NSE6_EDR_AD-7.0 Fortinet NSE 6 - FortiEDR 7.0 Administrator Question and Answers

The correct answers are A and B .

The exhibit shows the event classification as Malicious , classified by FortinetCloudServices , and the history states that device R2D2-kvm63 was moved from the Training Collector Group to the High Security Collector Group . This is a Playbook action. The FortiEDR guide explains that after classification changes, the Overview pane displays the history of automatic FortiEDR actions, including Playbook policy-related actions .

The guide specifically lists Move device to High Security Group under Investigation actions in Playbook policies. It states that a checkmark in a classification column means the device is automatically moved to the High Security Collector Group when a security event with that classification is triggered. So the exhibit proves that Playbooks are configured for this event.

The second correct answer is B because the triggered rule is under Training • Extended Detection . The FortiEDR guide states that the eXtended Detection Policy logs events and displays them in the Incidents tab, but no blocking options are provided for this policy.

Option C is wrong because moving a device to the High Security Collector Group is not the same as isolating the device. Isolation would block communication to/from the affected Collector. The exhibit shows a Collector Group move, not isolation.

Option D is wrong because Extended Detection does not block. The guide explicitly says Extended Detection events are logged and displayed, with no blocking options provided.

=========

The correct answers are A. Device and user name and D. IP address and MAC address .

The FortiEDR 7.0.0 Administration Guide states that the GDPR feature is implemented in Administration > Settings > Personal Data Handling . It is used to remove relevant data for an employee or FortiEDR user who no longer has access to or uses the FortiEDR system. The guide explicitly identifies the personal data as device name, IP address, MAC address, and user name . It further states: “You must remove all device name, IP address, MAC address, and user name data from FortiEDR in order to fully comply with the GDPR standard.”

Therefore, installed applications and installed OS name are not the required GDPR personal data types in this FortiEDR procedure. The required removal is performed iteratively for the employee’s/user’s device name , IP address , MAC address , and user name . The guide also instructs administrators to continue removing the other required data: IP address, MAC address, and user name , and to delete any reports that may contain the user’s data.

The correct answers are A and B .

The FortiEDR 7.0.0 Administration Guide states that newly added applications are disabled by default , which means they are not blocked unless enabled. The guide further explains that the default state can be changed by enabling the Enable Default application state option in the Application Control Manager settings. Therefore, option A is correct.

Option B is also correct because Application Control allows an application to be defined by Hash or by any combination of File Name / Path / Signer . The guide says that the Path field specifies the path to the executable file of the application to be blocked. When using path-based matching, the enforcement is tied to the specified path criteria, not to every possible location of the same file.

Option C is wrong because the file name does not also need to match when only the Path attribute is used. Option D is wrong because blocking all instances regardless of location applies when only the File Name field is used, not when the match is path-specific. The guide explicitly states that if only the File Name field is filled, the application is blocked no matter where the executable appears.

The correct answer is B .

In the exhibit, the incident status clearly shows Unhandled at the incident level and also on the event rows. The FortiEDR guide explains that every detected security event is initially marked as unread and unhandled , and these statuses help multiple FortiEDR Central Manager users track whether anyone has read and handled the message.

The guide also states that when a FortiEDR Central Manager user marks a security event as Handled , all users see it as handled. The process is performed by selecting the event and clicking Handle Incident or the flag icon, then saving the incident handling details.

So the valid observation from the exhibit is that the incident has not been handled by a console administrator .

Option A is not supported by the exhibit. There is no visible evidence that the policy is in Simulation mode. Option C is wrong because the incident is still visible, not archived or deleted. Option D is wrong because the status is explicitly Unhandled ; it was not handled automatically by a Communication Control policy.

=========

The correct answers are B and C .

The exhibit shows the event classification as Malicious . In FortiEDR, event classification can be performed by the Core and later updated by FortiEDR Cloud Service (FCS) . The guide states that the audit history shows the classification chronology and includes details when FCS reclassifies a security event after the Core’s initial classification. It also states that notifications can be based on either Core or FCS classification depending on whether FCS classification is received within the timeout period.

The exhibit also shows TestApplication.exe with Status: Running . That means the process was launched and is currently running on the endpoint. Therefore, C is correct.

Option A is wrong because the exhibit clearly shows Status: Unhandled , not Handled. The guide states that FortiEDR security events are initially marked as unread and unhandled, and users can later mark them handled through the incident handling workflow.

Option D is wrong because the exhibit shows rule indicators such as Invalid Checksum , Suspicious Packer , and Writable Code , but it does not prove that TestApplication.exe is “sophisticated malware.” FortiEDR classifies the event as malicious, but the guide’s Malicious classification means the event is verified to have malicious capability, is intended to harm the infected device, and has no commercially viable use; the exhibit alone does not justify the stronger claim “sophisticated malware.”

=========

The correct answer is A. Create a separate communication control policy for each organization .

The key point is that Communication Control is not available in Hoster view . In a FortiEDR multi-tenant environment, Hoster view is the view used to display information for all organizations together. However, the guide clearly states under the Hoster view section: “Communication Control — The Communication Control window is not available in Hoster view.”

That means you cannot create one global Communication Control policy from Hoster view and assign it across all organizations. Options B , C , and D all assume cross-organization/global Communication Control policy assignment, but the guide does not support that capability. The practical recommendation is to configure Communication Control policies separately inside each organization.

The guide contrasts this with Security Policies, where in Hoster view the Security Policies page displays all policies from all organizations and supports cloning a security policy from one organization to another. That statement is for Security Policies , not Communication Control policies.

=========