NSE5-EDR-5-0 Free Sample Questions

Fortinet NSE 5 - FortiEDR 5.0 Practice Test
10/244 questions
Q1

A financial institution is deploying FortiEDR in a multi-tenancy model to serve different internal departments as separate tenants. The security architect needs to ensure that administrators for the 'Investment Banking' tenant cannot view or manage endpoints belonging to the 'Retail Banking' tenant. Which FortiEDR feature is the primary mechanism for enforcing this level of strict data and administrative segregation?

Q2

A security operator at a Managed Security Service Provider (MSSP) is using the FortiEDR REST API to automate the onboarding of new customers. The script needs to perform the following actions in order: create a new Organization for the customer, generate a collector installation package for that specific Organization, and then assign a default security policy. Which API endpoint would be used to generate the customer-specific collector package?

Q3

A hospital is using FortiEDR to protect legacy medical devices running an unsupported version of Windows. These devices use a proprietary, unsigned application for critical operations. The 'Execution Prevention' security policy is blocking this application, causing service disruption. The administrator needs to allow this specific application to run without weakening the overall security posture for other applications. What is the most precise and secure method to create this exception in FortiEDR?

Q4

A security team has designed a FortiEDR playbook to automatically respond to 'Malicious File Detected' events on standard user workstations. The desired workflow is: 1) Isolate the affected device, 2) Terminate the malicious process, 3) Delete the malicious file, and 4) Open a ticket in a third-party system via a webhook. The administrator observes that devices are being isolated, but the malicious process is not being terminated. What is the most likely cause for this partial playbook execution?

Q5

A SOC analyst is investigating a complex alert and needs to understand the full attack chain. The analyst wants to find all network connections made by a specific process, `svchost.exe`, that were initiated after a suspicious PowerShell command was executed on the endpoint `CORP-WS-123`. Which FortiEDR feature provides the most effective and direct way to perform this type of historical, correlated analysis?

Q6 (Multiple answers)

A threat hunter suspects that an attacker is using a living-off-the-land technique by running malicious scripts via the legitimate Windows utility `wmic.exe`. The hunter wants to create a query to find all instances where `wmic.exe` was launched with the command-line argument `process call create`. Which two components are required to build this query in the FortiEDR Threat Hunting interface? (Select TWO).

Q7

An organization has integrated FortiEDR with their FortiGate firewall as part of the Security Fabric. A playbook is configured to use the 'Block address with FortiGate' action when a high-severity threat is detected. After an event, the security team notices the endpoint's IP address was not blocked on the FortiGate. Troubleshooting reveals that the Fabric connection is up and other integrations are working. What is a likely misconfiguration specific to this automated response action?

Q8

A FortiEDR collector on a critical server is repeatedly disconnecting and reconnecting to the Central Manager, causing alert floods and inconsistent policy application. The network team has confirmed there is no packet loss between the server and the Central Manager. The server's CPU and memory utilization are normal. Which of the following is the most probable cause for this 'flapping' behavior?

Q9

True or False: When FortiEDR is deployed in a multi-tenant configuration, a Global Administrator can create threat hunting profiles that are automatically inherited and visible to all individual tenant administrators.

Q10

An administrator is configuring a Communication Control policy to prevent corporate laptops from accessing known malicious domains associated with phishing campaigns. The goal is to block any outbound TCP connection attempt to these domains from any process on the endpoint. Which rule configuration in the policy would achieve this?