Fortinet NSE 7 - Security Operations 7.6 Architect
Last Update Jul 14, 2026
Total Questions : 91
We are offering FREE NSE7_SOC_AR-7.6 Fortinet exam questions. All you do is to just go and sign up. Give your details, prepare NSE7_SOC_AR-7.6 free exam questions and then go for complete pool of Fortinet NSE 7 - Security Operations 7.6 Architect test questions that will help you more.
Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three answers)
Refer to the exhibit.

Which method most effectively reduces the attack surface of this organization? (Choose one answer)
Which two ways can you create an incident on FortiAnalyzer? (Choose two answers)
Refer to the exhibit.
You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.
How can you fix this?
Refer to the exhibit.

The input of a FortiSIEM connector action is shown.
You want to create a playbook on FortiSOAR that allows you to accomplish the following:
Manually input an IP address.
Use the connector action in the exhibit to retrieve a device from the FortiSIEM configuration management database (CMDB) with that IP address.
Ask the SOC manager to review the information pulled from FortiSIEM about that device.
If the manager approves, an asset record is created.
Which combination and order of step operations fulfills the requirements with the fewest required playbook steps?
Review the incident report. A fake HR login page was sent to several employees through email. The page copied the company’s branding and captured usernames and passwords. The attacker later used the stolen credentials to sign in through the company’s web VPN. Which two MITRE ATT & CK tactics best characterize this report? Choose two answers.
What are three capabilities of the built-in FortiSOAR Jinja editor? (Choose three answers)
Review the incident report:
An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails.
The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain.
Which two MITRE ATT & CK tactics best fit this report? (Choose two answers)
An analyst prioritizes blocking IP addresses and domains from every phishing campaign. Based on the Pyramid of Pain model, which two statements accurately describe this approach? Choose two answers.
Which two best practices should be followed when exporting playbooks in FortiAnalyzer? (Choose two answers)
Refer to the exhibits.
The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.
Why is the FortiMail Sender Blocklist playbook execution failing7
Refer to the exhibit.
Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)
You wish to use FortiAI to help you design playbooks. Which two configurations on FortiSOAR are required? Choose two answers.
Refer to the exhibit.

What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1]|[slot 2] [slot 3].[slot 4] }}
Select the jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first
step in the first slot. Once you place an expression, you can move it again if you want to change your answer before moving to the next question. You
need to drop four jinja expressions in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.

Refer to the exhibits.

How is the investigation and remediation output generated on FortiSIEM? (Choose one answer)
Refer to the exhibit.

How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)
Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how difficult it is for an adversary to change? (Choose two answers)
A FortiSOAR playbook includes a Wait step that is configured to pause execution after initiating a reputation lookup on an indicator. Which two configurations of the Wait step are valid? Choose two answers.
You want to trigger an incident when multiple failed logins from the same host are followed by a successful login on that same host within 15 minutes. The rule must correlate all events by source IP address and user to ensure they belong to the same login sequence. Which three configurations achieve this goal? Choose three answers.
Your company is doing a security audit To pass the audit, you must take an inventory of all software and applications running on all Windows devices
Which FortiAnalyzer connector must you use?
Refer to the exhibit.

You configured a playbook named False Positive Close , and want to run it to verify if it works. However, when you click Execute and search for the playbook, you do not see it listed. Which two reasons could be the cause of the problem? (Choose two answers)
Which of the following are critical when analyzing and managing events and incidents in a SOC? (Choose two answers)
Review the following incident report:
Attackers leveraged a phishing email campaign targeting your employees.
The email likely impersonated a trusted source, such as the IT department, and requested login credentials.
An unsuspecting employee clicked a malicious link in the email, leading to the download and execution of a Remote Access Trojan (RAT).
The RAT provided the attackers with remote access and a foothold in the compromised system.
Which two MITRE ATT & CK tactics does this incident report capture? (Choose two.)
While monitoring your network, you discover that one FortiGate device is sending significantly more logs to FortiAnalyzer than all of the other FortiGate devices in the topology.
Additionally, the ADOM that the FortiGate devices are registered to consistently exceeds its quota.
What are two possible solutions? (Choose two.)