Fortinet Fortinet NSE 7 - Advanced Analytics 6.3 NSE7_ADA-6.3 Exam Dumps: Updated Questions & Answers (September 2025)

phRuleMaster is a process that performs rule evaluation and incident generation on FortiSIEM. phRuleMaster queues up the data being received from the phRuleWorkers into buckets based on time intervals, such as one minute, five minutes, or ten minutes. phRuleMaster is present on both the supervisor and workers nodes of a FortiSIEM cluster. phRuleMaster wakes up every 30 seconds to evaluate all the rule data in parallel using multiple threads.

The rule engine loads the baseline data values from the profile database. The profile database contains historical data that is used for baselining calculations, such as minimum, maximum, average, standard deviation, and percentile values for various metrics.

You can invoke an integration policy on FortiSIEM rules by configuring the Notification Policy settings. You can select an integration policy from the drop-down list and specify the conditions for triggering it. For example, you can invoke an integration policy when an incident is created, updated, or closed. References: Fortinet NSE 7 - Advanced Analytics 6.3 Exam Description, page 9

You can empower SOC by deploying FortiSOAR in the following ways:

Collaborative knowledge sharing: FortiSOAR allows you to create and share playbooks, workflows, tasks, and notes among SOC analysts and teams. This enables faster and more consistent incident response and reduces duplication of efforts.

Reduce human error: FortiSOAR automates repetitive and tedious tasks, such as data collection, enrichment, analysis, and remediation. This reduces the risk of human error and improves efficiency and accuracy.

Address analyst skills gap: FortiSOAR provides a graphical user interface for creating and executing playbooks and workflows without requiring coding skills. This lowers the barrier for entry-level analysts and helps them learn from best practices and expert knowledge. References: Fortinet NSE 7 - Advanced Analytics 6.3 Exam Description, page 19

The incident was auto cleared because within five minutes, the packet loss percentage dropped to a level where the host IP of the original rule matches the host IP of the clear condition pattern. The clear condition pattern specifies that if there is an event with a packet loss percentage less than or equal to 10% and a host IP that matches any host IP in this incident, then clear this incident.

The incident from FortiSIEM shown in the exhibit is a brute force attack on a FortiGate device. The remediation option available to the administrator is to run the block IP FortiOS 5.4 action, which will block the source IP address of the attacker on the FortiGate device using a firewall policy.

If the Z-score for this rule is greater than or equal to three, it means that the rate of firewall connection is above the historical average value. The Z-score is a measure of how many standard deviations a value is away from the mean of a distribution. A Z-score of three or more indicates that the value is significantly higher than the mean, which implies an anomaly or deviation from normal behavior.

The user who would meet that condition is Tom. Tom has four rows in the results where the COUNT is greater than or equal to three, meaning he had at least three SSL VPN logon failures from the same source IP and reporting IP. The other users have either less than three rows or less than three COUNT in each row.

Tactic is what an attacker hopes to achieve in the MITRE ATT&CK framework. Tactic is a high-level category of adversary behavior that describes their objective or goal. For example, some tactics are Initial Access, Persistence, Lateral Movement, Exfiltration, etc. Each tactic consists of one or more techniques that describe how an attacker can accomplish that tactic.

Reconnaissance and Discovery are two Tactics in the MITRE ATT&CK framework. Tactics are the high-level objectives of an adversary, such as initial access, persistence, lateral movement, etc. Reconnaissance is the tactic of gathering information about a target before launching an attack. Discovery is the tactic of exploring a compromised system or network to find information or assets of interest. References: Fortinet NSE 7 - Advanced Analytics 6.3 Exam Description, page 21