Fortinet Fortinet Certifications NSE7_ADA-6.3 Questions & Answers

• Question 21:

  What are the modes of Data Ingestion on FortiSOAR? (Choose three.)

  A. Rule based

  B. Notification based

  C. App Push

  D. Policy based

  E. Schedule based

  Correct Answer: BCE

  Explanation: The modes of Data Ingestion on FortiSOAR are notification based, app push, and schedule based. Notification based mode allows FortiSOAR to receive data from external sources via webhooks or email notifications. App push mode allows FortiSOAR to receive data from external sources via API calls or scripts. Schedule based mode allows FortiSOAR to pull data from external sources at regular intervals using connectors. References: Fortinet NSE 7 - Advanced Analytics 6.3 escription, page 17

• Question 22:

  Refer to the exhibit.

  

  Why is the windows device still in the CMDB, even though the administrator uninstalled the windows agent?

  A. The device was not uninstalled properly

  B. The device must be deleted from backend of FortiSIEM

  C. The device has performance jobs assigned

  D. The device must be deleted manually from the CMDB

  Correct Answer: D

  Explanation: The windows device is still in the CMDB, even though the administrator uninstalled the windows agent, because the device must be deleted manually from the CMDB. Uninstalling the windows agent does not automatically remove the device from the CMDB, as there may be other sources of data for the device, such as SNMP or syslog. To delete the device from the CMDB, the administrator must go to CMDB > Devices > All Devices, select the device, and click Delete.

• Question 23:

  Which statement about EPS bursting is true?

  A. FortiSIEM will let you burst up to five times the licensed EPS once during a 24-hour period.

  B. FortiSIEM must be provisioned with ten percent the licensed EPS to handle potential event surges.

  C. FortiSIEM will let you burst up to five times the licensed EPS at any given time, provided it has accumulated enough unused EPS.

  D. FortiSIEM will let you burst up to five times the licensed EPS at any given time, regardless of unused of EPS.

  Correct Answer: C

  Explanation: FortiSIEM allows EPS bursting to handle event spikes without dropping events or violating the license agreement. EPS bursting means that FortiSIEM will let you burst up to five times the licensed EPS at any given time, provided it has accumulated enough unused EPS from previous time intervals.

• Question 24:

  What is the disadvantage of automatic remediation?

  A. It can make a disruptive change to a user, block access to an application, or disconnect critical systems from the network.

  B. It is equivalent to running an IPS in monitor-only mode -- watches but does not block.

  C. External threats or attacks detected by FortiSIEM will need user interaction to take action on an already overworked SOC team.

  D. Threat behaviors occurring during the night could take hours to respond to.

  Correct Answer: A

  Explanation: The disadvantage of automatic remediation is that it can make a disruptive change to a user, block access to an application, or disconnect critical systems from the network. Automatic remediation can have unintended consequences if not carefully planned and tested. Therefore, it is recommended to use manual or semi-automatic remediation for sensitive or critical systems. References: Fortinet NSE 7 - Advanced Analytics 6.3 escription, page 15

• Question 25:

  From where does the rule engine load the baseline data values?

  A. The profile report

  B. The daily database

  C. The profile database

  D. The memory

  Correct Answer: C

  Explanation: The rule engine loads the baseline data values from the profile database. The profile database contains historical data that is used for baselining calculations, such as minimum, maximum, average, standard deviation, and percentile values for various metrics.

• Question 26:

  Identify the processes associated with Machine Learning/Al on FortiSIEM. (Choose two.)

  A. phFortiInsightAI

  B. phReportMaster

  C. phRuleMaster

  D. phAnomaly

  E. phRuleWorker

  Correct Answer: AD

  Explanation: The processes associated with Machine Learning/AI on FortiSIEM are phFortiInsightAI and phAnomaly. phFortiInsightAI is responsible for detecting anomalous user behavior using UEBA (User and Entity Behavior Analytics) techniques. phAnomaly is responsible for detecting anomalous network behavior using NTA (Network Traffic Analysis) techniques.

• Question 27:

  Refer to the exhibit.

  

  Is the Windows agent delivering event logs correctly?

  A. The logs are buffered by the agent and will be sent once the status changes to managed.

  B. The agent is registered and it is sending logs correctly.

  C. The agent is not sending logs because it did not receive a monitoring template.

  D. Because the agent is unmanaged. the logs are dropped silently by the supervisor.

  Correct Answer: D

  Explanation: The windows agent is not delivering event logs correctly because the agent is unmanaged, meaning it is not assigned to any organization or customer. The supervisor will drop the logs silently from unmanaged agents, as they are not associated with any valid license or CMDB.

• Question 28:

  Which three processes are collector processes? (Choose three.)

  A. phAgentManaqer

  B. phParser

  C. phRuleMaster

  D. phReportM aster

  E. phMonitorAgent

  Correct Answer: BCE

  Explanation: The collector processes are responsible for receiving, parsing, normalizing, correlating, and monitoring events from various sources. The collector processes are phParser, phRuleMaster, and phMonitorAgent.

• Question 29:

  Refer to the exhibit.

  

  Which statement about the rule filters events shown in the exhibit is true?

  A. The rule filters events with an event type that belong to the Domain Account Locked CMDB group or a reporting IP that belong to the Domain Controller applications group.

  B. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting |P that belong to the Domain Controller applications group.

  C. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a user that belongs to the Domain Controller applications group.

  D. The rule filters events with an event type that equals Domain Account Locked and a reporting IP that equals Domain Controller applications.

  Correct Answer: B

  Explanation: The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting IP that belong to the Domain Controller applications group. This means that only events that have both criteria met will be processed by this rule. The event type and reporting IP are joined by an AND operator, which requires both conditions to be true.

• Question 30:

  Refer to the exhibit.

  

  An administrator runs an analytic search for all FortiGate SSL VPN logon failures. The results are grouped by source IP, reporting IP, and user. The administrator wants to restrict the results to only those rows where the COUNT >= 3. Which user would meet that condition?

  A. Sarah

  B. Jan

  C. Tom

  D. Admin

  Correct Answer: C

  Explanation: The user who would meet that condition is Tom. Tom has four rows in the results where the COUNT is greater than or equal to three, meaning he had at least three SSL VPN logon failures from the same source IP and reporting IP. The other users have either less than three rows or less than three COUNT in each row.