FortiSOAR Administrator 7.3 Study Guide

Questions and Answers

What is the principle that is implemented by ensuring administrators operate within their assigned roles?

Least privilege (correct)

Team collaboration

User empowerment

Maximum accessibility

How are users' levels of accessibility determined in FortiSOAR?

Organization policies alone

Roles and team memberships (correct)

Teams only

User preferences and settings

What must administrators manage to ensure proper permissions in FortiSOAR?

SLA templates

Backup schedules

Roles and teams (correct)

User interfaces

What does the management of team hierarchy involve in FortiSOAR?

Defining the levels of user roles and permissions

What does managing SLA templates in FortiSOAR enable administrators to do?

Define service level expectations

Which aspect of user permissions is incorrect in FortiSOAR?

Users manage their access levels independently.

Why is it essential to have backup and restore functionalities in FortiSOAR?

To maintain continuous operation

In FortiSOAR, what is a role's function in user management?

To control user access to specific modules

What must an administrator ensure regarding the permissions to work with add-ons in FortiSOAR?

They must have the required permissions for each respective module.

What does the SOAR Framework Solution Pack include?

Modules, dashboards, roles, and widgets for SOC operations.

What happens when an alert is ingested into FortiSOAR?

FortiSOAR verifies if the alert is a false positive.

What does the installation of the SOAR Framework Solution Pack provide?

A functional incident response platform with automation and threat intelligence.

How can alerts in FortiSOAR be created?

Automatically through connectors or manually.

What is required to optimally utilize FortiSOAR incident response features?

Installation of the SOAR Framework Solution Pack.

When can an alert be cleared in FortiSOAR?

After it is confirmed as a false positive.

What is the initial access requirement to view the Content Hub in FortiSOAR?

At least read permissions on the Content Hub and Applications modules.

What is the primary responsibility of a level 1 analyst when responding to an alert?

Investigate and triage the alert

Which action can a level 1 analyst take if an alert is confirmed as a false positive?

Close the alert

What does a level 2 analyst do if they determine that an incident is not a threat?

Close the incident

What is a key resource that a level 2 analyst may utilize during the investigation of an incident?

Playbooks

If a level 1 analyst determines that an alert requires further investigation, what can they do?

Open an incident or case

What must a level 2 analyst do after remediating an incident?

Update the knowledge base

If a remediation playbook is not available, what should the level 2 analyst do?

Attempt to resolve the incident manually

What capability do playbooks provide to level 1 analysts when investigating alerts?

Automation of reputation lookups for IOC

What is the main difference between named users and concurrent users regarding license allocation?

Named users require a license regardless of login status, while concurrent users only occupy a license when logged in.

In what scenario would using concurrent users be more beneficial than named users?

When users are working different shifts or from different time zones.

How can an administrator force a concurrent user to log out?

By using the log out button under the user's profile or the logout-user command.

What permissions are necessary to edit user profiles within the system?

Permissions to create, read, and update on the People module.

What information is typically included in a user's profile?

User's password, email, username, and phone numbers.

How can the login status of a user be viewed?

Both through the GUI and CLI using the show-logged-in-users command.

What happens when there are no available spots for concurrent users?

An error message is shown indicating unavailability.

Which command displays the login status of users in the CLI?

show-logged-in-users

What must be done first to edit the relationships of any team?

Drag and drop or double-click the team's title.

Which statement correctly describes the role of the SOC Team in relation to other teams?

SOC Team cannot access Australia Analysts and France Analysts records unless explicitly allowed.

What happens to changes made to a team if the Revert option is clicked?

Changes will be lost if not saved prior.

Under what circumstance can members of Australia Analysts team act on US Analysts records?

Due to their sibling relationship with US Analysts.

Which statement about the US L1, L2, and L3 teams is true?

They cannot act on records of any other teams except their own.

What is necessary to establish a sibling relationship between teams?

Changing the team in focus and explicitly defining siblings.

If the Fraud team is a child of US L1, L2, or L3, what can the SOC Team access?

SOC Team can access Fraud team records as great grandparent.

What is a characteristic of the SOC Team regarding relationships with other teams?

SOC Team is isolated from all other teams unless connected.

Study Notes

Device Management Overview

• Learn to configure roles, teams, team hierarchy, and manage users and permissions in FortiSOAR.
• Understand how to set up and manage Service Level Agreement (SLA) templates, and handle backup and restoration of configuration files.

User Roles and Permissions

• User access is determined by a combination of roles and team memberships, ensuring that administrators operate under the principle of least privilege.
• Specific module access is granted based on role permissions, which operate in accordance with team memberships.

Analyst Responsibilities

• Level 1 analysts respond to alerts, investigate and triage them, can automate some investigations, and escalate valid alerts to incidents if needed.
• Level 2 analysts utilize established techniques for incident investigation, closure of false threats, and remediation through available playbooks or manual resolution.

Incident Management

• Alerts can be created manually or ingested through connectors, with the ability to validate false positives and escalate legitimate alerts into incidents.
• Playbooks can be run to remediate incidents if available, or incidents may be escalated if not.

Team Hierarchy

• Teams can be organized in a hierarchy, with parent-child relationships affecting access to records across teams.
• Members of parent teams can access records of their child teams, while siblings lack this access unless explicitly defined.

Licensing and User Types

• FortiSOAR supports different user types: Named (permanently allocated) and Concurrent (shared as users log in).
• Concurrent user configurations allow for flexibility in license management, useful for organizations with varied shift patterns.

User Profiles

• Each user has a profile that can be edited to update personal information, but editing requires appropriate permissions in the People module.
• User profiles contain essential information such as name, email, username, password, and phone numbers.

Content Hub and Solution Packs

• The SOAR Framework Solution Pack is critical for effective SOC operations, providing essential modules, dashboards, roles, and widgets.
• It must be installed to fully utilize FortiSOAR's incident response capabilities; pre-installed in new setups but may require installation on upgrades.

Monitoring User Status

• The system allows viewing a user's login status through both GUI and CLI for active monitoring of user accessibility.
• Administrators can force logouts for concurrent users to free up seats as necessary.

Description

This quiz focuses on the key concepts from the FortiSOAR Administrator 7.3 guide, covering device management, role configuration, team hierarchy, and user permissions. It also addresses managing SLA templates and backup/restoration processes. Prepare for your certification with a comprehensive understanding of these topics.