Is the NSE7-SOC-AR-7-6 practice exam free?

Yes. ExamCademy offers all 38 NSE7-SOC-AR-7-6 practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the NSE7-SOC-AR-7-6 practice questions?

All NSE7-SOC-AR-7-6 questions are community-created and reviewed by moderators to align with Fortinet's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the NSE7-SOC-AR-7-6 exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official Fortinet documentation and hands-on experience for best results.

NSE7-SOC-AR-7-6 Practice Exam — Free 38+ Questions

38Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

Detection Capabilities

Question 2

SOC Concepts and Frameworks

Question 3

SOAR Incident Handling and Threat Hunting

Question 4

SOC Concepts and Frameworks

Question 5

SOAR Incident Handling and Threat Hunting

Question 6

SOAR Playbook Development

Question 7

SOAR Playbook Development

Question 8

SOAR Incident Handling and Threat Hunting

Question 9

SOC Concepts and Frameworks

Question 10

SOAR Playbook Development

Question 11

SOAR Playbook Development

Question 12

SOAR Playbook Development

Question 13

Detection Capabilities

Question 14

Detection Capabilities

Question 15

SOAR Playbook Development

Question 16

Detection Capabilities

That's the end of the Preview

This exam has 38 community-verified practice questions. Create a free account to access all questions, comments, and explanations.

Topics covered:

SOC Concepts and FrameworksDetection CapabilitiesSOAR Incident Handling and Threat HuntingSOAR Playbook Development

Log In / Sign Up

Page 1 of 2 • Questions 1-25 of 38

1 2

→

Know a question that should be here? Contribute to this exam

Which two statements accurately describe the process to create a new rule from a search using FortiSIEM analytics? (Choose two.)

A All search filter rows are added into a single subpattern.
B The default aggregate condition will always be COUNT (Matched Events) >= 1.
C The incident action is automatically configured based on the event type.
D Raw event logs cannot be used for incident rule creation.

Review the incident report.
An attacker identified employee names, roles, and email patterns from public press releases, which were then used to craft tailored emails. The emails were directed to recipients to review an attached agenda using a link hosted off the corporate domain.
Which two MITRE ATT&CK tactics best fit this report? (Choose two.)

A Discovery
B Initial Access
C Defense Evasion
D Reconnaissance

Refer to the exhibit.

Question Image

How do you add a piece of evidence to the Action Logs Marked As Evidence area?

A By creating an evidence collection task and attaching a file
B By linking an indicator to the war room
C By tagging output or a workspace comment with the keyword Evidence
D By executing a playbook with the Save Execution Logs option enabled

Review the incident report.
Packet captures show a host maintaining periodic TLS sessions that imitate normal HTTPS traffic but run on TCP 8443 to a single external host. An analyst flags the traffic as potential command-and-control. During the same period, the host issues frequent DNS queries with oversized TXT payloads to an attacker-controlled domain, transferring staged files.
Which two MITRE ATT&CK techniques best describe this activity? (Choose two.)

A Exploitation of Remote Services
B Non-Standard Port
C Exfiltration Over Alternative Protocol
D Hide Artifacts

A partner organization recently had sensitive data exfiltrated by a well-known adversary group. You are tasked with threat hunting to see your organization is also affected.
Which action must you take first?

A Use threat intelligence to enrich the IP addresses of all destinations.
B Review the tactics, techniques, and procedures of the adversary.
C Use a packet analyzer to capture and review all traffic flows on critical devices.
D Review historical logs to establish a baseline for normal bandwidth usage.

You are trying to create a playbook that creates a manual task that shows a list of public IPv6 addresses.
You were successful in extracting all IP addresses om a previous action into a variable called ip_list, which has a mix of private and public IPv4 and IPv6 addresses. Now, you must filter the results to display only public IPv6 addresses.
Which two Jinja expressions can accomplish this task? (Choose two.)

A {{ vars.ip_list | ipaddr(!private) | ipv6 }}
B {{ vars.ip_list | ipv6 | ipaddr(‘public’) }}
C {{ vars.ip_list | ipv6addr(‘public’) }}
D {{ vars.ip_list | ipaddr(‘public’) | ipv6 }}

You want to automate a workflow on FortiSOAR so that whenever an incident with critical severity is moved to the containment phase, it is automatically reassigned to an L3 analyst as the incident lead.
Which two steps will accomplish this task? (Choose two.)

A Create a Find Record step to find matching incidents.
B Create a Condition step to check the incident phase and update the incident lead.
C Create an Update Record step to set the incident lead.
D Create an On Update trigger with trigger conditions that match the containment phase and critical severity.
E Set the playbook schedule to run persistently.

Refer to the exhibit.

Question Image

You must configure the FortiGate connector to allow FortiSOAR to perform actions on a firewall. However, the connection fails.
Which two configurations are required? (Choose two.)

A Trusted hosts must be enabled and the FortiSOAR IP address must be permitted.
B An API administrator must be created on FortiGate with the appropriate profile, along with a generated API key to configure on the connector.
C The VDOM name must be specified, or set to VDOM_1, if VDOMs are not enabled on FortiGate.
D HTTPS must be enabled on the FortiGate interface that FortiSOAR will communicate with.

DRAG DROP -
Match the FortiSIEM device type to its description.
Select each FortiSIEM device type in the left column, hold and drag it to the blank space next to its corresponding description in the column on the right. Once you match a device type to its description, you can move it again if you want to change your answer by clicking on the device type name. You need to match four device types to its description in the work area.

Question Image

When configuring an Ingest Bulk Feed playbook step, which two restrictions must you consider? (Choose two.)

A It will not trigger On Create triggers.
B It is slower than the Create Record step.
C It will not trigger On Update triggers.
D It cannot use step output from a connector action.

When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable?

A {{ vars.item.<variable_name> }}
B {{ vars.input.params.<variable_name> }}
C {{ globalVars.<variable_name> }}
D {{ vars.steps.<variable_name> }}

What are three capabilities of the built-in FortiSOAR Jinja editor? (Choose three.)

A It renders output by combining Jinja expressions and JSON input.
B It checks the validity of a Jinja expression.
C It loads the environment JSON of a recently executed playbook.
D It defines conditions to trigger a playbook step.
E It creates new records in bulk.

Refer to the exhibit.

Question Image

What are the two mistakes in the incident subpattern rule configuration? (Choose two.)

A The aggregate operator is incorrect.
B The Group By attributes conflict with each other.
C The subpattern is missing a time window definition.
D The mandatory Event Type attribute is missing.

Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three.)

A Data source
B Group By attributes
C Incident action
D Time window
E Search filter

Which three statements accurately describe step utilities in a playbook step? (Choose three.)

A The Mock Output step utility uses HTML format to simulate real outputs.
B The Loop step utility can only be used once in each playbook step.
C The Condition step utility behavior changes depending on if a loop exists for that step.
D The Timeout step utility sets a maximum execution time for the step and terminates playbook execution, if exceeded.
E The Variables step utility stores the output of the step directly in the step itself.

Refer to the exhibit.

Question Image

Based on the configuration shown in the exhibit, what are two misconfigurations? (Choose two.)

A The time window should be lowered from 900 seconds to reduce false positives.
B The subpattern relationships between FailedLogin and FailedLogin2 should be removed.
C A logical operator is missing in the SuccessLogin subpattern to evaluate the subpattern relationships.
D The SuccessLogin subpattern is not correlated with any FailedLogin or FailedLogin2 attributes.

NSE7-SOC-AR-7-6Preview

About the NSE7-SOC-AR-7-6 Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

That's the end of the Preview

NSE7-SOC-AR-7-6Preview

About the NSE7-SOC-AR-7-6 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

That's the end of the Preview