- 57 Actual Exam Questions
- Compatible with all Devices
- Printable Format
- No Download Limits
- 90 Days Free Updates
Get All Fortinet NSE 7 - Security Operations 7.6 Architect Exam Questions with Validated Answers
| Vendor: | Fortinet |
|---|---|
| Exam Code: | NSE7_SOC_AR-7.6 |
| Exam Name: | Fortinet NSE 7 - Security Operations 7.6 Architect |
| Exam Questions: | 57 |
| Last Updated: | February 24, 2026 |
| Related Certifications: | Fortinet Certified Solution Specialist |
| Exam Tags: | |
Looking for a hassle-free way to pass the Fortinet NSE 7 - Security Operations 7.6 Architect exam? DumpsProvider provides the most reliable Dumps Questions and Answers, designed by Fortinet certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, making it possible for you to pass potentially within just one day!
DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our Fortinet NSE7_SOC_AR-7.6 exam questions give you the knowledge and confidence needed to succeed on the first attempt.
Train with our Fortinet NSE7_SOC_AR-7.6 exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.
Your success is our commitment! That's why DumpsProvider offers a 100% money-back guarantee. If you don't pass the Fortinet NSE7_SOC_AR-7.6 exam, we'll refund your payment within 24 hours, no questions asked.
Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s Fortinet NSE7_SOC_AR-7.6 exam dumps today and achieve your certification effortlessly!
Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three.)
Overview of Indicators of Compromise (IoCs): Indicators of Compromise (IoCs) are pieces of evidence that suggest a system may have been compromised. These can include unusual network traffic patterns, the presence of known malicious files, or other suspicious activities.
FortiAnalyzer's Role: FortiAnalyzer aggregates logs from various Fortinet devices to provide comprehensive visibility and analysis of network events. It uses these logs to identify potential IoCs and compromised hosts.
Relevant Log Types:
DNS Filter Logs:
DNS requests are a common vector for malware communication. Analyzing DNS filter logs helps in identifying suspicious domain queries, which can indicate malware attempting to communicate with command and control (C2) servers.
IPS Logs:
Intrusion Prevention System (IPS) logs detect and block exploit attempts and malicious activities. These logs are critical for identifying compromised hosts based on detected intrusion attempts or behaviors matching known attack patterns.
Web Filter Logs:
Web filtering logs monitor and control access to web content. These logs can reveal access to malicious websites, download of malware, or other web-based threats, indicating a compromised host.
Why Not Other Log Types:
Email Filter Logs:
While important for detecting phishing and email-based threats, they are not as directly indicative of compromised hosts as DNS, IPS, and Web filter logs.
Application Filter Logs:
These logs control application usage but are less likely to directly indicate compromised hosts compared to the selected logs.
Detailed Process:
Step 1: FortiAnalyzer collects logs from FortiGate and other Fortinet devices.
Step 2: DNS filter logs are analyzed to detect unusual or malicious domain queries.
Step 3: IPS logs are reviewed for any intrusion attempts or suspicious activities.
Step 4: Web filter logs are checked for access to malicious websites or downloads.
Step 5: FortiAnalyzer correlates the information from these logs to identify potential IoCs and compromised hosts.
Fortinet Documentation: FortiOS DNS Filter, IPS, and Web Filter administration guides.
FortiAnalyzer Administration Guide: Details on log analysis and IoC identification.
By using DNS filter logs, IPS logs, and Web filter logs, FortiAnalyzer effectively identifies possible compromised hosts, providing critical insights for threat detection and response.
Refer to Exhibit:
A SOC analyst is designing a playbook to filter for a high severity event and attach the event information to an incident.
Which local connector action must the analyst use in this scenario?
Understanding the Playbook Requirements:
The SOC analyst needs to design a playbook that filters for high severity events.
The playbook must also attach the event information to an existing incident.
Analyzing the Provided Exhibit:
The exhibit shows the available actions for a local connector within the playbook.
Actions listed include:
- Update Asset and Identity
- Get Events
- Get Endpoint Vulnerabilities
- Create Incident
- Update Incident
- Attach Data to Incident
- Run Report
- Get EPEU from Incident
Evaluating the Options:
Get Events: This action retrieves events but does not attach them to an incident.
Update Incident: This action updates an existing incident but is not specifically for attaching event data.
Update Asset and Identity: This action updates asset and identity information, not relevant for attaching event data to an incident.
Attach Data to Incident: This action is explicitly designed to attach additional data, such as event information, to an existing incident.
Conclusion:
The correct action to use in the playbook for filtering high severity events and attaching the event information to an incident is Attach Data to Incident.
Fortinet Documentation on Playbook Actions and Connectors.
Best Practices for Incident Management and Playbook Design in SOC Operations.
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)
Comprehensive and detailed explanation, from the FortiSOAR 7.6 and FortiSIEM 7.3 study guide extracts:
In FortiSOAR 7.6, the playbook engine utilizes Jinja2 expressions to handle dynamic data. When a playbook is configured with a Manual Trigger, the administrator can define input fields (such as text, picklists, or checkboxes) that an analyst must fill out when executing the playbook from a record.
Input Parameter Mapping: Any data entered by the user during this manual trigger phase is automatically mapped to the input.params dictionary within the vars object. Therefore, the syntax to retrieve a specific input value is {{ vars.input.params.variable_name }}.
Scope of Variables: This specific path ensures that the variable is pulled from the initial user input rather than from the output of a subsequent step (vars.steps) or a globally defined variable (globalVars).
Which three end user logs does FortiAnalyzer use to identify possible IOC compromised hosts? (Choose three answers)
Comprehensive and detailed explanation, from the FortiSOAR 7.6 and FortiSIEM 7.3 study guide extracts:
In the context of the Fortinet Security Fabric, FortiAnalyzer performs Indicator of Compromise (IOC) detection by correlating various security logs against a threat intelligence database. The IOC engine specifically analyzes the following logs of each end user to identify potentially compromised hosts:
Web Filter Logs (A): The engine parses web filtering logs to identify access attempts to blacklisted URLs, malicious domains, or IPs associated with known malware distribution sites. If a match is found in the threat database, the host is flagged as compromised.
DNS Filter Logs (C): DNS requests are a primary indicator of a compromise. The engine monitors these logs for queries directed at known Command and Control (C2) servers or domains generated by Domain Generation Algorithms (DGA).
IPS Logs (E): Intrusion Prevention System (IPS) logs provide critical data on signature matches for known attacks. In newer Security Operations (SOC) curricula, IPS logs are used alongside Web and DNS logs to provide a high-fidelity assessment of whether a host is currently infected and attempting to communicate with an external threat actor.
Why other options are incorrect:
Email Filter Logs (B): While important for detecting phishing attempts (Initial Access), email logs are generally used for content filtering and antispam rather than being a primary source for the IOC engine's behavioral 'calling home' detection in the FortiAnalyzer Compromised Hosts view.
Application Filter Logs (D): Application control logs provide visibility into software usage but are less commonly used by the core IOC engine for identifying blacklisted network destinations compared to Web and DNS filtering.
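As an added example that is not part of this page and not Fortinet's code, the following toy correlator illustrates the process described in both FortiAnalyzer answers above (the earlier "Detailed Process" steps and the IOC engine description here): it parses FortiGate-style key=value log lines, considers only the dnsfilter, webfilter and ips subtypes, matches each against a threat list, and groups hits by source host. The threat list, the log lines and the field values are constructed for this example; the field names (type, subtype, srcip, qname, url, attack) follow the common FortiOS log layout but are an assumption about the reader's environment, not taken from the page.

```python
"""Toy FortiAnalyzer-style IoC correlation over end-user logs (added example)."""
import re
from collections import defaultdict

# Constructed threat intelligence list: placeholder indicators, not real IoCs.
THREAT_DOMAINS = {"c2.example-bad.test", "dga-q7x9.example-bad.test"}
THREAT_URLS = {"http://dl.example-bad.test/payload.bin"}
THREAT_SIGNATURES = {"Backdoor.Generic.CallHome"}

# Constructed sample log lines in FortiOS key=value style (all values invented).
SAMPLE_LOGS = [
    'date=2026-02-24 time=09:01:02 type="utm" subtype="dnsfilter" srcip=10.0.0.5 qname="c2.example-bad.test" action="block"',
    'date=2026-02-24 time=09:01:05 type="utm" subtype="webfilter" srcip=10.0.0.5 url="http://dl.example-bad.test/payload.bin" action="blocked"',
    'date=2026-02-24 time=09:02:11 type="utm" subtype="ips" srcip=10.0.0.7 attack="Backdoor.Generic.CallHome" action="detected"',
    'date=2026-02-24 time=09:03:00 type="utm" subtype="dnsfilter" srcip=10.0.0.9 qname="www.example.com" action="pass"',
    'date=2026-02-24 time=09:03:30 type="utm" subtype="emailfilter" srcip=10.0.0.11 from="spam@example.com" action="block"',
]

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def match_ioc(event):
    """Return (log_type, indicator) when the event hits the threat list, else None.

    Only the three log types the IOC engine uses are consulted; email and
    application filter events fall through and are never treated as hits.
    """
    subtype = event.get("subtype")
    if subtype == "dnsfilter" and event.get("qname") in THREAT_DOMAINS:
        return ("dnsfilter", event["qname"])
    if subtype == "webfilter" and event.get("url") in THREAT_URLS:
        return ("webfilter", event["url"])
    if subtype == "ips" and event.get("attack") in THREAT_SIGNATURES:
        return ("ips", event["attack"])
    return None


def find_compromised_hosts(lines):
    """Map srcip -> list of (log_type, indicator) for every host with an IoC hit."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_log(line)
        match = match_ioc(event)
        if match and "srcip" in event:
            hits[event["srcip"]].append(match)
    return dict(hits)


def rate_hosts(hits):
    """Simple verdict: hosts seen in two or more distinct log types rate 'high'."""
    return {ip: ("high" if len({t for t, _ in matches}) >= 2 else "medium")
            for ip, matches in hits.items()}


if __name__ == "__main__":
    found = find_compromised_hosts(SAMPLE_LOGS)
    for ip, matches in found.items():
        print(ip, rate_hosts(found)[ip], matches)
```

The same host appearing in more than one log type (here 10.0.0.5 in both DNS and web filter logs) is what gives the correlation its value: one blocked DNS query alone is weaker evidence than a DNS hit followed by a download attempt from the same source.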
Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three answers)
Comprehensive and detailed explanation, from the FortiSOAR 7.6 and FortiSIEM 7.3 study guide extracts:
The FortiSIEM rules engine evaluates subpatterns to detect complex attack behaviors. When a rule uses an aggregate condition like COUNT (Matched Events), the engine calculates this value based on specific architectural parameters:
Group By attributes (A): The engine maintains a separate counter for each unique combination of 'Group By' attributes defined in the subpattern. For example, if you group by 'Source IP,' the engine tracks the count of events for each unique IP address independently.
Time window (C): The count is relative to a specific time duration (e.g., 5 minutes). The engine only counts events that fall within this sliding or fixed window. Once an event falls outside this window, it is no longer included in the aggregate count.
Search filter (D): Only events that satisfy the specific 'Search Filter' criteria (e.g., Event Type = 'Failed Login') are considered 'Matched Events.' The filter defines the scope of the data that the rules engine processes before applying the count.
Why other options are incorrect:
Data source (B): While the data source determines where the logs come from, the rules engine itself uses the parsed attributes (defined in the search filter) rather than the raw data source to determine the count. Multiple data sources might contribute to the same filter and count.
Incident action (E): Incident actions (such as sending an email or triggering a SOAR playbook) are the result of a rule firing. They do not influence the internal logic or calculation of the event count during the evaluation phase.
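As an added example that is neither FortiSIEM code nor part of this page, the following toy subpattern evaluator shows how the three factors above combine to produce COUNT (Matched Events): a search filter decides which events are matched at all, the Group By attributes select one counter per distinct attribute combination, and a sliding time window decides which matched events are still counted. The event records, the attribute names (eventType, srcIpAddr, user), the window length and the threshold are all constructed for this example.

```python
"""Toy FortiSIEM-style subpattern COUNT (Matched Events) evaluator (added example)."""
from collections import defaultdict, deque

# Constructed events: (epoch seconds, parsed attributes). Names are illustrative.
EVENTS = [
    (0,   {"eventType": "Failed Login",  "srcIpAddr": "10.1.1.5", "user": "bob"}),
    (30,  {"eventType": "Failed Login",  "srcIpAddr": "10.1.1.5", "user": "bob"}),
    (60,  {"eventType": "Success Login", "srcIpAddr": "10.1.1.5", "user": "bob"}),
    (90,  {"eventType": "Failed Login",  "srcIpAddr": "10.1.1.5", "user": "bob"}),
    (100, {"eventType": "Failed Login",  "srcIpAddr": "10.1.1.9", "user": "alice"}),
    (400, {"eventType": "Failed Login",  "srcIpAddr": "10.1.1.5", "user": "bob"}),
]


class Subpattern:
    """One subpattern: search filter + Group By attributes + time window."""

    def __init__(self, search_filter, group_by, window_seconds):
        self.search_filter = search_filter   # callable(attrs) -> bool
        self.group_by = tuple(group_by)      # attribute names forming the counter key
        self.window = window_seconds         # only events within this span are counted
        self.buckets = defaultdict(deque)    # group key -> timestamps still in window

    def key(self, attrs):
        """One counter per unique combination of the Group By attributes."""
        return tuple(attrs.get(a) for a in self.group_by)

    def evaluate(self, events):
        """Feed events in time order; return {group_key: peak COUNT inside the window}."""
        self.buckets = defaultdict(deque)
        peak = defaultdict(int)
        for ts, attrs in sorted(events, key=lambda e: e[0]):
            if not self.search_filter(attrs):
                continue                      # not a matched event, never counted
            k = self.key(attrs)
            q = self.buckets[k]
            q.append(ts)
            # Slide the window: drop matched events older than window_seconds.
            while q and ts - q[0] > self.window:
                q.popleft()
            peak[k] = max(peak[k], len(q))    # COUNT (Matched Events) for this key now
        return dict(peak)


def fire_rule(events, search_filter, group_by, window_seconds, threshold):
    """Return the group keys whose COUNT reached the threshold inside the window."""
    sp = Subpattern(search_filter, group_by, window_seconds)
    return sorted(k for k, c in sp.evaluate(events).items() if c >= threshold)


def failed_login(attrs):
    """Constructed search filter: Event Type = 'Failed Login'."""
    return attrs.get("eventType") == "Failed Login"


if __name__ == "__main__":
    # Five-minute window, grouped by source IP: 10.1.1.5 reaches 3 at t=90,
    # but the t=400 event stands alone because the earlier three have expired.
    print(fire_rule(EVENTS, failed_login, ["srcIpAddr"], 300, 3))
```

Note what changes the count and what does not: the successful login at t=60 is excluded by the search filter, the t=400 failure is excluded from the earlier cluster by the window, and 10.1.1.9 keeps its own counter because of the Group By. Where the event came from (its data source) and what happens after the rule fires play no part in the arithmetic.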