Security Operations


Description:
SOC Operations

Creation date: 2026/02/12

Category: Other

Number of questions: 25

Questions:

A SOC analyst is designing a playbook to filter for a high severity event and attach the event information to an incident. Which local connector action must the analyst use in this scenario?
- Get Events
- Update Incident
- Update Asset and Identity
- Attach Data to Incident

According to the National Institute of Standards and Technology (NIST) cybersecurity framework, incident handling activities can be divided into phases. In which incident handling phase do you quarantine a compromised host in order to prevent an adversary from using it as a stepping stone to the next phase of an attack?
- Containment
- Analysis
- Eradication
- Recovery

Which of the following are critical when analyzing and managing events and incidents in a SOC? (Choose two answers)
- Accurate detection of threats
- Immediate escalation for all alerts
- Rapid identification of false positives
- Periodic system downtime for maintenance

You are trying to find traffic flows to destinations that are in Europe or Asia, for hosts in the local LAN segment. However, the query returns no results. Assume these logs exist on FortiSIEM. Which three mistakes can you see in the query shown in the exhibit? (Choose three answers)
- The null value cannot be used with the IS NOT operator.
- The time range must be Absolute for queries that use configuration management database (CMDB) groups.
- There are missing parentheses between the first row (Group: Europe) and the second row (Group: Asia).
- The Source IP row operator must be BETWEEN 10.0.0.0, 10.200.200.254.
- The logical operator for the first row (Group: Europe) must be OR.

Which three statements accurately describe step utilities in a playbook step? (Choose three answers)
- The Timeout step utility sets a maximum execution time for the step and terminates playbook execution if exceeded.
- The Loop step utility can only be used once in each playbook step.
- The Variables step utility stores the output of the step directly in the step itself.
- The Condition step utility behavior changes depending on if a loop exists for that step.
- The Mock Output step utility uses HTML format to simulate real outputs.

Assume that the traffic flows are identical, except for the destination IP address. There is only one FortiGate in network address translation (NAT) mode in this environment. Based on the exhibits, which two conclusions can you make about this FortiSIEM incident? (Choose two answers)
- The client 10.200.3.219 is conducting active reconnaissance.
- FortiGate is not routing the packets to the destination hosts.
- The destination hosts are not responding.
- FortiGate is blocking the return flows.

Which FortiAnalyzer feature uses the SIEM database for advanced log analytics and monitoring?
- Threat hunting
- Asset Identity Center
- Event monitor
- Outbreak alerts

You are trying to create a playbook that creates a manual task showing a list of public IPv6 addresses. You were successful in extracting all IP addresses from a previous action into a variable called ip_list, which contains both private and public IPv4 and IPv6 addresses. You must now filter the results to display only public IPv6 addresses. Which two Jinja expressions can accomplish this task? (Choose two answers)
- {{ vars.ip_list | ipv6addr('public') }}
- {{ vars.ip_list | ipaddr('public') | ipv6 }}
- {{ vars.ip_list | ipaddr('!private') | ipv6 }}
- {{ vars.ip_list | ipv6 | ipaddr('public') }}

Which statement best describes the MITRE ATT&CK framework?
- It provides a high-level description of common adversary activities, but lacks technical details.
- It covers tactics, techniques, and procedures, but does not provide information about mitigations.
- It describes attack vectors targeting network devices and servers, but not user endpoints.
- It contains some techniques or subtechniques that fall under more than one tactic.

You configured a spearphishing event handler and the associated rule. However, FortiAnalyzer did not generate an event. When you check the FortiAnalyzer log viewer, you confirm that FortiSandbox forwarded the appropriate logs, as shown in the raw log exhibit. What configuration must you change on FortiAnalyzer in order for FortiAnalyzer to generate an event?
- In the Log Type field, change the selection to AntiVirus Log (malware).
- Configure a FortiSandbox data selector and add it to the event handler.
- In the Log Filter by Text field, type the value: subtype malware.
- Change the trigger condition by selecting Within a group, the log field Malware Name (mname) has 2 or more unique values.

Which two ways can you create an incident on FortiAnalyzer? (Choose two.)
- Using a connector action
- Manually, on the Event Monitor page
- By running a playbook
- Using a custom event handler

The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc.com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action. Why is the FortiMail Sender Blocklist playbook execution.
- You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.
- FortiMail is expecting a fully qualified domain name (FQDN).
- The client-side browser does not trust the FortiAnalyzer self-signed certificate.
- The connector credentials are incorrect.

Review the following incident report: Attackers leveraged a phishing email campaign targeting your employees. The email likely impersonated a trusted source, such as the IT department, and requested login credentials. An unsuspecting employee clicked a malicious link in the email, leading to the download and execution of a Remote Access Trojan (RAT). The RAT provided the attackers with remote access and a foothold in the compromised system. Which two MITRE ATT&CK tactics does this incident report capture? (Choose two.)
- Initial Access
- Defense Evasion
- Lateral Movement
- Persistence

Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three answers)
- Web filter logs
- Email filter logs
- DNS filter logs
- Application filter logs
- IPS logs

Which statement describes automation stitch integration between FortiGate and FortiAnalyzer?
- An event handler on FortiAnalyzer executes an automation stitch when an event is created.
- An automation stitch is configured on FortiAnalyzer and mapped to FortiGate using the FortiOS connector.
- An event handler on FortiAnalyzer is configured to send a notification to FortiGate to trigger an automation stitch.
- A security profile on FortiGate triggers a violation and FortiGate sends a webhook call to FortiAnalyzer.

When configuring a FortiAnalyzer to act as a collector device, which two steps must you perform? (Choose two.)
- Enable log compression.
- Configure log forwarding to a FortiAnalyzer in analyzer mode.
- Configure the data policy to focus on archiving.
- Configure Fabric authorization on the connecting interface.

A SOC analyst is creating the Malicious File Detected playbook to run when FortiAnalyzer generates a malicious file event. The playbook must also update the incident with the malicious file event data. What must the next task in this playbook be?
- A local connector with the action Update Asset and Identity
- A local connector with the action Attach Data to Incident
- A local connector with the action Run Report
- A local connector with the action Update Incident

Assume that all devices in the FortiAnalyzer Fabric are shown in the image. Which two statements about the FortiAnalyzer Fabric deployment are true? (Choose two.)
- FortiGate-B1 and FortiGate-B2 are in a Security Fabric.
- There is no collector in the topology.
- All FortiGate devices are directly registered to the supervisor.
- FAZ-SiteA has two ADOMs enabled.

Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three.)
- Email filter logs
- DNS filter logs
- Application filter logs
- IPS logs
- Web filter logs

What are three capabilities of the built-in FortiSOAR Jinja editor? (Choose three answers)
- It renders output by combining Jinja expressions and JSON input.
- It checks the validity of a Jinja expression.
- It creates new records in bulk.
- It loads the environment JSON of a recently executed playbook.
- It defines conditions to trigger a playbook step.

Which method most effectively reduces the attack surface of this organization? (Choose one answer)
- Forward all firewall logs to the security information and event management (SIEM) system.
- Remove unused devices.
- Implement macrosegmentation.
- Enable deep inspection on firewall policies.

You are reviewing the Triggering Events page for a FortiSIEM incident. You want to remove the Reporting IP column because you have only one firewall in the topology. How do you accomplish this? (Choose one answer)
- Clear the Reporting IP field from the Triggered Attributes section when you configure the Incident Action.
- Disable correlation for the Reporting IP field in the rule subpattern.
- Remove the Reporting IP attribute from the raw logs using parsing rules.
- Customize the display columns for this incident.

What can you conclude from analyzing the data using the threat hunting module?
- Spearphishing is being used to elicit sensitive information.
- DNS tunneling is being used to extract confidential data from the local network.
- Reconnaissance is being used to gather victim identity information from the mail server.
- FTP is being used as a command-and-control (C&C) technique to mine for data.

You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event handler is generating events for both spam emails and clean emails. Which change must you make in the rule so that it detects only spam emails?
- In the Log Type field, select Anti-Spam Log (spam).
- In the Log filter by Text field, type type==spam.
- Disable the rule to use the filter in the data selector to create the event.
- In the Trigger an event when field, select Within a group, the log field Spam Name (sname) has 2 or more unique values.

Which role does a threat hunter play within a SOC?
- Investigate and respond to a reported security incident.
- Collect evidence and determine the impact of a suspected attack.
- Search for hidden threats inside a network which may have eluded detection.
- Monitor network logs to identify anomalous behavior.
