While monitoring your network, you discover that one FortiGate device is sending significantly more logs to FortiAnalyzer than all of the other FortiGate devices in the topology.Additionally, the ADOM that the FortiGate devices are registered to consistently exceeds its quota.What are two possible solutions? (Choose two.)

Create a separate ADOM for the first FortiGate device and configure a different set of storage policies.

Reconfigure the first FortiGate device to reduce the number of logs it forwards to FortiAnalyzer.

Increase the storage space quota for the first FortiGate device.

Create a separate ADOM for the first FortiGate device and configure a different set of storage policies.

Reconfigure the first FortiGate device to reduce the number of logs it forwards to FortiAnalyzer.

Configure data selectors to filter the data sent by the first FortiGate device.

Refer to the exhibit. You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.How can you fix this?

Increase the trigger count so that it identifies and reduces the count triggered by a particular group.

Disable the custom event handler because it is not working as expected.

Decrease the time range that the custom event handler covers during the attack.

Increase the log field value so that it looks for more unique field values when it creates the event.

When configuring a FortiAnalyzer to act as a collector device, which two steps must you perform? (Choose two.)

Configure log forwarding to a FortiAnalyzer in analyzer mode.

Configure Fabric authorization on the connecting interface.

Configure log forwarding to a FortiAnalyzer in analyzer mode.

Configure the data policy to focus on archiving.

Configure Fabric authorization on the connecting interface.

Which statement describes automation stitch integration between FortiGate and FortiAnalyzer?

A security profile on FortiGate triggers a violation and FortiGate sends a webhook call to FortiAnalyzer.

An event handler on FortiAnalyzer executes an automation stitch when an event is created.

An automation stitch is configured on FortiAnalyzer and mapped to FortiGate using the FortiOS connector.

An event handler on FortiAnalyzer is configured to send a notification to FortiGate to trigger an automation stitch.

A security profile on FortiGate triggers a violation and FortiGate sends a webhook call to FortiAnalyzer.

Refer to Exhibit: A SOC analyst is creating the Malicious File Detected playbook to run when FortiAnalyzer generates a malicious file event. The playbook must also update the incident with the malicious file event data.What must the next task in this playbook be?

A local connector with the action Update Incident

A local connector with the action Update Asset and Identity

A local connector with the action Attach Data to Incident

A local connector with the action Run Report

A local connector with the action Update Incident

Refer to the exhibits. The DOS attack playbook is configured to create an incident when an event handler generates a denial-of-ser/ice (DoS) attack event.Why did the DOS attack playbook fail to execute?

The Create SMTP Enumeration incident task is expecting an integer value but is receiving the incorrect data type

The Get Events task is configured to execute in the incorrect order.

The Attach_Data_To_lncident task failed.

The Attach_Data_To_lncident task is expecting an integer value but is receiving the incorrect data type.

Which two statements about the FortiAnalyzer Fabric topology are true? (Choose two.)

Logging devices must be registered to the supervisor.

Fabric members must be in analyzer mode.

Downstream collectors can forward logs to Fabric members.

Logging devices must be registered to the supervisor.

The supervisor uses an API to store logs, incidents, and events locally.

Fabric members must be in analyzer mode.

Refer to the exhibits. What can you conclude from analyzing the data using the threat hunting module?

DNS tunneling is being used to extract confidential data from the local network.

Spearphishing is being used to elicit sensitive information.

DNS tunneling is being used to extract confidential data from the local network.

Reconnaissance is being used to gather victim identity information from the mail server.

FTP is being used as command-and-control (C&C) technique to mine for data.

Refer to Exhibit: You are tasked with reviewing a new FortiAnalyzer deployment in a network with multiple registered logging devices. There is only one FortiAnalyzer in the topology.Which potential problem do you observe?

The analytics-to-archive ratio is misconfigured.

The disk space allocated is insufficient.

The analytics-to-archive ratio is misconfigured.

The analytics retention period is too long.

The archive retention period is too long.

Refer to the exhibit, which shows the partial output of the MITRE ATT&CK Enterprise matrix on FortiAnalyzer.Which two statements are true? (Choose two.)

There are four subtechniques that fall under technique T1071.

There are event handlers that cover tactic T1071.

There are four techniques that fall under tactic T1071.

There are four subtechniques that fall under technique T1071.

There are event handlers that cover tactic T1071.

There are 15 events associated with the tactic.

Refer to the exhibits. The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event.Why did the Malicious File Detect playbook execution fail?

The Create Incident task was expecting a name or number as input, but received an incorrect data format

The Get Events task did not retrieve any event data.

The Attach_Data_To_lncident incident task wasexpecting an integer, but received an incorrect data format.

The Attach Data To Incident task failed, which stopped the playbook execution.

Refer to the exhibit. Assume that all devices in the FortiAnalyzer Fabric are shown in the image.Which two statements about the FortiAnalyzer Fabric deployment are true? (Choose two.)

FortiGate-B1 and FortiGate-B2 are in a Security Fabric.

FAZ-SiteA has two ADOMs enabled.

FortiGate-B1 and FortiGate-B2 are in a Security Fabric.

There is no collector in the topology.

All FortiGate devices are directly registered to the supervisor.

FAZ-SiteA has two ADOMs enabled.

Refer to the exhibits. The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.Why is the FortiMail Sender Blocklist playbook execution failing7

FortiMail is expecting a fully qualified domain name (FQDN).

You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.

FortiMail is expecting a fully qualified domain name (FQDN).

The client-side browser does not trust the FortiAnalzyer self-signed certificate.

The connector credentials are incorrect

Which two ways can you create an incident on FortiAnalyzer? (Choose two.)

Manually, on the Event Monitor page

Which statement best describes the MITRE ATT&CK framework?

It contains some techniques or subtechniques that fall under more than one tactic.

It provides a high-level description of common adversary activities, but lacks technical details

It covers tactics, techniques, and procedures, but does not provide information about mitigations.

It describes attack vectors targeting network devices and servers, but not user endpoints.

It contains some techniques or subtechniques that fall under more than one tactic.

Exhibit: Which observation about this FortiAnalyzer Fabric deployment architecture is true?

The AMER HQ SOC team cannot run automation playbooks from the Fabric supervisor.

The AMER HQ SOC team must configure high availability (HA) for the supervisor node.

The EMEA SOC team has access to historical logs only.

The APAC SOC team has access to FortiView and other reporting functions.

Refer to the exhibits. You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event handler is generating events for both spam emails and clean emails.Which change must you make in the rule so that it detects only spam emails?

In the Log Type field, select Anti-Spam Log (spam)

In the Log filter by Text field, type type==spam.

Disable the rule to use the filter in the data selector to create the event.

In the Trigger an event when field, select Within a group, the log field Spam Name (snane) has 2 or more unique values.

When does FortiAnalyzer generate an event?

When a log matches a rule in an event handler

When a log matches a filter in a data selector

When a log matches an action in a connector

When a log matches a rule in an event handler

When a log matches a task in a playbook

Refer to the exhibit. Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)

The playbook is using a local connector.

The playbook is using a FortiClient EMS connector.

The playbook is using a local connector.

The playbook is using a FortiMail connector.

The playbook is using an on-demand trigger.

The playbook is using a FortiClient EMS connector.

Which role does a threat hunter play within a SOC?

Search for hidden threats inside a network which may have eluded detection

investigate and respond to a reported security incident

Collect evidence and determine the impact of a suspected attack

Search for hidden threats inside a network which may have eluded detection

Monitor network logs to identify anomalous behavior

Fortinet FCSS_SOC_AN-7.4 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 32

Refer to the exhibits.

Fortinet FCSS_SOC_AN-7.4 image Question 1 132051 12132024000420000000

You configured a spearphishing event handler and the associated rule. However. FortiAnalyzer did not generate an event.

When you check the FortiAnalyzer log viewer, you confirm that FortiSandbox forwarded the appropriate logs, as shown in the raw log exhibit.

What configuration must you change on FortiAnalyzer in order for FortiAnalyzer to generate an event?

In the Log Type field, change the selection to AntiVirus Log(malware).

Configure a FortiSandbox data selector and add it tothe event handler.

In the Log Filter by Text field, type the value: .5 ub t ype ma Iwa re..

Change trigger condition by selecting. Within a group, the log field Malware Kame (mname> has 2 or more unique values.

Comment (0)

Fortinet FCSS_SOC_AN-7.4 Practice Test 1

Question

Fortinet FCSS_SOC_AN-7.4 Practice Tests

Practice Tests