playbooks between ADOMs in the same sense as moving a device. The standard supported workflow for transferring automation logic is theExport and Importprocess.

Ensure names do not exist in target (D):While maintaining unique names is good practice, it is not a required "best practice" for the export process itself because FortiAnalyzer automatically handles name conflicts. If an imported playbook shares a name with an existing one, the system automatically appends atimestampto the new playbook's name to avoid a conflict.

Overview of Automation Stitches: Automation stitches in Fortinet solutions enable automated responses to specific events detected within the network. This automation helps in swiftly mitigating threats without manual intervention.

FortiGate Security Profiles:

FortiGate uses security profiles to enforce policies on network traffic. These profiles can include antivirus, web filtering, intrusion prevention, and more.

When a security profile detects a violation or a specific event, it can trigger predefined actions.

Webhook Calls:

FortiGate can be configured to send webhook calls upon detecting specific security events.

A webhook is an HTTP callback triggered by an event, sending data to a specified URL. This allows FortiGate to communicate with other systems, such as FortiAnalyzer.

FortiAnalyzer Integration:

FortiAnalyzer collects logs and events from various Fortinet devices, providing centralized logging and analysis.

Upon receiving a webhook call from FortiGate, FortiAnalyzer can further analyze the event, generate reports, and take automated actions if configured to do so.

Detailed Process:

Step 1: A security profile on FortiGate triggers a violation based on the defined security policies.

Step 2: FortiGate sends a webhook call to FortiAnalyzer with details of the violation.

Step 3: FortiAnalyzer receives the webhook call and logs the event.

Step 4: Depending on the configuration, FortiAnalyzer can execute an automation stitch to respond to the event, such as sending alerts, generating reports, or triggering further actions.

Fortinet Documentation: FortiOS Automation Stitches

FortiAnalyzer Administration Guide: Details on configuring event handlers and integrating with FortiGate.

FortiGate Administration Guide: Information on security profiles and webhook configurations.

By understanding the interaction between FortiGate and FortiAnalyzer through webhook calls and automation stitches, security operations can ensure a proactive and efficient response to security events.

Understanding Incident Creation in FortiAnalyzer:

FortiAnalyzer allows for the creation of incidents to track and manage security events.

Incidents can be created both automatically and manually based on detected events and predefined rules.

Analyzing the Methods:

Option A:Using a connector action typically involves integrating with other systems or services and is not a direct method for creating incidents on FortiAnalyzer.

Option B:Incidents can be created manually on the Event Monitor page by selecting relevant events and creating incidents from those events.

Option C:While playbooks can automate responses and actions, the direct creation of incidents is usually managed through event handlers or manual processes.

Option D:Custom event handlers can be configured to trigger incident creation based on specific events or conditions, automating the process within FortiAnalyzer.

Conclusion:

The two valid methods for creating an incident on FortiAnalyzer are manually on the Event Monitor page and using a custom event handler.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

In accordance with the MITRE ATT&CK mapping utilized byFortiSIEM 7.3andFortiSOAR 7.6, the described behaviors correspond to the following techniques:

Non-Standard Port (T1571):This technique involves adversaries communicating using a protocol and port pairing that are typically not associated. The incident report identifies HTTPS (TLS) traffic running onTCP 8443rather than the standard port 443.FortiSIEMspecifically includes built-in correlation rules, such as "Suspicious Typical Malware Back Connect Ports," designed to detect these protocol-port mismatches.

Exfiltration Over Alternative Protocol (T1048):This technique describes adversaries stealing data by exfiltrating it over a different protocol than the primary command and control (C2) channel. In this scenario, while the C2 channel is established via HTTPS on port 8443, the adversary is transferring staged files usingDNS queries with oversized TXT payloads. DNS is a common "alternative protocol" used to bypass standard data transfer monitoring and egress filtering.

Analysis of Incorrect Options:

Exploitation of Remote Services (B):This technique falls underInitial AccessorLateral Movementtactics, focusing on gaining entry into a system via vulnerabilities in network services like SMB or RDP. It does not apply to the maintenance of an established C2 channel or the exfiltration of data.

Hide Artifacts (D):This is aDefense Evasiontechnique where an adversary attempts to conceal their presence by removing traces such as log files or registry keys. While the attacker is "imitating normal traffic," the specific acts of using a non-standard port and DNS exfiltration are primary behavioral signatures defined by their own more specific techniques.

Overview of Indicators of Compromise (IoCs): Indicators of Compromise (IoCs) are pieces of evidence that suggest a system may have been compromised. These can include unusual network traffic patterns, the presence of known malicious files, or other suspicious activities.

FortiAnalyzer's Role: FortiAnalyzer aggregates logs from various Fortinet devices to provide comprehensive visibility and analysis of network events. It uses these logs to identify potential IoCs and compromised hosts.

Relevant Log Types:

DNS Filter Logs:

DNS requests are a common vector for malware communication. Analyzing DNS filter logs helps in identifying suspicious domain queries, which can indicate malware attempting to communicate with command and control (C2) servers.

Understanding FortiAnalyzer Fabric Topology:

The FortiAnalyzer Fabric topology is designed to centralize logging and analysis across multiple devices in a network.

It involves a hierarchy where the supervisor node manages and coordinates with other Fabric members.

Analyzing the Options:

Option A:Downstream collectors forwarding logs to Fabric members is not a typical configuration. Instead, logs are usually centralized to the supervisor.

Option B:For effective management and log centralization, logging devices must be registered to the supervisor. This ensures proper log collection and coordination.

Option C:The supervisor does not primarily use an API to store logs, incidents, and events locally. Logs are stored directly in the FortiAnalyzer database.

Option D:For the Fabric topology to function correctly, all Fabric members need to be in analyzer mode. This mode allows them to collect, analyze, and forward logs appropriately within the topology.

Conclusion:

The correct statements regarding the FortiAnalyzer Fabric topology are that logging devices must be registered to the supervisor and that Fabric members must be in analyzer mode.

Understanding Playbook Variables:

Playbook tasks in Security Operations Center (SOC) playbooks use variables to pass and manipulate data between different steps in the automation process.

Variables help in dynamically handling data, making the playbook more flexible and adaptive to different scenarios.

Types of Variables:

Input Variables:

Input variables are used to provide data to a playbook task. These variables can be set manually or derived from previous tasks.

They act as parameters that the task will use to perform its operations.

Output Variables:

Output variables store the result of a playbook task. These variables can then be used as inputs for subsequent tasks.

They capture the outcome of the task's execution, allowing for the dynamic flow of information through the playbook.

Other Options:

Create:Not typically referred to as a type of variable in playbook tasks. It might refer to an action but not a variable type.

Trigger:Refers to the initiation mechanism of the playbook or task (e.g., an event trigger), not a type of variable.

Conclusion:

The two types of variables used in playbook tasks areinputandoutput.

Understanding FortiAnalyzer Data Policy and Disk Utilization:

FortiAnalyzer uses data policies to manage log storage, retention, and disk utilization.

The Data Policy section indicates how long logs are kept for analytics and archive purposes.

The Disk Utilization section specifies the allocated disk space and the proportions used for analytics and archive, as well as when alerts should be triggered based on disk usage.

Analyzing the Provided Exhibit:

Keep Logs for Analytics:60 Days

Keep Logs for Archive:120 Days

Disk Allocation:300 GB (with a maximum of 441 GB available)

Analytics: Archive Ratio:30% : 70%

Alert and Delete When Usage Reaches:90%

Potential Problems Identification:

Disk Space Allocation:The allocated disk space is 300 GB out of a possible 441 GB, which might not be insufficient if the log volume is high, but it is not the primary concern based on the given data.

Analytics-to-Archive Ratio:The ratio of 30% for analytics and 70% for archive is unconventional. Typically, a higher percentage is allocated for analytics since real-time or recent data analysis is often prioritized. A common configuration might be a 70% analytics and 30% archive ratio. The misconfigured ratio can lead to insufficient space for analytics, causing issues with real-time monitoring and analysis.

Retention Periods:While the retention periods could be seen as lengthy, they are not necessarily indicative of a problem without knowing the specific log volume and compliance requirements. The length of these periods can vary based on organizational needs and legal requirements.

Conclusion:

Based on the analysis, the primary issue observed is theanalytics-to-archive ratiobeing misconfigured. This misconfiguration can significantly impact the effectiveness of the FortiAnalyzer in real-time log analysis, potentially leading to delayed threat detection and response.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

To establish a successful integration betweenFortiSOAR 7.6and aFortiGatefirewall via the FortiGate connector, specific administrative and network requirements must be met on the FortiGate side:

API Administrator and Key (D):FortiSOAR does not use standard UI login credentials. Instead, it requires aREST API Administratoraccount to be created on the FortiGate. This account must be assigned an administrative profile with the necessary permissions (e.g., Read/Write for Firewall policies or Address objects). Upon creation, the FortiGate generates a uniqueAPI Key, which must be entered into the "API Key" field of the FortiSOAR configuration wizard as shown in the exhibit.

HTTPS Management Access (C):The connector communicates with the FortiGate using REST API calls overHTTPS(port 443 by default). Therefore, the physical or logical interface on the FortiGate that corresponds to the "Hostname" IP (172.16.200.1) must haveHTTPSenabled under "Administrative Access" in its network settings. If HTTPS is disabled, the connection will time out or be refused.

Why other options are incorrect:

Trusted hosts (A):While it is a best practice to restrict API access to specific IPs (like the FortiSOAR IP), the integration can technically function without "Trusted hosts" enabled if the network allows the traffic. However, theabsenceof an API key or HTTPS access will definitively cause a failure regardless of trusted host settings.

VDOM name (B):In the exhibit, the VDOM field contains multiple values ("VDOM_1", "VDOM_2"). If VDOMs are disabled on the FortiGate, this field should generally be left blank or set to the default "root." Setting it specifically to "VDOM_1" when VDOMs are disabled is not a universal requirement for connectivity; the primary handshake depends on the API key and HTTPS connectivity.

Understanding the MITRE ATT&CK Framework:

The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by adversaries to achieve their objectives.

It is widely used for understanding adversary behavior, improving defense strategies, and conducting security assessments.

Analyzing the Options:

Option A:The framework provides detailed technical descriptions of adversary activities, including specific techniques and subtechniques.

Option B:The framework includes information about mitigations and detections for each technique and subtechnique, providing comprehensive guidance.

Option C:MITRE ATT&CK covers a wide range of attack vectors, including those targeting user endpoints, network devices, and servers.

Option D:Some techniques or subtechniques do indeed fall under multiple tactics, reflecting the complex nature of adversary activities that can serve different objectives.

Conclusion:

The statement that best describes the MITRE ATT&CK framework is that it contains some techniques or subtechniques that fall under more than one tactic.

Requirement Analysis:

The objective is to inventory all software and applications running on all Windows devices within the organization.

This inventory must be comprehensive and accurate to pass the security audit.

Key Components:

FortiClient EMS (Endpoint Management Server):

FortiClient EMS provides centralized management of endpoint security, including software and application inventory on Windows devices.

It allows administrators to monitor, manage, and report on all endpoints protected by FortiClient.

Connector Options:

FortiClient EMS:

Best suited for managing and reporting on endpoint software and applications.

Provides detailed inventory reports for all managed endpoints.

Selected as it directly addresses the requirement of taking inventory of software and applications on Windows devices.

ServiceNow:

Primarily a service management platform.

While it can be used for asset management, it is not specifically tailored for endpoint software inventory.

Not selected as it does not provide direct endpoint inventory management.

FortiCASB:

Focuses on cloud access security and monitoring SaaS applications.

Not applicable for managing or inventorying endpoint software.

Not selected as it is not related to endpoint software inventory.

Local Host:

Refers to handling events and logs within FortiAnalyzer itself.

Not specific enough for detailed endpoint software inventory.

Not selected as it does not provide the required endpoint inventory capabilities.

Implementation Steps:

Step 1: Ensure all Windows devices are managed by FortiClient and connected to FortiClient EMS.

Step 2: Use FortiClient EMS to collect and report on the software and applications installed on these devices.

Step 3: Generate inventory reports from FortiClient EMS to meet the audit requirements.

Fortinet Documentation on FortiClient EMS FortiClient EMS Administration Guide

By using the FortiClient EMS connector, you can effectively inventory all software and applications on Windows devices, ensuring compliance with the security audit requirements.

Understanding the Custom Event Handler Configuration:

The event handler is set up to generate events based on specific log data.

The goal is to generate events specifically for spam emails detected by FortiMail.

Analyzing the Issue:

The event handler is currently generating events for both spam emails and clean emails.

This indicates that the rule's filtering criteria are not correctly distinguishing between spam and non-spam emails.

Evaluating the Options:

Option A:Selecting the "Anti-Spam Log (spam)" in the Log Type field will ensure that only logs related to spam emails are considered. This is the most straightforward and accurate way to filter for spam emails.

Option B:Typing type==spam in the Log filter by Text field might help filter the logs, but it is not as direct and reliable as selecting the correct log type.

Option C:Disabling the rule to use the filter in the data selector to create the event does not address the issue of filtering for spam logs specifically.

Option D:Selecting "Within a group, the log field Spam Name (snane) has 2 or more unique values" is not directly relevant to filtering spam logs and could lead to incorrect filtering criteria.

Conclusion:

The correct change to make in the rule is to select "Anti-Spam Log (spam)" in the Log Type field. This ensures that the event handler only generates events for spam emails.