Which syntax will register a collector to the supervisor?
A. phProvisionCollector --add
B. phProvisionCollector --add
C. phProvisionCollector --add
D. phProvisionCollector --add
Correct Answer: B
Explanation: The syntax that will register a collector to the supervisor is phProvisionCollector --add . This command will initiate the registration process between the collector and the supervisor, and exchange certificates and configuration information. The parameter is the IP address of the supervisor node.
Question 12:
Refer to the exhibit.
How long has the UEBA agent been operationally down?
A. 21 Hours
B. 9 Hours
C. 20 Hours
D. 2 Hours
Correct Answer: A
Explanation: The UEBA agent status shows that it has been operationally down for one day and three hours (1d3h). This means that it has been down for 24 hours plus three hours, which is equal to 21 hours.
Question 13:
Refer to the exhibit.
The window for this rule is 30 minutes. What is this rule tracking?
A. A sudden 50% increase in WMI response times over a 30-minute time window
B. A sudden 1.50 times increase in WMI response times over a 30-minute time window
C. A sudden 75% increase in WMI response times over a 30-minute time window
D. A sudden 150% increase in WMI response times over a 30-minute time window
Correct Answer: B
Explanation: The rule is tracking the WMI response times from Windows devices using a baseline calculation. The rule will trigger an incident if the current WMI response time is greater than or equal to 1.50 times the average WMI response time in the last 30 minutes.
Question 14:
Refer to the exhibit. Click on the calculator button.
The profile database contains CPU utilization values from day one. At midnight on the second day, the CPU utilization values from the daily database will be merged with the profile database.
In the profile database, in the Hour of Day column where 9 is the value, what will be the updated minimum, maximum, and average CPU utilization values?
A. Min CPU Util=32.31, Max CPU Util=33.50 and AVG CPU Util=33.50
B. Min CPU Util=32.31, Max CPU Util=33.50 and AVG CPU Util=32.67
C. Min CPU Util=32.31, Max CPU Util=32.31 and AVG CPU Util=32.31
D. Min CPU Util=33.50, Max CPU Util=33.50 and AVG CPU Util=33.50
Correct Answer: B
Explanation: The profile database contains CPU utilization values from day one. At midnight on the second day, the CPU utilization values from the daily database will be merged with the profile database using a weighted average formula:
Updated value = ((Old value x Old weight) + (New value x New weight)) / (Old weight + New weight)
The weight is determined by the number of days in each database. In this case, the profile database has one day of data and the daily database has one day of data, so the weight is equal for both databases. Therefore, the formula simplifies to:
Updated value = (Old value + New value) / 2
In the profile database, in the Hour of Day column where 9 is the value, the updated minimum, maximum, and average CPU utilization values are:
Min CPU Util = (32.31 + 32.31) / 2 = 32.31
Max CPU Util = (33.50 + 33.50) / 2 = 33.50
AVG CPU Util = (32.67 + 32.67) / 2 = 32.67
Question 15:
Which of the following are two Tactics in the MITRE ATT&CK framework? (Choose two.)
A. Root kit
B. Reconnaissance
C. Discovery
D. BITS Jobs
E. Phishing
Correct Answer: BC
Explanation: Reconnaissance and Discovery are two Tactics in the MITRE ATT&CK framework. Tactics are the high-level objectives of an adversary, such as initial access, persistence, lateral movement, etc. Reconnaissance is the tactic of gathering information about a target before launching an attack. Discovery is the tactic of exploring a compromised system or network to find information or assets of interest. References: Fortinet NSE 7 - Advanced Analytics 6.3 Description, page 21
Question 16:
Refer to the exhibit.
The service provider deployed FortiSIEM without a collector and added three customers on the supervisor. What mistake did the administrator make?
A. Customer A and customer B have overlapping IP addresses.
B. Collectors must be deployed on all customer premises before they are added to organizations on the supervisor.
C. The number of workers on the FortiSIEM cluster must match the number of customers added.
D. At least one collector must be deployed to collect logs from service provider infrastructure devices.
Correct Answer: A
Explanation: The mistake that the administrator made is that customer A and customer B have overlapping IP addresses. This will cause confusion and errors in event collection and correlation, as well as CMDB discovery and classification. To avoid this problem, each customer should have a unique IP address range or use NAT to translate their IP addresses.
Question 17:
How can you invoke an integration policy on FortiSIEM rules?
A. Through Notification Policy settings
B. Through Incident Notification settings
C. Through remediation scripts
D. Through External Authentication settings
Correct Answer: A
Explanation: You can invoke an integration policy on FortiSIEM rules by configuring the Notification Policy settings. You can select an integration policy from the drop-down list and specify the conditions for triggering it. For example, you can invoke an integration policy when an incident is created, updated, or closed. References: Fortinet NSE 7 - Advanced Analytics 6.3 Description, page 9
Question 18:
Refer to the exhibit.
An administrator wants to remediate the incident from FortiSIEM shown in the exhibit.
What option is available to the administrator?
A. Quarantine IP FortiClient
B. Run the block MAC FortiOS
C. Run the block IP FortiOS 5.4
D. Run the block domain Windows DNS
Correct Answer: C
Explanation: The incident from FortiSIEM shown in the exhibit is a brute force attack on a FortiGate device. The remediation option available to the administrator is to run the block IP FortiOS 5.4 action, which will block the source IP address of the attacker on the FortiGate device using a firewall policy.
Question 19:
What is a Tactic in the MITRE ATT&CK framework?
A. Tactic is how an attacker plans to execute the attack
B. Tactic is what an attacker hopes to achieve
C. Tactic is the tool that the attacker uses to compromise a system
D. Tactic is a specific implementation of the technique
Correct Answer: B
Explanation: A Tactic is what an attacker hopes to achieve in the MITRE ATT&CK framework. A tactic is a high-level category of adversary behavior that describes the adversary's objective or goal. For example, some tactics are Initial Access, Persistence, Lateral Movement, and Exfiltration. Each tactic consists of one or more techniques that describe how an attacker can accomplish that tactic.
Question 20:
How can you empower the SOC by deploying FortiSOAR? (Choose three.)
A. Aggregate logs from distributed systems
B. Collaborative knowledge sharing
C. Baseline user and traffic behavior
D. Reduce human error
E. Address analyst skills gap
Correct Answer: BDE
Explanation: You can empower the SOC by deploying FortiSOAR in the following ways:
Collaborative knowledge sharing: FortiSOAR allows you to create and share playbooks, workflows, tasks, and notes among SOC analysts and teams. This enables faster and more consistent incident response and reduces duplication of efforts.
Reduce human error: FortiSOAR automates repetitive and tedious tasks, such as data collection, enrichment, analysis, and remediation. This reduces the risk of human error and improves efficiency and accuracy.
Address analyst skills gap: FortiSOAR provides a graphical user interface for creating and executing playbooks and workflows without requiring coding skills. This lowers the barrier for entry-level analysts and helps them learn from best practices and expert knowledge.