NSE7_SOC_AR-7.6 Exam Dumps : Fortinet NSE 7 - Security Operations 7.6 Architect

Understanding the Event Handler Configuration:

The event handler is set up to detect specific security incidents, such as spearphishing, based on logs forwarded from other Fortinet products like FortiSandbox.

An event handler includes rules that define the conditions under which an event should be triggered.

Analyzing the Current Configuration:

The current event handler is named "Spearphishing handler" with a rule titled "Spearphishing Rule 1".

The log viewer shows that logs are being forwarded by FortiSandbox but no events are generated by FortiAnalyzer.

Key Components of Event Handling:

Log Type: Determines which type of logs will trigger the event handler.

Data Selector: Specifies the criteria that logs must meet to trigger an event.

Automation Stitch: Optional actions that can be triggered when an event occurs.

Notifications: Defines how alerts are communicated when an event is detected.

Issue Identification:

Since FortiSandbox logs are correctly forwarded but no event is generated, the issue likely lies in the data selector configuration or log type matching.

The data selector must be configured to include logs forwarded by FortiSandbox.

Solution:

B. Configure a FortiSandbox data selector and add it to the event handler:

By configuring a data selector specifically for FortiSandbox logs and adding it to the event handler, FortiAnalyzer can accurately identify and trigger events based on the forwarded logs.

Steps to Implement the Solution:

Step 1: Go to the Event Handler settings in FortiAnalyzer.

Step 2: Add a new data selector that includes criteria matching the logs forwarded by FortiSandbox (e.g., log subtype, malware detection details).

Step 3: Link this data selector to the existing spearphishing event handler.

Step 4: Save the configuration and test to ensure events are now being generated.

Conclusion:

The correct configuration of a FortiSandbox data selector within the event handler ensures that FortiAnalyzer can generate events based on relevant logs.

Fortinet Documentation on Event Handlers and Data Selectors FortiAnalyzer Event Handlers

Fortinet Knowledge Base for Configuring Data Selectors FortiAnalyzer Data Selectors

By configuring a FortiSandbox data selector and adding it to the event handler, FortiAnalyzer will be able to accurately generate events based on the appropriate logs.

Understanding the Playbook Configuration:

The "Malicious File Detect" playbook is designed to create an incident when a malicious file detection event is triggered.

The playbook includes tasks such as Attach_Data_To_Incident, Create Incident, and Get Events.

Analyzing the Playbook Execution:

The exhibit shows that the Create Incident task has failed, and the Attach_Data_To_Incident task has also failed.

The Get Events task succeeded, indicating that it was able to retrieve event data.

Reviewing Raw Logs:

The raw logs indicate an error related to parsing input in the incident_operator.py file.

The error traceback suggests that the task was expecting a specific input format (likely a name or number) but received an incorrect data format.

Identifying the Source of the Failure:

The Create Incident task failure is the root cause since it did not proceed correctly due to incorrect input format.

The Attach_Data_To_Incident task subsequently failed because it depends on the successful creation of an incident.

Conclusion:

The primary reason for the playbook execution failure is that the Create Incident task received an incorrect data format, which was not a name or number as expected.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

InFortiSOAR 7.6, manual playbooks appear in theExecutemenu of a record only if they meet specific configuration criteria defined in theManual Triggerstep:

Module Scope (C):When creating a playbook with a manual trigger, the administrator must explicitly select which modules (e.g., Alerts, Incidents, Indicators) can execute the playbook. If theAlertsmodule is not selected in the "Applicable Modules" section of the trigger configuration, the playbook will remain hidden from the Execute menu when an analyst is viewing the Alerts module.

Trigger Execution Requirements (D):Manual triggers can be configured to execute onno records, asingle record, ormultiple records. If a playbook is configured with the "Requires record input to run" setting but is specifically restricted to a different input type (or if there is a mismatch in the selection logic), it will not appear in the menu unless the correct number of records are selected. Furthermore, if a playbook is designed to run only whennorecord is selected (global utility), it will not show up in the context-sensitive menu of a specific record.

Why other options are incorrect:

Publishing (A):FortiSOAR playbooks do not require a separate "publishing" step via an Application Editor to become visible. Once they aresavedandactive(toggled on), they are immediately available for use based on their trigger settings.

Concurrent Execution (B):FortiSOAR allows multiple instances of the same playbook to run simultaneously. An active execution of a playbook does not hide it from the menu for other analysts or subsequent runs.