FortiSOAR 7.3 Study Guide

Questions and Answers

What is one of the main resources where users can find product documentation for FortiSOAR?

FortiGuard Labs

Fortinet Training Institute - Library

Fortinet Knowledge Base (correct)

Fortinet Forums

Which of the following topics is likely covered in the FortiSOAR study guide?

Firewall Configuration Best Practices

Cybersecurity Audit Processes

Network Protocols Overview

Dynamic Variable and Values (correct)

What is the primary purpose of the Application Editor in FortiSOAR?

To configure user accounts and permissions

To write custom Jinja filters and conditions

To develop and manage playbook processes (correct)

To create visual dashboards for data monitoring

Which section of the FortiSOAR study guide would you refer to for learning about data ingestion?

Playbook Connectors, Data Ingestion, and Execution Steps

What is the focus of the Playbook Evaluate Steps in FortiSOAR?

To assess playbook performance and outcomes

What is the first action taken by a level 3 analyst upon receiving an escalated incident?

Conduct further advanced manual investigation

What happens if the threat identified by the level 3 analyst is valid?

Manual remediation of the incident is performed

Which of the following is NOT part of the level 3 analyst's follow-up work?

Reviewing the case with a lawyer

What should a level 3 analyst do if there is no known procedure for an incident?

Update the knowledge base and develop a new playbook

Which component is essential for the level 3 analyst in the review process of an incident?

Developing a new playbook if necessary

What is the purpose of building a new SIEM rule or SOAR playbook?

To automate future responses to similar incidents

What does the level 3 analyst do after identifying the threat during the development of new procedures?

Thoroughly analyze indicators for the threat

Which of the following describes a potential outcome of performing a review process?

Continuous improvement of incident response strategies

What action can a level 1 analyst take if an alert is determined to be a false positive?

Close it as a false positive

What should a level 1 analyst do if an incident is confirmed as a threat?

Run a playbook for remediation

What happens if a playbook remediation is not available for an incident?

The incident is escalated to a level 2 analyst

How does FortiSOAR support the knowledge base of the SOC?

It allows for real-time updates to the knowledge base

Which of the following is NOT an established technique for a level 1 analyst?

Developing new security protocols

What is the role of a level 2 analyst when an incident has been escalated to them?

Conduct a manual investigation and validate the threat

Which of the following best describes the purpose of a playbook in FortiSOAR?

To provide a structured response to incidents

What is one of the primary responsibilities of a level 1 analyst in incident handling with FortiSIEM or FortiSOAR?

Automating aspects of the investigation

When should a level 1 analyst escalate an incident to a level 2 analyst?

When they cannot manually remediate the incident

What is a key feature of the MT_RegionalSOC deployment?

It provides a SOAR platform with regional capabilities.

Which of the following offers a license for an unlimited time for FortiSOAR?

Perpetual

How many actions per day does the Perpetual (Trial) license allow by default?

200 actions

Which license type allows evaluation with a predefined user count and expiry date?

Evaluation

What does the Subscription license offer in terms of user management?

Variable user count depending on needs

What distinguishes the FortiGuard threat intel feeds in version 7.3.0?

An extensive dataset curated by security experts

Which statement is true regarding the Evaluation license?

It has a limitation on both user count and duration.

What is the role of FortiSOAR in relation to the global SOC?

It can sync data and actions from the Global SOC FortiSOAR server.

What is the primary purpose of integrating FortiSOAR with FortiSIEM?

To allow FortiSOAR to receive incidents generated by FortiSIEM

Why is it recommended to send logs through the SIEM rather than using direct connectors?

SIEM acts as a central point of log aggregation

What action can be performed on incidents in FortiSOAR?

Run remediation playbooks against incidents

What does FortiSOAR do when it receives an incident indicating a malicious actor's access attempt?

Evaluates the incident and rates the external IP against threat intelligence

What does each incident forwarded from FortiSIEM to FortiSOAR represent?

A unique record on FortiSOAR

In a typical enterprise architecture involving FortiSOAR, what role does the SIEM play?

It aggregates logs for analytics and reporting

What is the result of incidents generated by FortiGate and sent to FortiSIEM?

They create incidents that are sent to FortiSOAR for handling

What is typically not a feature of FortiSOAR in relation to incident management?

Directly monitoring resource availability

Study Notes

Introduction to FortiSOAR

• FortiSOAR 7.3 automates investigation processes used by level 1 analysts, such as IOC reputation lookups.
• Analysts can close false positive alerts or escalate incidents to level 2 or level 3 analysts depending on the threat validity.
• Level 2 analysts assess incidents and can run remediation playbooks or document cases for future playbook development.

SOC Incident Handling

• Level 3 analysts take charge of escalated incidents, conducting advanced manual investigations after level 1 and level 2 efforts.
• If a threat is not valid, cases are documented and closed; if valid, manual remediation and potential updates to FortiSIEM rules or firewall policies are performed.
• New procedures may be developed for future incidents based on the findings, and case logs document these updates.

Developing New Techniques

• Protocols for creating new techniques involve identifying threats, indicators, and remediation strategies.
• Risks from exploitation may be mitigated through patches, blocks, and implementing future identification methods via SIEM rules or SOAR playbooks.

Enterprise Architecture Overview

• FortiSOAR operates within a typical enterprise architecture where logs from various devices are ingested through connectors.
• Recommended practice is to send logs through SIEM for centralization, analytics, and reporting rather than direct connectors.
• Incidents generated by FortiSIEM are unique records in FortiSOAR, allowing for remediation actions on target devices.

Licensing Options

• FortiSOAR licenses include:
  • Perpetual: Unlimited time license.
  • Perpetual (Trial): Free but restricted trial version.
  • Subscription: Limits on users and defined timeframes; renewable and adjustable user counts.
  • Evaluation: Limited user count with an expiry date for testing purposes.
• The license manager is accessed under the settings menu for management and configuration of licenses.

Description

This quiz focuses on the design and development aspects of FortiSOAR version 7.3. It will test your knowledge and understanding of essential concepts required for effective use and implementation within organizations. Prepare to enhance your skills and comprehension of FortiSOAR functionalities.