NSE7_SOC_AR-7.6 Practice Questions

Understanding the MITRE ATT&CK Matrix:

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations.

Each tactic in the matrix represents the "why" of an attack technique, while each technique represents "how" an adversary achieves a tactic.

Analyzing the Provided Exhibit:

The exhibit shows part of the MITRE ATT&CK Enterprise matrix as displayed on FortiAnalyzer.

The focus is on technique T1071 (Application Layer Protocol), which has subtechniques labeled T1071.001, T1071.002, T1071.003, and T1071.004.

Each subtechnique specifies a different type of application layer protocol used for Command and Control (C2):

T1071.001 Web Protocols

T1071.002 File Transfer Protocols

T1071.003 Mail Protocols

T1071.004 DNS

Identifying Key Points:

Subtechniques under T1071:There are four subtechniques listed under the primary technique T1071, confirming that statement B is true.

Event Handlers for T1071:FortiAnalyzer includes event handlers for monitoring various tactics and techniques. The presence of event handlers for tactic T1071 suggests active monitoring and alerting for these specific subtechniques, confirming that statement C is true.

Misconceptions Clarified:

Statement A (four techniques under tactic T1071) is incorrect because T1071 is a single technique with four subtechniques.

Statement D (15 events associated with the tactic) is misleading. The number 15 refers to the techniques under the Application Layer Protocol, not directly related to the number of events.

Conclusion:

The accurate interpretation of the exhibit confirms that there are four subtechniques under technique T1071 and that there are event handlers covering tactic T1071.

Slot 1:dataSlot 2:json_querySlot 3:("results[?type=='FileHash-MD5']")Slot 4:value

Final Expression: {{ vars.artifacts.data | json_query("results[?type=='FileHash-MD5']") .value }}

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

InFortiSOAR 7.6, advanced data manipulation within playbooks often requires the use ofJMESPathqueries via the json_query Jinja filter. To extract specific data from a complex JSON object (like the vars.artifacts dictionary shown in the exhibit), the analyst must follow the structural hierarchy:

Slot 1 (data):Based on the exhibit, the root of the artifact information is located under vars.artifacts.data. Therefore, "data" is the starting point for the filter.

Slot 2 (json_query):To perform advanced filtering (searching for a specific type), the json_query filter must be applied. This allows the playbook to traverse the list and find items matching a specific key-value pair.

Slot 3 ("results[?type=='FileHash-MD5']"):This is the JMESPath expression. It looks into the results array and applies a filter [?...] to find only those objects where the type attribute exactly matches FileHash-MD5.

Slot 4 (value):Once the correct object(s) are found, the expression needs to return the actual hash. In the JSON exhibit, the MD5 string is stored in the key named value.

Why other options are incorrect:

tojson:This filter converts a dictionary/list into a JSON string, which would break the ability to further query the object for the "value" field.

results (as a standalone slot):While "results" is part of the path, it is handledinsidethe json_query string to allow for conditional filtering.

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

ThePyramid of Pain(David Bianco) is a core concept taught inFortiSIEM 7.3andFortiSOAR 7.6curriculum to help SOC analysts prioritize threat intelligence and detection logic. The model ranks indicators based on the "pain" or effort they cause an adversary to change:

IP Addresses (Easy):These are classified as "Easy" to change. An attacker can simply rotate through a proxy service, use a different VPS, or utilize a new compromised host to continue their campaign. While more valuable than a file hash, they provide relatively low-long term value to the defender because they are so ephemeral.

TTPs (Tough/Hard):This is the apex of the pyramid. TTPs (Tactics, Techniques, and Procedures) represent the fundamental way an adversary operates. If a defender successfully detects and blocks a Tactic (e.g., a specific way an attacker performs privilege escalation), the adversary is forced to reinvent their entire operational process, which is time-consuming and difficult.

Why other options are incorrect:

Artifacts (C):According to the pyramid, Network/Host Artifacts are classified as"Annoying", not "Easy". While an attacker can change them, it requires modifying their code or script behavior, which causes more friction than simply switching an IP address.

Tools (D):Tools are classified as"Challenging". While alternatives exist, an adversary usually invests significant time mastering a specific toolset; losing the ability to use that tool effectively disrupts their efficiency significantly.

1.FortiSIEM incident2.FortiSOAR alert3.FortiSOAR indicator4.FortiSOAR incident

In the standard integration betweenFortiSIEM 7.3andFortiSOAR 7.6, the data ingestion wizard follows a specific object mapping hierarchy to ensure that high-fidelity security events are managed correctly.

Step 1: FortiSIEM incident:The workflow begins in FortiSIEM. When a correlation rule triggers, it generates anIncident(not just a raw log). The FortiSOAR connector polls the FortiSIEM API specifically for these incident records.

Step 2: FortiSOAR alert:By default, ingested FortiSIEM incidents are mapped to theAlertsmodule in FortiSOAR. This serves as a "triage" layer where automated playbooks can perform initial analysis before a human determines if it warrants a full-scale investigation.

Step 3: FortiSOAR indicator:As the alert is processed (either during ingestion or immediately after), the playbook extracts technical artifacts (IPs, hashes, URLs) and createsIndicatorrecords. This allows for automated threat intelligence lookups and cross-referencing against other alerts.

Step 4: FortiSOAR incident:If the alert is validated (either through automated playbook scoring or manual analyst review), it is promoted to aFortiSOAR Incident. This represents a confirmed security issue that requires formal tracking, remediation, and reporting.