FCSS - Security Operations 7.6 Architect Exam Materials
Please note that the exam "FCSS - Security Operations 7.6 Architect Exam" is no longer offered by Fortinet and is not available for booking through Pearson VUE, so we have opened it for free viewing. It has been replaced by the exam "NSE 7 - Security Operations 7.6 Architect."
The new exam version is available on Brave-Dumps and can be purchased.
❌ Please do not order: FCSS - Security Operations 7.6 Architect
✅ Please order: NSE 7 - Security Operations 7.6 Architect
Question #1
Question #2
Refer to the exhibits.
You configured a spearphishing event handler and the associated rule. However, FortiAnalyzer did not generate an event.
When you check the FortiAnalyzer log viewer, you confirm that FortiSandbox forwarded the appropriate logs, as shown in the raw log exhibit.
What configuration must you change on FortiAnalyzer in order for FortiAnalyzer to generate an event?
(Choose one answer)
- A. In the Log Type field, change the selection to AntiVirus Log (malware).
- B. Configure a FortiSandbox data selector to filter logs and add it to the event handler.
- C. In the Log Filter by Text field, type the value: subtype==malware.
- D. Change the Event Severity field to match level alert.
Question #3
Which two possible verdicts can FortiAnalyzer provide based on the overall IOC of an end user? (Choose two answers)
- A. Infected
- B. Clean
- C. Suspicious
- D. Malicious
Question #4
Which statements about the MITRE ATT&CK framework are true? (Choose two answers)
- A. Detection provides detailed instructions on how to identify tactics.
- B. Tactics describe what the adversary is trying to accomplish against a target.
- C. Procedures are used to describe real-world adversaries and their techniques.
- D. Mitigations contain real-world examples from all major vendors.
Question #5
Refer to the exhibits.
A SOC analyst is designing a playbook to filter for all critical severity events within the last month and attaches the event information to an existing incident. However, when they run the playbook, there are two fields waiting for input. The analyst wants to define only the incident number and not the event information.
Which two steps can they take to fix the problem?
(Choose two answers)
- A. Run the Attach Data to Incident task after the Get Events task instead of in parallel to it.
- B. Confirm the severity field is matching critical events in the Get Events task.
- C. Define the event parameters in the on-demand starter to apply the filter at the trigger level.
- D. Use the Get Events task output variable as the attachment.
Question #6
Which statement is true about actions in playbooks? (Choose one answer)
- A. New actions can be created using variables in the ${NEW_TASK.<action name>} format.
- B. New actions are configured under Fabric Connectors > Action.
- C. Actions are preconfigured based on the connector type.
- D. Actions must be defined before creating any playbook.
Question #7
You must configure a FortiAnalyzer device to generate an event when two conditions are met:
- At least two different RFC1918 addresses try to access a domain controller using RDP within 10 minutes of each other.
- The domain controller accesses a malicious external IP address within an hour of the RDP attempts.
How will you accomplish this task?
(Choose one answer)
- A. Create a correlation event handler with a correlation sequence.
- B. Create multiple basic event handlers and link them.
- C. Create a playbook with the on-schedule trigger to generate events.
- D. Create a basic event handler with multiple rules using AND logic.
Question #8
Refer to the exhibit.
Your manager has requested packet captures of all traffic coming from an endpoint with the IP address 10.0.0.50 to any destination outside of the LAN subnet.
It has been observed by your colleagues that the endpoint is intermittently sending suspicious traffic. Your task is to capture the packets for further analysis.
You decide to leave a running sniffer on the FortiGate CLI with the remote session output logged.
Which command allows you to accomplish this task?
(Choose one answer)
- A. diagnose sniffer packet port1 "host 10.0.0.50" 6 0 1
- B. diagnose sniffer packet "port1 10.0.0.50 all" 3 0 1
- C. diagnose sniffer packet port1 "host 10.0.0.50 and any" 4 0 1
- D. diagnose sniffer packet 10.0.0.50/24 "any" 6 0 1 port1
Question #9
Refer to the exhibit.
An analyst wants to create a playbook to do the following: manually input an IP address and incident ID, look up threat-related information for that IP address, and then attach the information from that indicator to the specified incident.
The result should look like the Indicators tab in the exhibit.
Which three playbook components are required?
(Choose three answers)
- A. Incident trigger
- B. On-demand trigger
- C. FortiOS connector
- D. FortiGuard connector
- E. Local connector
Question #10
Refer to the exhibits.
The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc.com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.
Why is the FortiMail Sender Blocklist playbook execution failing?
(Choose one answer)
- A. FortiMail is expecting a fully qualified domain name (FQDN).
- B. The connector credentials are incorrect.
- C. The on-demand trigger needs the GET_EMAIL_STATISTICS action to save the manual inputs.
- D. The client-side browser does not trust the FortiAnalyzer self-signed certificate.
A SOC analyst is trying to configure a playbook with the FortiOS connector. However, when the analyst tries to select a device and an action, the fields are empty. There is only one FortiGate registered with FortiAnalyzer. The SOC analyst is able to confirm the logging status is online and that logs are received on FortiAnalyzer.
What could be the problem? (Choose one answer)