Q1

A SOC analyst at a large financial institution is designing a FortiAnalyzer playbook to automate the initial response to a critical 'Potential Ransomware Activity' event. The playbook must first isolate the affected endpoint using a FortiGate connector, then retrieve the process hash from the event logs, and finally submit this hash to a third-party sandboxing service for deep analysis. Which playbook task sequence represents the most logical and effective workflow for this scenario?

Q2 (Multiple answers)

A threat hunter is using FortiAnalyzer's advanced search capabilities to proactively search for signs of lateral movement within the network. The hunter suspects an attacker is using PsExec for remote command execution. Which two of the following search queries would be most effective for identifying this specific activity? (Select TWO).

Q3

True or False: In a high-availability (HA) cluster of two FortiAnalyzer units, if the primary unit fails, a playbook that was in the middle of execution will be seamlessly migrated to the secondary unit and continue from the exact task where it left off.

Q4 (Multiple answers)

A junior SOC analyst observes an event in FortiAnalyzer indicating a successful user login from an IP address geolocated in a country where the company has no employees. This is followed by the creation of a new administrative account. According to the MITRE ATT&CK framework, which two tactics are most clearly demonstrated by this sequence of events? (Select TWO).

Q5

A retail company is expanding its FortiAnalyzer deployment to handle logs from new stores. The current setup consists of a single FortiAnalyzer in analyzer mode at the headquarters. The new stores have unstable WAN connections. The company requires centralized analysis and reporting at HQ but needs to ensure logs are not lost during WAN outages at the store level. What is the most appropriate architectural change?

Q6

A SOC manager wants to create a custom dashboard in FortiAnalyzer to monitor for potential data exfiltration. The dashboard needs a chart that displays the top 10 users by the volume of data uploaded to `Cloud.Storage` applications. What is the correct `dataset` that should be used to build this chart?

Q7

An administrator configures an event handler to trigger an alert when more than 100 failed login attempts occur from a single source IP within 5 minutes. After deploying the handler, the SOC team receives numerous false positive alerts from an internal vulnerability scanner. What is the most effective way to modify the event handler to ignore the scanner while still monitoring other sources?

Q8

What is the primary function of the `fazlic-op-mode` CLI command on a FortiAnalyzer device?

Q9

A SOC analyst is investigating a security incident and needs to determine if a suspicious file, identified by its SHA256 hash, has been seen anywhere else in the network over the past 30 days. The analyst has access to logs from FortiGate, FortiSandbox, and FortiClient. Which FortiAnalyzer feature provides the most efficient way to perform this cross-device search for the indicator of compromise (IOC)?

Q10

A security architect is configuring a webhook connector in a FortiAnalyzer playbook. The purpose of this connector is to send alert details to a custom-built internal chat application. The chat application's API requires the 'Content-Type' header to be set to 'application/json'. Where in the FortiAnalyzer GUI would the architect configure this custom HTTP header for the webhook connector?