Fortinet NSE6_EDR_AD-7.0 - Fortinet NSE 6 - FortiEDR 7.0 Administrator

The correct answer is C .

The FortiEDR 7.0.0 Administration Guide states that for on-premises deployments, the on-premise reputation service requests missing hashes from the cloud reputation service . If a proxy is not enabled, it requests the missing hashes from the cloud reputation service through the manager nginx . If a proxy is enabled, the on-premises reputation service requests the missing hashes through the proxy.

So, when the local reputation database does not contain the requested hash, the on-premises reputation server does not ignore the request, wait for endpoint input, or automatically block the application. It queries the cloud reputation service for the missing hash reputation data.

=========

The correct answers are A and C .

For Fortinet Security Fabric correlation through FortiAnalyzer or FortiAnalyzer Cloud, the FortiEDR guide states that FortiEDR can integrate with FortiAnalyzer/FortiAnalyzer Cloud “to correlate data between FortiEDR and the Fortinet Security Fabric and issue eXtended detection alerts.” To complete this, you must configure an eXtended Detection Source connector and enable eXtended Detection rules and FortiEDR Threat Hunting event collection.

The prerequisites include connectivity from the FortiEDR Central Manager to Fortinet Cloud Services (FCS) . The same prerequisite list also requires either a FortiAnalyzer administrator account with JSON API access enabled or, for FortiAnalyzer Cloud, a valid FortiCloud API user with read/write access to the FortiAnalyzer Cloud portal.

Option B is wrong because a Forensics add-on license is not listed as a requirement for this integration. Option D is badly worded and not correct. A Jumpbox with connectivity to FortiAnalyzer is required, and the guide points to FortiEDR Core setup for Jumpbox configuration, but the answer option says Core with core-only functionality , which is not the stated requirement.

=========

The FortiEDR 7.0.0 Administration Guide states that when manually adding applications to be blocked, you can define the application using Hash or using any combination of File Name / Path / Signer attributes. This means hashes can be used independently and do not require filename, path, or signer attributes.

The guide also states that each hash is a unique identifier of an individual application, and the exhibit itself shows the hash field note: “SHA-1 or SHA-2 or MD5.” Therefore, the hash must use a supported hash format, making D correct.

For multiple hash entries, the uploaded guide text says they must be comma separated , while the exhibit note says “You can enter multiple hashes comma separated.” So the technically exact guide wording supports comma separation, not line separation. However, given your answer choices, A is clearly trying to test the requirement that multiple hashes must be separated correctly. The option wording says “line-separated,” which is not exact against the guide; the better wording would be comma-separated . Since no “comma-separated” option is provided, A is the intended separation-related answer, but the wording is flawed.

Option B is definitely wrong because hash mode is an alternative to attributes. Option C is also not the best answer because, although each hash uniquely identifies a file/application variant, the operational requirement is not that “hashes must be unique to each application” in the way the option implies. Hashes may represent different variants of the same application.

The correct answers are A. Device and user name and D. IP address and MAC address .

The FortiEDR 7.0.0 Administration Guide states that the GDPR feature is implemented in Administration > Settings > Personal Data Handling . It is used to remove relevant data for an employee or FortiEDR user who no longer has access to or uses the FortiEDR system. The guide explicitly identifies the personal data as device name, IP address, MAC address, and user name . It further states: “You must remove all device name, IP address, MAC address, and user name data from FortiEDR in order to fully comply with the GDPR standard.”

Therefore, installed applications and installed OS name are not the required GDPR personal data types in this FortiEDR procedure. The required removal is performed iteratively for the employee’s/user’s device name , IP address , MAC address , and user name . The guide also instructs administrators to continue removing the other required data: IP address, MAC address, and user name , and to delete any reports that may contain the user’s data.

The correct answers are A and B .

The exhibit shows the event classification as Malicious , classified by FortinetCloudServices , and the history states that device R2D2-kvm63 was moved from the Training Collector Group to the High Security Collector Group . This is a Playbook action. The FortiEDR guide explains that after classification changes, the Overview pane displays the history of automatic FortiEDR actions, including Playbook policy-related actions .

The guide specifically lists Move device to High Security Group under Investigation actions in Playbook policies. It states that a checkmark in a classification column means the device is automatically moved to the High Security Collector Group when a security event with that classification is triggered. So the exhibit proves that Playbooks are configured for this event.

The second correct answer is B because the triggered rule is under Training • Extended Detection . The FortiEDR guide states that the eXtended Detection Policy logs events and displays them in the Incidents tab, but no blocking options are provided for this policy.

Option C is wrong because moving a device to the High Security Collector Group is not the same as isolating the device. Isolation would block communication to/from the affected Collector. The exhibit shows a Collector Group move, not isolation.

Option D is wrong because Extended Detection does not block. The guide explicitly says Extended Detection events are logged and displayed, with no blocking options provided.

=========

The correct answer is B. Deny the application in the Finance policy .

The FortiEDR 7.0.0 Administration Guide states that Communication Control policies define the actions to be taken for a given application or application version . It also states that each Communication Control policy applies to specific Collector Groups , and all devices that belong to those Collector Groups follow that policy. A Collector Group can be assigned to only one Communication Control policy.

In the exhibit, the Collector C8092231196 is stated to be a member of the Finance group. Therefore, to block FileZilla for that Collector, the application action must be set to Deny under the Finance policy , because that is the policy context that applies to the Collector’s group.

The guide also explains that you can modify a policy action for an application/version so that the selected application is explicitly set to Allow or Deny for the relevant policy. When modified this way, the Application/Version Details area shows the action as manually changed and excluded from the original policy action.

Option A is wrong because assigning a Simulation Communication Control Policy to the DBA group does not affect a Collector in the Finance group. Option C is wrong because assigning the Finance policy to the DBA group would affect DBA Collectors, not the Finance Collector in the scenario. Option D is wrong because assigning the Finance policy to a broader group such as Default Collector Group is unnecessary and could over-broaden the policy impact. The precise action is to deny FileZilla in the policy that applies to the Collector’s own group: Finance policy .

=========

The correct answer is C. The user account does not have the REST API role assigned .

The exhibit shows a Postman request to the FortiEDR Central Manager REST endpoint:

/management-rest/inventory/list-collectors

The response is 401 Unauthorized , which means the request reached the FortiEDR API endpoint but the supplied user credentials are not authorized for REST API access.

The FortiEDR 7.0.0 Administration Guide states that when adding or editing a user, the Rest API advanced option controls whether the user is allowed to access the FortiEDR Central Manager through API calls. The guide defines this option as: “Rest API — Specifies whether to allow the user to access the FortiEDR Central Manager through API calls.”

Therefore, the most accurate cause is that the account being used in Postman does not have the Rest API permission enabled.

Option A is incorrect because the request uses GET against a list endpoint, and an unsupported method would not normally be represented by this user-authentication failure. Option B is not supported by the exhibit or guide wording; the guide describes enabling REST API access per user. Option D is incorrect because first-login password reset is not the direct cause of this REST API authorization failure. The guide separately discusses password reset and password policy behavior, but that is not what the API error indicates.

The correct answer is D .

The FortiEDR guide confirms that Playbook actions are automatic incident response actions configured under Security Settings > Playbooks and applied based on security event classification. It also confirms that actions such as Terminate Process and device isolation actions can be configured as playbook responses. For scheduled-query-triggered events, the guide states that FortiEDR can automatically apply the Playbook action assigned to the Collector Group that the triggering device belongs to.

For isolation, the guide shows that isolation actions such as Isolate device with NAC are configured under the Investigation section of Playbooks, and similar isolation actions are triggered automatically when selected for the relevant classification.

The uploaded guide does not provide a specific line saying “if terminate process fails, continue to the next action.” Based on FortiEDR playbook behavior, configured actions are executed independently. A failure to terminate a protected Windows process does not automatically cancel the remaining playbook actions. Therefore, the next configured action, isolate device , is still executed.

Options A , B , and C are wrong because the playbook does not pause for administrator intervention, does not stop merely because an email is generated, and does not cancel all remaining configured actions because one action failed.

=========