Quiz Fortinet NSE 7 - Security Operations 7.6 Architect

Understanding the MITRE ATT&CK Matrix:
The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on
real-world observations.
Each tactic in the matrix represents the "why" of an attack technique, while each technique represents
"how" an adversary achieves a tactic.
Analyzing the Provided Exhibit:
The exhibit shows part of the MITRE ATT&CK Enterprise matrix as displayed on FortiAnalyzer.
The focus is on technique T1071 (Application Layer Protocol), which has subtechniques labeled
T1071.001, T1071.002, T1071.003, and T1071.004.
Each subtechnique specifies a different type of application layer protocol used for Command and Control
(C2):
T1071.001 Web Protocols
T1071.002 File Transfer Protocols
T1071.003 Mail Protocols
T1071.004 DNS
Identifying Key Points:
Subtechniques under T1071: There are four subtechniques listed under the primary technique T1071,
confirming that statement B is true.
Event Handlers for T1071: FortiAnalyzer includes event handlers for monitoring various tactics and
techniques. The presence of event handlers for tactic T1071 suggests active monitoring and alerting for
these specific subtechniques, confirming that statement C is true.
Misconceptions Clarified:
Statement A (four techniques under tactic T1071) is incorrect because T1071 is a single technique
with four subtechniques.
Statement D (15 events associated with the tactic) is misleading. The number 15 refers to the
techniques under the Application Layer Protocol, not directly related to the number of events.
Conclusion:
The accurate interpretation of the exhibit confirms that there are four subtechniques under technique
T1071 and that there are event handlers covering tactic T1071.
References:
MITRE ATT&CK Framework documentation.
FortiAnalyzer Event Handling and MITRE ATT&CK Integration guides.

Understanding FortiAnalyzer Fabric Topology:
The FortiAnalyzer Fabric topology is designed to centralize logging and analysis across multiple
devices in a network.
It involves a hierarchy where the supervisor node manages and coordinates with other Fabric
members.
Analyzing the Options:
Option A: Downstream collectors forwarding logs to Fabric members is not a typical configuration.
Instead, logs are usually centralized to the supervisor.
Option B: For effective management and log centralization, logging devices must be registered to the
supervisor. This ensures proper log collection and coordination.
Option C: The supervisor does not primarily use an API to store logs, incidents, and events locally.
Logs are stored directly in the FortiAnalyzer database.
Option D: For the Fabric topology to function correctly, all Fabric members need to be in analyzer
mode. This mode allows them to collect, analyze, and forward logs appropriately within the topology.
Conclusion:
The correct statements regarding the FortiAnalyzer Fabric topology are that logging devices must be
registered to the supervisor and that Fabric members must be in analyzer mode.
References:
Fortinet Documentation on FortiAnalyzer Fabric Topology.
Best Practices for Configuring FortiAnalyzer in a Fabric Environment.

Understanding the Threat Hunting Data:
The Threat Hunting Monitor in the provided exhibits shows various application services, their usage
counts, and data metrics such as sent bytes, average sent bytes, and maximum sent bytes.
The second part of the exhibit lists connection attempts from a specific source IP (10.0.1.10) to a
destination IP (8.8.8.8), with repeated "Connection Failed" messages.
Analyzing the Application Services:
DNS is the top application service with a significantly high count (251,400) and notable sent bytes (9.1
MB).
This large volume of DNS traffic is unusual for regular DNS queries and can indicate the presence of
DNS tunneling.
DNS Tunneling:
DNS tunneling is a technique used by attackers to bypass security controls by encoding data within
DNS queries and responses. This allows them to extract data from the local network without detection.
The high volume of DNS traffic, combined with the detailed metrics, suggests that DNS tunneling
might be in use.
Connection Failures to 8.8.8.8:
The repeated connection attempts from the source IP (10.0.1.10) to the destination IP (8.8.8.8) with
connection failures can indicate an attempt to communicate with an external server.
Google DNS (8.8.8.8) is often used for DNS tunneling due to its reliability and global reach.
Conclusion:
Given the significant DNS traffic and the nature of the connection attempts, it is reasonable to conclude
that DNS tunneling is being used to extract confidential data from the local network.
Why Other Options are Less Likely:
Spearphishing (A): There is no evidence from the provided data that points to spearphishing attempts,
such as email logs or phishing indicators.
Reconnaissance (C): The data does not indicate typical reconnaissance activities, such as scanning
or probing mail servers.
FTP C&C (D): There is no evidence of FTP traffic or command-and-control communications using
FTP in the provided data.
References:
SANS Institute: "DNS Tunneling: How to Detect Data Exfiltration and Tunneling Through DNS
Queries" SANS DNS Tunneling
OWASP: "DNS Tunneling" OWASP DNS Tunneling
By analyzing the provided threat hunting data, it is evident that DNS tunneling is being used to exfiltrate
data, indicating a sophisticated method of extracting confidential information from the network.

Understanding the Playbook and its Components:
The exhibit shows the status of a playbook named "DOS attack" and its associated tasks.
The playbook is designed to execute a series of tasks upon detecting a DoS attack event.
Analysis of Playbook Tasks:
Attach_Data_To_Incident: Task ID placeholder_8fab0102, status is "upstream_failed," meaning it did
not execute properly due to a previous task's failure.
Get Events: Task ID placeholder_fa2a573c, status is "success."
Create SMTP Enumeration incident: Task ID placeholder_3db75c0a, status is "failed."
Reviewing Raw Logs:
The error log shows aValueError: invalid literal for int() with base 10: '10.200.200.100'.
This error indicates that the task attempted to convert a string (the IP address '10.200.200.100') to an
integer, which is not possible.
Identifying the Source of the Error:
The error occurs in the file "incident_operator.py," specifically in theexecutemethod.
This suggests that the task "Create SMTP Enumeration incident" is the one causing the issue
because it failed to process the data type correctly.
Conclusion:
The failure of the playbook is due to the "Create SMTP Enumeration incident" task receiving a string
value (an IP address) when it expects an integer value. This mismatch in data types leads to the error.
References:
Fortinet Documentation on Playbook and Task Configuration.
Python error handling documentation for understanding Value Error.

Overview of Automation Stitches:
Automation stitches in FortiAnalyzer are predefined sets of automated actions triggered by specific
events. These actions help in automating responses to security incidents, improving efficiency, and
reducing the response time.
FortiAnalyzer Connectors:
FortiAnalyzer integrates with various Fortinet products and other third-party solutions through
connectors. These connectors facilitate communication and data exchange, enabling centralized
management and automation.
Available Connectors for Automation Stitches:
FortiCASB:
FortiCASB is a Cloud Access Security Broker that helps secure SaaS applications. However, it is
not typically used for running automation stitches within FortiAnalyzer.
[Reference: Fortinet FortiCASB Documentation FortiCASB, FortiMail: , FortiMail is an email security
solution. While it can send logs and events to FortiAnalyzer, it is not primarily used for running
automation stitches., Reference: Fortinet FortiMail Documentation FortiMail, Local: , The local connector
refers to FortiAnalyzer’s ability to handle logs and events generated by itself. This is useful for internal
processes but not specifically for integrating with other Fortinet devices for automation stitches.,
Reference: Fortinet FortiAnalyzer Administration Guide FortiAnalyzer Local, FortiOS: , FortiOS is the
operating system that runs on FortiGate firewalls. FortiAnalyzer can use the FortiOS connector to
communicate with FortiGate devices and run automation stitches. This allows FortiAnalyzer to send
commands to FortiGate, triggering predefined actions in response to specific events., Reference:
Fortinet FortiOS Administration Guide FortiOS, Detailed Process: , Step 1: Configure the FortiOS
connector in FortiAnalyzer to establish communication with FortiGate devices., Step 2: Define
automation stitches within FortiAnalyzer that specify the actions to be taken when certain events occur.,
Step 3: When a triggering event is detected, FortiAnalyzer uses the FortiOS connector to send the
necessary commands to the FortiGate device., Step 4: FortiGate executes the commands, performing
the predefined actions such as blocking an IP address, updating firewall rules, or sending alerts.,
Conclusion: , The FortiOS connector is specifically designed for integration with FortiGate devices,
enabling FortiAnalyzer to execute automation stitches effectively., References: , Fortinet FortiOS
Administration Guide: Details on configuring and using automation stitches., Fortinet FortiAnalyzer
Administration Guide: Information on connectors and integration options., By utilizing the FortiOS
connector, FortiAnalyzer can run automation stitches to enhance the security posture and response
capabilities within a network., , ]

Understanding FortiAnalyzer Roles:
FortiAnalyzer can operate in two primary modes: collector mode and analyzer mode.
Collector Mode: Gathers logs from various devices and forwards them to another FortiAnalyzer
operating in analyzer mode for detailed analysis.
Analyzer Mode: Provides detailed log analysis, reporting, and incident management.
Steps to Configure FortiAnalyzer as a Collector Device:

Overview of Indicators of Compromise (IoCs): Indicators of Compromise (IoCs) are pieces of evidence
that suggest a system may have been compromised. These can include unusual network traffic patterns,
the presence of known malicious files, or other suspicious activities.
FortiAnalyzer's Role: FortiAnalyzer aggregates logs from various Fortinet devices to provide
comprehensive visibility and analysis of network events. It uses these logs to identify potential IoCs and
compromised hosts.
Relevant Log Types:
DNS Filter Logs:
DNS requests are a common vector for malware communication. Analyzing DNS filter logs helps in
identifying suspicious domain queries, which can indicate malware attempting to communicate with
command and control (C2) servers.
[Reference: Fortinet Documentation on DNS Filtering FortiOS DNS Filter, IPS Logs: , Intrusion
Prevention System (IPS) logs detect and block exploit attempts and malicious activities. These logs are
critical for identifying compromised hosts based on detected intrusion attempts or behaviors matching
known attack patterns., Reference: Fortinet IPS Overview FortiOS IPS, Web Filter Logs: , Web filtering
logs monitor and control access to web content. These logs can reveal access to malicious websites,
download of malware, or other web-based threats, indicating a compromised host., Reference: Fortinet
Web Filtering FortiOS Web Filter, Why Not Other Log Types: , Email Filter Logs: , While important for
detecting phishing and email-based threats, they are not as directly indicative of compromised hosts as
DNS, IPS, and Web filter logs., Application Filter Logs: , These logs control application usage but are
less likely to directly indicate compromised hosts compared to the selected logs., Detailed Process: ,
Step 1: FortiAnalyzer collects logs from FortiGate and other Fortinet devices., Step 2: DNS filter logs are
analyzed to detect unusual or malicious domain queries., Step 3: IPS logs are reviewed for any intrusion
attempts or suspicious activities., Step 4: Web filter logs are checked for access to malicious websites or
downloads., Step 5: FortiAnalyzer correlates the information from these logs to identify potential IoCs
and compromised hosts., References: , Fortinet Documentation: FortiOS DNS Filter, IPS, and Web Filter
administration guides., FortiAnalyzer Administration Guide: Details on log analysis and IoC
identification., By using DNS filter logs, IPS logs, and Web filter logs, FortiAnalyzer effectively identifies
possible compromised hosts, providing critical insights for threat detection and response., , , ]

Understanding Playbook Variables:
Playbook tasks in Security Operations Center (SOC) playbooks use variables to pass and manipulate
data between different steps in the automation process.
Variables help in dynamically handling data, making the playbook more flexible and adaptive to
different scenarios.
Types of Variables:
Input Variables:
Input variables are used to provide data to a playbook task. These variables can be set manually or
derived from previous tasks.
They act as parameters that the task will use to perform its operations.
Output Variables:
Output variables store the result of a playbook task. These variables can then be used as inputs for
subsequent tasks.
They capture the outcome of the task's execution, allowing for the dynamic flow of information through
the playbook.
Other Options:
Create: Not typically referred to as a type of variable in playbook tasks. It might refer to an action but
not a variable type.
Trigger: Refers to the initiation mechanism of the playbook or task (e.g., an event trigger), not a type
of variable.
Conclusion:
The two types of variables used in playbook tasks areinputandoutput.
References:
Fortinet Documentation on Playbook Configuration and Variable Usage.
General SOC Automation and Orchestration Practices.

Understanding the Issue:
The custom event handler for detecting SMTP reconnaissance activities is generating a large number
of events.
This high volume of events is overwhelming the notification system, leading to potential alert fatigue
and inefficiency in incident response.
Event Handler Configuration:
Event handlers are configured to trigger alerts based on specific criteria.
The frequency and volume of these alerts can be controlled by adjusting the trigger conditions.
Possible Solutions:

Understanding FortiAnalyzer Fabric Deployment:
FortiAnalyzer Fabric deployment involves a hierarchical structure where the Fabric root (supervisor)
coordinates with multiple Fabric members (collectors and analyzers).
This setup ensures centralized log collection, analysis, and incident response across geographically
distributed locations.
Analyzing the Exhibit
FAZ1-Supervisoris located at AMER HQ and acts as the Fabric root.
FAZ2-Analyzeris a Fabric member located in EMEA.
FAZ3-Collectorand are Fabric members located in EMEA and APAC,FAZ4-Collector respectively.
Evaluating the Options:
Option A: The statement indicates that the AMER HQ SOC team cannot run automation playbooks from
the Fabric supervisor. This is true because automation playbooks and certain orchestration tasks
typically require local execution capabilities which may not be fully supported on the supervisor node.
Option B: High availability (HA) configuration for the supervisor node is a best practice for redundancy
but is not directly inferred from the given architecture.
Option C: The EMEA SOC team having access to historical logs only is not correct since FAZ2-Analyzer
provides full analysis capabilities.
Option D: The APAC SOC team has access to FortiView and other reporting functions through FAZ4-
Collector, but this is not explicitly detailed in the provided architecture.
Conclusion:
The most accurate observation about this FortiAnalyzer Fabric deployment architecture is that the AMER
HQ SOC team cannot run automation playbooks from the Fabric supervisor.
References:
Fortinet Documentation on FortiAnalyzer Fabric Deployment.
Best Practices for FortiAnalyzer and Automation Playbooks