Fortinet NSE7_SOC_AR-7.6 (page: 1)

Fortinet NSE 7 - Security Operations 7.6 Architect

Updated 12-Apr-2026

Review the incident report:

An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails.

The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain.

Which two MITRE ATT&CK tactics best fit this report? (Choose two answers)

  A. Reconnaissance
  B. Discovery
  C. Initial Access
  D. Defense Evasion

Answer(s): A,C

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

Based on the official documentation for FortiSIEM 7.3 (which utilizes the MITRE ATT&CK mapping for incident correlation) and FortiSOAR 7.6 (which uses these tactics for incident classification and playbook triggering):

Reconnaissance (Tactic TA0043): This tactic consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. In this scenario, the attacker identifies "employee names, roles, and email patterns from public press releases." This is categorized under Gather Victim Org Information (T1591) and Search Open Technical Databases (T1596). Since this activity happens prior to the compromise and involves gathering intelligence, it is strictly Reconnaissance.

Initial Access (Tactic TA0001): This tactic covers techniques that use various entry vectors to gain an initial foothold within a network. The act of sending "tailored emails... to recipients to review an attached agenda using a link" is the definition of Phishing: Spearphishing Link (T1566.002). This is the specific delivery mechanism used to gain the initial entry.

Why other options are incorrect:

Discovery (B): This tactic involves techniques an adversary uses to gain knowledge about the internal network after they have already gained access. Since the attacker is looking at public press releases, they are operating outside the perimeter.

Defense Evasion (D): This tactic consists of techniques that adversaries use to avoid detection throughout their compromise. While using an external link might bypass some basic reputation filters, the primary goal described in the report is the act of establishing contact and access, which is the core of the Initial Access tactic.



Which three are threat hunting activities? (Choose three answers)

  A. Enrich records with threat intelligence.
  B. Automate workflows.
  C. Generate a hypothesis.
  D. Perform packet analysis.
  E. Tune correlation rules.

Answer(s): A,C,D

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

According to the specialized threat hunting modules and frameworks within FortiSOAR 7.6 and the advanced analytics capabilities of FortiSIEM 7.3, threat hunting is defined as a proactive, human-led search for threats that have bypassed automated security controls. The three selected activities are core components of this lifecycle:

Generate a hypothesis (C): This is the fundamental starting point of a "Structured Hunt." Analysts develop a testable theory, based on recent threat intelligence (such as a new TTP identified by FortiGuard) or environmental risk, about how an attacker might be operating undetected in the network.

Enrich records with threat intelligence (A): During the investigation phase, hunters use the Threat Intelligence Management (TIM) module in FortiSOAR to enrich technical data (IPs, hashes, URLs) with external context. This helps determine if an anomaly discovered during the hunt is indeed malicious or part of a known campaign.

Perform packet analysis (D): Since advanced threats often live in the "gaps" between log files, hunters frequently perform deep-packet or network-flow analysis using FortiSIEM's query tools or integrated NDR (Network Detection and Response) data to identify suspicious lateral movement or C2 (Command and Control) communication patterns that standard alerts might miss.

Why other options are excluded:

Automate workflows (B): While SOAR is designed for automation, the act of "automating" is a DevOps or SOC engineering task. Threat hunting itself is a proactive investigation; while playbooks can assist a hunter (e.g., by automating the data gathering), the act of hunting remains a manual or semi-automated cognitive process.

Tune correlation rules (E): Tuning rules is a reactive maintenance task or a "post-hunt" activity. Once a threat hunter finds a new attack pattern, they will then tune SIEM correlation rules to ensure that specific threat is detected automatically in the future. The tuning is the result of the hunt, not the activity of hunting itself.



Refer to the exhibit.



How do you add a piece of evidence to the Action Logs Marked As Evidence area? (Choose one answer)

  A. By tagging output or a workspace comment with the keyword Evidence
  B. By linking an indicator to the war room
  C. By creating an evidence collection task and attaching a file
  D. By executing a playbook with the Save Execution Logs option enabled

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

In FortiSOAR 7.6, the War Room is a collaborative space designed for high-priority incident investigation. The Evidences tab within the Investigate view (as shown in the exhibit) is specifically designed to highlight critical findings found during the investigation process.

Evidence Tagging: To populate the Action Logs Marked As Evidence section, an analyst must specifically tag a relevant log entry, a playbook output, or a comment within the collaboration workspace with the system-defined keyword "Evidence".

Automatic Categorization: Once the tag is applied, FortiSOAR automatically parses these entries and displays them in this centralized view. This allows team members and stakeholders to quickly view substantiated facts and proof gathered during the "Root Cause Analysis" phase without sifting through all raw action logs.

Manual vs. Action Logs: The exhibit shows two distinct areas: "Manually Upload Evidences" (where files like the CSLAB document shown can be dragged and dropped) and "Action Logs Marked As Evidence." The latter is reserved exclusively for system-generated logs or comments that have been promoted to evidence status via tagging.

Why other options are incorrect:

By linking an indicator to the war room (B): Linking indicators associates technical artifacts (like IPs or hashes) with the record, but it does not automatically classify them as evidence within the War Room action log view.

By creating an evidence collection task and attaching a file (C): While this is a valid step in an investigation, attaching a file to a task typically places it in the "Attachments" or "Manually Upload Evidences" area, rather than the "Action Logs" section specifically.

By executing a playbook with the Save Execution Logs option enabled (D): Saving execution logs ensures a trail of what the playbook did, but it does not mark the output as "Evidence" unless the specific logic or a manual analyst action applies the "Evidence" tag to the resulting log entry.



Refer to the exhibits.



Assume that the traffic flows are identical, except for the destination IP address. There is only one FortiGate in network address translation (NAT) mode in this environment.

Based on the exhibits, which two conclusions can you make about this FortiSIEM incident? (Choose two answers)

  A. The client 10.200.3.219 is conducting active reconnaissance.
  B. FortiGate is not routing the packets to the destination hosts.
  C. The destination hosts are not responding.
  D. FortiGate is blocking the return flows.

Answer(s): A,C

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

Based on the analysis of the Triggering Events and the Raw Message provided in the FortiSIEM 7.3 interface:

Active Reconnaissance (A): The "Triggering Events" table shows a single source IP (10.200.3.219) attempting to connect to multiple different destination IP addresses (10.200.200.166, .128, .129, .159, .91) on the same service (FTP/Port 21). Each attempt consists of exactly 1 Sent Packet and 0 Received Packets. This pattern of "one-to-many" sequential connection attempts is the signature of a horizontal port scan, which is a primary technique in Active Reconnaissance.

Destination hosts are not responding (C): The Raw Log shows the action as "timeout" and specifically lists "sentpkt=1 rcvdpkt=0". In FortiGate log logic (which FortiSIEM parses), a "timeout" with zero received packets indicates that the firewall allowed the packet out (Action was not 'deny'), but no SYN-ACK or response was received from the target host within the session timeout period. This confirms the destination hosts are either offline, non-existent, or silently dropping the traffic.

Why other options are incorrect:

FortiGate is not routing (B): If the FortiGate were not routing the packets, the logs would typically not show a successful session initialization ending in a "timeout," or they would show a routing error/deny. The fact that 44 bytes were sent indicates the FortiGate processed and attempted to forward the traffic.

FortiGate is blocking return flows (D): If the return flow were being blocked by a security policy on the FortiGate, the action would typically be logged as "deny" for the return traffic, and the session state would reflect a policy violation rather than a generic session "timeout".



When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)

  A. {{ vars.input.params.<variable_name> }}
  B. {{ globalVars.<variable_name> }}
  C. {{ vars.item.<variable_name> }}
  D. {{ vars.steps.<variable_name> }}

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

In FortiSOAR 7.6, the playbook engine utilizes Jinja2 expressions to handle dynamic data. When a playbook is configured with a Manual Trigger, the administrator can define input fields (such as text, picklists, or checkboxes) that an analyst must fill out when executing the playbook from a record.

Input Parameter Mapping: Any data entered by the user during this manual trigger phase is automatically mapped to the input.params dictionary within the vars object. Therefore, the syntax to retrieve a specific input value is {{ vars.input.params.variable_name }}.

Scope of Variables: This specific path ensures that the variable is pulled from the initial user input rather than from the output of a subsequent step (vars.steps) or a globally defined variable (globalVars).



Based on the Pyramid of Pain model, which two statements accurately describe the value of an indicator and how difficult it is for an adversary to change? (Choose two answers)

  A. IP addresses are easy because adversaries can spoof them or move them to new resources.
  B. Tactics, techniques, and procedures are hard because adversaries must adapt their methods.
  C. Artifacts are easy because adversaries can alter file paths or registry keys.
  D. Tools are easy because often, multiple alternatives exist.

Answer(s): A,B

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

The Pyramid of Pain (David Bianco) is a core concept taught in the FortiSIEM 7.3 and FortiSOAR 7.6 curriculum to help SOC analysts prioritize threat intelligence and detection logic. The model ranks indicators based on the "pain" or effort they cause an adversary to change:

IP Addresses (Easy): These are classified as "Easy" to change. An attacker can simply rotate through a proxy service, use a different VPS, or utilize a new compromised host to continue their campaign. While more valuable than a file hash, they provide relatively low long-term value to the defender because they are so ephemeral.

TTPs (Tough/Hard): This is the apex of the pyramid. TTPs (Tactics, Techniques, and Procedures) represent the fundamental way an adversary operates. If a defender successfully detects and blocks a Tactic (e.g., a specific way an attacker performs privilege escalation), the adversary is forced to reinvent their entire operational process, which is time-consuming and difficult.

Why other options are incorrect:

Artifacts (C): According to the pyramid, Network/Host Artifacts are classified as "Annoying", not "Easy". While an attacker can change them, it requires modifying their code or script behavior, which causes more friction than simply switching an IP address.

Tools (D): Tools are classified as "Challenging". While alternatives exist, an adversary usually invests significant time mastering a specific toolset; losing the ability to use that tool effectively disrupts their efficiency significantly.



DRAG DROP

Refer to the exhibits.



You have a playbook that, depending on whether an analyst deems the alert to be a true positive, could reference a child playbook. You need to pass variables from the parent playbook to the child playbook.

Place the steps needed to accomplish this in the correct order.

  1. See Explanation for the Answer.

Answer(s): A

Explanation:

1. Create a parameter in the child playbook.

2. Apply the parameter to the Disable User Account connector action.

3. Map data to the parameter in the Reference a playbook step in the parent playbook.

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

In FortiSOAR 7.6, the methodology for passing data between playbooks, specifically from a parent to a "Referenced" (child) playbook, follows a strict data flow hierarchy:

Step 1: Create a parameter in the child playbook. Before a parent can send data, the child playbook must be configured to receive it. This is done by adding "Input Parameters" in the Start step of the child playbook (configured as a "Referenced" trigger). These parameters act as the "inbox" for external data.

Step 2: Apply the parameter to the connector action. Once the child playbook has the parameter defined (e.g., user_id), you must use a Jinja expression like {{vars.input.params.user_id}} within the child's action steps (such as the Active Directory: Disable User Account connector) so that the child playbook actually utilizes the data it receives.

Step 3: Map data to the parameter in the parent playbook. Finally, in the parent playbook, when you add the Reference a Playbook step and select the child playbook, FortiSOAR automatically displays the parameters created in Step 1. You then map existing variables from the parent's environment (e.g., from a previous "Search by SamAccountName" step) into these fields to complete the hand-off.

Why other options are excluded:

Create a manual trigger and assign the user to a new variable: While manual triggers capture data, they are not the mechanism for passing data between nested playbooks; they are for user-to-system interaction.

Create a parameter in the parent playbook: Parameters in a parent playbook are used to receive data from outside (like an external API or manual input), not to send data down to a child. The child defines what it needs; the parent simply provides it in the Reference step.



Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three answers)

  A. Group By attributes
  B. Data source
  C. Time window
  D. Search filter
  E. Incident action

Answer(s): A,C,D

Explanation:

Comprehensive and Detailed Explanation From the FortiSOAR 7.6 and FortiSIEM 7.3 Exact Extract study guide:

The FortiSIEM rules engine evaluates subpatterns to detect complex attack behaviors. When a rule uses an aggregate condition like COUNT (Matched Events), the engine calculates this value based on specific architectural parameters:

Group By attributes (A): The engine maintains a separate counter for each unique combination of "Group By" attributes defined in the subpattern. For example, if you group by "Source IP," the engine tracks the count of events for each unique IP address independently.

Time window (C): The count is relative to a specific time duration (e.g., 5 minutes). The engine only counts events that fall within this sliding or fixed window. Once an event falls outside this window, it is no longer included in the aggregate count.

Search filter (D): Only events that satisfy the specific "Search Filter" criteria (e.g., Event Type = "Failed Login") are considered "Matched Events." The filter defines the scope of the data that the rules engine processes before applying the count.

Why other options are incorrect:

Data source (B): While the data source determines where the logs come from, the rules engine itself uses the parsed attributes (defined in the search filter) rather than the raw data source to determine the count. Multiple data sources might contribute to the same filter and count.

Incident action (E): Incident actions (such as sending an email or triggering a SOAR playbook) are the result of a rule firing. They do not influence the internal logic or calculation of the event count during the evaluation phase.
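The following is an added example, not code from FortiSIEM or from the study guide, that models how the three factors above (search filter, Group By attributes, time window) combine to produce COUNT (Matched Events). It runs over constructed FortiGate-style traffic log lines that reuse only the fields quoted in the earlier reconnaissance incident (action=timeout, sentpkt=1, rcvdpkt=0, destination port 21), so the same block also illustrates why that one-to-many pattern of unanswered sessions from a single source is what a rule would count. The log lines, field names, thresholds and function names are assumptions made for the example; real FortiSIEM subpattern evaluation is implemented inside the product and is not reproduced here.

```python
"""Toy model of a FortiSIEM-style subpattern with COUNT(Matched Events).

Constructed example: the log lines below are made up for illustration and
mimic FortiGate traffic-log key=value fields; they are not real exhibit data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: one source probing five FTP hosts that never answer
# (timeout, 1 sent / 0 received), a normal session, one stray timeout from a
# second host, and a late probe from the first source outside a 5-minute window.
SAMPLE_LOGS = """\
date=2026-04-12 time=10:00:01 srcip=10.200.3.219 dstip=10.200.200.166 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:00:02 srcip=10.200.3.219 dstip=10.200.200.128 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:00:03 srcip=10.200.3.219 dstip=10.200.200.129 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:00:04 srcip=10.200.3.219 dstip=10.200.200.159 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:00:05 srcip=10.200.3.219 dstip=10.200.200.91 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:00:06 srcip=10.200.3.50 dstip=10.200.200.166 dstport=21 action=accept sentpkt=12 rcvdpkt=9
date=2026-04-12 time=10:00:07 srcip=10.200.3.50 dstip=10.200.200.128 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
date=2026-04-12 time=10:09:30 srcip=10.200.3.219 dstip=10.200.200.10 dstport=21 action=timeout sentpkt=1 rcvdpkt=0
"""

FIVE_MINUTES = timedelta(minutes=5)
TEN_MINUTES = timedelta(minutes=10)


def parse_line(line):
    """Parse one key=value log line into a dict with a datetime under 'ts'."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    for key in ("dstport", "sentpkt", "rcvdpkt"):
        fields[key] = int(fields[key])
    return fields


def parse_logs(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unanswered_ftp_probe(event):
    """Search filter (assumed): a port-21 session that timed out with no reply.

    This is the condition that turns a raw event into a 'Matched Event'."""
    return (event["action"] == "timeout"
            and event["rcvdpkt"] == 0
            and event["dstport"] == 21)


def count_matched_events(events, search_filter, group_by, window):
    """COUNT(Matched Events) for each unique Group By key.

    A separate counter is kept per key; the value reported for a key is the
    largest number of matched events that fit inside any sliding window of
    length `window`, so events that age out of the window stop counting."""
    stamps_by_key = defaultdict(list)
    for event in events:
        if not search_filter(event):          # search filter scopes the data
            continue
        key = tuple(event[attr] for attr in group_by)   # one bucket per key
        stamps_by_key[key].append(event["ts"])

    counts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best, oldest = 0, 0
        for newest, ts in enumerate(stamps):
            while ts - stamps[oldest] > window:   # slide the window forward
                oldest += 1
            best = max(best, newest - oldest + 1)
        counts[key] = best
    return counts


def fire_rule(events, search_filter, group_by, window, threshold):
    """Return the Group By keys whose count reaches the rule threshold."""
    counts = count_matched_events(events, search_filter, group_by, window)
    return sorted(key for key, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(count_matched_events(events, unanswered_ftp_probe, ("srcip",), FIVE_MINUTES))
    print(fire_rule(events, unanswered_ftp_probe, ("srcip",), FIVE_MINUTES, threshold=5))
    # Grouping by source AND destination splits the probes into single-event
    # buckets, so the same traffic no longer reaches the threshold.
    print(fire_rule(events, unanswered_ftp_probe, ("srcip", "dstip"), FIVE_MINUTES, threshold=5))
```

Grouping by srcip alone yields 5 matched events for 10.200.3.219 inside a 5-minute window (the 10:09:30 probe has aged out), so a threshold of 5 fires for that source and not for 10.200.3.50, whose accepted session is excluded by the search filter. Widening the window to 10 minutes raises the count to 6, and grouping by srcip and dstip together drops every bucket to 1: the same raw events produce different counts purely because of the three factors the question names.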


