NSE7_ADA-6.3 Online Practice Questions and Answers

Correct Answer: B

Explanation: The unused events for the next three minutes for a 520 EPS license can be calculated by multiplying the licensed EPS by the time interval and subtracting the total number of events received in that interval. In this case, the calculation is: 520 x 180 - 27000 = 73460

Correct Answer: BDE

Explanation: You can empower SOC by deploying FortiSOAR in the following ways:

Collaborative knowledge sharing: FortiSOAR allows you to create and share playbooks, workflows, tasks, and notes among SOC analysts and teams. This enables faster and more consistent incident response and reduces duplication of

efforts.

Reduce human error: FortiSOAR automates repetitive and tedious tasks, such as data collection, enrichment, analysis, and remediation. This reduces the risk of human error and improves efficiency and accuracy. Address analyst skills gap:

FortiSOAR provides a graphical user interface for creating and executing playbooks and workflows without requiring coding skills. This lowers the barrier for entry-level analysts and helps them learn from best practices and expert knowledge.

References: Fortinet NSE 7 - Advanced Analytics 6.3 escription, page 19

Correct Answer: D

Explanation: The windows device is still in the CMDB, even though the administrator uninstalled the windows agent, because the device must be deleted manually from the CMDB. Uninstalling the windows agent does not automatically remove the device from the CMDB, as there may be other sources of data for the device, such as SNMP or syslog. To delete the device from the CMDB, the administrator must go to CMDB > Devices > All Devices, select the device, and click Delete.

Correct Answer: C

Explanation: FortiSIEM allows EPS bursting to handle event spikes without dropping events or violating the license agreement. EPS bursting means that FortiSIEM will let you burst up to five times the licensed EPS at any given time, provided it has accumulated enough unused EPS from previous time intervals.

Correct Answer: A

Explanation: The disadvantage of automatic remediation is that it can make a disruptive change to a user, block access to an application, or disconnect critical systems from the network. Automatic remediation can have unintended consequences if not carefully planned and tested. Therefore, it is recommended to use manual or semi-automatic remediation for sensitive or critical systems. References: Fortinet NSE 7 - Advanced Analytics 6.3 escription, page 15

Correct Answer: AD

Explanation: The processes associated with Machine Learning/AI on FortiSIEM are phFortiInsightAI and phAnomaly. phFortiInsightAI is responsible for detecting anomalous user behavior using UEBA (User and Entity Behavior Analytics) techniques. phAnomaly is responsible for detecting anomalous network behavior using NTA (Network Traffic Analysis) techniques.

Correct Answer: D

Explanation: The windows agent is not delivering event logs correctly because the agent is unmanaged, meaning it is not assigned to any organization or customer. The supervisor will drop the logs silently from unmanaged agents, as they are not associated with any valid license or CMDB.

Correct Answer: B

Explanation: The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting IP that belong to the Domain Controller applications group. This means that only events that have both criteria met will be processed by this rule. The event type and reporting IP are joined by an AND operator, which requires both conditions to be true.

Correct Answer: D

Explanation: To connect to a shared multi-tenant instance on FortiSOAR, the MSSP must install an agent node on the customer's network. The agent node acts as a proxy between the customer's devices and the FortiSOAR manager node. The agent node also performs data collection, enrichment, and normalization for the customer's data sources. References: Fortinet NSE 7 - Advanced Analytics 6.3 escription, page 11

Correct Answer: ABE

Explanation: phRuleMaster is a process that performs rule evaluation and incident generation on FortiSIEM. phRuleMaster queues up the data being received from the phRuleWorkers into buckets based on time intervals, such as one minute, five minutes, or ten minutes. phRuleMaster is present on both the supervisor and workers nodes of a FortiSIEM cluster. phRuleMaster wakes up every 30 seconds to evaluate all the rule data in parallel using multiple threads.