NSE6_EDR_AD-7.0 Practice Questions

The correct answers are

A.  

The FortiEDR 7.0.0 Administration Guide states that FortiEDR Connect opens a console that provides direct access to a FortiEDR-protected device through a remote shell connection. This allows administrators to respond to incidents, run commands and scripts, collect and download forensic data, and remediate threats. The guide also states that the FortiEDR Connect terminal has a prompt where commands can be typed, and the Help button displays the supported commands and their parameters.

The guide further confirms that FortiEDR Connect supports FortiEDR-specific commands, Windows command-line access through %cmd , and Python commands.

For the exact command list, Fortinet’s official FortiEDR Connect technical tip lists the supported commands. In that list, %ipconfig_all is explicitly described as returning extended IP information, and %upload_file is explicitly described as uploading a file to the specified path. ( Fortinet Community )

Options

C.  

=========

=========

The correct answers are B and C .

The FortiEDR 7.0.0 Administration Guide has a specific troubleshooting section named “A FortiEDR Collector does not display in the INVENTORY tab.” It states that after a Collector is first launched, it registers with the FortiEDR Central Manager and appears in the Inventory tab. If it does not appear, the first checks are to confirm that the device where the Collector is installed is powered on and has Internet connectivity, and to validate that ports 8081 and 555 are available and not blocked by another third-party product.

Option B is therefore correct in the exam sense because ports 8081 and 555 must be open for FortiEDR communication. More precisely, the Collector communicates with the Aggregator on port 8081 and the Core on port 555 , not directly to the Central Manager in every architecture. The option wording says “between the collector and the central manager,” which is technically loose, but the required troubleshooting item is still the port availability.

Option C is also correct because the same guide says to check that the endpoint is powered on and connected. In practical FortiEDR troubleshooting, this includes confirming the FortiEDR Collector service/driver are running on the endpoint; otherwise the Collector cannot register or report health.

Option A is not listed in the FortiEDR guide as a required step for this issue. Option D is not the best answer because the guide says logs are generally retrieved when Fortinet Support requests them, and Collector logs can only be exported for Collectors in Running status; a newly installed Collector that does not appear in Inventory cannot normally be selected from Central Manager for log export.

The correct answers are B and C .

The exhibit shows the event classification as Malicious . In FortiEDR, event classification can be performed by the Core and later updated by FortiEDR Cloud Service (FCS) . The guide states that the audit history shows the classification chronology and includes details when FCS reclassifies a security event after the Core’s initial classification. It also states that notifications can be based on either Core or FCS classification depending on whether FCS classification is received within the timeout period.

The exhibit also shows TestApplication.exe with Status: Running . That means the process was launched and is currently running on the endpoint. Therefore, C is correct.

Option A is wrong because the exhibit clearly shows Status: Unhandled , not Handled. The guide states that FortiEDR security events are initially marked as unread and unhandled, and users can later mark them handled through the incident handling workflow.

Option D is wrong because the exhibit shows rule indicators such as Invalid Checksum , Suspicious Packer , and Writable Code , but it does not prove that TestApplication.exe is “sophisticated malware.” FortiEDR classifies the event as malicious, but the guide’s Malicious classification means the event is verified to have malicious capability, is intended to harm the infected device, and has no commercially viable use; the exhibit alone does not justify the stronger claim “sophisticated malware.”

=========

The FortiEDR 7.0.0 Administration Guide states that when manually adding applications to be blocked, you can define the application using Hash or using any combination of File Name / Path / Signer attributes. This means hashes can be used independently and do not require filename, path, or signer attributes.

The guide also states that each hash is a unique identifier of an individual application, and the exhibit itself shows the hash field note: “SHA-1 or SHA-2 or MD5.” Therefore, the hash must use a supported hash format, making D correct.

For multiple hash entries, the uploaded guide text says they must be comma separated , while the exhibit note says “You can enter multiple hashes comma separated.” So the technically exact guide wording supports comma separation, not line separation. However, given your answer choices, A is clearly trying to test the requirement that multiple hashes must be separated correctly. The option wording says “line-separated,” which is not exact against the guide; the better wording would be comma-separated . Since no “comma-separated” option is provided, A is the intended separation-related answer, but the wording is flawed.

Option B is definitely wrong because hash mode is an alternative to attributes. Option C is also not the best answer because, although each hash uniquely identifies a file/application variant, the operational requirement is not that “hashes must be unique to each application” in the way the option implies. Hashes may represent different variants of the same application.