Security Operations

Test title: Security Operations

Description: Operations Security

Creation date: 2026/02/16

Category: Other

Number of questions: 29

Content:

The DOS attack playbook is configured to create an incident when an event handler generates a denial-of-service (DoS) attack event. Why did the DOS attack playbook fail to execute?
- The Create SMTP Enumeration incident task is expecting an integer value but is receiving the incorrect data type.
- The Get Events task is configured to execute in the incorrect order.
- The Attach_Data_To_Incident task failed.
- The Attach_Data_To_Incident task is expecting an integer value but is receiving the incorrect data type.

Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three answers)
- Group By attributes.
- Data source.
- Time window.
- Search filter.
- Incident action.

Which three are threat hunting activities? (Choose three answers)
- Enrich records with threat intelligence.
- Automate workflows.
- Generate a hypothesis.
- Perform packet analysis.
- Tune correlation rules.

Review the incident report: An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails. The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain. Which two MITRE ATT&CK tactics best fit this report? (Choose two answers)
- Reconnaissance.
- Discovery.
- Initial Access.
- Defense Evasion.

How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)
- By tagging output or a workspace comment with the keyword Evidence.
- By linking an indicator to the war room.
- By creating an evidence collection task and attaching a file.
- By executing a playbook with the Save Execution Logs option enabled.

Review the incident report: Packet captures show a host maintaining periodic TLS sessions that imitate normal HTTPS traffic but run on TCP 8443 to a single external host. An analyst flags the traffic as potential command-and-control. During the same period, the host issues frequent DNS queries with oversized TXT payloads to an attacker-controlled domain, transferring staged files. Which two MITRE ATT&CK techniques best describe this activity? (Choose two answers)
- Non-Standard Port.
- Exploitation of Remote Services.
- Exfiltration Over Alternative Protocol.
- Hide Artifacts.
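The two behaviours in this report, regular TLS sessions to one external host on a port other than 443 and a burst of oversized TXT queries to one domain, can be checked mechanically from flow and DNS logs rather than by eye in a packet capture. The following is an added example, not part of the original test and not code from any Fortinet product, that runs that check over constructed sample records. The key=value line format, the field names (src, dst, dport, app, qname, qtype, qlen), the 443-only list of standard TLS ports, and the thresholds are all assumptions of the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime

STANDARD_TLS_PORTS = {443}  # assumption: anything else counts as non-standard for TLS

# Constructed sample records (not from the page). The key=value line format and
# field names are assumptions of this demo; qlen is the total DNS query length.
FLOW_LOGS = """\
ts=2024-05-01T10:00:00 src=10.1.1.5 dst=203.0.113.9 dport=8443 app=tls
ts=2024-05-01T10:05:01 src=10.1.1.5 dst=203.0.113.9 dport=8443 app=tls
ts=2024-05-01T10:10:00 src=10.1.1.5 dst=203.0.113.9 dport=8443 app=tls
ts=2024-05-01T10:14:59 src=10.1.1.5 dst=203.0.113.9 dport=8443 app=tls
ts=2024-05-01T10:20:00 src=10.1.1.5 dst=203.0.113.9 dport=8443 app=tls
ts=2024-05-01T10:03:12 src=10.1.1.7 dst=198.51.100.20 dport=443 app=tls
ts=2024-05-01T10:22:00 src=10.1.1.7 dst=192.0.2.44 dport=8443 app=tls
ts=2024-05-01T10:47:05 src=10.1.1.7 dst=198.51.100.22 dport=443 app=tls
"""

DNS_LOGS = """\
ts=2024-05-01T10:01:00 src=10.1.1.5 qname=d3f9.exfil.example qtype=TXT qlen=240
ts=2024-05-01T10:01:02 src=10.1.1.5 qname=a81c.exfil.example qtype=TXT qlen=255
ts=2024-05-01T10:01:04 src=10.1.1.5 qname=77e0.exfil.example qtype=TXT qlen=248
ts=2024-05-01T10:01:06 src=10.1.1.5 qname=b5ad.exfil.example qtype=TXT qlen=251
ts=2024-05-01T10:01:08 src=10.1.1.5 qname=c0de.exfil.example qtype=TXT qlen=239
ts=2024-05-01T10:01:10 src=10.1.1.5 qname=91f2.exfil.example qtype=TXT qlen=244
ts=2024-05-01T10:02:00 src=10.1.1.7 qname=example.com qtype=TXT qlen=60
ts=2024-05-01T10:02:01 src=10.1.1.7 qname=www.example.com qtype=A qlen=16
"""


def parse(text):
    """Turn key=value lines into dicts, parse the timestamp, sort by time."""
    recs = []
    for line in text.splitlines():
        r = dict(kv.split("=", 1) for kv in line.split())
        r["ts"] = datetime.fromisoformat(r["ts"])
        recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])


def find_beacons(flow_text, min_sessions=4, max_jitter=0.2):
    """Non-Standard Port + beaconing: TLS sessions from one host to one external
    host on a port other than 443, repeated at a near-constant interval."""
    sessions = defaultdict(list)
    for r in parse(flow_text):
        if r["app"] == "tls" and int(r["dport"]) not in STANDARD_TLS_PORTS:
            sessions[(r["src"], r["dst"], int(r["dport"]))].append(r["ts"])
    hits = []
    for (src, dst, dport), times in sessions.items():
        if len(times) < min_sessions:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation of the gaps: low means a scripted, regular interval
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, dport, round(mean)))
    return hits


def find_txt_exfil(dns_text, min_qlen=200, min_queries=5):
    """Exfiltration Over Alternative Protocol (DNS): many oversized TXT queries
    from one host to subdomains of a single registered domain."""
    counts = defaultdict(int)
    for r in parse(dns_text):
        if r["qtype"] == "TXT" and int(r["qlen"]) >= min_qlen:
            domain = ".".join(r["qname"].split(".")[-2:])  # naive registered-domain cut
            counts[(r["src"], domain)] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}


if __name__ == "__main__":
    print(find_beacons(FLOW_LOGS))   # [('10.1.1.5', '203.0.113.9', 8443, 300)]
    print(find_txt_exfil(DNS_LOGS))  # {('10.1.1.5', 'exfil.example'): 6}
```

The beacon check keys on (source, destination, port) because the report's signal is one host talking to one external host repeatedly; a single session on 8443 (10.1.1.7 above) is not enough to fire. The TXT check keys on the registered domain rather than the full name because each query uses a fresh label to carry its chunk of data, so counting per full name would never reach the threshold.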

How is the investigation and remediation output generated on FortiSIEM? (Choose one answer)
- By exporting an incident.
- By running an incident report.
- By using FortiAI to summarize the incident.
- By viewing the Context tab of an incident.

The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event. Why did the Malicious File Detect playbook execution fail?
- The Create Incident task was expecting a name or number as input, but received an incorrect data format.
- The Get Events task did not retrieve any event data.
- The Attach_Data_To_Incident incident task was expecting an integer, but received an incorrect data format.
- The Attach Data To Incident task failed, which stopped the playbook execution.

A customer wants FortiAnalyzer to run an automation stitch that executes a CLI command on FortiGate to block a predefined list of URLs if a botnet command-and-control (C&C) server IP is detected. Which FortiAnalyzer feature must you use to start this automation process?
- Playbook.
- Data selector.
- Event handler.
- Connector.

Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)
- The playbook is using a local connector.
- The playbook is using a FortiMail connector.
- The playbook is using an on-demand trigger.
- The playbook is using a FortiClient EMS connector.

When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)
- {{ vars.input.params.<variable_name> }}
- {{ globalVars.<variable_name> }}
- {{ vars.item.<variable_name> }}
- {{ vars.steps.<variable_name> }}

Which two best practices should be followed when exporting playbooks in FortiAnalyzer? (Choose two answers)
- Disable playbooks before exporting them.
- Include the associated connector settings.
- Move playbooks between ADOMs rather than exporting playbooks and re-importing them.
- Ensure the exported playbook's names do not exist in the target ADOM.

Which two playbook triggers enable the use of trigger events in later tasks as trigger variables? (Choose two.)
- EVENT.
- INCIDENT.
- ON SCHEDULE.
- ON DEMAND.

Which two types of variables can you use in playbook tasks? (Choose two.)
- Input.
- Output.
- Create.
- Trigger.

Which two statements about the FortiAnalyzer Fabric topology are true? (Choose two.)
- Downstream collectors can forward logs to Fabric members.
- Logging devices must be registered to the supervisor.
- The supervisor uses an API to store logs, incidents, and events locally.
- Fabric members must be in analyzer mode.

Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how difficult it is for an adversary to change? (Choose two answers)
- IP addresses are easy because adversaries can spoof them or move them to new resources.
- Tactics, techniques, and procedures are hard because adversaries must adapt their methods.
- Artifacts are easy because adversaries can alter file paths or registry keys.
- Tools are easy because often, multiple alternatives exist.

Which two ways can you create an incident on FortiAnalyzer? (Choose two answers)
- Using a custom event handler.
- Using a connector action.
- Manually, on the Event Monitor page.
- By running a playbook.

You configured a playbook named False Positive Close and want to run it to verify that it works. However, when you click Execute and search for the playbook, you do not see it listed. Which two reasons could be the cause of the problem? (Choose two answers)
- The playbook must first be published using the Application Editor.
- Another instance of the playbook is currently executing.
- The Alerts module is not among the list of modules the playbook can execute on.
- The manual trigger is configured to require record input to run.

You are tasked with reviewing a new FortiAnalyzer deployment in a network with multiple registered logging devices. There is only one FortiAnalyzer in the topology. Which potential problem do you observe?
- The disk space allocated is insufficient.
- The analytics-to-archive ratio is misconfigured.
- The analytics retention period is too long.
- The archive retention period is too long.

An analyst wants to create an incident and generate a report whenever FortiAnalyzer generates a malicious attachment event based on FortiSandbox analysis. The endpoint hosts are protected by FortiClient EMS integrated with FortiSandbox. All devices are logging to FortiAnalyzer. Which connector must the analyst use in this playbook?
- FortiSandbox connector.
- FortiClient EMS connector.
- FortiMail connector.
- Local connector.

Your company is doing a security audit. To pass the audit, you must take an inventory of all software and applications running on all Windows devices. Which FortiAnalyzer connector must you use?
- FortiClient EMS.
- ServiceNow.
- FortiCASB.
- Local Host.

Which FortiAnalyzer connector can you use to run automation stitches?
- FortiCASB.
- FortiMail.
- Local.
- FortiOS.

which shows the partial output of the MITRE ATT&CK Enterprise matrix on FortiAnalyzer. Which two statements are true? (Choose two.)
- There are four techniques that fall under tactic T1071.
- There are four subtechniques that fall under technique T1071.
- There are event handlers that cover tactic T1071.
- There are 15 events associated with the tactic.

Which observation about this FortiAnalyzer Fabric deployment architecture is true?
- The AMER HQ SOC team cannot run automation playbooks from the Fabric supervisor.
- The AMER HQ SOC team must configure high availability (HA) for the supervisor node.
- The EMEA SOC team has access to historical logs only.
- The APAC SOC team has access to FortiView and other reporting functions.

When does FortiAnalyzer generate an event?
- When a log matches a filter in a data selector.
- When a log matches an action in a connector.
- When a log matches a rule in an event handler.
- When a log matches a task in a playbook.

You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system. How can you fix this?
- Increase the trigger count so that it identifies and reduces the count triggered by a particular group.
- Disable the custom event handler because it is not working as expected.
- Decrease the time range that the custom event handler covers during the attack.
- Increase the log field value so that it looks for more unique field values when it creates the event.
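To see why the trigger count is the knob that matters here, the following added example (not from the page and not FortiAnalyzer's own code) models an event handler as a counter per group-by value inside a time range and runs it over constructed SMTP failure logs, once with a trigger count of 1 and once with 10. The same three inputs, group-by attribute, time window and count threshold, are the factors behind the FortiSIEM COUNT (Matched Events) question earlier on this page. The log field names, the group-by attribute (srcip), the 5-minute window and the "fire once, then restart counting" behaviour are assumptions of the demo, not a statement of how the product implements it internally.

```python
from datetime import datetime, timedelta

DST = "10.0.0.25"  # constructed mail server address


def _burst(src, cmd, start, n, step_s):
    """Build n constructed log lines from one source, step_s seconds apart."""
    return [
        f"ts={(start + timedelta(seconds=i * step_s)).isoformat()} "
        f"srcip={src} dstip={DST} service=SMTP msg={cmd} status=failure"
        for i in range(n)
    ]


# Constructed sample logs (not from the page); field names are assumed for the demo.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SMTP_LOGS = (
    _burst("198.51.100.7", "VRFY", T0, 12, 5)                          # scanner: 12 failures in 55 s
    + _burst("198.51.100.8", "EXPN", T0 + timedelta(minutes=2), 3, 10)  # scanner: 3 failures
    + [f"ts={(T0 + timedelta(minutes=3)).isoformat()} srcip=203.0.113.5 dstip={DST} "
       "service=SMTP msg=MAIL status=success"]                          # legitimate relay
)


def parse(lines):
    """Turn key=value lines into dicts, parse the timestamp, sort by time."""
    recs = []
    for line in lines:
        r = dict(kv.split("=", 1) for kv in line.split())
        r["ts"] = datetime.fromisoformat(r["ts"])
        recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])


def smtp_recon(r):
    """Log filter of the hypothetical handler: failed SMTP commands only."""
    return r["service"] == "SMTP" and r["status"] == "failure"


def run_handler(records, log_filter, group_by, trigger_count, time_range):
    """Simplified event handler: per group-by key, count filtered logs inside a
    time range and raise one event each time the count reaches trigger_count."""
    events = []
    state = {}  # group key -> (window start, running count)
    for r in records:
        if not log_filter(r):
            continue
        key = tuple(r[f] for f in group_by)
        start, count = state.get(key, (r["ts"], 0))
        if r["ts"] - start > time_range:       # window expired: start a new one
            start, count = r["ts"], 0
        count += 1
        if count >= trigger_count:
            events.append({"group": key, "window_start": start, "count": count})
            start, count = r["ts"], 0          # fire once, then start counting again
        state[key] = (start, count)
    return events


def noisy_vs_tuned():
    """Number of events with trigger count 1, and the groups that still fire at 10."""
    recs = parse(SMTP_LOGS)
    noisy = run_handler(recs, smtp_recon, ("srcip",), 1, timedelta(minutes=5))
    tuned = run_handler(recs, smtp_recon, ("srcip",), 10, timedelta(minutes=5))
    return len(noisy), [e["group"] for e in tuned]


if __name__ == "__main__":
    print(noisy_vs_tuned())  # (15, [('198.51.100.7',)])
```

With a trigger count of 1 every matching log becomes its own event (15 here), which is the notification flood in the question. Raising it to 10 leaves one event for the host that actually scanned, and the three-attempt source drops below the threshold. Shrinking the time range instead would make the counter reset more often and, with a high trigger count, could hide the scan entirely; disabling the handler loses the detection.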

Match the FortiSIEM device type to its description. Select each FortiSIEM device type in the left column, hold and drag it to the blank space next to its corresponding description in the column on the right.
- Agent.
- Collector.
- Supervisor.
- Tenant.
- Worker.
- Secure Message Exchange.

Using the default data ingestion wizard in FortiSOAR, place the incident handling workflow from FortiSIEM to FortiSOAR in the correct sequence. Select each workflow component in the left column, hold and drag it to a blank position in the column on the right. Place the four correct workflow components in order, placing the first step in the first position at the top of the column.
- FortiSIEM event log.
- FortiSOAR event log.
- FortiSIEM incident.
- FortiSOAR incident.
- FortiSIEM alert.
- FortiSOAR alert.
- FortiSIEM indicator.
- FortiSOAR indicator.

You must configure the FortiGate connector to allow FortiSOAR to perform actions on a firewall. However, the connection fails. Which two configurations are required? (Choose two answers)
- However, the absence of an API key or HTTPS access will definitively cause a failure regardless of trusted host settings.
- The VDOM name must be specified, or set to VDOM_1, if VDOMs are not enabled on FortiGate.
- HTTPS must be enabled on the FortiGate interface that FortiSOAR will communicate with.
- An API administrator must be created on FortiGate with the appropriate profile, along with a generated API key to configure on the connector.
