
NSE5_EDR-5.0 Fortinet Practice Test Questions and Exam Dumps
Question No 1:
What is true about classifications assigned by Fortinet Cloud Service (FCS)?
A. FCS revises the classification of the core based on its database.
B. The core only assigns a classification if FCS is not available.
C. FCS is responsible for all classifications.
D. The core is responsible for all classifications if FCS playbooks are disabled.
Correct answer: D
Explanation:
D. The core is responsible for all classifications if FCS playbooks are disabled is the correct statement. Fortinet Cloud Service (FCS) normally assists in classifying events, but when the FCS playbooks are disabled, the core takes over responsibility for those classifications. This ensures that classification still happens even when FCS is not involved in the process.
Here’s why the other options are incorrect:
A. FCS revises the classification of the core based on its database: FCS may provide classifications or assist with them, but it doesn't necessarily revise or overwrite classifications made by the core. The core and FCS work together, and the core can also operate independently.
B. The core only assigns a classification if FCS is not available: This is not entirely accurate because the core may assign classifications regardless of whether FCS is available or not, depending on the system's configuration. In some cases, FCS can assist or even override core decisions.
C. FCS is responsible for all classifications: While FCS plays a significant role in classification, it is not responsible for all classifications in every case. The core device can handle classification responsibilities, especially if FCS features are disabled or unavailable.
In conclusion, D is the correct answer because it explains the fallback mechanism where the core handles classifications when FCS playbooks are not enabled.
Question No 2:
Based on the forensics data shown in the exhibit, which two statements are true? (Choose two.)
A. The device cannot be remediated.
B. The execution prevention policy has blocked this event.
C. The event was blocked because the certificate is unsigned.
D. Device C8092231196 has been isolated.
Correct answer: B, D
Explanation:
To determine the correct answer, let’s break down each statement and evaluate its relevance to the forensics data provided.
A. The device cannot be remediated: This statement suggests that the device cannot be fixed or restored. However, there is no direct evidence in the exhibit data that confirms the inability to remediate the device. Without more specific context (such as a failure in remediation efforts), this statement cannot be conclusively deemed true.
B. The execution prevention policy has blocked this event: Execution prevention policies are used to block the running of malicious or unauthorized programs. If the exhibit data shows that the event was related to the blocking of an executable or process, then this statement would be true. Execution prevention policies often appear as part of security software (such as endpoint protection) that blocks specific actions from being performed by suspicious software, which is what seems to have occurred in this case.
C. The event was blocked because the certificate is unsigned: This statement suggests that the event was blocked due to the certificate being unsigned. While this is a valid security mechanism (blocking unsigned binaries), there is no explicit indication in the provided data that the event was blocked due to an unsigned certificate. Unless the forensics data clearly references a certificate issue, we cannot confirm this as the reason for the block.
D. Device C8092231196 has been isolated: This statement suggests that Device C8092231196 has been isolated, likely as part of an incident response action. If the forensics data shows that this particular device was quarantined or isolated, this would be a true statement. Device isolation is a common security action when an infected or compromised device needs to be contained to prevent further damage to the network.
Based on the given information and typical forensic actions, Option B (Execution prevention policy has blocked this event) and Option D (Device C8092231196 has been isolated) are the most likely true statements.
Question No 3:
Based on the event shown in the exhibit, which two statements about the event are true? (Choose two.)
A. The NGAV policy has blocked TestApplication.exe.
B. FCS classified the event as malicious.
C. TestApplication.exe is sophisticated malware.
D. The user was able to launch TestApplication.exe.
Correct answer: A, B
Explanation:
In this scenario, we are asked to determine which two statements are true based on the event shown in the exhibit. Here's how to analyze the given statements:
A. The NGAV policy has blocked TestApplication.exe.
NGAV (Next-Generation Antivirus) typically blocks suspicious or known harmful applications. If the exhibit indicates that the policy has successfully blocked TestApplication.exe, this statement would be true. In the context of modern security tools, blocking executable files is a common way to protect against threats.
B. FCS classified the event as malicious.
FCS (Fortinet Cloud Service) classifies the events that the FortiEDR core reports to it. If FCS has classified the event as malicious, it suggests that the service detected something potentially harmful in the behavior of TestApplication.exe or its associated actions. This would be true if the exhibit confirms that FCS flagged the event as malicious.
C. TestApplication.exe is sophisticated malware.
While it's possible that TestApplication.exe could be sophisticated malware, the statement assumes that the application has been thoroughly analyzed and identified as "sophisticated." Based solely on the event shown, unless there is specific evidence in the exhibit about the complexity of the malware, we can't definitively claim that it is "sophisticated."
D. The user was able to launch TestApplication.exe.
If the event is showing that TestApplication.exe was blocked by NGAV or classified as malicious by FCS, then the user likely was not able to launch the application. This would contradict the statement in option D.
Given these insights, the correct answers are A and B, as they align with the typical behaviors of security tools in blocking and detecting malicious activity.
Question No 4:
How does FortiEDR implement post-infection protection?
A. By insurance against ransomware
B. By preventing data exfiltration or encryption even after a breach occurs
C. By real-time filtering to prevent malware from executing
D. By using methods used by traditional EDR
Correct answer: B
Explanation:
FortiEDR is designed to provide advanced endpoint protection that focuses on both pre-emptive and post-infection defense mechanisms. Post-infection protection is crucial because, in some cases, malware may bypass initial defenses, and the system still needs to mitigate further damage once a breach has occurred. FortiEDR’s post-infection protection is particularly focused on preventing further malicious activity after an initial infection. This includes preventing data exfiltration or encryption that could happen after a breach, such as in the case of ransomware attacks or data theft.
A. By insurance against ransomware:
While FortiEDR may provide ransomware protection as part of its overall capabilities, this option refers more to a risk management tool rather than the actual security mechanism. "Insurance" typically implies a financial coverage model, not an active defense feature, so this is not an accurate description of how FortiEDR operates for post-infection protection.
B. By preventing data exfiltration or encryption even after a breach occurs:
This is the correct answer because FortiEDR’s post-infection protection focuses on mitigating the consequences of an attack, such as stopping the exfiltration of sensitive data or encryption that may occur after malware has entered the network. It can prevent the further spread of damage, even if the initial breach was successful.
C. By real-time filtering to prevent malware from executing:
This option describes FortiEDR’s real-time malware filtering, which is more related to pre-infection protection, rather than post-infection protection. This feature works to block malware before it executes and becomes a threat, but it doesn't address what happens once a system has already been compromised.
D. By using methods used by traditional EDR:
While FortiEDR is based on traditional EDR methods like monitoring, detection, and response, it incorporates enhanced features like post-infection protection which go beyond traditional EDR tools. Traditional EDR methods focus on detecting and responding to threats but may not have the same level of protection once the attack has already occurred, making this option too broad and not fully accurate.
Thus, FortiEDR’s post-infection protection is best characterized by its ability to stop further damage from occurring, such as preventing data exfiltration or encryption after a breach has already taken place.
Question No 5:
Which scripting language is supported by the FortiEDR action manager?
A. TCL
B. Bash
C. Perl
D. Python
Correct answer: D
Explanation:
The FortiEDR action manager supports Python as its scripting language. Python is widely used for automation, scripting, and interacting with APIs in various security products, including FortiEDR. This language is chosen because of its simplicity, readability, and robust capabilities, making it suitable for writing custom actions, automation, and integrations in FortiEDR.
Now let's explore why the other options are not correct:
A. TCL (Tool Command Language) is a scripting language used for various purposes, such as network management, but it is not the supported scripting language for FortiEDR action manager.
B. Bash is a Unix shell and command language that is primarily used for shell scripting in Linux and Unix environments. While it is commonly used in many systems, FortiEDR action manager does not rely on Bash for scripting in this context.
C. Perl is another programming language known for its text-processing capabilities. While it is used in some security and automation tools, Python is the preferred choice for scripting in FortiEDR.
Python's versatility and ease of use make it ideal for FortiEDR's automation and action management tasks, enabling users to write custom scripts to enhance the functionality of the security platform.
Question No 6:
Which security policy has all of its rules disabled by default?
A. Exfiltration Prevention
B. Execution Prevention
C. Device Control
D. Ransomware Prevention
Correct answer: C
Explanation:
Security policies are designed to control different aspects of a system's security posture. Each policy can be tailored to meet specific organizational needs, and often, these policies come with preset rules. However, it is common for some policies to start with all their rules disabled by default, allowing administrators to enable and configure the rules based on their unique security requirements.
A. Exfiltration Prevention is a security policy that typically deals with preventing unauthorized transfer of sensitive data out of a system or network. While it might have some pre-configured rules, it is not the policy known for starting with all of its rules disabled by default.
B. Execution Prevention is focused on preventing certain types of applications or processes from running on a device, such as preventing malware or unauthorized software from executing. Execution Prevention can have different rules, but like Exfiltration Prevention, it does not start with all rules disabled by default in most systems.
C. Device Control is the security policy most commonly associated with having all of its rules disabled by default. Device Control policies govern the use of external devices (such as USB drives, external hard drives, and other peripherals) on a network or computer. By default, these rules are often disabled to avoid unintended disruptions in the user's ability to use necessary devices, and administrators need to manually enable and configure these rules based on organizational policies regarding device usage.
D. Ransomware Prevention is a policy designed to detect and mitigate ransomware threats, typically through file monitoring, behavioral analysis, and blocking suspicious file activities. While ransomware prevention may have some default configurations, it does not typically have all its rules disabled by default.
In conclusion, Device Control is the security policy that has all of its rules disabled by default. This allows administrators to carefully configure the specific devices and usage policies as needed, avoiding unnecessary restrictions until they are explicitly required.
Question No 7:
Based on the event shown in the exhibit, which two statements about the event are true? (Choose two.)
A. The policy is in simulation mode.
B. The device is moved to isolation.
C. The event has been blocked.
D. Playbooks is configured for this event.
Correct answer: B
Explanation:
To analyze the event, we need to assess the context given in the options:
A (The policy is in simulation mode): In simulation mode, security actions are tested without affecting live environments. If the event is in simulation mode, it means actions were simulated but not fully executed. This is often used for testing policies without risking impact to live devices or systems.
B (The device is moved to isolation): This typically means that the device has been isolated from the network to prevent potential harm. If this action is visible in the event, it would indicate a higher-level response to a detected threat.
C (The event has been blocked): If an event is blocked, it means the security system has actively prevented or stopped the action or behavior associated with the event. This would likely be visible in the event description if it was actively prevented.
D (Playbooks is configured for this event): Playbooks are predefined automation workflows that can be triggered by an event. If this is configured, it would mean that specific actions (like isolation, alerting, etc.) are part of an automated response to the event.
Without being able to view the exhibit directly, we can assume that B and D are likely the correct answers in a scenario where security actions are taken and automation is part of the workflow.
Thus, the correct answers are B and D.
Question No 8:
Which connectors can you use for the FortiEDR automated incident response? (Choose two.)
A. FortiSandbox
B. FortiSIEM
C. FortiNAC
D. FortiGate
Correct answer: A, D
Explanation:
FortiEDR (Fortinet's Endpoint Detection and Response) can integrate with various Fortinet products to automate incident response and provide a more seamless security ecosystem. The connectors you choose enable FortiEDR to work effectively with other security tools for enhanced protection and automated actions.
A. FortiSandbox: FortiSandbox is a powerful solution for analyzing suspicious files, malware, and threats in a safe, isolated environment. FortiEDR can use FortiSandbox as a connector to automatically trigger file analysis when suspicious activities are detected on endpoints. This integration allows FortiEDR to work closely with FortiSandbox, using its sandboxing capabilities to analyze and respond to threats more effectively.
D. FortiGate: FortiGate is Fortinet’s next-generation firewall, and it can be used in conjunction with FortiEDR for automated incident response. Through integration, FortiEDR can leverage FortiGate’s capabilities to block malicious IPs, control traffic flows, or take other actions automatically in response to incidents. This enables coordinated security responses across endpoints and network devices.
Now, let's look at why the other options are less suitable for this specific use case:
B. FortiSIEM: While FortiSIEM is an essential solution for security information and event management, it primarily focuses on the aggregation, correlation, and analysis of security events. Though FortiSIEM can enhance visibility into incidents and automate some responses, it is not a direct connector for FortiEDR's automated incident response in the same manner as FortiSandbox or FortiGate. FortiEDR typically integrates with network-based devices like FortiGate to apply automated actions rather than using a SIEM tool directly for this purpose.
C. FortiNAC: FortiNAC (Network Access Control) is used to manage access to the network and enforce security policies for devices. While FortiNAC can integrate with FortiEDR for network segmentation and policy enforcement, it does not directly contribute to the automated incident response process in the same way that FortiSandbox or FortiGate can. FortiNAC would help in broader network access and device management but isn't as tightly connected with the real-time automated incident response in endpoint protection.
In summary, the best choices for FortiEDR's automated incident response are FortiSandbox and FortiGate (options A and D), as they directly enhance incident response automation through file analysis and network traffic control.
Question No 9:
Which FortiEDR component is required to find malicious files on the entire network of an organization?
A. FortiEDR Aggregator
B. FortiEDR Threat Hunting Repository
C. FortiEDR Central Manager
D. FortiEDR Core
Correct answer: B
Explanation:
FortiEDR is a comprehensive endpoint detection and response (EDR) solution that helps organizations monitor and protect their networks by detecting, analyzing, and responding to security threats, especially on endpoints. Each component of FortiEDR plays a specific role in identifying and mitigating security risks, including finding malicious files across the network.
Let's review the options:
A. FortiEDR Aggregator: The Aggregator is responsible for collecting, processing, and forwarding event data from endpoints to the FortiEDR Central Manager. While it plays an important role in data collection, it does not directly facilitate the process of finding malicious files on the network.
B. FortiEDR Threat Hunting Repository: This component is specifically designed for searching and analyzing threats across the organization. It provides a centralized place where security teams can perform in-depth threat hunting activities, such as identifying malicious files. The Threat Hunting Repository stores endpoint data and allows for the effective identification of suspicious or malicious files across the network, making it the essential component for finding malicious files.
C. FortiEDR Central Manager: The Central Manager is the centralized platform for managing FortiEDR endpoints, providing visibility and configuration options. While it is essential for overseeing FortiEDR's operation, it does not directly focus on the task of finding malicious files across the network.
D. FortiEDR Core: The Core component is responsible for the local protection and monitoring of individual endpoints. It performs activities like detecting and blocking malicious activities on a single endpoint, but it does not specifically facilitate searching across the entire network for malicious files.
Given this, the FortiEDR Threat Hunting Repository is the correct component required to search and identify malicious files across the entire network, as it stores data from endpoints and allows for detailed threat analysis and hunting.
Question No 10:
Which threat hunting profile is the most resource intensive?
A. Inventory
B. Comprehensive
C. Standard Collection
D. Default
Correct answer: B
Explanation:
Threat hunting involves proactively searching through networks and datasets to detect and isolate advanced threats that have evaded existing security measures. Different profiles for threat hunting can vary in the depth and breadth of data they collect, and the most resource-intensive profiles are typically those that gather the largest amount of data or require the most detailed analysis.
A. Inventory: This profile generally focuses on identifying and cataloging assets within the network. While it may involve scanning and identifying devices, users, and other assets, it is not as resource-intensive as more detailed hunting activities. It’s more about gathering an initial understanding of the environment.
B. Comprehensive: The comprehensive profile is the most resource-intensive because it seeks to gather extensive amounts of data across all potential entry points and layers within the network. It covers a wide range of systems, applications, and logs, and may involve deeper, more thorough scanning and analysis. As a result, it demands more computational resources, storage, and time to process and analyze data compared to other profiles.
C. Standard Collection: This profile typically collects a standard set of data necessary for most threat-hunting tasks, such as system logs, network traffic, and user activity. While important, it doesn't involve the exhaustive analysis or data collection seen in a comprehensive profile, so it is less resource-intensive.
D. Default: The default profile may include basic, predefined settings that gather a minimal amount of data. While useful for general purposes, it doesn’t provide the depth of analysis or data collection that would be needed in more advanced threat-hunting scenarios. As such, it is typically less resource-intensive than the comprehensive profile.
Therefore, the most resource-intensive threat hunting profile is B. Comprehensive, as it requires extensive data collection and deeper analysis across a broader scope of the network and systems.