NSE 7 - Security Operations 7.6 Architect Materials-Question 32 Discussion

Refer to the exhibit. What are the two mistakes in the incident subpattern rule configuration? (Choose two answers)

  • A. The subpattern is missing a time window definition.
  • B. The aggregate operator is incorrect.
  • C. The Group By attributes conflict with each other.
  • D. The mandatory Event Type attribute is missing.
Correct Answer: B,D

Brave-Dump Clients Votes

  • BD: 66.67%
  • BC: 33.33%

Comments

Anonymous User 2026-03-07 18:17:01

Selected Answers: B, C

BC
  • Brave-Dumps.com Admin 2026-04-11 14:51:27
    Why?


Anonymous User 2026-04-14 03:00:58

Selected Answers: B, D

Answer: B and D
B — The aggregate operator is incorrect.
COUNT(Matched Events) < 1 triggers when zero events match, which is the opposite of what you need for detecting audit log clearing. It should be >= 1.
D — The mandatory Event Type attribute is missing.
The filter uses "Windows Event Category" but does not include the Event Type attribute, which is the standard and required attribute in FortiSIEM subpattern filters for identifying events. All rule examples in the official study guide use Event Type as the primary filter attribute.
Why not A: The time window is configured at the rule level, not inside the subpattern — so it's not missing from this view.
Why not C: Reporting IP, Computer, and Service Name are valid, non-conflicting Group By attributes.


Brave-Dumps.com Admin 2026-04-15 10:29:53

Selected Answers: B, D

B, D