live chatMcAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Pass4Test 10%OFF Discount Code

Fortinet NSE 7 - Security Operations 7.6 Architect - NSE7_SOC_AR-7.6 Exam Questions

QUESTION NO: 1
Refer to the exhibit.
Which two options describe how the Update Asset and Identity Database playbook is configured? (Choose two.)
Correct Answer: C,D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 2
Refer to the exhibit.

What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1]|[slot 2] [slot 3].[slot 4] }}
Select the jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot. Once you place an expression, you can move it again if you want to change your answer before moving to the next question. You need to drop four jinja expressions in the work area.
Select and drag the screen divider to change the viewable area of the source and work areas.
Correct Answer:

Explanation:
Slot 1: vars.artifacts
Slot 2: json_query
Slot 3: ( " data.results[?type== ' FileHash-MD5 ' ]
Slot 4: value
Exact Extract: "You can assign specific fields from your connector action output to their own variables and further manipulate the data using Jinja filters. This approach allows you to efficiently extract, clean, and prepare information for use in later steps of your automation." Exact Extract: The guide shows the same Jinja pattern:
{{ vars.steps.Advanced_Search_Query.data.events | json_query( ' [].attributes.srcIpAddr ' ) | unique }} and explains that similar Jinja logic applies to extracting other variables from structured output.
The correct expression is {{ vars.artifacts | json_query( " data.results[?type== ' FileHash-MD5 ' ].value " ) }} because the JSON object stores artifact records under vars.artifacts.data.results. Each object in results has a type and a value. The filter condition [?type== ' FileHash-MD5 ' ] selects only records whose type is FileHash-MD5 , and .value returns only the MD5 hash strings, not the full objects.
tojson is unnecessary because the data is already structured and queryable. results, data, and value alone are incomplete because they do not filter by artifact type. The key operation is json_query , which uses a JMESPath-style expression to filter a list and project only the required field.
Technical Deep Dive: This is a classic FortiSOAR playbook parsing pattern. Use json_query when the object is already JSON-like and you know the path. The expression returns a list such as:
[ " 6aad63bcc3dd4e148f3724808955f912 " , " 9fd2b1c0e4a37658bca9d0f1e2c34567 " ] This is automation-layer data extraction. FortiGate NP/CP offloading is irrelevant because no packet inspection or firewall data-plane forwarding is involved.
QUESTION NO: 3
A partner organization recently suffered a distributed denial-of-service (DDoS) attack, but the adversary's identity and TTPs remain unknown. Your SOC has not received any relevant threat intelligence from the partner organization, but you are asked to determine whether similar activity could be happening in your environment. Which threat hunting action should you perform first? Choose one answer.
Correct Answer: C
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 4
Which three are threat hunting activities? (Choose three answers)
Correct Answer: B,C,D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 5
Refer to the exhibit.

A list of FortiSIEM connector actions is shown. You want to create a playbook on FortiSOAR that allows you to accomplish the following:
Manually input a range of IP addresses.
Use the connector action in the exhibit to retrieve a list of devices from the FortiSIEM configuration management database (CMDB) within that IP address range.
For each returned result, create an asset record based on the IP address of the device.
Which combination and order of step operations fulfills the requirements with the fewest required playbook steps?
Correct Answer: D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 6
Which two phases are part of the FortiSOAR incident handling process but are not phases in the NIST 800-61 Revision 2 model? Choose two answers.
Correct Answer: B,D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 7
What are three capabilities of the built-in FortiSOAR Jinja editor? (Choose three answers)
Correct Answer: A,C,D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 8
Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three.)
Correct Answer: A,D,E
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 9
Refer to the exhibit.
Assume that all devices in the FortiAnalyzer Fabric are shown in the image.
Which two statements about the FortiAnalyzer Fabric deployment are true? (Choose two.)
Correct Answer: A,D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 10
Which statement best describes the MITRE ATT & CK framework?
Correct Answer: D
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).