Free Fortinet NSE6_EDR_AD-7.0 Practice Exam with Questions & Answers

The correct answer is D .

The FortiEDR guide confirms that Playbook actions are automatic incident response actions configured under Security Settings > Playbooks and applied based on security event classification. It also confirms that actions such as Terminate Process and device isolation actions can be configured as playbook responses. For scheduled-query-triggered events, the guide states that FortiEDR can automatically apply the Playbook action assigned to the Collector Group that the triggering device belongs to.

For isolation, the guide shows that isolation actions such as Isolate device with NAC are configured under the Investigation section of Playbooks, and similar isolation actions are triggered automatically when selected for the relevant classification.

The uploaded guide does not provide a specific line saying “if terminate process fails, continue to the next action.” Based on FortiEDR playbook behavior, configured actions are executed independently. A failure to terminate a protected Windows process does not automatically cancel the remaining playbook actions. Therefore, the next configured action, isolate device , is still executed.

Options A , B , and C are wrong because the playbook does not pause for administrator intervention, does not stop merely because an email is generated, and does not cancel all remaining configured actions because one action failed.

=========

The correct answers are B and C .

The FortiEDR 7.0.0 Administration Guide explains that IoT device discovery continuously identifies newly connected non-workstation devices, such as printers, cameras, and media devices. During discovery, each relevant Collector periodically probes nearby neighboring devices. The guide states that nearby devices usually respond by providing information about themselves, including the device/host name and IP address . This directly supports option B .

Option C is also correct because the guide states that Collectors in degraded , disabled , or isolated states do not take part in the IoT probing process. It also says FortiEDR uses the most powerful Collectors in each subnet and excludes weaker Collectors, including disabled and degraded Collectors.

Option A is wrong because the guide explicitly says Collectors running on servers do not take part in IoT probing. Option D is wrong because IoT probing is not described as deep packet inspection of all neighboring traffic; it is a discovery/probing process used to identify nearby devices and collect basic device information.

=========

The correct answers are B and C .

The exhibit shows:

FortiEDR Service: Up

FortiEDR Driver: Up

FortiEDR Status: Degraded (no configuration)

This means the local Collector service and driver are running, but the Collector has not received valid configuration. In FortiEDR, a Collector must register and communicate with the FortiEDR Aggregator to receive its configuration. The guide states that the Collector initially sends registration information to the FortiEDR Aggregator using SSL, sends ongoing health/status/security-event information, and receives its configuration from the Aggregator.

During installation, a non-customized Windows Collector requires the correct Aggregator address , Aggregator port 8081 , and registration password . The guide explicitly states that the Aggregator port should be specified as 8081 , and that the registration password must be entered during installation.

Therefore, an incorrect registration password or incorrect port number can prevent proper registration/configuration retrieval, resulting in a degraded/no-configuration state.

Option A is not the best answer because Windows Firewall being enabled by itself does not automatically cause this FortiEDR status; only if it blocks required FortiEDR communication would it matter, and the option is too generic. Option D is also not correct as written because the Collector receives configuration from the Aggregator , not directly from the Central Manager. The guide describes Collector-to-Aggregator communication for registration and configuration.

=========

The correct answer is D .

The FortiEDR 7.0.0 Administration Guide explains that FortiEDR displays two severity ratings for applications: NIST Severity and ACI Severity . NIST Severity is based on FortiEDR’s vulnerability scoring system using the NIST Cybersecurity Framework. ACI Severity, however, is Adversary Centric Intelligence provided by FortiRecon and FortiGuard Threat Analysts, covering dark web, open-source, and technical threat intelligence, including threat actor insights . This helps administrators proactively assess risk, respond faster to incidents, understand attackers, and protect assets.

The guide also states that FortiEDR helps analysts prioritize alerts and incidents using risk factors such as severity of vulnerabilities , relevance of threat intelligence feeds , and severity of affected endpoints , so effort is focused on the most significant organizational risks.

Therefore, the application with Medium NIST severity but active ACI evidence of adversary targeting should be prioritized over an application with Critical NIST severity but Unknown ACI rating , because active adversary-centric intelligence indicates current attacker interest or exploitation relevance. In plain terms: a theoretical critical vulnerability matters, but an actively targeted vulnerability is the fire you put out first.

Option B is tempting but incomplete because it relies only on NIST/CVSS severity. FortiEDR’s ACI rating exists specifically to add adversary context to prioritization. Option A is wrong because FortiEDR does not treat all vulnerable applications equally. Option C is wrong because asset criticality can matter, but the guide does not say prioritization depends only on asset criticality.

=========

The correct answer is A. Create a separate communication control policy for each organization .

The key point is that Communication Control is not available in Hoster view . In a FortiEDR multi-tenant environment, Hoster view is the view used to display information for all organizations together. However, the guide clearly states under the Hoster view section: “Communication Control — The Communication Control window is not available in Hoster view.”

That means you cannot create one global Communication Control policy from Hoster view and assign it across all organizations. Options B , C , and D all assume cross-organization/global Communication Control policy assignment, but the guide does not support that capability. The practical recommendation is to configure Communication Control policies separately inside each organization.

The guide contrasts this with Security Policies, where in Hoster view the Security Policies page displays all policies from all organizations and supports cloning a security policy from one organization to another. That statement is for Security Policies , not Communication Control policies.

=========

The correct answers are C and D .

The guide states that for eXtended Detection Source integration, FortiEDR connects to external systems to collect activity logs. The aggregated data is then sent to Fortinet Cloud Services (FCS) , where it is correlated and analyzed to detect malicious indications. Those malicious indications result in security events for eXtended Detection policy rule violations .

For FortiAnalyzer/FortiAnalyzer Cloud specifically, the guide states that this integration is used to correlate data between FortiEDR and the Fortinet Security Fabric and issue eXtended Detection alerts .

Option A is wrong because FCS does not send the original log record to FortiAnalyzer. FortiAnalyzer is the external source whose data is correlated with FortiEDR data. Option B is wrong because OS metadata is collected by the Collector and handled through FortiEDR components; the FCS role here is cloud-side enrichment, correlation, and detection, not sending OS metadata back to the manager.

=========

The correct answer is C .

The FortiEDR 7.0.0 Administration Guide states that for on-premises deployments, the on-premise reputation service requests missing hashes from the cloud reputation service . If a proxy is not enabled, it requests the missing hashes from the cloud reputation service through the manager nginx . If a proxy is enabled, the on-premises reputation service requests the missing hashes through the proxy.

So, when the local reputation database does not contain the requested hash, the on-premises reputation server does not ignore the request, wait for endpoint input, or automatically block the application. It queries the cloud reputation service for the missing hash reputation data.

=========

The correct answer is B .

In the exhibit, the incident status clearly shows Unhandled at the incident level and also on the event rows. The FortiEDR guide explains that every detected security event is initially marked as unread and unhandled , and these statuses help multiple FortiEDR Central Manager users track whether anyone has read and handled the message.

The guide also states that when a FortiEDR Central Manager user marks a security event as Handled , all users see it as handled. The process is performed by selecting the event and clicking Handle Incident or the flag icon, then saving the incident handling details.

So the valid observation from the exhibit is that the incident has not been handled by a console administrator .

Option A is not supported by the exhibit. There is no visible evidence that the policy is in Simulation mode. Option C is wrong because the incident is still visible, not archived or deleted. Option D is wrong because the status is explicitly Unhandled ; it was not handled automatically by a Communication Control policy.

=========

The correct answer is C.

The FortiEDR guide explains that Threat Hunting searches across endpoint activity events, including registry activity. It states that Threat Hunting can search based on attributes of files, registry keys and values, network, processes, event log, and activity event types. This fits the requirement to search for specific registry modifications across endpoints.

The guide also explains that after filtering activity events, the query can be saved and defined as a Scheduled Query. It says: “Scheduled Query: Mark this option to automate the process of detecting threats so that this query is run automatically according to the schedule that you define.” It also states that a security event is automatically created in the Incidents tab when matches are detected, and notifications can be sent through email, Syslog, and other configured methods.

The guide further states that the Repeat Every/On options define the frequency and schedule when the query runs. Therefore, a 15-minute recurring query is handled through the Scheduled Query capability in Threat Hunting, not Communication Control, policy override, or a manual Playbook trigger.

Strictly speaking, the guide calls this a scheduled query under Threat Hunting saved queries, not a “communication control rule” or “manual query.” Option C is the intended answer.

=========