Summer Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Fortinet NSE 7 - Security Operations 7.6 Architect Question and Answers

Fortinet NSE 7 - Security Operations 7.6 Architect

Last Update Jul 14, 2026
Total Questions : 91

We are offering FREE NSE7_SOC_AR-7.6 Fortinet exam questions. All you do is to just go and sign up. Give your details, prepare NSE7_SOC_AR-7.6 free exam questions and then go for complete pool of Fortinet NSE 7 - Security Operations 7.6 Architect test questions that will help you more.

NSE7_SOC_AR-7.6 pdf

NSE7_SOC_AR-7.6 PDF

$36.75  $104.99
NSE7_SOC_AR-7.6 Engine

NSE7_SOC_AR-7.6 Testing Engine

$43.75  $124.99
NSE7_SOC_AR-7.6 PDF + Engine

NSE7_SOC_AR-7.6 PDF + Testing Engine

$57.75  $164.99
Questions 1

Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three answers)

Options:

A.  

Web filter logs1

B.  

Email filter logs

C.  

DNS filter logs2

D.  

Application filter logs

E.  

IPS logs

Discussion 0
Questions 2

Refer to the exhibit.

Which method most effectively reduces the attack surface of this organization? (Choose one answer)

Options:

A.  

Forward all firewall logs to the security information and event management (SIEM) system.

B.  

Enable deep inspection on firewall policies.

C.  

Implement macrosegmentation.

D.  

Remove unused devices.

Discussion 0
Questions 3

Which two ways can you create an incident on FortiAnalyzer? (Choose two answers)

Options:

A.  

Using a custom event handler

B.  

Using a connector action

C.  

Manually, on the Event Monitor page

D.  

By running a playbook

Discussion 0
Questions 4

Refer to the exhibit.

You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.

How can you fix this?

Options:

A.  

Increase the trigger count so that it identifies and reduces the count triggered by a particular group.

B.  

Disable the custom event handler because it is not working as expected.

C.  

Decrease the time range that the custom event handler covers during the attack.

D.  

Increase the log field value so that it looks for more unique field values when it creates the event.

Discussion 0
Questions 5

Refer to the exhibit.

The input of a FortiSIEM connector action is shown.

You want to create a playbook on FortiSOAR that allows you to accomplish the following:

Manually input an IP address.

Use the connector action in the exhibit to retrieve a device from the FortiSIEM configuration management database (CMDB) with that IP address.

Ask the SOC manager to review the information pulled from FortiSIEM about that device.

If the manager approves, an asset record is created.

Which combination and order of step operations fulfills the requirements with the fewest required playbook steps?

Options:

A.  

Manual trigger, 2) Connector action, 3) Approval, 4) Create Record

B.  

Manual trigger, 2) Set Variable, 3) Connector action, 4) Set Variable, 5) Approval, 6) Create record

C.  

On Create trigger, 2) Connector action, 3) Manual Task, 4) Create record

D.  

Connector action, 2) Approval, 3) Create record, 4) Update record

Discussion 0
Questions 6

Review the incident report. A fake HR login page was sent to several employees through email. The page copied the company’s branding and captured usernames and passwords. The attacker later used the stolen credentials to sign in through the company’s web VPN. Which two MITRE ATT & CK tactics best characterize this report? Choose two answers.

Options:

A.  

Initial Access

B.  

Command and Control

C.  

Credential Access

D.  

Defense Evasion

Discussion 0
Questions 7

What are three capabilities of the built-in FortiSOAR Jinja editor? (Choose three answers)

Options:

A.  

It renders output by combining Jinja expressions and JSON input.

B.  

It checks the validity of a Jinja expression.

C.  

It creates new records in bulk.

D.  

It loads the environment JSON of a recently executed playbook.

E.  

It defines conditions to trigger a playbook step.

Discussion 0
Questions 8

Review the incident report:

An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails.

The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain.

Which two MITRE ATT & CK tactics best fit this report? (Choose two answers)

Options:

A.  

Reconnaissance

B.  

Discovery

C.  

Initial Access

D.  

Defense Evasion

Discussion 0
Questions 9

Which two ways can you create an incident on FortiAnalyzer? (Choose two.)

Options:

A.  

Using a connector action

B.  

Manually, on the Event Monitor page

C.  

By running a playbook

D.  

Using a custom event handler

Discussion 0
Questions 10

An analyst prioritizes blocking IP addresses and domains from every phishing campaign. Based on the Pyramid of Pain model, which two statements accurately describe this approach? Choose two answers.

Options:

A.  

It helps identify strategic weaknesses in adversary infrastructure.

B.  

It imposes a high operational cost on adversaries when their attacks are detected.

C.  

It focuses on observable network indicators rather than underlying attack methods.

D.  

It relies on blocking indicators that adversaries can easily replace or rotate.

Discussion 0
Questions 11

Which two best practices should be followed when exporting playbooks in FortiAnalyzer? (Choose two answers)

Options:

A.  

Disable playbooks before exporting them.

B.  

Include the associated connector settings.

C.  

Move playbooks between ADOMs rather than exporting playbooks and re-importing them.

D.  

Ensure the exported playbook’s names do not exist in the target ADOM.

Discussion 0
Questions 12

Refer to the exhibits.

The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.

Why is the FortiMail Sender Blocklist playbook execution failing7

Options:

A.  

You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.

B.  

FortiMail is expecting a fully qualified domain name (FQDN).

C.  

The client-side browser does not trust the FortiAnalzyer self-signed certificate.

D.  

The connector credentials are incorrect

Discussion 0
Questions 13

Refer to the exhibit.

Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)

Options:

A.  

The playbook is using a local connector.

B.  

The playbook is using a FortiMail connector.

C.  

The playbook is using an on-demand trigger.

D.  

The playbook is using a FortiClient EMS connector.

Discussion 0
Questions 14

You wish to use FortiAI to help you design playbooks. Which two configurations on FortiSOAR are required? Choose two answers.

Options:

A.  

Train the FortiSOAR machine learning engine.

B.  

Install and configure the OpenAI connector.

C.  

Grant CRUD permissions to the Playbook user.

D.  

Install the FortiAI solution pack and run the configuration wizard.

Discussion 0
Questions 15

Refer to the exhibit.

What is the correct Jinja expression to filter the results to show only the MD5 hash values?

{{ [slot 1]|[slot 2] [slot 3].[slot 4] }}

Select the jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first

step in the first slot. Once you place an expression, you can move it again if you want to change your answer before moving to the next question. You

need to drop four jinja expressions in the work area.

Select and drag the screen divider to change the viewable area of the source and work areas.

Options:

Discussion 0
Questions 16

Refer to the exhibits.

How is the investigation and remediation output generated on FortiSIEM? (Choose one answer)

Options:

A.  

By exporting an incident

B.  

By running an incident report

C.  

By using FortiAI to summarize the incident

D.  

By viewing the Context tab of an incident

Discussion 0
Questions 17

Refer to the exhibit.

How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)

Options:

A.  

By tagging output or a workspace comment with the keyword Evidence

B.  

By linking an indicator to the war room

C.  

By creating an evidence collection task and attaching a file

D.  

By executing a playbook with the Save Execution Logs option enabled

Discussion 0
Questions 18

Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how difficult it is for an adversary to change? (Choose two answers)

Options:

A.  

IP addresses are easy because adversaries can spoof them or move them to new resources.

B.  

Tactics, techniques, and procedures are hard because adversaries must adapt their methods.

C.  

Artifacts are easy because adversaries can alter file paths or registry keys.

D.  

Tools are easy because often, multiple alternatives exist.

Discussion 0
Questions 19

A FortiSOAR playbook includes a Wait step that is configured to pause execution after initiating a reputation lookup on an indicator. Which two configurations of the Wait step are valid? Choose two answers.

Options:

A.  

The playbook resumes when a specified amount of time has elapsed.

B.  

The playbook resumes when the indicator record is updated.

C.  

The Wait step can retry a specific step in the playbook at scheduled intervals until it succeeds.

D.  

The Wait step, during the AWAITING state, can execute child playbooks.

Discussion 0
Questions 20

You want to trigger an incident when multiple failed logins from the same host are followed by a successful login on that same host within 15 minutes. The rule must correlate all events by source IP address and user to ensure they belong to the same login sequence. Which three configurations achieve this goal? Choose three answers.

Options:

A.  

Ensure both subpatterns have the same aggregate condition.

B.  

Define a time window condition for each subpattern.

C.  

Configure two subpatterns—one for failed logins and one for the successful login.

D.  

Apply sequential logic using a FOLLOWED_BY operator between the subpatterns.

E.  

Define the subpattern relationships and constraints.

Discussion 0
Questions 21

Your company is doing a security audit To pass the audit, you must take an inventory of all software and applications running on all Windows devices

Which FortiAnalyzer connector must you use?

Options:

A.  

FortiClient EMS

B.  

ServiceNow

C.  

FortiCASB

D.  

Local Host

Discussion 0
Questions 22

Refer to the exhibit.

You configured a playbook named False Positive Close , and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed. Which two reasons could be the cause of the problem? (Choose two answers)

Options:

A.  

The playbook must first be published using the Application Editor.

B.  

Another instance of the playbook is currently executing.

C.  

The Alerts module is not among the list of modules the playbook can execute on.

D.  

The manual trigger is configured to require record input to run.

Discussion 0
Questions 23

Which of the following are critical when analyzing and managing events and incidents in a SOC? (Choose two answers)

Options:

A.  

Accurate detection of threats

B.  

Immediate escalation for all alerts

C.  

Rapid identification of false positives

D.  

Periodic system downtime for maintenance

Discussion 0
Questions 24

Which two types of variables can you use in playbook tasks? (Choose two.)

Options:

A.  

input

B.  

Output

C.  

Create

D.  

Trigger

Discussion 0
Questions 25

Review the following incident report:

Attackers leveraged a phishing email campaign targeting your employees.

The email likely impersonated a trusted source, such as the IT department, and requested login credentials.

An unsuspecting employee clicked a malicious link in the email, leading to the download and execution of a Remote Access Trojan (RAT).

The RAT provided the attackers with remote access and a foothold in the compromised system.

Which two MITRE ATT & CK tactics does this incident report capture? (Choose two.)

Options:

A.  

Initial Access

B.  

Defense Evasion

C.  

Lateral Movement

D.  

Persistence

Discussion 0
Questions 26

Which statement best describes the MITRE ATT & CK framework?

Options:

A.  

It provides a high-level description of common adversary activities, but lacks technical details

B.  

It covers tactics, techniques, and procedures, but does not provide information about mitigations.

C.  

It describes attack vectors targeting network devices and servers, but not user endpoints.

D.  

It contains some techniques or subtechniques that fall under more than one tactic.

Discussion 0
Questions 27

While monitoring your network, you discover that one FortiGate device is sending significantly more logs to FortiAnalyzer than all of the other FortiGate devices in the topology.

Additionally, the ADOM that the FortiGate devices are registered to consistently exceeds its quota.

What are two possible solutions? (Choose two.)

Options:

A.  

Increase the storage space quota for the first FortiGate device.

B.  

Create a separate ADOM for the first FortiGate device and configure a different set of storage policies.

C.  

Reconfigure the first FortiGate device to reduce the number of logs it forwards to FortiAnalyzer.

D.  

Configure data selectors to filter the data sent by the first FortiGate device.

Discussion 0